Merge branch 'master' into kkrishna/updates2019

Author: Kalyan Krishna

2-WebApp-graph-user/2-1-Call-MSGraph/README.md

@@ -104,6 +104,37 @@ The two new lines of code:
   > - replace `using Microsoft.Identity.Web.TokenCacheProviders.InMemory` by `using Microsoft.Identity.Web.TokenCacheProviders.Session`
   > - Replace `.AddInMemoryTokenCaches()` by `.AddSessionTokenCaches()`
   > add `app.UseSession();` in the `Configure(IApplicationBuilder app, IHostingEnvironment env)` method, for instance after `app.UseCookiePolicy();`
+  >
+  >
+  > You can also use a distributed token cache, and choose the serialization implementation. For this,  in **Startup.cs**:
+  > - replace `using Microsoft.Identity.Web.TokenCacheProviders.InMemory` by `using Microsoft.Identity.Web.TokenCacheProviders.Distributed`
+  > - Replace `.AddInMemoryTokenCaches()` by `.AddDistributedTokenCaches()`
+  > - Then choose the distributed cache implementation. For details, see https://docs.microsoft.com/en-us/aspnet/core/performance/caching/distributed?view=aspnetcore-2.2#distributed-memory-cache
+  >
+  >   ```CSharp
+  >   // use a distributed Token Cache by adding
+  >      .AddDistributedTokenCaches();
+  >
+  >   // and then choose your implementation.
+  >  
+  >   // For instance the distributed in memory cache (not cleaned when you stop the app)
+  >   services.AddDistributedMemoryCache()
+  >
+  >   // Or a Redis cache
+  >   services.AddStackExchangeRedisCache(options =>
+  >   {
+  >    options.Configuration = "localhost";
+  >    options.InstanceName = "SampleInstance";
+  >   });
+  >
+  >   // Or even a SQL Server token cache
+  >   services.AddDistributedSqlServerCache(options =>
+  >   {
+  >    options.ConnectionString =_config["DistCache_ConnectionString"];
+  >    options.SchemaName = "dbo";
+  >    options.TableName = "TestCache";
+  >   });
+  >   ```
 
 ### Add additional files to call Microsoft Graph
 

2-WebApp-graph-user/2-1-Call-MSGraph/Startup.cs

@@ -7,6 +7,7 @@
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Identity.Web;
+using Microsoft.Identity.Web.TokenCacheProviders.Distributed;
 using Microsoft.Identity.Web.TokenCacheProviders.InMemory;
 using WebApp_OpenIDConnect_DotNet.Infrastructure;
 using WebApp_OpenIDConnect_DotNet.Services;
@@ -40,6 +41,32 @@ public void ConfigureServices(IServiceCollection services)
                .AddMsal(Configuration, new string[] { Constants.ScopeUserRead })
                .AddInMemoryTokenCaches();
 
+            /*
+               // or use a distributed Token Cache by adding 
+                           .AddDistributedTokenCaches();
+
+               // and then choose your implementation. 
+               // See https://docs.microsoft.com/en-us/aspnet/core/performance/caching/distributed?view=aspnetcore-2.2#distributed-memory-cache
+
+               // For instance the distributed in memory cache (not cleared when you stop the app)
+                services.AddDistributedMemoryCache()
+
+               // Or a Redis cache
+               services.AddStackExchangeRedisCache(options =>
+                    {
+                        options.Configuration = "localhost";
+                        options.InstanceName = "SampleInstance";
+                    });
+
+               // Or even a SQL Server token cache
+               services.AddDistributedSqlServerCache(options =>
+                {
+                    options.ConnectionString = 
+                        _config["DistCache_ConnectionString"];
+                    options.SchemaName = "dbo";
+                    options.TableName = "TestCache";
+                });
+            */
             // Add Graph
             services.AddGraphService(Configuration);
 

4-WebApp-your-API/Client/Startup.cs

@@ -40,7 +40,7 @@ public void ConfigureServices(IServiceCollection services)
             // By default, the claims mapping will map claim names in the old format to accommodate older SAML applications.
             // 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' instead of 'roles'
             // This flag ensures that the ClaimsIdentity claims collection will be built from the claims in the token
-            JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
+            //JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
 
             // Token acquisition service based on MSAL.NET
             // and chosen token cache implementation

4-WebApp-your-API/TodoListService/Startup.cs

@@ -51,13 +51,9 @@ public void ConfigureServices(IServiceCollection services)
             // By default, the claims mapping will map claim names in the old format to accommodate older SAML applications.
             // 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' instead of 'roles'
             // This flag ensures that the ClaimsIdentity claims collection will be built from the claims in the token
-            JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
+            //JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
 
             services.AddProtectedWebApi(Configuration);
-            services.Configure<JwtBearerOptions>(AzureADDefaults.JwtBearerAuthenticationScheme, options =>
-            {
-                options.TokenValidationParameters.NameClaimType = "name";
-            });
 
             services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
         }

5-WebApp-AuthZ/5-1-Roles/appsettings.json

@@ -1,21 +1,20 @@
 {
-  "AzureAd": {
-    "Instance": "https://login.microsoftonline.com/",
-    "Domain": "kalyankrishna.com",
-    "TenantId": "4d39e77c-b0f3-4253-ae0b-7068ddd47949",
-    "ClientId": "7f1d4458-72e7-41b5-ad81-103bd6e307b7",
-    "CallbackPath": "/signin-oidc",
-    "SignedOutCallbackPath ": "/signout-callback-oidc",
+	"AzureAd": {
+		"Instance": "https://login.microsoftonline.com/",
+		"Domain": "[Enter the domain of your tenant, e.g. contoso.onmicrosoft.com]",
+		"TenantId": "[Enter 'common', or 'organizations' or the Tenant Id (Obtained from the Azure portal. Select 'Endpoints' from the 'App registrations' blade and use the GUID in any of the URLs), e.g. da41245a5-11b3-996c-00a8-4d99re19f292]",
+		"ClientId": "[Enter the Client Id (Application ID obtained from the Azure portal), e.g. ba74781c2-53c2-442a-97c2-3d60re42f403]",
+		"CallbackPath": "/signin-oidc",
+		"SignedOutCallbackPath ": "/signout-callback-oidc",
 
-    // To call an API
-    "ClientSecret": "9Y7lZKjDwKYZC3Ut1S8Dzg3TmAqVEJKUIbmIbH0jMdM="
-
-  },
-  "Logging": {
-    "LogLevel": {
-      "Default": "Warning"
-    }
-  },
-  "AllowedHosts": "*",
-  "GraphApiUrl": "https://graph.microsoft.com/beta"
+		// To call an API
+		"ClientSecret": "[Copy the client secret added to the app from the Azure portal]"
+	},
+	"Logging": {
+		"LogLevel": {
+			"Default": "Warning"
+		}
+	},
+	"AllowedHosts": "*",
+	"GraphApiUrl": "https://graph.microsoft.com/beta"
 }

Microsoft.Identity.Web/Diagrams.cd

@@ -46,28 +46,28 @@
     </TypeIdentifier>
   </Class>
   <Class Name="Microsoft.Identity.Web.WebAppServiceCollectionExtensions">
-    <Position X="0.5" Y="0.5" Width="11" />
+    <Position X="0.5" Y="0.5" Width="13.25" />
     <TypeIdentifier>
-      <HashCode>AAAAAAAAAAAAAgAAAAAAAAAAAAAAAACAAAAAAAAAAAA=</HashCode>
+      <HashCode>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAI=</HashCode>
       <FileName>WebAppServiceCollectionExtensions.cs</FileName>
     </TypeIdentifier>
   </Class>
   <Class Name="Microsoft.Identity.Web.WebApiServiceCollectionExtensions">
-    <Position X="0.5" Y="2" Width="15" />
+    <Position X="0.5" Y="2" Width="14.5" />
     <TypeIdentifier>
-      <HashCode>AAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAA=</HashCode>
+      <HashCode>AAAAAACAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAA=</HashCode>
       <FileName>WebApiServiceCollectionExtensions.cs</FileName>
     </TypeIdentifier>
   </Class>
-  <Class Name="Microsoft.Identity.Web.MsalUiRequiredExceptionFilterAttribute">
+  <Class Name="Microsoft.Identity.Web.AuthorizeForScopesAttribute">
     <Position X="0.5" Y="5.75" Width="3.5" />
     <Members>
       <Method Name="BuildAuthenticationPropertiesForIncrementalConsent" Hidden="true" />
       <Method Name="CanBeSolvedByReSignInUser" Hidden="true" />
     </Members>
     <TypeIdentifier>
-      <HashCode>AAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAgAIAIA=</HashCode>
-      <FileName>MsalUiRequiredExceptionFilterAttribute.cs</FileName>
+      <HashCode>AAAAAAAAAAAAACAAAAAAIAAAAAAAAAAAAAAAAgAIAIA=</HashCode>
+      <FileName>AuthorizeForScopesAttribute.cs</FileName>
     </TypeIdentifier>
   </Class>
   <Class Name="Microsoft.Identity.Web.AccountExtensions">

Microsoft.Identity.Web/README.md

@@ -13,7 +13,7 @@ to enable them to work with the Microsoft identity platform (formerly named Azur
 
 As of today, ASP.NET Core web apps templates (`dot net new mvc -auth`) create web apps that sign in users with the Azure AD v1.0 endpoint (allowing to sign in users with their organizational accounts, also named *Work or school accounts*). This library brings `ServiceCollection` extension methods to be used in the ASP.NET Core web app **Startup.cs** file to enable the web app to sign in users with the Microsoft identity platform (formerly Azure AD v2.0 endpoint), and, optionally enable the web app to call APIs on behalf of the signed-in user.
 
-![WebAppServiceCollectionExtensions](https://user-images.githubusercontent.com/13203188/62526924-0a563780-b7ef-11e9-8ce0-db284db3f02c.png)
+![WebAppServiceCollectionExtensions](https://user-images.githubusercontent.com/13203188/64252959-82ae3680-cf1c-11e9-8a01-0a0be728a78e.png)
 
 ### Web apps that sign in users - Startup.cs
 
@@ -84,6 +84,11 @@ public class Startup
 }
 ```
 
+Note that by default, `AddMicrosoftIdentityPlatformAuthentication` gets the configuration from the "AzureAD" section of the configuration files. It has
+several parameters that you can change.
+
+Also the proposed token cache serialization is in memory. you can also use the session cache, or various distributed caches
+
 ### Web app controller
 
 For your web app to call web APIs on behalf of the signed-in user, you'll need to add a parameter of type `ITokenAcquisition` to the constructor of your controller (the `ITokenAcquisition` service will be injected by dependency injection by ASP.NET Core)
@@ -125,7 +130,7 @@ public class HomeController : Controller
 
 The controller action is decorated by an attribute `AuthorizeForScopesAttribute` which enables to process the `MsalUiRequiredException` that could be thrown by the service implementing `ITokenAcquisition.GetAccessTokenOnBehalfOfUserAsync` so that the web app interacts with the user, and ask them to consent to the scopes, or re-sign-in if needed.
 
-<img alt="AuthorizeForScopesAttribute" src="https://user-images.githubusercontent.com/13203188/62526956-18a45380-b7ef-11e9-99f3-c75085d61ce5.png" width="50%"/>
+<img alt="AuthorizeForScopesAttribute" src="https://user-images.githubusercontent.com/13203188/64253212-0bc56d80-cf1d-11e9-9666-2e72b78886ed.png" width="50%"/>
 
 ### Samples and documentation
 
@@ -139,7 +144,7 @@ You can see in details how the library is used in the following samples:
 
 The library also enables web APIs to work with the Microsoft identity platform, enabling them to process access tokens for both work and school and Microsoft personal accounts.
 
-![image](https://user-images.githubusercontent.com/13203188/62526937-10e4af00-b7ef-11e9-9fee-c205c97653c5.png)
+![image](https://user-images.githubusercontent.com/13203188/64253058-ba1ce300-cf1c-11e9-8f01-88180fc0faed.png)
 
 ### Protected web APIS - Startup.cs
 
@@ -209,6 +214,8 @@ public class Startup
 }
 ```
 
+Like for Web Apps, you can choose various token cache implementations.
+
 If you're certain that your web API will need some specific scopes, you can optionally pass them as arguments to `AddProtectedApiCallsWebApis`.
 
 ### Web API controller
@@ -218,7 +225,7 @@ For your web API to call downstream APIs, you'll need to:
 - add (like in web apps), a parameter of type `ITokenAcquisition` to the constructor of your controller (the `ITokenAcquisition` service will be injected by dependency injection by ASP.NET Core)
 - verify, in your controller actions, that the token contains the scopes expected by the action. For this, you'll call the `VerifyUserHasAnyAcceptedScope` extension method on the `HttpContext`
 
-  <img alt="ScopesRequiredHttpContextExtensions" src="https://user-images.githubusercontent.com/13203188/62527104-60c37600-b7ef-11e9-8dcb-66bb982fe147.png" width="80%"/>
+  <img alt="ScopesRequiredHttpContextExtensions" src="https://user-images.githubusercontent.com/13203188/64253176-f9e3ca80-cf1c-11e9-8fe9-df06cee11c25.png" width="80%"/>
 
 - in your controller actions, to call: `ITokenAcquisition.GetAccessTokenOnBehalfOfUserAsync` passing the scopes for which to request a token.
 
@@ -262,6 +269,36 @@ For web apps that calls web apis, and web APIs that call downstream APIs, the co
 | `AddInMemoryTokenCaches` | `TokenCacheProviders.InMemory` | In memory token cache serialization. This implementation is great in samples. It's also good in production applications provided you don't mind if the token cache is lost when the web app is restarted. `AddInMemoryTokenCaches` takes an optional parameter of type `MsalMemoryTokenCacheOptions` that enables you to specify the duration after which the cache entry will expire unless it's used.
 | `AddSqlTokenCaches` | `TokenCacheProviders.Sql` | The token cache maintained in a SQL database. This implementation is ideal for production applications that need to keep their token caches. AddSqlTokenCaches takes a parameter of type `MsalSqlTokenCacheOptions` that let you specify the SQL connection string  
 | `AddSessionTokenCaches` | `TokenCacheProviders.Session` | The token cache is bound to the user session. This option isn't ideal if the ID token is too large because it contains too many claims as the cookie would be too large.
+| `AddDistributedTokenCaches` | `TokenCacheProviders.Distributed` | The token cache is an adapter against the ASP.NET Core `IDistributedCache` implementation, therefore enabling you to choose between a distributed memory cache, a Redis cache, or a SQL Server cache. For details about the IDistributedCache` implementations, see https://docs.microsoft.com/en-us/aspnet/core/performance/caching/distributed?view=aspnetcore-2.2#distributed-memory-cache.
+
+Examples of possible distributed cache:
+
+```CSharp
+// or use a distributed Token Cache by adding 
+    services.AddMicrosoftIdentityPlatformAuthentication(Configuration)
+            .AddMsal(new string[] { scopesToRequest })
+            .AddDistributedTokenCaches();
+
+// and then choose your implementation
+
+// For instance the distributed in memory cache (not cleared when you stop the app)
+services.AddDistributedMemoryCache()
+
+// Or a Redis cache
+services.AddStackExchangeRedisCache(options =>
+{
+ options.Configuration = "localhost";
+ options.InstanceName = "SampleInstance";
+});
+
+// Or even a SQL Server token cache
+services.AddDistributedSqlServerCache(options =>
+{
+ options.ConnectionString = _config["DistCache_ConnectionString"];
+ options.SchemaName = "dbo";
+ options.TableName = "TestCache";
+});
+```
 
 ## Other utility classes
 

Microsoft.Identity.Web/TokenCacheProviders/Distributed/DistributedTokenCacheAdapterExtension.cs

@@ -0,0 +1,49 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using Microsoft.Extensions.DependencyInjection;
+
+namespace Microsoft.Identity.Web.TokenCacheProviders.Distributed
+{
+    /// <summary>
+    /// Extension class used to add an in-memory token cache serializer to MSAL
+    /// </summary>
+    public static class DistributedTokenCacheAdapterExtension
+    {
+        /// <summary>Adds both the app and per-user in-memory token caches.</summary>
+        /// <param name="services">The services collection to add to.</param>
+        /// <param name="cacheOptions">The MSALMemoryTokenCacheOptions allows the caller to set the token cache expiration</param>
+        /// <returns></returns>
+        public static IServiceCollection AddDistributedTokenCaches(
+            this IServiceCollection services)
+        {
+            AddDistributedAppTokenCache(services);
+            AddDistributedUserTokenCache(services);
+            return services;
+        }
+
+        /// <summary>Adds the in-memory based application token cache to the service collection.</summary>
+        /// <param name="services">The services collection to add to.</param>
+        /// <param name="cacheOptions">The MSALMemoryTokenCacheOptions allows the caller to set the token cache expiration</param>
+        public static IServiceCollection AddDistributedAppTokenCache(
+            this IServiceCollection services)
+        {
+            services.AddDistributedMemoryCache();
+            services.AddSingleton<IMsalAppTokenCacheProvider, MsalAppDistributedTokenCacheProvider>();
+            return services;
+        }
+
+        /// <summary>Adds the in-memory based per user token cache to the service collection.</summary>
+        /// <param name="services">The services collection to add to.</param>
+        /// <param name="cacheOptions">The MSALMemoryTokenCacheOptions allows the caller to set the token cache expiration</param>
+        /// <returns></returns>
+        public static IServiceCollection AddDistributedUserTokenCache(
+            this IServiceCollection services)
+        {
+            services.AddDistributedMemoryCache();
+            services.AddHttpContextAccessor();
+            services.AddSingleton<IMsalUserTokenCacheProvider, MsalPerUserDistributedTokenCacheProvider>();
+            return services;
+        }
+    }
+}

Microsoft.Identity.Web/TokenCacheProviders/Distributed/MsalAppDistributedTokenCacheProvider.cs

@@ -0,0 +1,36 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System.Security.Principal;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authentication.AzureAD.UI;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Caching.Distributed;
+using Microsoft.Extensions.Caching.Memory;
+using Microsoft.Extensions.Options;
+using Microsoft.Identity.Client;
+
+namespace Microsoft.Identity.Web.TokenCacheProviders.Distributed
+{
+    /// <summary>
+    /// An implementation of token cache for Confidential clients backed by MemoryCache.
+    /// MemoryCache is useful in Api scenarios where there is no HttpContext to cache data.
+    /// </summary>
+    /// <seealso cref="https://aka.ms/msal-net-token-cache-serialization"/>
+    public class MsalAppDistributedTokenCacheProvider : MsalDistributedTokenCacheAdapter, IMsalAppTokenCacheProvider
+    {
+        public MsalAppDistributedTokenCacheProvider(IOptions<AzureADOptions> azureAdOptions,
+                                    IHttpContextAccessor httpContextAccessor,
+                                    IDistributedCache memoryCache,
+                                    IOptions<DistributedCacheEntryOptions> cacheOptions) :
+              base(azureAdOptions, httpContextAccessor, memoryCache, cacheOptions)
+        {
+
+        }
+
+        public async Task InitializeAsync(ITokenCache tokenCache)
+        {
+            await InitializeAsync(tokenCache, true).ConfigureAwait(false);
+        }
+    }
+}