Merge branch 'master' into tibre/refactor

Author: Tiago Brenck

.github/ISSUE_TEMPLATE.md

@@ -16,7 +16,7 @@ IF SUFFICIENT INFORMATION IS NOT PROVIDED VIA THE FOLLOWING TEMPLATE THE ISSUE M
 
 Please add an 'x' for the scenario(s) where you found an issue
 
-1. [ ] Web app that signs in users
+1. Web app that signs in users
    1. [ ] with a work and school account in your organization: [1-WebApp-OIDC/1-1-MyOrg](../blob/master/1-WebApp-OIDC/1-1-MyOrg)
    1. [ ] with any work and school account: [/1-WebApp-OIDC/1-2-AnyOrg](../blob/master/1-WebApp-OIDC/1-2-AnyOrg)
    1. [ ] with any work or school account or Microsoft personal account: [1-WebApp-OIDC/1-3-AnyOrgOrPersonal](../blob/master/1-WebApp-OIDC/1-3-AnyOrgOrPersonal)
@@ -27,7 +27,7 @@ Please add an 'x' for the scenario(s) where you found an issue
    1. [ ] With specific token caches: [2-WebApp-graph-user/2-2-TokenCache](../blob/master/2-WebApp-graph-user/2-2-TokenCache)
    1. [ ] Calling Microsoft Graph in national clouds: [2-WebApp-graph-user/2-4-Sovereign-Call-MSGraph](../blob/master/2-WebApp-graph-user/2-4-Sovereign-Call-MSGraph)
 1. [ ] Web app calling several APIs [3-WebApp-multi-APIs](../blob/master/3-WebApp-multi-APIs)
-1. [ ] Web app calling your own Web API
+1. [ ] Web app calling your own Web API [4-WebApp-your-API](../blob/master/4-WebApp-your-API)
 1. Web app restricting users
    1. [ ] by Roles: [5-WebApp-AuthZ/5-1-Roles](../blob/master/5-WebApp-AuthZ/5-1-Roles)
    1. [ ] by Groups: [5-WebApp-AuthZ/5-2-Groups](../blob/master/5-WebApp-AuthZ/5-2-Groups)

.gitignore

@@ -1,4 +1,4 @@
-################################################################################
+################################################################################
 # This .gitignore file was automatically created by Microsoft(R) Visual Studio.
 ################################################################################
 
@@ -35,12 +35,27 @@
 /2-WebApp-graph-user/2-3-Best-Practices/.vs
 /2-WebApp-graph-user/2-3-Best-Practices/bin
 /2-WebApp-graph-user/2-3-Best-Practices/obj
+/2-WebApp-graph-user/2-3-Multi-Tenant/.vs
+/2-WebApp-graph-user/2-3-Multi-Tenant/bin
+/2-WebApp-graph-user/2-3-Multi-Tenant/obj
+/2-WebApp-graph-user/2-4-Sovereign-Call-MSGraph/.vs
+/2-WebApp-graph-user/2-4-Sovereign-Call-MSGraph/bin
+/2-WebApp-graph-user/2-4-Sovereign-Call-MSGraph/obj
 /3-WebApp-multi-APIs/.vs
 /3-WebApp-multi-APIs/bin
 /3-WebApp-multi-APIs/obj
 /4-WebApp-your-API/.vs
 /4-WebApp-your-API/bin
 /4-WebApp-your-API/obj
+/4-WebApp-your-API/Client/.vs
+/4-WebApp-your-API/Client/bin
+/4-WebApp-your-API/Client/obj
+/5-WebApp-AuthZ/5-1-Roles/.vs
+/5-WebApp-AuthZ/5-1-Roles/bin
+/5-WebApp-AuthZ/5-1-Roles/obj
+/5-WebApp-AuthZ/5-2-Groups/.vs
+/5-WebApp-AuthZ/5-2-Groups/bin
+/5-WebApp-AuthZ/5-2-Groups/obj
 /5-WebApp-AuthZ-Roles-Groups/.vs
 /5-WebApp-AuthZ-Roles-Groups/bin
 /5-WebApp-AuthZ-Roles-Groups/obj
@@ -96,3 +111,14 @@
 /4-WebApp-your-API/TodoListService/obj
 /4-WebApp-your-API/TodoListService/bin
 /4-WebApp-your-API/Client/obj
+/2-WebApp-graph-user/2-4-Sovereign-Call-MSGraph/bin/Debug/netcoreapp2.2
+/2-WebApp-graph-user/2-4-Sovereign-Call-MSGraph/obj
+/2-WebApp-graph-user/2-4-Sovereign-Call-MSGraph/bin/Release/netcoreapp2.2
+/Microsoft.Identity.Web.Test/bin/Release/netcoreapp2.2
+/Microsoft.Identity.Web.Test/obj
+/4-WebApp-your-API/4-2-B2C/.vs
+/4-WebApp-your-API/4-2-B2C/Client/obj
+/4-WebApp-your-API/4-2-B2C/TodoListService/obj
+/2-WebApp-graph-user/2-3-Multi-Tenant/.vs/WebApp-OpenIDConnect-DotNet
+/2-WebApp-graph-user/2-3-Multi-Tenant/bin/Debug/netcoreapp2.2
+/2-WebApp-graph-user/2-3-Multi-Tenant/obj

1-WebApp-OIDC/1-1-MyOrg/Controllers/HomeController.cs

@@ -1,5 +1,6 @@
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Logging;
 using System.Diagnostics;
 using WebApp_OpenIDConnect_DotNet.Models;
 
@@ -8,20 +9,28 @@ namespace WebApp_OpenIDConnect_DotNet.Controllers
     [Authorize]
     public class HomeController : Controller
     {
-        public HomeController()
+        private readonly ILogger<HomeController> _logger;
+
+        public HomeController(ILogger<HomeController> logger)
         {
+            _logger = logger;
         }
 
         public IActionResult Index()
         {
             return View();
         }
 
+        public IActionResult Privacy()
+        {
+            return View();
+        }
+
         [AllowAnonymous]
         [ResponseCache(Duration = 0, Location = ResponseCacheLocation.None, NoStore = true)]
         public IActionResult Error()
         {
-            return View(new ErrorViewModel {RequestId = Activity.Current?.Id ?? HttpContext.TraceIdentifier});
+            return View(new ErrorViewModel { RequestId = Activity.Current?.Id ?? HttpContext.TraceIdentifier });
         }
     }
 }

1-WebApp-OIDC/1-1-MyOrg/Program.cs

@@ -1,17 +1,20 @@
-using Microsoft.AspNetCore;
-using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.Extensions.Hosting;
 
 namespace WebApp_OpenIDConnect_DotNet
 {
     public class Program
     {
         public static void Main(string[] args)
         {
-            CreateWebHostBuilder(args).Build().Run();
+            CreateHostBuilder(args).Build().Run();
         }
 
-        public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
-            WebHost.CreateDefaultBuilder(args)
-                .UseStartup<Startup>();
+        public static IHostBuilder CreateHostBuilder(string[] args) =>
+            Host.CreateDefaultBuilder(args)
+                .ConfigureWebHostDefaults(webBuilder =>
+                {
+                    webBuilder.UseStartup<Startup>();
+                });
     }
 }

1-WebApp-OIDC/1-1-MyOrg/Properties/launchSettings.json

@@ -8,20 +8,13 @@
     }
   },
   "profiles": {
-    "IIS Express": {
-      "commandName": "IISExpress",
-      "launchBrowser": true,
-      "environmentVariables": {
-        "ASPNETCORE_ENVIRONMENT": "Development"
-      }
-    },
-    "webApp": {
+    "WebApp_OpenIDConnect_DotNet": {
       "commandName": "Project",
       "launchBrowser": true,
+      "applicationUrl": "https://localhost:44366;http://localhost:3110",
       "environmentVariables": {
         "ASPNETCORE_ENVIRONMENT": "Development"
-      },
-      "applicationUrl": "http://localhost:3110/"
+      }
     }
   }
 }

1-WebApp-OIDC/1-1-MyOrg/README.md

@@ -4,18 +4,18 @@ platforms: dotnet
 author: jmprieur
 level: 100
 client: ASP.NET Core Web App
-endpoint: AAD v2.0
+endpoint: Microsoft identity platform
 ---
 
 # An ASP.NET Core Web app signing-in users with the Microsoft identity platform in your organization
 
-> This sample is for Azure AD, not Azure AD B2C. See [active-directory-b2c-dotnetcore-webapp](https://github.com/Azure-Samples/active-directory-b2c-dotnetcore-webapp), until we incorporate the B2C variation in the tutorial.
+> This sample is for Azure AD, not Azure AD B2C. See [sample 1-5-B2C](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC/1-5-B2C), for B2C scenario.
 
 [![Build status](https://identitydivision.visualstudio.com/IDDP/_apis/build/status/AAD%20Samples/.NET%20client%20samples/ASP.NET%20Core%20Web%20App%20tutorial)](https://identitydivision.visualstudio.com/IDDP/_build/latest?definitionId=819)
 
 ## Scenario
 
-This sample shows how to build a .NET Core 2.2 MVC Web app that uses OpenID Connect to sign in users. Users can only sign-in with their `work and school` accounts in their own organization. It leverages the ASP.NET Core OpenID Connect middleware.
+This sample shows how to build a .NET Core MVC Web app that uses OpenID Connect to sign in users. Users can only sign-in with their `work and school` accounts in their own organization. It leverages the ASP.NET Core OpenID Connect middleware.
 
 ![Sign in with Azure AD](ReadmeFiles/sign-in.png)
 
@@ -26,32 +26,38 @@ This sample shows how to build a .NET Core 2.2 MVC Web app that uses OpenID Conn
 
 To run this sample:
 
-> Pre-requisites: Install .NET Core 2.2 or later (for example for Windows) by following the instructions at [.NET and C# - Get Started in 10 Minutes](https://www.microsoft.com/net/core). In addition to developing on Windows, you can develop on [Linux](https://www.microsoft.com/net/core#linuxredhat), [Mac](https://www.microsoft.com/net/core#macos), or [Docker](https://www.microsoft.com/net/core#dockercmd).
+> Pre-requisites: Install .NET Core 3.0 or later (for example for Windows) by following the instructions at [.NET and C# - Get Started in 10 Minutes](https://www.microsoft.com/net/core). In addition to developing on Windows, you can develop on [Linux](https://www.microsoft.com/net/core#linuxredhat), [Mac](https://www.microsoft.com/net/core#macos), or [Docker](https://www.microsoft.com/net/core#dockercmd).
 
 ### Step 1: Register the sample with your Azure AD tenant
 
 There is one project in this sample. To register it, you can:
 
-- either use PowerShell scripts that **automatically** creates the Azure AD applications and related objects (passwords, permissions, dependencies) for you and modify the Visual Studio projects' configuration files. If you want to use this automation:
+- either use PowerShell scripts that **automatically** creates the Azure AD applications and related objects (passwords, permissions, dependencies) for you and modify the Visual Studio projects' configuration files.
 
-  1. On Windows run PowerShell and navigate to the solution's folder
-  2. In PowerShell run:
+  <details>
+  <summary>Expand to see how to use this automation</summary>
 
-     ```PowerShell
-     Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
-     ```
+    1. On Windows run PowerShell and navigate to the solution's folder
 
-  3. Run the script to create your Azure AD application and configure the code of the sample application accordinly
+    2. In PowerShell run:
 
-     ```PowerShell
-     .\AppCreationScripts\Configure.ps1
-     ```
+       ```PowerShell
+       Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
+       ```
+
+    3. Run the script to create your Azure AD application and configure the code of the sample application accordingly
+
+       ```PowerShell
+       .\AppCreationScripts\Configure.ps1
+       ```
 
-   > Other ways of running the scripts are described in [App Creation Scripts](./AppCreationScripts/AppCreationScripts.md)
+       > Other ways of running the scripts are described in [App Creation Scripts](./AppCreationScripts/AppCreationScripts.md)
 
-  4. Open the Visual Studio solution and click start. That's it!
+    4. Open the Visual Studio solution and click start. That's it!
 
-- or, if you don't want to use automation, follow the steps below:
+    </details>
+
+- or, if you want to register your application with the Azure portal, follow the steps below:
 
 #### Choose the Azure AD tenant where you want to create your applications
 
@@ -68,9 +74,23 @@ As a first step you'll need to:
 1. When the **Register an application page** appears, enter your application's registration information:
    - In the **Name** section, enter a meaningful application name that will be displayed to users of the app, for example `WebApp`.
    - In the **Supported account types** section, select **Accounts in this organizational directory only ({tenant name})**.
+     <details open=true>
+     <summary>Expand/collapse screenshot</summary>
+
+       ![Register app](../../ReadmeFiles/screenshot-register-app.png)
+
+     </details>
      > Note that there are more than one redirect URIs. You'll need to add them from the **Authentication** tab later after the app has been created succesfully.
+     
 1. Select **Register** to create the application.
 1. On the app **Overview** page, find the **Application (client) ID** value and record it for later. You'll need it to configure the Visual Studio configuration file for this project.
+   <details open=true>
+   <summary>Expand/collapse screenshot</summary>
+
+     ![OVerview page](../../ReadmeFiles/screenshot-overview.png)
+
+   </details>
+
 1. In the list of pages for the app, select **Authentication**..
    - In the Redirect URIs section, select **Web** in the combo-box and enter the following redirect URIs.
        - `https://localhost:44321/`
@@ -79,13 +99,20 @@ As a first step you'll need to:
    - In the **Advanced settings** | **Implicit grant** section, check **ID tokens** as this sample requires
      the [Implicit grant flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-implicit-grant-flow) to be enabled to
      sign-in the user.
+     <details open=true>
+     <summary>Expand/collapse screenshot</summary>
+
+       ![Authentication page](../../ReadmeFiles/screenshot-authentication.png)
+
+     </details>
+
 1. Select **Save**.
 
 > Note that unless the Web App calls a Web API, no certificate or secret is needed.
 
 ### Step 2: Download/ Clone this sample code or build the application using a template
 
-This sample was created from the dotnet core 2.2 [dotnet new mvc](https://docs.microsoft.com/dotnet/core/tools/dotnet-new?tabs=netcore2x) template with `SingleOrg` authentication, and then tweaked to let it support tokens for the Azure AD V2 endpoint. You can clone/download this repository or create the sample from the command line:
+This sample was created from the dotnet core 2.2 [dotnet new mvc](https://docs.microsoft.com/dotnet/core/tools/dotnet-new?tabs=netcore2x) template with `SingleOrg` authentication, and then tweaked to let it support tokens for the Microsoft identity platform endpoint. You can clone/download this repository or create the sample from the command line:
 
 #### Option 1: Download/ clone this sample
 
@@ -136,10 +163,10 @@ cd "1-WebApp-OIDC\1-1-MyOrg"
      by this line:
 
      ```CSharp
-      services.AddAzureAdV2Authentication(Configuration);
+      services.AddMicrosoftIdentityPlatformAuthentication(Configuration);
      ```
 
-     This enables your application to use the Microsoft identity platform (formerly Azure AD v2.0) endpoint. This endpoint is capable of signing-in users both with their Work and School and Microsoft Personal accounts.
+     This enables your application to use the Microsoft identity platform endpoint. This endpoint is capable of signing-in users both with their Work and School and Microsoft Personal accounts.
 
     1. Change the `Properties\launchSettings.json` file to ensure that you start your web app from <https://localhost:44321> as registered. For this:
     - update the `sslPort` of the `iisSettings` section to be `44321`
@@ -149,16 +176,15 @@ cd "1-WebApp-OIDC\1-1-MyOrg"
 
 1. Build the solution and run it.
 
-2. Open your web browser and make a request to the app. Accept the IIS Express SSL certificate if needed. The app immediately attempts to authenticate you via the Azure AD v2 endpoint. Sign in with your personal account or with work or school account.
-
+2. Open your web browser and make a request to the app. Accept the IIS Express SSL certificate if needed. The app immediately attempts to authenticate you via the identity platform endpoint. Sign in with your personal account or with work or school account.
 
 ## Toubleshooting
 
 ### known issue on iOS 12
 
 ASP.NET core applications create session cookies that represent the identity of the caller. Some Safari users using iOS 12 had issues which are described in [ASP.NET Core #4467](https://github.com/aspnet/AspNetCore/issues/4647) and the Web kit bugs database [Bug 188165 - iOS 12 Safari breaks ASP.NET Core 2.1 OIDC authentication](https://bugs.webkit.org/show_bug.cgi?id=188165). 
 
-If your web site needs to be accessed from users using iOS 12, you probably want to disable the SameSite protection, but also ensure that state changes are protected with CSRF anti-forgery mecanism. See the how to fix section of [Microsoft Security Advisory: iOS12 breaks social, WSFed and OIDC logins #4647](https://github.com/aspnet/AspNetCore/issues/4647)
+If your web site needs to be accessed from users using iOS 12, you probably want to disable the SameSite protection, but also ensure that state changes are protected with CSRF anti-forgery mechanism. See the how to fix section of [Microsoft Security Advisory: iOS12 breaks social, WSFed and OIDC logins #4647](https://github.com/aspnet/AspNetCore/issues/4647)
 
 > Did the sample not work for you as expected? Did you encounter issues trying this sample? Then please reach out to us using the [GitHub Issues](../../../../issues) page.
 

1-WebApp-OIDC/1-1-MyOrg/Startup.cs

@@ -1,12 +1,11 @@
-using Microsoft.AspNetCore.Authentication.AzureAD.UI;
-using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Http;
-using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.Authorization;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Hosting;
 using Microsoft.Identity.Web;
 
 namespace WebApp_OpenIDConnect_DotNet
@@ -31,20 +30,20 @@ public void ConfigureServices(IServiceCollection services)
             });
 
             // Sign-in users with the Microsoft identity platform
-            services.AddAzureAdV2Authentication(Configuration);
+            services.AddMicrosoftIdentityPlatformAuthentication(Configuration);
 
-            services.AddMvc(options =>
+            services.AddControllersWithViews(options =>
             {
                 var policy = new AuthorizationPolicyBuilder()
                     .RequireAuthenticatedUser()
                     .Build();
                 options.Filters.Add(new AuthorizeFilter(policy));
-            })
-            .SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
+            });
+           services.AddRazorPages();
         }
 
         // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
-        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
+        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
         {
             if (env.IsDevelopment())
             {
@@ -61,13 +60,17 @@ public void Configure(IApplicationBuilder app, IHostingEnvironment env)
             app.UseStaticFiles();
             app.UseCookiePolicy();
 
+            app.UseRouting();
+
             app.UseAuthentication();
+            app.UseAuthorization();
 
-            app.UseMvc(routes =>
+            app.UseEndpoints(endpoints =>
             {
-                routes.MapRoute(
+                endpoints.MapControllerRoute(
                     name: "default",
-                    template: "{controller=Home}/{action=Index}/{id?}");
+                    pattern: "{controller=Home}/{action=Index}/{id?}");
+                endpoints.MapRazorPages();
             });
         }
     }

1-WebApp-OIDC/1-1-MyOrg/Views/Home/Index.cshtml

@@ -6,7 +6,7 @@
     ASP.NET Core web app signing-in users in your organization
 </h1>
 <p>
-    This sample shows how to build a .NET Core 2.2 MVC Web app that uses OpenID Connect to sign in users in your organization. It leverages the ASP.NET Core OpenID Connect middleware.
+    This sample shows how to build a .NET Core MVC Web app that uses OpenID Connect to sign in users in your organization. It leverages the ASP.NET Core OpenID Connect middleware.
 </p>
 <img src="https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/raw/master/1-WebApp-OIDC/1-1-MyOrg/ReadmeFiles/sign-in.png
 "/>

1-WebApp-OIDC/1-1-MyOrg/Views/Shared/Error.cshtml

@@ -18,5 +18,8 @@
     Swapping to <strong>Development</strong> environment will display more detailed information about the error that occurred.
 </p>
 <p>
-    <strong>Development environment should not be enabled in deployed applications</strong>, as it can result in sensitive information from exceptions being displayed to end users. For local debugging, development environment can be enabled by setting the <strong>ASPNETCORE_ENVIRONMENT</strong> environment variable to <strong>Development</strong>, and restarting the application.
+    <strong>The Development environment shouldn't be enabled for deployed applications.</strong>
+    It can result in displaying sensitive information from exceptions to end users.
+    For local debugging, enable the <strong>Development</strong> environment by setting the <strong>ASPNETCORE_ENVIRONMENT</strong> environment variable to <strong>Development</strong>
+    and restarting the app.
 </p>