Minor fixes

Kalyan Krishna · Kalyan Krishna · commit e36935f821f1 · 2019-08-13T18:07:35.000-07:00
diff --git a/5-WebApp-AuthZ/5-2-Groups/AppCreationScripts/Configure.ps1 b/5-WebApp-AuthZ/5-2-Groups/AppCreationScripts/Configure.ps1
@@ -192,8 +192,8 @@ Function ConfigureApplications
                                                   -ReplyUrls "https://localhost:44321/", "https://localhost:44321/signin-oidc", "https://localhost:44321/Account/EndSession" `
                                                   -IdentifierUris "https://$tenantName/WebApp-GroupClaims" `
                                                   -PasswordCredentials $key `
-                                                  -Oauth2AllowImplicitFlow $true `
                                                   -GroupMembershipClaims "SecurityGroup" `
+                                                  -Oauth2AllowImplicitFlow $true `
                                                   -PublicClient $False
 
    $currentAppId = $webAppAadApplication.AppId
@@ -219,7 +219,7 @@ Function ConfigureApplications
    # Add Required Resources Access (from 'webApp' to 'Microsoft Graph')
    Write-Host "Getting access from 'webApp' to 'Microsoft Graph'"
    $requiredPermissions = GetRequiredPermissions -applicationDisplayName "Microsoft Graph" `
-                                                -requiredDelegatedPermissions "Directory.Read.All" `
+                                                -requiredDelegatedPermissions "User.Read|Directory.Read.All" `
 
    $requiredResourcesAccess.Add($requiredPermissions)
 
diff --git a/5-WebApp-AuthZ/5-2-Groups/AppCreationScripts/sample.json b/5-WebApp-AuthZ/5-2-Groups/AppCreationScripts/sample.json
@@ -25,7 +25,7 @@
       "RequiredResourcesAccess": [
         {
           "Resource": "Microsoft Graph",
-          "DelegatedPermissions": [ "Directory.Read.All" ]
+          "DelegatedPermissions": [ "User.Read", "Directory.Read.All" ]
         }
       ]
     }
diff --git a/5-WebApp-AuthZ/5-2-Groups/Startup.cs b/5-WebApp-AuthZ/5-2-Groups/Startup.cs
@@ -1,4 +1,5 @@
-﻿using Microsoft.AspNetCore.Authorization;
+﻿using Microsoft.AspNetCore.Authentication.OpenIdConnect;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Http;
@@ -44,8 +45,11 @@ public void ConfigureServices(IServiceCollection services)
             // This flag ensures that the ClaimsIdentity claims collection will be built from the claims in the token
             JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
 
+            Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;
+
             // Sign-in users with the Microsoft identity platform
-            services.AddAzureAdV2Authentication(Configuration)
+            OpenIdConnectOptions openIdConnectOptions = new OpenIdConnectOptions();
+            services.AddMicrosoftIdentityPlatformAuthentication(Configuration, openIdConnectOptions)
                     .AddMsal(new string[] { "User.Read", "Directory.Read.All" })
                     .AddSessionTokenCaches();
 
diff --git a/Microsoft.Identity.Web/Resource/AadIssuerValidator.cs b/Microsoft.Identity.Web/Resource/AadIssuerValidator.cs
@@ -35,7 +35,7 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 namespace Microsoft.Identity.Web.Resource
 {
     /// <summary>
-    /// Generic class that validates token issuer from the provided Azure AD authority. Use the <see cref="AadIssuerValidatorFactory"/> to create instaces of this class.
+    /// Generic class that validates token issuer from the provided Azure AD authority. Use the <see cref="AadIssuerValidatorFactory"/> to create instances of this class.
     /// </summary>
     public class AadIssuerValidator
     {
diff --git a/Microsoft.Identity.Web/StartupHelpers.cs b/Microsoft.Identity.Web/StartupHelpers.cs
@@ -44,9 +44,45 @@ public static class StartupHelpers
         /// <param name="services">Service collection to which to add this authentication scheme</param>
         /// <param name="configuration">The Configuration object</param>
         /// <returns></returns>
-        public static IServiceCollection AddMicrosoftIdentityPlatformAuthentication(this IServiceCollection services, IConfiguration configuration)
+        public static IServiceCollection AddMicrosoftIdentityPlatformAuthentication(this IServiceCollection services, IConfiguration configuration, OpenIdConnectOptions openIdConnectOptions, string configBinderKey = "AzureAd")
         {
-            return AddAzureAdV2Authentication(services, configuration);
+            services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
+                .AddAzureAD(options => configuration.Bind(configBinderKey, options));
+
+            openIdConnectOptions.Authority = openIdConnectOptions.Authority + "/v2.0/";
+            openIdConnectOptions.TokenValidationParameters.IssuerValidator = AadIssuerValidator.GetIssuerValidator(openIdConnectOptions.Authority).Validate;
+            openIdConnectOptions.TokenValidationParameters.NameClaimType = "preferred_username";
+
+            openIdConnectOptions.Events.OnRedirectToIdentityProvider = context =>
+            {
+                var login = context.Properties.GetParameter<string>(OpenIdConnectParameterNames.LoginHint);
+                if (!string.IsNullOrWhiteSpace(login))
+                {
+                    context.ProtocolMessage.LoginHint = login;
+                    context.ProtocolMessage.DomainHint = context.Properties.GetParameter<string>(OpenIdConnectParameterNames.DomainHint);
+
+                    // delete the login_hint and domainHint from the Properties when we are done otherwise
+                    // it will take up extra space in the cookie.
+                    context.Properties.Parameters.Remove(OpenIdConnectParameterNames.LoginHint);
+                    context.Properties.Parameters.Remove(OpenIdConnectParameterNames.DomainHint);
+                }
+
+                // Additional claims
+                if (context.Properties.Items.ContainsKey(OidcConstants.AdditionalClaims))
+                {
+                    context.ProtocolMessage.SetParameter(OidcConstants.AdditionalClaims,
+                                                         context.Properties.Items[OidcConstants.AdditionalClaims]);
+                }
+
+                return Task.FromResult(0);
+            };
+
+            services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
+            {
+                options = openIdConnectOptions;
+            });
+
+            return services;
         }
 
         /// <summary>

Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@`
`25`	`25`	`"RequiredResourcesAccess": [`
`26`	`26`	`{`
`27`	`27`	`"Resource": "Microsoft Graph",`
`28`		`- "DelegatedPermissions": [ "Directory.Read.All" ]`
	`28`	`+ "DelegatedPermissions": [ "User.Read", "Directory.Read.All" ]`
`29`	`29`	`}`
`30`	`30`	`]`
`31`	`31`	`}`
Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE`
`35`	`35`	`namespace Microsoft.Identity.Web.Resource`
`36`	`36`	`{`
`37`	`37`	`/// <summary>`
`38`		`- /// Generic class that validates token issuer from the provided Azure AD authority. Use the <see cref="AadIssuerValidatorFactory"/> to create instaces of this class.`
	`38`	`+ /// Generic class that validates token issuer from the provided Azure AD authority. Use the <see cref="AadIssuerValidatorFactory"/> to create instances of this class.`
`39`	`39`	`/// </summary>`
`40`	`40`	`public class AadIssuerValidator`
`41`	`41`	`{`