Removed unnecessary optimization from the Sql cache provider

Author: Kalyan Krishna

2-WebApp-graph-user/2-2-TokenCache/AppCreationScripts/Cleanup.ps1

@@ -9,7 +9,7 @@ if ($null -eq (Get-Module -ListAvailable -Name "AzureAD")) {
     Install-Module "AzureAD" -Scope CurrentUser 
 } 
 Import-Module AzureAD
-$ErrorActionPreference = 'Stop'
+$ErrorActionPreference = "Stop"
 
 Function Cleanup
 {

2-WebApp-graph-user/2-2-TokenCache/AppCreationScripts/Configure.ps1

@@ -65,7 +65,7 @@ Function AddResourcePermission($requiredAccess, `
 }
 
 #
-# Exemple: GetRequiredPermissions "Microsoft Graph"  "Graph.Read|User.Read"
+# Example: GetRequiredPermissions "Microsoft Graph"  "Graph.Read|User.Read"
 # See also: http://stackoverflow.com/questions/42164581/how-to-configure-a-new-azure-ad-application-through-powershell
 Function GetRequiredPermissions([string] $applicationDisplayName, [string] $requiredDelegatedPermissions, [string]$requiredApplicationPermissions, $servicePrincipal)
 {
@@ -134,18 +134,18 @@ Function UpdateTextFile([string] $configFilePath, [System.Collections.HashTable]
     Set-Content -Path $configFilePath -Value $lines -Force
 }
 
-
 Set-Content -Value "<html><body><table>" -Path createdApps.html
 Add-Content -Value "<thead><tr><th>Application</th><th>AppId</th><th>Url in the Azure portal</th></tr></thead><tbody>" -Path createdApps.html
 
+$ErrorActionPreference = "Stop"
+
 Function ConfigureApplications
 {
 <#.Description
    This function creates the Azure AD applications for the sample in the provided Azure AD tenant and updates the
    configuration files in the client and service project  of the visual studio solution (App.Config and Web.Config)
    so that they are consistent with the Applications parameters
 #> 
-
     $commonendpoint = "common"
 
     # $tenantId is the Active Directory Tenant. This is a GUID which represents the "Directory ID" of the AzureAD tenant
@@ -177,7 +177,7 @@ Function ConfigureApplications
     $tenant = Get-AzureADTenantDetail
     $tenantName =  ($tenant.VerifiedDomains | Where { $_._Default -eq $True }).Name
 
-    # Get the user running the script
+    # Get the user running the script to add the user as the app owner
     $user = Get-AzureADUser -ObjectId $creds.Account.Id
 
    # Create the webApp AAD application
@@ -187,6 +187,7 @@ Function ConfigureApplications
    $fromDate = [DateTime]::Now;
    $key = CreateAppKey -fromDate $fromDate -durationInYears 2 -pw $pw
    $webAppAppKey = $pw
+   # create the application 
    $webAppAadApplication = New-AzureADApplication -DisplayName "WebApp-OpenIDConnect-DotNet-code-v2" `
                                                   -HomePage "https://localhost:44321/" `
                                                   -LogoutUrl "https://localhost:44321/signout-oidc" `
@@ -197,6 +198,7 @@ Function ConfigureApplications
                                                   -Oauth2AllowImplicitFlow $true `
                                                   -PublicClient $False
 
+   # create the service principal of the newly created application 
    $currentAppId = $webAppAadApplication.AppId
    $webAppServicePrincipal = New-AzureADServicePrincipal -AppId $currentAppId -Tags {WindowsAzureActiveDirectoryIntegratedApp}
 
@@ -225,7 +227,6 @@ Function ConfigureApplications
 
    $requiredResourcesAccess.Add($requiredPermissions)
 
-
    Set-AzureADApplication -ObjectId $webAppAadApplication.ObjectId -RequiredResourceAccess $requiredResourcesAccess
    Write-Host "Granted permissions."
 
@@ -241,7 +242,8 @@ Function ConfigureApplications
 # Pre-requisites
 if ((Get-Module -ListAvailable -Name "AzureAD") -eq $null) { 
     Install-Module "AzureAD" -Scope CurrentUser 
-} 
+}
+
 Import-Module AzureAD
 
 # Run interactively (will ask you for the tenant ID)

2-WebApp-graph-user/2-2-TokenCache/AppCreationScripts/sample.json

@@ -1,6 +1,6 @@
 {
   "Sample": {
-    "Title": "Using the Microsoft identity platform to call the Microsoft Graph API from an An ASP.NET Core 2.x Web App, on behalf of a user signing-in using their work and school or Microsoft personal account",
+    "Title": "Using the Microsoft identity platform to call the Microsoft Graph API from an a ASP.NET Core 2.x Web App, on behalf of a user signing-in using their work and school or Microsoft personal account",
     "Level": 200,
     "Client": "ASP.NET Core 2.x Web App",
     "Service": "Microsoft Graph",

2-WebApp-graph-user/2-2-TokenCache/appsettings.json

@@ -17,7 +17,7 @@
       "TokenCacheDbConnStr": "Data Source=(LocalDb)\\MSSQLLocalDB;Database=MY_TOKEN_CACHE_DATABASE;Trusted_Connection=True;"
   */
   "ConnectionStrings": {
-    "TokenCacheDbConnStr": "[Enter the Sql server connection string, e.g. Server=MY_SQL_SERVER;Database=MY_TOKEN_CACHE_DATABASE;Trusted_Connection=True;"
+    "TokenCacheDbConnStr": "[Enter the Sql server connection string, e.g. Server=MY_SQL_SERVER;Database=MsalTokenCacheDatabase;Trusted_Connection=True;"
   },
   "Logging": {
     "LogLevel": {

Microsoft.Identity.Web/TokenAcquisition.cs

@@ -69,11 +69,11 @@ public TokenAcquisition(
         };
 
         /// <summary>
-        /// This handler is executed after authorization code is received (once the user signs-in and consents) during the 
-        /// <a href='https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow'>Authorization code flow grant flow</a> in a web app. 
+        /// This handler is executed after authorization code is received (once the user signs-in and consents) during the
+        /// <a href='https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow'>Authorization code flow grant flow</a> in a web app.
         /// It uses the code to request an access token from the Microsoft Identity platform and caches the tokens and an entry about the signed-in user's account in the MSAL's token cache.
-        /// The access token (and refresh token) provided in the <see cref="AuthorizationCodeReceivedContext"/>, once added to the cache, are then used to acquire more tokens using the 
-        /// <a href='https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow'>on-behalf-of flow</a> for the signed-in user's account, 
+        /// The access token (and refresh token) provided in the <see cref="AuthorizationCodeReceivedContext"/>, once added to the cache, are then used to acquire more tokens using the
+        /// <a href='https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow'>on-behalf-of flow</a> for the signed-in user's account,
         /// in order to call to downstream APIs.
         /// </summary>
         /// <param name="context">The context used when an 'AuthorizationCode' is received over the OpenIdConnect protocol.</param>
@@ -117,7 +117,7 @@ public async Task AddAccountToCacheFromAuthorizationCodeAsync(AuthorizationCodeR
                 // race condition ending-up in an error from Azure AD telling "code already redeemed")
                 context.HandleCodeRedemption();
 
-                // The cache will need the claims from the ID token. 
+                // The cache will need the claims from the ID token.
                 // If they are not yet in the HttpContext.User's claims, so adding them here.
                 if (!context.HttpContext.User.Claims.Any())
                 {
@@ -146,7 +146,7 @@ public async Task AddAccountToCacheFromAuthorizationCodeAsync(AuthorizationCodeR
 
         /// <summary>
         /// Typically used from a Web App or WebAPI controller, this method retrieves an access token
-        /// for a downstream API using the <a href='https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow'>on-behalf-of flow</a> 
+        /// for a downstream API using the <a href='https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow'>on-behalf-of flow</a>
         /// for the user account that is ascertained from claims are provided in the <see cref="HttpContext.User"/> instance of the <paramref name="context"/> parameter
         /// </summary>
         /// <param name="scopes">Scopes to request for the downstream API to call</param>
@@ -287,8 +287,6 @@ public async Task RemoveAccountAsync(RedirectContext context)
             }
         }
 
-
-
         /// <summary>
         /// Creates an MSAL Confidential client application if needed
         /// </summary>
@@ -450,9 +448,9 @@ private async Task AddAccountToCacheFromJwtAsync(IEnumerable<string> scopes, Jwt
         }
 
         /// <summary>
-        /// Used by Web APIs, which cannot interact with the user, when they run into a situation where user consent is required for additional scopes. 
-        /// This method appends in the HttpResponse being sent back to the client, a 403 (forbidden) status code and populates the 'WWW-Authenticate' header with additional information. 
-        /// The client, when it receives the 403 code with this header, can use the additional information provided in the header to trigger an interaction with the user where the user 
+        /// Used by Web APIs, which cannot interact with the user, when they run into a situation where user consent is required for additional scopes.
+        /// This method appends in the HttpResponse being sent back to the client, a 403 (forbidden) status code and populates the 'WWW-Authenticate' header with additional information.
+        /// The client, when it receives the 403 code with this header, can use the additional information provided in the header to trigger an interaction with the user where the user
         /// can then consent to additional scopes.
         /// </summary>
         /// <param name="scopes">The additional scopes that the user needs to consent to</param>

Microsoft.Identity.Web/TokenCacheProviders/Distributed/MsalAppDistributedTokenCacheProvider.cs

@@ -13,7 +13,7 @@
 namespace Microsoft.Identity.Web.TokenCacheProviders.Distributed
 {
     /// <summary>
-    /// An implementation of token cache for Confidential clients backed by MemoryCache.
+    /// An implementation of token cache for Confidential clients backed by a IDistributedCache .
     /// MemoryCache is useful in Api scenarios where there is no HttpContext to cache data.
     /// </summary>
     /// <seealso cref="https://aka.ms/msal-net-token-cache-serialization"/>

Microsoft.Identity.Web/TokenCacheProviders/MsalAbstractTokenCacheProvider.cs

@@ -9,6 +9,8 @@
 
 namespace Microsoft.Identity.Web.TokenCacheProviders
 {
+    /// <summary></summary>
+    /// <seealso cref="Microsoft.Identity.Web.TokenCacheProviders.IMsalTokenCacheProvider" />
     public abstract class MsalAbstractTokenCacheProvider : IMsalTokenCacheProvider
     {
         /// <summary>
@@ -113,6 +115,7 @@ public async Task ClearAsync()
         }
 
         protected abstract Task WriteCacheBytesAsync(string cacheKey, byte[] bytes);
+
         protected abstract Task<byte[]> ReadCacheBytesAsync(string cacheKey);
 
         protected abstract Task RemoveKeyAsync(string cacheKey);

Microsoft.Identity.Web/TokenCacheProviders/Sql/MsalSqlTokenCacheProvider.cs

@@ -27,77 +27,61 @@ public MsalSqlTokenCacheProvider(IHttpContextAccessor httpContextAccessor, Token
         private readonly TokenCacheDbContext _tokenCacheDb;
 
         /// <summary>
-        /// This keeps the latest copy of the token in memory to save calls to DB, if possible.
+        /// This keeps the latest copy of the token in memory ..
         /// </summary>
-        private TokenCacheDbRecord _inMemoryCache;
+        private TokenCacheDbRecord _cacheDbRecord;
 
         /// <summary>
         /// The data protector
         /// </summary>
         private readonly IDataProtector _dataProtector;
 
 
-        protected override async Task<byte[]> ReadCacheBytesAsync(string cacheKey)
+        protected override Task<byte[]> ReadCacheBytesAsync(string cacheKey)
         {
-            if (_inMemoryCache == null) // first time access
+            try
             {
-                try
-                {
-                    _inMemoryCache = GetLatestRecordQuery(cacheKey).FirstOrDefault();
-                }
-                catch (SqlException ex) when (ex.Message == "Invalid object name 'Records'")
-                {
-                    // Microsoft.Identity.Web changed from several tables (AppTokenCache, UserTokenCache) to one table (record)
-                    // If you care about the cache, you can migrate them, otherwise re-create the database
-                    throw new Exception("You need to migrate the AppTokenCache and UserTokenCache tables to Records, or run SqlTokenCacheProviderExtension.CreateTokenCachingTablesInSqlDatabase() to create the database", ex);
-                }
-                catch (SqlException ex) when (ex.Message.StartsWith("Cannot open database \"MY_TOKEN_CACHE_DATABASE\" requested by the login."))
-                {
-                    throw new Exception("You need to run SqlTokenCacheProviderExtension.CreateTokenCachingTablesInSqlDatabase() to create the database", ex);
-                }
+                _cacheDbRecord = GetLatestRecordQuery(cacheKey).FirstOrDefault();
             }
-            else
+            catch (SqlException ex) when (ex.Message == "Invalid object name 'Records'")
             {
-                // retrieve last written record from the DB
-                var lastwriteInDb = GetLatestRecordQuery(cacheKey).Select(n => n.LastWrite).FirstOrDefault();
-
-                // if the persisted copy is newer than the in-memory copy
-                if (lastwriteInDb > _inMemoryCache.LastWrite)
-                {
-                    // read from from storage, update in-memory copy
-                    _inMemoryCache = GetLatestRecordQuery(cacheKey).FirstOrDefault();
-                }
+                // Microsoft.Identity.Web changed from several tables (AppTokenCache, UserTokenCache) to one table (record)
+                // If you care about the cache, you can migrate them, otherwise re-create the database
+                throw new Exception("You need to migrate the AppTokenCache and UserTokenCache tables to Records, or run SqlTokenCacheProviderExtension.CreateTokenCachingTablesInSqlDatabase() to create the database", ex);
+            }
+            catch (SqlException ex) when (ex.Message.StartsWith("Cannot open database"))
+            {
+                throw new Exception("You need to run SqlTokenCacheProviderExtension.CreateTokenCachingTablesInSqlDatabase() to create the database", ex);
             }
 
             // Send data to the TokenCache instance
-            return (_inMemoryCache == null) ? null : _dataProtector.Unprotect(_inMemoryCache.CacheBits);
+            return Task.FromResult((_cacheDbRecord == null) ? null : _dataProtector.Unprotect(_cacheDbRecord.CacheBits));
         }
 
-        protected override Task RemoveKeyAsync(string cacheKey)
+        protected override async Task RemoveKeyAsync(string cacheKey)
         {
             var cacheEntries = _tokenCacheDb.Records.Where(c => c.CacheKey == cacheKey);
             _tokenCacheDb.Records.RemoveRange(cacheEntries);
-            _tokenCacheDb.SaveChanges();
-            return Task.CompletedTask;
+            await _tokenCacheDb.SaveChangesAsync();
         }
 
         protected override async Task WriteCacheBytesAsync(string cacheKey, byte[] bytes)
         {
-            if (_inMemoryCache == null)
+            if (_cacheDbRecord == null)
             {
-                _inMemoryCache = new TokenCacheDbRecord
+                _cacheDbRecord = new TokenCacheDbRecord
                 {
                     CacheKey = cacheKey
                 };
             }
 
-            _inMemoryCache.CacheBits = _dataProtector.Protect(bytes);
-            _inMemoryCache.LastWrite = DateTime.Now;
+            _cacheDbRecord.CacheBits = _dataProtector.Protect(bytes);
+            _cacheDbRecord.LastWrite = DateTime.Now;
 
             try
             {
                 // Update the DB and the lastwrite
-                _tokenCacheDb.Entry(_inMemoryCache).State = _inMemoryCache.TokenCacheId == 0 ? EntityState.Added : EntityState.Modified;
+                _tokenCacheDb.Entry(_cacheDbRecord).State = _cacheDbRecord.TokenCacheId == 0 ? EntityState.Added : EntityState.Modified;
                 _tokenCacheDb.SaveChanges();
             }
             catch (DbUpdateConcurrencyException)
@@ -109,7 +93,7 @@ protected override async Task WriteCacheBytesAsync(string cacheKey, byte[] bytes
 
         private IOrderedQueryable<TokenCacheDbRecord> GetLatestRecordQuery(string cacheKey)
         {
-                return _tokenCacheDb.Records.Where(c => c.CacheKey == cacheKey).OrderByDescending(d => d.LastWrite);
+            return _tokenCacheDb.Records.Where(c => c.CacheKey == cacheKey).OrderByDescending(d => d.LastWrite);
         }
     }
 }

Microsoft.Identity.Web/WebApiServiceCollectionExtensions.cs

@@ -113,7 +113,7 @@ public static IServiceCollection AddProtectedApiCallsWebApis(
             this IServiceCollection services,
             IConfiguration configuration,
             IEnumerable<string> scopes = null,
-            string configSectionName = "AzureAD")
+            string configSectionName = "AzureAd")
         {
             services.AddTokenAcquisition();
             services.AddHttpContextAccessor();