- Added Utils classes

- Updated Microsoft.Identity.Client to 3.0.8

Author: Tiago Brenck

TaskWebApp/TaskWebApp.csproj

@@ -52,8 +52,8 @@
       <HintPath>..\packages\Antlr.3.5.0.2\lib\Antlr3.Runtime.dll</HintPath>
     </Reference>
     <Reference Include="Microsoft.CSharp" />
-    <Reference Include="Microsoft.Identity.Client, Version=3.0.5.0, Culture=neutral, PublicKeyToken=0a613f4dd989e8ae, processorArchitecture=MSIL">
-      <HintPath>..\packages\Microsoft.Identity.Client.3.0.5-preview\lib\net45\Microsoft.Identity.Client.dll</HintPath>
+    <Reference Include="Microsoft.Identity.Client, Version=3.0.8.0, Culture=neutral, PublicKeyToken=0a613f4dd989e8ae, processorArchitecture=MSIL">
+      <HintPath>..\packages\Microsoft.Identity.Client.3.0.8\lib\net45\Microsoft.Identity.Client.dll</HintPath>
     </Reference>
     <Reference Include="Microsoft.IdentityModel.JsonWebTokens, Version=5.4.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
       <HintPath>..\packages\Microsoft.IdentityModel.JsonWebTokens.5.4.0\lib\net451\Microsoft.IdentityModel.JsonWebTokens.dll</HintPath>
@@ -182,6 +182,12 @@
     <Compile Include="Models\TokenCacheHelper.cs" />
     <Compile Include="Properties\AssemblyInfo.cs" />
     <Compile Include="Startup.cs" />
+    <Compile Include="Utils\ClaimsPrincipalExtension.cs" />
+    <Compile Include="Utils\Constants.cs" />
+    <Compile Include="Utils\Globals.cs" />
+    <Compile Include="Utils\MsalAppBuilder.cs" />
+    <Compile Include="Utils\MSALPerUserMemoryTokenCache.cs" />
+    <Compile Include="Utils\MSALPerUserSessionTokenCache.cs" />
   </ItemGroup>
   <ItemGroup>
     <Content Include="Content\bootstrap.css" />

TaskWebApp/Utils/ClaimsPrincipalExtension.cs

@@ -0,0 +1,62 @@
+using Microsoft.Identity.Client;
+using System.Security.Claims;
+
+namespace TaskWebApp.Utils
+{
+    public static class ClaimsPrincipalExtension
+    {
+        /// <summary>
+        /// Get the Account identifier for an MSAL.NET account from a ClaimsPrincipal
+        /// </summary>
+        /// <param name="claimsPrincipal">Claims principal</param>
+        /// <returns>A string corresponding to an account identifier as defined in <see cref="Microsoft.Identity.Client.AccountId.Identifier"/></returns>
+        public static string GetMsalAccountId(this ClaimsPrincipal claimsPrincipal)
+        {
+			string userObjectId = GetObjectId(claimsPrincipal);
+			string tenantId = "775527ff-9a37-4307-8b3d-cc311f58d925"; //TODO: FIX THIS
+
+			if (!string.IsNullOrWhiteSpace(userObjectId) && !string.IsNullOrWhiteSpace(tenantId))
+			{
+				return $"{userObjectId}.{tenantId}";
+			}
+
+			return null;
+		}
+
+		/// <summary>
+		/// Get the unique object ID associated with the claimsPrincipal
+		/// </summary>
+		/// <param name="claimsPrincipal">Claims principal from which to retrieve the unique object id</param>
+		/// <returns>Unique object ID of the identity, or <c>null</c> if it cannot be found</returns>
+		public static string GetObjectId(this ClaimsPrincipal claimsPrincipal)
+        {
+            var objIdclaim = claimsPrincipal.FindFirst(ClaimConstants.ObjectId);
+
+            if (objIdclaim == null)
+            {
+                objIdclaim = claimsPrincipal.FindFirst("oid");
+            }
+
+            return objIdclaim != null ? objIdclaim.Value : string.Empty;
+        }
+
+        /// <summary>
+        /// Builds a ClaimsPrincipal from an IAccount
+        /// </summary>
+        /// <param name="account">The IAccount instance.</param>
+        /// <returns>A ClaimsPrincipal built from IAccount</returns>
+        public static ClaimsPrincipal ToClaimsPrincipal(this IAccount account)
+        {
+            if (account != null)
+            {
+                var identity = new ClaimsIdentity();
+                identity.AddClaim(new Claim(ClaimConstants.ObjectId, account.HomeAccountId.ObjectId));
+                identity.AddClaim(new Claim(ClaimConstants.TenantId, account.HomeAccountId.TenantId));
+                identity.AddClaim(new Claim(ClaimTypes.Upn, account.Username));
+                return new ClaimsPrincipal(identity);
+            }
+
+            return null;
+        }
+    }
+}

TaskWebApp/Utils/Constants.cs

@@ -0,0 +1,36 @@
+/************************************************************************************************
+The MIT License (MIT)
+
+Copyright (c) 2015 Microsoft Corporation
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+***********************************************************************************************/
+
+namespace TaskWebApp.Utils
+{
+    /// <summary>
+    /// claim keys constants
+    /// </summary>
+    public static class ClaimConstants
+    {
+        public const string ObjectId = "http://schemas.microsoft.com/identity/claims/objectidentifier";
+        public const string TenantId = "http://schemas.microsoft.com/identity/claims/tenantid";
+        public const string tid = "tid";
+    }
+}

TaskWebApp/Utils/Globals.cs

@@ -0,0 +1,40 @@
+using System;
+using System.Collections.Generic;
+using System.Configuration;
+using System.Linq;
+using System.Web;
+
+namespace TaskWebApp.Utils
+{
+    public static class Globals
+    {
+        // App config settings
+        public static string ClientId = ConfigurationManager.AppSettings["ida:ClientId"];
+        public static string ClientSecret = ConfigurationManager.AppSettings["ida:ClientSecret"];
+        public static string AadInstance = ConfigurationManager.AppSettings["ida:AadInstance"];
+        public static string Tenant = ConfigurationManager.AppSettings["ida:Tenant"];
+        public static string RedirectUri = ConfigurationManager.AppSettings["ida:RedirectUri"];
+        public static string ServiceUrl = ConfigurationManager.AppSettings["api:TaskServiceUrl"];
+
+        // B2C policy identifiers
+        public static string SignUpSignInPolicyId = ConfigurationManager.AppSettings["ida:SignUpSignInPolicyId"];
+        public static string EditProfilePolicyId = ConfigurationManager.AppSettings["ida:EditProfilePolicyId"];
+        public static string ResetPasswordPolicyId = ConfigurationManager.AppSettings["ida:ResetPasswordPolicyId"];
+
+        public static string DefaultPolicy = SignUpSignInPolicyId;
+
+        // API Scopes
+        public static string ApiIdentifier = ConfigurationManager.AppSettings["api:ApiIdentifier"];
+        public static string ReadTasksScope = ApiIdentifier + ConfigurationManager.AppSettings["api:ReadScope"];
+        public static string WriteTasksScope = ApiIdentifier + ConfigurationManager.AppSettings["api:WriteScope"];
+        public static string[] Scopes = new string[] { ReadTasksScope, WriteTasksScope };
+
+        // OWIN auth middleware constants
+        public const string ObjectIdElement = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier";
+
+        // Authorities
+        public static string B2CAuthority = string.Format(AadInstance, Tenant, DefaultPolicy);
+        public static string WellKnownMetadata = $"{AadInstance}/v2.0/.well-known/openid-configuration";
+
+    }
+}

TaskWebApp/Utils/MSALPerUserMemoryTokenCache.cs

@@ -0,0 +1,202 @@
+/************************************************************************************************
+The MIT License (MIT)
+
+Copyright (c) 2015 Microsoft Corporation
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+***********************************************************************************************/
+
+using Microsoft.Identity.Client;
+using System;
+using System.Runtime.Caching;
+using System.Security.Claims;
+
+namespace TaskWebApp.Utils
+{
+	public class MSALPerUserMemoryTokenCache
+	{
+		/// <summary>
+		/// The backing MemoryCache instance
+		/// </summary>
+		internal readonly MemoryCache memoryCache = MemoryCache.Default;
+
+		/// <summary>
+		/// The duration till the tokens are kept in memory cache. In production, a higher value, upto 90 days is recommended.
+		/// </summary>
+		private readonly DateTimeOffset cacheDuration = DateTimeOffset.Now.AddHours(48);
+
+		/// <summary>
+		/// The internal handle to the client's instance of the Cache
+		/// </summary>
+		private ITokenCache UserTokenCache;
+
+		/// <summary>
+		/// Once the user signes in, this will not be null and can be ontained via a call to Thread.CurrentPrincipal
+		/// </summary>
+		internal ClaimsPrincipal SignedInUser;
+
+		/// <summary>
+		/// Initializes a new instance of the <see cref="MSALPerUserMemoryTokenCache"/> class.
+		/// </summary>
+		/// <param name="tokenCache">The client's instance of the token cache.</param>
+		public MSALPerUserMemoryTokenCache(ITokenCache tokenCache)
+		{
+			this.Initialize(tokenCache, ClaimsPrincipal.Current);
+		}
+
+		/// <summary>
+		/// Initializes a new instance of the <see cref="MSALPerUserMemoryTokenCache"/> class.
+		/// </summary>
+		/// <param name="tokenCache">The client's instance of the token cache.</param>
+		/// <param name="user">The signed-in user for whom the cache needs to be established.</param>
+		public MSALPerUserMemoryTokenCache(ITokenCache tokenCache, ClaimsPrincipal user)
+		{
+			this.Initialize(tokenCache, user);
+		}
+
+		/// <summary>
+		/// Explores the Claims of a signed-in user (if available) to populate the unique Id of this cache's instance.
+		/// </summary>
+		/// <returns>The signed in user's object Id , if available in the ClaimsPrincipal.Current instance</returns>
+		private string GetSignedInUsersUniqueId()
+		{
+			return ClaimsPrincipal.Current?.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value;
+		}
+
+		/// <summary>Initializes the cache instance</summary>
+		/// <param name="tokenCache">The ITokenCache passed through the constructor</param>
+		/// <param name="user">The signed-in user for whom the cache needs to be established..</param>
+		private void Initialize(ITokenCache tokenCache, ClaimsPrincipal user)
+		{
+			this.SignedInUser = user;
+
+			this.UserTokenCache = tokenCache;
+			this.UserTokenCache.SetBeforeAccess(this.UserTokenCacheBeforeAccessNotification);
+			this.UserTokenCache.SetAfterAccess(this.UserTokenCacheAfterAccessNotification);
+			this.UserTokenCache.SetBeforeWrite(this.UserTokenCacheBeforeWriteNotification);
+
+			if (this.SignedInUser == null)
+			{
+				// No users signed in yet, so we return
+				return;
+			}
+
+			this.LoadUserTokenCacheFromMemory();
+		}
+
+		/// <summary>
+		/// Explores the Claims of a signed-in user (if available) to populate the unique Id of this cache's instance.
+		/// </summary>
+		/// <returns>The signed in user's object.tenant Id , if available in the ClaimsPrincipal.Current instance</returns>
+		internal string GetMsalAccountId()
+		{
+			if (this.SignedInUser != null)
+			{
+				return this.SignedInUser.GetMsalAccountId();
+			}
+			return null;
+		}
+
+		/// <summary>
+		/// Loads the user token cache from memory.
+		/// </summary>
+		private void LoadUserTokenCacheFromMemory()
+		{
+			string cacheKey = this.GetMsalAccountId();
+
+			if (string.IsNullOrWhiteSpace(cacheKey))
+				return;
+
+			// Ideally, methods that load and persist should be thread safe. MemoryCache.Get() is thread safe.
+			byte[] tokenCacheBytes = (byte[])this.memoryCache.Get(this.GetMsalAccountId());
+			this.UserTokenCache.DeserializeMsalV3(tokenCacheBytes);
+		}
+
+		/// <summary>
+		/// Persists the user token blob to the memoryCache.
+		/// </summary>
+		private void PersistUserTokenCache()
+		{
+			string cacheKey = this.GetMsalAccountId();
+
+			if (string.IsNullOrWhiteSpace(cacheKey))
+				return;
+
+			// Ideally, methods that load and persist should be thread safe.MemoryCache.Get() is thread safe.
+			this.memoryCache.Set(this.GetMsalAccountId(), this.UserTokenCache.SerializeMsalV3(), this.cacheDuration);
+		}
+
+		/// <summary>
+		/// Clears the TokenCache's copy of this user's cache.
+		/// </summary>
+		public void Clear()
+		{
+			this.memoryCache.Remove(this.GetMsalAccountId());
+
+			// Nulls the currently deserialized instance
+			this.LoadUserTokenCacheFromMemory();
+		}
+
+		/// <summary>
+		/// Triggered right after MSAL accessed the cache.
+		/// </summary>
+		/// <param name="args">Contains parameters used by the MSAL call accessing the cache.</param>
+		private void UserTokenCacheAfterAccessNotification(TokenCacheNotificationArgs args)
+		{
+			this.SetSignedInUserFromNotificationArgs(args);
+
+			// if the access operation resulted in a cache update
+			if (args.HasStateChanged)
+			{
+				this.PersistUserTokenCache();
+			}
+		}
+
+		/// <summary>
+		/// Triggered right before MSAL needs to access the cache. Reload the cache from the persistence store in case it changed since the last access.
+		/// </summary>
+		/// <param name="args">Contains parameters used by the MSAL call accessing the cache.</param>
+		private void UserTokenCacheBeforeAccessNotification(TokenCacheNotificationArgs args)
+		{
+			this.LoadUserTokenCacheFromMemory();
+		}
+
+		/// <summary>
+		/// if you want to ensure that no concurrent write take place, use this notification to place a lock on the entry
+		/// </summary>
+		/// <param name="args">Contains parameters used by the MSAL call accessing the cache.</param>
+		private void UserTokenCacheBeforeWriteNotification(TokenCacheNotificationArgs args)
+		{
+			// Since we are using a MemoryCache ,whose methods are threads safe, we need not to do anything in this handler.
+		}
+
+		/// <summary>
+		/// To keep the cache, ClaimsPrincipal and Sql in sync, we ensure that the user's object Id we obtained by MSAL after
+		/// successful sign-in is set as the key for the cache.
+		/// </summary>
+		/// <param name="args">Contains parameters used by the MSAL call accessing the cache.</param>
+		private void SetSignedInUserFromNotificationArgs(TokenCacheNotificationArgs args)
+		{
+			if (this.SignedInUser == null && args.Account != null)
+			{
+				this.SignedInUser = args.Account.ToClaimsPrincipal();
+			}
+		}
+	}
+}