Merge pull request #66 from Azure-Samples/jmprieur/Msal3.0.3-preview

Update to MSAL.NET 3.0.3-preview

Author: jmprieur

README.md

@@ -166,37 +166,56 @@ This sample shows how to use MSAL to redeem the authorization code into an acces
 The redemption takes place in the `AuthorizationCodeReceived` notification of the authorization middleware. Here there's the relevant code:
 
 ```csharp
+// Use MSAL to swap the code for an access token
+// Extract the code from the response notification
 var code = context.ProtocolMessage.Code;
-string signedInUserID = context.Ticket.Principal.FindFirst(ClaimTypes.NameIdentifier).Value;
-TokenCache userTokenCache = new MSALSessionCache(signedInUserID, context.HttpContext).GetMsalCacheInstance();
 
-ConfidentialClientApplication cca = new ConfidentialClientApplication(AzureAdB2COptions.ClientId, AzureAdB2COptions.Authority, AzureAdB2COptions.RedirectUri, new ClientCredential(AzureAdB2COptions.ClientSecret), userTokenCache, null);
+string signedInUserID = context.Principal.FindFirst(ClaimTypes.NameIdentifier).Value;
+IConfidentialClientApplication cca = ConfidentialClientApplicationBuilder.Create(AzureAdB2COptions.ClientId)
+    .WithB2CAuthority(AzureAdB2COptions.Authority)
+    .WithRedirectUri(AzureAdB2COptions.RedirectUri)
+    .WithClientSecret(AzureAdB2COptions.ClientSecret)
+    .Build();
+ new MSALStaticCache(signedInUserID, context.HttpContext).EnablePersistence(cca.UserTokenCache);
 
 try
 {
-  AuthenticationResult result = await cca.AcquireTokenByAuthorizationCodeAsync(code, AzureAdB2COptions.ApiScopes.Split(' '));
-  context.HandleCodeRedemption(result.AccessToken, result.IdToken);
+    AuthenticationResult result = await cca.AcquireTokenByAuthorizationCode(AzureAdB2COptions.ApiScopes.Split(' '), code)
+        .ExecuteAsync();
+
+
+    context.HandleCodeRedemption(result.AccessToken, result.IdToken);
+}
 ```
 
 Important things to notice:
-- The `ConfidentialClientApplication` is the primitive that MSAL uses to model the application. As such, it is initialized with the main application's coordinates.
-- `MSALSessionCache` is a sample implementation of a custom MSAL token cache, which saves tokens in the current HTTP session. In a real-life application, you would likely want to save tokens in a long lived store instead, so that you don't need to retrieve new ones more often than necessary.
-- The scope requested by `AcquireTokenByAuthorizationCodeAsync` is just the one required for invoking the API targeted by the application as part of its essential features. We'll see later that the app allows for extra scopes, but you can ignore those at this point. 
+- The `IConfidentialClientApplication` is the interface that MSAL uses to model the application. As such, it is initialized with the main application's coordinates.
+- `MSALStaticCache` is a sample implementation of a custom MSAL token cache, which saves tokens in memory. In a real-life application, you would likely want to save tokens in a long lived store instead, so that you don't need to retrieve new ones more often than necessary. For examples of such caches see [ASP.NET Core Web app tutorial | Token caches](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/2-WebApp-graph-user/2-2-TokenCache)
+- The scope requested by `AcquireTokenByAuthorizationCode` is just the one required for invoking the API targeted by the application as part of its essential features. We'll see later that the app allows for extra scopes, but you can ignore those at this point. 
 
 ### Using access tokens in the app, handling token expiration
 
 The `Api` action in the `HomeController` class demonstrates how to take advantage of MSAL for getting access to protected API easily and securely. Here there's the relevant code:
 
 ```csharp
+// Retrieve the token with the specified scopes
 var scope = AzureAdB2COptions.ApiScopes.Split(' ');
 string signedInUserID = HttpContext.User.FindFirst(ClaimTypes.NameIdentifier).Value;
-TokenCache userTokenCache = new MSALSessionCache(signedInUserID, this.HttpContext).GetMsalCacheInstance();
 
-ConfidentialClientApplication cca = new ConfidentialClientApplication(AzureAdB2COptions.ClientId, AzureAdB2COptions.Authority, AzureAdB2COptions.RedirectUri, new ClientCredential(AzureAdB2COptions.ClientSecret), userTokenCache, null);
-AuthenticationResult result = await cca.AcquireTokenSilentAsync(scope, cca.Users.FirstOrDefault(), AzureAdB2COptions.Authority, false);
+IConfidentialClientApplication cca =
+ConfidentialClientApplicationBuilder.Create(AzureAdB2COptions.ClientId)
+    .WithRedirectUri(AzureAdB2COptions.RedirectUri)
+    .WithClientSecret(AzureAdB2COptions.ClientSecret)
+    .WithB2CAuthority(AzureAdB2COptions.Authority)
+    .Build();
+new MSALStaticCache(signedInUserID, this.HttpContext).EnablePersistence(cca.UserTokenCache);
+
+var accounts = await cca.GetAccountsAsync();
+AuthenticationResult result = await cca.AcquireTokenSilent(scope, accounts.FirstOrDefault())
+    .ExecuteAsync();
 ```
 
-The idea is very simple. The code creates a new instance of `ConfidentialClientApplication` with the exact same coordinates as the ones used when redeeming the authorization code at authentication time. In particular, note that the exact same cache is used.
-That done, all you need to do is to invoke `AcquireTokenSilentAsync`, asking for the scopes you need. MSAL will look up the cache and return any cached token which match with the requirement. If such access tokens are expired or no suitable access tokens are present, but there is an associated refresh token, MSAL will automatically use that to get a new access token and return it transparently.    
+The idea is very simple. The code creates a new instance of `IConfidentialClientApplication` with the exact same coordinates as the ones used when redeeming the authorization code at authentication time. In particular, note that the exact same cache is used.
+That done, all you need to do is to invoke `AcquireTokenSilent`, asking for the scopes you need. MSAL will look up the cache and return any cached token which match with the requirement. If such access tokens are expired or no suitable access tokens are present, but there is an associated refresh token, MSAL will automatically use that to get a new access token and return it transparently.    
 
 In the case in which refresh tokens are not present or they fail to obtain a new access token, MSAL will throw `MsalUiRequiredException`. That means that in order to obtain the requested token, the user must go through an interactive experience.

WebApp-OpenIDConnect-DotNet/Controllers/HomeController.cs

@@ -44,11 +44,18 @@ public async Task<IActionResult> Api()
                 // Retrieve the token with the specified scopes
                 var scope = AzureAdB2COptions.ApiScopes.Split(' ');
                 string signedInUserID = HttpContext.User.FindFirst(ClaimTypes.NameIdentifier).Value;
-                TokenCache userTokenCache = new MSALSessionCache(signedInUserID, this.HttpContext).GetMsalCacheInstance();
-                ConfidentialClientApplication cca = new ConfidentialClientApplication(AzureAdB2COptions.ClientId, AzureAdB2COptions.Authority, AzureAdB2COptions.RedirectUri, new ClientCredential(AzureAdB2COptions.ClientSecret), userTokenCache, null);
+
+                IConfidentialClientApplication cca =
+                ConfidentialClientApplicationBuilder.Create(AzureAdB2COptions.ClientId)
+                    .WithRedirectUri(AzureAdB2COptions.RedirectUri)
+                    .WithClientSecret(AzureAdB2COptions.ClientSecret)
+                    .WithB2CAuthority(AzureAdB2COptions.Authority)
+                    .Build();
+                new MSALStaticCache(signedInUserID, this.HttpContext).EnablePersistence(cca.UserTokenCache);
 
                 var accounts = await cca.GetAccountsAsync();
-                AuthenticationResult result = await cca.AcquireTokenSilentAsync(scope, accounts.FirstOrDefault(), AzureAdB2COptions.Authority, false);
+                AuthenticationResult result = await cca.AcquireTokenSilent(scope, accounts.FirstOrDefault())
+                    .ExecuteAsync();
 
                 HttpClient client = new HttpClient();
                 HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, AzureAdB2COptions.ApiUrl);

WebApp-OpenIDConnect-DotNet/Models/MSALSessionCache.cs

@@ -2,6 +2,7 @@
 
 using System.Threading;
 using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Caching.Memory;
 
 namespace WebApp_OpenIDConnect_DotNet.Models
 {
@@ -12,7 +13,7 @@ public class MSALSessionCache
         string CacheId = string.Empty;
         HttpContext httpContext = null;
 
-        TokenCache cache = new TokenCache();
+        ITokenCache cache;
 
         public MSALSessionCache(string userId, HttpContext httpcontext)
         {
@@ -23,8 +24,9 @@ public MSALSessionCache(string userId, HttpContext httpcontext)
             Load();
         }
 
-        public TokenCache GetMsalCacheInstance()
+        public ITokenCache EnablePersistence(ITokenCache cache)
         {
+            this.cache = cache;
             cache.SetBeforeAccess(BeforeAccessNotification);
             cache.SetAfterAccess(AfterAccessNotification);
             Load();
@@ -51,7 +53,7 @@ public void Load()
             byte[] blob = httpContext.Session.Get(CacheId);
             if(blob != null)
             {
-                cache.Deserialize(blob);
+                cache.DeserializeMsalV3(blob);
             }
             SessionLock.ExitReadLock();
         }
@@ -61,7 +63,7 @@ public void Persist()
             SessionLock.EnterWriteLock();
 
             // Reflect changes in the persistent store
-            httpContext.Session.Set(CacheId, cache.Serialize());
+            httpContext.Session.Set(CacheId, cache.SerializeMsalV3());
             SessionLock.ExitWriteLock();
         }
 

WebApp-OpenIDConnect-DotNet/Models/StaticCache.cs

@@ -0,0 +1,75 @@
+using Microsoft.Identity.Client;
+
+using System.Threading;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Caching.Memory;
+using System.Collections.Generic;
+
+namespace WebApp_OpenIDConnect_DotNet.Models
+{
+    public class MSALStaticCache
+    {
+        private static Dictionary<string, byte[]> staticCache = new Dictionary<string, byte[]>();
+
+        private static ReaderWriterLockSlim SessionLock = new ReaderWriterLockSlim(LockRecursionPolicy.NoRecursion);
+        string UserId = string.Empty;
+        string CacheId = string.Empty;
+        HttpContext httpContext = null;
+
+        ITokenCache cache;
+
+        public MSALStaticCache(string userId, HttpContext httpcontext)
+        {
+            // not object, we want the SUB
+            UserId = userId;
+            CacheId = UserId + "_TokenCache";
+            httpContext = httpcontext;
+        }
+
+        public ITokenCache EnablePersistence(ITokenCache cache)
+        {
+            this.cache = cache;
+            cache.SetBeforeAccess(BeforeAccessNotification);
+            cache.SetAfterAccess(AfterAccessNotification);
+            Load();
+            return cache;
+        }
+
+        public void Load()
+        {
+            SessionLock.EnterReadLock();
+            byte[] blob = staticCache.ContainsKey(CacheId) ? staticCache[CacheId] : null ;
+            if(blob != null)
+            {
+                cache.DeserializeMsalV3(blob);
+            }
+            SessionLock.ExitReadLock();
+        }
+
+        public void Persist()
+        {
+            SessionLock.EnterWriteLock();
+
+            // Reflect changes in the persistent store
+            staticCache[CacheId] = cache.SerializeMsalV3();
+            SessionLock.ExitWriteLock();
+        }
+
+        // Triggered right before MSAL needs to access the cache.
+        // Reload the cache from the persistent store in case it changed since the last access.
+        void BeforeAccessNotification(TokenCacheNotificationArgs args)
+        {
+            Load();
+        }
+
+        // Triggered right after MSAL accessed the cache.
+        void AfterAccessNotification(TokenCacheNotificationArgs args)
+        {
+            // if the access operation resulted in a cache update
+            if (args.HasStateChanged)
+            {
+                Persist();
+            }
+        }
+    }
+}

WebApp-OpenIDConnect-DotNet/OpenIdConnectOptionsSetup.cs

@@ -107,11 +107,17 @@ public async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedContext c
                 var code = context.ProtocolMessage.Code;
 
                 string signedInUserID = context.Principal.FindFirst(ClaimTypes.NameIdentifier).Value;
-                TokenCache userTokenCache = new MSALSessionCache(signedInUserID, context.HttpContext).GetMsalCacheInstance();
-                ConfidentialClientApplication cca = new ConfidentialClientApplication(AzureAdB2COptions.ClientId, AzureAdB2COptions.Authority, AzureAdB2COptions.RedirectUri, new ClientCredential(AzureAdB2COptions.ClientSecret), userTokenCache, null);
+                IConfidentialClientApplication cca = ConfidentialClientApplicationBuilder.Create(AzureAdB2COptions.ClientId)
+                    .WithB2CAuthority(AzureAdB2COptions.Authority)
+                    .WithRedirectUri(AzureAdB2COptions.RedirectUri)
+                    .WithClientSecret(AzureAdB2COptions.ClientSecret)
+                    .Build();
+                new MSALStaticCache(signedInUserID, context.HttpContext).EnablePersistence(cca.UserTokenCache);
+
                 try
                 {
-                    AuthenticationResult result = await cca.AcquireTokenByAuthorizationCodeAsync(code, AzureAdB2COptions.ApiScopes.Split(' '));
+                    AuthenticationResult result = await cca.AcquireTokenByAuthorizationCode(AzureAdB2COptions.ApiScopes.Split(' '), code)
+                        .ExecuteAsync();
 
 
                     context.HandleCodeRedemption(result.AccessToken, result.IdToken);

WebApp-OpenIDConnect-DotNet/Startup.cs

@@ -19,6 +19,7 @@ public Startup(IHostingEnvironment env)
                 .AddJsonFile("appsettings.json", optional: false, reloadOnChange: true)
                 .AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true)
                 .AddEnvironmentVariables();
+
             Configuration = builder.Build();
         }
 
@@ -45,7 +46,8 @@ public void ConfigureServices(IServiceCollection services)
             services.AddSession(options =>
             {
                 options.IdleTimeout = TimeSpan.FromHours(1);
-                options.CookieHttpOnly = true;
+                options.Cookie.HttpOnly = true;
+                options.Cookie.IsEssential = true;
             });
 
 
@@ -54,6 +56,7 @@ public void ConfigureServices(IServiceCollection services)
         // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
         public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
         {
+            loggerFactory.AddConsole();
             loggerFactory.AddConsole(Configuration.GetSection("Logging"));
             loggerFactory.AddDebug();
 

WebApp-OpenIDConnect-DotNet/WebApp-OpenIDConnect-DotNet.csproj

@@ -1,10 +1,10 @@
-<Project Sdk="Microsoft.NET.Sdk.Web">
+<Project Sdk="Microsoft.NET.Sdk.Web">
   <PropertyGroup>
     <TargetFramework>netcoreapp2.2</TargetFramework>
     <RootNamespace>WebApp_OpenIDConnect_DotNet</RootNamespace>
   </PropertyGroup>
   <ItemGroup>
-    <PackageReference Include="Microsoft.Identity.Client" Version="2.7.1" />
+    <PackageReference Include="Microsoft.Identity.Client" Version="3.0.3-preview" />
     <PackageReference Include="Microsoft.AspNetCore" Version="2.2.0" />
     <PackageReference Include="Microsoft.AspNetCore.Authentication.Cookies" Version="2.2.0" />
     <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="2.2.0" />