Merge pull request #75 from Azure-Samples/jmprieur/syncMicrosoftIdentityWeb

Syncing Microsoft.Identity.Web content with ASP.NET Core web app tutorial

Author: jmprieur

Microsoft.Identity.Web/ClaimConstants.cs

@@ -35,5 +35,7 @@ public static class ClaimConstants
         public const string PreferredUserName = "preferred_username";
         public const string TenantId = "http://schemas.microsoft.com/identity/claims/tenantid";
         public const string Tid = "tid";
+        public const string Scope = "http://schemas.microsoft.com/identity/claims/scope";
+        public const string Roles = "roles";
     }
 }

Microsoft.Identity.Web/ClaimPrincipalExtension.cs

@@ -87,7 +87,7 @@ public static string GetLoginHint(this ClaimsPrincipal claimsPrincipal)
         /// <summary>
         /// Gets the domain-hint associated with an identity
         /// </summary>
-        /// <param name="claimsPrincipal">Identity for which to compte the domain-hint</param>
+        /// <param name="claimsPrincipal">Identity for which to compute the domain-hint</param>
         /// <returns>domain-hint for the identity, or <c>null</c> if it cannot be found</returns>
         public static string GetDomainHint(this ClaimsPrincipal claimsPrincipal)
         {

Microsoft.Identity.Web/Client/ITokenAcquisition.cs

@@ -19,7 +19,7 @@ public interface ITokenAcquisition
         /// From the configuration of the Authentication of the ASP.NET Core Web API: 
         /// <code>OpenIdConnectOptions options;</code>
         /// 
-        /// Subscribe to the authorization code recieved event:
+        /// Subscribe to the authorization code received event:
         /// <code>
         ///  options.Events = new OpenIdConnectEvents();
         ///  options.Events.OnAuthorizationCodeReceived = OnAuthorizationCodeReceived;

Microsoft.Identity.Web/Client/MsalUiRequiredExceptionFilterAttribute.cs

@@ -1,19 +1,19 @@
-using System.Collections.Generic;
-using System.Linq;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.Filters;
 using Microsoft.Identity.Client;
 using Microsoft.IdentityModel.Protocols.OpenIdConnect;
+using System.Collections.Generic;
+using System.Linq;
 
 namespace Microsoft.Identity.Web.Client
 {
     /// <summary>
     /// Filter used on a controller action to trigger an incremental consent.
     /// </summary>
     /// <example>
-    /// The following controller action will trigger 
+    /// The following controller action will trigger
     /// <code>
     /// [MsalUiRequiredExceptionFilter(Scopes = new[] {"Mail.Send"})]
     /// public async Task<IActionResult> SendEmail()
@@ -24,7 +24,7 @@ namespace Microsoft.Identity.Web.Client
     public class MsalUiRequiredExceptionFilterAttribute : ExceptionFilterAttribute
     {
         public string[] Scopes { get; set; }
-        
+
         public override void OnException(ExceptionContext context)
         {
             MsalUiRequiredException msalUiRequiredException = context.Exception as MsalUiRequiredException;
@@ -33,7 +33,7 @@ public override void OnException(ExceptionContext context)
                 msalUiRequiredException = context.Exception?.InnerException as MsalUiRequiredException;
             }
 
-            if (msalUiRequiredException!=null)
+            if (msalUiRequiredException != null)
             {
                 if (CanBeSolvedByReSignInUser(msalUiRequiredException))
                 {
@@ -42,10 +42,10 @@ public override void OnException(ExceptionContext context)
                     context.Result = new ChallengeResult(properties);
                 }
             }
-            
+
             base.OnException(context);
         }
-        
+
         private bool CanBeSolvedByReSignInUser(MsalUiRequiredException ex)
         {
             // ex.ErrorCode != MsalUiRequiredException.UserNullError indicates a cache problem.
@@ -61,7 +61,7 @@ private bool CanBeSolvedByReSignInUser(MsalUiRequiredException ex)
         /// Build Authentication properties needed for an incremental consent.
         /// </summary>
         /// <param name="scopes">Scopes to request</param>
-        /// <param name="ex">ui is present</param>
+        /// <param name="ex">MsalUiRequiredException instance</param>
         /// <param name="context">current http context in the pipeline</param>
         /// <returns>AuthenticationProperties</returns>
         private AuthenticationProperties BuildAuthenticationPropertiesForIncrementalConsent(
@@ -94,4 +94,4 @@ private AuthenticationProperties BuildAuthenticationPropertiesForIncrementalCons
             return properties;
         }
     }
-}
+}

Microsoft.Identity.Web/Client/TokenAcquisition.cs

@@ -98,7 +98,7 @@ public TokenAcquisition(IConfiguration configuration, IMSALAppTokenCacheProvider
         /// From the configuration of the Authentication of the ASP.NET Core Web API:
         /// <code>OpenIdConnectOptions options;</code>
         ///
-        /// Subscribe to the authorization code recieved event:
+        /// Subscribe to the authorization code received event:
         /// <code>
         ///  options.Events = new OpenIdConnectEvents();
         ///  options.Events.OnAuthorizationCodeReceived = OnAuthorizationCodeReceived;
@@ -125,9 +125,17 @@ public async Task AddAccountToCacheFromAuthorizationCode(AuthorizationCodeReceiv
             try
             {
                 // As AcquireTokenByAuthorizationCodeAsync is asynchronous we want to tell ASP.NET core that we are handing the code
-                // even if it's not done yet, so that it does not concurrently call the Token endpoint.
+                // even if it's not done yet, so that it does not concurrently call the Token endpoint. (otherwise there will be a
+                // race condition ending-up in an error from Azure AD telling "code already redeemed")
                 context.HandleCodeRedemption();
 
+                // The cache will need the claims from the ID token. In the case of guest scenarios
+                // If they are not yet in the HttpContext.User's claims, adding them.
+                if (!context.HttpContext.User.Claims.Any())
+                {
+                    (context.HttpContext.User.Identity as ClaimsIdentity).AddClaims(context.Principal.Claims);
+                }
+
                 var application = GetOrBuildConfidentialClientApplication(context.HttpContext, context.Principal);
 
                 // Do not share the access token with ASP.NET Core otherwise ASP.NET will cache it and will not send the OAuth 2.0 request in
@@ -272,15 +280,15 @@ public async Task RemoveAccount(RedirectContext context)
                 account = accounts.FirstOrDefault(a => a.Username == user.GetLoginHint());
             }
 
-            if (account!=null)
+            if (account != null)
             {
                 this.UserTokenCacheProvider?.Clear(account.HomeAccountId.Identifier);
 
                 await app.RemoveAsync(account);
             }
         }
 
-        IConfidentialClientApplication application;
+        private IConfidentialClientApplication application;
 
         /// <summary>
         /// Creates an MSAL Confidential client application if needed
@@ -359,14 +367,15 @@ private async Task<string> GetAccessTokenOnBehalfOfUser(IConfidentialClientAppli
             // Get the account
             IAccount account = await application.GetAccountAsync(accountIdentifier);
 
-            // Special case for guest users as the Guest iod / tenant id are not surfaced.
+            // Special case for guest users as the Guest id / tenant id are not surfaced.
             if (account == null)
             {
                 var accounts = await application.GetAccountsAsync();
                 account = accounts.FirstOrDefault(a => a.Username == loginHint);
             }
 
-            AuthenticationResult result;
+            AuthenticationResult result = null;
+
             if (string.IsNullOrWhiteSpace(tenant))
             {
                 result = await application.AcquireTokenSilent(scopes.Except(scopesRequestedByMsalNet), account)
@@ -379,6 +388,7 @@ private async Task<string> GetAccessTokenOnBehalfOfUser(IConfidentialClientAppli
                                           .WithAuthority(authority)
                                           .ExecuteAsync();
             }
+
             return result.AccessToken;
         }
 
@@ -417,9 +427,8 @@ private void AddAccountToCacheFromJwt(IEnumerable<string> scopes, JwtSecurityTok
             }
         }
 
-
         /// <summary>
-        /// Used in Web APIs (which therefore cannot have an interaction with the user). 
+        /// Used in Web APIs (which therefore cannot have an interaction with the user).
         /// Replies to the client through the HttpReponse by sending a 403 (forbidden) and populating wwwAuthenticateHeaders so that
         /// the client can trigger an iteraction with the user so that the user consents to more scopes
         /// </summary>
@@ -466,7 +475,7 @@ private static bool AcceptedTokenVersionIsNotTheSameAsTokenVersion(MsalUiRequire
         {
             // Normally app developers should not make decisions based on the internal AAD code
             // however until the STS sends sub-error codes for this error, this is the only
-            // way to distinguish the case. 
+            // way to distinguish the case.
             // This is subject to change in the future
             return (msalSeviceException.Message.Contains("AADSTS50013"));
         }

Microsoft.Identity.Web/Client/TokenCacheProviders/InMemory/MSALPerUserMemoryTokenCacheProvider.cs

@@ -94,18 +94,13 @@ private void UserTokenCacheAfterAccessNotification(TokenCacheNotificationArgs ar
             // if the access operation resulted in a cache update
             if (args.HasStateChanged)
             {
-                string cacheKey = args.Account?.HomeAccountId?.Identifier;
-                if (string.IsNullOrEmpty(cacheKey))
-                {
-                    cacheKey = httpContextAccessor.HttpContext.User.GetMsalAccountId();
-                }
+                string cacheKey = httpContextAccessor.HttpContext.User.GetMsalAccountId();
 
                 if (string.IsNullOrWhiteSpace(cacheKey))
                     return;
 
                 // Ideally, methods that load and persist should be thread safe.MemoryCache.Get() is thread safe.
                 this.memoryCache.Set(cacheKey, args.TokenCache.SerializeMsalV3(), this.CacheOptions.SlidingExpiration);
-
             }
         }
 
@@ -116,17 +111,13 @@ private void UserTokenCacheAfterAccessNotification(TokenCacheNotificationArgs ar
         /// <param name="args">Contains parameters used by the MSAL call accessing the cache.</param>
         private void UserTokenCacheBeforeAccessNotification(TokenCacheNotificationArgs args)
         {
-            string cacheKey = args.Account?.HomeAccountId?.Identifier;
-            if (string.IsNullOrEmpty(cacheKey))
-            {
-                cacheKey = httpContextAccessor.HttpContext.User.GetMsalAccountId();
-            }
+            string cacheKey = httpContextAccessor.HttpContext.User.GetMsalAccountId();
 
             if (string.IsNullOrWhiteSpace(cacheKey))
                 return;
 
             byte[] tokenCacheBytes = (byte[])this.memoryCache.Get(cacheKey);
-            args.TokenCache.DeserializeMsalV3(tokenCacheBytes, shouldClearExistingCache:true);
+            args.TokenCache.DeserializeMsalV3(tokenCacheBytes, shouldClearExistingCache: true);
         }
 
         /// <summary>
@@ -137,4 +128,4 @@ private void UserTokenCacheBeforeWriteNotification(TokenCacheNotificationArgs ar
         {
         }
     }
-}
+}

Microsoft.Identity.Web/Client/TokenCacheProviders/Session/MSALPerUserSessionTokenCacheProvider.cs

@@ -107,11 +107,7 @@ private void UserTokenCacheAfterAccessNotification(TokenCacheNotificationArgs ar
             // if the access operation resulted in a cache update
             if (args.HasStateChanged)
             {
-                string cacheKey = args.Account?.HomeAccountId?.Identifier;
-                if (string.IsNullOrEmpty(cacheKey))
-                {
-                    cacheKey = httpContextAccessor.HttpContext.User.GetMsalAccountId();
-                }
+                string cacheKey = httpContextAccessor.HttpContext.User.GetMsalAccountId();
 
                 if (string.IsNullOrWhiteSpace(cacheKey))
                     return;
@@ -140,11 +136,7 @@ private void UserTokenCacheAfterAccessNotification(TokenCacheNotificationArgs ar
         private void UserTokenCacheBeforeAccessNotification(TokenCacheNotificationArgs args)
         {
             this.HttpContext.Session.LoadAsync().Wait();
-            string cacheKey = args.Account?.HomeAccountId?.Identifier;
-            if (string.IsNullOrEmpty(cacheKey))
-            {
-                cacheKey = httpContextAccessor.HttpContext.User.GetMsalAccountId();
-            }
+            string cacheKey = httpContextAccessor.HttpContext.User.GetMsalAccountId();
             if (string.IsNullOrWhiteSpace(cacheKey))
                 return;
 

Microsoft.Identity.Web/Client/TokenCacheProviders/Sql/MSALPerUserSqlTokenCacheProvider.cs

@@ -121,11 +121,7 @@ private void UserTokenCacheBeforeAccessNotification(TokenCacheNotificationArgs a
         /// <param name="args">Contains parameters used by the MSAL call accessing the cache.</param>
         private void UserTokenCacheAfterAccessNotification(TokenCacheNotificationArgs args)
         {
-            string accountId = args.Account?.HomeAccountId?.Identifier;
-            if (string.IsNullOrEmpty(accountId))
-            {
-                accountId = httpContextAccesssor.HttpContext.User.GetMsalAccountId();
-            }
+            string accountId = httpContextAccesssor.HttpContext.User.GetMsalAccountId();
 
             // if state changed, i.e. new token obtained
             if (args.HasStateChanged && !string.IsNullOrWhiteSpace(accountId))
@@ -160,11 +156,7 @@ private void UserTokenCacheAfterAccessNotification(TokenCacheNotificationArgs ar
         /// </summary>
         private void ReadCacheForSignedInUser(TokenCacheNotificationArgs args)
         {
-            string accountId = args.Account?.HomeAccountId?.Identifier;
-            if (string.IsNullOrEmpty(accountId))
-            {
-                accountId = httpContextAccesssor.HttpContext.User.GetMsalAccountId();
-            }
+            string accountId = httpContextAccesssor.HttpContext.User.GetMsalAccountId();
             if (this.InMemoryCache == null) // first time access
             {
                 this.InMemoryCache = GetLatestUserRecordQuery(accountId).FirstOrDefault();

Microsoft.Identity.Web/Microsoft.Identity.Web.csproj

@@ -7,6 +7,7 @@
   <ItemGroup>
     <PackageReference Include="Microsoft.AspNetCore.App" />
     <PackageReference Include="Microsoft.AspNetCore.Authentication.AzureAD.UI" Version="2.2.0" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.AzureADB2C.UI" Version="2.2.0" />
     <PackageReference Include="Microsoft.Identity.Client" Version="4.1.0" />
   </ItemGroup>
 </Project>

Microsoft.Identity.Web/README.md

@@ -5,7 +5,7 @@ This library contains a set of reusable classes useful in Web Applications and W
 The library contains helper classes to:
 
 - **Bootstrap the web resource from the Startup.cs file** in your web application by just calling a few methods
-  - `AddAzureAdV2Authentication` to add authentication with the Microsoft Identity platform (AAD v2.0), including managing the authority validation, and the sign-out.
+  - `AddAzureAdV2Authentication` to add authentication with the Microsoft Identity platform (AAD v2.0), including managing the authority validation.
 
     ```CSharp
     services.AddAzureAdV2Authentication();