Update to Microsoft Identity Web 0.3.0-preview. (#159)

* Update to Microsoft Identity Web 0.3.0-preview.

Author: pmaytak

1. Desktop app calls Web API/README-incremental.md

@@ -284,10 +284,10 @@ Replace:
 With:
 
 ```CSharp
-services.AddMicrosoftWebApiAuthentication(Configuration);
+services.AddMicrosoftIdentityWebApiAuthentication(Configuration);
 ```
 
-The method `AddMicrosoftWebApiAuthentication` in Microsoft.Identity.Web ensures that:
+The method `AddMicrosoftIdentityWebApiAuthentication` in Microsoft.Identity.Web ensures that:
 
 - the tokens are validated with Microsoft Identity Platform 
 - the valid audiences are both the ClientID of our Web API (default value of `options.Audience` with the ASP.NET Core template) and api://{ClientID}

1. Desktop app calls Web API/README.md

@@ -300,10 +300,10 @@ Replace:
 With:
 
 ```CSharp
-services.AddMicrosoftWebApiAuthentication(Configuration);
+services.AddMicrosoftIdentityWebApiAuthentication(Configuration);
 ```
 
-The method `AddMicrosoftWebApiAuthentication` in Microsoft.Identity.Web ensures that:
+The method `AddMicrosoftIdentityWebApiAuthentication` in Microsoft.Identity.Web ensures that:
 
 - the tokens are validated with Microsoft Identity Platform 
 - the valid audiences are both the ClientID of our Web API (default value of `options.Audience` with the ASP.NET Core template) and api://{ClientID}

1. Desktop app calls Web API/TodoListService/Startup.cs

@@ -1,6 +1,7 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
+using Microsoft.AspNetCore.Authentication.OpenIdConnect;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.Extensions.Configuration;
@@ -22,7 +23,7 @@ public Startup(IConfiguration configuration)
         // This method gets called by the runtime. Use this method to add services to the container.
         public void ConfigureServices(IServiceCollection services)
         {
-            services.AddMicrosoftWebApiAuthentication(Configuration);
+            services.AddMicrosoftIdentityWebApiAuthentication(Configuration);
 
             services.AddControllers();
         }

1. Desktop app calls Web API/TodoListService/TodoListService.csproj

@@ -7,6 +7,6 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.Identity.Web" Version="0.2.2-preview" />
+    <PackageReference Include="Microsoft.Identity.Web" Version="0.3.0-preview" />
   </ItemGroup>
 </Project>

2. Web API now calls Microsoft Graph/README-incremental.md

@@ -132,60 +132,37 @@ Update `Startup.cs` file:
   by
 
   ```csharp
-  services.AddMicrosoftWebApiAuthentication(Configuration)
-          .AddMicrosoftWebApiCallsWebApi(Configuration)
+  services.AddMicrosoftIdentityWebApiAuthentication(Configuration)
+          .EnableTokenAcquisitionToCallDownstreamApi()
           .AddInMemoryTokenCaches();
   ```
-  `AddMicrosoftWebApiAuthentication` subscribes to the `OnTokenValidated` JwtBearerAuthentication event, and in this event, adds the user account into MSAL.NET's user token cache.
+
+  `EnableTokenAcquisitionToCallDownstreamApi` subscribes to the `OnTokenValidated` JwtBearerAuthentication event, and in this event, adds the user account into MSAL.NET's user token cache.
 
   `AddInMemoryTokenCaches` adds an in memory token cache provider, which will cache the Access Tokens acquired for the downstream Web API.																			  
 #### Modify the TodoListController.cs file to add information on the todo item about its owner
 
-In the `TodoListController.cs` file, the Post() action was modified.																   
+In the `TodoListController.cs` file, the `Post` method is modified by replacing
+
 ```CSharp
 todoStore.Add(new TodoItem { Owner = owner, Title = Todo.Title });
 ```
 
-is replaced by:
+with
 
 ```CSharp
-ownerName = await CallGraphAPIOnBehalfOfUser();
-string title = string.IsNullOrWhiteSpace(ownerName) ? Todo.Title : $"{Todo.Title} ({ownerName})";
-todoStore.Add(new TodoItem { Owner = owner, Title = title });
+User user = _graphServiceClient.Me.Request().GetAsync().GetAwaiter().GetResult();
+string title = string.IsNullOrWhiteSpace(user.UserPrincipalName) ? todo.Title : $"{todo.Title} ({user.UserPrincipalName})";
+TodoStore.Add(new TodoItem { Owner = owner, Title = title });
 ```
 
-The work of calling the Microsoft Graph to get the owner name is done in `CallGraphAPIOnBehalfOfUser()`.
+The work of calling Microsoft Graph to get the owner name is done by `GraphServiceClient`, which is set up by Microsoft Identity Web.
 
-This method:
+`GraphServiceClient`
 
-- gets an Access Token for the Microsoft Graph on behalf of the user (leveraging the in memory token cache, which was added on the `Startup.cs`)
+- gets an access token for the Microsoft Graph on behalf of the user (leveraging the in-memory token cache, which was added in the `Startup.cs`), and
 - calls the Microsoft Graph `/me` endpoint to retrieve the name of the user.
 
-    ```CSharp
-    public async Task<string> CallGraphAPIOnBehalfOfUser()
-    {
-        string[] scopes = new string[] { "user.read" };
-
-        // we use MSAL.NET to get a token to call the API On Behalf Of the current user
-        try
-        {
-            string accessToken = await tokenAcquisition.GetAccessTokenForUserAsync(scopes);
-            dynamic me = await CallGraphApiOnBehalfOfUser(accessToken);
-            return me.userPrincipalName;
-        }
-        catch (MicrosoftIdentityWebChallengeUserException ex)
-        {
-            await tokenAcquisition.ReplyForbiddenWithWwwAuthenticateHeaderAsync(scopes, ex.MsalUiRequiredException);
-            return string.Empty;
-        }
-        catch (MsalUiRequiredException ex)
-        {
-            await tokenAcquisition.ReplyForbiddenWithWwwAuthenticateHeaderAsync(scopes, ex);
-            return string.Empty;
-        }
-    }
-    ```
-
 ### Handling required interactions with the user (dynamic consent, MFA, etc.)
 
 Please refer to [Microsoft.Identity.Web\wiki](https://github.com/AzureAD/microsoft-identity-web/wiki/web-apis) on how Web APIs should handle exceptions which require user interaction like `MFA`.

2. Web API now calls Microsoft Graph/README.md

@@ -286,12 +286,12 @@ Update `Startup.cs` file:
   by
 
   ```csharp
-  services.AddMicrosoftWebApiAuthentication(Configuration)
-          .AddMicrosoftWebApiCallsWebApi(Configuration)
+  services.AddMicrosoftIdentityWebApiAuthentication(Configuration)
+          .EnableTokenAcquisitionToCallDownstreamApi()
           .AddInMemoryTokenCaches();
   ```
 
-  `AddMicrosoftWebApiAuthentication` does the following:
+  `AddMicrosoftIdentityWebApiAuthentication` does the following:
   - add the **JwtBearerAuthenticationScheme** (Note the replacement of BearerAuthenticationScheme by JwtBearerAuthenticationScheme)
   - set the authority to be the Microsoft identity platform identity
   - set the audiences to be validated
@@ -304,57 +304,33 @@ Update `Startup.cs` file:
 
   The implementations of these classes are in the [Microsoft.Identity.Web](https://github.com/AzureAD/microsoft-identity-web) library, and they are designed to be reusable in your applications (Web apps and Web apis).
 
-  `AddMicrosoftWebApiCallsWebApi` subscribes to the `OnTokenValidated` JwtBearerAuthentication event, and in this event, adds the user account into MSAL.NET's user token cache.
+  `EnableTokenAcquisitionToCallDownstreamApi` subscribes to the `OnTokenValidated` JwtBearerAuthentication event, and in this event, adds the user account into MSAL.NET's user token cache.
 
   `AddInMemoryTokenCaches` adds an in memory token cache provider, which will cache the Access Tokens acquired for the downstream Web API.
 
 ### Modify the TodoListController.cs file to add information on the todo item about its owner
 
-In the `TodoListController.cs` file, the Post() action was modified.
+In the `TodoListController.cs` file, the `Post` method is modified by replacing
 
 ```CSharp
 todoStore.Add(new TodoItem { Owner = owner, Title = Todo.Title });
 ```
 
-is replaced by:
+with
 
 ```CSharp
-ownerName = await CallGraphAPIOnBehalfOfUser();
-string title = string.IsNullOrWhiteSpace(ownerName) ? Todo.Title : $"{Todo.Title} ({ownerName})";
-todoStore.Add(new TodoItem { Owner = owner, Title = title });
+User user = _graphServiceClient.Me.Request().GetAsync().GetAwaiter().GetResult();
+string title = string.IsNullOrWhiteSpace(user.UserPrincipalName) ? todo.Title : $"{todo.Title} ({user.UserPrincipalName})";
+TodoStore.Add(new TodoItem { Owner = owner, Title = title });
 ```
 
-The work of calling the Microsoft Graph to get the owner name is done in `CallGraphAPIOnBehalfOfUser()`.
+The work of calling Microsoft Graph to get the owner name is done by `GraphServiceClient`, which is set up by Microsoft Identity Web.
 
-This method:
+`GraphServiceClient`
 
-- gets an Access Token for the Microsoft Graph on behalf of the user (leveraging the in memory token cache, which was added on the `Startup.cs`)
+- gets an access token for the Microsoft Graph on behalf of the user (leveraging the in-memory token cache, which was added in the `Startup.cs`), and
 - calls the Microsoft Graph `/me` endpoint to retrieve the name of the user.
 
-    ```CSharp
-    public async Task<string> CallGraphAPIOnBehalfOfUser()
-    {
-        string[] scopes = new string[] { "user.read" };
-
-        // we use MSAL.NET to get a token to call the API On Behalf Of the current user
-        try
-        {
-            string accessToken = await tokenAcquisition.GetAccessTokenForUserAsync(scopes);
-            dynamic me = await CallGraphApiOnBehalfOfUser(accessToken);
-            return me.userPrincipalName;
-        }
-        catch (MicrosoftIdentityWebChallengeUserException ex)
-        {
-            await tokenAcquisition.ReplyForbiddenWithWwwAuthenticateHeaderAsync(scopes, ex.MsalUiRequiredException);
-            return string.Empty;
-        }
-        catch (MsalUiRequiredException ex)
-        {
-            await tokenAcquisition.ReplyForbiddenWithWwwAuthenticateHeaderAsync(scopes, ex);
-            return string.Empty;
-        }
-    }
-    ```
 
 ### Handling required interactions with the user (dynamic consent, MFA, etc.)
 

2. Web API now calls Microsoft Graph/TodoListService/Controllers/TodoListController.cs

@@ -5,23 +5,20 @@
 // In the first chapter this is just a protected API (ENABLE_OBO is not set)
 // In this chapter, the Web API calls a downstream API on behalf of the user (OBO)
 #define ENABLE_OBO
+using System;
+using System.Collections.Concurrent;
+using System.Collections.Generic;
+using System.Linq;
+using System.Net;
+using System.Security.Claims;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Options;
 using Microsoft.Graph;
 using Microsoft.Identity.Client;
 using Microsoft.Identity.Web;
 using Microsoft.Identity.Web.Resource;
-using Newtonsoft.Json;
-using System;
-using System.Collections.Concurrent;
-using System.Collections.Generic;
-using System.Linq;
-using System.Net;
-using System.Net.Http;
-using System.Net.Http.Headers;
-using System.Security.Claims;
-using System.Threading.Tasks;
 using TodoListService.Models;
 
 namespace TodoListService.Controllers
@@ -30,12 +27,16 @@ namespace TodoListService.Controllers
     [Route("api/[controller]")]
     public class TodoListController : Controller
     {
-        public TodoListController(ITokenAcquisition tokenAcquisition)
+        public TodoListController(ITokenAcquisition tokenAcquisition, GraphServiceClient graphServiceClient, IOptions<MicrosoftGraphOptions> graphOptions)
         {
             _tokenAcquisition = tokenAcquisition;
+            _graphServiceClient = graphServiceClient;
+            _graphOptions = graphOptions;
         }
 
-        readonly ITokenAcquisition _tokenAcquisition;
+        private readonly ITokenAcquisition _tokenAcquisition;
+        private readonly GraphServiceClient _graphServiceClient;
+        private readonly IOptions<MicrosoftGraphOptions> _graphOptions;
 
         static readonly ConcurrentBag<TodoItem> TodoStore = new ConcurrentBag<TodoItem>();
 
@@ -56,18 +57,17 @@ public IEnumerable<TodoItem> Get()
 
         // POST api/values
         [HttpPost]
-        public async void Post([FromBody]TodoItem todo)
+        public async void Post([FromBody] TodoItem todo)
         {
             HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);
             string owner = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
-            string ownerName;
 #if ENABLE_OBO
             // This is a synchronous call, so that the clients know, when they call Get, that the 
             // call to the downstream API (Microsoft Graph) has completed.
             try
             {
-                ownerName = CallGraphApiOnBehalfOfUser().GetAwaiter().GetResult();
-                string title = string.IsNullOrWhiteSpace(ownerName) ? todo.Title : $"{todo.Title} ({ownerName})";
+                User user = _graphServiceClient.Me.Request().GetAsync().GetAwaiter().GetResult();
+                string title = string.IsNullOrWhiteSpace(user.UserPrincipalName) ? todo.Title : $"{todo.Title} ({user.UserPrincipalName})";
                 TodoStore.Add(new TodoItem { Owner = owner, Title = title });
             }
             catch (MsalException ex)
@@ -78,48 +78,19 @@ public async void Post([FromBody]TodoItem todo)
             }
             catch (Exception ex)
             {
-                HttpContext.Response.ContentType = "text/plain";
-                HttpContext.Response.StatusCode = (int)HttpStatusCode.BadRequest;
-                await HttpContext.Response.WriteAsync("An error occurred while calling the downstream API\n" + ex.Message);
+                if (ex.InnerException is MicrosoftIdentityWebChallengeUserException challengeException)
+                {
+                    await _tokenAcquisition.ReplyForbiddenWithWwwAuthenticateHeaderAsync(_graphOptions.Value.Scopes.Split(' '),
+                        challengeException.MsalUiRequiredException);
+                }
+                else
+                {
+                    HttpContext.Response.ContentType = "text/plain";
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.BadRequest;
+                    await HttpContext.Response.WriteAsync("An error occurred while calling the downstream API\n" + ex.Message);
+                }
             }
 #endif
-
-        }
-
-        public async Task<string> CallGraphApiOnBehalfOfUser()
-        {
-            string[] scopes = { "user.read" };
-
-            // we use MSAL.NET to get a token to call the API On Behalf Of the current user
-            try
-            {
-                string accessToken = await _tokenAcquisition.GetAccessTokenForUserAsync(scopes);
-                dynamic me = await CallGraphApiOnBehalfOfUser(accessToken);
-                return me.UserPrincipalName;
-            }
-            catch (MicrosoftIdentityWebChallengeUserException ex)
-            {
-                await _tokenAcquisition.ReplyForbiddenWithWwwAuthenticateHeaderAsync(scopes, ex.MsalUiRequiredException);
-                return string.Empty;
-            }
-            catch (MsalUiRequiredException ex)
-            {
-                await _tokenAcquisition.ReplyForbiddenWithWwwAuthenticateHeaderAsync(scopes, ex);
-                return string.Empty;
-            }
-        }
-
-        private static async Task<dynamic> CallGraphApiOnBehalfOfUser(string accessToken)
-        {
-            // Call the Graph API and retrieve the user's profile.
-            GraphServiceClient graphServiceClient = new GraphServiceClient(new DelegateAuthenticationProvider((requestMessage) => {
-                requestMessage.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
-                return Task.FromResult(0);
-            }));
-
-            User graphUser = await graphServiceClient.Me.Request().GetAsync();
-            
-            return graphUser;
         }
     }
 }

2. Web API now calls Microsoft Graph/TodoListService/Startup.cs

@@ -7,7 +7,6 @@
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
 using Microsoft.Identity.Web;
-using Microsoft.Identity.Web.TokenCacheProviders.InMemory;
 
 namespace TodoListService
 {
@@ -23,9 +22,11 @@ public Startup(IConfiguration configuration)
         // This method gets called by the runtime. Use this method to add services to the container.
         public void ConfigureServices(IServiceCollection services)
         {
-            services.AddMicrosoftWebApiAuthentication(Configuration)
-                    .AddMicrosoftWebApiCallsWebApi(Configuration)
-                    .AddInMemoryTokenCaches();
+            services.AddMicrosoftIdentityWebApiAuthentication(Configuration)
+                    .EnableTokenAcquisitionToCallDownstreamApi()
+                        .AddMicrosoftGraph(Configuration.GetSection("DownstreamApi"))
+                        .AddInMemoryTokenCaches();
+
             services.AddControllers();
         }
 

2. Web API now calls Microsoft Graph/TodoListService/TodoListService.csproj

@@ -11,8 +11,7 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.Identity.Web" Version="0.2.2-preview" />
-    <PackageReference Include="Microsoft.Graph" Version="3.8.0" />
+    <PackageReference Include="Microsoft.Identity.Web" Version="0.3.0-preview" />
   </ItemGroup>
 
 </Project>

2. Web API now calls Microsoft Graph/TodoListService/appsettings.json

@@ -2,7 +2,7 @@
   "AzureAd": {
     "Instance": "https://login.microsoftonline.com/",
     "ClientId": "[Enter_client_ID_Of_TodoListService-v2_from_Azure_Portal,_e.g._2ec40e65-ba09-4853-bcde-bcb60029e596]",
-    "ClientSecret":  "[Enter_client_secret_as_added_fom_the_certificates_&_secrets_page_from_your_app_registration]",
+    "ClientSecret": "[Enter_client_secret_as_added_fom_the_certificates_&_secrets_page_from_your_app_registration]",
 
     /*
       You need specify the TenantId only if you want to accept access tokens from a single tenant (line of business app)
@@ -12,6 +12,17 @@
     "TenantId": "common" // A guid (Tenant ID = Directory ID) or 'common' or 'organizations' or 'consumers'
 
   },
+    "DownstreamAPI": {
+      /*
+       'Scopes' contains space separated scopes of the web API you want to call. This can be:
+        - a scope for a V2 application (for instance api://b3682cc7-8b30-4bd2-aaba-080c6bf0fd31/access_as_user)
+        - a scope corresponding to a V1 application (for instance <App ID URI>/.default, where  <App ID URI> is the
+          App ID URI of a legacy v1 web application
+        Applications are registered in the https://portal.azure.com portal.
+      */
+      "BaseUrl": "[WebApiUrl]",
+      "Scopes": "user.read"
+    },
   "Kestrel": {
     "Endpoints": {
       "Http": {