Added notes to token validation code

marcusca10 · marcusca10 · commit b11595814667 · 2020-02-25T21:09:22.000+01:00
diff --git a/Microsoft.SCIM.WebHostSample/Startup.cs b/Microsoft.SCIM.WebHostSample/Startup.cs
@@ -41,7 +41,8 @@ public void ConfigureServices(IServiceCollection services)
             {
                 // Development environment code
                 // Validation for bearer token for authorization used during testing.
-                // This is not meant to replace proper OAuth for authentication purposes.
+                // NOTE: It's not recommended to use this code in production, it is not meant to replace proper OAuth authentication.
+                //       This option is primarily available for testing purposes.
                 services.AddAuthentication(options =>
                 {
                     options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
@@ -65,7 +66,11 @@ public void ConfigureServices(IServiceCollection services)
             }
             else
             {
-                // Azure AD token validation code
+                // Leave the optional Secret Token field blank
+                // Azure AD includes an OAuth bearer token issued from Azure AD with each request
+                // The following code validates the Azure AD-issued token
+                // NOTE: It's not recommended to leave this field blank and rely on a token generated by Azure AD. 
+                //       This option is primarily available for testing purposes.
                 services.AddAuthentication(options =>
                 {
                     options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;

Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,8 @@ public void ConfigureServices(IServiceCollection services)`
`41`	`41`	`{`
`42`	`42`	`// Development environment code`
`43`	`43`	`// Validation for bearer token for authorization used during testing.`
`44`		`- // This is not meant to replace proper OAuth for authentication purposes.`
	`44`	`+ // NOTE: It's not recommended to use this code in production, it is not meant to replace proper OAuth authentication.`
	`45`	`+ // This option is primarily available for testing purposes.`
`45`	`46`	`services.AddAuthentication(options =>`
`46`	`47`	`{`
`47`	`48`	`options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;`
`@@ -65,7 +66,11 @@ public void ConfigureServices(IServiceCollection services)`
`65`	`66`	`}`
`66`	`67`	`else`
`67`	`68`	`{`
`68`		`- // Azure AD token validation code`
	`69`	`+ // Leave the optional Secret Token field blank`
	`70`	`+ // Azure AD includes an OAuth bearer token issued from Azure AD with each request`
	`71`	`+ // The following code validates the Azure AD-issued token`
	`72`	`+ // NOTE: It's not recommended to leave this field blank and rely on a token generated by Azure AD.`
	`73`	`+ // This option is primarily available for testing purposes.`
`69`	`74`	`services.AddAuthentication(options =>`
`70`	`75`	`{`
`71`	`76`	`options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;`