Update to MSAL

Author: dstrockis

TodoListClient/App.config

@@ -4,9 +4,7 @@
         <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
     </startup>
   <appSettings>
-    <add key="ida:AADInstance" value="https://login.microsoftonline.com/{0}" />
     <add key="ida:ClientId" value="{Enter the Application Id that you copied from the App Registration Portal.}" />
-    <add key="ida:RedirectUri" value="{Enter the Redirect Uri copied from the App Registration Portal.}" />
     <add key="todo:TodoListBaseAddress" value="https://localhost:44321/" />
   </appSettings>
 </configuration>

TodoListClient/FileCache.cs

@@ -1,4 +1,4 @@
-using Microsoft.Experimental.IdentityModel.Clients.ActiveDirectory;
+using Microsoft.Identity.Client;
 using System;
 using System.Collections.Generic;
 using System.IO;
@@ -18,7 +18,7 @@ class FileCache : TokenCache
         private static readonly object FileLock = new object();
 
         // Initializes the cache against a local file.
-        // If the file is already rpesent, it loads its content in the ADAL cache
+        // If the file is already present, it loads its content in the MSAL cache
         public FileCache(string filePath=@".\TokenCache.dat")
         {
             CacheFilePath = filePath;
@@ -31,13 +31,13 @@ public FileCache(string filePath=@".\TokenCache.dat")
         }
 
         // Empties the persistent store.
-        public override void Clear()
+        public override void Clear(string clientId)
         {
-            base.Clear();
+            base.Clear(clientId);
             File.Delete(CacheFilePath);
         }
 
-        // Triggered right before ADAL needs to access the cache.
+        // Triggered right before MSAL needs to access the cache.
         // Reload the cache from the persistent store in case it changed since the last access.
          void BeforeAccessNotification(TokenCacheNotificationArgs args)
         {
@@ -47,7 +47,7 @@ void BeforeAccessNotification(TokenCacheNotificationArgs args)
             }
         }
 
-        // Triggered right after ADAL accessed the cache.
+        // Triggered right after MSAL accessed the cache.
         void AfterAccessNotification(TokenCacheNotificationArgs args)
         {
             // if the access operation resulted in a cache update

TodoListClient/MainWindow.xaml.cs

@@ -31,13 +31,13 @@
 
 // The following using statements were added for this sample.
 using System.Globalization;
-using Microsoft.Experimental.IdentityModel.Clients.ActiveDirectory;
+using Microsoft.Identity.Client;
 using System.Net.Http;
 using System.Net.Http.Headers;
 using System.Web.Script.Serialization;
 using System.Runtime.InteropServices;
 using System.Configuration;
-using Microsoft.Experimental.IdentityModel.Clients.ActiveDirectory;
+
 
 namespace TodoListClient
 {
@@ -52,49 +52,49 @@ public partial class MainWindow : Window
         // The Redirect URI is the URI where the v2.0 endpoint will return OAuth responses.
         // The Authority is the sign-in URL.
 
-        private static string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
+        
         private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
-        Uri redirectUri = new Uri(ConfigurationManager.AppSettings["ida:RedirectUri"]);
-        private static string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, "common");
+        
         private static string todoListBaseAddress = ConfigurationManager.AppSettings["todo:TodoListBaseAddress"];
 
         private HttpClient httpClient = new HttpClient();
-        private AuthenticationContext authContext = null;
+        private PublicClientApplication app = null;
 
         protected override async void OnInitialized(EventArgs e)
         {
             base.OnInitialized(e);
 
-            authContext = new AuthenticationContext(authority, new FileCache());
+            // TODO: Initialize the PublicClientApplication
+            app = new PublicClientApplication(clientId)
+            {
+                UserTokenCache = new FileCache(),
+            };
             AuthenticationResult result = null;
 
+            // TODO: Check if the user is already signed in. 
             // As the app starts, we want to check to see if the user is already signed in.
-            // You can do so by trying to get a token from ADAL, passing in the parameter
-            // PromptBehavior.Never.  This forces ADAL to throw an exception if it cannot
+            // You can do so by trying to get a token from MSAL, using the method
+            // AcquireTokenSilent.  This forces MSAL to throw an exception if it cannot
             // get a token for the user without showing a UI.
-   
             try
             {
-                result = await authContext.AcquireTokenAsync(new string[] { clientId }, null, clientId, redirectUri, new PlatformParameters(PromptBehavior.Never, null));
-
-                // If we got here, a valid token is in the cache.  Proceed to 
-                // fetch the user's tasks from the TodoListService via the 
-                // GetTodoList() method.
-
+                result = await app.AcquireTokenSilentAsync(new string[] { clientId });
+                // If we got here, a valid token is in the cache - or MSAL was able to get a new oen via refresh token.
+                // Proceed to fetch the user's tasks from the TodoListService via the GetTodoList() method.
+                
                 SignInButton.Content = "Clear Cache";
                 GetTodoList();
             }
-            catch (AdalException ex)
+            catch (MsalException ex)
             {
-                if (ex.ErrorCode == "user_interaction_required")
+                if (ex.ErrorCode == "failed_to_acquire_token_silently")
                 {
                     // If user interaction is required, the app should take no action,
                     // and simply show the user the sign in button.
                 }
                 else
                 {
-                    // Here, we catch all other AdalExceptions
-
+                    // Here, we catch all other MsalExceptions
                     string message = ex.Message;
                     if (ex.InnerException != null)
                     {
@@ -104,7 +104,7 @@ protected override async void OnInitialized(EventArgs e)
                 }
             }
         }
-        
+
 
         public MainWindow()
         {
@@ -113,21 +113,26 @@ public MainWindow()
 
         private async void GetTodoList()
         {
+
+            // TODO: Get a token from MSAL, and attach
+            // it to the GET request in the Authorization
+            // header.
+
             AuthenticationResult result = null;
             try
             {
-                // Here, we try to get an access token to call the TodoListService 
-                // without invoking any UI prompt.  PromptBehavior.Never forces
-                // ADAL to throw an exception if it cannot get a token silently.
+                // Here, we try to get an access token to call the TodoListService
+                // without invoking any UI prompt.  AcquireTokenSilentAsync forces
+                // MSAL to throw an exception if it cannot get a token silently.
 
-                result = await authContext.AcquireTokenAsync(new string[] { clientId }, null, clientId, redirectUri, new PlatformParameters(PromptBehavior.Never, null));
+                result = await app.AcquireTokenSilentAsync(new string[] { clientId });
             }
-            catch (AdalException ex)
+            catch (MsalException ex)
             {
-                // ADAL couldn't get a token silently, so show the user a message
+                // MSAL couldn't get a token silently, so show the user a message
                 // and let them click the Sign-In button.
 
-                if (ex.ErrorCode == "user_interaction_required")
+                if (ex.ErrorCode == "failed_to_acquire_token_silently")
                 {
                     MessageBox.Show("Please sign in first");
                     SignInButton.Content = "Sign In";
@@ -147,13 +152,12 @@ private async void GetTodoList()
                 return;
             }
 
-            // Once the token has been returned by ADAL, 
-            // add it to the http authorization header, 
+            // Once the token has been returned by MSAL,
+            // add it to the http authorization header,
             // before making the call to access the To Do list service.
 
             httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.Token);
 
-
             // Call the To Do list service.
             HttpResponseMessage response = await httpClient.GetAsync(todoListBaseAddress + "/api/todolist");
 
@@ -185,11 +189,11 @@ private async void AddTodoItem(object sender, RoutedEventArgs e)
             AuthenticationResult result = null;
             try
             {
-                result = await authContext.AcquireTokenAsync(new string[] { clientId }, null, clientId, redirectUri, new PlatformParameters(PromptBehavior.Never, null));
+                result = await app.AcquireTokenSilentAsync(new string[] { clientId });
             }
-            catch (AdalException ex)
+            catch (MsalException ex)
             {
-                if (ex.ErrorCode == "user_interaction_required")
+                if (ex.ErrorCode == "failed_to_acquire_token_silently")
                 {
                     MessageBox.Show("Please sign in first");
                     SignInButton.Content = "Sign In";
@@ -226,36 +230,38 @@ private async void AddTodoItem(object sender, RoutedEventArgs e)
 
         private async void SignIn(object sender = null, RoutedEventArgs args = null)
         {
+            // TODO: Sign the user out if they clicked the "Clear Cache" button
+
             // If the user clicked the 'clear cache' button,
-            // clear the ADAL token cache and show the user as signed out.
+            // clear the MSAL token cache and show the user as signed out.
             // It's also necessary to clear the cookies from the browser
             // control so the next user has a chance to sign in.
 
             if (SignInButton.Content.ToString() == "Clear Cache")
             {
                 TodoList.ItemsSource = string.Empty;
-                authContext.TokenCache.Clear();
+                app.UserTokenCache.Clear(app.ClientId);
                 ClearCookies();
                 SignInButton.Content = "Sign In";
                 return;
             }
 
             // If the user clicked the 'Sign-In' button, force
-            // ADAL to prompt the user for credentials by specifying
-            // PromptBehavior.Always.  ADAL will get a token for the 
-            // TodoListService and cache it for you.
+            // MSAL to prompt the user for credentials by using
+            // AcquireTokenAsync, a method that is guaranteed to show a prompt to the user.
+            // MSAL will get a token for the TodoListService and cache it for you.
 
             AuthenticationResult result = null;
             try
             {
-                result = await authContext.AcquireTokenAsync(new string[] { clientId }, null, clientId, redirectUri, new PlatformParameters(PromptBehavior.Always, null));
+                result = await app.AcquireTokenAsync(new string[] { clientId });
                 SignInButton.Content = "Clear Cache";
                 GetTodoList();
             }
-            catch (AdalException ex)
+            catch (MsalException ex)
             {
-                // If ADAL cannot get a token, it will throw an exception.
-                // If the user canceled the login, it will result in the 
+                // If MSAL cannot get a token, it will throw an exception.
+                // If the user canceled the login, it will result in the
                 // error code 'authentication_canceled'.
 
                 if (ex.ErrorCode == "authentication_canceled")
@@ -277,9 +283,12 @@ private async void SignIn(object sender = null, RoutedEventArgs args = null)
                 return;
             }
 
+
+            // TODO: Invoke UI & get a token if the user clicked "Sign In"
+
         }
 
-        // This function clears cookies from the browser control used by ADAL.
+        // This function clears cookies from the browser control used by MSAL.
         private void ClearCookies()
         {
             const int INTERNET_OPTION_END_BROWSER_SESSION = 42;

TodoListClient/TodoListClient.csproj

@@ -34,13 +34,13 @@
     <WarningLevel>4</WarningLevel>
   </PropertyGroup>
   <ItemGroup>
-    <Reference Include="Microsoft.Experimental.IdentityModel.Clients.ActiveDirectory, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
-      <SpecificVersion>False</SpecificVersion>
-      <HintPath>..\packages\Microsoft.Experimental.IdentityModel.Clients.ActiveDirectory.4.0.208052020-alpha\lib\net45\Microsoft.Experimental.IdentityModel.Clients.ActiveDirectory.dll</HintPath>
+    <Reference Include="Microsoft.Identity.Client, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
+      <HintPath>..\packages\Microsoft.Identity.Client.1.0.304142221-alpha\lib\net45\Microsoft.Identity.Client.dll</HintPath>
+      <Private>True</Private>
     </Reference>
-    <Reference Include="Microsoft.Experimental.IdentityModel.Clients.ActiveDirectory.Platform, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
-      <SpecificVersion>False</SpecificVersion>
-      <HintPath>..\packages\Microsoft.Experimental.IdentityModel.Clients.ActiveDirectory.4.0.208052020-alpha\lib\net45\Microsoft.Experimental.IdentityModel.Clients.ActiveDirectory.Platform.dll</HintPath>
+    <Reference Include="Microsoft.Identity.Client.Platform, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
+      <HintPath>..\packages\Microsoft.Identity.Client.1.0.304142221-alpha\lib\net45\Microsoft.Identity.Client.Platform.dll</HintPath>
+      <Private>True</Private>
     </Reference>
     <Reference Include="System" />
     <Reference Include="System.Configuration" />

TodoListClient/packages.config

@@ -1,4 +1,4 @@
 <?xml version="1.0" encoding="utf-8"?>
 <packages>
-  <package id="Microsoft.Experimental.IdentityModel.Clients.ActiveDirectory" version="4.0.208052020-alpha" targetFramework="net45" />
+  <package id="Microsoft.Identity.Client" version="1.0.304142221-alpha" targetFramework="net45" />
 </packages>

TodoListService/App_Start/Startup.Auth.cs

@@ -24,11 +24,6 @@ public void ConfigureAuth(IAppBuilder app)
                 ValidateIssuer = false,
             };
 
-            // NOTE: The usual WindowsAzureActiveDirectoryBearerAuthenticaitonMiddleware uses a
-            // metadata endpoint which is not supported by the v2.0 endpoint.  Instead, this 
-            // OpenIdConenctCachingSecurityTokenProvider can be used to fetch & use the OpenIdConnect
-            // metadata document.
-
             app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
             {
                 AccessTokenFormat = new Microsoft.Owin.Security.Jwt.JwtFormat(tvps, new OpenIdConnectCachingSecurityTokenProvider("https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration")),

TodoListService/Web.config

@@ -9,7 +9,7 @@
     <add key="webpages:Enabled" value="false" />
     <add key="ClientValidationEnabled" value="true" />
     <add key="UnobtrusiveJavaScriptEnabled" value="true" />
-    <add key="ida:Audience" value="{Enter the Application Id that you copied from the App Registration Portal.}" />
+    <add key="ida:Audience" value="{Enter the Application Id that you copied from the App Registration Portal.}" /> 
   </appSettings>
   <system.web>
     <compilation debug="true" targetFramework="4.5" />