Enabled allowed user config without client secret

Author: joelverhagen

src/Website/AllowListAuthorizationHandler.cs

@@ -1,11 +1,13 @@
-using System.Collections.Generic;
+using System;
+using System.Collections.Generic;
 using System.Linq;
 using System.Net.Http;
 using System.Net.Http.Headers;
 using System.Security.Claims;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authentication.OpenIdConnect;
 using Microsoft.AspNetCore.Authorization;
+using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Options;
 using Microsoft.Graph;
 using Microsoft.Identity.Web;
@@ -18,16 +20,16 @@ public class AllowListAuthorizationHandler : AuthorizationHandler<AllowListRequi
         private const string AllowedGroupClaimName = "ExplorePackages.AllowedGroup";
         private const string HttpContextKeyForJwt = "JwtSecurityTokenUsedToCallWebAPI";
 
-        private readonly GraphServiceClient _graphServiceClient;
+        private readonly IServiceProvider _serviceProvider;
         private readonly bool _restrictUsers;
         private readonly Dictionary<string, HashSet<string>> _allowedUsers;
         private readonly Dictionary<string, HashSet<string>> _allowedGroups;
 
         public AllowListAuthorizationHandler(
-            GraphServiceClient graphServiceClient,
+            IServiceProvider serviceProvider,
             IOptions<ExplorePackagesWebsiteSettings> options)
         {
-            _graphServiceClient = graphServiceClient;
+            _serviceProvider = serviceProvider;
             _restrictUsers = options.Value.RestrictUsers;
             _allowedUsers = TenantToObjectIds(options.Value.AllowedUsers);
             _allowedGroups = TenantToObjectIds(options.Value.AllowedGroups);
@@ -111,7 +113,8 @@ public async Task AddAllowedGroupClaimsAsync(TokenValidatedContext context)
                 // Source: https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/ef20861535add11f5d37e25228379c8dfc5d1796/5-WebApp-AuthZ/5-2-Groups/Services/MicrosoftGraph-Rest/GraphHelper.cs
                 context.HttpContext.Items[HttpContextKeyForJwt] = context.SecurityToken;
 
-                var memberGroups = await _graphServiceClient
+                var memberGroups = await _serviceProvider
+                    .GetRequiredService<GraphServiceClient>()
                     .Me
                     .CheckMemberGroups(objectIds)
                     .Request()

src/Website/Startup.cs

@@ -1,4 +1,5 @@
 using System;
+using System.Linq;
 using System.Text.Json.Serialization;
 using Knapcode.ExplorePackages.Website.Logic;
 using Knapcode.ExplorePackages.Worker;
@@ -52,7 +53,7 @@ public void ConfigureServices(IServiceCollection services)
                     options.PayloadSerializerOptions.Converters.Add(new JsonStringEnumConverter());
                 });
 
-            services
+            var microsoftIdentityBuilder = services
                 .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
                 .AddMicrosoftIdentityWebApp(options =>
                 {
@@ -71,10 +72,18 @@ await context
                     options.ExpireTimeSpan = TimeSpan.FromHours(1);
                     options.SlidingExpiration = false;
                     options.AccessDeniedPath = "/Home/AccessDenied";
-                })
-                .EnableTokenAcquisitionToCallDownstreamApi()
-                .AddInMemoryTokenCaches()
-                .AddMicrosoftGraph();
+                });
+
+            var initialSettings = Configuration
+                .GetSection(ExplorePackagesSettings.DefaultSectionName)
+                .Get<ExplorePackagesWebsiteSettings>();
+            if (initialSettings.AllowedGroups.Any())
+            {
+                microsoftIdentityBuilder
+                    .EnableTokenAcquisitionToCallDownstreamApi()
+                    .AddInMemoryTokenCaches()
+                    .AddMicrosoftGraph();
+            }
 
             services
                 .AddAuthorization(options =>