Migrate ADO Samples from ADAL to MSAL (#69)

* Migrate ManagedClientConsoleAppSample from ADAL to MSAL

Author: Shama-K

DeviceProfileSample/App.config

@@ -3,4 +3,15 @@
     <startup> 
         <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2" />
     </startup>
+  <appSettings>
+        <!--Azure AD App Registration details-->
+        <add key="ida:Tenant" value="[Enter_the_tenant_Id_Here]" />
+        <add key="ida:ClientId" value="[Enter_the_Application_Id_Here]" />
+      
+        <add key="ida:AADInstance" value="https://login.microsoftonline.com/{0}/v2.0" />
+      
+        <!--URL of Azure DevOps organization-->      
+        <add key="ado:OrganizationUrl" value="[Enter_URL_Azure_DevOps_organization]" />
+
+  </appSettings>
 </configuration>

DeviceProfileSample/DeviceProfileSample.csproj

@@ -8,8 +8,9 @@
     <AssemblyName>DeviceProfileSample</AssemblyName>
   </PropertyGroup>
   <ItemGroup>
-    <PackageReference Include="Microsoft.IdentityModel.Clients.ActiveDirectory" Version="3.16.0" />
-    <PackageReference Include="Newtonsoft.Json" Version="10.0.3" />
+    <PackageReference Include="Microsoft.Identity.Client" Version="4.29.0" />
+    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
+    <PackageReference Include="System.Configuration.ConfigurationManager" Version="5.0.0" />
   </ItemGroup>
   <ItemGroup>
     <Reference Include="Microsoft.CSharp" />

DeviceProfileSample/Program.cs

@@ -1,72 +1,115 @@
-using Microsoft.IdentityModel.Clients.ActiveDirectory;
+using Microsoft.Identity.Client;
 using System;
+using System.Configuration;
+using System.Globalization;
 using System.Linq;
 using System.Net.Http;
 using System.Net.Http.Headers;
+using System.Threading.Tasks;
 
 namespace DeviceProfileSample
 {
     public class Program
     {
-        //============= Config [Edit these with your settings] =====================
-        internal const string vstsCollectionUrl = "https://myaccount.visualstudio.com"; //change to the URL of your VSTS account; NOTE: This must use HTTPS
-        internal const string clientId = "872cd9fa-d31f-45e0-9eab-6e460a02d1f1";        //update this with your Application ID from step 2.6 (do not change this if you have an MSA backed account)
-        //==========================================================================
+        //
+        // The Client ID is used by the application to uniquely identify itself to Azure AD.
+        // The Tenant is the name or Id of the Azure AD tenant in which this application is registered.
+        // The AAD Instance is the instance of Azure, for example public Azure or Azure China.
+        // The Authority is the sign-in URL of the tenant.
+        //
+        internal static string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
+        internal static string tenant = ConfigurationManager.AppSettings["ida:Tenant"];
+        internal static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
+        internal static string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);
 
-        internal const string VSTSResourceId = "499b84ac-1321-427f-aa17-267ca6975798"; //Static value to target VSTS. Do not change
+        //Constant value to target Azure DevOps. Do not change  
+        internal static string[] scopes = new string[] { "499b84ac-1321-427f-aa17-267ca6975798/user_impersonation" };
 
+        //URL of your Azure DevOps account.
+        internal static string azureDevOpsOrganizationUrl = ConfigurationManager.AppSettings["ado:OrganizationUrl"];
+        
+        // The MSAL Public client app
+        private static IPublicClientApplication application;
 
-        public static void Main(string[] args)
+        public static async Task Main(string[] args)
         {
-            AuthenticationContext ctx = GetAuthenticationContext(null);
-            AuthenticationResult result = null;
             try
             {
-                DeviceCodeResult codeResult = ctx.AcquireDeviceCodeAsync(VSTSResourceId, clientId).Result;
-                Console.WriteLine("You need to sign in.");
-                Console.WriteLine("Message: " + codeResult.Message + "\n");
-                result = ctx.AcquireTokenByDeviceCodeAsync(codeResult).Result;
+               var authResult = await SignInUserAndGetTokenUsingMSAL(scopes);
+
+                // Create authorization header of the form "Bearer {AccessToken}"
+                var authHeader = authResult.CreateAuthorizationHeader();
 
-                var bearerAuthHeader = new AuthenticationHeaderValue("Bearer", result.AccessToken);
-                ListProjects(bearerAuthHeader);
+                ListProjects(authHeader);
             }
             catch (Exception ex)
             {
                 Console.ForegroundColor = ConsoleColor.Red;
                 Console.WriteLine("Something went wrong.");
                 Console.WriteLine("Message: " + ex.Message + "\n");
             }
+            Console.ReadLine();
         }
 
-        private static AuthenticationContext GetAuthenticationContext(string tenant)
+        /// <summary>
+        /// Signs in the user using the device code flow and obtain an access token for Azure DevOps
+        /// </summary>
+        /// <param name="configuration"></param>
+        /// <param name="scopes"></param>
+        /// <returns>AuthenticationResult</returns>
+        private static async Task<AuthenticationResult> SignInUserAndGetTokenUsingMSAL(string[] scopes)
         {
-            AuthenticationContext ctx = null;
-            if (tenant != null)
-                ctx = new AuthenticationContext("https://login.microsoftonline.com/" + tenant);
-            else
+            // Initialize the MSAL library by building a public client application
+            application = PublicClientApplicationBuilder.Create(clientId)
+                                                    .WithAuthority(authority)
+                                                    .WithDefaultRedirectUri()
+                                                    .Build();
+
+
+            AuthenticationResult result;
+
+            try
+            {
+                var accounts = await application.GetAccountsAsync();
+                // Try to acquire an access token from the cache. If device code is required, Exception will be thrown.
+                result = await application.AcquireTokenSilent(scopes, accounts.FirstOrDefault()).ExecuteAsync();
+            }
+            catch (MsalUiRequiredException)
             {
-                ctx = new AuthenticationContext("https://login.windows.net/common");
-                if (ctx.TokenCache.Count > 0)
+                result = await application.AcquireTokenWithDeviceCode(scopes, deviceCodeResult =>
                 {
-                    string homeTenant = ctx.TokenCache.ReadItems().First().TenantId;
-                    ctx = new AuthenticationContext("https://login.microsoftonline.com/" + homeTenant);
-                }
+                    // This will print the message on the console which tells the user where to go sign-in using
+                    // a separate browser and the code to enter once they sign in.
+                    // The AcquireTokenWithDeviceCode() method will poll the server after firing this
+                    // device code callback to look for the successful login of the user via that browser.
+                    // This background polling (whose interval and timeout data is also provided as fields in the
+                    // deviceCodeCallback class) will occur until:
+                    // * The user has successfully logged in via browser and entered the proper code
+                    // * The timeout specified by the server for the lifetime of this code (typically ~15 minutes) has been reached
+                    // * The developing application calls the Cancel() method on a CancellationToken sent into the method.
+                    //   If this occurs, an OperationCanceledException will be thrown (see catch below for more details).
+                    Console.WriteLine(deviceCodeResult.Message);
+                    return Task.FromResult(0);
+                }).ExecuteAsync();
             }
-
-            return ctx;
+            return result;
         }
 
-        private static void ListProjects(AuthenticationHeaderValue authHeader)
+        /// <summary>
+        /// Get all projects in the organization that the authenticated user has access to and print the results.
+        /// </summary>
+        /// <param name="authHeader"></param>
+        private static void ListProjects(string authHeader)
         {
             // use the httpclient
             using (var client = new HttpClient())
             {
-                client.BaseAddress = new Uri(vstsCollectionUrl);
+                client.BaseAddress = new Uri(azureDevOpsOrganizationUrl);
                 client.DefaultRequestHeaders.Accept.Clear();
                 client.DefaultRequestHeaders.Accept.Add(new System.Net.Http.Headers.MediaTypeWithQualityHeaderValue("application/json"));
                 client.DefaultRequestHeaders.Add("User-Agent", "VstsRestApiSamples");
                 client.DefaultRequestHeaders.Add("X-TFS-FedAuthRedirect", "Suppress");
-                client.DefaultRequestHeaders.Authorization = authHeader;
+                client.DefaultRequestHeaders.Add("Authorization", authHeader);
 
                 // connect to the REST endpoint            
                 HttpResponseMessage response = client.GetAsync("_apis/projects?stateFilter=All&api-version=2.2").Result;

DeviceProfileSample/README.md

@@ -1,25 +1,29 @@
 # Device Profile Sample
 
-For a headless text output client application, it is not possible authenticate through an interactive prompt. Instead a text only approach is necessary. This flow leverages a user's external device (i.e. phone) to authenticate through an interactive login prompt and pass the auth token to the headless application. For more information [click here](https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-deviceprofile/?v=17.23h).
+For a headless text output client application, it is not possible authenticate through an interactive prompt. Instead a text only approach is necessary. This flow leverages a user's external device (i.e. phone) to authenticate through an interactive login prompt and pass the auth token to the headless application. For more information [click here](https://azure.microsoft.com/resources/samples/active-directory-dotnet-deviceprofile/?v=17.23h).
+
+If the tenant admin requires device authentication conditional access policies, using the Device profile flow won't be a good option.
 
 ## Sample Application
 
-This buildable sample will walk you through the steps to create a client-side console application which uses ADAL to authenticate a user via the [Device Profile flow](https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-deviceprofile/?v=17.23h) and returns a JSON string containing all account team project data viewable by the authenticated user.
+This sample will walk you through the steps to create a client-side console application which uses **MSAL.NET** to authenticate a user via the [Device Profile flow](https://azure.microsoft.com/resources/samples/active-directory-dotnet-deviceprofile/?v=17.23h) and returns a JSON string containing all account team project data viewable by the authenticated user.
+
+To run this sample you will need:
 
-To run this sample for an [Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-whatis) backed Azure DevOps account you will need:
-* [Visual Studio IDE](https://www.visualstudio.com/vs/)
-* An Azure Active Directory (AAD) tenant. If you do not have one, follow these [steps to set up an AAD](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-howto-tenant)
-* A user account in your AAD tenant
-* A Azure DevOps account backed by your AAD tenant where your user account has access. If you have an existing Azure DevOps account not connected to your AAD tenant follow these [steps to connect your AAD tenant to your Azure DevOps account](https://www.visualstudio.com/en-us/docs/setup-admin/team-services/manage-organization-access-for-your-account-vs)
+- [Visual Studio](https://visualstudio.microsoft.com/downloads/)
+- An **Azure AD** tenant. For more information see: [How to get an Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant)
+- A user account in your **Azure AD** tenant.
+- A Azure DevOps account backed by your AAD tenant where your user account has access. If you have an existing Azure DevOps account not connected to your AAD tenant follow these [steps to connect your AAD tenant to your Azure DevOps account](https://docs.microsoft.com/azure/devops/organizations/accounts/manage-azure-active-directory-groups-vsts?view=vsts&tabs=new-nav)
 
 To run this sample for a [Microsoft Account](https://account.microsoft.com/account) backed Azure DevOps account you will need:
-* [Visual Studio IDE](https://www.visualstudio.com/vs/)
-* A Azure DevOps account not connected to AAD
 
-## Step 1: Clone or download vsts-auth-samples repository
+- Azure DevOps account not connected to AAD.
 
-From a shell or command line: 
-```no-highlight
+## Step 1: Clone or download this repository
+
+From a shell or command line:
+
+```console
 git clone https://github.com/Microsoft/vsts-auth-samples.git
 ```
 
@@ -29,33 +33,35 @@ git clone https://github.com/Microsoft/vsts-auth-samples.git
 If you are a Microsoft Account backed Azure DevOps account please skip this step.
 ```
 
-1. Sign in to the [Azure Portal](https://portal.azure.com).
-2. On the top bar, click on your account and under the Directory list, choose the Active Directory tenant where you wish to register your application.
-3. On the left hand navigation menu, select `Azure Active Directory`.
-4. Click on `App registrations` and select `New application registration` from the top bar.
-5. Enter a `name` for you application, ex. "Adal native app sample", choose `Native` for `application type`, and enter `http://adalsample` for the `Redirect URI`. Finally click `create` at the bottom of the screen.
-6. Save the `Application ID` from your new application registration. You will need it later in this sample.
-7. Grant permissions for Azure DevOps. Click `Required permissions` -> `add` -> `1 Select an API` -> type in and select `Azure DevOps` -> check the box for `Delegated Permissions` -> click `Select` -> click `Done` -> click `Grant Permissions` -> click `Yes`.
+1. Navigate to the Microsoft identity platform for developers [App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page.
+1. Select **New registration**.
+1. In the **Register an application page** that appears, enter your application's registration information:
+   - In the **Name** section, enter a meaningful application name that will be displayed to users of the app, for example `MSAL-DeviceCodeFlow`.
+   - Under **Supported account types**, select **Accounts in this organizational directory only**.
+1. Select **Register** to create the application.
+1. In the app's registration screen, find and note the **Application (client) ID**. You use this value in your app's configuration file(s) later in your code.
+   - In the **Advanced settings** | **Default client type** section, flip the switch for `Treat application as a public client` to **Yes**.
+1. Select **Save** to save your changes.
+1. In the app's registration screen, select the **API permissions** blade in the left to open the page where we add access to the APIs that your application needs.
+   - Select the **Add a permission** button and then,
+   - Ensure that the **Microsoft APIs** tab is selected.
+   - In the list of APIs, select the API `Azure DevOps`.
+   - In the **Delegated permissions** section, select the **user_impersonation** in the list. Use the search box if necessary.
+   - Select the **Add permissions** button at the bottom.
+
+## Step 3: Configure the application to use your app registration
 
-## Step 3: Install and configure ADAL (optional)
+Open the project in your IDE (like Visual Studio or Visual Studio Code) to configure the code.
 
-Package: `Microsoft.Identity.Model.Clients.ActiveDirectory` has already been installed and configured in the sample, but if you are adding to your own project you will need to [install and configure it yourself](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory). 
+> In the steps below, "ClientID" is the same as "Application ID" or "AppId".
 
-## Step 4a: Run the sample (AAD backed Azure DevOps account)
+1. Open the `DeviceProfileSample\App.config` file.
+1. Find the key `ida:ClientID` and replace the existing value with the application ID (clientId) of `ManagedClientConsoleAppSample` app copied from the Azure portal.
+1. Find the key `ida:Tenant` and replace the existing value with your Azure AD tenant ID or tenant domain.
+1. Find the key `ado:OrganizationUrl` and replace the existing value to the URL of your Azure DevOps organization; NOTE: This must use HTTPS.
 
-1. Navigate to the sample in cloned repo `vsts-auth-samples/DeviceProfileSample/`
-2. Open the solution file `DeviceProfileSample.sln` in [Visual Studio 2017](https://www.visualstudio.com/downloads/)
-3. Use [Nuget package restore](https://docs.microsoft.com/en-us/nuget/consume-packages/package-restore) to ensure you have all dependencies installed
-4. Open CS file `Program.cs` and there is a section with input values to change at the top of the class:
-    * `azureDevOpsOrganizationUrl` - Update this value to your VSTS collection URL, e.g. http://dev.azure.com/organization.
-    * `clientId` - Update this value with the `Application ID` you saved in step 2.6.
-5. Build and run solution. You should see a console window with instructions on how to authenticate via the Device Profile flow. After authenticating you should see all team project information viewable by the authenticated identity displayed in the console window.
+## Running the sample
 
-## Step 4b: Run the sample (Microsoft Account backed Azure DevOps account)
+Clean the solution, rebuild the solution, and run it.
 
-1. Navigate to the sample in cloned repo `vsts-auth-samples/DeviceProfileSample/`
-2. Open the solution file `DeviceProfileSample.sln` in [Visual Studio 2017](https://www.visualstudio.com/downloads/)
-3. Use [Nuget package restore](https://docs.microsoft.com/en-us/nuget/consume-packages/package-restore) to ensure you have all dependencies installed
-4. Open CS file `Program.cs` and there is a section with input values to change at the top of the class:
-    * `azureDevOpsOrganizationUrl` - Update this value to your VSTS collection URL, e.g. http://dev.azure.com/organization.
-5. Build and run solution. You should see a console window with instructions on how to authenticate via the Device Profile flow. After authenticating you should see all team project information viewable by the authenticated identity displayed in the console window.
+Use a web browser to open the Url (https://microsoft.com/devicelogin) that is displayed in console app. Input the code presented in the console , sign-in and check the result of the operation back in the console.

ManagedClientConsoleAppSample/App.config

@@ -32,5 +32,14 @@
     <appSettings>
         <!-- Service Bus specific app setings for messaging connections -->
         <add key="Microsoft.ServiceBus.ConnectionString" value="Endpoint=sb://[your namespace].servicebus.windows.net;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=[your secret]" />
+       
+        <!--Azure AD App Registration details-->
+        <add key="ida:Tenant" value="[Enter_the_tenant_Id_Here]" />
+        <add key="ida:ClientId" value="[Enter_the_Application_Id_Here]" />
+      
+        <add key="ida:AADInstance" value="https://login.microsoftonline.com/{0}/v2.0" />
+      
+        <!--URL of Azure DevOps organization-->      
+        <add key="ado:OrganizationUrl" value="http://dev.azure.com/organization" />
     </appSettings>
 </configuration>