/// <summary>
/// AcquireTokenOnBehalfOfAsync
/// </summary>
public async Task<AuthenticationResult> AcquireTokenOnBehalfOfAsync(string[] scope, UserAssertion userAssertion)
{
Authenticator authenticator = new Authenticator(this.Authority, this.ValidateAuthority, this.CorrelationId);
return
await
this.AcquireTokenOnBehalfCommonAsync(authenticator, scope, userAssertion, null)
.ConfigureAwait(false);
}
/// <summary>
/// Acquires an access token for this application (usually a Web API) from the authority configured in the application,
/// in order to access another downstream protected Web API on behalf of a user using the OAuth 2.0 On-Behalf-Of flow.
/// See https://aka.ms/msal-net-on-behalf-of.
/// This confidential client application was itself called with a token which will be provided in the
/// <paramref name="userAssertion">userAssertion</paramref> parameter.
/// </summary>
/// <param name="scopes">Scopes requested to access a protected API</param>
/// <param name="userAssertion">Instance of <see cref="UserAssertion"/> containing credential information about
/// the user on behalf of whom to get a token.</param>
/// <returns>A builder enabling you to add optional parameters before executing the token request</returns>
/// <remarks>You can also chain the following optional parameters:
/// <see cref="AbstractAcquireTokenParameterBuilder{T}.WithExtraQueryParameters(Dictionary{string, string})"/>
/// </remarks>
public AcquireTokenOnBehalfOfParameterBuilder AcquireTokenOnBehalfOf(
IEnumerable <string> scopes,
UserAssertion userAssertion)
{
return(AcquireTokenOnBehalfOfParameterBuilder.Create(
ClientExecutorFactory.CreateConfidentialClientExecutor(this),
scopes,
userAssertion));
}
internal static AcquireTokenOnBehalfOfParameterBuilder Create(
IConfidentialClientApplicationExecutor confidentialClientApplicationExecutor,
IEnumerable <string> scopes,
UserAssertion userAssertion)
{
return(new AcquireTokenOnBehalfOfParameterBuilder(confidentialClientApplicationExecutor)
.WithScopes(scopes)
.WithUserAssertion(userAssertion));
}
/// <summary>
/// Acquires an access token for this application (usually a Web API) from the authority configured in the application,
/// in order to access another downstream protected web API on behalf of a user using the OAuth 2.0 On-Behalf-Of flow.
/// See https://aka.ms/msal-net-on-behalf-of.
/// This confidential client application was itself called with a token which will be provided in the
/// <paramref name="userAssertion">userAssertion</paramref> parameter.
/// </summary>
/// <param name="scopes">Scopes requested to access a protected API</param>
/// <param name="userAssertion">Instance of <see cref="UserAssertion"/> containing credential information about
/// the user on behalf of whom to get a token.</param>
/// <returns>A builder enabling you to add optional parameters before executing the token request</returns>
/// <remarks>You can also chain the following optional parameters:
/// <see cref="AbstractAcquireTokenParameterBuilder{T}.WithExtraQueryParameters(Dictionary{string, string})"/>
/// </remarks>
public AcquireTokenOnBehalfOfParameterBuilder AcquireTokenOnBehalfOf(
IEnumerable <string> scopes,
UserAssertion userAssertion)
{
if (userAssertion == null)
{
ServiceBundle.ApplicationLogger.Error("User assertion for OBO request should not be null");
throw new MsalClientException(MsalError.UserAssertionNullError);
}
return(AcquireTokenOnBehalfOfParameterBuilder.Create(
ClientExecutorFactory.CreateConfidentialClientExecutor(this),
scopes,
userAssertion));
}
/// <inheritdoc />
public AcquireTokenOnBehalfOfParameterBuilder InitiateLongRunningProcessInWebApi(
IEnumerable <string> scopes,
string userToken,
ref string longRunningProcessSessionKey)
{
if (string.IsNullOrEmpty(userToken))
{
throw new ArgumentNullException(nameof(userToken));
}
UserAssertion userAssertion = new UserAssertion(userToken);
if (string.IsNullOrEmpty(longRunningProcessSessionKey))
{
longRunningProcessSessionKey = userAssertion.AssertionHash;
}
return(AcquireTokenOnBehalfOfParameterBuilder.Create(
ClientExecutorFactory.CreateConfidentialClientExecutor(this),
scopes,
userAssertion,
longRunningProcessSessionKey));
}
private AcquireTokenOnBehalfOfParameterBuilder WithUserAssertion(UserAssertion userAssertion)
{
CommonParameters.AddApiTelemetryFeature(ApiTelemetryFeature.WithUserAssertion);
Parameters.UserAssertion = userAssertion;
return(this);
}
private AcquireTokenOnBehalfOfParameterBuilder WithUserAssertion(UserAssertion userAssertion)
{
Parameters.UserAssertion = userAssertion;
return(this);
}
private async Task <AuthenticationResult> AcquireTokenOnBehalfCommonAsync(Authority authority,
string[] scope, UserAssertion userAssertion, string policy)
{
var requestParams = this.CreateRequestParameters(authority, scope, policy, null, this.UserTokenCache);
requestParams.UserAssertion = userAssertion;
var handler = new OnBehalfOfRequest(requestParams);
return(await handler.RunAsync().ConfigureAwait(false));
}
/// <summary>
/// Acquires token using On-Behalf-Of flow.
/// </summary>
/// <param name="scopes">Array of scopes requested for resource</param>
/// <param name="userAssertion">Instance of UserAssertion containing user's token.</param>
/// <returns>Authentication result containing token of the user for the requested scopes</returns>
public async Task <AuthenticationResult> AcquireTokenOnBehalfOfAsync(IEnumerable <string> scopes, UserAssertion userAssertion)
{
Authority authority = Internal.Instance.Authority.CreateAuthority(Authority, ValidateAuthority);
return
(await
AcquireTokenOnBehalfCommonAsync(authority, scopes, userAssertion, ApiEvent.ApiIds.AcquireTokenOnBehalfOfWithScopeUser)
.ConfigureAwait(false));
}
private async Task<AuthenticationResult> AcquireTokenOnBehalfCommonAsync(Authenticator authenticator, string[] scope, UserAssertion userAssertion, string policy)
{
var handler = new OnBehalfOfRequest(this.GetHandlerData(authenticator, scope, policy, this.UserTokenCache), userAssertion);
return await handler.RunAsync();
}
/// <summary>
/// AcquireTokenOnBehalfOfAsync
/// </summary>
public async Task <AuthenticationResult> AcquireTokenOnBehalfOfAsync(string[] scope, UserAssertion userAssertion)
{
Authority authority = Internal.Instance.Authority.CreateAuthority(this.Authority, this.ValidateAuthority);
return
(await
this.AcquireTokenOnBehalfCommonAsync(authority, scope, userAssertion, null)
.ConfigureAwait(false));
}
/// <summary>
/// Acquires an access token for this application (usually a Web API) from the authority configured in the application, in order to access
/// another downstream protected Web API on behalf of a user using the OAuth 2.0 On-Behalf-Of flow. (See https://aka.ms/msal-net-on-behalf-of).
/// This confidential client application was itself called with a token which will be provided in the
/// <paramref name="userAssertion">userAssertion</paramref> parameter.
/// </summary>
/// <param name="scopes">Scopes requested to access a protected API</param>
/// <param name="userAssertion">Instance of <see cref="UserAssertion"/> containing credential information about
/// the user on behalf of whom to get a token.</param>
/// <returns>Authentication result containing a token for the requested scopes and account</returns>
/// <seealso cref="AcquireTokenOnBehalfOfAsync(IEnumerable{string}, UserAssertion, string)"/> for the on-behalf-of flow when specifying the authority
public async Task <AuthenticationResult> AcquireTokenOnBehalfOfAsync(IEnumerable <string> scopes, UserAssertion userAssertion)
{
GuardMobileFrameworks();
Authority authority = Instance.Authority.CreateAuthority(ServiceBundle, Authority, ValidateAuthority);
return
(await
AcquireTokenOnBehalfCommonAsync(authority, scopes, userAssertion, ApiEvent.ApiIds.AcquireTokenOnBehalfOfWithScopeUser, false)
.ConfigureAwait(false));
}
/// <summary>
/// Acquires an access token for this application (usually a Web API) from a specific authority, in order to access
/// another downstream protected Web API on behalf of a user (See https://aka.ms/msal-net-on-behalf-of).
/// This confidential client application was itself called with a token which will be provided in the
/// This override sends the certificate, which helps certificate rotation in Azure AD
/// <paramref name="userAssertion">userAssertion</paramref> parameter.
/// </summary>
/// <param name="scopes">Scopes requested to access a protected API</param>
/// <param name="userAssertion">Instance of <see cref="UserAssertion"/> containing credential information about
/// the user on behalf of whom to get a token.</param>
/// <param name="authority">Specific authority for which the token is requested. Passing a different value than configured does not change the configured value</param>
/// <returns>Authentication result containing a token for the requested scopes and account</returns>
async Task <AuthenticationResult> IConfidentialClientApplicationWithCertificate.AcquireTokenOnBehalfOfWithCertificateAsync(IEnumerable <string> scopes, UserAssertion userAssertion,
string authority)
{
GuardMobileFrameworks();
Authority authorityInstance = Instance.Authority.CreateAuthority(ServiceBundle, authority, ValidateAuthority);
return
(await
AcquireTokenOnBehalfCommonAsync(authorityInstance, scopes, userAssertion, ApiEvent.ApiIds.AcquireTokenOnBehalfOfWithScopeUserAuthority, true)
.ConfigureAwait(false));
}
private async Task <AuthenticationResult> AcquireTokenOnBehalfCommonAsync(Authority authority,
IEnumerable <string> scopes, UserAssertion userAssertion, ApiEvent.ApiIds apiId)
{
var requestParams = CreateRequestParameters(authority, scopes, null, UserTokenCache);
requestParams.UserAssertion = userAssertion;
var handler = new OnBehalfOfRequest(requestParams)
{
ApiId = apiId, IsConfidentialClient = true
};
return(await handler.RunAsync().ConfigureAwait(false));
}
public void OBOUserAssertionHashUsernamePassedTest()
{
TokenCache cache = TokenCacheHelper.CreateCacheWithItems();
string someAssertion = "some-assertion-passed-by-developer";
TokenCacheKey key = cache.tokenCacheDictionary.Keys.First();
//update cache entry with hash of an assertion that will not match
cache.tokenCacheDictionary[key].UserAssertionHash =
new CryptographyHelper().CreateSha256Hash(someAssertion);
ConfidentialClientApplication app = new ConfidentialClientApplication(TestConstants.DefaultClientId,
TestConstants.DefaultRedirectUri, new ClientCredential(TestConstants.DefaultClientSecret), new TokenCache());
app.UserTokenCache = cache;
//this is a fail safe. No call should go on network
HttpMessageHandlerFactory.MockHandler = new MockHttpMessageHandler()
{
Method = HttpMethod.Post,
ResponseMessage =
MockHelpers.CreateInvalidGrantTokenResponseMessage()
};
UserAssertion assertion = new UserAssertion(someAssertion, AssertionType, key.DisplayableId);
Task<AuthenticationResult> task = app.AcquireTokenOnBehalfOfAsync(key.Scope.AsArray(),
assertion, key.Authority, TestConstants.DefaultPolicy);
AuthenticationResult result = task.Result;
Assert.IsNotNull(result);
Assert.AreEqual(key.UniqueId, result.User.UniqueId);
Assert.AreEqual(key.DisplayableId, result.User.DisplayableId);
Assert.AreEqual(HashAccessToken,
cache.tokenCacheDictionary[key].UserAssertionHash);
}
public void OBOUserAssertionHashNotFoundTest()
{
TokenCache cache = TokenCacheHelper.CreateCacheWithItems();
string someAssertion = "some-assertion-passed-by-developer";
TokenCacheKey key = cache.tokenCacheDictionary.Keys.First();
//update cache entry with hash of an assertion that will not match
cache.tokenCacheDictionary[key].UserAssertionHash =
new CryptographyHelper().CreateSha256Hash(someAssertion + "-but-not-in-cache");
ConfidentialClientApplication app = new ConfidentialClientApplication(TestConstants.DefaultClientId,
TestConstants.DefaultRedirectUri, new ClientCredential(TestConstants.DefaultClientSecret), new TokenCache());
app.UserTokenCache = cache;
string[] scope = {"mail.read"};
HttpMessageHandlerFactory.MockHandler = new MockHttpMessageHandler()
{
Method = HttpMethod.Post,
ResponseMessage =
MockHelpers.CreateSuccessTokenResponseMessage("unique_id_3", "*****@*****.**", "root_id_3",
scope)
};
UserAssertion assertion = new UserAssertion(someAssertion, AssertionType);
Task<AuthenticationResult> task = app.AcquireTokenOnBehalfOfAsync(key.Scope.AsArray(),
assertion, key.Authority, TestConstants.DefaultPolicy);
AuthenticationResult result = task.Result;
Assert.IsNotNull(result);
Assert.AreEqual("unique_id_3", result.User.UniqueId);
Assert.AreEqual("*****@*****.**", result.User.DisplayableId);
//check for new assertion Hash
AuthenticationResultEx resultEx =
cache.tokenCacheDictionary.Values.First(r => r.Result.User.UniqueId.Equals("unique_id_3"));
Assert.AreEqual(HashAccessToken, resultEx.UserAssertionHash);
}
/// <summary>
/// AcquireTokenOnBehalfOfAsync
/// </summary>
public async Task <AuthenticationResult> AcquireTokenOnBehalfOfAsync(string[] scope, UserAssertion userAssertion, string authority, string policy)
{
Authenticator authenticator = new Authenticator(authority, this.ValidateAuthority, this.CorrelationId);
return
(await
this.AcquireTokenOnBehalfCommonAsync(authenticator, scope, userAssertion, policy)
.ConfigureAwait(false));
}
private async Task <AuthenticationResult> AcquireTokenOnBehalfCommonAsync(Authenticator authenticator, string[] scope, UserAssertion userAssertion, string policy)
{
var handler = new OnBehalfOfRequest(this.GetHandlerData(authenticator, scope, policy, this.UserTokenCache), userAssertion);
return(await handler.RunAsync());
}