public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
// The `Authority` represents the Microsoft v2.0 authentication and authorization service.
// The `Scope` describes the permissions that your app will need. See https://azure.microsoft.com/documentation/articles/active-directory-v2-scopes/
ClientId = appId,
Authority = "https://login.microsoftonline.com/common/v2.0",
PostLogoutRedirectUri = redirectUri,
RedirectUri = redirectUri,
Scope = "openid email profile offline_access " + graphScopes,
TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = false,
// In a real application you would use IssuerValidator for additional checks,
// like making sure the user's organization has signed up for your app.
// IssuerValidator = (issuer, token, tvp) =>
// {
// if (MyCustomTenantValidation(issuer))
// return issuer;
// else
// throw new SecurityTokenInvalidIssuerException("Invalid issuer");
// },
},
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthorizationCodeReceived = async (context) =>
{
var code = context.Code;
string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
ConfidentialClientApplication cca = new ConfidentialClientApplication(
appId,
redirectUri,
new ClientCredential(appSecret),
new SessionTokenCache(signedInUserID, context.OwinContext.Environment["System.Web.HttpContextBase"] as HttpContextBase));
string[] scopes = graphScopes.Split(new char[] { ' ' });
AuthenticationResult result = await cca.AcquireTokenByAuthorizationCodeAsync(scopes, code);
},
AuthenticationFailed = (context) =>
{
context.HandleResponse();
context.Response.Redirect("/Error?message=" + context.Exception.Message);
return Task.FromResult(0);
}
}
});
}
public void GetAuthorizationRequestUrlDuplicateParamsTest()
{
ConfidentialClientApplication app = new ConfidentialClientApplication(TestConstants.DefaultClientId,
TestConstants.DefaultRedirectUri, new ClientCredential(TestConstants.DefaultClientSecret), new TokenCache());
try
{
Task<Uri> task = app.GetAuthorizationRequestUrlAsync(TestConstants.DefaultScope.AsArray(),
TestConstants.DefaultDisplayableId, "[email protected]");
Uri uri = task.Result;
Assert.Fail("MSALException should be thrown here");
}
catch (Exception exc)
{
Assert.IsTrue(exc.InnerException is MsalException);
Assert.AreEqual("duplicate_query_parameter", ((MsalException)exc.InnerException).ErrorCode);
Assert.AreEqual("Duplicate query parameter 'login_hint' in extraQueryParameters", ((MsalException)exc.InnerException).Message);
}
}
// Get an access token. First tries to get the token from the token cache.
public async Task<string> GetUserAccessTokenAsync()
{
string signedInUserID = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier).Value;
tokenCache = new SessionTokenCache(
signedInUserID,
HttpContext.Current.GetOwinContext().Environment["System.Web.HttpContextBase"] as HttpContextBase);
//var cachedItems = tokenCache.ReadItems(appId); // see what's in the cache
ConfidentialClientApplication cca = new ConfidentialClientApplication(
appId,
redirectUri,
new ClientCredential(appSecret),
tokenCache);
try
{
AuthenticationResult result = await cca.AcquireTokenSilentAsync(scopes.Split(new char[] { ' ' }));
return result.Token;
}
// Unable to retrieve the access token silently.
catch (MsalSilentTokenAcquisitionException)
{
HttpContext.Current.Request.GetOwinContext().Authentication.Challenge(
new AuthenticationProperties() { RedirectUri = "/" },
OpenIdConnectAuthenticationDefaults.AuthenticationType);
throw new Exception(Resource.Error_AuthChallengeNeeded);
}
}
public void ConfidentialClientUsingSecretTest()
{
ConfidentialClientApplication app = new ConfidentialClientApplication(TestConstants.DefaultClientId,
TestConstants.DefaultRedirectUri, new ClientCredential(TestConstants.DefaultClientSecret), new TokenCache());
app.AppTokenCache = new TokenCache();
HttpMessageHandlerFactory.MockHandler = new MockHttpMessageHandler()
{
Method = HttpMethod.Post,
ResponseMessage = MockHelpers.CreateSuccessfulClientCredentialTokenResponseMessage()
};
Task<AuthenticationResult> task = app.AcquireTokenForClient(TestConstants.DefaultScope.ToArray(),
TestConstants.DefaultPolicy);
AuthenticationResult result = task.Result;
Assert.IsNotNull(result);
Assert.IsNotNull("header.payload.signature", result.Token);
Assert.AreEqual(TestConstants.DefaultScope.AsSingleString(), result.ScopeSet.AsSingleString());
//make sure user token cache is empty
Assert.AreEqual(0, app.UserTokenCache.Count);
//check app token cache count to be 1
Assert.AreEqual(1, app.AppTokenCache.Count);
//make sure refresh token is null
foreach (var value in app.AppTokenCache.tokenCacheDictionary.Values)
{
Assert.IsNull(value.RefreshToken);
}
}
public static async Task <string> FetchTokenConfidentalAsync(string[] scopes)
{
try
{
Microsoft.Identity.Client.ConfidentialClientApplication cc = new Microsoft.Identity.Client.ConfidentialClientApplication(PBIConfig.ClientId, PBIConfig.RedirectUrl, new Microsoft.Identity.Client.ClientCredential(PBIConfig.ClientSecret), null, null);
// var accounts = await cc.GetAccountsAsync();
// Microsoft.Identity.Client.AuthenticationResult result = await cc.AcquireTokenSilentAsync(scopes, accounts.First());
Microsoft.Identity.Client.AuthenticationResult result = await cc.AcquireTokenForClientAsync(scopes);
return(result.AccessToken);
}
catch (Exception e)
{
Console.WriteLine(e.Message);
}
return(null);
}
public void ConstructorsTest()
{
ConfidentialClientApplication app = new ConfidentialClientApplication(TestConstants.DefaultClientId,
TestConstants.DefaultRedirectUri, new ClientCredential(TestConstants.DefaultClientSecret), new TokenCache());
Assert.IsNotNull(app);
Assert.IsNotNull(app.UserTokenCache);
Assert.IsNotNull(app.AppTokenCache);
Assert.AreEqual("https://login.microsoftonline.com/common/", app.Authority);
Assert.AreEqual(TestConstants.DefaultClientId, app.ClientId);
Assert.AreEqual(TestConstants.DefaultRedirectUri, app.RedirectUri);
Assert.AreEqual("https://login.microsoftonline.com/common/", app.Authority);
Assert.IsNotNull(app.ClientCredential);
Assert.IsNotNull(app.ClientCredential.Secret);
Assert.AreEqual(TestConstants.DefaultClientSecret, app.ClientCredential.Secret);
Assert.IsNull(app.ClientCredential.Certificate);
Assert.IsNull(app.ClientCredential.ClientAssertion);
Assert.AreEqual(0, app.ClientCredential.ValidTo);
app = new ConfidentialClientApplication(TestConstants.DefaultAuthorityGuestTenant,
TestConstants.DefaultClientId,
TestConstants.DefaultRedirectUri, new ClientCredential("secret"), new TokenCache());
Assert.AreEqual(TestConstants.DefaultAuthorityGuestTenant, app.Authority);
}
internal AcquireTokenByAuthorizationCodeParameterBuilder(IConfidentialClientApplicationExecutor confidentialClientApplicationExecutor)
: base(confidentialClientApplicationExecutor)
{
ConfidentialClientApplication.GuardMobileFrameworks();
}
/// <inheritdoc />
internal ConfidentialClientApplicationBuilder(ApplicationConfiguration configuration)
: base(configuration)
{
ConfidentialClientApplication.GuardMobileFrameworks();
}
public void GetAuthorizationRequestUrlCustomRedirectUriTest()
{
ConfidentialClientApplication app = new ConfidentialClientApplication(TestConstants.DefaultClientId,
TestConstants.DefaultRedirectUri, new ClientCredential(TestConstants.DefaultClientSecret), new TokenCache());
Task<Uri> task = app.GetAuthorizationRequestUrlAsync(TestConstants.DefaultScope.AsArray(),
"custom://redirect-uri", TestConstants.DefaultDisplayableId, "extra=qp&prompt=none",
TestConstants.ScopeForAnotherResource.AsArray(), TestConstants.DefaultAuthorityGuestTenant,
TestConstants.DefaultPolicy);
Uri uri = task.Result;
Assert.IsNotNull(uri);
Assert.IsTrue(uri.AbsoluteUri.StartsWith(TestConstants.DefaultAuthorityGuestTenant, StringComparison.CurrentCulture));
Dictionary<string, string> qp = EncodingHelper.ParseKeyValueList(uri.Query.Substring(1), '&', true, null);
Assert.IsNotNull(qp);
Assert.AreEqual(12, qp.Count);
Assert.AreEqual("r1/scope1 r1/scope2 r2/scope1 r2/scope2 openid offline_access", qp["scope"]);
Assert.AreEqual(TestConstants.DefaultClientId, qp["client_id"]);
Assert.AreEqual("code", qp["response_type"]);
Assert.AreEqual("custom://redirect-uri", qp["redirect_uri"]);
Assert.AreEqual(TestConstants.DefaultDisplayableId, qp["login_hint"]);
Assert.AreEqual("MSAL.Desktop", qp["x-client-sku"]);
Assert.IsFalse(string.IsNullOrEmpty(qp["x-client-ver"]));
Assert.IsFalse(string.IsNullOrEmpty(qp["x-client-cpu"]));
Assert.IsFalse(string.IsNullOrEmpty(qp["x-client-os"]));
Assert.AreEqual("qp", qp["extra"]);
Assert.AreEqual("none", qp["prompt"]);
Assert.AreEqual(TestConstants.DefaultPolicy, qp["p"]);
}
public void OBOUserAssertionHashUsernamePassedTest()
{
TokenCache cache = TokenCacheHelper.CreateCacheWithItems();
string someAssertion = "some-assertion-passed-by-developer";
TokenCacheKey key = cache.tokenCacheDictionary.Keys.First();
//update cache entry with hash of an assertion that will not match
cache.tokenCacheDictionary[key].UserAssertionHash =
new CryptographyHelper().CreateSha256Hash(someAssertion);
ConfidentialClientApplication app = new ConfidentialClientApplication(TestConstants.DefaultClientId,
TestConstants.DefaultRedirectUri, new ClientCredential(TestConstants.DefaultClientSecret), new TokenCache());
app.UserTokenCache = cache;
//this is a fail safe. No call should go on network
HttpMessageHandlerFactory.MockHandler = new MockHttpMessageHandler()
{
Method = HttpMethod.Post,
ResponseMessage =
MockHelpers.CreateInvalidGrantTokenResponseMessage()
};
UserAssertion assertion = new UserAssertion(someAssertion, AssertionType, key.DisplayableId);
Task<AuthenticationResult> task = app.AcquireTokenOnBehalfOfAsync(key.Scope.AsArray(),
assertion, key.Authority, TestConstants.DefaultPolicy);
AuthenticationResult result = task.Result;
Assert.IsNotNull(result);
Assert.AreEqual(key.UniqueId, result.User.UniqueId);
Assert.AreEqual(key.DisplayableId, result.User.DisplayableId);
Assert.AreEqual(HashAccessToken,
cache.tokenCacheDictionary[key].UserAssertionHash);
}
public void OBOUserAssertionHashNotFoundTest()
{
TokenCache cache = TokenCacheHelper.CreateCacheWithItems();
string someAssertion = "some-assertion-passed-by-developer";
TokenCacheKey key = cache.tokenCacheDictionary.Keys.First();
//update cache entry with hash of an assertion that will not match
cache.tokenCacheDictionary[key].UserAssertionHash =
new CryptographyHelper().CreateSha256Hash(someAssertion + "-but-not-in-cache");
ConfidentialClientApplication app = new ConfidentialClientApplication(TestConstants.DefaultClientId,
TestConstants.DefaultRedirectUri, new ClientCredential(TestConstants.DefaultClientSecret), new TokenCache());
app.UserTokenCache = cache;
string[] scope = {"mail.read"};
HttpMessageHandlerFactory.MockHandler = new MockHttpMessageHandler()
{
Method = HttpMethod.Post,
ResponseMessage =
MockHelpers.CreateSuccessTokenResponseMessage("unique_id_3", "*****@*****.**", "root_id_3",
scope)
};
UserAssertion assertion = new UserAssertion(someAssertion, AssertionType);
Task<AuthenticationResult> task = app.AcquireTokenOnBehalfOfAsync(key.Scope.AsArray(),
assertion, key.Authority, TestConstants.DefaultPolicy);
AuthenticationResult result = task.Result;
Assert.IsNotNull(result);
Assert.AreEqual("unique_id_3", result.User.UniqueId);
Assert.AreEqual("*****@*****.**", result.User.DisplayableId);
//check for new assertion Hash
AuthenticationResultEx resultEx =
cache.tokenCacheDictionary.Values.First(r => r.Result.User.UniqueId.Equals("unique_id_3"));
Assert.AreEqual(HashAccessToken, resultEx.UserAssertionHash);
}
public void ConfidentialClientUsingCertificateTest()
{
ClientCredential cc = new ClientCredential(new ClientAssertionCertificate(new X509Certificate2("valid_cert.pfx", "password")));
ConfidentialClientApplication app = new ConfidentialClientApplication(TestConstants.DefaultClientId,
TestConstants.DefaultRedirectUri, cc, new TokenCache());
app.AppTokenCache = new TokenCache();
HttpMessageHandlerFactory.MockHandler = new MockHttpMessageHandler()
{
Method = HttpMethod.Post,
ResponseMessage = MockHelpers.CreateSuccessfulClientCredentialTokenResponseMessage()
};
Task<AuthenticationResult> task = app.AcquireTokenForClient(TestConstants.DefaultScope.ToArray(),
TestConstants.DefaultPolicy);
AuthenticationResult result = task.Result;
Assert.IsNotNull(result);
Assert.IsNotNull("header.payload.signature", result.Token);
Assert.AreEqual(TestConstants.DefaultScope.AsSingleString(), result.ScopeSet.AsSingleString());
//make sure user token cache is empty
Assert.AreEqual(0, app.UserTokenCache.Count);
//check app token cache count to be 1
Assert.AreEqual(1, app.AppTokenCache.Count);
//make sure refresh token is null
foreach (var value in app.AppTokenCache.tokenCacheDictionary.Values)
{
Assert.IsNull(value.RefreshToken);
}
//assert client credential
Assert.IsNotNull(cc.ClientAssertion);
Assert.AreNotEqual(0, cc.ValidTo);
//save client assertion.
string cachedAssertion = cc.ClientAssertion.Assertion;
long cacheValidTo = cc.ValidTo;
HttpMessageHandlerFactory.MockHandler = new MockHttpMessageHandler()
{
Method = HttpMethod.Post,
ResponseMessage = MockHelpers.CreateSuccessfulClientCredentialTokenResponseMessage()
};
task = app.AcquireTokenForClient(TestConstants.ScopeForAnotherResource.ToArray(),
TestConstants.DefaultPolicy);
result = task.Result;
Assert.IsNotNull(result);
Assert.AreEqual(cacheValidTo, cc.ValidTo);
Assert.AreEqual(cachedAssertion, cc.ClientAssertion.Assertion);
}
/// <inheritdoc />
public override Task <AuthenticationResult> ExecuteAsync(CancellationToken cancellationToken)
{
ConfidentialClientApplication.GuardMobileFrameworks();
ValidateAndCalculateApiId();
return(ExecuteInternalAsync(cancellationToken));
}
internal AbstractConfidentialClientAcquireTokenParameterBuilder(IConfidentialClientApplicationExecutor confidentialClientApplicationExecutor)
: base(confidentialClientApplicationExecutor.ServiceBundle)
{
ConfidentialClientApplication.GuardMobileFrameworks();
ConfidentialClientApplicationExecutor = confidentialClientApplicationExecutor;
}
/// <summary>
/// Constructor of client (application) credentials from a <see cref="ClientAssertionCertificate"/>
/// </summary>
/// <param name="certificate">contains information about the certificate previously shared with AAD at application
/// registration to prove the identity of the application (the client) requesting the tokens.</param>
public ClientCredential(ClientAssertionCertificate certificate)
{
ConfidentialClientApplication.GuardMobileFrameworks();
Certificate = certificate;
}
