private void InitializeTests(
bool isB2C,
string tokenVersion)
{
_options = new MicrosoftIdentityOptions
{
ClientId = TestConstants.ClientId,
};
if (isB2C)
{
_options.SignUpSignInPolicyId = TestConstants.B2CSignUpSignInUserFlow;
}
if (tokenVersion == V2 || isB2C)
{
_expectedAudience = _options.ClientId;
}
else
{
_expectedAudience = $"api://{_options.ClientId}";
}
IEnumerable <Claim> claims = new Claim[]
{
new Claim(Version, tokenVersion),
new Claim(Audience, _expectedAudience),
};
_token = new JwtSecurityToken(null, null, claims);
_validationParams = new TokenValidationParameters();
_registerValidAudience = new RegisterValidAudience();
_registerValidAudience.RegisterAudienceValidation(_validationParams, _options);
_validAudiences = new List <string> {
_expectedAudience
};
}
private static void AddMicrosoftIdentityWebApiImplementation(
AuthenticationBuilder builder,
Action <JwtBearerOptions> configureJwtBearerOptions,
Action <MicrosoftIdentityOptions> configureMicrosoftIdentityOptions,
string jwtBearerScheme,
bool subscribeToJwtBearerMiddlewareDiagnosticsEvents)
{
builder.AddJwtBearer(jwtBearerScheme, configureJwtBearerOptions);
builder.Services.Configure(jwtBearerScheme, configureMicrosoftIdentityOptions);
builder.Services.TryAddEnumerable(ServiceDescriptor.Singleton <IValidateOptions <MicrosoftIdentityOptions>, MicrosoftIdentityOptionsValidation>());
builder.Services.AddHttpContextAccessor();
builder.Services.AddHttpClient();
builder.Services.TryAddSingleton <MicrosoftIdentityIssuerValidatorFactory>();
builder.Services.AddOptions <AadIssuerValidatorOptions>();
if (subscribeToJwtBearerMiddlewareDiagnosticsEvents)
{
builder.Services.AddSingleton <IJwtBearerMiddlewareDiagnostics, JwtBearerMiddlewareDiagnostics>();
}
// Change the authentication configuration to accommodate the Microsoft identity platform endpoint (v2.0).
builder.Services.AddOptions <JwtBearerOptions>(jwtBearerScheme)
.Configure <IServiceProvider, IOptionsMonitor <MicrosoftIdentityOptions> >((options, serviceProvider, microsoftIdentityOptionsMonitor) =>
{
var microsoftIdentityOptions = microsoftIdentityOptionsMonitor.Get(jwtBearerScheme);
if (string.IsNullOrWhiteSpace(options.Authority))
{
options.Authority = AuthorityHelpers.BuildAuthority(microsoftIdentityOptions);
}
// This is a Microsoft identity platform web API
options.Authority = AuthorityHelpers.EnsureAuthorityIsV2(options.Authority);
if (options.TokenValidationParameters.AudienceValidator == null &&
options.TokenValidationParameters.ValidAudience == null &&
options.TokenValidationParameters.ValidAudiences == null)
{
RegisterValidAudience registerAudience = new RegisterValidAudience();
registerAudience.RegisterAudienceValidation(
options.TokenValidationParameters,
microsoftIdentityOptions);
}
// If the developer registered an IssuerValidator, do not overwrite it
if (options.TokenValidationParameters.IssuerValidator == null)
{
// Instead of using the default validation (validating against a single tenant, as we do in line of business apps),
// we inject our own multi-tenant validation logic (which even accepts both v1.0 and v2.0 tokens)
MicrosoftIdentityIssuerValidatorFactory microsoftIdentityIssuerValidatorFactory =
serviceProvider.GetRequiredService <MicrosoftIdentityIssuerValidatorFactory>();
options.TokenValidationParameters.IssuerValidator =
microsoftIdentityIssuerValidatorFactory.GetAadIssuerValidator(options.Authority).Validate;
}
// If you provide a token decryption certificate, it will be used to decrypt the token
if (microsoftIdentityOptions.TokenDecryptionCertificates != null)
{
options.TokenValidationParameters.TokenDecryptionKey =
new X509SecurityKey(DefaultCertificateLoader.LoadFirstCertificate(microsoftIdentityOptions.TokenDecryptionCertificates));
}
if (options.Events == null)
{
options.Events = new JwtBearerEvents();
}
// When an access token for our own web API is validated, we add it to MSAL.NET's cache so that it can
// be used from the controllers.
var tokenValidatedHandler = options.Events.OnTokenValidated;
options.Events.OnTokenValidated = async context =>
{
if (!microsoftIdentityOptions.AllowWebApiToBeAuthorizedByACL)
{
// This check is required to ensure that the web API only accepts tokens from tenants where it has been consented and provisioned.
if (!context.Principal.Claims.Any(x => x.Type == ClaimConstants.Scope) &&
!context.Principal.Claims.Any(y => y.Type == ClaimConstants.Scp) &&
!context.Principal.Claims.Any(y => y.Type == ClaimConstants.Roles) &&
!context.Principal.Claims.Any(y => y.Type == ClaimConstants.Role))
{
throw new UnauthorizedAccessException(IDWebErrorMessage.NeitherScopeOrRolesClaimFoundInToken);
}
}
await tokenValidatedHandler(context).ConfigureAwait(false);
};
if (subscribeToJwtBearerMiddlewareDiagnosticsEvents)
{
var diagnostics = serviceProvider.GetRequiredService <IJwtBearerMiddlewareDiagnostics>();
diagnostics.Subscribe(options.Events);
}
});
}
/// <summary>
/// Protects the Web API with Microsoft identity platform (formerly Azure AD v2.0)
/// This method expects the configuration file will have a section, named "AzureAd" as default, with the necessary settings to initialize authentication options.
/// </summary>
/// <param name="builder">AuthenticationBuilder to which to add this configuration.</param>
/// <param name="configureJwtBearerOptions">The action to configure <see cref="JwtBearerOptions"/>.</param>
/// <param name="configureMicrosoftIdentityOptions">The action to configure the <see cref="MicrosoftIdentityOptions"/>
/// configuration options.</param>
/// <param name="tokenDecryptionCertificate">Token decryption certificate.</param>
/// <param name="jwtBearerScheme">The JwtBearer scheme name to be used. By default it uses "Bearer".</param>
/// <param name="subscribeToJwtBearerMiddlewareDiagnosticsEvents">
/// Set to true if you want to debug, or just understand the JwtBearer events.
/// </param>
/// <returns>The authentication builder to chain.</returns>
public static AuthenticationBuilder AddProtectedWebApi(
this AuthenticationBuilder builder,
Action <JwtBearerOptions> configureJwtBearerOptions,
Action <MicrosoftIdentityOptions> configureMicrosoftIdentityOptions,
X509Certificate2 tokenDecryptionCertificate = null,
string jwtBearerScheme = JwtBearerDefaults.AuthenticationScheme,
bool subscribeToJwtBearerMiddlewareDiagnosticsEvents = false)
{
if (builder == null)
{
throw new ArgumentNullException(nameof(builder));
}
builder.Services.Configure(jwtBearerScheme, configureJwtBearerOptions);
builder.Services.Configure <MicrosoftIdentityOptions>(configureMicrosoftIdentityOptions);
builder.Services.TryAddEnumerable(ServiceDescriptor.Singleton <IValidateOptions <MicrosoftIdentityOptions>, MicrosoftIdentityOptionsValidation>());
builder.Services.AddHttpContextAccessor();
builder.Services.AddSingleton <IJwtBearerMiddlewareDiagnostics, JwtBearerMiddlewareDiagnostics>();
builder.Services.AddHttpClient();
// Change the authentication configuration to accommodate the Microsoft identity platform endpoint (v2.0).
builder.AddJwtBearer(jwtBearerScheme, options =>
{
// TODO:
// Suspect. Why not get the IOption<MicrosoftIdentityOptions>?
var microsoftIdentityOptions = new MicrosoftIdentityOptions(); // configuration.GetSection(configSectionName).Get<MicrosoftIdentityOptions>();
configureMicrosoftIdentityOptions(microsoftIdentityOptions);
if (string.IsNullOrWhiteSpace(options.Authority))
{
options.Authority = AuthorityHelpers.BuildAuthority(microsoftIdentityOptions);
}
// This is a Microsoft identity platform Web API
options.Authority = AuthorityHelpers.EnsureAuthorityIsV2(options.Authority);
if (options.TokenValidationParameters.AudienceValidator == null)
{
RegisterValidAudience registerAudience = new RegisterValidAudience();
registerAudience.RegisterAudienceValidation(
options.TokenValidationParameters,
microsoftIdentityOptions);
}
// If the developer registered an IssuerValidator, do not overwrite it
if (options.TokenValidationParameters.IssuerValidator == null)
{
// Instead of using the default validation (validating against a single tenant, as we do in line of business apps),
// we inject our own multi-tenant validation logic (which even accepts both v1.0 and v2.0 tokens)
options.TokenValidationParameters.IssuerValidator = AadIssuerValidator.GetIssuerValidator(options.Authority).Validate;
}
// If you provide a token decryption certificate, it will be used to decrypt the token
if (tokenDecryptionCertificate != null)
{
options.TokenValidationParameters.TokenDecryptionKey = new X509SecurityKey(tokenDecryptionCertificate);
}
else if (tokenDecryptionCertificate == null && microsoftIdentityOptions.TokenDecryptionCertificates != null)
{
options.TokenValidationParameters.TokenDecryptionKey =
new X509SecurityKey(DefaultCertificateLoader.LoadFirstCertificate(microsoftIdentityOptions.TokenDecryptionCertificates));
}
if (options.Events == null)
{
options.Events = new JwtBearerEvents();
}
// When an access token for our own Web API is validated, we add it to MSAL.NET's cache so that it can
// be used from the controllers.
var tokenValidatedHandler = options.Events.OnTokenValidated;
options.Events.OnTokenValidated = async context =>
{
// This check is required to ensure that the Web API only accepts tokens from tenants where it has been consented and provisioned.
if (!context.Principal.Claims.Any(x => x.Type == ClaimConstants.Scope) &&
!context.Principal.Claims.Any(y => y.Type == ClaimConstants.Scp) &&
!context.Principal.Claims.Any(y => y.Type == ClaimConstants.Roles) &&
!context.Principal.Claims.Any(y => y.Type == ClaimConstants.Role))
{
throw new UnauthorizedAccessException("Neither scope or roles claim was found in the bearer token.");
}
await tokenValidatedHandler(context).ConfigureAwait(false);
};
if (subscribeToJwtBearerMiddlewareDiagnosticsEvents)
{
var diags = builder.Services.BuildServiceProvider().GetRequiredService <IJwtBearerMiddlewareDiagnostics>();
diags.Subscribe(options.Events);
}
});
return(builder);
}
private static void AddMicrosoftIdentityWebApiImplementation(
AuthenticationBuilder builder,
Action <JwtBearerOptions> configureJwtBearerOptions,
Action <MicrosoftIdentityOptions> configureMicrosoftIdentityOptions,
string jwtBearerScheme,
bool subscribeToJwtBearerMiddlewareDiagnosticsEvents)
{
builder.AddJwtBearer(jwtBearerScheme, configureJwtBearerOptions);
builder.Services.Configure(jwtBearerScheme, configureMicrosoftIdentityOptions);
builder.Services.AddHttpContextAccessor();
builder.Services.AddHttpClient();
builder.Services.TryAddSingleton <MicrosoftIdentityIssuerValidatorFactory>();
builder.Services.AddRequiredScopeAuthorization();
builder.Services.AddRequiredScopeOrAppPermissionAuthorization();
builder.Services.AddOptions <AadIssuerValidatorOptions>();
if (subscribeToJwtBearerMiddlewareDiagnosticsEvents)
{
builder.Services.AddTransient <IJwtBearerMiddlewareDiagnostics, JwtBearerMiddlewareDiagnostics>();
}
// Change the authentication configuration to accommodate the Microsoft identity platform endpoint (v2.0).
builder.Services.AddOptions <JwtBearerOptions>(jwtBearerScheme)
.Configure <IServiceProvider, IOptionsMonitor <MergedOptions>, IOptionsMonitor <MicrosoftIdentityOptions>, IOptions <MicrosoftIdentityOptions> >((
options,
serviceProvider,
mergedOptionsMonitor,
msIdOptionsMonitor,
msIdOptions) =>
{
MicrosoftIdentityBaseAuthenticationBuilder.SetIdentityModelLogger(serviceProvider);
MergedOptions mergedOptions = mergedOptionsMonitor.Get(jwtBearerScheme);
MergedOptions.UpdateMergedOptionsFromJwtBearerOptions(options, mergedOptions);
MergedOptions.UpdateMergedOptionsFromMicrosoftIdentityOptions(msIdOptions.Value, mergedOptions);
MergedOptions.UpdateMergedOptionsFromMicrosoftIdentityOptions(msIdOptionsMonitor.Get(jwtBearerScheme), mergedOptions);
MergedOptionsValidation.Validate(mergedOptions);
if (string.IsNullOrWhiteSpace(options.Authority))
{
options.Authority = AuthorityHelpers.BuildAuthority(mergedOptions);
}
// This is a Microsoft identity platform web API
options.Authority = AuthorityHelpers.EnsureAuthorityIsV2(options.Authority);
if (options.TokenValidationParameters.AudienceValidator == null &&
options.TokenValidationParameters.ValidAudience == null &&
options.TokenValidationParameters.ValidAudiences == null)
{
RegisterValidAudience registerAudience = new RegisterValidAudience();
registerAudience.RegisterAudienceValidation(
options.TokenValidationParameters,
mergedOptions);
}
// If the developer registered an IssuerValidator, do not overwrite it
if (options.TokenValidationParameters.ValidateIssuer && options.TokenValidationParameters.IssuerValidator == null)
{
// Instead of using the default validation (validating against a single tenant, as we do in line of business apps),
// we inject our own multi-tenant validation logic (which even accepts both v1.0 and v2.0 tokens)
MicrosoftIdentityIssuerValidatorFactory microsoftIdentityIssuerValidatorFactory =
serviceProvider.GetRequiredService <MicrosoftIdentityIssuerValidatorFactory>();
options.TokenValidationParameters.IssuerValidator =
microsoftIdentityIssuerValidatorFactory.GetAadIssuerValidator(options.Authority).Validate;
}
// If you provide a token decryption certificate, it will be used to decrypt the token
if (mergedOptions.TokenDecryptionCertificates != null)
{
DefaultCertificateLoader.UserAssignedManagedIdentityClientId = mergedOptions.UserAssignedManagedIdentityClientId;
IEnumerable <X509Certificate2?> certificates = DefaultCertificateLoader.LoadAllCertificates(mergedOptions.TokenDecryptionCertificates);
IEnumerable <X509SecurityKey> keys = certificates.Select(c => new X509SecurityKey(c));
options.TokenValidationParameters.TokenDecryptionKeys = keys;
}
if (options.Events == null)
{
options.Events = new JwtBearerEvents();
}
// When an access token for our own web API is validated, we add it to MSAL.NET's cache so that it can
// be used from the controllers.
if (!mergedOptions.AllowWebApiToBeAuthorizedByACL)
{
ChainOnTokenValidatedEventForClaimsValidation(options.Events, jwtBearerScheme);
}
if (subscribeToJwtBearerMiddlewareDiagnosticsEvents)
{
var diagnostics = serviceProvider.GetRequiredService <IJwtBearerMiddlewareDiagnostics>();
diagnostics.Subscribe(options.Events);
}
});
}
