private async Task <AuthenticationResult> GetNewAccessTokenAsync(AuthenticationProviderOption msalAuthProviderOption)
{
AuthenticationResult authenticationResult = null;
int retryCount = 0;
do
{
try
{
if (!string.IsNullOrEmpty(msalAuthProviderOption.UserAccount?.Email))
{
authenticationResult = await ClientApplication.AcquireTokenByIntegratedWindowsAuth(msalAuthProviderOption.Scopes)
.WithUsername(msalAuthProviderOption.UserAccount.Email)
.ExecuteAsync();
}
else
{
authenticationResult = await ClientApplication.AcquireTokenByIntegratedWindowsAuth(Scopes)
.ExecuteAsync();
}
break;
}
catch (MsalServiceException serviceException)
{
if (serviceException.ErrorCode == ErrorConstants.Codes.TemporarilyUnavailable)
{
TimeSpan delay = this.GetRetryAfter(serviceException);
retryCount++;
// pause execution
await Task.Delay(delay);
}
else
{
throw new AuthenticationException(
new Error
{
Code = ErrorConstants.Codes.GeneralException,
Message = ErrorConstants.Message.UnexpectedMsalException
},
serviceException);
}
}
catch (Exception exception)
{
throw new AuthenticationException(
new Error
{
Code = ErrorConstants.Codes.GeneralException,
Message = ErrorConstants.Message.UnexpectedException
},
exception);
}
} while (retryCount < msalAuthProviderOption.MaxRetry);
return(authenticationResult);
}
/// <summary>
/// Sets <see cref="UserAssertion"/> for this request.
/// This should only be used with <see cref="OnBehalfOfProvider"/>.
/// </summary>
/// <param name="baseRequest">The <see cref="IBaseRequest"/>.</param>
/// <param name="userAssertion">A <see cref="UserAssertion"/> for the user.</param>
public static T WithUserAssertion <T>(this T baseRequest, UserAssertion userAssertion) where T : IBaseRequest
{
string authHandlerOptionKey = typeof(AuthenticationHandlerOption).ToString();
AuthenticationHandlerOption authHandlerOptions = baseRequest.MiddlewareOptions[authHandlerOptionKey] as AuthenticationHandlerOption;
AuthenticationProviderOption msalAuthProviderOption = authHandlerOptions.AuthenticationProviderOption as AuthenticationProviderOption ?? new AuthenticationProviderOption();
msalAuthProviderOption.UserAssertion = userAssertion;
authHandlerOptions.AuthenticationProviderOption = msalAuthProviderOption;
baseRequest.MiddlewareOptions[authHandlerOptionKey] = authHandlerOptions;
return(baseRequest);
}
/// <summary>
/// Sets Microsoft Graph's scopes that will be used by <see cref="IAuthenticationProvider"/> to authenticate this request
/// and can be used to perform incremental scope consent.
/// This only works with the default authentication handler and default set of Microsoft graph authentication providers.
/// If you use a custom authentication handler or authentication provider, you have to handle it's retrieval in your implementation.
/// </summary>
/// <param name="baseRequest">The <see cref="IBaseRequest"/>.</param>
/// <param name="scopes">Microsoft graph scopes used to authenticate this request.</param>
public static T WithScopes <T>(this T baseRequest, string[] scopes) where T : IBaseRequest
{
string authHandlerOptionKey = typeof(AuthenticationHandlerOption).ToString();
AuthenticationHandlerOption authHandlerOptions = baseRequest.MiddlewareOptions[authHandlerOptionKey] as AuthenticationHandlerOption;
AuthenticationProviderOption msalAuthProviderOption = authHandlerOptions.AuthenticationProviderOption as AuthenticationProviderOption ?? new AuthenticationProviderOption();
msalAuthProviderOption.Scopes = scopes;
authHandlerOptions.AuthenticationProviderOption = msalAuthProviderOption;
baseRequest.MiddlewareOptions[authHandlerOptionKey] = authHandlerOptions;
return(baseRequest);
}
/// <summary>
/// Sets MSAL's force refresh flag to <see cref="IAuthenticationProvider"/> for this request. If set to true, <see cref="IAuthenticationProvider"/> will refresh existing access token in cahce.
/// This defaults to false if not set.
/// </summary>
/// <param name="baseRequest">The <see cref="IBaseRequest"/>.</param>
/// <param name="forceRefresh">A <see cref="bool"/> flag to determine whether refresh access token or not.</param>
public static T WithForceRefresh <T>(this T baseRequest, bool forceRefresh) where T : IBaseRequest
{
string authHandlerOptionKey = typeof(AuthenticationHandlerOption).ToString();
AuthenticationHandlerOption authHandlerOptions = baseRequest.MiddlewareOptions[authHandlerOptionKey] as AuthenticationHandlerOption;
AuthenticationProviderOption msalAuthProviderOption = authHandlerOptions.AuthenticationProviderOption as AuthenticationProviderOption ?? new AuthenticationProviderOption();
msalAuthProviderOption.ForceRefresh = forceRefresh;
authHandlerOptions.AuthenticationProviderOption = msalAuthProviderOption;
baseRequest.MiddlewareOptions[authHandlerOptionKey] = authHandlerOptions;
return(baseRequest);
}
/// <summary>
/// Adds an authentication header to the incoming request by checking the application's <see cref="TokenCache"/>
/// for an unexpired access token. If a token is not found or expired, it gets a new one.
/// </summary>
/// <param name="httpRequestMessage">A <see cref="HttpRequestMessage"/> to authenticate</param>
public async Task AuthenticateRequestAsync(HttpRequestMessage httpRequestMessage)
{
AuthenticationProviderOption msalAuthProviderOption = httpRequestMessage.GetMsalAuthProviderOption();
int retryCount = 0;
do
{
try
{
AuthenticationResult authenticationResult = await ClientApplication.AcquireTokenForClient(new string[] { AuthConstants.DefaultScopeUrl })
.WithForceRefresh(msalAuthProviderOption.ForceRefresh)
.ExecuteAsync();
if (!string.IsNullOrEmpty(authenticationResult?.AccessToken))
{
httpRequestMessage.Headers.Authorization = new AuthenticationHeaderValue(CoreConstants.Headers.Bearer, authenticationResult.AccessToken);
}
break;
}
catch (MsalServiceException serviceException)
{
if (serviceException.ErrorCode == ErrorConstants.Codes.TemporarilyUnavailable)
{
TimeSpan delay = this.GetRetryAfter(serviceException);
retryCount++;
// pause execution
await Task.Delay(delay);
}
else
{
throw new AuthenticationException(
new Error
{
Code = ErrorConstants.Codes.GeneralException,
Message = ErrorConstants.Message.UnexpectedMsalException
},
serviceException);
}
}
catch (Exception exception)
{
throw new AuthenticationException(
new Error
{
Code = ErrorConstants.Codes.GeneralException,
Message = ErrorConstants.Message.UnexpectedException
},
exception);
}
} while (retryCount < msalAuthProviderOption.MaxRetry);
}
internal static AuthenticationProviderOption GetMsalAuthProviderOption(this HttpRequestMessage httpRequestMessage)
{
AuthenticationHandlerOption authHandlerOption = httpRequestMessage.GetMiddlewareOption <AuthenticationHandlerOption>();
AuthenticationProviderOption authenticationProviderOption = authHandlerOption?.AuthenticationProviderOption as AuthenticationProviderOption ?? new AuthenticationProviderOption();
// copy the claims and scopes information
if (authHandlerOption?.AuthenticationProviderOption is ICaeAuthenticationProviderOption caeAuthenticationProviderOption)
{
authenticationProviderOption.Claims = caeAuthenticationProviderOption.Claims;
authenticationProviderOption.Scopes = caeAuthenticationProviderOption.Scopes;
}
return(authenticationProviderOption);
}
private async Task <AuthenticationResult> GetNewAccessTokenAsync(AuthenticationProviderOption msalAuthProviderOption)
{
AuthenticationResult authenticationResult = null;
int retryCount = 0;
do
{
try
{
authenticationResult = await ClientApplication.AcquireTokenOnBehalfOf(msalAuthProviderOption.Scopes, msalAuthProviderOption.UserAssertion)
.WithAuthority(ClientApplication.Authority)
.ExecuteAsync();
break;
}
catch (MsalServiceException serviceException)
{
if (serviceException.ErrorCode == ErrorConstants.Codes.TemporarilyUnavailable)
{
TimeSpan delay = this.GetRetryAfter(serviceException);
retryCount++;
// pause execution
await Task.Delay(delay);
}
else
{
throw new AuthenticationException(
new Error
{
Code = ErrorConstants.Codes.GeneralException,
Message = ErrorConstants.Message.UnexpectedMsalException
},
serviceException);
}
}
catch (Exception exception)
{
throw new AuthenticationException(
new Error
{
Code = ErrorConstants.Codes.GeneralException,
Message = ErrorConstants.Message.UnexpectedException
},
exception);
}
} while (retryCount < msalAuthProviderOption.MaxRetry);
return(authenticationResult);
}
/// <summary>
/// Sets a username (email) and password of an Azure AD account to authenticate.
/// This should only be used with <see cref="UsernamePasswordProvider"/>.
/// This provider is NOT RECOMMENDED because it exposes the users password.
/// We recommend you use <see cref="IntegratedWindowsAuthenticationProvider"/> instead.
/// </summary>
/// <param name="baseRequest">The <see cref="IBaseRequest"/>.</param>
/// <param name="email">Email address of the user to authenticate.</param>
/// <param name="password">Password of the user to authenticate.</param>
public static T WithUsernamePassword <T>(this T baseRequest, string email, SecureString password) where T : IBaseRequest
{
string authHandlerOptionKey = typeof(AuthenticationHandlerOption).ToString();
AuthenticationHandlerOption authHandlerOptions = baseRequest.MiddlewareOptions[authHandlerOptionKey] as AuthenticationHandlerOption;
AuthenticationProviderOption msalAuthProviderOption = authHandlerOptions.AuthenticationProviderOption as AuthenticationProviderOption ?? new AuthenticationProviderOption();
msalAuthProviderOption.Password = password;
msalAuthProviderOption.UserAccount = new GraphUserAccount {
Email = email
};
authHandlerOptions.AuthenticationProviderOption = msalAuthProviderOption;
baseRequest.MiddlewareOptions[authHandlerOptionKey] = authHandlerOptions;
return(baseRequest);
}
/// <summary>
/// Adds an authentication header to the incoming request by checking the application's <see cref="TokenCache"/>
/// for an unexpired access token. If a token is not found or expired, it gets a new one.
/// </summary>
/// <param name="httpRequestMessage">A <see cref="HttpRequestMessage"/> to authenticate.</param>
public async Task AuthenticateRequestAsync(HttpRequestMessage httpRequestMessage)
{
AuthenticationProviderOption msalAuthProviderOption = httpRequestMessage.GetMsalAuthProviderOption();
msalAuthProviderOption.Scopes = msalAuthProviderOption.Scopes ?? Scopes.ToArray();
AuthenticationResult authenticationResult = await ClientApplication.GetAccessTokenSilentAsync(msalAuthProviderOption);
if (authenticationResult == null)
{
authenticationResult = await GetNewAccessTokenAsync(msalAuthProviderOption);
}
if (!string.IsNullOrEmpty(authenticationResult.AccessToken))
{
httpRequestMessage.Headers.Authorization = new AuthenticationHeaderValue(CoreConstants.Headers.Bearer, authenticationResult.AccessToken);
}
}
/// <summary>
/// Adds an authentication header to the incoming request by checking the application's <see cref="TokenCache"/>
/// for an unexpired access token.
/// If an access token doesn't exist, it will throw a <see cref="AuthenticationException"/>
/// and the web app must handle this and perform a challange.
/// </summary>
/// <param name="httpRequestMessage">A <see cref="HttpRequestMessage"/> to authenticate.</param>
public async Task AuthenticateRequestAsync(HttpRequestMessage httpRequestMessage)
{
AuthenticationProviderOption msalAuthProviderOption = httpRequestMessage.GetMsalAuthProviderOption();
msalAuthProviderOption.Scopes = msalAuthProviderOption.Scopes ?? Scopes.ToArray();
AuthenticationResult authenticationResult = await ClientApplication.GetAccessTokenSilentAsync(msalAuthProviderOption);
if (string.IsNullOrEmpty(authenticationResult?.AccessToken))
{
throw new AuthenticationException(
new Error
{
Code = ErrorConstants.Codes.AuthenticationChallengeRequired,
Message = ErrorConstants.Message.AuthenticationChallengeRequired
});
}
httpRequestMessage.Headers.Authorization = new AuthenticationHeaderValue(CoreConstants.Headers.Bearer, authenticationResult.AccessToken);
}
private async Task <AuthenticationResult> GetNewAccessTokenAsync(IAccount account, AuthenticationProviderOption msalAuthProviderOption)
{
AuthenticationResult authenticationResult = null;
int retryCount = 0;
string extraQueryParameter = null;
do
{
try
{
var builder = ClientApplication.AcquireTokenInteractive(msalAuthProviderOption.Scopes)
.WithAccount(account)
.WithPrompt(Prompt)
.WithExtraQueryParameters(extraQueryParameter)
.WithExtraScopesToConsent(null)
.WithAuthority(ClientApplication.Authority);
#if NET45
if (ParentWindow != null)
{
builder = builder.WithParentActivityOrWindow(ParentWindow);
}
else
{
builder = builder.WithParentActivityOrWindow(ParentPointer);
}
#elif NETSTANDARD1_3
builder = builder.WithParentActivityOrWindow(Parent);
#endif
authenticationResult = await builder.ExecuteAsync();
break;
}
catch (MsalServiceException serviceException)
{
if (serviceException.ErrorCode == ErrorConstants.Codes.TemporarilyUnavailable)
{
TimeSpan delay = this.GetRetryAfter(serviceException);
retryCount++;
// pause execution
await Task.Delay(delay);
}
else if (serviceException.Claims != null)
{
extraQueryParameter = $"claims={serviceException.Claims}";
retryCount++;
}
else
{
throw new AuthenticationException(
new Error
{
Code = ErrorConstants.Codes.GeneralException,
Message = ErrorConstants.Message.UnexpectedMsalException
},
serviceException);
}
}
catch (Exception exception)
{
throw new AuthenticationException(
new Error
{
Code = ErrorConstants.Codes.GeneralException,
Message = ErrorConstants.Message.UnexpectedException
},
exception);
}
} while (retryCount < msalAuthProviderOption.MaxRetry);
return(authenticationResult);
}
private async Task <AuthenticationResult> GetNewAccessTokenAsync(CancellationToken cancellationToken, AuthenticationProviderOption msalAuthProviderOption)
{
AuthenticationResult authenticationResult = null;
int retryCount = 0;
string extraQueryParameter = null;
do
{
try
{
AcquireTokenWithDeviceCodeParameterBuilder parameterBuilder = ClientApplication
.AcquireTokenWithDeviceCode(msalAuthProviderOption.Scopes, DeviceCodeResultCallback)
.WithExtraQueryParameters(extraQueryParameter);
if (!string.IsNullOrEmpty(msalAuthProviderOption.Claims))
{
parameterBuilder.WithClaims(msalAuthProviderOption.Claims);
}
authenticationResult = await parameterBuilder.ExecuteAsync(cancellationToken);
break;
}
catch (MsalServiceException serviceException)
{
if (serviceException.ErrorCode == ErrorConstants.Codes.TemporarilyUnavailable)
{
TimeSpan delay = this.GetRetryAfter(serviceException);
retryCount++;
// pause execution
await Task.Delay(delay);
}
else if (serviceException.Claims != null)
{
extraQueryParameter = $"claims={serviceException.Claims}";
retryCount++;
}
else
{
throw new AuthenticationException(
new Error
{
Code = ErrorConstants.Codes.GeneralException,
Message = ErrorConstants.Message.UnexpectedMsalException
},
serviceException);
}
}
catch (Exception exception)
{
throw new AuthenticationException(
new Error
{
Code = ErrorConstants.Codes.GeneralException,
Message = ErrorConstants.Message.UnexpectedException
},
exception);
}
} while (retryCount < msalAuthProviderOption.MaxRetry);
return(authenticationResult);
}
