/// <summary>
/// Redeems the authorization code by calling AcquireTokenByAuthorizationCodeAsync in order to ensure
/// that the cache has a token for the signed-in user, which will then enable the controllers (like the
/// TodoController, to call AcquireTokenSilentAsync successfully.
/// </summary>
private async Task OnAuthorizationCodeReceivedAsync(AuthorizationCodeReceivedContext context)
{
// Acquire a Token for the Graph API and cache it using ADAL. In the TodoListController, we'll use the cache to acquire a token for the Todo List API
string userObjectId = (context.Principal.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier"))?.Value;
string signedInUserID = context.Principal.FindFirst(ClaimTypes.NameIdentifier).Value;
var code = context.ProtocolMessage.Code;
TokenCache userTokenCache = new MSALSessionCache(signedInUserID, context.HttpContext).GetMsalCacheInstance();
ConfidentialClientApplication cca = new ConfidentialClientApplication(azureAdOptions.ClientId, azureAdOptions.Authority, azureAdOptions.RedirectUri, new ClientCredential(azureAdOptions.ClientSecret), userTokenCache, null);
try
{
var scopes = azureAdOptions.ApiScopes.Split(' ');
var result = await cca.AcquireTokenByAuthorizationCodeAsync(code, scopes);
//AcquireTokenSilentAsync(scopes, cca.Users.FirstOrDefault(), azureAdOptions.Authority, false);
context.HandleCodeRedemption(result.AccessToken, result.IdToken);
}
catch (Exception ex)
{
//TODO: Handle
throw;
}
// Notify the OIDC middleware that we already took care of code redemption.
}
private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification context)
{
// If there is a code in the OpenID Connect response, redeem it for an access token and store it away.
var code = context.Code;
string userObjectId = context.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
SampleTokenCache tokenCache = new SampleTokenCache(userObjectId);
var credential = new ClientCredential(ClientSecret);
var cca = new ConfidentialClientApplication(
ClientId,
context.Request.Uri.ToString(),
credential,
tokenCache.GetMsalCacheInstance(),
null);
try
{
var result = await cca.AcquireTokenByAuthorizationCodeAsync(code, Scopes);
}
catch (MsalException ex)
{
context.HandleResponse();
context.Response.Redirect($"/error/index?message={ex.Message}");
}
}
/// <summary>
/// Is called whenever B2C retrieves a new auth token.
/// </summary>
/// <param name="context"></param>
/// <returns></returns>
public async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedContext context)
{
// Use MSAL to swap the code for an access token
// Extract the authorization code from the response notification
var code = context.ProtocolMessage.Code;
var signedInUserId = context.Principal.FindFirst(ClaimTypes.NameIdentifier).Value;
var userTokenCache = new MsalSessionCache(signedInUserId, context.HttpContext).GetMsalCacheInstance();
var clientApplication = new ConfidentialClientApplication(
AzureAdB2COptions.ClientId,
AzureAdB2COptions.Authority,
AzureAdB2COptions.RedirectUri,
new ClientCredential(AzureAdB2COptions.ClientSecret),
userTokenCache,
null);
// try to retrieve the baerer token
try
{
var result = await clientApplication.AcquireTokenByAuthorizationCodeAsync(code, AzureAdB2COptions.ApiScopes.Split(' '));
context.HandleCodeRedemption(result.AccessToken, result.IdToken);
}
catch (Exception ex)
{
Trace.TraceError(ex.Message);
throw;
}
}
public async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedContext context)
{
// Use MSAL to swap the code for an access token
// Extract the code from the response notification
var code = context.ProtocolMessage.Code;
foreach (var claim in context.Ticket.Principal.Claims)
{
System.Console.WriteLine(claim.Type + "-->" + claim.Value);
}
string signedInUserID = context.Ticket.Principal.FindFirst(ClaimTypes.NameIdentifier).Value;
TokenCache userTokenCache = new MSALSessionCache(signedInUserID, context.HttpContext).GetMsalCacheInstance();
ConfidentialClientApplication cca = new ConfidentialClientApplication(AzureAdB2COptions.ClientId, AzureAdB2COptions.Authority, AzureAdB2COptions.RedirectUri, new ClientCredential(AzureAdB2COptions.ClientSecret), userTokenCache, null);
try
{
AuthenticationResult result = await cca.AcquireTokenByAuthorizationCodeAsync(code, AzureAdB2COptions.ApiScopes.Split(' '));
context.HandleCodeRedemption(result.AccessToken, result.IdToken);
}
catch (Exception ex)
{
//TODO: Handle
throw;
}
}
private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification notification)
{
string signedInUserId = notification.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
SessionTokenCache tokenCache = new SessionTokenCache(
signedInUserId,
notification.OwinContext.Environment["System.Web.HttpContextBase"] as HttpContextBase);
ConfidentialClientApplication cca = new ConfidentialClientApplication(
appId,
redirectUri,
new ClientCredential(appPassword),
tokenCache.GetMsalCacheInstance(),
null);
try
{
var result = await cca.AcquireTokenByAuthorizationCodeAsync(notification.Code, scopes);
}
catch (MsalException ex)
{
string message, debug;
message = "AcquireTokenByAuthorizationCodeAsync threw an exception";
debug = ex.Message;
notification.HandleResponse();
notification.Response.Redirect("/Home/Error?message=" + message + "&debug=" + debug);
}
}
public async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedContext context)
{
// Use MSAL to swap the code for an access token
// Extract the code from the response notification
var code = context.ProtocolMessage.Code;
string signedInUserID = context.Principal.FindFirst(ClaimTypes.NameIdentifier).Value;
string displayName = context.Principal.FindFirst("Name").Value;
string email = context.Principal.FindFirst("Emails").Value;
string country = String.Empty;
if (context.Principal.FindFirst("Country") != null)
{
country = context.Principal.FindFirst("Country").Value;
}
TokenCache userTokenCache = new MSALSessionCache(signedInUserID, context.HttpContext).GetMsalCacheInstance();
ConfidentialClientApplication cca = new ConfidentialClientApplication(AzureAdB2COptions.ClientId, AzureAdB2COptions.Authority, AzureAdB2COptions.RedirectUri, new ClientCredential(AzureAdB2COptions.ClientSecret), userTokenCache, null);
try
{
AuthenticationResult result = await cca.AcquireTokenByAuthorizationCodeAsync(code, AzureAdB2COptions.ApiScopes.Split(' '));
context.HandleCodeRedemption(result.AccessToken, result.IdToken);
}
catch (Exception ex)
{
//TODO: Handle
throw;
}
}
private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedContext context)
{
var clientCredential = new ClientCredential(context.Options.ClientSecret);
var userId = context.Principal.FindFirst(ClaimTypes.NameIdentifier).Value;
var tokenCache = new SessionTokenCache(context.HttpContext, userId);
var confidentialClientApplication = new ConfidentialClientApplication(
context.Options.ClientId,
context.Options.Authority,
_options.RedirectUri,
clientCredential,
tokenCache.GetInstance(),
null);
try
{
var authenticationResult = await confidentialClientApplication.AcquireTokenByAuthorizationCodeAsync(context.ProtocolMessage.Code, _options.ApiScopes.Split(' '));
context.HandleCodeRedemption(authenticationResult.AccessToken, authenticationResult.IdToken);
}
catch (Exception ex)
{
// TODO: Handle
throw;
}
}
public async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedContext context)
{
// Use MSAL to swap the code for an access token
// Extract the code from the response notification
var code = context.ProtocolMessage.Code;
string signedInUserID = context.Principal.FindFirst(ClaimTypes.NameIdentifier).Value;
// TODO: Cache tokens?
var tokenCache = new TokenCache();
var redirectUri = new UriBuilder(context.Request.Scheme, context.Request.Host.Host, context.Request.Host.Port ?? 80, context.Request.PathBase + "/signin-oidc");
var cca = new ConfidentialClientApplication(_azureAdB2COptions.ClientId, _azureAdB2COptions.Authority, redirectUri.Uri.ToString(), new ClientCredential(_azureAdB2COptions.ClientSecret), tokenCache, null);
var result = await cca.AcquireTokenByAuthorizationCodeAsync(code, _azureAdB2COptions.ScopeString.Split(' '));
context.HandleCodeRedemption(result.AccessToken, result.IdToken);
// Check if we have an attendee record for this user, and load it up if we do.
var attendee = await _apiClient.GetMeAsync(result.AccessToken);
// If we do, load additional claims. If not, don't and the filter will take care of "welcoming" the user :)
if (attendee != null)
{
var claimsIdentity = (ClaimsIdentity)context.Principal.Identity;
AttendeeClaimMapper.UpdateClaims(claimsIdentity, attendee);
}
}
private async Task OnAuthorizationCodeRecieved(AuthorizationCodeReceivedNotification context)
{
// Upon successful sign in, get & cache a token using MSAL
string userId = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
ConfidentialClientApplication cc = new ConfidentialClientApplication(Globals.ClientId, Globals.RedirectUri, new ClientCredential(Globals.ClientSecret), new MsalSessionTokenCache(userId, context.OwinContext.Environment["System.Web.HttpContextBase"] as HttpContextBase));
AuthenticationResult result = await cc.AcquireTokenByAuthorizationCodeAsync(new[] { "user.readbasic.all" }, context.Code);
}
public async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedContext context)
{
var clientCredential = new ClientCredential(context.Options.ClientSecret);
var userId = context.Principal.FindFirst(ClaimTypes.NameIdentifier).Value;
var userTokenCache = new MSALSessionCache(userId, context.HttpContext).GetMsalCacheInstance();
var confidentialClientApplication = new ConfidentialClientApplication(
context.Options.ClientId,
context.Options.Authority,
$"{context.Request.Scheme}://{context.Request.Host}{context.Request.Path}",
clientCredential,
userTokenCache,
null);
try
{
var authenticationResult = await confidentialClientApplication.AcquireTokenByAuthorizationCodeAsync(
context.ProtocolMessage.Code,
new[]
{
"https://contoso.onmicrosoft.com/api/user_impersonation"
});
context.HandleCodeRedemption(authenticationResult.AccessToken, authenticationResult.IdToken);
}
catch (Exception ex)
{
// TODO: Handle.
throw;
}
}
public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
// The `Authority` represents the Microsoft v2.0 authentication and authorization service.
// The `Scope` describes the permissions that your app will need. See https://azure.microsoft.com/documentation/articles/active-directory-v2-scopes/
ClientId = appId,
//Authority = "https://login.microsoftonline.com/common/v2.0",
Authority = "https://login.microsoftonline.com/{0}",
PostLogoutRedirectUri = redirectUri,
RedirectUri = redirectUri,
Scope = "openid email profile offline_access " + graphScopes,
TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = false,
// In a real application you would use IssuerValidator for additional checks,
// like making sure the user's organization has signed up for your app.
// IssuerValidator = (issuer, token, tvp) =>
// {
// if (MyCustomTenantValidation(issuer))
// return issuer;
// else
// throw new SecurityTokenInvalidIssuerException("Invalid issuer");
// },
},
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthorizationCodeReceived = async(context) =>
{
var code = context.Code;
string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
TokenCache userTokenCache = new SessionTokenCache(signedInUserID,
context.OwinContext.Environment["System.Web.HttpContextBase"] as HttpContextBase).GetMsalCacheInstance();
ConfidentialClientApplication cca = new ConfidentialClientApplication(
appId,
redirectUri,
new ClientCredential(appSecret),
userTokenCache,
null);
string[] scopes = graphScopes.Split(new char[] { ' ' });
AuthenticationResult result = await cca.AcquireTokenByAuthorizationCodeAsync(code, scopes);
},
AuthenticationFailed = (context) =>
{
context.HandleResponse();
context.Response.Redirect("/Error?message=" + context.Exception.Message);
return(Task.FromResult(0));
}
}
});
}
private static OpenIdConnectEvents CreateOpenIdConnectEventHandlers(B2CAuthenticationOptions authOptions, B2CPolicies policies, IDistributedCache distributedCache)
{
return(new OpenIdConnectEvents
{
OnRedirectToIdentityProvider = context => SetIssuerAddressAsync(context, policies.SignInOrSignUpPolicy),
OnRedirectToIdentityProviderForSignOut = context => SetIssuerAddressForSignOutAsync(context, policies.SignInOrSignUpPolicy),
OnAuthorizationCodeReceived = async context =>
{
try
{
var principal = context.Principal;
var userTokenCache = new DistributedTokenCache(distributedCache, principal.FindFirst(Constants.ObjectIdClaimType).Value).GetMSALCache();
var client = new ConfidentialClientApplication(authOptions.ClientId,
authOptions.GetAuthority(principal.FindFirst(Constants.AcrClaimType).Value),
"https://app", // it's not really needed
new ClientCredential(authOptions.ClientSecret),
userTokenCache,
null);
var result = await client.AcquireTokenByAuthorizationCodeAsync(context.TokenEndpointRequest.Code,
new[] { $"{authOptions.ApiIdentifier}/read_values" });
context.HandleCodeRedemption(result.AccessToken, result.IdToken);
}
catch (Exception ex)
{
context.Fail(ex);
}
},
OnAuthenticationFailed = context =>
{
context.Fail(context.Exception);
return Task.FromResult(0);
},
OnMessageReceived = context =>
{
if (!string.IsNullOrEmpty(context.ProtocolMessage.Error) &&
!string.IsNullOrEmpty(context.ProtocolMessage.ErrorDescription))
{
if (context.ProtocolMessage.ErrorDescription.StartsWith("AADB2C90091")) // cancel profile editing
{
context.HandleResponse();
context.Response.Redirect("/");
}
else if (context.ProtocolMessage.ErrorDescription.StartsWith("AADB2C90118")) // forgot password
{
context.HandleResponse();
context.Response.Redirect("/Account/ResetPassword");
}
}
return Task.FromResult(0);
}
});
}
public async Task AuthorizationCodeRequestTestAsync()
{
await RunWithMockHttpAsync(
async (httpManager, serviceBundle, receiver) =>
{
httpManager.AddInstanceDiscoveryMockHandler();
var cache = new TokenCache()
{
BeforeAccess = BeforeCacheAccess,
AfterAccess = AfterCacheAccess
};
var cc = new ClientCredential("secret");
var app = new ConfidentialClientApplication(
serviceBundle,
MsalTestConstants.ClientId,
"https://" + MsalTestConstants.ProductionPrefNetworkEnvironment + "/tfp/home/policy",
MsalTestConstants.RedirectUri,
cc,
cache,
null)
{
ValidateAuthority = false
};
httpManager.AddMockHandlerForTenantEndpointDiscovery(MsalTestConstants.AuthorityHomeTenant, "p=policy");
httpManager.AddSuccessTokenResponseMockHandlerForPost();
var result = await app.AcquireTokenByAuthorizationCodeAsync("some-code", MsalTestConstants.Scope)
.ConfigureAwait(false);
Assert.IsNotNull(result);
Assert.AreEqual(1, app.UserTokenCache.TokenCacheAccessor.AccessTokenCount);
Assert.AreEqual(1, app.UserTokenCache.TokenCacheAccessor.RefreshTokenCount);
cache = new TokenCache()
{
BeforeAccess = BeforeCacheAccess,
AfterAccess = AfterCacheAccess
};
app = new ConfidentialClientApplication(
MsalTestConstants.ClientId,
"https://" + MsalTestConstants.ProductionPrefNetworkEnvironment + "/tfp/home/policy",
MsalTestConstants.RedirectUri,
cc,
cache,
null)
{
ValidateAuthority = false
};
IEnumerable <IAccount> users = await app.GetAccountsAsync().ConfigureAwait(false);
Assert.AreEqual(1, users.Count());
}).ConfigureAwait(false);
}
public static async Task <String> GetAccessTokenByAuthenticationCodeAsync(string authCode, string webUrl)
{
ConfidentialClientApplication cca = new ConfidentialClientApplication(SettingsHelper.AppId, webUrl,
new ClientCredential(SettingsHelper.AppPassword), null);
string[] scopes = { "Calendars.Read" };
var authResult = await cca.AcquireTokenByAuthorizationCodeAsync(scopes, authCode);
return(authResult.Token);
}
public async Task <AuthResult> GetTokenByAuthCodeAsync(AuthenticationOptions authOptions, string authorizationCode)
{
var tokenCache = new AuthTokenCache().GetCacheInstance();
var client = new ConfidentialClientApplication(authOptions.ClientId, authOptions.RedirectUrl, new ClientCredential(authOptions.ClientSecret), tokenCache, null);
var result = await client.AcquireTokenByAuthorizationCodeAsync(authorizationCode, authOptions.Scopes);
var authResult = result.ToAuthResult(tokenCache);
return(authResult);
}
public async Task Used_For_ConfidentialClientApplication_Succeeds()
{
// msal acquiretokenbyauthorizationcodeasync ->
// https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapp-openidconnect-v2/
// https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Acquiring-tokens-with-authorization-codes-on-web-apps
// app registrations | {confidential client} | api permissions | add a permission | see best practices for requesting permissions ->
// https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-permissions-and-consent
var app = new ConfidentialClientApplication(confidentialClientId, confidentialClientRedirectUri,
new ClientCredential(confidentialClientSecret), FileTokenCache.GetUserCache(/* cacheFilePath: "d://temp//my.msalcache.bin", */ cacheFileProtect: false), null);
//new ClientCredential(confidentialClientSecret), RedisTokenCache.GetAppOrUserCache(uniqueId), null);
var accounts = await app.GetAccountsAsync();
AuthenticationResult authResult = null;
//scopes = new string[] { msftGraphResource };
//scopes = new string[] { "openid profile offline_access Mail.Read Mail.Send" };
try
{
// attempt to acquire valid token from cache or if expired use refresh token to silently acquire and cache new one
authResult = await app.AcquireTokenSilentAsync(scopes, accounts.FirstOrDefault());
}
catch (MsalUiRequiredException ex)
{
// A MsalUiRequiredException happened on AcquireTokenSilentAsync. This indicates you need to call AcquireTokenAsync to acquire a token.
Debug.WriteLine($"MsalUiRequiredException: {ex.Message}");
try
{
authResult = await app.AcquireTokenByAuthorizationCodeAsync(authorizationCode, scopes);
//authResult = await app.AcquireTokenOnBehalfOfAsync(scopes, new UserAssertion(accessToken));
}
catch (MsalException msalex)
{
// ErrorCode: invalid_grant, StatusCode: 400 implies you need ???
// ErrorCode: invalid_scope StatusCode: 400 implies you need ???
Debug.WriteLine($"Error Acquiring Token:{System.Environment.NewLine}{msalex}");
}
}
catch (Exception ex)
{
Debug.WriteLine($"Error Acquiring Token Silently:{System.Environment.NewLine}{ex}");
}
//var jwt = GetJsonWebToken(authResult.AccessToken); var actual = jwt["body"]["oid"].Value<string>();
//var jwt = new JwtSecurityTokenHandler().ReadJwtToken(authResult.AccessToken); var actual = jwt.Payload["oid"];
var actual = authResult.UniqueId;
var expected = uniqueId;
Assert.True(actual == expected);
}
public async Task <AuthResult> GetTokenByAuthCodeAsync(AuthenticationOptions authOptions, string authorizationCode)
{
InMemoryTokenCacheMSAL tokenCache = new InMemoryTokenCacheMSAL();
ConfidentialClientApplication client = new ConfidentialClientApplication(authOptions.ClientId, authOptions.RedirectUrl,
new ClientCredential(authOptions.ClientSecret), tokenCache);
Uri redirectUri = new Uri(authOptions.RedirectUrl);
var result = await client.AcquireTokenByAuthorizationCodeAsync(authOptions.Scopes, authorizationCode);
AuthResult authResult = result.FromMSALAuthenticationResult(tokenCache);
return(authResult);
}
/*
* Callback function when an authorization code is received
*/
private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification notification)
{
// Extract the code from the response notification
var code = notification.Code;
var signedInUserId = notification.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
var userTokenCache = new MSALSessionCache(signedInUserId,
notification.OwinContext.Environment["System.Web.HttpContextBase"] as HttpContextBase)
.GetMsalCacheInstance();
var cca = new ConfidentialClientApplication(ClientId, Authority, RedirectUri,
new ClientCredential(ClientSecret), userTokenCache, null);
var result = await cca.AcquireTokenByAuthorizationCodeAsync(code, Scopes);
}
public void Configure(string name, OpenIdConnectOptions options)
{
options.ClientId = _azureOptions.ClientId;
options.Authority = $"{_azureOptions.Instance}common/v2.0";
options.UseTokenLifetime = true;
options.CallbackPath = _azureOptions.CallbackPath;
options.RequireHttpsMetadata = false;
options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
var allScopes = $"{_azureOptions.Scopes} {_azureOptions.GraphScopes}".Split(new[] { ' ' });
foreach (var scope in allScopes)
{
options.Scope.Add(scope);
}
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = false,
};
options.Events = new OpenIdConnectEvents
{
//OnTicketReceived = context =>
//{
// return Task.CompletedTask;
//},
OnAuthorizationCodeReceived = async(context) =>
{
var code = context.ProtocolMessage.Code;
var identifier = context.Principal.FindFirst(Startup.ObjectIdentifierType).Value;
var memoryCache = context.HttpContext.RequestServices.GetRequiredService <IMemoryCache>();
var graphScopes = _azureOptions.GraphScopes.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
var cca = new ConfidentialClientApplication(
_azureOptions.ClientId,
_azureOptions.BaseUrl + _azureOptions.CallbackPath,
new ClientCredential(_azureOptions.ClientSecret),
new MemoryCacheTokenCache(identifier, memoryCache).GetCacheInstance(),
null);
var result = await cca.AcquireTokenByAuthorizationCodeAsync(code, graphScopes);
//// Check whether the login is from the MSA tenant.
//// The sample uses this attribute to disable UI buttons for unsupported operations when the user is logged in with an MSA account.
//var currentTenantId = context.Principal.FindFirst(Startup.TenantIdType).Value;
//if (currentTenantId == "9188040d-6c67-4c5b-b112-36a304b66dad")
//{
// // MSA (Microsoft Account) is used to log in
//}
context.HandleCodeRedemption(result.AccessToken, result.IdToken);
},
};
}
private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification context)
{
var code = context.Code;
string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
TokenCache userTokenCache = new MSALSessionCache(signedInUserID, context.OwinContext.Environment["System.Web.HttpContextBase"] as HttpContextBase).GetMsalCacheInstance();
ConfidentialClientApplication cca =
new ConfidentialClientApplication(clientId, redirectUri, new ClientCredential(appKey), userTokenCache, null);
AuthenticationResult result = await cca.AcquireTokenByAuthorizationCodeAsync(code, new string[] { scopeWebApi });
// the result doesn't matter -- our goal is to just populate the TokenCache, which the above call does.
}
/// <summary>
/// Handle authorization codes by creating a token cache then requesting and storing an access token
/// for the user.
/// </summary>
/// <param name="context"></param>
/// <returns></returns>
private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification context)
{
string userId = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
TokenCache userTokenCache = new SessionTokenCache(
userId, context.OwinContext.Environment["System.Web.HttpContextBase"] as HttpContextBase).GetMsalCacheInstance();
// A ConfidentialClientApplication is a server-side client application that can securely store a client secret,
// which is not accessible by the user.
ConfidentialClientApplication cca = new ConfidentialClientApplication(
clientId, redirectUri, new ClientCredential(clientSecret), userTokenCache, null);
string[] scopes = this.scopes.Split(new char[] { ' ' });
AuthenticationResult result = await cca.AcquireTokenByAuthorizationCodeAsync(context.Code, scopes);
}
public async Task <IActionResult> CallbackAsync(string code, string error, [FromQuery(Name = "error_description")] string description, string resource, string state)
{
// アクセス トークンを取得します
var clientCredential = new ClientCredential(ClientSecret);
var clientApplication = new ConfidentialClientApplication(ClientId, RedirectUrl, clientCredential, null, null);
var authenticationResult = await clientApplication.AcquireTokenByAuthorizationCodeAsync(code, new[] { Scope });
// アクセス トークンをセッションに格納します
var accessToken = authenticationResult.AccessToken;
this.HttpContext.Session.Set("access_token", Encoding.UTF8.GetBytes(accessToken));
return(this.RedirectToAction("Index", "Home"));
}
public async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedContext context)
{
// Use MSAL to swap the code for an access token
// Extract the code from the response notification
var code = context.ProtocolMessage.Code;
var signedInUserID = context.Ticket.Principal.FindFirst(ClaimTypes.NameIdentifier).Value;
var userTokenCache = new MSALSessionCache(signedInUserID, context.HttpContext).GetMsalCacheInstance();
var cca = new ConfidentialClientApplication(B2COptions.ClientId, B2COptions.Authority, B2COptions.RedirectUri, new ClientCredential(B2COptions.ClientSecret), userTokenCache, null);
var result = await cca.AcquireTokenByAuthorizationCodeAsync(code, B2COptions.ApiScopes.Split(' '));
context.HandleCodeRedemption(result.AccessToken, result.IdToken);
}
private async Task OnAuthorizationCodeReceivedAsync(AuthorizationCodeReceivedContext context)
{
// Use MSAL to swap the code for an access token, extract the code from the response notification
var code = context.ProtocolMessage.Code;
TokenCache userTokenCache = new MSALSessionCache(context.HttpContext).GetMsalCacheInstance();
ConfidentialClientApplication cca = new ConfidentialClientApplication(
_azureAdB2COptions.ClientId,
_azureAdB2COptions.Authority,
_azureAdB2COptions.RedirectUri,
new ClientCredential(_azureAdB2COptions.ClientSecret),
userTokenCache,
null);
await cca.AcquireTokenByAuthorizationCodeAsync(code, _azureAdB2COptions.VeracityPlatformServiceScopes.Split(' '));
}
public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = appId,
Authority = "https://login.microsoftonline.com/common/v2.0",
PostLogoutRedirectUri = redirectUri,
RedirectUri = redirectUri,
Scope = "openid email profile offline_access " + graphScopes,
TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = false,
},
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthorizationCodeReceived = async(context) =>
{
var code = context.Code;
string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
TokenCache userTokenCache = new SessionTokenCache(
signedInUserID,
context.OwinContext.Environment["System.Web.HttpContextBase"] as HttpContextBase
).GetMsalCacheInstance();
ConfidentialClientApplication cca = new ConfidentialClientApplication(
appId,
redirectUri,
new ClientCredential(appSecret),
userTokenCache,
null);
string[] scopes = graphScopes.Split(new char[] { ' ' });
AuthenticationResult result = await cca.AcquireTokenByAuthorizationCodeAsync(code, scopes);
},
AuthenticationFailed = (context) =>
{
context.HandleResponse();
context.Response.Redirect("/Error?message=" + context.Exception.Message);
return(Task.FromResult(0));
}
}
}
);
}
public async Task AuthorizationCodeRequestTest()
{
TokenCache cache = new TokenCache()
{
BeforeAccess = BeforeCacheAccess,
AfterAccess = AfterCacheAccess
};
ClientCredential cc =
new ClientCredential("secret");
var app = new ConfidentialClientApplication(TestConstants.ClientId, "https://" + TestConstants.ProductionEnvironment + "/tfp/home/policy",
TestConstants.RedirectUri, cc, cache, null)
{
ValidateAuthority = false
};
//add mock response for tenant endpoint discovery
HttpMessageHandlerFactory.AddMockHandler(new MockHttpMessageHandler
{
Method = HttpMethod.Get,
ResponseMessage = MockHelpers.CreateOpenIdConfigurationResponse(TestConstants.AuthorityHomeTenant, "p=policy")
});
HttpMessageHandlerFactory.AddMockHandler(new MockHttpMessageHandler()
{
Method = HttpMethod.Post,
ResponseMessage = MockHelpers.CreateSuccessTokenResponseMessage()
});
AuthenticationResult result = await app.AcquireTokenByAuthorizationCodeAsync("some-code", TestConstants.Scope).ConfigureAwait(false);
Assert.IsNotNull(result);
Assert.AreEqual(1, app.UserTokenCache.TokenCacheAccessor.AccessTokenCacheDictionary.Count);
Assert.AreEqual(1, app.UserTokenCache.TokenCacheAccessor.RefreshTokenCacheDictionary.Count);
cache = new TokenCache()
{
BeforeAccess = BeforeCacheAccess,
AfterAccess = AfterCacheAccess
};
app = new ConfidentialClientApplication(TestConstants.ClientId, "https://" + TestConstants.ProductionEnvironment + "/tfp/home/policy",
TestConstants.RedirectUri, cc, cache, null)
{
ValidateAuthority = false
};
Assert.AreEqual(1, app.Users.Count());
}
/*
* Callback function when an authorization code is received
*/
private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification notification)
{
// Extract the code from the response notification
var code = notification.Code;
var userObjectId = notification.AuthenticationTicket.Identity.FindFirst(ObjectIdElement).Value;
var authority = String.Format(AadInstance, Tenant, DefaultPolicy);
var httpContext = notification.OwinContext.Environment["System.Web.HttpContextBase"] as HttpContextBase;
// Exchange the code for a token. Make sure to specify the necessary scopes
ClientCredential cred = new ClientCredential(ClientSecret);
ConfidentialClientApplication app = new ConfidentialClientApplication(authority, Startup.ClientId,
RedirectUri, cred, new NaiveSessionCache(userObjectId, httpContext));
var authResult = await app.AcquireTokenByAuthorizationCodeAsync(new string[] { ReadTasksScope, WriteTasksScope }, code, DefaultPolicy);
}
/*
* Callback function when an authorization code is received.
*/
private static async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification notification)
{
// Extract the code from the response notification
var code = notification.Code;
var authorizationCodeReceived = new AuthorizationCodeReceivedMessage()
{
SignedInUserNameIdentifier = notification.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value
};
_oidcNotificationHandlerService.OnAuthorizationCodeReceived(authorizationCodeReceived);
var userTokenCache =
new MSALSessionCache(
authorizationCodeReceived.SignedInUserNameIdentifier,
notification.OwinContext.Environment["System.Web.HttpContextBase"] as HttpContextBase
).GetMsalCacheInstance();
// TokenCache appTokenCache = null;
var cca =
new ConfidentialClientApplication(
_ib2COidcConfidentialClientSettingsConfiguration.ClientId,
_ib2COidcConfidentialClientSettingsConfiguration.AuthorityUri, // "https://login.microsoftonline.com/tfp/{tenantAuthorityName}/{defaultPolicyId}/v2.0/.well-known/openid-configuration"
_ib2COidcConfidentialClientSettingsConfiguration.ClientRedirectUri, // eg: "https://localhost:44311"
new ClientCredential(_ib2COidcConfidentialClientSettingsConfiguration.ClientSecret),
userTokenCache,
null);
try
{
AuthenticationResult result = await cca.AcquireTokenByAuthorizationCodeAsync(code, _fullyQualifiedScopesRequiredByTargetApi);
// this is actually wrong
//if (result.Scopes != null && result.Scopes.Any())
//{
// notification.AuthenticationTicket.Identity.AddClaim(new Claim(Infrastructure.Constants.IDA.ClaimTitles.ScopeElementId, string.Join(" ", result.Scopes).TrimEnd()));
//}
}
catch (Exception ex)
{
Console.Write(ex.Message);
throw;
}
}
public override async Task Invoke(IOwinContext context)
{
string code = context.Request.Query["code"];
if (code != null)
{
//extract state
string state = HttpUtility.UrlDecode(context.Request.Query["state"]);
string session_state = context.Request.Query["session_state"];
string signedInUserID = context.Authentication.User.FindFirst(System.IdentityModel.Claims.ClaimTypes.NameIdentifier).Value;
HttpContextBase hcb = context.Environment["System.Web.HttpContextBase"] as HttpContextBase;
TokenCache userTokenCache = new MSALSessionCache(signedInUserID, hcb).GetMsalCacheInstance();
ConfidentialClientApplication cca = new ConfidentialClientApplication(options.ClientId, options.RedirectUri, new ClientCredential(options.ClientSecret), userTokenCache, null);
//validate state
CodeRedemptionData crd = OAuth2RequestManager.ValidateState(state, hcb);
if (crd != null)
{
//If Valid redeem code
try
{
AuthenticationResult result = await cca.AcquireTokenByAuthorizationCodeAsync(code, crd.Scopes);
}
catch (Exception ex)
{
context.Response.Write(ex.Message);
}
//redirect to original requestor
context.Response.StatusCode = 302;
context.Response.Set("Location", crd.RequestOriginatorUrl);
}
else
{
context.Response.StatusCode = 302;
context.Response.Set("Location", "/Error?message" + "code_redeem_failed");
}
}
else
{
await this.Next.Invoke(context);
}
}
private async Task OnAuthorization(AuthorizationCodeReceivedNotification context)
{
var code = context.Code;
string signedInUserId = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
TokenCache userTokenCache = new MSALSessionCache(signedInUserId, context.OwinContext.Environment["System.Web.HttpContextBase"] as HttpContextBase).GetMsalCacheInstance();
ConfidentialClientApplication cca = new ConfidentialClientApplication(clientId, redirectUri, new ClientCredential(appKey), userTokenCache, null);
string[] scopes = { "Mail.Read" };
try
{
AuthenticationResult result = await cca.AcquireTokenByAuthorizationCodeAsync(code, scopes);
}
catch (Exception ex) {
context.Response.Write(ex.Message);
}
}
