private async Task RunPromptTestForUserAsync(LabResponse labResponse, Prompt prompt, bool useLoginHint)
{
var pca = PublicClientApplicationBuilder
.Create(labResponse.App.AppId)
.WithDefaultRedirectUri()
.WithRedirectUri(SeleniumWebUI.FindFreeLocalhostRedirectUri())
.WithTestLogging()
.Build();
AcquireTokenInteractiveParameterBuilder builder = pca
.AcquireTokenInteractive(s_scopes)
.WithPrompt(prompt)
.WithCustomWebUi(CreateSeleniumCustomWebUI(labResponse.User, prompt, useLoginHint));
if (useLoginHint)
{
builder = builder.WithLoginHint(labResponse.User.Upn);
}
AuthenticationResult result = await builder
.ExecuteAsync(new CancellationTokenSource(_interactiveAuthTimeout).Token)
.ConfigureAwait(false);
await MsalAssert.AssertSingleAccountAsync(labResponse, pca, result).ConfigureAwait(false);
}
private async Task ValidateAuthResultAsync(
AuthenticationResult authResult,
LabResponse labResponse)
{
MsalAssert.AssertAuthResult(authResult, labResponse.User);
var at1 = authResult.AccessToken;
// If test fails with "user needs to consent to the application, do an interactive request" error - see UsernamePassword tests
Trace.WriteLine("Part 2 - Acquire a token silently, with forceRefresh = true");
IAccount account = await MsalAssert.AssertSingleAccountAsync(labResponse, pca, authResult).ConfigureAwait(false);
authResult = await pca.AcquireTokenSilent(s_scopes, account)
.WithForceRefresh(true)
.ExecuteAsync()
.ConfigureAwait(false);
MsalAssert.AssertAuthResult(authResult, labResponse.User);
var at2 = authResult.AccessToken;
Trace.WriteLine("Part 3 - Acquire a token silently with a login hint, with forceRefresh = true");
authResult = await pca.AcquireTokenSilent(s_scopes, labResponse.User.Upn)
.WithForceRefresh(true)
.ExecuteAsync()
.ConfigureAwait(false);
MsalAssert.AssertAuthResult(authResult, labResponse.User);
var at3 = authResult.AccessToken;
Assert.IsFalse(at1.Equals(at2, System.StringComparison.InvariantCultureIgnoreCase));
Assert.IsFalse(at1.Equals(at3, System.StringComparison.InvariantCultureIgnoreCase));
Assert.IsFalse(at2.Equals(at3, System.StringComparison.InvariantCultureIgnoreCase));
Assert.AreEqual(TokenSource.IdentityProvider, authResult.AuthenticationResultMetadata.TokenSource);
}
private async Task <AuthenticationResult> RunTestForUserAsync(LabResponse labResponse, bool directToAdfs = false)
{
IPublicClientApplication pca;
if (directToAdfs)
{
pca = PublicClientApplicationBuilder
.Create(Adfs2019LabConstants.PublicClientId)
.WithRedirectUri(Adfs2019LabConstants.ClientRedirectUri)
.WithAdfsAuthority(Adfs2019LabConstants.Authority)
.BuildConcrete();
}
else
{
pca = PublicClientApplicationBuilder
.Create(labResponse.AppId)
.WithRedirectUri(SeleniumWebUI.FindFreeLocalhostRedirectUri())
.Build();
}
Trace.WriteLine("Part 1 - Acquire a token interactively, no login hint");
AuthenticationResult result = await pca
.AcquireTokenInteractive(s_scopes)
.WithCustomWebUi(CreateSeleniumCustomWebUI(labResponse.User, Prompt.SelectAccount, false, directToAdfs))
.ExecuteAsync(new CancellationTokenSource(_interactiveAuthTimeout).Token)
.ConfigureAwait(false);
IAccount account = await MsalAssert.AssertSingleAccountAsync(labResponse, pca, result).ConfigureAwait(false);
Trace.WriteLine("Part 2 - Clear the cache");
await pca.RemoveAsync(account).ConfigureAwait(false);
Assert.IsFalse((await pca.GetAccountsAsync().ConfigureAwait(false)).Any());
Trace.WriteLine("Part 3 - Acquire a token interactively again, with login hint");
result = await pca
.AcquireTokenInteractive(s_scopes)
.WithCustomWebUi(CreateSeleniumCustomWebUI(labResponse.User, Prompt.ForceLogin, true, directToAdfs))
.WithPrompt(Prompt.ForceLogin)
.WithLoginHint(labResponse.User.HomeUPN)
.ExecuteAsync(new CancellationTokenSource(_interactiveAuthTimeout).Token)
.ConfigureAwait(false);
account = await MsalAssert.AssertSingleAccountAsync(labResponse, pca, result).ConfigureAwait(false);
Trace.WriteLine("Part 4 - Acquire a token silently");
result = await pca
.AcquireTokenSilent(s_scopes, account)
.ExecuteAsync(CancellationToken.None)
.ConfigureAwait(false);
await MsalAssert.AssertSingleAccountAsync(labResponse, pca, result).ConfigureAwait(false);
return(result);
}
public async Task Interactive_SSHCert_Async()
{
LabResponse labResponse = await LabUserHelper.GetDefaultUserAsync().ConfigureAwait(false);
IPublicClientApplication pca = PublicClientApplicationBuilder
.Create(labResponse.AppId)
.WithRedirectUri(SeleniumWebUI.FindFreeLocalhostRedirectUri())
.Build();
TokenCacheAccessRecorder userCacheAccess = pca.UserTokenCache.RecordAccess();
Trace.WriteLine("Part 1 - Acquire an SSH cert interactively ");
string jwk = CreateJwk();
AuthenticationResult result = await pca
.AcquireTokenInteractive(s_scopes)
.WithCustomWebUi(CreateSeleniumCustomWebUI(labResponse.User, Prompt.ForceLogin))
.WithSSHCertificateAuthenticationScheme(jwk, "key1")
.WithExtraQueryParameters(GetTestSliceParams()) // TODO: remove this once feature is in PROD
.ExecuteAsync(new CancellationTokenSource(_interactiveAuthTimeout).Token)
.ConfigureAwait(false);
userCacheAccess.AssertAccessCounts(0, 1);
Assert.AreEqual("ssh-cert", result.TokenType);
IAccount account = await MsalAssert.AssertSingleAccountAsync(labResponse, pca, result).ConfigureAwait(false);
userCacheAccess.AssertAccessCounts(1, 1); // the assert calls GetAccounts
Trace.WriteLine("Part 2 - Acquire a token silent with the same keyID - should be served from the cache");
result = await pca
.AcquireTokenSilent(s_scopes, account)
.WithSSHCertificateAuthenticationScheme(jwk, "key1")
.WithExtraQueryParameters(GetTestSliceParams()) // TODO: remove this once feature is in PROD
.ExecuteAsync(new CancellationTokenSource(_interactiveAuthTimeout).Token)
.ConfigureAwait(false);
userCacheAccess.AssertAccessCounts(2, 1);
account = await MsalAssert.AssertSingleAccountAsync(labResponse, pca, result).ConfigureAwait(false);
userCacheAccess.AssertAccessCounts(3, 1);
Trace.WriteLine("Part 3 - Acquire a token silent with a different keyID - should not sbe served from the cache");
result = await pca
.AcquireTokenSilent(s_scopes, account)
.WithSSHCertificateAuthenticationScheme(jwk, "key2")
.WithExtraQueryParameters(GetTestSliceParams()) // TODO: remove this once feature is in PROD
.ExecuteAsync(new CancellationTokenSource(_interactiveAuthTimeout).Token)
.ConfigureAwait(false);
Assert.AreEqual("ssh-cert", result.TokenType);
userCacheAccess.AssertAccessCounts(4, 2);
await MsalAssert.AssertSingleAccountAsync(labResponse, pca, result).ConfigureAwait(false);
}
public async Task SilentAuth_ForceRefresh_Async()
{
var labResponse = await LabUserHelper.GetDefaultUserAsync().ConfigureAwait(false);
var user = labResponse.User;
var pca = PublicClientApplicationBuilder
.Create(labResponse.App.AppId)
.WithAuthority("https://login.microsoftonline.com/organizations")
.Build();
Trace.WriteLine("Part 1 - Acquire a token with U/P");
AuthenticationResult authResult = await pca
.AcquireTokenByUsernamePassword(s_scopes, user.Upn, new NetworkCredential("", user.GetOrFetchPassword()).SecurePassword)
.ExecuteAsync(new CancellationTokenSource().Token)
.ConfigureAwait(false);
MsalAssert.AssertAuthResult(authResult, user);
var at1 = authResult.AccessToken;
// If test fails with "user needs to consent to the application, do an interactive request" error - see UsernamePassword tests
Trace.WriteLine("Part 2 - Acquire a token silently, with forceRefresh = true");
IAccount account = await MsalAssert.AssertSingleAccountAsync(labResponse, pca, authResult).ConfigureAwait(false);
authResult = await pca.AcquireTokenSilent(s_scopes, account)
.WithForceRefresh(true)
.ExecuteAsync()
.ConfigureAwait(false);
MsalAssert.AssertAuthResult(authResult, user);
var at2 = authResult.AccessToken;
Trace.WriteLine("Part 3 - Acquire a token silently with a login hint, with forceRefresh = true");
authResult = await pca.AcquireTokenSilent(s_scopes, user.Upn)
.WithForceRefresh(true)
.ExecuteAsync()
.ConfigureAwait(false);
MsalAssert.AssertAuthResult(authResult, user);
var at3 = authResult.AccessToken;
Assert.IsFalse(at1.Equals(at2, System.StringComparison.InvariantCultureIgnoreCase));
Assert.IsFalse(at1.Equals(at3, System.StringComparison.InvariantCultureIgnoreCase));
Assert.IsFalse(at2.Equals(at3, System.StringComparison.InvariantCultureIgnoreCase));
}
private async Task <AuthenticationResult> RunTestForUserAsync(LabResponse labResponse, bool directToAdfs = false)
{
HttpSnifferClientFactory factory = null;
IPublicClientApplication pca;
if (directToAdfs)
{
pca = PublicClientApplicationBuilder
.Create(Adfs2019LabConstants.PublicClientId)
.WithRedirectUri(Adfs2019LabConstants.ClientRedirectUri)
.WithAdfsAuthority(Adfs2019LabConstants.Authority)
.WithTestLogging()
.Build();
}
else
{
pca = PublicClientApplicationBuilder
.Create(labResponse.App.AppId)
.WithRedirectUri(SeleniumWebUI.FindFreeLocalhostRedirectUri())
.WithAuthority(labResponse.Lab.Authority + "common")
.WithTestLogging(out factory)
.Build();
}
var userCacheAccess = pca.UserTokenCache.RecordAccess();
Trace.WriteLine("Part 1 - Acquire a token interactively, no login hint");
AuthenticationResult result = await pca
.AcquireTokenInteractive(s_scopes)
.WithCustomWebUi(CreateSeleniumCustomWebUI(labResponse.User, Prompt.SelectAccount, false, directToAdfs))
.ExecuteAsync(new CancellationTokenSource(_interactiveAuthTimeout).Token)
.ConfigureAwait(false);
Assert.IsTrue(result.AuthenticationResultMetadata.DurationTotalInMs > 0);
Assert.IsTrue(result.AuthenticationResultMetadata.DurationInHttpInMs > 0);
userCacheAccess.AssertAccessCounts(0, 1);
IAccount account = await MsalAssert.AssertSingleAccountAsync(labResponse, pca, result).ConfigureAwait(false);
userCacheAccess.AssertAccessCounts(1, 1); // the assert calls GetAccounts
Assert.IsFalse(userCacheAccess.LastAfterAccessNotificationArgs.IsApplicationCache);
Trace.WriteLine("Part 2 - Clear the cache");
await pca.RemoveAsync(account).ConfigureAwait(false);
userCacheAccess.AssertAccessCounts(1, 2);
Assert.IsFalse((await pca.GetAccountsAsync().ConfigureAwait(false)).Any());
userCacheAccess.AssertAccessCounts(2, 2);
Assert.IsFalse(userCacheAccess.LastAfterAccessNotificationArgs.IsApplicationCache);
if (factory?.RequestsAndResponses != null)
{
factory.RequestsAndResponses.Clear();
}
Trace.WriteLine("Part 3 - Acquire a token interactively again, with login hint");
result = await pca
.AcquireTokenInteractive(s_scopes)
.WithCustomWebUi(CreateSeleniumCustomWebUI(labResponse.User, Prompt.ForceLogin, true, directToAdfs))
.WithPrompt(Prompt.ForceLogin)
.WithLoginHint(labResponse.User.Upn)
.ExecuteAsync(new CancellationTokenSource(_interactiveAuthTimeout).Token)
.ConfigureAwait(false);
userCacheAccess.AssertAccessCounts(2, 3);
AssertCcsRoutingInformationIsSent(factory, labResponse);
account = await MsalAssert.AssertSingleAccountAsync(labResponse, pca, result).ConfigureAwait(false);
userCacheAccess.AssertAccessCounts(3, 3);
Assert.IsFalse(userCacheAccess.LastAfterAccessNotificationArgs.IsApplicationCache);
if (factory?.RequestsAndResponses != null)
{
factory.RequestsAndResponses.Clear();
}
Trace.WriteLine("Part 4 - Acquire a token silently");
result = await pca
.AcquireTokenSilent(s_scopes, account)
.ExecuteAsync(CancellationToken.None)
.ConfigureAwait(false);
Trace.WriteLine("Part 5 - Acquire a token silently with force refresh");
result = await pca
.AcquireTokenSilent(s_scopes, account)
.WithForceRefresh(true)
.ExecuteAsync(CancellationToken.None)
.ConfigureAwait(false);
await MsalAssert.AssertSingleAccountAsync(labResponse, pca, result).ConfigureAwait(false);
Assert.IsFalse(userCacheAccess.LastAfterAccessNotificationArgs.IsApplicationCache);
AssertCcsRoutingInformationIsSent(factory, labResponse);
return(result);
}
