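        /// <summary>
        /// Discovers the tenant authority and resource identifier of the expense service via its 401 challenge
        /// and initialises the ADAL <c>AuthenticationContext</c> used for token acquisition.
        /// </summary>
        /// <remarks>
        /// The values in a 401 challenge come from the relying party (RP) itself, so they are untrusted until
        /// checked: the resource identifier is bound to the physical host of <c>_resourceBaseAddress</c> here,
        /// and the authority is validated by ADAL (authority validation is on by default for this overload).
        /// On any failure a message box is shown and the fields are left unset; callers presumably check
        /// <c>_authenticationContext</c> before use — NOTE(review): confirm, the constructor does not rethrow.
        /// </remarks>
        public AdalServiceAuthorizer()
        {
            try
            {
                // Use AuthenticationParameters to send a request to the RP and receive tenant information in the 401 challenge.
                AuthenticationParameters parameters = AuthenticationParameters.CreateFromResourceUrl(new Uri(_resourceBaseAddress + "ExpenseService.svc"));

                _authority = parameters.Authority;

                // Validate the resourceId obtained in the 401 challenge out of band, to mitigate a malicious RP impersonating a valid RP.
                // The App ID URI is parsed and its host compared whole against the physical host of the resource; a plain
                // substring check would accept e.g. "https://attacker.example/?x=<expected host>".
                if (IsResourceBoundToHost(parameters.Resource, this._resourceBaseAddress.Host))
                {
                    _resourceAppIdUri = parameters.Resource;
                }
                else
                {
                    throw new InvalidOperationException(string.Format("The resource obtained in 401 challenge, {0}, is not bound to the resource's physical address, {1}", parameters.Resource, this._resourceBaseAddress));
                }

                // Initialize the AuthenticationContext by providing the tenant authority endpoint.
                // The second argument of this overload is the token cache, not a validation flag: authority validation stays ON,
                // so the tenant endpoint received in the 401 challenge is always validated against Azure AD instance discovery.
                // CredManCache is a custom cache that uses the Windows Credential Manager to manage the token cache.
                // When the authority is AD FS, instance discovery cannot validate it: validate the authority out of band and use
                // the overload that takes an explicit validateAuthority flag (AuthenticationContext(authority, false, cache)).
                _authenticationContext = new AuthenticationContext(_authority, new CredManCache());
            }
            catch (Exception e)
            {
                // MessageBox.Show(text, caption): the error detail belongs in the body, the fixed label in the caption.
                MessageBox.Show(e.Message, "401 discovery failed ");
                return;
            }
        }

        /// <summary>
        /// Returns <c>true</c> when <paramref name="resource"/> is an absolute URI whose host is
        /// <paramref name="expectedHost"/> or a sub-domain of it (case-insensitive, as DNS names are).
        /// </summary>
        /// <param name="resource">The resource (App ID URI) taken from the 401 challenge; untrusted.</param>
        /// <param name="expectedHost">The host of the resource's physical address, known to the client out of band.</param>
        /// <returns><c>false</c> for null/blank input, a non-absolute URI, or a host outside <paramref name="expectedHost"/>.</returns>
        private static bool IsResourceBoundToHost(string resource, string expectedHost)
        {
            if (string.IsNullOrWhiteSpace(resource) || string.IsNullOrWhiteSpace(expectedHost))
            {
                return false;
            }

            Uri resourceUri;
            if (!Uri.TryCreate(resource, UriKind.Absolute, out resourceUri))
            {
                // A value that does not parse as an absolute URI cannot be shown to be bound to the expected host.
                return false;
            }

            string host = resourceUri.Host;
            if (string.Equals(host, expectedHost, StringComparison.OrdinalIgnoreCase))
            {
                return true;
            }

            // Allow a sub-domain of the expected host (same administrative control) but not an unrelated host
            // that merely ends with the same characters (e.g. "evilcontoso.com" vs "contoso.com").
            return host.EndsWith("." + expectedHost, StringComparison.OrdinalIgnoreCase);
        }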