private static IConfidentialClientApplication CreateApp(CredentialType credentialType, IConfidentialAppSettings settings)
{
var builder = ConfidentialClientApplicationBuilder
.Create(settings.ClientId)
.WithAuthority(settings.Authority, true)
.WithTestLogging();
switch (credentialType)
{
case CredentialType.Cert:
builder.WithCertificate(settings.GetCertificate());
break;
case CredentialType.Secret:
builder.WithClientSecret(settings.GetSecret());
break;
case CredentialType.ClientAssertion_Manual:
var aud = settings.Cloud == Cloud.Adfs ?
settings.Authority + "/oauth2/token" :
settings.Authority + "/oauth2/v2.0/token";
string signedAssertionManual = GetSignedClientAssertionManual(
settings.ClientId,
aud, // for AAD use v2.0, but not for ADFS
settings.GetCertificate());
builder.WithClientAssertion(signedAssertionManual);
break;
case CredentialType.ClientAssertion_Wilson:
var aud2 = settings.Cloud == Cloud.Adfs ?
settings.Authority + "/oauth2/token" :
settings.Authority + "/oauth2/v2.0/token";
string clientAssertion = GetSignedClientAssertionUsingWilson(
settings.ClientId,
aud2,
settings.GetCertificate());
builder.WithClientAssertion(clientAssertion);
break;
case CredentialType.ClientClaims_ExtraClaims:
builder.WithClientClaims(settings.GetCertificate(), GetClaims(true), mergeWithDefaultClaims: false);
break;
case CredentialType.ClientClaims_MergeClaims:
builder.WithClientClaims(settings.GetCertificate(), GetClaims(false), mergeWithDefaultClaims: true);
break;
default:
throw new NotImplementedException();
}
var confidentialApp = builder.Build();
return(confidentialApp);
}
private IConfidentialClientApplication BuildCCA(
IConfidentialAppSettings settings,
HttpSnifferClientFactory factory,
bool useClaims = false,
string region = ConfidentialClientApplication.AttemptRegionDiscovery)
{
var builder = ConfidentialClientApplicationBuilder.Create(settings.ClientId);
if (useClaims)
{
builder.WithClientAssertion(GetSignedClientAssertionUsingMsalInternal(settings.ClientId, GetClaims(settings)));
}
else
{
builder.WithCertificate(settings.GetCertificate());
}
builder.WithAuthority($@"https://{settings.Environment}/{settings.TenantId}")
.WithTestLogging()
.WithExperimentalFeatures(true)
.WithHttpClientFactory(factory);
if (region != null)
{
builder.WithAzureRegion(region);
}
return(builder.Build());
}
public async Task LegacyPoPAsync()
{
IConfidentialAppSettings settings = ConfidentialAppSettings.GetSettings(Cloud.Public);
X509Certificate2 clientCredsCert = settings.GetCertificate();
RsaSecurityKey popKey = CreateRsaSecurityKey();
var cca = ConfidentialClientApplicationBuilder
.Create(settings.ClientId)
.WithAuthority(settings.Authority, true)
.WithExperimentalFeatures(true)
.WithTestLogging()
.Build();
var result = await cca.AcquireTokenForClient(settings.AppScopes)
.WithProofOfPosessionKeyId(popKey.KeyId)
.OnBeforeTokenRequest((data) =>
{
ModifyRequestWithLegacyPop(data, settings, clientCredsCert, popKey);
return(Task.CompletedTask);
})
.ExecuteAsync().ConfigureAwait(false);
Assert.AreEqual(TokenSource.IdentityProvider, result.AuthenticationResultMetadata.TokenSource);
MsalAccessTokenCacheItem at = (cca.AppTokenCache as ITokenCacheInternal).Accessor.GetAllAccessTokens().Single();
Assert.AreEqual(at.KeyId, popKey.KeyId);
result = await cca.AcquireTokenForClient(settings.AppScopes)
.WithProofOfPosessionKeyId(popKey.KeyId)
.OnBeforeTokenRequest((data) =>
{
ModifyRequestWithLegacyPop(data, settings, clientCredsCert, popKey);
return(Task.CompletedTask);
}).ExecuteAsync().ConfigureAwait(false);
Assert.AreEqual(TokenSource.Cache, result.AuthenticationResultMetadata.TokenSource);
at = (cca.AppTokenCache as ITokenCacheInternal).Accessor.GetAllAccessTokens().Single();
Assert.AreEqual(at.KeyId, popKey.KeyId);
RsaSecurityKey popKey2 = CreateRsaSecurityKey();
result = await cca.AcquireTokenForClient(settings.AppScopes)
.WithProofOfPosessionKeyId(popKey2.KeyId)
.OnBeforeTokenRequest((data) =>
{
ModifyRequestWithLegacyPop(data, settings, clientCredsCert, popKey2);
return(Task.CompletedTask);
}).ExecuteAsync().ConfigureAwait(false);
Assert.AreEqual(TokenSource.IdentityProvider, result.AuthenticationResultMetadata.TokenSource);
var ats = (cca.AppTokenCache as ITokenCacheInternal).Accessor.GetAllAccessTokens();
Assert.IsNotNull(ats.SingleOrDefault(a => a.KeyId == popKey2.KeyId));
Assert.IsNotNull(ats.SingleOrDefault(a => a.KeyId == popKey.KeyId));
}
private static async Task AcquireTokenAsync(string region, bool setEnvVariable = true)
{
if (!string.IsNullOrEmpty(region) && setEnvVariable)
{
Environment.SetEnvironmentVariable(s_environmentVarName, s_region);
}
string[] scopes = new string[] { $"{s_appSettings.ClientId}/.default", };
Dictionary <string, string> dict = new Dictionary <string, string>
{
["allowestsrnonmsi"] = "true"
};
var builder = ConfidentialClientApplicationBuilder.Create(s_appSettings.ClientId)
.WithAuthority(s_appSettings.Authority, false)
.WithCertificate(s_appSettings.GetCertificate())
.WithLogging(Log, LogLevel.Verbose, true);
// Regional if region specified, global otherwise
if (!string.IsNullOrEmpty(region))
{
builder.WithAzureRegion(region);
}
var cca = builder.Build();
Console.WriteLine($"CCA created. Is regional:{region}, Set env var:{setEnvVariable}.");
AuthenticationResult result = await cca.AcquireTokenForClient(scopes)
.WithExtraQueryParameters(dict)
.ExecuteAsync()
.ConfigureAwait(false);
Console.WriteLine("Access token:" + result.AccessToken);
if (!string.IsNullOrEmpty(region) && setEnvVariable)
{
Environment.SetEnvironmentVariable(s_environmentVarName, null);
}
}
public async Task WithOnBeforeTokenRequest_TestAsync(Cloud cloud, RunOn runOn)
{
IConfidentialAppSettings settings = ConfidentialAppSettings.GetSettings(cloud);
AuthenticationResult authResult;
IConfidentialClientApplication confidentialApp = ConfidentialClientApplicationBuilder
.Create(settings.ClientId)
.WithAuthority(settings.Authority, true)
.WithExperimentalFeatures(true)
.WithTestLogging()
.Build();
authResult = await confidentialApp
.AcquireTokenForClient(settings.AppScopes)
.OnBeforeTokenRequest((data) =>
{
ModifyRequest(data, settings.GetCertificate()); // Adding a certificate via handler instead of using WithCertificate
return(Task.CompletedTask);
})
.ExecuteAsync(CancellationToken.None)
.ConfigureAwait(false);
Assert.AreEqual(TokenSource.IdentityProvider, authResult.AuthenticationResultMetadata.TokenSource);
// Call again to ensure token cache is hit
authResult = await confidentialApp
.AcquireTokenForClient(settings.AppScopes)
.OnBeforeTokenRequest((data) =>
{
throw new InvalidOperationException("Should not be invoking this callback when the token is fetched from the cache");
})
.ExecuteAsync()
.ConfigureAwait(false);
Assert.AreEqual(TokenSource.Cache, authResult.AuthenticationResultMetadata.TokenSource);
}