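/// <summary>
/// When the Web API needs consent, it can send a 403 with information in the WWW-Authenticate header in
/// order to challenge the user. Two proposed actions are understood: "forceRefresh" (drop the cached
/// account and sign in again interactively, with the challenge claims) and "consent" (after confirmation,
/// open the consent page supplied by the service in the browser). Any other or missing action is ignored.
/// </summary>
/// <param name="response">HttpResponse received from the service; its WWW-Authenticate header is parsed.</param>
/// <param name="account">Account the failed call was made for; may be null, in which case no account is removed
/// and no login hint is sent.</param>
/// <returns>A task that completes once the challenge has been handled (or ignored).</returns>
private async Task HandleChallengeFromWebApi(HttpResponseMessage response, IAccount account)
{
    WwwAuthenticateParameters wwwAuthenticateParameters = WwwAuthenticateParameters.CreateFromResponseHeaders(response.Headers);
    string claims = wwwAuthenticateParameters.Claims;

    // The indexer throws KeyNotFoundException for an absent parameter; both of these are optional
    // in a challenge, so read them through TryGetValue and let a missing value fall through below.
    wwwAuthenticateParameters.RawParameters.TryGetValue("proposedAction", out string proposedAction);
    wwwAuthenticateParameters.RawParameters.TryGetValue("consentUri", out string consentUri);

    string loginHint = account?.Username;
    string domainHint = IsConsumerAccount(account) ? "consumers" : "organizations";

    // The claims value is service-supplied and may contain '&' or '=' (e.g. base64 padding), which would
    // otherwise be interpreted as query-string delimiters when MSAL splits the extra parameters.
    string extraQueryParameters = $"claims={Uri.EscapeDataString(claims ?? string.Empty)}&domainHint={domainHint}";

    if (proposedAction == "forceRefresh")
    {
        // Removes the account, but then re-signs-in. Nothing to remove when no account was passed in.
        if (account != null)
        {
            await _app.RemoveAsync(account);
        }

        await _app.AcquireTokenInteractive(new string[] { "user.read" })
            .WithPrompt(Prompt.Consent)
            .WithLoginHint(loginHint)
            .WithExtraQueryParameters(extraQueryParameters)
            .WithAuthority(_app.Authority)
            .ExecuteAsync()
            .ConfigureAwait(false);
    }
    else if (proposedAction == "consent")
    {
        // consentUri comes straight from the service response and is handed to the shell: only accept an
        // absolute http(s) URI so that a malformed or non-browser scheme cannot launch something else.
        if (!Uri.TryCreate(consentUri, UriKind.Absolute, out Uri parsedConsentUri)
            || (parsedConsentUri.Scheme != Uri.UriSchemeHttps && parsedConsentUri.Scheme != Uri.UriSchemeHttp))
        {
            return;
        }

        if (System.Windows.MessageBox.Show("You need to consent to the Web API. If you press Ok, you'll be redirected to a browser page to consent",
                                           "Consent needed for the Web API",
                                           MessageBoxButton.OKCancel) == MessageBoxResult.OK)
        {
            // UseShellExecute is required to open a URL in the default browser on .NET Core as well as .NET Framework.
            Process.Start(new ProcessStartInfo(parsedConsentUri.AbsoluteUri) { UseShellExecute = true });
        }
    }
}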
public void CreateRawParameters_ClaimsAndErrorReturned(string claims)
{
    // Arrange
    const string expectedError = "insufficient_claims";
    HttpResponseMessage response = CreateClaimsHttpResponse(claims);

    // Act
    WwwAuthenticateParameters parameters = WwwAuthenticateParameters.CreateFromResponseHeaders(response.Headers);
    var raw = parameters.RawParameters;

    // Assert: authorization_uri is exposed both through the raw dictionary and the indexer
    Assert.IsTrue(raw.TryGetValue(AuthorizationUriKey, out var authorizationUri));
    Assert.AreEqual(AuthorizationValue, authorizationUri);
    Assert.AreEqual(AuthorizationValue, parameters[AuthorizationUriKey]);

    // realm is present but carries an empty value
    Assert.IsTrue(raw.ContainsKey(Realm));
    Assert.IsTrue(raw.TryGetValue(Realm, out var realm));
    Assert.AreEqual(string.Empty, realm);
    Assert.AreEqual(string.Empty, parameters[Realm]);

    // the claims value round-trips unchanged
    Assert.IsTrue(raw.TryGetValue(ClaimsKey, out var parsedClaims));
    Assert.AreEqual(claims, parsedClaims);
    Assert.AreEqual(parsedClaims, parameters[ClaimsKey]);

    // the error code identifies the insufficient-claims condition
    Assert.IsTrue(raw.TryGetValue(ErrorKey, out var error));
    Assert.AreEqual(expectedError, error);
    Assert.AreEqual(expectedError, parameters[ErrorKey]);
}
public void CreateWwwAuthenticateResponse(string resource, string authorizationUri)
{
    // Arrange: a 401 carrying a Bearer challenge with an empty realm plus the two supplied parameters
    var response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
    string challenge = $"Bearer realm=\"\", {resource}, {authorizationUri}";
    response.Headers.Add(WwwAuthenticateHeaderName, challenge);

    // Act
    WwwAuthenticateParameters parameters = WwwAuthenticateParameters.CreateFromResponseHeaders(response.Headers);

    // Assert: authority is derived without a trailing slash, three raw parameters were parsed,
    // and neither claims nor error is set for this challenge
    string expectedAuthority = TestConstants.AuthorityCommonTenant.TrimEnd('/');
    Assert.AreEqual(expectedAuthority, parameters.Authority);
    Assert.AreEqual(3, parameters.RawParameters.Count);
    Assert.IsNull(parameters.Claims);
    Assert.IsNull(parameters.Error);
}
public void CreateRawParameters(string resourceHeaderKey, string authorizationUriHeaderKey)
{
    // Arrange
    HttpResponseMessage response = CreateGraphHttpResponse(resourceHeaderKey, authorizationUriHeaderKey);

    // Act
    WwwAuthenticateParameters parameters = WwwAuthenticateParameters.CreateFromResponseHeaders(response.Headers);
    var raw = parameters.RawParameters;

    // Assert: the resource, authorization URI and realm keys were parsed under the given names
    Assert.IsTrue(raw.ContainsKey(resourceHeaderKey));
    Assert.IsTrue(raw.ContainsKey(authorizationUriHeaderKey));
    Assert.IsTrue(raw.ContainsKey(Realm));

    // realm is empty, resource is the Graph app id
    Assert.AreEqual(string.Empty, parameters[Realm]);
    Assert.AreEqual(GraphGuid, parameters[resourceHeaderKey]);

    // keys that were not in the challenge are not silently defaulted by the indexer
    Assert.ThrowsException<KeyNotFoundException>(() => _ = parameters[ErrorKey]);
    Assert.ThrowsException<KeyNotFoundException>(() => _ = parameters[ClaimsKey]);
}
public void CreateWwwAuthenticateResponse(string resource, string authorizationUri)
{
    // Arrange: a 401 whose WWW-Authenticate header holds an empty realm plus the two supplied parameters
    var response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
    string challenge = $"Bearer realm=\"\", {resource}, {authorizationUri}";
    response.Headers.Add("WWW-Authenticate", challenge);

    // Act
    WwwAuthenticateParameters parameters = WwwAuthenticateParameters.CreateFromResponseHeaders(response.Headers);

    // Assert: resource, authority (no trailing slash) and the default scope are derived from the challenge
    string expectedAuthority = TestConstants.AuthorityCommonTenant.TrimEnd('/');
    string expectedScope = $"{GraphGuid}/.default";
    Assert.AreEqual(GraphGuid, parameters.Resource);
    Assert.AreEqual(expectedAuthority, parameters.Authority);
    Assert.AreEqual(expectedScope, parameters.Scopes.FirstOrDefault());

    // three raw parameters, and no claims or error for this challenge
    Assert.AreEqual(3, parameters.RawParameters.Count);
    Assert.IsNull(parameters.Claims);
    Assert.IsNull(parameters.Error);
}