public async Task AuthenticateResourceAsync_HandleAdalException()
{
this.adalServiceInfo.ClientSecret = "clientSecret";
var resource = "https://resource.sharepoint.com/";
var expectedAuthenticationResult = new MockAuthenticationResult();
var adalException = new AdalException("code");
this.authenticationContextWrapper
.Setup(wrapper => wrapper.AcquireTokenByAuthorizationCodeAsync(
It.IsAny <string>(),
It.IsAny <Uri>(),
It.IsAny <ClientCredential>(),
It.IsAny <string>()))
.Throws(adalException);
try
{
var authenticationResult = await this.authenticationProvider.AuthenticateResourceAsyncWrapper(resource);
}
catch (OneDriveException exception)
{
Assert.AreEqual(OneDriveErrorCode.AuthenticationFailure.ToString(), exception.Error.Code, "Unexpected error thrown.");
Assert.AreEqual("An error occurred during Azure Active Directory authentication.", exception.Error.Message, "Unexpected error thrown.");
Assert.AreEqual(adalException, exception.InnerException, "Unexpected inner exception.");
throw;
}
}
public SecurityToken RequestToken(string issuer, string appliesTo, RecordsManagerCredentials credentials)
{
var authContext = new AuthenticationContext(Constants.WAAD_AUTHORITY);
AuthenticationResult result = null;
// first, try to get a token silently
try
{
result = authContext.AcquireTokenSilentAsync(appId, Constants.WAAD_CLIENTID).Result;
}
catch (AggregateException exc)
{
AdalException ex = exc.InnerException as AdalException;
// There is no token in the cache; prompt the user to sign-in.
if (ex != null && ex.ErrorCode != "failed_to_acquire_token_silently")
{
throw;
}
}
if (result == null)
{
result = this.RunSync(async() =>
{
return(await authContext.AcquireTokenAsync(appId, Constants.WAAD_CLIENTID, new UserPasswordCredential(credentials.Username, credentials.Password)));
});
}
return(new SecurityToken(result.AccessToken, result.AccessTokenType, result.ExpiresOn.DateTime));
}
private async Task <string> GetAzureKeyVaultAccessTokenAsync(
AuthenticationContext authenticationContext,
UserCredential userCredential,
string resourceId,
string clientId) //scope
{
AuthenticationResult result = null;
// first, try to get a token silently
try
{
result = authenticationContext.AcquireTokenSilentAsync(resourceId, clientId).Result;
}
catch (AggregateException exc)
{
AdalException ex = exc.InnerException as AdalException;
// There is no token in the cache; prompt the user to sign-in.
if (ex != null && ex.ErrorCode != "failed_to_acquire_token_silently") //this is an expected error
{
// An unexpected error occurred.
throw ex;
}
}
//try to acquire token by explicitly providing credentials
if (result == null)
{
result = await authenticationContext.AcquireTokenAsync(resourceId, clientId, userCredential);
}
return(result.AccessToken);
}
/// <summary>
/// Creates custom AAD Client exception
/// </summary>
/// <param name="adalException">ADAL Exception object</param>
private static void HandleAzureActiveDirectoryClientException(AdalException adalException)
{
if (!string.IsNullOrEmpty(adalException.ErrorCode))
{
//trace.TraceWarning($"AzureActiveDirectoryClientException;ErrorCode={adalException.ErrorCode}, AdalException={adalException}");
}
else
{
//trace.TraceWarning($"AzureActiveDirectoryClientException;ErrorMessage={adalException.Message}, AdalException={adalException}");
}
}
private void HandleAdalException(AdalException e, IAADLogger Logger)
{
// Exception: AdalException
// Represents a library exception generated by ADAL .NET.
// e.ErrorCode contains the error code
// Action: Case 1, Non-Retryable
// Do not perform an immediate retry. Only retry after user action.
// Example Errors: network_not_available, default case
Logger.Log($"AdalException Message: {e.Message}");
Logger.Log($"AdalException Error Code: {e.ErrorCode.ToString()}");
}
static public void Log(AdalException authException, ref string strErrors)
{
string strMessage = authException.Message;
string strDetail = null;
if (authException.InnerException != null)
{
// You should implement retry and back-off logic per the guidance given here:http://msdn.microsoft.com/en-us/library/dn168916.aspx
// InnerException.Message contains the HTTP error status codes mentioned in the link above
strDetail = authException.InnerException.Message;
strErrors += strDetail;
}
GraphHelperEventSource.Log.AuthFailure(strMessage, strDetail);
}
private void VerifyNotOnMainThread()
{
Looper looper = Looper.MyLooper();
if (looper != null && looper == mContext.MainLooper)
{
Exception exception = new AdalException(
"calling this from your main thread can lead to deadlock");
CallState.Logger.Error(null, exception.ToString());
CallState.Logger.ErrorPii(null, exception);
if (mContext.ApplicationInfo.TargetSdkVersion >= BuildVersionCodes.Froyo)
{
throw exception;
}
}
}
public Intent GetIntentForBrokerActivity(AuthenticationRequest request, Activity callerActivity)
{
Intent intent = null;
IAccountManagerFuture result = null;
try
{
// Callback is not passed since it is making a blocking call to get
// intent. Activity needs to be launched from calling app
// to get the calling app's metadata if needed at BrokerActivity.
Bundle addAccountOptions = GetBrokerOptions(request);
result = mAcctManager.AddAccount(BrokerConstants.BrokerAccountType,
BrokerConstants.AuthtokenType, null, addAccountOptions, null,
null, new Handler(callerActivity.MainLooper));
// Making blocking request here
Bundle bundleResult = (Bundle)result.Result;
// Authenticator should throw OperationCanceledException if
// token is not available
intent = (Intent)bundleResult.GetParcelable(AccountManager.KeyIntent);
// Add flag to this intent to signal that request is for broker
// logic
if (intent != null)
{
intent.PutExtra(BrokerConstants.BrokerRequest, BrokerConstants.BrokerRequest);
}
}
catch (OperationCanceledException e)
{
CallState.Logger.Error(null, e);
CallState.Logger.ErrorPii(null, e);
}
catch (Exception e)
{
// Authenticator gets problem from webrequest or file read/write
var ex = new AdalException("Authenticator cancels the request", e);
CallState.Logger.Error(null, ex);
CallState.Logger.ErrorPii(null, ex);
}
return(intent);
}
public async Task UserRealmDiscoveryTest()
{
AuthenticationContext context = new AuthenticationContext(TestConstants.GetUserRealmEndpoint(TestConstants.DefaultAuthorityCommonTenant) + "/"
+ TestConstants.DefaultDisplayableId, new TokenCache());
await context.Authenticator.UpdateFromTemplateAsync(null);
HttpMessageHandlerFactory.AddMockHandler(new MockHttpMessageHandler(TestConstants.GetUserRealmEndpoint(TestConstants.DefaultAuthorityCommonTenant) + "/"
+ TestConstants.DefaultDisplayableId)
{
Method = HttpMethod.Get,
ResponseMessage = new HttpResponseMessage(HttpStatusCode.OK)
{
Content = new StringContent("{\"ver\":\"1.0\",\"account_type\":\"Federated\",\"domain_name\":\"microsoft.com\"," +
"\"federation_protocol\":\"WSTrust\",\"federation_metadata_url\":" +
"\"https://msft.sts.microsoft.com/adfs/services/trust/mex\"," +
"\"federation_active_auth_url\":\"https://msft.sts.microsoft.com/adfs/services/trust/2005/usernamemixed\"" +
",\"cloud_instance_name\":\"login.microsoftonline.com\"}")
},
QueryParams = new Dictionary <string, string>()
{
{ "api-version", "1.0" }
}
});
UserRealmDiscoveryResponse userRealmResponse = await UserRealmDiscoveryResponse.CreateByDiscoveryAsync(context.Authenticator.UserRealmUri, TestConstants.DefaultDisplayableId,
CallState.Default);
VerifyUserRealmResponse(userRealmResponse, "Federated");
HttpMessageHandlerFactory.AddMockHandler(new MockHttpMessageHandler(TestConstants.GetUserRealmEndpoint(TestConstants.DefaultAuthorityCommonTenant) + "/"
+ TestConstants.DefaultDisplayableId)
{
Method = HttpMethod.Get,
ResponseMessage = new HttpResponseMessage(HttpStatusCode.OK)
{
Content = new StringContent("{\"ver\":\"1.0\",\"account_type\":\"Unknown\",\"cloud_instance_name\":\"login.microsoftonline.com\"}")
},
QueryParams = new Dictionary <string, string>()
{
{ "api-version", "1.0" }
}
});
userRealmResponse = await UserRealmDiscoveryResponse.CreateByDiscoveryAsync(context.Authenticator.UserRealmUri, TestConstants.DefaultDisplayableId, CallState.Default);
VerifyUserRealmResponse(userRealmResponse, "Unknown");
HttpMessageHandlerFactory.AddMockHandler(new MockHttpMessageHandler(TestConstants.GetUserRealmEndpoint(TestConstants.DefaultAuthorityCommonTenant) + "/"
+ null)
{
Method = HttpMethod.Get,
ResponseMessage = MockHelpers.CreateFailureResponseMessage("unknown_user")
});
AdalException ex = AssertException.TaskThrows <AdalException>(() =>
UserRealmDiscoveryResponse.CreateByDiscoveryAsync(context.Authenticator.UserRealmUri, null, CallState.Default));
Assert.AreEqual(AdalError.UnknownUser, ex.Message);
// All mocks are consumed
Assert.AreEqual(0, HttpMessageHandlerFactory.MockHandlersCount());
}
public bool Authenticate(bool throwOnError = false, string resource = ManagementAzureCom, PromptBehavior prompt = PromptBehavior.Never)
{
Log.Debug("azure ad:enter");
_resource = resource;
if (_tokenExpirationHalfLife > DateTime.Now)
{
Log.Debug("token still valid");
return(false);
}
else if (!IsAuthenticated)
{
Log.Info("authenticating to azure", ConsoleColor.Green);
}
else
{
Log.Warning($"refreshing aad token. token expiration half life: {_tokenExpirationHalfLife}");
}
try
{
AuthenticationContext authContext = new AuthenticationContext(
_baseAuthUrl + (string.IsNullOrEmpty(Config.AzureTenantId) ? "common" : Config.AzureTenantId), _tokenCache);
if (Config.IsClientIdConfigured())
{
// no prompt with clientid and secret
AuthenticationResult = authContext.AcquireTokenAsync(resource,
new ClientCredential(Config.AzureClientId, Config.AzureClientSecret)).Result;
}
else
{
// normal azure auth with prompt if needed
AuthenticationResult = authContext.AcquireTokenAsync(resource,
_wellKnownClientId,
_replyUrl,
new PlatformParameters(prompt)).Result;
}
BearerToken = AuthenticationResult.AccessToken;
long tickDiff = ((AuthenticationResult.ExpiresOn.ToLocalTime().Ticks - DateTime.Now.Ticks) / 2) + DateTime.Now.Ticks;
_tokenExpirationHalfLife = new DateTimeOffset(new DateTime(tickDiff));
Log.Info($"authentication result:", ConsoleColor.Green, null, AuthenticationResult);
Log.Highlight($"aad token expiration: {AuthenticationResult.ExpiresOn.ToLocalTime()}");
Log.Highlight($"aad token half life expiration: {_tokenExpirationHalfLife}");
_timer = new Timer(Reauthenticate, null, Convert.ToInt32((_tokenExpirationHalfLife - DateTime.Now).TotalMilliseconds), Timeout.Infinite);
IsAuthenticated = true;
return(true);
}
catch (AggregateException ae)
{
Log.Exception($"aggregate exception:{ae}");
if (ae.GetBaseException() is AdalException)
{
AdalException ad = ae.GetBaseException() as AdalException;
Log.Exception($"adal exception:{ad}");
if (ad.ErrorCode.Contains("interaction_required") && prompt == PromptBehavior.Never)
{
return(Authenticate(throwOnError, resource, PromptBehavior.Auto));
}
}
return(false);
}
catch (Exception e)
{
Log.Exception($"{e}");
if (throwOnError)
{
throw e;
}
IsAuthenticated = false;
return(false);
}
}
static async Task PostTodo()
{
// Get an access token from Azure AD using client credentials.
// If the attempt to get a token fails because the server is unavailable, retry twice after 3 seconds each.
AuthenticationResult result = null;
int retryCount = 0;
bool retry = false;
do
{
retry = false;
try
{ // ADAL includes an in memory cache, so this call will only send a message to the server if the cached token is expired.
result = await authContext.AcquireTokenAsync(todoListResourceId, certCred);
}
catch (Exception ex)
{
AdalException exc = ex as AdalException;
if (exc.ErrorCode == "temporarily_unavailable")
{
retry = true;
retryCount++;
Thread.Sleep(3000);
}
Console.WriteLine(
String.Format("An error occurred while acquiring a token\nTime: {0}\nError: {1}\nRetry: {2}\n",
DateTime.Now.ToString(),
ex.ToString(),
retry.ToString()));
}
} while ((retry == true) && (retryCount < 3));
if (result == null)
{
Console.WriteLine("Canceling attempt to contact To Do list service.\n");
return;
}
//
// Post an item to the To Do list service.
//
// Add the access token to the authorization header of the request.
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
// Forms encode To Do item and POST to the todo list web api.
string timeNow = DateTime.Now.ToString();
Console.WriteLine("Posting to To Do list at {0}", timeNow);
string todoText = "Task at time: " + timeNow;
HttpContent content = new FormUrlEncodedContent(new[] { new KeyValuePair <string, string>("Title", todoText) });
HttpResponseMessage response = await httpClient.PostAsync(todoListBaseAddress + "/api/todolist", content);
if (response.IsSuccessStatusCode == true)
{
Console.WriteLine("Successfully posted new To Do item: {0}\n", todoText);
}
else
{
Console.WriteLine("Failed to post a new To Do item\nError: {0}\n", response.ReasonPhrase);
}
}
/// <summary>
/// Wrap an exception thrown by the ADAL library. This prevents client dependencies on a particular version fo ADAL.
/// </summary>
/// <param name="message">The exception message</param>
/// <param name="innerException">The inner AdalException with additional details</param>
internal AuthenticationException(string message, AdalException innerException) :
base(string.Format(CultureInfo.CurrentCulture, message, innerException.Message), innerException)
{
}
// Add a new ToDo in the list of the current user.
// If there is no valid token available, obtain a new one.
static void AddTodo()
{
#region Obtain token
AuthenticationResult result = null;
// first, try to get a token silently
try
{
result = authContext.AcquireTokenSilentAsync(todoListResourceId, clientId).Result;
}
catch (AggregateException exc)
{
AdalException ex = exc.InnerException as AdalException;
// There is no token in the cache; prompt the user to sign-in.
if (ex != null && ex.ErrorCode != "failed_to_acquire_token_silently")
{
// An unexpected error occurred.
ShowError(ex);
return;
}
}
if (result == null)
{
UserCredential uc = TextualPrompt();
// if you want to use Windows integrated auth, comment the line above and uncomment the one below
// UserCredential uc = new UserCredential();
try
{
result = authContext.AcquireTokenAsync(todoListResourceId, clientId, uc).Result;
}
catch (Exception ee)
{
ShowError(ee);
return;
}
}
#endregion
#region Call Web API
Console.WriteLine("Enter new todo description >");
string descr = Console.ReadLine();
HttpClient httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
HttpContent content = new FormUrlEncodedContent(new[] { new KeyValuePair <string, string>("Title", descr) });
var response = httpClient.PostAsync(todoListBaseAddress + "/api/todolist", content).Result;
if (response.IsSuccessStatusCode)
{
Console.ForegroundColor = ConsoleColor.Green;
Console.WriteLine("New ToDo '{0}' successfully added.", descr);
}
#endregion
#region Error handling
else
{
Console.ForegroundColor = ConsoleColor.Red;
if (response.StatusCode == System.Net.HttpStatusCode.Unauthorized)
{
// If the To Do list service returns access denied, clear the token cache and have the user sign-in again.
Console.WriteLine("Sorry, you don't have access to the To Do Service. You might need to sign up.");
authContext.TokenCache.Clear();
}
else
{
Console.WriteLine("Sorry, an error occurred accessing your To Do list. Please try again.");
}
}
#endregion
}
/// <summary>
/// Wrap an exception thrown by the ADAL library. This prevents client dependencies on a particular version fo ADAL.
/// </summary>
/// <param name="message">The exception message</param>
/// <param name="innerException">The inner AdalException with additional details</param>
internal AuthenticationException(string message, AdalException innerException) :
base(string.Format(CultureInfo.CurrentCulture, message, (innerException == null)? string.Empty : innerException?.Message), innerException)
{
}
internal AdalAuthException(string message, AdalException innerException) : base(message, innerException)
{
}
