/// <summary>
/// <see cref="MyCompany.Travel.Web.Security.IADGraphApi"/>
/// http://code.msdn.microsoft.com/Windows-Azure-AD-Graph-API-a8c72e18
/// </summary>
/// <param name="userPrincipalName"><see cref="MyCompany.Travel.Web.Security.IADGraphApi"/></param>
/// <param name="groupName"><see cref="MyCompany.Travel.Web.Security.IADGraphApi"/></param>
/// <returns><see cref="MyCompany.Travel.Web.Security.IADGraphApi"/></returns>
public bool IsInGroup(string userPrincipalName, string groupName)
{
string clientId = WebConfigurationManager.AppSettings["ida:ClientId"];
string key = WebConfigurationManager.AppSettings["ida:Key"];
string tenant = WebConfigurationManager.AppSettings["ida:Tenant"];
// get a token using the helper
AADJWTToken token = DirectoryDataServiceAuthorizationHelper.GetAuthorizationToken(tenant, clientId, key);
// initialize a graphService instance using the token acquired from previous step
var graphService = new DirectoryDataService(tenant, token);
var users = graphService.users;
var response = users.Execute() as QueryOperationResponse <User>;
List <User> userList = response.Where(u => u.userPrincipalName == userPrincipalName).ToList();
if (userList.Any())
{
var user = userList.First();
List <string> _groupMemberships;
_groupMemberships = new List <string>();
string queryString = string.Format("https://graph.windows.net/{0}/{1}/{2}/{3}", tenant, "users", user.objectId.ToString(), "memberOf");
var query = graphService.Execute <Group>(new Uri(queryString));
var groups = query.Where(a => a.objectType == "Group" && a.displayName == groupName);
var groupList = groups as IList <Group>;
if (groupList != null)
{
var directoryObjects = groups as IList <Group> ?? groups.ToList();
return(directoryObjects.Any());
}
}
return(false);
}
public ActionResult List()
{
/*HELPER CONSTRUCTOR*/
//get the tenantName
string tenantName = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
// retrieve the clientId and password values from the Web.config file
string clientId = ConfigurationManager.AppSettings["AppPrincipalId"];
string password = ConfigurationManager.AppSettings["Password"];
/*NEEDS TO BE CACHED*/
// get a token using the helper
AADJWTToken token = DirectoryDataServiceAuthorizationHelper.GetAuthorizationToken(tenantName, clientId, password);
// initialize a graphService instance using the token acquired from previous step
DirectoryDataService graphService = new DirectoryDataService(tenantName, token);
// get Users
var users = graphService.users;
QueryOperationResponse <User> response;
response = users.Execute() as QueryOperationResponse <User>;
List <User> userList = response.ToList();
ViewBag.userList = userList;
// For subsequent Graph Calls, the existing token should be used.
// The following checks to see if the existing token is expired or about to expire in 2 mins
// if true, then get a new token and refresh the graphService
//
int tokenMins = 2;
if (token.IsExpired || token.WillExpireIn(tokenMins))
{
AADJWTToken newToken = DirectoryDataServiceAuthorizationHelper.GetAuthorizationToken(tenantName, clientId, password);
token = newToken;
graphService = new DirectoryDataService(tenantName, token);
}
// get tenant information
var tenant = graphService.tenantDetails;
QueryOperationResponse <TenantDetail> responseTenantQuery;
responseTenantQuery = tenant.Execute() as QueryOperationResponse <TenantDetail>;
List <TenantDetail> tenantInfo = responseTenantQuery.ToList();
ViewBag.OtherMessage = "User List from tenant: " + tenantInfo[0].displayName;
return(View(userList));
}
private async void DoDemo_Click(object sender, RoutedEventArgs e)
{
var authCtx = new AuthenticationContext("https://login.windows.net/waadthefsck.onmicrosoft.com");
AuthenticationResult authRes = authCtx.AcquireToken(Resource, ClientId, new Uri(AppId));
// Note: The external library has been modified to use AuthenticationResult,
// the old AADJwtToken was removed (plus dependent [extension] classes)
var ds = new DirectoryDataService("waadthefsck.onmicrosoft.com", authRes);
var user = ds.directoryObjects.OfType <User>()
.Where(it => (it.userPrincipalName == "*****@*****.**"))
.SingleOrDefault();
MessageBox.Show(user.displayName);
}
public static string GetGroupObjectIdFromName(DirectoryDataService directoryService, string name)
{
QueryOperationResponse <Group> response;
//WebRetryHelper is a retries function with exponential back off in the case of transient exception
DataServiceQuery <Group> groups = new WebRetryHelper <DataServiceQuery <Group> >(() => directoryService.groups).Value;
groups = (DataServiceQuery <Group>)(groups.Where(group => String.Compare(group.displayName, name) == 0));
response = groups.Execute() as QueryOperationResponse <Group>;
List <Group> groupList = response.ToList();
if (groupList.Count == 0)
{
return(null);
}
return(groupList[0].objectId);
}
private static string GetDisplayNameFromObjectId(DirectoryDataService directoryService, string id)
{
try
{
Group group = directoryService.groups.Where(it => (it.objectId == id)).SingleOrDefault();
return(group.displayName);
}
catch
{
try
{
User user = directoryService.users.Where(it => (it.objectId == id)).SingleOrDefault();
return(user.displayName);
}
catch
{
return(null);
}
}
}
public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
{
if (incomingPrincipal != null && incomingPrincipal.Identity.IsAuthenticated)
{
// Get the claims required to make further Graph API enquiries about the user
Claim tenantClaim = incomingPrincipal.FindFirst(TenantIdClaim);
if (tenantClaim == null)
{
throw new NotSupportedException("Tenant claim not available, role authentication is not supported");
}
Claim objectIdentifierClaim = incomingPrincipal.FindFirst(ObjectIdentifierClaim);
if (objectIdentifierClaim == null)
{
throw new NotSupportedException("Object identifier claim not available, role authentication is not supported");
}
string tenantId = tenantClaim.Value;
string currentUserObjectId = objectIdentifierClaim.Value;
// Connect to the graph service
AADJWTToken token = DirectoryDataServiceAuthorizationHelper.GetAuthorizationToken(tenantId, _clientId, _password);
DirectoryDataService graphService = new DirectoryDataService(tenantId, token);
// Find the user in the graph
// ReSharper disable once ReplaceWithSingleCallToSingleOrDefault - SingleOrDefault not supported on directory service directly
User currentUser = graphService.directoryObjects.OfType <User>().Where(it => (it.objectId == currentUserObjectId)).SingleOrDefault();
if (currentUser == null)
{
throw new SecurityException("User cannot be found in graph");
}
// Find the groups the user is a member of and add them as role claims
graphService.LoadProperty(currentUser, "memberOf");
List <Group> currentRoles = currentUser.memberOf.OfType <Group>().ToList();
foreach (Group role in currentRoles)
{
((ClaimsIdentity)incomingPrincipal.Identity).AddClaim(new Claim(ClaimTypes.Role, role.displayName, ClaimValueTypes.String, _issuer));
}
}
return(base.Authenticate(resourceName, incomingPrincipal));
}
public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
{
if (incomingPrincipal != null && incomingPrincipal.Identity.IsAuthenticated == true)
{
//get the tenantId
string tenantId = incomingPrincipal.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
// Use the DirectoryDataServiceAuthorizationHelper graph helper API
// to get a token to access the Windows Azure AD Graph
string clientId = ConfigurationManager.AppSettings["ClientId"];
string password = ConfigurationManager.AppSettings["Password"];
AADJWTToken token = DirectoryDataServiceAuthorizationHelper.GetAuthorizationToken(tenantId, clientId, password);
// initialize a graphService instance. Use the JWT token acquired in the previous step.
DirectoryDataService graphService = new DirectoryDataService(tenantId, token);
// get the user's ObjectId
String currentUserObjectId = incomingPrincipal.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
// Get the User object by querying Windows Azure AD Graph
User currentUser = new WebRetryHelper <User>(() => graphService.directoryObjects.OfType <User>().Where(it => (it.objectId == currentUserObjectId)).SingleOrDefault()).Value;
/*
* TaskTracker defines four roles that are specific to this app:
* "Admin", "Observer", "Writer", "Approver". These app roles are
* different from the roles that are built into Windows Azure AD,
* e.g. "Company Administrator", "User Account Administrator".
*
* This code uses the memberOf property of the User object to get
* the user's built-in roles. If the user has the "Company Administrator"
* built-in role, the app assigns the user to the "Admin" app role.
*/
// get the user's built-in roles
new WebRetryHelper <object>(() => graphService.LoadProperty(currentUser, "memberOf"));
List <Role> currentRoles = currentUser.memberOf.OfType <Role>().ToList();
//if the user is a Company Administrator (Global Administrator),
// assign them the "Admin" role in the app.
foreach (Role role in currentRoles)
{
if (role.displayName.Equals("Company Administrator"))
{
((ClaimsIdentity)incomingPrincipal.Identity).AddClaim(new Claim(ClaimTypes.Role, "Admin", ClaimValueTypes.String, "TaskTrackerSampleApplication"));
}
}
/*
* To determine the user's group membership, TaskTracker uses
* the getCompleteGroupMembership function, which calls the getMemberGroups
* function, which returns the transitive group membership of the user.
*/
// Now, query transitive group membership of the user
List <string> completeGroupMembership = new WebRetryHelper <List <String> >(() => graphService.GetCompleteGroupMembership(tenantId, currentUserObjectId, token)).Value;
//Store the user's groups as claims of type "Group"
foreach (string groupId in completeGroupMembership)
{
Debug.WriteLine("adding " + groupId);
((ClaimsIdentity)incomingPrincipal.Identity).AddClaim(new Claim("Group", groupId, ClaimValueTypes.String, "WindowsAzureADGraph"));
}
//Get role assignments
foreach (string role in getRoles(currentUserObjectId, completeGroupMembership))
{
//Store the user's application roles as claims of type Role
((ClaimsIdentity)incomingPrincipal.Identity).AddClaim(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, "TaskTrackerSampleApplication"));
}
}
return(incomingPrincipal);
}
public ActionResult Users()
{
//get the user's objectID
Boolean onACL = false;
String userObjectId = ((ClaimsIdentity)User.Identity).FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
List <ACLElem> ACLElems = XmlHelper.GetACLElemsFromXml();
foreach (ACLElem elem in ACLElems)
{
//is user's objectId in the ACL?
if (elem.ObjectId.Equals(userObjectId))
{
onACL = true;
}
else
{
foreach (Claim groupClaim in ((ClaimsIdentity)User.Identity).FindAll("Group"))
{
//is a group the user belongs to in the ACL?
if (elem.ObjectId.Equals(groupClaim.Value))
{
onACL = true;
break;
}
}
}
// exit as soon as you find the user or a group in the ACL
if (onACL)
{
break;
}
}
//if user is not in ACL - do not grant permission
if (!onACL)
{
return(RedirectToAction("Error", "Home", new { errorMessage = "Access Denied. To view this resource, have an admin add you or your group to the ACL." }));
}
//get the tenantName
string tenantName = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
// get the clientId and password values from the Web.config file
string clientId = ConfigurationManager.AppSettings["ClientId"];
string password = ConfigurationManager.AppSettings["Password"];
// use the Graph help to get a token
AADJWTToken token = DirectoryDataServiceAuthorizationHelper.GetAuthorizationToken(tenantName, clientId, password);
// use the token to initialize a graphService instance
DirectoryDataService graphService = new DirectoryDataService(tenantName, token);
// get Users
//
var users = graphService.users;
QueryOperationResponse <User> response;
response = users.Execute() as QueryOperationResponse <User>;
List <User> userList = response.ToList();
ViewBag.userList = userList;
// Use the token for subsequent Graph calls.
// Is the existing token expire or about to expire in 2 mins?
// if true, get a new token and refresh the graph service
//
int tokenMins = 2;
if (token.IsExpired || token.WillExpireIn(tokenMins))
{
AADJWTToken newToken = DirectoryDataServiceAuthorizationHelper.GetAuthorizationToken(tenantName, clientId, password);
token = newToken;
graphService = new DirectoryDataService(tenantName, token);
}
// get tenant information
//
var tenant = graphService.tenantDetails;
QueryOperationResponse <TenantDetail> responseTenantQuery;
responseTenantQuery = tenant.Execute() as QueryOperationResponse <TenantDetail>;
List <TenantDetail> tenantInfo = responseTenantQuery.ToList();
ViewBag.OtherMessage = "User List from tenant: " + tenantInfo[0].displayName;
return(View(userList));
}
