Exemplo n.º 1
0
        private async Task <IConfidentialClientApplication> RunOnBehalfOfTestAsync(LabUser user, bool silentCallShouldSucceed)
        {
            SecureString         securePassword = new NetworkCredential("", user.GetOrFetchPassword()).SecurePassword;
            AuthenticationResult authResult;

            var pca = PublicClientApplicationBuilder
                      .Create(PublicClientID)
                      .WithAuthority(AadAuthorityAudience.AzureAdMultipleOrgs)
                      .Build();

            s_inMemoryTokenCache.Bind(pca.UserTokenCache);

            try
            {
                authResult = await pca
                             .AcquireTokenSilent(s_oboServiceScope, user.Upn)
                             .ExecuteAsync()
                             .ConfigureAwait(false);
            }
            catch (MsalUiRequiredException)
            {
                Assert.IsFalse(silentCallShouldSucceed, "ATS should have found a token, but it didn't");
                authResult = await pca
                             .AcquireTokenByUsernamePassword(s_oboServiceScope, user.Upn, securePassword)
                             .ExecuteAsync(CancellationToken.None)
                             .ConfigureAwait(false);
            }

            MsalAssert.AssertAuthResult(authResult, user);
            Assert.IsTrue(authResult.Scopes.Any(s => string.Equals(s, s_oboServiceScope.Single(), StringComparison.OrdinalIgnoreCase)));

            var cca = ConfidentialClientApplicationBuilder
                      .Create(OboConfidentialClientID)
                      .WithAuthority(new Uri("https://login.microsoftonline.com/" + authResult.TenantId), true)
                      .WithClientSecret(_confidentialClientSecret)
                      .Build();

            s_inMemoryTokenCache.Bind(cca.UserTokenCache);

            try
            {
                authResult = await cca
                             .AcquireTokenSilent(s_scopes, user.Upn)
                             .ExecuteAsync()
                             .ConfigureAwait(false);
            }
            catch (MsalUiRequiredException)
            {
                Assert.IsFalse(silentCallShouldSucceed, "ATS should have found a token, but it didn't");

                authResult = await cca.AcquireTokenOnBehalfOf(s_scopes, new UserAssertion(authResult.AccessToken))
                             .ExecuteAsync(CancellationToken.None)
                             .ConfigureAwait(false);
            }

            MsalAssert.AssertAuthResult(authResult, user);
            Assert.IsTrue(authResult.Scopes.Any(s => string.Equals(s, s_scopes.Single(), StringComparison.OrdinalIgnoreCase)));

            return(cca);
        }
Exemplo n.º 2
0
        public async Task WAM_AccountIds_GetMerged_Async()
        {
            // Arrange
            using (var httpManager = new MockHttpManager())
            {
                var cache = new InMemoryTokenCache();
                httpManager.AddInstanceDiscoveryMockHandler();

                var mockBroker = Substitute.For <IBroker>();
                mockBroker.IsBrokerInstalledAndInvokable().Returns(true);

                var msalTokenResponse1 = CreateMsalTokenResponseFromWam("wam1");
                var msalTokenResponse2 = CreateMsalTokenResponseFromWam("wam2");
                var msalTokenResponse3 = CreateMsalTokenResponseFromWam("wam3");

                // 2 apps must share the token cache, like FOCI apps, for this test to be interesting
                var pca1 = PublicClientApplicationBuilder.Create(TestConstants.ClientId)
                           .WithExperimentalFeatures(true)
                           .WithBroker(true)
                           .WithHttpManager(httpManager)
                           .BuildConcrete();

                var pca2 = PublicClientApplicationBuilder.Create(TestConstants.ClientId2)
                           .WithExperimentalFeatures(true)
                           .WithBroker(true)
                           .WithHttpManager(httpManager)
                           .BuildConcrete();

                cache.Bind(pca1.UserTokenCache);
                cache.Bind(pca2.UserTokenCache);

                pca1.ServiceBundle.PlatformProxy.SetBrokerForTest(mockBroker);
                pca2.ServiceBundle.PlatformProxy.SetBrokerForTest(mockBroker);

                // Act
                mockBroker.AcquireTokenInteractiveAsync(null, null).ReturnsForAnyArgs(Task.FromResult(msalTokenResponse1));
                await pca1.AcquireTokenInteractive(TestConstants.s_scope).ExecuteAsync().ConfigureAwait(false);

                // this should override wam1 id
                mockBroker.AcquireTokenInteractiveAsync(null, null).ReturnsForAnyArgs(Task.FromResult(msalTokenResponse2));
                await pca1.AcquireTokenInteractive(TestConstants.s_scope).ExecuteAsync().ConfigureAwait(false);

                mockBroker.AcquireTokenInteractiveAsync(null, null).ReturnsForAnyArgs(Task.FromResult(msalTokenResponse3));
                await pca2.AcquireTokenInteractive(TestConstants.s_scope).ExecuteAsync().ConfigureAwait(false);

                var accounts1 = await pca1.GetAccountsAsync().ConfigureAwait(false);

                var accounts2 = await pca2.GetAccountsAsync().ConfigureAwait(false);

                // Assert
                var wamAccountIds = (accounts1.Single() as IAccountInternal).WamAccountIds;
                Assert.AreEqual(2, wamAccountIds.Count);
                Assert.AreEqual("wam2", wamAccountIds[TestConstants.ClientId]);
                Assert.AreEqual("wam3", wamAccountIds[TestConstants.ClientId2]);
                CoreAssert.AssertDictionariesAreEqual(wamAccountIds, (accounts2.Single() as IAccountInternal).WamAccountIds, StringComparer.Ordinal);
            }
        }
Exemplo n.º 3
0
        public async Task TokensAreInterchangable_Regional_To_NonRegional_Async()
        {
            using (var httpManager = new MockHttpManager())
            {
                httpManager.AddRegionDiscoveryMockHandler(TestConstants.Region);
                httpManager.AddMockHandler(CreateTokenResponseHttpHandler(true));

                IConfidentialClientApplication appWithRegion = CreateCca(
                    httpManager,
                    ConfidentialClientApplication.AttemptRegionDiscovery);
                InMemoryTokenCache memoryTokenCache = new InMemoryTokenCache();
                memoryTokenCache.Bind(appWithRegion.AppTokenCache);

                IConfidentialClientApplication appWithoutRegion = CreateCca(
                    httpManager,
                    null);
                memoryTokenCache.Bind(appWithoutRegion.AppTokenCache);

                AuthenticationResult result = await appWithRegion
                                              .AcquireTokenForClient(TestConstants.s_scope)
                                              .ExecuteAsync(CancellationToken.None)
                                              .ConfigureAwait(false);

                Assert.AreEqual(TestConstants.Region, result.ApiEvent.RegionUsed);
                Assert.AreEqual(TestConstants.Region, result.ApiEvent.AutoDetectedRegion);
                Assert.AreEqual(RegionAutodetectionSource.Imds, result.ApiEvent.RegionAutodetectionSource);
                Assert.AreEqual(RegionOutcome.AutodetectSuccess, result.ApiEvent.RegionOutcome);
                Assert.AreEqual(TestConstants.Region, result.AuthenticationResultMetadata.RegionDetails.RegionUsed);
                Assert.AreEqual(RegionOutcome.AutodetectSuccess, result.AuthenticationResultMetadata.RegionDetails.RegionOutcome);
                Assert.IsNull(result.AuthenticationResultMetadata.RegionDetails.AutoDetectionError);

                // when switching to non-region, token is found in the cache
                result = await appWithoutRegion
                         .AcquireTokenForClient(TestConstants.s_scope)
                         .ExecuteAsync(CancellationToken.None)
                         .ConfigureAwait(false);

                Assert.AreEqual(null, result.ApiEvent.RegionUsed);
                Assert.IsNull(result.ApiEvent.AutoDetectedRegion);
                Assert.AreEqual(RegionAutodetectionSource.None, result.ApiEvent.RegionAutodetectionSource);
                Assert.AreEqual(RegionOutcome.None, result.ApiEvent.RegionOutcome);
                Assert.IsTrue(result.AuthenticationResultMetadata.TokenSource == TokenSource.Cache);
                Assert.IsNull(result.AuthenticationResultMetadata.RegionDetails.RegionUsed);
                Assert.AreEqual(RegionOutcome.None, result.AuthenticationResultMetadata.RegionDetails.RegionOutcome);
                Assert.IsNull(result.AuthenticationResultMetadata.RegionDetails.AutoDetectionError);
            }
        }
        public async Task TokensAreInterchangable_NonRegional_To_Regional_Async()
        {
            using (var httpManager = new MockHttpManager())
            {
                httpManager.AddInstanceDiscoveryMockHandler();
                httpManager.AddMockHandler(CreateTokenResponseHttpHandler(false));

                IConfidentialClientApplication appWithRegion = CreateCca(
                    httpManager,
                    ConfidentialClientApplication.AttemptRegionDiscovery);
                InMemoryTokenCache memoryTokenCache = new InMemoryTokenCache();
                memoryTokenCache.Bind(appWithRegion.AppTokenCache);

                IConfidentialClientApplication appWithoutRegion = CreateCca(
                    httpManager,
                    null);
                memoryTokenCache.Bind(appWithoutRegion.AppTokenCache);

                AuthenticationResult result = await appWithoutRegion
                                              .AcquireTokenForClient(TestConstants.s_scope)
                                              .ExecuteAsync(CancellationToken.None)
                                              .ConfigureAwait(false);

                Assert.IsTrue(result.AuthenticationResultMetadata.TokenSource == TokenSource.IdentityProvider);

                httpManager.AddRegionDiscoveryMockHandler("uscentral");

                // when switching to non-region, token is found in the cache
                result = await appWithRegion
                         .AcquireTokenForClient(TestConstants.s_scope)
                         .ExecuteAsync(CancellationToken.None)
                         .ConfigureAwait(false);

                Assert.IsTrue(result.AuthenticationResultMetadata.TokenSource == TokenSource.Cache);
            }
        }
Exemplo n.º 5
0
        private PublicClientApplication CreatePca(MockHttpManager httpManager, bool populateUserCache = false)
        {
            PublicClientApplication pca = PublicClientApplicationBuilder.Create(TestConstants.ClientId)
                                          .WithAuthority(new Uri(ClientApplicationBase.DefaultAuthority), false)
                                          .WithHttpManager(httpManager)
                                          .BuildConcrete();

            if (populateUserCache)
            {
                TokenCacheHelper.PopulateCache(pca.UserTokenCacheInternal.Accessor);
            }
            InMemoryTokenCache memoryTokenCache = new InMemoryTokenCache(withOperationDelay: true, shouldClearExistingCache: false);

            memoryTokenCache.Bind(pca.UserTokenCache);

            return(pca);
        }
        public async Task TelemetrySerializedTokenCacheTestAsync()
        {
            Environment.SetEnvironmentVariable(TestConstants.RegionName, TestConstants.Region);

            var inMemoryTokenCache = new InMemoryTokenCache();

            inMemoryTokenCache.Bind(_app.AppTokenCache);

            Trace.WriteLine("Acquire token for client with token serialization.");
            var result = await RunAcquireTokenForClientAsync(AcquireTokenForClientOutcome.Success).ConfigureAwait(false);

            AssertCurrentTelemetry(result.HttpRequest,
                                   ApiIds.AcquireTokenForClient,
                                   "1",
                                   isCacheSerialized: true);
            AssertPreviousTelemetry(result.HttpRequest, expectedSilentCount: 0);
        }
Exemplo n.º 7
0
        public async Task MetricsUpdatedSucessfully_AcquireTokenForClient_Async()
        {
            using (var harness = CreateTestHarness())
            {
                harness.HttpManager.AddInstanceDiscoveryMockHandler();
                harness.HttpManager.AddMockHandlerSuccessfulClientCredentialTokenResponseMessage();

                ConfidentialClientApplication cca = ConfidentialClientApplicationBuilder.Create(TestConstants.ClientId)
                                                    .WithAuthority(new Uri(ClientApplicationBase.DefaultAuthority), false)
                                                    .WithRedirectUri(TestConstants.RedirectUri)
                                                    .WithClientSecret(TestConstants.ClientSecret)
                                                    .WithHttpManager(harness.HttpManager)
                                                    .BuildConcrete();

                InMemoryTokenCache memoryTokenCache = new InMemoryTokenCache(withOperationDelay: true, shouldClearExistingCache: false);
                memoryTokenCache.Bind(cca.AppTokenCache);

                // Act - AcquireTokenForClient
                AuthenticationResult result = await cca.AcquireTokenForClient(TestConstants.s_scope.ToArray()).ExecuteAsync(CancellationToken.None).ConfigureAwait(false);

                Assert.IsNotNull(result);
                Assert.AreEqual(TokenSource.IdentityProvider, result.AuthenticationResultMetadata.TokenSource);
                Assert.IsTrue(result.AuthenticationResultMetadata.DurationInCacheInMs > 0);
                Assert.IsTrue(result.AuthenticationResultMetadata.DurationTotalInMs > 0);
                Assert.AreEqual(
                    "https://login.microsoftonline.com/common/oauth2/v2.0/token",
                    result.AuthenticationResultMetadata.TokenEndpoint);
                Assert.AreEqual(1, Metrics.TotalAccessTokensFromIdP);
                Assert.AreEqual(0, Metrics.TotalAccessTokensFromCache);
                Assert.AreEqual(0, Metrics.TotalAccessTokensFromBroker);

                // Act - AcquireTokenForClient returns result from cache
                result = await cca.AcquireTokenForClient(TestConstants.s_scope.ToArray()).ExecuteAsync(CancellationToken.None).ConfigureAwait(false);

                Assert.IsNotNull(result);
                Assert.AreEqual(TokenSource.Cache, result.AuthenticationResultMetadata.TokenSource);
                Assert.IsTrue(result.AuthenticationResultMetadata.DurationInCacheInMs > 0);
                Assert.IsTrue(result.AuthenticationResultMetadata.DurationInHttpInMs == 0);
                Assert.IsTrue(result.AuthenticationResultMetadata.DurationTotalInMs > 0);
                Assert.AreEqual(1, Metrics.TotalAccessTokensFromIdP);
                Assert.AreEqual(1, Metrics.TotalAccessTokensFromCache);
                Assert.AreEqual(0, Metrics.TotalAccessTokensFromBroker);
                Assert.IsTrue(Metrics.TotalDurationInMs > 0);
                Assert.IsNull(result.AuthenticationResultMetadata.TokenEndpoint);
            }
        }
        public void GlobalSetup()
        {
            var cca = ConfidentialClientApplicationBuilder
                      .Create(TestConstants.ClientId)
                      .WithAuthority(new Uri(TestConstants.AuthorityTestTenant))
                      .WithRedirectUri(TestConstants.RedirectUri)
                      .WithClientSecret(TestConstants.ClientSecret)
                      .BuildConcrete();

            var inMemoryTokenCache = new InMemoryTokenCache();

            inMemoryTokenCache.Bind(cca.AppTokenCache);

            TokenCacheHelper tokenCacheHelper = new TokenCacheHelper();

            tokenCacheHelper.PopulateCacheForClientCredential(cca.AppTokenCacheInternal.Accessor, TokenCacheSize);

            _acquireTokenForClientBuilder = cca
                                            .AcquireTokenForClient(TestConstants.s_scope)
                                            .WithForceRefresh(false);
        }
        public async Task TelemetryTestSerializedTokenCacheAsync()
        {
            using (_harness = CreateTestHarness())
            {
                _harness.HttpManager.AddInstanceDiscoveryMockHandler();

                _app = PublicClientApplicationBuilder.Create(TestConstants.ClientId)
                       .WithHttpManager(_harness.HttpManager)
                       .WithDefaultRedirectUri()
                       .WithLogging((lvl, msg, pii) => Trace.WriteLine($"[MSAL_LOG][{lvl}] {msg}"))
                       .BuildConcrete();

                var inMemoryTokenCache = new InMemoryTokenCache();
                inMemoryTokenCache.Bind(_app.UserTokenCache);

                Trace.WriteLine("Step 1. Acquire Token Interactive successful");
                var result = await RunAcquireTokenInteractiveAsync(AcquireTokenInteractiveOutcome.Success).ConfigureAwait(false);

                AssertCurrentTelemetry(result.HttpRequest, ApiIds.AcquireTokenInteractive, CacheInfoTelemetry.None, isCacheSerialized: true);
                AssertPreviousTelemetry(result.HttpRequest, expectedSilentCount: 0);
            }
        }
        public static async Task <string> GetLabAccessTokenAsync(string authority, string[] scopes, LabAccessAuthenticationType authType, string clientId, string certThumbprint, string clientSecret)
        {
            AuthenticationResult           authResult;
            IConfidentialClientApplication confidentialApp;
            X509Certificate2 cert;

            switch (authType)
            {
            case LabAccessAuthenticationType.ClientCertificate:
                var clientIdForCertAuth  = String.IsNullOrEmpty(clientId) ? LabAccessConfidentialClientId : clientId;
                var certThumbprintForLab = String.IsNullOrEmpty(clientId) ? LabAccessThumbPrint : certThumbprint;

                cert = CertificateHelper.FindCertificateByThumbprint(certThumbprintForLab);
                if (cert == null)
                {
                    throw new InvalidOperationException(
                              "Test setup error - cannot find a certificate in the My store for KeyVault. This is available for Microsoft employees only.");
                }

                confidentialApp = ConfidentialClientApplicationBuilder
                                  .Create(clientIdForCertAuth)
                                  .WithAuthority(new Uri(authority), true)
                                  .WithCertificate(cert)
                                  .Build();

                s_staticCache.Bind(confidentialApp.AppTokenCache);

                authResult = await confidentialApp
                             .AcquireTokenForClient(scopes)
                             .ExecuteAsync(CancellationToken.None)
                             .ConfigureAwait(false);

                break;

            case LabAccessAuthenticationType.ClientSecret:
                var clientIdForSecretAuth = String.IsNullOrEmpty(clientId) ? LabAccessConfidentialClientId : clientId;
                var clientSecretForLab    = String.IsNullOrEmpty(clientId) ? s_secret : clientSecret;

                confidentialApp = ConfidentialClientApplicationBuilder
                                  .Create(clientIdForSecretAuth)
                                  .WithAuthority(new Uri(authority), true)
                                  .WithClientSecret(clientSecretForLab)
                                  .Build();
                s_staticCache.Bind(confidentialApp.AppTokenCache);

                authResult = await confidentialApp
                             .AcquireTokenForClient(scopes)
                             .ExecuteAsync(CancellationToken.None)
                             .ConfigureAwait(false);

                break;

            case LabAccessAuthenticationType.UserCredential:
                var clientIdForPublicClientAuth = String.IsNullOrEmpty(clientId) ? LabAccessPublicClientId : clientId;
                var publicApp = PublicClientApplicationBuilder
                                .Create(clientIdForPublicClientAuth)
                                .WithAuthority(new Uri(authority), true)
                                .Build();
                s_staticCache.Bind(publicApp.UserTokenCache);

                authResult = await publicApp
                             .AcquireTokenByIntegratedWindowsAuth(scopes)
                             .ExecuteAsync(CancellationToken.None)
                             .ConfigureAwait(false);

                break;

            default:
                throw new ArgumentOutOfRangeException();
            }

            return(authResult?.AccessToken);
        }
Exemplo n.º 11
0
        private async Task <(HttpRequestMessage HttpRequest, Guid Correlationid)> RunAcquireTokenForClientAsync(
            AcquireTokenForClientOutcome outcome, bool forceRefresh = false, bool serializeCache = false)
        {
            MockHttpMessageHandler tokenRequestHandler = null;
            Guid correlationId = default;

            switch (outcome)
            {
            case AcquireTokenForClientOutcome.Success:

                var app = ConfidentialClientApplicationBuilder.Create(TestConstants.ClientId)
                          .WithAuthority(AzureCloudInstance.AzurePublic, TestConstants.TenantId, false)
                          .WithClientSecret(TestConstants.ClientSecret)
                          .WithHttpManager(_harness.HttpManager)
                          .WithAzureRegion()
                          .WithExperimentalFeatures(true)
                          .BuildConcrete();

                if (serializeCache)
                {
                    InMemoryTokenCache mem = new InMemoryTokenCache();
                    mem.Bind(app.AppTokenCache);
                }

                tokenRequestHandler = _harness.HttpManager.AddSuccessTokenResponseMockHandlerForPost(authority: TestConstants.AuthorityRegional);
                var authResult = await app
                                 .AcquireTokenForClient(TestConstants.s_scope)
                                 .WithForceRefresh(forceRefresh)
                                 .ExecuteAsync()
                                 .ConfigureAwait(false);

                correlationId = authResult.CorrelationId;
                break;

            case AcquireTokenForClientOutcome.FallbackToGlobal:
                _harness.HttpManager.AddInstanceDiscoveryMockHandler();
                tokenRequestHandler = _harness.HttpManager.AddSuccessTokenResponseMockHandlerForPost(authority: TestConstants.AuthorityTenant);

                var app2 = ConfidentialClientApplicationBuilder.Create(TestConstants.ClientId)
                           .WithAuthority(AzureCloudInstance.AzurePublic, TestConstants.TenantId, false)
                           .WithClientSecret(TestConstants.ClientSecret)
                           .WithHttpManager(_harness.HttpManager)
                           .WithAzureRegion()
                           .WithExperimentalFeatures(true)
                           .BuildConcrete();

                authResult = await app2
                             .AcquireTokenForClient(TestConstants.s_scope)
                             .WithForceRefresh(forceRefresh)
                             .ExecuteAsync()
                             .ConfigureAwait(false);

                correlationId = authResult.CorrelationId;
                break;

            case AcquireTokenForClientOutcome.UserProvidedRegion:

                tokenRequestHandler = _harness.HttpManager.AddSuccessTokenResponseMockHandlerForPost(authority: TestConstants.AuthorityRegional);


                var app3 = ConfidentialClientApplicationBuilder.Create(TestConstants.ClientId)
                           .WithAuthority(AzureCloudInstance.AzurePublic, TestConstants.TenantId, false)
                           .WithClientSecret(TestConstants.ClientSecret)
                           .WithHttpManager(_harness.HttpManager)
                           .WithAzureRegion(TestConstants.Region)
                           .WithExperimentalFeatures(true)
                           .BuildConcrete();
                authResult = await app3
                             .AcquireTokenForClient(TestConstants.s_scope)
                             .WithForceRefresh(forceRefresh)
                             .ExecuteAsync()
                             .ConfigureAwait(false);

                correlationId = authResult.CorrelationId;
                break;

            case AcquireTokenForClientOutcome.AADUnavailableError:
                correlationId = Guid.NewGuid();

                var app5 = ConfidentialClientApplicationBuilder.Create(TestConstants.ClientId)
                           .WithAuthority(AzureCloudInstance.AzurePublic, TestConstants.TenantId, false)
                           .WithClientSecret(TestConstants.ClientSecret)
                           .WithHttpManager(_harness.HttpManager)
                           .WithAzureRegion()
                           .WithExperimentalFeatures(true)
                           .BuildConcrete();

                tokenRequestHandler = new MockHttpMessageHandler()
                {
                    ExpectedMethod  = HttpMethod.Post,
                    ResponseMessage = MockHelpers.CreateFailureMessage(
                        System.Net.HttpStatusCode.GatewayTimeout, "gateway timeout")
                };
                var tokenRequestHandler2 = new MockHttpMessageHandler()
                {
                    ExpectedMethod  = HttpMethod.Post,
                    ResponseMessage = MockHelpers.CreateFailureMessage(
                        System.Net.HttpStatusCode.GatewayTimeout, "gateway timeout")
                };

                // 2 of these are needed because MSAL has a "retry once" policy for 5xx errors
                _harness.HttpManager.AddMockHandler(tokenRequestHandler2);
                _harness.HttpManager.AddMockHandler(tokenRequestHandler);

                var serviceEx = await AssertException.TaskThrowsAsync <MsalServiceException>(() =>
                                                                                             app5
                                                                                             .AcquireTokenForClient(TestConstants.s_scope)
                                                                                             .WithForceRefresh(true)
                                                                                             .WithCorrelationId(correlationId)
                                                                                             .ExecuteAsync())
                                .ConfigureAwait(false);

                break;

            default:
                throw new NotImplementedException();
            }

            Assert.AreEqual(0, _harness.HttpManager.QueueSize);

            return(tokenRequestHandler?.ActualRequestMessage, correlationId);
        }
        private async Task <string> AuthenticationCallbackAsync(string authority, string resource, string scope)
        {
            var scopes = new[] { resource + "/.default" };

            AuthenticationResult           authResult;
            IConfidentialClientApplication confidentialApp;
            X509Certificate2 cert;

            switch (_config.AuthType)
            {
            case KeyVaultAuthenticationType.ClientCertificate:
                cert = CertificateHelper.FindCertificateByThumbprint(_config.CertThumbprint);
                if (cert == null)
                {
                    throw new InvalidOperationException(
                              "Test setup error - cannot find a certificate in the My store for KeyVault. This is available for Microsoft employees only.");
                }

                confidentialApp = ConfidentialClientApplicationBuilder
                                  .Create(KeyVaultConfidentialClientId)
                                  .WithAuthority(new Uri(authority), true)
                                  .WithCertificate(cert)
                                  .Build();

                s_staticCache.Bind(confidentialApp.AppTokenCache);

                authResult = await confidentialApp
                             .AcquireTokenForClient(scopes)
                             .ExecuteAsync(CancellationToken.None)
                             .ConfigureAwait(false);

                break;

            case KeyVaultAuthenticationType.ClientSecret:
                confidentialApp = ConfidentialClientApplicationBuilder
                                  .Create(KeyVaultConfidentialClientId)
                                  .WithAuthority(new Uri(authority), true)
                                  .WithClientSecret(_config.KeyVaultSecret)
                                  .Build();
                s_staticCache.Bind(confidentialApp.AppTokenCache);

                authResult = await confidentialApp
                             .AcquireTokenForClient(scopes)
                             .ExecuteAsync(CancellationToken.None)
                             .ConfigureAwait(false);

                break;

            case KeyVaultAuthenticationType.UserCredential:
                var publicApp = PublicClientApplicationBuilder
                                .Create(KeyVaultPublicClientId)
                                .WithAuthority(new Uri(authority), true)
                                .Build();
                s_staticCache.Bind(publicApp.UserTokenCache);

                authResult = await publicApp
                             .AcquireTokenByIntegratedWindowsAuth(scopes)
                             .ExecuteAsync(CancellationToken.None)
                             .ConfigureAwait(false);

                break;

            default:
                throw new ArgumentOutOfRangeException();
            }

            return(authResult?.AccessToken);
        }
Exemplo n.º 13
0
        public async Task OboAndSilent_Async(bool serializeCache, bool usePartitionedSerializationCache)
        {
            // Setup: Get lab users, create PCA and get user tokens
            var user1 = (await LabUserHelper.GetSpecificUserAsync("*****@*****.**").ConfigureAwait(false)).User;
            var user2 = (await LabUserHelper.GetSpecificUserAsync("*****@*****.**").ConfigureAwait(false)).User;
            var partitionedInMemoryTokenCache    = new InMemoryPartitionedTokenCache();
            var nonPartitionedInMemoryTokenCache = new InMemoryTokenCache();
            var oboTokens = new HashSet <string>();

            var pca = PublicClientApplicationBuilder
                      .Create(PublicClientID)
                      .WithAuthority(AadAuthorityAudience.AzureAdMultipleOrgs)
                      .Build();

            var user1AuthResult = await pca
                                  .AcquireTokenByUsernamePassword(s_oboServiceScope, user1.Upn, new NetworkCredential("", user1.GetOrFetchPassword()).SecurePassword)
                                  .ExecuteAsync(CancellationToken.None)
                                  .ConfigureAwait(false);

            var user2AuthResult = await pca
                                  .AcquireTokenByUsernamePassword(s_oboServiceScope, user2.Upn, new NetworkCredential("", user2.GetOrFetchPassword()).SecurePassword)
                                  .ExecuteAsync(CancellationToken.None)
                                  .ConfigureAwait(false);

            Assert.AreEqual(user1AuthResult.TenantId, user2AuthResult.TenantId);

            var cca = CreateCCA();

            // Asserts
            // Silent calls should throw
            await AssertException.TaskThrowsAsync <MsalUiRequiredException>(() =>
                                                                            cca.AcquireTokenSilent(s_scopes, user1.Upn)
                                                                            .ExecuteAsync(CancellationToken.None)
                                                                            ).ConfigureAwait(false);

            await AssertException.TaskThrowsAsync <MsalUiRequiredException>(() =>
                                                                            cca.AcquireTokenSilent(s_scopes, user2.Upn)
                                                                            .ExecuteAsync(CancellationToken.None)
                                                                            ).ConfigureAwait(false);

            // User1 - no AT, RT in cache - retrieves from IdP
            var authResult = await cca.AcquireTokenOnBehalfOf(s_scopes, new UserAssertion(user1AuthResult.AccessToken))
                             .ExecuteAsync(CancellationToken.None)
                             .ConfigureAwait(false);

            Assert.AreEqual(TokenSource.IdentityProvider, authResult.AuthenticationResultMetadata.TokenSource);
            Assert.AreEqual(CacheRefreshReason.NoCachedAccessToken, authResult.AuthenticationResultMetadata.CacheRefreshReason);
            oboTokens.Add(authResult.AccessToken);

            // User1 - finds AT in cache
            authResult = await cca.AcquireTokenOnBehalfOf(s_scopes, new UserAssertion(user1AuthResult.AccessToken))
                         .ExecuteAsync(CancellationToken.None)
                         .ConfigureAwait(false);

            Assert.AreEqual(TokenSource.Cache, authResult.AuthenticationResultMetadata.TokenSource);
            Assert.AreEqual(CacheRefreshReason.NotApplicable, authResult.AuthenticationResultMetadata.CacheRefreshReason);
            oboTokens.Add(authResult.AccessToken);

            // User2 - no AT, RT - retrieves from IdP
            authResult = await cca.AcquireTokenOnBehalfOf(s_scopes, new UserAssertion(user2AuthResult.AccessToken))
                         .ExecuteAsync(CancellationToken.None)
                         .ConfigureAwait(false);

            Assert.AreEqual(TokenSource.IdentityProvider, authResult.AuthenticationResultMetadata.TokenSource);
            Assert.AreEqual(CacheRefreshReason.NoCachedAccessToken, authResult.AuthenticationResultMetadata.CacheRefreshReason);
            oboTokens.Add(authResult.AccessToken);

            // User2 - finds AT in cache
            authResult = await cca.AcquireTokenOnBehalfOf(s_scopes, new UserAssertion(user2AuthResult.AccessToken))
                         .ExecuteAsync(CancellationToken.None)
                         .ConfigureAwait(false);

            Assert.AreEqual(TokenSource.Cache, authResult.AuthenticationResultMetadata.TokenSource);
            Assert.AreEqual(CacheRefreshReason.NotApplicable, authResult.AuthenticationResultMetadata.CacheRefreshReason);
            oboTokens.Add(authResult.AccessToken);

            Assert.AreEqual(2, oboTokens.Count);

            // Silent calls should throw
            await AssertException.TaskThrowsAsync <MsalUiRequiredException>(() =>
                                                                            cca.AcquireTokenSilent(s_scopes, user1.Upn)
                                                                            .ExecuteAsync(CancellationToken.None)
                                                                            ).ConfigureAwait(false);

            await AssertException.TaskThrowsAsync <MsalUiRequiredException>(() =>
                                                                            cca.AcquireTokenSilent(s_scopes, user2.Upn)
                                                                            .ExecuteAsync(CancellationToken.None)
                                                                            ).ConfigureAwait(false);

            IConfidentialClientApplication CreateCCA()
            {
                var app = ConfidentialClientApplicationBuilder
                          .Create(OboConfidentialClientID)
                          .WithAuthority(new Uri($"https://login.microsoftonline.com/{user1AuthResult.TenantId}"), true)
                          .WithClientSecret(_confidentialClientSecret)
                          .WithLegacyCacheCompatibility(false)
                          .Build();

                if (serializeCache)
                {
                    if (usePartitionedSerializationCache)
                    {
                        partitionedInMemoryTokenCache.Bind(app.UserTokenCache);
                    }
                    else
                    {
                        nonPartitionedInMemoryTokenCache.Bind(app.UserTokenCache);
                    }
                }

                return(app);
            }
        }
Exemplo n.º 14
0
        private async Task <IConfidentialClientApplication> RunOnBehalfOfTestAsync(
            LabUser user,
            bool silentCallShouldSucceed,
            bool forceRefresh = false)
        {
            SecureString         securePassword = new NetworkCredential("", user.GetOrFetchPassword()).SecurePassword;
            AuthenticationResult authResult;

            var pca = PublicClientApplicationBuilder
                      .Create(PublicClientID)
                      .WithAuthority(AadAuthorityAudience.AzureAdMultipleOrgs)
                      .WithTestLogging()
                      .Build();

            s_inMemoryTokenCache.Bind(pca.UserTokenCache);
            try
            {
                authResult = await pca
                             .AcquireTokenSilent(s_oboServiceScope, user.Upn)
                             .ExecuteAsync()
                             .ConfigureAwait(false);

                Assert.AreEqual(TokenSource.Cache, authResult.AuthenticationResultMetadata.TokenSource);
            }
            catch (MsalUiRequiredException)
            {
                Assert.IsFalse(silentCallShouldSucceed, "ATS should have found a token, but it didn't");
                authResult = await pca
                             .AcquireTokenByUsernamePassword(s_oboServiceScope, user.Upn, securePassword)
                             .ExecuteAsync(CancellationToken.None)
                             .ConfigureAwait(false);

                Assert.AreEqual(TokenSource.IdentityProvider, authResult.AuthenticationResultMetadata.TokenSource);
            }

            MsalAssert.AssertAuthResult(authResult, user);
            Assert.IsTrue(authResult.Scopes.Any(s => string.Equals(s, s_oboServiceScope.Single(), StringComparison.OrdinalIgnoreCase)));

            var cca = ConfidentialClientApplicationBuilder
                      .Create(OboConfidentialClientID)
                      .WithAuthority(new Uri("https://login.microsoftonline.com/" + authResult.TenantId), true)
                      .WithTestLogging(out HttpSnifferClientFactory factory)
                      .WithClientSecret(_confidentialClientSecret)
                      .Build();

            s_inMemoryTokenCache.Bind(cca.UserTokenCache);

            authResult = await cca.AcquireTokenOnBehalfOf(s_scopes, new UserAssertion(authResult.AccessToken))
                         .WithForceRefresh(forceRefresh)
                         .WithCcsRoutingHint("597f86cd-13f3-44c0-bece-a1e77ba43228", "f645ad92-e38d-4d1a-b510-d1b09a74a8ca")
                         .ExecuteAsync(CancellationToken.None)
                         .ConfigureAwait(false);

            if (!forceRefresh)
            {
                Assert.AreEqual(
                    silentCallShouldSucceed,
                    authResult.AuthenticationResultMetadata.TokenSource == TokenSource.Cache);
            }
            else
            {
                Assert.AreEqual(TokenSource.IdentityProvider, authResult.AuthenticationResultMetadata.TokenSource);
            }

            MsalAssert.AssertAuthResult(authResult, user);
            Assert.IsNotNull(authResult.IdToken); // https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/1950
            Assert.IsTrue(authResult.Scopes.Any(s => string.Equals(s, s_scopes.Single(), StringComparison.OrdinalIgnoreCase)));
            AssertExtraHTTPHeadersAreSent(factory);

            return(cca);
        }
        public async Task AuthorityMigrationTestAsync()
        {
            // make sure that for all network calls "preferred_cache" environment is used
            // (it is taken from metadata in instance discovery response),
            // except very first network call - instance discovery

            using (var harness = base.CreateTestHarness())
            {
                var httpManager  = harness.HttpManager;
                var authorityUri = new Uri(
                    string.Format(
                        CultureInfo.InvariantCulture,
                        "https://{0}/common",
                        TestConstants.ProductionNotPrefEnvironmentAlias));

                httpManager.AddInstanceDiscoveryMockHandler(authorityUri.AbsoluteUri);

                PublicClientApplication app = PublicClientApplicationBuilder
                                              .Create(TestConstants.ClientId)
                                              .WithAuthority(authorityUri, true)
                                              .WithHttpManager(httpManager)
                                              //.WithUserTokenLegacyCachePersistenceForTest(new TestLegacyCachePersistance())
                                              .WithTelemetry(new TraceTelemetryConfig())
                                              .WithDebugLoggingCallback()
                                              .BuildConcrete();

                InMemoryTokenCache cache = new InMemoryTokenCache();
                cache.Bind(app.UserTokenCache);

                app.ServiceBundle.ConfigureMockWebUI(
                    AuthorizationResult.FromUri(app.AppConfig.RedirectUri + "?code=some-code"),
                    null,
                    TestConstants.ProductionPrefNetworkEnvironment);

                // mock token request
                httpManager.AddMockHandler(new MockHttpMessageHandler
                {
                    ExpectedUrl = string.Format(CultureInfo.InvariantCulture, "https://{0}/common/oauth2/v2.0/token",
                                                TestConstants.ProductionPrefNetworkEnvironment),
                    ExpectedMethod  = HttpMethod.Post,
                    ResponseMessage = MockHelpers.CreateSuccessTokenResponseMessage()
                });

                AuthenticationResult result = await app.AcquireTokenInteractive(TestConstants.s_scope).ExecuteAsync().ConfigureAwait(false);

                // make sure that all cache entities are stored with "preferred_cache" environment
                // (it is taken from metadata in instance discovery response)
                await ValidateCacheEntitiesEnvironmentAsync(app.UserTokenCacheInternal, TestConstants.ProductionPrefCacheEnvironment).ConfigureAwait(false);

                // silent request targeting at, should return at from cache for any environment alias
                foreach (var envAlias in TestConstants.s_prodEnvAliases)
                {
                    var app2 = PublicClientApplicationBuilder
                               .Create(TestConstants.ClientId)
                               .WithAuthority($"https://{envAlias}/common", true)
                               .WithHttpManager(httpManager)
                               .WithTelemetry(new TraceTelemetryConfig())
                               .WithDebugLoggingCallback()
                               .BuildConcrete();

                    cache.Bind(app2.UserTokenCache);

                    result = await app2
                             .AcquireTokenSilent(
                        TestConstants.s_scope,
                        app.GetAccountsAsync().Result.First())
                             .WithAuthority(string.Format(CultureInfo.InvariantCulture, "https://{0}/{1}/", envAlias, TestConstants.Utid))
                             .WithForceRefresh(false)
                             .ExecuteAsync(CancellationToken.None)
                             .ConfigureAwait(false);

                    Assert.IsNotNull(result);
                }

                // silent request targeting rt should find rt in cache for authority with any environment alias
                foreach (var envAlias in TestConstants.s_prodEnvAliases)
                {
                    result = null;

                    httpManager.AddMockHandler(new MockHttpMessageHandler()
                    {
                        ExpectedUrl = string.Format(CultureInfo.InvariantCulture, "https://{0}/{1}/oauth2/v2.0/token",
                                                    TestConstants.ProductionPrefNetworkEnvironment, TestConstants.Utid),
                        ExpectedMethod   = HttpMethod.Post,
                        ExpectedPostData = new Dictionary <string, string>()
                        {
                            { "grant_type", "refresh_token" }
                        },
                        // return not retriable status code
                        ResponseMessage = MockHelpers.CreateInvalidGrantTokenResponseMessage()
                    });

                    try
                    {
                        var app3 = PublicClientApplicationBuilder
                                   .Create(TestConstants.ClientId)
                                   .WithAuthority($"https://{envAlias}/common", true)
                                   .WithHttpManager(httpManager)
                                   .WithTelemetry(new TraceTelemetryConfig())
                                   .WithDebugLoggingCallback()
                                   .BuildConcrete();

                        cache.Bind(app3.UserTokenCache);

                        result = await app3
                                 .AcquireTokenSilent(
                            TestConstants.s_scopeForAnotherResource,
                            (await app.GetAccountsAsync().ConfigureAwait(false)).First())
                                 .WithAuthority(string.Format(CultureInfo.InvariantCulture, "https://{0}/{1}/", envAlias, TestConstants.Utid))
                                 .WithForceRefresh(false)
                                 .ExecuteAsync(CancellationToken.None).ConfigureAwait(false);
                    }
                    catch (MsalUiRequiredException)
                    {
                    }


                    Assert.IsNull(result);
                }
            }
        }