public async Task <ActionResult> CreateLocalAccountPost(EducationRegisterViewModel model)
{
var tenantId = User.GetTenantId();
var graphServiceClient = await AuthenticationHelper.GetGraphServiceClientAsync();
IGraphClient graphClient = new MSGraphClient(graphServiceClient);
var user = await graphClient.GetCurrentUserAsync();
var tenant = await graphClient.GetTenantAsync(tenantId);
model.Email = user.Mail ?? user.UserPrincipalName;
model.FavoriteColors = Constants.FavoriteColors;
// Create a new local user
var localUser = new ApplicationUser
{
Email = model.Email,
UserName = model.Email,
FavoriteColor = model.FavoriteColor
};
var result = await userManager.CreateAsync(localUser);
if (!result.Succeeded)
{
AddErrors(result);
return(View(model));
}
// Update the local user
await applicationService.UpdateLocalUserAsync(localUser, user, tenant);
SetCookiesForO365User(user.GivenName + " " + user.Surname, user.Mail);
return(RedirectToAction("Index", "Schools"));
}
private async Task CallGraphInternalAsync(DialogContext dc, string token, HttpClient httpClient, CancellationToken cancellationToken)
{
IGraphServiceClient graphClient = MSGraphClient.GetAuthenticatedClient(token, httpClient);
var parameters = new Dictionary <string, object>(StringComparer.OrdinalIgnoreCase);
this.PopulateParameters(dc.State, parameters);
Stopwatch sw = new Stopwatch();
Exception exCaught = null;
try
{
sw.Start();
await this.CallGraphServiceAsync(graphClient, parameters, cancellationToken).ConfigureAwait(false);
}
catch (ServiceException ex)
{
exCaught = ex;
this.HandleServiceException(ex);
}
#pragma warning disable CA1031 // Do not catch general exception types. We're firing an event for this exception.
catch (Exception ex)
#pragma warning restore CA1031 // Do not catch general exception types
{
exCaught = ex;
}
finally
{
sw.Stop();
this.FireTelemetryEvent(sw.ElapsedMilliseconds, exCaught);
}
}
//
// GET: /Link/LoginLocal
public async Task <ActionResult> LoginLocal(LoginViewModel model)
{
var graphServiceClient = await AuthenticationHelper.GetGraphServiceClientAsync();
IGraphClient graphClient = new MSGraphClient(graphServiceClient);
var user = await graphClient.GetCurrentUserAsync();
var localUser = userManager.FindByEmail(string.IsNullOrEmpty(user.Mail)? user.UserPrincipalName:user.Mail);
if (localUser == null)
{
foreach (var modelValue in ModelState.Values)
{
modelValue.Errors.Clear();
}
return(View(model));
}
var tenantId = User.GetTenantId();
if (localUser.O365UserId.IsNotNullAndEmpty())
{
ModelState.AddModelError("Email", "The local account has already been linked to another Office 365 account.");
return(View(model));
}
var tenant = await graphClient.GetTenantAsync(tenantId);
await applicationService.UpdateLocalUserAsync(localUser, user, tenant);
SetCookiesForO365User(user.GivenName + " " + user.Surname, user.Mail);
TempData["Message"] = Resources.LinkO365AccountSuccess;
TempData[HandleAdalExceptionAttribute.ChallengeImmediatelyTempDataKey] = true;
return(RedirectToAction("Index", "Schools"));
}
public MicrosoftGraphController(ReadAppSettings settings)
{
tenant = settings.microsoft_tenant;
clientId = settings.microsoft_client_id;
clientSecret = settings.microsoft_client_secret;
client = new MSGraphClient(clientId, clientSecret, tenant);
}
// GET: UserProfile
public async Task <ActionResult> Index()
{
try
{
MSGraphClient msGraphClient = new MSGraphClient(ConfigHelper.Authority, new ADALTokenCache(Util.GetSignedInUsersObjectIdFromClaims()));
User user = await msGraphClient.GetMeAsync();
UserGroupsAndDirectoryRoles userGroupsAndDirectoryRoles = await msGraphClient.GetCurrentUserGroupsAndRolesAsync();
//IList<Group> groups = await msGraphClient.GetCurrentUserGroupsAsync();
//IList<DirectoryRole> directoryRoles = await msGraphClient.GetCurrentUserDirectoryRolesAsync();
ViewData["overageOccurred"] = userGroupsAndDirectoryRoles.HasOverageClaim;
ViewData["myGroups"] = userGroupsAndDirectoryRoles.Groups;
ViewData["myDirectoryRoles"] = userGroupsAndDirectoryRoles.DirectoryRoles;
return(View(user));
}
catch (AdalException)
{
// Return to error page.
return(View("Error"));
}
// if the above failed, the user needs to explicitly re-authenticate for the app to obtain the required token
catch (Exception)
{
return(View("Relogin"));
}
}
public void InitializeTest()
{
this.testGraphClient = new Mock <IGraphServiceClient>();
this.TestUsers = new List <User>();
this.UserRequests = new Dictionary <string, IUserRequestBuilder>(StringComparer.OrdinalIgnoreCase);
this.SetupMe();
this.SetupSearch();
MSGraphClient.RegisterTestInstance(this.testGraphClient.Object);
}
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
// inject msgraph client as transient to make sure bearer token is always renewed
services.AddTransient(provider =>
{
var options = new MSGraphOptions();
Configuration.Bind("MicrosoftGraph", options);
var client = new MSGraphClient(options);
return(client);
});
// add AADB2C authentication
services.AddAuthentication(AzureADB2CDefaults.BearerAuthenticationScheme)
.AddAzureADB2CBearer(
AzureADB2CDefaults.BearerAuthenticationScheme,
AzureADB2CDefaults.JwtBearerAuthenticationScheme,
options => { Configuration.Bind("AzureAdB2C", options); });
// configure identity post token validation to retrieve user roles and add them to identity claims
services.PostConfigure <JwtBearerOptions>(AzureADB2CDefaults.JwtBearerAuthenticationScheme,
options =>
{
options.Events = new JwtBearerEvents
{
OnTokenValidated = async context =>
{
// get AADB2C identity by client ID
var applicationId = Configuration["AzureAdB2C:ClientId"];
var identity = context.Principal.Identities.First(o => o.HasClaim("aud", applicationId));
// get authenticated user ID
var subjectId = identity.FindFirst(ClaimTypes.NameIdentifier).Value;
// query user roles
var client = _serviceProvider.GetRequiredService <MSGraphClient>();
var roles = await client.GetUserRolesAsync(subjectId);
// add roles to identity's claims collection with the right type
foreach (var role in roles)
{
var roleClaim = new Claim(identity.RoleClaimType, role);
identity.AddClaim(roleClaim);
}
}
};
});
services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
// save DI container reference
_serviceProvider = services.BuildServiceProvider();
}
public async Task GetUser()
{
var client = new HttpClient();
var SFResult = await client.GetAsync(sfEndPoint);
var SFUsers = JsonConvert.DeserializeObject <List <SalesforceUser> >(await SFResult.Content.ReadAsStringAsync());
MSGraphClient msclient = new MSGraphClient(clientId, clientSecret, tenant);
var msusers = await msclient.GetUsers("");
var ADUsersResponse = JsonConvert.DeserializeObject <MSGraphUserListResponse>(msusers);
var ADUsers = ADUsersResponse.value;
var ADUsersToDelete = new List <User>();
var SFUsersToDelete = new List <SalesforceUser>();
foreach (var adUser in ADUsers)
{
foreach (var sfUser in SFUsers)
{
if (sfUser.EMail == adUser.mail)
{
SFUsersToDelete.Add(sfUser);
ADUsersToDelete.Add(adUser);
}
}
}
foreach (var adUser in ADUsersToDelete)
{
ADUsers.Remove(adUser);
}
foreach (var sfUser in SFUsersToDelete)
{
SFUsers.Remove(sfUser);
}
foreach (var sfUser in SFUsers)
{
var inviteResponse = await inviteClient.InviteUser(sfUser);
var invitation = JsonConvert.DeserializeObject <Invitation>(inviteResponse);
var uid = invitation.invitedUser.id;
Console.WriteLine(inviteResponse);
}
}
/// <summary>
/// Get all loggedon user groups and display name from AD.
/// </summary>
/// <param name="key"></param>
/// <param name="dn"></param>
/// <returns></returns>
public static async Task <List <string> > GetAllGroups(System.Security.Claims.ClaimsIdentity claimsIdentity)
{
List <string> lgroups = new List <string>();
ObjectCache cache = MemoryCache.Default;
var cacheKey = GetCacheKey(claimsIdentity);
// If the claims identity is not populated, return an empty list
if (String.IsNullOrEmpty(cacheKey))
{
return(lgroups);
}
// If the claims identity is populated and already in the cache, just return the cached list
if (cache.Contains(cacheKey))
{
return(cache.Get(cacheKey) as List <string>);
}
// If the claims identity is populated and NOT in the cache, call the Graph API and populate the cache
try
{
MSGraphClient msGraphClient = new MSGraphClient(
ConfigHelper.Authority,
new ADALTokenCache(claimsIdentity.FindFirst("oid")?.Value));
System.Collections.Generic.IList <Group> groups = await msGraphClient.GetCurrentUserGroupsAsync();
var groupNameList = await GetGroupNameList(groups);
return(cache.AddOrGetExisting(cacheKey, groupNameList, _CacheItemPolicy) as List <string>);
}
catch (AdalException ex)
{
//TODO: error handling
return(new List <string>());
}
catch (Exception ex)
{
//TODO: error handling
return(new List <string>());
}
}
//
// GET: /Link/Index
public async Task <ActionResult> Index()
{
var userContext = await applicationService.GetUserContextAsync();
if (userContext.IsO365Account && !userContext.AreAccountsLinked)
{
var graphServiceClient = await AuthenticationHelper.GetGraphServiceClientAsync();
var graphClient = new MSGraphClient(graphServiceClient);
var user = await graphClient.GetCurrentUserAsync();
var email = user.Mail ?? user.UserPrincipalName;
if (await userManager.Users.AnyAsync(i => i.Email == email))
{
ViewBag.LocalAccountExistedMessage = $"There is a local account: {email} matching your O365 account.";
}
}
return(View(userContext));
}
private async static Task RunFlow()
{
Console.WriteLine("Press A to run AAD Graph API flow/Press any other key to run MS Graph API flow");
var input = Console.ReadLine();
if (input.Trim().ToUpper() == "A")
{
Console.WriteLine("Press 1 to run as App mode/Press any other key to run in user mode");
input = Console.ReadLine();
if (input.Trim().ToUpper() == "1")
{
Console.WriteLine("Getting users using AAD graph api");
AADGraphClient graphClient = new AADGraphClient();
await graphClient.GetAllUsers();
}
else
{
Console.WriteLine("Getting logged in user details using AAD graph api");
AADGraphClient graphClient = new AADGraphClient(true);
await graphClient.GetLoggedInUserDetails();
}
}
else
{
Console.WriteLine("Press 1 to run as App mode/Press any other key to run in user mode");
input = Console.ReadLine();
if (input.Trim().ToUpper() == "1")
{
Console.WriteLine("Getting users using MS graph api");
MSGraphClient graphClient = new MSGraphClient();
await graphClient.GetAllUsers();
}
else
{
Console.WriteLine("Getting logged in user details using MS graph api");
MSGraphClient graphClient = new MSGraphClient(true);
await graphClient.GetLoggedInUserDetails();
}
}
}
//
// GET: /Link/ProcessCode
public async Task <ActionResult> ProcessCode(string code, string error, string error_description, string resource, string state)
{
if (TempData[StateKey] as string != state)
{
TempData["Error"] = "Invalid operation. Please try again";
return(RedirectToAction("Index"));
}
var authResult = await AuthenticationHelper.GetAuthenticationResultAsync(code);
var tenantId = authResult.TenantId;
var graphServiceClient = authResult.CreateGraphServiceClient();
IGraphClient graphClient = new MSGraphClient(graphServiceClient);
var user = await graphClient.GetCurrentUserAsync();
var tenant = await graphClient.GetTenantAsync(tenantId);
var isAccountLinked = await applicationService.IsO365AccountLinkedAsync(user.Id);
if (isAccountLinked)
{
TempData["Error"] = $"Failed to link accounts. The Office 365 account '{ user.Mail ?? user.UserPrincipalName}' is already linked to another local account.";
return(RedirectToAction("Index"));
}
// Link the AAD User with local user.
var localUser = await applicationService.GetCurrentUserAsync();
await applicationService.UpdateLocalUserAsync(localUser, user, tenant);
// Re-sign in user. Required claims (roles, tenent id and user object id) will be added to current user's identity.
await signInManager.SignInAsync(localUser, isPersistent : false, rememberBrowser : false);
TempData["Message"] = Resources.LinkO365AccountSuccess;
TempData[HandleAdalExceptionAttribute.ChallengeImmediatelyTempDataKey] = true;
SetCookiesForO365User(user.GivenName + " " + user.Surname, user.UserPrincipalName);
return(RedirectToAction("Index", "Home"));
}
public async Task <ActionResult> LoginLocalPost(LoginViewModel model)
{
if (!ModelState.IsValid)
{
return(View(model));
}
var localUser = userManager.FindByEmail(model.Email);
if (localUser == null)
{
ModelState.AddModelError("", "Invalid login attempt.");
return(View(model));
}
if (localUser.O365UserId.IsNotNullAndEmpty())
{
ModelState.AddModelError("Email", "The local account has already been linked to another Office 365 account.");
return(View(model));
}
if (!await userManager.CheckPasswordAsync(localUser, model.Password))
{
ModelState.AddModelError("", "Invalid login attempt.");
return(View(model));
}
var tenantId = User.GetTenantId();
var graphServiceClient = await AuthenticationHelper.GetGraphServiceClientAsync();
IGraphClient graphClient = new MSGraphClient(graphServiceClient);
var user = await graphClient.GetCurrentUserAsync();
var tenant = await graphClient.GetTenantAsync(tenantId);
await applicationService.UpdateLocalUserAsync(localUser, user, tenant);
SetCookiesForO365User(user.GivenName + " " + user.Surname, user.Mail);
return(RedirectToAction("Index", "Schools"));
}
public async Task <ActionResult> ProcessCode(string code, string error, string error_description, string resource, string state)
{
var redirectUrl = (TempData[AdminConsentRedirectUrlKey] as string) ?? Url.Action("Index");
if (TempData[StateKey] as string != state)
{
TempData["Error"] = "Invalid operation. Please try again";
return(Redirect(redirectUrl));
}
// Get the tenant
var authResult = await AuthenticationHelper.GetAuthenticationResultAsync(code);
var graphServiceClient = authResult.CreateGraphServiceClient();
var graphClient = new MSGraphClient(graphServiceClient);
var tenant = await graphClient.GetTenantAsync(authResult.TenantId);
// Create (or update) an organization, and make it as AdminConsented
await applicationService.CreateOrUpdateOrganizationAsync(tenant, true);
TempData["Message"] = "Admin consented successfully!";
redirectUrl += (redirectUrl.Contains("?") ? "&" : "?") + "consented=true";
return(Redirect(redirectUrl));
}
/// <summary>
/// Handler for <see cref="ServiceException"/>.
/// </summary>
/// <param name="ex">Exception to handle.</param>
protected virtual void HandleServiceException(ServiceException ex)
{
throw MSGraphClient.HandleGraphAPIException(ex);
}
public void ConfigureAADAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions {
});
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
Caption = "Microsoft Work or school account",
ClientId = Constants.AADClientId,
Authority = Constants.Authority,
TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
{
// instead of using the default validation (validating against a single issuer value, as we do in line of business apps),
// we inject our own multitenant validation logic
ValidateIssuer = false,
},
Notifications = new OpenIdConnectAuthenticationNotifications()
{
RedirectToIdentityProvider = (context) =>
{
// This ensures that the address used for sign in and sign out is picked up dynamically from the request
// this allows you to deploy your app (to Azure Web Sites, for example)without having to change settings
// Remember that the base URL of the address used here must be provisioned in Azure AD beforehand.
string appBaseUrl = context.Request.Scheme + "://" + context.Request.Host + context.Request.PathBase;
context.ProtocolMessage.RedirectUri = appBaseUrl + "/";
context.ProtocolMessage.PostLogoutRedirectUri = appBaseUrl;
CookieService cookieService = new CookieService();
string hint = cookieService.GetCookiesOfEmail();
if (!string.IsNullOrEmpty(hint))
{
context.ProtocolMessage.LoginHint = hint;
}
return(Task.FromResult(0));
},
AuthorizationCodeReceived = async(context) =>
{
var identity = context.AuthenticationTicket.Identity;
// Get token with authorization code
var redirectUri = new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path));
var credential = new ClientCredential(Constants.AADClientId, Constants.AADClientSecret);
var authContext = AuthenticationHelper.GetAuthenticationContext(identity, Permissions.Delegated);
var authResult = await authContext.AcquireTokenByAuthorizationCodeAsync(context.Code, redirectUri, credential, Constants.Resources.MSGraph);
// Get user's roles and add them to claims
var graphServiceClient = authResult.CreateGraphServiceClient();
var graphClient = new MSGraphClient(graphServiceClient);
var user = await graphClient.GetCurrentUserAsync();
foreach (var role in user.Roles)
{
identity.AddClaim(ClaimTypes.Role, role);
}
},
AuthenticationFailed = (context) =>
{
var redirectUrl = "/Error?message=" + Uri.EscapeDataString(context.Exception.Message);
context.OwinContext.Response.Redirect(redirectUrl);
context.HandleResponse(); // Suppress the exception
return(Task.FromResult(0));
}
}
});
}
