public GraphAuthProvider(IMemoryCache memoryCache, IConfiguration configuration)
{
var azureOptions = new AzureAdOptions();
configuration.Bind("AzureAd", azureOptions);
_appId = azureOptions.ClientId;
_aadInstance = azureOptions.Instance;
_appSecret = azureOptions.ClientSecret;
_credential = new Microsoft.Identity.Client.ClientCredential(azureOptions.ClientSecret); // For development mode purposes only. Production apps should use a client certificate.
_scopes = azureOptions.GraphScopes.Split(new[] { ' ' });
_redirectUri = azureOptions.BaseUrl + azureOptions.CallbackPath;
_graphResourceId = azureOptions.GraphResourceId;
_tenantId = azureOptions.TenantId;
_memoryCache = memoryCache;
}
protected override void ProcessRecord()
{
AuthenticationResult authenticationResult;
if (Scopes != null)
{
var clientApplication = new PublicClientApplication(MSALPnPPowerShellClientId);
// Acquire an access token for the given scope
authenticationResult = clientApplication.AcquireTokenAsync(Scopes).GetAwaiter().GetResult();
}
else
{
var appCredentials = new ClientCredential(AppSecret);
var authority = new Uri(AADLogin, AADDomain).AbsoluteUri;
var clientApplication = new ConfidentialClientApplication(authority, AppId, RedirectUri, appCredentials, null);
authenticationResult = clientApplication.AcquireTokenForClient(DefaultScope, null).GetAwaiter().GetResult();
}
// Get back the Access Token and the Refresh Token
PnPAzureADConnection.AuthenticationResult = authenticationResult;
}
/// <summary>
///
/// </summary>
/// <param name="authority"></param>
/// <param name="clientId"></param>
/// <param name="redirectUri"></param>
/// <param name="clientCredential"></param>
/// <param name="userTokenCache"></param>
public ConfidentialClientApplication(string authority, string clientId, string redirectUri, ClientCredential clientCredential, TokenCache userTokenCache) :base(authority, clientId, redirectUri, true)
{
this.ClientCredential = clientCredential;
this.UserTokenCache = userTokenCache;
this.AppTokenCache = TokenCache.DefaultSharedAppTokenCache;
}
/// <summary>
///
/// </summary>
/// <param name="clientId"></param>
/// <param name="redirectUri"></param>
/// <param name="clientCredential"></param>
/// <param name="userTokenCache"></param>
public ConfidentialClientApplication(string clientId, string redirectUri,
ClientCredential clientCredential, TokenCache userTokenCache):this(DefaultAuthority, clientId, redirectUri, clientCredential, userTokenCache)
{
}
public void ConfidentialClientUsingCertificateTest()
{
ClientCredential cc = new ClientCredential(new ClientAssertionCertificate(new X509Certificate2("valid_cert.pfx", "password")));
ConfidentialClientApplication app = new ConfidentialClientApplication(TestConstants.DefaultClientId,
TestConstants.DefaultRedirectUri, cc, new TokenCache());
app.AppTokenCache = new TokenCache();
HttpMessageHandlerFactory.MockHandler = new MockHttpMessageHandler()
{
Method = HttpMethod.Post,
ResponseMessage = MockHelpers.CreateSuccessfulClientCredentialTokenResponseMessage()
};
Task<AuthenticationResult> task = app.AcquireTokenForClient(TestConstants.DefaultScope.ToArray(),
TestConstants.DefaultPolicy);
AuthenticationResult result = task.Result;
Assert.IsNotNull(result);
Assert.IsNotNull("header.payload.signature", result.Token);
Assert.AreEqual(TestConstants.DefaultScope.AsSingleString(), result.ScopeSet.AsSingleString());
//make sure user token cache is empty
Assert.AreEqual(0, app.UserTokenCache.Count);
//check app token cache count to be 1
Assert.AreEqual(1, app.AppTokenCache.Count);
//make sure refresh token is null
foreach (var value in app.AppTokenCache.tokenCacheDictionary.Values)
{
Assert.IsNull(value.RefreshToken);
}
//assert client credential
Assert.IsNotNull(cc.ClientAssertion);
Assert.AreNotEqual(0, cc.ValidTo);
//save client assertion.
string cachedAssertion = cc.ClientAssertion.Assertion;
long cacheValidTo = cc.ValidTo;
HttpMessageHandlerFactory.MockHandler = new MockHttpMessageHandler()
{
Method = HttpMethod.Post,
ResponseMessage = MockHelpers.CreateSuccessfulClientCredentialTokenResponseMessage()
};
task = app.AcquireTokenForClient(TestConstants.ScopeForAnotherResource.ToArray(),
TestConstants.DefaultPolicy);
result = task.Result;
Assert.IsNotNull(result);
Assert.AreEqual(cacheValidTo, cc.ValidTo);
Assert.AreEqual(cachedAssertion, cc.ClientAssertion.Assertion);
}
/// <summary>
///
/// </summary>
/// <param name="authority"></param>
/// <param name="clientId"></param>
/// <param name="redirectUri"></param>
/// <param name="clientCredential"></param>
/// <param name="userTokenCache"></param>
public ConfidentialClientApplication(string authority, string clientId, string redirectUri, ClientCredential clientCredential, TokenCache userTokenCache) : base(authority, clientId, redirectUri, true)
{
this.ClientCredential = clientCredential;
this.UserTokenCache = userTokenCache;
this.AppTokenCache = TokenCache.DefaultSharedAppTokenCache;
}
/// <summary>
///
/// </summary>
/// <param name="clientId"></param>
/// <param name="redirectUri"></param>
/// <param name="clientCredential"></param>
/// <param name="userTokenCache"></param>
public ConfidentialClientApplication(string clientId, string redirectUri,
ClientCredential clientCredential, TokenCache userTokenCache) : this(DefaultAuthority, clientId, redirectUri, clientCredential, userTokenCache)
{
}
/// <summary>
/// Constructor for a confidential client application requesting tokens with the default authority (<see cref="ClientApplicationBase.DefaultAuthority"/>)
/// </summary>
/// <param name="clientId">Client ID (also known as App ID) of the application as registered in the
/// application registration portal (https://aka.ms/msal-net-register-app)/. REQUIRED</param>
/// <param name="redirectUri">URL where the STS will call back the application with the security token. REQUIRED</param>
/// <param name="clientCredential">Credential, previously shared with Azure AD during the application registration and proving the identity
/// of the application. An instance of <see cref="ClientCredential"/> can be created either from an application secret, or a certificate. REQUIRED.</param>
/// <param name="userTokenCache">Token cache for saving user tokens. Can be set to null if the confidential client
/// application only uses the Client Credentials grants (that is requests token in its own name and not in the name of users).
/// Otherwise should be provided. REQUIRED</param>
/// <param name="appTokenCache">Token cache for saving application (that is client token). Can be set to <c>null</c> except if the application
/// uses the client credentials grants</param>
/// <remarks>
/// See https://aka.ms/msal-net-client-applications for a description of confidential client applications (and public client applications)
/// Client credential grants are overrides of <see cref="ConfidentialClientApplication.AcquireTokenForClientAsync(IEnumerable{string})"/>
/// </remarks>
/// <seealso cref="ConfidentialClientApplication"/> which
/// enables app developers to specify the authority
public ConfidentialClientApplication(string clientId, string redirectUri,
ClientCredential clientCredential, TokenCache userTokenCache, TokenCache appTokenCache)
: this(clientId, DefaultAuthority, redirectUri, clientCredential, userTokenCache, appTokenCache)
{
GuardMobileFrameworks();
}
