/// <summary>
/// Authenticates with the currently set environment parameters.
/// </summary>
/// <param name="promptBehavior">The ADAL prompt behavior (default is "Auto")</param>
/// <returns>The authentication result.</returns>
/// <exception cref="AdalException">If authentication fails</exception>
internal static SdkAuthResult Auth(PromptBehavior promptBehavior = PromptBehavior.Auto)
{
// If there have been no successful logins with the module and the PromptBehavior is anything other than "Never", force an interactive window
if (LatestAdalAuthResult == null && promptBehavior != PromptBehavior.Never)
{
promptBehavior = PromptBehavior.SelectAccount;
}
// Get the environment parameters
EnvironmentParameters environmentParameters = AuthUtils.CurrentEnvironmentParameters;
// Create auth context that we will use to connect to the AAD endpoint
AuthenticationContext authContext = new AuthenticationContext(environmentParameters.AuthUrl);
// Get the AuthenticationResult from AAD
AuthenticationResult authenticationResult = authContext.AcquireTokenAsync(
environmentParameters.ResourceId,
environmentParameters.AppId,
new Uri(environmentParameters.RedirectLink),
new PlatformParameters(promptBehavior))
.GetAwaiter().GetResult();
// Convert the auth result into our own type
SdkAuthResult authResult = authenticationResult.ToSdkAuthResult();
// Save the auth result
AuthUtils.LatestAdalAuthResult = authResult;
return(authResult);
}
/// <summary>
/// Authenticates using the device code flow. See here for more information:
/// https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-deviceprofile/.
/// </summary>
/// <param name="displayDeviceCodeMessageToUser">
/// The action which displays the message from ADAL (containing the retrieved device code) to the user.
/// The message will instruct the user to enter the device code by navigating to http://aka.ms/devicelogin/.
/// </param>
/// <param name="useAdminConsentFlow">
/// Whether or not to trigger the admin consent flow for this app ID.
/// </param>
/// <returns>The HTTP header to use when making calls.</returns>
internal static SdkAuthResult AuthWithDeviceCode(
Action <string> displayDeviceCodeMessageToUser,
bool useAdminConsentFlow = false)
{
if (displayDeviceCodeMessageToUser == null)
{
throw new ArgumentNullException(nameof(displayDeviceCodeMessageToUser));
}
// Get the environment parameters
EnvironmentParameters environmentParameters = AuthUtils.CurrentEnvironmentParameters;
// Create auth context that we will use to connect to the AAD endpoint
AuthenticationContext authContext = new AuthenticationContext(environmentParameters.AuthUrl);
if (useAdminConsentFlow)
{
// Remove this user's token from the token cache so they have to log in again (we must use the "Auto" Prompt behavior to add query parameters)
SdkAuthResult currentLogin = AuthUtils.LatestAdalAuthResult;
if (currentLogin != null)
{
// Find all the items in the cache with the logged in user ID, client ID and resource ID
IEnumerable <TokenCacheItem> toRemove = authContext.TokenCache.ReadItems()
.Where(
tokenCacheItem => tokenCacheItem.UniqueId == currentLogin.UserUniqueId &&
tokenCacheItem.ClientId == environmentParameters.AppId &&
tokenCacheItem.Resource == environmentParameters.ResourceId);
// Remove the items
foreach (TokenCacheItem tokenCacheItem in toRemove)
{
authContext.TokenCache.DeleteItem(tokenCacheItem);
}
}
}
// Get the device code
DeviceCodeResult deviceCodeResult = authContext.AcquireDeviceCodeAsync(
environmentParameters.ResourceId,
environmentParameters.AppId,
useAdminConsentFlow ? AuthUtils.AdminConsentQueryParameter : null)
.GetAwaiter().GetResult();
// Display the device code
displayDeviceCodeMessageToUser(deviceCodeResult.Message);
// Get the auth token
//TODO: Figure out why this call hangs and crashes the PowerShell session if the first login was cancelled and the second login times out
AuthenticationResult authenticationResult = authContext.AcquireTokenByDeviceCodeAsync(deviceCodeResult)
.GetAwaiter().GetResult();
// Convert the auth result into our own type
SdkAuthResult authResult = authenticationResult.ToSdkAuthResult();
// Save the auth result
AuthUtils.LatestAdalAuthResult = authResult;
return(authResult);
}
/// <summary>
/// Performs an admin consent interaction.
/// </summary>
internal static SdkAuthResult GrantAdminConsent()
{
// Get the environment parameters
EnvironmentParameters environmentParameters = AuthUtils.CurrentEnvironmentParameters;
// Create auth context that we will use to connect to the AAD endpoint
AuthenticationContext authContext = new AuthenticationContext(environmentParameters.AuthUrl);
// Remove this user's token from the token cache so they have to log in again (we must use the "Auto" Prompt behavior to add query parameters)
SdkAuthResult currentLogin = AuthUtils.LatestAdalAuthResult;
if (currentLogin != null)
{
// Find all the items in the cache with the logged in user ID, client ID and resource ID
IEnumerable <TokenCacheItem> toRemove = authContext.TokenCache.ReadItems()
.Where(
tokenCacheItem => tokenCacheItem.UniqueId == currentLogin.UserUniqueId &&
tokenCacheItem.ClientId == environmentParameters.AppId &&
tokenCacheItem.Resource == environmentParameters.ResourceId);
// Remove the items
foreach (TokenCacheItem tokenCacheItem in toRemove)
{
authContext.TokenCache.DeleteItem(tokenCacheItem);
}
}
// Get the AuthenticationResult from AAD
AuthenticationResult authenticationResult = authContext.AcquireTokenAsync(
environmentParameters.ResourceId,
environmentParameters.AppId,
new Uri(environmentParameters.RedirectLink),
new PlatformParameters(PromptBehavior.Auto),
UserIdentifier.AnyUser,
AdminConsentQueryParameter)
.GetAwaiter().GetResult();
// Convert the auth result into our own type
SdkAuthResult authResult = authenticationResult.ToSdkAuthResult();
// Save the auth result
AuthUtils.LatestAdalAuthResult = authResult;
return(authResult);
}
/// <summary>
/// Authenticates with the currently set environment parameters and the provided client certificate identified by thumbprint.
/// </summary>
/// <param name="certificateThumbprint">The client secret</param>
/// <returns>The authentication result.</returns>
internal static SdkAuthResult AuthWithCertificateThumbprint(string certificateThumbprint)
{
// Get the environment parameters
EnvironmentParameters environmentParameters = AuthUtils.CurrentEnvironmentParameters;
// Create auth context that we will use to connect to the AAD endpoint
AuthenticationContext authContext = new AuthenticationContext(environmentParameters.AuthUrl);
// Get certificate with specified Thumbprint from "My" store
X509Certificate2 xCertificate = null;
using (X509Store xStore = new X509Store(StoreName.My, StoreLocation.CurrentUser))
{
xStore.Open(OpenFlags.ReadOnly);
// Get unexpired certificates with the specified name.
X509Certificate2Collection unexpiredCerts = xStore.Certificates
.Find(X509FindType.FindByTimeValid, DateTime.Now, false)
.Find(X509FindType.FindByThumbprint, certificateThumbprint, false);
if (unexpiredCerts == null)
{
throw new Exception($"{certificateThumbprint} certificate was not found or has expired.");
}
// Only return current cert.
xCertificate = unexpiredCerts
.OfType <X509Certificate2>()
.OrderByDescending(c => c.NotBefore)
.FirstOrDefault();
}
// Build clientAssertionCertificate for the request
ClientAssertionCertificate clientAssertionCertificate = new ClientAssertionCertificate(CurrentEnvironmentParameters.AppId, xCertificate);
// Acquire token for Microsoft Graph via certificate credentials from AAD
AuthenticationResult authenticationResult = authContext.AcquireTokenAsync(CurrentEnvironmentParameters.GraphBaseAddress, clientAssertionCertificate).GetAwaiter().GetResult();
// Convert the auth result into our own type
SdkAuthResult authResult = authenticationResult.ToSdkAuthResult();
// Save the auth result
AuthUtils.LatestAdalAuthResult = authResult;
return(authResult);
}
/// <summary>
/// Authenticates with the currently set environment parameters and the provided client secret.
/// </summary>
/// <param name="clientSecret">The client secret</param>
/// <returns>The authentication result.</returns>
internal static SdkAuthResult AuthWithClientCredentials(string clientSecret)
{
// Get the environment parameters
EnvironmentParameters environmentParameters = AuthUtils.CurrentEnvironmentParameters;
// Create auth context that we will use to connect to the AAD endpoint
AuthenticationContext authContext = new AuthenticationContext(environmentParameters.AuthUrl);
// Get the AuthenticationResult from AAD
AuthenticationResult authenticationResult = authContext.AcquireTokenAsync(
environmentParameters.ResourceId,
new ClientCredential(environmentParameters.AppId, clientSecret))
.GetAwaiter().GetResult();
// Convert the auth result into our own type
SdkAuthResult authResult = authenticationResult.ToSdkAuthResult();
// Save the auth result
AuthUtils.LatestAdalAuthResult = authResult;
return(authResult);
}
