public void SilentRefreshFailedNoCacheItemFoundTest()
{
using (var harness = new MockHttpTestHarness(TestConstants.AuthorityHomeTenant))
{
var parameters = harness.CreateRequestParams(
harness.Cache,
ScopeHelper.CreateSortedSetFromEnumerable(
new[]
{
"some-scope1",
"some-scope2"
}),
authorityOverride: AuthorityInfo.FromAuthorityUri(TestConstants.AuthorityHomeTenant, false));
var silentParameters = new AcquireTokenSilentParameters()
{
Account = new Account(TestConstants.HomeAccountId, TestConstants.DisplayableId, TestConstants.ProductionPrefCacheEnvironment),
};
try
{
var request = new SilentRequest(harness.ServiceBundle, parameters, silentParameters);
Task <AuthenticationResult> task = request.RunAsync(CancellationToken.None);
var authenticationResult = task.Result;
Assert.Fail("MsalUiRequiredException should be thrown here");
}
catch (AggregateException ae)
{
var exc = ae.InnerException as MsalUiRequiredException;
Assert.IsNotNull(exc, "Actual exception type is " + ae.InnerException.GetType());
Assert.AreEqual(MsalError.NoTokensFoundError, exc.ErrorCode);
}
}
}
protected SortedSet <string> GetDecoratedScope(SortedSet <string> inputScope)
{
SortedSet <string> set = new SortedSet <string>(inputScope.ToArray());
set.UnionWith(ScopeHelper.CreateSortedSetFromEnumerable(OAuth2Value.ReservedScopes));
return(set);
}
public AuthenticationRequestParameters(
IServiceBundle serviceBundle,
ITokenCacheInternal tokenCache,
AcquireTokenCommonParameters commonParameters,
RequestContext requestContext)
{
_commonParameters = commonParameters;
Authority = Authority.CreateAuthorityForRequest(serviceBundle.Config.AuthorityInfo, commonParameters.AuthorityOverride);
ClientId = serviceBundle.Config.ClientId;
CacheSessionManager = new CacheSessionManager(tokenCache, this, serviceBundle.TelemetryManager);
Scope = ScopeHelper.CreateSortedSetFromEnumerable(commonParameters.Scopes);
RedirectUri = new Uri(serviceBundle.Config.RedirectUri);
RequestContext = requestContext;
IsBrokerEnabled = serviceBundle.Config.IsBrokerEnabled;
// Set application wide query parameters.
ExtraQueryParameters = serviceBundle.Config.ExtraQueryParameters ?? new Dictionary <string, string>();
// Copy in call-specific query parameters.
if (commonParameters.ExtraQueryParameters != null)
{
foreach (KeyValuePair <string, string> kvp in commonParameters.ExtraQueryParameters)
{
ExtraQueryParameters[kvp.Key] = kvp.Value;
}
}
}
public InteractiveRequest(
IServiceBundle serviceBundle,
AuthenticationRequestParameters authenticationRequestParameters,
ApiEvent.ApiIds apiId,
IEnumerable <string> extraScopesToConsent,
string loginHint,
UIBehavior uiBehavior,
IWebUI webUi)
: base(serviceBundle, authenticationRequestParameters, apiId)
{
RedirectUriHelper.Validate(authenticationRequestParameters.RedirectUri);
webUi?.ValidateRedirectUri(authenticationRequestParameters.RedirectUri);
_extraScopesToConsent = new SortedSet <string>();
if (!extraScopesToConsent.IsNullOrEmpty())
{
_extraScopesToConsent = ScopeHelper.CreateSortedSetFromEnumerable(extraScopesToConsent);
}
ValidateScopeInput(_extraScopesToConsent);
authenticationRequestParameters.LoginHint = loginHint;
if (!string.IsNullOrWhiteSpace(authenticationRequestParameters.ExtraQueryParameters) &&
authenticationRequestParameters.ExtraQueryParameters[0] == '&')
{
authenticationRequestParameters.ExtraQueryParameters =
authenticationRequestParameters.ExtraQueryParameters.Substring(1);
}
_webUi = webUi;
_uiBehavior = uiBehavior;
AuthenticationRequestParameters.RequestContext.Logger.Info(
"Additional scopes - " + _extraScopesToConsent.AsSingleString() + ";" +
"UIBehavior - " + _uiBehavior.PromptValue);
}
private Dictionary <string, string> CreateAuthorizationRequestParameters(Uri redirectUriOverride = null)
{
var extraScopesToConsent = new SortedSet <string>();
if (!_interactiveParameters.ExtraScopesToConsent.IsNullOrEmpty())
{
extraScopesToConsent = ScopeHelper.CreateSortedSetFromEnumerable(_interactiveParameters.ExtraScopesToConsent);
}
if (extraScopesToConsent.Contains(_requestParams.ClientId))
{
throw new ArgumentException("API does not accept client id as a user-provided scope");
}
SortedSet <string> unionScope = GetDecoratedScope(
new SortedSet <string>(_requestParams.Scope.Union(extraScopesToConsent)));
var authorizationRequestParameters = new Dictionary <string, string>
{
[OAuth2Parameter.Scope] = unionScope.AsSingleString(),
[OAuth2Parameter.ResponseType] = OAuth2ResponseType.Code,
[OAuth2Parameter.ClientId] = _requestParams.ClientId,
[OAuth2Parameter.RedirectUri] = redirectUriOverride?.OriginalString ?? _requestParams.RedirectUri.OriginalString
};
if (!string.IsNullOrWhiteSpace(_requestParams.ClaimsAndClientCapabilities))
{
authorizationRequestParameters[OAuth2Parameter.Claims] = _requestParams.ClaimsAndClientCapabilities;
}
if (!string.IsNullOrWhiteSpace(_interactiveParameters.LoginHint))
{
authorizationRequestParameters[OAuth2Parameter.LoginHint] = _interactiveParameters.LoginHint;
}
if (_requestParams.RequestContext.CorrelationId != Guid.Empty)
{
authorizationRequestParameters[OAuth2Parameter.CorrelationId] =
_requestParams.RequestContext.CorrelationId.ToString();
}
foreach (KeyValuePair <string, string> kvp in MsalIdHelper.GetMsalIdParameters(_requestParams.RequestContext.Logger))
{
authorizationRequestParameters[kvp.Key] = kvp.Value;
}
if (_interactiveParameters.Prompt.PromptValue != Prompt.NoPrompt.PromptValue)
{
authorizationRequestParameters[OAuth2Parameter.Prompt] = _interactiveParameters.Prompt.PromptValue;
}
return(authorizationRequestParameters);
}
public void SilentRefreshFailedNoCacheItemFoundTest()
{
using (var httpManager = new MockHttpManager())
{
var serviceBundle = ServiceBundle.CreateWithCustomHttpManager(httpManager);
var aadInstanceDiscovery = new AadInstanceDiscovery(httpManager, new TelemetryManager());
var authority = Authority.CreateAuthority(serviceBundle, MsalTestConstants.AuthorityHomeTenant, false);
_cache = new TokenCache()
{
ClientId = MsalTestConstants.ClientId,
ServiceBundle = serviceBundle
};
httpManager.AddInstanceDiscoveryMockHandler();
var parameters = new AuthenticationRequestParameters()
{
Authority = authority,
ClientId = MsalTestConstants.ClientId,
Scope = ScopeHelper.CreateSortedSetFromEnumerable(
new[]
{
"some-scope1",
"some-scope2"
}),
TokenCache = _cache,
Account = new Account(MsalTestConstants.UserIdentifier, MsalTestConstants.DisplayableId, null),
RequestContext = new RequestContext(null, new MsalLogger(Guid.NewGuid(), null))
};
var crypto = PlatformProxyFactory.GetPlatformProxy().CryptographyManager;
var telemetryManager = new TelemetryManager();
try
{
var request = new SilentRequest(serviceBundle, parameters, ApiEvent.ApiIds.None, false);
Task <AuthenticationResult> task = request.RunAsync(CancellationToken.None);
var authenticationResult = task.Result;
Assert.Fail("MsalUiRequiredException should be thrown here");
}
catch (AggregateException ae)
{
var exc = ae.InnerException as MsalUiRequiredException;
Assert.IsNotNull(exc, "Actual exception type is " + ae.InnerException.GetType());
Assert.AreEqual(MsalUiRequiredException.NoTokensFoundError, exc.ErrorCode);
}
}
}
protected void ValidateScopeInput(SortedSet <string> scopesToValidate)
{
// Check if scope or additional scope contains client ID.
// TODO: instead of failing in the validation, could we simply just remove what the user sets and log that we did so instead?
if (scopesToValidate.Intersect(ScopeHelper.CreateSortedSetFromEnumerable(OAuth2Value.ReservedScopes)).Any())
{
throw new ArgumentException("MSAL always sends the scopes 'openid profile offline_access'. " +
"They cannot be suppressed as they are required for the " +
"library to function. Do not include any of these scopes in the scope parameter.");
}
if (scopesToValidate.Contains(AuthenticationRequestParameters.ClientId))
{
throw new ArgumentException("API does not accept client id as a user-provided scope");
}
}
public InteractiveRequest(
IServiceBundle serviceBundle,
AuthenticationRequestParameters authenticationRequestParameters,
AcquireTokenInteractiveParameters interactiveParameters,
IWebUI webUi)
: base(serviceBundle, authenticationRequestParameters, interactiveParameters)
{
_webUi = webUi; // can be null just to generate the authorization uri
_interactiveParameters = interactiveParameters;
RedirectUriHelper.Validate(authenticationRequestParameters.RedirectUri);
// todo(migration): can't this just come directly from interactive parameters instead of needing do to this?
_extraScopesToConsent = new SortedSet <string>();
if (!_interactiveParameters.ExtraScopesToConsent.IsNullOrEmpty())
{
_extraScopesToConsent = ScopeHelper.CreateSortedSetFromEnumerable(_interactiveParameters.ExtraScopesToConsent);
}
ValidateScopeInput(_extraScopesToConsent);
_interactiveParameters.LogParameters(authenticationRequestParameters.RequestContext.Logger);
}