public void ConfigureAuth(IAppBuilder app) { app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType); app.UseCookieAuthentication(new CookieAuthenticationOptions()); app.UseOpenIdConnectAuthentication( new OpenIdConnectAuthenticationOptions { // The `Authority` represents the Microsoft v2.0 authentication and authorization service. // The `Scope` describes the permissions that your app will need. See https://azure.microsoft.com/documentation/articles/active-directory-v2-scopes/ ClientId = appId, Authority = "https://login.microsoftonline.com/common/v2.0", PostLogoutRedirectUri = redirectUri, RedirectUri = redirectUri, Scope = "openid email profile offline_access " + graphScopes, TokenValidationParameters = new TokenValidationParameters { ValidateIssuer = false, // In a real application you would use IssuerValidator for additional checks, // like making sure the user's organization has signed up for your app. // IssuerValidator = (issuer, token, tvp) => // { // if (MyCustomTenantValidation(issuer)) // return issuer; // else // throw new SecurityTokenInvalidIssuerException("Invalid issuer"); // }, }, Notifications = new OpenIdConnectAuthenticationNotifications { AuthorizationCodeReceived = async (context) => { var code = context.Code; string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value; ConfidentialClientApplication cca = new ConfidentialClientApplication( appId, redirectUri, new ClientCredential(appSecret), new SessionTokenCache(signedInUserID, context.OwinContext.Environment["System.Web.HttpContextBase"] as HttpContextBase)); string[] scopes = graphScopes.Split(new char[] { ' ' }); AuthenticationResult result = await cca.AcquireTokenByAuthorizationCodeAsync(scopes, code); }, AuthenticationFailed = (context) => { context.HandleResponse(); context.Response.Redirect("/Error?message=" + context.Exception.Message); return Task.FromResult(0); } } }); }
public void GetAuthorizationRequestUrlDuplicateParamsTest() { ConfidentialClientApplication app = new ConfidentialClientApplication(TestConstants.DefaultClientId, TestConstants.DefaultRedirectUri, new ClientCredential(TestConstants.DefaultClientSecret), new TokenCache()); try { Task<Uri> task = app.GetAuthorizationRequestUrlAsync(TestConstants.DefaultScope.AsArray(), TestConstants.DefaultDisplayableId, "[email protected]"); Uri uri = task.Result; Assert.Fail("MSALException should be thrown here"); } catch (Exception exc) { Assert.IsTrue(exc.InnerException is MsalException); Assert.AreEqual("duplicate_query_parameter", ((MsalException)exc.InnerException).ErrorCode); Assert.AreEqual("Duplicate query parameter 'login_hint' in extraQueryParameters", ((MsalException)exc.InnerException).Message); } }
// Get an access token. First tries to get the token from the token cache. public async Task<string> GetUserAccessTokenAsync() { string signedInUserID = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier).Value; tokenCache = new SessionTokenCache( signedInUserID, HttpContext.Current.GetOwinContext().Environment["System.Web.HttpContextBase"] as HttpContextBase); //var cachedItems = tokenCache.ReadItems(appId); // see what's in the cache ConfidentialClientApplication cca = new ConfidentialClientApplication( appId, redirectUri, new ClientCredential(appSecret), tokenCache); try { AuthenticationResult result = await cca.AcquireTokenSilentAsync(scopes.Split(new char[] { ' ' })); return result.Token; } // Unable to retrieve the access token silently. catch (MsalSilentTokenAcquisitionException) { HttpContext.Current.Request.GetOwinContext().Authentication.Challenge( new AuthenticationProperties() { RedirectUri = "/" }, OpenIdConnectAuthenticationDefaults.AuthenticationType); throw new Exception(Resource.Error_AuthChallengeNeeded); } }
public void ConfidentialClientUsingSecretTest() { ConfidentialClientApplication app = new ConfidentialClientApplication(TestConstants.DefaultClientId, TestConstants.DefaultRedirectUri, new ClientCredential(TestConstants.DefaultClientSecret), new TokenCache()); app.AppTokenCache = new TokenCache(); HttpMessageHandlerFactory.MockHandler = new MockHttpMessageHandler() { Method = HttpMethod.Post, ResponseMessage = MockHelpers.CreateSuccessfulClientCredentialTokenResponseMessage() }; Task<AuthenticationResult> task = app.AcquireTokenForClient(TestConstants.DefaultScope.ToArray(), TestConstants.DefaultPolicy); AuthenticationResult result = task.Result; Assert.IsNotNull(result); Assert.IsNotNull("header.payload.signature", result.Token); Assert.AreEqual(TestConstants.DefaultScope.AsSingleString(), result.ScopeSet.AsSingleString()); //make sure user token cache is empty Assert.AreEqual(0, app.UserTokenCache.Count); //check app token cache count to be 1 Assert.AreEqual(1, app.AppTokenCache.Count); //make sure refresh token is null foreach (var value in app.AppTokenCache.tokenCacheDictionary.Values) { Assert.IsNull(value.RefreshToken); } }
public static async Task <string> FetchTokenConfidentalAsync(string[] scopes) { try { Microsoft.Identity.Client.ConfidentialClientApplication cc = new Microsoft.Identity.Client.ConfidentialClientApplication(PBIConfig.ClientId, PBIConfig.RedirectUrl, new Microsoft.Identity.Client.ClientCredential(PBIConfig.ClientSecret), null, null); // var accounts = await cc.GetAccountsAsync(); // Microsoft.Identity.Client.AuthenticationResult result = await cc.AcquireTokenSilentAsync(scopes, accounts.First()); Microsoft.Identity.Client.AuthenticationResult result = await cc.AcquireTokenForClientAsync(scopes); return(result.AccessToken); } catch (Exception e) { Console.WriteLine(e.Message); } return(null); }
public void ConstructorsTest() { ConfidentialClientApplication app = new ConfidentialClientApplication(TestConstants.DefaultClientId, TestConstants.DefaultRedirectUri, new ClientCredential(TestConstants.DefaultClientSecret), new TokenCache()); Assert.IsNotNull(app); Assert.IsNotNull(app.UserTokenCache); Assert.IsNotNull(app.AppTokenCache); Assert.AreEqual("https://login.microsoftonline.com/common/", app.Authority); Assert.AreEqual(TestConstants.DefaultClientId, app.ClientId); Assert.AreEqual(TestConstants.DefaultRedirectUri, app.RedirectUri); Assert.AreEqual("https://login.microsoftonline.com/common/", app.Authority); Assert.IsNotNull(app.ClientCredential); Assert.IsNotNull(app.ClientCredential.Secret); Assert.AreEqual(TestConstants.DefaultClientSecret, app.ClientCredential.Secret); Assert.IsNull(app.ClientCredential.Certificate); Assert.IsNull(app.ClientCredential.ClientAssertion); Assert.AreEqual(0, app.ClientCredential.ValidTo); app = new ConfidentialClientApplication(TestConstants.DefaultAuthorityGuestTenant, TestConstants.DefaultClientId, TestConstants.DefaultRedirectUri, new ClientCredential("secret"), new TokenCache()); Assert.AreEqual(TestConstants.DefaultAuthorityGuestTenant, app.Authority); }
internal AcquireTokenByAuthorizationCodeParameterBuilder(IConfidentialClientApplicationExecutor confidentialClientApplicationExecutor) : base(confidentialClientApplicationExecutor) { ConfidentialClientApplication.GuardMobileFrameworks(); }
/// <inheritdoc /> internal ConfidentialClientApplicationBuilder(ApplicationConfiguration configuration) : base(configuration) { ConfidentialClientApplication.GuardMobileFrameworks(); }
public void GetAuthorizationRequestUrlCustomRedirectUriTest() { ConfidentialClientApplication app = new ConfidentialClientApplication(TestConstants.DefaultClientId, TestConstants.DefaultRedirectUri, new ClientCredential(TestConstants.DefaultClientSecret), new TokenCache()); Task<Uri> task = app.GetAuthorizationRequestUrlAsync(TestConstants.DefaultScope.AsArray(), "custom://redirect-uri", TestConstants.DefaultDisplayableId, "extra=qp&prompt=none", TestConstants.ScopeForAnotherResource.AsArray(), TestConstants.DefaultAuthorityGuestTenant, TestConstants.DefaultPolicy); Uri uri = task.Result; Assert.IsNotNull(uri); Assert.IsTrue(uri.AbsoluteUri.StartsWith(TestConstants.DefaultAuthorityGuestTenant, StringComparison.CurrentCulture)); Dictionary<string, string> qp = EncodingHelper.ParseKeyValueList(uri.Query.Substring(1), '&', true, null); Assert.IsNotNull(qp); Assert.AreEqual(12, qp.Count); Assert.AreEqual("r1/scope1 r1/scope2 r2/scope1 r2/scope2 openid offline_access", qp["scope"]); Assert.AreEqual(TestConstants.DefaultClientId, qp["client_id"]); Assert.AreEqual("code", qp["response_type"]); Assert.AreEqual("custom://redirect-uri", qp["redirect_uri"]); Assert.AreEqual(TestConstants.DefaultDisplayableId, qp["login_hint"]); Assert.AreEqual("MSAL.Desktop", qp["x-client-sku"]); Assert.IsFalse(string.IsNullOrEmpty(qp["x-client-ver"])); Assert.IsFalse(string.IsNullOrEmpty(qp["x-client-cpu"])); Assert.IsFalse(string.IsNullOrEmpty(qp["x-client-os"])); Assert.AreEqual("qp", qp["extra"]); Assert.AreEqual("none", qp["prompt"]); Assert.AreEqual(TestConstants.DefaultPolicy, qp["p"]); }
public void OBOUserAssertionHashUsernamePassedTest() { TokenCache cache = TokenCacheHelper.CreateCacheWithItems(); string someAssertion = "some-assertion-passed-by-developer"; TokenCacheKey key = cache.tokenCacheDictionary.Keys.First(); //update cache entry with hash of an assertion that will not match cache.tokenCacheDictionary[key].UserAssertionHash = new CryptographyHelper().CreateSha256Hash(someAssertion); ConfidentialClientApplication app = new ConfidentialClientApplication(TestConstants.DefaultClientId, TestConstants.DefaultRedirectUri, new ClientCredential(TestConstants.DefaultClientSecret), new TokenCache()); app.UserTokenCache = cache; //this is a fail safe. No call should go on network HttpMessageHandlerFactory.MockHandler = new MockHttpMessageHandler() { Method = HttpMethod.Post, ResponseMessage = MockHelpers.CreateInvalidGrantTokenResponseMessage() }; UserAssertion assertion = new UserAssertion(someAssertion, AssertionType, key.DisplayableId); Task<AuthenticationResult> task = app.AcquireTokenOnBehalfOfAsync(key.Scope.AsArray(), assertion, key.Authority, TestConstants.DefaultPolicy); AuthenticationResult result = task.Result; Assert.IsNotNull(result); Assert.AreEqual(key.UniqueId, result.User.UniqueId); Assert.AreEqual(key.DisplayableId, result.User.DisplayableId); Assert.AreEqual(HashAccessToken, cache.tokenCacheDictionary[key].UserAssertionHash); }
public void OBOUserAssertionHashNotFoundTest() { TokenCache cache = TokenCacheHelper.CreateCacheWithItems(); string someAssertion = "some-assertion-passed-by-developer"; TokenCacheKey key = cache.tokenCacheDictionary.Keys.First(); //update cache entry with hash of an assertion that will not match cache.tokenCacheDictionary[key].UserAssertionHash = new CryptographyHelper().CreateSha256Hash(someAssertion + "-but-not-in-cache"); ConfidentialClientApplication app = new ConfidentialClientApplication(TestConstants.DefaultClientId, TestConstants.DefaultRedirectUri, new ClientCredential(TestConstants.DefaultClientSecret), new TokenCache()); app.UserTokenCache = cache; string[] scope = {"mail.read"}; HttpMessageHandlerFactory.MockHandler = new MockHttpMessageHandler() { Method = HttpMethod.Post, ResponseMessage = MockHelpers.CreateSuccessTokenResponseMessage("unique_id_3", "*****@*****.**", "root_id_3", scope) }; UserAssertion assertion = new UserAssertion(someAssertion, AssertionType); Task<AuthenticationResult> task = app.AcquireTokenOnBehalfOfAsync(key.Scope.AsArray(), assertion, key.Authority, TestConstants.DefaultPolicy); AuthenticationResult result = task.Result; Assert.IsNotNull(result); Assert.AreEqual("unique_id_3", result.User.UniqueId); Assert.AreEqual("*****@*****.**", result.User.DisplayableId); //check for new assertion Hash AuthenticationResultEx resultEx = cache.tokenCacheDictionary.Values.First(r => r.Result.User.UniqueId.Equals("unique_id_3")); Assert.AreEqual(HashAccessToken, resultEx.UserAssertionHash); }
public void ConfidentialClientUsingCertificateTest() { ClientCredential cc = new ClientCredential(new ClientAssertionCertificate(new X509Certificate2("valid_cert.pfx", "password"))); ConfidentialClientApplication app = new ConfidentialClientApplication(TestConstants.DefaultClientId, TestConstants.DefaultRedirectUri, cc, new TokenCache()); app.AppTokenCache = new TokenCache(); HttpMessageHandlerFactory.MockHandler = new MockHttpMessageHandler() { Method = HttpMethod.Post, ResponseMessage = MockHelpers.CreateSuccessfulClientCredentialTokenResponseMessage() }; Task<AuthenticationResult> task = app.AcquireTokenForClient(TestConstants.DefaultScope.ToArray(), TestConstants.DefaultPolicy); AuthenticationResult result = task.Result; Assert.IsNotNull(result); Assert.IsNotNull("header.payload.signature", result.Token); Assert.AreEqual(TestConstants.DefaultScope.AsSingleString(), result.ScopeSet.AsSingleString()); //make sure user token cache is empty Assert.AreEqual(0, app.UserTokenCache.Count); //check app token cache count to be 1 Assert.AreEqual(1, app.AppTokenCache.Count); //make sure refresh token is null foreach (var value in app.AppTokenCache.tokenCacheDictionary.Values) { Assert.IsNull(value.RefreshToken); } //assert client credential Assert.IsNotNull(cc.ClientAssertion); Assert.AreNotEqual(0, cc.ValidTo); //save client assertion. string cachedAssertion = cc.ClientAssertion.Assertion; long cacheValidTo = cc.ValidTo; HttpMessageHandlerFactory.MockHandler = new MockHttpMessageHandler() { Method = HttpMethod.Post, ResponseMessage = MockHelpers.CreateSuccessfulClientCredentialTokenResponseMessage() }; task = app.AcquireTokenForClient(TestConstants.ScopeForAnotherResource.ToArray(), TestConstants.DefaultPolicy); result = task.Result; Assert.IsNotNull(result); Assert.AreEqual(cacheValidTo, cc.ValidTo); Assert.AreEqual(cachedAssertion, cc.ClientAssertion.Assertion); }
/// <inheritdoc /> public override Task <AuthenticationResult> ExecuteAsync(CancellationToken cancellationToken) { ConfidentialClientApplication.GuardMobileFrameworks(); ValidateAndCalculateApiId(); return(ExecuteInternalAsync(cancellationToken)); }
internal AbstractConfidentialClientAcquireTokenParameterBuilder(IConfidentialClientApplicationExecutor confidentialClientApplicationExecutor) : base(confidentialClientApplicationExecutor.ServiceBundle) { ConfidentialClientApplication.GuardMobileFrameworks(); ConfidentialClientApplicationExecutor = confidentialClientApplicationExecutor; }
/// <summary> /// Constructor of client (application) credentials from a <see cref="ClientAssertionCertificate"/> /// </summary> /// <param name="certificate">contains information about the certificate previously shared with AAD at application /// registration to prove the identity of the application (the client) requesting the tokens.</param> public ClientCredential(ClientAssertionCertificate certificate) { ConfidentialClientApplication.GuardMobileFrameworks(); Certificate = certificate; }