AzureADQuickStarts
diff --git a/‎NativeClient-DotNet.sln‎
Lines changed: 10 additions & 2 deletions b/‎NativeClient-DotNet.sln‎
Lines changed: 10 additions & 2 deletions
diff --git a/‎README.md‎
Lines changed: 104 additions & 1 deletion b/‎README.md‎
Lines changed: 104 additions & 1 deletion
diff --git a/‎TodoListClient/App.config‎
Lines changed: 6 additions & 4 deletions b/‎TodoListClient/App.config‎
Lines changed: 6 additions & 4 deletions
diff --git a/‎TodoListClient/MainWindow.xaml.cs‎
Lines changed: 12 additions & 14 deletions b/‎TodoListClient/MainWindow.xaml.cs‎
Lines changed: 12 additions & 14 deletions
diff --git a/‎…IdConnectCachingSecurityTokenProvider.cs‎ ‎…rt/OpenIdConnectSecurityTokenProvider.cs‎TodoListService/App_Start/OpenIdConnectCachingSecurityTokenProvider.cs renamed to TodoListService/App_Start/OpenIdConnectSecurityTokenProvider.cs
Lines changed: 13 additions & 14 deletions b/‎…IdConnectCachingSecurityTokenProvider.cs‎ ‎…rt/OpenIdConnectSecurityTokenProvider.cs‎TodoListService/App_Start/OpenIdConnectCachingSecurityTokenProvider.cs renamed to TodoListService/App_Start/OpenIdConnectSecurityTokenProvider.cs
Lines changed: 13 additions & 14 deletions
diff --git a/‎TodoListService/App_Start/Startup.Auth.cs‎
Lines changed: 16 additions & 20 deletions b/‎TodoListService/App_Start/Startup.Auth.cs‎
Lines changed: 16 additions & 20 deletions
@@ -1,12 +1,17 @@
 
 Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio 2013
-VisualStudioVersion = 12.0.21005.1
+# Visual Studio 15
+VisualStudioVersion = 15.0.27130.2027
 MinimumVisualStudioVersion = 10.0.40219.1
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "TodoListService", "TodoListService\TodoListService.csproj", "{047CDEF7-D5BA-4B1E-9748-910B610CCA51}"
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "TodoListClient", "TodoListClient\TodoListClient.csproj", "{005E6BB1-F422-4366-B548-1BDE150F0073}"
 EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{45D9F709-B54B-446B-9837-0052C0B5E75F}"
+	ProjectSection(SolutionItems) = preProject
+		README.md = README.md
+	EndProjectSection
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -25,4 +30,7 @@ Global
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
 	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {AFF3D3FB-F054-4729-802D-F148E1224E7D}
+	EndGlobalSection
 EndGlobal
@@ -1 +1,104 @@
-# AppModelv2-NativeClient-DotNet
+---
+services: active-directory
+platforms: dotnet
+author: jmprieur
+level: 200
+client: Windows Desktop WPF
+service: ASP.NET Web API
+endpoint: AAD V2
+---
+
+# Calling an ASP.NET Web API protected by the Azure AD V2 endpoint from an Windows Desktop (WPF) application
+
+## About this sample
+
+### Scenario
+
+You expose a Web API and you want to protect it so that only authenticated user can access it. This sample shows how to expose a ASP.NET Web API so it can accept tokens issued by personal accounts (including outlook.com, live.com, and others) as well as work and school accounts from any company or organization that has integrated with Azure Active Directory.
+
+The sample also include a Windows Desktop application (WPF) that demonstrate how you can request an access token to access a Web APIs.
+
+## How to run this sample
+
+> Pre-requisites: This sample requires Visual Studio 2017. If you don't have it, download [Visual Studio 2017 for free](https://www.visualstudio.com/downloads/).
+
+### Step 1: Download or clone this sample
+
+You can clone this sample from your shell or command line:
+
+  ```console
+  git clone https://github.com/AzureADQuickStarts/AppModelv2-NativeClient-DotNet.git
+  ```
+
+### Step 2: Register your Web API - *TodoListService* in the *Application registration portal*
+
+1. Sign in to the [Application registration portal](https://apps.dev.microsoft.com/portal/register-app) either using a personal Microsoft account (live.com or hotmail.com) or work or school account.
+1. Give a name to your Application, such as `AppModelv2-NativeClient-DotNet-TodoListService`. Make sure that the *Guided Setup* option is **Unchecked** then press **Create**. The portal will assign your app a globally unique *Application ID* that you'll use later in your code.
+1. Click **Add Platform**, and select **Web API**
+1. Click **Save**
+
+> Note: When you add a *Web API* the Application registration portal, it adds a pre-defined App Id URI and Scope, using the format *api://{Application Id}/{Scope Name}* named **access_as_user** (you can review it by clicking 'Edit' button). This sample code uses this default scope.
+
+### Step 3: Configure your *TodoListService* and *TodoListClient* projects to match the Web API you just registered
+
+1. Open the solution in Visual Studio and then open the **Web.config** file under the root of **TodoListService** project.
+1. Replace the value of `ida:ClientId` parameter with the **Application Id** from the application you just registered in the Application Registration Portal.
+
+#### Step 3.1: Add the new scope to the *TodoListClient*`s app.config
+
+1. Open the **app.config** file located in **TodoListClient** project's root folder and then paste **Application Id** from the application you just registered for your *TodoListService* under `TodoListServiceScope` parameter, replacing the string `{Enter the Application Id of your TodoListService from the app registration portal}`. 
+
+    > Note: Make sure it uses has the format `api://{TodoListService-Application-Id}/access_as_user` (where {TodoListService-Application-Id} is the Guid representing the Application Id for your TodoListService).
+
+### Step 4: Register the *TodoListClient* application in the *Application registration portal*
+
+In this step, you configure your *TodoListClient* project by registering a new application in the Application registration portal. In the cases where the client and server are considered *the same application* you may also just reuse the same application registered in the 'Step 2.'.
+
+1. Go back to [Application registration portal](https://apps.dev.microsoft.com/portal/register-app) to register a new application
+1. Give a name to your Application, such as `NativeClient-DotNet-TodoListClient`, make sure that the *Guided Setup* option is **Unchecked** then press **Create**.
+1. Click **Add Platform**, and select **Native**.
+1. Click **Save**
+
+### Step 5: Configure your *TodoListClient* project
+
+1. In the *Application registration portal*, copy the value of the **Application Id**
+1. Open the **app.config** file located in the **TodoListClient** project's root folder and then paste the value in the `ida:ClientId` parameter value
+
+### Step 6: Run your project
+
+1. Press `<F5>` to run your project. Your *TodoListClient* should open.
+1. Select **Sign in** in the top right and sign in with the same user you have used to register your aplication, or a user in the same directory.
+1. At this point, if you are signing in for the first time, you may be prompted to consent to *TodoListService* Web Api.
+1. The sign-in also request the access token to the *access_as_user* scope to access *TodoListService* Web Api and manipulate the *To-Do* list.
+
+### Step 7: Pre-authorize your client application
+
+One of the ways to allow users from other directories to acces your Web API is by *pre-authorizing* the client applications to access your Web API by adding the Application Ids from client applications in the list of *pre-authorized* applications for your Web API. By adding a pre-authorized client, you will not require user to consent to use your Web API. Follow the steps below to pre-authorize your Web Application::
+
+1. Go back to the *Application registration portal* and open the properties of your **TodoListService**.
+1. In the **Web API platform**, click on **Add application** under the *Pre-authorized applications* section.
+1. In the *Application ID* field, paste the application ID of the `TodoListClient` application.
+1. In the *Scope* field, click on the **Select** combo box and select the scope for this Web API `api://<Application ID>/access_as_user`.
+1. Press the **Save** button at the bottom of the page.
+
+### Step 8: Run your project
+
+1. Press `<F5>` to run your project. Your *TodoListClient* should open.
+1. Select **Sign in** in the top right (or Clear Cache/Sign-in) and then sign-in either using a personal Microsoft account (live.com or hotmail.com) or work or school account.
+
+## Optional: Restrict sign-in access to your application
+
+By default, when you download this code sample and configure the application to use the Azure Active Directory v2 endpoint following the preceeding steps, both personal accounts - like outlook.com, live.com, and others - as well as Work or school accounts from any organizations that are integrated with Azure AD can request tokens and access your Web API. 
+
+To restrict who can sign in to your application, use one of the options:
+
+### Option 1: Restrict access to a single organization (single-tenant)
+
+You can restrict sign-in access for your application to only user accounts that are in a single Azure AD tenant - including *guest accounts* of that tenant. This scenario is a common for *line-of-business applications*:
+
+1. In the **web.config** file of your **TodoListService**, change the value for the `Tenant` parameter from `Common` to the tenant name of the organization, such as `contoso.onmicrosoft.com` or the *Tenant Id*.
+2. Open **App_Start\Startup.Auth** file and set the `ValidateIssuer` argument to `true`.
+
+#### Option 2: Use a custom method to validate issuers
+
+You can implement a custom method to validate issuers by using the **IssuerValidator** parameter. For more information about how to use this parameter, read about the [TokenValidationParameters class](https://msdn.microsoft.com/library/system.identitymodel.tokens.tokenvalidationparameters.aspx) on MSDN.
@@ -6,9 +6,10 @@
   <appSettings>
     <!-- ida:Client is a GUID representing the Application Id for the TodoListClient app that you copied from
          the App Registration Portal (https://apps.dev.microsoft.com) -->
+
     <add key="ida:ClientId" value="{Enter the Application Id that you copied from the App Registration Portal.}" />
 
-    <!-- todo:Scope is either:
+    <!-- TodoListServiceScope is either:
      - the same as ida:ClientId, as V2 apps enable several platforms for a same application (a GUID)
      - or otherwise the scope of the Web API created with aht App Registration portal, for instance api://[V2-WebApi-AppId]/access_as_user
        where [V2-WebApi-AppId] is a GUID representing the Application ID of the Web API.
@@ -17,8 +18,9 @@
        In that case (V1 app), the Authority used to build the PubliClientApplication in MainWindow.xaml.cs should be set to 
        "https://login.microsoftonline.com/organizations/" instead of "https://login.microsoftonline.com/common/"
     -->
-    <add key="todo:Scope" value="{Enter the scope of the Web API, as copied from the App Registration Portal, for instance api://[WebApi-AppId]/access_as_user where [WebApi-AppId] is a GUID" />
-  
-    <add key="todo:TodoListBaseAddress" value="https://localhost:44321/" />
+
+    <add key="TodoListServiceScope" value="{Enter the Application Id of your TodoListService from the app registration portal}" />
+    <add key="TodoListServiceBaseAddress" value="https://localhost:44321/" />
+
   </appSettings>
 </configuration>
@@ -39,28 +39,26 @@ public partial class MainWindow : Window
         // The Authority is the sign-in URL.
 
 
-        private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
+        private string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
+        
+        // The todoListServiceBaseAddress is the address of your Web API
+        private string todoListServiceBaseAddress = ConfigurationManager.AppSettings["TodoListServiceBaseAddress"];
+        private string todoListServiceScope = ConfigurationManager.AppSettings["TodoListServiceScope"];
 
-        // The todoListBaseAddress is the address of your Web API
-        private static string todoListBaseAddress = ConfigurationManager.AppSettings["todo:TodoListBaseAddress"];
-        private static string todoListScope = ConfigurationManager.AppSettings["todo:Scope"];
 
         private HttpClient httpClient = new HttpClient();
         private PublicClientApplication app = null;
 
-        private string[] Scopes
-        {
-            get
-            {
-                return new string[] { todoListScope };
-            }
-        }
+        private string[] Scopes = null;
+        
         protected override async void OnInitialized(EventArgs e)
         {
             base.OnInitialized(e);
 
+            Scopes = new string[] {todoListServiceScope};
+
             // Initialize the PublicClientApplication
-            app = new PublicClientApplication(clientId, "https://login.microsoftonline.com/common/", TokenCacheHelper.GetUserCache());
+            app = new PublicClientApplication(clientId, "https://login.microsoftonline.com/common/v2.0", TokenCacheHelper.GetUserCache());
             AuthenticationResult result = null;
 
             // TODO: Check if the user is already signed in. 
@@ -155,7 +153,7 @@ private async void GetTodoList()
             httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
 
             // Call the To Do list service.
-            HttpResponseMessage response = await httpClient.GetAsync(todoListBaseAddress + "/api/todolist");
+            HttpResponseMessage response = await httpClient.GetAsync(todoListServiceBaseAddress + "/api/todolist");
 
             if (response.IsSuccessStatusCode)
             {
@@ -211,7 +209,7 @@ private async void AddTodoItem(object sender, RoutedEventArgs e)
             httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
 
             HttpContent content = new FormUrlEncodedContent(new[] { new KeyValuePair<string, string>("Title", TodoText.Text) });
-            HttpResponseMessage response = await httpClient.PostAsync(todoListBaseAddress + "/api/todolist", content);
+            HttpResponseMessage response = await httpClient.PostAsync(todoListServiceBaseAddress + "/api/todolist", content);
 
             if (response.IsSuccessStatusCode)
             {
 
@@ -1,28 +1,27 @@
-using Microsoft.IdentityModel.Protocols;
-using Microsoft.Owin.Security.Jwt;
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Text;
-using System.Threading;
-using System.Threading.Tasks;
+using System.Collections.Generic;
 using System.IdentityModel.Tokens;
+using System.Threading;
+using Microsoft.IdentityModel.Protocols;
+using Microsoft.Owin.Security.Jwt;
 
-namespace TodoListService.App_Start
+namespace TodoListService
 {
-    public class OpenIdConnectCachingSecurityTokenProvider : IIssuerSecurityTokenProvider
+    // This class is necessary because the OAuthBearer Middleware does not leverage
+    // the OpenID Connect metadata endpoint exposed by the STS by default.
+
+    public class OpenIdConnectSecurityTokenProvider : IIssuerSecurityTokenProvider
     {
-        public ConfigurationManager<OpenIdConnectConfiguration> _configManager;
+        public ConfigurationManager<OpenIdConnectConfiguration> ConfigManager;
         private string _issuer;
         private IEnumerable<SecurityToken> _tokens;
         private readonly string _metadataEndpoint;
 
         private readonly ReaderWriterLockSlim _synclock = new ReaderWriterLockSlim();
 
-        public OpenIdConnectCachingSecurityTokenProvider(string metadataEndpoint)
+        public OpenIdConnectSecurityTokenProvider(string metadataEndpoint)
         {
             _metadataEndpoint = metadataEndpoint;
-            _configManager = new ConfigurationManager<OpenIdConnectConfiguration>(metadataEndpoint);
+            ConfigManager = new ConfigurationManager<OpenIdConnectConfiguration>(metadataEndpoint);
 
             RetrieveMetadata();
         }
@@ -78,7 +77,7 @@ private void RetrieveMetadata()
             _synclock.EnterWriteLock();
             try
             {
-                OpenIdConnectConfiguration config = _configManager.GetConfigurationAsync().Result;
+                OpenIdConnectConfiguration config = ConfigManager.GetConfigurationAsync().Result;
                 _issuer = config.Issuer;
                 _tokens = config.SigningTokens;
             }
 
@@ -5,40 +5,36 @@
 using Microsoft.Owin.Security;
 using Owin;
 using System.IdentityModel.Tokens;
-using TodoListService.App_Start;
 using Microsoft.Owin.Security.Jwt;
 using Microsoft.Owin.Security.OAuth;
 
 namespace TodoListService
 {
     public partial class Startup
     {
-        private static string audience = ConfigurationManager.AppSettings["ida:Audience"];
+        private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
 
         public void ConfigureAuth(IAppBuilder app)
         {
-            var tvps = new TokenValidationParameters
-            {
-                ValidAudience = audience,
-
-                // In a real applicaiton, you might use issuer validation to
-                // verify that the user's organization (if applicable) has 
-                // signed up for the app.  Here, we'll just turn it off.
-                ValidateIssuer = false,
-            };
-
-            // Set up the OWIN auth pipeline to use OAuth 2.0 Bearer authentication.
-            // The options provided here tell the middleware about the type of tokens
-            // that will be recieved, which are JWTs for the v2.0 endpoint.
-
-            // NOTE: The usual WindowsAzureActiveDirectoryBearerAuthenticaitonMiddleware uses a
+            // NOTE: The usual WindowsAzureActiveDirectoryBearerAuthentication middleware uses a
             // metadata endpoint which is not supported by the v2.0 endpoint.  Instead, this 
-            // OpenIdConenctCachingSecurityTokenProvider can be used to fetch & use the OpenIdConnect
-            // metadata document.
+            // OpenIdConnectSecurityTokenProvider implementation can be used to fetch & use the OpenIdConnect
+            // metadata document - which for the v2 endpoint is https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
 
             app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
             {
-                AccessTokenFormat = new Microsoft.Owin.Security.Jwt.JwtFormat(tvps, new OpenIdConnectCachingSecurityTokenProvider("https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration")),
+                AccessTokenFormat = new JwtFormat(
+                    new TokenValidationParameters
+                    {
+                        // Check if the audience is intended to be this application
+                        ValidAudience = clientId,
+
+                        // Change below to 'true' if you want this Web API to accept tokens issued to one Azure AD tenant only (single-tenant)
+                        ValidateIssuer = false,
+
+                    },
+                    new OpenIdConnectSecurityTokenProvider("https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration")
+                ),
             });
         }
     }