Merge from complete

Author: jmprieur

README.md

@@ -32,56 +32,97 @@ You can clone this sample from your shell or command line:
 
 ### Step 2: Register your Web API - *TodoListService* in the *Application registration portal*
 
-1. Sign in to the [Application registration portal](https://apps.dev.microsoft.com/portal/register-app) either using a personal Microsoft account (live.com or hotmail.com) or work or school account.
-1. Give a name to your Application, such as `AppModelv2-NativeClient-DotNet-TodoListService`. Make sure that the *Guided Setup* option is **Unchecked** then press **Create**. The portal will assign your app a globally unique *Application ID* that you'll use later in your code.
-1. Click **Add Platform**, and select **Web API**
-1. Click **Save**
-
-> Note: When you add a *Web API* the Application registration portal, it adds a pre-defined App Id URI and Scope, using the format *api://{Application Id}/{Scope Name}* named **access_as_user** (you can review it by clicking 'Edit' button). This sample code uses this default scope.
-
-### Step 3: Configure your *TodoListService* and *TodoListClient* projects to match the Web API you just registered
+#### Choose the Azure AD tenant where you want to create your applications
+
+If you want to register your apps manually, as a first step you'll need to:
+
+1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account or a personal Microsoft account.
+1. If your account is present in more than one Azure AD tenant, select your profile at the top right corner in the menu on top of the page, and then **switch directory**.
+   Change your portal session to the desired Azure AD tenant.
+
+#### Register the service app (TodoListService)
+
+1. Navigate to the Microsoft identity platform for developers [App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page.
+1. Select **New registration**.
+1. When the **Register an application page** appears, enter your application's registration information:
+   - In the **Name** section, enter a meaningful application name that will be displayed to users of the app, for example `AppModelv2-NativeClient-DotNet-TodoListService`.
+   - Change **Supported account types** to **Accounts in any organizational directory**.
+   - Select **Register** to create the application.
+
+1. On the app **Overview** page, find the **Application (client) ID** value and record it for later. You'll need it to configure the Visual Studio configuration file for this project (`ClientId` in `TodoListService\Web.config`).
+1. Select the **Expose an API** section, and:
+   - Select **Add a scope**
+   - accept the proposed Application ID URI (api://{clientId}) by selecting **Save and Continue**
+   - Enter the following parameters:
+     - for **Scope name** use `access_as_user`
+     - Ensure the **Admins and users** option is selected for **Who can consent**
+     - in **Admin consent display name** type `Access TodoListService as a user`
+     - in **Admin consent description** type `Accesses the TodoListService Web API as a user`
+     - in **User consent display name** type `Access TodoListService as a user`
+     - in **User consent description** type `Accesses the TodoListService Web API as a user`
+     - Keep **State** as **Enabled**
+     - Select **Add scope**
+
+#### Configure your *TodoListService* and *TodoListClient* projects to match the Web API you just registered
 
 1. Open the solution in Visual Studio and then open the **Web.config** file under the root of **TodoListService** project.
-1. Replace the value of `ida:ClientId` parameter with the **Application Id** from the application you just registered in the Application Registration Portal.
+1. Replace the value of `ida:ClientId` parameter with the **Client ID (Application Id)** from the application you just registered in the Application Registration Portal.
+
+#### Add the new scope to the *TodoListClient*`s app.config
 
-#### Step 3.1: Add the new scope to the *TodoListClient*`s app.config
+1. Open the **app.config** file located in **TodoListClient** project's root folder and then paste **Application Id** from the application you just registered for your *TodoListService* under `TodoListServiceScope` parameter, replacing the string `{Enter the Application Id of your TodoListService from the app registration portal}`.
 
-1. Open the **app.config** file located in **TodoListClient** project's root folder and then paste **Application Id** from the application you just registered for your *TodoListService* under `TodoListServiceScope` parameter, replacing the string `{Enter the Application Id of your TodoListService from the app registration portal}`. 
+   > Note: Make sure it uses the following format:
+   >
+   > `api://{TodoListService-Application-Id}/access_as_user` 
+   >
+   >(where {TodoListService-Application-Id} is the Guid representing the Application Id for your TodoListService).
 
-    > Note: Make sure it uses has the format `api://{TodoListService-Application-Id}/access_as_user` (where {TodoListService-Application-Id} is the Guid representing the Application Id for your TodoListService).
+### Step 3:  Register the client app (TodoListClient)
 
-### Step 4: Register the *TodoListClient* application in the *Application registration portal*
+In this step, you configure your *TodoListClient* project by registering a new application in the Application registration portal. In the cases where the client and server are considered *the same application* you may also just reuse the same application registered in the 'Step 2.'. Using the same application is actually needed if you want users to sign-in with Microsoft personal accounts
 
-In this step, you configure your *TodoListClient* project by registering a new application in the Application registration portal. In the cases where the client and server are considered *the same application* you may also just reuse the same application registered in the 'Step 2.'.
+#### Register the *TodoListClient* application in the *Application registration portal*
 
-1. Go back to [Application registration portal](https://apps.dev.microsoft.com/portal/register-app) to register a new application
-1. Give a name to your Application, such as `NativeClient-DotNet-TodoListClient`, make sure that the *Guided Setup* option is **Unchecked** then press **Create**.
-1. Click **Add Platform**, and select **Native**.
-1. Click **Save**
+1. Navigate to the Microsoft identity platform for developers [App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page.
+1. Select **New registration**.
+1. When the **Register an application page** appears, enter your application's registration information:
+   - In the **Name** section, enter a meaningful application name that will be displayed to users of the app, for example `NativeClient-DotNet-TodoListClient`.
+   - Change **Supported account types** to **Accounts in any organizational directory**.
+   - Select **Register** to create the application.
+1. From the app's Overview page, select the **Authentication** section.
+   - In the **Redirect URLs** | **Suggested Redirect URLs for public clients (mobile, desktop)** section, check **urn:ietf:wg:oauth:2.0:oob**
+   - Select **Save**.
+1. Select the **API permissions** section
+   - Click the **Add a permission** button and then,
+   - Select the **My APIs** tab.
+   - In the list of APIs, select the `AppModelv2-NativeClient-DotNet-TodoListService API`, or the name you entered for the Web API.
+   - Check the **access_as_user** permission if it's not already checked. Use the search box if necessary.
+   - Select the **Add permissions** button
 
-### Step 5: Configure your *TodoListClient* project
+#### Configure your *TodoListClient* project
 
-1. In the *Application registration portal*, copy the value of the **Application Id**
+1. In the *Application registration portal*, in the **Overview** page copy the value of the **Application (client) Id**
 1. Open the **app.config** file located in the **TodoListClient** project's root folder and then paste the value in the `ida:ClientId` parameter value
 
-### Step 6: Run your project
+### Step 4: Run your project
 
 1. Press `<F5>` to run your project. Your *TodoListClient* should open.
-1. Select **Sign in** in the top right and sign in with the same user you have used to register your aplication, or a user in the same directory.
+1. Select **Sign in** in the top right and sign in with the same user you have used to register your application, or a user in the same directory.
 1. At this point, if you are signing in for the first time, you may be prompted to consent to *TodoListService* Web Api.
 1. The sign-in also request the access token to the *access_as_user* scope to access *TodoListService* Web Api and manipulate the *To-Do* list.
 
-### Step 7: Pre-authorize your client application
+### Step 5: Pre-authorize your client application
 
-One of the ways to allow users from other directories to acces your Web API is by *pre-authorizing* the client applications to access your Web API by adding the Application Ids from client applications in the list of *pre-authorized* applications for your Web API. By adding a pre-authorized client, you will not require user to consent to use your Web API. Follow the steps below to pre-authorize your Web Application::
+One of the ways to allow users from other directories to access your Web API is by *pre-authorizing* the client applications to access your Web API by adding the Application Ids from client applications in the list of *pre-authorized* applications for your Web API. By adding a pre-authorized client, you will not require user to consent to use your Web API. Follow the steps below to pre-authorize your Web Application::
 
 1. Go back to the *Application registration portal* and open the properties of your **TodoListService**.
-1. In the **Web API platform**, click on **Add application** under the *Pre-authorized applications* section.
-1. In the *Application ID* field, paste the application ID of the `TodoListClient` application.
-1. In the *Scope* field, click on the **Select** combo box and select the scope for this Web API `api://<Application ID>/access_as_user`.
-1. Press the **Save** button at the bottom of the page.
+1. In the **Expose an API** section, click on **Add a client application** under the *Authorized client applications* section.
+1. In the *Client ID* field, paste the application ID of the `TodoListClient` application.
+1. In the *Authorized scopes* section, select the scope for this Web API `api://<Application ID>/access_as_user`.
+1. Press the **Add application** button at the bottom of the page.
 
-### Step 8: Run your project
+### Step 6:  Run your project
 
 1. Press `<F5>` to run your project. Your *TodoListClient* should open.
 1. Select **Sign in** in the top right (or Clear Cache/Sign-in) and then sign-in either using a personal Microsoft account (live.com or hotmail.com) or work or school account.
@@ -96,8 +137,8 @@ To restrict who can sign in to your application, use one of the options:
 
 You can restrict sign-in access for your application to only user accounts that are in a single Azure AD tenant - including *guest accounts* of that tenant. This scenario is a common for *line-of-business applications*:
 
-1. In the **web.config** file of your **TodoListService**, change the value for the `Tenant` parameter from `Common` to the tenant name of the organization, such as `contoso.onmicrosoft.com` or the *Tenant Id*.
-2. Open **App_Start\Startup.Auth** file and set the `ValidateIssuer` argument to `true`.
+1. Open the **App_Start\Startup.Auth** file, and change the value of the metadata endpoint that's passed into the `OpenIdConnectSecurityTokenProvider` to `"https://login.microsoftonline.com/{Tenant ID}/v2.0/.well-known/openid-configuration"` (you can also use the Tenant Name, such as `contoso.onmicrosoft.com`).
+2. In the same file, set the `ValidIssuer` property on the `TokenValidationParameters` to `"https://sts.windows.net/{Tenant Id}/"` and the `ValidateIssuer` argument to `true`.
 
 #### Option 2: Use a custom method to validate issuers
 

TodoListClient/App.config

@@ -33,7 +33,7 @@
         clientId of a legacy application, created in the https://portal.azure.com portal.
     -->
 
-    <add key="TodoListServiceScope" value="{Enter the Application Id of your TodoListService from the app registration portal}" />
+    <add key="TodoListServiceScope" value="api://{Enter the Application Id of your TodoListService from the app registration portal}/access_as_user" />
     <add key="TodoListServiceBaseAddress" value="https://localhost:44321/" />
 
   </appSettings>

TodoListClient/TokenCacheHelper.cs

@@ -1,5 +1,29 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
-// Licensed under the MIT License.
+//------------------------------------------------------------------------------
+//
+// Copyright (c) Microsoft Corporation.
+// All rights reserved.
+//
+// This code is licensed under the MIT License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files(the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions :
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+//
+//------------------------------------------------------------------------------
 
 using System.IO;
 using System.Security.Cryptography;
@@ -8,7 +32,8 @@
 namespace TodoListClient
 {
     static class TokenCacheHelper
-    { 
+    {
+ 
         /// <summary>
         /// Path to the token cache
         /// </summary>

TodoListService/App_Start/Startup.Auth.cs

@@ -17,19 +17,21 @@ public partial class Startup
         public void ConfigureAuth(IAppBuilder app)
         {
             // NOTE: The usual WindowsAzureActiveDirectoryBearerAuthentication middleware uses a
-            // metadata endpoint which is not supported by the v2.0 endpoint.  Instead, this 
+            // metadata endpoint which is not supported by the Microsoft identity platform endpoint.  Instead, this 
             // OpenIdConnectSecurityTokenProvider implementation can be used to fetch & use the OpenIdConnect
-            // metadata document - which for the v2 endpoint is https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
+            // metadata document - which for the identity platform endpoint is https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
 
             app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
             {
                 AccessTokenFormat = new JwtFormat(
                     new TokenValidationParameters
                     {
                         // Check if the audience is intended to be this application
-                        ValidAudience = clientId,
+                        ValidAudiences = new [] { clientId, $"api://{clientId}" },
 
                         // Change below to 'true' if you want this Web API to accept tokens issued to one Azure AD tenant only (single-tenant)
+                        // Note that this is a simplification for the quickstart here. You should validate the issuer. For details, 
+                        // see https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore
                         ValidateIssuer = false,
 
                     },