Update 2018 to add and check scopes

Author: andretms

NativeClient-DotNet.sln

@@ -1,12 +1,17 @@
 
 Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio 2013
-VisualStudioVersion = 12.0.21005.1
+# Visual Studio 15
+VisualStudioVersion = 15.0.27130.2027
 MinimumVisualStudioVersion = 10.0.40219.1
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "TodoListService", "TodoListService\TodoListService.csproj", "{047CDEF7-D5BA-4B1E-9748-910B610CCA51}"
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "TodoListClient", "TodoListClient\TodoListClient.csproj", "{005E6BB1-F422-4366-B548-1BDE150F0073}"
 EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{45D9F709-B54B-446B-9837-0052C0B5E75F}"
+	ProjectSection(SolutionItems) = preProject
+		README.md = README.md
+	EndProjectSection
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -25,4 +30,7 @@ Global
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
 	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {AFF3D3FB-F054-4729-802D-F148E1224E7D}
+	EndGlobalSection
 EndGlobal

TodoListClient/App.config

@@ -6,9 +6,10 @@
   <appSettings>
     <!-- ida:Client is a GUID representing the Application Id for the TodoListClient app that you copied from
          the App Registration Portal (https://apps.dev.microsoft.com) -->
+
     <add key="ida:ClientId" value="{Enter the Application Id that you copied from the App Registration Portal.}" />
 
-    <!-- todo:Scope is either:
+    <!-- TodoListServiceScope is either:
      - the same as ida:ClientId, as V2 apps enable several platforms for a same application (a GUID)
      - or otherwise the scope of the Web API created with aht App Registration portal, for instance api://[V2-WebApi-AppId]/access_as_user
        where [V2-WebApi-AppId] is a GUID representing the Application ID of the Web API.
@@ -17,8 +18,9 @@
        In that case (V1 app), the Authority used to build the PubliClientApplication in MainWindow.xaml.cs should be set to 
        "https://login.microsoftonline.com/organizations/" instead of "https://login.microsoftonline.com/common/"
     -->
-    <add key="todo:Scope" value="{Enter the scope of the Web API, as copied from the App Registration Portal, for instance api://[WebApi-AppId]/access_as_user where [WebApi-AppId] is a GUID" />
-  
-    <add key="todo:TodoListBaseAddress" value="https://localhost:44321/" />
+
+    <add key="TodoListServiceScope" value="{Enter the Application Id of your TodoListService from the app registration portal}" />
+    <add key="TodoListServiceBaseAddress" value="https://localhost:44321/" />
+
   </appSettings>
 </configuration>

TodoListClient/MainWindow.xaml.cs

@@ -39,28 +39,26 @@ public partial class MainWindow : Window
         // The Authority is the sign-in URL.
 
 
-        private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
+        private string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
+        
+        // The todoListServiceBaseAddress is the address of your Web API
+        private string todoListServiceBaseAddress = ConfigurationManager.AppSettings["TodoListServiceBaseAddress"];
+        private string todoListServiceScope = ConfigurationManager.AppSettings["TodoListServiceScope"];
 
-        // The todoListBaseAddress is the address of your Web API
-        private static string todoListBaseAddress = ConfigurationManager.AppSettings["todo:TodoListBaseAddress"];
-        private static string todoListScope = ConfigurationManager.AppSettings["todo:Scope"];
 
         private HttpClient httpClient = new HttpClient();
         private PublicClientApplication app = null;
 
-        private string[] Scopes
-        {
-            get
-            {
-                return new string[] { todoListScope };
-            }
-        }
+        private string[] Scopes = null;
+        
         protected override async void OnInitialized(EventArgs e)
         {
             base.OnInitialized(e);
 
+            Scopes = new string[] {todoListServiceScope};
+
             // Initialize the PublicClientApplication
-            app = new PublicClientApplication(clientId, "https://login.microsoftonline.com/common/", TokenCacheHelper.GetUserCache());
+            app = new PublicClientApplication(clientId, "https://login.microsoftonline.com/common/v2.0", TokenCacheHelper.GetUserCache());
             AuthenticationResult result = null;
 
             // TODO: Check if the user is already signed in. 
@@ -155,7 +153,7 @@ private async void GetTodoList()
             httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
 
             // Call the To Do list service.
-            HttpResponseMessage response = await httpClient.GetAsync(todoListBaseAddress + "/api/todolist");
+            HttpResponseMessage response = await httpClient.GetAsync(todoListServiceBaseAddress + "/api/todolist");
 
             if (response.IsSuccessStatusCode)
             {
@@ -211,7 +209,7 @@ private async void AddTodoItem(object sender, RoutedEventArgs e)
             httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
 
             HttpContent content = new FormUrlEncodedContent(new[] { new KeyValuePair<string, string>("Title", TodoText.Text) });
-            HttpResponseMessage response = await httpClient.PostAsync(todoListBaseAddress + "/api/todolist", content);
+            HttpResponseMessage response = await httpClient.PostAsync(todoListServiceBaseAddress + "/api/todolist", content);
 
             if (response.IsSuccessStatusCode)
             {

…IdConnectCachingSecurityTokenProvider.cs …rt/OpenIdConnectSecurityTokenProvider.csTodoListService/App_Start/OpenIdConnectCachingSecurityTokenProvider.cs renamed to TodoListService/App_Start/OpenIdConnectSecurityTokenProvider.cs TodoListService/App_Start/OpenIdConnectCachingSecurityTokenProvider.cs renamed to TodoListService/App_Start/OpenIdConnectSecurityTokenProvider.cs

@@ -1,28 +1,27 @@
-using Microsoft.IdentityModel.Protocols;
-using Microsoft.Owin.Security.Jwt;
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Text;
-using System.Threading;
-using System.Threading.Tasks;
+using System.Collections.Generic;
 using System.IdentityModel.Tokens;
+using System.Threading;
+using Microsoft.IdentityModel.Protocols;
+using Microsoft.Owin.Security.Jwt;
 
-namespace TodoListService.App_Start
+namespace TodoListService
 {
-    public class OpenIdConnectCachingSecurityTokenProvider : IIssuerSecurityTokenProvider
+    // This class is necessary because the OAuthBearer Middleware does not leverage
+    // the OpenID Connect metadata endpoint exposed by the STS by default.
+
+    public class OpenIdConnectSecurityTokenProvider : IIssuerSecurityTokenProvider
     {
-        public ConfigurationManager<OpenIdConnectConfiguration> _configManager;
+        public ConfigurationManager<OpenIdConnectConfiguration> ConfigManager;
         private string _issuer;
         private IEnumerable<SecurityToken> _tokens;
         private readonly string _metadataEndpoint;
 
         private readonly ReaderWriterLockSlim _synclock = new ReaderWriterLockSlim();
 
-        public OpenIdConnectCachingSecurityTokenProvider(string metadataEndpoint)
+        public OpenIdConnectSecurityTokenProvider(string metadataEndpoint)
         {
             _metadataEndpoint = metadataEndpoint;
-            _configManager = new ConfigurationManager<OpenIdConnectConfiguration>(metadataEndpoint);
+            ConfigManager = new ConfigurationManager<OpenIdConnectConfiguration>(metadataEndpoint);
 
             RetrieveMetadata();
         }
@@ -78,7 +77,7 @@ private void RetrieveMetadata()
             _synclock.EnterWriteLock();
             try
             {
-                OpenIdConnectConfiguration config = _configManager.GetConfigurationAsync().Result;
+                OpenIdConnectConfiguration config = ConfigManager.GetConfigurationAsync().Result;
                 _issuer = config.Issuer;
                 _tokens = config.SigningTokens;
             }

TodoListService/App_Start/Startup.Auth.cs

@@ -5,40 +5,36 @@
 using Microsoft.Owin.Security;
 using Owin;
 using System.IdentityModel.Tokens;
-using TodoListService.App_Start;
 using Microsoft.Owin.Security.Jwt;
 using Microsoft.Owin.Security.OAuth;
 
 namespace TodoListService
 {
     public partial class Startup
     {
-        private static string audience = ConfigurationManager.AppSettings["ida:Audience"];
+        private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
 
         public void ConfigureAuth(IAppBuilder app)
         {
-            var tvps = new TokenValidationParameters
-            {
-                ValidAudience = audience,
-
-                // In a real applicaiton, you might use issuer validation to
-                // verify that the user's organization (if applicable) has 
-                // signed up for the app.  Here, we'll just turn it off.
-                ValidateIssuer = false,
-            };
-
-            // Set up the OWIN auth pipeline to use OAuth 2.0 Bearer authentication.
-            // The options provided here tell the middleware about the type of tokens
-            // that will be recieved, which are JWTs for the v2.0 endpoint.
-
-            // NOTE: The usual WindowsAzureActiveDirectoryBearerAuthenticaitonMiddleware uses a
+            // NOTE: The usual WindowsAzureActiveDirectoryBearerAuthentication middleware uses a
             // metadata endpoint which is not supported by the v2.0 endpoint.  Instead, this 
-            // OpenIdConenctCachingSecurityTokenProvider can be used to fetch & use the OpenIdConnect
-            // metadata document.
+            // OpenIdConnectSecurityTokenProvider implementation can be used to fetch & use the OpenIdConnect
+            // metadata document - which for the v2 endpoint is https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
 
             app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
             {
-                AccessTokenFormat = new Microsoft.Owin.Security.Jwt.JwtFormat(tvps, new OpenIdConnectCachingSecurityTokenProvider("https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration")),
+                AccessTokenFormat = new JwtFormat(
+                    new TokenValidationParameters
+                    {
+                        // Check if the audience is intended to be this application
+                        ValidAudience = clientId,
+
+                        // Change below to 'true' if you want this Web API to accept tokens issued to one Azure AD tenant only (single-tenant)
+                        ValidateIssuer = false,
+
+                    },
+                    new OpenIdConnectSecurityTokenProvider("https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration")
+                ),
             });
         }
     }

TodoListService/Controllers/TodoListController.cs

@@ -36,14 +36,40 @@ public class TodoListController : ApiController
         //
         static ConcurrentBag<TodoItem> todoBag = new ConcurrentBag<TodoItem>();
 
+        private ClaimsIdentity userClaims;
+
+        public TodoListController()
+        {
+            userClaims = User.Identity as ClaimsIdentity;
+        }
+
+        /// <summary>
+        /// Assure the presence of a scope claim containing a specific scope (i.e. access_as_user)
+        /// </summary>
+        /// <param name="scopeName">The name of the scope</param>
+        private void CheckAccessTokenScope(string scopeName)
+        {
+            // Make sure access_as_user scope is present
+            string scopeClaimValue = userClaims.FindFirst("http://schemas.microsoft.com/identity/claims/scope")?.Value;
+            if (!string.Equals(scopeClaimValue, scopeName, StringComparison.InvariantCultureIgnoreCase))
+            {
+                throw new HttpResponseException(new HttpResponseMessage(HttpStatusCode.Forbidden)
+                {
+                    ReasonPhrase = @"Please request an access token to scope '{scopeName}'"
+                });
+            }
+        }
+
         // GET api/todolist
         public IEnumerable<TodoItem> Get()
         {
+            CheckAccessTokenScope("access_as_user");
+            
             // You can use the ClaimsPrincipal to access information about the
             // user making the call.  In this case, we use the 'sub' or
             // NameIdentifier claim to serve as a key for the tasks in the data store.
-			// the NameIdentififier claim contains an immutable, unique identifier for the use
-
+            // the NameIdentififier claim contains an immutable, unique identifier for the use
+            
             Claim subject = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier);
 
             return from todo in todoBag
@@ -54,6 +80,8 @@ public IEnumerable<TodoItem> Get()
         // POST api/todolist
         public void Post(TodoItem todo)
         {
+            CheckAccessTokenScope("access_as_user");
+
             if (null != todo && !string.IsNullOrWhiteSpace(todo.Title))
             {
                 todoBag.Add(new TodoItem { Title = todo.Title, Owner = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier).Value });

TodoListService/Controllers/ValuesController.cs

@@ -143,7 +143,7 @@
   <ItemGroup>
     <Compile Include="App_Start\BundleConfig.cs" />
     <Compile Include="App_Start\FilterConfig.cs" />
-    <Compile Include="App_Start\OpenIdConnectCachingSecurityTokenProvider.cs" />
+    <Compile Include="App_Start\OpenIdConnectSecurityTokenProvider.cs" />
     <Compile Include="App_Start\RouteConfig.cs" />
     <Compile Include="App_Start\Startup.Auth.cs" />
     <Compile Include="App_Start\WebApiConfig.cs" />
@@ -177,7 +177,6 @@
     <Compile Include="Areas\HelpPage\XmlDocumentationProvider.cs" />
     <Compile Include="Controllers\HomeController.cs" />
     <Compile Include="Controllers\TodoListController.cs" />
-    <Compile Include="Controllers\ValuesController.cs" />
     <Compile Include="Global.asax.cs">
       <DependentUpon>Global.asax</DependentUpon>
     </Compile>

TodoListService/TodoListService.csproj

@@ -9,7 +9,7 @@
     <add key="webpages:Enabled" value="false" />
     <add key="ClientValidationEnabled" value="true" />
     <add key="UnobtrusiveJavaScriptEnabled" value="true" />
-    <add key="ida:Audience" value="{Enter the Application Id that you copied from the App Registration Portal.}" /> 
+    <add key="ida:ClientId" value="{Enter the Application Id that you copied from the App Registration Portal.}" /> 
   </appSettings>
   <system.web>
     <compilation debug="true" targetFramework="4.5" />