Microsoft.Identity.Web refactor (#272)

* Renamings:
- AddMicrosoftIdentityPlatformAuthentication => AddSignIn
- AddMsal => AddWebAppCallProtectedWebApi

* More renaming for consistency

* Updating the README.md with a breaking changes section

* Attempt to move to pure OIDC and JwtBearer implementation (dropping the comfort AzureAD layers)
This code does not work yet ....

* Raw OIDC configuration suggestion

* missing commit

* Using AzureAD appsettings section

* Experimenting UI as external RazorLibrary project

* fix some comments and namings (#244)

* Removing AzureADOptions class

* Added missing OpenIdConnectOptions binding

Added logic to check if authority has v2.0 before modifying it

* removed Microsoft.AspNetCore.Authentication.AzureAD.UI reference from web project

* reversing testing method

* Commented non-working method

* Partial changes for B2C login

* Fixes for B2C sign-in

* Fixed B2C NameClaimType to "name"

* Renaming2 (#269)

* Renaming GetAccessTokenOnBehalfOfUserAsync into GetAccessTokenForUserAsync
as the OnBehalfOfUser was telling too much about OBO, whereas in the case of a Web App this was not the OBO flow.
* Addressing PR feedback

* New class MicrosoftIdentityOptions, so we can merge AAD and B2C options in the same class

Add AuthorityHelpers
Helper method to check if authority is V2
Helper method to build AAD or B2C AuthorityHelpers
Refactored AddSignIn so parameters shows in a logical order

* Attempt to merge B2C and AAD acquireToken logic

* Allowing multiple OIDC schemes to be configured

* Added B2C ResetPassword and EditProfile in UI project

Added B2C exclusive OIDC event handlers
Fixed 1-5 samples to use Microsoft.Identity.UI project

* Added comments and preparation for PR

* Preparation for PR

* Havin the authority in the appsettings is not mandatory

* Fixed sample 5-1 to use refactored code

* missing commit

* Samples 5-2 to use refactored code

* Moved samesite cookie logic to CookiePolicyOptionsExtensions class

* Gitignore for test project

* Added IsV2Authority tests

* Added license info

* Added BuildAuthority unit tests

* Addressing PR reviews

* Added B2C tests on AadIssuerValidatorTests

* Renaming policy to userFlow

* Fix spelling mistakes

* Added missing error page in UI project

* Addressing PR comments about overwriting custom OIDC and JWT events from the developer

* Fixed MT scenarios

Fixed broken unit test
Added b2c NameClaimType config inside AddSignIn

* Fixed all samples in folder 1 to use refactored code

* Updated all samples to use new code

* Renaming policy to user flow

* Added B2C Password Reset Policy

Added B2C Password Reset Policy ID to app settings.

* Moving Web app calling Web API to its own sub folder

* Jmprieur/webappwebapib2c (#298)

* Experiment for a B2C Web app calling a B2C Web API.
Needs more work.

* Test and fix B2C web app calls web api scenario
Fix issue in AadIssuerValidator when certains claims are not present (ex. policy) in the token
Fix bug w/scopes and scopeKeySection
Send "client_info=1" to request to get client info back from AAD B2C
Add ClientInfo class + methods to pull out the TenantId from the ClientInfo
Add full value to UserFlow as it was not picking up on short version
In TokenAcquisition, check first for b2c and then do null tenant and then tenant specific, was using the wrong authority for b2c previously
Fix bug in determining audience validation

* Fixing missing references

* Uncommenting a needed line

* Fixing a build break

* Fixing the configuration and a problem brought bad a by merge by jmprieur

* add uitid to the claims for b2c

* moving Web app calling Web API with B2C in own folder

* Reading the 4-1-MyOrg folder

* Update README.md

Co-authored-by: jennyf19 <jeferrie@microsoft.com>

* - Cleaned appsettings

- Removed DisallowsSameSiteNone from WebAppServiceCollectionExtensions because it got moved to another class
- Added edit profile button on login bar
- Fixed merge on AuthorizeForScopesAttribute
- Added options.TokenValidationParameters.NameClaimType = "name" on web api Startup to fix todo list

* Added older role claim const

* Added policy on APIs to check for scope 'read'

* Refactored scopes policy

* Renamings and PR comments

* Fixing the failing unit test (because the tenant ID is now retrieved from the issuer) (#302)

Co-authored-by: Jean-Marc Prieur <jmprieur@microsoft.com>
Co-authored-by: jennyf19 <jeferrie@microsoft.com>
Co-authored-by: pmaytak <34331512+pmaytak@users.noreply.github.com>

Author: 4 people

.gitignore

@@ -8,6 +8,10 @@
 /Microsoft.Identity.Web/.vs
 /Microsoft.Identity.Web/bin
 /Microsoft.Identity.Web/obj
+/Microsoft.Identity.Web.UI/.vs
+/Microsoft.Identity.Web.UI/bin
+/Microsoft.Identity.Web.UI/obj
+/Microsoft.Identity.Web.Test/.vs
 /Microsoft.Identity.Web.UI/bin
 /Microsoft.Identity.Web.UI/obj
 /Microsoft.Identity.Web.Test/bin
@@ -37,9 +41,6 @@
 /2-WebApp-graph-user/2-2-TokenCache/.vs
 /2-WebApp-graph-user/2-2-TokenCache/bin
 /2-WebApp-graph-user/2-2-TokenCache/obj
-/2-WebApp-graph-user/2-3-Best-Practices/.vs
-/2-WebApp-graph-user/2-3-Best-Practices/bin
-/2-WebApp-graph-user/2-3-Best-Practices/obj
 /2-WebApp-graph-user/2-3-Multi-Tenant/.vs
 /2-WebApp-graph-user/2-3-Multi-Tenant/bin
 /2-WebApp-graph-user/2-3-Multi-Tenant/obj
@@ -118,6 +119,13 @@
 /4-WebApp-your-API/Client/obj
 /2-WebApp-graph-user/2-4-Sovereign-Call-MSGraph/bin
 /2-WebApp-graph-user/2-4-Sovereign-Call-MSGraph/obj
+/4-WebApp-your-API/4-1-MyOrg/.vs
+/4-WebApp-your-API/4-1-MyOrg/Client/bin
+/4-WebApp-your-API/4-1-MyOrg/Client/obj
+/4-WebApp-your-API/4-1-MyOrg/TodoListService/bin
+/4-WebApp-your-API/4-1-MyOrg/TodoListService/obj
 /4-WebApp-your-API/4-2-B2C/.vs
 /4-WebApp-your-API/4-2-B2C/Client/obj
 /4-WebApp-your-API/4-2-B2C/TodoListService/obj
+/4-WebApp-your-API/4-2-B2C/Client/bin
+/4-WebApp-your-API/4-2-B2C/TodoListService/bin

1-WebApp-OIDC/1-1-MyOrg/README.md

@@ -164,7 +164,7 @@ cd "1-WebApp-OIDC\1-1-MyOrg"
      by this line:
 
      ```CSharp
-      services.AddMicrosoftIdentityPlatformAuthentication(Configuration);
+      services.AddSignIn(Configuration);
      ```
 
      This enables your application to use the Microsoft identity platform endpoint. This endpoint is capable of signing-in users both with their Work and School and Microsoft Personal accounts.

1-WebApp-OIDC/1-1-MyOrg/Startup.cs

@@ -1,4 +1,5 @@
-using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Authentication.OpenIdConnect;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Http;
@@ -7,6 +8,7 @@
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
 using Microsoft.Identity.Web;
+using Microsoft.Identity.Web.UI;
 
 namespace WebApp_OpenIDConnect_DotNet
 {
@@ -32,16 +34,19 @@ public void ConfigureServices(IServiceCollection services)
             });
 
             // Sign-in users with the Microsoft identity platform
-            services.AddMicrosoftIdentityPlatformAuthentication(Configuration);
+            //services.AddSignIn(Configuration);
+            services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
+                .AddSignIn("AzureAD", Configuration, options => Configuration.Bind("AzureAD", options));
 
             services.AddControllersWithViews(options =>
             {
                 var policy = new AuthorizationPolicyBuilder()
                     .RequireAuthenticatedUser()
                     .Build();
                 options.Filters.Add(new AuthorizeFilter(policy));
-            });
-           services.AddRazorPages();
+            }).AddMicrosoftIdentityUI();
+
+            services.AddRazorPages();
         }
 
         // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.

1-WebApp-OIDC/1-1-MyOrg/Views/Shared/_LoginPartial.cshtml

@@ -7,13 +7,13 @@
             <span class="navbar-text text-dark">Hello @User.Identity.Name!</span>
         </li>
         <li class="nav-item">
-            <a class="nav-link text-dark" asp-area="AzureAD" asp-controller="Account" asp-action="SignOut">Sign out</a>
+            <a class="nav-link text-dark" asp-area="MicrosoftIdentity" asp-controller="Account" asp-action="SignOut">Sign out</a>
         </li>
 }
 else
 {
         <li class="nav-item">
-            <a class="nav-link text-dark" asp-area="AzureAD" asp-controller="Account" asp-action="SignIn">Sign in</a>
+            <a class="nav-link text-dark" asp-area="MicrosoftIdentity" asp-controller="Account" asp-action="SignIn">Sign in</a>
         </li>
 }
 </ul>

1-WebApp-OIDC/1-1-MyOrg/WebApp-OpenIDConnect-DotNet.csproj

@@ -19,10 +19,17 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.Authentication.AzureAD.UI" Version="3.0.0" />
+    <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="3.0.0" />
+    <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="3.0.0">
+      <PrivateAssets>all</PrivateAssets>
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+    </PackageReference>
+    <PackageReference Include="Microsoft.Extensions.Logging.Debug" Version="3.0.0" />
+    <PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="3.0.0" />
   </ItemGroup>
 
   <ItemGroup>
+    <ProjectReference Include="..\..\Microsoft.Identity.Web.UI\Microsoft.Identity.Web.UI.csproj" />
     <ProjectReference Include="..\..\Microsoft.Identity.Web\Microsoft.Identity.Web.csproj" />
   </ItemGroup>
 

1-WebApp-OIDC/1-1-MyOrg/WebApp-OpenIDConnect-DotNet.sln

@@ -1,12 +1,14 @@
 
 Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio 15
-VisualStudioVersion = 15.0.27130.2027
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.29519.87
 MinimumVisualStudioVersion = 10.0.40219.1
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "WebApp-OpenIDConnect-DotNet", "WebApp-OpenIDConnect-DotNet.csproj", "{8DCFEEC2-0A85-4C7E-B96A-21C9184470B1}"
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.Identity.Web", "..\..\Microsoft.Identity.Web\Microsoft.Identity.Web.csproj", "{E0CEF26A-6CE6-4505-851B-6580D5564752}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.Identity.Web.UI", "..\..\Microsoft.Identity.Web.UI\Microsoft.Identity.Web.UI.csproj", "{57CF1884-743D-4BF3-B14B-4F8660469038}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -21,6 +23,10 @@ Global
 		{E0CEF26A-6CE6-4505-851B-6580D5564752}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{E0CEF26A-6CE6-4505-851B-6580D5564752}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{E0CEF26A-6CE6-4505-851B-6580D5564752}.Release|Any CPU.Build.0 = Release|Any CPU
+		{57CF1884-743D-4BF3-B14B-4F8660469038}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{57CF1884-743D-4BF3-B14B-4F8660469038}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{57CF1884-743D-4BF3-B14B-4F8660469038}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{57CF1884-743D-4BF3-B14B-4F8660469038}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE

1-WebApp-OIDC/1-1-MyOrg/appsettings.json

@@ -1,18 +1,18 @@
-{
-  "AzureAd": {
-    "Instance": "https://login.microsoftonline.com/",
-    "Domain": "[Enter the domain of your tenant, e.g. contoso.onmicrosoft.com]",
-    "TenantId": "[Enter 'common', or 'organizations' or the Tenant Id (Obtained from the Azure portal. Select 'Endpoints' from the 'App registrations' blade and use the GUID in any of the URLs), e.g. da41245a5-11b3-996c-00a8-4d99re19f292]",
-    "ClientId": "[Enter the Client Id (Application ID obtained from the Azure portal), e.g. ba74781c2-53c2-442a-97c2-3d60re42f403]",
-    "CallbackPath": "/signin-oidc",
-    "SignedOutCallbackPath ": "/signout-callback-oidc"
-  },
-  "Logging": {
-    "LogLevel": {
-      "Default": "Information",
-      "Microsoft": "Warning",
-      "Microsoft.Hosting.Lifetime": "Information"
-    }
-  },
-  "AllowedHosts": "*"
+{
+    "AzureAd": {
+        "Instance": "https://login.microsoftonline.com/",
+        "Domain": "[Enter the domain of your tenant, e.g. contoso.onmicrosoft.com]",
+        "TenantId": "[Enter 'common', or 'organizations' or the Tenant Id (Obtained from the Azure portal. Select 'Endpoints' from the 'App registrations' blade and use the GUID in any of the URLs), e.g. da41245a5-11b3-996c-00a8-4d99re19f292]",
+        "ClientId": "[Enter the Client Id (Application ID obtained from the Azure portal), e.g. ba74781c2-53c2-442a-97c2-3d60re42f403]",
+        "CallbackPath": "/signin-oidc",
+        "SignedOutCallbackPath ": "/signout-callback-oidc"
+    },
+    "Logging": {
+        "LogLevel": {
+            "Default": "Information",
+            "Microsoft": "Warning",
+            "Microsoft.Hosting.Lifetime": "Information"
+        }
+    },
+    "AllowedHosts": "*"
 }

1-WebApp-OIDC/1-2-AnyOrg/README-1-1-to-1-2.md

@@ -57,14 +57,14 @@ The actual sign-in audience (accounts to sign-in) is the lowest set of what is s
 
 In order to restrict users from specific organizations from signing-in to your web app, you'll need to customize your code a bit more to restrict issuers. In Azure AD, the token issuers are the Azure AD tenants which issue tokens to applications.
 
-In the `Startup.cs` file, in the `ConfigureServices` method, after `services.AddMicrosoftIdentityPlatformAuthentication(Configuration)` add some code to filter  issuers by overriding the `TokenValidationParameters.IssuerValidator` delegate.
+In the `Startup.cs` file, in the `ConfigureServices` method, after `services.AddSignIn(Configuration)` add some code to validate specific issuers by overriding the `TokenValidationParameters.IssuerValidator` delegate.
 
 ```CSharp
     public void ConfigureServices(IServiceCollection services)
     {
     ...
     // Sign-in users with the Microsoft identity platform
-    services.AddMicrosoftIdentityPlatformAuthentication(Configuration);
+    services.AddSignIn(Configuration);
 
     // Restrict users to specific belonging to specific tenants
     services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>

1-WebApp-OIDC/1-2-AnyOrg/README.md

@@ -156,7 +156,7 @@ cd "1-WebApp-OIDC\1-2-AnyOrg"
      by this line:
 
      ```CSharp
-      services.AddMicrosoftIdentityPlatformAuthentication(Configuration);
+      services.AddSignIn(Configuration);
      ```
 
      This enables your application to use the Microsoft identity platform endpoint. This endpoint is capable of signing-in users both with their Work and School and Microsoft Personal accounts.

1-WebApp-OIDC/1-2-AnyOrg/Startup.cs

@@ -1,4 +1,5 @@
-using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Authentication.OpenIdConnect;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Http;
@@ -7,6 +8,7 @@
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
 using Microsoft.Identity.Web;
+using Microsoft.Identity.Web.UI;
 
 namespace WebApp_OpenIDConnect_DotNet
 {
@@ -32,15 +34,17 @@ public void ConfigureServices(IServiceCollection services)
             });
 
             // Sign-in users with the Microsoft identity platform
-            services.AddMicrosoftIdentityPlatformAuthentication(Configuration);
+            services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
+                .AddSignIn("AzureAD", Configuration, options => Configuration.Bind("AzureAD", options));
 
             services.AddControllersWithViews(options =>
             {
                 var policy = new AuthorizationPolicyBuilder()
                     .RequireAuthenticatedUser()
                     .Build();
                 options.Filters.Add(new AuthorizeFilter(policy));
-            });
+            }).AddMicrosoftIdentityUI();
+
            services.AddRazorPages();
         }