c3s2 ready

Author: derisen

1-Authentication/2-sign-in-b2c/SPA/src/app/app.module.ts

@@ -14,7 +14,7 @@ import { HomeComponent } from './home/home.component';
 import { GuardedComponent } from './guarded/guarded.component';
 
 import { HttpClientModule } from '@angular/common/http';
-import { IPublicClientApplication, PublicClientApplication, InteractionType, BrowserCacheLocation, LogLevel } from '@azure/msal-browser';
+import { IPublicClientApplication, PublicClientApplication, InteractionType } from '@azure/msal-browser';
 import { MsalGuard, MsalBroadcastService, MsalModule, MsalService, MSAL_GUARD_CONFIG, MSAL_INSTANCE, MsalGuardConfiguration, MsalRedirectComponent } from '@azure/msal-angular';
 
 import { msalConfig } from './auth-config';

3-Authorization-II/1-call-api/README-incremental.md

@@ -19,10 +19,8 @@ This sample demonstrates an Angular single-page application (SPA) calling a ASP.
 
 ## Scenario
 
-- The client Angular SPA uses [MSAL Angular](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-angular) to sign-in a user.
-- The app then obtains an [access token](https://docs.microsoft.com/azure/active-directory/develop/access-tokens) from **Azure AD** for the signed-in user.
-- The **access token** is then used to authorize the call to the service .NET Core web API.
-- .NET Core web API uses *M.I.W* to protect its endpoint and accept authorized calls.
+1. The client Angular SPA uses **MSAL Angular** to sign-in and obtain a JWT access token from **Azure AD**.
+2. The access token is used as a bearer token to authorize the user to call the .NET Core web API protected by **Azure AD**.
 
 ![Topology](./ReadmeFiles/topology.png)
 
@@ -43,7 +41,7 @@ This sample demonstrates an Angular single-page application (SPA) calling a ASP.
 
 ```console
  cd ms-identity-javascript-angular-tutorial
- cd 3-Authorization-II/API
+ cd 3-Authorization-II/1-call-api/API
  dotnet restore
 ```
 
@@ -154,7 +152,7 @@ Open the project in your IDE to configure the code.
 1. Open the `SPA\src\app\auth-config.ts` file.
 1. Find the key `Enter_the_Application_Id_Here` and replace the existing value with the application ID (clientId) of `msal-angular-spa` app copied from the Azure Portal.
 1. Find the key `Enter_the_Tenant_Info_Here` and replace the existing value with your Azure AD tenant ID.
-1. Find the key `Enter_the_Web_Api_Scope_here` and replace the existing value with *scope* you created earlier `api://{clientId}/access_as_user`.
+1. Find the key `Enter_the_Web_Api_Scope_here` and replace the existing value with *scope* you created earlier e.g. `api://{clientId}/access_as_user`.
 
 ## Run the sample
 

3-Authorization-II/1-call-api/README.md

@@ -19,10 +19,8 @@ This sample demonstrates an Angular single-page application (SPA) calling a ASP.
 
 ## Scenario
 
-- The client Angular SPA uses [MSAL Angular](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-angular) to sign-in a user.
-- The app then obtains an [access token](https://docs.microsoft.com/azure/active-directory/develop/access-tokens) from **Azure AD** for the signed-in user.
-- The **access token** is then used to authorize the call to the service .NET Core web API.
-- .NET Core web API uses *M.I.W* to protect its endpoint and accept authorized calls.
+1. The client Angular SPA uses **MSAL Angular** to sign-in and obtain a JWT access token from **Azure AD**.
+2. The access token is used as a bearer token to authorize the user to call the .NET Core web API protected by **Azure AD**.
 
 ![Topology](./ReadmeFiles/topology.png)
 
@@ -59,7 +57,7 @@ or download and extract the repository .zip file.
 
 ```console
  cd ms-identity-javascript-angular-tutorial
- cd 3-Authorization-II/API
+ cd 3-Authorization-II/1-call-api/API
  dotnet restore
 ```
 
@@ -176,7 +174,7 @@ Open the project in your IDE to configure the code.
 1. Open the `SPA\src\app\auth-config.ts` file.
 1. Find the key `Enter_the_Application_Id_Here` and replace the existing value with the application ID (clientId) of `msal-angular-spa` app copied from the Azure Portal.
 1. Find the key `Enter_the_Tenant_Info_Here` and replace the existing value with your Azure AD tenant ID.
-1. Find the key `Enter_the_Web_Api_Scope_here` and replace the existing value with *scope* you created earlier `api://{clientId}/access_as_user`.
+1. Find the key `Enter_the_Web_Api_Scope_here` and replace the existing value with *scope* you created earlier e.g. `api://{clientId}/access_as_user`.
 
 ## Run the sample
 

3-Authorization-II/2-call-api-b2c/API/Controllers/TodoListController.cs

@@ -0,0 +1,130 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.EntityFrameworkCore;
+using TodoListAPI.Models;
+using System.Security.Claims;
+using Microsoft.Identity.Web.Resource;
+
+namespace TodoListAPI.Controllers
+{
+ [Authorize]
+ [Route("api/[controller]")]
+ [ApiController]
+ public class TodoListController : ControllerBase
+ {
+ // The Web API will only accept tokens 1) for users, and 
+ // 2) having the access_as_user scope for this API
+ static readonly string[] scopeRequiredByApi = new string[] { "demo.read" };
+
+ private readonly TodoContext _context;
+
+ public TodoListController(TodoContext context)
+ {
+ _context = context;
+ }
+
+ // GET: api/TodoItems
+ [HttpGet]
+ public async Task<ActionResult<IEnumerable<TodoItem>>> GetTodoItems()
+ {
+ HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);
+ string owner = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
+ return await _context.TodoItems.Where(item => item.Owner == owner).ToListAsync();
+ }
+
+ // GET: api/TodoItems/5
+ [HttpGet("{id}")]
+ public async Task<ActionResult<TodoItem>> GetTodoItem(int id)
+ {
+ HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);
+ 
+ var todoItem = await _context.TodoItems.FindAsync(id);
+
+ if (todoItem == null)
+ {
+ return NotFound();
+ }
+
+ return todoItem;
+ }
+
+ // PUT: api/TodoItems/5
+ // To protect from overposting attacks, please enable the specific properties you want to bind to, for
+ // more details see https://aka.ms/RazorPagesCRUD.
+ [HttpPut("{id}")]
+ public async Task<IActionResult> PutTodoItem(int id, TodoItem todoItem)
+ {
+ HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);
+
+ if (id != todoItem.Id)
+ {
+ return BadRequest();
+ }
+
+ _context.Entry(todoItem).State = EntityState.Modified;
+
+ try
+ {
+ await _context.SaveChangesAsync();
+ }
+ catch (DbUpdateConcurrencyException)
+ {
+ if (!TodoItemExists(id))
+ {
+ return NotFound();
+ }
+ else
+ {
+ throw;
+ }
+ }
+
+ return NoContent();
+ }
+
+ // POST: api/TodoItems
+ // To protect from overposting attacks, please enable the specific properties you want to bind to, for
+ // more details see https://aka.ms/RazorPagesCRUD.
+ [HttpPost]
+ public async Task<ActionResult<TodoItem>> PostTodoItem(TodoItem todoItem)
+ {
+ HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);
+ string owner = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
+ todoItem.Owner = owner;
+ todoItem.Status = false;
+
+ _context.TodoItems.Add(todoItem);
+ await _context.SaveChangesAsync();
+
+ return CreatedAtAction("GetTodoItem", new { id = todoItem.Id }, todoItem);
+ }
+
+ // DELETE: api/TodoItems/5
+ [HttpDelete("{id}")]
+ public async Task<ActionResult<TodoItem>> DeleteTodoItem(int id)
+ {
+ HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);
+
+ var todoItem = await _context.TodoItems.FindAsync(id);
+ if (todoItem == null)
+ {
+ return NotFound();
+ }
+
+ _context.TodoItems.Remove(todoItem);
+ await _context.SaveChangesAsync();
+
+ return todoItem;
+ }
+
+ private bool TodoItemExists(int id)
+ {
+ return _context.TodoItems.Any(e => e.Id == id);
+ }
+ }
+}

3-Authorization-II/2-call-api-b2c/API/Models/TodoContext.cs

@@ -0,0 +1,15 @@
+using Microsoft.EntityFrameworkCore;
+
+namespace TodoListAPI.Models
+{
+ public class TodoContext : DbContext
+ {
+ public TodoContext(DbContextOptions<TodoContext> options)
+ : base(options)
+ {
+
+ }
+
+ public DbSet<TodoItem> TodoItems { get; set; }
+ }
+}

3-Authorization-II/2-call-api-b2c/API/Models/TodoItem.cs

@@ -0,0 +1,18 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System.ComponentModel.DataAnnotations;
+using System.ComponentModel.DataAnnotations.Schema;
+
+namespace TodoListAPI.Models
+{
+ public class TodoItem
+ {
+ [Key]
+ [DatabaseGenerated(DatabaseGeneratedOption.Identity)]
+ public int Id { get; set; }
+ public string Owner { get; set; }
+ public string Description { get; set; }
+ public bool Status { get; set; }
+ }
+}

3-Authorization-II/2-call-api-b2c/API/Program.cs

@@ -0,0 +1,21 @@
+
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.Extensions.Hosting;
+
+namespace TodoListAPI
+{
+ public class Program
+ {
+ public static void Main(string[] args)
+ {
+ CreateHostBuilder(args).Build().Run();
+ }
+
+ public static IHostBuilder CreateHostBuilder(string[] args) =>
+ Host.CreateDefaultBuilder(args)
+ .ConfigureWebHostDefaults(webBuilder =>
+ {
+ webBuilder.UseStartup<Startup>();
+ });
+ }
+}

3-Authorization-II/2-call-api-b2c/API/Properties/launchSettings.json

@@ -0,0 +1,30 @@
+{
+ "$schema": "http://json.schemastore.org/launchsettings.json",
+ "iisSettings": {
+ "windowsAuthentication": false,
+ "anonymousAuthentication": true,
+ "iisExpress": {
+ "applicationUrl": "https://localhost:44351",
+ "sslPort": 44351
+ }
+ },
+ "profiles": {
+ "IIS Express": {
+ "commandName": "IISExpress",
+ "launchBrowser": true,
+ "launchUrl": "https://localhost:44351/api/todolist",
+ "environmentVariables": {
+ "ASPNETCORE_ENVIRONMENT": "Development"
+ }
+ },
+ "TodoListAPI": {
+ "commandName": "Project",
+ "launchBrowser": true,
+ "environmentVariables": {
+ "ASPNETCORE_ENVIRONMENT": "Development"
+ },
+ "applicationUrl": "https://localhost:44351/",
+ "sslPort": 44351
+ }
+ }
+}

3-Authorization-II/2-call-api-b2c/API/Startup.cs

@@ -0,0 +1,82 @@
+
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Identity.Web;
+using TodoListAPI.Models;
+using Microsoft.AspNetCore.Authentication.JwtBearer;
+
+namespace TodoListAPI
+{
+ public class Startup
+ {
+ public Startup(IConfiguration configuration)
+ {
+ Configuration = configuration;
+ }
+
+ public IConfiguration Configuration { get; }
+
+ // This method gets called by the runtime. Use this method to add services to the container.
+ public void ConfigureServices(IServiceCollection services)
+ {
+ 
+ // Adds Microsoft Identity platform (AAD v2.0) support to protect this Api
+ services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
+ .AddMicrosoftIdentityWebApi(options =>
+ {
+ Configuration.Bind("AzureAdB2C", options);
+
+ options.TokenValidationParameters.NameClaimType = "name";
+ },
+ options => { Configuration.Bind("AzureAdB2C", options); });
+
+ // Creating policies that wraps the authorization requirements
+ services.AddAuthorization();
+
+ services.AddDbContext<TodoContext>(opt => opt.UseInMemoryDatabase("TodoList"));
+
+ services.AddControllers();
+ 
+ // Allowing CORS for all domains and methods for the purpose of the sample
+ // In production, modify this with the actual domains you want to allow
+ services.AddCors(o => o.AddPolicy("default", builder =>
+ {
+ builder.AllowAnyOrigin()
+ .AllowAnyMethod()
+ .AllowAnyHeader();
+ }));
+ }
+
+ // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
+ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
+ {
+ if (env.IsDevelopment())
+ {
+ // Since IdentityModel version 5.2.1 (or since Microsoft.AspNetCore.Authentication.JwtBearer version 2.2.0),
+ // Personal Identifiable Information is not written to the logs by default, to be compliant with GDPR.
+ // For debugging/development purposes, one can enable additional detail in exceptions by setting IdentityModelEventSource.ShowPII to true.
+ // Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;
+ app.UseDeveloperExceptionPage();
+ }
+ else
+ {
+ // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
+ app.UseHsts();
+ }
+
+ app.UseCors("default");
+ app.UseHttpsRedirection();
+ app.UseRouting();
+ app.UseAuthentication();
+ app.UseAuthorization();
+ app.UseEndpoints(endpoints =>
+ {
+ endpoints.MapControllers();
+ });
+ }
+ }
+}

3-Authorization-II/2-call-api-b2c/API/TodoListAPI.csproj

@@ -0,0 +1,22 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+ <PropertyGroup>
+ <TargetFramework>netcoreapp3.1</TargetFramework>
+ <UserSecretsId>aspnet-TodoListAPI-BA938C29-8BAB-4664-A688-8FD54049C1C3</UserSecretsId>
+ <WebProject_DirectoryAccessLevelKey>1</WebProject_DirectoryAccessLevelKey>
+ </PropertyGroup>
+
+ <ItemGroup>
+ <PackageReference Include="Microsoft.EntityFrameworkCore" Version="3.1.9" />
+ <PackageReference Include="Microsoft.EntityFrameworkCore.InMemory" Version="3.1.9" />
+ <PackageReference Include="Microsoft.EntityFrameworkCore.Sqlite" Version="3.1.9" />
+ <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="3.1.9">
+ <PrivateAssets>all</PrivateAssets>
+ <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+ </PackageReference>
+ <PackageReference Include="Microsoft.Identity.Web" Version="1.8.0" />
+ <PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="3.1.4" />
+ <PackageReference Include="Microsoft.AspNetCore.Mvc.Razor.RuntimeCompilation" Version="3.1.9" Condition="'$(Configuration)' == 'Debug'" />
+ </ItemGroup>
+
+</Project>