update graph api endpoint for fetching groups

Author: derisen

5-AccessControl/2-call-api-groups/API/TodoListAPI/Services/GraphHelper.cs

@@ -62,16 +62,8 @@ public static async Task ProcessAnyGroupsOverage(TokenValidatedContext context,
  // Remove any existing 'groups' claim
  RemoveExistingGroupsClaims(identity);
 
- // Re-populate the `groups` claim with the complete list of groups fetched from MS Graph
- foreach (var group in usergroups)
- {
- // The following code adds group ids to the 'groups' claim. But depending upon your requirement and the format of the 'groups' claim selected in
- // the app registration, you might want to add other attributes than id to the `groups` claim, examples being;
-
- // For instance if the required format is 'NetBIOSDomain\sAMAccountName' then the code is as commented below:
- // identity.AddClaim(new Claim("groups", group.OnPremisesNetBiosName+"\\"+group.OnPremisesSamAccountName));
- identity.AddClaim(new Claim("groups", group));
- }
+ // And re-populate
+ RepopulateGroupsClaim(usergroups, identity);
 
  // Here we add the groups in a cache variable so that calls to Graph can be minimized to fetch all the groups for a user.
  // IMPORTANT: Group list is cached for 1 hr by default, and thus cached groups will miss any changes to a users group membership for this duration.
@@ -109,7 +101,7 @@ private static bool IsAccessToken(ClaimsIdentity identity)
  /// <param name="context">TokenValidatedContext</param>
  private static async Task<List<string>> ProcessUserGroupsForOverage(TokenValidatedContext context, List<string> requiredGroupIds)
  {
- var allgroups = new List<Group>();
+ var allgroups = new List<string>();
 
  try
  {
@@ -135,55 +127,42 @@ private static async Task<List<string>> ProcessUserGroupsForOverage(TokenValidat
  context.HttpContext.Items.Add(Cached_Graph_Token_Key, context.SecurityToken as JwtSecurityToken);
  }
 
- // MS Graph call to fetch the entire set of group membership..
-
- // The properties that we want to retrieve from MemberOf endpoint.
- string select = "id,displayName,onPremisesNetBiosName,onPremisesDomainName,onPremisesSamAccountNameonPremisesSecurityIdentifier";
-
- IUserMemberOfCollectionWithReferencesPage memberPage = new UserMemberOfCollectionWithReferencesPage();
-
  try
  {
  // Request to get groups and directory roles that the user is a direct member of.
- memberPage = await graphClient.Me.MemberOf.Request().Select(select).GetAsync().ConfigureAwait(false);
- }
- catch (Exception graphEx)
- {
- var exMsg = graphEx.InnerException != null ? graphEx.InnerException.Message : graphEx.Message;
- Debug.WriteLine("Call to Microsoft Graph failed: " + exMsg);
- }
+ var memberPage = await graphClient.Me.CheckMemberGroups(requiredGroupIds).Request().PostAsync().ConfigureAwait(false);
+ allgroups = memberPage.ToList<string>();
 
- if (memberPage?.Count > 0)
- {
- // There is a limit to number of groups returned in a page, so the method below make further calls to Microsoft graph to get all the groups.
- allgroups = ProcessIGraphServiceMemberOfCollectionPage(memberPage, requiredGroupIds);
+ // There is a limit to number of groups returned in a page, so the method below make further calls to Microsoft graph to get all the groups.
+ // allgroups = ProcessIGraphServiceMemberOfCollectionPage(memberPage, requiredGroupIds);
 
- if (allgroups?.Count > 0)
- {
- var principal = context.Principal;
-
- if (principal != null)
+ if (allgroups?.Count > 0)
  {
- var identity = principal.Identity as ClaimsIdentity;
+ var principal = context.Principal;
 
- // Checks if token is for protected APIs i.e., if token is 'Access Token'.
- if (IsAccessToken(identity))
+ if (principal != null)
  {
- // Remove existing groups claims
- RemoveExistingGroupsClaims(identity);
+ var identity = principal.Identity as ClaimsIdentity;
+
+ // Checks if token is for protected APIs i.e., if token is 'Access Token'.
+ if (IsAccessToken(identity))
+ {
+ // Remove existing groups claims
+ RemoveExistingGroupsClaims(identity);
 
- // And re-populate
- RepopulateGroupsClaim(allgroups, identity);
+ // And re-populate
+ RepopulateGroupsClaim(allgroups, identity);
+ }
  }
- }
 
- // return the full list of security groups
- return allgroups.Select(x => x.Id).ToList();
- }
+  // return the full list of security groups
+  return allgroups;
+  }
  }
- else
+ catch (Exception graphEx)
  {
- throw new ArgumentNullException("SecurityToken", "Group membership cannot be fetched if no token has been provided.");
+ var exMsg = graphEx.InnerException != null ? graphEx.InnerException.Message : graphEx.Message;
+ Debug.WriteLine("Call to Microsoft Graph failed: " + exMsg);
  }
  }
  }
@@ -212,16 +191,16 @@ private static async Task<List<string>> ProcessUserGroupsForOverage(TokenValidat
  /// <param name="allgroups">The user's entire security group membership.</param>
  /// <param name="identity">The identity.</param>
  /// <autogeneratedoc />
- private static void RepopulateGroupsClaim(List<Group> allgroups, ClaimsIdentity identity)
+ private static void RepopulateGroupsClaim(List<string> allgroups, ClaimsIdentity identity)
  {
- foreach (Group group in allgroups)
+ foreach (string group in allgroups)
  {
  // The following code adds group ids to the 'groups' claim. But depending upon your requirement and the format of the 'groups' claim selected in
  // the app registration, you might want to add other attributes than id to the `groups` claim, examples being;
 
  // For instance if the required format is 'NetBIOSDomain\sAMAccountName' then the code is as commented below:
  // identity.AddClaim(new Claim("groups", group.OnPremisesNetBiosName+"\\"+group.OnPremisesSamAccountName));
- identity.AddClaim(new Claim("groups", group.Id));
+ identity.AddClaim(new Claim("groups", group));
  }
  }
 
@@ -294,52 +273,5 @@ private static void SaveUsersGroupsToCache(List<string> usersGroups, ClaimsPrinc
 
  _memoryCache.Set(cacheKey, usersGroups, cacheEntryOptions);
  }
-
- /// <summary>
- /// Paginates through the group membership page and fetches all subsequent pages to retrieve the entire list of a user's group membership
- /// </summary>
- /// <param name="membersCollectionPage">First page having collection of directory roles and groups</param>
- /// <returns>List of groups</returns>
- private static List<Group> ProcessIGraphServiceMemberOfCollectionPage(IUserMemberOfCollectionWithReferencesPage membersCollectionPage, List<string> requiredGroupIds)
- {
- List<Group> allGroups = new List<Group>();
-
- try
- {
- if (membersCollectionPage != null)
- {
- do
- {
- // Page through results
- foreach (DirectoryObject directoryObject in membersCollectionPage.CurrentPage)
- {
- // Collection contains directory roles and groups of the user.
- // Checks and adds groups only to the list.
- if (directoryObject is Group && requiredGroupIds.Contains(directoryObject.Id))
- {
- allGroups.Add(directoryObject as Group);
- }
- }
-
- // Are there more pages (i.e has a @odata.nextLink) AND did we already found all the required groups
- if (membersCollectionPage.NextPageRequest != null && allGroups.Count() != requiredGroupIds.Count())
- {
- membersCollectionPage = membersCollectionPage.NextPageRequest.GetAsync().Result;
- }
- else
- {
- membersCollectionPage = null;
- }
- } while (membersCollectionPage != null);
- }
- }
- catch (ServiceException ex)
- {
- Console.WriteLine($"We could not process the groups page: {ex}");
- return null;
- }
-
- return allGroups;
- }
  }
 }

5-AccessControl/2-call-api-groups/API/TodoListAPI/Startup.cs

@@ -20,11 +20,25 @@ namespace TodoListAPI
 {
  public class Startup
  {
+ public List<string> allowedClientApps;
+ public List<string> requiredGroupsIds;
+ public CacheSettings cacheSettings;
  public IConfiguration Configuration { get; }
 
  public Startup(IConfiguration configuration)
  {
  Configuration = configuration;
+
+ allowedClientApps = new List<string>() { Configuration["AzureAd:ClientId"] };
+
+ requiredGroupsIds = Configuration.GetSection("AzureAd:Groups")
+ .AsEnumerable().Select(x => x.Value).Where(x => x != null).ToList();
+
+ cacheSettings = new CacheSettings
+ {
+ SlidingExpirationInSeconds = Configuration.GetValue<string>("CacheSettings:SlidingExpirationInSeconds"),
+ AbsoluteExpirationInSeconds = Configuration.GetValue<string>("CacheSettings:AbsoluteExpirationInSeconds")
+ };
  }
 
  // This method gets called by the runtime. Use this method to add services to the container.
@@ -62,24 +76,13 @@ public void ConfigureServices(IServiceCollection services)
 
  options.Events.OnTokenValidated = async context =>
  {
- string[] allowedClientApps = { Configuration["AzureAd:ClientId"] };
-
- List<string> requiredGroupsIds = Configuration.GetSection("AzureAd:Groups")
- .AsEnumerable().Select(x => x.Value).Where(x => x != null).ToList();
-
- CacheSettings cacheSettings = new CacheSettings
- {
- SlidingExpirationInSeconds = Configuration.GetValue<string>("CacheSettings:SlidingExpirationInSeconds"),
- AbsoluteExpirationInSeconds = Configuration.GetValue<string>("CacheSettings:AbsoluteExpirationInSeconds")
- };
-
  string clientAppId = context?.Principal?.Claims
  .FirstOrDefault(x => x.Type == "azp" || x.Type == "appid")?.Value;
 
  // In this scenario, client and service (API) share the same clientId and we disallow all calls to this API, except from the SPA
  if (!allowedClientApps.Contains(clientAppId))
  {
- throw new Exception("This client is not authorized to call this Api");
+ throw new Exception("This client is not authorized to call this API");
  }
 
  if (context != null)

5-AccessControl/2-call-api-groups/API/TodoListAPI/appsettings.json

@@ -4,7 +4,6 @@
  "TenantId": "Enter the ID of your Azure AD tenant copied from the Azure portal",
  "ClientId": "Enter the application ID (clientId) of the 'TodoListAPI' application copied from the Azure portal",
  "ClientSecret": "Enter the Client Secret of the 'TodoListAPI' application copied from the Azure portal",
- "ClientCapabilities": [ "cp1" ],
  "Scopes": [ "access_via_group_assignments" ],
  "Groups": {
  "GroupAdmin": "Enter the object ID for GroupAdmin group copied from Azure Portal",