review changes

Author: derisen

3-Authorization-II/1-call-api/API/TodoListAPI/Startup.cs

@@ -6,7 +6,7 @@
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.Identity.Web;
-using System.IdentityModel.Tokens.Jwt;
+using Microsoft.AspNetCore.Authentication.JwtBearer;
 
 using TodoListAPI.Models;
 
@@ -25,7 +25,36 @@ public Startup(IConfiguration configuration)
  public void ConfigureServices(IServiceCollection services)
  {
  // Adds Microsoft Identity platform (AAD v2.0) support to protect this Api
- services.AddMicrosoftIdentityWebApiAuthentication(Configuration);
+ services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
+ .AddMicrosoftIdentityWebApi(options =>
+ {
+ Configuration.Bind("AzureAd", options);
+ options.Events = new JwtBearerEvents();
+
+ /// <summary>
+ /// Below you can do extended token validation and check for additional claims, such as:
+ ///
+ /// - check if the caller's tenant is in the allowed tenants list via the 'tid' claim (for multi-tenant applications)
+ /// - check if the caller's account is homed or guest via the 'acct' optional claim
+ /// - check if the caller belongs to right roles or groups via the 'roles' or 'groups' claim, respectively
+ ///
+ /// Bear in mind that you can do any of the above checks within the individual routes and/or controllers as well.
+ /// For more information, visit: https://docs.microsoft.com/azure/active-directory/develop/access-tokens#validate-the-user-has-permission-to-access-this-data
+ /// </summary>
+ options.Events.OnTokenValidated = async context =>
+ {
+ // Uncomment the lines below to validate the caller's tenant ID.
+
+ // string[] allowedTenants = {/* add a list of tenant IDs */ };
+ // string tenantId = context.Principal.Claims.FirstOrDefault(x => x.Type == "tid")?.Value;
+
+ // if (!allowedTenants.Contains(tenantId))
+ // {
+ // throw new Exception("This tenant is not authorized");
+ // }
+
+ };
+ }, options => { Configuration.Bind("AzureAd", options); });
 
  services.AddDbContext<TodoContext>(opt => opt.UseInMemoryDatabase("TodoList"));
 

3-Authorization-II/1-call-api/SPA/src/app/app-routing.module.ts

@@ -27,6 +27,10 @@ const routes: Routes = [
  MsalGuard
  ]
  },
+ {
+ path: 'redirect',
+ component: TodoViewComponent,
+ },
  {
  // Needed for hash routing
  path: 'error',

3-Authorization-II/1-call-api/SPA/src/app/app.module.ts

@@ -17,6 +17,7 @@ import { MatFormFieldModule } from '@angular/material/form-field'
 import { AppRoutingModule } from './app-routing.module';
 import { AppComponent } from './app.component';
 import { HomeComponent } from './home/home.component';
+import { RedirectComponent } from './redirect/redirect.component';
 import { TodoEditComponent } from './todo-edit/todo-edit.component';
 import { TodoViewComponent } from './todo-view/todo-view.component';
 import { TodoService } from './todo.service';
@@ -29,7 +30,6 @@ import {
 } from '@azure/msal-angular';
 
 import { msalConfig, loginRequest, protectedResources } from './auth-config';
-
 /**
  * Here we pass the configuration parameters to create an MSAL instance.
  * For more info, visit: https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular/docs/v2-docs/configuration.md
@@ -62,7 +62,7 @@ export function MSALInterceptorConfigFactory(): MsalInterceptorConfiguration {
  */
 export function MSALGuardConfigFactory(): MsalGuardConfiguration {
  return {
- interactionType: InteractionType.Redirect,
+ interactionType: InteractionType.Popup,
  authRequest: loginRequest
  };
 }
@@ -72,7 +72,8 @@ export function MSALGuardConfigFactory(): MsalGuardConfiguration {
  AppComponent,
  HomeComponent,
  TodoViewComponent,
- TodoEditComponent
+ TodoEditComponent,
+ RedirectComponent
  ],
  imports: [
  BrowserModule,

3-Authorization-II/1-call-api/SPA/src/app/auth-config.ts

@@ -18,7 +18,7 @@ export const msalConfig: Configuration = {
  auth: {
  clientId: 'Enter_the_Application_Id_Here', // This is the ONLY mandatory field that you need to supply.
  authority: 'https://login.microsoftonline.com/Enter_the_Tenant_Info_Here', // Defaults to "https://login.microsoftonline.com/common"
- redirectUri: '/', // Points to window.location.origin. You must register this URI on Azure portal/App Registration.
+ redirectUri: '/redirect', // Points to window.location.origin. You must register this URI on Azure portal/App Registration.
  clientCapabilities: ['CP1'] // This lets the resource server know that this client can handle claim challenges.
  },
  cache: {

3-Authorization-II/1-call-api/SPA/src/app/home/home.component.ts

@@ -25,7 +25,6 @@ export class HomeComponent implements OnInit {
  filter((msg: EventMessage) => msg.eventType === EventType.LOGIN_SUCCESS),
  )
  .subscribe((result: EventMessage) => {
- console.log(result);
  const payload = result.payload as AuthenticationResult;
  this.authService.instance.setActiveAccount(payload.account);
  });
@@ -45,7 +44,9 @@ export class HomeComponent implements OnInit {
  }
 
  getClaims(claims: any) {
- const claimsTable = createClaimsTable(claims);
- this.dataSource = [...claimsTable];
+ if (claims) {
+ const claimsTable = createClaimsTable(claims);
+ this.dataSource = [...claimsTable];
+ }
  }
 }

3-Authorization-II/1-call-api/SPA/src/app/redirect/redirect.component.css

@@ -0,0 +1 @@
+<p>This page is left blank intentionally</p>

3-Authorization-II/1-call-api/SPA/src/app/redirect/redirect.component.html

@@ -0,0 +1,15 @@
+import { Component, OnInit } from '@angular/core';
+
+@Component({
+ selector: 'app-redirect',
+ templateUrl: './redirect.component.html',
+ styleUrls: ['./redirect.component.css']
+})
+export class RedirectComponent implements OnInit {
+
+ constructor() { }
+
+ ngOnInit(): void {
+ }
+
+}