update scope name

Author: derisen

5-AccessControl/1-call-api-roles/API/TodoListAPI/Controllers/TodoListController.cs

@@ -27,7 +27,7 @@ public TodoListController(TodoContext context)
  // GET: api/todolist/getAll
  [HttpGet]
  [Route("getAll")]
- [RequiredScope(RequiredScopesConfigurationKey = "AzureAd:Scopes:Read")]
+ [RequiredScope(RequiredScopesConfigurationKey = "AzureAd:Scopes")]
  [Authorize(Policy = AuthorizationPolicies.AssignmentToTaskAdminRoleRequired)]
  public async Task<ActionResult<IEnumerable<TodoItem>>> GetAll()
  {
@@ -36,7 +36,7 @@ public async Task<ActionResult<IEnumerable<TodoItem>>> GetAll()
 
  // GET: api/TodoItems
  [HttpGet]
- [RequiredScope(RequiredScopesConfigurationKey = "AzureAd:Scopes:Read")]
+ [RequiredScope(RequiredScopesConfigurationKey = "AzureAd:Scopes")]
  [Authorize(Policy = AuthorizationPolicies.AssignmentToTaskUserRoleRequired)]
  public async Task<ActionResult<IEnumerable<TodoItem>>> GetTodoItems()
  {
@@ -57,7 +57,7 @@ public async Task<ActionResult<IEnumerable<TodoItem>>> GetTodoItems()
 
  // GET: api/TodoItems/5
  [HttpGet("{id}")]
- [RequiredScope(RequiredScopesConfigurationKey = "AzureAd:Scopes:Read")]
+ [RequiredScope(RequiredScopesConfigurationKey = "AzureAd:Scopes")]
  [Authorize(Policy = AuthorizationPolicies.AssignmentToTaskUserRoleRequired)]
  public async Task<ActionResult<TodoItem>> GetTodoItem(int id)
  {
@@ -68,7 +68,7 @@ public async Task<ActionResult<TodoItem>> GetTodoItem(int id)
  // To protect from overposting attacks, please enable the specific properties you want to bind to, for
  // more details see https://aka.ms/RazorPagesCRUD.
  [HttpPut("{id}")]
- [RequiredScope(RequiredScopesConfigurationKey = "AzureAd:Scopes:Write")]
+ [RequiredScope(RequiredScopesConfigurationKey = "AzureAd:Scopes")]
  [Authorize(Policy = AuthorizationPolicies.AssignmentToTaskUserRoleRequired)]
  public async Task<IActionResult> PutTodoItem(int id, TodoItem todoItem)
  {
@@ -106,7 +106,7 @@ public async Task<IActionResult> PutTodoItem(int id, TodoItem todoItem)
  // To protect from overposting attacks, please enable the specific properties you want to bind to, for
  // more details see https://aka.ms/RazorPagesCRUD.
  [HttpPost]
- [RequiredScope(RequiredScopesConfigurationKey = "AzureAd:Scopes:Write")]
+ [RequiredScope(RequiredScopesConfigurationKey = "AzureAd:Scopes")]
  [Authorize(Policy = AuthorizationPolicies.AssignmentToTaskUserRoleRequired)]
  public async Task<ActionResult<TodoItem>> PostTodoItem(TodoItem todoItem)
  {
@@ -121,7 +121,7 @@ public async Task<ActionResult<TodoItem>> PostTodoItem(TodoItem todoItem)
 
  // DELETE: api/TodoItems/5
  [HttpDelete("{id}")]
- [RequiredScope(RequiredScopesConfigurationKey = "AzureAd:Scopes:Write")]
+ [RequiredScope(RequiredScopesConfigurationKey = "AzureAd:Scopes")]
  [Authorize(Policy = AuthorizationPolicies.AssignmentToTaskUserRoleRequired)]
  public async Task<ActionResult<TodoItem>> DeleteTodoItem(int id)
  {

5-AccessControl/1-call-api-roles/API/TodoListAPI/appsettings.json

@@ -4,10 +4,7 @@
  "Domain": "Enter the domain of your Azure AD tenant, e.g. 'contoso.onmicrosoft.com'",
  "TenantId": "Enter the tenant ID",
  "ClientId": "Enter the Client ID (aka 'Application ID')",
- "Scopes": {
- "Read": ["TodoList.Read", "TodoList.ReadWrite"],
- "Write": ["TodoList.ReadWrite"]
- },
+ "Scopes": ["access_as_user"],
  "Roles": {
  "TaskAdmin": "TaskAdmin",
  "TaskUser": "TaskUser"

5-AccessControl/1-call-api-roles/AppCreationScripts/Configure.ps1

@@ -221,14 +221,7 @@ Function ConfigureApplications
  }
 
  $scopes = New-Object System.Collections.Generic.List[Microsoft.Graph.PowerShell.Models.MicrosoftGraphPermissionScope]
- $scope = CreateScope -value TodoList.Read `
- -userConsentDisplayName "Access msal-angular-app" `
- -userConsentDescription "Allow the application to access msal-angular-app on your behalf." `
- -adminConsentDisplayName "Access msal-angular-app" `
- -adminConsentDescription "Allows the app to have the same access to information in the directory on behalf of an admin."
- 
- $scopes.Add($scope)
- $scope = CreateScope -value TodoList.ReadWrite `
+ $scope = CreateScope -value access_as_user `
  -userConsentDisplayName "Access msal-angular-app" `
  -userConsentDescription "Allow the application to access msal-angular-app on your behalf." `
  -adminConsentDisplayName "Access msal-angular-app" `
@@ -249,7 +242,7 @@ Function ConfigureApplications
  # Add Required Resources Access (from 'client' to 'client')
  Write-Host "Getting access from 'client' to 'client'"
  $requiredPermissions = GetRequiredPermissions -applicationDisplayName "msal-angular-app" `
- -requiredDelegatedPermissions "TodoList.Read|TodoList.ReadWrite" `
+ -requiredDelegatedPermissions "access_as_user" `
 
 
  $requiredResourcesAccess.Add($requiredPermissions)
@@ -266,7 +259,7 @@ Function ConfigureApplications
 
  # Update config file for 'client'
  $configFile = $pwd.Path + "\..\SPA\src\app\auth-config.ts"
- $dictionary = @{ "Enter_the_Application_Id_Here" = $clientAadApplication.AppId;"Enter_the_Tenant_Info_Here" = $tenantId;"Enter_the_Web_Api_Scope_here" = ("api://"+$clientAadApplication.AppId+"/access_as_user") };
+ $dictionary = @{ "Enter_the_Application_Id_Here" = $clientAadApplication.AppId;"Enter_the_Tenant_Info_Here" = $tenantId;"Enter_the_Web_Api_Application_Id_Here" = $clientAadApplication.AppId };
 
  Write-Host "Updating the sample code ($configFile)"
 

5-AccessControl/1-call-api-roles/AppCreationScripts/sample.json

@@ -6,7 +6,7 @@
  "Service": ".NET Core web API",
  "RepositoryUrl": "ms-identity-javascript-angular-tutorial",
  "Endpoint": "AAD v2.0",
- "Languages": ["TypeScript", "CSharp"],
+ "Languages": ["typescript", "csharp"],
  "Description": "Angular single-page application calling a protected web API using App Roles to implement Role-Based Access Control",
  "products": ["azure-active-directory", "msal-js", "msal-angular", "microsoft-identity-web"]
  },
@@ -18,21 +18,15 @@
  "Audience": "AzureADMyOrg",
  "HomePage": "http://localhost:4200/",
  "ReplyUrls": "http://localhost:4200/, http://localhost:4200/auth",
- "Scopes": [
- "TodoList.Read",
- "TodoList.ReadWrite"
- ],
+ "Scopes": ["access_as_user"],
  "Sample": {
  "SampleSubPath": "5-AccessControl\\1-call-api-roles\\SPA",
  "ProjectDirectory": "\\1-call-api-roles\\SPA"
  },
  "RequiredResourcesAccess": [
  {
  "Resource": "client",
- "DelegatedPermissions": [
- "TodoList.Read",
- "TodoList.ReadWrite"
- ]
+ "DelegatedPermissions": ["access_as_user"]
  }
  ],
  "AppRoles": [
@@ -95,8 +89,8 @@
  "value": "$tenantId"
  },
  {
- "key": "Enter_the_Web_Api_Scope_here",
- "value": "client.Scope"
+ "key": "Enter_the_Web_Api_Application_Id_Here",
+ "value": "client.AppId"
  }
  ]
  }

5-AccessControl/1-call-api-roles/README.md

@@ -163,15 +163,14 @@ To manually register the apps, as a first step you'll need to:
 
 1. All APIs must publish a minimum of one [scope](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow#request-an-authorization-code), also called [Delegated Permission](https://docs.microsoft.com/azure/active-directory/develop/v2-permissions-and-consent#permission-types), for the client apps to obtain an access token for a *user* successfully. To publish a scope, follow these steps:
 1. Select **Add a scope** button open the **Add a scope** screen and Enter the values as indicated below:
- 1. For **Scope name**, use `TodoList.Read`.
+ 1. For **Scope name**, use `access_as_user`.
  1. Select **Admins and users** options for **Who can consent?**.
  1. For **Admin consent display name** type in the details, `e.g. Allow the users of the app msal-angular-app to read ToDo list items`.
  1. For **Admin consent description** type in the details `e.g. Allows the app msal-angular-app to read the signed-in users ToDo list items.`
- 1. For **User consent display name** type in the details `e.g. Read ToDo list items as yourself`.
- 1. For **User consent description** type in the details `e.g. Allow the app msal-angular-app to read ToDo list items on your behalf.`
+ 1. For **User consent display name** type in the details `e.g. Read Todolist items as yourself`.
+ 1. For **User consent description** type in the details `e.g. Allow the app msal-angular-app to read Todolist items on your behalf.`
  1. Keep **State** as **Enabled**.
  1. Select the **Add scope** button on the bottom to save this scope.
- > Repeat the steps above for another scope named **TodoList.ReadWrite**
 1. Select the **Manifest** blade on the left.
  1. Set `accessTokenAcceptedVersion` property to **2**.
  1. Select on **Save**.
@@ -186,7 +185,7 @@ To manually register the apps, as a first step you'll need to:
  1. Ensure that the **My APIs** tab is selected.
  1. In the list of APIs, select the API `msal-angular-app`.
  * Since this app signs-in users, we will now proceed to select **delegated permissions**, which is is requested by apps when signing-in users.
- 1. In the **Delegated permissions** section, select the **TodoList.Read**, **TodoList.ReadWrite** in the list. Use the search box if necessary.
+ 1. In the **Delegated permissions** section, select the **access_as_user** in the list. Use the search box if necessary.
  1. Select the **Add permissions** button at the bottom.
 
 ##### Publish Application Roles for users and groups
@@ -222,7 +221,7 @@ Open the project in your IDE (like Visual Studio or Visual Studio Code) to confi
 1. Open the `SPA\src\app\auth-config.ts` file.
 1. Find the key `Enter_the_Application_Id_Here` and replace the existing value with the application ID (clientId) of `msal-angular-app` app copied from the Azure portal.
 1. Find the key `Enter_the_Tenant_Info_Here` and replace the existing value with your Azure AD tenant ID.
-1. Find the key `Enter_the_Web_Api_Scope_here` and replace the existing value with Scope.
+1. Find the key `Enter_the_Web_Api_Application_Id_Here` and replace the existing value with the application ID (clientId) of the web API -in this scenario, this is the same application ID with `msal-angular-app`.
 
 ### Step 6: Running the sample
 

5-AccessControl/1-call-api-roles/SPA/src/app/app.module.ts

@@ -46,24 +46,7 @@ export function MSALInstanceFactory(): IPublicClientApplication {
 export function MSALInterceptorConfigFactory(): MsalInterceptorConfiguration {
  const protectedResourceMap = new Map<string, Array<string | ProtectedResourceScopes> | null>();
 
- protectedResourceMap.set(protectedResources.apiTodoList.endpoint, [
- {
- httpMethod: 'GET',
- scopes: [...protectedResources.apiTodoList.scopes.read]
- },
- {
- httpMethod: 'POST',
- scopes: [...protectedResources.apiTodoList.scopes.write]
- },
- {
- httpMethod: 'PUT',
- scopes: [...protectedResources.apiTodoList.scopes.write]
- },
- {
- httpMethod: 'DELETE',
- scopes: [...protectedResources.apiTodoList.scopes.write]
- }
- ]);
+ protectedResourceMap.set(protectedResources.apiTodoList.endpoint, [...protectedResources.apiTodoList.scopes]);
 
  return {
  interactionType: InteractionType.Popup,

5-AccessControl/1-call-api-roles/SPA/src/app/auth-config.ts

@@ -48,10 +48,7 @@ export const msalConfig: Configuration = {
 export const protectedResources = {
  apiTodoList: {
  endpoint: "https://localhost:44351/api/todolist",
- scopes: {
- read: ["api://Enter_the_Web_Api_Application_Id_Here/TodoList.Read"],
- write: ["api://Enter_the_Web_Api_Application_Id_Here/TodoList.ReadWrite"]
- }
+ scopes: ["api://Enter_the_Web_Api_Application_Id_Here/access_as_user"]
  }
 }
 
@@ -62,7 +59,7 @@ export const protectedResources = {
  * https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#openid-connect-scopes
  */
 export const loginRequest = {
- scopes: []
+ scopes: [...protectedResources.apiTodoList.scopes]
 };
 
 export const roles = {