add role guard, update config

Author: derisen

5-AccessControl/1-call-api-roles/API/TodoListAPI/appsettings.json

@@ -1,9 +1,9 @@
 {
  "AzureAd": {
  "Instance": "https://login.microsoftonline.com/",
- "Domain": "Enter the domain of your Azure AD tenant, e.g. 'contoso.onmicrosoft.com'",
- "TenantId": "Enter the tenant ID",
- "ClientId": "Enter the Client ID (aka 'Application ID')",
+ "Domain": "Enter the domain of your Azure AD tenant, e.g. contoso.onmicrosoft.com",
+ "TenantId": "Enter the ID of your Azure AD tenant copied from the Azure portal",
+ "ClientId": "Enter the application ID (clientId) of the 'TodoListAPI' application copied from the Azure portal",
  "Scopes": ["access_as_user"],
  "Roles": {
  "TaskAdmin": "TaskAdmin",

5-AccessControl/1-call-api-roles/AppCreationScripts/sample.json

@@ -1,98 +1,115 @@
 {
- "Sample": {
- "Title": "Angular single-page application calling a protected web API and using App Roles to implement Role-Based Access Control",
- "Level": 300,
- "Client": "Angular SPA",
- "Service": ".NET Core web API",
- "RepositoryUrl": "ms-identity-javascript-angular-tutorial",
- "Endpoint": "AAD v2.0",
- "Languages": ["typescript", "csharp"],
- "Description": "Angular single-page application calling a protected web API using App Roles to implement Role-Based Access Control",
- "products": ["azure-active-directory", "msal-js", "msal-angular", "microsoft-identity-web"]
- },
- "AADApps": [
- {
- "Id": "client",
- "Name": "msal-angular-app",
- "Kind": "SinglePageApplication",
- "Audience": "AzureADMyOrg",
- "HomePage": "http://localhost:4200/",
- "ReplyUrls": "http://localhost:4200/, http://localhost:4200/auth",
- "Scopes": ["access_as_user"],
- "Sample": {
- "SampleSubPath": "5-AccessControl\\1-call-api-roles\\SPA",
- "ProjectDirectory": "\\1-call-api-roles\\SPA"
- },
- "RequiredResourcesAccess": [
- {
- "Resource": "client",
- "DelegatedPermissions": ["access_as_user"]
- }
- ],
- "AppRoles": [
- {
- "AllowedMemberTypes": [
- "User"
- ],
- "Name": "TaskAdmin",
- "Description": "Admins can read any user's todo list"
- },
- {
- "AllowedMemberTypes": [
- "User"
- ],
- "Name": "TaskUser",
- "Description": "Users can read and modify their todo lists"
- }
- ],
- "ManualSteps": [
- {
- "Comment": "To receive the 'roles' claim with the name of the app roles this user is assigned to, make sure that the user accounts you plan to sign-in to this app is assigned to the app roles of this SPA app. The guide, https://aka.ms/userassignmentrequired provides step by step instructions."
- },
- {
- "Comment": "Or you can run the .\\CreateUsersAndAssignRoles.ps1 command to automatically create a number of users, and assign these users to the app roles of this app."
- }
- ]
- }
- ],
- "CodeConfiguration": [
- {
- "App": "client",
- "SettingKind": "Replace",
- "SettingFile": "\\..\\API\\TodoListAPI\\appsettings.json",
- "Mappings": [
- {
- "key": "Enter the domain of your Azure AD tenant, e.g. contoso.onmicrosoft.com",
- "value": "$tenantName"
- },
- {
- "key": "Enter the ID of your Azure AD tenant copied from the Azure portal",
- "value": "$tenantId"
- },
- {
- "key": "Enter the application ID (clientId) of the 'TodoListAPI' application copied from the Azure portal",
- "value": "client.AppId"
- }
- ]
+ "Sample": {
+ "Title": "Angular single-page application calling a protected web API and using App Roles to implement Role-Based Access Control",
+ "Level": 300,
+ "Client": "Angular SPA",
+ "Service": ".NET Core web API",
+ "RepositoryUrl": "ms-identity-javascript-angular-tutorial",
+ "Endpoint": "AAD v2.0",
+ "Languages": [
+ "typescript",
+ "csharp"
+ ],
+ "Description": "Angular single-page application calling a protected web API using App Roles to implement Role-Based Access Control",
+ "products": [
+ "azure-active-directory",
+ "msal-js",
+ "msal-angular",
+ "microsoft-identity-web"
+ ]
  },
- {
- "App": "client",
- "SettingKind": "Replace",
- "SettingFile": "\\..\\SPA\\src\\app\\auth-config.ts",
- "Mappings": [
+ "AADApps": [
  {
- "key": "Enter_the_Application_Id_Here",
- "value": "client.AppId"
- },
+ "Id": "client",
+ "Name": "msal-angular-app",
+ "Kind": "SinglePageApplication",
+ "Audience": "AzureADMyOrg",
+ "HomePage": "http://localhost:4200/",
+ "ReplyUrls": "http://localhost:4200/, http://localhost:4200/auth",
+ "Scopes": [
+ "access_as_user"
+ ],
+ "Sample": {
+ "SampleSubPath": "5-AccessControl\\1-call-api-roles\\SPA",
+ "ProjectDirectory": "\\1-call-api-roles\\SPA"
+ },
+ "RequiredResourcesAccess": [
+ {
+ "Resource": "client",
+ "DelegatedPermissions": [
+ "access_as_user"
+ ]
+ }
+ ],
+ "AppRoles": [
+ {
+ "AllowedMemberTypes": [
+ "User"
+ ],
+ "Name": "TaskAdmin",
+ "Description": "Admins can read any user's todo list"
+ },
+ {
+ "AllowedMemberTypes": [
+ "User"
+ ],
+ "Name": "TaskUser",
+ "Description": "Users can read and modify their todo lists"
+ }
+ ],
+ "OptionalClaims": {
+ "IdTokenClaims": [
+ "acct"
+ ]
+ },
+ "ManualSteps": [
+ {
+ "Comment": "To receive the 'roles' claim with the name of the app roles this user is assigned to, make sure that the user accounts you plan to sign-in to this app is assigned to the app roles of this SPA app. The guide, https://aka.ms/userassignmentrequired provides step by step instructions."
+ },
+ {
+ "Comment": "Or you can run the .\\CreateUsersAndAssignRoles.ps1 command to automatically create a number of users, and assign these users to the app roles of this app."
+ }
+ ]
+ }
+ ],
+ "CodeConfiguration": [
  {
- "key": "Enter_the_Tenant_Info_Here",
- "value": "$tenantId"
+ "App": "client",
+ "SettingKind": "Replace",
+ "SettingFile": "\\..\\API\\TodoListAPI\\appsettings.json",
+ "Mappings": [
+ {
+ "key": "Enter the domain of your Azure AD tenant, e.g. contoso.onmicrosoft.com",
+ "value": "$tenantName"
+ },
+ {
+ "key": "Enter the ID of your Azure AD tenant copied from the Azure portal",
+ "value": "$tenantId"
+ },
+ {
+ "key": "Enter the application ID (clientId) of the 'TodoListAPI' application copied from the Azure portal",
+ "value": "client.AppId"
+ }
+ ]
  },
  {
- "key": "Enter_the_Web_Api_Application_Id_Here",
- "value": "client.AppId"
+ "App": "client",
+ "SettingKind": "Replace",
+ "SettingFile": "\\..\\SPA\\src\\app\\auth-config.ts",
+ "Mappings": [
+ {
+ "key": "Enter_the_Application_Id_Here",
+ "value": "client.AppId"
+ },
+ {
+ "key": "Enter_the_Tenant_Info_Here",
+ "value": "$tenantId"
+ },
+ {
+ "key": "Enter_the_Web_Api_Application_Id_Here",
+ "value": "client.AppId"
+ }
+ ]
  }
- ]
- }
- ]
+ ]
 }

5-AccessControl/1-call-api-roles/SPA/src/app/app-routing.module.ts

@@ -20,7 +20,6 @@ const routes: Routes = [
  path: 'todo-edit/:id',
  component: TodoEditComponent,
  canActivate: [
- MsalGuard,
  RoleGuard
  ],
  data: {
@@ -31,7 +30,6 @@ const routes: Routes = [
  path: 'todo-view',
  component: TodoViewComponent,
  canActivate: [
- MsalGuard,
  RoleGuard
  ],
  data: {
@@ -42,7 +40,6 @@ const routes: Routes = [
  path: 'dashboard',
  component: DashboardComponent,
  canActivate: [
- MsalGuard,
  RoleGuard,
  ],
  data: {

5-AccessControl/1-call-api-roles/SPA/src/app/app.module.ts

@@ -24,11 +24,12 @@ import { TodoService } from './todo.service';
 import { HTTP_INTERCEPTORS, HttpClientModule } from '@angular/common/http';
 import { IPublicClientApplication, PublicClientApplication, InteractionType } from '@azure/msal-browser';
 import {
- MsalGuard, MsalInterceptor, MsalBroadcastService, MsalInterceptorConfiguration, MsalModule, MsalService,
+ MsalInterceptor, MsalBroadcastService, MsalInterceptorConfiguration, MsalModule, MsalService,
  MSAL_GUARD_CONFIG, MSAL_INSTANCE, MSAL_INTERCEPTOR_CONFIG, MsalGuardConfiguration, MsalRedirectComponent, ProtectedResourceScopes
 } from '@azure/msal-angular';
 
 import { msalConfig, loginRequest, protectedResources } from './auth-config';
+import { RoleGuard } from './role.guard';
 
 /**
  * Here we pass the configuration parameters to create an MSAL instance.
@@ -109,7 +110,7 @@ export function MSALGuardConfigFactory(): MsalGuardConfiguration {
  useFactory: MSALInterceptorConfigFactory
  },
  MsalService,
- MsalGuard,
+ RoleGuard,
  MsalBroadcastService,
  TodoService
  ],