Merge pull request Azure-Samples#2 from Azure-Samples/dev

New chapter: advanced scenarios

Author: derisen

6-Multitenancy/1-call-api-mt/README-incremental.md

@@ -0,0 +1,155 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Linq;
+using System.Net;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Identity.Client;
+using Microsoft.Identity.Web;
+using Microsoft.Identity.Web.Resource;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Graph;
+using ProfileAPI.Models;
+using Newtonsoft.Json;
+using Microsoft.Extensions.Options;
+
+namespace ProfileAPI.Controllers
+{
+ [Authorize]
+ [Route("api/[controller]")]
+ [ApiController]
+ public class ProfileController : ControllerBase
+ {
+ /// <summary>
+ /// The Web API will only accept tokens 1) for users, and 
+ /// 2) having the access_as_user scope for this API
+ /// </summary>
+ static readonly string[] scopeRequiredByApi = new string[] { "access_as_user" };
+
+ private readonly ProfileContext _context;
+ private readonly ITokenAcquisition _tokenAcquisition;
+ private readonly GraphServiceClient _graphServiceClient;
+ private readonly IOptions<MicrosoftGraphOptions> _graphOptions;
+
+ public ProfileController(ProfileContext context, ITokenAcquisition tokenAcquisition, GraphServiceClient graphServiceClient, IOptions<MicrosoftGraphOptions> graphOptions)
+ {
+ _context = context;
+ _tokenAcquisition = tokenAcquisition;
+ _graphServiceClient = graphServiceClient;
+ _graphOptions = graphOptions;
+ }
+
+ // GET: api/ProfileItems/5
+ [HttpGet("{id}")]
+ public async Task<ActionResult<ProfileItem>> GetProfileItem(string id)
+ {
+ HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);
+
+ var profileItem = await _context.ProfileItems.FindAsync(id);
+
+ if (profileItem == null)
+ {
+ return NotFound();
+ }
+
+ return profileItem;
+ }
+
+ // POST api/values
+ [HttpPost]
+ public async Task<ActionResult<ProfileItem>> PostProfileItem(ProfileItem profileItem)
+ {
+ HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);
+
+ profileItem.FirstLogin = false;
+
+ // This is a synchronous call, so that the clients know, when they call Get, that the 
+ // call to the downstream API (Microsoft Graph) has completed.
+ try
+ {
+ User profile = await _graphServiceClient.Me.Request().GetAsync();
+
+ profileItem.Id = profile.Id;
+ profileItem.UserPrincipalName = profile.UserPrincipalName;
+ profileItem.GivenName = profile.GivenName;
+ profileItem.Surname = profile.Surname;
+ profileItem.JobTitle = profile.JobTitle;
+ profileItem.MobilePhone = profile.MobilePhone;
+ profileItem.PreferredLanguage = profile.PreferredLanguage;
+ }
+ catch (MsalException ex)
+ {
+ HttpContext.Response.ContentType = "application/json";
+ HttpContext.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
+ await HttpContext.Response.WriteAsync(JsonConvert.SerializeObject("An authentication error occurred while acquiring a token for downstream API\n" + ex.ErrorCode + "\n" + ex.Message));
+ }
+ catch (Exception ex)
+ {
+ if (ex.InnerException is MicrosoftIdentityWebChallengeUserException challengeException)
+ {
+ await _tokenAcquisition.ReplyForbiddenWithWwwAuthenticateHeaderAsync(_graphOptions.Value.Scopes.Split(' '),
+ challengeException.MsalUiRequiredException);
+ HttpContext.Response.ContentType = "application/json";
+ HttpContext.Response.StatusCode = (int)HttpStatusCode.BadRequest;
+ await HttpContext.Response.WriteAsync(JsonConvert.SerializeObject("interaction required"));
+ }
+ else
+ {
+ HttpContext.Response.ContentType = "application/json";
+ HttpContext.Response.StatusCode = (int)HttpStatusCode.BadRequest;
+ await HttpContext.Response.WriteAsync(JsonConvert.SerializeObject("An error occurred while calling the downstream API\n" + ex.Message));
+ }
+ }
+
+ _context.ProfileItems.Add(profileItem);
+ await _context.SaveChangesAsync();
+
+ return CreatedAtAction("GetProfileItem", new { id = profileItem.Id }, profileItem);
+ }
+
+
+
+ // PUT: api/ProfileItems/5
+ // To protect from overposting attacks, please enable the specific properties you want to bind to, for
+ // more details see https://aka.ms/RazorPagesCRUD.
+ [HttpPut("{id}")]
+ public async Task<IActionResult> PutProfileItem(string id, ProfileItem profileItem)
+ {
+ HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);
+
+ if (id != profileItem.Id)
+ {
+ return BadRequest();
+ }
+
+ _context.Entry(profileItem).State = EntityState.Modified;
+
+ try
+ {
+ await _context.SaveChangesAsync();
+ }
+ catch (DbUpdateConcurrencyException)
+ {
+ if (!ProfileItemExists(id))
+ {
+ return NotFound();
+ }
+ else
+ {
+ throw;
+ }
+ }
+
+ return NoContent();
+ }
+
+ private bool ProfileItemExists(string id)
+ {
+ return _context.ProfileItems.Any(e => e.Id == id);
+ }
+ }
+}

7-AdvancedScenarios/1-call-api-obo/API/Controllers/ProfileController.cs

@@ -0,0 +1,14 @@
+using Microsoft.EntityFrameworkCore;
+
+namespace ProfileAPI.Models
+{
+ public class ProfileContext : DbContext
+ {
+ public ProfileContext(DbContextOptions<ProfileContext> options)
+ : base(options)
+ {
+
+ }
+ public DbSet<ProfileItem> ProfileItems { get; set; }
+ }
+}

7-AdvancedScenarios/1-call-api-obo/API/Models/ProfileContext.cs

@@ -0,0 +1,20 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System.ComponentModel.DataAnnotations;
+
+namespace ProfileAPI.Models
+{
+ public class ProfileItem
+ { 
+ [Key]
+ public string Id { get; set; }
+ public string UserPrincipalName { get; set; }
+ public string GivenName { get; set; }
+ public string Surname { get; set; }
+ public string JobTitle { get; set; }
+ public string MobilePhone { get; set; }
+ public string PreferredLanguage { get; set; }
+ public bool FirstLogin { get; set; }
+ }
+}

7-AdvancedScenarios/1-call-api-obo/API/Models/ProfileItem.cs

@@ -0,0 +1,22 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+ <PropertyGroup>
+ <TargetFramework>netcoreapp3.1</TargetFramework>
+ <UserSecretsId>aspnet-ProfileAPI-03230DB1-5145-408C-A48B-BE3DAFC56C30</UserSecretsId>
+ <WebProject_DirectoryAccessLevelKey>0</WebProject_DirectoryAccessLevelKey>
+ </PropertyGroup>
+
+ <ItemGroup>
+ <PackageReference Include="Microsoft.AspNetCore.Mvc.NewtonsoftJson" Version="3.1.12" />
+ <PackageReference Include="Microsoft.AspNetCore.Mvc.Razor.RuntimeCompilation" Version="3.1.12" Condition="'$(Configuration)' == 'Debug'" />
+ <PackageReference Include="Microsoft.EntityFrameworkCore" Version="3.1.12" />
+ <PackageReference Include="Microsoft.EntityFrameworkCore.InMemory" Version="3.1.12" />
+ </ItemGroup>
+
+ <ItemGroup>
+ <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="3.1.12" />
+ <PackageReference Include="Microsoft.Identity.Web" Version="1.8.2" />
+ <PackageReference Include="Microsoft.Identity.Web.MicrosoftGraph" Version="1.8.2" />
+ </ItemGroup>
+
+</Project>

7-AdvancedScenarios/1-call-api-obo/API/ProfileAPI.csproj

@@ -0,0 +1,23 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.Extensions.Hosting;
+
+namespace ProfileAPI
+{
+ public class Program
+ {
+ public static void Main(string[] args)
+ {
+ CreateHostBuilder(args).Build().Run();
+ }
+
+ public static IHostBuilder CreateHostBuilder(string[] args) =>
+ Host.CreateDefaultBuilder(args)
+ .ConfigureWebHostDefaults(webBuilder =>
+ {
+ webBuilder.UseStartup<Startup>();
+ });
+ }
+}

7-AdvancedScenarios/1-call-api-obo/API/Program.cs

@@ -0,0 +1,30 @@
+{
+ "$schema": "http://json.schemastore.org/launchsettings.json",
+ "iisSettings": {
+ "windowsAuthentication": false,
+ "anonymousAuthentication": true,
+ "iisExpress": {
+ "applicationUrl": "https://localhost:44351",
+ "sslPort": 44351
+ }
+ },
+ "profiles": {
+ "IIS Express": {
+ "commandName": "IISExpress",
+ "launchBrowser": true,
+ "launchUrl": "https://localhost:44351/api/profile",
+ "environmentVariables": {
+ "ASPNETCORE_ENVIRONMENT": "Development"
+ }
+ },
+ "ProfileAPI": {
+ "commandName": "Project",
+ "launchBrowser": true,
+ "environmentVariables": {
+ "ASPNETCORE_ENVIRONMENT": "Development"
+ },
+ "applicationUrl": "https://localhost:44351/",
+ "sslPort": 44351
+ }
+ }
+}

7-AdvancedScenarios/1-call-api-obo/API/Properties/launchSettings.json

@@ -0,0 +1,77 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using Microsoft.EntityFrameworkCore;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Hosting;
+using Microsoft.Identity.Web;
+using ProfileAPI.Models;
+using Microsoft.AspNetCore.Authentication.JwtBearer;
+
+namespace ProfileAPI
+{
+ public class Startup
+ {
+ public Startup(IConfiguration configuration)
+ {
+ Configuration = configuration;
+ }
+
+ public IConfiguration Configuration { get; }
+
+ // This method gets called by the runtime. Use this method to add services to the container.
+ public void ConfigureServices(IServiceCollection services)
+ {
+ services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
+ .AddMicrosoftIdentityWebApi(Configuration)
+ .EnableTokenAcquisitionToCallDownstreamApi()
+ .AddMicrosoftGraph(Configuration.GetSection("DownstreamAPI"))
+ .AddInMemoryTokenCaches();
+
+ services.AddDbContext<ProfileContext>(opt => opt.UseInMemoryDatabase("Profile"));
+
+ services.AddControllers();
+
+ // Allowing CORS for all domains and methods for the purpose of sample
+ services.AddCors(o => o.AddPolicy("default", builder =>
+ {
+ builder.AllowAnyOrigin()
+ .AllowAnyMethod()
+ .AllowAnyHeader()
+ .WithExposedHeaders("WWW-Authenticate");
+ }));
+ }
+
+ // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
+ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
+ {
+ if (env.IsDevelopment())
+ {
+ // Since IdentityModel version 5.2.1 (or since Microsoft.AspNetCore.Authentication.JwtBearer version 2.2.0),
+ // PII hiding in log files is enabled by default for GDPR concerns.
+ // For debugging/development purposes, one can enable additional detail in exceptions by setting IdentityModelEventSource.ShowPII to true.
+ // Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;
+ app.UseDeveloperExceptionPage();
+ }
+ else
+ {
+ app.UseHsts();
+ }
+
+ app.UseCors("default");
+ app.UseHttpsRedirection();
+ app.UseRouting();
+
+ app.UseAuthentication();
+ app.UseAuthorization();
+
+ app.UseEndpoints(endpoints =>
+ {
+ endpoints.MapControllers();
+ });
+ }
+ }
+}

7-AdvancedScenarios/1-call-api-obo/API/Startup.cs

@@ -0,0 +1,9 @@
+{
+ "Logging": {
+ "LogLevel": {
+ "Default": "Debug",
+ "System": "Information",
+ "Microsoft": "Information"
+ }
+ }
+}

7-AdvancedScenarios/1-call-api-obo/API/appsettings.Development.json

@@ -0,0 +1,22 @@
+{
+ "AzureAd": {
+"Instance": "https://login.microsoftonline.com/",
+"Domain": "Enter the domain of your Azure AD tenant, e.g. 'contoso.onmicrosoft.com'",
+"ClientId": "Enter the Client ID (aka 'Application ID')",
+"TenantId": "Enter the Tenant ID",
+ "ClientSecret": "Enter the Client Secret"
+ },
+ "DownstreamAPI": {
+ "Scopes": "User.Read",
+ "BaseUrl": "https://graph.microsoft.com/v1.0/"
+ },
+ "https_port": 44351,
+ "Logging": {
+ "LogLevel": {
+ "Default": "Information",
+ "Microsoft": "Warning",
+ "Microsoft.Hosting.Lifetime": "Information"
+ }
+ },
+ "AllowedHosts": "*"
+}