revise new chapters

Author: derisen

.gitignore

@@ -104,8 +104,8 @@ dist
 .tern-port
 
 # .NET binaries
-bin
-obj
+bin/
+obj/
 
 # Visual Studio cache
 .vs

6-AccessControl/1-call-api-roles/AppCreationScripts/Cleanup.ps1

@@ -59,9 +59,9 @@ Function Cleanup
  # Removes the applications
  Write-Host "Cleaning-up applications from tenant '$tenantName'"
 
- Write-Host "Removing 'service' (TodoListAPI) if needed"
- Get-AzureADApplication -Filter "DisplayName eq 'TodoListAPI'" | ForEach-Object {Remove-AzureADApplication -ObjectId $_.ObjectId }
- $apps = Get-AzureADApplication -Filter "DisplayName eq 'TodoListAPI'"
+ Write-Host "Removing 'service' (msal-dotnet-api) if needed"
+ Get-AzureADApplication -Filter "DisplayName eq 'msal-dotnet-api'" | ForEach-Object {Remove-AzureADApplication -ObjectId $_.ObjectId }
+ $apps = Get-AzureADApplication -Filter "DisplayName eq 'msal-dotnet-api'"
  if ($apps)
  {
  Remove-AzureADApplication -ObjectId $apps.ObjectId
@@ -70,14 +70,14 @@ Function Cleanup
  foreach ($app in $apps) 
  {
  Remove-AzureADApplication -ObjectId $app.ObjectId
- Write-Host "Removed TodoListAPI.."
+ Write-Host "Removed msal-dotnet-api.."
  }
  # also remove service principals of this app
- Get-AzureADServicePrincipal -filter "DisplayName eq 'TodoListAPI'" | ForEach-Object {Remove-AzureADServicePrincipal -ObjectId $_.Id -Confirm:$false}
+ Get-AzureADServicePrincipal -filter "DisplayName eq 'msal-dotnet-api'" | ForEach-Object {Remove-AzureADServicePrincipal -ObjectId $_.Id -Confirm:$false}
 
- Write-Host "Removing 'client' (TodoListSPA) if needed"
- Get-AzureADApplication -Filter "DisplayName eq 'TodoListSPA'" | ForEach-Object {Remove-AzureADApplication -ObjectId $_.ObjectId }
- $apps = Get-AzureADApplication -Filter "DisplayName eq 'TodoListSPA'"
+ Write-Host "Removing 'client' (msal-angular-spa) if needed"
+ Get-AzureADApplication -Filter "DisplayName eq 'msal-angular-spa'" | ForEach-Object {Remove-AzureADApplication -ObjectId $_.ObjectId }
+ $apps = Get-AzureADApplication -Filter "DisplayName eq 'msal-angular-spa'"
  if ($apps)
  {
  Remove-AzureADApplication -ObjectId $apps.ObjectId
@@ -86,10 +86,10 @@ Function Cleanup
  foreach ($app in $apps) 
  {
  Remove-AzureADApplication -ObjectId $app.ObjectId
- Write-Host "Removed TodoListSPA.."
+ Write-Host "Removed msal-angular-spa.."
  }
  # also remove service principals of this app
- Get-AzureADServicePrincipal -filter "DisplayName eq 'TodoListSPA'" | ForEach-Object {Remove-AzureADServicePrincipal -ObjectId $_.Id -Confirm:$false}
+ Get-AzureADServicePrincipal -filter "DisplayName eq 'msal-angular-spa'" | ForEach-Object {Remove-AzureADServicePrincipal -ObjectId $_.Id -Confirm:$false}
 
 }
 

6-AccessControl/1-call-api-roles/AppCreationScripts/Configure.ps1

@@ -197,9 +197,9 @@ Function ConfigureApplications
  $user = Get-AzureADUser -ObjectId $creds.Account.Id
 
  # Create the service AAD application
- Write-Host "Creating the AAD application (TodoListAPI)"
+ Write-Host "Creating the AAD application (msal-dotnet-api)"
  # create the application 
- $serviceAadApplication = New-AzureADApplication -DisplayName "TodoListAPI" `
+ $serviceAadApplication = New-AzureADApplication -DisplayName "msal-dotnet-api" `
  -HomePage "https://localhost:44351/api/todolist" `
  -PublicClient $False
 
@@ -228,48 +228,50 @@ Function ConfigureApplications
  # rename the user_impersonation scope if it exists to match the readme steps or add a new scope
  $scopes = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.OAuth2Permission]
 
- if ($scopes.Count -ge 0) 
+ # delete default scope i.e. User_impersonation
+ $scope = $serviceAadApplication.Oauth2Permissions | Where-Object { $_.Value -eq "User_impersonation" }
+ if($scope -ne $null)
  {
- # add all existing scopes first
- $serviceAadApplication.Oauth2Permissions | foreach-object { $scopes.Add($_) }
-
- $scope = $serviceAadApplication.Oauth2Permissions | Where-Object { $_.Value -eq "User_impersonation" }
+ # disable the scope
+ $scope.IsEnabled = $false
+ $scopes.Add($scope)
+ Set-AzureADApplication -ObjectId $serviceAadApplication.ObjectId -Oauth2Permissions $scopes
+
+ # clear the scope
+ $scopes.Clear()
+ Set-AzureADApplication -ObjectId $serviceAadApplication.ObjectId -Oauth2Permissions $scopes
+ }
 
- if ($scope -ne $null) 
- {
- $scope.Value = "access_as_user"
- }
- else 
- {
- # Add scope
- $scope = CreateScope -value "access_as_user" `
- -userConsentDisplayName "Access TodoListAPI" `
- -userConsentDescription "Allow the application to access TodoListAPI on your behalf." `
- -adminConsentDisplayName "Access TodoListAPI" `
+ if ($scopes.Count -ge 0) 
+ {
+ $scope = CreateScope -value access_as_user `
+ -userConsentDisplayName "Access msal-dotnet-api" `
+ -userConsentDescription "Allow the application to access msal-dotnet-api on your behalf." `
+ -adminConsentDisplayName "Access msal-dotnet-api" `
  -adminConsentDescription "Allows the app to have the same access to information in the directory on behalf of the signed-in user."
 
- $scopes.Add($scope)
-  } 
+  $scopes.Add($scope)
+ 
  }
 
  # add/update scopes
  Set-AzureADApplication -ObjectId $serviceAadApplication.ObjectId -OAuth2Permission $scopes
 
- Write-Host "Done creating the service application (TodoListAPI)"
+ Write-Host "Done creating the service application (msal-dotnet-api)"
 
  # URL of the AAD application in the Azure portal
  # Future? $servicePortalUrl = "https://portal.azure.com/#@"+$tenantName+"/blade/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/Overview/appId/"+$serviceAadApplication.AppId+"/objectId/"+$serviceAadApplication.ObjectId+"/isMSAApp/"
  $servicePortalUrl = "https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/CallAnAPI/appId/"+$serviceAadApplication.AppId+"/objectId/"+$serviceAadApplication.ObjectId+"/isMSAApp/"
- Add-Content -Value "<tr><td>service</td><td>$currentAppId</td><td><a href='$servicePortalUrl'>TodoListAPI</a></td></tr>" -Path createdApps.html
+ Add-Content -Value "<tr><td>service</td><td>$currentAppId</td><td><a href='$servicePortalUrl'>msal-dotnet-api</a></td></tr>" -Path createdApps.html
 
 
  # Create the client AAD application
- Write-Host "Creating the AAD application (TodoListSPA)"
+ Write-Host "Creating the AAD application (msal-angular-spa)"
  # create the application 
- $clientAadApplication = New-AzureADApplication -DisplayName "TodoListSPA" `
+ $clientAadApplication = New-AzureADApplication -DisplayName "msal-angular-spa" `
  -HomePage "http://localhost:4200/" `
  -ReplyUrls "http://localhost:4200/" `
- -IdentifierUris "https://$tenantName/TodoListSPA" `
+ -IdentifierUris "https://$tenantName/msal-angular-spa" `
  -PublicClient $False
 
  # create the service principal of the newly created application 
@@ -292,18 +294,18 @@ Function ConfigureApplications
  $appRoles.Add($newRole)
  Set-AzureADApplication -ObjectId $clientAadApplication.ObjectId -AppRoles $appRoles
 
- Write-Host "Done creating the client application (TodoListSPA)"
+ Write-Host "Done creating the client application (msal-angular-spa)"
 
  # URL of the AAD application in the Azure portal
  # Future? $clientPortalUrl = "https://portal.azure.com/#@"+$tenantName+"/blade/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/Overview/appId/"+$clientAadApplication.AppId+"/objectId/"+$clientAadApplication.ObjectId+"/isMSAApp/"
  $clientPortalUrl = "https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/CallAnAPI/appId/"+$clientAadApplication.AppId+"/objectId/"+$clientAadApplication.ObjectId+"/isMSAApp/"
- Add-Content -Value "<tr><td>client</td><td>$currentAppId</td><td><a href='$clientPortalUrl'>TodoListSPA</a></td></tr>" -Path createdApps.html
+ Add-Content -Value "<tr><td>client</td><td>$currentAppId</td><td><a href='$clientPortalUrl'>msal-angular-spa</a></td></tr>" -Path createdApps.html
 
  $requiredResourcesAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.RequiredResourceAccess]
 
  # Add Required Resources Access (from 'client' to 'service')
  Write-Host "Getting access from 'client' to 'service'"
- $requiredPermissions = GetRequiredPermissions -applicationDisplayName "TodoListAPI" `
+ $requiredPermissions = GetRequiredPermissions -applicationDisplayName "msal-dotnet-api" `
  -requiredDelegatedPermissions "access_as_user" `
 
  $requiredResourcesAccess.Add($requiredPermissions)
@@ -313,31 +315,37 @@ Function ConfigureApplications
  Write-Host "Granted permissions."
 
  # Update config file for 'service'
- $configFile = $pwd.Path + "\..\TodoListAPI\appsettings.json"
+ $configFile = $pwd.Path + "\..\API\appsettings.json"
  Write-Host "Updating the sample code ($configFile)"
  $dictionary = @{ "Enter the domain of your Azure AD tenant, e.g. contoso.onmicrosoft.com" = $tenantName;"Enter the ID of your Azure AD tenant copied from the Azure portal" = $tenantId;"Enter the application ID (clientId) of the 'TodoListAPI' application copied from the Azure portal" = $serviceAadApplication.AppId };
  ReplaceInTextFile -configFilePath $configFile -dictionary $dictionary
 
  # Update config file for 'client'
- $configFile = $pwd.Path + "\..\TodoListSPA\src\app\auth-config.json"
+ $configFile = $pwd.Path + "\..\SPA\src\app\auth-config.ts"
  Write-Host "Updating the sample code ($configFile)"
- $dictionary = @{ "Enter the application ID (clientId) of the 'TodoListSPA' application copied from the Azure portal" = $clientAadApplication.AppId;"Enter the ID of your Azure AD tenant copied from the Azure portal" = $tenantId;"Enter the endpoint for TodoListAPI, e.g. https://localhost:44351/api/todolist" = $serviceAadApplication.HomePage;"Enter the API scopes as declared in the app registration 'Expose an API' blade, e.g. api://{clientId}/access_as_user" = ("api://"+$serviceAadApplication.AppId+"/access_as_user") };
+ $dictionary = @{ "Enter_the_Application_Id_Here" = $clientAadApplication.AppId;"Enter_the_Tenant_Info_Here" = $tenantId;"Enter_the_Web_Api_Scope_here" = ("api://"+$serviceAadApplication.AppId+"/access_as_user") };
  ReplaceInTextFile -configFilePath $configFile -dictionary $dictionary
  Write-Host ""
  Write-Host -ForegroundColor Green "------------------------------------------------------------------------------------------------" 
  Write-Host "IMPORTANT: Please follow the instructions below to complete a few manual step(s) in the Azure portal":
  Write-Host "- For 'service'"
  Write-Host " - Navigate to '$servicePortalUrl'"
- Write-Host " - To receive the `roles` claim with the name of the app roles this user is assigned to, make sure that the user accounts you plan to sign-in to this app is assigned to the app roles of this SPA app. The guide, https://docs.microsoft.com/azure/active-directory/manage-apps/assign-user-or-group-access-portal#assign-a-user-to-an-app---portal provides step by step instructions." -ForegroundColor Red 
+ Write-Host " - To receive the `roles` claim with the name of the app roles this user is assigned to, make sure that the user accounts you plan to sign-in to this app is assigned to the app roles of this service instance. The guide, https://aka.ms/userassignmentrequired provides step by step instructions." -ForegroundColor Red 
  Write-Host " - Or you can run the ..\CreateUsersAndAssignRoles.ps1 command to automatically create a number of users, and assign these users to the app roles of this app." -ForegroundColor Red 
  Write-Host "- For 'client'"
  Write-Host " - Navigate to '$clientPortalUrl'"
  Write-Host " - Navigate to the portal and set the 'replyUrlsWithType' to 'Spa' in the application manifest" -ForegroundColor Red 
- Write-Host " - To receive the `roles` claim with the name of the app roles this user is assigned to, make sure that the user accounts you plan to sign-in to this app is assigned to the app roles of this SPA app. The guide, https://docs.microsoft.com/azure/active-directory/manage-apps/assign-user-or-group-access-portal#assign-a-user-to-an-app---portal provides step by step instructions." -ForegroundColor Red 
+ Write-Host " - To receive the `roles` claim with the name of the app roles this user is assigned to, make sure that the user accounts you plan to sign-in to this app is assigned to the app roles of this SPA app. The guide, https://aka.ms/userassignmentrequired provides step by step instructions." -ForegroundColor Red 
  Write-Host " - Or you can run the ..\CreateUsersAndAssignRoles.ps1 command to automatically create a number of users, and assign these users to the app roles of this app." -ForegroundColor Red 
 
  Write-Host -ForegroundColor Green "------------------------------------------------------------------------------------------------" 
- 
+ if($isOpenSSL -eq 'Y')
+ {
+ Write-Host -ForegroundColor Green "------------------------------------------------------------------------------------------------" 
+ Write-Host "You have generated certificate using OpenSSL so follow below steps: "
+ Write-Host "Install the certificate on your system from current folder."
+ Write-Host -ForegroundColor Green "------------------------------------------------------------------------------------------------" 
+ }
  Add-Content -Value "</tbody></table></body></html>" -Path createdApps.html 
 }
 

6-AccessControl/1-call-api-roles/AppCreationScripts/sample.json

@@ -1,16 +1,16 @@
 {
  "Sample": {
- "Title": "An Angular single-page application (SPA) calling a protected web API and using App Roles to implement Role-Based Access Control (RBAC)",
+ "Title": "Angular single-page application calling a protected web API and using App Roles to implement Role-Based Access Control",
  "Level": 300,
- "Client": "Angular SPA TodoListSPA",
- "Service": ".NET Core web API TodoListAPI",
- "RepositoryUrl": "ms-identity-javascript-angular-spa-dotnetcore-webapi-roles-groups",
+ "Client": "Angular SPA",
+ "Service": ".NET Core web API",
+ "RepositoryUrl": "ms-identity-javascript-angular-tutorial",
  "Endpoint": "AAD v2.0"
  },
  "AADApps": [
  {
  "Id": "service",
- "Name": "TodoListAPI-chapter1",
+ "Name": "msal-dotnet-api",
  "Kind": "WebApi",
  "Audience": "AzureADMyOrg",
  "HomePage": "https://localhost:44351/api/todolist",
@@ -33,7 +33,7 @@
  },
  {
  "Id": "client",
- "Name": "TodoListSPA-chapter1",
+ "Name": "msal-angular-spa",
  "Kind": "SinglePageApplication",
  "Audience": "AzureADMyOrg",
  "HomePage": "http://localhost:4200/",
@@ -67,7 +67,7 @@
  {
  "App": "service",
  "SettingKind": "Replace",
- "SettingFile": "\\..\\TodoListAPI\\appsettings.json",
+ "SettingFile": "\\..\\API\\appsettings.json",
  "Mappings": [
  {
  "key": "Enter the domain of your Azure AD tenant, e.g. contoso.onmicrosoft.com",
@@ -87,22 +87,18 @@
  {
  "App": "client",
  "SettingKind": "Replace",
- "SettingFile": "\\..\\TodoListSPA\\src\\app\\auth-config.json",
+ "SettingFile": "\\..\\SPA\\src\\app\\auth-config.ts",
  "Mappings": [
  {
- "key": "Enter the application ID (clientId) of the 'TodoListSPA' application copied from the Azure portal",
+ "key": "Enter_the_Application_Id_Here",
  "value": "client.AppId"
  },
  {
- "key": "Enter the ID of your Azure AD tenant copied from the Azure portal",
+ "key": "Enter_the_Tenant_Info_Here",
  "value": "$tenantId"
  },
  {
- "key": "Enter the endpoint for TodoListAPI, e.g. https://localhost:44351/api/todolist",
- "value": "service.HomePage"
- },
- {
- "key": "Enter the API scopes as declared in the app registration 'Expose an API' blade, e.g. api://{clientId}/access_as_user",
+ "key": "Enter_the_Web_Api_Scope_here",
  "value": "service.Scope"
  }
  ]