Ready for review

Author: Kalyan Krishna

AppCreationScripts/Configure.ps1

@@ -208,7 +208,7 @@ Function ConfigureApplications
    # Update config file for 'client'
    $configFile = $pwd.Path + "\..\TodoListClient\App.Config"
    Write-Host "Updating the sample code ($configFile)"
-   ReplaceSetting -configFilePath $configFile -key "ida:Tenant" -newValue $tenantName
+   ReplaceSetting -configFilePath $configFile -key "ida:TenantId" -newValue $tenantId
    ReplaceSetting -configFilePath $configFile -key "ida:ClientId" -newValue $clientAadApplication.AppId
    ReplaceSetting -configFilePath $configFile -key "todo:TodoListResourceId" -newValue $serviceIdentifierUri
    ReplaceSetting -configFilePath $configFile -key "todo:TodoListBaseAddress" -newValue $serviceAadApplication.HomePage

AppCreationScripts/sample.json

@@ -69,8 +69,8 @@
       "SettingFile": "\\..\\TodoListClient\\App.Config",
       "Mappings": [
         {
-          "key": "ida:Tenant",
-          "value": "$tenantName"
+          "key": "ida:TenantId",
+          "value": "$tenantId"
         },
         {
           "key": "ida:ClientId",

TodoListClient/App.config

@@ -9,5 +9,6 @@
     <add key="todo:TodoListResourceId" value="[Enter App ID URI of TodoListService-ManualJwt, e.g. api://{clientID}]" />
     <add key="ida:AADInstance" value="https://login.microsoftonline.com/{0}/v2.0" />
     <add key="todo:TodoListBaseAddress" value="https://localhost:44324" />
+    <add key="todo:TodoListScope" value="user_impersonation" />
   </appSettings>
 </configuration>

TodoListClient/MainWindow.xaml.cs

@@ -198,7 +198,7 @@ private async void AddTodoItem(object sender, RoutedEventArgs e)
             // There is no access token in the cache, so prompt the user to sign-in.
             catch (MsalUiRequiredException)
             {
-                MessageBox.Show("Please re-sign");
+                MessageBox.Show("Please re-signIn");
                 SignInButton.Content = signInString;
             }
             catch (MsalException ex)
@@ -269,7 +269,7 @@ private async void SignIn(object sender = null, RoutedEventArgs args = null)
             //
             try
             {
-                // Force a sign-in (PromptBehavior.Always), as the ADAL web browser might contain cookies for the current user, and using .Auto
+                // Force a sign-in (PromptBehavior.Always), as the MSAL web browser might contain cookies for the current user, and using .Auto
                 // would re-sign-in the same user
                 var result = await _app.AcquireTokenInteractive(scopes)
                     .WithAccount(accounts.FirstOrDefault())
@@ -303,6 +303,7 @@ private async void SignIn(object sender = null, RoutedEventArgs args = null)
                 }
 
                 UserName.Content = Properties.Resources.UserNotSignedIn;
+                //SignInButton.Content = signInString;
             }
         }
 

TodoListService-ManualJwt/Global.asax.cs

@@ -26,6 +26,7 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 using Microsoft.IdentityModel.Protocols.OpenIdConnect;
 using Microsoft.IdentityModel.Tokens;
 using System;
+using System.Collections.Generic;
 using System.Configuration;
 using System.Globalization;
 using System.IdentityModel.Tokens.Jwt;
@@ -71,16 +72,16 @@ internal class TokenValidationHandler : DelegatingHandler
         private string _authority;
         private string _clientId;
         private ConfigurationManager<OpenIdConnectConfiguration> _configManager;
-
+        private string _tenant;
         private ISecurityTokenValidator _tokenValidator;
 
         public TokenValidationHandler()
         {
             _audience = ConfigurationManager.AppSettings["ida:Audience"];
             _clientId = ConfigurationManager.AppSettings["ida:ClientId"];
             var aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
-            var tenant = ConfigurationManager.AppSettings["ida:Tenant"];
-            _authority = string.Format(CultureInfo.InvariantCulture, aadInstance, tenant);
+            _tenant = ConfigurationManager.AppSettings["ida:TenantId"];
+            _authority = string.Format(CultureInfo.InvariantCulture, aadInstance, _tenant);
             _configManager = new ConfigurationManager<OpenIdConnectConfiguration>($"{_authority}/.well-known/openid-configuration", new OpenIdConnectConfigurationRetriever());
             _tokenValidator = new JwtSecurityTokenHandler();
         }
@@ -93,6 +94,9 @@ public TokenValidationHandler()
         /// <returns>A <see cref="HttpResponseMessage"/>.</returns>
         protected async override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
         {
+            // For debugging/development purposes, one can enable additional detail in exceptions by setting IdentityModelEventSource.ShowPII to true.
+            Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;
+
             // check if there is a jwt in the authorization header, return 'Unauthorized' error if the token is null.
             if (request.Headers.Authorization == null || request.Headers.Authorization.Parameter == null)
                 return BuildResponseErrorMessage(HttpStatusCode.Unauthorized);
@@ -104,19 +108,35 @@ protected async override Task<HttpResponseMessage> SendAsync(HttpRequestMessage
             {
                 config = await _configManager.GetConfigurationAsync(cancellationToken).ConfigureAwait(false);
             }
-            catch (Exception)
+            catch (Exception ex)
             {
+#if DEBUG
+                return BuildResponseErrorMessage(HttpStatusCode.InternalServerError, ex.Message);
+#else
                 return new HttpResponseMessage(HttpStatusCode.InternalServerError);
+#endif
             }
 
+            // You can get a list of issuers for the various Azure AD deployments (global & sovereign) from the following endpoint
+            //https://login.microsoftonline.com/common/discovery/instance?authorization_endpoint=https://login.microsoftonline.com/common/oauth2/v2.0/authorize&api-version=1.1;
+
+            IList<string> validissuers = new List<string>()
+            {
+                $"https://login.microsoftonline.com/{_tenant}/",
+                $"https://login.microsoftonline.com/{_tenant}/v2.0",
+                $"https://login.windows.net/{_tenant}/",
+                $"https://login.microsoft.com/{_tenant}/",
+                $"https://sts.windows.net/{_tenant}/"
+            };
+
             // Initialize the token validation parameters
             TokenValidationParameters validationParameters = new TokenValidationParameters
             {
                 // App Id URI and AppId of this service application are both valid audiences.
                 ValidAudiences = new[] { _audience, _clientId },
 
                 // Support Azure AD V1 and V2 endpoints.
-                ValidIssuers = new[] { config.Issuer, $"{config.Issuer}/v2.0" },
+                ValidIssuers = validissuers,
                 IssuerSigningKeys = config.SigningKeys
             };
 
@@ -130,7 +150,11 @@ protected async override Task<HttpResponseMessage> SendAsync(HttpRequestMessage
                 if (!claimsPrincipal.Claims.Any(x => x.Type == ClaimConstants.ScopeClaimType)
                    && !claimsPrincipal.Claims.Any(y => y.Type == ClaimConstants.RolesClaimType))
                 {
-                    throw new UnauthorizedAccessException("Neither scope or roles claim was found in the bearer token.");
+#if DEBUG
+                    return BuildResponseErrorMessage(HttpStatusCode.Forbidden, "Neither 'scope' or 'roles' claim was found in the bearer token.");
+#else
+                    return BuildResponseErrorMessage(HttpStatusCode.Forbidden);
+#endif
                 }
 #pragma warning restore 1998
 
@@ -147,22 +171,30 @@ protected async override Task<HttpResponseMessage> SendAsync(HttpRequestMessage
 
                 return await base.SendAsync(request, cancellationToken);
             }
-            catch (SecurityTokenValidationException)
+            catch (SecurityTokenValidationException stex)
             {
+#if DEBUG
+                return BuildResponseErrorMessage(HttpStatusCode.Unauthorized, stex.Message);
+#else
                 return BuildResponseErrorMessage(HttpStatusCode.Unauthorized);
+#endif
             }
-            catch (Exception)
+            catch (Exception ex)
             {
+#if DEBUG
+                return BuildResponseErrorMessage(HttpStatusCode.InternalServerError, ex.Message);
+#else
                 return new HttpResponseMessage(HttpStatusCode.InternalServerError);
+#endif
             }
         }
 
-        private HttpResponseMessage BuildResponseErrorMessage(HttpStatusCode statusCode)
+        private HttpResponseMessage BuildResponseErrorMessage(HttpStatusCode statusCode, string error_description = "")
         {
             var response = new HttpResponseMessage(statusCode);
 
             // The Scheme should be "Bearer", authorization_uri should point to the tenant url and resource_id should point to the audience.
-            var authenticateHeader = new AuthenticationHeaderValue("Bearer", "authorization_uri=\"" + _authority + "\"" + "," + "resource_id=" + _audience);
+            var authenticateHeader = new AuthenticationHeaderValue("Bearer", "authorization_uri=\"" + _authority + "\"" + "," + "resource_id=" + _audience + $",error_description={error_description}");
             response.Headers.WwwAuthenticate.Add(authenticateHeader);
             return response;
         }

TodoListService-ManualJwt/Web.config

@@ -9,8 +9,8 @@
     <add key="webpages:Enabled" value="false" />
     <add key="ClientValidationEnabled" value="true" />
     <add key="UnobtrusiveJavaScriptEnabled" value="true" />
-    <add key="ida:ClientId" value="[Enter the Application Id (also named ClientId) for the application]" />
-    <add key="ida:Tenant" value="[Enter tenant name, e.g. contoso.onmicrosoft.com]" />
+    <add key="ida:ClientId" value="[Enter the Application Id (also named ClientId) for the application]" />    
+    <add key="ida:TenantId" value="[Enter the tenant/Directory Id name, e.g b898afb8-75af-4d05-ba80-6177b3a6a1e1]" />
     <add key="ida:Audience" value="[Enter App ID URI of TodoListService-ManualJwt, e.g. api://{client Id of TodoListService-ManualJwt]}" />
     <add key="ida:AADInstance" value="https://login.microsoftonline.com/{0}/v2.0" />
   </appSettings>