CustomHandler added and described

Kalyan Krishna · Kalyan Krishna · commit 85063f187c43 · 2021-10-15T13:19:29.000-07:00
diff --git a/README.md b/README.md
@@ -27,12 +27,22 @@ endpoint: AAD v2.0
   - [Validating the claims](#validating-the-claims)
 - [Prerequisites](#prerequisites)
 - [Setup](#setup)
+  - [Step 1:  Clone or download this repository](#step-1--clone-or-download-this-repository)
+  - [Register the sample application(s) with your Azure Active Directory tenant](#register-the-sample-applications-with-your-azure-active-directory-tenant)
+  - [Choose the Azure AD tenant where you want to create your applications](#choose-the-azure-ad-tenant-where-you-want-to-create-your-applications)
+  - [Register the service app (TodoListService-ManualJwt)](#register-the-service-app-todolistservice-manualjwt)
+  - [Register the client app (TodoListClient-ManualJwt)](#register-the-client-app-todolistclient-manualjwt)
+- [Running the sample](#running-the-sample)
 - [Explore the sample](#explore-the-sample)
 - [About The Code](#about-the-code)
+  - [Providing your own Custom token validation handler](#providing-your-own-custom-token-validation-handler)
 - [How To Recreate This Sample](#how-to-recreate-this-sample)
   - [Creating the TodoListService-ManualJwt Project](#creating-the-todolistservice-manualjwt-project)
   - [Creating the TodoListClient Project](#creating-the-todolistclient-project)
 - [How to deploy this sample to Azure](#how-to-deploy-this-sample-to-azure)
+  - [Create and publish the `TodoListService-ManualJwt` to an Azure Web Site](#create-and-publish-the-todolistservice-manualjwt-to-an-azure-web-site)
+  - [Update the Active Directory tenant application registration for `TodoListService-ManualJwt`](#update-the-active-directory-tenant-application-registration-for-todolistservice-manualjwt)
+  - [Update the `TodoListClient-ManualJwt` to call the `TodoListService-ManualJwt` Running in Azure Web Sites](#update-the-todolistclient-manualjwt-to-call-the-todolistservice-manualjwt-running-in-azure-web-sites)
 - [Azure Government Deviations](#azure-government-deviations)
 - [Troubleshooting](#troubleshooting)
 - [Community Help and Support](#community-help-and-support)
@@ -257,24 +267,79 @@ Explore the sample by signing in, adding items to the To Do list, removing the u
 
 ## About The Code
 
-The manual JWT validation occurs in the [TokenValidationHandler](https://github.com/Azure-Samples/active-directory-dotnet-webapi-manual-jwt-validation/blob/master/TodoListService-ManualJwt/Global.asax.cs#L58) implementation in the `Global.aspx.cs` file in the TodoListService-ManualJwt project. Each time a call is made to the web API, the [TokenValidationHandler.SendAsync()](https://github.com/Azure-Samples/active-directory-dotnet-webapi-manual-jwt-validation/blob/4b80657c5506c8cb30af67b9f61bb6aa68dfca58/TodoListService-ManualJwt/Global.asax.cs#L80) handler is executed:
+The manual JWT validation occurs in the [TokenValidationHandler](https://github.com/Azure-Samples/active-directory-dotnet-webapi-manual-jwt-validation/blob/master/TodoListService-ManualJwt/Global.asax.cs#L58) implementation in the `Global.aspx.cs` file in the TodoListService-ManualJwt project. 
+Each time a call is made to the web API, the [TokenValidationHandler.SendAsync()](https://github.com/Azure-Samples/active-directory-dotnet-webapi-manual-jwt-validation/blob/4b80657c5506c8cb30af67b9f61bb6aa68dfca58/TodoListService-ManualJwt/Global.asax.cs#L80) handler is executed:
 
 This method:
 
-1. gets the token from the Authorization headers
-1. gets the open ID configuration from the Azure AD discovery endpoint
-1. ensures that the web API is consented to and provisioned in the Azure AD tenant from where the access token originated
-1. verifies that the token has not expired
-1. sets the parameters to validate:
+1. Gets the token from the Authorization headers
+1. Gets the open ID configuration, including keys from the Azure AD discovery endpoint
+1. Sets the parameters to validate in `GetTokenValidationParameters()`
     - the audience - the application accepts both its App ID URI and its AppID/clientID
     - the valid issuers - the application accepts both Azure AD V1 and Azure AD V2
-
-1. then it delegates to the `JwtSecurityTokenHandler` class (provided by the `Microsoft.IdentityModel.Tokens` library)
+1. Then the token is validated
+1. An asp.net claims principal is created after a successful validation
+1. ensures that the web API is consented to and provisioned in the Azure AD tenant from where the access token originated
+1. Finally, a check for scopes that the web API expects from the caller is carried out
 
 The `TokenValidationHandler` class is registered with ASP.NET in the `TodoListService-ManualJwt/Global.asx.cs` file, in the [Application_Start()](https://github.com/Azure-Samples/active-directory-dotnet-webapi-manual-jwt-validation/blob/4b80657c5506c8cb30af67b9f61bb6aa68dfca58/TodoListService-ManualJwt/Global.asax.cs#L54) method.
 
 For more validation options, please refer to [TokenValidationParameters.cs](https://docs.microsoft.com/dotnet/api/microsoft.identitymodel.tokens.tokenvalidationparameters?view=azure-dotnet)
 
+### Providing your own Custom token validation handler
+
+If you do not wish to control the token validation from its very beginning to the end as laid out in the `Global.asax.cs`, but only limit yourself to validate business logic based on claims in the presented token, you can craft a Custom token handler as provided in the example below.  
+The provided example, validates to allow callers from a list of whitelisted tenants only.
+
+1. Create a custom handler implementation
+
+```CSharp
+
+public class CustomTokenHandler : JwtSecurityTokenHandler
+{
+   public override ClaimsPrincipal ValidateToken(
+      string token, TokenValidationParameters validationParameters,
+      out SecurityToken validatedToken)
+   {
+      try
+      {
+            var claimsPrincipal = base.ValidateToken(token, validationParameters, out validatedToken);
+
+            string[] allowedTenants = { "14c2f153-90a7-4689-9db7-9543bf084dad", "af8cc1a0-d2aa-4ca7-b829-00d361edb652", "979f4440-75dc-4664-b2e1-2cafa0ac67d1" };
+            string tenantId = claimsPrincipal.Claims.FirstOrDefault(x => x.Type == "tid" || x.Type == "http://schemas.microsoft.com/identity/claims/tenantid")?.Value;
+
+            if (!allowedTenants.Contains(tenantId))
+            {
+               throw new Exception("This tenant is not authorized");
+            }
+
+            return claimsPrincipal;
+      }
+      catch (Exception e)
+      {            
+            throw;
+      }
+   }
+}
+
+   ```
+
+1. Assign the custom handler in `Startup.Auth.cs`
+
+  ```CSharp
+
+app.UseWindowsAzureActiveDirectoryBearerAuthentication(
+               new WindowsAzureActiveDirectoryBearerAuthenticationOptions
+               {
+                  Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
+                  TokenValidationParameters = new TokenValidationParameters
+                  {
+                     ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
+                  },
+                  TokenHandler = new CustomTokenHandler()
+               });
+   ```
+
 ## How To Recreate This Sample
 
 First, in Visual Studio 2017 create an empty solution to host the projects.  Then, follow these steps to create each project.
@@ -386,7 +451,7 @@ This project has adopted the [Microsoft Open Source Code of Conduct](https://ope
 
 ## More information
 
-- [Microsoft identity platform (Azure Active Directory for developers)](https://docs.microsoft.com/en-us/azure/active-directory/develop/)
+- [Microsoft identity platform (Azure Active Directory for developers)](https://docs.microsoft.com/azure/active-directory/develop/)
 - [MSAL.NET's conceptual documentation](https://aka.ms/msal-net)
 - [Quickstart: Register an application with the Microsoft identity platform](https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app)
 - [Quickstart: Configure a client application to access web APIs](https://docs.microsoft.com/azure/active-directory/develop/quickstart-configure-app-access-web-apis)
diff --git a/TodoListClient/TodoListClient-ManualJwt.csproj b/TodoListClient/TodoListClient-ManualJwt.csproj
@@ -63,6 +63,9 @@
       <Generator>MSBuild:Compile</Generator>
       <SubType>Designer</SubType>
     </ApplicationDefinition>
+    <Compile Include="..\TodoListService-ManualJwt\Models\TodoItem.cs">
+      <Link>TodoItem.cs</Link>
+    </Compile>
     <Compile Include="FileCache.cs" />
     <Page Include="MainWindow.xaml">
       <Generator>MSBuild:Compile</Generator>
@@ -107,12 +110,6 @@
       <SubType>Designer</SubType>
     </None>
   </ItemGroup>
-  <ItemGroup>
-    <ProjectReference Include="..\Shared\Shared.csproj">
-      <Project>{f4e8b876-762e-4eec-99bc-7ef12b01799d}</Project>
-      <Name>Shared</Name>
-    </ProjectReference>
-  </ItemGroup>
   <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
   <!-- To modify your build process, add your task inside one of the targets below and uncomment it. 
        Other similar extension points exist, see Microsoft.Common.targets.
diff --git a/TodoListService-ManualJwt/App_Start/Startup.Auth.cs b/TodoListService-ManualJwt/App_Start/Startup.Auth.cs
@@ -0,0 +1,11 @@
+﻿using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Web;
+
+namespace TodoListService_ManualJwt.App_Start
+{
+    public class Startup
+    {
+    }
+}
diff --git a/TodoListService-ManualJwt/Global.asax.cs b/TodoListService-ManualJwt/Global.asax.cs
@@ -72,7 +72,6 @@ internal class TokenValidationHandler : DelegatingHandler
         private string _audience = ConfigurationManager.AppSettings["ida:Audience"];
         private string _clientId = ConfigurationManager.AppSettings["ida:ClientId"];
         private string _tenant = ConfigurationManager.AppSettings["ida:TenantId"];
-        private ISecurityTokenValidator _tokenValidator;
         private string _authority;
         private ConfigurationManager<OpenIdConnectConfiguration> _configManager;
 
@@ -81,8 +80,6 @@ public TokenValidationHandler()
             _authority = string.Format(CultureInfo.InvariantCulture, ConfigurationManager.AppSettings["ida:AADInstance"], _tenant);
             // The ConfigurationManager class holds properties to control the metadata refresh interval. For more details, https://docs.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.protocols.configurationmanager-1?view=azure-dotnet
             _configManager = new ConfigurationManager<OpenIdConnectConfiguration>($"{_authority}/.well-known/openid-configuration", new OpenIdConnectConfigurationRetriever());
-
-            _tokenValidator = new JwtSecurityTokenHandler();
         }
 
         /// <summary>
diff --git a/TodoListService-ManualJwt/Models/TodoItem.cs b/TodoListService-ManualJwt/Models/TodoItem.cs
@@ -0,0 +1,32 @@
+﻿/*
+ The MIT License (MIT)
+
+Copyright (c) 2015 Microsoft Corporation
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+*/
+
+namespace Shared.Models
+{
+    public class TodoItem
+    {
+        public string Title { get; set; }
+        public string Owner { get; set; }
+    }
+}
diff --git a/TodoListService-ManualJwt/Services/CustomTokenHandler.cs b/TodoListService-ManualJwt/Services/CustomTokenHandler.cs
@@ -0,0 +1,43 @@
+﻿using Microsoft.IdentityModel.Tokens;
+using System;
+using System.Collections.Generic;
+using System.IdentityModel.Tokens.Jwt;
+using System.Linq;
+using System.Security.Claims;
+using System.Web;
+
+namespace TodoListService_ManualJwt.Services
+{
+    /// <summary>
+    /// Custom token handler to apply custom logic to token validation
+    /// </summary>
+    /// <seealso cref="JwtSecurityTokenHandler" />
+    public class CustomTokenHandler : JwtSecurityTokenHandler
+    {
+        public override ClaimsPrincipal ValidateToken(
+            string token, TokenValidationParameters validationParameters,
+            out SecurityToken validatedToken)
+        {
+            try
+            {
+                var claimsPrincipal = base.ValidateToken(token, validationParameters, out validatedToken);
+
+                // Custom token validation to allow callers from a list of whitelisted tenants
+                string[] allowedTenants = { "14c2f153-90a7-4689-9db7-9543bf084dad", "af8cc1a0-d2aa-4ca7-b829-00d361edb652", "979f4440-75dc-4664-b2e1-2cafa0ac67d1", "4d39e77c-b0f3-4253-ae0b-7068ddd47949", "556b80b7-c9fc-41fd-92da-c3635f7918e5" };
+                string tenantId = claimsPrincipal.Claims.FirstOrDefault(x => x.Type == "tid" || x.Type == "http://schemas.microsoft.com/identity/claims/tenantid")?.Value;
+
+                if (!allowedTenants.Contains(tenantId))
+                {
+                    throw new Exception("This tenant is not authorized to this web api");
+                }
+
+                return claimsPrincipal;
+            }
+            catch (Exception e)
+            {
+
+                throw;
+            }
+        }
+    }
+}
diff --git a/TodoListService-ManualJwt/TodoListService-ManualJwt.csproj b/TodoListService-ManualJwt/TodoListService-ManualJwt.csproj
@@ -168,7 +168,9 @@
     <Compile Include="Global.asax.cs">
       <DependentUpon>Global.asax</DependentUpon>
     </Compile>
+    <Compile Include="Models\TodoItem.cs" />
     <Compile Include="Properties\AssemblyInfo.cs" />
+    <Compile Include="Services\CustomTokenHandler.cs" />
     <Compile Include="Utils\ClaimConstants.cs" />
   </ItemGroup>
   <ItemGroup>
@@ -239,12 +241,6 @@
     <Content Include="Views\Shared\_Layout.cshtml" />
     <Content Include="Scripts\jquery-2.1.1.min.map" />
   </ItemGroup>
-  <ItemGroup>
-    <ProjectReference Include="..\Shared\Shared.csproj">
-      <Project>{F4E8B876-762E-4EEC-99BC-7EF12B01799D}</Project>
-      <Name>Shared</Name>
-    </ProjectReference>
-  </ItemGroup>
   <ItemGroup>
     <None Include="Project_Readme.html" />
   </ItemGroup>
diff --git a/WebAPI-ManuallyValidateJwt-DotNet.sln b/WebAPI-ManuallyValidateJwt-DotNet.sln
@@ -7,8 +7,6 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "TodoListClient-ManualJwt",
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "TodoListService-ManualJwt", "TodoListService-ManualJwt\TodoListService-ManualJwt.csproj", "{67104329-E1DA-4A37-A556-834684DBC409}"
 EndProject
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Shared", "Shared\Shared.csproj", "{F4E8B876-762E-4EEC-99BC-7EF12B01799D}"
-EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -23,10 +21,6 @@ Global
 		{67104329-E1DA-4A37-A556-834684DBC409}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{67104329-E1DA-4A37-A556-834684DBC409}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{67104329-E1DA-4A37-A556-834684DBC409}.Release|Any CPU.Build.0 = Release|Any CPU
-		{F4E8B876-762E-4EEC-99BC-7EF12B01799D}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{F4E8B876-762E-4EEC-99BC-7EF12B01799D}.Debug|Any CPU.Build.0 = Debug|Any CPU
-		{F4E8B876-762E-4EEC-99BC-7EF12B01799D}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{F4E8B876-762E-4EEC-99BC-7EF12B01799D}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
