Merge pull request #25 from Azure-Samples/samplesupdate

Updated "System.IdentityModel.Tokens.Jwt" to "5.2.4" and minor typos addressed

Author: Kalyan Krishna

AppCreationScripts/Configure.ps1

@@ -1,3 +1,10 @@
+[CmdletBinding()]
+    param(
+        [PSCredential] $Credential,
+        [Parameter(HelpMessage='Tenant ID (This is a GUID which represents the "Directory ID" of the AzureAD tenant into which you want to create the apps')]
+        [string] $tenantId
+    )
+
 <#
  This script creates the Azure AD applications needed for this sample and updates the configuration files
  for the visual Studio projects from the data in the Azure AD applications.
@@ -8,6 +15,10 @@
  2) in the PowerShell window, type: Install-Module AzureAD
 
  There are four ways to run this script. For more information, read the AppCreationScripts.md file in the same folder as this script.
+
+ # Parameters
+ # $tenantId is the Active Directory Tenant. This is a GUID which represents the "Directory ID" of the AzureAD tenant
+ # into which you want to create the apps. Look it up in the Azure portal in the "Properties" of the Azure AD.
 #>
 
 # Adds the requiredAccesses (expressed as a pipe separated string) to the requiredAccess structure
@@ -55,7 +66,7 @@ Function GetRequiredPermissions([string] $applicationDisplayName, [string] $requ
     {
         AddResourcePermission $requiredAccess -exposedPermissions $sp.Oauth2Permissions -requiredAccesses $requiredDelegatedPermissions -permissionType "Scope"
     }
-    
+
     # $sp.AppRoles | Select Id,AdminConsentDisplayName,Value: To see the list of all the Application permissions for the application
     if ($requiredApplicationPermissions)
     {
@@ -92,18 +103,7 @@ Function ConfigureApplications
    This function creates the Azure AD applications for the sample in the provided Azure AD tenant and updates the
    configuration files in the client and service project  of the visual studio solution (App.Config and Web.Config)
    so that they are consistent with the Applications parameters
-#> 
-    [CmdletBinding()]
-    param(
-        [PSCredential] $Credential,
-        [Parameter(HelpMessage='Tenant ID (This is a GUID which represents the "Directory ID" of the AzureAD tenant into which you want to create the apps')]
-        [string] $tenantId
-    )
-
-   process
-   {
-    # $tenantId is the Active Directory Tenant. This is a GUID which represents the "Directory ID" of the AzureAD tenant
-    # into which you want to create the apps. Look it up in the Azure portal in the "Properties" of the Azure AD.
+#>
 
     # Login to Azure PowerShell (interactive if credentials are not already provided:
     # you'll need to sign-in with creds enabling your to create apps in the tenant)
@@ -140,6 +140,12 @@ Function ConfigureApplications
 
    $currentAppId = $serviceAadApplication.AppId
    $serviceServicePrincipal = New-AzureADServicePrincipal -AppId $currentAppId -Tags {WindowsAzureActiveDirectoryIntegratedApp}
+
+   # add this user as app owner
+   $user = Get-AzureADUser -ObjectId $creds.Account.Id
+   Add-AzureADApplicationOwner -ObjectId $serviceAadApplication.ObjectId -RefObjectId $user.ObjectId
+   Write-Host "'$($user.UserPrincipalName)' added as an application owner to app '$($serviceAadApplication.DisplayName)'"
+
    Write-Host "Done."
 
    # URL of the AAD application in the Azure portal
@@ -155,6 +161,11 @@ Function ConfigureApplications
 
    $currentAppId = $clientAadApplication.AppId
    $clientServicePrincipal = New-AzureADServicePrincipal -AppId $currentAppId -Tags {WindowsAzureActiveDirectoryIntegratedApp}
+
+   # add this user as app owner
+   Add-AzureADApplicationOwner -ObjectId $clientAadApplication.ObjectId -RefObjectId $user.ObjectId
+   Write-Host "'$($user.UserPrincipalName)' added as an application owner to app '$($clientServicePrincipal.DisplayName)'"
+
    Write-Host "Done."
 
    # URL of the AAD application in the Azure portal
@@ -170,6 +181,13 @@ Function ConfigureApplications
    Set-AzureADApplication -ObjectId $clientAadApplication.ObjectId -RequiredResourceAccess $requiredResourcesAccess
    Write-Host "Granted."
 
+   # Configure known client applications for service
+   Write-Host "Configure known client applications for the 'service'"
+   $knowApplications = New-Object System.Collections.Generic.List[System.String]
+   $knowApplications.Add($clientAadApplication.AppId)
+   Set-AzureADApplication -ObjectId $serviceAadApplication.ObjectId -KnownClientApplications $knowApplications
+   Write-Host "Configured."
+
    # Update config file for 'service'
    $configFile = $pwd.Path + "\..\TodoListService-ManualJwt\Web.Config"
    Write-Host "Updating the sample code ($configFile)"
@@ -186,8 +204,7 @@ Function ConfigureApplications
    ReplaceSetting -configFilePath $configFile -key "todo:TodoListResourceId" -newValue $serviceAadApplication.IdentifierUris
    ReplaceSetting -configFilePath $configFile -key "todo:TodoListBaseAddress" -newValue $serviceAadApplication.HomePage
    Add-Content -Value "</tbody></table></body></html>" -Path createdApps.html
-
-  }
+  
 }
 
 

README.md

@@ -27,9 +27,14 @@ A token represents the outcome of an authentication operation with some artifact
 
 With Azure Active Directory taking the full responsibility of verifying user's raw credentials, the token receiver's responsibility shifts from verifying raw credentials to verifying that their caller did indeed go through your identity provider of choice and successfully authenticated. The identity provider represents successful authentication operations by issuing a token, hence the job now becomes to validate that token.
 
+### What to validate 
+While you should always validate tokens issued to the resources (audience) that you are developineg, your application will also obtain access tokens for other resources from AAD. AAD will provide an access token in whatever token format that is appropriate to that resource. 
+This access token itself should be treated like an opaque blob by your application, as your app isn’t the access token’s intended audience and thus your app should not bother itself with looking into the contents of this access token. 
+Your app should just pass it in the call to the resource. It's the called resource's responsibility to validate this access token token.
+
 ### Validating the claims
 
-When an application receives an ID token upon user sign-in, it should also perform a few checks against the claims in the ID token. These verifications include but are not limited to:
+When an application receives an access token upon user sign-in, it should also perform a few checks against the claims in the access token. These verifications include but are not limited to:
 
 - **audience** claim, to verify that the ID token was intended to be given to your application
 - **not before** and "expiration time" claims, to verify that the ID token has not expired
@@ -95,7 +100,7 @@ of the Azure Active Directory window respectively as *Name* and *Directory ID*
 #### Register the TodoListClient client app
 
 1. Click on **App registrations** and choose **New application registration**.
-1. Enter a friendly name for the application, for example 'TodoListClient-DotNet' and select 'Native' as the Application Type. For the redirect URI, enter `https://TodoListClient`. Please note that the Redirect URI will not be used in this sample, but it needs to be defined nonetheless. Click on **Create** to create the application.
+1. Enter a friendly name for the application, for example 'TodoListClient-ManualJwt' and select 'Native' as the Application Type. For the redirect URI, enter `https://TodoListClient`. Please note that the Redirect URI will not be used in this sample, but it needs to be defined nonetheless. Click on **Create** to create the application.
 1. In the succeeding page, Find the **Application ID** value and copy it to the clipboard.
 1. Then click on **Settings** and choose **Properties**.
 1. Configure Permissions for your application - in the Settings menu, choose the **Required permissions** section, click on **Add**, then **Select an API**, and type 'TodoListService' in the textbox and hit enter. Select 'TodoListService-ManualJwt' from the results and click the 'Select' button. Then, click on  **Select Permissions** and select 'Access TodoListService-ManualJwt'. Click the 'Select' button again to close this screen. Click on **Done** to finish adding the permission.

TodoListClient/App.config

@@ -1,8 +1,8 @@
 <?xml version="1.0" encoding="utf-8" ?>
 <configuration>
-    <startup> 
-        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
-    </startup>
+  <startup>
+    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
+  </startup>
   <appSettings>
     <add key="ida:Tenant" value="[Enter tenant name, e.g. contoso.onmicrosoft.com]" />
     <add key="ida:ClientId" value="[Enter client ID as obtained from Azure Portal, e.g. 82692da5-a86f-44c9-9d53-2f88d52b478b]" />

TodoListClient/FileCache.cs

@@ -37,15 +37,15 @@ class FileCache : TokenCache
         private static readonly object FileLock = new object();
 
         // Initializes the cache against a local file.
-        // If the file is already rpesent, it loads its content in the ADAL cache
+        // If the file is already present, it loads its content in the ADAL cache
         public FileCache(string filePath=@".\TokenCache.dat")
         {
-            CacheFilePath = filePath;
-            this.AfterAccess = AfterAccessNotification;
-            this.BeforeAccess = BeforeAccessNotification;
+            this.CacheFilePath = filePath;
+            this.AfterAccess = this.AfterAccessNotification;
+            this.BeforeAccess = this.BeforeAccessNotification;
             lock (FileLock)
             {
-                this.Deserialize(File.Exists(CacheFilePath) ? ProtectedData.Unprotect(File.ReadAllBytes(CacheFilePath), null, DataProtectionScope.CurrentUser) : null);
+                this.Deserialize(File.Exists(this.CacheFilePath) ? ProtectedData.Unprotect(File.ReadAllBytes(this.CacheFilePath), null, DataProtectionScope.CurrentUser) : null);
             }
         }
 
@@ -62,7 +62,7 @@ void BeforeAccessNotification(TokenCacheNotificationArgs args)
         {
             lock (FileLock)
             {
-                this.Deserialize(File.Exists(CacheFilePath) ?  ProtectedData.Unprotect(File.ReadAllBytes(CacheFilePath),null,DataProtectionScope.CurrentUser) : null);
+                this.Deserialize(File.Exists(this.CacheFilePath) ?  ProtectedData.Unprotect(File.ReadAllBytes(this.CacheFilePath),null,DataProtectionScope.CurrentUser) : null);
             }
         }
 
@@ -75,7 +75,7 @@ void AfterAccessNotification(TokenCacheNotificationArgs args)
                 lock (FileLock)
                 {                    
                     // reflect changes in the persistent store
-                    File.WriteAllBytes(CacheFilePath, ProtectedData.Protect(this.Serialize(),null,DataProtectionScope.CurrentUser));
+                    File.WriteAllBytes(this.CacheFilePath, ProtectedData.Protect(this.Serialize(),null,DataProtectionScope.CurrentUser));
                     // once the write operation took place, restore the HasStateChanged bit to false
                     this.HasStateChanged = false;
                 }                

TodoListService-ManualJwt/Global.asax.cs

@@ -14,32 +14,28 @@
 //    limitations under the License.
 //----------------------------------------------------------------------------------------------
 
+using Microsoft.IdentityModel.Protocols;
+using Microsoft.IdentityModel.Protocols.OpenIdConnect;
+using Microsoft.IdentityModel.Tokens;
 using System;
 using System.Collections.Generic;
-using System.Linq;
+using System.Configuration;
+using System.Globalization;
+using System.IdentityModel.Tokens.Jwt;
+using System.Net;
+
+// The following using statements were added for this sample.
+using System.Net.Http;
+using System.Net.Http.Headers;
+using System.Security.Claims;
+using System.Threading;
+using System.Threading.Tasks;
 using System.Web;
 using System.Web.Http;
 using System.Web.Mvc;
 using System.Web.Optimization;
 using System.Web.Routing;
 
-// The following using statements were added for this sample.
-using System.Net.Http;
-using System.IdentityModel.Tokens;
-using System.Threading.Tasks;
-using System.Threading;
-using System.Net;
-using System.IdentityModel.Selectors;
-using System.Security.Claims;
-using System.Net.Http.Headers;
-using System.IdentityModel.Metadata;
-using System.ServiceModel.Security;
-using System.Xml;
-using System.Security.Cryptography.X509Certificates;
-using System.Globalization;
-using System.Configuration;
-using Microsoft.IdentityModel.Protocols;
-
 namespace TodoListService_ManualJwt
 {
     public class WebApiApplication : System.Web.HttpApplication
@@ -63,17 +59,18 @@ internal class TokenValidationHandler : DelegatingHandler
         // The Authority is the sign-in URL of the tenant.
         // The Audience is the value the service expects to see in tokens that are addressed to it.
         //
-        static string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
-        static string tenant = ConfigurationManager.AppSettings["ida:Tenant"];
-        static string audience = ConfigurationManager.AppSettings["ida:Audience"];
-        static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
-        string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);
-
-        static string _issuer = string.Empty;
-        static List<SecurityToken> _signingTokens = null;
-        static DateTime _stsMetadataRetrievalTime = DateTime.MinValue;
-        static string scopeClaimType = "http://schemas.microsoft.com/identity/claims/scope";
-        
+        private static string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
+
+        private static string tenant = ConfigurationManager.AppSettings["ida:Tenant"];
+        private static string audience = ConfigurationManager.AppSettings["ida:Audience"];
+        private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
+        private string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);
+
+        private static string _issuer = string.Empty;
+        private static ICollection<SecurityKey> _signingKeys = null;
+        private static DateTime _stsMetadataRetrievalTime = DateTime.MinValue;
+        private static string scopeClaimType = "http://schemas.microsoft.com/identity/claims/scope";
+
         //
         // SendAsync checks that incoming requests have a valid access token, and sets the current user identity using that access token.
         //
@@ -89,32 +86,32 @@ protected async override Task<HttpResponseMessage> SendAsync(HttpRequestMessage
 
             if (jwtToken == null)
             {
-                HttpResponseMessage response = BuildResponseErrorMessage(HttpStatusCode.Unauthorized);
+                HttpResponseMessage response = this.BuildResponseErrorMessage(HttpStatusCode.Unauthorized);
                 return response;
             }
 
             string issuer;
-            List<SecurityToken> signingTokens;
+            ICollection<SecurityKey> signingKeys;
 
             try
             {
-                // The issuer and signingTokens are cached for 24 hours. They are updated if any of the conditions in the if condition is true.            
+                // The issuer and signingKeys are cached for 24 hours. They are updated if any of the conditions in the if condition is true.
                 if (DateTime.UtcNow.Subtract(_stsMetadataRetrievalTime).TotalHours > 24
                     || string.IsNullOrEmpty(_issuer)
-                    || _signingTokens == null)
+                    || _signingKeys == null)
                 {
                     // Get tenant information that's used to validate incoming jwt tokens
-                    string stsDiscoveryEndpoint = string.Format("{0}/.well-known/openid-configuration", authority);
-                    ConfigurationManager<OpenIdConnectConfiguration> configManager = new ConfigurationManager<OpenIdConnectConfiguration>(stsDiscoveryEndpoint);
-                    OpenIdConnectConfiguration config = await configManager.GetConfigurationAsync();
+                    string stsDiscoveryEndpoint = $"{this.authority}/.well-known/openid-configuration";
+                    var configManager = new ConfigurationManager<OpenIdConnectConfiguration>(stsDiscoveryEndpoint, new OpenIdConnectConfigurationRetriever());
+                    var config = await configManager.GetConfigurationAsync(cancellationToken);
                     _issuer = config.Issuer;
-                    _signingTokens = config.SigningTokens.ToList();
-                    
+                    _signingKeys = config.SigningKeys;
+
                     _stsMetadataRetrievalTime = DateTime.UtcNow;
                 }
 
                 issuer = _issuer;
-                signingTokens = _signingTokens;
+                signingKeys = _signingKeys;
             }
             catch (Exception)
             {
@@ -129,9 +126,8 @@ protected async override Task<HttpResponseMessage> SendAsync(HttpRequestMessage
                 ValidAudiences = new[] { audience, clientId },
 
                 // Supports both the Azure AD V1 and V2 endpoint
-                ValidIssuers = new [] { issuer, $"{issuer}/v2.0" },
-                IssuerSigningTokens = signingTokens,
-                CertificateValidator = X509CertificateValidator.None // Certificate validation does not make sense since AAD's metadata document is signed with a self-signed certificate.
+                ValidIssuers = new[] { issuer, $"{issuer}/v2.0" },
+                IssuerSigningKeys = signingKeys
             };
 
             try
@@ -152,15 +148,15 @@ protected async override Task<HttpResponseMessage> SendAsync(HttpRequestMessage
                 // If the token is scoped, verify that required permission is set in the scope claim.
                 if (ClaimsPrincipal.Current.FindFirst(scopeClaimType) != null && ClaimsPrincipal.Current.FindFirst(scopeClaimType).Value != "user_impersonation")
                 {
-                    HttpResponseMessage response = BuildResponseErrorMessage(HttpStatusCode.Forbidden);
+                    HttpResponseMessage response = this.BuildResponseErrorMessage(HttpStatusCode.Forbidden);
                     return response;
                 }
 
                 return await base.SendAsync(request, cancellationToken);
             }
             catch (SecurityTokenValidationException)
             {
-                HttpResponseMessage response = BuildResponseErrorMessage(HttpStatusCode.Unauthorized);
+                HttpResponseMessage response = this.BuildResponseErrorMessage(HttpStatusCode.Unauthorized);
                 return response;
             }
             catch (Exception)
@@ -176,11 +172,11 @@ private HttpResponseMessage BuildResponseErrorMessage(HttpStatusCode statusCode)
             //
             // The Scheme should be "Bearer", authorization_uri should point to the tenant url and resource_id should point to the audience.
             //
-            AuthenticationHeaderValue authenticateHeader = new AuthenticationHeaderValue("Bearer", "authorization_uri=\"" + authority + "\"" + "," + "resource_id=" + audience);
+            AuthenticationHeaderValue authenticateHeader = new AuthenticationHeaderValue("Bearer", "authorization_uri=\"" + this.authority + "\"" + "," + "resource_id=" + audience);
 
             response.Headers.WwwAuthenticate.Add(authenticateHeader);
 
             return response;
         }
     }
-}
+}