Minor fixes and enhancements

Author: Kalyan Krishna

AppCreationScripts/Configure.ps1

@@ -1,3 +1,10 @@
+[CmdletBinding()]
+    param(
+        [PSCredential] $Credential,
+        [Parameter(HelpMessage='Tenant ID (This is a GUID which represents the "Directory ID" of the AzureAD tenant into which you want to create the apps')]
+        [string] $tenantId
+    )
+
 <#
  This script creates the Azure AD applications needed for this sample and updates the configuration files
  for the visual Studio projects from the data in the Azure AD applications.
@@ -8,6 +15,10 @@
  2) in the PowerShell window, type: Install-Module AzureAD
 
  There are four ways to run this script. For more information, read the AppCreationScripts.md file in the same folder as this script.
+
+ # Parameters
+ # $tenantId is the Active Directory Tenant. This is a GUID which represents the "Directory ID" of the AzureAD tenant
+ # into which you want to create the apps. Look it up in the Azure portal in the "Properties" of the Azure AD.
 #>
 
 # Adds the requiredAccesses (expressed as a pipe separated string) to the requiredAccess structure
@@ -92,18 +103,7 @@ Function ConfigureApplications
    This function creates the Azure AD applications for the sample in the provided Azure AD tenant and updates the
    configuration files in the client and service project  of the visual studio solution (App.Config and Web.Config)
    so that they are consistent with the Applications parameters
-#> 
-    [CmdletBinding()]
-    param(
-        [PSCredential] $Credential,
-        [Parameter(HelpMessage='Tenant ID (This is a GUID which represents the "Directory ID" of the AzureAD tenant into which you want to create the apps')]
-        [string] $tenantId
-    )
-
-   process
-   {
-    # $tenantId is the Active Directory Tenant. This is a GUID which represents the "Directory ID" of the AzureAD tenant
-    # into which you want to create the apps. Look it up in the Azure portal in the "Properties" of the Azure AD.
+#>
 
     # Login to Azure PowerShell (interactive if credentials are not already provided:
     # you'll need to sign-in with creds enabling your to create apps in the tenant)
@@ -140,6 +140,12 @@ Function ConfigureApplications
 
    $currentAppId = $serviceAadApplication.AppId
    $serviceServicePrincipal = New-AzureADServicePrincipal -AppId $currentAppId -Tags {WindowsAzureActiveDirectoryIntegratedApp}
+
+   # add this user as app owner
+   $user = Get-AzureADUser -ObjectId $creds.Account.Id
+   Add-AzureADApplicationOwner -ObjectId $serviceAadApplication.ObjectId -RefObjectId $user.ObjectId
+   Write-Host "'$($user.UserPrincipalName)' added as an application owner to app '$($serviceAadApplication.DisplayName)'"
+
    Write-Host "Done."
 
    # URL of the AAD application in the Azure portal
@@ -155,6 +161,11 @@ Function ConfigureApplications
 
    $currentAppId = $clientAadApplication.AppId
    $clientServicePrincipal = New-AzureADServicePrincipal -AppId $currentAppId -Tags {WindowsAzureActiveDirectoryIntegratedApp}
+
+   # add this user as app owner
+   Add-AzureADApplicationOwner -ObjectId $clientAadApplication.ObjectId -RefObjectId $user.ObjectId
+   Write-Host "'$($user.UserPrincipalName)' added as an application owner to app '$($clientServicePrincipal.DisplayName)'"
+
    Write-Host "Done."
 
    # URL of the AAD application in the Azure portal
@@ -186,8 +197,7 @@ Function ConfigureApplications
    ReplaceSetting -configFilePath $configFile -key "todo:TodoListResourceId" -newValue $serviceAadApplication.IdentifierUris
    ReplaceSetting -configFilePath $configFile -key "todo:TodoListBaseAddress" -newValue $serviceAadApplication.HomePage
    Add-Content -Value "</tbody></table></body></html>" -Path createdApps.html
-
-  }
+  
 }
 
 

README.md

@@ -27,9 +27,14 @@ A token represents the outcome of an authentication operation with some artifact
 
 With Azure Active Directory taking the full responsibility of verifying user's raw credentials, the token receiver's responsibility shifts from verifying raw credentials to verifying that their caller did indeed go through your identity provider of choice and successfully authenticated. The identity provider represents successful authentication operations by issuing a token, hence the job now becomes to validate that token.
 
+### What to validate 
+While you should always validate tokens issued to the resources (audience) that you are developineg, your application will also obtain access tokens for other resources from AAD. AAD will provide an access token in whatever token format that is appropriate to that resource. 
+This access token itself should be treated like an opaque blob by your application, as your app isn’t the access token’s intended audience and thus your app should not bother itself with looking into the contents of this access token. 
+Your app should just pass it in the call to the resource. It's the called resource's responsibility to validate this access token token.
+
 ### Validating the claims
 
-When an application receives an ID token upon user sign-in, it should also perform a few checks against the claims in the ID token. These verifications include but are not limited to:
+When an application receives an access token upon user sign-in, it should also perform a few checks against the claims in the access token. These verifications include but are not limited to:
 
 - **audience** claim, to verify that the ID token was intended to be given to your application
 - **not before** and "expiration time" claims, to verify that the ID token has not expired
@@ -95,7 +100,7 @@ of the Azure Active Directory window respectively as *Name* and *Directory ID*
 #### Register the TodoListClient client app
 
 1. Click on **App registrations** and choose **New application registration**.
-1. Enter a friendly name for the application, for example 'TodoListClient-DotNet' and select 'Native' as the Application Type. For the redirect URI, enter `https://TodoListClient`. Please note that the Redirect URI will not be used in this sample, but it needs to be defined nonetheless. Click on **Create** to create the application.
+1. Enter a friendly name for the application, for example 'TodoListClient-ManualJwt' and select 'Native' as the Application Type. For the redirect URI, enter `https://TodoListClient`. Please note that the Redirect URI will not be used in this sample, but it needs to be defined nonetheless. Click on **Create** to create the application.
 1. In the succeeding page, Find the **Application ID** value and copy it to the clipboard.
 1. Then click on **Settings** and choose **Properties**.
 1. Configure Permissions for your application - in the Settings menu, choose the **Required permissions** section, click on **Add**, then **Select an API**, and type 'TodoListService' in the textbox and hit enter. Select 'TodoListService-ManualJwt' from the results and click the 'Select' button. Then, click on  **Select Permissions** and select 'Access TodoListService-ManualJwt'. Click the 'Select' button again to close this screen. Click on **Done** to finish adding the permission.

TodoListClient/App.config

@@ -1,8 +1,8 @@
 <?xml version="1.0" encoding="utf-8" ?>
 <configuration>
-    <startup> 
-        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
-    </startup>
+  <startup>
+    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
+  </startup>
   <appSettings>
     <add key="ida:Tenant" value="[Enter tenant name, e.g. contoso.onmicrosoft.com]" />
     <add key="ida:ClientId" value="[Enter client ID as obtained from Azure Portal, e.g. 82692da5-a86f-44c9-9d53-2f88d52b478b]" />

TodoListClient/FileCache.cs

@@ -37,15 +37,15 @@ class FileCache : TokenCache
         private static readonly object FileLock = new object();
 
         // Initializes the cache against a local file.
-        // If the file is already rpesent, it loads its content in the ADAL cache
+        // If the file is already present, it loads its content in the ADAL cache
         public FileCache(string filePath=@".\TokenCache.dat")
         {
-            CacheFilePath = filePath;
-            this.AfterAccess = AfterAccessNotification;
-            this.BeforeAccess = BeforeAccessNotification;
+            this.CacheFilePath = filePath;
+            this.AfterAccess = this.AfterAccessNotification;
+            this.BeforeAccess = this.BeforeAccessNotification;
             lock (FileLock)
             {
-                this.Deserialize(File.Exists(CacheFilePath) ? ProtectedData.Unprotect(File.ReadAllBytes(CacheFilePath), null, DataProtectionScope.CurrentUser) : null);
+                this.Deserialize(File.Exists(this.CacheFilePath) ? ProtectedData.Unprotect(File.ReadAllBytes(this.CacheFilePath), null, DataProtectionScope.CurrentUser) : null);
             }
         }
 
@@ -62,7 +62,7 @@ void BeforeAccessNotification(TokenCacheNotificationArgs args)
         {
             lock (FileLock)
             {
-                this.Deserialize(File.Exists(CacheFilePath) ?  ProtectedData.Unprotect(File.ReadAllBytes(CacheFilePath),null,DataProtectionScope.CurrentUser) : null);
+                this.Deserialize(File.Exists(this.CacheFilePath) ?  ProtectedData.Unprotect(File.ReadAllBytes(this.CacheFilePath),null,DataProtectionScope.CurrentUser) : null);
             }
         }
 
@@ -75,7 +75,7 @@ void AfterAccessNotification(TokenCacheNotificationArgs args)
                 lock (FileLock)
                 {                    
                     // reflect changes in the persistent store
-                    File.WriteAllBytes(CacheFilePath, ProtectedData.Protect(this.Serialize(),null,DataProtectionScope.CurrentUser));
+                    File.WriteAllBytes(this.CacheFilePath, ProtectedData.Protect(this.Serialize(),null,DataProtectionScope.CurrentUser));
                     // once the write operation took place, restore the HasStateChanged bit to false
                     this.HasStateChanged = false;
                 }                

TodoListService-ManualJwt/Web.config

@@ -18,7 +18,7 @@
     <compilation debug="true" targetFramework="4.5" />
     <httpRuntime targetFramework="4.5" />
   </system.web>
-  
+
   <runtime>
     <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
       <dependentAssembly>
@@ -59,11 +59,12 @@
       </dependentAssembly>
     </assemblyBinding>
   </runtime>
-<system.webServer>
+  <system.webServer>
     <handlers>
       <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
       <remove name="OPTIONSVerbHandler" />
       <remove name="TRACEVerbHandler" />
       <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
     </handlers>
-  </system.webServer></configuration>
+  </system.webServer>
+</configuration>