diff --git a/src/Microsoft.Identity.Web/Constants/Constants.cs b/src/Microsoft.Identity.Web/Constants/Constants.cs index c14f33ccb..a0f95edf7 100644 --- a/src/Microsoft.Identity.Web/Constants/Constants.cs +++ b/src/Microsoft.Identity.Web/Constants/Constants.cs @@ -55,6 +55,12 @@ public static class Constants /// public const string Policy = "policy"; + /// + /// SpaAuthCode. + /// Key to retreive SpaAuthCode from the HttpContext. + /// + public const string SpaAuthCode = "SpaAuthCode"; + // IssuerMetadata internal const string TenantDiscoveryEndpoint = "tenant_discovery_endpoint"; internal const string ApiVersion = "api-version"; diff --git a/src/Microsoft.Identity.Web/MergedOptions.cs b/src/Microsoft.Identity.Web/MergedOptions.cs index 781ae856e..1500ec398 100644 --- a/src/Microsoft.Identity.Web/MergedOptions.cs +++ b/src/Microsoft.Identity.Web/MergedOptions.cs @@ -202,6 +202,7 @@ internal static void UpdateMergedOptionsFromMicrosoftIdentityOptions(MicrosoftId mergedOptions.SaveTokens = microsoftIdentityOptions.SaveTokens; mergedOptions.SecurityTokenValidator ??= microsoftIdentityOptions.SecurityTokenValidator; mergedOptions.SendX5C = microsoftIdentityOptions.SendX5C; + mergedOptions.WithSpaAuthCode = microsoftIdentityOptions.WithSpaAuthCode; mergedOptions.SignedOutCallbackPath = microsoftIdentityOptions.SignedOutCallbackPath; if (string.IsNullOrEmpty(mergedOptions.SignedOutRedirectUri) && !string.IsNullOrEmpty(microsoftIdentityOptions.SignedOutRedirectUri)) { diff --git a/src/Microsoft.Identity.Web/Microsoft.Identity.Web.xml b/src/Microsoft.Identity.Web/Microsoft.Identity.Web.xml index 977d78d49..41be5756a 100644 --- a/src/Microsoft.Identity.Web/Microsoft.Identity.Web.xml +++ b/src/Microsoft.Identity.Web/Microsoft.Identity.Web.xml @@ -153,6 +153,12 @@ The name of the policy to check against a specific user flow. + + + SpaAuthCode. + Key to retreive SpaAuthCode from the HttpContext. + + Constants related to the error messages. @@ -163,6 +169,2136 @@ Constants related to the log messages. + + + Extension class containing cookie policies (work around for same site). + + + + + Handles SameSite cookie issue according to the https://docs.microsoft.com/en-us/aspnet/core/security/samesite?view=aspnetcore-3.1. + The default list of user agents that disallow "SameSite=None", + was taken from https://devblogs.microsoft.com/aspnet/upcoming-samesite-cookie-changes-in-asp-net-and-asp-net-core/. + + to update. + to chain. + + + + Handles SameSite cookie issue according to the docs: https://docs.microsoft.com/en-us/aspnet/core/security/samesite?view=aspnetcore-3.1 + The default list of user agents that disallow "SameSite=None", was taken from https://devblogs.microsoft.com/aspnet/upcoming-samesite-cookie-changes-in-asp-net-and-asp-net-core/. + + to update. + If you don't want to use the default user agent list implementation, + the method sent in this parameter will be run against the user agent and if returned true, SameSite value will be set to Unspecified. + The default user agent list used can be found at: https://devblogs.microsoft.com/aspnet/upcoming-samesite-cookie-changes-in-asp-net-and-asp-net-core/. + to chain. + + + + Checks if the specified user agent supports "SameSite=None" cookies. + + Browser user agent. + + Incompatible user agents include: + + Versions of Chrome from Chrome 51 to Chrome 66 (inclusive on both ends). + Versions of UC Browser on Android prior to version 12.13.2. + Versions of Safari and embedded browsers on MacOS 10.14 and all browsers on iOS 12. + + Reference: https://www.chromium.org/updates/same-site/incompatible-clients. + + True, if the user agent does not allow "SameSite=None" cookie; otherwise, false. + + + + Implementation for the downstream web API. + + + + + Constructor. + + Token acquisition service. + Named options provider. + HTTP client. + Configuration options. + + + + + + + + + + + + + Merge the options from configuration and override from caller. + + Named configuration. + Delegate to override the configuration. + + + + Extension methods to support downstream web API services. + + + + + Adds a named downstream web API service related to a specific configuration section. + + Builder. + Name of the configuration for the service. + This is the name used when calling the service from controller/pages. + Configuration. + The builder for chaining. + + + + Adds a named downstream web API service initialized with delegates. + + Builder. + Name of the configuration for the service. + This is the name which will be used when calling the service from controller/pages. + Action to configure the options. + The builder for chaining. + + + + Extensions for the downstream web API. + + + + + Get a strongly typed response from the web API. + + Output type. + The downstream web API. + Name of the service describing the downstream web API. There can + be several configuration named sections mapped to a , + each for one downstream web API. You can pass-in null, but in that case + needs to be set. + Path to the API endpoint relative to the base URL specified in the configuration. + Overrides the options proposed in the configuration described + by . + [Optional] Claims representing a user. This is useful in platforms like Blazor + or Azure Signal R, where the HttpContext is not available. In other platforms, the library + will find the user from the HttpContext. + Authentication scheme. If null, will use OpenIdConnectDefault.AuthenticationScheme + if called from a web app, and JwtBearerDefault.AuthenticationScheme if called from a web API. + A strongly typed response from the web API. + + + + Calls the web API with an HttpPost, providing strongly typed input and getting + strongly typed output. + + Output type. + Input type. + The downstream web API. + Name of the service describing the downstream web API. There can + be several configuration named sections mapped to a , + each for one downstream web API. You can pass-in null, but in that case + needs to be set. + Path to the API endpoint relative to the base URL specified in the configuration. + Input data sent to the API. + Overrides the options proposed in the configuration described + by . + [Optional] Claims representing a user. This is useful in platforms like Blazor + or Azure Signal R, where the HttpContext is not available. In other platforms, the library + will find the user from the HttpContext. + Authentication scheme. If null, will use OpenIdConnectDefault.AuthenticationScheme + if called from a web app, and JwtBearerDefault.AuthenticationScheme if called from a web API. + A strongly typed response from the web API. + + + + Calls the web API endpoint with an HttpPut, providing strongly typed input data. + + Input type. + The downstream web API. + Name of the service describing the downstream web API. There can + be several configuration named sections mapped to a , + each for one downstream web API. You can pass-in null, but in that case + needs to be set. + Path to the API endpoint relative to the base URL specified in the configuration. + Input data sent to the API. + Overrides the options proposed in the configuration described + by . + [Optional] Claims representing a user. This is useful in platforms like Blazor + or Azure Signal R, where the HttpContext is not available. In other platforms, the library + will find the user from the HttpContext. + Authentication scheme. If null, will use OpenIdConnectDefault.AuthenticationScheme + if called from a web app, and JwtBearerDefault.AuthenticationScheme if called from a web API. + The value returned by the downstream web API. + + + + Calls the web API endpoint with an HttpPut, provinding strongly typed input data + and getting back strongly typed data. + + Output type. + Input type. + The downstream web API. + Name of the service describing the downstream web API. There can + be several configuration named sections mapped to a , + each for one downstream web API. You can pass-in null, but in that case + needs to be set. + Path to the API endpoint relative to the base URL specified in the configuration. + Input data sent to the API. + Overrides the options proposed in the configuration described + by . + [Optional] Claims representing a user. This is useful in platforms like Blazor + or Azure Signal R, where the HttpContext is not available. In other platforms, the library + will find the user from the HttpContext. + Authentication scheme. If null, will use OpenIdConnectDefault.AuthenticationScheme + if called from a web app, and JwtBearerDefault.AuthenticationScheme if called from a web API. + A strongly typed response from the web API. + + + + Call a web API endpoint with an HttpGet, + and return strongly typed data. + + Output type. + The downstream web API. + Name of the service describing the downstream web API. There can + be several configuration named sections mapped to a , + each for one downstream web API. You can pass-in null, but in that case + needs to be set. + Overrides the options proposed in the configuration described + by . + [Optional] Claims representing a user. This is useful in platforms like Blazor + or Azure Signal R, where the HttpContext is not available. In other platforms, the library + will find the user from the HttpContext. + Authentication scheme. If null, will use OpenIdConnectDefault.AuthenticationScheme + if called from a web app, and JwtBearerDefault.AuthenticationScheme if called from a web API. + The value returned by the downstream web API. + + + + Call a web API with a strongly typed input, with an HttpGet. + + Input type. + The downstream web API. + Name of the service describing the downstream web API. There can + be several configuration named sections mapped to a , + each for one downstream web API. You can pass-in null, but in that case + needs to be set. + Input data. + Overrides the options proposed in the configuration described + by . + [Optional] Claims representing a user. This is useful in platforms like Blazor + or Azure Signal R, where the HttpContext is not available. In other platforms, the library + will find the user from the HttpContext. + Authentication scheme. If null, will use OpenIdConnectDefault.AuthenticationScheme + if called from a web app, and JwtBearerDefault.AuthenticationScheme if called from a web API. + The value returned by the downstream web API. + + + + Options passed-in to call downstream web APIs. To call Microsoft Graph, see rather + MicrosoftGraphOptions in the Microsoft.Identity.Web.MicrosoftGraph assembly. + + + + + Base URL for the called downstream web API. For instance "https://graph.microsoft.com/beta/".. + + + + + Path relative to the (for instance "me"). + + + + + HTTP method used to call this downstream web API (by default Get). + + + + + Provides an opportunity to customize the HttpRequestMessage. For example, + to customize the headers. This is called after the message was formed, including + the Authorization header, and just before the message is sent. + + + + + Clone the options (to be able to override them). + + A clone of the options. + + + + Return the downstream web API URL. + + URL of the downstream web API. + + + + Clone the options (to be able to override them). + + A clone of the options. + + + + Interface used to call a downstream web API, for instance from controllers. + + + + + Calls the downstream web API for the user, based on a description of the + downstream web API in the configuration. + + Name of the service describing the downstream web API. There can + be several configuration named sections mapped to a , + each for one downstream web API. You can pass-in null, but in that case + needs to be set. + Overrides the options proposed in the configuration described + by . + [Optional] Claims representing a user. This is useful on platforms like Blazor + or Azure Signal R, where the HttpContext is not available. In other platforms, the library + will find the user from the HttpContext. + HTTP context in the case where is + , , . + An that the application will process. + + + + Calls the downstream web API for the user, based on a description of the + downstream web API in the configuration. + + Name of the service describing the downstream web API. There can + be several configuration named sections mapped to a , + each for one downstream web API. You can pass-in null, but in that case + needs to be set. + Authentication scheme. If null, will use OpenIdConnectDefault.AuthenticationScheme + if called from a web app, and JwtBearerDefault.AuthenticationScheme if called from a web API. + Overrides the options proposed in the configuration described + by . + [Optional] Claims representing a user. This is useful on platforms like Blazor + or Azure Signal R, where the HttpContext is not available. In other platforms, the library + will find the user from the HttpContext. + HTTP context in the case where is + , , . + An that the application will process. + + + + Calls a downstream web API consuming JSON with some data and returns data. + + Input type. + Output type. + Name of the service describing the downstream web API. There can + be several configuration named sections mapped to a , + each for one downstream web API. You can pass-in null, but in that case + needs to be set. + Input parameter to the downstream web API. + Overrides the options proposed in the configuration described + by . + [Optional] Claims representing a user. This is useful in platforms like Blazor + or Azure Signal R, where the HttpContext is not available. In other platforms, the library + will find the user from the HttpContext. + The value returned by the downstream web API. + + A list method that returns an IEnumerable<MyItem>>. + + public Task<IEnumerable<MyItem>> GetAsync() + { + return _downstreamWebApi.CallWebApiForUserAsync<object, IEnumerable<MyItem>>( + ServiceName, + null, + options => + { + options.RelativePath = $"api/todolist"; + }); + } + + + Example of editing. + + public Task<MyItem> EditAsync(MyItem myItem) + { + return _downstreamWebApi.CallWebApiForUserAsync<MyItem, MyItem>( + ServiceName, + nyItem, + options => + { + options.HttpMethod = HttpMethod.Patch; + options.RelativePath = $"api/todolist/{myItem.Id}"; + }); + } + + + + + + Calls a downstream web API consuming JSON with some data and returns data. + + Input type. + Output type. + Name of the service describing the downstream web API. There can + be several configuration named sections mapped to a , + each for one downstream web API. You can pass-in null, but in that case + needs to be set. + Input parameter to the downstream web API. + Authentication scheme. If null, will use OpenIdConnectDefault.AuthenticationScheme + if called from a web app, and JwtBearerDefault.AuthenticationScheme if called from a web API. + Overrides the options proposed in the configuration described + by . + [Optional] Claims representing a user. This is useful in platforms like Blazor + or Azure Signal R, where the HttpContext is not available. In other platforms, the library + will find the user from the HttpContext. + The value returned by the downstream web API. + + A list method that returns an IEnumerable<MyItem>>. + + public Task<IEnumerable<MyItem>> GetAsync() + { + return _downstreamWebApi.CallWebApiForUserAsync<object, IEnumerable<MyItem>>( + ServiceName, + null, + options => + { + options.RelativePath = $"api/todolist"; + }); + } + + + Example of editing. + + public Task<MyItem> EditAsync(MyItem myItem) + { + return _downstreamWebApi.CallWebApiForUserAsync<MyItem, MyItem>( + ServiceName, + nyItem, + options => + { + options.HttpMethod = HttpMethod.Patch; + options.RelativePath = $"api/todolist/{myItem.Id}"; + }); + } + + + + + + Calls the downstream web API for the app, with the required scopes. + + Name of the service describing the downstream web API. There can + be several configuration named sections mapped to a , + each for one downstream web API. You can pass-in null, but in that case + needs to be set. + Overrides the options proposed in the configuration described + by . + HTTP content in the case where is + , , . + An that the application will process. + + + + Calls the downstream web API for the app, with the required scopes. + + Name of the service describing the downstream web API. There can + be several configuration named sections mapped to a , + each for one downstream web API. You can pass-in null, but in that case + needs to be set. + Authentication scheme. If null, will use OpenIdConnectDefault.AuthenticationScheme + if called from a web app, and JwtBearerDefault.AuthenticationScheme if called from a web API. + Overrides the options proposed in the configuration described + by . + HTTP content in the case where is + , , . + An that the application will process. + + + + A DelegatingHandler implementation that add an authorization header with a token for the application. + + + + + Initializes a new instance of the class. + + Token acquisition service. + Named options provider. + Name of the service describing the downstream web API. + + + + + + + Base class for Microsoft Identity authentication message handlers. + + + + + Gets the token acquisition service. + + + + + Initializes a new instance of the class. + + Token acquisition service. + Named options provider. + Name of the service describing the downstream web API. + + + + Gets the options for the specified request. + + The request. + The configured options. + + + + Base options passed-in to authenticate with Microsoft Identity. + + + + + Space separated scopes required to call the downstream web API. + For instance "user.read mail.read". + + + + + [Optional] tenant ID. This is used for specific scenarios where + the application needs to call a downstream web API on behalf of a user in several tenants. + It would mostly be used from code, not from the configuration. + + + + + [Optional]. User flow (in the case of a B2C downstream web API). If not + specified, the B2C downstream web API will be called with the default user flow from + . + + + + + Modifies the token acquisition request so that the acquired token is a Proof of Possession token (PoP), + rather than a Bearer token. + PoP tokens are similar to Bearer tokens, but are bound to the HTTP request and to a cryptographic key, + which MSAL can manage. See https://aka.ms/msal-net-pop. + Set to true to enable PoP tokens automatically. + + + + + Options passed-in to create the token acquisition object which calls into MSAL .NET. + + + + + Authentication scheme. If null, will use OpenIdConnectDefault.AuthenticationScheme + if called from a web app, and JwtBearerDefault.AuthenticationScheme if called from a web API. + + + + + Returns the scopes. + + Scopes. + + + + Extension for IHttpClientBuilder for startup initialization of Microsoft Identity authentication handlers. + + + + + Adds a named Microsoft Identity user authentication message handler related to a specific configuration section. + + Builder. + Name of the configuration for the service. + Configuration. + The builder for chaining. + + + + Adds a named Microsoft Identity user authentication message handler initialized with delegates. + + Builder. + Name of the configuration for the service. + Action to configure the options. + The builder for chaining. + + + + Adds a named Microsoft Identity application authentication message handler related to a specific configuration section. + + Builder. + Name of the configuration for the service. + Configuration. + The builder for chaining. + + + + Adds a named Microsoft Identity application authentication message handler initialized with delegates. + + Builder. + Name of the configuration for the service. + Action to configure the options. + The builder for chaining. + + + + Options passed-in to Microsoft Identity message handlers. + + + + + Clone the options (to be able to override them). + + A clone of the options. + + + + Clone the options (to be able to override them). + + A clone of the options. + + + + A DelegatingHandler implementation that add an authorization header with a token on behalf of the current user. + + + + + Initializes a new instance of the class. + + Token acquisition service. + Named options provider. + Configuration options. + Name of the service describing the downstream web API. + + + + + + + Extension methods. + + + + Determines whether the specified string collection contains any. + The search for. + The string collection. + + true if the specified string collection contains any; otherwise, false. + + + + Keep the validated token associated with the HTTP request. + + HTTP context. + Token to preserve after the token is validated so that + it can be used in the actions. + + + + Get the parsed information about the token used to call the web API. + + HTTP context associated with the current request. + used to call the web API. + + + + Provides access to get or set the current error status. + The default implementation will use TempData and be enabled when run under Development. + + + + + Gets the error message for the current request. + + Current . + The current error message if available. + + + + Sets the error message for the current request. + + Current . + Error message to set. + + + + Gets whether error messages should be displayed. + + + + + Helper methods to handle incremental consent and conditional access in + a web app. + + + + + Can the exception be solved by re-signing-in the user?. + + Exception from which the decision will be made. + Returns true if the issue can be solved by signing-in + the user, and false, otherwise. + + + + Build authentication properties needed for incremental consent. + + Scopes to request. + instance. + User. + Userflow being invoked for AAD B2C. + AuthenticationProperties. + + + + An implementation of IConfigurationRetriever geared towards Azure AD issuers metadata. + + + + Retrieves a populated configuration given an address and an . + Address of the discovery document. + The to use to read the discovery document. + A cancellation token that can be used by other objects or threads to receive notice of cancellation. . + + A that, when completed, returns from the configuration. + + address - Azure AD Issuer metadata address URL is required + or retriever - No metadata document retriever is provided. + + + + Model class to hold information parsed from the Azure AD issuer endpoint. + + + + + Issuer associated with the OIDC endpoint. + + + + + Interface for the token acquisition service (encapsulating MSAL.NET). + + + + + Typically used from an ASP.NET Core web app or web API controller. This method gets an access token + for a downstream API on behalf of the user account for which the claims are provided in the + member of the controller's parameter. + + Scopes to request for the downstream API to call. + Enables to override the tenant/account for the same identity. This is useful in the + cases where a given account is guest in other tenants, and you want to acquire tokens for a specific tenant. + Azure AD B2C UserFlow to target. + Optional claims principal representing the user. If not provided, will use the signed-in + user (in a web app), or the user for which the token was received (in a web API) + cases where a given account is guest in other tenants, and you want to acquire tokens for a specific tenant, like where the user is a guest in. + Options passed-in to create the token acquisition object which calls into MSAL .NET. + An access token to call on behalf of the user, the downstream API characterized by its scopes. + + + + Typically used from an ASP.NET Core web app or web API controller. This method gets an access token + for a downstream API on behalf of the user account for which the claims are provided in the + member of the controller's parameter. + + Scopes to request for the downstream API to call. + Authentication scheme. If null, will use OpenIdConnectDefault.AuthenticationScheme + if called from a web app, and JwtBearerDefault.AuthenticationScheme if called from a web API. + Enables to override the tenant/account for the same identity. This is useful in the + cases where a given account is guest in other tenants, and you want to acquire tokens for a specific tenant. + Azure AD B2C UserFlow to target. + Optional claims principal representing the user. If not provided, will use the signed-in + user (in a web app), or the user for which the token was received (in a web API) + cases where a given account is guest in other tenants, and you want to acquire tokens for a specific tenant, like where the user is a guest in. + Options passed-in to create the token acquisition object which calls into MSAL .NET. + An access token to call on behalf of the user, the downstream API characterized by its scopes. + + + + Typically used from an ASP.NET Core web app or web API controller. This method gets an access token + for a downstream API on behalf of the user account for which the claims are provided in the + member of the controller's parameter. + + Scopes to request for the downstream API to call. + Enables to override the tenant/account for the same identity. This is useful in the + cases where a given account is a guest in other tenants, and you want to acquire tokens for a specific tenant. + Azure AD B2C UserFlow to target. + Optional claims principal representing the user. If not provided, will use the signed-in + user (in a web app), or the user for which the token was received (in a web API) + cases where a given account is a guest in other tenants, and you want to acquire tokens for a specific tenant, like where the user is a guest in. + Options passed-in to create the token acquisition object which calls into MSAL .NET. + An to call on behalf of the user, the downstream API characterized by its scopes. + + + + Typically used from an ASP.NET Core web app or web API controller. This method gets an access token + for a downstream API on behalf of the user account for which the claims are provided in the + member of the controller's parameter. + + Scopes to request for the downstream API to call. + Authentication scheme. If null, will use OpenIdConnectDefault.AuthenticationScheme + if called from a web app, and JwtBearerDefault.AuthenticationScheme if called from a web APIs. + Enables to override the tenant/account for the same identity. This is useful in the + cases where a given account is a guest in other tenants, and you want to acquire tokens for a specific tenant. + Azure AD B2C UserFlow to target. + Optional claims principal representing the user. If not provided, will use the signed-in + user (in a web app), or the user for which the token was received (in a web API) + cases where a given account is a guest in other tenants, and you want to acquire tokens for a specific tenant, like where the user is a guest in. + Options passed-in to create the token acquisition object which calls into MSAL .NET. + An to call on behalf of the user, the downstream API characterized by its scopes. + + + + Acquires a token from the authority configured in the app, for the confidential client itself (not on behalf of a user) + using the client credentials flow. See https://aka.ms/msal-net-client-credentials. + + The scope requested to access a protected API. For this flow (client credentials), the scope + should be of the form "{ResourceIdUri/.default}" for instance https://management.azure.net/.default or, for Microsoft + Graph, https://graph.microsoft.com/.default as the requested scopes are defined statically with the application registration + in the portal, cannot be overridden in the application, as you can request a token for only one resource at a time (use + several calls to get tokens for other resources). + Enables overriding of the tenant/account for the same identity. This is useful in the + cases where a given account is a guest in other tenants, and you want to acquire tokens for a specific tenant. + Options passed-in to create the token acquisition object which calls into MSAL .NET. + An access token for the app itself, based on its scopes. + + + + Acquires a token from the authority configured in the app, for the confidential client itself (not on behalf of a user) + using the client credentials flow. See https://aka.ms/msal-net-client-credentials. + + The scope requested to access a protected API. For this flow (client credentials), the scope + should be of the form "{ResourceIdUri/.default}" for instance https://management.azure.net/.default or, for Microsoft + Graph, https://graph.microsoft.com/.default as the requested scopes are defined statically with the application registration + in the portal, cannot be overridden in the application, as you can request a token for only one resource at a time (use + several calls to get tokens for other resources). + Authentication scheme. If null, will use OpenIdConnectDefault.AuthenticationScheme + if called from a web app, and JwtBearerDefault.AuthenticationScheme if called from a web API. + Enables overriding of the tenant/account for the same identity. This is useful in the + cases where a given account is a guest in other tenants, and you want to acquire tokens for a specific tenant. + Options passed-in to create the token acquisition object which calls into MSAL .NET. + An access token for the app itself, based on its scopes. + + + + Acquires an authentication result from the authority configured in the app, for the confidential client itself (not on behalf of a user) + using the client credentials flow. See https://aka.ms/msal-net-client-credentials. + + The scope requested to access a protected API. For this flow (client credentials), the scope + should be of the form "{ResourceIdUri/.default}" for instance https://management.azure.net/.default or, for Microsoft + Graph, https://graph.microsoft.com/.default as the requested scopes are defined statically with the application registration + in the portal, and cannot be overridden in the application, as you can request a token for only one resource at a time (use + several calls to get tokens for other resources). + Enables overriding of the tenant/account for the same identity. This is useful + for multi tenant apps or daemons. + Options passed-in to create the token acquisition object which calls into MSAL .NET. + An authentication result for the app itself, based on its scopes. + + + + Acquires an authentication result from the authority configured in the app, for the confidential client itself (not on behalf of a user) + using the client credentials flow. See https://aka.ms/msal-net-client-credentials. + + The scope requested to access a protected API. For this flow (client credentials), the scope + should be of the form "{ResourceIdUri/.default}" for instance https://management.azure.net/.default or, for Microsoft + Graph, https://graph.microsoft.com/.default as the requested scopes are defined statically with the application registration + in the portal, and cannot be overridden in the application, as you can request a token for only one resource at a time (use + several calls to get tokens for other resources). + Authentication scheme. If null, will use OpenIdConnectDefault.AuthenticationScheme + if called from a web app, and JwtBearerDefault.AuthenticationScheme if called from a web API. + Enables overriding of the tenant/account for the same identity. This is useful + for multi tenant apps or daemons. + Options passed-in to create the token acquisition object which calls into MSAL .NET. + An authentication result for the app itself, based on its scopes. + + + + Used in web APIs (which therefore cannot have an interaction with the user). + Replies to the client through the HttpResponse by sending a 403 (forbidden) and populating wwwAuthenticateHeaders so that + the client can trigger an interaction with the user so the user can consent to more scopes. + + Scopes to consent to. + triggering the challenge. + The to update. + + + + Used in web APIs (which therefore cannot have an interaction with the user). + Replies to the client through the HttpResponse by sending a 403 (forbidden) and populating wwwAuthenticateHeaders so that + the client can trigger an interaction with the user so the user can consent to more scopes. + + Scopes to consent to. + triggering the challenge. + Authentication scheme. If null, will use OpenIdConnectDefault.AuthenticationScheme + if called from a web app, and JwtBearerDefault.AuthenticationScheme if called from a web API. + The to update. + + + + Get the effective authentication scheme based on the context. + + Proposed authentication scheme. + Effective authenticationScheme which is the authentication scheme + if it's not null, or otherwise OpenIdConnectDefault.AuthenticationScheme + if called from a web app, and JwtBearerDefault.AuthenticationScheme if called from a web API. + + + + Used in web APIs (which therefore cannot have an interaction with the user). + Replies to the client through the HttpResponse by sending a 403 (forbidden) and populating wwwAuthenticateHeaders so that + the client can trigger an interaction with the user so the user can consent to more scopes. + + Scopes to consent to. + triggering the challenge. + The to update. + A representing the asynchronous operation. + + + + Interface for the internal operations of token acquisition service (encapsulating MSAL.NET). + + + + + In a web app, adds, to the MSAL.NET cache, the account of the user authenticating to the web app, when the authorization code is received (after the user + signed-in and consented) + An On-behalf-of token contained in the is added to the cache, so that it can then be used to acquire another token on-behalf-of the + same user in order to call to downstream APIs. + + The context used when an 'AuthorizationCode' is received over the OpenIdConnect protocol. + Scopes to request. + Authentication scheme to use. + A that represents a completed add to cache operation. + + From the configuration of the Authentication of the ASP.NET Core web API: + OpenIdConnectOptions options; + + Subscribe to the authorization code received event: + + options.Events = new OpenIdConnectEvents(); + options.Events.OnAuthorizationCodeReceived = OnAuthorizationCodeReceived; + } + + + And then in the OnAuthorizationCodeRecieved method, call : + + private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedContext context) + { + var tokenAcquisition = context.HttpContext.RequestServices.GetRequiredService<ITokenAcquisition>(); + await _tokenAcquisition.AddAccountToCacheFromAuthorizationCode(context, new string[] { "user.read" }); + } + + + + + + Removes the account associated with context.HttpContext.User from the MSAL.NET cache. + + RedirectContext passed-in to a + OpenID Connect event. + Authentication scheme. If null, will use OpenIdConnectDefault.AuthenticationScheme + if called from a web app, and JwtBearerDefault.AuthenticationScheme if called from a web APIs. + A that represents a completed remove from cache operation. + + + + EventIds for Logging. + + + + + Options for configuring authentication using Azure Active Directory. It has both AAD and B2C configuration attributes. + Merges the MicrosoftIdentityWebOptions and the ConfidentialClientApplicationOptions. + + + + + Base class for web app and web API Microsoft Identity authentication + builders. + + + + + Constructor. + + The services being configured. + Optional configuration section. + + + + The services being configured. + + + + + Configuration section from which to bind options. + + It can be null if the configuration happens with delegates + rather than configuration. + + + + Extensions for IServerSideBlazorBuilder for startup initialization of web APIs. + + + + + Add the incremental consent and conditional access handler for Blazor + server side pages. + + Service side blazor builder. + The builder. + + + + Add the incremental consent and conditional access handler for + web app pages, Razor pages, controllers, views, etc... + + Service collection. + The service collection. + + + + Handler for Blazor specific APIs to handle incremental consent + and conditional access. + + + + + Initializes a new instance of the class. + + Service provider to get the HttpContextAccessor for the current HttpContext, when available. + + + + Boolean to determine if server is Blazor. + + + + + Current user. + + + + + Base URI to use in forming the redirect. + + + + + For Blazor/Razor pages to process the exception from + a user challenge. + + Exception. + + + + Forces the user to consent to specific scopes and perform + Conditional Access to get specific claims. Use on a Razor/Blazor + page or controller to proactively ensure the scopes and/or claims + before acquiring a token. The other mechanism + ensures claims and scopes requested by Azure AD after a failed token acquisition attempt. + See https://aka.ms/ms-id-web/ca_incremental-consent for details. + + Scopes to request. + Claims to ensure. + Userflow being invoked for AAD B2C. + + + + Options for configuring authentication using Azure Active Directory. It has both AAD and B2C configuration attributes. + + + + + Gets or sets the Azure Active Directory instance, e.g. "https://login.microsoftonline.com". + + + + + Gets or sets the tenant ID. + + + + + Gets or sets the domain of the Azure Active Directory tenant, e.g. contoso.onmicrosoft.com. + + + + + Gets or sets the edit profile user flow name for B2C, e.g. b2c_1_edit_profile. + + + + + Gets or sets the sign up or sign in user flow name for B2C, e.g. b2c_1_susi. + + + + + Gets or sets the reset password user flow name for B2C, e.g. B2C_1_password_reset. + + + + + Gets the default user flow (which is signUpsignIn). + + + + + Enables legacy ADAL cache serialization and deserialization. + Performance improvements when working with MSAL only apps. + Set to true if you have a shared cache with ADAL apps. + + The default is false. + + + + Is considered B2C if the attribute SignUpSignInPolicyId is defined. + + + + + Is considered to have client credentials if the attribute ClientCertificates + or ClientSecret is defined. + + + + + Description of the certificates used to prove the identity of the web app or web API. + For the moment only the first certificate is considered. + + An example in the appsetting.json: + + "ClientCertificates": [ + { + "SourceType": "StoreWithDistinguishedName", + "CertificateStorePath": "CurrentUser/My", + "CertificateDistinguishedName": "CN=WebAppCallingWebApiCert" + } + ] + + See also https://aka.ms/ms-id-web-certificates. + + + + + Description of the certificates used to decrypt an encrypted token in a web API. + + An example in the appsetting.json: + + "TokenDecryptionCertificates": [ + { + "SourceType": "StoreWithDistinguishedName", + "CertificateStorePath": "CurrentUser/My", + "CertificateDistinguishedName": "CN=WebAppCallingWebApiCert" + } + ] + + See also https://aka.ms/ms-id-web-certificates. + + + + + Specifies if the x5c claim (public key of the certificate) should be sent to the STS. + Sending the x5c enables application developers to achieve easy certificate rollover in Azure AD: + this method will send the public certificate to Azure AD along with the token request, + so that Azure AD can use it to validate the subject name based on a trusted issuer policy. + This saves the application admin from the need to explicitly manage the certificate rollover + (either via portal or PowerShell/CLI operation). For details see https://aka.ms/msal-net-sni. + + The default is false. + + + + Daemon applications can validate a token based on roles, or using the ACL-based authorization + pattern to control tokens without a roles claim. If using ACL-based authorization, + Microsoft Identity Web will not throw if roles or scopes are not in the Claims. + For details see https://aka.ms/ms-identity-web/daemon-ACL. + + The default is false. + + + + Used, when deployed to Azure, to specify explicitly a user assigned managed identity. + See https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal. + + + + + Sets the ResetPassword route path. + Defaults to /MicrosoftIdentity/Account/ResetPassword, + which is the value used by Microsoft.Identity.Web.UI. + + + + + Sets the Error route path. + Defaults to the value /MicrosoftIdentity/Account/Error, + which is the value used by Microsoft.Identity.Web.UI. + + + + + Microsoft Identity Web specific exception class for + use in Blazor or Razor pages to process the user challenge. + Handles the . + + + + + Exception thrown by MSAL when a user challenge is encountered. + + + + + Scopes to request. + + + + + Specified userflow. + + + + + Handles the user challenge for Blazor or Razor pages. + + Exception thrown by MSAL when a user challenge is encountered. + Scopes to request. + Userflow used in B2C. + + + + Prototype of certificate-less authentication using a signed assertion + acquired with MSI (federated identity). + + The signed assertion. + + + + This is the metadata that describes required auth scopes for a given endpoint + in a web API. It's the underlying data structure the requirement will look for + in order to validate scopes in the scope claims. + + + + + Scopes accepted by this web API. + + + + + Fully qualified name of the configuration key containing the required scopes (separated + by spaces). + + + + + Extensions for building the RequiredScope policy during application startup. + + + + services.AddAuthorization(o => + { o.AddPolicy("Custom", + policyBuilder =>policyBuilder.RequireScope("access_as_user")); + }); + + + + + + Adds a to the current instance which requires + that the current user has the specified claim and that the claim value must be one of the allowed values. + + Used for building policies during application startup. + Values the claim must process one or more of for evaluation to succeed. + A reference to this instance after the operation has completed. + + + + Adds a to the current instance which requires + that the current user has the specified claim and that the claim value must be one of the allowed values. + + Used for building policies during application startup. + Values the claim must process one or more of for evaluation to succeed. + A reference to this instance after the operation has completed. + + + + This attribute is used on a controller, pages, or controller actions + to declare (and validate) the scopes required by a web API. These scopes can be declared + in two ways: hardcoding them, or declaring them in the configuration. Depending on your + choice, use either one or the other of the constructors. + For details, see https://aka.ms/ms-id-web/required-scope-attribute. + + + + + Scopes accepted by this web API. + + + + + Fully qualified name of the configuration key containing the required scopes (separated + by spaces). + + + If the appsettings.json file contains a section named "AzureAd", in which + a property named "Scopes" contains the required scopes, the attribute on the + controller/page/action to protect should be set to the following: + + [RequiredScope(RequiredScopesConfigurationKey="AzureAd:Scopes")] + + + + + + Verifies that the web API is called with the right scopes. + If the token obtained for this API is on behalf of the authenticated user does not have + any of these in its scope claim, the + method updates the HTTP response providing a status code 403 (Forbidden) + and writes to the response body a message telling which scopes are expected in the token. + + Scopes accepted by this web API. + When the scopes don't match, the response is a 403 (Forbidden), + because the user is authenticated (hence not 401), but not authorized. + + Add the following attribute on the controller/page/action to protect: + + + [RequiredScope("access_as_user")] + + + and + if you want to express the required scopes from the configuration. + + + + Default constructor. + + + + [RequiredScope(RequiredScopesConfigurationKey="AzureAD:Scope")] + class Controller : BaseController + { + } + + + + + + Unused: Compatibility of interface with the Authorization Filter. + + + + + Interface implemented by diagnostics for the JWT Bearer middleware. + + + + + Called to subscribe to . + + JWT Bearer events. + The events (for chaining). + + + + Diagnostics used in the OpenID Connect middleware + (used in web apps). + + + + + Method to subscribe to . + + OpenID Connect events. + + + + Diagnostics for the JwtBearer middleware (used in web APIs). + + + + + Constructor for a . This constructor + is used by dependency injection. + + Logger. + + + + Invoked if exceptions are thrown during request processing. The exceptions will be re-thrown after this event unless suppressed. + + + + + Invoked when a protocol message is first received. + + + + + Invoked after the security token has passed validation and a ClaimsIdentity has been generated. + + + + + Invoked before a challenge is sent back to the caller. + + + + + Subscribes to all the JwtBearer events, to help debugging, while + preserving the previous handlers (which are called). + + Events to subscribe to. + for chaining. + + + + Factory class for creating the IssuerValidator per authority. + + + + + Initializes a new instance of the class. + + Options passed-in to create the AadIssuerValidator object. + HttpClientFactory. + + + + Gets an for an authority. + + The authority to create the validator for, e.g. https://login.microsoftonline.com/. + A for the aadAuthority. + if is null or empty. + + + + Diagnostics used in the OpenID Connect middleware + (used in web apps). + + + + + Constructor of the , used + by dependency injection. + + Logger used to log the diagnostics. + + + + Invoked before redirecting to the identity provider to authenticate. This can + be used to set ProtocolMessage.State that will be persisted through the authentication + process. The ProtocolMessage can also be used to add or customize parameters + sent to the identity provider. + + + + + Invoked when a protocol message is first received. + + + + + Invoked after security token validation if an authorization code is present + in the protocol message. + + + + + Invoked after "authorization code" is redeemed for tokens at the token endpoint. + + + + + Invoked when an IdToken has been validated and produced an AuthenticationTicket. + + + + + Invoked when user information is retrieved from the UserInfoEndpoint. + + + + + Invoked if exceptions are thrown during request processing. The exceptions will + be re-thrown after this event unless suppressed. + + + + + Invoked when a request is received on the RemoteSignOutPath. + + + + + Invoked before redirecting to the identity provider to sign out. + + + + + Invoked before redirecting to the Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.SignedOutRedirectUri + at the end of a remote sign-out flow. + + + + + Subscribes to all the OpenIdConnect events, to help debugging, while + preserving the previous handlers (which are called). + + Events to subscribe to. + + + + Generic class that registers the token audience from the provided Azure AD authority. + + + + + Default validation of the audience: + - when registering an Azure AD web API in the app registration portal (and adding a scope) + the default App ID URI generated by the portal is api://{clientID} + - However, the audience (aud) of the token acquired to access this web API is different depending + on the "accepted access token version" for the web API: + - if accepted token version is 1.0, the audience provided in the token + by the Microsoft identity platform (formerly Azure AD v2.0) endpoint is: api://{ClientID} + - if the accepted token version is 2.0, the audience provided by Azure AD v2.0 in the token + is {CliendID} + When getting an access token for an Azure AD B2C web API the audience in the token is + api://{ClientID}. + + When web API developers don't provide the "Audience" in the configuration, Microsoft.Identity.Web + considers that this is the default App ID URI as explained above. When developer provides the + "Audience" member, it's available in the TokenValidationParameter.ValidAudience. + + Audiences in the security token. + Security token from which to validate the audiences. + Token validation parameters. + True if the token is valid; false, otherwise. + + + + Extension class providing the extension methods for that + can be used in web APIs to validate the roles in controller actions. + + + + + When applied to an , verifies that the application + has the expected roles. + + HttpContext (from the controller). + Roles accepted by this web API. + When the roles don't match, the response is a 403 (Forbidden), + because the app does not have the expected roles. + + + + Extension class providing the extension + methods for that + can be used in web APIs to validate scopes in controller actions. + We recommend using instead the RequiredScope Attribute on the controller, the page or the action. + See https://aka.ms/ms-id-web/required-scope-attribute. + + + + + When applied to an , verifies that the user authenticated in the + web API has any of the accepted scopes. + If there is no authenticated user, the response is a 401 (Unauthenticated). + If the authenticated user does not have any of these , the + method updates the HTTP response providing a status code 403 (Forbidden) + and writes to the response body a message telling which scopes are expected in the token. + We recommend using instead the RequiredScope Attribute on the controller, the page or the action. + See https://aka.ms/ms-id-web/required-scope-attribute. + + HttpContext (from the controller). + Scopes accepted by this web API. + + + + Extensions for building the required scope attribute during application startup. + + + + + This method adds support for the required scope attribute. It adds a default policy that + adds a scope requirement. This requirement looks for IAuthRequiredScopeMetadata on the current endpoint. + + The services being configured. + Services. + + + + This method adds metadata to route endpoint to describe required scopes. It's the imperative version of + the [RequiredScope] attribute. + + Class implementing . + To customize the endpoints. + Scope. + Builder. + + + + RequireScopeOptions. + + + + + Sets the default policy. + + + + + + + + Scope authorization handler that needs to be called for a specific requirement type. + In this case, . + + + + + Constructor for the scope authorization handler, which takes a configuration. + + Configuration. + + + + Makes a decision if authorization is allowed based on a specific requirement. + + AuthorizationHandlerContext. + Scope authorization requirement. + Task. + + + + Implements an + which requires at least one instance of the specified claim type, and, if allowed values are specified, + the claim value must be any of the allowed values. + + + + + Creates a new instance of . + + The optional list of scope values. + + + + Gets the optional list of scope values. + + + + + Gets the optional list of scope values from configuration. + + + + + + + + Options passed-in to create the AadIssuerValidator object. + + + + + Sets the name of the HttpClient to get from the IHttpClientFactory for use with the configuration manager. + Needed when customizing the client such as configuring a proxy. + + + + + Extensions for IServiceCollection for startup initialization of web APIs. + + + + + Add the token acquisition service. + + Service collection. + Specifies if an instance of should be a singleton. + The service collection. + + This method is typically called from the ConfigureServices(IServiceCollection services) in Startup.cs. + Note that the implementation of the token cache can be chosen separately. + + + // Token acquisition service and its cache implementation as a session cache + services.AddTokenAcquisition() + .AddDistributedMemoryCache() + .AddSession() + .AddSessionBasedTokenCache(); + + + + + + An implementation of that uses to track error messages. + + + + + Token acquisition service. + + + LoggingMessage class for TokenAcquisition. + + + + + Please call GetOrBuildConfidentialClientApplication instead of accessing this field directly. + + + + + Constructor of the TokenAcquisition service. This requires the Azure AD Options to + configure the confidential client application and a token cache provider. + This constructor is called by ASP.NET Core dependency injection. + + The App token cache provider. + Access to the HttpContext of the request. + Configuration options. + HTTP client factory. + Logger. + Service provider. + + + + Scopes which are already requested by MSAL.NET. They should not be re-requested;. + + + + + Meta-tenant identifiers which are not allowed in client credentials. + + + + + This handler is executed after the authorization code is received (once the user signs-in and consents) during the + authorization code flow in a web app. + It uses the code to request an access token from the Microsoft identity platform and caches the tokens and an entry about the signed-in user's account in the MSAL's token cache. + The access token (and refresh token) provided in the , once added to the cache, are then used to acquire more tokens using the + on-behalf-of flow for the signed-in user's account, + in order to call to downstream APIs. + + The context used when an 'AuthorizationCode' is received over the OpenIdConnect protocol. + scopes to request access to. + Authentication scheme to use (by default, OpenIdConnectDefaults.AuthenticationScheme). + + From the configuration of the Authentication of the ASP.NET Core web API: + OpenIdConnectOptions options; + + Subscribe to the authorization code received event: + + options.Events = new OpenIdConnectEvents(); + options.Events.OnAuthorizationCodeReceived = OnAuthorizationCodeReceived; + } + + + And then in the OnAuthorizationCodeRecieved method, call : + + private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedContext context) + { + var tokenAcquisition = context.HttpContext.RequestServices.GetRequiredService<ITokenAcquisition>(); + await _tokenAcquisition.AddAccountToCacheFromAuthorizationCode(context, new string[] { "user.read" }); + } + + + + + + Typically used from a web app or web API controller, this method retrieves an access token + for a downstream API using; + 1) the token cache (for web apps and web APIs) if a token exists in the cache + 2) or the on-behalf-of flow + in web APIs, for the user account that is ascertained from claims provided in the + instance of the current HttpContext. + + Scopes to request for the downstream API to call. + Authentication scheme. If null, will use OpenIdConnectDefault.AuthenticationScheme + if called from a web app, and JwtBearerDefault.AuthenticationScheme if called from a web APIs. + Enables overriding of the tenant/account for the same identity. This is useful in the + cases where a given account is a guest in other tenants, and you want to acquire tokens for a specific tenant, like where the user is a guest. + Azure AD B2C user flow to target. + Optional claims principal representing the user. If not provided, will use the signed-in + user (in a web app), or the user for which the token was received (in a web API) + cases where a given account is a guest in other tenants, and you want to acquire tokens for a specific tenant, like where the user is a guest. + Options passed-in to create the token acquisition options object which calls into MSAL .NET. + An access token to call the downstream API and populated with this downstream API's scopes. + Calling this method from a web API supposes that you have previously called, + in a method called by JwtBearerOptions.Events.OnTokenValidated, the HttpContextExtensions.StoreTokenUsedToCallWebAPI method + passing the validated token (as a JwtSecurityToken). Calling it from a web app supposes that + you have previously called AddAccountToCacheFromAuthorizationCodeAsync from a method called by + OpenIdConnectOptions.Events.OnAuthorizationCodeReceived. + + + + Acquires an authentication result from the authority configured in the app, for the confidential client itself (not on behalf of a user) + using the client credentials flow. See https://aka.ms/msal-net-client-credentials. + + The scope requested to access a protected API. For this flow (client credentials), the scope + should be of the form "{ResourceIdUri/.default}" for instance https://management.azure.net/.default or, for Microsoft + Graph, https://graph.microsoft.com/.default as the requested scopes are defined statically with the application registration + in the portal, and cannot be overridden in the application, as you can request a token for only one resource at a time (use + several calls to get tokens for other resources). + AuthenticationScheme to use. + Enables overriding of the tenant/account for the same identity. This is useful + for multi tenant apps or daemons. + Options passed-in to create the token acquisition object which calls into MSAL .NET. + An authentication result for the app itself, based on its scopes. + + + + Acquires a token from the authority configured in the app, for the confidential client itself (not on behalf of a user) + using the client credentials flow. See https://aka.ms/msal-net-client-credentials. + + The scope requested to access a protected API. For this flow (client credentials), the scope + should be of the form "{ResourceIdUri/.default}" for instance https://management.azure.net/.default or, for Microsoft + Graph, https://graph.microsoft.com/.default as the requested scopes are defined statically with the application registration + in the portal, and cannot be overridden in the application, as you can request a token for only one resource at a time (use + several calls to get tokens for other resources). + AuthenticationScheme to use. + Enables overriding of the tenant/account for the same identity. This is useful + for multi tenant apps or daemons. + Options passed-in to create the token acquisition object which calls into MSAL .NET. + An access token for the app itself, based on its scopes. + + + + Typically used from a web app or web API controller, this method retrieves an access token + for a downstream API using; + 1) the token cache (for web apps and web APIs) if a token exists in the cache + 2) or the on-behalf-of flow + in web APIs, for the user account that is ascertained from the claims provided in the + instance of the current HttpContext. + + Scopes to request for the downstream API to call. + Authentication scheme. If null, will use OpenIdConnectDefault.AuthenticationScheme + if called from a web app, and JwtBearerDefault.AuthenticationScheme if called from a web API. + Enables overriding of the tenant/account for the same identity. This is useful in the + cases where a given account is a guest in other tenants, and you want to acquire tokens for a specific tenant. + Azure AD B2C user flow to target. + Optional claims principal representing the user. If not provided, will use the signed-in + user (in a web app), or the user for which the token was received (in a web API) + cases where a given account is a guest in other tenants, and you want to acquire tokens for a specific tenant. + Options passed-in to create the token acquisition object which calls into MSAL .NET. + An access token to call the downstream API and populated with this downstream API's scopes. + Calling this method from a web API supposes that you have previously called, + in a method called by JwtBearerOptions.Events.OnTokenValidated, the HttpContextExtensions.StoreTokenUsedToCallWebAPI method + passing the validated token (as a JwtSecurityToken). Calling it from a web app supposes that + you have previously called AddAccountToCacheFromAuthorizationCodeAsync from a method called by + OpenIdConnectOptions.Events.OnAuthorizationCodeReceived. + + + + Used in web APIs (no user interaction). + Replies to the client through the HTTP response by sending a 403 (forbidden) and populating the 'WWW-Authenticate' header so that + the client, in turn, can trigger a user interaction so that the user consents to more scopes. + + Scopes to consent to. + The that triggered the challenge. + The to update. + if called from a web app, and JwtBearerDefault.AuthenticationScheme if called from a web API. + + + + Used in web APIs (no user interaction). + Replies to the client through the HTTP response by sending a 403 (forbidden) and populating the 'WWW-Authenticate' header so that + the client, in turn, can trigger a user interaction so that the user consents to more scopes. + + Scopes to consent to. + The that triggered the challenge. + Authentication scheme. If null, will use OpenIdConnectDefault.AuthenticationScheme + if called from a web app, and JwtBearerDefault.AuthenticationScheme if called from a web API. + The to update. + + + + Removes the account associated with context.HttpContext.User from the MSAL.NET cache. + + RedirectContext passed-in to a + OpenID Connect event. + Authentication scheme. If null, will use OpenIdConnectDefault.AuthenticationScheme + if called from a web app, and JwtBearerDefault.AuthenticationScheme if called from a web API. + A that represents a completed account removal operation. + + + + + + + Creates an MSAL confidential client application. + + + + + Gets an access token for a downstream API on behalf of the user described by its claimsPrincipal. + + . + Claims principal for the user on behalf of whom to get a token. + Scopes for the downstream API to call. + (optional) TenantID based on a specific tenant for which to acquire a token to access the scopes + on behalf of the user described in the claimsPrincipal. + Merged options. + Azure AD B2C user flow to target. + Options passed-in to create the token acquisition object which calls into MSAL .NET. + + + + Gets an access token for a downstream API on behalf of the user whose account is passed as an argument. + + . + User IAccount for which to acquire a token. + See . + Scopes for the downstream API to call. + TenantID based on a specific tenant for which to acquire a token to access the scopes + on behalf of the user. + Merged options. + Azure AD B2C user flow. + Options passed-in to create the token acquisition object which calls into MSAL .NET. + + + + Logger for handling MSAL exceptions in TokenAcquisition. + + ILogger. + Specific log message from TokenAcquisition. + Exception from MSAL.NET. + + + + Logger for handling information specific to MSAL in token acquisition. + + ILogger. + durationTotalInMs. + durationInHttpInMs. + durationInCacheInMs. + cache or IDP. + correlationId. + cacheRefreshReason. + Exception from MSAL.NET. + + + + Options passed-in to create the token acquisition object which calls into MSAL .NET. + + + + + Sets the correlation id to be used in the authentication request + to the /token endpoint. + + + + + Sets Extra Query Parameters for the query string in the HTTP authentication request. + + + + + A string with one or multiple claims to request. + Normally used with Conditional Access. + + + + + Specifies if the token request will ignore the access token in the token cache + and will attempt to acquire a new access token. + If true, the request will ignore the token cache. The default is false. + Use this option with care and only when needed, for instance, if you know that conditional access policies have changed, + for it induces performance degradation, as the token cache is not utilized. + + + + + Modifies the token acquisition request so that the acquired token is a Proof of Possession token (PoP), + rather than a Bearer token. + PoP tokens are similar to Bearer tokens, but are bound to the HTTP request and to a cryptographic key, + which MSAL can manage. See https://aka.ms/msal-net-pop. + + + + + Cancellation token to be used when calling the token acquisition methods. + + + + + Key used for long running web APIs that need to call downstream web + APIs on behalf of the user. Can be null, if you are not developing a long + running web API, if you want + Microsoft.Identity.Web to allocate a session key for you, or your own string + if you want to associate the session with some information you have externally + (for instance a Microsoft Graph hook identifier). + + + + + Value that can be used for so that + MSAL.NET allocates the long running web api session key for the developer. + + + + + Clone the options (to be able to override them). + + A clone of the options. + + + + An implementation of token cache for confidential clients backed by an HTTP session. + + + For this session cache to work effectively, the ASP.NET Core session has to be configured properly. + The latest guidance is provided at https://docs.microsoft.com/aspnet/core/fundamentals/app-state + + In the method public void ConfigureServices(IServiceCollection services) in Startup.cs, add the following: + + services.AddSession(option => + { + option.Cookie.IsEssential = true; + }); + + In the method public void Configure(IApplicationBuilder app, IHostingEnvironment env) in Startup.cs, add the following: + + app.UseSession(); // Before UseMvc() + + + https://aka.ms/msal-net-token-cache-serialization + + LoggingMessage class for MsalSessionTokenCacheProvider. + + + + + MSAL Token cache provider constructor. + + Session for the current user. + Logger. + + + + Read a blob representing the token cache from its key. + + Key representing the token cache + (account or app). + Read blob. + + + + Read a blob representing the token cache from its key. + + Key representing the token cache + (account or app). + Hints for the cache serialization implementation optimization. + Read blob. + + + + Writes the token cache identified by its key to the serialization mechanism. + + Key for the cache (account ID or app ID). + Blob to write to the cache. + A that completes when a write operation has completed. + + + + Removes a cache described by its key. + + Key of the token cache (user account or app ID). + A that completes when key removal has completed. + + + + LoggingMessage class for MsalSessionTokenCacheProvider. + + + + + Session cache logging. + + ILogger. + /// Cache operation (Read, Write, etc...). + Session Id. + MSAL.NET cache key. + Exception. + + + + Session cache deserialized. + + ILogger. + MSAL.NET cache key. + Session Id. + Exception. + + + + Extension class to add a session token cache serializer to MSAL. + + + + + Adds an HTTP session-based application token cache to the service collection. + + + For this session cache to work effectively the ASP.NET Core session has to be configured properly. + The latest guidance is provided at https://docs.microsoft.com/aspnet/core/fundamentals/app-state. + + In the method public void ConfigureServices(IServiceCollection services) in Startup.cs, add the following: + + services.AddSession(option => + { + option.Cookie.IsEssential = true; + }); + + In the method public void Configure(IApplicationBuilder app, IHostingEnvironment env) in Startup.cs, add the following: + + app.UseSession(); // Before UseMvc() + + Because session token caches are added with scoped lifetime, they should not be used when TokenAcquisition is also used as a singleton (for example, when using Microsoft Graph SDK). + + The services collection to add to. + The service collection. + + + + Adds an HTTP session-based per-user token cache to the service collection. + + + For this session cache to work effectively the ASP.NET Core session has to be configured properly. + The latest guidance is provided at https://docs.microsoft.com/aspnet/core/fundamentals/app-state. + + In the method public void ConfigureServices(IServiceCollection services) in Startup.cs, add the following: + + services.AddSession(option => + { + option.Cookie.IsEssential = true; + }); + + In the method public void Configure(IApplicationBuilder app, IHostingEnvironment env) in Startup.cs, add the following: + + app.UseSession(); // Before UseMvc() + + Because session token caches are added with scoped lifetime, they should not be used when TokenAcquisition is also used as a singleton (for example, when using Microsoft Graph SDK). + + The services collection to add to. + The service collection. + Encoding table. diff --git a/src/Microsoft.Identity.Web/MicrosoftIdentityOptions.cs b/src/Microsoft.Identity.Web/MicrosoftIdentityOptions.cs index cf0e464d6..282ed4f82 100644 --- a/src/Microsoft.Identity.Web/MicrosoftIdentityOptions.cs +++ b/src/Microsoft.Identity.Web/MicrosoftIdentityOptions.cs @@ -119,6 +119,13 @@ internal bool HasClientCredentials /// The default is false. public bool SendX5C { get; set; } + /// + /// Requests an auth code for the frontend (SPA using MSAL.js for instance). + /// See https://aka.ms/msal-net/spa-auth-code for details. + /// + /// The default is false. + public bool WithSpaAuthCode { get; set; } + /// /// Daemon applications can validate a token based on roles, or using the ACL-based authorization /// pattern to control tokens without a roles claim. If using ACL-based authorization, diff --git a/src/Microsoft.Identity.Web/TokenAcquisition.cs b/src/Microsoft.Identity.Web/TokenAcquisition.cs index cad707d08..8e590bfef 100644 --- a/src/Microsoft.Identity.Web/TokenAcquisition.cs +++ b/src/Microsoft.Identity.Web/TokenAcquisition.cs @@ -189,7 +189,8 @@ public async Task AddAccountToCacheFromAuthorizationCodeAsync( .AcquireTokenByAuthorizationCode(scopes.Except(_scopesRequestedByMsal), context!.ProtocolMessage!.Code) .WithSendX5C(mergedOptions.SendX5C) .WithPkceCodeVerifier(codeVerifier) - .WithCcsRoutingHint(backUpAuthRoutingHint); + .WithCcsRoutingHint(backUpAuthRoutingHint) + .WithSpaAuthorizationCode(mergedOptions.WithSpaAuthCode); if (mergedOptions.IsB2C) { @@ -202,6 +203,10 @@ public async Task AddAccountToCacheFromAuthorizationCodeAsync( .ConfigureAwait(false); context.HandleCodeRedemption(null, result.IdToken); + if (!string.IsNullOrEmpty(result.SpaAuthCode)) + { + CurrentHttpContext?.Session.SetString(Constants.SpaAuthCode, result.SpaAuthCode); + } } catch (MsalServiceException exMsal) when (IsInvalidClientCertificateError(exMsal)) {