Azure-Samples
diff --git a/‎TodoListService/TodoListService.csproj
Lines changed: 1 addition & 1 deletion b/‎TodoListService/TodoListService.csproj
Lines changed: 1 addition & 1 deletion
diff --git a/‎TodoListWebApp/Controllers/AccountController.cs
Lines changed: 11 additions & 5 deletions b/‎TodoListWebApp/Controllers/AccountController.cs
Lines changed: 11 additions & 5 deletions
diff --git a/‎TodoListWebApp/Controllers/TodoController.cs
Lines changed: 185 additions & 0 deletions b/‎TodoListWebApp/Controllers/TodoController.cs
Lines changed: 185 additions & 0 deletions
diff --git a/‎TodoListWebApp/Extensions/AzureAdAuthenticationBuilderExtensions.cs
Lines changed: 48 additions & 6 deletions b/‎TodoListWebApp/Extensions/AzureAdAuthenticationBuilderExtensions.cs
Lines changed: 48 additions & 6 deletions
diff --git a/‎TodoListWebApp/Extensions/AzureAdOptions.cs
Lines changed: 49 additions & 0 deletions b/‎TodoListWebApp/Extensions/AzureAdOptions.cs
Lines changed: 49 additions & 0 deletions
diff --git a/‎TodoListWebApp/Models/TodoItem.cs
Lines changed: 8 additions & 0 deletions b/‎TodoListWebApp/Models/TodoItem.cs
Lines changed: 8 additions & 0 deletions
@@ -11,7 +11,7 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.All" Version="2.0.3" />
+    <PackageReference Include="Microsoft.AspNetCore.All" Version="2.0.5" />
   </ItemGroup>
 
   <ItemGroup>
 
@@ -1,11 +1,10 @@
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Threading.Tasks;
-using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Authentication.OpenIdConnect;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.IdentityModel.Clients.ActiveDirectory;
+using System.Security.Claims;
+using TodoListWebApp;
 
 namespace WebApp_OpenIDConnect_DotNet.Controllers
 {
@@ -24,6 +23,13 @@ public IActionResult SignIn()
         [HttpGet]
         public IActionResult SignOut()
         {
+            // Remove all cache entries for this user and send an OpenID Connect sign-out request.
+            string userObjectID = User.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
+            var authContext = new AuthenticationContext(AzureAdOptions.Settings.Authority,
+                                                        new NaiveSessionCache(userObjectID, HttpContext.Session));
+            authContext.TokenCache.Clear();
+
+            // Let Azure AD sign-out
             var callbackUrl = Url.Action(nameof(SignedOut), "Account", values: null, protocol: Request.Scheme);
             return SignOut(
                 new AuthenticationProperties { RedirectUri = callbackUrl },
 
@@ -0,0 +1,185 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Net.Http;
+using System.Net.Http.Headers;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.OpenIdConnect;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.IdentityModel.Clients.ActiveDirectory;
+using Newtonsoft.Json;
+using TodoListWebApp.Models;
+
+// For more information on enabling MVC for empty projects, visit http://go.microsoft.com/fwlink/?LinkID=397860
+
+namespace TodoListWebApp.Controllers
+{
+    [Authorize]
+    public class TodoController : Controller
+    {
+        // GET: /<controller>/
+        public async Task<IActionResult> Index()
+        {
+            AuthenticationResult result = null;
+            List<TodoItem> itemList = new List<TodoItem>();
+
+            try
+            {
+                // Because we signed-in already in the WebApp, the userObjectId is know
+                string userObjectID = (User.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier"))?.Value;
+
+                // Using ADAL.Net, get a bearer token to access the TodoListService
+                AuthenticationContext authContext = new AuthenticationContext(AzureAdOptions.Settings.Authority, new NaiveSessionCache(userObjectID, HttpContext.Session));
+                ClientCredential credential = new ClientCredential(AzureAdOptions.Settings.ClientId, AzureAdOptions.Settings.ClientSecret);
+                result = await authContext.AcquireTokenSilentAsync(AzureAdOptions.Settings.TodoListResourceId, credential, new UserIdentifier(userObjectID, UserIdentifierType.UniqueId));
+
+                // Retrieve the user's To Do List.
+                HttpClient client = new HttpClient();
+                HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, AzureAdOptions.Settings.TodoListBaseAddress + "/api/todolist");
+                request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
+                HttpResponseMessage response = await client.SendAsync(request);
+
+                // Return the To Do List in the view.
+                if (response.IsSuccessStatusCode)
+                {
+                    List<Dictionary<String, String>> responseElements = new List<Dictionary<String, String>>();
+                    JsonSerializerSettings settings = new JsonSerializerSettings();
+                    String responseString = await response.Content.ReadAsStringAsync();
+                    responseElements = JsonConvert.DeserializeObject<List<Dictionary<String, String>>>(responseString, settings);
+                    foreach (Dictionary<String, String> responseElement in responseElements)
+                    {
+                        TodoItem newItem = new TodoItem();
+                        newItem.Title = responseElement["title"];
+                        newItem.Owner = responseElement["owner"];
+                        itemList.Add(newItem);
+                    }
+
+                    return View(itemList);
+                }
+                else
+                {
+                    //
+                    // If the call failed with access denied, then drop the current access token from the cache, 
+                    //     and show the user an error indicating they might need to sign-in again.
+                    //
+                    if (response.StatusCode == System.Net.HttpStatusCode.Unauthorized)
+                    {
+                        var todoTokens = authContext.TokenCache.ReadItems().Where(a => a.Resource == AzureAdOptions.Settings.TodoListResourceId);
+                        foreach (TokenCacheItem tci in todoTokens)
+                            authContext.TokenCache.DeleteItem(tci);
+
+                        ViewBag.ErrorMessage = "UnexpectedError";
+                        TodoItem newItem = new TodoItem();
+                        newItem.Title = "(No items in list)";
+                        itemList.Add(newItem);
+                        return View(itemList);
+                    }
+                }
+            }
+            catch (Exception ee)
+            {
+                if (HttpContext.Request.Query["reauth"] == "True")
+                {
+                    //
+                    // Send an OpenID Connect sign-in request to get a new set of tokens.
+                    // If the user still has a valid session with Azure AD, they will not be prompted for their credentials.
+                    // The OpenID Connect middleware will return to this controller after the sign-in response has been handled.
+                    //
+                    return new ChallengeResult(OpenIdConnectDefaults.AuthenticationScheme);
+                }
+                //
+                // The user needs to re-authorize.  Show them a message to that effect.
+                //
+                TodoItem newItem = new TodoItem();
+                newItem.Title = "(Sign-in required to view to do list.)";
+                itemList.Add(newItem);
+                ViewBag.ErrorMessage = "AuthorizationRequired";
+                return View(itemList);
+            }
+            //
+            // If the call failed for any other reason, show the user an error.
+            //
+            return View("Error");
+        }
+
+
+
+        [HttpPost]
+        public async Task<ActionResult> Index(string item)
+        {
+            if (ModelState.IsValid)
+            {
+                //
+                // Retrieve the user's tenantID and access token since they are parameters used to call the To Do service.
+                //
+                AuthenticationResult result = null;
+                List<TodoItem> itemList = new List<TodoItem>();
+
+                try
+                {
+                    string userObjectID = (User.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier"))?.Value;
+                    AuthenticationContext authContext = new AuthenticationContext(AzureAdOptions.Settings.Authority, new NaiveSessionCache(userObjectID, HttpContext.Session));
+                    ClientCredential credential = new ClientCredential(AzureAdOptions.Settings.ClientId, AzureAdOptions.Settings.ClientSecret);
+                    result = await authContext.AcquireTokenSilentAsync(AzureAdOptions.Settings.TodoListResourceId, credential, new UserIdentifier(userObjectID, UserIdentifierType.UniqueId));
+
+                    // Forms encode todo item, to POST to the todo list web api.
+                    HttpContent content = new StringContent(JsonConvert.SerializeObject(new { Title = item }), System.Text.Encoding.UTF8, "application/json");
+
+                    //
+                    // Add the item to user's To Do List.
+                    //
+                    HttpClient client = new HttpClient();
+                    HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Post, AzureAdOptions.Settings.TodoListBaseAddress + "/api/todolist");
+                    request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
+                    request.Content = content;
+                    HttpResponseMessage response = await client.SendAsync(request);
+
+                    //
+                    // Return the To Do List in the view.
+                    //
+                    if (response.IsSuccessStatusCode)
+                    {
+                        return RedirectToAction("Index");
+                    }
+                    else
+                    {
+                        //
+                        // If the call failed with access denied, then drop the current access token from the cache, 
+                        //     and show the user an error indicating they might need to sign-in again.
+                        //
+                        if (response.StatusCode == System.Net.HttpStatusCode.Unauthorized)
+                        {
+                            var todoTokens = authContext.TokenCache.ReadItems().Where(a => a.Resource == AzureAdOptions.Settings.TodoListResourceId);
+                            foreach (TokenCacheItem tci in todoTokens)
+                                authContext.TokenCache.DeleteItem(tci);
+
+                            ViewBag.ErrorMessage = "UnexpectedError";
+                            TodoItem newItem = new TodoItem();
+                            newItem.Title = "(No items in list)";
+                            itemList.Add(newItem);
+                            return View(newItem);
+                        }
+                    }
+                }
+                catch (Exception ee)
+                {
+                    //
+                    // The user needs to re-authorize.  Show them a message to that effect.
+                    //
+                    TodoItem newItem = new TodoItem();
+                    newItem.Title = "(No items in list)";
+                    itemList.Add(newItem);
+                    ViewBag.ErrorMessage = "AuthorizationRequired";
+                    return View(itemList);
+                }
+                //
+                // If the call failed for any other reason, show the user an error.
+                //
+                return View("Error");
+            }
+            return View("Error");
+        }
+    }
+}
@@ -1,13 +1,15 @@
-using System;
-using Microsoft.AspNetCore.Authentication.OpenIdConnect;
-using Microsoft.Extensions.Configuration;
+using Microsoft.AspNetCore.Authentication.OpenIdConnect;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Options;
+using Microsoft.IdentityModel.Clients.ActiveDirectory;
+using System;
+using System.Threading.Tasks;
+using TodoListWebApp;
 
 namespace Microsoft.AspNetCore.Authentication
 {
     public static class AzureAdAuthenticationBuilderExtensions
-    {        
+    {
         public static AuthenticationBuilder AddAzureAd(this AuthenticationBuilder builder)
             => builder.AddAzureAd(_ => { });
 
@@ -19,7 +21,7 @@ public static AuthenticationBuilder AddAzureAd(this AuthenticationBuilder builde
             return builder;
         }
 
-        private class ConfigureAzureOptions: IConfigureNamedOptions<OpenIdConnectOptions>
+        private class ConfigureAzureOptions : IConfigureNamedOptions<OpenIdConnectOptions>
         {
             private readonly AzureAdOptions _azureOptions;
 
@@ -31,16 +33,56 @@ public ConfigureAzureOptions(IOptions<AzureAdOptions> azureOptions)
             public void Configure(string name, OpenIdConnectOptions options)
             {
                 options.ClientId = _azureOptions.ClientId;
-                options.Authority = $"{_azureOptions.Instance}{_azureOptions.TenantId}";
+                options.Authority = _azureOptions.Authority;
                 options.UseTokenLifetime = true;
                 options.CallbackPath = _azureOptions.CallbackPath;
                 options.RequireHttpsMetadata = false;
+                options.ClientSecret = _azureOptions.ClientSecret;
+                options.Resource = "https://graph.windows.net"; // AAD graph
+
+                // Without overriding the response type (which by default is id_token), the OnAuthorizationCodeReceived event is not called.
+                // but instead OnTokenValidated event is called. Here we request both so that OnTokenValidated is called first which 
+                // ensures that context.Principal has a non-null value when OnAuthorizeationCodeReceived is called
+                options.ResponseType = "id_token code";
+
+                // Subscribing to the OIDC events
+                options.Events.OnAuthorizationCodeReceived = OnAuthorizationCodeReceived;
+                options.Events.OnAuthenticationFailed = OnAuthenticationFailed;
             }
 
             public void Configure(OpenIdConnectOptions options)
             {
                 Configure(Options.DefaultName, options);
             }
+
+            /// <summary>
+            /// Redeems the authorization code by calling AcquireTokenByAuthorizationCodeAsync in order to ensure
+            /// that the cache has a token for the signed-in user, which will then enable the controllers (like the
+            /// TodoController, to call AcquireTokenSilentAsync successfully.
+            /// </summary>
+            private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedContext context)
+            {
+                // Acquire a Token for the Graph API and cache it using ADAL. In the TodoListController, we'll use the cache to acquire a token for the Todo List API
+                string userObjectId = (context.Principal.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier"))?.Value;
+                var authContext = new AuthenticationContext(context.Options.Authority, new NaiveSessionCache(userObjectId, context.HttpContext.Session));
+                var credential = new ClientCredential(context.Options.ClientId, context.Options.ClientSecret);
+
+                var authResult = await authContext.AcquireTokenByAuthorizationCodeAsync(context.TokenEndpointRequest.Code,
+                    new Uri(context.TokenEndpointRequest.RedirectUri, UriKind.RelativeOrAbsolute), credential, context.Options.Resource);
+
+                // Notify the OIDC middleware that we already took care of code redemption.
+                context.HandleCodeRedemption(authResult.AccessToken, context.ProtocolMessage.IdToken);
+            }
+
+            /// <summary>
+            /// this method is invoked if exceptions are thrown during request processing
+            /// </summary>
+            private Task OnAuthenticationFailed(AuthenticationFailedContext context)
+            {
+                context.HandleResponse();
+                context.Response.Redirect("/Home/Error?message=" + context.Exception.Message);
+                return Task.FromResult(0);
+            }
         }
     }
 }
@@ -1,17 +1,66 @@
 namespace Microsoft.AspNetCore.Authentication
 {
+    /// <summary>
+    /// Settings relative to the AzureAD applications involved in this Web Application
+    /// These are deserialized from the AzureAD section of the appsettings.json file
+    /// </summary>
     public class AzureAdOptions
     {
+        /// <summary>
+        /// ClientId (Application Id) of this Web Application
+        /// </summary>
         public string ClientId { get; set; }
 
+        /// <summary>
+        /// Client Secret (Application password) added in the Azure portal in the Keys section for the application
+        /// </summary>
         public string ClientSecret { get; set; }
 
+        /// <summary>
+        /// Azure AD Cloud instance
+        /// </summary>
         public string Instance { get; set; }
 
+        /// <summary>
+        ///  domain of your tenant, e.g. contoso.onmicrosoft.com
+        /// </summary>
         public string Domain { get; set; }
 
+        /// <summary>
+        /// Tenant Id, as obtained from the Azure portal:
+        /// (Select 'Endpoints' from the 'App registrations' blade and use the GUID in any of the URLs)
+        /// </summary>
         public string TenantId { get; set; }
 
+        /// <summary>
+        /// URL on which this Web App will be called back by Azure AD (normally "/signin-oidc")
+        /// </summary>
         public string CallbackPath { get; set; }
+
+        /// <summary>
+        /// Authority delivering the token for your tenant
+        /// </summary>
+        public string Authority
+        {
+            get
+            {
+                return $"{Instance}{TenantId}";
+            }
+        }
+
+        /// <summary>
+        /// Client Id (Application ID) of the TodoListService, obtained from the Azure portal for that application
+        /// </summary>
+        public string TodoListResourceId { get; set; }
+
+        /// <summary>
+        /// Base URL of the TodoListService
+        /// </summary>
+        public string TodoListBaseAddress { get; set; }
+
+        /// <summary>
+        /// Instance of the settings for this Web application (to be used in controllers)
+        /// </summary>
+        public static AzureAdOptions Settings { set; get; }
     }
 }
@@ -0,0 +1,8 @@
+namespace TodoListWebApp.Models
+{
+    public class TodoItem
+    {
+        public string Owner { get; set; }
+        public string Title { get; set; }
+    }
+}