Update POC with master (#1752)

* update xml (#1719)

* update lab cert thumbprint (#1718)

* changelog 1.24.1 (#1720)

* Create TokenAcquisitionAppTokenCredential.cs (#1722)

Extends Azure ADK support to include requesting tokens as the app.

This is a copy of TokenAcquisitionTokenCredential.cs with changes to class name and changes to use _tokenAcquisition.GetAuthenticationResultForAppAsync() instead of GetAuthenticationResultForUserAsync().

* fix build, add using (#1729)

* fix build, add using

* add header in test

* Adding support for .net 6 simplified templates apps (#1736)

* Jennyf/scopes roles (#1742)

* initial commit for app permissions

* add test coverage

* remove IEnumerable and use string[]

* PR comments

* IJwtBearerMiddlewareDiagnostics from singleton to transient (#1741)

* fix tests after merge from fork (#1744)

* fix for 1738 (#1743)

* changelog for 1.25 (#1747)

* update testing files to 1.25 (#1748)

* update to wilson 6.19 (#1749)

* fix: include StatusCode in HttpRequestException for .NET 5 (#1750)

* update XML (#1751)

* try 5.0.0 for config.binder in OWIN to resolve issue

* don't build owin sample

* add condition

* remove release mode

Co-authored-by: Chris Brooks <cbrooks@microsoft.com>
Co-authored-by: Jean-Marc Prieur <jmprieur@microsoft.com>
Co-authored-by: sciocoder <sciocoder@hotmail.it>
Co-authored-by: Herman Jensen <hjanimations@hotmail.com>

Microsoft.Identity.Web.sln

@@ -323,9 +323,7 @@ Global
 		{8C557C25-25C9-45B6-B2D3-77093893EBC5}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{8C557C25-25C9-45B6-B2D3-77093893EBC5}.Release|Any CPU.Build.0 = Release|Any CPU
 		{E3611BED-B43A-40BD-A0A3-98AD65B5DAA4}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{E3611BED-B43A-40BD-A0A3-98AD65B5DAA4}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{E3611BED-B43A-40BD-A0A3-98AD65B5DAA4}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{E3611BED-B43A-40BD-A0A3-98AD65B5DAA4}.Release|Any CPU.Build.0 = Release|Any CPU
 		{98F57CC8-01A0-49F3-B859-DDC4F8F5CD2F}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
 		{98F57CC8-01A0-49F3-B859-DDC4F8F5CD2F}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{98F57CC8-01A0-49F3-B859-DDC4F8F5CD2F}.Release|Any CPU.ActiveCfg = Release|Any CPU

ProjectTemplates/AspNetCoreMicrosoftIdentityWebProjectTemplates.csproj

@@ -2,7 +2,7 @@
 
   <PropertyGroup>
     <!--This should be passed from the VSTS build-->
-    <ClientSemVer Condition="'$(ClientSemVer)' == ''">1.24.0</ClientSemVer>
+    <ClientSemVer Condition="'$(ClientSemVer)' == ''">1.25.0</ClientSemVer>
     <!--This will generate AssemblyVersion, AssemblyFileVersion and AssemblyInformationVersion-->
     <PackageVersion>$(ClientSemVer)</PackageVersion>
 

ProjectTemplates/test-aspnet-templates-from-nuget.bat

@@ -1,6 +1,6 @@
 echo "Ensure ClientSemVer"
 if "%ClientSemVer%" == "" (
-set ClientSemVer=1.24.0
+set ClientSemVer=1.25.0
 )
 
 REM: This is to test Microsoft.Identity.Web templates

ProjectTemplates/test-templates-from-nuget.bat

@@ -1,6 +1,6 @@
 echo "Ensure ClientSemVer"
 if "%ClientSemVer%" == "" (
-set ClientSemVer=1.24.0
+set ClientSemVer=1.25.0
 )
 
 REM: This is to test Microsoft.Identity.Web templates

ProjectTemplates/test-templates.bat

@@ -1,6 +1,6 @@
 echo "Ensure ClientSemVer"
 if "%ClientSemVer%" == "" (
-set ClientSemVer=1.24.0
+set ClientSemVer=1.25.0
 )
 Set TemplateNugetPackageName="Microsoft.Identity.Web.ProjectTemplates"
 

TESTING.md

@@ -34,7 +34,7 @@ In a Developer Command Prompt:
 
 3. Set the version of the templates to test.
 
-   `Set ClientSemVer=1.24.0`
+   `Set ClientSemVer=1.25.0`
 
 4. In ProjectTemplates open the Configuration.json file and add the client secrets (or your own config file) .
 
@@ -73,7 +73,7 @@ In a Developer Command Prompt:
 
 2. Set the version of the templates to test.
 
-   `Set ClientSemVer=1.24.0`
+   `Set ClientSemVer=1.25.0`
 
 3. Add client secrets to the `ProjectTemplates\Configuration.json` file
 

changelog.md

@@ -1,3 +1,18 @@
+1.25.0
+==========
+### New Features:
+**Microsoft.Identity.Web now supports checking for scopes or app permissions,** via the `RequestedScopeOrAppPermissionAttribute`. See issue [#1641](https://github.com/AzureAD/microsoft-identity-web/issues/1641) for details.
+**Extend TokenAcquisitionTokenCredential concept to support tokens as app**. See issue [#1723](https://github.com/AzureAD/microsoft-identity-web/issues/1723) for details.
+
+### Bug Fixes:
+**IJwtBearerMiddlewareDiagnostics is now transient and not a singleton**. See issue [#1710](https://github.com/AzureAD/microsoft-identity-web/issues/1710) for details.
+**In web API scenario, use the `tid` claim of the incoming assertion, unless overridden**. See issue [#1738](https://github.com/AzureAD/microsoft-identity-web/issues/1738) for details.
+
+1.24.1
+==========
+### Bug Fixes:
+**Microsoft.Identity.Web now returns `TokenValidatedContext.Fail` instead of throwing `UnauthorizedAccessException` in case of missing roles or scopes**, which enables a better developer experience. See issue [#1716](https://github.com/AzureAD/microsoft-identity-web/issues/1716) for details.
+
 1.24.0
 ==========
 Update to Microsoft.IdentityModel 6.17.0.

src/Microsoft.Identity.Web.OWIN/Microsoft.Identity.Web.OWIN.csproj

@@ -83,7 +83,7 @@
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>
     <PackageReference Include="Microsoft.Extensions.Configuration" Version="3.1.24" />
-    <PackageReference Include="Microsoft.Extensions.Configuration.Binder" Version="3.1.24" />
+    <PackageReference Include="Microsoft.Extensions.Configuration.Binder" Version="5.0.0" />
     <PackageReference Include="Microsoft.Extensions.Configuration.Json" Version="3.1.24" />
     <PackageReference Include="Microsoft.Graph" Version="4.11.0" />
     <PackageReference Include="Microsoft.IdentityModel.Logging" Version="$(IdentityModelVersion)" />

src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs

@@ -654,11 +654,25 @@ private IConfidentialClientApplication BuildConfidentialClientApplication(Merged
                 if (builder != null)
                 {
                     builder.WithSendX5C(mergedOptions.SendX5C);
+
+                    ClaimsPrincipal? user = _tokenAcquisitionHost.GetUserFromRequest();
+                    var userTenant = string.Empty;
+                    if (user != null)
+                    {
+                        userTenant = user.GetTenantId();
+                        builder.WithCcsRoutingHint(user.GetObjectId(), userTenant);
+                    }
                     if (!string.IsNullOrEmpty(tenantId))
                     {
                         builder.WithTenantId(tenantId);
                     }
-
+                    else
+                    {
+                        if (!string.IsNullOrEmpty(userTenant))
+                        {
+                            builder.WithTenantId(userTenant);
+                        }
+                    }
                     if (tokenAcquisitionOptions != null)
                     {
                         builder.WithExtraQueryParameters(tokenAcquisitionOptions.ExtraQueryParameters);
@@ -669,13 +683,7 @@ private IConfidentialClientApplication BuildConfidentialClientApplication(Merged
                         {
                             builder.WithProofOfPossession(tokenAcquisitionOptions.PoPConfiguration);
                         }
-                    }
-
-                    ClaimsPrincipal? user = _tokenAcquisitionHost.GetUserFromRequest();
-                    if (user != null)
-                    {
-                        builder.WithCcsRoutingHint(user.GetObjectId(), user.GetTenantId());
-                    }
+                    }                    
 
                     return await builder.ExecuteAsync(tokenAcquisitionOptions != null ? tokenAcquisitionOptions.CancellationToken : CancellationToken.None)
                                         .ConfigureAwait(false);

src/Microsoft.Identity.Web/AzureSdkSupport/TokenAcquisitionAppTokenCredential.cs

@@ -0,0 +1,44 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System.Linq;
+using System.Threading;
+using System.Threading.Tasks;
+using Azure.Core;
+using Microsoft.Identity.Client;
+
+namespace Microsoft.Identity.Web
+{
+    /// <summary>
+    /// Azure SDK token credential for App tokens based on the ITokenAcquisition service.
+    /// </summary>
+    public class TokenAcquisitionAppTokenCredential : TokenCredential
+    {
+        private ITokenAcquisition _tokenAcquisition;
+
+        /// <summary>
+        /// Constructor from an ITokenAcquisition service.
+        /// </summary>
+        /// <param name="tokenAcquisition">Token acquisition.</param>
+        public TokenAcquisitionAppTokenCredential(ITokenAcquisition tokenAcquisition)
+        {
+            _tokenAcquisition = tokenAcquisition;
+        }
+
+        /// <inheritdoc/>
+        public override AccessToken GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
+        {
+            AuthenticationResult result = _tokenAcquisition.GetAuthenticationResultForAppAsync(requestContext.Scopes.First())
+                .GetAwaiter()
+                .GetResult();
+            return new AccessToken(result.AccessToken, result.ExpiresOn);
+        }
+
+        /// <inheritdoc/>
+        public override async ValueTask<AccessToken> GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
+        {
+            AuthenticationResult result = await _tokenAcquisition.GetAuthenticationResultForAppAsync(requestContext.Scopes.First()).ConfigureAwait(false);
+            return new AccessToken(result.AccessToken, result.ExpiresOn);
+        }
+    }
+}

src/Microsoft.Identity.Web/DownstreamWebApiSupport/DownstreamWebApi.cs

@@ -124,7 +124,11 @@ public async Task<HttpResponseMessage> CallWebApiForUserAsync(
             {
                 string error = await response.Content.ReadAsStringAsync().ConfigureAwait(false);
 
+#if DOTNET_50_AND_ABOVE
+                throw new HttpRequestException($"{(int)response.StatusCode} {response.StatusCode} {error}", null, response.StatusCode);
+#else
                 throw new HttpRequestException($"{(int)response.StatusCode} {response.StatusCode} {error}");
+#endif
             }
 
             string content = await response.Content.ReadAsStringAsync().ConfigureAwait(false);

src/Microsoft.Identity.Web/DownstreamWebApiSupport/DownstreamWebApiGenericExtensions.cs

@@ -294,7 +294,11 @@ private static StringContent ConvertFromInput<TInput>(TInput input)
             {
                 string error = await response.Content.ReadAsStringAsync().ConfigureAwait(false);
 
+#if DOTNET_50_AND_ABOVE
+                throw new HttpRequestException($"{(int)response.StatusCode} {response.StatusCode} {error}", null, response.StatusCode);
+#else
                 throw new HttpRequestException($"{(int)response.StatusCode} {response.StatusCode} {error}");
+#endif
             }
 
             string content = await response.Content.ReadAsStringAsync().ConfigureAwait(false);

src/Microsoft.Identity.Web/Microsoft.Identity.Web.csproj

@@ -24,7 +24,7 @@
     <PackageReleaseNotes>The release notes are available at https://github.com/AzureAD/microsoft-identity-web/releases and the roadmap at https://github.com/AzureAD/microsoft-identity-web/wiki#roadmap </PackageReleaseNotes>
     <PackageTags>Microsoft Identity Web;Microsoft identity platform;Microsoft.Identity.Web;.NET;ASP.NET Core;Web App;Web API;B2C;Azure Active Directory;AAD;Identity;Authentication;Authorization</PackageTags>
     <ProjectGuid>{FD55C071-48D1-4FE8-8B1D-773E067FEC91}</ProjectGuid>
-    <IdentityModelVersion>6.17.0</IdentityModelVersion>
+    <IdentityModelVersion>6.19.0</IdentityModelVersion>
   </PropertyGroup>
   <PropertyGroup Label="Source Link">
     <PublishRepositoryUrl>true</PublishRepositoryUrl>