AzureAD · jennyf19 · Feb 23, 2021 · Feb 23, 2021
@@ -68,6 +68,5 @@ internal static class IDWebErrorMessage
 
  // Obsolete messages IDW10800 = "IDW10800:"
  public const string AadIssuerValidatorGetIssuerValidatorIsObsolete = "IDW10800: Use MicrosoftIdentityIssuerValidatorFactory.GetAadIssuerValidator. See https://aka.ms/ms-id-web/1.2.0";
- public const string VerifyUserHasAnyAcceptedScopeIsObsolete = "IDW10801: Use the RequiredScope Attribute on the controller, the page or the action. See https://aka.ms/ms-id-web/required-scope-attribute";
  }
 }
@@ -5,27 +5,33 @@
 using System.Globalization;
 using System.Linq;
 using System.Net;
+using System.Net.Http;
 using System.Security.Claims;
 using Microsoft.AspNetCore.Http;
 
 namespace Microsoft.Identity.Web.Resource
 {
  /// <summary>
- /// This extension class is now Obsolete.
- /// Use instead the RequiredScope Attribute on the controller, the page or the action.
+ /// Extension class providing the extension
+ /// methods for <see cref="HttpContent"/> that
+ /// can be used in web APIs to validate scopes in controller actions.
+ /// We recommend using instead the RequiredScope Attribute on the controller, the page or the action.
  /// See https://aka.ms/ms-id-web/required-scope-attribute.
  /// </summary>
- [Obsolete(IDWebErrorMessage.VerifyUserHasAnyAcceptedScopeIsObsolete, false)]
  public static class ScopesRequiredHttpContextExtensions
  {
  /// <summary>
- /// This method is now Obsolete.
- /// Use instead the RequiredScope Attribute on the controller, the page or the action.
+ /// When applied to an <see cref="HttpContext"/>, verifies that the user authenticated in the
+ /// web API has any of the accepted scopes.
+ /// If there is no authenticated user, the response is a 401 (Unauthenticated).
+ /// If the authenticated user does not have any of these <paramref name="acceptedScopes"/>, the
+ /// method updates the HTTP response providing a status code 403 (Forbidden)
+ /// and writes to the response body a message telling which scopes are expected in the token.
+ /// We recommend using instead the RequiredScope Attribute on the controller, the page or the action.
  /// See https://aka.ms/ms-id-web/required-scope-attribute.
  /// </summary>
  /// <param name="context">HttpContext (from the controller).</param>
  /// <param name="acceptedScopes">Scopes accepted by this web API.</param>
- [Obsolete(IDWebErrorMessage.VerifyUserHasAnyAcceptedScopeIsObsolete, false)]
  public static void VerifyUserHasAnyAcceptedScope(this HttpContext context, params string[] acceptedScopes)
  {
  if (acceptedScopes == null)

@@ -13,7 +13,6 @@ namespace Microsoft.Identity.Web.Test.Resource
  public class ScopesRequiredHttpContextExtensionsTests
  {
  [Fact]
- [Obsolete("Method is obsolete")]
  public void VerifyUserHasAnyAcceptedScope_NullParameters_ThrowsException()
  {
  HttpContext httpContext = null;
@@ -25,7 +24,6 @@ public void VerifyUserHasAnyAcceptedScope_NullParameters_ThrowsException()
  }
 
  [Fact]
- [Obsolete("Method is obsolete")]
  public void VerifyUserHasAnyAcceptedScope_NoClaims_ThrowsException()
  {
  var acceptedScopes = new[] { "acceptedScope1", "acceptedScope2" };
@@ -38,7 +36,6 @@ public void VerifyUserHasAnyAcceptedScope_NoClaims_ThrowsException()
  }
 
  [Fact]
- [Obsolete("Method is obsolete")]
  public void VerifyUserHasAnyAcceptedScope_NoAcceptedScopes_ThrowsException()
  {
  var acceptedScopes = new[] { "acceptedScope1", "acceptedScope2" };
@@ -52,7 +49,6 @@ public void VerifyUserHasAnyAcceptedScope_NoAcceptedScopes_ThrowsException()
  }
 
  [Fact]
- [Obsolete("Method is obsolete")]
  public void VerifyUserHasAnyAcceptedScope_MatchesAcceptedScopes_ExecutesSuccessfully()
  {
  var httpContext = HttpContextUtilities.CreateHttpContext(new[] { "acceptedScope1" }, new string[] { });