From 92ee2471fc4a58fcdcd7d28f89876f0106ecb608 Mon Sep 17 00:00:00 2001 From: pmaytak <34331512+pmaytak@users.noreply.github.com> Date: Wed, 5 Aug 2020 15:33:00 -0700 Subject: [PATCH 1/2] Add optional HttpResponse parameter to ReplyForbiddenWithWwwAuthenticateHeaderAsync. Handle null context. --- src/Microsoft.Identity.Web/ITokenAcquisition.cs | 4 +++- src/Microsoft.Identity.Web/Microsoft.Identity.Web.xml | 6 ++++-- src/Microsoft.Identity.Web/TokenAcquisition.cs | 8 +++++--- 3 files changed, 12 insertions(+), 6 deletions(-) diff --git a/src/Microsoft.Identity.Web/ITokenAcquisition.cs b/src/Microsoft.Identity.Web/ITokenAcquisition.cs index 599f21b9d..bdd755baa 100644 --- a/src/Microsoft.Identity.Web/ITokenAcquisition.cs +++ b/src/Microsoft.Identity.Web/ITokenAcquisition.cs @@ -51,9 +51,11 @@ Task GetAccessTokenForUserAsync( /// /// Scopes to consent to. /// triggering the challenge. + /// The to update. /// A representing the asynchronous operation. Task ReplyForbiddenWithWwwAuthenticateHeaderAsync( IEnumerable scopes, - MsalUiRequiredException msalSeviceException); + MsalUiRequiredException msalSeviceException, + HttpResponse? httpResponse = null); } } diff --git a/src/Microsoft.Identity.Web/Microsoft.Identity.Web.xml b/src/Microsoft.Identity.Web/Microsoft.Identity.Web.xml index b80c2e436..56dbc04a8 100644 --- a/src/Microsoft.Identity.Web/Microsoft.Identity.Web.xml +++ b/src/Microsoft.Identity.Web/Microsoft.Identity.Web.xml @@ -669,7 +669,7 @@ in the portal, and cannot be overridden in the application. An access token for the app itself, based on its scopes. - + Used in Web APIs (which therefore cannot have an interaction with the user). Replies to the client through the HttpResponse by sending a 403 (forbidden) and populating wwwAuthenticateHeaders so that @@ -677,6 +677,7 @@ Scopes to consent to. triggering the challenge. + The to update. A representing the asynchronous operation. 
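Review bot: Adding `HttpResponse? httpResponse = null` to `ReplyForbiddenWithWwwAuthenticateHeaderAsync` changes the shape of a public interface, so any implementer of `ITokenAcquisition` outside this assembly (test doubles included) stops compiling until it adds the parameter; if the interface has already shipped, this should be called out as a breaking change, or the new parameter offered through an overload instead. The `<param>` text for the new parameter only says the response is "to update", while the implementation in TokenAcquisition.cs falls back to the current HttpContext's response when the argument is null; that contract belongs in the doc, e.g. `/// <param name="httpResponse">Response to write the 403 and the WWW-Authenticate header to; when null, the response of the current HttpContext is used.</param>`. The same `<param>` text appears in the TokenAcquisition.cs hunk at line 533 and should be updated there too.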
@@ -1564,7 +1565,7 @@ on behalf of the user. Azure AD B2C user flow. - + Used in web APIs (which therefore cannot have an interaction with the user). Replies to the client through the HTTP response by sending a 403 (forbidden) and populating 'WWW-Authenticate' header so that @@ -1572,6 +1573,7 @@ Scopes to consent to. The that triggered the challenge. + The to update. A representing the asynchronous operation. diff --git a/src/Microsoft.Identity.Web/TokenAcquisition.cs b/src/Microsoft.Identity.Web/TokenAcquisition.cs index 487ce60c5..31b03f3d0 100644 --- a/src/Microsoft.Identity.Web/TokenAcquisition.cs +++ b/src/Microsoft.Identity.Web/TokenAcquisition.cs @@ -533,8 +533,9 @@ private async Task GetAccessTokenForWebAppWithAccountFromCacheAsync( /// /// Scopes to consent to. /// The that triggered the challenge. + /// The to update. /// A representing the asynchronous operation. - public async Task ReplyForbiddenWithWwwAuthenticateHeaderAsync(IEnumerable scopes, MsalUiRequiredException msalServiceException) + public async Task ReplyForbiddenWithWwwAuthenticateHeaderAsync(IEnumerable scopes, MsalUiRequiredException msalServiceException, HttpResponse? httpResponse = null) { // A user interaction is required, but we are in a web API, and therefore, we need to report back to the client through a 'WWW-Authenticate' header https://tools.ietf.org/html/rfc6750#section-3.1 string proposedAction = Constants.Consent; @@ -562,9 +563,10 @@ public async Task ReplyForbiddenWithWwwAuthenticateHeaderAsync(IEnumerable $"{p.Key}=\"{p.Value}\"")); - if (CurrentHttpContext != null) + httpResponse ??= CurrentHttpContext?.Response; + + if (httpResponse != null) { - var httpResponse = CurrentHttpContext.Response; var headers = httpResponse.Headers; httpResponse.StatusCode = (int)HttpStatusCode.Forbidden; From 3b9c94ad76f530d5586ae95ccb43611a0367d18a Mon Sep 17 00:00:00 2001 
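Review bot: After `httpResponse ??= CurrentHttpContext?.Response;` the non-null branch assigns `httpResponse.StatusCode` and writes `headers` without checking whether the response has already started; on Kestrel those writes throw InvalidOperationException once the body has begun streaming, and the new parameter makes it easier for a caller to hand in a response in that state. Changing the guard to `if (httpResponse != null && !httpResponse.HasStarted)` and logging in the else branch keeps the failure explicit rather than surfacing as an exception from the header write, and makes it visible that the 403 challenge was not delivered. The method body continues outside the hunk.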
From: pmaytak <34331512+pmaytak@users.noreply.github.com> Date: Thu, 6 Aug 2020 11:16:40 -0700 Subject: [PATCH 2/2] PR feedback. --- .../Constants/IDWebErrorMessage.cs | 3 ++- src/Microsoft.Identity.Web/ITokenAcquisition.cs | 4 ++-- .../Microsoft.Identity.Web.xml | 8 +++++++- src/Microsoft.Identity.Web/TokenAcquisition.cs | 16 +++++++++------- 4 files changed, 20 insertions(+), 11 deletions(-) diff --git a/src/Microsoft.Identity.Web/Constants/IDWebErrorMessage.cs b/src/Microsoft.Identity.Web/Constants/IDWebErrorMessage.cs index 85874b392..a11689b57 100644 --- a/src/Microsoft.Identity.Web/Constants/IDWebErrorMessage.cs +++ b/src/Microsoft.Identity.Web/Constants/IDWebErrorMessage.cs @@ -9,7 +9,8 @@ namespace Microsoft.Identity.Web internal static class IDWebErrorMessage { // General IDW10000 = "IDW10000:" - public const string HttpContextIsNull = "IDW10000: HttpContext is null. "; + public const string HttpContextIsNull = "IDW10001: HttpContext is null. "; + public const string HttpContextAndHttpResponseAreNull = "IDW10002: Current HttpContext and HttpResponse argument are null. Pass an HttpResponse argument. "; // Configuration IDW10100 = "IDW10100:" public const string ProvideEitherScopeKeySectionOrScopes = "IDW10101: Either provide the '{0}' or the '{1}' to the 'AuthorizeForScopes'. "; diff --git a/src/Microsoft.Identity.Web/ITokenAcquisition.cs b/src/Microsoft.Identity.Web/ITokenAcquisition.cs index bdd755baa..f47d11659 100644 --- a/src/Microsoft.Identity.Web/ITokenAcquisition.cs +++ b/src/Microsoft.Identity.Web/ITokenAcquisition.cs 
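Review bot: `HttpContextIsNull` changes its code from IDW10000 to IDW10001, which alters the text of an already-defined error message; if IDW10000 has been released, log queries or alerts keyed on that code silently stop matching, so either keep the old code for the existing constant and give only the new one IDW10002, or list the renumbering as a breaking change. The new `HttpContextAndHttpResponseAreNull` message tells the caller how to recover ("Pass an HttpResponse argument."), which is useful; the IDW10001 message could carry the same remediation hint so both null-context messages read alike. The IDWebErrorMessage class continues outside the hunk.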
@@ -50,12 +50,12 @@ Task GetAccessTokenForUserAsync( /// the client can trigger an interaction with the user so the user can consent to more scopes. /// /// Scopes to consent to. - /// triggering the challenge. + /// triggering the challenge. /// The to update. /// A representing the asynchronous operation. Task ReplyForbiddenWithWwwAuthenticateHeaderAsync( IEnumerable scopes, - MsalUiRequiredException msalSeviceException, + MsalUiRequiredException msalServiceException, HttpResponse? httpResponse = null); } } diff --git a/src/Microsoft.Identity.Web/Microsoft.Identity.Web.xml b/src/Microsoft.Identity.Web/Microsoft.Identity.Web.xml index 56dbc04a8..ec818ef3e 100644 --- a/src/Microsoft.Identity.Web/Microsoft.Identity.Web.xml +++ b/src/Microsoft.Identity.Web/Microsoft.Identity.Web.xml @@ -676,7 +676,7 @@ the client can trigger an interaction with the user so the user can consent to more scopes. Scopes to consent to. - triggering the challenge. + triggering the challenge. The to update. A representing the asynchronous operation. @@ -743,6 +743,12 @@ and conditional access. + + + Initializes a new instance of the class. + + Accessor for the current HttpContext, when available. + Boolean to determine if server is Blazor. diff --git a/src/Microsoft.Identity.Web/TokenAcquisition.cs b/src/Microsoft.Identity.Web/TokenAcquisition.cs index 31b03f3d0..39bcc2d6a 100644 --- a/src/Microsoft.Identity.Web/TokenAcquisition.cs +++ b/src/Microsoft.Identity.Web/TokenAcquisition.cs @@ -565,22 +565,24 @@ public async Task ReplyForbiddenWithWwwAuthenticateHeaderAsync(IEnumerable GetAuthenticatedUserAsync(ClaimsPrincipal? user)