AzureAD · jmprieur · Aug 13, 2020 · Aug 3, 2020 · Aug 4, 2020 · Aug 4, 2020
@@ -58,8 +58,13 @@ internal static class Constants
         public const string Bearer = "Bearer";
         public const string LoginHint = "loginHint";
         public const string DomainHint = "domainHint";
+        public const string Authorization = "Authorization";
 
-        // Blazor challenge uri
+        // Blazor challenge URI
         public const string BlazorChallengeUri = "MicrosoftIdentity/Account/Challenge?redirectUri=";
+
+        // Microsoft Graph
+        public const string UserReadScope = "user.read";
+        public const string GraphBaseUrlV1 = "https://graph.microsoft.com/v1.0";
     }
 }
@@ -31,6 +31,7 @@ internal static class IDWebErrorMessage
         public const string UnauthenticatedUser = "IDW10204:The user is unauthenticated. The HttpContext does not contain any claims. ";
         public const string BlazorServerBaseUriNotSet = "IDW10205: Using Blazor server but the base URI was not properly set. ";
         public const string BlazorServerUserNotSet = "IDW10206: Using Blazor server but the user was not properly set. ";
+        public const string CalledApiScopesAreNull = "IDW10207: The CalledApiScopes cannot be null. ";
 
         // Token Validation IDW10300 = "IDW10300:"
         public const string IssuerMetadataUrlIsRequired = "IDW10301: Azure AD Issuer metadata address URL is required. ";

diff --git a/src/Microsoft.Identity.Web/DownstreamApiSupport/DownstreamApiOptions.cs b/src/Microsoft.Identity.Web/DownstreamApiSupport/DownstreamApiOptions.cs
@@ -0,0 +1,86 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System.Net.Http;
+
+namespace Microsoft.Identity.Web
+{
+    /// <summary>
+    /// Options passed-in to call web APIs. To call Microsoft Graph, see rather
+    /// <see cref="MicrosoftGraphOptions"/>.
+    /// </summary>
+    public class DownstreamApiOptions
+    {
+        /// <summary>
+        /// Base URL for the called Web API. For instance <c>"https://graph.microsoft.com/beta/".</c>.
+        /// </summary>
+        public string BaseUrl { get; set; } = "https://graph.microsoft.com/v1.0";
+
+        /// <summary>
+        /// Path relative to the <see cref="BaseUrl"/> (for instance "me").
+        /// </summary>
+        public string RelativePath { get; set; } = string.Empty;
+
+        /// <summary>
+        /// Space separated scopes required to call the Web API.
+        /// For instance "user.read mail.read".
+        /// </summary>
+        public string? Scopes { get; set; } = null;
+
+        /// <summary>
+        /// [Optional] tenant ID. This is used for specific scenarios where
+        /// the application needs to call a Web API on behalf of a user in several tenants.
+        /// It would mostly be used from code, not from the configuration.
+        /// </summary>
+        public string? Tenant { get; set; } = null;
+
+        /// <summary>
+        /// [Optional]. User flow (in the case of a B2C Web API). If not
+        /// specified, the B2C web API will be called with the default user flow from
+        /// <see cref="MicrosoftIdentityOptions.DefaultUserFlow"/>.
+        /// </summary>
+        public string? UserFlow { get; set; } = null;
+
+        /// <summary>
+        /// Http method used to call this API (by default Get).
+        /// </summary>
+        public HttpMethod HttpMethod { get; set; } = HttpMethod.Get;
+
+        /// <summary>
+        /// Clone the options (to be able to override them).
+        /// </summary>
+        /// <returns>A clone of the options.</returns>
+        public DownstreamApiOptions Clone()
+        {
+            return new DownstreamApiOptions
+            {
+                BaseUrl = BaseUrl,
+                RelativePath = RelativePath,
+                Scopes = Scopes,
+                Tenant = Tenant,
+                UserFlow = UserFlow,
+                HttpMethod = HttpMethod,
+            };
+        }
+
+        /// <summary>
+        /// Return the Api URL.
+        /// </summary>
+        /// <returns>URL of the API.</returns>
+#pragma warning disable CA1055 // Uri return values should not be strings
+        public string GetApiUrl()
+#pragma warning restore CA1055 // Uri return values should not be strings
+        {
+            return BaseUrl?.TrimEnd('/') + $"/{RelativePath}";
+        }
+
+        /// <summary>
+        /// Returns the scopes.
+        /// </summary>
+        /// <returns>Scopes.</returns>
+        public string[] GetScopes()
+        {
+            return string.IsNullOrWhiteSpace(Scopes) ? new string[0] : Scopes.Split(' ');
+        }
+    }
+}
diff --git a/src/Microsoft.Identity.Web/DownstreamApiSupport/DownstreamWebApi.cs b/src/Microsoft.Identity.Web/DownstreamApiSupport/DownstreamWebApi.cs
@@ -0,0 +1,172 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Net;
+using System.Net.Http;
+using System.Security.Claims;
+using System.Text;
+using System.Text.Json;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Options;
+using Microsoft.Graph;
+using Microsoft.Identity.Web;
+
+namespace Microsoft.Identity.Web
+{
+    /// <summary>
+    /// Implementation for the downstream API.
+    /// </summary>
+    public class DownstreamWebApi : IDownstreamWebApi
+    {
+        private readonly ITokenAcquisition _tokenAcquisition;
+        private readonly HttpClient _httpClient;
+        private readonly IOptionsMonitor<DownstreamApiOptions> _namedOptions;
+        private readonly JsonSerializerOptions _jsonOptions = new JsonSerializerOptions
+        {
+            PropertyNameCaseInsensitive = true,
+        };
+
+        /// <summary>
+        /// Constructor.
+        /// </summary>
+        /// <param name="tokenAcquisition">Token acquisition service.</param>
+        /// <param name="namedOptions">Named options provider.</param>
+        /// <param name="httpClient">Http client.</param>
+        public DownstreamWebApi(
+            ITokenAcquisition tokenAcquisition,
+            IOptionsMonitor<DownstreamApiOptions> namedOptions,
+            HttpClient httpClient)
+        {
+            _tokenAcquisition = tokenAcquisition;
+            _namedOptions = namedOptions;
+            _httpClient = httpClient;
+        }
+
+        /// <inheritdoc/>
+        public async Task<HttpResponseMessage> CallWebApiForUserAsync(
+            string optionsInstanceName,
+            Action<DownstreamApiOptions>? calledApiOptionsOverride,
+            ClaimsPrincipal? user,
+            StringContent? requestContent)
+        {
+            DownstreamApiOptions effectiveOptions = MergeOptions(optionsInstanceName, calledApiOptionsOverride);
+
+            // verify scopes is not null
+            if (string.IsNullOrEmpty(effectiveOptions.Scopes))
+            {
+                throw new ArgumentException("Scopes need to be passed-in either by configuration or by the delegate overring it.");
+            }
+
+            string accessToken = await _tokenAcquisition.GetAccessTokenForUserAsync(effectiveOptions.GetScopes(), effectiveOptions.Tenant)
+                .ConfigureAwait(false);
+
+            HttpResponseMessage response;
+            using (HttpRequestMessage httpRequestMessage = new HttpRequestMessage(effectiveOptions.HttpMethod, effectiveOptions.GetApiUrl()))
+            {
+                if (requestContent != null)
+                {
+                    httpRequestMessage.Content = requestContent;
+                }
+
+                httpRequestMessage.Headers.Add("Authorization", $"bearer {accessToken}");
+                response = await _httpClient.SendAsync(httpRequestMessage).ConfigureAwait(false);
+            }
+
+            return response;
+        }
+
+        /// <summary>
+        /// Merge the options from configuration and override from caller.
+        /// </summary>
+        /// <param name="optionsInstanceName">Named configuration.</param>
+        /// <param name="calledApiOptionsOverride">Delegate to override the configuration.</param>
+        internal /* for tests */ DownstreamApiOptions MergeOptions(
+            string optionsInstanceName,
+            Action<DownstreamApiOptions>? calledApiOptionsOverride)
+        {
+            // Gets the options from configuration (or default value)
+            DownstreamApiOptions options;
+            if (optionsInstanceName != null)
+            {
+                options = _namedOptions.Get(optionsInstanceName);
+            }
+            else
+            {
+                options = _namedOptions.CurrentValue;
+            }
+
+            // Give a chance to the called to override defaults for this call
+            DownstreamApiOptions clonedOptions = options.Clone();
+            calledApiOptionsOverride?.Invoke(clonedOptions);
+            return clonedOptions;
+        }
+
+        /// <inheritdoc/>
+        public async Task<TOutput?> CallWebApiForUserAsync<TInput, TOutput>(
+            string optionsInstanceName,
+            TInput input,
+            Action<DownstreamApiOptions>? downstreamApiOptionsOverride = null,
+            ClaimsPrincipal? user = null)
+            where TOutput : class
+        {
+            StringContent? jsoncontent;
+            if (input != null)
+            {
+                var jsonRequest = JsonSerializer.Serialize(input);
+                jsoncontent = new StringContent(jsonRequest, Encoding.UTF8, "application/json");
+// case of patch?               jsoncontent = new StringContent(jsonRequest, Encoding.UTF8, "application/json-patch+json");
+            }
+            else
+            {
+                jsoncontent = null;
+            }
+
+            HttpResponseMessage response = await CallWebApiForUserAsync(
+                optionsInstanceName,
+                downstreamApiOptionsOverride,
+                user,
+                jsoncontent).ConfigureAwait(false);
+
+            if (response.StatusCode == HttpStatusCode.OK)
+            {
+                string content = await response.Content.ReadAsStringAsync().ConfigureAwait(false);
+                TOutput? output = JsonSerializer.Deserialize<TOutput>(content, _jsonOptions);
+                return output;
+            }
+            else
+            {
+                string error = await response.Content.ReadAsStringAsync().ConfigureAwait(false);
+                throw new HttpRequestException($"Invalid status code in the HttpResponseMessage: {response.StatusCode}: {error}");
+            }
+        }
+
+        /// <inheritdoc/>
+        public async Task<HttpResponseMessage> CallWebApiForAppAsync(
+            string optionsInstanceName,
+            Action<DownstreamApiOptions>? downstreamApiOptionsOverride = null,
+            StringContent? requestContent = null)
+        {
+            DownstreamApiOptions effectiveOptions = MergeOptions(optionsInstanceName, downstreamApiOptionsOverride);
+
+            if (effectiveOptions.Scopes == null)
+            {
+                throw new ArgumentException("Scopes need to be passed-in either by configuration or by the delegate overring it.");
+            }
+
+            string accessToken = await _tokenAcquisition.GetAccessTokenForAppAsync(effectiveOptions.Scopes, effectiveOptions.Tenant)
+                .ConfigureAwait(false);
+
+            HttpResponseMessage response;
+            using (HttpRequestMessage httpRequestMessage = new HttpRequestMessage(effectiveOptions.HttpMethod, effectiveOptions.GetApiUrl()))
+            {
+                httpRequestMessage.Headers.Add("Authorization", $"bearer {accessToken}");
+                response = await _httpClient.SendAsync(httpRequestMessage).ConfigureAwait(false);
+            }
+
+            return response;
+        }
+    }
+}
diff --git a/src/Microsoft.Identity.Web/DownstreamApiSupport/DownstreamWebApiExtensions.cs b/src/Microsoft.Identity.Web/DownstreamApiSupport/DownstreamWebApiExtensions.cs
@@ -0,0 +1,65 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Options;
+
+namespace Microsoft.Identity.Web
+{
+    /// <summary>
+    /// Extension methods to support downstream api services.
+    /// </summary>
+    public static class DownstreamApiServiceExtensions
+    {
+        /// <summary>
+        /// Adds a named downstream API service related to a specific configuration section.
+        /// </summary>
+        /// <param name="builder">Builder.</param>
+        /// <param name="optionsInstanceName">Name of the configuration for the service.
+        /// This is the name which will be used when calling the service from controller/pages.</param>
+        /// <param name="configuration">Configuration.</param>
+        /// <returns>The builder for chaining.</returns>
+        public static MicrosoftIdentityAppCallsWebApiAuthenticationBuilder AddDownstreamApiService(
+            this MicrosoftIdentityAppCallsWebApiAuthenticationBuilder builder,
+            string optionsInstanceName,
+            IConfiguration configuration)
+        {
+            if (builder is null)
+            {
+                throw new ArgumentNullException(nameof(builder));
+            }
+
+            builder.Services.Configure<DownstreamApiOptions>(optionsInstanceName, configuration);
+            builder.Services.AddHttpClient<IDownstreamWebApi, DownstreamWebApi>();
+            return builder;
+        }
+
+        /// <summary>
+        /// Adds a named downstream API service initialized with delegates.
+        /// </summary>
+        /// <param name="builder">Builder.</param>
+        /// <param name="optionsInstanceName">Name of the configuration for the service.
+        /// This is the name which will be used when calling the service from controller/pages.</param>
+        /// <param name="configureOptions">Action to configure the options.</param>
+        /// <returns>The builder for chaining.</returns>
+        public static MicrosoftIdentityAppCallsWebApiAuthenticationBuilder AddDownstreamApiService(
+            this MicrosoftIdentityAppCallsWebApiAuthenticationBuilder builder,
+            string optionsInstanceName,
+            Action<DownstreamApiOptions> configureOptions)
+        {
+            if (builder is null)
+            {
+                throw new ArgumentNullException(nameof(builder));
+            }
+
+            builder.Services.Configure<DownstreamApiOptions>(optionsInstanceName, configureOptions);
+
+            // https://docs.microsoft.com/en-us/dotnet/standard/microservices-architecture/implement-resilient-applications/use-httpclientfactory-to-implement-resilient-http-requests
+            builder.Services.AddHttpClient<IDownstreamWebApi, DownstreamWebApi>();
+            builder.Services.Configure(optionsInstanceName, configureOptions);
+            return builder;
+        }
+    }
+}