@@ -37,72 +37,72 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
3737
3838namespace GroupManager
3939{
40- public partial class Startup
41- {
42- private void ConfigureAuth ( IAppBuilder app )
43- {
44- app . SetDefaultSignInAsAuthenticationType ( CookieAuthenticationDefaults . AuthenticationType ) ;
40+ public partial class Startup
41+ {
42+ private void ConfigureAuth ( IAppBuilder app )
43+ {
44+ app . SetDefaultSignInAsAuthenticationType ( CookieAuthenticationDefaults . AuthenticationType ) ;
4545
46- app . UseCookieAuthentication ( new CookieAuthenticationOptions { } ) ;
46+ app . UseCookieAuthentication ( new CookieAuthenticationOptions { } ) ;
4747
48- app . UseOpenIdConnectAuthentication (
49- new OpenIdConnectAuthenticationOptions
50- {
51- Authority = Globals . Authority ,
52- ClientId = Globals . ClientId ,
53- RedirectUri = Globals . RedirectUri ,
54- PostLogoutRedirectUri = Globals . RedirectUri ,
55- Scope = Globals . BasicSignInScopes , // a basic set of permissions for user sign in & profile access
56- TokenValidationParameters = new TokenValidationParameters
57- {
58- // In a real application you would use ValidateIssuer = true for additional checks and security.
59- ValidateIssuer = false ,
60- NameClaimType = "name" ,
61- } ,
62- Notifications = new OpenIdConnectAuthenticationNotifications ( )
63- {
64- SecurityTokenValidated = OnSecurityTokenValidated ,
65- AuthorizationCodeReceived = OnAuthorizationCodeReceived ,
66- AuthenticationFailed = OnAuthenticationFailed ,
67- }
68- } ) ;
69- }
48+ app . UseOpenIdConnectAuthentication (
49+ new OpenIdConnectAuthenticationOptions
50+ {
51+ Authority = Globals . Authority ,
52+ ClientId = Globals . ClientId ,
53+ RedirectUri = Globals . RedirectUri ,
54+ PostLogoutRedirectUri = Globals . RedirectUri ,
55+ Scope = Globals . BasicSignInScopes , // a basic set of permissions for user sign in & profile access
56+ TokenValidationParameters = new TokenValidationParameters
57+ {
58+ // In a real application you would use ValidateIssuer = true for additional checks and security.
59+ ValidateIssuer = false ,
60+ NameClaimType = "name" ,
61+ } ,
62+ Notifications = new OpenIdConnectAuthenticationNotifications ( )
63+ {
64+ SecurityTokenValidated = OnSecurityTokenValidated ,
65+ AuthorizationCodeReceived = OnAuthorizationCodeReceived ,
66+ AuthenticationFailed = OnAuthenticationFailed ,
67+ }
68+ } ) ;
69+ }
7070
71- private Task OnAuthenticationFailed ( AuthenticationFailedNotification < OpenIdConnectMessage , OpenIdConnectAuthenticationOptions > context )
72- {
73- // Handle any unexpected errors during sign in
74- context . OwinContext . Response . Redirect ( "/Error?message=" + context . Exception . Message ) ;
75- context . HandleResponse ( ) ; // Suppress the exception
76- return Task . FromResult ( 0 ) ;
77- }
71+ private Task OnAuthenticationFailed ( AuthenticationFailedNotification < OpenIdConnectMessage , OpenIdConnectAuthenticationOptions > context )
72+ {
73+ // Handle any unexpected errors during sign in
74+ context . OwinContext . Response . Redirect ( "/Error?message=" + context . Exception . Message ) ;
75+ context . HandleResponse ( ) ; // Suppress the exception
76+ return Task . FromResult ( 0 ) ;
77+ }
7878
79- private async Task OnAuthorizationCodeReceived ( AuthorizationCodeReceivedNotification context )
80- {
81- /*
79+ private async Task OnAuthorizationCodeReceived ( AuthorizationCodeReceivedNotification context )
80+ {
81+ /*
8282 The `MSALPerUserMemoryTokenCache` is created and hooked in the `UserTokenCache` used by `IConfidentialClientApplication`.
8383 At this point, if you inspect `ClaimsPrinciple.Current` you will notice that the Identity is still unauthenticated and it has no claims,
8484 but `MSALPerUserMemoryTokenCache` needs the claims to work properly. Because of this sync problem, we are using the constructor that
8585 receives `ClaimsPrincipal` as argument and we are getting the claims from the object `AuthorizationCodeReceivedNotification context`.
8686 This object contains the property `AuthenticationTicket.Identity`, which is a `ClaimsIdentity`, created from the token received from
8787 Azure AD and has a full set of claims.
8888 */
89- IConfidentialClientApplication confidentialClient = MsalAppBuilder . BuildConfidentialClientApplication ( new ClaimsPrincipal ( context . AuthenticationTicket . Identity ) ) ;
89+ IConfidentialClientApplication confidentialClient = MsalAppBuilder . BuildConfidentialClientApplication ( new ClaimsPrincipal ( context . AuthenticationTicket . Identity ) ) ;
9090
91- // Upon successful sign in, get & cache a token using MSAL
92- AuthenticationResult result = await confidentialClient . AcquireTokenByAuthorizationCode ( new [ ] { "user.readbasic.all" } , context . Code ) . ExecuteAsync ( ) ;
93- }
91+ // Upon successful sign in, get & cache a token using MSAL
92+ AuthenticationResult result = await confidentialClient . AcquireTokenByAuthorizationCode ( new [ ] { "user.readbasic.all" } , context . Code ) . ExecuteAsync ( ) ;
93+ }
9494
95- private Task OnSecurityTokenValidated ( SecurityTokenValidatedNotification < OpenIdConnectMessage , OpenIdConnectAuthenticationOptions > context )
96- {
97- // Verify the user signing in is a business user, not a consumer user.
98- string [ ] issuer = context . AuthenticationTicket . Identity . FindFirst ( Globals . IssuerClaim ) . Value . Split ( '/' ) ;
99- string tenantId = issuer [ ( issuer . Length - 2 ) ] ;
100- if ( tenantId == Globals . ConsumerTenantId )
101- {
102- throw new SecurityTokenValidationException ( "Consumer accounts are not supported for the Group Manager App. Please log in with your work account." ) ;
103- }
95+ private Task OnSecurityTokenValidated ( SecurityTokenValidatedNotification < OpenIdConnectMessage , OpenIdConnectAuthenticationOptions > context )
96+ {
97+ // Verify the user signing in is a business user, not a consumer user.
98+ string [ ] issuer = context . AuthenticationTicket . Identity . FindFirst ( Globals . IssuerClaim ) . Value . Split ( '/' ) ;
99+ string tenantId = issuer [ ( issuer . Length - 2 ) ] ;
100+ if ( tenantId == Globals . ConsumerTenantId )
101+ {
102+ throw new SecurityTokenValidationException ( "Consumer accounts are not supported for the Group Manager App. Please log in with your work account." ) ;
103+ }
104104
105- return Task . FromResult ( 0 ) ;
106- }
107- }
105+ return Task . FromResult ( 0 ) ;
106+ }
107+ }
108108}