Add example to use delegating handlers for auth

Author: qetza

3-WebApp-multi-APIs/Controllers/HomeController.cs

@@ -20,14 +20,17 @@ public class HomeController : Controller
         readonly ITokenAcquisition tokenAcquisition;
         private readonly IGraphApiOperations graphApiOperations;
         private readonly IArmOperations armOperations;
+        private readonly IArmOperationsWithImplicitAuth armOperationsWithImplicitAuth;
 
         public HomeController(ITokenAcquisition   tokenAcquisition,
                               IGraphApiOperations graphApiOperations,
-                              IArmOperations armOperations)
+                              IArmOperations armOperations,
+                              IArmOperationsWithImplicitAuth armOperationsWithImplicitAuth)
         {
             this.tokenAcquisition   = tokenAcquisition;
             this.graphApiOperations = graphApiOperations;
             this.armOperations = armOperations;
+            this.armOperationsWithImplicitAuth = armOperationsWithImplicitAuth;
         }
 
         public IActionResult Index()
@@ -67,9 +70,23 @@ public async Task<IActionResult> Tenants()
 
             return View();
         }
-		
-		[AuthorizeForScopes(Scopes = new[] { "https://storage.azure.com/user_impersonation" })]
 
+        // Requires that the app has added the Azure Service Management / user_impersonation scope, and that
+        // the admin tenant does not require admin consent for ARM.
+        [AuthorizeForScopes(Scopes = new[] { "https://management.core.windows.net/user_impersonation" })]
+        public async Task<IActionResult> TenantsWithImplicitAuth()
+        {
+            var tenantIds = await armOperationsWithImplicitAuth.EnumerateTenantsIds();
+            /*
+                        var tenantsIdsAndNames =  await graphApiOperations.EnumerateTenantsIdAndNameAccessibleByUser(tenantIds,
+                            async tenantId => { return await tokenAcquisition.GetAccessTokenForUserAsync(new string[] { "Directory.Read.All" }, tenantId); });
+            */
+            ViewData["tenants"] = tenantIds;
+
+            return View(nameof(Tenants));
+        }
+
+        [AuthorizeForScopes(Scopes = new[] { "https://storage.azure.com/user_impersonation" })]
         public async Task<IActionResult> Blob()
         {
             string message = "Blob failed to create";

3-WebApp-multi-APIs/README.md

@@ -191,6 +191,39 @@ insert
   <li><a asp-area="" asp-controller="Home" asp-action="Blob">Blob</a></li>
 ```
 
+### Using implicit authentication (ArmApiOperationsServiceWithImplicitAuth)
+When calling an API, instead of explicitly giving the token in each call you can use a delegating handler on your HTTP client to automatically inject the access token.
+
+In `Startup.cs` after `services.AddHttpClient<IArmOperations, ArmApiOperationService>();` add `.services.AddHttpClient<IArmOperationsWithImplicitAuth, ArmApiOperationServiceWithImplicitAuth>()...`:
+
+```CSharp
+public void ConfigureServices(IServiceCollection services)
+{
+    . . .
+    services.AddMicrosoftIdentityWebAppAuthentication(Configuration)
+        .EnableTokenAcquisitionToCallDownstreamApi( new string[] { Constants.ScopeUserRead })
+        .AddInMemoryTokenCaches();
+    services.AddHttpClient<IArmOperations, ArmApiOperationService>();
+    services.AddHttpClient<IArmOperationsWithImplicitAuth, ArmApiOperationServiceWithImplicitAuth>()
+        .AddMicrosoftIdentityUserAuthenticationHandler(
+            "arm", 
+            options => options.Scopes = $"{ArmApiOperationService.ArmResource}user_impersonation");
+```
+
+In `HomeController.cs` add `TenantsWithImplicitAuth`:
+```CSharp
+    // Requires that the app has added the Azure Service Management / user_impersonation scope, and that
+    // the admin tenant does not require admin consent for ARM.
+    [AuthorizeForScopes(Scopes = new[] { "https://management.core.windows.net/user_impersonation" })]
+    public async Task<IActionResult> TenantsWithImplicitAuth()
+    {
+        var tenantIds = await armOperationsWithImplicitAuth.EnumerateTenantsIds();
+        ViewData["tenants"] = tenantIds;
+
+        return View(nameof(Tenants));
+    }
+```
+
 ## Troubleshooting
 
 To access Azure Resource Management (ARM), you'll need a work or school account (AAD account) and an Azure subscription. If your Azure subscription is for a Microsoft personal account, just create a new user in your directory, and use this user to run the sample

3-WebApp-multi-APIs/Services/ARM/ArmApiOperationServiceWithImplicitAuth.cs

@@ -0,0 +1,37 @@
+using Microsoft.Extensions.Options;
+
+using Newtonsoft.Json;
+
+using System.Collections.Generic;
+using System.Linq;
+using System.Net.Http;
+using System.Threading.Tasks;
+
+using WebApp_OpenIDConnect_DotNet.Services.GraphOperations;
+
+namespace WebApp_OpenIDConnect_DotNet.Services.Arm
+{
+    public class ArmApiOperationServiceWithImplicitAuth : IArmOperationsWithImplicitAuth
+    {
+        private readonly HttpClient httpClient;
+
+        public ArmApiOperationServiceWithImplicitAuth(HttpClient httpClient)
+        {
+            this.httpClient = httpClient;
+        }
+
+        /// <summary>
+        /// Enumerates the list of Tenant IDs. Token for the user or app needs to be configured on the HTTP client.
+        /// </summary>
+        /// <returns></returns>
+        public async Task<IEnumerable<string>> EnumerateTenantsIds()
+        {
+            var httpResult = await httpClient.GetAsync(ArmListTenantUrl);
+            string json = await httpResult.Content.ReadAsStringAsync();
+            ArmResult armTenants = JsonConvert.DeserializeObject<ArmResult>(json);
+            return armTenants.value.Select(t => t.tenantId);
+        }
+
+        protected string ArmListTenantUrl { get; } = "https://management.azure.com/tenants?api-version=2016-06-01";
+    }
+}

3-WebApp-multi-APIs/Services/ARM/IArmOperationsWithImplicitAuth.cs

@@ -0,0 +1,10 @@
+using System.Collections.Generic;
+using System.Threading.Tasks;
+
+namespace WebApp_OpenIDConnect_DotNet.Services.Arm
+{
+    public interface IArmOperationsWithImplicitAuth
+    {
+        Task<IEnumerable<string>> EnumerateTenantsIds();
+    }
+}

3-WebApp-multi-APIs/Startup.cs

@@ -46,6 +46,10 @@ public void ConfigureServices(IServiceCollection services)
             // Add APIs
             services.AddGraphService(Configuration);
             services.AddHttpClient<IArmOperations, ArmApiOperationService>();
+            services.AddHttpClient<IArmOperationsWithImplicitAuth, ArmApiOperationServiceWithImplicitAuth>()
+                .AddMicrosoftIdentityUserAuthenticationHandler(
+                    "arm", 
+                    options => options.Scopes = $"{ArmApiOperationService.ArmResource}user_impersonation");
 
             services.AddControllersWithViews(options =>
             {

3-WebApp-multi-APIs/Views/Shared/_Layout.cshtml

@@ -33,6 +33,7 @@
                     <li><a asp-area="" asp-controller="Home" asp-action="Index">Home</a></li>
                     <li><a asp-area="" asp-controller="Home" asp-action="Profile">Profile</a></li>
                     <li><a asp-area="" asp-controller="Home" asp-action="Tenants">Tenants</a></li>
+                    <li><a asp-area="" asp-controller="Home" asp-action="TenantsWithImplicitAuth">Tenants (with implicit auth)</a></li>
                     <li><a asp-area="" asp-controller="Home" asp-action="Blob">Blob</a></li>
                 </ul>
                 <partial name="_LoginPartial" />