Merge branch 'master' into update-multitenant-routes

Author: Kalyan Krishna

.gitignore

@@ -136,3 +136,4 @@ packages
 /4-WebApp-your-API/4-1-MyOrg/.vscode/settings.json
 /5-WebApp-AuthZ/5-1-Roles/.vscode/settings.json
 /.vscode
+/2-WebApp-graph-user/2-1-Call-MSGraph/Properties/PublishProfiles

1-WebApp-OIDC/1-1-MyOrg/WebApp-OpenIDConnect-DotNet.csproj

@@ -24,8 +24,8 @@
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>
-    <PackageReference Include="Microsoft.Identity.Web" Version="1.22.2" />
-    <PackageReference Include="Microsoft.Identity.Web.UI" Version="1.22.2" />
+    <PackageReference Include="Microsoft.Identity.Web" Version="1.25.2" />
+    <PackageReference Include="Microsoft.Identity.Web.UI" Version="1.25.2" />
     <PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="3.0.0" />
   </ItemGroup>
 

1-WebApp-OIDC/1-2-AnyOrg/WebApp-OpenIDConnect-DotNet.csproj

@@ -18,8 +18,8 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.Identity.Web" Version="1.22.2" />
-    <PackageReference Include="Microsoft.Identity.Web.UI" Version="1.22.2" />
+    <PackageReference Include="Microsoft.Identity.Web" Version="1.25.2" />
+    <PackageReference Include="Microsoft.Identity.Web.UI" Version="1.25.2" />
   </ItemGroup>
 
 </Project>

1-WebApp-OIDC/1-3-AnyOrgOrPersonal/WebApp-OpenIDConnect-DotNet.csproj

@@ -18,8 +18,8 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.Identity.Web" Version="1.22.2" />
-    <PackageReference Include="Microsoft.Identity.Web.UI" Version="1.22.2" />
+    <PackageReference Include="Microsoft.Identity.Web" Version="1.25.2" />
+    <PackageReference Include="Microsoft.Identity.Web.UI" Version="1.25.2" />
   </ItemGroup>
 
 </Project>

1-WebApp-OIDC/1-4-Sovereign/WebApp-OpenIDConnect-DotNet.csproj

@@ -18,8 +18,8 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.Identity.Web" Version="1.22.2" />
-    <PackageReference Include="Microsoft.Identity.Web.UI" Version="1.22.2" />
+    <PackageReference Include="Microsoft.Identity.Web" Version="1.25.2" />
+    <PackageReference Include="Microsoft.Identity.Web.UI" Version="1.25.2" />
   </ItemGroup>
 
 </Project>

1-WebApp-OIDC/1-5-B2C/ReadmeFiles/sign-in.png

@@ -63,7 +63,6 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
 
             app.UseHttpsRedirection();
             app.UseStaticFiles();
-            app.UseCookiePolicy();
 
             app.UseRouting();
             app.UseAuthentication();

1-WebApp-OIDC/1-5-B2C/Startup.cs

@@ -38,13 +38,11 @@
         </div>
     </nav>
 
-    <partial name="_CookieConsentPartial" />
-
     <div class="container body-content">
         @RenderBody()
         <hr />
         <footer>
-            <p>&copy; 2018 -  WebApp_OpenIDConnect_DotNet</p>
+            <p>&copy; 2022 -  WebApp_OpenIDConnect_DotNet</p>
         </footer>
     </div>
 

1-WebApp-OIDC/1-5-B2C/Views/Shared/_CookieConsentPartial.cshtml

@@ -18,8 +18,8 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.Identity.Web" Version="1.22.2" />
-    <PackageReference Include="Microsoft.Identity.Web.UI" Version="1.22.2" />
+    <PackageReference Include="Microsoft.Identity.Web" Version="1.25.2" />
+    <PackageReference Include="Microsoft.Identity.Web.UI" Version="1.25.2" />
   </ItemGroup>
 
 </Project>

1-WebApp-OIDC/1-5-B2C/Views/Shared/_Layout.cshtml

@@ -22,4 +22,4 @@ In this chapter of the tutorial, You'll learn how to use the [Microsoft.Identity
 ## Next chapters
 
 - If you signed-in users with Work or School accounts, or Microsoft personal accounts, you might want to learn how to call an API, starting with [Microsoft Graph](./2-WebApp-graph-user/2-1-Call-MSGraph/README.md).
-- If you wish to protect your web APIs using the Microsoft Identity Platform, please look into [call your own Web API directly](./4-WebApp-your-API/4-1-MyOrg/README.md).
+- If you wish to protect your web APIs using the Microsoft Identity Platform, please look into [call your own Web API directly](./4-1-MyOrg/README.md).

1-WebApp-OIDC/1-5-B2C/WebApp-OpenIDConnect-DotNet.csproj

@@ -0,0 +1,57 @@
+### Process the CAE challenge from Microsoft Graph
+
+To process the CAE challenge from Microsoft Graph, the controller actions need to extract it from the `wwwAuthenticate` header. It is returned when MS Graph rejects a seemingly valid Access tokens for MS Graph. For this you need to:
+
+1. Inject and instance of `MicrosoftIdentityConsentAndConditionalAccessHandler` in the controller constructor. The beginning of the HomeController becomes:
+
+   ```CSharp
+   public class HomeController : Controller
+   {
+    private readonly ILogger<HomeController> _logger;
+    private readonly GraphServiceClient _graphServiceClient;
+    private readonly MicrosoftIdentityConsentAndConditionalAccessHandler _consentHandler;
+    private string[] _graphScopes = new[] { "user.read" };
+    public HomeController(ILogger<HomeController> logger,
+                          IConfiguration configuration,
+                          GraphServiceClient graphServiceClient,
+                          MicrosoftIdentityConsentAndConditionalAccessHandler consentHandler)
+    {
+      _logger = logger;
+      _graphServiceClient = graphServiceClient;
+      this._consentHandler = consentHandler;
+      // Capture the Scopes for Graph that were used in the original request for an Access token (AT) for MS Graph as
+      // they'd be needed again when requesting a fresh AT for Graph during claims challenge processing
+      _graphScopes = configuration.GetValue<string>("DownstreamApi:Scopes")?.Split(' ');
+    }
+    
+    // more code here
+    ```
+1. The process to handle CAE challenges from MS Graph comprises of the following steps:
+    1. Catch a Microsoft Graph SDK's `ServiceException` and extract the required `claims`. This is done by wrapping the call to Microsoft Graph into a try/catch block that processes the challenge:
+    ```CSharp
+    currentUser = await _graphServiceClient.Me.Request().GetAsync();
+    ```
+    1. Then redirect the user back to Azure AD with the new requested `claims`. Azure AD will use this `claims` payload to discern what or if any additional processing is required, example being the user needs to sign-in again or do multi-factor authentication.
+  ```CSharp
+    try
+    {
+        currentUser = await _graphServiceClient.Me.Request().GetAsync();
+    }
+    // Catch CAE exception from Graph SDK
+    catch (ServiceException svcex) when (svcex.Message.Contains("Continuous access evaluation resulted in claims challenge"))
+    {
+      try
+      {
+        Console.WriteLine($"{svcex}");
+        string claimChallenge = WwwAuthenticateParameters.GetClaimChallengeFromResponseHeaders(svcex.ResponseHeaders);
+        _consentHandler.ChallengeUser(_graphScopes, claimChallenge);
+        return new EmptyResult();
+      }
+      catch (Exception ex2)
+      {
+        _consentHandler.HandleException(ex2);
+      }
+    }        
+  ```
+
+   The `AuthenticationHeaderHelper` class is available from the `Helpers\AuthenticationHeaderHelper.cs file`.