changed to getting Owner as Object Id

Author: aremo-ms

4-WebApp-your-API/4-1-MyOrg/AppCreationScripts/Configure.ps1

@@ -205,6 +205,14 @@ Function ConfigureApplications
         Write-Host "'$($user.UserPrincipalName)' added as an application owner to app '$($serviceServicePrincipal.DisplayName)'"
     }
 
+    # Add application permissions/user roles
+    $appRoles = New-Object System.Collections.Generic.List[Microsoft.Graph.PowerShell.Models.MicrosoftGraphAppRole]
+    $newRole = CreateAppRole -types "Application" -name "ToDoList.Read.All" -description "Application can only read ToDo list"
+    $appRoles.Add($newRole)
+    $newRole = CreateAppRole -types "Application" -name "ToDoList.ReadWrite.All" -description "Application can read and write into ToDo list"
+    $appRoles.Add($newRole)
+    Update-MgApplication -ApplicationId $serviceAadApplication.Id -AppRoles $appRoles
+    
     # rename the user_impersonation scope if it exists to match the readme steps or add a new scope
 
     # delete default scope i.e. User_impersonation
@@ -231,7 +239,7 @@ Function ConfigureApplications
     -adminConsentDescription "Allow the app TodoListService-aspnetcore-webapi to [ex, read ToDo list items]"
 
     $scopes.Add($scope)
-    $scope = CreateScope -value ToDoList.Write  `
+    $scope = CreateScope -value ToDoList.ReadWrite  `
     -userConsentDisplayName "Access TodoListService-aspnetcore-webapi"  `
     -userConsentDescription "Allow the application to access TodoListService-aspnetcore-webapi on your behalf."  `
     -adminConsentDisplayName "Access TodoListService-aspnetcore-webapi"  `
@@ -262,6 +270,9 @@ Function ConfigureApplications
                                                           RedirectUris = "https://localhost:44321/", "https://localhost:44321/signin-oidc"; `
                                                           HomePageUrl = "https://localhost:44321/"; `
                                                           LogoutUrl = "https://localhost:44321/signout-oidc"; `
+                                                          ImplicitGrantSettings = @{ `
+                                                              EnableAccessTokenIssuance=$true; `
+                                                          } `
                                                         } `
                                                        -SignInAudience AzureADMyOrg `
                                                       #end of command
@@ -294,7 +305,7 @@ Function ConfigureApplications
     # Add Required Resources Access (from 'client' to 'service')
     Write-Host "Getting access from 'client' to 'service'"
     $requiredPermissions = GetRequiredPermissions -applicationDisplayName "TodoListService-aspnetcore-webapi" `
-        -requiredDelegatedPermissions "ToDoList.Read|ToDoList.Write" `
+        -requiredDelegatedPermissions "ToDoList.Read|ToDoList.ReadWrite" `
 
 
     $requiredResourcesAccess.Add($requiredPermissions)
@@ -311,7 +322,7 @@ Function ConfigureApplications
 
     # Update config file for 'client'
     $configFile = $pwd.Path + "\..\Client\appsettings.json"
-    $dictionary = @{ "Domain" = $tenantName;"TenantId" = $tenantId;"ClientId" = $clientAadApplication.AppId;"ClientSecret" = $pwdCredential.SecretText;"TodoListScopes" = "api://$($serviceAadApplication.AppId)/ToDoList.Read api://$($serviceAadApplication.AppId)/ToDoList.Write";"TodoListBaseAddress" = $serviceAadApplication.Web.HomePageUrl };
+    $dictionary = @{ "Domain" = $tenantName;"TenantId" = $tenantId;"ClientId" = $clientAadApplication.AppId;"ClientSecret" = $pwdCredential.SecretText;"TodoListScopes" = "api://$($serviceAadApplication.AppId)/ToDoList.Read api://$($serviceAadApplication.AppId)/ToDoList.ReadWrite";"TodoListBaseAddress" = $serviceAadApplication.Web.HomePageUrl };
 
     Write-Host "Updating the sample code ($configFile)"
 

4-WebApp-your-API/4-1-MyOrg/AppCreationScripts/sample.json

@@ -94,19 +94,19 @@
         "SampleSubPath": "4-WebApp-Your-API\\4-1-MyOrg",
         "ProjectDirectory": "\\TodoListService"
       },
-      "Scopes": [ "ToDoList.Read", "ToDoList.ReadWrite" ]
-      //"AppRoles": [
-      //  {
-      //    "Types": [ "Application" ],
-      //    "Name": "ToDoList.Read.All",
-      //    "Description": "Application can only read ToDo list"
-      //  },
-      //  {
-      //    "Types": [ "Application" ],
-      //    "Name": "ToDoList.ReadWrite.All",
-      //    "Description": "Application can read and write into ToDo list"
-      //  }
-      //]
+      "Scopes": [ "ToDoList.Read", "ToDoList.ReadWrite" ],
+      "AppRoles": [
+        {
+          "Types": [ "Application" ],
+          "Name": "ToDoList.Read.All",
+          "Description": "Application can only read ToDo list"
+        },
+        {
+          "Types": [ "Application" ],
+          "Name": "ToDoList.ReadWrite.All",
+          "Description": "Application can read and write into ToDo list"
+        }
+      ]
     },
     {
       "Id": "client",
@@ -120,7 +120,7 @@
       "RequiredResourcesAccess": [
         {
           "Resource": "service",
-          "DelegatedPermissions": [ "ToDoList.Read", "ToDoList.Write" ]
+          "DelegatedPermissions": [ "ToDoList.Read", "ToDoList.ReadWrite" ]
         }
       ],
       "ManualSteps": [],

4-WebApp-your-API/4-1-MyOrg/TodoListService/Controllers/TodoListController.cs

@@ -4,6 +4,7 @@
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.Identity.Web;
 using Microsoft.Identity.Web.Resource;
 using System;
 using System.Collections.Generic;
@@ -30,8 +31,8 @@ public TodoListController(IHttpContextAccessor contextAccessor)
             // Pre-populate with sample data
             if (TodoStore.Count == 0)
             {
-                TodoStore.Add(1, new Todo() { Id = 1, Owner = $"{_contextAccessor.HttpContext.User.Identity.Name}", Title = "Pick up groceries" });
-                TodoStore.Add(2, new Todo() { Id = 2, Owner = $"{_contextAccessor.HttpContext.User.Identity.Name}", Title = "Finish invoice report" });
+                TodoStore.Add(1, new Todo() { Id = 1, Owner = $"{GetObjectIdClaim(_contextAccessor.HttpContext.User)}", Title = "Pick up groceries" });
+                TodoStore.Add(2, new Todo() { Id = 2, Owner = $"{GetObjectIdClaim(_contextAccessor.HttpContext.User)}", Title = "Finish invoice report" });
                 TodoStore.Add(3, new Todo() { Id = 3, Owner = "Other User", Title = "Rent a car" });
                 TodoStore.Add(4, new Todo() { Id = 4, Owner = "Other User", Title = "Get vaccinated" });
             }
@@ -45,11 +46,11 @@ public TodoListController(IHttpContextAccessor contextAccessor)
             )]
         public IEnumerable<Todo> Get()
         {
-            if (IsInScopes(new string[] { "ToDoList.Read", "ToDoList.ReadWrite" }))
+            if (HasDelegatedPermissions(new string[] { "ToDoList.Read", "ToDoList.ReadWrite" }))
             {
-                return TodoStore.Values.Where(x => x.Owner == User.Identity.Name);
+                return TodoStore.Values.Where(x => x.Owner == GetObjectIdClaim(User));
             }
-            else if (IsInPermissions(new string[] { "ToDoList.Read.All", "ToDoList.ReadWrite.All" }))
+            else if (HasApplicationPermissions(new string[] { "ToDoList.Read.All", "ToDoList.ReadWrite.All" }))
             {
                 return TodoStore.Values;
             }
@@ -68,11 +69,11 @@ public Todo Get(int id)
             //then it will be t.id==id && x.Owner == owner
             //if it has app permissions the it will return  t.id==id
 
-            if (IsInScopes(new string[] { "ToDoList.Read", "ToDoList.ReadWrite" }))
+            if (HasDelegatedPermissions(new string[] { "ToDoList.Read", "ToDoList.ReadWrite" }))
             {
-                return TodoStore.Values.FirstOrDefault(t => t.Id == id && t.Owner == User.Identity.Name);
+                return TodoStore.Values.FirstOrDefault(t => t.Id == id && t.Owner == GetObjectIdClaim(User));
             }
-            else if (IsInPermissions(new string[] { "ToDoList.Read.All", "ToDoList.ReadWrite.All" }))
+            else if (HasApplicationPermissions(new string[] { "ToDoList.Read.All", "ToDoList.ReadWrite.All" }))
             {
                 return TodoStore.Values.FirstOrDefault(t => t.Id == id);
             }
@@ -90,11 +91,11 @@ public void Delete(int id)
             if (
                 (
 
-                IsInScopes(new string[] { "ToDoList.ReadWrite" }) && TodoStore.Values.Any(x => x.Id == id && x.Owner == User.Identity.Name))
+                HasDelegatedPermissions(new string[] { "ToDoList.ReadWrite" }) && TodoStore.Values.Any(x => x.Id == id && x.Owner == GetObjectIdClaim(User)))
 
                 ||
 
-                IsInPermissions(new string[] { "ToDoList.ReadWrite.All" })
+                HasApplicationPermissions(new string[] { "ToDoList.ReadWrite.All" })
                 )
             {
                 TodoStore.Remove(id);
@@ -113,9 +114,9 @@ public void Delete(int id)
             AcceptedAppPermission = new string[] { "ToDoList.ReadWrite.All" })]
         public IActionResult Post([FromBody] Todo todo)
         {
-            var owner = HttpContext.User.Identity.Name;
+            var owner = GetObjectIdClaim(User);
 
-            if (IsInPermissions(new string[] { "ToDoList.ReadWrite.All" }))
+            if (HasApplicationPermissions(new string[] { "ToDoList.ReadWrite.All" }))
             {
                 //with such a permission any owner name is accepted from UI
                 owner = todo.Owner;
@@ -141,13 +142,13 @@ public IActionResult Patch(int id, [FromBody] Todo todo)
             }
 
             if (
-                IsInScopes(new string[] { "ToDoList.ReadWrite" }) 
-                && TodoStore.Values.Any(x => x.Id == id && x.Owner == User.Identity.Name)
-                && todo.Owner == User.Identity.Name
+                HasDelegatedPermissions(new string[] { "ToDoList.ReadWrite" })
+                && TodoStore.Values.Any(x => x.Id == id && x.Owner == GetObjectIdClaim(User))
+                && todo.Owner == GetObjectIdClaim(User)
 
                 ||
 
-                IsInPermissions(new string[] { "ToDoList.ReadWrite.All" })
+                HasApplicationPermissions(new string[] { "ToDoList.ReadWrite.All" })
 
                 )
             {
@@ -162,21 +163,29 @@ public IActionResult Patch(int id, [FromBody] Todo todo)
         }
 
         //check if the permission is inside claims
-        private bool IsInPermissions(string[] permissionsNames)
+        private bool HasApplicationPermissions(string[] permissionsNames)
         {
-            var result = User.Claims.Where(c => c.Type.Equals(ClaimTypes.Role)).FirstOrDefault()?
-                .Value.Split(' ').Any(v => permissionsNames.Any(p => p.Equals(v)));
+            var rolesClaim = User.Claims.Where(
+              c => c.Type == ClaimConstants.Roles || c.Type == ClaimConstants.Role)
+              .SelectMany(c => c.Value.Split(' '));
 
-            return result ?? false;
+            var result = rolesClaim.Any(v => permissionsNames.Any(p => p.Equals(v)));
+
+            return result;
         }
 
         //check if the scope is inside claims
-        private bool IsInScopes(string[] scopesNames)
+        private bool HasDelegatedPermissions(string[] scopesNames)
         {
-            var result = User.Claims.Where(c => c.Type.Equals(Constants.ScopeClaimType)).FirstOrDefault()?
+            var result = (User.FindFirst(ClaimConstants.Scp) ?? User.FindFirst(ClaimConstants.Scope))?
                 .Value.Split(' ').Any(v => scopesNames.Any(s => s.Equals(v)));
 
             return result ?? false;
         }
+
+        private string GetObjectIdClaim(ClaimsPrincipal user)
+        {
+            return (user.FindFirst(ClaimConstants.Oid) ?? user.FindFirst(ClaimConstants.ObjectId))?.Value;
+        }
     }
 }

4-WebApp-your-API/4-1-MyOrg/TodoListService/Startup.cs

@@ -7,6 +7,7 @@
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Identity.Web;
+using System.IdentityModel.Tokens.Jwt;
 
 namespace TodoListService
 {
@@ -26,7 +27,7 @@ public void ConfigureServices(IServiceCollection services)
             // By default, the claims mapping will map claim names in the old format to accommodate older SAML applications.
             // 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' instead of 'roles'
             // This flag ensures that the ClaimsIdentity claims collection will be built from the claims in the token
-            // JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
+            JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
 
             // Adds Microsoft Identity platform (AAD v2.0) support to protect this Api
             services.AddMicrosoftIdentityWebApiAuthentication(Configuration);
@@ -51,7 +52,7 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
             }
 
             app.UseHttpsRedirection();
-            
+
             app.UseRouting();
             app.UseAuthentication();
             app.UseAuthorization();