From 21fb64789a4075911405378489b6378747e5beef Mon Sep 17 00:00:00 2001 From: Jean-Marc Prieur Date: Mon, 25 Feb 2019 12:56:25 +0100 Subject: [PATCH 1/6] Adding flexibility for the authority and audience (to enable the Azure AD v2.0 endpoint) --- .../src/AzureADOptions.cs | 44 ++++++++++++++++--- .../src/JwtBearerOptionsConfiguration.cs | 8 ++-- .../src/OpenIdConnectOptionsConfiguration.cs | 5 ++- 3 files changed, 46 insertions(+), 11 deletions(-) diff --git a/src/Azure/AzureAD/Authentication.AzureAD.UI/src/AzureADOptions.cs b/src/Azure/AzureAD/Authentication.AzureAD.UI/src/AzureADOptions.cs index 89a8a84beb5e..15ae1d908705 100644 --- a/src/Azure/AzureAD/Authentication.AzureAD.UI/src/AzureADOptions.cs +++ b/src/Azure/AzureAD/Authentication.AzureAD.UI/src/AzureADOptions.cs @@ -1,4 +1,4 @@ -// Copyright (c) .NET Foundation. All rights reserved. +// Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Authentication.Cookies; 
@@ -30,30 +30,62 @@ public class AzureADOptions public string JwtBearerSchemeName { get; internal set; } /// - /// Gets or sets the client Id. + /// Gets or sets the client Id (Application Id) of the Azure AD application /// public string ClientId { get; set; } /// - /// Gets or sets the client secret. + /// Gets or sets the client secret for the application (application password) /// + /// + /// The client secret is only used if the Web app or Web API + /// calls a Web API + /// public string ClientSecret { get; set; } /// - /// Gets or sets the tenant Id. + /// Gets or sets the tenant id. The tenant id can have one of the following values: + /// + /// a proper tenant IDA GUID representing the ID of the Azure Active Directory Tenant (directory ID) + /// a domain nameassociated with the Azure Active Directory tenant + /// commonif the is Azure AD v2.0, enables to sign-in users from any + /// Work and School account or Microsoft Personal Account. If Authority is Azure AD v1.0, enables sign-in from any Work and School accounts + /// organizationsif the is Azure AD v2.0, enables to sign-in users from any + /// Work and School account + /// consumersif the is Azure AD v2.0, enables to sign-in users from any + /// Microsoft personal account + /// /// public string TenantId { get; set; } /// /// Gets or sets the Azure Active Directory instance. + /// Typical values are: + /// + /// https://login.microsoftonline.comFor Microsoft Azure public cloud + /// https://login.microsoftonline.usFor Azure US Government + /// https://login.partner.microsoftonline.cnFor Azure China 21Vianet + /// https://login.microsoftonline.deFor Azure Germany + /// /// - public string Instance { get; set; } + public string Instance { get; set; } = "https://login.microsoftonline.com"; /// - /// Gets or sets the domain of the Azure Active Directory tennant. + /// Gets or sets the domain associated with the Azure Active Directory tenant. 
/// public string Domain { get; set; } + /// + /// Azure Active Directory Authority + /// + public string Authority { get; set; } = "https://{Instance}/{TenantId}"; + + /// + /// Gets or sets the audience for a Web API (This audience needs + /// to match the audience of the tokens sent to access this application) + /// + public string Audience { get; set; } = "{ClientId}"; + /// /// Gets or sets the sign in callback path. /// diff --git a/src/Azure/AzureAD/Authentication.AzureAD.UI/src/JwtBearerOptionsConfiguration.cs b/src/Azure/AzureAD/Authentication.AzureAD.UI/src/JwtBearerOptionsConfiguration.cs index 5754ee3798e9..28f1a6cf4b1d 100644 --- a/src/Azure/AzureAD/Authentication.AzureAD.UI/src/JwtBearerOptionsConfiguration.cs +++ b/src/Azure/AzureAD/Authentication.AzureAD.UI/src/JwtBearerOptionsConfiguration.cs @@ -1,4 +1,4 @@ -// Copyright (c) .NET Foundation. All rights reserved. +// Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.using Microsoft.AspNetCore.Authorization; using System; @@ -30,8 +30,10 @@ public void Configure(string name, JwtBearerOptions options) return; } - options.Audience = azureADOptions.ClientId; - options.Authority = new Uri(new Uri(azureADOptions.Instance), azureADOptions.TenantId).ToString(); + options.Audience = string.Format(azureADOptions.Audience?.Replace("{ClientId}", "{0}"), + azureADOptions.ClientId); + options.Authority = string.Format(azureADOptions.Authority.Replace("{Instance}", "{0}").Replace("{TenantId}", "{1}"), + azureADOptions.Instance, azureADOptions.TenantId); } public void Configure(JwtBearerOptions options) diff --git a/src/Azure/AzureAD/Authentication.AzureAD.UI/src/OpenIdConnectOptionsConfiguration.cs b/src/Azure/AzureAD/Authentication.AzureAD.UI/src/OpenIdConnectOptionsConfiguration.cs index 57ca1329a434..6f38536b3920 100644 
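Review bot: The new `Authority` and `Audience` properties are templates, but their summaries never say that `{Instance}`, `{TenantId}` and `{ClientId}` are placeholders substituted later by JwtBearerOptionsConfiguration and OpenIdConnectOptionsConfiguration, so a reader of the options class cannot tell that a literal URL is also accepted or how the v2.0 endpoint is selected. I would replace the one-line `Authority` summary with `/// Gets or sets the authority template. The {Instance} and {TenantId} placeholders are replaced by <see cref="Instance"/> and <see cref="TenantId"/> when the JwtBearer and OpenIdConnect options are configured; append "v2.0" to the template, as the project templates do, to use the Azure AD v2.0 endpoint.` and extend the `Audience` summary with `The {ClientId} placeholder is replaced by <see cref="ClientId"/>.` The new `ClientSecret` remark that the secret is only used when calling a Web API also looks inconsistent with OpenIdConnectOptionsConfiguration, which copies it into `options.ClientSecret` unconditionally; worth confirming before that remark ships. The AzureADOptions class continues outside the hunk.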
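Review bot: The null-conditional in `azureADOptions.Audience?.Replace(...)` does not protect against a null `Audience`, because `string.Format` throws ArgumentNullException for a null format string, so the line fails either way, and a null `Authority` on the following line throws NullReferenceException. Routing the values through `string.Format` also means any literal `{` or `}` left in a configured template raises FormatException, and the validation the replaced `new Uri(new Uri(Instance), TenantId)` gave for free (the result is an absolute URL) is gone, so a mistyped authority is now discovered only when the metadata request fails. I would substitute the placeholders with `Replace` directly, fall back to `ClientId` when no audience is configured, and validate the composed authority with `Uri.TryCreate` before assigning it (relax the scheme check only if test hosts genuinely need http); the `options.Authority` line in the OpenIdConnectOptionsConfiguration hunk has the same problems. The Configure method starts outside the hunk.
```csharp
// … unchanged: azureADOptions lookup and early return …
options.Audience = azureADOptions.Audience?.Replace("{ClientId}", azureADOptions.ClientId)
    ?? azureADOptions.ClientId;
var authority = azureADOptions.Authority?
    .Replace("{Instance}", azureADOptions.Instance)
    .Replace("{TenantId}", azureADOptions.TenantId);
if (!Uri.TryCreate(authority, UriKind.Absolute, out var authorityUri) || authorityUri.Scheme != Uri.UriSchemeHttps)
{
    throw new InvalidOperationException($"The AzureAD Authority '{authority}' is not an absolute https URL.");
}
options.Authority = authorityUri.ToString();
```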
--- a/src/Azure/AzureAD/Authentication.AzureAD.UI/src/OpenIdConnectOptionsConfiguration.cs +++ b/src/Azure/AzureAD/Authentication.AzureAD.UI/src/OpenIdConnectOptionsConfiguration.cs @@ -1,4 +1,4 @@ -// Copyright (c) .NET Foundation. All rights reserved. +// Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.using Microsoft.AspNetCore.Authorization; using System; @@ -29,7 +29,8 @@ public void Configure(string name, OpenIdConnectOptions options) options.ClientId = azureADOptions.ClientId; options.ClientSecret = azureADOptions.ClientSecret; - options.Authority = new Uri(new Uri(azureADOptions.Instance), azureADOptions.TenantId).ToString(); + options.Authority = string.Format(azureADOptions.Authority.Replace("{Instance}", "{0}").Replace("{TenantId}", "{1}"), + azureADOptions.Instance, azureADOptions.TenantId); options.CallbackPath = azureADOptions.CallbackPath ?? options.CallbackPath; options.SignedOutCallbackPath = azureADOptions.SignedOutCallbackPath ?? options.SignedOutCallbackPath; options.SignInScheme = azureADOptions.CookieSchemeName; From 0db0dc875f10dc7aa02444a44ec7f5382aebb175 Mon Sep 17 00:00:00 2001 From: Jean-Marc Prieur Date: Mon, 25 Feb 2019 13:27:17 +0100 Subject: [PATCH 2/6] fixing the Authority --- .../AzureAD/Authentication.AzureAD.UI/src/AzureADOptions.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Azure/AzureAD/Authentication.AzureAD.UI/src/AzureADOptions.cs b/src/Azure/AzureAD/Authentication.AzureAD.UI/src/AzureADOptions.cs index 15ae1d908705..4435fead5bc0 100644 --- a/src/Azure/AzureAD/Authentication.AzureAD.UI/src/AzureADOptions.cs +++ b/src/Azure/AzureAD/Authentication.AzureAD.UI/src/AzureADOptions.cs 
@@ -78,7 +78,7 @@ public class AzureADOptions /// /// Azure Active Directory Authority /// - public string Authority { get; set; } = "https://{Instance}/{TenantId}"; + public string Authority { get; set; } = "{Instance}/{TenantId}"; /// /// Gets or sets the audience for a Web API (This audience needs From 3d0ccfd22cbdfcb0c2b4dc5c67b902c1e5dc566c Mon Sep 17 00:00:00 2001 From: Jean-Marc Prieur Date: Mon, 25 Feb 2019 13:28:49 +0100 Subject: [PATCH 3/6] Avoid unnecessary changes (don't remove / for instance) --- .../Authentication.AzureAD.UI/src/AzureADOptions.cs | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/Azure/AzureAD/Authentication.AzureAD.UI/src/AzureADOptions.cs b/src/Azure/AzureAD/Authentication.AzureAD.UI/src/AzureADOptions.cs index 4435fead5bc0..b50b18d745b5 100644 --- a/src/Azure/AzureAD/Authentication.AzureAD.UI/src/AzureADOptions.cs +++ b/src/Azure/AzureAD/Authentication.AzureAD.UI/src/AzureADOptions.cs @@ -62,13 +62,13 @@ public class AzureADOptions /// Gets or sets the Azure Active Directory instance. /// Typical values are: /// - /// https://login.microsoftonline.comFor Microsoft Azure public cloud - /// https://login.microsoftonline.usFor Azure US Government - /// https://login.partner.microsoftonline.cnFor Azure China 21Vianet - /// https://login.microsoftonline.deFor Azure Germany + /// https://login.microsoftonline.com/For Microsoft Azure public cloud + /// https://login.microsoftonline.us/For Azure US Government + /// https://login.partner.microsoftonline.cn/For Azure China 21Vianet + /// https://login.microsoftonline.de/For Azure Germany /// /// - public string Instance { get; set; } = "https://login.microsoftonline.com"; + public string Instance { get; set; } = "https://login.microsoftonline.com/"; /// /// Gets or sets the domain associated with the Azure Active Directory tenant. 
@@ -78,7 +78,7 @@ public class AzureADOptions /// /// Azure Active Directory Authority /// - public string Authority { get; set; } = "{Instance}/{TenantId}"; + public string Authority { get; set; } = "{Instance}{TenantId}"; /// /// Gets or sets the audience for a Web API (This audience needs From efefe0392287f47a0b8c41876c60660764bee586 Mon Sep 17 00:00:00 2001 From: Jean-Marc Prieur Date: Mon, 25 Feb 2019 13:49:01 +0100 Subject: [PATCH 4/6] Updating the project templates according to the product change --- .../content/WebApi-CSharp/appsettings.json | 39 ++++++++++--------- 1 file changed, 20 insertions(+), 19 deletions(-) diff --git a/src/ProjectTemplates/Web.ProjectTemplates/content/WebApi-CSharp/appsettings.json b/src/ProjectTemplates/Web.ProjectTemplates/content/WebApi-CSharp/appsettings.json index 456da1fb8e57..ae1cd03c882a 100644 --- a/src/ProjectTemplates/Web.ProjectTemplates/content/WebApi-CSharp/appsettings.json +++ b/src/ProjectTemplates/Web.ProjectTemplates/content/WebApi-CSharp/appsettings.json 
@@ -1,23 +1,24 @@ { -////#if (IndividualB2CAuth) -// "AzureAdB2C": { -// "Instance": "https:////login.microsoftonline.com/tfp/", -// "ClientId": "11111111-1111-1111-11111111111111111", -// "Domain": "qualified.domain.name", -// "SignUpSignInPolicyId": "MySignUpSignInPolicyId" -// }, -////#elseif (OrganizationalAuth) -// "AzureAd": { -//#if (!SingleOrgAuth) -// "Instance": "https:////login.microsoftonline.com/common", -//#else -// "Instance": "https:////login.microsoftonline.com/", -// "Domain": "qualified.domain.name", -// "TenantId": "22222222-2222-2222-2222-222222222222", -//#endif -// "ClientId": "11111111-1111-1111-11111111111111111" -// }, -//#endif + ////#if (IndividualB2CAuth) + // "AzureAdB2C": { + // "Instance": "https:////login.microsoftonline.com/tfp/", + // "ClientId": "11111111-1111-1111-11111111111111111", + // "Domain": "qualified.domain.name", + // "SignUpSignInPolicyId": "MySignUpSignInPolicyId" + // }, + ////#elseif (OrganizationalAuth) + // "AzureAd": { + // "Autority": "{Instance}{TenantId}/v2.0", + // "Instance": "https:////login.microsoftonline.com/", + //#if (!SingleOrgAuth) + // "TenantId": "organizations", + //#else + // "Domain": "qualified.domain.name", + // "TenantId": "22222222-2222-2222-2222-222222222222", + //#endif + // "ClientId": "11111111-1111-1111-11111111111111111" + // }, + //#endif "Logging": { "LogLevel": { "Default": "Warning", From 3cc80161627ed23ec31af7be1ce0553451f69c92 Mon Sep 17 00:00:00 2001 From: Jean-Marc Prieur Date: Mon, 25 Feb 2019 13:50:24 +0100 Subject: [PATCH 5/6] Updating the project templates according to the product change --- .../RazorPagesWeb-CSharp/appsettings.json | 65 ++++++++++--------- .../StarterWeb-CSharp/appsettings.json | 5 +- 2 files changed, 36 insertions(+), 34 deletions(-) 
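Review bot: The new `"Autority"` key in the AzureAd section is misspelled; the property added to AzureADOptions in patch 1 is `Authority`, and if the section is bound with the usual options binder, which matches keys to property names, this value is never bound and the template silently falls back to the default authority (the v1.0 form `{Instance}{TenantId}/` as of patch 6) instead of the v2.0 endpoint the line is meant to select. The same misspelling appears in the RazorPagesWeb-CSharp and StarterWeb-CSharp appsettings.json hunks of patch 5. The line should read `// "Authority": "{Instance}{TenantId}/v2.0",`. The `Instance` and `Authority` keys are also ordered differently here (authority first) than in the other two templates (instance first); one order makes the three templates easier to compare.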
diff --git a/src/ProjectTemplates/Web.ProjectTemplates/content/RazorPagesWeb-CSharp/appsettings.json b/src/ProjectTemplates/Web.ProjectTemplates/content/RazorPagesWeb-CSharp/appsettings.json index 526319943f8d..a251f3ea11ce 100644 --- a/src/ProjectTemplates/Web.ProjectTemplates/content/RazorPagesWeb-CSharp/appsettings.json +++ b/src/ProjectTemplates/Web.ProjectTemplates/content/RazorPagesWeb-CSharp/appsettings.json 
@@ -1,36 +1,37 @@ { -////#if (IndividualB2CAuth) -// "AzureAdB2C": { -// "Instance": "https:////login.microsoftonline.com/tfp/", -// "ClientId": "11111111-1111-1111-11111111111111111", -// "CallbackPath": "/signin-oidc", -// "Domain": "qualified.domain.name", -// "SignUpSignInPolicyId": "MySignUpSignInPolicyId", -// "ResetPasswordPolicyId": "MyResetPasswordPolicyId", -// "EditProfilePolicyId": "MyEditProfilePolicyId" -// }, -////#elseif (OrganizationalAuth) -// "AzureAd": { -//#if (MultiOrgAuth) -// "Instance": "https:////login.microsoftonline.com/common", -//#elseif (SingleOrgAuth) -// "Instance": "https:////login.microsoftonline.com/", -// "Domain": "qualified.domain.name", -// "TenantId": "22222222-2222-2222-2222-222222222222", -//#endif -// "ClientId": "11111111-1111-1111-11111111111111111", -// "CallbackPath": "/signin-oidc" -// }, -//#endif -////#if (IndividualLocalAuth) -// "ConnectionStrings": { -////#if (UseLocalDB) -// "DefaultConnection": "Server=(localdb)\\mssqllocaldb;Database=aspnet-Company.WebApplication1-53bc9b9d-9d6a-45d4-8429-2a2761773502;Trusted_Connection=True;MultipleActiveResultSets=true" -////#else -// "DefaultConnection": "DataSource=app.db" -//#endif -// }, -//#endif + ////#if (IndividualB2CAuth) + // "AzureAdB2C": { + // "Instance": "https:////login.microsoftonline.com/tfp/", + // "ClientId": "11111111-1111-1111-11111111111111111", + // "CallbackPath": "/signin-oidc", + // "Domain": "qualified.domain.name", + // "SignUpSignInPolicyId": "MySignUpSignInPolicyId", + // "ResetPasswordPolicyId": "MyResetPasswordPolicyId", + // "EditProfilePolicyId": "MyEditProfilePolicyId" + // }, + ////#elseif (OrganizationalAuth) + // "AzureAd": { + // "Instance": "https:////login.microsoftonline.com/", + // "Autority": "{Instance}{TenantId}/v2.0", + //#if (MultiOrgAuth) + // "TenantId": "organizations", + //#elseif (SingleOrgAuth) + // "Domain": "qualified.domain.name", + // "TenantId": "22222222-2222-2222-2222-222222222222", + //#endif + // "ClientId": 
"11111111-1111-1111-11111111111111111", + // "CallbackPath": "/signin-oidc" + // }, + //#endif + ////#if (IndividualLocalAuth) + // "ConnectionStrings": { + ////#if (UseLocalDB) + // "DefaultConnection": "Server=(localdb)\\mssqllocaldb;Database=aspnet-Company.WebApplication1-53bc9b9d-9d6a-45d4-8429-2a2761773502;Trusted_Connection=True;MultipleActiveResultSets=true" + ////#else + // "DefaultConnection": "DataSource=app.db" + //#endif + // }, + //#endif "Logging": { "LogLevel": { "Default": "Warning", diff --git a/src/ProjectTemplates/Web.ProjectTemplates/content/StarterWeb-CSharp/appsettings.json b/src/ProjectTemplates/Web.ProjectTemplates/content/StarterWeb-CSharp/appsettings.json index 526319943f8d..55b821001efa 100644 --- a/src/ProjectTemplates/Web.ProjectTemplates/content/StarterWeb-CSharp/appsettings.json +++ b/src/ProjectTemplates/Web.ProjectTemplates/content/StarterWeb-CSharp/appsettings.json @@ -11,10 +11,11 @@ // }, ////#elseif (OrganizationalAuth) // "AzureAd": { + // "Instance": "https:////login.microsoftonline.com/", + // "Autority": "{Instance}{TenantId}/v2.0", //#if (MultiOrgAuth) -// "Instance": "https:////login.microsoftonline.com/common", + // "TenantId": "organizations", //#elseif (SingleOrgAuth) -// "Instance": "https:////login.microsoftonline.com/", // "Domain": "qualified.domain.name", // "TenantId": "22222222-2222-2222-2222-222222222222", //#endif From bf5923c8a16b3c48c7f609be02e81af28aa146d1 Mon Sep 17 00:00:00 2001 From: Jean-Marc Prieur Date: Mon, 25 Feb 2019 21:37:03 +0100 Subject: [PATCH 6/6] updating Authority computation --- .../AzureAD/Authentication.AzureAD.UI/src/AzureADOptions.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Azure/AzureAD/Authentication.AzureAD.UI/src/AzureADOptions.cs b/src/Azure/AzureAD/Authentication.AzureAD.UI/src/AzureADOptions.cs index b50b18d745b5..3e8e94b92d09 100644 --- a/src/Azure/AzureAD/Authentication.AzureAD.UI/src/AzureADOptions.cs 
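Review bot: The four lines added to StarterWeb-CSharp/appsettings.json are indented with a leading space (` // "Instance": …`) while the `//#if (MultiOrgAuth)` and `// "Domain": …` lines they sit between stay at column 0, so the AzureAd block now mixes two indentation styles; the RazorPagesWeb-CSharp hunk in the same patch reindented the whole block instead. Either reindent the remainder of this block as RazorPagesWeb-CSharp does or add the new lines at column 0 to match their neighbours. The opening of the OrganizationalAuth block and the rest of the file are outside the hunk.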
+++ b/src/Azure/AzureAD/Authentication.AzureAD.UI/src/AzureADOptions.cs @@ -78,7 +78,7 @@ public class AzureADOptions /// /// Azure Active Directory Authority /// - public string Authority { get; set; } = "{Instance}{TenantId}"; + public string Authority { get; set; } = "{Instance}{TenantId}/"; /// /// Gets or sets the audience for a Web API (This audience needs
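Review bot: The final default `"{Instance}{TenantId}/"` joins the two values with no separator, so it only yields a valid authority when `Instance` ends with `/`; a user who configures `Instance` as `https://login.microsoftonline.com` (the form the patch 1 documentation listed) gets `https://login.microsoftonline.com<tenant>/`, a different host name, rather than an error, and the metadata document is then requested from that host. The replaced `new Uri(new Uri(Instance), TenantId)` tolerated a missing slash. I would normalise the value where the placeholders are substituted in JwtBearerOptionsConfiguration and OpenIdConnectOptionsConfiguration, e.g. `var instance = azureADOptions.Instance.EndsWith("/", StringComparison.Ordinal) ? azureADOptions.Instance : azureADOptions.Instance + "/";`, or at least state the trailing-slash requirement in the `Instance` summary. The AzureADOptions class continues outside the hunk.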