Refactored WwwAuthenticateParameters

src/client/Microsoft.Identity.Client/WwwAuthenticateParameters.cs

@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
 using System;
@@ -7,6 +7,7 @@
 using System.Net.Http;
 using System.Net.Http.Headers;
 using System.Text;
+using System.Threading;
 using System.Threading.Tasks;
 
 namespace Microsoft.Identity.Client
@@ -32,7 +33,7 @@ public IEnumerable<string> Scopes
         {
             get
             {
-                if (_scopes != null)
+                if (_scopes is object)
                 {
                     return _scopes;
                 }
@@ -134,13 +135,14 @@ public static WwwAuthenticateParameters CreateFromWwwAuthenticateHeaderValue(str
         /// Create the authenticate parameters by attempting to call the resource unauthenticated, and analyzing the response.
         /// </summary>
         /// <param name="resourceUri">URI of the resource.</param>
+        /// <param name="cancellationToken">The cancellation token to cancel operation.</param>
         /// <returns>WWW-Authenticate Parameters extracted from response to the un-authenticated call.</returns>
-        public static async Task<WwwAuthenticateParameters> CreateFromResourceResponseAsync(string resourceUri)
+        public static async Task<WwwAuthenticateParameters> CreateFromResourceResponseAsync(string resourceUri, CancellationToken cancellationToken = default)
         {
             // call this endpoint and see what the header says and return that
             HttpClient httpClient = new HttpClient();
             HttpRequestMessage httpRequestMessage = new HttpRequestMessage(HttpMethod.Get, resourceUri);
-            HttpResponseMessage httpResponseMessage = await httpClient.SendAsync(httpRequestMessage).ConfigureAwait(false);
+            HttpResponseMessage httpResponseMessage = await httpClient.SendAsync(httpRequestMessage, cancellationToken).ConfigureAwait(false);
             var wwwAuthParam = CreateFromResponseHeaders(httpResponseMessage.Headers);
             return wwwAuthParam;
         }
@@ -160,20 +162,11 @@ public static async Task<WwwAuthenticateParameters> CreateFromResourceResponseAs
                 httpResponseHeaders,
                 scheme);
 
-            try
+            // read the header and checks if it contains an error with insufficient_claims value.
+            if (string.Equals(parameters.Error, "insufficient_claims", StringComparison.OrdinalIgnoreCase) &&
+                parameters.Claims is object)
             {
-                // read the header and checks if it contains an error with insufficient_claims value.
-                if (null != parameters.Error && "insufficient_claims" == parameters.Error)
-                {
-                    if (null != parameters.Claims)
-                    {
-                        return parameters.Claims;
-                    }
-                }
-            }
-            catch (Exception ex)
-            {
-                throw ex;
+                return parameters.Claims;
             }
 
             return null;
@@ -183,8 +176,8 @@ internal static WwwAuthenticateParameters CreateWwwAuthenticateParameters(IDicti
         {
             WwwAuthenticateParameters wwwAuthenticateParameters = new WwwAuthenticateParameters();
             wwwAuthenticateParameters.RawParameters = values;
-            string value;
 
+            string value;
             if (values.TryGetValue("authorization_uri", out value))
             {
                 wwwAuthenticateParameters.Authority = value.Replace("/oauth2/authorize", string.Empty);
@@ -325,7 +318,7 @@ private static string GetJsonFragment(string inputString)
                 var decoded = Encoding.UTF8.GetString(decodedBase64Bytes);
                 return decoded;
             }
-            catch (Exception)
+            catch
             {
                 return inputString;
             }

tests/Microsoft.Identity.Test.Integration.netfx/HeadlessTests/WwwAuthenticateParametersIntegrationTests.cs

@@ -37,5 +37,31 @@ public async Task CreateWwwAuthenticateResponseFromGraphUrlAsync()
             Assert.IsNull(authParams.Claims);
             Assert.IsNull(authParams.Error);
         }
+
+        /// <summary>
+        /// Makes unauthorized call to Azure Resource Manager REST API https://docs.microsoft.com/en-us/rest/api/resources/subscriptions/get.
+        /// Expects response 401 Unauthorized. Analyzes the WWW-Authenticate header values.
+        /// </summary>
+        /// <param name="hostName">ARM endpoint, e.g. Production or Dogfood</param>
+        /// <param name="subscriptionId">Well-known subscription ID</param>
+        /// <param name="authority">AAD endpoint, e.g. Production or PPE</param>
+        /// <param name="tenantId">Expected Tenant ID</param>
+        [DataRow("management.azure.com", "c1686c51-b717-4fe0-9af3-24a20a41fb0c", "login.windows.net", "72f988bf-86f1-41af-91ab-2d7cd011db47")]
+        [DataRow("api-dogfood.resources.windows-int.net", "1835ad3d-4585-4c5f-b55a-b0c3cbda1103", "login.windows-ppe.net", "f686d426-8d16-42db-81b7-ab578e110ccd")]
+        [DataTestMethod]
+        public async Task CreateWwwAuthenticateResponseFromAzureResourceManagerUrlAsync(string hostName, string subscriptionId, string authority, string tenantId)
+        {
+            const string apiVersion = "2020-08-01"; // current latest API version for /subscriptions/get
+            var url = $"https://{hostName}/subscriptions/{subscriptionId}?api-version={apiVersion}";
+
+            var authParams = await WwwAuthenticateParameters.CreateFromResourceResponseAsync(url).ConfigureAwait(false);
+
+            Assert.IsNull(authParams.Resource);
+            Assert.AreEqual($"https://{authority}/{tenantId}", authParams.Authority); // authority consists of AAD endpoint and tenant ID
+            Assert.IsNull(authParams.Scopes);
+            Assert.AreEqual(3, authParams.RawParameters.Count);
+            Assert.IsNull(authParams.Claims);
+            Assert.AreEqual("invalid_token", authParams.Error);
+        }
     }
 }

tests/Microsoft.Identity.Test.Unit/WwwAuthenticateParametersTests.cs

@@ -1,33 +1,33 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
+using System.Collections.Generic;
 using System.Linq;
 using System.Net;
 using System.Net.Http;
-using Microsoft.VisualStudio.TestTools.UnitTesting;
 using Microsoft.Identity.Client;
-using System.Collections.Generic;
+using Microsoft.VisualStudio.TestTools.UnitTesting;
 
 namespace Microsoft.Identity.Test.Unit
 {
     [TestClass]
     public class WwwAuthenticateParametersTests
     {
-        const string ClientIdKey = "client_id";
-        const string ResourceIdKey = "resource_id";
-        const string ResourceKey = "resource";
-        const string GraphGuid = "00000003-0000-0000-c000-000000000000";
-        const string AuthorizationUriKey = "authorization_uri";
-        const string AuthorizationKey = "authorization";
-        const string AuthorityKey = "authority";
-        const string AuthorizationValue = "https://login.microsoftonline.com/common/oauth2/authorize";
-        const string Realm = "realm";
-        const string EncodedClaims = "eyJpZF90b2tlbiI6eyJhdXRoX3RpbWUiOnsiZXNzZW50aWFsIjp0cnVlfSwiYWNyIjp7InZhbHVlcyI6WyJ1cm46bWFjZTppbmNvbW1vbjppYXA6c2lsdmVyIl19fX0=";
-        const string DecodedClaims = "{\"id_token\":{\"auth_time\":{\"essential\":true},\"acr\":{\"values\":[\"urn:mace:incommon:iap:silver\"]}}}";
-        const string DecodedClaimsHeader = "{\\\"id_token\\\":{\\\"auth_time\\\":{\\\"essential\\\":true},\\\"acr\\\":{\\\"values\\\":[\\\"urn:mace:incommon:iap:silver\\\"]}}}";
-        const string SomeClaims = "some_claims";
-        const string ClaimsKey = "claims";
-        const string ErrorKey = "error";
+        private const string ClientIdKey = "client_id";
+        private const string ResourceIdKey = "resource_id";
+        private const string ResourceKey = "resource";
+        private const string GraphGuid = "00000003-0000-0000-c000-000000000000";
+        private const string AuthorizationUriKey = "authorization_uri";
+        private const string AuthorizationKey = "authorization";
+        private const string AuthorityKey = "authority";
+        private const string AuthorizationValue = "https://login.microsoftonline.com/common/oauth2/authorize";
+        private const string Realm = "realm";
+        private const string EncodedClaims = "eyJpZF90b2tlbiI6eyJhdXRoX3RpbWUiOnsiZXNzZW50aWFsIjp0cnVlfSwiYWNyIjp7InZhbHVlcyI6WyJ1cm46bWFjZTppbmNvbW1vbjppYXA6c2lsdmVyIl19fX0=";
+        private const string DecodedClaims = "{\"id_token\":{\"auth_time\":{\"essential\":true},\"acr\":{\"values\":[\"urn:mace:incommon:iap:silver\"]}}}";
+        private const string DecodedClaimsHeader = "{\\\"id_token\\\":{\\\"auth_time\\\":{\\\"essential\\\":true},\\\"acr\\\":{\\\"values\\\":[\\\"urn:mace:incommon:iap:silver\\\"]}}}";
+        private const string SomeClaims = "some_claims";
+        private const string ClaimsKey = "claims";
+        private const string ErrorKey = "error";
 
         [TestMethod]
         [DataRow("client_id=00000003-0000-0000-c000-000000000000", "authorization_uri=\"https://login.microsoftonline.com/common/oauth2/authorize\"")]
@@ -39,9 +39,7 @@ public class WwwAuthenticateParametersTests
         public void CreateWwwAuthenticateResponse(string resource, string authorizationUri)
         {
             // Arrange
-            HttpResponseMessage httpResponse = new HttpResponseMessage((HttpStatusCode)401)
-            {
-            };
+            HttpResponseMessage httpResponse = new HttpResponseMessage(HttpStatusCode.Unauthorized);
             httpResponse.Headers.Add("WWW-Authenticate", $"Bearer realm=\"\", {resource}, {authorizationUri}");
 
             // Act
@@ -99,7 +97,7 @@ public void CreateRawParameters_ClaimsAndErrorReturned(string claims)
             var authParams = WwwAuthenticateParameters.CreateFromResponseHeaders(httpResponse.Headers);
 
             // Assert
-            string errorValue = "insufficient_claims";
+            const string errorValue = "insufficient_claims";
             Assert.IsTrue(authParams.RawParameters.TryGetValue(AuthorizationUriKey, out string authorizationUri));
             Assert.AreEqual(AuthorizationValue, authorizationUri);
             Assert.AreEqual(AuthorizationValue, authParams[AuthorizationUriKey]);
@@ -125,20 +123,18 @@ public void CreateRawParameters_ClaimsAndErrorReturned(string claims)
         public void CreateWwwAuthenticateParamsFromWwwAuthenticateHeader(string clientId, string authorizationUri)
         {
             // Arrange
-            HttpResponseMessage httpResponse = new HttpResponseMessage((HttpStatusCode)401)
-            {
-            };
+            HttpResponseMessage httpResponse = new HttpResponseMessage(HttpStatusCode.Unauthorized);
             httpResponse.Headers.Add("WWW-Authenticate", $"Bearer realm=\"\", {clientId}, {authorizationUri}");
 
-            var wwwAuthenticateResponse = httpResponse.Headers.WwwAuthenticate.FirstOrDefault().Parameter;
+            var wwwAuthenticateResponse = httpResponse.Headers.WwwAuthenticate.First().Parameter;
 
             // Act
             var authParams = WwwAuthenticateParameters.CreateFromWwwAuthenticateHeaderValue(wwwAuthenticateResponse);
-            
+
             // Assert
             Assert.AreEqual(GraphGuid, authParams.Resource);
             Assert.AreEqual(TestConstants.AuthorityCommonTenant.TrimEnd('/'), authParams.Authority);
-            Assert.AreEqual($"{GraphGuid}/.default", authParams.Scopes.FirstOrDefault());
+            Assert.AreEqual($"{GraphGuid}/.default", authParams.Scopes.First());
             Assert.AreEqual(3, authParams.RawParameters.Count);
             Assert.IsNull(authParams.Claims);
             Assert.IsNull(authParams.Error);
@@ -183,26 +179,20 @@ public void ExtractClaimChallengeFromHeader_IncorrectError_ReturnNull()
         private static HttpResponseMessage CreateClaimsHttpResponse(string claims)
         {
             HttpResponseMessage httpResponse = new HttpResponseMessage(HttpStatusCode.Unauthorized);
-            {
-            };
             httpResponse.Headers.Add("WWW-Authenticate", $"Bearer realm=\"\", client_id=\"00000003-0000-0000-c000-000000000000\", authorization_uri=\"https://login.microsoftonline.com/common/oauth2/authorize\", error=\"insufficient_claims\", claims=\"{claims}\"");
             return httpResponse;
         }
 
         private static HttpResponseMessage CreateErrorHttpResponse()
         {
-            HttpResponseMessage httpResponse = new HttpResponseMessage(HttpStatusCode.Unauthorized)
-            {
-            };
+            HttpResponseMessage httpResponse = new HttpResponseMessage(HttpStatusCode.Unauthorized);
             httpResponse.Headers.Add("WWW-Authenticate", $"Bearer realm=\"\", client_id=\"00000003-0000-0000-c000-000000000000\", authorization_uri=\"https://login.microsoftonline.com/common/oauth2/authorize\", error=\"some_error\", claims=\"{DecodedClaimsHeader}\"");
             return httpResponse;
         }
 
         private static HttpResponseMessage CreateHttpResponseHeaders(string resourceHeaderKey, string authorizationUriHeaderKey)
         {
-            HttpResponseMessage httpResponse = new HttpResponseMessage(HttpStatusCode.Unauthorized)
-            {
-            };
+            HttpResponseMessage httpResponse = new HttpResponseMessage(HttpStatusCode.Unauthorized);
             httpResponse.Headers.Add("WWW-Authenticate", $"Bearer realm=\"\", {resourceHeaderKey}=\"{GraphGuid}\", {authorizationUriHeaderKey}=\"{AuthorizationValue}\"");
             return httpResponse;
         }