CTI Bug fixes for release7.0-preview5 (#1935)

* Fix config for blazor wasm * Fix config for blazor wasm (#1927) * Add service principal when exposing API scopes (#1931) * Add service principal when exposing API scopes * Remove commented method * Add service principal when exposing API scopes * Remove commented method * expose scopes * Fix scopes * Fix config for blazor wasm
dotnet · Jun 13, 2022 · 0a60d36 · 0a60d36
1 parent bcd0a6b
commit 0a60d36
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 32 deletions.
diff --git a/...tityScaffolding/Microsoft.DotNet.MSIdentity/AuthenticationParameters/AzureAdProperties.cs b/...tityScaffolding/Microsoft.DotNet.MSIdentity/AuthenticationParameters/AzureAdProperties.cs
@@ -35,7 +35,8 @@ public static class DefaultProperties
         public const bool ValidateAuthority = true;
 
         public const string MicrosoftGraphBaseUrl = "https://graph.microsoft.com/v1.0";
-        public const string DefaultScopes = "user.read";
+        public const string MicrosoftGraphScopes = "user.read";
+        public const string ApiScopes = "access_as_user";
     }
 
     public class AzureAdBlock
@@ -77,15 +78,15 @@ public AzureAdBlock UpdateFromJToken(JToken azureAdToken)
         {
             JObject azureAdObj = JObject.FromObject(azureAdToken);
 
-            ClientId ??= azureAdObj.Value<string>(PropertyNames.ClientId); // here, if the applicationparameters value is null, we use the existing app settings value
-            Instance ??= azureAdObj.Value<string>(PropertyNames.Instance);
-            Domain ??= azureAdObj.Value<string>(PropertyNames.Domain);
-            TenantId ??= azureAdObj.Value<string>(PropertyNames.TenantId);
-            Authority ??= azureAdObj.Value<string>(PropertyNames.Authority);
-            CallbackPath ??= azureAdObj.Value<string>(PropertyNames.CallbackPath);
-            Scopes ??= azureAdObj.Value<string>(PropertyNames.Scopes);
-            ClientSecret ??= azureAdObj.Value<string>(PropertyNames.ClientSecret);
-            ClientCertificates ??= azureAdObj.Value<string[]>(PropertyNames.ClientCertificates);
+            ClientId ??= azureAdObj.GetValue(PropertyNames.ClientId)?.ToString(); // here, if the applicationparameters value is null, we use the existing app settings value
+            Instance ??= azureAdObj.GetValue(PropertyNames.Instance)?.ToString();
+            Domain ??= azureAdObj.GetValue(PropertyNames.Domain)?.ToString();
+            TenantId ??= azureAdObj.GetValue(PropertyNames.TenantId)?.ToString();
+            Authority ??= azureAdObj.GetValue(PropertyNames.Authority)?.ToString();
+            CallbackPath ??= azureAdObj.GetValue(PropertyNames.CallbackPath)?.ToString();
+            Scopes ??= azureAdObj.GetValue(PropertyNames.Scopes)?.ToString();
+            ClientSecret ??= azureAdObj.GetValue(PropertyNames.ClientSecret)?.ToString();
+            ClientCertificates ??= azureAdObj.GetValue(PropertyNames.ClientCertificates)?.ToObject<string[]>();
 
             return this;
         }
@@ -113,7 +114,7 @@ public AzureAdBlock UpdateFromJToken(JToken azureAdToken)
             TenantId = TenantId ?? DefaultProperties.TenantId,
             ClientId = ClientId ?? DefaultProperties.ClientId,
             CallbackPath = CallbackPath ?? DefaultProperties.CallbackPath,
-            Scopes = Scopes ?? DefaultProperties.DefaultScopes,
+            Scopes = Scopes ?? DefaultProperties.ApiScopes,
             ClientSecret = ClientSecret ?? DefaultProperties.ClientSecret,
             ClientCertificates = ClientCertificates ?? Array.Empty<string>()
         };

diff --git a/...icrosoft.DotNet.MSIdentity/CodeReaderWriter/CodeModifierConfigs/cm_dotnet_blazorwasm.json b/...icrosoft.DotNet.MSIdentity/CodeReaderWriter/CodeModifierConfigs/cm_dotnet_blazorwasm.json
@@ -281,6 +281,9 @@
     },
     {
       "FileName": "FetchData.razor",
+      "Options": [
+        "DownstreamApi"
+      ],
       "Replacements": [
         {
           "MultiLineBlock": [

diff --git a/...yScaffolding/Microsoft.DotNet.MSIdentity/MicrosoftIdentityPlatform/AppSettingsModifier.cs b/...yScaffolding/Microsoft.DotNet.MSIdentity/MicrosoftIdentityPlatform/AppSettingsModifier.cs
@@ -93,7 +93,7 @@ public void ModifyAppSettings(ApplicationParameters applicationParameters, IEnum
             if (_provisioningToolOptions.CallsGraph)
             {
                 // update MicrosoftGraph Block
-                var microsoftGraphBlock = GetApiBlock(appSettings, MicrosoftGraph, DefaultProperties.DefaultScopes, DefaultProperties.MicrosoftGraphBaseUrl);
+                var microsoftGraphBlock = GetApiBlock(appSettings, MicrosoftGraph, DefaultProperties.MicrosoftGraphScopes, DefaultProperties.MicrosoftGraphBaseUrl);
                 if (microsoftGraphBlock != null)
                 {
                     changesMade = true;
@@ -104,7 +104,7 @@ public void ModifyAppSettings(ApplicationParameters applicationParameters, IEnum
             if (_provisioningToolOptions.CallsDownstreamApi)
             {
                 // update DownstreamAPI Block
-                var updatedDownstreamApiBlock = GetApiBlock(appSettings, DownstreamApi, DefaultProperties.DefaultScopes, DefaultProperties.MicrosoftGraphBaseUrl);
+                var updatedDownstreamApiBlock = GetApiBlock(appSettings, DownstreamApi, DefaultProperties.ApiScopes, DefaultProperties.MicrosoftGraphBaseUrl);
                 if (updatedDownstreamApiBlock != null)
                 {
                     changesMade = true;
@@ -174,7 +174,7 @@ internal bool NeedsUpdate(JObject existingBlock, JObject updatedBlock)
         {
             var inputParameters = JObject.FromObject(new ApiSettingsBlock
             {
-                Scopes = string.IsNullOrEmpty(scopes) ? DefaultProperties.DefaultScopes : scopes,
+                Scopes = string.IsNullOrEmpty(scopes) ? DefaultProperties.MicrosoftGraphScopes : scopes,
                 BaseUrl = string.IsNullOrEmpty(baseUrl) ? DefaultProperties.MicrosoftGraphBaseUrl : baseUrl
             });
 

diff --git a/...otNet.MSIdentity/MicrosoftIdentityPlatform/MicrosoftIdentityPlatformApplicationManager.cs b/...otNet.MSIdentity/MicrosoftIdentityPlatform/MicrosoftIdentityPlatformApplicationManager.cs
@@ -67,21 +67,19 @@ public class MicrosoftIdentityPlatformApplicationManager
                 .Request()
                 .AddAsync(application);
 
-            if (applicationParameters.IsB2C) // TODO B2C not fully supported at the moment
+            // Create service principal, necessary for Web API applications
+            // and useful for Blazorwasm hosted applications. We create it always.
+            ServicePrincipal servicePrincipal = new ServicePrincipal
             {
-                // Creates a service principal (needed for B2C) // TODO: What if it's not B2C?
-                ServicePrincipal servicePrincipal = new ServicePrincipal
-                {
-                    AppId = createdApplication.AppId,
-                };
+                AppId = createdApplication.AppId,
+            };
 
-                // B2C does not allow user consent, and therefore we need to explicity create
-                // a service principal and permission grants. It's also useful for Blazorwasm hosted
-                // applications. We create it always.
-                ServicePrincipal? createdServicePrincipal = await graphServiceClient.ServicePrincipals
-                    .Request()
-                    .AddAsync(servicePrincipal).ConfigureAwait(false);
+            ServicePrincipal? createdServicePrincipal = await graphServiceClient.ServicePrincipals
+                .Request()
+                .AddAsync(servicePrincipal).ConfigureAwait(false);
 
+            if (applicationParameters.IsB2C) // TODO B2C not fully supported at the moment
+            {
                 // B2C does not allow user consent, and therefore we need to explicity grant permissions
                 if (applicationParameters.IsB2C)
                 {
@@ -103,7 +101,7 @@ public class MicrosoftIdentityPlatformApplicationManager
                 && createdApplication.Api != null
                 && (createdApplication.IdentifierUris == null || !createdApplication.IdentifierUris.Any()))
             {
-                await ExposeScopes(graphServiceClient, createdApplication);
+                await ExposeScopesForNewWebApi(graphServiceClient, createdApplication);
 
                 // Re-reading the app to be sure to have everything.
                 createdApplication = (await graphServiceClient.Applications
@@ -402,7 +400,7 @@ internal static bool UpdateImplicitGrantSettings(Application app, ProvisioningTo
             var requiredResourceAccess = new List<RequiredResourceAccess>();
             var resourcesAccessAndScopes = new List<ResourceAndScope>
                 {
-                    new ResourceAndScope($"api://{createdApplication.AppId}", "access_as_user")
+                    new ResourceAndScope($"api://{createdApplication.AppId}", DefaultProperties.ApiScopes)
                     {
                          ResourceServicePrincipalId = createdServicePrincipal.Id
                     }
@@ -430,7 +428,7 @@ internal static bool UpdateImplicitGrantSettings(Application app, ProvisioningTo
                     ConsentType = "AllPrincipals",
                     PrincipalId = null,
                     ResourceId = createdServicePrincipal.Id,
-                    Scope = "access_as_user"
+                    Scope = DefaultProperties.ApiScopes
                 };
 
                 await graphServiceClient.Oauth2PermissionGrants
@@ -504,7 +502,7 @@ internal static async Task<string> ExposeScopes(GraphServiceClient graphServiceC
                 IsEnabled = true,
                 UserConsentDescription = "Allows this app to access the web API on your behalf",
                 UserConsentDisplayName = "Access the API on your behalf",
-                Value = "access_as_user",
+                Value = DefaultProperties.ApiScopes,
             };
 
             scopes.Add(newScope);
@@ -522,7 +520,7 @@ internal static async Task<string> ExposeScopes(GraphServiceClient graphServiceC
         /// <param name="graphServiceClient"></param>
         /// <param name="createdApplication"></param>
         /// <returns></returns>
-        internal static async Task ExposeScopes(GraphServiceClient graphServiceClient, Application createdApplication)
+        internal static async Task ExposeScopesForNewWebApi(GraphServiceClient graphServiceClient, Application createdApplication)
         {
             var scopes = createdApplication.Api.Oauth2PermissionScopes?.ToList() ?? new List<PermissionScope>();
             await ExposeScopes(graphServiceClient, createdApplication.AppId, createdApplication.Id, scopes);

diff --git a/src/MSIdentityScaffolding/Microsoft.DotNet.MSIdentity/Tool/AppProvisioningTool.cs b/src/MSIdentityScaffolding/Microsoft.DotNet.MSIdentity/Tool/AppProvisioningTool.cs
@@ -330,7 +330,7 @@ private async Task<ApplicationParameters> ConfigureBlazorWasmHostedClientAsync(A
             clientToolOptions.ProjectType = "blazorwasm-client";
             clientToolOptions.AppDisplayName = string.Concat(clientToolOptions.AppDisplayName ?? serverApplicationParameters.ApplicationDisplayName, "-Client");
             clientToolOptions.HostedAppIdUri = serverApplicationParameters.AppIdUri;
-            clientToolOptions.HostedApiScopes = $"{serverApplicationParameters.AppIdUri}/access_as_user";
+            clientToolOptions.HostedApiScopes = $"{serverApplicationParameters.AppIdUri}/{DefaultProperties.ApiScopes}";
 
             // Provision client app registration
             var provisionClientAppRegistration = new AppProvisioningTool(Commands.CREATE_APP_REGISTRATION_COMMAND, clientToolOptions, silent: true);