Minor edits after architect review
Kalyan Krishna committed Sep 8, 2022
1 parent 6593bc8 commit db48a2d
Showing 8 changed files with 100 additions and 186 deletions.
28 changes: 18 additions & 10 deletions 4-WebApp-your-API/4-1-MyOrg/AppCreationScripts-withCert/Cleanup.ps1
Expand Up @@ -38,15 +38,17 @@ Function Cleanup
Write-Host "Removing 'service' (TodoListService-aspnetcore-webapi) if needed"
try
{
Get-MgApplication -Filter "DisplayName eq 'TodoListService-aspnetcore-webapi'" | ForEach-Object {Remove-MgApplication -ApplicationId $_.Id }
Get-MgApplication -Filter "DisplayName eq 'TodoListService-aspnetcore-webapi'" | ForEach-Object {Remove-MgApplication -ApplicationId $_.Id }
}
catch
{
Write-Host "Unable to remove the application 'TodoListService-aspnetcore-webapi' . Try deleting manually." -ForegroundColor White -BackgroundColor Red
$message = $_
Write-Warning $Error[0]
Write-Host "Unable to remove the application 'TodoListService-aspnetcore-webapi'. Error is $message. Try deleting manually." -ForegroundColor White -BackgroundColor Red
}

Write-Host "Making sure there are no more (TodoListService-aspnetcore-webapi) applications found, will remove if needed..."
$apps = Get-MgApplication -Filter "DisplayName eq 'TodoListService-aspnetcore-webapi'"
$apps = Get-MgApplication -Filter "DisplayName eq 'TodoListService-aspnetcore-webapi'" | Format-List Id, DisplayName, AppId, SignInAudience, PublisherDomain

if ($apps)
{
Expand All @@ -62,24 +64,28 @@ Function Cleanup
# also remove service principals of this app
try
{
Get-MgServicePrincipal -filter "DisplayName eq 'TodoListService-aspnetcore-webapi'" | ForEach-Object {Remove-MgServicePrincipal -ApplicationId $_.Id -Confirm:$false}
Get-MgServicePrincipal -filter "DisplayName eq 'TodoListService-aspnetcore-webapi'" | ForEach-Object {Remove-MgServicePrincipal -ServicePrincipalId $_.Id -Confirm:$false}
}
catch
{
Write-Host "Unable to remove ServicePrincipal 'TodoListService-aspnetcore-webapi' . Try deleting manually from Enterprise applications." -ForegroundColor White -BackgroundColor Red
$message = $_
Write-Warning $Error[0]
Write-Host "Unable to remove ServicePrincipal 'TodoListService-aspnetcore-webapi'. Error is $message. Try deleting manually from Enterprise applications." -ForegroundColor White -BackgroundColor Red
}
Write-Host "Removing 'client' (TodoListClient-aspnetcore-webapi) if needed"
try
{
Get-MgApplication -Filter "DisplayName eq 'TodoListClient-aspnetcore-webapi'" | ForEach-Object {Remove-MgApplication -ApplicationId $_.Id }
Get-MgApplication -Filter "DisplayName eq 'TodoListClient-aspnetcore-webapi'" | ForEach-Object {Remove-MgApplication -ApplicationId $_.Id }
}
catch
{
Write-Host "Unable to remove the application 'TodoListClient-aspnetcore-webapi' . Try deleting manually." -ForegroundColor White -BackgroundColor Red
$message = $_
Write-Warning $Error[0]
Write-Host "Unable to remove the application 'TodoListClient-aspnetcore-webapi'. Error is $message. Try deleting manually." -ForegroundColor White -BackgroundColor Red
}

Write-Host "Making sure there are no more (TodoListClient-aspnetcore-webapi) applications found, will remove if needed..."
$apps = Get-MgApplication -Filter "DisplayName eq 'TodoListClient-aspnetcore-webapi'"
$apps = Get-MgApplication -Filter "DisplayName eq 'TodoListClient-aspnetcore-webapi'" | Format-List Id, DisplayName, AppId, SignInAudience, PublisherDomain

if ($apps)
{
Expand All @@ -95,11 +101,13 @@ Function Cleanup
# also remove service principals of this app
try
{
Get-MgServicePrincipal -filter "DisplayName eq 'TodoListClient-aspnetcore-webapi'" | ForEach-Object {Remove-MgServicePrincipal -ApplicationId $_.Id -Confirm:$false}
Get-MgServicePrincipal -filter "DisplayName eq 'TodoListClient-aspnetcore-webapi'" | ForEach-Object {Remove-MgServicePrincipal -ServicePrincipalId $_.Id -Confirm:$false}
}
catch
{
Write-Host "Unable to remove ServicePrincipal 'TodoListClient-aspnetcore-webapi' . Try deleting manually from Enterprise applications." -ForegroundColor White -BackgroundColor Red
$message = $_
Write-Warning $Error[0]
Write-Host "Unable to remove ServicePrincipal 'TodoListClient-aspnetcore-webapi'. Error is $message. Try deleting manually from Enterprise applications." -ForegroundColor White -BackgroundColor Red
}
# remove self-signed certificate
Write-Host "Removing CN=TodoListClient-aspnetcore-webapi certificate from Cert:/CurrentUser/My"
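Review bot: Piping the lookup into Format-List before assigning `$apps` (the new line after "Making sure there are no more (TodoListService-aspnetcore-webapi) applications found", and again in the client block) replaces the application objects with format records, so `if ($apps)` stays truthy but any later `ForEach-Object { Remove-MgApplication -ApplicationId $_.Id }` over `$apps` would find no `Id` on those records; that follow-up code sits in the collapsed lines, so please confirm. Keep the query and the display separate: `$apps = Get-MgApplication -Filter "DisplayName eq 'TodoListService-aspnetcore-webapi'"` followed by `$apps | Format-List Id, DisplayName, AppId, SignInAudience, PublisherDomain`. The same change appears twice in this file and twice in AppCreationScripts/Cleanup.ps1 further down. The Cleanup function starts before the first hunk and ends after the last.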
Expand Up @@ -358,27 +358,37 @@ Function ConfigureApplications

# Add Required Resources Access (from 'client' to 'service')
Write-Host "Getting access from 'client' to 'service'"
$requiredPermissions = GetRequiredPermissions -applicationDisplayName "TodoListService-aspnetcore-webapi" `
$requiredPermission = GetRequiredPermissions -applicationDisplayName "TodoListService-aspnetcore-webapi" `
-requiredDelegatedPermissions "ToDoList.Read|ToDoList.ReadWrite" `


$requiredResourcesAccess.Add($requiredPermissions)
$requiredResourcesAccess.Add($requiredPermission)
Update-MgApplication -ApplicationId $clientAadApplication.Id -RequiredResourceAccess $requiredResourcesAccess
Write-Host "Granted permissions."

Write-Host "Successfully registered and configured that app registration for 'TodoListClient-aspnetcore-webapi' at" -ForegroundColor Green

# print the registered app portal URL for any further navigation
$clientPortalUrl

# Update config file for 'service'
$configFile = $pwd.Path + "\..\TodoListService\appsettings.json"
# $configFile = $pwd.Path + "\..\TodoListService\appsettings.json"
$configFile = $(Resolve-Path ($pwd.Path + "\..\TodoListService\appsettings.json"))

$dictionary = @{ "Domain" = $tenantName;"TenantId" = $tenantId;"ClientId" = $serviceAadApplication.AppId };

Write-Host "Updating the sample code ($configFile)"
Write-Host "Updating the sample config '$configFile' with the following config values"
$dictionary

UpdateTextFile -configFilePath $configFile -dictionary $dictionary

# Update config file for 'client'
$configFile = $pwd.Path + "\..\Client\appsettings.json"
# $configFile = $pwd.Path + "\..\Client\appsettings.json"
$configFile = $(Resolve-Path ($pwd.Path + "\..\Client\appsettings.json"))

$dictionary = @{ "Domain" = $tenantName;"TenantId" = $tenantId;"ClientId" = $clientAadApplication.AppId;"KeyVaultCertificateName" = $certificateName;"TodoListScopes" = "api://$($serviceAadApplication.AppId)/ToDoList.Read api://$($serviceAadApplication.AppId)/ToDoList.ReadWrite";"TodoListBaseAddress" = $serviceAadApplication.Web.HomePageUrl };

Write-Host "Updating the sample code ($configFile)"
Write-Host "Updating the sample config '$configFile' with the following config values"
$dictionary

UpdateTextFile -configFilePath $configFile -dictionary $dictionary
Write-Host -ForegroundColor Green "------------------------------------------------------------------------------------------------"
Expand Down Expand Up @@ -410,7 +420,16 @@ Add-Content -Value "<thead><tr><th>Application</th><th>AppId</th><th>Url in the
$ErrorActionPreference = "Stop"

# Run interactively (will ask you for the tenant ID)
ConfigureApplications -tenantId $tenantId -environment $azureEnvironmentName

try
{
ConfigureApplications -tenantId $tenantId -environment $azureEnvironmentName
}
catch
{
$message = $_
Write-Warning $Error[0]
Write-Host "Unable to register apps. Error is $message." -ForegroundColor White -BackgroundColor Red
}
Write-Host "Disconnecting from tenant"
Disconnect-MgGraph
Expand Up @@ -9,7 +9,8 @@
"Endpoint": "AAD v2.0",
"Description": "This sample demonstrates an ASP.NET Core client Web App calling an ASP.NET Core Web API that is secured using Azure AD.",
"Languages": [ "csharp" ],
"Products": [ "aspnet-core", "azure-active-directory" ]
"Products": [ "aspnet-core", "azure-active-directory" ],
"Platform": "AspNetCore"
},

/*
Expand Down Expand Up @@ -127,7 +128,7 @@
"OptionalClaims": {
"IdTokenClaims": [ "acct" ]
},
"Certificate":"the name will be assigned automatically by PowerShell script and it will be equal to the Application name",
"Certificate": "the name will be assigned automatically by PowerShell script and it will be equal to the Application name",
"ManualSteps": [],
"Sample": {
"SampleSubPath": "4-WebApp-Your-API\\4-1-MyOrg",
28 changes: 18 additions & 10 deletions 4-WebApp-your-API/4-1-MyOrg/AppCreationScripts/Cleanup.ps1
Expand Up @@ -38,15 +38,17 @@ Function Cleanup
Write-Host "Removing 'service' (TodoListService-aspnetcore-webapi) if needed"
try
{
Get-MgApplication -Filter "DisplayName eq 'TodoListService-aspnetcore-webapi'" | ForEach-Object {Remove-MgApplication -ApplicationId $_.Id }
Get-MgApplication -Filter "DisplayName eq 'TodoListService-aspnetcore-webapi'" | ForEach-Object {Remove-MgApplication -ApplicationId $_.Id }
}
catch
{
Write-Host "Unable to remove the application 'TodoListService-aspnetcore-webapi' . Try deleting manually." -ForegroundColor White -BackgroundColor Red
$message = $_
Write-Warning $Error[0]
Write-Host "Unable to remove the application 'TodoListService-aspnetcore-webapi'. Error is $message. Try deleting manually." -ForegroundColor White -BackgroundColor Red
}

Write-Host "Making sure there are no more (TodoListService-aspnetcore-webapi) applications found, will remove if needed..."
$apps = Get-MgApplication -Filter "DisplayName eq 'TodoListService-aspnetcore-webapi'"
$apps = Get-MgApplication -Filter "DisplayName eq 'TodoListService-aspnetcore-webapi'" | Format-List Id, DisplayName, AppId, SignInAudience, PublisherDomain

if ($apps)
{
Expand All @@ -62,24 +64,28 @@ Function Cleanup
# also remove service principals of this app
try
{
Get-MgServicePrincipal -filter "DisplayName eq 'TodoListService-aspnetcore-webapi'" | ForEach-Object {Remove-MgServicePrincipal -ApplicationId $_.Id -Confirm:$false}
Get-MgServicePrincipal -filter "DisplayName eq 'TodoListService-aspnetcore-webapi'" | ForEach-Object {Remove-MgServicePrincipal -ServicePrincipalId $_.Id -Confirm:$false}
}
catch
{
Write-Host "Unable to remove ServicePrincipal 'TodoListService-aspnetcore-webapi' . Try deleting manually from Enterprise applications." -ForegroundColor White -BackgroundColor Red
$message = $_
Write-Warning $Error[0]
Write-Host "Unable to remove ServicePrincipal 'TodoListService-aspnetcore-webapi'. Error is $message. Try deleting manually from Enterprise applications." -ForegroundColor White -BackgroundColor Red
}
Write-Host "Removing 'client' (TodoListClient-aspnetcore-webapi) if needed"
try
{
Get-MgApplication -Filter "DisplayName eq 'TodoListClient-aspnetcore-webapi'" | ForEach-Object {Remove-MgApplication -ApplicationId $_.Id }
Get-MgApplication -Filter "DisplayName eq 'TodoListClient-aspnetcore-webapi'" | ForEach-Object {Remove-MgApplication -ApplicationId $_.Id }
}
catch
{
Write-Host "Unable to remove the application 'TodoListClient-aspnetcore-webapi' . Try deleting manually." -ForegroundColor White -BackgroundColor Red
$message = $_
Write-Warning $Error[0]
Write-Host "Unable to remove the application 'TodoListClient-aspnetcore-webapi'. Error is $message. Try deleting manually." -ForegroundColor White -BackgroundColor Red
}

Write-Host "Making sure there are no more (TodoListClient-aspnetcore-webapi) applications found, will remove if needed..."
$apps = Get-MgApplication -Filter "DisplayName eq 'TodoListClient-aspnetcore-webapi'"
$apps = Get-MgApplication -Filter "DisplayName eq 'TodoListClient-aspnetcore-webapi'" | Format-List Id, DisplayName, AppId, SignInAudience, PublisherDomain

if ($apps)
{
Expand All @@ -95,11 +101,13 @@ Function Cleanup
# also remove service principals of this app
try
{
Get-MgServicePrincipal -filter "DisplayName eq 'TodoListClient-aspnetcore-webapi'" | ForEach-Object {Remove-MgServicePrincipal -ApplicationId $_.Id -Confirm:$false}
Get-MgServicePrincipal -filter "DisplayName eq 'TodoListClient-aspnetcore-webapi'" | ForEach-Object {Remove-MgServicePrincipal -ServicePrincipalId $_.Id -Confirm:$false}
}
catch
{
Write-Host "Unable to remove ServicePrincipal 'TodoListClient-aspnetcore-webapi' . Try deleting manually from Enterprise applications." -ForegroundColor White -BackgroundColor Red
$message = $_
Write-Warning $Error[0]
Write-Host "Unable to remove ServicePrincipal 'TodoListClient-aspnetcore-webapi'. Error is $message. Try deleting manually from Enterprise applications." -ForegroundColor White -BackgroundColor Red
}
}

35 changes: 27 additions & 8 deletions 4-WebApp-your-API/4-1-MyOrg/AppCreationScripts/Configure.ps1
Expand Up @@ -348,27 +348,37 @@ Function ConfigureApplications

# Add Required Resources Access (from 'client' to 'service')
Write-Host "Getting access from 'client' to 'service'"
$requiredPermissions = GetRequiredPermissions -applicationDisplayName "TodoListService-aspnetcore-webapi" `
$requiredPermission = GetRequiredPermissions -applicationDisplayName "TodoListService-aspnetcore-webapi" `
-requiredDelegatedPermissions "ToDoList.Read|ToDoList.ReadWrite" `


$requiredResourcesAccess.Add($requiredPermissions)
$requiredResourcesAccess.Add($requiredPermission)
Update-MgApplication -ApplicationId $clientAadApplication.Id -RequiredResourceAccess $requiredResourcesAccess
Write-Host "Granted permissions."

Write-Host "Successfully registered and configured that app registration for 'TodoListClient-aspnetcore-webapi' at" -ForegroundColor Green

# print the registered app portal URL for any further navigation
$clientPortalUrl

# Update config file for 'service'
$configFile = $pwd.Path + "\..\TodoListService\appsettings.json"
# $configFile = $pwd.Path + "\..\TodoListService\appsettings.json"
$configFile = $(Resolve-Path ($pwd.Path + "\..\TodoListService\appsettings.json"))

$dictionary = @{ "Domain" = $tenantName;"TenantId" = $tenantId;"ClientId" = $serviceAadApplication.AppId };

Write-Host "Updating the sample code ($configFile)"
Write-Host "Updating the sample config '$configFile' with the following config values"
$dictionary

UpdateTextFile -configFilePath $configFile -dictionary $dictionary

# Update config file for 'client'
$configFile = $pwd.Path + "\..\Client\appsettings.json"
# $configFile = $pwd.Path + "\..\Client\appsettings.json"
$configFile = $(Resolve-Path ($pwd.Path + "\..\Client\appsettings.json"))

$dictionary = @{ "Domain" = $tenantName;"TenantId" = $tenantId;"ClientId" = $clientAadApplication.AppId;"ClientSecret" = $pwdCredential.SecretText;"TodoListScopes" = "api://$($serviceAadApplication.AppId)/ToDoList.Read api://$($serviceAadApplication.AppId)/ToDoList.ReadWrite";"TodoListBaseAddress" = $serviceAadApplication.Web.HomePageUrl };

Write-Host "Updating the sample code ($configFile)"
Write-Host "Updating the sample config '$configFile' with the following config values"
$dictionary

UpdateTextFile -configFilePath $configFile -dictionary $dictionary
Write-Host -ForegroundColor Green "------------------------------------------------------------------------------------------------"
Expand Down Expand Up @@ -400,7 +410,16 @@ Add-Content -Value "<thead><tr><th>Application</th><th>AppId</th><th>Url in the
$ErrorActionPreference = "Stop"

# Run interactively (will ask you for the tenant ID)
ConfigureApplications -tenantId $tenantId -environment $azureEnvironmentName

try
{
ConfigureApplications -tenantId $tenantId -environment $azureEnvironmentName
}
catch
{
$message = $_
Write-Warning $Error[0]
Write-Host "Unable to register apps. Error is $message." -ForegroundColor White -BackgroundColor Red
}
Write-Host "Disconnecting from tenant"
Disconnect-MgGraph
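Review bot: Emitting `$dictionary` to the host right after "Updating the sample config '$configFile' with the following config values" prints the client secret, because the client dictionary carries `"ClientSecret" = $pwdCredential.SecretText`, so the secret lands on the console and in any transcript or CI log. Print a redacted copy instead: `$shown = $dictionary.Clone()`, `$shown["ClientSecret"] = "<redacted>"`, `$shown`. Separately, the new try/catch around `ConfigureApplications` logs the failure and then falls through to "Disconnecting from tenant", so the script still ends with a success status after a failed registration; consider `exit 1` after the Write-Host in the catch, or rethrowing. The same catch pattern appears in the earlier Configure.ps1 section of this commit (its dictionary holds a certificate name rather than a secret, so only the exit-status point applies there). ConfigureApplications starts before the first hunk.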
3 changes: 2 additions & 1 deletion 4-WebApp-your-API/4-1-MyOrg/AppCreationScripts/sample.json
Expand Up @@ -10,7 +10,8 @@
"Description": "This sample demonstrates an ASP.NET Core Web App signing-in a user and calling an ASP.NET Core Web API that is secured with Azure AD.",
"Languages": [ "csharp" ],
"Products": [ "aspnet-core", "azure-active-directory" ],
"Library":["Microsoft.Identity.Web"]
"Library": [ "Microsoft.Identity.Web" ],
"Platform": "AspNetCore"
},

/*
8 changes: 5 additions & 3 deletions 4-WebApp-your-API/4-1-MyOrg/README.md
Expand Up @@ -300,9 +300,11 @@ To provide a recommendation, visit the following [User Voice page](https://feedb
* `AddMicrosoftIdentityWebApiAuthentication()` protects the Web API by [validating Access tokens](https://docs.microsoft.com/azure/active-directory/develop/access-tokens#validating-tokens) sent tho this API. Check out [Protected web API: Code configuration](https://docs.microsoft.com/azure/active-directory/develop/scenario-protected-web-api-app-configuration) which explains the inner workings of this method in more detail.
* There is a bit of code (commented) provided under this method that can be used to used do **extended token validation** and do checks based on additional claims, such as:
* check if the client app's appid (azp) is in some sort of an allowed list via the 'azp' claim, in case you wanted to restrict the API to a list of client apps.
* check if the caller's account is homed or guest via the 'acct' optional claim
* check if the caller belongs to right roles or groups via the 'roles' or 'groups' claim, respectively
* check if the client app's `appid (azp)` is in some sort of an allowed list via the 'azp' claim, in case you wanted to restrict the API to a list of client apps.
* check if the caller's account is homed or guest via the `acct` optional claim
* check if the caller belongs to right roles or groups via the `roles` or `groups` claim, respectively

See [How to manually validate a JWT access token using the Microsoft identity platform](https://aka.ms/extendtokenvalidation) for more details on to further verify the caller using this method.
1. Then in the controllers `TodoListController.cs`, the `[Authorize]` added on top of the class to protect this route.
* Further in the controller, the [RequiredScopeOrAppPermission](https://github.com/AzureAD/microsoft-identity-web/wiki/web-apis#checking-for-scopes-or-app-permissions=) is used to list the ([Delegated permissions](https://docs.microsoft.com/azure/active-directory/develop/v2-permissions-and-consent)), that the user should consent for, before the method can be called.