
Task 1924572 Sample 4-1 basher update

Open aremo-ms opened this issue 3 years ago • 15 comments

Added App Permissions and enhanced new attribute that combines Roles and Scopes altogether. ToDoList Service API was refactored for best practices. README file was updated as well.

aremo-ms, Jun 14 '22 00:06

  1. The client ASP.NET Core Web App uses the Microsoft.Identity.Web to sign-in and obtain a JWT Access Tokens from Azure AD.

to sign-in a user


In reply to: 1156836710



Refers to: 4-WebApp-your-API/4-1-MyOrg/README.md:37 in 55e3a1c (commit_id = 55e3a1ce49a84a9debe9ae941e21ce1bfc6e2e29)

kalyankrishna1, Jun 15 '22 19:06

  1. All APIs have to publish a minimum of two scopes, also called Delegated Permissions, for the client's to obtain an access token successfully. To publish a scope, follow these steps:

minimum is one, so change to one here, but the steps below will remain the same


In reply to: 1156839720


Refers to: 4-WebApp-your-API/4-1-MyOrg/README.md:137 in 55e3a1c (commit_id = 55e3a1ce49a84a9debe9ae941e21ce1bfc6e2e29)

kalyankrishna1, Jun 15 '22 19:06

  1. In the TodoListService project, first the package Microsoft.Identity.Webis added from NuGet.

find the package Microsoft.Identity.Web and add it from NuGet.


In reply to: 1156847059


Refers to: 4-WebApp-your-API/4-1-MyOrg/README.md:281 in 55e3a1c (commit_id = 55e3a1ce49a84a9debe9ae941e21ce1bfc6e2e29)

kalyankrishna1, Jun 15 '22 19:06

* at the top of the file, the following two using directives were added:

one :)


In reply to: 1156847267


Refers to: 4-WebApp-your-API/4-1-MyOrg/README.md:285 in 55e3a1c (commit_id = 55e3a1ce49a84a9debe9ae941e21ce1bfc6e2e29)

kalyankrishna1, Jun 15 '22 19:06

* `AddMicrosoftIdentityWebApiAuthentication()` protects the Web API by validating Access tokens sent tho this API. Check out [Protected web API: Code configuration](https://docs.microsoft.com/azure/active-directory/develop/scenario-protected-web-api-app-configuration) which explains the inner workings of this method in more detail.

link to "https://docs.microsoft.com/azure/active-directory/develop/access-tokens#validating-tokens"


In reply to: 1156847970


Refers to: 4-WebApp-your-API/4-1-MyOrg/README.md:297 in 55e3a1c (commit_id = 55e3a1ce49a84a9debe9ae941e21ce1bfc6e2e29)

kalyankrishna1, Jun 15 '22 19:06

  [RequiredScope(new string[] { "ToDoList.Read", "ToDoList.Write" })
  1. list both delegated and app permissions
  2. Explain here that "while this sample only uses delegated permissions, the attribute [attribute name] protects this API method for both delegated and app permissions"

In reply to: 1156850339


Refers to: 4-WebApp-your-API/4-1-MyOrg/README.md:305 in 55e3a1c (commit_id = 55e3a1ce49a84a9debe9ae941e21ce1bfc6e2e29)

kalyankrishna1, Jun 15 '22 19:06

  string owner = User.Identity.Name;

add check here that if there are only delegated permissions, this check is used, and so on...


In reply to: 1156850993


Refers to: 4-WebApp-your-API/4-1-MyOrg/README.md:309 in 55e3a1c (commit_id = 55e3a1ce49a84a9debe9ae941e21ce1bfc6e2e29)

kalyankrishna1, Jun 15 '22 19:06

* Then in the controllers `TodoListController.cs`, the `[Authorize]` added on top of the class to protect this route.

Change the ToDoListController such that it works w/o any change for both delegated and app-only scenarios. We DO NOT provide separate advice for the app-only scenario.


In reply to: 1156851866


Refers to: 4-WebApp-your-API/4-1-MyOrg/README.md:299 in 55e3a1c (commit_id = 55e3a1ce49a84a9debe9ae941e21ce1bfc6e2e29)

kalyankrishna1, Jun 15 '22 19:06
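The three review comments above (list both delegated and app permissions on the attribute, decide how `owner` is derived when there is no signed-in user, and make the controller work unchanged for delegated and app-only callers) all land in the same controller. What follows is an added example of one way to write it; it is not the sample's `TodoListController.cs` and not code from Microsoft.Identity.Web's documentation. It assumes a Microsoft.Identity.Web version that ships the `RequiredScopeOrAppPermission` attribute, an `AzureAd` section in appsettings.json, and that the `idtyp` optional claim has been enabled on the API's app registration (the code falls back to the token's claim shape when it is absent). The `Todo` type, the in-memory `Store`, `IsAppOnlyToken` and the permission names are illustrative. It keys items on the user's object id instead of `User.Identity.Name`, because `Name` is built from display-style claims that can change, while `oid` is the stable identifier.

```csharp
// Program.cs of a minimal .NET 6 web API (top-level statements), with the controller
// in the same file so the example is a single compilable unit. Added example, not the sample's code.
using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.Resource;

var builder = WebApplication.CreateBuilder(args);

// Registers JWT bearer authentication from the "AzureAd" section of appsettings.json
// (Instance, TenantId, ClientId). Incoming access tokens are validated for signature,
// issuer, audience and lifetime before any controller code runs.
builder.Services.AddMicrosoftIdentityWebApiAuthentication(builder.Configuration, "AzureAd");
builder.Services.AddControllers();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

public class Todo
{
    public int Id { get; set; }
    public string Title { get; set; } = "";
    // Object id (oid) of the user the item belongs to. Supplied by the daemon on app-only calls.
    public string? Owner { get; set; }
}

[Authorize]                        // a valid token from the tenant gets you to the class...
[ApiController]
[Route("api/[controller]")]
public class TodoListController : ControllerBase
{
    // Constructed in-memory store standing in for the sample's database (assumption).
    private static readonly List<Todo> Store = new();

    // ...but each action also demands a permission. RequiredScopeOrAppPermission passes if
    // the token's 'scp' claim holds one of AcceptedScope (delegated call) OR its 'roles'
    // claim holds one of AcceptedAppPermission (app-only call); otherwise the caller gets 403.
    [HttpGet]
    [RequiredScopeOrAppPermission(
        AcceptedScope = new[] { "ToDoList.Read", "ToDoList.ReadWrite" },
        AcceptedAppPermission = new[] { "ToDoList.Read.All", "ToDoList.ReadWrite.All" })]
    public IEnumerable<Todo> Get()
    {
        // An app-only caller has no signed-in user, so it sees the whole list.
        // A delegated caller sees only the items keyed on its own object id.
        if (IsAppOnlyToken()) return Store;
        string? owner = User.GetObjectId();
        return Store.Where(t => t.Owner == owner).ToList();
    }

    [HttpPost]
    [RequiredScopeOrAppPermission(
        AcceptedScope = new[] { "ToDoList.ReadWrite" },
        AcceptedAppPermission = new[] { "ToDoList.ReadWrite.All" })]
    public IActionResult Post([FromBody] Todo todo)
    {
        if (IsAppOnlyToken())
        {
            // No user in the token to bind to: the daemon must state whose item this is.
            if (string.IsNullOrEmpty(todo.Owner))
                return BadRequest("Owner is required when calling with an app-only token.");
        }
        else
        {
            // Delegated call: ignore any client-supplied owner and bind the item to the token.
            todo.Owner = User.GetObjectId();
        }
        todo.Id = Store.Count + 1;
        Store.Add(todo);
        return Ok(todo);
    }

    // Tells an app-only token from a delegated one. The 'idtyp' optional claim ("app" or
    // "user") is authoritative but only present when enabled on the API's app registration.
    // Without it, fall back to the token's shape: an app-only token carries 'roles' and no
    // 'scp', while a delegated token for this API always carries 'scp'.
    private bool IsAppOnlyToken()
    {
        var idtyp = User.FindFirst("idtyp");
        if (idtyp != null) return idtyp.Value == "app";
        return User.HasClaim(c => c.Type == "roles") && !User.HasClaim(c => c.Type == "scp");
    }
}
```

The ownership rule is the part worth copying: on a delegated call the server overwrites any `Owner` the client sent with the value from the validated token, so a user cannot create or read items under someone else's id by editing the request body; on an app-only call there is no user to bind to, so the daemon must name the owner explicitly and the API role it was granted is the only thing gating that.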

$clientAadApplication = New-MgApplication -DisplayName "TodoListClient-aspnetcore-webapi" `

check with Salman on also generating AcceptedAccessTokenVersion = 2


In reply to: 1156859405


Refers to: 4-WebApp-your-API/4-1-MyOrg/AppCreationScripts/Configure.ps1:267 in 55e3a1c (commit_id = 55e3a1ce49a84a9debe9ae941e21ce1bfc6e2e29)

kalyankrishna1, Jun 15 '22 19:06

@aremo-ms should we allow the owner field to be editable here?

[Screenshot 2022-06-15 124609]


In reply to: 1156859829


derisen, Jun 15 '22 19:06

[CmdletBinding()]

see requested changes in the other configure.ps1


In reply to: 1156860523


Refers to: 4-WebApp-your-API/4-1-MyOrg/AppCreationScripts-withCert/Configure.ps1:2 in 55e3a1c (commit_id = 55e3a1ce49a84a9debe9ae941e21ce1bfc6e2e29)

kalyankrishna1, Jun 15 '22 19:06

    private async Task PrepareAuthenticatedClient()

comment please


In reply to: 1156862340


Refers to: 4-WebApp-your-API/4-1-MyOrg/Client/Services/TodoListService.cs:127 in 55e3a1c (commit_id = 55e3a1ce49a84a9debe9ae941e21ce1bfc6e2e29)

kalyankrishna1, Jun 15 '22 19:06

Is there a way to handle insufficient permissions cases more gracefully? (e.g. trying to create a task without Todolist.ReadWrite permission)

[Screenshot 2022-06-15 130103]


In reply to: 1156879960


derisen, Jun 15 '22 20:06

this is an HTTP response, not sure we want to be more descriptive here


In reply to: 1156879960

kalyankrishna1, Jul 14 '22 09:07

well it'd be nice, but not required


In reply to: 1156859829

kalyankrishna1, Jul 14 '22 11:07
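Two of the client-side points in this thread (the request for a comment on `PrepareAuthenticatedClient`, and whether a 403 from the API can be handled more gracefully than the raw HTTP error in the screenshot) are illustrated by the following added example. It is not the sample's `Client/Services/TodoListService.cs`. It assumes Microsoft.Identity.Web's `ITokenAcquisition` is registered in the web app (which `AddMicrosoftIdentityWebApp(...).EnableTokenAcquisitionToCallDownstreamApi(...)` does), that the API base address and the two scope strings come from hypothetical configuration keys under a `TodoList` section, and it introduces `TodoListForbiddenException` and the `Todo` type for illustration.

```csharp
// Client-side service in the ASP.NET Core web app. Added example, not the sample's code.
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Threading.Tasks;
using Microsoft.Extensions.Configuration;
using Microsoft.Identity.Web;

// Mirrors the API's item type (assumption).
public class Todo
{
    public int Id { get; set; }
    public string Title { get; set; } = "";
    public string? Owner { get; set; }
}

// Hypothetical exception: the token was valid but lacked the scope the API demands.
// Message is safe to show to the user; Detail (the API's body) is for logs only.
public class TodoListForbiddenException : Exception
{
    public string Detail { get; }
    public TodoListForbiddenException(string message, string detail) : base(message) => Detail = detail;
}

public class TodoListService
{
    private readonly HttpClient _http;
    private readonly ITokenAcquisition _tokenAcquisition;
    private readonly string _baseAddress;
    private readonly string[] _readScopes;
    private readonly string[] _writeScopes;

    // Hypothetical keys: TodoList:TodoListBaseAddress, TodoList:ReadScope, TodoList:WriteScope,
    // where a scope looks like "api://<api-client-id>/ToDoList.Read".
    public TodoListService(HttpClient http, ITokenAcquisition tokenAcquisition, IConfiguration config)
    {
        _http = http;
        _tokenAcquisition = tokenAcquisition;
        _baseAddress = config["TodoList:TodoListBaseAddress"] ?? throw new InvalidOperationException("TodoList:TodoListBaseAddress is not configured");
        _readScopes = new[] { config["TodoList:ReadScope"] ?? throw new InvalidOperationException("TodoList:ReadScope is not configured") };
        _writeScopes = new[] { config["TodoList:WriteScope"] ?? throw new InvalidOperationException("TodoList:WriteScope is not configured") };
    }

    // Acquires an access token for the signed-in user scoped to exactly what the next call
    // needs (a read never carries the write scope) and attaches it as a bearer token.
    // The token comes from Microsoft.Identity.Web's cache when one is valid; otherwise it is
    // fetched with the refresh token. If the user has not consented to the scope yet, this
    // throws MicrosoftIdentityWebChallengeUserException, which the calling MVC action's
    // [AuthorizeForScopes] attribute turns into an incremental-consent redirect.
    private async Task PrepareAuthenticatedClient(string[] scopes)
    {
        string accessToken = await _tokenAcquisition.GetAccessTokenForUserAsync(scopes);
        _http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        _http.DefaultRequestHeaders.Accept.Clear();
        _http.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
    }

    public async Task<List<Todo>> GetAsync()
    {
        await PrepareAuthenticatedClient(_readScopes);
        HttpResponseMessage response = await _http.GetAsync($"{_baseAddress}/api/todolist");
        await ThrowIfForbidden(response, "read the to-do list");
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadFromJsonAsync<List<Todo>>() ?? new List<Todo>();
    }

    public async Task<Todo> AddAsync(Todo todo)
    {
        await PrepareAuthenticatedClient(_writeScopes);
        HttpResponseMessage response = await _http.PostAsJsonAsync($"{_baseAddress}/api/todolist", todo);
        await ThrowIfForbidden(response, "create a task");
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadFromJsonAsync<Todo>() ?? throw new InvalidOperationException("empty response from API");
    }

    // Turns the API's 403 (token accepted, required scope or app role missing) into an
    // exception the MVC action can catch and render as a plain message, instead of the
    // unhandled HttpRequestException from EnsureSuccessStatusCode.
    private static async Task ThrowIfForbidden(HttpResponseMessage response, string action)
    {
        if (response.StatusCode != HttpStatusCode.Forbidden) return;
        string detail = await response.Content.ReadAsStringAsync();
        throw new TodoListForbiddenException(
            $"Your account is not permitted to {action}. Ask an administrator to grant the required permission.",
            detail);
    }
}
```

The MVC action that calls `AddAsync` would catch `TodoListForbiddenException`, log `Detail`, and show `Message` in the view. Keeping the API's own error body out of the page is deliberate: Microsoft.Identity.Web's scope check names the missing scope in its 403 body, which is useful in a log and unnecessary in a browser.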