Merge pull request #25 from damienbod/dev-cae-net6-features

CAE and  .NET6 features

Author: damienbod

Changelog.md

@@ -2,6 +2,15 @@
 
 [Readme](https://github.com/damienbod/Blazor.BFF.AzureB2C.Template/blob/main/README.md) 
 
+**2022-03-20** 1.2.0
+- use new top-level statements and remove
+- enable ImplicitUsings
+- add IAntiforgeryHttpClientFactory/AntiforgeryHttpClientFactory
+- Replace of IdentityModel with System.Security.Claims and remove IdentityModel nuget package
+- Add support for Azure AD Continuous Access Evaluation CAE
+- Add 404, 401, response handling
+- Update nuget packages
+
 **2022-03-20** 1.1.0
 - Updated nuget packages
 - Using nullable enabled

README-NUGET.md

@@ -10,6 +10,7 @@ This template can be used to create a Blazor WASM application hosted in an ASP.N
 - BFF with Azure B2C using Microsoft.Identity.Web
 - OAuth2 and OpenID Connect OIDC
 - No tokens in the browser
+- Azure AD Continuous Access Evaluation CAE support
 
 ## Using the template
 
@@ -62,6 +63,112 @@ Add the permissions for Microsoft Graph if required, application scopes are used
 },
 ```
 
+### Use Continuous Access Evaluation CAE with a downstream API (access_token)
+
+#### Azure app registration manifest
+
+```json
+"optionalClaims": {
+	"idToken": [],
+	"accessToken": [
+		{
+			"name": "xms_cc",
+			"source": null,
+			"essential": false,
+			"additionalProperties": []
+		}
+	],
+	"saml2Token": []
+},
+```
+
+Any API call for the Blazor WASM could be implemented like this:
+
+```
+[HttpGet]
+public async Task<IActionResult> Get()
+{
+  try
+  {
+	// Do logic which calls an API and throws claims challenge 
+	// WebApiMsalUiRequiredException. The WWW-Authenticate header is set
+	// using the OpenID Connect standards and Signals spec.
+  }
+  catch (WebApiMsalUiRequiredException hex)
+  {
+	var claimChallenge = WwwAuthenticateParameters
+		.GetClaimChallengeFromResponseHeaders(hex.Headers);
+		
+	return Unauthorized(claimChallenge);
+  }
+}
+```
+
+The downstream API call could be implemented something like this:
+
+```
+public async Task<T> CallApiAsync(string url)
+{
+	var client = _clientFactory.CreateClient();
+
+	// ... add bearer token
+	
+	var response = await client.GetAsync(url);
+	if (response.IsSuccessStatusCode)
+	{
+		var stream = await response.Content.ReadAsStreamAsync();
+		var payload = await JsonSerializer.DeserializeAsync<T>(stream);
+
+		return payload;
+	}
+
+	// You can check the WWW-Authenticate header first, if it is a CAE challenge
+	
+	throw new WebApiMsalUiRequiredException($"Error: {response.StatusCode}.", response);
+}
+```
+
+### Use Continuous Access Evaluation CAE in a standalone app (id_token)
+
+#### Azure app registration manifest
+
+```json
+"optionalClaims": {
+	"idToken": [
+		{
+			"name": "xms_cc",
+			"source": null,
+			"essential": false,
+			"additionalProperties": []
+		}
+	],
+	"accessToken": [],
+	"saml2Token": []
+},
+```
+If using a CAE Authcontext in a standalone project, you only need to challenge against the claims in the application.
+
+```
+private readonly CaeClaimsChallengeService _caeClaimsChallengeService;
+
+public AdminApiCallsController(CaeClaimsChallengeService caeClaimsChallengeService)
+{
+  _caeClaimsChallengeService = caeClaimsChallengeService;
+}
+
+[HttpGet]
+public IActionResult Get()
+{
+  // if CAE claim missing in id token, the required claims challenge is returned
+  var claimsChallenge = _caeClaimsChallengeService
+	.CheckForRequiredAuthContextIdToken(AuthContextId.C1, HttpContext);
+
+  if (claimsChallenge != null)
+  {
+	return Unauthorized(claimsChallenge);
+  }
+```
+
 ### uninstall
 
 ```
@@ -72,7 +179,6 @@ dotnet new -u Blazor.BFF.AzureB2C.Template
 ## Credits, Used NuGet packages + ASP.NET Core 6.0 standard packages
 
 - NetEscapades.AspNetCore.SecurityHeaders
-- IdentityModel
 
 ## Links
 

README.md

@@ -12,6 +12,7 @@ This template can be used to create a Blazor WASM application hosted in an ASP.N
 - BFF with Azure B2C using Microsoft.Identity.Web
 - OAuth2 and OpenID Connect OIDC
 - No tokens in the browser
+- - Azure AD Continuous Access Evaluation CAE support
 
 ## Other templates
 
@@ -70,6 +71,112 @@ Add the permissions for Microsoft Graph if required, application scopes are used
 },
 ```
 
+### Use Continuous Access Evaluation CAE with a downstream API (access_token)
+
+#### Azure app registration manifest
+
+```json
+"optionalClaims": {
+	"idToken": [],
+	"accessToken": [
+		{
+			"name": "xms_cc",
+			"source": null,
+			"essential": false,
+			"additionalProperties": []
+		}
+	],
+	"saml2Token": []
+},
+```
+
+Any API call for the Blazor WASM could be implemented like this:
+
+```
+[HttpGet]
+public async Task<IActionResult> Get()
+{
+  try
+  {
+	// Do logic which calls an API and throws claims challenge 
+	// WebApiMsalUiRequiredException. The WWW-Authenticate header is set
+	// using the OpenID Connect standards and Signals spec.
+  }
+  catch (WebApiMsalUiRequiredException hex)
+  {
+	var claimChallenge = WwwAuthenticateParameters
+		.GetClaimChallengeFromResponseHeaders(hex.Headers);
+		
+	return Unauthorized(claimChallenge);
+  }
+}
+```
+
+The downstream API call could be implemented something like this:
+
+```
+public async Task<T> CallApiAsync(string url)
+{
+	var client = _clientFactory.CreateClient();
+
+	// ... add bearer token
+	
+	var response = await client.GetAsync(url);
+	if (response.IsSuccessStatusCode)
+	{
+		var stream = await response.Content.ReadAsStreamAsync();
+		var payload = await JsonSerializer.DeserializeAsync<T>(stream);
+
+		return payload;
+	}
+
+	// You can check the WWW-Authenticate header first, if it is a CAE challenge
+	
+	throw new WebApiMsalUiRequiredException($"Error: {response.StatusCode}.", response);
+}
+```
+
+### Use Continuous Access Evaluation CAE in a standalone app (id_token)
+
+#### Azure app registration manifest
+
+```json
+"optionalClaims": {
+	"idToken": [
+		{
+			"name": "xms_cc",
+			"source": null,
+			"essential": false,
+			"additionalProperties": []
+		}
+	],
+	"accessToken": [],
+	"saml2Token": []
+},
+```
+If using a CAE Authcontext in a standalone project, you only need to challenge against the claims in the application.
+
+```
+private readonly CaeClaimsChallengeService _caeClaimsChallengeService;
+
+public AdminApiCallsController(CaeClaimsChallengeService caeClaimsChallengeService)
+{
+  _caeClaimsChallengeService = caeClaimsChallengeService;
+}
+
+[HttpGet]
+public IActionResult Get()
+{
+  // if CAE claim missing in id token, the required claims challenge is returned
+  var claimsChallenge = _caeClaimsChallengeService
+	.CheckForRequiredAuthContextIdToken(AuthContextId.C1, HttpContext);
+
+  if (claimsChallenge != null)
+  {
+	return Unauthorized(claimsChallenge);
+  }
+```
+
 ### uninstall
 
 ```
@@ -91,7 +198,7 @@ nuget pack content/Blazor.BFF.AzureB2C.Template.nuspec
 Locally built nupkg:
 
 ```
-dotnet new -i Blazor.BFF.AzureB2C.Template.1.1.0.nupkg
+dotnet new -i Blazor.BFF.AzureB2C.Template.1.2.0.nupkg
 ```
 
 Local folder:
@@ -111,7 +218,6 @@ https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-ap
 ## Credits, Used NuGet packages + ASP.NET Core 6.0 standard packages
 
 - NetEscapades.AspNetCore.SecurityHeaders
-- IdentityModel.AspNetCore
 
 ## Links
 

content/Blazor.BFF.AzureB2C.Template.nuspec

@@ -2,7 +2,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2012/06/nuspec.xsd">
 	<metadata>
 		<id>Blazor.BFF.AzureB2C.Template</id>
-		<version>1.1.0</version>
+		<version>1.2.0</version>
 		<title>Blazor.BFF.AzureB2C.Template</title>
 		<license type="file">LICENSE</license>
 		<description>Blazor BFF template for WASM ASP.NET Core hosted</description>
@@ -15,7 +15,7 @@
 		<requireLicenseAcceptance>false</requireLicenseAcceptance>
 		<copyright>2022 damienbod</copyright>
 		<summary>This template provides a simple Blazor template with BFF server authentication WASM hosted</summary>
-		<releaseNotes>Updated nuget packages, using nullable enabled</releaseNotes>
+		<releaseNotes>use new top-level statements and remove, enable ImplicitUsings, add IAntiforgeryHttpClientFactory/AntiforgeryHttpClientFactory, Replace of IdentityModel with System.Security.Claims and remove IdentityModel nuget package, Add support for Azure AD Continuous Access Evaluation CAE, Add 404, 401, response handling, Update nuget packages</releaseNotes>
 		<repository type="git" url="https://github.com/damienbod/Blazor.BFF.AzureB2C.Template" />
 		<packageTypes>
 			<packageType name="Template" />

content/BlazorBffAzureB2C/Client/BlazorBffAzureB2C.Client.csproj

@@ -4,17 +4,17 @@
     <TargetFramework>net6.0</TargetFramework>
     <NoDefaultLaunchSettingsFile>true</NoDefaultLaunchSettingsFile>
     <Nullable>enable</Nullable>
+	<ImplicitUsings>enable</ImplicitUsings>
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly" Version="6.0.3" />
-    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.DevServer" Version="6.0.3" PrivateAssets="all" />
+    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly" Version="6.0.5" />
+    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.DevServer" Version="6.0.5" PrivateAssets="all" />
     <PackageReference Include="Microsoft.Extensions.Http" Version="6.0.0" />
-    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Authentication" Version="6.0.3" />
+    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Authentication" Version="6.0.5" />
   </ItemGroup>
 
   <ItemGroup>
     <ProjectReference Include="..\Shared\BlazorBffAzureB2C.Shared.csproj" />
   </ItemGroup>
-
 </Project>

content/BlazorBffAzureB2C/Client/Pages/DirectApi.razor

@@ -1,5 +1,5 @@
 @page "/directapi"
-@inject IHttpClientFactory httpClientFactory 
+@inject IAntiforgeryHttpClientFactory httpClientFactory
 @inject IJSRuntime JSRuntime
 
 <h1>Data from Direct API</h1>
@@ -28,16 +28,12 @@ else
 }
 
 @code {
-    private string[] apiData;
+    private string[]? apiData;
 
     protected override async Task OnInitializedAsync()
     {
-        var token = await JSRuntime.InvokeAsync<string>("getAntiForgeryToken");
-
-        var client = httpClientFactory.CreateClient("authorizedClient");
-        client.DefaultRequestHeaders.Add("X-XSRF-TOKEN", token);
+        var client = await httpClientFactory.CreateClientAsync();
 
         apiData = await client.GetFromJsonAsync<string[]>("api/DirectApi");
     }
-
 }

content/BlazorBffAzureB2C/Client/Pages/GraphApiCall.razor

@@ -1,5 +1,5 @@
 @page "/graphapicall"
-@inject IHttpClientFactory httpClientFactory 
+@inject IAntiforgeryHttpClientFactory httpClientFactory
 @inject IJSRuntime JSRuntime
 
 <h1>Data from Graph API</h1>
@@ -28,16 +28,12 @@ else
 }
 
 @code {
-    private string[] apiData;
+    private string[]? apiData;
 
     protected override async Task OnInitializedAsync()
     {
-        var token = await JSRuntime.InvokeAsync<string>("getAntiForgeryToken");
-
-        var client = httpClientFactory.CreateClient("authorizedClient");
-        client.DefaultRequestHeaders.Add("X-XSRF-TOKEN", token);
+        var client = await httpClientFactory.CreateClientAsync();
 
         apiData = await client.GetFromJsonAsync<string[]>("api/GraphApiCalls");
     }
-
 }