Allow customization of the user

Author: javiercn

src/Components/WebAssembly/Authentication.Msal/src/MsalWebAssemblyServiceCollectionExtensions.cs

@@ -37,7 +37,22 @@ public static IServiceCollection AddMsalAuthentication(this IServiceCollection s
         public static IServiceCollection AddMsalAuthentication<TRemoteAuthenticationState>(this IServiceCollection services, Action<RemoteAuthenticationOptions<MsalProviderOptions>> configure)
             where TRemoteAuthenticationState : RemoteAuthenticationState, new()
         {
-            services.AddRemoteAuthentication<RemoteAuthenticationState, MsalProviderOptions>(configure);
+            AddMsalAuthentication<TRemoteAuthenticationState, RemoteUserAccount>(services, configure);
+            return services;
+        }
+
+        /// <summary>
+        /// Adds authentication using msal.js to Blazor applications.
+        /// </summary>
+        /// <typeparam name="TRemoteAuthenticationState">The type of the remote authentication state.</typeparam>
+        /// <param name="services">The <see cref="IServiceCollection"/>.</param>
+        /// <param name="configure">The <see cref="Action{RemoteAuthenticationOptions{MsalProviderOptions}}"/> to configure the <see cref="RemoteAuthenticationOptions{MsalProviderOptions}"/>.</param>
+        /// <returns>The <see cref="IServiceCollection"/>.</returns>
+        public static IServiceCollection AddMsalAuthentication<TRemoteAuthenticationState, TAccount>(this IServiceCollection services, Action<RemoteAuthenticationOptions<MsalProviderOptions>> configure)
+            where TRemoteAuthenticationState : RemoteAuthenticationState, new()
+            where TAccount : RemoteUserAccount
+        {
+            services.AddRemoteAuthentication<RemoteAuthenticationState, TAccount, MsalProviderOptions>(configure);
             services.TryAddEnumerable(ServiceDescriptor.Singleton<IPostConfigureOptions<RemoteAuthenticationOptions<MsalProviderOptions>>, MsalDefaultOptionsConfiguration>());
 
             return services;

src/Components/WebAssembly/WebAssembly.Authentication/src/IAccessTokenProviderAccessor.cs

@@ -0,0 +1,20 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+namespace Microsoft.AspNetCore.Components.WebAssembly.Authentication.Internal
+{
+    /// <summary>
+    /// This is an internal API that supports the Microsoft.AspNetCore.Components.WebAssembly.Authentication
+    /// infrastructure and not subject to the same compatibility standards as public APIs.
+    /// It may be changed or removed without notice in any release.
+    /// </summary>
+    public interface IAccessTokenProviderAccessor
+    {
+        /// <summary>
+        /// This is an internal API that supports the Microsoft.AspNetCore.Components.WebAssembly.Authentication
+        /// infrastructure and not subject to the same compatibility standards as public APIs.
+        /// It may be changed or removed without notice in any release.
+        /// </summary>
+        IAccessTokenProvider TokenProvider { get; }
+    }
+}

src/Components/WebAssembly/WebAssembly.Authentication/src/IRemoteAuthenticationBuilder.cs

@@ -0,0 +1,19 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
+
+namespace Microsoft.Extensions.DependencyInjection
+{
+    /// <summary>
+    /// An interface for configuring remote authentication services.
+    /// </summary>
+    /// <typeparam name="TRemoteAuthenticationState">The remote authentication state type.</typeparam>
+    /// <typeparam name="TAccount">The account type.</typeparam>
+    public interface IRemoteAuthenticationBuilder<TRemoteAuthenticationState, TAccount>
+        where TRemoteAuthenticationState : RemoteAuthenticationState
+        where TAccount : RemoteUserAccount
+    {
+        IServiceCollection Services { get; }
+    }
+}

src/Components/WebAssembly/WebAssembly.Authentication/src/Interop/AuthenticationService.ts

@@ -63,12 +63,32 @@ export interface AuthorizeService {
 
 class OidcAuthorizeService implements AuthorizeService {
     private _userManager: UserManager;
-
+    private _intialSilentSignIn: Promise<void> | undefined;
     constructor(userManager: UserManager) {
         this._userManager = userManager;
     }
 
+    async trySilentSignIn() {
+        if (!this._intialSilentSignIn) {
+            this._intialSilentSignIn = (async () => {
+                try {
+                    await this._userManager.signinSilent();
+                    return;
+                } catch (e) {
+                }
+            })();
+        }
+
+        return this._intialSilentSignIn;
+    }
+
     async getUser() {
+        if (window.parent == window && !window.opener && !window.frameElement &&
+            !location.href.startsWith(this._userManager.settings.redirect_uri!)) {
+            // If we are not inside a hidden iframe, try authenticating silently.
+            await AuthenticationService.instance.trySilentSignIn();
+        }
+
         const user = await this._userManager.getUser();
         return user && user.profile;
     }
@@ -253,21 +273,61 @@ class OidcAuthorizeService implements AuthorizeService {
 export class AuthenticationService {
 
     static _infrastructureKey = 'Microsoft.AspNetCore.Components.WebAssembly.Authentication';
-    static _initialized : Promise<void>;
+    static _initialized: Promise<void>;
     static instance: OidcAuthorizeService;
+    static _pendingOperations: { [key: string]: Promise<AuthenticationResult> | undefined } = {}
 
     public static async init(settings: UserManagerSettings & AuthorizeServiceSettings) {
         // Multiple initializations can start concurrently and we want to avoid that.
         // In order to do so, we create an initialization promise and the first call to init
         // tries to initialize the app and sets up a promise other calls can await on.
         if (!AuthenticationService._initialized) {
-            this._initialized = (async () => {
-                const userManager = await this.createUserManager(settings);
+            AuthenticationService._initialized = AuthenticationService.InitializeCore(settings);
+
+            await AuthenticationService._initialized;
+        }
+
+        return AuthenticationService._initialized;
+    }
+
+    public static handleCallback() {
+        return AuthenticationService.InitializeCore();
+    }
+
+    private static async InitializeCore(settings?: UserManagerSettings & AuthorizeServiceSettings) {
+        let finalSettings = settings || AuthenticationService.resolveCachedSettings();
+        if (!settings && finalSettings) {
+            const userManager = AuthenticationService.createUserManagerCore(finalSettings);
+
+            if (window.parent != window && !window.opener && (window.frameElement &&
+                location.href.startsWith(userManager.settings.redirect_uri!))) {
+                // If we are inside a hidden iframe, try completing the sign in early.
                 AuthenticationService.instance = new OidcAuthorizeService(userManager);
-            })();
+                AuthenticationService._initialized = (async (): Promise<void> => {
+                    await AuthenticationService.instance.completeSignIn(location.href);
+                    return;
+                })();
+            }
+
+            return;
+        } else if (settings) {
+            const userManager = await AuthenticationService.createUserManager(settings);
+            AuthenticationService.instance = new OidcAuthorizeService(userManager);
+        } else {
+            // HandleCallback gets called unconditionally, so we do nothing for normal paths.
+            // Cached settings are only used on handling the redirect_uri path and if the settings are not there
+            // the app will fallback to the default logic for handling the redirect.
         }
+    }
 
-        await this._initialized;
+    private static resolveCachedSettings(): UserManagerSettings | undefined {
+        let finalSettings: UserManagerSettings | undefined;
+        const cachedSettings = window.sessionStorage.getItem(`${AuthenticationService._infrastructureKey}.CachedAuthSettings`);
+        if (cachedSettings) {
+            finalSettings = JSON.parse(cachedSettings);
+        }
+
+        return finalSettings;
     }
 
     public static getUser() {
@@ -282,16 +342,30 @@ export class AuthenticationService {
         return AuthenticationService.instance.signIn(state);
     }
 
-    public static completeSignIn(url: string) {
-        return AuthenticationService.instance.completeSignIn(url);
+    public static async completeSignIn(url: string) {
+        let operation = this._pendingOperations[url];
+        if (!operation) {
+            operation = AuthenticationService.instance.completeSignIn(url);
+            await operation;
+            this._pendingOperations[url] = undefined;
+        }
+
+        return operation;
     }
 
     public static signOut(state: any) {
         return AuthenticationService.instance.signOut(state);
     }
 
-    public static completeSignOut(url: string) {
-        return AuthenticationService.instance.completeSignOut(url);
+    public static async completeSignOut(url: string) {
+        let operation = this._pendingOperations[url];
+        if (!operation) {
+            operation = AuthenticationService.instance.completeSignOut(url);
+            await operation;
+            this._pendingOperations[url] = undefined;
+        }
+
+        return operation;
     }
 
     private static async createUserManager(settings: OidcAuthorizeServiceSettings): Promise<UserManager> {
@@ -304,11 +378,6 @@ export class AuthenticationService {
 
             const downloadedSettings = await response.json();
 
-            window.sessionStorage.setItem(`${AuthenticationService._infrastructureKey}.CachedAuthSettings`, JSON.stringify(settings));
-
-            downloadedSettings.automaticSilentRenew = true;
-            downloadedSettings.includeIdTokenInSilentRenew = true;
-
             finalSettings = downloadedSettings;
         } else {
             if (!settings.scope) {
@@ -323,12 +392,16 @@ export class AuthenticationService {
             finalSettings = settings;
         }
 
-        const userManager = new UserManager(finalSettings);
+        window.sessionStorage.setItem(`${AuthenticationService._infrastructureKey}.CachedAuthSettings`, JSON.stringify(finalSettings));
 
+        return AuthenticationService.createUserManagerCore(finalSettings);
+    }
+
+    private static createUserManagerCore(finalSettings: UserManagerSettings) {
+        const userManager = new UserManager(finalSettings);
         userManager.events.addUserSignedOut(async () => {
-            await userManager.removeUser();
+            userManager.removeUser();
         });
-
         return userManager;
     }
 }
@@ -337,4 +410,6 @@ declare global {
     interface Window { AuthenticationService: AuthenticationService; }
 }
 
+AuthenticationService.handleCallback();
+
 window.AuthenticationService = AuthenticationService;

src/Components/WebAssembly/WebAssembly.Authentication/src/Interop/package.json

@@ -4,7 +4,7 @@
     "build": "npm run build:release",
     "build:release": "webpack --mode production --env.production --env.configuration=Release",
     "build:debug": "webpack --mode development --env.configuration=Debug",
-    "watch": "webpack --watch --mode development"
+    "watch": "webpack --watch --mode development --env.configuration=Debug"
   },
   "devDependencies": {
     "ts-loader": "^6.2.1",

src/Components/WebAssembly/WebAssembly.Authentication/src/Models/RemoteUserAccount.cs

@@ -0,0 +1,23 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+namespace Microsoft.AspNetCore.Components.WebAssembly.Authentication
+{
+    /// <summary>
+    /// A user account.
+    /// </summary>
+    /// <remarks>
+    /// The information in this type will be use to produce a <see cref="System.Security.Claims.ClaimsPrincipal"/> for the application.
+    /// </remarks>
+    public class RemoteUserAccount
+    {
+        /// <summary>
+        /// Gets or sets properties not explicitly mapped about the user.
+        /// </summary>
+        [JsonExtensionData]
+        public IDictionary<string, object> AdditionalProperties { get; set; }
+    }
+}

src/Components/WebAssembly/WebAssembly.Authentication/src/Options/DefaultApiAuthorizationOptionsConfiguration.cs

@@ -17,6 +17,7 @@ public void Configure(RemoteAuthenticationOptions<ApiAuthorizationProviderOption
             options.AuthenticationPaths.RemoteRegisterPath ??= "Identity/Account/Register";
             options.AuthenticationPaths.RemoteProfilePath ??= "Identity/Account/Manage";
             options.UserOptions.ScopeClaim ??= "scope";
+            options.UserOptions.RoleClaim ??= "role";
             options.UserOptions.AuthenticationType ??= _applicationName;
         }
 

src/Components/WebAssembly/WebAssembly.Authentication/src/RemoteAuthenticationBuilder.cs

@@ -0,0 +1,17 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using Microsoft.Extensions.DependencyInjection;
+
+namespace Microsoft.AspNetCore.Components.WebAssembly.Authentication
+{
+    internal class RemoteAuthenticationBuilder<TRemoteAuthenticationState, TAccount>
+        : IRemoteAuthenticationBuilder<TRemoteAuthenticationState, TAccount>
+        where TRemoteAuthenticationState : RemoteAuthenticationState
+        where TAccount : RemoteUserAccount
+    {
+        public RemoteAuthenticationBuilder(IServiceCollection services) => Services = services;
+
+        public IServiceCollection Services { get; }
+    }
+}

src/Components/WebAssembly/WebAssembly.Authentication/src/RemoteAuthenticationBuilderExtensions.cs

@@ -0,0 +1,55 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
+
+namespace Microsoft.AspNetCore.Components.WebAssembly.Authentication
+{
+    /// <summary>
+    /// Extensions for remote authentication services.
+    /// </summary>
+    public static class RemoteAuthenticationBuilderExtensions
+    {
+        /// <summary>
+        /// Replaces the existing <see cref="UserFactory{TAccount}"/> with the user factory defined by <typeparamref name="TUserFactory"/>.
+        /// </summary>
+        /// <typeparam name="TRemoteAuthenticationState">The remote authentication state.</typeparam>
+        /// <typeparam name="TAccount">The account type.</typeparam>
+        /// <typeparam name="TUserFactory">The new user factory type.</typeparam>
+        /// <param name="builder">The <see cref="IRemoteAuthenticationBuilder{TRemoteAuthenticationState, TAccount}"/>.</param>
+        /// <returns>The <see cref="IRemoteAuthenticationBuilder{TRemoteAuthenticationState, TAccount}"/>.</returns>
+        public static IRemoteAuthenticationBuilder<TRemoteAuthenticationState, TAccount> AddUserFactory<TRemoteAuthenticationState, TAccount, TUserFactory>(
+            this IRemoteAuthenticationBuilder<TRemoteAuthenticationState, TAccount> builder)
+            where TRemoteAuthenticationState : RemoteAuthenticationState, new()
+            where TAccount : RemoteUserAccount
+            where TUserFactory : UserFactory<TAccount>
+        {
+            builder.Services.Replace(ServiceDescriptor.Scoped<UserFactory<TAccount>, TUserFactory>());
+
+            return builder;
+        }
+
+        /// <summary>
+        /// Replaces the existing <see cref="UserFactory{Account}"/> with the user factory defined by <typeparamref name="TUserFactory"/>.
+        /// </summary>
+        /// <typeparam name="TRemoteAuthenticationState">The remote authentication state.</typeparam>
+        /// <typeparam name="TUserFactory">The new user factory type.</typeparam>
+        /// <param name="builder">The <see cref="IRemoteAuthenticationBuilder{TRemoteAuthenticationState, Account}"/>.</param>
+        /// <returns>The <see cref="IRemoteAuthenticationBuilder{TRemoteAuthenticationState, Account}"/>.</returns>
+        public static IRemoteAuthenticationBuilder<TRemoteAuthenticationState, RemoteUserAccount> AddUserFactory<TRemoteAuthenticationState, TUserFactory>(
+            this IRemoteAuthenticationBuilder<TRemoteAuthenticationState, RemoteUserAccount> builder)
+            where TRemoteAuthenticationState : RemoteAuthenticationState, new()
+            where TUserFactory : UserFactory<RemoteUserAccount> => builder.AddUserFactory<TRemoteAuthenticationState, RemoteUserAccount, TUserFactory>();
+
+        /// <summary>
+        /// Replaces the existing <see cref="UserFactory{TAccount}"/> with the user factory defined by <typeparamref name="TUserFactory"/>.
+        /// </summary>
+        /// <typeparam name="TUserFactory">The new user factory type.</typeparam>
+        /// <param name="builder">The <see cref="IRemoteAuthenticationBuilder{RemoteAuthenticationState, Account}"/>.</param>
+        /// <returns>The <see cref="IRemoteAuthenticationBuilder{RemoteAuthenticationState, Account}"/>.</returns>
+        public static IRemoteAuthenticationBuilder<RemoteAuthenticationState, RemoteUserAccount> AddUserFactory<TUserFactory>(
+            this IRemoteAuthenticationBuilder<RemoteAuthenticationState, RemoteUserAccount> builder)
+            where TUserFactory : UserFactory<RemoteUserAccount> => builder.AddUserFactory<RemoteAuthenticationState, RemoteUserAccount, TUserFactory>();
+    }
+}