
We are currently getting a list of our Users using MS Graph and the directoryObjects/getByIds endpoint.

In the Startup of the ASP.NET Core API we are using Microsoft.IdentityModel.Clients.ActiveDirectory and this code:

services.AddHttpClient("GraphApi", hc =>
{
    // ADAL (now deprecated): app-only token for Graph using the tenant's client credentials
    AuthenticationContext authContext = new AuthenticationContext("https://login.microsoftonline.com/" + this.configuration["GraphApi:Tenant"]);
    ClientCredential credential = new ClientCredential(this.configuration["GraphApi:ClientId"], this.configuration["GraphApi:ClientSecret"]);
    hc.BaseAddress = new Uri("https://graph.microsoft.com/v1.0/");
    hc.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
    // AddHttpClient takes an Action<HttpClient>, so an async lambda here compiles to async void and the
    // Authorization header could be set after the client has already been handed out; block instead.
    AuthenticationResult result = authContext.AcquireTokenAsync("https://graph.microsoft.com/", credential).GetAwaiter().GetResult();
    hc.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
});

I am creating a new Azure Function and need to do the same thing again. I was going to use the same code and Microsoft.IdentityModel.Clients.ActiveDirectory but that package has been deprecated and we should be using Microsoft.Identity.Client.

I can see lots of samples for various scenarios but they seem to be all calling the public MS Graph whereas I want to get the users from our own Azure B2C. Can someone point me at the right resources/demo?

The Azure Function will not be running in the context of a user so a Managed Identity or Client Secret approach would be useful.

Pat Long - Munkii Yebee
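
The app-only flow the question asks for, written here as an added example with Microsoft.Identity.Client (MSAL) rather than ADAL; it is not code from the question or the answer. Tenant id, client id and secret are placeholders, and the getByIds request body and the `.default` scope follow the Graph endpoint already used in the question:

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Client-credentials call to Graph with MSAL, for an Azure Function with no signed-in user.
public static class GraphAppOnlyClient
{
    private const string TenantId = "<your-b2c-tenant-id>";          // placeholder
    private const string ClientId = "<app-registration-client-id>";  // placeholder
    private const string ClientSecret = "<client-secret>";            // placeholder; load from app settings / Key Vault

    // One static instance: MSAL caches the app token in memory and re-acquires it on expiry,
    // so repeated Function invocations do not hit the token endpoint every time.
    private static readonly IConfidentialClientApplication App =
        ConfidentialClientApplicationBuilder.Create(ClientId)
            .WithClientSecret(ClientSecret)
            // Graph tokens for a B2C directory come from that tenant's Azure AD endpoint,
            // not from the b2clogin.com user-flow endpoints used for sign-in.
            .WithAuthority(new Uri($"https://login.microsoftonline.com/{TenantId}"))
            .Build();

    private static readonly HttpClient Http = new HttpClient
    {
        BaseAddress = new Uri("https://graph.microsoft.com/v1.0/")
    };

    // Resolves directory object ids to users. The app registration needs an application
    // permission such as User.Read.All with admin consent for the /.default scope to work.
    public static async Task<string> GetUsersByIdsAsync(string[] ids)
    {
        AuthenticationResult token = await App
            .AcquireTokenForClient(new[] { "https://graph.microsoft.com/.default" })
            .ExecuteAsync();

        using var request = new HttpRequestMessage(HttpMethod.Post, "directoryObjects/getByIds");
        // The bearer token is attached per request rather than to DefaultRequestHeaders, so a
        // long-lived HttpClient never keeps a stale token after MSAL has refreshed it.
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.AccessToken);
        string body = JsonSerializer.Serialize(new { ids, types = new[] { "user" } });
        request.Content = new StringContent(body, Encoding.UTF8, "application/json");

        using HttpResponseMessage response = await Http.SendAsync(request);
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }
}
```

A managed identity only works when the Function's subscription lives in the same tenant as the directory being queried, and a B2C tenant is normally separate, so a client secret or a certificate (`.WithCertificate(...)` instead of `.WithClientSecret(...)`) is the practical choice here.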

1 Answer

I have implemented a similar kind of scenario for getting Azure AD users, but in a different way, in MVC.

CODE

I have used these NuGet packages

using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;

Startup class

// Also needed beyond the namespaces listed above: Owin, System.Threading.Tasks,
// Microsoft.IdentityModel.Protocols.OpenIdConnect, Microsoft.IdentityModel.Tokens
public class Startup
{
    string clientId = System.Configuration.ConfigurationManager.AppSettings["ClientId"];
    string redirectUri = System.Configuration.ConfigurationManager.AppSettings["RedirectUri"];
    static string tenant = System.Configuration.ConfigurationManager.AppSettings["Tenant"];
    string authority = String.Format(System.Globalization.CultureInfo.InvariantCulture, System.Configuration.ConfigurationManager.AppSettings["Authority"], tenant);

    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        // ShowPII puts token contents and user data into exception messages; keep it off outside local debugging
        Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = clientId,
                Authority = authority,
                RedirectUri = redirectUri,
                PostLogoutRedirectUri = redirectUri,
                Scope = OpenIdConnectScope.OpenIdProfile,
                ResponseType = OpenIdConnectResponseType.CodeIdToken,
                TokenValidationParameters = new TokenValidationParameters()
                {
                    // This is a simplification: with issuer validation off, an id_token from any tenant
                    // is accepted; set ValidIssuer(s) for your tenant in production
                    ValidateIssuer = false
                },
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    AuthenticationFailed = OnAuthenticationFailed
                },
            }
        );
    }

    private Task OnAuthenticationFailed(AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
    {
        context.HandleResponse();
        // Reflecting the raw exception message into the query string exposes internal details to the browser
        context.Response.Redirect("/?errormessage=" + context.Exception.Message);
        return Task.FromResult(0);
    }
}

HomeController

// Requires System.Web.Mvc, System.Web, Microsoft.Owin.Security and Microsoft.Owin.Security.OpenIdConnect
public class HomeController : Controller
{
    public void SignIn()
    {
        if (!Request.IsAuthenticated)
        {
            // Sends the browser to Azure AD; on return the user lands on "/"
            HttpContext.GetOwinContext().Authentication.Challenge(new AuthenticationProperties { RedirectUri = "/" }, OpenIdConnectAuthenticationDefaults.AuthenticationType);
        }
    }

    public void SignOut()
    {
        // Clears both the OpenID Connect session and the local cookie
        HttpContext.GetOwinContext().Authentication.SignOut(OpenIdConnectAuthenticationDefaults.AuthenticationType, CookieAuthenticationDefaults.AuthenticationType);
    }
}

ClaimsController

// Requires System.Web.Mvc and System.Security.Claims
public class ClaimsController : Controller
{
    public ActionResult Index()
    {
        // Claims come from the id_token validated by the OpenID Connect middleware
        var userClaims = User.Identity as System.Security.Claims.ClaimsIdentity;

        ViewBag.Name = userClaims?.FindFirst("name")?.Value;
        ViewBag.Username = userClaims?.FindFirst("preferred_username")?.Value;
        ViewBag.Subject = userClaims?.FindFirst(System.Security.Claims.ClaimTypes.NameIdentifier)?.Value;
        ViewBag.TenantId = userClaims?.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid")?.Value;
        return View();
    }
}

I tried to cover all possible implementations. Hope it will work in your case.

Thanks

Kishan Vaishnani
  • OWIN is, as far as I know, to be used for Web App to Web API where you are authenticating a user and then calling APIs on their behalf. This is an Azure function that is not running in the context of a user. We are using MSAL everywhere else and I'd want to continue doing that – Pat Long - Munkii Yebee Apr 27 '22 at 09:09
  • @PatLong-MunkiiYebee I hope this resource will help you https://youtu.be/8GSH2GMQpbs – Kishan Vaishnani Apr 27 '22 at 16:46