Sync with ASP.NET Core Web app tutorial's Microsoft.Identity.Web (#113)

* Sync with ASP.NET Core Web app tutorial's Microsoft.Identity.Web

* a few small edits (#114)

Author: jmprieur

Microsoft.Identity.Web/README.md

@@ -338,12 +338,49 @@ In order to troubleshoot your web API you can set the `subscribeToJwtBearerMiddl
 
 In both cases, you can set a breakpoint in the methods of the  `OpenIdConnectMiddlewareDiagnostics` and `JwtBearerMiddlewareDiagnostics` classes respectively to observe values under the debugger.
 
-## Learn more how the library works
+## More customizations
+
+If you want to customize the `OpenIdConnectOption` or `JwtBearerOption` but still want to benefit from the implementation provided by Microsoft.Identity.Web, you can easily do it from your `Startup.cs` file:
+
+Let's take for example the method `AddProtectedWebApi`. If you check the code inside it, you have this event setup:
+
+```
+options.Events.OnTokenValidated = async context =>
+{
+    // This check is required to ensure that the Web API only accepts tokens from tenants where it has been consented and provisioned.
+    if (!context.Principal.Claims.Any(x => x.Type == ClaimConstants.Scope)
+    && !context.Principal.Claims.Any(y => y.Type == ClaimConstants.Scp)
+    && !context.Principal.Claims.Any(y => y.Type == ClaimConstants.Roles))
+    {
+         throw new UnauthorizedAccessException("Neither scope or roles claim was found in the bearer token.");
+    }
+
+    await Task.FromResult(0);
+};
+```
+
+Let's say you want to augment the current `ClaimsPrincipal` by adding claims to it, and you have to do it on `OnTokenValidated `, however you don't want to lose this `UnauthorizedAccessException` check existing in the event. To do so, on your `Startup.cs` you would have:
+
+```
+services.AddProtectedWebApi(Configuration);
+services.Configure<JwtBearerOptions>(AzureADDefaults.JwtBearerAuthenticationScheme, options => 
+{
+  var existingOnTokenValidatedHandler = options.Events.OnTokenValidated ;
+  options.Events.OnTokenValidated = async context =>
+  {
+       await existingOnTokenValidatedHandler(context);
+      // your code to add extra claims that will be executed after the current event implementation.
+  }    
+}
+
+```
+
+## Learn more about how the library works
 
 You can learn more about the tokens by looking at the following articles in MSAL.NET's conceptual documentation:
 
 - The [Authorization code flow](https://aka.ms/msal-net-authorization-code), which is used, after the user signed-in with Open ID Connect, in order to get a token and cache it for a later use. See [TokenAcquisition L 107](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/f99e913cc032e16c59b748241111e97108e87918/Extensions/TokenAcquisition.cs#L107) for details of this code
-- [AcquireTokenSilent](https://aka.ms/msal-net-acquiretokensilent ), which is used by the controller to get an access token for the downstream API. See [TokenAcquisition L 168](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/f99e913cc032e16c59b748241111e97108e87918/Extensions/TokenAcquisition.cs#L168) for details of this code
+- [AcquireTokenSilent](https://aka.ms/msal-net-acquiretokensilent), which is used by the controller to get an access token for the downstream API. See [TokenAcquisition L 168](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/f99e913cc032e16c59b748241111e97108e87918/Extensions/TokenAcquisition.cs#L168) for details of this code
 - [Token cache serialization](msal-net-token-cache-serialization)
 
 The token validation is performed by the classes of the [Identity Model Extensions for DotNet](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet) library. Learn about customizing

Microsoft.Identity.Web/TokenAcquisition.cs

@@ -29,8 +29,7 @@ public class TokenAcquisition : ITokenAcquisition
         private readonly AzureADOptions _azureAdOptions;
         private readonly ConfidentialClientApplicationOptions _applicationOptions;
 
-        private readonly IMsalAppTokenCacheProvider _appTokenCacheProvider;
-        private readonly IMsalUserTokenCacheProvider _userTokenCacheProvider;
+        private readonly IMsalTokenCacheProvider _tokenCacheProvider;
 
         private IConfidentialClientApplication application;
         private readonly IHttpContextAccessor _httpContextAccessor;
@@ -42,20 +41,18 @@ public class TokenAcquisition : ITokenAcquisition
         /// This constructor is called by ASP.NET Core dependency injection
         /// </summary>
         /// <param name="configuration"></param>
-        /// <param name="appTokenCacheProvider">The App token cache provider</param>
+        /// <param name="tokenCacheProvider">The App token cache provider</param>
         /// <param name="userTokenCacheProvider">The User token cache provider</param>
         public TokenAcquisition(
-            IMsalAppTokenCacheProvider appTokenCacheProvider,
-            IMsalUserTokenCacheProvider userTokenCacheProvider,
+            IMsalTokenCacheProvider tokenCacheProvider,
             IHttpContextAccessor httpContextAccessor,
             IOptions<AzureADOptions> azureAdOptions,
             IOptions<ConfidentialClientApplicationOptions> applicationOptions)
         {
             _httpContextAccessor = httpContextAccessor;
             _azureAdOptions = azureAdOptions.Value;
             _applicationOptions = applicationOptions.Value;
-            _appTokenCacheProvider = appTokenCacheProvider;
-            _userTokenCacheProvider = userTokenCacheProvider;
+            _tokenCacheProvider = tokenCacheProvider;
         }
 
         /// <summary>
@@ -170,6 +167,7 @@ public async Task<string> GetAccessTokenOnBehalfOfUserAsync(
                 throw new ArgumentNullException(nameof(scopes));
             }
 
+            // Use MSAL to get the right token to call the API
             var application = GetOrBuildConfidentialClientApplication();
             string accessToken;
 
@@ -232,7 +230,7 @@ public async Task RemoveAccountAsync(RedirectContext context)
             if (account != null)
             {
                 await app.RemoveAsync(account).ConfigureAwait(false);
-                _userTokenCacheProvider?.ClearAsync().ConfigureAwait(false);
+                _tokenCacheProvider?.ClearAsync().ConfigureAwait(false);
             }
         }
 
@@ -266,7 +264,7 @@ private IConfidentialClientApplication BuildConfidentialClientApplication()
                 request.PathBase,
                 azureAdOptions.CallbackPath ?? string.Empty);
 
-            string authority = $"{azureAdOptions.Instance}{azureAdOptions.TenantId}/";
+            string authority = $"{applicationOptions.Instance}{applicationOptions.TenantId}/";
 
             var app = ConfidentialClientApplicationBuilder
                 .CreateWithApplicationOptions(applicationOptions)
@@ -275,8 +273,8 @@ private IConfidentialClientApplication BuildConfidentialClientApplication()
                 .Build();
 
             // Initialize token cache providers
-            _appTokenCacheProvider?.InitializeAsync(app.AppTokenCache);
-            _userTokenCacheProvider?.InitializeAsync(app.UserTokenCache);
+            _tokenCacheProvider?.InitializeAsync(app.AppTokenCache);
+            _tokenCacheProvider?.InitializeAsync(app.UserTokenCache);
 
             return app;
         }

Microsoft.Identity.Web/TokenCacheProviders/Distributed/DistributedTokenCacheAdapterExtension.cs

@@ -29,7 +29,7 @@ public static IServiceCollection AddDistributedAppTokenCache(
             this IServiceCollection services)
         {
             services.AddDistributedMemoryCache();
-            services.AddSingleton<IMsalAppTokenCacheProvider, MsalAppDistributedTokenCacheProvider>();
+            services.AddSingleton<IMsalTokenCacheProvider, MsalDistributedTokenCacheAdapter>();
             return services;
         }
 
@@ -42,7 +42,7 @@ public static IServiceCollection AddDistributedUserTokenCache(
         {
             services.AddDistributedMemoryCache();
             services.AddHttpContextAccessor();
-            services.AddSingleton<IMsalUserTokenCacheProvider, MsalPerUserDistributedTokenCacheProvider>();
+            services.AddSingleton<IMsalTokenCacheProvider, MsalDistributedTokenCacheAdapter>();
             return services;
         }
     }

Microsoft.Identity.Web/TokenCacheProviders/Distributed/MsalAppDistributedTokenCacheProvider.cs

@@ -18,7 +18,7 @@ public interface IMsalTokenCacheProvider
         /// <param name="isAppTokenCache">Is the token cache an App token cache or
         /// a user token cache</param>
         /// <returns></returns>
-        Task InitializeAsync(ITokenCache tokenCache, bool isAppTokenCache);
+        Task InitializeAsync(ITokenCache tokenCache);
 
         /// <summary>
         /// Clear the cache

Microsoft.Identity.Web/TokenCacheProviders/Distributed/MsalPerUserDistributedTokenCacheProvider.cs

@@ -16,33 +16,10 @@ public static class InMemoryTokenCacheProviderExtension
         /// <returns></returns>
         public static IServiceCollection AddInMemoryTokenCaches(
             this IServiceCollection services)
-        {
-            AddInMemoryAppTokenCache(services);
-            AddInMemoryPerUserTokenCache(services);
-            return services;
-        }
-
-        /// <summary>Adds the in-memory based application token cache to the service collection.</summary>
-        /// <param name="services">The services collection to add to.</param>
-        /// <param name="cacheOptions">The MSALMemoryTokenCacheOptions allows the caller to set the token cache expiration</param>
-        public static IServiceCollection AddInMemoryAppTokenCache(
-            this IServiceCollection services)
-        {
-            services.AddMemoryCache();
-            services.AddSingleton<IMsalAppTokenCacheProvider, MsalAppMemoryTokenCacheProvider>();
-            return services;
-        }
-
-        /// <summary>Adds the in-memory based per user token cache to the service collection.</summary>
-        /// <param name="services">The services collection to add to.</param>
-        /// <param name="cacheOptions">The MSALMemoryTokenCacheOptions allows the caller to set the token cache expiration</param>
-        /// <returns></returns>
-        public static IServiceCollection AddInMemoryPerUserTokenCache(
-            this IServiceCollection services)
         {
             services.AddMemoryCache();
             services.AddHttpContextAccessor();
-            services.AddSingleton<IMsalUserTokenCacheProvider, MsalPerUserMemoryTokenCacheProvider>();
+            services.AddSingleton<IMsalTokenCacheProvider, MsalMemoryTokenCacheProvider>();
             return services;
         }
     }