Update setup

swiss-ssi-group · Dec 2, 2023 · ed69926 · ed69926
1 parent a95b1e8
commit ed69926
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 1 deletion.
diff --git a/IssueVerifiableEmployee/RejectSessionCookieWhenAccountNotInCacheEvents.cs b/IssueVerifiableEmployee/RejectSessionCookieWhenAccountNotInCacheEvents.cs
@@ -0,0 +1,37 @@
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.Identity.Client;
+using Microsoft.Identity.Web;
+
+namespace BffMicrosoftEntraID.Server;
+
+public class RejectSessionCookieWhenAccountNotInCacheEvents : CookieAuthenticationEvents
+{
+    private readonly string[] _downstreamScopes;
+
+    public RejectSessionCookieWhenAccountNotInCacheEvents(string[] downstreamScopes)
+    {
+        _downstreamScopes = downstreamScopes;
+    }
+
+    public async override Task ValidatePrincipal(CookieValidatePrincipalContext context)
+    {
+        try
+        {
+            var tokenAcquisition = context.HttpContext.RequestServices
+                .GetRequiredService<ITokenAcquisition>();
+
+            string token = await tokenAcquisition.GetAccessTokenForUserAsync(scopes: _downstreamScopes, 
+                user: context.Principal);
+        }
+        catch (MicrosoftIdentityWebChallengeUserException ex) when (AccountDoesNotExitInTokenCache(ex))
+        {
+            context.RejectPrincipal();
+        }
+    }
+
+    private static bool AccountDoesNotExitInTokenCache(MicrosoftIdentityWebChallengeUserException ex)
+    {
+        return ex.InnerException is MsalUiRequiredException 
+            && (ex.InnerException as MsalUiRequiredException)!.ErrorCode == "user_null";
+    }
+}
diff --git a/IssueVerifiableEmployee/Startup.cs b/IssueVerifiableEmployee/Startup.cs
@@ -1,4 +1,6 @@
+using BffMicrosoftEntraID.Server;
 using IssuerVerifiableEmployee.Services.GraphServices;
+using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Authentication.OpenIdConnect;
 using Microsoft.AspNetCore.Server.Kestrel.Core;
 using Microsoft.Identity.Web;
@@ -28,12 +30,20 @@ public void ConfigureServices(IServiceCollection services)
 
         services.AddDistributedMemoryCache();
 
+        var scopes = new string[] { "user.read" };
         services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
             .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"))
-            .EnableTokenAcquisitionToCallDownstreamApi(new string[] { "user.read"})
+            .EnableTokenAcquisitionToCallDownstreamApi(scopes)
             .AddMicrosoftGraph()
             .AddDistributedTokenCaches();
 
+        // If using downstream APIs and in memory cache, you need to reset the cookie session if the cache is missing
+        // If you use persistent cache, you do not require this.
+        // You can also return the 403 with the required scopes, this needs special handling for ajax calls
+        // The check is only for single scopes
+        services.Configure<CookieAuthenticationOptions>(CookieAuthenticationDefaults.AuthenticationScheme,
+            options => options.Events = new RejectSessionCookieWhenAccountNotInCacheEvents(scopes));
+
         services.AddAuthorization(options =>
         {
             options.FallbackPolicy = options.DefaultPolicy;