Fix HTTP/HTTPS signout issue

- Apply redirect config as added by AzureAD/microsoft-identity-web#115
- Add Signout redirect
- Add Application Insights
- Covers issue #1 and even already some role-based experiments

NRZMyk.Components/App.razor

@@ -3,22 +3,12 @@
 <Router AppAssembly="@typeof(App).Assembly">
     <Found Context="routeData">
         <AuthorizeRouteView RouteData="@routeData" DefaultLayout="@typeof(MainLayout)" />
-        @*<RouteView RouteData="@routeData" DefaultLayout="@typeof(MainLayout)" />*@
     </Found>
     <NotFound>
-        <LayoutView Layout="@typeof(MainLayout)">
-            <p>Sorry, there's nothing at this address.</p>
-        </LayoutView>
-    </NotFound>
-</Router>  
-
-@* <Router AppAssembly="@typeof(Program).Assembly">
-        <Found Context="routeData">
-            <AuthorizeRouteView RouteData="@routeData" DefaultLayout="@typeof(MainLayout)" />
-        </Found>
-        <NotFound>
+        <CascadingAuthenticationState>
             <LayoutView Layout="@typeof(MainLayout)">
                 <p>Sorry, there's nothing at this address.</p>
             </LayoutView>
-        </NotFound>
-    </Router> *@
+        </CascadingAuthenticationState>
+    </NotFound>
+</Router> 

NRZMyk.Components/Pages/Counter.razor

@@ -3,4 +3,6 @@
 
 <h1>Counter</h1>
 <p>Current count: @CurrentCount</p>
+<p>Groups: @Groups</p>
+<p>Roles: @Roles</p>
 <button class="btn btn-primary" @onclick="IncrementCount">Click me</button>

NRZMyk.Components/Pages/CounterBase.cs

@@ -1,12 +1,32 @@
-using Microsoft.AspNetCore.Components;
+using System.Linq;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Components;
+using Microsoft.AspNetCore.Components.Authorization;
 
 namespace NRZMyk.Components.Pages
 {
     public class CounterBase : ComponentBase
     {
+        [Inject]
+        public AuthenticationStateProvider AuthenticationStateProvider { get; set; }
+
         public int CurrentCount { get; set; }
 
-        public void IncrementCount()
+        public string Groups { get; set; }
+
+        public string Roles { get; set; }
+
+        protected override async Task OnInitializedAsync()
+        {
+            var state = await AuthenticationStateProvider.GetAuthenticationStateAsync();
+            var user = state.User;
+            var claims = user.Claims;
+            Groups = string.Join(",", claims.Where(c => c.Type == "groups").Select(c => c.Value));
+            Roles = string.Join(",", claims.Where(c => c.Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role").Select(c => c.Value));
+            await base.OnInitializedAsync();
+        }
+
+        public async Task IncrementCount()
         {
             CurrentCount++;
         }

NRZMyk.Components/Pages/Writer.razor

@@ -0,0 +1,5 @@
+@page "/writer"
+@attribute [Authorize(Roles = "Writer")]
+
+<h1>Writer</h1>
+<p>Access allowed for writer role only</p>

NRZMyk.Components/Shared/LoginDisplay.razor

@@ -1,9 +1,9 @@
 <AuthorizeView>
     <Authorized>
         Hello, @context.User.Identity.Name!
-        <a href="AzureAD/Account/SignOut">Log out</a>
+        <a href="MicrosoftIdentity/Account/SignOut">Log out</a>
     </Authorized>
     <NotAuthorized>
-        <a href="AzureAD/Account/SignIn">Log in</a>
+        <a href="MicrosoftIdentity/Account/SignIn">Log in</a>
     </NotAuthorized>
-</AuthorizeView>
+</AuthorizeView>

NRZMyk.Components/Shared/NavMenu.razor

@@ -24,5 +24,17 @@
                 <span class="oi oi-list-rich" aria-hidden="true"></span> Fetch data
             </NavLink>
         </li>
+
     </ul>
+    <AuthorizeView Roles="Writer">
+        <Authorized>
+            <ul class="nav flex-column">
+                <li class="nav-item px-3">
+                    <NavLink class="nav-link" href="writer">
+                        <span class="oi oi-list-rich" aria-hidden="true"></span> Writer access
+                    </NavLink>
+                </li>
+            </ul>
+        </Authorized>
+    </AuthorizeView>
 </div>

NRZMyk.Server/Areas/MicrosoftIdentity/Pages/Account/SignedOut.cshtml

@@ -0,0 +1,7 @@
+@page	
+@functions {	
+    public async Task<IActionResult> OnGet()	
+    {	
+        return Redirect("~/");	
+    }	
+}

NRZMyk.Server/Areas/MicrosoftIdentity/Pages/Account/SignedOut.cshtml.cs

@@ -0,0 +1,16 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.RazorPages;
+
+namespace NRZMyk.Server.Areas.MicrosoftIdentity.Account
+{
+    public class SignedOutModel : PageModel
+    {
+        public void OnGet()
+        {
+        }
+    }
+}

NRZMyk.Server/Connected Services/Application Insights/ConnectedService.json

@@ -0,0 +1,4 @@
+{
+  "ProviderId": "Microsoft.ApplicationInsights.ConnectedService.ConnectedServiceProvider",
+  "Version": "16.0.0.0"
+}

NRZMyk.Server/NRZMyk.Server.csproj

@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.NET.Sdk.Web">
+<Project Sdk="Microsoft.NET.Sdk.Web">
 
   <PropertyGroup>
     <TargetFramework>netcoreapp3.1</TargetFramework>
@@ -7,10 +7,12 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.Authentication.AzureAD.UI" Version="3.1.4" />
+    <PackageReference Include="Microsoft.ApplicationInsights.AspNetCore" Version="2.13.1" />
     <PackageReference Include="Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore" Version="3.1.1" />
     <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="3.1.1" />
     <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="3.1.1" />
+    <PackageReference Include="Microsoft.Identity.Web" Version="0.1.4-preview" />
+    <PackageReference Include="Microsoft.Identity.Web.UI" Version="0.1.4-preview" />
     <PackageReference Include="Microsoft.VisualStudio.Azure.Containers.Tools.Targets" Version="1.9.10" />
   </ItemGroup>
 
@@ -19,4 +21,8 @@
     <ProjectReference Include="..\NRZMyk.Services\NRZMyk.Services.csproj" />
   </ItemGroup>
 
+  <ItemGroup>
+    <WCFMetadata Include="Connected Services" />
+  </ItemGroup>
+
 </Project>

NRZMyk.Server/Properties/serviceDependencies.json

@@ -0,0 +1,8 @@
+{
+  "dependencies": {
+    "appInsights1": {
+      "type": "appInsights",
+      "connectionId": null
+    }
+  }
+}

NRZMyk.Server/Properties/serviceDependencies.local.json

@@ -0,0 +1,8 @@
+{
+  "dependencies": {
+    "appInsights1": {
+      "type": "appInsights.sdk",
+      "connectionId": null
+    }
+  }
+}

NRZMyk.Server/Startup.cs

@@ -1,5 +1,5 @@
 using Microsoft.AspNetCore.Authentication;
-using Microsoft.AspNetCore.Authentication.AzureAD.UI;
+using Microsoft.AspNetCore.Authentication.OpenIdConnect;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Components.Authorization;
@@ -11,6 +11,8 @@
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
+using Microsoft.Identity.Web;
+using Microsoft.Identity.Web.UI;
 using NRZMyk.Services.Data;
 using NRZMyk.Services.Service;
 
@@ -29,8 +31,7 @@ public Startup(IConfiguration configuration)
         // For more information on how to configure your application, visit https://go.microsoft.com/fwlink/?LinkID=398940
         public void ConfigureServices(IServiceCollection services)
         {
-            services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
-                .AddAzureAD(options => Configuration.Bind("AzureAd", options));
+            services.AddSignIn(Configuration);
 
             services.AddControllersWithViews(options =>
             {
@@ -40,16 +41,18 @@ public void ConfigureServices(IServiceCollection services)
                 options.Filters.Add(new AuthorizeFilter(policy));
             });
 
-
             services.AddMvc().AddRazorPagesOptions(options => { options.RootDirectory = "/"; });
             services.AddDbContext<ApplicationDbContext>(options =>
                 options.UseSqlServer(
                     Configuration.GetConnectionString("DefaultConnection")));
-            services.AddRazorPages();
+            services.AddRazorPages().AddMicrosoftIdentityUI();
             services.AddServerSideBlazor();
             services.AddSingleton<WeatherForecastService>();
+
+            services.AddApplicationInsightsTelemetry();
         }
 
+
         // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
         public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
         {

NRZMyk.Server/appsettings.json

@@ -11,10 +11,11 @@
   },
   "AzureAd": {
     "Instance": "https://login.microsoftonline.com/",
-    "Domain": "",
-    "TenantId": "",
-    "ClientId": "",
-    "CallbackPath": "/signin-oidc"
+    "Domain": "[Enter the domain of your tenant, e.g. contoso.onmicrosoft.com]",
+    "TenantId": "[Enter 'common', or 'organizations' or the Tenant Id (Obtained from the Azure portal. Select 'Endpoints' from the 'App registrations' blade and use the GUID in any of the URLs), e.g. da41245a5-11b3-996c-00a8-4d99re19f292]",
+    "ClientId": "[Enter the Client Id (Application ID obtained from the Azure portal), e.g. ba74781c2-53c2-442a-97c2-3d60re42f403]",
+    "CallbackPath": "/signin-oidc",
+    "SignedOutCallbackPath ": "/signout-callback-oidc"
   },
   "AllowedHosts": "*"
 }

README.md

@@ -27,4 +27,15 @@ This app authenticates with Azure AD. In order to run it locally you need to con
 
 - `AzureAd__Domain`: Your domain
 - `AzureAd__TenantId`: Your tenant ID
-- `AzureAd__ClientId`: Your apps client ID
+- `AzureAd__ClientId`: Your apps client ID
+
+## Deployment setup
+
+### Fix Azure AD redirect issues
+
+There are cases where RedirectUri is needed, for instance when you use a reverse proxy that transforms HTTPS
+URLs (external world) to HTTP URLs (inside the protected area). This can also be useful for Web apps running
+in containers (for the same reasons). I.e. in case that AAD tries to redirect to <http://your.host.name/signin-oidc>
+you would need to override the following config value:
+
+- `AzureAd__RedirectUri`: `<https://your.host.name/signin-oidc>`