Azure-Samples
diff --git a/‎.github/workflows/node.js.yml
+1-1 b/‎.github/workflows/node.js.yml
+1-1
diff --git a/‎3-Authorization-II/1-call-api/API/TodoListAPI/Controllers/TodoListController.cs
+24-2 b/‎3-Authorization-II/1-call-api/API/TodoListAPI/Controllers/TodoListController.cs
+24-2
diff --git a/‎3-Authorization-II/1-call-api/API/TodoListAPI/Startup.cs
+13-7 b/‎3-Authorization-II/1-call-api/API/TodoListAPI/Startup.cs
+13-7
diff --git a/‎3-Authorization-II/1-call-api/AppCreationScripts/AppCreationScripts.md
+12-12 b/‎3-Authorization-II/1-call-api/AppCreationScripts/AppCreationScripts.md
+12-12
diff --git a/‎3-Authorization-II/1-call-api/AppCreationScripts/Cleanup.ps1
-96 b/‎3-Authorization-II/1-call-api/AppCreationScripts/Cleanup.ps1
-96
@@ -14,7 +14,7 @@ jobs:
 
     strategy:
       matrix:
-        node-version: [14.x]
+        node-version: [16.x]
         # See supported Node.js release schedule at https://nodejs.org/en/about/releases/
 
     steps:
 
@@ -8,6 +8,7 @@
 using Microsoft.EntityFrameworkCore;
 using TodoListAPI.Models;
 using System.Security.Claims;
+using Microsoft.Identity.Web;
 using Microsoft.Identity.Web.Resource;
 
 namespace TodoListAPI.Controllers
@@ -17,7 +18,7 @@ namespace TodoListAPI.Controllers
     [ApiController]
     public class TodoListController : ControllerBase
     {
-        // The Web API will only accept tokens 1) for users, and 
+        // The Web API will only accept tokens 1) for users, and
         // 2) having the access_as_user scope for this API
         static readonly string[] scopeRequiredByApi = new string[] { "access_as_user" };
 
@@ -42,7 +43,7 @@ public async Task<ActionResult<IEnumerable<TodoItem>>> GetTodoItems()
         public async Task<ActionResult<TodoItem>> GetTodoItem(int id)
         {
             HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);
- 
+
             var todoItem = await _context.TodoItems.FindAsync(id);
 
             if (todoItem == null)
@@ -126,5 +127,26 @@ private bool TodoItemExists(int id)
         {
             return _context.TodoItems.Any(e => e.Id == id);
         }
+
+        // Checks if the presented token has application permissions
+        private bool HasApplicationPermissions(string[] permissionsNames)
+        {
+            var rolesClaim = User.Claims.Where(
+              c => c.Type == ClaimConstants.Roles || c.Type == ClaimConstants.Role)
+              .SelectMany(c => c.Value.Split(' '));
+
+            var result = rolesClaim.Any(v => permissionsNames.Any(p => p.Equals(v)));
+
+            return result;
+        }
+
+        // Checks if the presented token has delegated permissions
+        private bool HasDelegatedPermissions(string[] scopesNames)
+        {
+            var result = (User.FindFirst(ClaimConstants.Scp) ?? User.FindFirst(ClaimConstants.Scope))?
+                .Value.Split(' ').Any(v => scopesNames.Any(s => s.Equals(v)));
+
+            return result ?? false;
+        }
     }
 }
@@ -6,8 +6,9 @@
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.Identity.Web;
+using System.IdentityModel.Tokens.Jwt;
+
 using TodoListAPI.Models;
-using Microsoft.AspNetCore.Authentication.JwtBearer;
 
 namespace TodoListAPI
 {
@@ -23,19 +24,24 @@ public Startup(IConfiguration configuration)
         // This method gets called by the runtime. Use this method to add services to the container.
         public void ConfigureServices(IServiceCollection services)
         {
+            // This is required to be instantiated before the OpenIdConnectOptions starts getting configured.
+            // By default, the claims mapping will map claim names in the old format to accommodate older SAML applications.
+            // 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' instead of 'roles'
+            // This flag ensures that the ClaimsIdentity claims collection will be built from the claims in the token
+            JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
+
             // Setting configuration for protected web api
-            services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
-                .AddMicrosoftIdentityWebApi(Configuration);
+            services.AddMicrosoftIdentityWebApiAuthentication(Configuration);
 
             // Creating policies that wraps the authorization requirements
             services.AddAuthorization();
 
             services.AddDbContext<TodoContext>(opt => opt.UseInMemoryDatabase("TodoList"));
 
             services.AddControllers();
-            
-            // Allowing CORS for all domains and methods for the purpose of the sample
-            // In production, modify this with the actual domains you want to allow
+
+            // Allowing CORS for all domains and HTTP methods for the purpose of the sample
+            // In production, modify this with the actual domains and HTTP methods you want to allow
             services.AddCors(o => o.AddPolicy("default", builder =>
             {
                 builder.AllowAnyOrigin()
@@ -72,4 +78,4 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
             });
         }
     }
-}
+}
@@ -77,21 +77,21 @@ The `Configure.ps1` will stop if it tries to create an Azure AD application whic
 
 ### (Optionally) install AzureAD PowerShell modules
 
-The scripts install the required PowerShell module (AzureAD) for the current user if needed. However, if you want to install if for all users on the machine, you can follow the following steps:
+The scripts install the required PowerShell module (Microsoft.Graph.Applications) for the current user if needed. However, if you want to install if for all users on the machine, you can follow the following steps:
 
-1. If you have never done it already, in the PowerShell window, install the AzureAD PowerShell modules. For this:
+1. If you have never done it already, in the PowerShell window, install the Graph PowerShell modules. For this:
 
    1. Open PowerShell as admin (On Windows, Search Powershell in the search bar, right click on it and select Run as administrator).
    2. Type:
- 
+
       ```PowerShell
-      Install-Module AzureAD
+      Install-Module Microsoft.Graph.Applications
       ```
 
       or if you cannot be administrator on your machine, run:
- 
+
       ```PowerShell
-      Install-Module AzureAD -Scope CurrentUser
+      Install-Module Microsoft.Graph.Applications -Scope CurrentUser
       ```
 
 ### Run the script and start running
@@ -131,7 +131,7 @@ Note that the script will choose the tenant in which to create the applications,
 When you know the identity and credentials of the user in the name of whom you want to create the applications, you can use the non-interactive approach. It's more adapted to DevOps. Here is an example of script you'd want to run in a PowerShell Window
 
 ```PowerShell
-$secpasswd = ConvertTo-SecureString "[Password here]" -AsPlainText -Force
+$secpasswd = ConvertTo-SecureString "[Password here]" -AsPlainText -Force
 $mycreds = New-Object System.Management.Automation.PSCredential ("[login@tenantName here]", $secpasswd)
 . .\Cleanup.ps1 -Credential $mycreds
 . .\Configure.ps1 -Credential $mycreds
@@ -160,7 +160,7 @@ $tenantId = "yourTenantIdGuid"
 This option combines option 2 and option 3: it creates the application in a specific tenant. See option 3 for the way to get the tenant Id. Then run:
 
 ```PowerShell
-$secpasswd = ConvertTo-SecureString "[Password here]" -AsPlainText -Force
+$secpasswd = ConvertTo-SecureString "[Password here]" -AsPlainText -Force
 $mycreds = New-Object System.Management.Automation.PSCredential ("[login@tenantName here]", $secpasswd)
 $tenantId = "yourTenantIdGuid"
 . .\Cleanup.ps1 -Credential $mycreds -TenantId $tenantId
@@ -180,7 +180,7 @@ The acceptable values for this parameter are:
 
 Example:
 
- ```PowerShell
- . .\Cleanup.ps1 -AzureEnvironmentName "AzureGermanyCloud"
- . .\Configure.ps1 -AzureEnvironmentName "AzureGermanyCloud"
- ```
+```PowerShell
+. .\Cleanup.ps1 -AzureEnvironmentName "AzureGermanyCloud"
+. .\Configure.ps1 -AzureEnvironmentName "AzureGermanyCloud"
+```