active-directory-webapp-webapi-multitenant-openidconnect-aspnetcore's Introduction

active-directory-webapp-webapi-multitenant-openidconnect-aspnetcore's Issues

Not authorized on tenant

When I run this application and click signup I'm redirected to login. Upon entering the login credentials for a global admin user on a test tenant I get the following login screen error.

AADSTS50020: User account [username] from identity provider 'live.com' does not exist in tenant [tenant] and cannot access the application [app id] in that tenant. The account needs to be added as an external user in the tenant first.

Correct me if I'm wrong, but isn't the idea of the signup process to onboard new tenants? Or have I misconfigured something?

error when trying to run in IISExpress

An error occurred attempting to determine the process id of dotnet.exe. Keep getting this error. Unable to get it running on the default launch settings or any new https launch settings.

Error Deserializing TokenCache

Pulled down the current release, updated client id/secret and url to point to a custom api and seem to get the below error no matter what I do. What am I missing? Is it a bug in the JSON code to not be able to handle some component of the TokenCache class?

An exception of type 'System.MissingMethodException' occurred in System.Private.CoreLib.ni.dll but was not handled in user code

Additional information: No parameterless constructor defined for this object.

Can app-only or on-behalf-of flow token be silently refreshed?

Hi there, I'm having a lot of trouble trying to find some information on this subject, so I am going through the motions of posting everywhere in an attempt to see if I can get it answered. Appreciate your patience.

I am trying to use on-behalf-of flow to acquire a token with AcquireTokenAsync, store it in the token cache, and from there refresh it using AcquireTokenSilentAsync.

AcquireTokenAsync works fine. I can use the following authority endpoints to do so.

string authority = "https://login.microsoftonline.com/" + tenantId + "/oauth2/v2.0/token";

or

string authority = "https://login.microsoftonline.com/" + tenantId + "/oauth2/authorize";

These both work fine when using AcquireTokenAsync.

My AuthenticationResult looks like so

authenticationResult = await authenticationContext.AcquireTokenAsync(service, cac);

service being the graph endpoint, cac being the loaded certificate.

But........

Here is what I have noticed. The acquiring of the token takes A LONG time, sometimes up to 10 seconds on my machine. This is insanely slow. So even though it does store the token in the cache (I'm using RedisCache, by the way), it does not seem to get it from there on subsequent results.

My assumption, or knowledge thus far, is that one needs to use AcquireTokenSilentAsync to try and acquire a token, and if a non-expired token is in the cache, it will simply deliver this back to the caller and negate the need to make another expensive request for another token from the Azure AD identity server.

Am I right in this assumption/knowledge?

Here is what I am trying thus far. Once I have acquired my token using AcquireTokenAsync and stored it in the cache, I can successfully make calls against the Microsoft Graph API, no problems.

So I have a token stored in cache which is good to go.

Then I fire up my console app again, using the following

UserIdentifier userIdentifier = new UserIdentifier(tenantId, UserIdentifierType.RequiredDisplayableId);
authenticationResult = await authenticationContext.AcquireTokenSilentAsync(service, cac, userIdentifier);

But it just doesn't work. Does the UserIdentifier even get used in this situation when using on-behalf-of flow? I haven't found any good info on this.

Any help would be greatly appreciated. I will post this question on Stack Exchange, GitHub and all other places, as I really REALLY want to know. Can one cache an on-behalf-of token, store it in the cache and get it to deliver it back to the caller if it's still valid, and avoid the expensive re-acquire call to Azure AD? This would really speed things up.

Cheers

Should the Todo HTTP POST validate (ClaimTypes.NameIdentifier).Value = Todo.Owner

I'm looking at this line of code:

On the GET request, the caller is validated that they can view/edit the data:

// GET: /Todo/Edit/5
public ActionResult Edit(int? id)
{
    if (id == null)
    {
        return new BadRequestResult();
    }

    Todo todo = _db.Todoes.Where(t => t.ID == id).FirstOrDefault();
    string owner = User.FindFirst(ClaimTypes.NameIdentifier).Value;
    if (todo == null || (todo.Owner != owner))
    {
        return new NotFoundResult();
    }
    return View(todo);
}

However, the POST action has no validation:

// POST: /Todo/Edit/5
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult Edit([Bind("ID", "Description", "Owner")] Todo todo)
{
    // TODO: make sure that only the OWNER can make changes here.

    if (ModelState.IsValid)
    {
        _db.Entry(todo).State = EntityState.Modified;
        _db.SaveChanges();
        return new RedirectToActionResult("Index", "Todo", null);
    }

    return View(todo);
}

This means to me that any authenticated user (from any tenant) can use an HTTP POST to alter the contents of data that isn't theirs.

Please confirm if this is the case, or if there is some hidden validation I'm overlooking.
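One way to close the gap this issue describes is to make the POST action repeat the ownership check the GET action already performs, loading the stored row and comparing its Owner with the caller's NameIdentifier claim instead of trusting the posted Owner field. This is an added example, not the sample's own code; it assumes the same Todo model, _db context and claim usage shown in the snippets above.

```csharp
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Mvc;

// POST: /Todo/Edit/5
// Added example (not the sample's code): Owner is no longer bindable from the
// request, and the caller must own the persisted row before it is modified.
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult Edit(int id, [Bind("ID", "Description")] Todo input)
{
    // The route id and the posted ID must agree; otherwise reject the request.
    if (id != input.ID)
    {
        return new BadRequestResult();
    }

    // Look up the stored item and the caller's identity, exactly as the GET does.
    Todo existing = _db.Todoes.Where(t => t.ID == id).FirstOrDefault();
    string caller = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;

    // Same response as the GET path: a non-owner learns nothing about the row.
    if (existing == null || caller == null || existing.Owner != caller)
    {
        return new NotFoundResult();
    }

    if (!ModelState.IsValid)
    {
        return View(input);
    }

    // Copy only the editable field onto the tracked entity; Owner never changes,
    // so a crafted form cannot reassign the item to another user.
    existing.Description = input.Description;
    _db.SaveChanges();
    return new RedirectToActionResult("Index", "Todo", null);
}
```

Because the entity is loaded from the context and only Description is copied across, there is no need for the `_db.Entry(todo).State = EntityState.Modified` line from the original action.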
