Merge pull request #294 from jelledruyts/jelled
Number of updates to "Identity for Developers" hack based on recent delivery
jrzyshr authored Dec 15, 2021
2 parents 2ce25bf + 0f1b9f4 commit ebcd274
Showing 29 changed files with 286 additions and 201 deletions.
1 change: 0 additions & 1 deletion .gitignore
Expand Up @@ -11,7 +11,6 @@
*.user
*.userosscache
*.sln.docstates
*.vscode

# User-specific files (MonoDevelop/Xamarin Studio)
*.userprefs
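Review bot: dropping `*.vscode` from the root `.gitignore` un-ignores `.vscode` folders for every project in the repository, not only the HarnessApp `launch.json`/`tasks.json` this PR adds, so other contributors' editor state will start showing up in commits. A narrower change keeps the pattern and re-includes just the one folder that should be tracked, e.g. `!021-IdentityForApps/Student/Resources/HarnessApp/.vscode/` placed after the `*.vscode` line.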
22 changes: 10 additions & 12 deletions 021-IdentityForApps/Coach/05-claims-enrichment.md
Expand Up @@ -40,16 +40,14 @@ curl --location --request POST 'https://localhost:5001/Territory' \
## Tips

1. Ensure that the User Flow collects both the Consultant ID **_and_** the Territory Name (even though Territory Name is populated by the API Connector). You can modify the custom HTML template to select the label and text box for Territory Name and set it to `display:none` for a style.
2. To hide the custom attribute "Territory Name" from the SignUp page, you will need to add some JavaScript to your custom template. You may want your students to create a second custom template, one for signup/signin and one for profile edit. The template for signup/signin will hide the TerritoryName, but edit profile will still display it.
3. You can hide the TerritoryName attribute by using this snippet of JavaScript:

```Javascript
<script type="text/javascript">
$(document).ready(function () {
// Hide the elements that contain user attributes which the user should not see, as
// they will be populated afterwards with information anyway.
$("#extension_TerritoryName").parents("li").hide();
});
</script>
2. To hide the custom attribute "Territory Name" from the SignUp page, you will need to add some CSS to your custom template. You may want your students to create a second custom template, one for signup/signin and one for profile edit. The template for signup/signin will hide the TerritoryName, but edit profile will still display it.
3. You can hide the TerritoryName attribute by using this snippet of CSS:

```CSS
<style>
/* You may want to uncomment this to prevent displaying the Territory Name attribute! */
/* .extension_TerritoryName_li {
display: none;
} */
</style>
```
4. You also want to make sure your students go to the signup/signin User Flow, select Properties, and then enable the "Enable JavaScript enforcing page layout (preview)" toggle switch.
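Review bot: the CSS rule in tip 3 is shipped commented out, so a student who pastes the snippet verbatim still sees the Territory Name field; either show the active rule (`.extension_TerritoryName_li { display: none; }`) and say where in the template it goes, or state that the comment markers must be removed. Tip 4 still tells students to enable "JavaScript enforcing page layout" although the JavaScript snippet was replaced by CSS; if the toggle is still needed for the custom page layout, say why, otherwise drop the tip. The tips should also say that hiding the field is cosmetic: the input is still part of the form, and the value that lands on the account must come from the API Connector response (as tip 1 notes), not from whatever the browser submits.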
25 changes: 13 additions & 12 deletions 021-IdentityForApps/Student/00-pre-reqs.md
Expand Up @@ -10,18 +10,19 @@ A smart cloud solution architect always has the right tools in their toolbox.

In this challenge we'll be setting up all the tools we will need to complete our challenges.

- Make sure that you have joined the Teams group for this track. The first person on your team at your table should create a new channel in this Team with your team name.
- Install the recommended toolset:
- [Azure Subscription](#azure-subscription)
- [Visual Studio Code](#visual-studio-code)
- [Visual Studio Code plugins for B2C](#visual-studio-code-plugins-for-arm-templates)
- [Managing Cloud Resources](#managing-cloud-resources)
- [Azure Portal](#azure-portal)
- Locate and download the resources found in the "Files" tab of the Team's General channel. There are four folders each containing a different resource that you will use in various challenges:
- `/HarnessApp` contains an ASPNETCORE MVC application that will be used to test our various User Flows and Custom Policies. You will need this starting in Challenge 4.
- `/MSGraphApp` contains a DOTNETCORE Console application that will be used to query your B2C tenant. You will need this in Challenge 7.
- `/PageTemplates` contains various HTML/CSS/JS files that you will use to customize your Sign Up, Sign In, and Edit Profile User Flows. You will use these in Challenge 4.
- `/Verify-inator` contains an ASPNETCORE Web Api application that will be used to validate user attributes from your Sign Up User Flow. You will need this in Challenge 5.
- If applicable, make sure that you have joined the Teams group for this track. The first person on your team at your table should create a new channel in this Team with your team name.
- Install the recommended toolset:
- [Azure Subscription](#azure-subscription)
- [Visual Studio Code](#visual-studio-code)
- [Visual Studio Code plugins for B2C](#visual-studio-code-plugins-for-arm-templates)
- [.NET Core 3.1 SDK](https://dotnet.microsoft.com/download/dotnet/3.1)
- [Managing Cloud Resources](#managing-cloud-resources)
- [Azure Portal](#azure-portal)
- Locate and download the `Resources.zip` file found in the Files tab of your Teams channel. There are four folders in the zip file, each containing different resources that you will use in various challenges:
- `/HarnessApp` contains an ASPNETCORE MVC application that will be used to test our various User Flows and Custom Policies. You will need this starting in Challenge 4.
- `/MSGraphApp` contains a DOTNETCORE Console application that will be used to query your B2C tenant. You will need this in Challenge 7.
- `/PageTemplates` contains various HTML/CSS/JS files that you will use to customize your Sign Up, Sign In, and Edit Profile User Flows. You will use these in Challenge 4.
- `/Verify-inator` contains an ASPNETCORE Web Api application that will be used to validate user attributes from your Sign Up User Flow. You will need this in Challenge 5.

## Azure Subscription

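Review bot: the link text "Visual Studio Code plugins for B2C" still points at the anchor `#visual-studio-code-plugins-for-arm-templates` in both the old and the new list; check that a heading with that slug exists further down the page or fix the anchor. The added .NET Core 3.1 SDK link matches the `netcoreapp3.1` target in the HarnessApp launch config, so that part is consistent.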
12 changes: 6 additions & 6 deletions 021-IdentityForApps/Student/01-provision-b2c.md
Expand Up @@ -4,7 +4,7 @@

## Introduction

You are a cloud engineer at Contoso Manaufacturing (CMC). Recently, CMC IT Leadership has become interested in offering a fully feature white-label identity solution to individuals outside of the company. They do not wish to see these identities inside of your primary Azure AD tenant, nor do they want these identities to be used for collaborating in your Microsoft 365 environment.
You are a cloud engineer at Contoso Manufacturing (CMC). Recently, CMC IT Leadership has become interested in offering a fully feature white-label identity solution to individuals outside of the company. They do not wish to see these identities inside of your primary Azure AD tenant, nor do they want these identities to be used for collaborating in your Microsoft 365 environment.

## Description

Expand All @@ -17,8 +17,8 @@ As an engineer, you have heard of Azure AD B2C. You know that your tenant will n

## Learning Resources

- https://docs.microsoft.com/en-us/azure/active-directory-b2c/overview
- https://docs.microsoft.com/en-us/azure/active-directory-b2c/technical-overview
- https://docs.microsoft.com/en-us/azure/active-directory-b2c/whats-new-docs
- https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant
- https://docs.microsoft.com/en-us/azure/active-directory-b2c/billing#link-an-azure-ad-b2c-tenant-to-a-subscription
- [What is Azure Active Directory B2C?](https://docs.microsoft.com/azure/active-directory-b2c/overview)
- [Technical and feature overview of Azure Active Directory B2C](https://docs.microsoft.com/azure/active-directory-b2c/technical-overview)
- [Azure Active Directory B2C: What's new](https://docs.microsoft.com/azure/active-directory-b2c/whats-new-docs)
- [Tutorial: Create an Azure Active Directory B2C tenant](https://docs.microsoft.com/azure/active-directory-b2c/tutorial-create-tenant)
- [Link an Azure AD B2C tenant to a subscription](https://docs.microsoft.com/azure/active-directory-b2c/billing#link-an-azure-ad-b2c-tenant-to-a-subscription)
7 changes: 4 additions & 3 deletions 021-IdentityForApps/Student/04-l14n.md
Expand Up @@ -10,15 +10,16 @@ CMC IT Leadership is _extremely_ impressed with your SignUp / SignIn flow and ho

First off, one of your developers has developed a _harness application_ where you can incorporate your SignUp / SignIn User Flow. Your developer has parameterized it so that you should only have to modify your application's settings in order to incorporate the User Flow.

**NOTE:** This web application is located in the folder named **HarnessApp** in your Teams channel Files tab.
**NOTE:** This web application is located in the [**HarnessApp** folder](Resources/HarnessApp) within the `Resources.zip` file provided by your coach or in the Files tab of your Teams channel.

### Custom Templates and Themes

CMC IT Leadership has decided that, while Slate Gray is a nice theme and all, it's pretty plain. They have asked you to add some custom branding, such as corporate logo and background images, and also to use a different layout for the SignUp / SignIn flow.

CMC IT Leadership would like you to use the provided _HTML layout templates, styles, and images_. You will not need to modify the template unless you want, but you will have to find a place to host these resources. Also, examine the resources in this folder and understand how the templates, CSS files, and images are related. There's a marker for a storage account name in several files, so you may need to replace that at some point.

**NOTE:** These files are located in the folder named **PageTemplates** in your Teams channel Files tab.
**NOTE:** These files are located in the **PageTemplates** folder within the `Resources.zip` file provided by your coach or in the Files tab of your Teams channel.

### Custom Field Labels

In addition to this, they would also like to customize some of the text on the pages, specifically they would like:
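Review bot: the two NOTE lines are inconsistent: the HarnessApp note links to `Resources/HarnessApp`, while the PageTemplates note has no link even though both folders live under `Student/Resources`; make both a link or neither. The HarnessApp link is relative to the `Student` folder, so it only resolves when the page is viewed in the repository, not from the extracted `Resources.zip`; the wording "within the `Resources.zip` file" suggests the plain folder name may be the better choice.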
Expand Down Expand Up @@ -55,7 +56,7 @@ CMC IT Leadership will consider this step successfully completed if you have:

- You don't have to deploy the web harness app to Azure; you can run it locally. However, it would be impressive to CMC IT Leadership if they see the application running in Azure.

- For the custom templates, there is a placeholder for a storage account name. There are four files that have a number of "<your-storage-account-name>" markers. Do a global search-and-replace on that marker with your actual storage account name before you upload the files to your storage account.
- For the custom templates, there is a placeholder for a storage account name. There are files that have a number of `<your-storage-account-name>` markers. Do a global search-and-replace on that marker with your actual storage account name before you upload the files to your storage account.

- In order to upload many files to storage at once, this is a convenient Azure CLI command one might want to use:

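Review bot: "four files" became "files", so the text no longer tells students how many files carry the `<your-storage-account-name>` marker; a one-liner such as `grep -rl "<your-storage-account-name>" PageTemplates/` run before and after the replace lets them confirm nothing was missed. Backticking the marker is the right fix, since the bare angle brackets otherwise render as an HTML tag in Markdown.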
7 changes: 4 additions & 3 deletions 021-IdentityForApps/Student/05-claims-enrichment.md
Expand Up @@ -10,7 +10,7 @@ Azure Active Directory B2C provides the ability to integrate RESTful APIs into y

CMC IT Leadership is really impressed with your work - you might get that sweet promotion you've been in line for over the past several years....BUT (oh no), you are hearing rumblings that QA has found an issue with your SignUp / SignIn policy. It seems that QA has been able to enter bogus CMC Consultant IDs during the SignUp process. As a result, anyone could sign up as a consultant with an invalid CMC Consultant ID, which would distort CMC's numbers.

Luckily, a developer on your team has developed a CMC Consultant ID checker function, and named it the "CMC ID Verify-inator". It validates that the CMC Consultant ID entered adheres to the following rules:
Luckily, a developer on your team has developed a CMC Consultant ID checker Web API, and named it the "CMC ID Verify-inator". It validates that the CMC Consultant ID entered adheres to the following rules:

- the ID is 10 alphanumeric characters (no special characters or spaces allowed);
- the first three characters are digits, the next four are letters, and the last three are digits;
Expand All @@ -26,7 +26,8 @@ You will call the Verify-inator at its `/Territory` endpoint. So if you deployed

Lastly, CMC IT Leadership does not want to present the "Territory Name" attribute to the user during sign-up. They have asked you to please remove this field from the sign-up experience.

**NOTE:** This ASPNETCORE web api application is located in the folder named **Verify-inator** in your Teams channel Files tab.
**NOTE:** This ASPNETCORE web api application is located in the **Verify-inator** folder within the `Resources.zip` file provided by your coach or in the Files tab of your Teams channel.

## Background

Azure AD B2C has a new feature named API Connectors, which allow your B2C User Flows to communicate with REST APIs during the user sign up process. Our application will take advantage of API Connectors.
Expand Down Expand Up @@ -64,7 +65,7 @@ Your UserFlow will update all claims that are returned (such as TerritoryName) a
CMC IT Leadership considers success in dealing with this QA issue if you are able to:

- Create the new custom attribute for Territory Name in your B2C tenant (named "TerritoryName");
- Deploy the Azure function (the "CMC ID Verify-inator"), code located in [Resources](./Resources/Verify-inator) ;
- Deploy the "CMC ID Verify-inator" code in the **Verify-inator** folder within the `Resources.zip` file provided by your coach or in the Files tab of your Teams channel;
- Ensure that, during sign-up, a consultant enters a valid CMC Consultant ID; if they pass in an invalid ID, the consultant is presented with a friendly error message;
- Ensure that, during sign-up, a territory name is generated and added to the consultant's account;
- Ensure that, during sign-up, a consultant is not able to enter a territory name and that they do not see a field for territory name (HINT, you may want to alter your custom template just for signup/signin);
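Review bot: the success criterion now says to deploy the Verify-inator code but not where or how it must be exposed; since B2C calls it through an API Connector (see Background above), the endpoint has to be reachable from B2C over HTTPS, and the criterion should ask students to configure the API Connector's authentication (basic or client certificate) rather than leave the `/Territory` endpoint anonymous. Renaming "Azure function" to the Web API wording is consistent with the coach page and the pre-reqs.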
2 changes: 1 addition & 1 deletion 021-IdentityForApps/Student/07-admin-graph.md
Expand Up @@ -12,7 +12,7 @@ Leadership would like you to build an app that can query the B2C tenant and outp

Luckily, your innovative developer is still here (they haven't taken any time off either) and they've built a **console app** that can do some of this (but you'll need to make some modifications). Luckily, the developer has parameterized the B2C bits, so you'll have to just make some updates to the configuration settings file (appsettings.json) in order to connect to your B2C tenant.

**NOTE:** This DOTNETCORE console application is located in the folder named **MSGraphApp** in your Teams channel Files tab.
**NOTE:** This DOTNETCORE console application is located in the [**MSGraphApp** folder](Resources/MSGraphApp) within the `Resources.zip` file provided by your coach or in the Files tab of your Teams channel.

The console app does quite a bit with your B2C tenant, so perhaps this could be useful later on with some B2C tasks. But for now, you're just concerned with querying the directory to view the users' Consultant ID and Territory Name (option 8 in the console app).
## Success Criteria
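Review bot: there is no blank line between the paragraph ending "(option 8 in the console app)." and the `## Success Criteria` heading, so the heading may not render; add one. Since the NOTE sends students to `appsettings.json` for the B2C connection settings, the text should also say that whatever credential the console app uses to query the tenant must not be committed along with that file.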
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
{
// Use IntelliSense to learn about possible attributes.
// Hover to view descriptions of existing attributes.
// For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
"version": "0.2.0",
"configurations": [
{
"name": ".NET Core Launch (web)",
"type": "coreclr",
"request": "launch",
"preLaunchTask": "build",
"program": "${workspaceFolder}/bin/Debug/netcoreapp3.1/WebApp-OpenIDConnect-DotNet.dll",
"args": [],
"cwd": "${workspaceFolder}",
"stopAtEntry": false,
"serverReadyAction": {
"action": "openExternally",
"pattern": "\\bNow listening on:\\s+(https?://\\S+)"
},
"env": {
"ASPNETCORE_ENVIRONMENT": "Development"
},
"sourceFileMap": {
"/Views": "${workspaceFolder}/Views"
}
}

]
}
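Review bot: `program` hardcodes `WebApp-OpenIDConnect-DotNet.dll` under `netcoreapp3.1`; if the HarnessApp assembly name or target framework changes, this launch config breaks silently, so confirm it matches the csproj. There is a stray blank line between the closing `}` of the configuration and the `]` of the array; harmless but untidy. Nothing sensitive is in the file (only `ASPNETCORE_ENVIRONMENT=Development`), so committing it is fine.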
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
{
// See https://go.microsoft.com/fwlink/?LinkId=733558
// for the documentation about the tasks.json format
"version": "2.0.0",
"tasks": [
{
"label": "build",
"command": "dotnet",
"type": "shell",
"args": [
"build",
"/property:GenerateFullPaths=true",
"/consoleloggerparameters:NoSummary"
],
"group": {
"kind": "build",
"isDefault": true
},
"presentation": {
"reveal": "silent"
},
"problemMatcher": "$msCompile"
}
]
}
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Options;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI.Areas.MicrosoftIdentity.Controllers;
Expand All @@ -18,10 +19,13 @@ public class HarnessAccountController : Controller
{
private AccountController _accountController;
private readonly IOptions<MicrosoftIdentityOptions> _options;
public HarnessAccountController(IOptions<MicrosoftIdentityOptions> microsoftIdentityOptions)
private readonly string _deleteAccountPolicyId;
public HarnessAccountController(IConfiguration configuration, IOptions<MicrosoftIdentityOptions> microsoftIdentityOptions)
{
_accountController = new AccountController(microsoftIdentityOptions);
_options = microsoftIdentityOptions;
// Get the "Delete My Account" custom policy ID from configuration, or use the default value when missing.
_deleteAccountPolicyId = configuration.GetValue<string>("AzureAdB2C:DeleteAccountPolicyId") ?? "B2C_1A_delete_my_account";
}


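Review bot: `configuration.GetValue<string>("AzureAdB2C:DeleteAccountPolicyId") ?? "B2C_1A_delete_my_account"` only falls back when the key is absent; if a student leaves the key present but empty, the challenge is issued with an empty policy name. Use `string.IsNullOrWhiteSpace` for the fallback check, and consider a small options class bound to the `AzureAdB2C` section next to the `IOptions<MicrosoftIdentityOptions>` already injected, rather than a second raw configuration lookup. The default matches the commented-out entry in `appsettings.json`, which is good.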
Expand All @@ -37,7 +41,7 @@ public IActionResult DeleteMyAccount([FromRoute] string scheme)

var redirectUrl = Url.Content("~/");
var properties = new AuthenticationProperties { RedirectUri = redirectUrl };
properties.Items[Constants.Policy] = "B2C_1A_delete_my_account";
properties.Items[Constants.Policy] = _deleteAccountPolicyId;
return _accountController.Challenge(properties, scheme);
}
}
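Review bot: `DeleteMyAccount` starts an account-deletion policy from a route parameter; the action's attributes are outside this hunk, so check that it is restricted to `[HttpPost]` with `[ValidateAntiForgeryToken]` (and `[Authorize]`) rather than reachable from a plain GET link, since a destructive flow should not be startable by a cross-site navigation. The change itself is just the constant-to-field swap and reads fine.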
11 changes: 10 additions & 1 deletion 021-IdentityForApps/Student/Resources/HarnessApp/Startup.cs
@@ -1,6 +1,7 @@
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.

using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
Expand Down Expand Up @@ -34,6 +35,10 @@ public void ConfigureServices(IServiceCollection services)
options.HandleSameSiteCookieCompatibility();
});

// Don't map any standard OpenID Connect claims to Microsoft-specific claims.
// See https://leastprivilege.com/2017/11/15/missing-claims-in-the-asp-net-core-2-openid-connect-handler/.
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

// Configuration to sign-in users with Azure AD B2C
services.AddMicrosoftIdentityWebAppAuthentication(Configuration, "AzureAdB2C");

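Review bot: `JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear()` is a process-wide static, so it affects every token handler in the app, not just this scheme; that is what the harness wants (raw claim names such as `sub` and `name` instead of the `http://schemas...` URIs), and it must run before the first token is validated, which `ConfigureServices` guarantees. Verify afterwards that `User.Identity.Name` still resolves (`TokenValidationParameters.NameClaimType` must be `name` once the mapping is gone), and extend the comment to say that the app-wide scope is intentional.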
Expand All @@ -44,7 +49,11 @@ public void ConfigureServices(IServiceCollection services)

//Configuring appsettings section AzureAdB2C, into IOptions
services.AddOptions();
services.Configure<OpenIdConnectOptions>(Configuration.GetSection("AzureAdB2C"));
services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
// Don't remove any incoming claims so we really see all the claims coming in to the application.
options.ClaimActions.Clear();
});
}

// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
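Review bot: the comment `//Configuring appsettings section AzureAdB2C, into IOptions` is now stale: the replaced line bound the `AzureAdB2C` section to `OpenIdConnectOptions`, while the new code configures the named `OpenIdConnectDefaults.AuthenticationScheme` options and only clears `ClaimActions`; update the comment. Note also that `ClaimActions.Clear()` removes the handler's default delete actions, so protocol claims such as `nonce`, `aud`, `iat`, `nbf`, `exp` and `c_hash` now land in the ClaimsPrincipal and in the auth cookie; that is fine for a harness whose purpose is to display every incoming claim, but the comment should say so, since it inflates the cookie and is not a setting to copy into a real app.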
Original file line number Diff line number Diff line change
Expand Up @@ -5,9 +5,10 @@
"Domain": "<your-tenant>.onmicrosoft.com",
"SignedOutCallbackPath": "/signout/<your-susi-policy-name>",
"SignUpSignInPolicyId": "<your-susi-policy-name>",
"ResetPasswordPolicyId": "<your-pwd-reset-policy-name>",
"ResetPasswordPolicyId": "<your-pwd-reset-policy-name>", // Optional reset password policy
"EditProfilePolicyId": "<your-profile-edit-policy-name>" // Optional profile editing policy
//"CallbackPath": "/signin/B2C_1_sign_up_in" // defaults to /signin-oidc
//"DeleteAccountPolicyId": "B2C_1A_delete_my_account"
//"CallbackPath": "/signin/B2C_1_sign_up_in" // defaults to /signin-oidc
},
"Logging": {
"LogLevel": {
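Review bot: the `//` comments rely on the .NET JSON configuration provider's tolerance for comments; they are not valid JSON, so any other tool (or a student validating the file) rejects it. That was already the case before, but the hunk adds two more, so consider documenting optional settings in a README instead. The commented `DeleteAccountPolicyId` value matches the controller's fallback only as long as someone remembers to change both; phrasing it like the `CallbackPath` comment ("defaults to ...") makes the relationship explicit.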