review changes

Author: derisen

1-Authentication/1-sign-in/README.md

@@ -150,6 +150,7 @@ Locate the root of the sample folder. Then:
 
 1. Open your browser and navigate to `http://localhost:4000`.
 1. Select the **sign-in** button on the top right corner.
+1. Once signed in, select the **ID** button to see some of the claims in your ID token.
 
 ![Screenshot](./ReadmeFiles/screenshot.png)
 

1-Authentication/2-sign-in-b2c/README.md

@@ -15,7 +15,7 @@
 
 ## Overview
 
-This sample demonstrates a Node.js & Express web application that authenticates users against Azure AD, with the help of [Microsoft Authentication Library for Node.js](https://aka.ms/msalnode) (MSAL Node). In doing so, it illustrates authentication concepts such as [OpenID scopes](https://docs.microsoft.com/azure/active-directory/develop/v2-permissions-and-consent#openid-connect-scopes), [ID Tokens](https://docs.microsoft.com/azure/active-directory-b2c/openid-connect), [ID Token validation](https://docs.microsoft.com/azure/active-directory-b2c/openid-connect#validate-the-id-token), [user-flows](https://docs.microsoft.com/azure/active-directory-b2c/user-flow-overview) and more.
+This sample demonstrates a Node.js & Express web application that authenticates users against Azure AD B2C, with the help of [Microsoft Authentication Library for Node.js](https://aka.ms/msalnode) (MSAL Node). In doing so, it illustrates authentication concepts such as [OpenID scopes](https://docs.microsoft.com/azure/active-directory/develop/v2-permissions-and-consent#openid-connect-scopes), [ID Tokens](https://docs.microsoft.com/azure/active-directory-b2c/openid-connect), [ID Token validation](https://docs.microsoft.com/azure/active-directory-b2c/openid-connect#validate-the-id-token), [user-flows](https://docs.microsoft.com/azure/active-directory-b2c/user-flow-overview) and more.
 
 ## Scenario
 
@@ -108,7 +108,7 @@ Open the project in your IDE (like Visual Studio or Visual Studio Code) to confi
 
 1. Open the `appSettings.json` file.
 1. Find the key `clientId` and replace the existing value with the application ID (clientId) of `msal-node-webapp` app copied from the Azure portal.
-1. Find the key `tenantId` and replace the existing value with your Azure AD tenant ID.
+1. Find the key `tenantId` and replace the existing value with your Azure AD B2C tenant ID.
 1. Find the key `clientSecret` and replace the existing value with the key you saved during the creation of `msal-node-webapp` copied from the Azure portal.
 1. Find the key `redirectUri` and replace the existing value with the Redirect URI for `msal-node-webapp`. (by default `http://localhost:4000`).
 1. Find the key `postLogoutRedirectUri` and replace the existing value with the base address of `msal-node-webapp` (by default `http://localhost:4000`).
@@ -125,7 +125,8 @@ Locate the root of the sample folder. Then:
 ## Explore the sample
 
 1. Open your browser and navigate to `http://localhost:4000`.
-1. Click the sign-in button on the top right corner.
+1. Click the **sign-in** button on the top right corner.
+1. Once signed in, select the **ID** button to see some of the claims in your ID token.
 
 ![Screenshot](./ReadmeFiles/screenshot.png)
 

2-Authorization-I/1-call-graph/README.md

@@ -159,7 +159,7 @@ The rest of the **key-value** pairs are for resources/APIs that you would like t
     "nameOfYourResource": {
         "callingPageRoute": "/<route_where_this_resource_will_be_called_from>",
         "endpoint": "<uri_coordinates_of_the_resource>",
-        "scopes": ["scope1_of_the_resource", "scope1_of_the_resource", "..."]
+        "scopes": ["scope1_of_the_resource", "scope2_of_the_resource", "..."]
     },
 ```
 

3-Authorization-II/2-call-api-b2c/README.md

@@ -162,7 +162,7 @@ Open the project in your IDE (like Visual Studio or Visual Studio Code) to confi
 
 1. Open the `WebApp\appSettings.json` file.
 1. Find the key `clientId` and replace the existing value with the application ID (clientId) of `msal-node-webapp` app copied from the Azure portal.
-1. Find the key `tenantId` and replace the existing value with your Azure AD tenant ID.
+1. Find the key `tenantId` and replace the existing value with your Azure AD B2C tenant ID.
 1. Find the key `clientSecret` and replace the existing value with the key you saved during the creation of `msal-node-webapp` copied from the Azure portal.
 1. Find the key `redirectUri` and replace the existing value with the Redirect URI for `msal-node-webapp`. (by default `http://localhost:4000/`).
 1. Find the key `postLogoutRedirectUri` and replace the existing value with the base address of `msal-node-webapp` (by default `http://localhost:4000/`).

4-Deployment/README.md

@@ -13,7 +13,7 @@
 
 ## Overview
 
-This sample demonstrates how to deploy a Node.js & Express web application coupled with a Node.js & Express web API to **Azure Cloud** using the [Azure App Service](https://docs.microsoft.com/azure/app-service/). To do so, we will use the [same code sample from Chapter 3](../3-Authorization-II/1-call-api). One of the principles of security is to place credentials like secrets and certificates out of your code and use it in a manner that allows them to be replaced or rotated without incurring a downtime. To do this, we will make use [Azure Key Vault](https://docs.microsoft.com/azure/key-vault/general/about-keys-secrets-certificates) to store client secrets.
+This sample demonstrates how to deploy a Node.js & Express web application coupled with a Node.js & Express web API to **Azure Cloud** using the [Azure App Service](https://docs.microsoft.com/azure/app-service/). To do so, we will use the [same code sample from Chapter 3](../3-Authorization-II/1-call-api). One of the principles of security is to place credentials like secrets and certificates out of your code and use it in a manner that allows them to be replaced or rotated without incurring a downtime. To do this, we will make use of the [Azure Key Vault](https://docs.microsoft.com/azure/key-vault/general/about-keys-secrets-certificates) to store client secrets.
 
 > :information_source: The steps below apply similarly to B2C applications, for instance the [B2C sample from Chapter 3](../3-Authorization-II/2-call-api-b2c)
 
@@ -30,7 +30,7 @@ This sample demonstrates how to deploy a Node.js & Express web application coupl
 - [VS Code Azure Tools Extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode.vscode-node-azure-pack) extension is recommended for interacting with **Azure** through VS Code interface.
 - An **Azure AD** tenant. For more information, see: [How to get an Azure AD tenant](https://azure.microsoft.com/documentation/articles/active-directory-howto-tenant/)
 - A user account in your **Azure AD** tenant.
-- An **Azure subscription**. This sample uses **Azure App Service**.
+- An **Azure subscription**. This sample uses **Azure App Service** and **Azure Key Vault**.
 
 ## Setup
 

4-Deployment/WebApp/App/routes/router.js

@@ -4,7 +4,8 @@ const express = require('express');
 const identity = require("@azure/identity");
 const keyvaultSecret = require('@azure/keyvault-secrets');
 
-const msalWrapper = require('msal-express-wrapper');
+// importing from Packages folder
+const msalWrapper = require('../../Package/index');
 
 const mainController = require('../controllers/mainController');
 

4-Deployment/WebApp/Package/AuthProvider.d.ts

@@ -0,0 +1,89 @@
+import { Request, Response, NextFunction } from 'express';
+import { ConfidentialClientApplication, Configuration, ICachePlugin, CryptoProvider } from '@azure/msal-node';
+import { TokenValidator } from './TokenValidator';
+import { UrlUtils } from './UrlUtils';
+import { AppSettings } from './Types';
+/**
+ * A simple wrapper around MSAL Node ConfidentialClientApplication object.
+ * It offers a collection of middleware and utility methods that automate
+ * basic authentication and authorization tasks in Express MVC web apps.
+ *
+ * You must have express and express-sessions package installed. Middleware
+ * here can be used with express sessions in route controllers.
+ *
+ * Session variables accessible are as follows:
+    * req.session.isAuthenticated: boolean
+    * req.session.isAuthorized: boolean
+    * req.session.account: AccountInfo
+    * req.session.<resourceName>.accessToken: string
+ */
+export declare class AuthProvider {
+    appSettings: AppSettings;
+    msalConfig: Configuration;
+    urlUtils: UrlUtils;
+    cryptoProvider: CryptoProvider;
+    tokenValidator: TokenValidator;
+    msalClient: ConfidentialClientApplication;
+    /**
+     * @param {JSON} appSettings
+     * @param {ICachePlugin} cache: cachePlugin
+     */
+    constructor(appSettings: AppSettings, cache?: ICachePlugin);
+    /**
+     * Initiate sign in flow
+     * @param {Request} req: express request object
+     * @param {Response} res: express response object
+     * @param {NextFunction} next: express next function
+     */
+    signIn: (req: Request, res: Response, next: NextFunction) => void;
+    /**
+     * Initiate sign out and clean the session
+     * @param {Request} req: express request object
+     * @param {Response} res: express response object
+     * @param {NextFunction} next: express next function
+     */
+    signOut: (req: Request, res: Response, next: NextFunction) => void;
+    /**
+     * Middleware that handles redirect depending on request state
+     * There are basically 2 stages: sign-in and acquire token
+     * @param {Request} req: express request object
+     * @param {Response} res: express response object
+     * @param {NextFunction} next: express next function
+     */
+    handleRedirect: (req: Request, res: Response, next: NextFunction) => Promise<void>;
+    /**
+     * Middleware that gets tokens and calls web APIs
+     * @param {Object} req: express request object
+     * @param {Object} res: express response object
+     * @param {Function} next: express next
+     */
+    getToken: (req: Request, res: Response, next: NextFunction) => Promise<void>;
+    /**
+     * Check if authenticated in session
+     * @param {Object} req: express request object
+     * @param {Object} res: express response object
+     * @param {Function} next: express next
+     */
+    isAuthenticated: (req: Request, res: Response, next: NextFunction) => void | Response;
+    /**
+     * Receives access token in req authorization header
+     * and validates it using the jwt.verify
+     * @param {Object} req: express request object
+     * @param {Object} res: express response object
+     * @param {Function} next: express next
+     */
+    isAuthorized: (req: Request, res: Response, next: NextFunction) => Promise<void | Response>;
+    /**
+     * This method is used to generate an auth code request
+     * @param {Object} req: express request object
+     * @param {Object} res: express response object
+     * @param {NextFunction} next: express next function
+     * @param {AuthCodeParams} params: modifies auth code request url
+     */
+    private getAuthCode;
+    /**
+     * Util method to get the resource name for a given callingPageRoute (appSettings.json)
+     * @param {string} path: /path string that the resource is associated with
+     */
+    private getResourceName;
+}

4-Deployment/WebApp/Package/ConfigurationUtils.d.ts

@@ -0,0 +1,16 @@
+import { Configuration, ICachePlugin } from '@azure/msal-node';
+import { AppSettings } from './Types';
+export declare class ConfigurationUtils {
+    /**
+     * Validates the fields in the custom JSON configuration file
+     * @param {JSON} config: configuration file
+     */
+    static validateAppSettings: (config: AppSettings) => void;
+    /**
+     * Maps the custom JSON configuration file to configuration
+     * object expected by MSAL Node ConfidentialClientApplication
+     * @param {JSON} config: configuration file
+     * @param {Object} cachePlugin: passed during initialization
+     */
+    static getMsalConfiguration: (config: AppSettings, cachePlugin?: ICachePlugin) => Configuration;
+}

4-Deployment/WebApp/Package/Constants.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Basic authentication stages used to determine
+ * appropriate action after redirect occurs
+ */
+export declare const AppStages: {
+    SIGN_IN: string;
+    SIGN_OUT: string;
+    ACQUIRE_TOKEN: string;
+};
+/**
+ * Allowed fields in JSON configuration file
+ */
+export declare const JsonConfiguration: {
+    CREDENTIALS: string;
+    CONFIGURATION: string;
+    RESOURCES: string;
+    POLICIES: string;
+    PROTECTED: string;
+};
+/**
+ * Various error constants
+ */
+export declare const ErrorMessages: {
+    NOT_PERMITTED: string;
+    INVALID_TOKEN: string;
+    CANNOT_DETERMINE_APP_STAGE: string;
+    NONCE_MISMATCH: string;
+    INTERACTION_REQUIRED: string;
+    TOKEN_NOT_FOUND: string;
+    TOKEN_NOT_DECODED: string;
+    TOKEN_NOT_VERIFIED: string;
+    KEYS_NOT_OBTAINED: string;
+    STATE_NOT_FOUND: string;
+};
+/**
+ * For more information, visit: https://login.microsoftonline.com/error
+ */
+export declare const ErrorCodes: {
+    65001: string;
+};

4-Deployment/WebApp/Package/TokenValidator.d.ts

@@ -0,0 +1,24 @@
+import { Configuration } from '@azure/msal-node';
+import { AppSettings } from './Types';
+export declare class TokenValidator {
+    appSettings: AppSettings;
+    msalConfig: Configuration;
+    constructor(appSettings: AppSettings, msalConfig: Configuration);
+    /**
+     * Validates the id token for a set of claims
+     * @param {Object} idTokenClaims: decoded id token claims
+     */
+    validateIdToken: (idTokenClaims: any) => boolean;
+    /**
+     * Validates the access token for signature and against a predefined set of claims
+     * @param {string} accessToken: raw JWT token
+     * @param {string} protectedRoute: used for checking scope
+     */
+    validateAccessToken: (accessToken: any, protectedRoute: any) => Promise<boolean>;
+    /**
+     * Fetches signing keys of an access token
+     * from the authority discovery endpoint
+     * @param {string} header
+     */
+    private getSigningKeys;
+}