AzureAD · jmprieur · Aug 13, 2020 · Aug 3, 2020 · Aug 4, 2020 · Aug 4, 2020
@@ -58,8 +58,13 @@ internal static class Constants
         public const string Bearer = "Bearer";
         public const string LoginHint = "loginHint";
         public const string DomainHint = "domainHint";
+        public const string Authorization = "Authorization";
 
-        // Blazor challenge uri
+        // Blazor challenge URI
         public const string BlazorChallengeUri = "MicrosoftIdentity/Account/Challenge?redirectUri=";
+
+        // Microsoft Graph
+        public const string UserReadScope = "user.read";
+        public const string GraphBaseUrlV1 = "https://graph.microsoft.com/v1.0";
     }
 }
@@ -31,6 +31,7 @@ internal static class IDWebErrorMessage
         public const string UnauthenticatedUser = "IDW10204:The user is unauthenticated. The HttpContext does not contain any claims. ";
         public const string BlazorServerBaseUriNotSet = "IDW10205: Using Blazor server but the base URI was not properly set. ";
         public const string BlazorServerUserNotSet = "IDW10206: Using Blazor server but the user was not properly set. ";
+        public const string CalledApiScopesAreNull = "IDW10207: The CalledApiScopes cannot be null. ";
 
         // Token Validation IDW10300 = "IDW10300:"
         public const string IssuerMetadataUrlIsRequired = "IDW10301: Azure AD Issuer metadata address URL is required. ";

@@ -94,6 +94,7 @@
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>
+    <PackageReference Include="Microsoft.Graph" Version="3.9.0" />
     <PackageReference Include="Microsoft.Identity.Client" Version="4.17.1" />
     <PackageReference Include="StyleCop.Analyzers" Version="1.2.0-beta.164">
       <PrivateAssets>all</PrivateAssets>

@@ -0,0 +1,24 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+namespace Microsoft.Identity.Web
+{
+    /// <summary>
+    /// Options passed-in to call Microsoft Graph.
+    /// </summary>
+    public class MicrosoftGraphOptions
+    {
+        /// <summary>
+        /// Base URL for the Microsoft Graph API. By default: <c>"https://graph.microsoft.com/v1.0/"</c>
+        /// but it can be changed to use the Microsoft Graph Beta endpoint or national cloud versions
+        /// of MicrosoftGraph.
+        /// </summary>
+        public string BaseUrl { get; set; } = "https://graph.microsoft.com/v1.0/";
+
+        /// <summary>
+        /// Space separated scopes used to call Microsoft Graph,
+        /// for instance <c>user.read mail.read</c>.
+        /// </summary>
+        public string? Scopes { get; set; } = "user.read";
+    }
+}
@@ -0,0 +1,93 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Options;
+using Microsoft.Graph;
+
+namespace Microsoft.Identity.Web
+{
+    /// <summary>
+    /// Extensions methods on a MicrosoftIdentityAppCallingWebApiAuthenticationBuilder builder
+    /// to add support to call Microsoft Graph.
+    /// </summary>
+    public static class MicrosoftGraphServiceExtensions
+    {
+        /// <summary>
+        /// Add support to call Microsoft Graph. From a named option and a configuration section.
+        /// </summary>
+        /// <param name="builder">Builder.</param>
+        /// <param name="configurationSection">Configuration section.</param>
+        /// <returns>The builder to chain.</returns>
+        public static MicrosoftIdentityAppCallsWebApiAuthenticationBuilder AddMicrosoftGraphServiceClient(
+            this MicrosoftIdentityAppCallsWebApiAuthenticationBuilder builder,
+            IConfigurationSection configurationSection)
+        {
+            return builder.AddMicrosoftGraphServiceClient(
+                options => configurationSection.Bind(options));
+        }
+
+        /// <summary>
+        /// Add support to call Microsoft Graph. From a base Graph URL and a default scope.
+        /// </summary>
+        /// <param name="builder">Builder.</param>
+        /// <param name="graphBaseUrl">Named instance of option.</param>
+        /// <param name="defaultScopes">Configuration section.</param>
+        /// <returns>The builder to chain.</returns>
+        public static MicrosoftIdentityAppCallsWebApiAuthenticationBuilder AddMicrosoftGraphServiceClient(
+            this MicrosoftIdentityAppCallsWebApiAuthenticationBuilder builder,
+            string graphBaseUrl = Constants.GraphBaseUrlV1,
+            string defaultScopes = Constants.UserReadScope)
+        {
+            return builder.AddMicrosoftGraphServiceClient(
+                options =>
+                {
+                    options.BaseUrl = graphBaseUrl;
+                    options.Scopes = defaultScopes;
+                });
+        }
+
+        /// <summary>
+        /// Add support to call Microsoft Graph. From a named options and a configuration method.
+        /// </summary>
+        /// <param name="builder">Builder.</param>
+        /// <param name="configureMicrosoftGraphOptions">Method to configure the options.</param>
+        /// <returns>The builder to chain.</returns>
+        public static MicrosoftIdentityAppCallsWebApiAuthenticationBuilder AddMicrosoftGraphServiceClient(
+            this MicrosoftIdentityAppCallsWebApiAuthenticationBuilder builder,
+            Action<MicrosoftGraphOptions> configureMicrosoftGraphOptions)
+        {
+            if (builder == null)
+            {
+                throw new ArgumentNullException(nameof(builder));
+            }
+
+            // https://docs.microsoft.com/en-us/dotnet/standard/microservices-architecture/implement-resilient-applications/use-httpclientfactory-to-implement-resilient-http-requests
+            builder.Services.AddOptions<MicrosoftGraphOptions>().Configure(configureMicrosoftGraphOptions);
+            builder.Services.AddTokenAcquisition(true);
+
+            builder.Services.AddSingleton<GraphServiceClient, GraphServiceClient>(serviceProvider =>
+            {
+                var tokenAquisitionService = serviceProvider.GetRequiredService<ITokenAcquisition>();
+                var options = serviceProvider.GetRequiredService<IOptions<MicrosoftGraphOptions>>();
+
+                var microsoftGraphOptions = options.Value;
+                if (microsoftGraphOptions.Scopes == null)
+                {
+                    throw new ArgumentException(IDWebErrorMessage.CalledApiScopesAreNull);
+                }
+
+                string graphBaseUrl = microsoftGraphOptions.BaseUrl;
+                string[] initialScopes = microsoftGraphOptions.Scopes.Split(' ');
+
+                GraphServiceClient client = string.IsNullOrWhiteSpace(graphBaseUrl) ?
+                            new GraphServiceClient(new TokenAcquisitionCredentialProvider(tokenAquisitionService, initialScopes)) :
+                            new GraphServiceClient(graphBaseUrl, new TokenAcquisitionCredentialProvider(tokenAquisitionService, initialScopes));
+                return client;
+            });
+            return builder;
+        }
+    }
+}
@@ -0,0 +1,42 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System.Collections.Generic;
+using System.Globalization;
+using System.Net.Http;
+using System.Threading.Tasks;
+using Microsoft.Graph;
+
+namespace Microsoft.Identity.Web
+{
+    /// <summary>
+    /// Authentication provider based on ITokenAcquisition.
+    /// </summary>
+    internal class TokenAcquisitionCredentialProvider : IAuthenticationProvider
+    {
+        public TokenAcquisitionCredentialProvider(ITokenAcquisition tokenAcquisition, IEnumerable<string> initialScopes)
+        {
+            _tokenAcquisition = tokenAcquisition;
+            _initialScopes = initialScopes;
+        }
+
+        private ITokenAcquisition _tokenAcquisition;
+        private IEnumerable<string> _initialScopes;
+
+        /// <summary>
+        /// Adds a bearer header to an HttpRequestMessage.
+        /// </summary>
+        /// <param name="request">HttpRequest message to authenticate.</param>
+        /// <returns>A Task (as this is an async method).</returns>
+        public async Task AuthenticateRequestAsync(HttpRequestMessage request)
+        {
+            request.Headers.Add(
+                Constants.Authorization,
+                string.Format(
+                    CultureInfo.InvariantCulture,
+                    "{0}{1}",
+                    Constants.Bearer,
+                    await _tokenAcquisition.GetAccessTokenForUserAsync(_initialScopes).ConfigureAwait(false)));
+        }
+    }
+}
@@ -23,7 +23,6 @@
 
   <ItemGroup>
     <PackageReference Include="Microsoft.AspNetCore.DataProtection.Abstractions" Version="3.1.1" />
-    <PackageReference Include="Microsoft.Graph" Version="1.16.0" />
     <PackageReference Include="WindowsAzure.Storage" Version="9.3.3" />
   </ItemGroup>
 

@@ -26,15 +26,13 @@ public Startup(IConfiguration configuration)
         // For more information on how to configure your application, visit https://go.microsoft.com/fwlink/?LinkID=398940
         public void ConfigureServices(IServiceCollection services)
         {
-            string[] scopes = Configuration.GetValue<string>("CalledApi:CalledApiScopes")?.Split(' ');
             services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
                     .AddMicrosoftIdentityWebApp(Configuration, "AzureAd")
-                        .EnableTokenAcquisitionToCallDownstreamApi(scopes)
+                        .EnableTokenAcquisitionToCallDownstreamApi()
+                            .AddMicrosoftGraphServiceClient(Configuration.GetSection("GraphBeta"))
                         .AddInMemoryTokenCaches();
 
             services.AddDownstreamWebApiService(Configuration);
-            services.AddMicrosoftGraph(scopes,
-                                       Configuration.GetValue<string>("CalledApi:CalledApiUrl"));
             services.AddControllersWithViews()
                     .AddMicrosoftIdentityUI();
 

@@ -10,6 +10,10 @@
         // To call an API
         "ClientSecret": "secret-goes-here"
     },
+    "GraphBeta": {
+        "BaseUrl": "https://graph.microsoft.com/beta",
+        "Scopes": "user.read"
+    },
     "CalledApi": {
     /*
      'CalledApiScopes' contains space separated scopes of the Web API you want to call. This can be:

@@ -4,7 +4,6 @@
      <UserSecretsId>66e5c3c7-f757-4032-bfcf-68bd81948618</UserSecretsId>
   </PropertyGroup>
   <ItemGroup>
-    <PackageReference Include="Microsoft.Graph" Version="3.8.0" />
     <ProjectReference Include="..\..\src\Microsoft.Identity.Web.UI\Microsoft.Identity.Web.UI.csproj" />
     <ProjectReference Include="..\..\src\Microsoft.Identity.Web\Microsoft.Identity.Web.csproj" />
   </ItemGroup>