diff --git a/src/Microsoft.Identity.Web.AgentIdentities/Microsoft.Identity.Web.AgentIdentities.csproj b/src/Microsoft.Identity.Web.AgentIdentities/Microsoft.Identity.Web.AgentIdentities.csproj
index d8231b45c..6a94cc28e 100644
--- a/src/Microsoft.Identity.Web.AgentIdentities/Microsoft.Identity.Web.AgentIdentities.csproj
+++ b/src/Microsoft.Identity.Web.AgentIdentities/Microsoft.Identity.Web.AgentIdentities.csproj
@@ -3,7 +3,7 @@
Microsoft Identity Web Agentic Identity support
Microsoft Identity Web for Agent Identities
- Helper methods for Agent applications to act as the agent identities.
+ Helper methods for Agent identity blueprint to act as the agent identities.
README.md
diff --git a/src/Microsoft.Identity.Web.Sidecar/Endpoints/ValidateRequestEndpoints.cs b/src/Microsoft.Identity.Web.Sidecar/Endpoints/ValidateRequestEndpoints.cs
index cc906f330..3744a3811 100644
--- a/src/Microsoft.Identity.Web.Sidecar/Endpoints/ValidateRequestEndpoints.cs
+++ b/src/Microsoft.Identity.Web.Sidecar/Endpoints/ValidateRequestEndpoints.cs
@@ -23,8 +23,10 @@ public static void AddValidateRequestEndpoints(this WebApplication app)
private static Results, ProblemHttpResult> ValidateEndpoint(HttpContext httpContext, IConfiguration configuration)
{
string scopeRequiredByApi = configuration["AzureAd:Scopes"] ?? string.Empty;
- httpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);
-
+ if (!string.IsNullOrWhiteSpace(scopeRequiredByApi))
+ {
+ httpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);
+ }
var claimsPrincipal = httpContext.User;
var token = claimsPrincipal.GetBootstrapToken() as JsonWebToken;
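Review bot: The new guard turns an empty `AzureAd:Scopes` into "no scope check at all", so a bearer token that validated but carries neither an `scp` nor a `roles` claim now passes this endpoint, and nothing at the call site records that this is deliberate (the sidecar's appsettings.json in this same commit turns on `AllowWebApiToBeAuthorizedByACL`, which is what lets such app-only tokens through token validation in the first place). Put the intent next to the guard, e.g. `// Empty Scopes = app-only / ACL-authorized callers: no delegated-scope check here; authorization then rests on audience validation and AllowWebApiToBeAuthorizedByACL.` It is also worth stating, in that comment or the method doc, that `VerifyUserHasAnyAcceptedScope` only inspects delegated scopes: an app-only caller's `roles` are not verified by this method, so a deployment that wants role enforcement has to configure it separately. The rest of `ValidateEndpoint`'s body and its closing brace lie outside the hunk.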
diff --git a/src/Microsoft.Identity.Web.Sidecar/appsettings.json b/src/Microsoft.Identity.Web.Sidecar/appsettings.json
index aa19d82f3..442be4ec0 100644
--- a/src/Microsoft.Identity.Web.Sidecar/appsettings.json
+++ b/src/Microsoft.Identity.Web.Sidecar/appsettings.json
@@ -20,7 +20,8 @@ For more info see https://aka.ms/dotnet-template-ms-identity-platform
}
],
- "EnablePiiLogging": false
+ "EnablePiiLogging": false,
+ "AllowWebApiToBeAuthorizedByACL": true,
},
"DownstreamApi": {
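Review bot: `"AllowWebApiToBeAuthorizedByACL": true` in the sidecar's shipped appsettings.json changes the default posture of every sidecar deployment, not only the agent-identity test: without it Microsoft.Identity.Web rejects tokens that carry neither `scp` nor `roles`, with it such app-only tokens are accepted and authorization falls back to the audience and the app's ACL. If that is the intended default, say so inline (the .NET JSON configuration provider skips comments), e.g. `"AllowWebApiToBeAuthorizedByACL": true, // accept app-only tokens with no roles claim; authorization relies on audience + ACL`; otherwise keep it off here and let the test configuration (appsettings.agentids.json) opt in. Both this hunk and the `AllowedHosts` hunk below also leave a trailing comma before the closing `}`; the configuration provider tolerates it, but it is not valid JSON and strict parsers and linters will reject the file, so drop it.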
@@ -37,7 +38,7 @@ For more info see https://aka.ms/dotnet-template-ms-identity-platform
"Microsoft.AspNetCore": "Warning"
}
},
- "AllowedHosts": "*"
+ "AllowedHosts": "*",
}
diff --git a/tests/E2E Tests/Sidecar.Tests/Sidecar.Tests.csproj b/tests/E2E Tests/Sidecar.Tests/Sidecar.Tests.csproj
index 929682778..5619c2a8b 100644
--- a/tests/E2E Tests/Sidecar.Tests/Sidecar.Tests.csproj
+++ b/tests/E2E Tests/Sidecar.Tests/Sidecar.Tests.csproj
@@ -10,6 +10,15 @@
+
+
+
+
+ Always
+
+
+
+
diff --git a/tests/E2E Tests/Sidecar.Tests/ValidateEndpointTests.cs b/tests/E2E Tests/Sidecar.Tests/ValidateEndpointTests.cs
index 42d142304..8661a1b38 100644
--- a/tests/E2E Tests/Sidecar.Tests/ValidateEndpointTests.cs
+++ b/tests/E2E Tests/Sidecar.Tests/ValidateEndpointTests.cs
@@ -2,16 +2,29 @@
// Licensed under the MIT License.
using System.Net.Http.Headers;
+using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc.Testing;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Identity.Abstractions;
+using Microsoft.Identity.Web;
using Microsoft.Identity.Web.Sidecar;
+using Microsoft.Identity.Web.TokenCacheProviders.InMemory;
using Xunit;
namespace Sidecar.Tests;
public class SidecarApiFactory : WebApplicationFactory
{
- protected override void ConfigureWebHost(Microsoft.AspNetCore.Hosting.IWebHostBuilder builder)
+ protected override void ConfigureWebHost(IWebHostBuilder builder)
{
+ builder.ConfigureAppConfiguration(builder =>
+ {
+ builder.AddJsonFile(
+ path: Path.Combine(Directory.GetCurrentDirectory().ToString(), "appsettings.agentids.json"),
+ optional: false,
+ reloadOnChange: true);
+ });
builder.ConfigureServices(services =>
{
});
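Review bot: The inner lambda parameter of the `ConfigureAppConfiguration` call shadows the outer `builder` parameter of `ConfigureWebHost`, and `Directory.GetCurrentDirectory().ToString()` calls `ToString` on a value that is already a string. Rename the lambda parameter and drop the redundant call: `builder.ConfigureAppConfiguration(config => config.AddJsonFile(path: Path.Combine(Directory.GetCurrentDirectory(), "appsettings.agentids.json"), optional: false, reloadOnChange: false));`. A file watcher (`reloadOnChange: true`) buys nothing in a test host, and if the runner's working directory can differ from the build output directory, `AppContext.BaseDirectory` is the more reliable base for a file copied at build time. `ConfigureWebHost`'s closing brace lies outside the hunk.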
@@ -34,4 +47,50 @@ public async Task Validate_WhenBadTokenAsync()
var content = await response.Content.ReadAsStringAsync();
Assert.Contains("invalid_token", response.Headers.WwwAuthenticate.ToString(), StringComparison.CurrentCultureIgnoreCase);
}
+
+ [Fact]
+ public async Task Validate_WhenGoodTokenAsync()
+ {
+ // Getting a token to call the API.
+ string authorizationHeader = await GetAuthorizationHeaderToCallTheSideCarAsync();
+
+ // Calling the API
+ var client = _factory.CreateClient();
+
+ client.DefaultRequestHeaders.Authorization = AuthenticationHeaderValue.Parse(authorizationHeader);
+ var response = await client.GetAsync("/Validate");
+ Assert.Equal(System.Net.HttpStatusCode.OK, response.StatusCode);
+ var content = await response.Content.ReadAsStringAsync();
+
+ Assert.NotEmpty(content);
+ }
+
+ private static async Task GetAuthorizationHeaderToCallTheSideCarAsync()
+ {
+ ServiceCollection services = new();
+ IConfiguration configuration = new ConfigurationBuilder().AddInMemoryCollection().Build();
+ services.AddSingleton(configuration);
+ configuration["Instance"] = "https://login.microsoftonline.com/";
+ configuration["TenantId"] = "31a58c3b-ae9c-4448-9e8f-e9e143e800df";
+ configuration["ClientId"] = "5cbcd9ff-c994-49ac-87e7-08a93a9c0794";
+ configuration["SendX5C"] = "true";
+ configuration["ClientCredentials:0:SourceType"] = "StoreWithDistinguishedName";
+ configuration["ClientCredentials:0:CertificateStorePath"] = "LocalMachine/My";
+ configuration["ClientCredentials:0:CertificateDistinguishedName"] = "CN=LabAuth.MSIDLab.com";
+
+ services.AddTokenAcquisition().AddHttpClient().AddInMemoryTokenCaches();
+ services.Configure(configuration);
+ IServiceProvider serviceProvider = services.BuildServiceProvider();
+
+ IAuthorizationHeaderProvider authorizationHeaderProvider = serviceProvider.GetRequiredService();
+ string authorizationHeader = await authorizationHeaderProvider.CreateAuthorizationHeaderForAppAsync("api://d15884b6-a447-4dd5-a5a5-a668c49f6300/.default",
+ new AuthorizationHeaderProviderOptions()
+ {
+ AcquireTokenOptions = new AcquireTokenOptions()
+ {
+ AuthenticationOptionsName = ""
+ }
+ });
+ return authorizationHeader;
+ }
}
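Review bot: `services.BuildServiceProvider()` in `GetAuthorizationHeaderToCallTheSideCarAsync` returns a `ServiceProvider` that is never disposed, so the HttpClient factory and token-cache services it owns outlive the test; declare it `await using ServiceProvider serviceProvider = services.BuildServiceProvider();`. The test also has hard external prerequisites that are not visible from its name or body — a certificate with `CN=LabAuth.MSIDLab.com` in `LocalMachine/My` and network access to the lab tenant — so on any other machine it fails rather than skips; a header comment naming them, or a conditional skip when the certificate is absent, would make that failure mode explicit. `Validate_WhenGoodTokenAsync` only asserts that the body is non-empty; asserting on the returned content (the endpoint's response shape is not shown here) would pin the behaviour that the `ValidateEndpoint` change in this commit enables. The `HttpClient` from `_factory.CreateClient()` could likewise be declared `using var client`.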
diff --git a/tests/E2E Tests/Sidecar.Tests/appsettings.agentids.json b/tests/E2E Tests/Sidecar.Tests/appsettings.agentids.json
new file mode 100644
index 000000000..56e4af366
--- /dev/null
+++ b/tests/E2E Tests/Sidecar.Tests/appsettings.agentids.json
@@ -0,0 +1,22 @@
+{
+ "$schema": "https://raw.githubusercontent.com/AzureAD/microsoft-identity-web/refs/heads/master/JsonSchemas/microsoft-identity-web.json",
+ "AzureAd": {
+ "Instance": "https://login.microsoftonline.com/",
+ "TenantId": "31a58c3b-ae9c-4448-9e8f-e9e143e800df",
+ "ClientId": "d15884b6-a447-4dd5-a5a5-a668c49f6300", // Agent application ClientId
+ "ClientCredentials": [
+ {
+ "SourceType": "StoreWithDistinguishedName",
+ "CertificateStorePath": "LocalMachine/My",
+ "CertificateDistinguishedName": "CN=LabAuth.MSIDLab.com"
+ }
+ ],
+ "Scopes": "",
+
+ "Audience": "d15884b6-a447-4dd5-a5a5-a668c49f6300"
+ },
+
+ "DownstreamApis": {
+
+ }
+}
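Review bot: `"Scopes": ""` is the setting that, together with the guard added to `ValidateEndpoint` in this commit, switches off the delegated-scope check for the test host, yet the file only annotates `ClientId`; give the empty value the same treatment so a reader does not take it for an omission: `"Scopes": "", // intentionally empty: app-only callers, no delegated-scope check`. The `//` comment on `ClientId` is only tolerated because the .NET configuration provider skips comments, which is fine for a test fixture but worth knowing if the `$schema` reference is ever used to validate the file strictly. The test factory appears to load this file on top of the sidecar's own appsettings.json, so `AllowWebApiToBeAuthorizedByACL` is inherited from there rather than stated here; if that default is ever made opt-in, this fixture must set it explicitly.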