Azure – DTan's Blog

Getting Started with Azure Data Catalog REST API

What is Azure Data Catalog? Simply put, Azure Data Catalog is a SaaS application hosted within Azure’s Cloud Stack. With Azure Data Catalog, enterprise customers can store information about their enterprise data source assets. There’s the concept of catalogs, assets and annotations and for more information, go to: https://azure.microsoft.com/en-us/services/data-catalog/

We use Azure Data Catalog to organize, discover and understand all of our backend data sources. With that in mind, I needed to find a solution where we can automate data source creation (Databases, Tables, etc…) to Azure Data Catalog and don’t want to spend the time creating/registering assets manually. It is a tedious process to manually specially if you have to deal with lots of databases and stored procedures J.

Microsoft exposes an API for you to use and work with Azure Data Catalog. There are plenty of documentation out there but it really took me a while to get everything setup and working correctly. At least from searching on existing assets and registering a new one.

Most of Microsoft’s documentation around the Azure Data Catalog API is located here:

https://docs.microsoft.com/en-us/rest/api/datacatalog/

This guide will walk you through the steps on registering a catalog asset with additional information to properly authenticate against Azure AD and a modified schema version to include annotations when registering or updating a catalog asset. Note that sample below uses Native Client Authentication to Azure Active Directory.

Part 1

The first section talks about creating an Azure Active Directory client app registration. We will use this to authenticate either using OAuth2 or Federation

Note: As of writing this blog post, the screenshots below have been taken from the recent UI on azure portal.

Register a client app in Azure Active Directory. When you register a client app in Azure Active Directory, you give your app access to the Data Catalog APIs. To register a client app:

1. Go to http://portal.azure.com

2. Click on “Azure Active Directory”

3. Click on “App Registrations”

4. Click on “Add” and provide a “Name”, “Application Type” and “Redirect UI”. NOTE: The redirect URI is a unique identifier for the client to send the access token back. This doesn’t have to be a valid URI however; you need to keep track of this. You will need it later to authenticate against the catalog api.

GRANT the app client access to the Azure Catalog API. To do this:

1. Click on “Settings” on the newly created app registration.

2. Click on “Required Permissions” then “Add”

3. On “Select an API”, pick “Microsoft Azure Data Catalog”

4. Take the defaults

5. IMPORTANT: Make sure you click on “GRANT PERMISSIONS” once you select “Microsoft Azure Data Catalog” as seen below. If you don’t do this, then your native client will not be able to authenticate properly on the Azure Data Catalog API.

Part 2

The second section talks about authenticating against Azure REST API. Particularly, authenticating against Azure Data Catalog API. The article below will guide you through steps on calling the Azure Data Catalog API via ADAL libraries for authentication. The information presented below from Microsoft’s site is accurate as of this writing.

Authenticate a client app

https://docs.microsoft.com/en-us/rest/api/datacatalog/authenticate-a-client-app

Couple of notes from the steps mentioned above:

· “Register a Client App”. You just did this in the preceding steps. Make sure to write down the Client ID (or APP ID of the newly created app in azure active directory)

· Don’t use HTTPWebRequest rather use HTTPClient to authenticate. HTTPClient has far more features that HTTPWebRequest. That said, refer to this Microsoft article for examples on HTTPClient.

Calling a Web API From a .NET Client (C#)

https://docs.microsoft.com/en-us/aspnet/web-api/overview/advanced/calling-a-web-api-from-a-net-client

Part 3

Changes to the request body when registering Data Assets. This is the part where I’ve spend most of my research modifying the schema for registering or updating assets. In this case, adding annotations during the registration process. Microsoft provides basic schema definitions when registering assets but doesn’t provide enough details on other schema values such as annotation experts, tags and description. Here’s a modified version of the schema when registering an asset to include annotations.

{
  "properties": {
    "fromSourceSystem": false,
    "name": "table name",
    "dataSource": {
      "sourceType": "Db2",
      "objectType": "Table"
    },
    "dsl": {
      "protocol": "db2",
      "authentication": "windows",
      "address": {
        "server": "ServerName",
        "database": "DatabaseName",
        "object": "NameOfTable",
        "schema": "dbo"
      }
    },
    "lastRegisteredBy": {
      "upn": "smtp@address.com",
      "firstName": "Don",
      "lastName": "Tan"
    },
    "containerId": "containers/<SomeGuid>"
  },
  "annotations": {
    "schema": {
      "properties": {
        "fromSourceSystem": true,
        "columns": [
          {
            "name": "identity",
            "isNullable": false,
            "type": "Int32",
            "maxLength": 0,
            "precision": 0
          },
          {
            "name": "Other Column",
            "isNullable": false,
            "type": "String",
            "maxLength": 0,
            "precision": 0
          },
          {
            "name": "short_desc",
            "isNullable": false,
            "type": "String",
            "maxLength": 0,
            "precision": 0
          }
        ]
      }
    },
    //Add Other Annotation Details
    "experts": [
      {
        "properties": {
          "expert": {
            "upn": "smtp@address.com",
            "objectId": "<SomeGuid>"
          },
          "key": "<SomeGuid>",
          "fromSourceSystem": false
        }
      }
    ],
    "descriptions": [
      {
        "properties": {
          "key": "<SomeGuid>",
          "fromSourceSystem": false,
          "description": "Some Descrption"
        }
      }
    ],
    "tags": [
      {
        "properties": {
          "tag": "Dtan",
          "key": "<SomeGuid>",
          "fromSourceSystem": false
        }
      }
    ]
  }
}

Part 4:

Putting it all together: Here’s a complete sample on how to invoke the Azure Data Catalog using HTTPClient in C#.

// The ResourceURI is used by the application to uniquely identify itself to Azure AD.
// The ClientId is used by the application to uniquely identify itself to Azure AD.
// The AAD Instance is the instance of Azure, for example public Azure or Azure China.
// The Authority is the sign-in URL (either the tenant or OAuth2 provider)
// The RedirectUri gives AAD more details about the specific application that it will authenticate.
// NOTE: Make sure that the ClientID has sufficient permissions against the resourceURI. In this case, Azure Data Catalog
//See article: https://docs.microsoft.com/en-us/rest/api/datacatalog/Register-a-client-app?redirectedfrom=MSDN#client

var ClientId = ConfigurationManager.AppSettings["ClientId"];
var ResourceUri = ConfigurationManager.AppSettings["ResourceUri"];
var RedirectUri = new Uri(ConfigurationManager.AppSettings["RedirectUri"]);
var Tenant = ConfigurationManager.AppSettings["Tenant"];
var AadInstance = ConfigurationManager.AppSettings["AADInstance"];
//OAuth2 provider
//private static readonly string Authority = String.Format(CultureInfo.InvariantCulture, "https://login.windows.net/common/oauth2/authorize");
//Tenant Authority
var Authority = String.Format(CultureInfo.InvariantCulture, AadInstance, Tenant);
var authContext = new AuthenticationContext(Authority);
var authResult =
    authContext.AcquireTokenAsync(ResourceUri, ClientId, RedirectUri,
        new PlatformParameters(PromptBehavior.RefreshSession)).Result;

using (var httpClient = new HttpClient())
{
    var requestbody = "{\"properties\":{\"fromSourceSystem\":false,\"name\":\"air_allowed\",\"dataSource\":{\"sourceType\":\"Db2\",\"objectType\":\"Table\"},\"dsl\":{\"protocol\":\"db2\",\"authentication\":\"windows\",\"address\":{\"server\":\"YourServerName\",\"database\":\"YourDatabase\",\"object\":\"YourTable\",\"schema\":\"dbo\"}},\"lastRegisteredBy\":{\"upn\":\"smtp@address.com \",\"firstName\":\"Don\",\"lastName\":\"Tan\"},\"containerId\":\"containers/42070252-e318-4a0a-8c73-a33c0dc8fd65\"},\"annotations\":{\"schema\":{\"properties\":{\"fromSourceSystem\":true,\"columns\":[{\"name\":\"Column1\",\"isNullable\":false,\"type\":\"String\",\"maxLength\":0,\"precision\":0},{\"name\":\"Column2\",\"isNullable\":false,\"type\":\"String\",\"maxLength\":0,\"precision\":0},{\"name\":\"Column3\",\"isNullable\":false,\"type\":\"String\",\"maxLength\":0,\"precision\":0}]}},\"experts\":[{\"properties\":{\"expert\":{\"upn\":\"smtp@address.com\",\"objectId\":\"fb7d1a8a-4ae6-4ee2-aaaa-9de5b4c598df\"},\"key\":\"52c4543b-ee75-42d7-95e7-3a01437fee58\",\"fromSourceSystem\":false}}],\"descriptions\":[{\"properties\":{\"key\":\"791bab95-428a-4941-b633-7d2d0cd9c75e\",\"fromSourceSystem\":false,\"description\":\"SomeDescription\"}}],\"tags\":[{\"properties\":{\"tag\":\"Dtan\",\"key\":\"a2a3f272-14a3-4a03-b85d-65af33022dc4\",\"fromSourceSystem\":false}}]}}";
    var url = "https://api.azuredatacatalog.com/catalogs/<yourcatalog> /views/tables?api-version=2016-03-30";
    httpClient.DefaultRequestHeaders.Add("Authorization", authResult.CreateAuthorizationHeader());
    httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
    var stringContent = new StringContent(requestbody);
    stringContent.Headers.ContentType = new MediaTypeHeaderValue("application/json");
    var response = httpClient.PostAsync(url, stringContent).Result;
}

Accelerate Release Cycle: Continuous Delivery Automation…

How you can apply Automation to accelerate release cycles, improve quality, safety and governance?

Last Tuesday I participated in an online panel on the subject of CD Automation, as part of Continuous Discussions (#c9d9), a series of community panels about Agile, Continuous Delivery and DevOps. Watch a recording of the panel:

https://www.youtube.com/watch?v=2-_bb9Q-rtw

Continuous Discussions is a community initiative by Electric Cloud, which powers Continuous Delivery at businesses like SpaceX, Cisco, GE and E*TRADE by automating their build, test and deployment processes.

Below are a few insights from my contribution to the panel:

Automation != Orchestration

Automation. There’s really a big opportunity, if I want to start talking about automation, people think about many things that are in automation, but in this context, for Continuous Delivery, it is the process of taking your application, getting it deployed faster, with the right set of quality gates, with the right set of people who will help you automate that process seamlessly. So in turn, it’s more about making sure your application is being deployed more frequently, with the right quality gates in it.

Fundamentally, the process, what you look at is this: you take your application and you build it, then you test it, make sure that the build is good. When you build it, then you deploy to a set of environments – what you think your test or your dev or your staging, your environments, then you test it again. So it’s that balance of how you build your application and test it.

And being a test architect, I’m obviously an advocate of quality, and I think there’s three things people have to figure out when they start thinking about Continuous Delivery: one, the velocity of things – how fast you deploy, two, the quality side of things – what set of quality gates you need to put in place when you build and deploy an application, and the last thing you have to figure out is after you have velocity, and you have your quality, what is the cost of doing things? What set of tool sets you have to use to make all of these things work together?

We have many teams here, and there could be many things and many people, but in terms of our orchestration, what you think about is, what is the current process that prevents us from deploying and what are those manual things that we can avoid. It’s a blend of how long does it take for us to build and deploy a current application, what are the manual processes involved in doing that? Now let’s try to dissect each one of them, and make things easier, because let’s be honest, if it takes you a long time to build your application, that’s going to be a big bottleneck for you to have this Continuous Delivery pipeline.

And on top of that, is, being in the airline industry, one other thing we have to think about when we start thinking about this CD process is the idea of having the right set of guidelines for it, or standards behind it. So if it takes your application, let’s say, minutes to build, hopefully not an hour, just a couple of minutes. Are there any current tool sets, or are there any current technologies we can utilize to make that process much faster, avoid the manual effort of doing it? I’ll give you a perfect example:

Before, I think it was pretty typical for us to deploy application to utilize scripts, some PowerShell scripts, and some batch files, ” x-copy this, copy that…” And certainly now in the world of technologies you really don’t have to do that because we have tools, there’s software that allows you to build and take those bits and automatically deploy them. You just need to utilize the right task. So those are the small things in terms of orchestration that you need to start thinking about. Then on top of that, OK, then what would I need for us to make sure that this current application when we deploy it has the right set of quality gates behind it?

So, looking at those different processes, orchestration, flow, helps a lot. I would strongly suggest taking a look at what your application does and how long does it take to build, and if there’s any way that can you minimize the amount of time to build and manually do it – automate it. There are many tools out there that can help you do it. (Too many…)

We’re using the same thing. You actually have the same orchestration processes, the only thing you have to think about differently is – don’t create a process where it’s dependent on each environment, think about your application when you deploy it, it targets any environment. You can be deploying, you can be using the same processes on a test environment, or a QA environment, but you shouldn’t be developing a process that is different from one environment to the other. Your process orchestration should target any environment, so anyone can take that same process, spin up a new environment, and follow through the same processes over again, utilizing the same quality gates in between.

Also, when you start talking about testing, there’s the traditional way of testing applications where you do a lot of the manual stuff, and sometimes you have a hundred, two hundred, three hundred test cases. Sometimes you have to think smartly when you start doing CD processes. For example, which test make sense to deploy this build, and does it cover the right set of test families? And a good way to tell that is this, and if you have an analytics in your organization, think about which of those scenarios are being utilized more by your customers.

Sometimes you create test cases and automate them just for the sake of automating, but what value do you get out from those automated test cases, if some of those test cases are not even used a lot? So optimize your test, take a look at the data, what you have for your app, and try to dissect that, and think about ways to make your tests smarter, and make that part of your process.

Challenges and Checkpoints of CD Pipelines

as.com, our main website, it’s a great group of people by the way – the way we approach software is – what is the primary reason we’re doing CD? It’s because we’re doing agile development, taking one step at a time, and based on the experience we have in continuing to observe and evaluate, we have a process where you make things easier for people to integrate with each other.

For example, the tools – pick a tool that can easily be used by people, and it works well for the development, the testing and the PM team. Because, one of the challenges is, for example, (and before you even talk about the tools, I want to go one step back), it’s understanding the culture. I think that is the big thing there, to understand the culture change, what people need to do and embrace that, changes are inevitable.

I’ll give you a good example: we’re all use to doing waterfall. Back in the old days, where you hand it off to someone, and hand it off to someone… Now when you start something – everyone’s engaged at that point of view, at that point of time. When I use the set of tools, there are things you have to sacrifice in between, that you’re not accustomed to, for example, for testing, traditionally, you probably still see it from time to time, but some test teams will still create test plans, and the superior views, when you try to do CD, you try to waste some of that time away, and, so, for doing web automation, tackle it at a good point, try to do less – there is a great article out there that talks about the testing pyramid. Where at the very bottom of the base you talk about the coverage of unit testing, in the middle layer you talk about services, then the top layer would be UX automation. Less emphasis on UX automation, more thorough test in the unit test, that way you get more coverage.

So my point is there are certain teams that use different tool sets for testing, while dev and PM use a different set of for managed work, so when the time comes to integrate and do this agile CD approach, what happens is no one has time to learn these tools. A developer will not have time to understand what tool that tester is using to automate stuff, and likewise for PM and other folks, and DevOps, and infrastructure. So think about a tool that will work well for the team, as that is one of the things that made it challenging for us, and even now we’re still evaluating some of these tools. There are many tools, and given that we’re in a world with a lot of open source, you can certainly take advantage of that, and take a look at what people are using out there: tools, culture, the process, also think about, when you start, when you’re doing Continuous Delivery, sometimes you think moving so fast, velocity, orchestration – but think about the small things that really help improve your app – security, performance testing. So my suggestions is, one of key challenges there, is, make sure you have a good monitoring system in place, when you start doing your CD process. Continue to monitor what your application is doing, even though you deploy it to a test environment, because I guarantee you there are certain things that will get exposed, when you actually have the right monitoring system in place.

I’ll take it as a startup company, where you got the walk, crawl, run phase – the walk phase is like this “Let’s do it!” Let’s get the right tools sets, let’s get it working, let’s go with it, yes, you’re delivering faster, you’re learning caveats, you’re learning some of these points where, “Oh we need to go back…” but the issue is, as you move forward, you start seeing more deficiencies, and a lot more people not standardizing the things. People do things differently, in fact, since we’re talking about Continuous Delivery, I should say people are delivering software differently from one team to the other. It becomes very challenging to standardize some things, not only in the tool sets but simply on the process as well.

Because one person can do the flow differently, then you have a different set of quality gates, then you have a different set of tools. We’re still learning, but at the end of the day – let’s be honest, you will not satisfy everybody. You’re not going to satisfy every team out there, but at least try to get a consensus of small things, standard things that worked well with everybody.

We still have teams that use different tools sets, but it’s not it’s not like one team is different from the other – now we have a big organization using the same tools, and that’s a good start, and we have another organization using the same tools, that’s a good start, then we have another organization using the same tool sets – now we have a lot of people talking with each other, just take it to the next level. Because the other thing to consider is while you’re standardizing the things, the big benefit of doing that as well is cost, you’re able to save the company money by standardizing certain things that worked well for you. So now you’re hitting two birds with one stone – obviously the next thing is, people will get more enticed to collaborate, share best practices, and provide governance around certain things that worked well for us.

Being in quality, quality is my forte, I can talk about web automation the whole day – unit testing, that kind of stuff, but certain people need to realize that when you do test automation there are certain things that you use to automate things that may not work with people. But at least try to establish a standard that will work well in terms of governance of the process, what you do about it, so making things easier for tracking and auditing is the other thing you have to consider.

Tools: Tips and Tricks

I’ll just make this straight – if I had one tip, when talking about Continuous Delivery, we know we want to be Agile, we want to release faster with quality. So have everybody be accountable of quality. If you think about quality from the get go, when you start doing Continuous Delivery, you’ll start expanding of all these tool sets, you’ll be able to define a process, you’ll be able to define your orchestration. In fact, it will actually even help determine what tools you will need to use, if you start thinking about quality at the get go, as part of your process, it’s mandatory.

I can’t stress this enough, when you talk about Continuous Delivery it’s all about release, release, release… features, features, features… at the end, you’ll spend more time thinking about fixing defects or bugs.

And even tools, sometimes tools don’t necessarily have the right set of features that help you deal with quality. So you keep everybody accountable of quality, because this is very important when you start thinking about Continuous Delivery out to your production servers. You’ll be able to write down the list of things, when you start thinking about quality: monitoring, automation, tools sets, orchestration, security, performance. If I had one big tip, it’s to have everybody be accountable for quality, it’s a shared practice by everybody, not by just the test team.

Enabling Targeted Environment Testing during Continuous Delivery (Release Management) in VSTS

In my previous post “Continuous Delivery using VSO Release Manager with Selenium Automated Tests on Azure Web Apps (PaaS)”, I’ve walked through the steps on how to enable continuous delivery by releasing builds to multiple environments. One caveat that I didn’t focus on is taking the same tests and running it against those target environments.

In this post, I’ll walk you through the steps on enabling or running the same tests targeting those environments that you have included as part of your continuous delivery pipeline. You’re basically taking the same tests however passing in different parameters such as the target URL and/or browser to run.

In a high level, these are the changes. The solution only requires:

· Create runsettings file and add your parameters.

· Modify your code to call the parameters from the .runsettings file

· Changes to the “Test Steps” in VSTS release or build

Create runsettings file

In Visual Studio, you have the ability to generate a “testsettings” file however not a “runsettings” file. What’s the difference between both file formats? Both can be used as a reference for executing tests. However the “runsettings” file is more optimized to be used for running Unit Tests. In this case our tests are unit tests.

For more information see: Configure unit tests by using a .runsettings file

https://msdn.microsoft.com/en-us/library/jj635153.aspx

Essentially:

1) Create an xml file with the extension of: .runsettings (e.g. ContinousDeliveryTests.runsettings)

2) Replace the contents of the file with the following:

<?xml version="1.0" encoding="utf-8"?>
<RunSettings>
   <TestRunParameters>
      <Parameter name="EnvURL" value="http://XXXXX.azurewebsites.net" />
      <Parameter name="Browser" value="headless" />
   </TestRunParameters>
  <!--<RunConfiguration> We will use this later so we can run multiple threads for tests
    <MaxCpuCount>4</MaxCpuCount>
  </RunConfiguration>-->
</RunSettings>

3) Save the file to your source control repository. In my case GIT in VSTS.

Modify your code to call the params from the .runsettings file

In your unit tests where you specify the URL, apply the following changes:

var envUrl = TestContext.Properties["EnvURL"].ToString();

At this point, you can refer the envUrl variable in your code for navigating through your tests.

Changes to the “Test Steps” in VSTS release or build

In VSTS Release Manager, modify the test steps to:

NOTE: As part of your build definition, ensure that you upload your runsettings file as part of your artifacts directory. Here’s a snippet in my build definition step:

Visual Studio Test step in Release Manager:

For each environment that you deploy your application, modify the Visual Studio Test Step to:

– Specify the runsettings file. You can browse through your build artifacts provided you’ve uploaded your runsettings file as part of your build artifacts

– Override the parameters with the correct value for your environment URL

One you make the following changes, your tests will execute targeting those environments specified in your continuous delivery pipeline.

Using OpenID to authenticate in MVC via Azure AD (Manual Steps)

Title says it all, we have some MVC apps using Azure AD via WSFed and want to convert using OpenID auth. While WSFED works well, we wanted to take a simple approach of using OpenID through Azure AD. These are the steps to either convert from WSFED or add OpenID in existing MVC Apps for Authentication.

I assume that you already have an application registered in Azure Active Directory for your website to use for authenticating AD users. If not, the first step is to create an Application in Azure Active Directory for your website to use to authenticate AD users. To do this:

Sign in to the Azure Management Portal (http://azure.microsoft.com).
Click on the Active Directory icon on the left menu, and then click on the desired directory.
On the top menu, click Applications. If no apps have been added to your directory, this page will only show the Add an App link. Click on the link, or alternatively you can click on the Add button on the command bar.
On the What do you want to do page, click on the link to Add an application my organization is developing.

On the Tell us about your application page, you must specify a name for your application as well as indicate the type of application you are registering with Azure AD. You can choose from a web application and/or web API (default) or native client application which represents an application that is installed on a device such as a phone or computer. For this guide, make sure to select Web Application and/or Web API

Once finished, click the arrow icon on the bottom-right corner of the page.
On the App properties page, provide the Sign-on URL (URL for your web application) and App ID URI (Unique URI for your application – Usually it’s a combination or your AD domain/application. Example: http://www.domain.com/mywebsite.somedomain.com) for your web application then click the checkbox in the bottom-right hand corner of the page.
Your application has been added, and you will be taken to the Quick Start page for your application.
Click on the “Configure” Tab. Generate a Key for your client access and write down the following information:
Federation Metadata Document (You can get this information by click on “VIEW ENDPOINTS” at the bottom section of the Configure tab)

Enable SSL on your Dev Machines

With OpenID, you need to have your MVC app enabled with SSL. In your development environment, you can set this by going to the properties of the MVC app, select “Web” on the left navigation and type “https” on the project URL box:

Add OpenID and OWIN nuget packages to your MVC Application:

Microsoft.IdentityModel.Protocol.Extensions
System.IdentityModel.Tokens.Jwt
Microsoft.Owin.Security.OpenIdConnect
Microsoft.Owin.Security.Cookies
Microsoft.Owin.Host.SystemWeb
Active Directory Authentication Library

Create a class Startup.Auth.cs in the App_Start folder

Replace the code from below: Be sure to take the whole class definition!

Namespace references:


using Microsoft.IdentityModel.Clients.ActiveDirectory;

using Microsoft.Owin.Security;

using Microsoft.Owin.Security.Cookies;

using Microsoft.Owin.Security.OpenIdConnect;

using Owin;


public partial class Startup

   {

       //

       // The Client ID is used by the application to uniquely identify itself to Azure AD.

       // The App Key is a credential used to authenticate the application to Azure AD. Azure AD supports password and certificate credentials.

       // The Metadata Address is used by the application to retrieve the signing keys used by Azure AD.

       // The AAD Instance is the instance of Azure, for example public Azure or Azure China.

       // The Authority is the sign-in URL of the tenant.

       // The Post Logout Redirect Uri is the URL where the user will be redirected after they sign out.

       //

       private static string clientId = ConfigurationManager.AppSettings[&quot;ida:ClientId&quot;];

       private static string appKey = ConfigurationManager.AppSettings[&quot;ida:AppKey&quot;];

       private static string aadInstance = ConfigurationManager.AppSettings[&quot;ida:AADInstance&quot;];

       private static string tenant = ConfigurationManager.AppSettings[&quot;ida:Tenant&quot;];

       private static string postLogoutRedirectUri = ConfigurationManager.AppSettings[&quot;ida:PostLogoutRedirectUri&quot;];

       public static readonly string Authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);

       // This is the resource ID of the AAD Graph API. We'll need this to request a token to call the Graph API.

       string graphResourceId = ConfigurationManager.AppSettings[&quot;ida:GraphUrl&quot;];

       public void ConfigureAuth(IAppBuilder app)

       {

           app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

           app.UseCookieAuthentication(new CookieAuthenticationOptions());

           app.UseOpenIdConnectAuthentication(

               new OpenIdConnectAuthenticationOptions

               {

                   ClientId = clientId,

                   Authority = Authority,

                   PostLogoutRedirectUri = postLogoutRedirectUri,

                  Notifications = new OpenIdConnectAuthenticationNotifications()

                   {

                       //

                       // If there is a code in the OpenID Connect response, redeem it for an access token and refresh token, and store those away.

                       //

                       AuthorizationCodeReceived = (context) =&gt;

                       {

                           var code = context.Code;

                           ClientCredential credential = new ClientCredential(clientId, appKey);

                           string userObjectID = context.AuthenticationTicket.Identity.FindFirst(

                                   &quot;http://schemas.microsoft.com/identity/claims/objectidentifier&quot;).Value;

                           AuthenticationContext authContext = new AuthenticationContext(Authority, new NaiveSessionCache(userObjectID));

                           AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(

                              code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, graphResourceId);

                           AuthenticationHelper.token = result.AccessToken;

                           return Task.FromResult(0);

                       }

                   }

               });

       }

   }

Create Utility classes

In the project, create a new folder called Utils, create a class AuthenticationHelper.cs. Replace the code from below. Be sure to take the whole class definition!

References


using Microsoft.Azure.ActiveDirectory.GraphClient;


internal class AuthenticationHelper

   {

       public static string token;

       /// &lt;summary&gt;

       ///     Async task to acquire token for Application.

       /// &lt;/summary&gt;

       /// &lt;returns&gt;Async Token for application.&lt;/returns&gt;

       public static async Task&lt;string&gt; AcquireTokenAsync()

       {

           if (token == null || token.IsEmpty())

           {

               throw new Exception(&quot;Authorization Required.&quot;);

           }

           return token;

       }

       /// &lt;summary&gt;

       ///     Get Active Directory Client for Application.

       /// &lt;/summary&gt;

       /// &lt;returns&gt;ActiveDirectoryClient for Application.&lt;/returns&gt;

       public static ActiveDirectoryClient GetActiveDirectoryClient()

       {

           Uri baseServiceUri = new Uri(Constants.ResourceUrl);

           ActiveDirectoryClient activeDirectoryClient =

               new ActiveDirectoryClient(new Uri(baseServiceUri, Constants.TenantId),

                   async () =&gt; await AcquireTokenAsync());

           return activeDirectoryClient;

       }

   }

In the Utils folder, create a class Constants.cs. Replace the code from below. Be sure to take the whole class definition!


internal class Constants

   {

       public static string ResourceUrl = ConfigurationManager.AppSettings[&quot;ida:GraphUrl&quot;];

       public static string ClientId = ConfigurationManager.AppSettings[&quot;ida:ClientId&quot;];

       public static string AppKey = ConfigurationManager.AppSettings[&quot;ida:AppKey&quot;];

       public static string TenantId = ConfigurationManager.AppSettings[&quot;ida:TenantId&quot;];

       public static string AuthString = ConfigurationManager.AppSettings[&quot;ida:Auth&quot;] +

                                         ConfigurationManager.AppSettings[&quot;ida:Tenant&quot;];

       public static string ClientSecret = ConfigurationManager.AppSettings[&quot;ida:ClientSecret&quot;];

   }

In the Utils folder, create three new classes called NaiveSessionCache.cs. Replace the code from below. Be sure to take the whole class definition!

References:


using Microsoft.IdentityModel.Clients.ActiveDirectory;


public class NaiveSessionCache : TokenCache

   {

       private static readonly object FileLock = new object();

       private readonly string CacheId = string.Empty;

       private string UserObjectId = string.Empty;

       public NaiveSessionCache(string userId)

       {

           UserObjectId = userId;

           CacheId = UserObjectId + &quot;_TokenCache&quot;;

           AfterAccess = AfterAccessNotification;

           BeforeAccess = BeforeAccessNotification;

           Load();

       }

       public void Load()

       {

           lock (FileLock)

           {

               if (HttpContext.Current != null)

               {

                   Deserialize((byte[])HttpContext.Current.Session[CacheId]);

               }

           }

       }

        public void Persist()

       {

           lock (FileLock)

           {

               // reflect changes in the persistent store

               HttpContext.Current.Session[CacheId] = Serialize();

               // once the write operation took place, restore the HasStateChanged bit to false

               HasStateChanged = false;

           }

       }

       // Empties the persistent store.

       public override void Clear()

       {

           base.Clear();

           HttpContext.Current.Session.Remove(CacheId);

       }

       public override void DeleteItem(TokenCacheItem item)

       {

           base.DeleteItem(item);

           Persist();

       }

       // Triggered right before ADAL needs to access the cache.

       // Reload the cache from the persistent store in case it changed since the last access.

       private void BeforeAccessNotification(TokenCacheNotificationArgs args)

       {

           Load();

       }

       // Triggered right after ADAL accessed the cache.

       private void AfterAccessNotification(TokenCacheNotificationArgs args)

       {

           // if the access operation resulted in a cache update

           if (HasStateChanged)

           {

               Persist();

           }

       }

   }

Add OWIN Startup class

Right-click on the project, select Add, select “OWIN Startup class”, and name the class “Startup”. If “OWIN Startup Class” doesn’t appear in the menu, instead select “Class”, and in the search box enter “OWIN”. “OWIN Startup class” will appear as a selection; select it, and name the class Startup.cs .

In Startup.cs , replace the code from below. Again, note the definition changes from public class Startup to public partial class Startup .


using System;

using System.Threading.Tasks;

using Microsoft.Owin;

using Owin;

[assembly: OwinStartup(typeof(MVCProject.Startup))]

namespace MVCProject

{

   public partial class Startup

   {

       public void Configuration(IAppBuilder app)

       {

           ConfigureAuth(app);

       }

   }

}

Create UserProfile model

In the Models folder add a new class called UserProfile.cs . Copy the implementation of UserProfile from below:


public class UserProfile

   {

       public string DisplayName { get; set; }

       public string GivenName { get; set; }

       public string Surname { get; set; }

   }

Create new UserProfileController

Add a new empty MVC5 controller UserProfileController to the project. Copy the implementation from below. Remember to include the [Authorize] attribute on the class definition.

References:


using System.Net.Http;

using System.Net.Http.Headers;

using System.Security.Claims;

using System.Threading.Tasks;

using System.Web;

using System.Web.Mvc;

using Microsoft.IdentityModel.Clients.ActiveDirectory;

using Microsoft.Owin.Security.OpenIdConnect;

using Newtonsoft.Json;


[Authorize]

   public class UserProfileController : Controller

   {

       private const string TenantIdClaimType = &quot;http://schemas.microsoft.com/identity/claims/tenantid&quot;;

       private static readonly string clientId = ConfigurationManager.AppSettings[&quot;ida:ClientId&quot;];

       private static readonly string appKey = ConfigurationManager.AppSettings[&quot;ida:AppKey&quot;];

       private readonly string graphResourceId = ConfigurationManager.AppSettings[&quot;ida:GraphUrl&quot;];

       private readonly string graphUserUrl = &quot;https://graph.windows.net/{0}/me?api-version=&quot; +

                                              ConfigurationManager.AppSettings[&quot;ida:GraphApiVersion&quot;];

       //

       // GET: /UserProfile/

       public async Task&lt;ActionResult&gt; Index()

       {

           //

           // Retrieve the user's name, tenantID, and access token since they are parameters used to query the Graph API.

           //

           UserProfile profile;

           string tenantId = ClaimsPrincipal.Current.FindFirst(TenantIdClaimType).Value;

            AuthenticationResult result = null;

           try

           {

               // Get the access token from the cache

               string userObjectID =

                   ClaimsPrincipal.Current.FindFirst(&quot;http://schemas.microsoft.com/identity/claims/objectidentifier&quot;)

                       .Value;

               AuthenticationContext authContext = new AuthenticationContext(Startup.Authority,

                   new NaiveSessionCache(userObjectID));

               ClientCredential credential = new ClientCredential(clientId, appKey);

               result = authContext.AcquireTokenSilent(graphResourceId, credential,

                   new UserIdentifier(userObjectID, UserIdentifierType.UniqueId));

               // Call the Graph API manually and retrieve the user's profile.

               string requestUrl = String.Format(

                   CultureInfo.InvariantCulture,

                   graphUserUrl,

                   HttpUtility.UrlEncode(tenantId));

               HttpClient client = new HttpClient();

               HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, requestUrl);

               request.Headers.Authorization = new AuthenticationHeaderValue(&quot;Bearer&quot;, result.AccessToken);

               HttpResponseMessage response = await client.SendAsync(request);

               // Return the user's profile in the view.

               if (response.IsSuccessStatusCode)

               {

                   string responseString = await response.Content.ReadAsStringAsync();

                   profile = JsonConvert.DeserializeObject&lt;UserProfile&gt;(responseString);

               }

               else

               {

                   // If the call failed, then drop the current access token and show the user an error indicating they might need to sign-in again.

                   authContext.TokenCache.Clear();

                   profile = new UserProfile();

                   profile.DisplayName = &quot; &quot;;

                   profile.GivenName = &quot; &quot;;

                   profile.Surname = &quot; &quot;;

                   ViewBag.ErrorMessage = &quot;UnexpectedError&quot;;

               }

           }

           catch (Exception e)

           {

               if (Request.QueryString[&quot;reauth&quot;] == &quot;True&quot;)

              {

                   //

                   // Send an OpenID Connect sign-in request to get a new set of tokens.

                   // If the user still has a valid session with Azure AD, they will not be prompted for their credentials.

                   // The OpenID Connect middleware will return to this controller after the sign-in response has been handled.

                   //

                   HttpContext.GetOwinContext()

                       .Authentication.Challenge(OpenIdConnectAuthenticationDefaults.AuthenticationType);

               }

               //

               // The user needs to re-authorize. Show them a message to that effect.

               //

               profile = new UserProfile();

              profile.DisplayName = &quot; &quot;;

               profile.GivenName = &quot; &quot;;

               profile.Surname = &quot; &quot;;

               ViewBag.ErrorMessage = &quot;AuthorizationRequired&quot;;

           }

           return View(profile);

       }

   }

Create new AccountController

Add a new empty MVC5 controller AccountController to the project. Copy the implementation from below.

References:


using System.Security.Claims;

using Microsoft.IdentityModel.Clients.ActiveDirectory;

using Microsoft.Owin.Security;

using Microsoft.Owin.Security.Cookies;

using Microsoft.Owin.Security.OpenIdConnect;

using QualityEngineeringSite.Utils;


public class AccountController : Controller

   {

       public void SignIn()

       {

           // Send an OpenID Connect sign-in request.

           if (!Request.IsAuthenticated)

           {

               HttpContext.GetOwinContext()

                   .Authentication.Challenge(new AuthenticationProperties { RedirectUri = &quot;/&quot; },

                       OpenIdConnectAuthenticationDefaults.AuthenticationType);

           }

       }

       public void SignOut()

       {

           // Remove all cache entries for this user and send an OpenID Connect sign-out request.

           string userObjectID =

               ClaimsPrincipal.Current.FindFirst(&quot;http://schemas.microsoft.com/identity/claims/objectidentifier&quot;).Value;

           AuthenticationContext authContext = new AuthenticationContext(Startup.Authority,

               new NaiveSessionCache(userObjectID));

           authContext.TokenCache.Clear();

           AuthenticationHelper.token = null;

           HttpContext.GetOwinContext().Authentication.SignOut(

               OpenIdConnectAuthenticationDefaults.AuthenticationType, CookieAuthenticationDefaults.AuthenticationType);

       }

   }

Create a new partial view _LoginPartial.cshtml

In the Views –> Shared folder, create a new partial view _LoginPartial.cshtml. Replace the contents of the file from below


@using System

@{

   var user = &quot;Null User&quot;;

   if (!String.IsNullOrEmpty(User.Identity.Name))

   {

       user = User.Identity.Name;

   }

}

@if (Request.IsAuthenticated)

{

   &lt;text&gt;

       &lt;ul class=&quot;nav navbar-nav navbar-right&quot;&gt;

           &lt;li&gt;

               @Html.ActionLink(user, &quot;Index&quot;, &quot;UserProfile&quot;, routeValues: null, htmlAttributes: null)

           &lt;/li&gt;

           &lt;li&gt;

               @Html.ActionLink(&quot;Sign out&quot;, &quot;SignOut&quot;, &quot;Account&quot;)

           &lt;/li&gt;

       &lt;/ul&gt;

   &lt;/text&gt;

}

else

{

   &lt;ul class=&quot;nav navbar-nav navbar-right&quot;&gt;

       &lt;li&gt;@Html.ActionLink(&quot;Sign in&quot;, &quot;Index&quot;, &quot;UserProfile&quot;, routeValues: null, htmlAttributes: new { id = &quot;loginLink&quot; })&lt;/li&gt;

   &lt;/ul&gt;

}

Modify existing _Layout.cshtml

In the Views –> Shared folder, add a single line, @Html.Partial(“_LoginPartial”) , that lights up the previously added _LoginPartial view. See screenshot below

Authenticate Users

If you want the user to be required to sign-in before they can see any page of the app, then in the HomeController, decorate the HomeController class with the [Authorize] attribute. If you leave this out, the user will be able to see the home page of the app without having to sign-in first, and can click the sign-in link on that page to get signed in.

For more information around the AuthorizeAttribute, refer to:

AuthorizeAttribute Class

https://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute(v=vs.118).aspx

Web.Config Settings

In web.config , in <appSettings> , create keys for ida:ClientId , ida:AppKey , ida:AADInstance , ida:Tenant and ida:PostLogoutRedirectUri and set the values accordingly. For the public Azure AD, the value of ida:AADInstance is https://login.windows.net/{0} . See sample below:


&lt;!-- Values for OpenID and Graph API --&gt;

&lt;!-- ClientId is the application ID from your own Azure AD tenant --&gt;

   &lt;add key=&quot;ida:ClientId&quot; value=&quot;XXXXXXX&quot; /&gt;

   &lt;add key=&quot;ida:AppKey&quot; value=&quot;XXXXX&quot; /&gt;

   &lt;add key=&quot;ida:AADInstance&quot; value=&quot;https://login.windows.net/{0}&quot; /&gt;

&lt;!-- Tenant is the Tenant ID from your own Azure AD tenant. This is in a form of GUID.This is the value from your Federation Metadata Document URL' --&gt;

   &lt;add key=&quot;ida:Tenant&quot; value=&quot;XXXXXXXXX&quot; /&gt;

&lt;!-- Tenant is the Tenant ID from your own Azure AD tenant. This is in a form of GUID.This is the value from your Federation Metadata Document URL' --&gt;

   &lt;add key=&quot;ida:TenantId&quot; value=&quot;XXXXXXXX&quot; /&gt;

&lt;!-- PostLogoutRedirectUri is your application endpoint --&gt;

   &lt;add key=&quot;ida:PostLogoutRedirectUri&quot; value=&quot;http://xxxx.azurewebsites.net/&quot; /&gt;

   &lt;add key=&quot;aspnet:UseTaskFriendlySynchronizationContext&quot; value=&quot;true&quot; /&gt;

In web.config add this line in the <system.web> section: <sessionState timeout=”525600″ /> . This increases the ASP.Net session state timeout to its maximum value so that access tokens and refresh tokens cache in session state aren’t cleared after the default timeout of 20 minutes.