AzureAD · neha-bhargava · Nov 4, 2024 · Oct 23, 2024 · Oct 23, 2024 · Oct 23, 2024
@@ -20,6 +20,10 @@
       {
         "file": "*InternalAPI.Unshipped.txt",
         "_justification": "Unshipped public API."
+      },
+      {
+        "file": "ClaimConstants.cs",
+        "_justification": "Constant contains the word Password as it is for the ROPC flow password claim constant."
       }
     ]
   }
@@ -99,5 +99,15 @@
         /// Name Identifier ID claim: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier".
         /// </summary>
         public const string NameIdentifierId = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier";
+
+        /// <summary>
+        /// Username claims for ROPC flow.
+        /// </summary>
+        public const string Username = "xms-username";
+
+        /// <summary>
+        /// Password claims for ROPC flow.
+        /// </summary>
+        public const string Password = "xms-password";
     }
 }
@@ -254,6 +254,21 @@
             try
             {
                 AuthenticationResult? authenticationResult;
+
+                // If the user is not null and has claims xms-username and xms-password, perform ROPC for CCA
+                authenticationResult = await TryGetAuthenticationResultForConfidentialClientUsingRopcAsync(
+                    application,
+                    scopes,
+                    user,
+                    mergedOptions,
+                    tokenAcquisitionOptions).ConfigureAwait(false);
+
+                if (authenticationResult != null)
+                {
+                    LogAuthResult(authenticationResult);
+                    return authenticationResult;
+                }
+
                 // Access token will return if call is from a web API
                 authenticationResult = await GetAuthenticationResultForWebApiToCallDownstreamApiAsync(
                     application,
@@ -313,6 +328,48 @@
             }
         }
 
+        private async Task<AuthenticationResult?> TryGetAuthenticationResultForConfidentialClientUsingRopcAsync(IConfidentialClientApplication application, IEnumerable<string> scopes, ClaimsPrincipal? user, MergedOptions mergedOptions, TokenAcquisitionOptions? tokenAcquisitionOptions)
+        {
+            if (user != null && user.HasClaim(c => c.Type == ClaimConstants.Username) && user.HasClaim(c => c.Type == ClaimConstants.Password))
+            {
+                string username = user.FindFirst(ClaimConstants.Username)?.Value ?? string.Empty;
+                string password = user.FindFirst(ClaimConstants.Password)?.Value ?? string.Empty;
+
+                var accounts = await application.GetAccountsAsync().ConfigureAwait(false);
+                var account = accounts.FirstOrDefault(account => account.Username == username);
+
+                if (account != null)
+                {
+                    try
+                    {
+                        // Silent flow
+                        return await application.AcquireTokenSilent(
+                            scopes.Except(_scopesRequestedByMsal),
+                            account)
+                            .ExecuteAsync()
+                            .ConfigureAwait(false);
+                    }
+                    catch
+                    {
+                        // Ignore this exception as we will retry with ROPC
+                    }
+
+                }
+
+                // ROPC flow
+                var authenticationResult = await ((IByUsernameAndPassword)application).AcquireTokenByUsernamePassword(
+                    scopes.Except(_scopesRequestedByMsal),
+                    username,
+                    password)
+                    .ExecuteAsync()
+                    .ConfigureAwait(false);
+
+                return authenticationResult;
+            }
+
+            return null;
+        }
+
         private void LogAuthResult(AuthenticationResult? authenticationResult)
         {
             if (authenticationResult != null)

@@ -107,5 +107,22 @@
                     }));
             }
         }
+
+        /// <summary>
+        /// Instantiate a <see cref="ClaimsPrincipal"/> from a username and password.
+        /// This can be used for ROPC flow for testing purposes.
+        /// </summary>
+        /// <param name="username">UPN of the user for example username@domain.</param>
+        /// <param name="password">Password for the user.</param>
+        /// <returns>A <see cref="ClaimsPrincipal"/> containing these two claims.</returns>
+        public static ClaimsPrincipal FromUsernamePassword(string username, string password)
+        {
+            return new ClaimsPrincipal(
+                new CaseSensitiveClaimsIdentity(new[]
+                {
+                    new Claim(ClaimConstants.Username, username),
+                    new Claim(ClaimConstants.Password, password),
+                }));
+        }
     }
 }
@@ -12,7 +12,9 @@
 using Microsoft.Extensions.Options;
 using Microsoft.Graph;
 using Microsoft.Identity.Abstractions;
+using Microsoft.Identity.Lab.Api;
 using Microsoft.Identity.Web;
+using Microsoft.Identity.Web.Test.Common;
 using Microsoft.Identity.Web.TokenCacheProviders.InMemory;
 using Microsoft.IdentityModel.Tokens;
 using Xunit;
@@ -91,6 +93,38 @@
             Assert.NotEqual(tokenAcquirerA, tokenAcquirerC);
         }
 
+        [Fact]
+        public async Task AcquireToken_ROPC_CCAasync()
+        {
+            var tokenAcquirerFactory = TokenAcquirerFactory.GetDefaultInstance();
+            _ = tokenAcquirerFactory.Build();
+
+            var labResponse = await LabUserHelper.GetDefaultUserAsync();
+
+            ITokenAcquirer tokenAcquirer = tokenAcquirerFactory.GetTokenAcquirer(
+               authority: "https://login.microsoftonline.com/organizations",
+               clientId: "88f91eac-c606-4c67-a0e2-a5e8a186854f",
+               clientCredentials: new[]
+               {
+                   CertificateDescription.FromStoreWithDistinguishedName("CN=LabAuth.MSIDLab.com")
+               });
+
+            var user = ClaimsPrincipalFactory.FromUsernamePassword(labResponse.User.Upn, labResponse.User.GetOrFetchPassword());
+
+            var result = await tokenAcquirer.GetTokenForUserAsync(
+                scopes: new[] { "https://graph.microsoft.com/.default" }, user: user).ConfigureAwait(false);
+
+            Assert.NotNull(result);
+            Assert.NotNull(result.AccessToken);
+
+            var result2 = await tokenAcquirer.GetTokenForUserAsync(
+                scopes: new[] { "https://graph.microsoft.com/.default" }, user: user).ConfigureAwait(false);
+
+            Assert.NotNull(result2);
+            Assert.NotNull(result2.AccessToken);
+            Assert.Equal(result.AccessToken, result2.AccessToken);
+        }
+
         [Fact]
         public void AcquireToken_SafeFromMultipleThreads()
         {

@@ -7,6 +7,7 @@
   </PropertyGroup>
 
   <ItemGroup>
+    <PackageReference Include="Microsoft.Identity.Lab.Api" Version="$(MicrosoftIdentityLabApiVersion)" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="$(MicrosoftNetTestSdkVersion)" />
     <PackageReference Include="Newtonsoft.Json" Version="$(NewtonsoftJsonVersion)" />
     <PackageReference Include="xunit" Version="$(XunitVersion)" />
@@ -19,6 +20,7 @@
   <ItemGroup>
     <ProjectReference Include="..\..\..\src\Microsoft.Identity.Web.GraphServiceClient\Microsoft.Identity.Web.GraphServiceClient.csproj" />
     <ProjectReference Include="..\..\..\src\Microsoft.Identity.Web.TokenAcquisition\Microsoft.Identity.Web.TokenAcquisition.csproj" />
+    <ProjectReference Include="..\..\Microsoft.Identity.Web.Test.Common\Microsoft.Identity.Web.Test.Common.csproj" />
   </ItemGroup>
 
 </Project>