Add call web API to BWA+OIDC samples (#526)

Author: guardrex

8.0/BlazorWebAppOidc/BlazorWebAppOidc.sln

@@ -7,6 +7,8 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "BlazorWebAppOidc", "BlazorW
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "BlazorWebAppOidc.Client", "BlazorWebAppOidc.Client\BlazorWebAppOidc.Client.csproj", "{7B3838A1-D145-479C-9B79-6D2CD1775B71}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "MinimalApiJwt", "..\GitHub\blazor-samples\9.0\BlazorWebAppEntra\MinimalApiJwt\MinimalApiJwt.csproj", "{9C2046C8-7491-5AB5-AAA9-FB558DCE801E}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -21,6 +23,10 @@ Global
 		{7B3838A1-D145-479C-9B79-6D2CD1775B71}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{7B3838A1-D145-479C-9B79-6D2CD1775B71}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{7B3838A1-D145-479C-9B79-6D2CD1775B71}.Release|Any CPU.Build.0 = Release|Any CPU
+		{9C2046C8-7491-5AB5-AAA9-FB558DCE801E}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{9C2046C8-7491-5AB5-AAA9-FB558DCE801E}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{9C2046C8-7491-5AB5-AAA9-FB558DCE801E}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{9C2046C8-7491-5AB5-AAA9-FB558DCE801E}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE

8.0/BlazorWebAppOidc/BlazorWebAppOidc.slnLaunch.user

@@ -0,0 +1,17 @@
+[
+  {
+    "Name": "Start Projects",
+    "Projects": [
+      {
+        "Path": "MinimalApiJwt\\MinimalApiJwt.csproj",
+        "Action": "StartWithoutDebugging",
+        "DebugTarget": "https"
+      },
+      {
+        "Path": "BlazorWebAppOidc\\BlazorWebAppOidc.csproj",
+        "Action": "Start",
+        "DebugTarget": "https"
+      }
+    ]
+  }
+]

8.0/BlazorWebAppOidc/BlazorWebAppOidc/Program.cs

@@ -36,6 +36,16 @@
         //oidcOptions.Scope.Add(OpenIdConnectScope.OpenIdProfile);
         // ........................................................................
 
+        // ........................................................................
+        // The "Weather.Get" scope for accessing the external web API for weather
+        // data. The following example is based on using Microsoft Entra ID in 
+        // an ME-ID tenant domain (the {APP ID URI} placeholder is found in
+        // the Entra or Azure portal where the web API is exposed). For any other
+        // identity provider, use the appropriate scope.
+
+        oidcOptions.Scope.Add("{APP ID URI}/Weather.Get");
+        // ........................................................................
+
         // ........................................................................
         // The following paths must match the redirect and post logout redirect 
         // paths configured when registering the application with the OIDC provider. 
@@ -138,6 +148,13 @@
 
 builder.Services.AddHttpContextAccessor();
 
+builder.Services.AddScoped<TokenHandler>();
+
+builder.Services.AddHttpClient("ExternalApi",
+      client => client.BaseAddress = new Uri(builder.Configuration["ExternalApiUri"] ?? 
+          throw new Exception("Missing base address!")))
+      .AddHttpMessageHandler<TokenHandler>();
+
 var app = builder.Build();
 
 // Configure the HTTP request pipeline.

8.0/BlazorWebAppOidc/BlazorWebAppOidc/TokenHandler.cs

@@ -0,0 +1,21 @@
+using System.Net.Http.Headers;
+using Microsoft.AspNetCore.Authentication;
+
+namespace BlazorWebAppOidc;
+
+public class TokenHandler(IHttpContextAccessor httpContextAccessor) : 
+    DelegatingHandler
+{
+    protected override async Task<HttpResponseMessage> SendAsync(
+        HttpRequestMessage request, CancellationToken cancellationToken)
+    {
+        var accessToken = httpContextAccessor.HttpContext?
+            .GetTokenAsync("access_token").Result ?? 
+            throw new Exception("No access token");
+
+        request.Headers.Authorization =
+            new AuthenticationHeaderValue("Bearer", accessToken);
+
+        return await base.SendAsync(request, cancellationToken);
+    }
+}

8.0/BlazorWebAppOidc/BlazorWebAppOidc/Weather/ServerWeatherForecaster.cs

@@ -2,25 +2,18 @@
 
 namespace BlazorWebAppOidc.Weather;
 
-internal sealed class ServerWeatherForecaster() : IWeatherForecaster
+internal sealed class ServerWeatherForecaster(IHttpClientFactory clientFactory) : IWeatherForecaster
 {
-    public readonly string[] summaries =
-    [
-        "Freezing", "Bracing", "Chilly", "Cool", "Mild", "Warm", "Balmy", "Hot", "Sweltering", "Scorching"
-    ];
-
     public async Task<IEnumerable<WeatherForecast>> GetWeatherForecastAsync()
     {
-        // Simulate asynchronous loading to demonstrate streaming rendering
-        await Task.Delay(500);
+        var request = new HttpRequestMessage(HttpMethod.Get, "/weather-forecast");
+        var client = clientFactory.CreateClient("ExternalApi");
+
+        var response = await client.SendAsync(request);
+
+        response.EnsureSuccessStatusCode();
 
-        return Enumerable.Range(1, 5).Select(index =>
-            new WeatherForecast
-            (
-                DateOnly.FromDateTime(DateTime.Now.AddDays(index)),
-                Random.Shared.Next(-20, 55),
-                summaries[Random.Shared.Next(summaries.Length)]
-            ))
-        .ToArray();
+        return await response.Content.ReadFromJsonAsync<WeatherForecast[]>() ??
+            throw new IOException("No weather forecast!");
     }
 }

8.0/BlazorWebAppOidc/BlazorWebAppOidc/appsettings.json

@@ -5,5 +5,6 @@
       "Microsoft.AspNetCore": "Warning"
     }
   },
-  "AllowedHosts": "*"
+  "AllowedHosts": "*",
+  "ExternalApiUri": "https://localhost:7277"
 }

8.0/BlazorWebAppOidc/MinimalApiJwt/MinimalApiJwt.csproj

@@ -0,0 +1,14 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+  <PropertyGroup>
+    <TargetFramework>net8.0</TargetFramework>
+    <Nullable>enable</Nullable>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <InvariantGlobalization>true</InvariantGlobalization>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.0" />
+  </ItemGroup>
+
+</Project>

8.0/BlazorWebAppOidc/MinimalApiJwt/MinimalApiJwt.http

@@ -0,0 +1,6 @@
+@MinimalApiJwt_HostAddress = http://localhost:5163
+
+GET {{MinimalApiJwt_HostAddress}}/weather-forecast/
+Accept: application/json
+
+###

8.0/BlazorWebAppOidc/MinimalApiJwt/Program.cs

@@ -0,0 +1,54 @@
+var builder = WebApplication.CreateBuilder(args);
+
+builder.Services.AddAuthentication()
+    .AddJwtBearer("Bearer", jwtOptions =>
+    {
+        // {TENANT ID} is the directory (tenant) ID.
+        //
+        // Authority format {AUTHORITY} matches the issurer (`iss`) of the JWT returned by the identity provider.
+        //
+        // Authority format {AUTHORITY} for ME-ID tenant type: https://sts.windows.net/{TENANT ID}/
+        // Authority format {AUTHORITY} for B2C tenant type: https://login.microsoftonline.com/{TENANT ID}/v2.0/
+        //
+        jwtOptions.Authority = "{AUTHORITY}";
+        //
+        // The following should match just the path of the Application ID URI configured when adding the "Weather.Get" scope
+        // under "Expose an API" in the Azure or Entra portal. {CLIENT ID} is the application (client) ID of this 
+        // app's registration in the Azure portal.
+        // 
+        // Audience format {AUDIENCE} for ME-ID tenant type: api://{CLIENT ID}
+        // Audience format {AUDIENCE} for B2C tenant type: https://{DIRECTORY NAME}.onmicrosoft.com/{CLIENT ID}
+        //
+        jwtOptions.Audience = "{AUDIENCE}";
+    });
+builder.Services.AddAuthorization();
+
+var app = builder.Build();
+
+// Configure the HTTP request pipeline.
+app.UseHttpsRedirection();
+
+var summaries = new[]
+{
+    "Freezing", "Bracing", "Chilly", "Cool", "Mild", "Warm", "Balmy", "Hot", "Sweltering", "Scorching"
+};
+
+app.MapGet("/weather-forecast", () =>
+{
+    var forecast = Enumerable.Range(1, 5).Select(index =>
+        new WeatherForecast
+        (
+            DateOnly.FromDateTime(DateTime.Now.AddDays(index)),
+            Random.Shared.Next(-20, 55),
+            summaries[Random.Shared.Next(summaries.Length)]
+        ))
+        .ToArray();
+    return forecast;
+}).RequireAuthorization();
+
+app.Run();
+
+internal record WeatherForecast(DateOnly Date, int TemperatureC, string? Summary)
+{
+    public int TemperatureF => 32 + (int)(TemperatureC / 0.5556);
+}

8.0/BlazorWebAppOidc/MinimalApiJwt/Properties/launchSettings.json

@@ -0,0 +1,15 @@
+{
+  "$schema": "http://json.schemastore.org/launchsettings.json",
+  "profiles": {
+    "https": {
+      "commandName": "Project",
+      "dotnetRunMessages": true,
+      "launchBrowser": true,
+      "launchUrl": "weather-forecast",
+      "applicationUrl": "https://localhost:7277;http://localhost:5163",
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development"
+      }
+    }
+  }
+}

8.0/BlazorWebAppOidc/MinimalApiJwt/appsettings.Development.json

@@ -0,0 +1,8 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.AspNetCore": "Warning"
+    }
+  }
+}

8.0/BlazorWebAppOidc/MinimalApiJwt/appsettings.json

@@ -0,0 +1,9 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.AspNetCore": "Warning"
+    }
+  },
+  "AllowedHosts": "*"
+}

8.0/BlazorWebAppOidc/README.md

@@ -2,12 +2,11 @@
 
 This sample features:
 
-- A Blazor Web App with global Auto interactivity.
-  - This adds a `PersistingAuthenticationStateProvider` and `PersistentAuthenticationStateProvider` services to the
-    server and client Blazor apps respectively to capture authentication state and flow it between the server and client.
-- OIDC authentication with Microsoft Entra without using Entra-specific packages.
-  - The goal is that this sample can be used as a starting point for any OIDC authentication flow.
-- Automatic non-interactive token refresh with the help of a custom `CookieOidcRefresher`.
+* A Blazor Web App with global Auto interactivity.
+* `PersistingAuthenticationStateProvider` and `PersistentAuthenticationStateProvider` services are added to the server and client Blazor apps respectively to capture authentication state and flow it between the server and client.
+* OIDC authentication with Microsoft Entra without using Entra-specific packages. This sample can be used as a starting point for any OIDC authentication flow.
+* Automatic non-interactive token refresh with the help of a custom `CookieOidcRefresher`.
+* Secure web API call for weather data to a separate web API project. The access token is obtained from the server-side `HttpContext` and attached to outgoing requests with a custom `DelegatingHandler` service.
 
 ## Article for this sample app
 
@@ -24,8 +23,11 @@ Configure the OIDC provider using the comments in the `Program.cs` file.
 ### Visual Studio
 
 1. Open the `BlazorWebAppOidc` solution file in Visual Studio.
-1. Select the `BlazorWebAppOidc` project in **Solution Explorer** and start the app with either Visual Studio's Run button or by selecting **Start Debugging** from the **Debug** menu.
+1. Use the **Start Projects** launch profile to start the web API app and Blazor apps.
 
 ### .NET CLI
 
-In a command shell, navigate to the `BlazorWebAppOidc` project folder and use the `dotnet run` command to run the sample.
+In a command shell:
+
+* Navigate to the `MinimalApiJwt` project folder and use the `dotnet run` command to run the project.
+* Navigate to the `BlazorWebAppOidc` project folder and use the `dotnet watch` command to run the project.

8.0/BlazorWebAppOidcServer/BlazorWebAppOidcServer.slnLaunch.user

@@ -3,13 +3,13 @@
     "Name": "Start Projects",
     "Projects": [
       {
-        "Path": "BlazorWebAppOidcServer\\BlazorWebAppOidcServer.csproj",
-        "Action": "Start",
+        "Path": "MinimalApiJwt\\MinimalApiJwt.csproj",
+        "Action": "StartWithoutDebugging",
         "DebugTarget": "https"
       },
       {
-        "Path": "MinimalApiJwt\\MinimalApiJwt.csproj",
-        "Action": "StartWithoutDebugging",
+        "Path": "BlazorWebAppOidcServer\\BlazorWebAppOidcServer.csproj",
+        "Action": "Start",
         "DebugTarget": "https"
       }
     ]

8.0/BlazorWebAppOidcServer/README.md

@@ -5,7 +5,7 @@ This sample features:
 * A Blazor Web App with global Server interactivity.
 * OIDC authentication with Microsoft Entra without using Entra-specific packages. This sample can be used as a starting point for any OIDC authentication flow.
 * Automatic non-interactive token refresh with the help of a custom `CookieOidcRefresher`.
-* Secure web API call for weather data to a separate web API project. The access token is obtained from the server-side `HttpContext` and attached to outgoing requests with a `DelegatingHandler` service.
+* Secure web API call for weather data to a separate web API project. The access token is obtained from the server-side `HttpContext` and attached to outgoing requests with a custom `DelegatingHandler` service.
 
 ## Article for this sample app
 
@@ -35,5 +35,5 @@ Configure the OIDC provider using the comments in the `Program.cs` file and the
 
 In a command shell:
 
-1. Navigate to the `MinimalApiJwt` project folder and use the `dotnet run` or `dotnet watch` command to run the project.
-1. Navigate to the `BlazorWebAppOidcServer` project folder and use the `dotnet run` or `dotnet watch` command to run the project.
+1. Navigate to the `MinimalApiJwt` project folder and use the `dotnet run` command to run the project.
+1. Navigate to the `BlazorWebAppOidcServer` project folder and use the `dotnet watch` command to run the project.

9.0/BlazorWebAppEntra/BlazorWebAppEntra.slnLaunch.user

@@ -3,13 +3,13 @@
     "Name": "Start Projects",
     "Projects": [
       {
-        "Path": "BlazorWebAppEntra\\BlazorWebAppEntra.csproj",
-        "Action": "Start",
+        "Path": "MinimalApiJwt\\MinimalApiJwt.csproj",
+        "Action": "StartWithoutDebugging",
         "DebugTarget": "https"
       },
       {
-        "Path": "MinimalApiJwt\\MinimalApiJwt.csproj",
-        "Action": "StartWithoutDebugging",
+        "Path": "BlazorWebAppEntra\\BlazorWebAppEntra.csproj",
+        "Action": "Start",
         "DebugTarget": "https"
       }
     ]

9.0/BlazorWebAppOidc/BlazorWebAppOidc.sln

@@ -7,6 +7,8 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "BlazorWebAppOidc", "BlazorW
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "BlazorWebAppOidc.Client", "BlazorWebAppOidc.Client\BlazorWebAppOidc.Client.csproj", "{7B3838A1-D145-479C-9B79-6D2CD1775B71}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "MinimalApiJwt", "..\GitHub\blazor-samples\9.0\BlazorWebAppEntra\MinimalApiJwt\MinimalApiJwt.csproj", "{9C2046C8-7491-5AB5-AAA9-FB558DCE801E}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -21,6 +23,10 @@ Global
 		{7B3838A1-D145-479C-9B79-6D2CD1775B71}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{7B3838A1-D145-479C-9B79-6D2CD1775B71}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{7B3838A1-D145-479C-9B79-6D2CD1775B71}.Release|Any CPU.Build.0 = Release|Any CPU
+		{9C2046C8-7491-5AB5-AAA9-FB558DCE801E}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{9C2046C8-7491-5AB5-AAA9-FB558DCE801E}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{9C2046C8-7491-5AB5-AAA9-FB558DCE801E}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{9C2046C8-7491-5AB5-AAA9-FB558DCE801E}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE

9.0/BlazorWebAppOidc/BlazorWebAppOidc.slnLaunch.user

@@ -0,0 +1,17 @@
+[
+  {
+    "Name": "Start Projects",
+    "Projects": [
+      {
+        "Path": "MinimalApiJwt\\MinimalApiJwt.csproj",
+        "Action": "StartWithoutDebugging",
+        "DebugTarget": "https"
+      },
+      {
+        "Path": "BlazorWebAppOidc\\BlazorWebAppOidc.csproj",
+        "Action": "Start",
+        "DebugTarget": "https"
+      }
+    ]
+  }
+]