remove app permission from sample

Author: salman90

6-AdvancedScenarios/1-call-api-obo/API/auth/permissionUtils.js

@@ -1,30 +1,3 @@
-/**
- * Indicates whether the access token was issued to a user or an application.
- * @param {Object} accessTokenPayload 
- * @returns {boolean}
- */
-const isAppOnlyToken = (accessTokenPayload) => {
-    /**
-     * An access token issued by Azure AD will have at least one of the two claims. Access tokens
-     * issued to a user will have the 'scp' claim. Access tokens issued to an application will have
-     * the roles claim. Access tokens that contain both claims are issued only to users, where the scp
-     * claim designates the delegated permissions, while the roles claim designates the user's role.
-     *
-     * To determine whether an access token was issued to a user (i.e delegated) or an application
-     * more easily, we recommend enabling the optional claim 'idtyp'. For more information, see:
-     * https://docs.microsoft.com/azure/active-directory/develop/access-tokens#user-and-application-tokens
-     */
-     if (!accessTokenPayload.hasOwnProperty('idtyp')) {
-        if (accessTokenPayload.hasOwnProperty('scp')) {
-            return false;
-        } else if (!accessTokenPayload.hasOwnProperty('scp') && accessTokenPayload.hasOwnProperty('roles')) {
-            return true;
-        }
-    }
-
-    return accessTokenPayload.idtyp === 'app';
-};
-
 /**
  * Ensures that the access token has the specified delegated permissions.
  * @param {Object} accessTokenPayload: Parsed access token payload
@@ -42,25 +15,6 @@ const isAppOnlyToken = (accessTokenPayload) => {
     return false;
 }
 
-/**
- * Ensures that the access token has the specified application permissions.
- * @param {Object} accessTokenPayload: Parsed access token payload
- * @param {Array} requiredPermission: list of required permissions
- * @returns {boolean}
- */
-const hasRequiredApplicationPermissions = (accessTokenPayload, requiredPermission) => {
-    const normalizedRequiredPermissions = requiredPermission.map(permission => permission.toUpperCase());
-
-    if (accessTokenPayload.hasOwnProperty('roles') && accessTokenPayload.roles
-        .some(claim => normalizedRequiredPermissions.includes(claim.toUpperCase()))) {
-        return true;
-    }
-
-    return false;
-}
-
 module.exports = {
-    isAppOnlyToken,
     hasRequiredDelegatedPermissions,
-    hasRequiredApplicationPermissions,
 }

6-AdvancedScenarios/1-call-api-obo/API/controllers/profileController.js

@@ -1,56 +1,27 @@
 const { getOboToken } = require('../MsalOnBehalfOfClient');
 const { getGraphClient } = require('../util/graphClient');
 const { ResponseType } = require('@microsoft/microsoft-graph-client');
-const  authConfig  = require('../authConfig');
+const authConfig = require('../authConfig');
 
 const {
-    isAppOnlyToken,
     hasRequiredDelegatedPermissions,
-    hasRequiredApplicationPermissions,
 } = require('../auth/permissionUtils');
 
-
 exports.getProfile = async (req, res, next) => {
-    if (isAppOnlyToken(req.authInfo)) {
-        if (
-            hasRequiredApplicationPermissions(
-                req.authInfo,
-                authConfig.resources.middleTierAPI.applicationPermissions.scopes
-            )
-        ) {
-            try {                
-                 accessToken = await getOboToken(tokenValue);
-                 let graphResponse = await getGraphClient(accessToken).api('/me').responseType(ResponseType.RAW).get();
-                 graphResponse = await graphResponse.json();
-                 res.status(200).send(graphResponse);
-             } catch (error) {
-                 next(error);
-             }
-        }else {
-             next(new Error('Application does not have the required permissions'));
+    const userToken = req.get('authorization');
+    const [bearer, tokenValue] = userToken.split(' ');
+
+    let accessToken;
+    if (hasRequiredDelegatedPermissions(req.authInfo, authConfig.resources.middleTierAPI.delegatedPermissions.scopes)) {
+        try {
+            accessToken = await getOboToken(tokenValue);
+            let graphResponse = await getGraphClient(accessToken).api('/me').responseType(ResponseType.RAW).get();
+            graphResponse = await graphResponse.json();
+            res.json(graphResponse);
+        } catch (error) {
+            next(error);
         }
     } else {
-        const userToken = req.get('authorization');
-        const [bearer, tokenValue] = userToken.split(' ');
-        
-        let accessToken;
-        if (
-            hasRequiredDelegatedPermissions(
-                req.authInfo,
-                authConfig.resources.middleTierAPI.delegatedPermissions.scopes
-            )
-        ) {
-            try {
-                accessToken = await getOboToken(tokenValue);
-                let graphResponse = await getGraphClient(accessToken).api('/me').responseType(ResponseType.RAW).get();
-                graphResponse = await graphResponse.json();
-                res.json(graphResponse);
-            } catch (error) {
-                next(error);
-            }
-        } else {
-            next(new Error('User does not have the required permissions'));
-        }
-        
-    } 
-};
+        next(new Error('User does not have the required permissions'));
+    }
+};