/// <summary>
/// Authenticates the specified user.
/// </summary>
/// <param name="context">The context.</param>
/// <returns></returns>
public async Task Consume(ConsumeContext <IAuthenticateUser> context)
{
var checkResult = await _checkCredentialsRequest.Request(new CheckCredentials(context.Message.UserName, context.Message.Password));
if (!checkResult.Valid)
{
await context.RespondAsync(AuthenticateUserResult.Failed());
return;
}
var user = checkResult.User;
var roles = new List <string>();
// select delegated privileges
var delegatedRights = _databaseContext.DelegatedRights.Filter(x => x.Grantee == user.UserName);
var onBehalfOf = delegatedRights.Select(x => x.Grantor).ToArray();
// add manager role
if (user.IsManager || onBehalfOf.Length > 0)
{
roles.Add(WellKnownRoles.Manager);
}
/* IMPORTANT NOTE:
* This is a temporary solution. User group name cannot be hardcoded.
* We should provide a feature that allows to map User Groups to the application roles.
* But this is postponded, because of time limit.
*/
var userGroups = user.Groups;
if (userGroups.Any(x => x.DisplayName == "Access Control Clients"))
{
roles.Add(WellKnownRoles.ClientService);
}
// create a ticket
var ticket = new Ticket(user, roles.ToArray(), onBehalfOf);
var encryptedTicket = _encryptor.Encrypt(ticket);
await context.RespondAsync(new AuthenticateUserResult(true, encryptedTicket, user));
}
public async Task <ICommandResult> Handle(AuthenticateCommand command)
{
ICommandResult result = null;
try
{
var user = await _userRepository.Authenticate(command.Username, command.Password);
if (user != null)
{
result = new AuthenticateUserResult()
{
User = new UserDTO(user.Id, user.Username),
Token = GetToken(user)
};
}
}
catch (Exception ex)
{
AddNotification("AuthenticateCommand", ex.Message);
}
return(result);
}
public async Task <IActionResult> Callback(CancellationToken cancellationToken)
{
// read external identity from the temporary cookie
AuthenticateResult result = await HttpContext.AuthenticateAsync(
IdentityServerConstants.ExternalCookieAuthenticationScheme);
if (result?.Succeeded != true)
{
throw new Exception("External authentication error");
}
AuthenticateExternalUserRequest?authRequest = CreateAuthRequest(result);
AuthenticateUserResult authResult = await _userAccountService.AuthenticateExternalUserAsync(
authRequest,
cancellationToken);
if (authResult.Success)
{
var additionalLocalClaims = new List <Claim>();
var localSignInProps = new AuthenticationProperties();
ProcessLoginCallback(result, additionalLocalClaims, localSignInProps);
// issue authentication cookie for user
var isuser = new IdentityServerUser(authResult.User !.Id.ToString("N"))
{
DisplayName = authResult.User.Name,
IdentityProvider = authRequest.Provider,
AdditionalClaims = additionalLocalClaims
};
await HttpContext.SignInAsync(isuser, localSignInProps);
// delete temporary cookie used during external authentication
await HttpContext.SignOutAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
// retrieve return URL
var returnUrl = result.Properties.Items["returnUrl"] ?? "~/";
// check if external login is in the context of an OIDC request
AuthorizationRequest context = await _interaction.GetAuthorizationContextAsync(returnUrl);
await _events.RaiseAsync(new UserLoginSuccessEvent(
authRequest.Provider,
authRequest.UserIdentifier,
authResult.User.Id.ToString("N"),
authResult.User.Name,
true,
context?.Client.ClientId));
if (context != null)
{
if (context.IsNativeClient())
{
// The client is native, so this change in how to
// return the response is for better UX for the end user.
return(this.LoadingPage("Redirect", returnUrl));
}
}
return(Redirect(returnUrl));
}
else
{
var returnUrl = result.Properties.Items["returnUrl"] ?? "~/";
// check if external login is in the context of an OIDC request
AuthorizationRequest context = await _interaction.GetAuthorizationContextAsync(returnUrl);
var vm = new UserNotFoundViewModel
{
Provider = authRequest.Provider,
BackUrl = context?.RedirectUri ?? "/"
};
return(View("UserNotFound", vm));
}
}
