/// <summary>
/// Gets Identity Provider used by a user to initiate Login process.
/// </summary>
/// <param name="throwExceptionIfAbsent">Throw exception if current provider settings are missing.</param>
/// <returns>The Identity Provider.</returns>
public static IdentityProviderClientConfigurationElement GetCurrentProviderSettings(bool throwExceptionIfAbsent = true)
{
HttpCookie currentProviderCookie = HttpContext.Current.Request.Cookies.Get(OpenIdConnectUtilities.CookieCurrentProvider);
if (currentProviderCookie == null)
{
if (throwExceptionIfAbsent)
{
RetailLogger.Log.OnlineStoreCookieNotFound(OpenIdConnectUtilities.CookieCurrentProvider, "Required for OpenIdConnect signIn");
throw new SecurityException(string.Format("{0} cookie not found.", OpenIdConnectUtilities.CookieCurrentProvider));
}
else
{
return(null);
}
}
IdentityProviderClientConfigurationElement provider = Utilities.GetIdentityProviderFromConfiguration(currentProviderCookie.Value);
if (provider == null)
{
RetailLogger.Log.OnlineStoreIdentityProviderSpecifiedInRequestCookieNotSupported(currentProviderCookie.Name, currentProviderCookie.Value);
throw new SecurityException("Identity Provider specified on request could not be found in the app config. This could happen due to a timeout; login again.");
}
return(provider);
}
public ActionResult ProviderSelected()
{
string authenticationProviderName = this.Request.Form["SelectedAuthenticationProviderName"];
IdentityProviderClientConfigurationElement provider = Utilities.GetIdentityProviderFromConfiguration(authenticationProviderName);
switch (provider.ProviderType)
{
case IdentityProviderType.OpenIdConnect:
ControllerContext.HttpContext.GetOwinContext().Authentication.Challenge(provider.Name);
return(new HttpUnauthorizedResult());
case IdentityProviderType.ACS:
// Storing cookie with current provider (used in Logoff).
HttpCookie cookie = new HttpCookie(OpenIdConnectUtilities.CookieCurrentProvider, provider.Name);
cookie.Expires = DateTime.MaxValue;
cookie.HttpOnly = true;
cookie.Secure = true;
this.HttpContext.Response.Cookies.Add(cookie);
string url = string.Format("{0}v2/wsfederation?wa=wsignin1.0&wtrealm={1}", provider.Issuer, provider.RedirectUrl);
Response.Redirect(url, true);
break;
default:
RetailLogger.Log.OnlineStoreUnsupportedIdentityProviderTypeEncountered(provider.ProviderType.ToString());
SecurityException securityException = new SecurityException(string.Format("The identity provider type {0} is not supported", provider.ProviderType));
throw securityException;
}
return(null);
}
public ActionResult SignOut()
{
Uri externalLogOffUri = null;
if (this.Request.IsAuthenticated)
{
var ctx = Request.GetOwinContext();
ctx.Authentication.SignOut(CookieConstants.ApplicationCookieAuthenticationType);
IdentityProviderClientConfigurationElement providerClient = OpenIdConnectUtilities.GetCurrentProviderSettings();
////ctx.Authentication.SignOut(providerClient.Name);
// Clean up openId nonce cookie. This is just a workaround. Ideally, we should be calling 'ctx.Authentication.SignOut(providerClient.Name)'
//// Begin workaround.
foreach (string cookieName in ControllerContext.HttpContext.Request.Cookies.AllKeys)
{
if (cookieName.StartsWith("OpenIdConnect.nonce.", StringComparison.OrdinalIgnoreCase))
{
OpenIdConnectUtilities.RemoveCookie(cookieName);
break;
}
}
//// End workaround.
externalLogOffUri = providerClient.LogOffUrl;
}
OpenIdConnectUtilities.RemoveCookie(OpenIdConnectUtilities.CookieCurrentProvider);
ServiceUtilities.CleanUpOnSignOutOrAuthFailure(this.HttpContext);
return(this.View(SignInController.SignOutViewName, externalLogOffUri));
}
/// <summary>
/// Action invoked on being redirected from open identity provider.
/// </summary>
/// <returns>View after being redirected from open identity provider.</returns>
/// <exception cref="System.NotSupportedException">Thrown when email claim does not exist.</exception>
public ActionResult OAuthV2Redirect()
{
IdentityProviderClientConfigurationElement currentProvider = OpenIdConnectUtilities.GetCurrentProviderSettings();
// Check whether provider returned an error which could be a case if a user rejected a consent.
string errorCode = this.HttpContext.Request.Params["error"];
if (errorCode != null)
{
string message = string.Format(
CultureInfo.CurrentCulture,
"The provider {0} returned error code {1} while processing user's credentials.",
currentProvider.Name,
errorCode);
this.Response.Redirect("~", false);
this.HttpContext.ApplicationInstance.CompleteRequest();
return(null);
}
string authorizationCode = OpenIdConnectUtilities.ValidateRequestAndGetAuthorizationCode();
if (authorizationCode == null)
{
string message = "Unable to find the authorization code for the login request.";
SecurityException securityException = new SecurityException(message);
throw securityException;
}
string bodyParameters = string.Format(
CultureInfo.InvariantCulture,
"grant_type=authorization_code&code={0}&redirect_uri={1}&client_id={2}&client_secret={3}",
authorizationCode,
currentProvider.RedirectUrl,
currentProvider.ClientId,
currentProvider.ClientSecret);
OpenIdConnectConfiguration providerDiscoveryDocument = OpenIdConnectUtilities.GetDiscoveryDocument(currentProvider.Issuer);
string returnValuesJson = OpenIdConnectUtilities.HttpPost(new Uri(providerDiscoveryDocument.TokenEndpoint), bodyParameters);
TokenEndpointResponse tokenResponse = OpenIdConnectUtilities.DeserilizeJson <TokenEndpointResponse>(returnValuesJson);
JwtSecurityToken token = OpenIdConnectUtilities.GetIdToken(tokenResponse.IdToken);
Claim emailClaim = token.Claims.SingleOrDefault(c => string.Equals(c.Type, OpenIdConnectUtilities.Email, StringComparison.OrdinalIgnoreCase));
string email = null;
// IdentityServer does not return email claim.
if (emailClaim != null)
{
email = emailClaim.Value;
}
return(this.GetRedirectionBasedOnAssociatedCustomer(tokenResponse.IdToken, currentProvider.ProviderType, email));
}
/// <summary>
/// Action invoked on being redirected from open identity provider.
/// </summary>
/// <returns>View after being redirected from open identity provider.</returns>
/// <exception cref="System.NotSupportedException">Thrown when email claim does not exist.</exception>
public async Task <ActionResult> OAuthV2Redirect()
{
IdentityProviderClientConfigurationElement currentProvider = OpenIdConnectUtilities.GetCurrentProviderSettings();
// Check whether provider returned an error which could be a case if a user rejected a consent.
string errorCode = ControllerContext.HttpContext.Request.Params["error"];
if (errorCode != null)
{
string message = string.Format(
"The provider {0} returned error code {1} while processing user's credentials.", currentProvider.Name, errorCode);
System.Diagnostics.Trace.TraceWarning(message);
this.Response.Redirect("~", false);
this.HttpContext.ApplicationInstance.CompleteRequest();
return(null);
}
string authorizationCode = OpenIdConnectUtilities.ValidateRequestAndGetAuthorizationCode(this.HttpContext);
if (authorizationCode == null)
{
SecurityException securityException = new SecurityException("Unable to find the authorization code for the login request.");
RetailLogger.Log.OnlineStoreAuthorizationCodeNotFoundForLogOnRequest(securityException);
throw securityException;
}
string bodyParameters = string.Format(
"grant_type=authorization_code&code={0}&redirect_uri={1}&client_id={2}&client_secret={3}",
authorizationCode,
currentProvider.RedirectUrl,
currentProvider.ClientId,
currentProvider.ClientSecret);
OpenIdConnectConfiguration providerDiscoveryDocument = OpenIdConnectUtilities.GetDiscoveryDocument(currentProvider.Issuer);
string returnValuesJson = OpenIdConnectUtilities.HttpPost(new Uri(providerDiscoveryDocument.TokenEndpoint), bodyParameters);
TokenEndpointResponse tokenResponse = OpenIdConnectUtilities.DeserilizeJson <TokenEndpointResponse>(returnValuesJson);
JwtSecurityToken token = OpenIdConnectUtilities.GetIdToken(tokenResponse.IdToken);
Claim emailClaim = token.Claims.SingleOrDefault(c => string.Equals(c.Type, CookieConstants.Email, StringComparison.OrdinalIgnoreCase));
if (emailClaim == null)
{
RetailLogger.Log.OnlineStoreClaimNotFound(CookieConstants.Email, "Required for sign up using OpenIdAuth");
throw new SecurityException("Email claim does not exist.");
}
RedirectToRouteResult redirectResult = await this.GetRedirectionBasedOnAssociatedCustomer(this.HttpContext, tokenResponse.IdToken, currentProvider.ProviderType, emailClaim.Value);
return(redirectResult);
}
public ActionResult FederatedSignOut()
{
IdentityProviderClientConfigurationElement providerClient = OpenIdConnectUtilities.GetCurrentProviderSettings();
Uri externalLogOffUri = providerClient.LogOffUrl;
OpenIdConnectUtilities.RemoveCookie(OpenIdConnectUtilities.CookieCurrentProvider);
OpenIdConnectUtilities.RemoveCookie(OpenIdConnectUtilities.CookieCurrentProviderType);
OpenIdConnectUtilities.CleanUpOnSignOutOrAuthFailure(this.HttpContext);
var model = new FederatedSignOutApiModel()
{
LogOffUri = externalLogOffUri
};
return(this.View(model));
}
private static string GetAuthenticationProviderName(string authenticationProviderUrl)
{
IDictionary <string, IdentityProviderClientConfigurationElement> identityProviderDictionary = GetIdentityProvidersFromConfig();
IdentityProviderClientConfigurationElement providerConfig = identityProviderDictionary.Values.Where(v => string.Equals(v.Issuer.OriginalString, authenticationProviderUrl, StringComparison.OrdinalIgnoreCase)).SingleOrDefault();
if (providerConfig != null)
{
return(providerConfig.Name);
}
else
{
RetailLogger.Log.OnlineStoreUnsupportedIdentityProviderTypeEncountered(authenticationProviderUrl);
return(authenticationProviderUrl);
}
}
private static IEnumerable <AuthenticationDescription> GetAuthenticationProviders(HttpContextBase httpContextBase)
{
if (SignInController.authenticationProviders == null)
{
IDictionary <string, IdentityProviderClientConfigurationElement> identityProviderDictionary = GetIdentityProvidersFromConfig();
List <AuthenticationDescription> authDescriptions = new List <AuthenticationDescription>();
foreach (AuthenticationDescription openIdConnectDescription in httpContextBase.GetOwinContext().Authentication.GetAuthenticationTypes().Where(t => t.Properties.ContainsKey(CookieConstants.Caption)))
{
KeyValuePair <string, object> authenticationType = openIdConnectDescription.Properties.Single(p => p.Key == CookieConstants.AuthenticationType);
KeyValuePair <string, object> caption = openIdConnectDescription.Properties.Single(p => p.Key == CookieConstants.Caption);
AuthenticationDescription authDescription = new AuthenticationDescription()
{
AuthenticationType = authenticationType.Value.ToString(),
Caption = caption.Value.ToString()
};
IdentityProviderClientConfigurationElement identityProvider = identityProviderDictionary[authDescription.AuthenticationType];
authDescription.Properties.Add(SignInController.ImageUrl, identityProvider.ImageUrl);
authDescription.Properties.Add(SignInController.DisplayIndex, identityProvider.DisplayIndex);
authDescriptions.Add(authDescription);
}
foreach (IdentityProviderClientConfigurationElement identityProvider in identityProviderDictionary.Values)
{
if (identityProvider.ProviderType == IdentityProviderType.ACS)
{
AuthenticationDescription authDescription = new AuthenticationDescription()
{
AuthenticationType = identityProvider.Name,
Caption = identityProvider.Name
};
authDescription.Properties.Add(SignInController.ImageUrl, identityProvider.ImageUrl);
authDescription.Properties.Add(SignInController.DisplayIndex, identityProvider.DisplayIndex);
authDescriptions.Add(authDescription);
}
}
SignInController.authenticationProviders = authDescriptions.OrderBy(ad => ad.Properties[DisplayIndex]);
}
return(SignInController.authenticationProviders);
}
public ActionResult LoginPost(string provider)
{
IdentityProviderClientConfigurationElement providerConfig = OpenIdConnectUtilities.GetIdentityProviderFromConfiguration(provider);
switch (providerConfig.ProviderType)
{
case IdentityProviderType.OpenIdConnect:
this.ControllerContext.HttpContext.GetOwinContext().Authentication.Challenge(providerConfig.Name);
return(new HttpUnauthorizedResult());
case IdentityProviderType.ACS:
// Storing cookie with current provider (used in Logoff).
OpenIdConnectUtilities.SetCookie(
this.HttpContext,
OpenIdConnectUtilities.CookieCurrentProvider,
providerConfig.Name);
OpenIdConnectUtilities.SetCookie(
this.HttpContext,
OpenIdConnectUtilities.CookieCurrentProviderType,
providerConfig.ProviderType.ToString());
string url = string.Format(
CultureInfo.InvariantCulture,
"{0}v2/wsfederation?wa=wsignin1.0&wtrealm={1}",
providerConfig.Issuer,
providerConfig.RedirectUrl);
this.Response.Redirect(url, true);
break;
default:
SecurityException securityException =
new SecurityException(
string.Format(
CultureInfo.InvariantCulture,
"The identity provider type {0} is not supported",
providerConfig.ProviderType));
throw securityException;
}
return(null);
}
private static OpenIdConnectAuthenticationOptions GetOpenIdConnectAuthenticationOptions(IdentityProviderClientConfigurationElement provider)
{
OpenIdConnectAuthenticationOptions options = new OpenIdConnectAuthenticationOptions
{
AuthenticationType = provider.Name,
Caption = provider.Name,
ClientId = provider.ClientId,
Authority = provider.Issuer.ToString(),
RedirectUri = provider.RedirectUrl.ToString(),
// Leveraging Authorization Code grant
ResponseType = "code",
Scope = "openid email",
Notifications = GetOpenIdConnectAuthenticationNotifications()
};
return(options);
}
