private static Lazy<OAuthBearerAuthenticationOptions> ConfigureEndpointValidation(IdentityServerBearerTokenAuthenticationOptions options, ILoggerFactory loggerFactory)
{
return new Lazy<OAuthBearerAuthenticationOptions>(() =>
{
if (options.EnableValidationResultCache)
{
if (options.ValidationResultCache == null)
{
options.ValidationResultCache = new InMemoryValidationResultCache(options);
}
}
var bearerOptions = new OAuthBearerAuthenticationOptions
{
AuthenticationMode = options.AuthenticationMode,
AuthenticationType = options.AuthenticationType,
Provider = new ContextTokenProvider(options.TokenProvider),
};
if (!string.IsNullOrEmpty(options.ClientId) || options.IntrospectionHttpHandler != null)
{
bearerOptions.AccessTokenProvider = new IntrospectionEndpointTokenProvider(options, loggerFactory);
}
else
{
bearerOptions.AccessTokenProvider = new ValidationEndpointTokenProvider(options, loggerFactory);
}
return bearerOptions;
}, true);
}
public static void UseIdentityServerBearerTokenAuthentication(this IApplicationBuilder app, IdentityServerBearerTokenAuthenticationOptions options)
{
app.UseOwin(addToPipeline =>
{
addToPipeline(next =>
{
var builder = new Microsoft.Owin.Builder.AppBuilder();
var loggerFactory = app.ApplicationServices.GetService<Microsoft.Extensions.Logging.ILoggerFactory>();
var lifetime = app.ApplicationServices.GetService<IApplicationLifetime>();
var owinLoggerFactory = new OwinLoggerFactory(loggerFactory);
var provider = app.ApplicationServices.GetService(typeof(Microsoft.AspNet.DataProtection.IDataProtectionProvider)) as Microsoft.AspNet.DataProtection.IDataProtectionProvider;
var properties = new AppProperties(builder.Properties);
properties.OnAppDisposing = lifetime.ApplicationStopping;
properties.DefaultApp = next;
builder.SetLoggerFactory(owinLoggerFactory);
builder.Properties["security.DataProtectionProvider"] = new DataProtectionProviderDelegate(purposes =>
{
var dataProtection = provider.CreateProtector(string.Join(",", purposes));
return new DataProtectionTuple(dataProtection.Protect, dataProtection.Unprotect);
});
builder.UseIdentityServerBearerTokenAuthentication(options);
return builder.Build(typeof(Func<IDictionary<string, object>, Task>)) as Func<IDictionary<string, object>, Task>;
});
});
}
public virtual IdentityServerBearerTokenAuthenticationOptions BuildIdentityServerBearerTokenAuthenticationOptions()
{
AppEnvironment activeAppEnvironment = _appEnvironmentProvider.GetActiveAppEnvironment();
IdentityServerBearerTokenAuthenticationOptions authOptions = new IdentityServerBearerTokenAuthenticationOptions
{
ClientId = activeAppEnvironment.Security.ClientId,
Authority = activeAppEnvironment.GetSsoUrl(),
DelayLoadMetadata = true,
RequiredScopes = activeAppEnvironment.Security.Scopes,
ClientSecret = activeAppEnvironment.Security.ClientSecret,
EnableValidationResultCache = true,
ValidationResultCacheDuration = TimeSpan.FromMinutes(15),
// ValidationMode = ValidationMode.ValidationEndpoint,
ValidationMode = ValidationMode.Local,
PreserveAccessToken = true,
SigningCertificate = _certificateProvider.GetSingleSignOnCertificate(),
BackchannelHttpHandler = GetHttpClientHandler(nameof(IdentityServerBearerTokenAuthenticationOptions.BackchannelHttpHandler)),
IntrospectionHttpHandler = GetHttpClientHandler(nameof(IdentityServerBearerTokenAuthenticationOptions.IntrospectionHttpHandler)),
IssuerName = activeAppEnvironment.GetSsoIssuerName()
};
return(authOptions);
}
public void InvokingConstructor_WithOptionsOnly_ShouldNotError()
{
var options = new IdentityServerBearerTokenAuthenticationOptions();
new InMemoryValidationResultCache(options);
}
/// <summary>
/// Add identity server token authentication to the pipeline.
/// </summary>
/// <param name="app">The application.</param>
/// <param name="options">The options.</param>
/// <returns></returns>
public static IAppBuilder UseIdentityServerBearerTokenAuthentication(this IAppBuilder app, IdentityServerBearerTokenAuthenticationOptions options)
{
if (app == null)
{
throw new ArgumentNullException("app");
}
if (options == null)
{
throw new ArgumentNullException("options");
}
if (string.IsNullOrEmpty(options.Authority))
{
throw new ArgumentException("Authority must be set", "authority");
}
var loggerFactory = app.GetLoggerFactory();
var middlewareOptions = new IdentityServerOAuthBearerAuthenticationOptions();
if (options.ValidationMode == ValidationMode.Both ||
options.ValidationMode == ValidationMode.Local)
{
middlewareOptions.LocalValidationOptions = ConfigureLocalValidation(options, loggerFactory);
}
if (options.ValidationMode == ValidationMode.Both ||
options.ValidationMode == ValidationMode.ValidationEndpoint)
{
middlewareOptions.EndpointValidationOptions = ConfigureEndpointValidation(options, loggerFactory);
}
if (options.TokenProvider != null)
{
middlewareOptions.TokenProvider = options.TokenProvider;
}
app.Use <IdentityServerBearerTokenValidationMiddleware>(middlewareOptions);
if (options.RequiredScopes.Any())
{
app.Use <ScopeRequirementMiddleware>(options.RequiredScopes);
}
if (options.PreserveAccessToken)
{
app.Use <PreserveAccessTokenMiddleware>();
}
return(app);
}
/// <summary>
/// Initializes a new instance of the <see cref="InMemoryValidationResultCache"/> class.
/// </summary>
/// <param name="options">The options.</param>
public InMemoryValidationResultCache(IdentityServerBearerTokenAuthenticationOptions options)
: this(options, new Clock(), new Cache())
{
}
public void Configuration(IAppBuilder app)
{
var config = System.Web.Http.GlobalConfiguration.Configuration;
config.Formatters.JsonFormatter.SerializerSettings.NullValueHandling =
Newtonsoft.Json.NullValueHandling.Ignore;
config.CacheOutputConfiguration().RegisterCacheOutputProvider(() => new CustomCacheProvider());
config.CacheOutputConfiguration().RegisterDefaultCacheKeyGeneratorProvider(() => new CustomCacheKeyGenerator());
ConfigureServices(app, config);
BundleConfig.RegisterBundles(BundleTable.Bundles);
System.Web.Http.GlobalConfiguration.Configuration.Formatters.JsonFormatter.SerializerSettings.NullValueHandling =
Newtonsoft.Json.NullValueHandling.Ignore;
app.CreatePerOwinContext(MiniSessionManager.Create);
app.CreatePerOwinContext <UserManager>(UserManager.Create);
app.CreatePerOwinContext(() =>
{
var signInManager = new SignInManager <IdentityUser, string>(
HttpContext.Current.GetOwinContext().GetUserManager <UserManager>(),
HttpContext.Current.GetOwinContext().Authentication
);
return(signInManager);
});
System.Web.Http.GlobalConfiguration.Configure(ThrottleConfig.Register);
System.Web.Http.GlobalConfiguration.Configure(APIRegistryConfig.Register);
int cookieValidationIntervalInSeconds = 1;
try
{
cookieValidationIntervalInSeconds = int.Parse(ConfigurationManager.AppSettings["AuthenticationCookieValidationIntervalInSeconds"]);
}
catch (Exception e)
{
log4net.LogManager.GetLogger("CookieValidationInterval").Error("Could not parse Cookie Validation Interval Setting! Using default...", e);
}
// Retrieve Session Storage cache settings, to sync with authentication cookie
var authenticationCookineExpirationTimeout = TimeSpan.FromMinutes(20);
//var authenticationCookineSlidingExpiration = true;
try
{
var cacheConfig = CacheFactory.FromConfiguration <object>(CacheManager.Core.ConfigurationBuilder.LoadConfiguration("SessionStateStorage"));
var sessionCacheHandle = cacheConfig.CacheHandles.FirstOrDefault();
authenticationCookineExpirationTimeout = sessionCacheHandle.Configuration.ExpirationTimeout;
//authenticationCookineSlidingExpiration = sessionCacheHandle.Configuration.ExpirationMode == ExpirationMode.Sliding;
}
catch (Exception e)
{
log4net.LogManager.GetLogger("SessionStateStorage").Error("Could not retrieve cache configuration for Session Storage!", e);
}
log4net.LogManager.GetLogger("AuthenticationCookie").Info($"Authentication Cookie Timeout: {authenticationCookineExpirationTimeout.Minutes} minute(s)");
//log4net.LogManager.GetLogger("AuthenticationCookie").Info($"Authentication Cookie Sliding Expiration Enabled: {authenticationCookineSlidingExpiration}");
app.UseCookieAuthentication(
new CookieAuthenticationOptions
{
CookieName = ConfigurationManager.AppSettings["AuthenticationCookieName"],
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
ExpireTimeSpan = authenticationCookineExpirationTimeout,
//SlidingExpiration = authenticationCookineSlidingExpiration, // Sliding expiration is always what happens despite this setting
LoginPath = new PathString("/SignInPage/Load"),
ReturnUrlParameter = "returnUrl",
Provider = new CookieAuthenticationProvider
{
OnApplyRedirect = context =>
{
log4net.LogManager.GetLogger("CookieAuthenticationProvider").Error("REDIRECTING!!!");
},
OnValidateIdentity = ApplicationCookieIdentityValidator.OnValidateIdentity(validateInterval: TimeSpan.FromSeconds(cookieValidationIntervalInSeconds)),
OnException = context => log4net.LogManager.GetLogger("IdentityLogger").DebugFormat("CookieAuthenticationProvider Error for req: {0}", context.Request.Path)
},
});
app.UseBasicAuthentication(new BasicAuthenticationOptions("", (id, secret) =>
{
try
{
if (!IdentityHelper.ValidateUser(id, secret))
{
return(Task.FromResult <IEnumerable <Claim> >(null));
}
var user = IdentityHelper.GetUserManager().FindByName(id);
if (user == null)
{
return(Task.FromResult <IEnumerable <Claim> >(new List <Claim>()));
}
var claims = user.User.Permissions.Select(p => new Claim(ClaimTypes.Permission, p.Name)).ToList();
claims.Add(new Claim(System.Security.Claims.ClaimTypes.Name, user.UserName));
if (!string.IsNullOrWhiteSpace(user.User.Email))
{
claims.Add(new Claim(System.Security.Claims.ClaimTypes.Email, user.User.Email));
}
var userRoles = user.User.Roles.Select(r => new Claim(System.Security.Claims.ClaimTypes.Role, r.Name));
claims.AddRange(userRoles);
return(Task.FromResult <IEnumerable <Claim> >(claims));
}
catch (Exception e)
{
log4net.LogManager.GetLogger("BasicAuthentication.CredentialValidationFunction").Error("Error validating identity!", e);
return(Task.FromResult <IEnumerable <Claim> >(null));
}
}));
if (!string.IsNullOrWhiteSpace(ConfigurationManager.AppSettings["idsrv:authority"]))
{
var options = new IdentityServerBearerTokenAuthenticationOptions
{
Authority = ConfigurationManager.AppSettings["idsrv:authority"]
};
if (!string.IsNullOrWhiteSpace(ConfigurationManager.AppSettings["idsrv:scopes"]))
{
options.RequiredScopes = ConfigurationManager.AppSettings["idsrv:scopes"].Split(' ');
}
if (!string.IsNullOrWhiteSpace(ConfigurationManager.AppSettings["idsrv:clientid"]) &&
!string.IsNullOrWhiteSpace(ConfigurationManager.AppSettings["idsrv:clientsecret"]))
{
options.ClientId = ConfigurationManager.AppSettings["idsrv:clientid"];
options.ClientSecret = ConfigurationManager.AppSettings["idsrv:clientsecret"];
}
app.UseIdentityServerBearerTokenAuthentication(options);
}
else
{
// Configure the application for OAuth based flow
var PublicClientId = "self";
var OAuthOptions = new OAuthAuthorizationServerOptions
{
TokenEndpointPath = new PathString("/OAuth/Token"),
Provider = new zAppDev.DotNet.Framework.Identity.AppOAuthProvider(PublicClientId),
AuthorizeEndpointPath = new PathString("/OAuth/Account/ExternalLogin"),
AccessTokenExpireTimeSpan = TimeSpan.FromHours(4),
AllowInsecureHttp = true // Don't do this in production ONLY FOR DEVELOPING: ALLOW INSECURE HTTP!
};
// Enable the application to use bearer tokens to authenticate users
app.UseOAuthBearerTokens(OAuthOptions);
}
Microsoft.AspNet.SignalR.GlobalHost.DependencyResolver.Register(typeof(Newtonsoft.Json.JsonSerializer), () =>
{
return(Newtonsoft.Json.JsonSerializer.Create(new Newtonsoft.Json.JsonSerializerSettings
{
NullValueHandling = Newtonsoft.Json.NullValueHandling.Ignore,
ReferenceLoopHandling = Newtonsoft.Json.ReferenceLoopHandling.Ignore,
ContractResolver = new zAppDev.DotNet.Framework.Utilities.NHibernateContractResolver()
}));
});
app.MapSignalR();
zAppDev.DotNet.Framework.Identity.IdentityHelper.AllowMultipleSessionsPerUser = true;
zAppDev.DotNet.Framework.Identity.IdentityHelper.AdminCanResetPassword = false;
DSS3_LogisticsPoolingForUrbanDistribution.DatabaseSeeder databaseSeeder = new DSS3_LogisticsPoolingForUrbanDistribution.DatabaseSeeder();
databaseSeeder.UpdateAuthorizationTables();
ConfigeAuditTrailManager();
ServiceLocator.Current.GetInstance <zAppDev.DotNet.Framework.Workflow.ScheduleManager>();
ServiceLocator.Current.GetInstance <zAppDev.DotNet.Framework.Workflow.WorkflowManager>()
.Init(typeof(DSS3_LogisticsPoolingForUrbanDistribution.DAL.Repository).Assembly);
DSS3_LogisticsPoolingForUrbanDistribution.Hubs.EventsHub.RaiseApplicationStart();
zAppDev.DotNet.Framework.Mvc.FileHelper.ClearTempData();
}
internal static Lazy <OAuthBearerAuthenticationOptions> ConfigureLocalValidation(IdentityServerBearerTokenAuthenticationOptions options, ILoggerFactory loggerFactory)
{
return(new Lazy <OAuthBearerAuthenticationOptions>(() =>
{
JwtFormat tokenFormat = null;
// use static configuration
if (!string.IsNullOrWhiteSpace(options.IssuerName) &&
options.SigningCertificate != null)
{
// IdSrv3 hard-codes the value when issuing a token using the pattern below
var audience = options.IssuerName.EnsureTrailingSlash() + "resources";
// Use the configured values if present, otherwise fallback to the defaulted value
List <string> validAudiences;
if (options.ValidAudiences != null && options.ValidAudiences.Count() > 0)
{
validAudiences = new List <string>(options.ValidAudiences);
}
else
{
validAudiences = new List <string>()
{
audience
}
};
var valParams = new TokenValidationParameters
{
ValidIssuer = options.IssuerName,
ValidAudiences = validAudiences,
ValidateAudience = true,
IssuerSigningKey = new X509SecurityKey(options.SigningCertificate),
NameClaimType = options.NameClaimType,
RoleClaimType = options.RoleClaimType,
};
tokenFormat = new JwtFormat(valParams);
}
else
{
// use discovery endpoint
if (string.IsNullOrWhiteSpace(options.Authority))
{
throw new Exception("Either set IssuerName and SigningCertificate - or Authority");
}
var discoveryEndpoint = options.Authority.EnsureTrailingSlash();
discoveryEndpoint += ".well-known/openid-configuration";
var issuerProvider = new DiscoveryDocumentIssuerSecurityTokenProvider(
discoveryEndpoint,
options,
loggerFactory);
// Use the configured values if present, otherwise fallback to the discovery document's value
// (which is actually hard-coded to _issuer + "/resources")
List <string> validAudiences;
if (options.ValidAudiences != null && options.ValidAudiences.Count() > 0)
{
validAudiences = new List <string>(options.ValidAudiences);
}
else
{
validAudiences = new List <string>()
{
issuerProvider.Audience
}
};
var valParams = new TokenValidationParameters
{
ValidAudiences = validAudiences,
ValidateAudience = true,
NameClaimType = options.NameClaimType,
RoleClaimType = options.RoleClaimType
};
if (options.IssuerSigningKeyResolver != null)
{
valParams.IssuerSigningKeyResolver = options.IssuerSigningKeyResolver;
}
else
{
valParams.IssuerSigningKeyResolver = IssuerSigningKeyResolver;
}
tokenFormat = new JwtFormat(valParams, issuerProvider);
}
var bearerOptions = new OAuthBearerAuthenticationOptions
{
AccessTokenFormat = tokenFormat,
AuthenticationMode = options.AuthenticationMode,
AuthenticationType = options.AuthenticationType,
Provider = new ContextTokenProvider(options.TokenProvider)
};
return bearerOptions;
}, LazyThreadSafetyMode.PublicationOnly));
}
internal static Lazy <OAuthBearerAuthenticationOptions> ConfigureLocalValidation(IdentityServerBearerTokenAuthenticationOptions options, ILoggerFactory loggerFactory)
{
return(new Lazy <OAuthBearerAuthenticationOptions>(() =>
{
JwtFormat tokenFormat = null;
// use static configuration
if (!string.IsNullOrWhiteSpace(options.IssuerName) &&
options.SigningCertificate != null)
{
var audience = options.IssuerName.EnsureTrailingSlash();
audience += "resources";
var valParams = new TokenValidationParameters
{
ValidIssuer = options.IssuerName,
ValidAudience = audience,
IssuerSigningKey = new X509SecurityKey(options.SigningCertificate),
NameClaimType = options.NameClaimType,
RoleClaimType = options.RoleClaimType,
};
tokenFormat = new JwtFormat(valParams);
}
else
{
// use discovery endpoint
if (string.IsNullOrWhiteSpace(options.Authority))
{
throw new Exception("Either set IssuerName and SigningCertificate - or Authority");
}
var discoveryEndpoint = options.Authority.EnsureTrailingSlash();
discoveryEndpoint += ".well-known/openid-configuration";
var issuerProvider = new DiscoveryDocumentIssuerSecurityTokenProvider(
discoveryEndpoint,
options,
loggerFactory);
var valParams = new TokenValidationParameters
{
ValidAudience = issuerProvider.Audience,
NameClaimType = options.NameClaimType,
RoleClaimType = options.RoleClaimType
};
if (options.IssuerSigningKeyResolver != null)
{
valParams.IssuerSigningKeyResolver = options.IssuerSigningKeyResolver;
}
else
{
valParams.IssuerSigningKeyResolver = ResolveRsaKeys;
}
tokenFormat = new JwtFormat(valParams, issuerProvider);
}
var bearerOptions = new OAuthBearerAuthenticationOptions
{
AccessTokenFormat = tokenFormat,
AuthenticationMode = options.AuthenticationMode,
AuthenticationType = options.AuthenticationType,
Provider = new ContextTokenProvider(options.TokenProvider)
};
return bearerOptions;
}, LazyThreadSafetyMode.PublicationOnly));
}
public static IAppBuilder UseIdentityServerBearerTokenAuthentication(this IAppBuilder app, IdentityServerBearerTokenAuthenticationOptions options)
{
if (options == null)
{
throw new ArgumentNullException("options");
}
if (options.ValidationMode == ValidationMode.Local)
{
app.UseLocalValidation(options);
}
else if (options.ValidationMode == ValidationMode.ValidationEndpoint)
{
app.UseValidationEndpoint(options);
}
if (options.RequiredScopes.Any())
{
app.Use <ScopeRequirementMiddleware>(options.RequiredScopes);
}
return(app);
}
public static void UseIdentityServerBearerTokenAuthentication(this IApplicationBuilder app, IdentityServerBearerTokenAuthenticationOptions options)
{
app.UseOwin(addToPipeline =>
{
addToPipeline(next =>
{
var builder = new Microsoft.Owin.Builder.AppBuilder();
var loggerFactory = app.ApplicationServices.GetService <Microsoft.Framework.Logging.ILoggerFactory>();
var lifetime = app.ApplicationServices.GetService <IApplicationLifetime>();
var owinLoggerFactory = new OwinLoggerFactory(loggerFactory);
var provider = app.ApplicationServices.GetService(typeof(Microsoft.AspNet.DataProtection.IDataProtectionProvider)) as Microsoft.AspNet.DataProtection.IDataProtectionProvider;
var properties = new AppProperties(builder.Properties);
properties.OnAppDisposing = lifetime.ApplicationStopping;
properties.DefaultApp = next;
builder.SetLoggerFactory(owinLoggerFactory);
builder.Properties["security.DataProtectionProvider"] = new DataProtectionProviderDelegate(purposes =>
{
var dataProtection = provider.CreateProtector(string.Join(",", purposes));
return(new DataProtectionTuple(dataProtection.Protect, dataProtection.Unprotect));
});
builder.UseIdentityServerBearerTokenAuthentication(options);
return(builder.Build(typeof(Func <IDictionary <string, object>, Task>)) as Func <IDictionary <string, object>, Task>);
});
});
}
public DiscoveryDocumentIssuerSecurityTokenProvider(string discoveryEndpoint, IdentityServerBearerTokenAuthenticationOptions options, ILoggerFactory loggerFactory)
{
_logger = loggerFactory.Create(this.GetType().FullName);
var handler = options.BackchannelHttpHandler ?? new WebRequestHandler();
if (options.BackchannelCertificateValidator != null)
{
// Set the cert validate callback
var webRequestHandler = handler as WebRequestHandler;
if (webRequestHandler == null)
{
throw new InvalidOperationException("The back channel handler must derive from WebRequestHandler in order to use a certificate validator");
}
webRequestHandler.ServerCertificateValidationCallback = options.BackchannelCertificateValidator.Validate;
}
// _configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(discoveryEndpoint, new HttpClient(handler))
_configurationManager = new ConfigurationManager <OpenIdConnectConfiguration>(discoveryEndpoint, new OpenIdConnectConfigurationRetriever(), new HttpClient(handler))
{
AutomaticRefreshInterval = options.AutomaticRefreshInterval
};
if (!options.DelayLoadMetadata)
{
RetrieveMetadata();
}
}
internal static Lazy <OAuthBearerAuthenticationOptions> ConfigureLocalValidation(IdentityServerBearerTokenAuthenticationOptions options, ILoggerFactory loggerFactory)
{
return(new Lazy <OAuthBearerAuthenticationOptions>(() =>
{
JwtFormat tokenFormat = null;
// use static configuration
if (!string.IsNullOrWhiteSpace(options.IssuerName) &&
options.SigningCertificate != null)
{
string audience = null;
bool validateAudience = true;
// if API name is set, do a strict audience check for
//https://github.com/IdentityServer/IdentityServer4.AccessTokenValidation/blob/677bf6863a27c851270436faf9dfac437f46d90d/src/IdentityServerAuthenticationOptions.cs#L192
if (!string.IsNullOrWhiteSpace(options.ApiName) && !options.LegacyAudienceValidation)
{
audience = options.ApiName;
}
else if (options.LegacyAudienceValidation)
{
audience = options.IssuerName.EnsureTrailingSlash() + "resources";
}
else
{
// no audience validation, rely on scope checks only
validateAudience = false;
}
var valParams = new TokenValidationParameters
{
ValidIssuer = options.IssuerName,
ValidAudience = audience,
ValidateAudience = validateAudience,
IssuerSigningKey = new X509SecurityKey(options.SigningCertificate),
NameClaimType = options.NameClaimType,
RoleClaimType = options.RoleClaimType,
};
tokenFormat = new JwtFormat(valParams);
}
else
{
// use discovery endpoint
if (string.IsNullOrWhiteSpace(options.Authority))
{
throw new Exception("Either set IssuerName and SigningCertificate - or Authority");
}
var discoveryEndpoint = options.Authority.EnsureTrailingSlash();
discoveryEndpoint += ".well-known/openid-configuration";
var issuerProvider = new DiscoveryDocumentIssuerSecurityTokenProvider(
discoveryEndpoint,
options,
loggerFactory);
string audience = issuerProvider.Audience;
bool validateAudience = true;
// if API name is set, do a strict audience check for
//https://github.com/IdentityServer/IdentityServer4.AccessTokenValidation/blob/677bf6863a27c851270436faf9dfac437f46d90d/src/IdentityServerAuthenticationOptions.cs#L192
if (string.IsNullOrWhiteSpace(audience) && !options.LegacyAudienceValidation)
{
// no audience validation, rely on scope checks only
validateAudience = false;
}
var valParams = new TokenValidationParameters
{
ValidAudience = audience,
ValidateAudience = validateAudience,
NameClaimType = options.NameClaimType,
RoleClaimType = options.RoleClaimType
};
if (options.IssuerSigningKeyResolver != null)
{
valParams.IssuerSigningKeyResolver = options.IssuerSigningKeyResolver;
}
else
{
valParams.IssuerSigningKeyResolver = IssuerSigningKeyResolver;
}
tokenFormat = new JwtFormat(valParams, issuerProvider);
}
var bearerOptions = new OAuthBearerAuthenticationOptions
{
AccessTokenFormat = tokenFormat,
AuthenticationMode = options.AuthenticationMode,
AuthenticationType = options.AuthenticationType,
Provider = new ContextTokenProvider(options.TokenProvider)
};
return bearerOptions;
}, LazyThreadSafetyMode.PublicationOnly));
}
public void Configuration(IAppBuilder app)
{
AntiForgeryConfig.UniqueClaimTypeIdentifier = Thinktecture.IdentityServer.Core.Constants.ClaimTypes.Subject;
JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary <string, string>();
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = "Cookies"
});
var openIdConfig = new OpenIdConnectAuthenticationOptions
{
Authority = "https://localhost:44301/identity",
ClientId = "baseballStats",
Scope = "openid profile roles baseballStatsApi",
RedirectUri = "https://localhost:44300/",
ResponseType = "id_token token",
SignInAsAuthenticationType = "Cookies",
UseTokenLifetime = false,
Notifications = new OpenIdConnectAuthenticationNotifications
{
SecurityTokenValidated = async n =>
{
var userInfoClient = new UserInfoClient(
new Uri(n.Options.Authority + "/connect/userinfo"),
n.ProtocolMessage.AccessToken);
var userInfo = await userInfoClient.GetAsync();
// create new identity and set name and role claim type
var nid = new ClaimsIdentity(
n.AuthenticationTicket.Identity.AuthenticationType,
Thinktecture.IdentityServer.Core.Constants.ClaimTypes.GivenName,
Thinktecture.IdentityServer.Core.Constants.ClaimTypes.Role);
userInfo.Claims.ToList().ForEach(c => nid.AddClaim(new Claim(c.Item1, c.Item2)));
// keep the id_token for logout
nid.AddClaim(new Claim("id_token", n.ProtocolMessage.IdToken));
// add access token for sample API
nid.AddClaim(new Claim("access_token", n.ProtocolMessage.AccessToken));
// keep track of access token expiration
nid.AddClaim(new Claim("expires_at", DateTimeOffset.Now.AddSeconds(int.Parse(n.ProtocolMessage.ExpiresIn)).ToString()));
// add some other app specific claim
nid.AddClaim(new Claim("app_specific", "some data"));
n.AuthenticationTicket = new AuthenticationTicket(
nid,
n.AuthenticationTicket.Properties);
n.Request.Headers.SetValues("Authorization ", new string[] { "Bearer ", n.ProtocolMessage.AccessToken });
}
}
};
app.UseOpenIdConnectAuthentication(openIdConfig);
app.UseResourceAuthorization(new AuthorizationManager());
app.Map("/api", inner =>
{
var bearerTokenOptions = new IdentityServerBearerTokenAuthenticationOptions
{
Authority = "https://localhost:44301/identity",
RequiredScopes = new[] { "baseballStatsApi" }
};
inner.UseIdentityServerBearerTokenAuthentication(bearerTokenOptions);
var config = new HttpConfiguration();
config.MapHttpAttributeRoutes();
inner.UseWebApi(config);
});
}
public void InvokingConstructor_WithNullIClock_ShouldError()
{
var options = new IdentityServerBearerTokenAuthenticationOptions();
Assert.Throws <ArgumentNullException>(() => new InMemoryValidationResultCache(options, null, new Cache()));
}
static void DebugToConsole(DateTime now, DateTimeOffset expiryClaimSaysTokenExpiresAt, IdentityServerBearerTokenAuthenticationOptions options, DateTimeOffset cacheExpiryEvictsTokenAt, DateTimeOffset expectedCacheExpiry)
{
Console.WriteLine("now: {0}", now);
Console.WriteLine("expiry claim says token expires at: {0}", expiryClaimSaysTokenExpiresAt);
Console.WriteLine("claims cache duration: {0}", options.ValidationResultCacheDuration);
Console.WriteLine("cache expiry evicts token at: {0}", cacheExpiryEvictsTokenAt);
Console.WriteLine("expected cache expiry: {0}", expectedCacheExpiry);
}
internal static Lazy<OAuthBearerAuthenticationOptions> ConfigureLocalValidation(IdentityServerBearerTokenAuthenticationOptions options, ILoggerFactory loggerFactory)
{
return new Lazy<OAuthBearerAuthenticationOptions>(() =>
{
JwtFormat tokenFormat = null;
// use static configuration
if (!string.IsNullOrWhiteSpace(options.IssuerName) &&
options.SigningCertificate != null)
{
var audience = options.IssuerName.EnsureTrailingSlash();
audience += "resources";
var valParams = new TokenValidationParameters
{
ValidIssuer = options.IssuerName,
ValidAudience = audience,
IssuerSigningToken = new X509SecurityToken(options.SigningCertificate),
NameClaimType = options.NameClaimType,
RoleClaimType = options.RoleClaimType,
};
tokenFormat = new JwtFormat(valParams);
}
else
{
// use discovery endpoint
if (string.IsNullOrWhiteSpace(options.Authority))
{
throw new Exception("Either set IssuerName and SigningCertificate - or Authority");
}
var discoveryEndpoint = options.Authority.EnsureTrailingSlash();
discoveryEndpoint += ".well-known/openid-configuration";
var issuerProvider = new DiscoveryDocumentIssuerSecurityTokenProvider(
discoveryEndpoint,
options,
loggerFactory);
var valParams = new TokenValidationParameters
{
ValidAudience = issuerProvider.Audience,
NameClaimType = options.NameClaimType,
RoleClaimType = options.RoleClaimType
};
tokenFormat = new JwtFormat(valParams, issuerProvider);
}
var bearerOptions = new OAuthBearerAuthenticationOptions
{
AccessTokenFormat = tokenFormat,
AuthenticationMode = options.AuthenticationMode,
AuthenticationType = options.AuthenticationType,
Provider = new ContextTokenProvider(options.TokenProvider)
};
return bearerOptions;
}, true);
}
private static Lazy <OAuthBearerAuthenticationOptions> ConfigureEndpointValidation(IdentityServerBearerTokenAuthenticationOptions options, ILoggerFactory loggerFactory)
{
return(new Lazy <OAuthBearerAuthenticationOptions>(() =>
{
if (options.EnableValidationResultCache)
{
if (options.ValidationResultCache == null)
{
options.ValidationResultCache = new InMemoryValidationResultCache(options);
}
}
var bearerOptions = new OAuthBearerAuthenticationOptions
{
AuthenticationMode = options.AuthenticationMode,
AuthenticationType = options.AuthenticationType,
Provider = new ContextTokenProvider(options.TokenProvider),
};
if (!string.IsNullOrEmpty(options.ClientId) || options.IntrospectionHttpHandler != null)
{
bearerOptions.AccessTokenProvider = new IntrospectionEndpointTokenProvider(options, loggerFactory);
}
else
{
bearerOptions.AccessTokenProvider = new ValidationEndpointTokenProvider(options, loggerFactory);
}
return bearerOptions;
}, true));
}
/// <summary>
/// Add identity server token authentication to the pipeline.
/// </summary>
/// <param name="app">The application.</param>
/// <param name="options">The options.</param>
/// <returns></returns>
public static IApplicationBuilder UseIdentityServerBearerTokenAuthentication(this IApplicationBuilder app, IdentityServerBearerTokenAuthenticationOptions options)
{
if (app == null)
{
throw new ArgumentNullException("app");
}
if (options == null)
{
throw new ArgumentNullException("options");
}
var loggerFactory = app.GetLoggerFactory();
var middlewareOptions = new IdentityServerOAuthBearerAuthenticationOptions();
switch (options.ValidationMode)
{
case ValidationMode.Local:
middlewareOptions.LocalValidationOptions = ConfigureLocalValidation(options, loggerFactory);
break;
case ValidationMode.ValidationEndpoint:
middlewareOptions.EndpointValidationOptions = ConfigureEndpointValidation(options, loggerFactory);
break;
case ValidationMode.Both:
middlewareOptions.LocalValidationOptions = ConfigureLocalValidation(options, loggerFactory);
middlewareOptions.EndpointValidationOptions = ConfigureEndpointValidation(options, loggerFactory);
break;
default:
throw new Exception("ValidationMode has invalid value");
}
if (!options.DelayLoadMetadata)
{
// evaluate the lazy members so that they can do their job
if (middlewareOptions.LocalValidationOptions != null)
{
var ignore = middlewareOptions.LocalValidationOptions.Value;
}
if (middlewareOptions.EndpointValidationOptions != null)
{
var ignore = middlewareOptions.EndpointValidationOptions.Value;
}
}
if (options.TokenProvider != null)
{
middlewareOptions.TokenProvider = options.TokenProvider;
}
app.Use<IdentityServerBearerTokenValidationMiddleware>(app, middlewareOptions, loggerFactory);
if (options.RequiredScopes.Any())
{
var scopeOptions = new ScopeRequirementOptions
{
AuthenticationType = options.AuthenticationType,
RequiredScopes = options.RequiredScopes
};
app.Use<ScopeRequirementMiddleware>(scopeOptions);
}
if (options.PreserveAccessToken)
{
app.Use<PreserveAccessTokenMiddleware>();
}
return app;
}
/// <summary>
/// Add identity server token authentication to the pipeline.
/// </summary>
/// <param name="app">The application.</param>
/// <param name="options">The options.</param>
/// <returns></returns>
public static IAppBuilder UseIdentityServerBearerTokenAuthentication(this IAppBuilder app, IdentityServerBearerTokenAuthenticationOptions options)
{
if (app == null)
{
throw new ArgumentNullException("app");
}
if (options == null)
{
throw new ArgumentNullException("options");
}
var loggerFactory = app.GetLoggerFactory();
var middlewareOptions = new IdentityServerOAuthBearerAuthenticationOptions();
switch (options.ValidationMode)
{
case ValidationMode.Local:
middlewareOptions.LocalValidationOptions = ConfigureLocalValidation(options, loggerFactory);
break;
case ValidationMode.ValidationEndpoint:
middlewareOptions.EndpointValidationOptions = ConfigureEndpointValidation(options, loggerFactory);
break;
case ValidationMode.Both:
middlewareOptions.LocalValidationOptions = ConfigureLocalValidation(options, loggerFactory);
middlewareOptions.EndpointValidationOptions = ConfigureEndpointValidation(options, loggerFactory);
break;
default:
throw new Exception("ValidationMode has invalid value");
}
if (!options.DelayLoadMetadata)
{
// evaluate the lazy members so that they can do their job
if (middlewareOptions.LocalValidationOptions != null)
{
var ignore = middlewareOptions.LocalValidationOptions.Value;
}
if (middlewareOptions.EndpointValidationOptions != null)
{
var ignore = middlewareOptions.EndpointValidationOptions.Value;
}
}
if (options.TokenProvider != null)
{
middlewareOptions.TokenProvider = options.TokenProvider;
}
app.Use <IdentityServerBearerTokenValidationMiddleware>(app, middlewareOptions, loggerFactory);
if (options.RequiredScopes.Any())
{
var scopeOptions = new ScopeRequirementOptions
{
AuthenticationType = options.AuthenticationType,
RequiredScopes = options.RequiredScopes
};
app.Use <ScopeRequirementMiddleware>(scopeOptions);
}
if (options.PreserveAccessToken)
{
app.Use <PreserveAccessTokenMiddleware>();
}
app.UseStageMarker(PipelineStage.Authenticate);
return(app);
}
private static Lazy <OAuthBearerAuthenticationOptions> ConfigureEndpointValidation(IdentityServerBearerTokenAuthenticationOptions options, ILoggerFactory loggerFactory)
{
return(new Lazy <OAuthBearerAuthenticationOptions>(() =>
{
if (options.EnableValidationResultCache)
{
if (options.ValidationResultCache == null)
{
options.ValidationResultCache = new InMemoryValidationResultCache(options);
}
}
var bearerOptions = new OAuthBearerAuthenticationOptions
{
AuthenticationMode = options.AuthenticationMode,
AuthenticationType = options.AuthenticationType,
Provider = new ContextTokenProvider(options.TokenProvider),
};
if (!string.IsNullOrEmpty(options.ClientId) || options.IntrospectionHttpHandler != null)
{
bearerOptions.AccessTokenProvider = new IntrospectionEndpointTokenProvider(options, loggerFactory);
}
else
{
bearerOptions.AccessTokenProvider = new ValidationEndpointTokenProvider(options, loggerFactory);
}
//I'm not sure Realm is the correct way to use this enforcement, but it's available for now. If needing realm for anything else
//expand options with Issuer Enforcement.
bearerOptions.Realm = options.AllowOnlyTokenFromIssuer;;
return bearerOptions;
}, true));
}
