// Inject custom logic for validating which users we allow to sign in
        // Here we check that the user (or their tenant admin) has signed up for the application.
        private Task OnTokenValidated(TokenValidatedContext context)
        {
            // Retrieve the db service
            TodoListWebAppContext db = (TodoListWebAppContext)context.HttpContext.RequestServices.GetService(typeof(TodoListWebAppContext));

            // Retrieve caller data from the incoming principal
            string issuer   = context.Ticket.Principal.FindFirst(AzureADConstants.Issuer).Value;
            string objectID = context.Ticket.Principal.FindFirst(AzureADConstants.ObjectIdClaimType).Value;
            string tenantID = context.Ticket.Principal.FindFirst(AzureADConstants.TenantIdClaimType).Value;
            string upn      = context.Ticket.Principal.FindFirst(ClaimTypes.Upn).Value;

            // Look up existing sign up records from the database
            Tenant        tenant = db.Tenants.FirstOrDefault(a => a.IssValue.Equals(issuer));
            AADUserRecord user   = db.Users.FirstOrDefault(b => b.ObjectID.Equals(objectID));

            // If the user is signing up, add the user or tenant to the database record of sign ups.
            string adminConsentSignUp = null;

            if (context.Properties.Items.TryGetValue(Constants.AdminConsentKey, out adminConsentSignUp))
            {
                if (adminConsentSignUp == Constants.True)
                {
                    if (tenant == null)
                    {
                        tenant = new Tenant {
                            Created = DateTime.Now, IssValue = issuer, Name = context.Properties.Items[Constants.TenantNameKey], AdminConsented = true
                        };
                        db.Tenants.Add(tenant);
                    }
                    else
                    {
                        tenant.AdminConsented = true;
                    }
                }
                else if (user == null)
                {
                    user = new AADUserRecord {
                        UPN = upn, ObjectID = objectID
                    };
                    db.Users.Add(user);
                }

                db.SaveChanges();
            }

            // Ensure that the caller is recorded in the db of users who went through the individual onboarding
            // or if the caller comes from an admin-consented, recorded issuer.
            if ((tenant == null || !tenant.AdminConsented) && (user == null))
            {
                // If not, the caller was neither from a trusted issuer or a registered user - throw to block the authentication flow
                throw new SecurityTokenValidationException("Did you forget to sign-up?");
            }

            return(Task.FromResult(0));
        }
Beispiel #2
0
        public DbTokenCache(TodoListWebAppContext db, IHttpContextAccessor httpContextAccessor, IOptions <AzureADConfig> aadConfig)
        {
            this.BeforeAccess = BeforeAccessNotification;
            this.AfterAccess  = AfterAccessNotification;
            this.BeforeWrite  = BeforeWriteNotification;


            _aadConfig = aadConfig.Value;
            _userId    = httpContextAccessor.HttpContext.User.FindFirst(AzureADConstants.ObjectIdClaimType).Value;
            string tenantId = httpContextAccessor.HttpContext.User.FindFirst(AzureADConstants.TenantIdClaimType).Value;

            _authContext    = new AuthenticationContext(String.Format(_aadConfig.AuthorityFormat, tenantId), this);
            _appCredentials = new ClientCredential(_aadConfig.ClientId, _aadConfig.ClientSecret);
        }
        public override void OnAuthorization(HttpActionContext actionContext)
        {
            string issuer   = ClaimsPrincipal.Current.FindFirst(ClaimTypes.Name).Issuer;
            string UPN      = ClaimsPrincipal.Current.FindFirst(ClaimTypes.Name).Value;
            string tenantID = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;

            using (TodoListWebAppContext db = new TodoListWebAppContext())
            {
                if (!(
                        // Verifies if the organization to which the caller belongs is trusted.
                        // This onboarding style is not possible in the consent flow originated by a native app shown in this sample,
                        // but it could be achieved by triggering consent from an associated web application.
                        // For details, see the sample https://github.com/AzureADSamples/WebApp-WebAPI-MultiTenant-OpenIdConnect-DotNet
                        (db.Tenants.FirstOrDefault(a => ((a.IssValue == issuer) && (a.AdminConsented))) != null)
                        // Verifies if the caller is in the db of onboarded users.
                        || (db.Users.FirstOrDefault(b => (b.UPN == UPN) && (b.TenantID == tenantID)) != null)
                        ))
                {
                    actionContext.Response = actionContext.Request.CreateErrorResponse(HttpStatusCode.Unauthorized,
                                                                                       $"The user {UPN} has not been onboarded. Sign up and try again");
                }
            }
        }
Beispiel #4
0
 public TodoController(TodoListWebAppContext context)
 {
     _db = context;
 }