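        /// <summary>
        /// Registers JWT bearer authentication as the default scheme plus a cookie scheme that carries the same
        /// JWT in the <c>access_token</c> cookie; both paths validate against one shared set of parameters
        /// (signing key, issuer, audience, lifetime, zero clock skew).
        /// </summary>
        /// <param name="services">Service collection the authentication services are added to.</param>
        /// <param name="cfg">Token settings: security key, issuer, audience and the cookie ticket algorithm.</param>
        /// <param name="areas">Areas handed to the sibling <c>OnChallenge</c> helper when a bearer challenge is issued.</param>
        /// <exception cref="ArgumentNullException">
        /// <paramref name="services"/>, <paramref name="cfg"/> or <c>cfg.TokenSecurityKey</c> is null.
        /// </exception>
        public static void ConfigureAuthentication(this IServiceCollection services, TokenProviderConfig cfg, string[] areas)
        {
            if (services == null)
            {
                throw new ArgumentNullException(nameof(services));
            }
            if (cfg == null)
            {
                throw new ArgumentNullException(nameof(cfg));
            }
            if (cfg.TokenSecurityKey == null)
            {
                // Report the configuration name instead of the "s" parameter name GetBytes would use.
                throw new ArgumentNullException(nameof(cfg.TokenSecurityKey));
            }

            // ASCII encoding maps every non-ASCII character to '?', so a key containing such characters has
            // less entropy than its length suggests. Kept as-is: changing the encoding would invalidate every
            // token signed or validated with the existing key material.
            var signingKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(cfg.TokenSecurityKey));

            var tokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuerSigningKey = true,             // reject tokens not signed with our key
                IssuerSigningKey         = signingKey,
                ValidateIssuer           = true,             // "iss" must equal cfg.TokenIssuer
                ValidIssuer              = cfg.TokenIssuer,
                ValidateAudience         = true,             // "aud" must equal cfg.TokenAudience
                ValidAudience            = cfg.TokenAudience,
                ValidateLifetime         = true,             // expiry is enforced
                ClockSkew                = TimeSpan.Zero     // no tolerance for clock drift between issuer and validator
            };

            services.AddAuthentication(options =>
            {
                // Bearer is the default both for authenticating a request and for challenging it.
                options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme    = JwtBearerDefaults.AuthenticationScheme;
            })
            .AddJwtBearer(options =>
            {
                options.Events = new JwtBearerEvents
                {
                    // Delegates to the sibling OnChallenge helper, which needs the configured areas.
                    OnChallenge = context => OnChallenge(context, areas)
                };
                options.SaveToken = true; // keep the raw token available after authentication
                options.TokenValidationParameters = tokenValidationParameters;
            })
            .AddCookie(options =>
            {
                options.Cookie.Name      = "access_token";
                // The cookie holds the JWT itself; TokenDataFormat validates it with the same parameters as the bearer path.
                options.TicketDataFormat = new Model.TokenDataFormat(cfg.TokenSecurityAlgorithm, CookieAuthenticationDefaults.AuthenticationScheme, tokenValidationParameters);
            });
        }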
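        /// <summary>
        /// Creates the token endpoint: validates the configured token settings and prepares the
        /// HMAC-SHA256 signing credentials used for every token this controller issues.
        /// </summary>
        /// <param name="options">Token settings: secret key, issuer, audience and expiration.</param>
        /// <param name="userManager">Identity user store access.</param>
        /// <param name="signInManager">Credential verification.</param>
        /// <param name="userClaimsPrincipalFactory">Builds the principal whose claims go into the token.</param>
        /// <param name="traffkTenantFinder">Resolves the tenant for the current request.</param>
        /// <param name="logger">Logger handed to the base controller.</param>
        public TokenController(IOptions <TokenProviderConfig> options,
                               UserManager <ApplicationUser> userManager,
                               SignInManager <ApplicationUser> signInManager,
                               IUserClaimsPrincipalFactory <ApplicationUser> userClaimsPrincipalFactory,
                               ITraffkTenantFinder traffkTenantFinder,
                               ILogger logger) : base(logger)
        {
            Options = options.Value;

            // Validate the configuration before any of it is used, so a missing value is reported by its
            // configuration name rather than surfacing from Encoding.GetBytes or the key constructor.
            Requires.NonNull(Options.SecretKey, nameof(Options.SecretKey));
            Requires.NonNull(Options.Issuer, nameof(Options.Issuer));
            Requires.NonNull(Options.Audience, nameof(Options.Audience));
            Requires.True(Options.Expiration > TimeSpan.Zero, nameof(Options.Expiration));

            // ASCII encoding maps non-ASCII characters to '?'; the validating side in this file derives its
            // key with the same encoding, so this must not change on its own.
            var signingKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(Options.SecretKey));

            SigningCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256);

            UserManager   = userManager;
            SignInManager = signInManager;
            UserClaimsPrincipalFactory = userClaimsPrincipalFactory;
            TraffkTenantFinder         = traffkTenantFinder;
        }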
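        /// <summary>
        /// Adds JWT bearer authentication (automatic authenticate and challenge) and a cookie scheme that
        /// carries the same JWT in the <c>access_token</c> cookie, both validated against one shared set of
        /// parameters. When a bearer challenge finds the response already set to 302, the handler rewrites
        /// the redirect to the <c>Login</c> page on the same scheme/host/port and forwards the return URL and
        /// any error code/description as query parameters.
        /// </summary>
        /// <param name="app">Application pipeline the middleware is added to.</param>
        /// <param name="cfg">Token settings: security key, issuer, audience and the cookie ticket algorithm.</param>
        /// <param name="areas">Areas handed to <c>CreateReturnUrl</c> when building the return URL.</param>
        /// <exception cref="ArgumentNullException">
        /// <paramref name="app"/>, <paramref name="cfg"/> or <c>cfg.TokenSecurityKey</c> is null.
        /// </exception>
        public static void UseTokenBasedAuthentication(this IApplicationBuilder app, TokenProviderConfig cfg, string[] areas)
        {
            if (app == null)
            {
                throw new ArgumentNullException(nameof(app));
            }
            if (cfg == null)
            {
                throw new ArgumentNullException(nameof(cfg));
            }
            if (cfg.TokenSecurityKey == null)
            {
                // Report the configuration name instead of the "s" parameter name GetBytes would use.
                throw new ArgumentNullException(nameof(cfg.TokenSecurityKey));
            }

            // ASCII encoding maps every non-ASCII character to '?'; kept for compatibility with tokens
            // already signed with the existing key material.
            var signingKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(cfg.TokenSecurityKey));

            Func <JwtBearerChallengeContext, Task> onChallenge = (JwtBearerChallengeContext context) =>
            {
                if (context.Response.StatusCode == 302)
                {
                    Uri    location = context.Response.GetTypedHeaders().Location;
                    // The Referer header is client-controlled; CreateReturnUrl (not shown here) is expected to
                    // constrain the resulting return URL to the configured areas — confirm there.
                    string referrer = context.Request.Headers[HeaderNames.Referer];

                    // Only absolute locations are rewritten: Scheme/Host/Port throw on a relative Uri, and the
                    // redirect target keeps the scheme/host/port the pipeline already chose, never the referrer's.
                    if (location != null && location.IsAbsoluteUri && !string.IsNullOrEmpty(referrer))
                    {
                        string locationUri = new UriBuilder(location.Scheme, location.Host, location.Port, "Login").ToString();
                        string returnUrl   = CreateReturnUrl(referrer, areas);

                        context.Response.Headers.Remove(HeaderNames.Location);

                        locationUri = QueryHelpers.AddQueryString(locationUri, "returnUrl", returnUrl);

                        if (!string.IsNullOrEmpty(context.Error))
                        {
                            locationUri = QueryHelpers.AddQueryString(locationUri, "errorCode", context.Error);
                        }

                        if (!string.IsNullOrEmpty(context.ErrorDescription))
                        {
                            locationUri = QueryHelpers.AddQueryString(locationUri, "errorDesc", context.ErrorDescription);
                        }

                        context.Response.Headers.Append(HeaderNames.Location, locationUri);
                        // Status is reset to 200 with the Location header left in place; presumably the client
                        // reads the header itself rather than relying on a browser redirect — confirm with the front end.
                        context.Response.StatusCode = 200;
                    }
                }

                context.Response.Headers.Append(HeaderNames.WWWAuthenticate, context.Options.Challenge);

                // HandleResponse just records that the challenge was handled; calling it inline avoids an
                // unnecessary thread-pool hop (Task.Factory.StartNew also schedules on TaskScheduler.Current,
                // not necessarily the default scheduler). The framework awaits the returned task either way.
                context.HandleResponse();
                return Task.CompletedTask;
            };

            var tokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuerSigningKey = true,             // reject tokens not signed with our key
                IssuerSigningKey         = signingKey,
                ValidateIssuer           = true,             // "iss" must equal cfg.TokenIssuer
                ValidIssuer              = cfg.TokenIssuer,
                ValidateAudience         = true,             // "aud" must equal cfg.TokenAudience
                ValidAudience            = cfg.TokenAudience,
                ValidateLifetime         = true,             // expiry is enforced
                ClockSkew                = TimeSpan.Zero     // no tolerance for clock drift between issuer and validator
            };

            app.UseJwtBearerAuthentication(new JwtBearerOptions
            {
                AutomaticAuthenticate     = true,
                AutomaticChallenge        = true,
                SaveToken                 = true, // keep the raw token available after authentication
                TokenValidationParameters = tokenValidationParameters,
                Events = new JwtBearerEvents
                {
                    OnChallenge = onChallenge
                }
            });

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AutomaticAuthenticate = true,
                AutomaticChallenge    = true,
                AuthenticationScheme  = "Cookie",
                CookieName            = "access_token",
                // The cookie holds the JWT itself; TokenDataFormat validates it with the same parameters as the bearer path.
                TicketDataFormat      = new Model.TokenDataFormat(cfg.TokenSecurityAlgorithm, "Cookie", tokenValidationParameters)
            });
        }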