private AzureAdTokenAttribute GetAttributeWithRequiredSettings(AzureAdTokenAttribute attribute)
{
var configuredAttributeData = _configuration.GetSection(AzureAd).Get <TokenConfig>();
var audience = string.IsNullOrWhiteSpace(attribute?.Audience) ? configuredAttributeData.Audience : attribute.Audience;
var tenantId = string.IsNullOrWhiteSpace(attribute?.TenantId) ? configuredAttributeData.TenantId : attribute.TenantId;
var clientId = string.IsNullOrWhiteSpace(attribute?.ClientId) ? configuredAttributeData.ClientId : attribute.ClientId;
var roles = string.IsNullOrWhiteSpace(attribute?.Roles) ? configuredAttributeData.Roles : attribute.Roles;
var scopes = string.IsNullOrWhiteSpace(attribute?.Scopes) ? configuredAttributeData.Scopes : attribute.Scopes;
return(new AzureAdTokenAttribute(tenantId, clientId, audience, roles, scopes));
}
private async Task <AzureAdToken> GetAzureAdTokenAsync(AzureAdTokenAttribute attribute, CancellationToken cancellationToken)
{
if (attribute == null)
{
return(null);
}
var tokenAttribute = GetAttributeWithRequiredSettings(attribute);
var claimsPrincipal = await _customAuthorizationService.GetClaimsPrincipalAsync(tokenAttribute);
if (claimsPrincipal == null)
{
return(null);
}
return(new AzureAdToken
{
User = claimsPrincipal
});
}
public async Task <ClaimsPrincipal> GetClaimsPrincipalAsync(AzureAdTokenAttribute azureAdData)
{
if (!_httpContextAccessor.HttpContext.Request.Headers.TryGetValue(Authorization, out var headerData))
{
return(null);
}
var headerValue = headerData.FirstOrDefault();
if (headerValue == null)
{
return(null);
}
if (!headerValue.Contains(Bearer, StringComparison.OrdinalIgnoreCase))
{
return(null);
}
var token = headerValue.Substring($"{Bearer} ".Length);
if (string.IsNullOrEmpty(token))
{
return(null);
}
try
{
var openIdConfigurationManager = new ConfigurationManager <OpenIdConnectConfiguration>(azureAdData.AuthorizeUrl, new OpenIdConnectConfigurationRetriever());
var openIdConnectConfigData = await openIdConfigurationManager.GetConfigurationAsync();
var validationParameters = new TokenValidationParameters
{
ValidateAudience = true,
ValidateIssuer = true,
ValidateIssuerSigningKey = true,
ValidateLifetime = true,
RequireSignedTokens = true,
ClockSkew = TimeSpan.Zero,
ValidAudience = azureAdData.Audience,
IssuerSigningKeys = openIdConnectConfigData.SigningKeys,
ValidIssuer = openIdConnectConfigData.Issuer
};
var principal = _securityTokenValidator.ValidateToken(token, validationParameters, out var securityToken);
var requiredScopes = azureAdData.Scopes?.Replace(" ", string.Empty)?.Split(new[] { "," }, StringSplitOptions.RemoveEmptyEntries)?.ToList();
var requiredRoles = azureAdData.Roles?.Replace(" ", string.Empty)?.Split(new[] { "," }, StringSplitOptions.RemoveEmptyEntries)?.ToList();
var isValid = IsValid(principal, requiredScopes, requiredRoles);
return(isValid ? principal : null);
}
catch (Exception ex)
{
_logger.LogError(ex, "Error when validating the user token");
}
return(null);
}
