private AzureAdTokenAttribute GetAttributeWithRequiredSettings(AzureAdTokenAttribute attribute) { var configuredAttributeData = _configuration.GetSection(AzureAd).Get <TokenConfig>(); var audience = string.IsNullOrWhiteSpace(attribute?.Audience) ? configuredAttributeData.Audience : attribute.Audience; var tenantId = string.IsNullOrWhiteSpace(attribute?.TenantId) ? configuredAttributeData.TenantId : attribute.TenantId; var clientId = string.IsNullOrWhiteSpace(attribute?.ClientId) ? configuredAttributeData.ClientId : attribute.ClientId; var roles = string.IsNullOrWhiteSpace(attribute?.Roles) ? configuredAttributeData.Roles : attribute.Roles; var scopes = string.IsNullOrWhiteSpace(attribute?.Scopes) ? configuredAttributeData.Scopes : attribute.Scopes; return(new AzureAdTokenAttribute(tenantId, clientId, audience, roles, scopes)); }
private async Task <AzureAdToken> GetAzureAdTokenAsync(AzureAdTokenAttribute attribute, CancellationToken cancellationToken) { if (attribute == null) { return(null); } var tokenAttribute = GetAttributeWithRequiredSettings(attribute); var claimsPrincipal = await _customAuthorizationService.GetClaimsPrincipalAsync(tokenAttribute); if (claimsPrincipal == null) { return(null); } return(new AzureAdToken { User = claimsPrincipal }); }
public async Task <ClaimsPrincipal> GetClaimsPrincipalAsync(AzureAdTokenAttribute azureAdData) { if (!_httpContextAccessor.HttpContext.Request.Headers.TryGetValue(Authorization, out var headerData)) { return(null); } var headerValue = headerData.FirstOrDefault(); if (headerValue == null) { return(null); } if (!headerValue.Contains(Bearer, StringComparison.OrdinalIgnoreCase)) { return(null); } var token = headerValue.Substring($"{Bearer} ".Length); if (string.IsNullOrEmpty(token)) { return(null); } try { var openIdConfigurationManager = new ConfigurationManager <OpenIdConnectConfiguration>(azureAdData.AuthorizeUrl, new OpenIdConnectConfigurationRetriever()); var openIdConnectConfigData = await openIdConfigurationManager.GetConfigurationAsync(); var validationParameters = new TokenValidationParameters { ValidateAudience = true, ValidateIssuer = true, ValidateIssuerSigningKey = true, ValidateLifetime = true, RequireSignedTokens = true, ClockSkew = TimeSpan.Zero, ValidAudience = azureAdData.Audience, IssuerSigningKeys = openIdConnectConfigData.SigningKeys, ValidIssuer = openIdConnectConfigData.Issuer }; var principal = _securityTokenValidator.ValidateToken(token, validationParameters, out var securityToken); var requiredScopes = azureAdData.Scopes?.Replace(" ", string.Empty)?.Split(new[] { "," }, StringSplitOptions.RemoveEmptyEntries)?.ToList(); var requiredRoles = azureAdData.Roles?.Replace(" ", string.Empty)?.Split(new[] { "," }, StringSplitOptions.RemoveEmptyEntries)?.ToList(); var isValid = IsValid(principal, requiredScopes, requiredRoles); return(isValid ? principal : null); } catch (Exception ex) { _logger.LogError(ex, "Error when validating the user token"); } return(null); }