private static OAuth2IntrospectionOptions ConfigureIntrospection(IdentityServerAuthenticationOptions options)
{
var introspectionOptions = new OAuth2IntrospectionOptions
{
AuthenticationScheme = options.AuthenticationScheme,
Authority = options.Authority,
ScopeName = options.ScopeName,
ScopeSecret = options.ScopeSecret,
AutomaticAuthenticate = options.AutomaticAuthenticate,
AutomaticChallenge = options.AutomaticChallenge,
NameClaimType = options.NameClaimType,
RoleClaimType = options.RoleClaimType,
TokenRetriever = _tokenRetriever,
SaveTokensAsClaims = options.SaveTokensAsClaims,
DiscoveryTimeout = options.BackChannelTimeouts,
IntrospectionTimeout = options.BackChannelTimeouts
};
if (options.IntrospectionBackChannelHandler != null)
{
introspectionOptions.IntrospectionHttpHandler = options.IntrospectionBackChannelHandler;
}
if (options.IntrospectionDiscoveryHandler != null)
{
introspectionOptions.DiscoveryHttpHandler = options.IntrospectionDiscoveryHandler;
}
return introspectionOptions;
}
public static IApplicationBuilder UseIdentityServerAuthentication(this IApplicationBuilder app, Action<IdentityServerAuthenticationOptions> configureOptions)
{
var options = new IdentityServerAuthenticationOptions();
configureOptions(options);
return app.UseIdentityServerAuthentication(options);
}
private static JwtBearerOptions ConfigureJwt(IdentityServerAuthenticationOptions options)
{
var jwtOptions = new JwtBearerOptions
{
AuthenticationScheme = options.AuthenticationScheme,
Authority = options.Authority,
RequireHttpsMetadata = options.RequireHttpsMetadata,
AutomaticAuthenticate = options.AutomaticAuthenticate,
AutomaticChallenge = options.AutomaticChallenge,
BackchannelTimeout = options.BackChannelTimeouts,
RefreshOnIssuerKeyNotFound = true,
SaveToken = options.SaveToken,
Events = new JwtBearerEvents
{
OnMessageReceived = e =>
{
e.Token = _tokenRetriever(e.Request);
return(options.JwtBearerEvents.MessageReceived(e));
},
OnTokenValidated = e => options.JwtBearerEvents.TokenValidated(e),
OnAuthenticationFailed = e => options.JwtBearerEvents.AuthenticationFailed(e),
OnChallenge = e => options.JwtBearerEvents.Challenge(e)
}
};
if (options.JwtBackChannelHandler != null)
{
jwtOptions.BackchannelHttpHandler = options.JwtBackChannelHandler;
}
// if API name is set, do an audience check
if (!string.IsNullOrWhiteSpace(options.ApiName))
{
jwtOptions.Audience = options.ApiName;
}
else
{
// otherwise don't check the aud
jwtOptions.TokenValidationParameters.ValidateAudience = false;
}
jwtOptions.TokenValidationParameters.NameClaimType = options.NameClaimType;
jwtOptions.TokenValidationParameters.RoleClaimType = options.RoleClaimType;
if (options.InboundJwtClaimTypeMap != null)
{
var handler = new JwtSecurityTokenHandler();
handler.InboundClaimTypeMap = options.InboundJwtClaimTypeMap;
jwtOptions.SecurityTokenValidators.Clear();
jwtOptions.SecurityTokenValidators.Add(handler);
}
return(jwtOptions);
}
public ConfigureInternalOptions(
IdentityServerAuthenticationOptions identityServerOptions,
string scheme
)
{
_identityServerOptions = identityServerOptions;
_scheme = scheme;
}
public static IApplicationBuilder UseIdentityServerAuthentication(this IApplicationBuilder app, IdentityServerAuthenticationOptions options)
{
var combinedOptions = new CombinedAuthenticationOptions();
combinedOptions.TokenRetriever = options.TokenRetriever;
combinedOptions.AuthenticationScheme = options.AuthenticationScheme;
switch (options.SupportedTokens)
{
case SupportedTokens.Jwt:
combinedOptions.JwtBearerOptions = ConfigureJwt(options);
break;
case SupportedTokens.Reference:
combinedOptions.IntrospectionOptions = ConfigureIntrospection(options);
break;
case SupportedTokens.Both:
combinedOptions.JwtBearerOptions = ConfigureJwt(options);
combinedOptions.IntrospectionOptions = ConfigureIntrospection(options);
break;
default:
throw new Exception("SupportedTokens has invalid value");
}
app.UseMiddleware<IdentityServerAuthenticationMiddleware>(app, combinedOptions);
var allowedScopes = new List<string>();
if (!string.IsNullOrWhiteSpace(options.ScopeName))
{
allowedScopes.Add(options.ScopeName);
}
if (options.AdditionalScopes != null && options.AdditionalScopes.Any())
{
allowedScopes.AddRange(options.AdditionalScopes);
}
if (allowedScopes.Any())
{
var scopeOptions = new ScopeValidationOptions
{
AllowedScopes = allowedScopes,
AuthenticationScheme = options.AuthenticationScheme
};
app.AllowScopes(scopeOptions);
}
return app;
}
private static OAuth2IntrospectionOptions ConfigureIntrospection(IdentityServerAuthenticationOptions options)
{
if (String.IsNullOrWhiteSpace(options.ApiSecret))
{
return(null);
}
if (String.IsNullOrWhiteSpace(options.ApiName))
{
throw new ArgumentException("ApiName must be configured if ApiSecret is set.");
}
var introspectionOptions = new OAuth2IntrospectionOptions
{
AuthenticationScheme = options.AuthenticationScheme,
Authority = options.Authority,
ClientId = options.ApiName,
ClientSecret = options.ApiSecret,
AutomaticAuthenticate = options.AutomaticAuthenticate,
AutomaticChallenge = options.AutomaticChallenge,
NameClaimType = options.NameClaimType,
RoleClaimType = options.RoleClaimType,
TokenRetriever = _tokenRetriever,
SaveToken = options.SaveToken,
EnableCaching = options.EnableCaching,
CacheDuration = options.CacheDuration,
DiscoveryTimeout = options.BackChannelTimeouts,
IntrospectionTimeout = options.BackChannelTimeouts
};
if (options.IntrospectionBackChannelHandler != null)
{
introspectionOptions.IntrospectionHttpHandler = options.IntrospectionBackChannelHandler;
}
if (options.IntrospectionDiscoveryHandler != null)
{
introspectionOptions.DiscoveryHttpHandler = options.IntrospectionDiscoveryHandler;
}
return(introspectionOptions);
}
private static OAuth2IntrospectionOptions ConfigureIntrospection(IdentityServerAuthenticationOptions options)
{
var introspectionOptions = new OAuth2IntrospectionOptions
{
AuthenticationScheme = options.AuthenticationScheme,
Authority = options.Authority,
ScopeName = options.ScopeName,
ScopeSecret = options.ScopeSecret,
AutomaticAuthenticate = options.AutomaticAuthenticate,
AutomaticChallenge = options.AutomaticChallenge,
NameClaimType = options.NameClaimType,
RoleClaimType = options.RoleClaimType,
TokenRetriever = _tokenRetriever,
SaveToken = options.SaveToken,
EnableCaching = options.EnableCaching,
CacheDuration = options.CacheDuration,
DiscoveryTimeout = options.BackChannelTimeouts,
IntrospectionTimeout = options.BackChannelTimeouts
};
if (options.IntrospectionBackChannelHandler != null)
{
introspectionOptions.IntrospectionHttpHandler = options.IntrospectionBackChannelHandler;
}
if (options.IntrospectionDiscoveryHandler != null)
{
introspectionOptions.DiscoveryHttpHandler = options.IntrospectionDiscoveryHandler;
}
return(introspectionOptions);
}
public static CombinedAuthenticationOptions FromIdentityServerAuthenticationOptions(IdentityServerAuthenticationOptions options)
{
var combinedOptions = new CombinedAuthenticationOptions()
{
TokenRetriever = options.TokenRetriever,
AuthenticationScheme = options.AuthenticationScheme,
PassThruOptions = new NopAuthenticationOptions()
{
AuthenticationScheme = options.AuthenticationScheme,
AutomaticAuthenticate = options.AutomaticAuthenticate,
AutomaticChallenge = options.AutomaticChallenge
}
};
switch (options.SupportedTokens)
{
case SupportedTokens.Jwt:
combinedOptions.JwtBearerOptions = ConfigureJwt(options);
break;
case SupportedTokens.Reference:
combinedOptions.IntrospectionOptions = ConfigureIntrospection(options);
break;
case SupportedTokens.Both:
combinedOptions.JwtBearerOptions = ConfigureJwt(options);
combinedOptions.IntrospectionOptions = ConfigureIntrospection(options);
break;
default:
throw new Exception("SupportedTokens has invalid value");
}
combinedOptions.ScopeValidationOptions = new ScopeValidationOptions
{
AllowedScopes = new string[] { }
};
if (options.ValidateScope)
{
var allowedScopes = new List <string>();
if (options.AllowedScopes != null && options.AllowedScopes.Any())
{
allowedScopes.AddRange(options.AllowedScopes);
}
if (allowedScopes.Any())
{
combinedOptions.ScopeValidationOptions = new ScopeValidationOptions
{
AllowedScopes = allowedScopes,
AuthenticationScheme = options.AuthenticationScheme
};
}
}
return(combinedOptions);
}
private static JwtBearerOptions ConfigureJwt(IdentityServerAuthenticationOptions options)
{
var jwtOptions = new JwtBearerOptions
{
AuthenticationScheme = options.AuthenticationScheme,
Authority = options.Authority,
RequireHttpsMetadata = options.RequireHttpsMetadata,
AutomaticAuthenticate = options.AutomaticAuthenticate,
AutomaticChallenge = options.AutomaticChallenge,
BackchannelTimeout = options.BackChannelTimeouts,
RefreshOnIssuerKeyNotFound = true,
SaveToken = options.SaveToken,
Events = new JwtBearerEvents
{
OnMessageReceived = e =>
{
e.Token = _tokenRetriever(e.Request);
return(options.JwtBearerEvents.MessageReceived(e));
},
OnTokenValidated = e => options.JwtBearerEvents.TokenValidated(e),
OnAuthenticationFailed = e => options.JwtBearerEvents.AuthenticationFailed(e),
OnChallenge = e => options.JwtBearerEvents.Challenge(e)
}
};
if (options.DiscoveryDocumentRefreshInterval.HasValue)
{
var parsedUrl = DiscoveryClient.ParseUrl(options.Authority);
var httpClient = new HttpClient(options.JwtBackChannelHandler ?? new HttpClientHandler())
{
Timeout = options.BackChannelTimeouts,
MaxResponseContentBufferSize = 1024 * 1024 * 10 // 10 MB
};
var manager = new ConfigurationManager <OpenIdConnectConfiguration>(
parsedUrl.discoveryEndpoint,
new OpenIdConnectConfigurationRetriever(),
new HttpDocumentRetriever(httpClient)
{
RequireHttps = options.RequireHttpsMetadata
})
{
AutomaticRefreshInterval = options.DiscoveryDocumentRefreshInterval.Value
};
jwtOptions.ConfigurationManager = manager;
}
if (options.JwtBackChannelHandler != null)
{
jwtOptions.BackchannelHttpHandler = options.JwtBackChannelHandler;
}
// if API name is set, do a strict audience check for
if (!string.IsNullOrWhiteSpace(options.ApiName) && !options.LegacyAudienceValidation)
{
jwtOptions.Audience = options.ApiName;
}
else
{
// no audience validation, rely on scope checks only
jwtOptions.TokenValidationParameters.ValidateAudience = false;
}
jwtOptions.TokenValidationParameters.NameClaimType = options.NameClaimType;
jwtOptions.TokenValidationParameters.RoleClaimType = options.RoleClaimType;
if (options.InboundJwtClaimTypeMap != null)
{
var handler = new JwtSecurityTokenHandler();
handler.InboundClaimTypeMap = options.InboundJwtClaimTypeMap;
jwtOptions.SecurityTokenValidators.Clear();
jwtOptions.SecurityTokenValidators.Add(handler);
}
return(jwtOptions);
}
private static JwtBearerOptions ConfigureJwt(IdentityServerAuthenticationOptions options)
{
var jwtOptions = new JwtBearerOptions
{
AuthenticationScheme = options.AuthenticationScheme,
Authority = options.Authority,
RequireHttpsMetadata = false,
AutomaticAuthenticate = options.AutomaticAuthenticate,
AutomaticChallenge = options.AutomaticChallenge,
BackchannelTimeout = options.BackChannelTimeouts,
RefreshOnIssuerKeyNotFound = true,
Events = new JwtBearerEvents
{
OnReceivingToken = e =>
{
e.Token = _tokenRetriever(e.Request);
return Task.FromResult(0);
},
OnValidatedToken = e =>
{
if (options.SaveTokensAsClaims)
{
e.AuthenticationTicket.Principal.Identities.First().AddClaim(
new Claim("access_token", _tokenRetriever(e.Request)));
}
return Task.FromResult(0);
}
}
};
if (options.JwtBackChannelHandler != null)
{
jwtOptions.BackchannelHttpHandler = options.JwtBackChannelHandler;
}
jwtOptions.TokenValidationParameters.ValidateAudience = false;
jwtOptions.TokenValidationParameters.NameClaimType = options.NameClaimType;
jwtOptions.TokenValidationParameters.RoleClaimType = options.RoleClaimType;
return jwtOptions;
}
public static CombinedAuthenticationOptions FromIdentityServerAuthenticationOptions(IdentityServerAuthenticationOptions options)
{
var combinedOptions = new CombinedAuthenticationOptions();
combinedOptions.TokenRetriever = options.TokenRetriever;
combinedOptions.AuthenticationScheme = options.AuthenticationScheme;
switch (options.SupportedTokens)
{
case SupportedTokens.Jwt:
combinedOptions.JwtBearerOptions = ConfigureJwt(options);
break;
case SupportedTokens.Reference:
combinedOptions.IntrospectionOptions = ConfigureIntrospection(options);
break;
case SupportedTokens.Both:
combinedOptions.JwtBearerOptions = ConfigureJwt(options);
combinedOptions.IntrospectionOptions = ConfigureIntrospection(options);
break;
default:
throw new Exception("SupportedTokens has invalid value");
}
if (options.ValidateScope)
{
var allowedScopes = new List <string>();
if (!string.IsNullOrWhiteSpace(options.ScopeName))
{
allowedScopes.Add(options.ScopeName);
}
if (options.AdditionalScopes != null && options.AdditionalScopes.Any())
{
allowedScopes.AddRange(options.AdditionalScopes);
}
if (allowedScopes.Any())
{
var scopeOptions = new ScopeValidationOptions
{
AllowedScopes = allowedScopes,
AuthenticationScheme = options.AuthenticationScheme
};
combinedOptions.ScopeValidationOptions = scopeOptions;
}
else
{
var scopeOptions = new ScopeValidationOptions
{
AllowedScopes = new string[] { }
};
combinedOptions.ScopeValidationOptions = scopeOptions;
}
}
return(combinedOptions);
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
loggerFactory.AddConsole();
loggerFactory.AddDebug();
app.UseExceptionHandler("/Home/Error");
app.UseCors("corsGlobalPolicy");
app.UseStaticFiles();
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
IdentityServerAuthenticationOptions identityServerValidationOptions = new IdentityServerAuthenticationOptions
{
Authority = "https://localhost:44318/",
AllowedScopes = new List<string> { "dataEventRecords" },
ApiSecret = "dataEventRecordsSecret",
ApiName = "dataEventRecords",
AutomaticAuthenticate = true,
SupportedTokens = SupportedTokens.Both,
// TokenRetriever = _tokenRetriever,
// required if you want to return a 403 and not a 401 for forbidden responses
AutomaticChallenge = true,
};
app.UseIdentityServerAuthentication(identityServerValidationOptions);
app.UseMvc(routes =>
{
routes.MapRoute(
name: "default",
template: "{controller=Home}/{action=Index}/{id?}");
});
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
loggerFactory.AddConsole(Configuration.GetSection("Logging"));
loggerFactory.AddDebug();
var angularRoutes = new[] {
"/Unauthorized",
"/Forbidden",
"/uihome",
"/dataeventrecords/",
"/dataeventrecords/create",
"/dataeventrecords/edit/",
"/dataeventrecords/list",
"/usermanagement",
};
app.Use(async (context, next) =>
{
if (context.Request.Path.HasValue && null != angularRoutes.FirstOrDefault(
(ar) => context.Request.Path.Value.StartsWith(ar, StringComparison.OrdinalIgnoreCase)))
{
context.Request.Path = new PathString("/");
}
await next();
});
app.UseDefaultFiles();
app.UseStaticFiles();
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
app.UseDatabaseErrorPage();
// Does not work with HTTPS
//app.UseBrowserLink();
}
else
{
app.UseExceptionHandler("/Home/Error");
}
app.UseIdentity();
app.UseIdentityServer();
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
IdentityServerAuthenticationOptions identityServerValidationOptions = new IdentityServerAuthenticationOptions
{
Authority = Config.HOST_URL + "/",
AllowedScopes = new List<string> { "dataEventRecords" },
ApiSecret = "dataEventRecordsSecret",
ApiName = "dataEventRecords",
AutomaticAuthenticate = true,
SupportedTokens = SupportedTokens.Both,
// TokenRetriever = _tokenRetriever,
// required if you want to return a 403 and not a 401 for forbidden responses
AutomaticChallenge = true,
};
app.UseIdentityServerAuthentication(identityServerValidationOptions);
app.UseMvc(routes =>
{
routes.MapRoute(
name: "default",
template: "{controller=Home}/{action=Index}/{id?}");
});
}