// https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/179
public async Task BearerTokenValidation()
{
var options = new JwtBearerOptions
{
Authority = "https://login.windows.net/tushartest.onmicrosoft.com",
Audience = "https://TusharTest.onmicrosoft.com/TodoListService-ManualJwt"
};
options.TokenValidationParameters.ValidateLifetime = false;
var server = CreateServer(options);
var newBearerToken = "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImtyaU1QZG1Cdng2OHNrVDgtbVBBQjNCc2VlQSJ9.eyJhdWQiOiJodHRwczovL1R1c2hhclRlc3Qub25taWNyb3NvZnQuY29tL1RvZG9MaXN0U2VydmljZS1NYW51YWxKd3QiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC9hZmJlY2UwMy1hZWFhLTRmM2YtODVlNy1jZTA4ZGQyMGNlNTAvIiwiaWF0IjoxNDE4MzMwNjE0LCJuYmYiOjE0MTgzMzA2MTQsImV4cCI6MTQxODMzNDUxNCwidmVyIjoiMS4wIiwidGlkIjoiYWZiZWNlMDMtYWVhYS00ZjNmLTg1ZTctY2UwOGRkMjBjZTUwIiwiYW1yIjpbInB3ZCJdLCJvaWQiOiI1Mzk3OTdjMi00MDE5LTQ2NTktOWRiNS03MmM0Yzc3NzhhMzMiLCJ1cG4iOiJWaWN0b3JAVHVzaGFyVGVzdC5vbm1pY3Jvc29mdC5jb20iLCJ1bmlxdWVfbmFtZSI6IlZpY3RvckBUdXNoYXJUZXN0Lm9ubWljcm9zb2Z0LmNvbSIsInN1YiI6IkQyMm9aMW9VTzEzTUFiQXZrdnFyd2REVE80WXZJdjlzMV9GNWlVOVUwYnciLCJmYW1pbHlfbmFtZSI6Ikd1cHRhIiwiZ2l2ZW5fbmFtZSI6IlZpY3RvciIsImFwcGlkIjoiNjEzYjVhZjgtZjJjMy00MWI2LWExZGMtNDE2Yzk3ODAzMGI3IiwiYXBwaWRhY3IiOiIwIiwic2NwIjoidXNlcl9pbXBlcnNvbmF0aW9uIiwiYWNyIjoiMSJ9.N_Kw1EhoVGrHbE6hOcm7ERdZ7paBQiNdObvp2c6T6n5CE8p0fZqmUd-ya_EqwElcD6SiKSiP7gj0gpNUnOJcBl_H2X8GseaeeMxBrZdsnDL8qecc6_ygHruwlPltnLTdka67s1Ow4fDSHaqhVTEk6lzGmNEcbNAyb0CxQxU6o7Fh0yHRiWoLsT8yqYk8nKzsHXfZBNby4aRo3_hXaa4i0SZLYfDGGYPdttG4vT_u54QGGd4Wzbonv2gjDlllOVGOwoJS6kfl1h8mk0qxdiIaT_ChbDWgkWvTB7bTvBE-EgHgV0XmAo0WtJeSxgjsG3KhhEPsONmqrSjhIUV4IVnF2w";
var response = await SendAsync(server, "http://example.com/oauth", newBearerToken);
Assert.Equal(HttpStatusCode.OK, response.Response.StatusCode);
}
public async Task BearerTurns401To403IfAuthenticated()
{
var options = new JwtBearerOptions();
options.SecurityTokenValidators.Clear();
options.SecurityTokenValidators.Add(new BlobTokenValidator("JWT"));
var server = CreateServer(options);
var response = await SendAsync(server, "http://example.com/unauthorized", "Bearer Token");
Assert.Equal(HttpStatusCode.Forbidden, response.Response.StatusCode);
}
public static void SetJwtBearer(this IApplicationBuilder app, Auth0Settings settings, Func<ClaimsIdentity, Task> onTokenValidated)
{
var options = new JwtBearerOptions()
{
Audience = settings.ClientId,
Authority = $"https://{settings.Domain}",
Challenge = $"Bearer realm=\"{settings.Domain}\", scope=\"client_id={settings.ClientId} service=\"",
Events = new JwtBearerEvents
{
OnAuthenticationFailed = context =>
{
logger.LogDebug("Authentication failed.", context.Exception);
return Task.FromResult(0);
},
OnChallenge = context =>
{
logger.LogDebug("Bearer Auth OnChallenge.");
return Task.FromResult(true);
},
OnMessageReceived = context =>
{
logger.LogDebug("Bearer Auth OnMessageReceived");
return Task.FromResult(true);
},
OnTokenValidated = async context =>
{
var claimsIdentity = context.Ticket.Principal.Identity as ClaimsIdentity;
logger.LogInformation($"{claimsIdentity?.Name} authenticated using bearer authentication.");
await onTokenValidated(claimsIdentity);
}
}
};
app.UseJwtBearerAuthentication(options);
// this is a hack, which hopefully will be solved with RC2 of .net core
// * The problem has been discussed here: https://github.com/aspnet/Security/issues/555
// * The workaround got copied from here: https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/issues/191
app.Use(next => async context =>
{
try
{
await next(context);
}
catch (SecurityTokenException)
{
// If the headers have already been sent, you can't replace the status code.
// In this case, throw an exception to close the connection.
if (context.Response.HasStarted)
{
throw;
}
context.Response.StatusCode = 401;
}
});
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
loggerFactory.AddConsole();
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
var jwtBearerOptions = new JwtBearerOptions
{
AuthenticationScheme = JwtBearerDefaults.AuthenticationScheme,
AutomaticAuthenticate = true
};
jwtBearerOptions.SecurityTokenValidators.Clear();
jwtBearerOptions.SecurityTokenValidators.Add(new TicketDataFormatTokenValidator());
app.UseJwtBearerAuthentication(jwtBearerOptions);
app.UseMvc(
routes =>
{
routes.MapRoute(
"WebApi",
"api/{controller}/{action}/{id?}",
new { action = "Get" }
);
}
);
}
public BaseJwtBearerContext(HttpContext context, JwtBearerOptions options)
: base(context)
{
if (options == null)
{
throw new ArgumentNullException(nameof(options));
}
Options = options;
}
/// <summary>
/// Adds the <see cref="JwtBearerMiddleware"/> middleware to the specified <see cref="IApplicationBuilder"/>, which enables Bearer token processing capabilities.
/// This middleware understands appropriately
/// formatted and secured tokens which appear in the request header. If the Options.AuthenticationMode is Active, the
/// claims within the bearer token are added to the current request's IPrincipal User. If the Options.AuthenticationMode
/// is Passive, then the current request is not modified, but IAuthenticationManager AuthenticateAsync may be used at
/// any time to obtain the claims from the request's bearer token.
/// See also http://tools.ietf.org/html/rfc6749
/// </summary>
/// <param name="app">The <see cref="IApplicationBuilder"/> to add the middleware to.</param>
/// <param name="options">A <see cref="JwtBearerOptions"/> that specifies options for the middleware.</param>
/// <returns>A reference to this instance after the operation has completed.</returns>
public static IApplicationBuilder UseJwtBearerAuthentication(this IApplicationBuilder app, JwtBearerOptions options)
{
if (app == null)
{
throw new ArgumentNullException(nameof(app));
}
if (options == null)
{
throw new ArgumentNullException(nameof(options));
}
return app.UseMiddleware<JwtBearerMiddleware>(Options.Create(options));
}
public static IApplicationBuilder UseJwtBearerIdentity(this IApplicationBuilder app)
{
if(app == null)
{
throw new ArgumentNullException(nameof(app));
}
var marker = app.ApplicationServices.GetService<IdentityMarkerService>();
if(marker == null)
{
throw new InvalidOperationException("Must Call AddJwtBearerIdentity");
}
var jwtOptions = app.ApplicationServices.GetRequiredService<IOptions<JwtBearerIdentityOptions>>().Value;
var options = new JwtBearerOptions();
// Basic settings - signing key to validate with, audience and issuer.
options.TokenValidationParameters.IssuerSigningKey = jwtOptions.SigningCredentials.Key;
options.TokenValidationParameters.ValidAudience = jwtOptions.Audience;
options.TokenValidationParameters.ValidIssuer = jwtOptions.Issuer;
options.TokenValidationParameters.RequireExpirationTime = true;
options.TokenValidationParameters.RequireSignedTokens = false;
// When receiving a token, check that we've signed it.
options.TokenValidationParameters.RequireSignedTokens = false;
//// When receiving a token, check that it is still valid.
options.TokenValidationParameters.ValidateLifetime = true;
// This defines the maximum allowable clock skew - i.e. provides a tolerance on the token expiry time
// when validating the lifetime. As we're creating the tokens locally and validating them on the same
// machines which should have synchronised time, this can be set to zero. Where external tokens are
// used, some leeway here could be useful.
options.TokenValidationParameters.ClockSkew = TimeSpan.FromMinutes(0);
options.Events = new JwtBearerEvents
{
OnTokenValidated = JwtBearerEventImplementations.ValidatedTokenAsync,
OnAuthenticationFailed = JwtBearerEventImplementations.AuthenticationFailedAsync,
OnMessageReceived = JwtBearerEventImplementations.MessageReceivedAsync
};
app.UseJwtBearerAuthentication(options);
return app;
}
public static IApplicationBuilder UseJwtBearerAuthenticationWithTokenIssuer(this IApplicationBuilder app)
{
var jwtOptions = (IOptions <JwtAuthenticationOptions>)app.ApplicationServices.GetService(typeof(IOptions <JwtAuthenticationOptions>));
var options = new JwtBearerOptions
{
TokenValidationParameters = jwtOptions.Value.Parameters
};
app.UseJwtBearerAuthentication(options);
//JWT token endpoint
app.UseMiddleware <JwtBearerTokenIssuerMiddleware>();
return(app);
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
loggerFactory.AddConsole();
loggerFactory.AddDebug();
app.UseExceptionHandler("/Home/Error");
app.UseCors("corsGlobalPolicy");
app.UseStaticFiles();
//JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
//app.UseIdentityServerAuthentication(options =>
//{
// options.Authority = "https://localhost:44345/";
// options.ScopeName = "dataEventRecords";
// options.ScopeSecret = "dataEventRecordsSecret";
// options.AutomaticAuthenticate = true;
// required if you want to return a 403 and not a 401 for forbidden responses
// options.AutomaticChallenge = true;
//});
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap = new Dictionary<string, string>();
var jwtBearerOptions = new JwtBearerOptions()
{
Authority = "https://localhost:44345",
Audience = "https://localhost:44345/resources",
AutomaticAuthenticate = true,
// required if you want to return a 403 and not a 401 for forbidden responses
AutomaticChallenge = true
};
app.UseJwtBearerAuthentication(jwtBearerOptions);
app.UseMvc(routes =>
{
routes.MapRoute(
name: "default",
template: "{controller=Home}/{action=Index}/{id?}");
});
}
internal void ConfigureJwtBearer(JwtBearerOptions jwtOptions)
{
jwtOptions.Authority = Authority;
jwtOptions.RequireHttpsMetadata = RequireHttpsMetadata;
jwtOptions.BackchannelTimeout = BackChannelTimeouts;
jwtOptions.RefreshOnIssuerKeyNotFound = true;
jwtOptions.SaveToken = SaveToken;
jwtOptions.Events = new JwtBearerEvents
{
OnMessageReceived = e =>
{
e.Token = InternalTokenRetriever(e.Request);
return(JwtBearerEvents.MessageReceived(e));
},
OnTokenValidated = e => JwtBearerEvents.TokenValidated(e),
OnAuthenticationFailed = e => JwtBearerEvents.AuthenticationFailed(e),
OnChallenge = e => JwtBearerEvents.Challenge(e)
};
if (DiscoveryDocumentRefreshInterval.HasValue)
{
var parsedUrl = DiscoveryClient.ParseUrl(Authority);
var httpClient = new HttpClient(JwtBackChannelHandler ?? new HttpClientHandler())
{
Timeout = BackChannelTimeouts,
MaxResponseContentBufferSize = 1024 * 1024 * 10 // 10 MB
};
var manager = new ConfigurationManager <OpenIdConnectConfiguration>(
parsedUrl.discoveryEndpoint,
new OpenIdConnectConfigurationRetriever(),
new HttpDocumentRetriever(httpClient)
{
RequireHttps = RequireHttpsMetadata
})
{
AutomaticRefreshInterval = DiscoveryDocumentRefreshInterval.Value
};
jwtOptions.ConfigurationManager = manager;
}
if (JwtBackChannelHandler != null)
{
jwtOptions.BackchannelHttpHandler = JwtBackChannelHandler;
}
// if API name is set, do a strict audience check for
if (!string.IsNullOrWhiteSpace(ApiName) && !LegacyAudienceValidation)
{
jwtOptions.Audience = ApiName;
}
else
{
// no audience validation, rely on scope checks only
jwtOptions.TokenValidationParameters.ValidateAudience = false;
}
jwtOptions.TokenValidationParameters.NameClaimType = NameClaimType;
jwtOptions.TokenValidationParameters.RoleClaimType = RoleClaimType;
if (InboundJwtClaimTypeMap != null)
{
var handler = new JwtSecurityTokenHandler
{
InboundClaimTypeMap = InboundJwtClaimTypeMap
};
jwtOptions.SecurityTokenValidators.Clear();
jwtOptions.SecurityTokenValidators.Add(handler);
}
}
private JwtBearerOptions GetJwtBearerOptions(TokenAuthorizationOptions tokenAuthorizationOptions) {
var options = new JwtBearerOptions();
options.TokenValidationParameters.IssuerSigningKey = tokenAuthorizationOptions.SigningCredentials.Key;
options.TokenValidationParameters.ValidAudience = tokenAuthorizationOptions.Audience;
options.TokenValidationParameters.ValidIssuer = tokenAuthorizationOptions.Issuer;
options.TokenValidationParameters.ValidateLifetime = true;
options.TokenValidationParameters.ClockSkew = TimeSpan.Zero;
return options;
}
public async Task ExceptionsReportedInHeaderExposesUserDefinedError(string error, string description, string uri)
{
var options = new JwtBearerOptions
{
Events = new JwtBearerEvents
{
OnChallenge = context =>
{
context.Error = error;
context.ErrorDescription = description;
context.ErrorUri = uri;
return Task.FromResult(0);
}
}
};
var server = CreateServer(options);
var response = await SendAsync(server, "http://example.com/oauth", "Bearer someblob");
Assert.Equal(HttpStatusCode.Unauthorized, response.Response.StatusCode);
Assert.Equal("", response.ResponseText);
var builder = new StringBuilder(options.Challenge);
if (!string.IsNullOrEmpty(error))
{
builder.Append(" error=\"");
builder.Append(error);
builder.Append("\"");
}
if (!string.IsNullOrEmpty(description))
{
if (!string.IsNullOrEmpty(error))
{
builder.Append(",");
}
builder.Append(" error_description=\"");
builder.Append(description);
builder.Append('\"');
}
if (!string.IsNullOrEmpty(uri))
{
if (!string.IsNullOrEmpty(error) ||
!string.IsNullOrEmpty(description))
{
builder.Append(",");
}
builder.Append(" error_uri=\"");
builder.Append(uri);
builder.Append('\"');
}
Assert.Equal(builder.ToString(), response.Response.Headers.WwwAuthenticate.First().ToString());
}
public static IApplicationBuilder UseJwtAuthentication(this IApplicationBuilder app)
{
var Configuration = (IConfiguration)app.ApplicationServices.GetService(typeof(IConfiguration));
TicketJwtTokenHandler jwtHandler = new TicketJwtTokenHandler();
var tokenValidationParameters = new TokenValidationParameters
{
// The signing key must match!
ValidateIssuerSigningKey = true,
IssuerSigningKey = SigningKey,
// Validate the JWT Issuer (iss) claim
ValidateIssuer = true,
ValidIssuer = Configuration["ValidIssuer"],
// Validate the JWT Audience (aud) claim
ValidateAudience = true,
ValidAudience = Configuration["ValidAudience"],
// Validate the token expiry
ValidateLifetime = true,
// If you want to allow a certain amount of clock drift, set that here:
ClockSkew = TimeSpan.Zero,
};
JwtBearerOptions bearerOptions = new JwtBearerOptions
{
AutomaticAuthenticate = true,
AutomaticChallenge = true,
TokenValidationParameters = tokenValidationParameters,
Authority = Configuration["domain"],
RequireHttpsMetadata = false,
Audience = Configuration["ValidAudience"],
Configuration = new OpenIdConnectConfiguration
{
Issuer = Configuration["ValidIssuer"],
},
Events = new JwtBearerEvents
{
OnAuthenticationFailed = context =>
{
return(Task.FromResult(0));
},
OnMessageReceived = context =>
{
return(Task.FromResult(0));
},
OnTokenValidated = context =>
{
var cacheService = app.ApplicationServices.GetService <UserCacheService <IdentityUser> >();
var identity = context.Ticket.Principal.Identity as TicketIdentity;
var idClaim = identity.Claims.FirstOrDefault(i => i.Type == "Id");
if (idClaim != null)
{
var cachedUser = cacheService.Get(idClaim.Value);
identity.User = cachedUser;
}
Console.Write(context.Ticket.Principal.Identity.Name);
return(Task.FromResult(0));
},
OnChallenge = context =>
{
return(Task.FromResult(0));
}
}
};
bearerOptions.SecurityTokenValidators.RemoveAt(0);
bearerOptions.SecurityTokenValidators.Add(jwtHandler);
app.UseJwtBearerAuthentication(bearerOptions);
return(app);
}
/// <summary>
/// Adds the <see cref="JwtBearerMiddleware"/> middleware to the specified <see cref="IApplicationBuilder"/>, which enables Bearer token processing capabilities.
/// This middleware understands appropriately
/// formatted and secured tokens which appear in the request header. If the Options.AuthenticationMode is Active, the
/// claims within the bearer token are added to the current request's IPrincipal User. If the Options.AuthenticationMode
/// is Passive, then the current request is not modified, but IAuthenticationManager AuthenticateAsync may be used at
/// any time to obtain the claims from the request's bearer token.
/// See also http://tools.ietf.org/html/rfc6749
/// </summary>
/// <param name="app">The <see cref="IApplicationBuilder"/> to add the middleware to.</param>
/// <param name="options">A <see cref="JwtBearerOptions"/> that specifies options for the middleware.</param>
/// <returns>A reference to this instance after the operation has completed.</returns>
public static IApplicationBuilder UseJwtBearerAuthentication(this IApplicationBuilder app, JwtBearerOptions options)
{
if (app == null)
{
throw new ArgumentNullException(nameof(app));
}
if (options == null)
{
throw new ArgumentNullException(nameof(options));
}
return(app.UseMiddleware <JwtBearerMiddleware>(Options.Create(options)));
}
public TokenValidatedContext(HttpContext context, JwtBearerOptions options)
: base(context, options)
{
}
private static TestServer CreateServer(JwtBearerOptions options, Func<HttpContext, bool> handler = null)
{
var builder = new WebHostBuilder()
.Configure(app =>
{
if (options != null)
{
app.UseJwtBearerAuthentication(options);
}
app.Use(async (context, next) =>
{
if (context.Request.Path == new PathString("/checkforerrors"))
{
var authContext = new AuthenticateContext(Http.Authentication.AuthenticationManager.AutomaticScheme);
await context.Authentication.AuthenticateAsync(authContext);
if (authContext.Error != null)
{
throw new Exception("Failed to authenticate", authContext.Error);
}
return;
}
else if (context.Request.Path == new PathString("/oauth"))
{
if (context.User == null ||
context.User.Identity == null ||
!context.User.Identity.IsAuthenticated)
{
context.Response.StatusCode = 401;
return;
}
var identifier = context.User.FindFirst(ClaimTypes.NameIdentifier);
if (identifier == null)
{
context.Response.StatusCode = 500;
return;
}
await context.Response.WriteAsync(identifier.Value);
}
else if (context.Request.Path == new PathString("/unauthorized"))
{
// Simulate Authorization failure
var result = await context.Authentication.AuthenticateAsync(JwtBearerDefaults.AuthenticationScheme);
await context.Authentication.ChallengeAsync(JwtBearerDefaults.AuthenticationScheme);
}
else if (context.Request.Path == new PathString("/signIn"))
{
await Assert.ThrowsAsync<NotSupportedException>(() => context.Authentication.SignInAsync(JwtBearerDefaults.AuthenticationScheme, new ClaimsPrincipal()));
}
else if (context.Request.Path == new PathString("/signOut"))
{
await Assert.ThrowsAsync<NotSupportedException>(() => context.Authentication.SignOutAsync(JwtBearerDefaults.AuthenticationScheme));
}
else
{
await next();
}
});
})
.ConfigureServices(services => services.AddAuthentication());
return new TestServer(builder);
}
public async Task EventOnAuthenticationFailedSkipped_NoMoreEventsExecuted()
{
var options = new JwtBearerOptions
{
Events = new JwtBearerEvents()
{
OnTokenValidated = context =>
{
throw new Exception("Test Exception");
},
OnAuthenticationFailed = context =>
{
context.SkipToNextMiddleware();
return Task.FromResult(0);
},
OnChallenge = context =>
{
throw new NotImplementedException();
},
}
};
options.SecurityTokenValidators.Clear();
options.SecurityTokenValidators.Add(new BlobTokenValidator("JWT"));
var server = CreateServer(options);
var response = await SendAsync(server, "http://example.com/checkforerrors", "Bearer Token");
Assert.Equal(HttpStatusCode.OK, response.Response.StatusCode);
Assert.Equal(string.Empty, response.ResponseText);
}
public async Task ExceptionsReportedInHeaderForMultipleAuthenticationFailures()
{
var options = new JwtBearerOptions();
options.SecurityTokenValidators.Clear();
options.SecurityTokenValidators.Add(new InvalidTokenValidator(typeof(SecurityTokenInvalidAudienceException)));
options.SecurityTokenValidators.Add(new InvalidTokenValidator(typeof(SecurityTokenSignatureKeyNotFoundException)));
var server = CreateServer(options);
var response = await SendAsync(server, "http://example.com/oauth", "Bearer someblob");
Assert.Equal(HttpStatusCode.Unauthorized, response.Response.StatusCode);
Assert.Equal("Bearer error=\"invalid_token\", error_description=\"The audience is invalid; The signature key was not found\"",
response.Response.Headers.WwwAuthenticate.First().ToString());
Assert.Equal("", response.ResponseText);
}
public async Task RetrievingTokenFromAlternateLocation()
{
var options = new JwtBearerOptions()
{
Events = new JwtBearerEvents()
{
OnMessageReceived = context =>
{
context.Token = "CustomToken";
return Task.FromResult<object>(null);
}
}
};
options.SecurityTokenValidators.Clear();
options.SecurityTokenValidators.Add(new BlobTokenValidator("JWT", token =>
{
Assert.Equal("CustomToken", token);
}));
var server = CreateServer(options);
var response = await SendAsync(server, "http://example.com/oauth", "Bearer Token");
Assert.Equal(HttpStatusCode.OK, response.Response.StatusCode);
Assert.Equal("Bob le Tout Puissant", response.ResponseText);
}
public AuthenticationController(ILogger<AuthenticationController> logger, IOptions<JwtBearerOptions> authOptions, SigningCredentials signingCredentials)
{
_logger = logger;
_AuthOptions = authOptions.Value;
_SigningCredentials = signingCredentials;
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
var config =
new LoggerConfiguration()
.WriteTo.Seq(serverUrl: Configuration["Seq:Url"], apiKey: Configuration["Seq:Key"])
.Enrich.WithProperty("ApplicationName", "Music Store")
.Enrich.With(new HttpRequestIdEnricher());
Log.Logger = config.CreateLogger();
loggerFactory.AddSerilog();
loggerFactory.AddDebug();
if (env.IsDevelopment())
{
app.UseCors(policy => policy
.AllowAnyOrigin()
.AllowAnyMethod()
.AllowAnyHeader()
.AllowCredentials());
}
else
{
app.UseCors(policy => policy
.WithOrigins(Configuration["Cors:Url"])
.AllowAnyMethod()
.AllowAnyHeader()
.AllowCredentials());
}
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Home/Error");
}
app.UseStaticFiles();
// required for decryption
var keyAsBase64 = Configuration["Auth0:ClientSecret"].Replace('_', '/').Replace('-', '+');
var keyAsBytes = Convert.FromBase64String(keyAsBase64);
var jwtOptions = new JwtBearerOptions
{
Audience = Configuration["Auth0:ClientId"],
Authority = $"https://{Configuration["Auth0:Domain"]}",
Events = new JwtBearerEvents
{
OnAuthenticationFailed = context =>
{
Log.Logger.Error("Authentication failed.", context.Exception);
return Task.FromResult(0);
}
},
TokenValidationParameters =
{
IssuerSigningKey = new SymmetricSecurityKey(keyAsBytes)
}
};
app.UseJwtBearerAuthentication(jwtOptions);
// Note: this line must be after the OAuth config above
app.UseMvc(routes =>
{
routes.MapRoute(
name: "default",
template: "",
defaults: new { controller = "Home", action = "Index" }
);
});
app.UseSwaggerUi();
app.UseSwagger();
app.UseRaygun();
app.UseApplicationInsightsRequestTelemetry();
app.UseApplicationInsightsExceptionTelemetry();
}
public async Task ExceptionNotReportedInHeaderForOtherFailures(Type errorType)
{
var options = new JwtBearerOptions();
options.SecurityTokenValidators.Clear();
options.SecurityTokenValidators.Add(new InvalidTokenValidator(errorType));
var server = CreateServer(options);
var response = await SendAsync(server, "http://example.com/oauth", "Bearer someblob");
Assert.Equal(HttpStatusCode.Unauthorized, response.Response.StatusCode);
Assert.Equal("Bearer error=\"invalid_token\"", response.Response.Headers.WwwAuthenticate.First().ToString());
Assert.Equal("", response.ResponseText);
}
public MessageReceivedContext(HttpContext context, JwtBearerOptions options)
: base(context, options)
{
}
public JwtBearerChallengeContext(HttpContext context, JwtBearerOptions options, AuthenticationProperties properties)
: base(context, options)
{
Properties = properties;
}
public static IApplicationBuilder UseJwtBearerAuthentication(this IApplicationBuilder app, JwtBearerOptions options)
{
throw new NotSupportedException("This method is no longer supported, see https://go.microsoft.com/fwlink/?linkid=845470");
}
public async Task CustomTokenValidated()
{
var options = new JwtBearerOptions
{
Events = new JwtBearerEvents()
{
OnTokenValidated = context =>
{
// Retrieve the NameIdentifier claim from the identity
// returned by the custom security token validator.
var identity = (ClaimsIdentity)context.Ticket.Principal.Identity;
var identifier = identity.FindFirst(ClaimTypes.NameIdentifier);
Assert.Equal("Bob le Tout Puissant", identifier.Value);
// Remove the existing NameIdentifier claim and replace it
// with a new one containing a different value.
identity.RemoveClaim(identifier);
// Make sure to use a different name identifier
// than the one defined by BlobTokenValidator.
identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, "Bob le Magnifique"));
return Task.FromResult<object>(null);
}
}
};
options.SecurityTokenValidators.Clear();
options.SecurityTokenValidators.Add(new BlobTokenValidator(options.AuthenticationScheme));
var server = CreateServer(options);
var response = await SendAsync(server, "http://example.com/oauth", "Bearer someblob");
Assert.Equal(HttpStatusCode.OK, response.Response.StatusCode);
Assert.Equal("Bob le Magnifique", response.ResponseText);
}
public AuthenticationFailedContext(HttpContext context, JwtBearerOptions options)
: base(context, options)
{
}
public async Task InvalidTokenReceived()
{
var options = new JwtBearerOptions
{
AutomaticAuthenticate = true
};
options.SecurityTokenValidators.Clear();
options.SecurityTokenValidators.Add(new InvalidTokenValidator());
var server = CreateServer(options);
var response = await SendAsync(server, "http://example.com/oauth", "Bearer someblob");
Assert.Equal(HttpStatusCode.Unauthorized, response.Response.StatusCode);
Assert.Equal("", response.ResponseText);
}
