private void ConfigureAuthorization(IServiceCollection services)
{
var betaAccessOptions = AuthenticationBetaAppAccessOptions.Construct(Configuration);
services.AddAuthorization(options =>
{
options.AddPolicy(Constants.AuthorizationPolicies.AccessCatalog,
policyBuilder => policyBuilder.RequireRole(Constants.Roles.BusinessCustomerManager, Constants.Roles.Partner,
Constants.Roles.Employee, Constants.Roles.IndividualCustomer));
options.AddPolicy(Constants.AuthorizationPolicies.AddToCatalog,
policyBuilder => policyBuilder.RequireRole(Constants.Roles.Partner, Constants.Roles.Employee));
options.AddPolicy(Constants.AuthorizationPolicies.RemoveFromCatalog,
policyBuilder => policyBuilder.RequireRole(Constants.Roles.Partner, Constants.Roles.Employee));
options.AddPolicy(Constants.AuthorizationPolicies.AccessPantry,
policyBuilder => policyBuilder.RequireRole(Constants.Roles.BusinessCustomerManager, Constants.Roles.BusinessCustomerStocker));
options.AddPolicy(Constants.AuthorizationPolicies.AddToPantry,
policyBuilder => policyBuilder.RequireRole(Constants.Roles.BusinessCustomerManager));
options.AddPolicy(Constants.AuthorizationPolicies.RemoveFromPantry,
policyBuilder => policyBuilder.RequireRole(Constants.Roles.BusinessCustomerManager));
options.AddPolicy(Constants.AuthorizationPolicies.AccessTrolley,
policyBuilder => policyBuilder.RequireRole(Constants.Roles.BusinessCustomerStocker, Constants.Roles.IndividualCustomer));
//options.AddPolicy(Constants.AuthorizationPolicies.AccessCheckout, policyBuilder => policyBuilder.Requirements.Add(new MfaRequirement("B2C_1A_WoodGrove_Dev_mfa")));
options.AddPolicy(Constants.AuthorizationPolicies.AccessCheckout,
policyBuilder => policyBuilder.RequireRole(Constants.Roles.BusinessCustomerStocker, Constants.Roles.IndividualCustomer));
options.AddPolicy(Constants.AuthorizationPolicies.ChangeUserRole,
policyBuilder => policyBuilder.RequireRole(Constants.Roles.BusinessCustomerStocker, Constants.Roles.BusinessCustomerManager));
options.AddPolicy(Constants.AuthorizationPolicies.BetaAppAccess, policyBuilder =>
{
if (betaAccessOptions.RequireFullAppAuth)
{
policyBuilder.RequireAuthenticatedUser();
policyBuilder.AddAuthenticationSchemes(
Constants.AuthenticationSchemes.CustomerAuth,
Constants.AuthenticationSchemes.BusinessCustomerAuth,
Constants.AuthenticationSchemes.PartnerOpenIdConnect,
Constants.AuthenticationSchemes.BetaAccessOpenIdConnect
);
}
else
{
policyBuilder.RequireAssertion(_ => true);
}
});
});
}
private void ConfigureBetaAppAuthentication(IConfiguration configuration, IServiceCollection services,
AuthenticationBuilder authenticationBuilder)
{
var authenticationOptions = AuthenticationBetaAppAccessOptions.Construct(configuration);
if (authenticationOptions.RequireFullAppAuth)
{
authenticationBuilder.AddOpenIdConnect(Constants.AuthenticationSchemes.BetaAccessOpenIdConnect, options =>
{
options.Authority = authenticationOptions.Authority;
options.CallbackPath = new PathString("/betaaccess-callback");
options.ClientId = authenticationOptions.ClientId;
options.ClientSecret = authenticationOptions.ClientSecret;
options.CorrelationCookie.Expiration = TimeSpan.FromHours(3);
options.ConfigurationManager = new PolicyConfigurationManager(
authenticationOptions.Authority,
new[] { authenticationOptions.Policy });
options.Events = CreateBetaAppOidcEvents();
options.Scope.Remove("profile");
//options.SignedOutCallbackPath = new PathString("/b2c-signout-callback");
options.TokenValidationParameters = new TokenValidationParameters {
NameClaimType = Constants.ClaimTypes.Name
};
});
//authenticationBuilder.AddOpenIdConnect(Constants.AuthenticationSchemes.BetaAccessOpenIdConnect, options =>
//{
// options.Authority = authenticationOptions.Authority;
// options.CallbackPath = new PathString("/betaaccess-callback");
// options.ClientId = authenticationOptions.ClientId;
// options.Events = CreateB2COpenIdConnectEvents();
// options.SignedOutCallbackPath = new PathString("/betaaccess-signout-callback");
// options.TokenValidationParameters = new TokenValidationParameters
// {
// NameClaimType = Constants.ClaimTypes.Name
// };
//});
}
services.AddSingleton <IdentityService, IdentityService>();
}
public bool IsUserLoggedIn(ClaimsPrincipal principal)
{
var config = AuthenticationBetaAppAccessOptions.Construct(_configuration);
if (!config.RequireFullAppAuth)
{
return(principal.Identity.IsAuthenticated);
}
if (!principal.Identity.IsAuthenticated)
{
return(false);
}
var tenantId = principal.FindFirstValue(Constants.ClaimTypes.TenantIdentifier);
return(tenantId != config.TenantId);
}
private OpenIdConnectEvents CreateBetaAppOidcEvents()
{
var authenticationOptions = AuthenticationBetaAppAccessOptions.Construct(Configuration);
return(new OpenIdConnectEvents
{
OnRemoteFailure = context =>
{
if (context.Failure.Message == "Correlation failed.")
{
//// [ log error ]
context.HandleResponse();
//// redirect to some help page or handle it as you wish
context.Response.Redirect("/");
}
return Task.CompletedTask;
},
OnAuthenticationFailed = context =>
{
context.Fail(context.Exception);
return Task.CompletedTask;
},
OnMessageReceived = context =>
{
if (context.ProtocolMessage.Parameters.Any(x => x.Key == "response"))
{
var jsonResponse = JsonConvert.DeserializeObject <Constants.JsonResponse>(context.ProtocolMessage.Parameters["response"]);
if (jsonResponse != null && !string.IsNullOrEmpty(jsonResponse.response) && jsonResponse.response.Contains("B2C_V1_90001"))
{
context.Response.Redirect("/Account/AgeGatingError");
context.HandleResponse();
return Task.CompletedTask;
}
}
if (!string.IsNullOrEmpty(context.ProtocolMessage.Error) && !string.IsNullOrEmpty(context.ProtocolMessage.ErrorDescription))
{
if (context.ProtocolMessage.ErrorDescription.StartsWith("AADB2C90091"))
{
var policy = context.Properties.Items[Constants.AuthenticationProperties.Policy];
//if (policy == Constants.Policies.PasswordReset ||
// policy == Constants.Policies.SignUpOrSignInWithPersonalAccountLocalEmailAndSocial)
//{
// var command =
// $"{Constants.AuthenticationSchemes.CustomerAuth}:{Constants.Policies.SignUpOrSignInWithPersonalAccountLocalEmailAndSocial}";
// var uiLocale = string.Empty;
// if (context.Properties.Items.Any(x => x.Key == Constants.AuthenticationProperties.UILocales))
// {
// uiLocale = context.Properties.Items[Constants.AuthenticationProperties.UILocales];
// }
// context.Response.Redirect($"/Account/LogInFor?command={command}&uiLocale={uiLocale}");
// context.HandleResponse();
//}
//else
//{
// context.Response.Redirect("/");
// context.HandleResponse();
//}
}
else if (context.ProtocolMessage.ErrorDescription.StartsWith("AADB2C90118"))
{
var uiLocale = string.Empty;
if (context.Properties.Items.Any(x => x.Key == Constants.AuthenticationProperties.UILocales))
{
uiLocale = context.Properties.Items[Constants.AuthenticationProperties.UILocales];
}
context.Response.Redirect($"/Account/ResetPassword?uiLocale={uiLocale}");
context.HandleResponse();
}
else if (context.ProtocolMessage.ErrorDescription.StartsWith("AADB2C99001"))
{
context.Response.Redirect($"/Account/LinkError??ReturnUrl={context.Properties.RedirectUri}");
context.HandleResponse();
}
else if (context.ProtocolMessage.ErrorDescription.StartsWith("AADB2C99002"))
{
context.Response.Redirect("/Account/LogOut");
context.HandleResponse();
}
else if (context.ProtocolMessage.ErrorDescription.StartsWith("AADB2C90157"))
{
context.Response.Redirect("/Account/RetryExceededError");
context.HandleResponse();
}
else if (context.ProtocolMessage.ErrorDescription.StartsWith("AADB2C90037"))
{
context.Response.Redirect("/Account/AgeGatingError");
context.HandleResponse();
}
else if (context.ProtocolMessage.ErrorDescription.StartsWith("AADB2C90273"))
{
context.Response.Redirect("/");
context.HandleResponse();
}
}
return Task.CompletedTask;
},
OnRedirectToIdentityProvider = async context =>
{
var configuration = await GetB2COpenIdConnectConfigurationAsync(context, authenticationOptions.Policy);
context.ProtocolMessage.IssuerAddress = configuration.AuthorizationEndpoint;
},
OnRedirectToIdentityProviderForSignOut = async context =>
{
var configuration = await GetB2COpenIdConnectConfigurationAsync(context, authenticationOptions.Policy);
context.ProtocolMessage.IssuerAddress = configuration.EndSessionEndpoint;
},
OnTokenValidated = context =>
{
//var requestedPolicy = context.Properties.Items[Constants.AuthenticationProperties.Policy];
//var issuedPolicy = context.Principal.FindFirstValue(Constants.ClaimTypes.TrustFrameworkPolicy);
//if (!string.Equals(issuedPolicy, requestedPolicy, StringComparison.OrdinalIgnoreCase))
//{
// context.Fail($"Access denied: The issued policy '{issuedPolicy}' is different to the requested policy '{requestedPolicy}'.");
// return Task.CompletedTask;
//}
//string roleClaimValue;
//var identityProvider = context.Principal.FindFirstValue(Constants.ClaimTypes.IdentityProvider);
//if (identityProvider != null && identityProvider.StartsWith("https://sts.windows.net/"))
//{
// var businessCustomerRole = context.Principal.FindFirstValue(Constants.ClaimTypes.BusinessCustomerRole);
// if (businessCustomerRole == "Manager")
// {
// roleClaimValue = Constants.Roles.BusinessCustomerManager;
// }
// else
// {
// roleClaimValue = Constants.Roles.BusinessCustomerStocker;
// }
//}
//else
//{
// roleClaimValue = Constants.Roles.IndividualCustomer;
//}
//var claims = new List<Claim>
//{
// new Claim(ClaimTypes.Role, roleClaimValue)
//};
//var identity = new ClaimsIdentity(claims);
//context.Principal.AddIdentity(identity);
return Task.CompletedTask;
}
});
}
