protected override async Task HandleRequirementAsync(
AuthorizationHandlerContext context,
TokenRequirement requirement)
{
IAuthOptions authOptions = requirement.AuthOptions; //GeneralContext.GetService<IAuthOptions>();
var httpContext = GeneralContext.HttpContext;
string authHeader = httpContext.Request.Headers["Authorization"];
if (!string.IsNullOrEmpty(authHeader))
{
authHeader = authHeader.Replace("Bearer ", "");
if (Util.VerifyToken(authHeader, authOptions.KEY))
{
context.Succeed(requirement);
}
}
else
{
context.Fail();
throw new UnauthorizedAccessException();
}
await Task.CompletedTask;
}
internal static string[] GetScopes(this IAuthOptions options)
{
if (options.Scopes is null || options.Scopes.Length == 0)
{
return(new[] { $"{options.Tenant.GetTenantName()}/mobile/read" });
}
return(options.Scopes);
}
public JWTlabberValidationParameters(IAuthOptions authOptions) : base()
{
ValidateIssuer = true;
ValidateAudience = true;
ValidateLifetime = true;
ValidateIssuerSigningKey = true;
ValidIssuer = authOptions.Issuer;
ValidAudience = authOptions.Audience;
IssuerSigningKey = authOptions.GetSymmetricSecurityKey();
ClockSkew = TimeSpan.FromSeconds(0);
}
public static JwtBearerEvents ConfigureJwtBearerEvents()
{
return(new JwtBearerEvents
{
OnAuthenticationFailed = context =>
{
if (context.Exception.GetType() == typeof(SecurityTokenExpiredException))
{
context.Response.Headers.Add("Token-Expired", "true");
}
return Task.CompletedTask;
},
OnTokenValidated = context =>
{
// Add the access_token as a claim, as we may actually need it
var accessToken = context.SecurityToken as JwtSecurityToken;
if (accessToken != null)
{
ClaimsIdentity identity = context.Principal.Identity as ClaimsIdentity;
if (identity != null)
{
identity.AddClaim(new Claim("access_token", accessToken.RawData));
IAuthOptions authOptions = GeneralContext.GetService <IAuthOptions>();
AppUser appUser = Util.ReadToken <AppUser>(accessToken.RawData, authOptions.KEY);
if (appUser != null)
{
context.Success();
}
else
{
context.Fail("Unauthorized");
}
}
}
if (!context.Result.Succeeded)
{
context.Response.Headers.Add("Token-OnTokenValidated", "false");
}
return Task.CompletedTask;
},
OnChallenge = context =>
{
if (context.Response.StatusCode < 200 || context.Response.StatusCode > 299)
{
context.Response.Headers.Add("Token-OnChallenge", "false");
}
return Task.CompletedTask;
},
});
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(
IApplicationBuilder app,
IWebHostEnvironment env,
ExperimentalToolLogger logger,
IAuthOptions options)
{
logger.LogExperimentMessage();
if (options.KeyAuthenticationMode == KeyAuthenticationMode.NoAuth)
{
logger.LogNoAuthMessage();
}
else
{
//Auth is enabled and we are binding on http. Make sure we log a warning.
string hostingUrl = Configuration.GetValue <string>(WebHostDefaults.ServerUrlsKey);
string[] urls = ConfigurationHelper.SplitValue(hostingUrl);
foreach (BindingAddress address in urls.Select(BindingAddress.Parse))
{
if (string.Equals(Uri.UriSchemeHttp, address.Scheme, StringComparison.OrdinalIgnoreCase))
{
logger.LogInsecureAuthMessage();
break;
}
}
}
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseHsts();
}
app.UseAuthentication();
app.UseAuthorization();
CorsConfiguration corsConfiguration = new CorsConfiguration();
Configuration.Bind(nameof(CorsConfiguration), corsConfiguration);
if (!string.IsNullOrEmpty(corsConfiguration.AllowedOrigins))
{
app.UseCors(builder => builder.WithOrigins(corsConfiguration.GetOrigins()).AllowAnyHeader().AllowAnyMethod());
}
app.UseResponseCompression();
app.UseMvc();
}
/// <summary>
/// Add Authentication and Authorisation to the available app services
/// </summary>
/// <param name="services">The services collection to be configured</param>
/// <param name="authOptions">An AuthOptions instance containing Auth configuration data</param>
/// <param name="authClaims">An AuthClaims instance containing Claims configuration data</param>
public static void AddCrudRAuthentication(this IServiceCollection services,
IAuthOptions authOptions,
IAuthClaims authClaims)
{
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
options.Audience = authOptions.Audience;
if (!authOptions.UseLocalIssuerSigningKey)
{
options.Authority = authOptions.Authority;
}
if (authOptions.UseLocalIssuerSigningKey)
{
var signingKey = string.IsNullOrEmpty(authOptions.IssuerSigningKey) ?
new X509SecurityKey(new X509Certificate2(authOptions.IssuerSigningKeyFilePath)) :
new X509SecurityKey(new X509Certificate2(Encoding.ASCII.GetBytes(authOptions.IssuerSigningKey)));
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
ValidateIssuer = true,
ValidIssuer = authOptions.Authority,
IssuerSigningKey = signingKey
};
}
});
services.AddAuthorization(options =>
{
options.AddPolicy("Get", policy =>
policy.AddRequirements(DiscernRequirements(authClaims.GetAllowAnonymous, authClaims.GetClaim, authClaims.GetClaimValue)));
options.AddPolicy("Post", policy =>
policy.AddRequirements(DiscernRequirements(authClaims.PostAllowAnonymous, authClaims.PostClaim, authClaims.PostClaimValue)));
options.AddPolicy("Put", policy =>
policy.AddRequirements(DiscernRequirements(authClaims.PutAllowAnonymous, authClaims.PutClaim, authClaims.PutClaimValue)));
options.AddPolicy("Delete", policy =>
policy.AddRequirements(DiscernRequirements(authClaims.DeleteAllowAnonymous, authClaims.DeleteClaim, authClaims.DeleteClaimValue)));
});
}
public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
{
ClaimsPrincipal result = null;
SecurityToken token = null;
Task.WaitAll(Task.Run(() =>
{
IAuthOptions authOptions = GeneralContext.GetService <IAuthOptions>();
AppUser appUser = Util.ReadToken <AppUser>(securityToken, authOptions.KEY);
if (appUser == null)
{
result = null;
token = null;
}
else
{
var claims = new List <Claim> {
new Claim(ClaimTypes.Name, appUser.UserName)
};
var newClaimsIdentity = new ClaimsIdentity(claims);
result = new ClaimsPrincipal(newClaimsIdentity);
var key = Encoding.ASCII.GetBytes(authOptions.KEY);
token = new ApiSecurityToken(appUser.Id, "Token",
new SymmetricSecurityKey(key),
new SymmetricSecurityKey(key),
DateTime.Now,
DateTime.Now.AddDays(authOptions.LIFETIME));
var authProperties = new AuthenticationProperties
{
AllowRefresh = true,
ExpiresUtc = DateTimeOffset.Now.AddDays(365),
IsPersistent = true,
};
//AuthenticationOptions
//await GeneralContext.HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, result, authProperties);
//if (GeneralContext.HttpContext.User.Identity.IsAuthenticated)
//{
// //IAuthenticationService authenticationService = GeneralContext.GetService<IAuthenticationService>();
// await GeneralContext.HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, result);
//}
}
}));
validatedToken = token;
return(result);
}
public async Task InvokeAsync(HttpContext context)
{
IAuthOptions authOptions = GeneralContext.GetService <IAuthOptions>();
var token = context.GetRequestHeader(HttpRequestHeader.Authorization);
var loggedUser = Util.ReadToken <AppUser>(token, authOptions.KEY);
//var loggedUser = JsonConvert.DeserializeObject<AppUser>(context.GetRequestHeader(HttpRequestXHeader.User));
if (loggedUser != null && !string.IsNullOrEmpty(loggedUser.FirstName))
{
loggedUser.FirstName = loggedUser.FirstName.ToStringUtf8();
}
if (loggedUser != null && !string.IsNullOrEmpty(loggedUser.LastName))
{
loggedUser.LastName = loggedUser.LastName.ToStringUtf8();
}
context.Items.TryAdd(SessionKeys.AppUser.GetDisplayName(), loggedUser);
var dataString = context.GetRequestHeader(HttpRequestXHeader.Data);
if (!string.IsNullOrEmpty(dataString))
{
var data = JsonConvert.DeserializeObject <Dictionary <string, string> >(context.GetRequestHeader(HttpRequestXHeader.Data));
if (data != null)
{
context.Items.TryAdd(SessionKeys.ClientName.GetDisplayName(), data[SessionKeys.ClientName.GetDisplayName()]);
context.Items.TryAdd(SessionKeys.DbName.GetDisplayName(), data[SessionKeys.DbName.GetDisplayName()]);
context.Items.TryAdd(SessionKeys.SelectedCultureName.GetDisplayName(), data[SessionKeys.SelectedCultureName.GetDisplayName()]);
context.Items.TryAdd(SessionKeys.SelectedOrganizationId.GetDisplayName(), data[SessionKeys.SelectedOrganizationId.GetDisplayName()]);
string selectedOrganizationName = Encoding.UTF8.GetString(Convert.FromBase64String(data[SessionKeys.SelectedOrganizationName.GetDisplayName()]));
context.Items.TryAdd(SessionKeys.SelectedOrganizationName.GetDisplayName(), selectedOrganizationName);
var culture = new CultureInfo(data[SessionKeys.SelectedCultureName.ToString()]);
CultureInfo.CurrentCulture = culture;
CultureInfo.CurrentUICulture = culture;
}
}
//var dbContext = GeneralContext.ServiceProvider.CreateDBContext<TMSDBContext>();
//GeneralContext.Container.RegisterInstance<IDbContext>(dbContext);
//GeneralContext.Container.BuildUp<IDbContext>(dbContext);
// Call the next delegate/middleware in the pipeline
await _next(context);
}
public static void ConfigureApiAuthentication(this IServiceCollection services, IAuthOptions authOptions)
{
AuthenticationBuilder authenticationBuilder;
if (authOptions.AuthenticationType == "Bearer")
{
authenticationBuilder = services
.AddAuthentication(x =>
{
x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
x.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
x.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
//x.RequireAuthenticatedSignIn = false;
})
.AddJwtBearer(options =>
{
IAuthOptions authOptions = GeneralContext.GetService <IAuthOptions>();
var key = Encoding.ASCII.GetBytes(authOptions.KEY);
options.Events = ConfigureJwtBearerEvents();
options.RequireHttpsMetadata = false;
options.SaveToken = true;
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
IssuerSigningKey = new SymmetricSecurityKey(key),
ValidateIssuer = false,
ValidateAudience = false,
RequireExpirationTime = false,
ValidateLifetime = true
};
//options.SecurityTokenValidators.Add(new ApiTokenValidator());
});
}
else
{
authenticationBuilder = services.AddAuthentication(ApiAuthSchemes.DefaultAuthScheme);
}
authenticationBuilder.AddCookie(ApiAuthSchemes.DefaultAuthScheme, options =>
{
options.LoginPath = new Microsoft.AspNetCore.Http.PathString("/AdminApi/Login");
});
}
public async Task InvokeAsync(HttpContext httpContext, IAuthOptions authOptions)
{
if (authOptions.AuthenticationType == "Bearer")
{
var token = httpContext.GetRequestToken();
if (!string.IsNullOrEmpty(token))
{
AppUser loggedUser = Util.ReadToken <AppUser>(token, authOptions.KEY);
if (loggedUser != null && !Convert.ToBoolean(httpContext?.User?.Identity?.IsAuthenticated))
{
httpContext.Items.TryAdd("loggedUser", loggedUser);
await GeneralContext.HttpContext.SignInAsync(loggedUser);
}
}
}
// Call the next delegate/middleware in the pipeline
await _next(httpContext);
}
public async Task <string> SendAsync(object data, string returnUrl)
{
var dataString = JsonConvert.SerializeObject(data);
//var userByteArray = loggedUser.ToByteArrayUtf8();
//var encryptData = Convert.ToBase64String(userByteArray);
IAuthOptions authOptions = GeneralContext.GetService <IAuthOptions>();
string encryptedData = Util.EncryptText(dataString, authOptions.KEY);
var httpRequestMessage = new HttpRequestMessage
{
Method = HttpMethod.Get,
RequestUri = _httpClient.BaseAddress,
Content = new StringContent(encryptedData)
}; //GeneralContext.GetSessionData(_appConfig)
httpRequestMessage.Headers.Add(HttpRequestXHeader.Data.GetDisplayName(), encryptedData);
httpRequestMessage.Headers.Add(HttpRequestXHeader.ReturnUrl.GetDisplayName(), returnUrl);
var response = await _httpClient.SendAsync(httpRequestMessage);
return(response.StatusCode == HttpStatusCode.Redirect
? response.Headers.Location.OriginalString
: null);
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(
IApplicationBuilder app,
IHostApplicationLifetime lifetime,
IWebHostEnvironment env,
ExperimentalToolLogger exprLogger,
IAuthOptions options,
AddressListenResults listenResults,
ILogger <Startup> logger)
{
exprLogger.LogExperimentMessage();
// These errors are populated before Startup.Configure is called because
// the KestrelServer class is configured as a prerequisite of
// GenericWebHostServer being instantiated. The GenericWebHostServer invokes
// Startup.Configure as part of its StartAsync method. This method is the
// first opportunity to log anything through ILogger (a dedicated HostedService
// could be written for this, but there is no guarantee that service would run
// after the GenericWebHostServer is instantiated but before it is started).
foreach (AddressListenResult result in listenResults.Errors)
{
logger.UnableToListenToAddress(result.Url, result.Exception);
}
// If we end up not listening on any ports, Kestrel defaults to port 5000. Make sure we don't attempt this.
// Startup.Configure is called before KestrelServer is started
// by the GenericWebHostServer, so there is no duplication of logging errors
// and Kestrel does not bind to default ports.
if (!listenResults.AnyAddresses)
{
// This is logged by GenericWebHostServer.StartAsync
throw new MonitoringException("Unable to bind any urls.");
}
lifetime.ApplicationStarted.Register(() => LogBoundAddresses(app.ServerFeatures, listenResults, logger));
if (options.KeyAuthenticationMode == KeyAuthenticationMode.NoAuth)
{
logger.NoAuthentication();
}
else
{
//Auth is enabled and we are binding on http. Make sure we log a warning.
string hostingUrl = Configuration.GetValue <string>(WebHostDefaults.ServerUrlsKey);
string[] urls = ConfigurationHelper.SplitValue(hostingUrl);
foreach (string url in urls)
{
BindingAddress address = null;
try
{
address = BindingAddress.Parse(url);
}
catch (Exception)
{
continue;
}
if (string.Equals(Uri.UriSchemeHttp, address.Scheme, StringComparison.OrdinalIgnoreCase))
{
logger.InsecureAuthenticationConfiguration();
break;
}
}
}
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseHsts();
}
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
CorsConfiguration corsConfiguration = new CorsConfiguration();
Configuration.Bind(nameof(CorsConfiguration), corsConfiguration);
if (!string.IsNullOrEmpty(corsConfiguration.AllowedOrigins))
{
app.UseCors(builder => builder.WithOrigins(corsConfiguration.GetOrigins()).AllowAnyHeader().AllowAnyMethod());
}
app.UseResponseCompression();
//Note this must be after UseRouting but before UseEndpoints
app.UseMiddleware <Throttling>();
app.UseEndpoints(builder =>
{
builder.MapControllers();
});
}
public static string GetAuthority(this IAuthOptions options)
=> $"https://{options.Domain}";
internal static string RedirectUri(this IAuthOptions options)
{
return($"msal{options.ClientId}://auth");
}
public AzureAuthenticationCredentialProvider(IOptions <ApplicationOptions> appOptions, IAuthOptions authOptions)
{
_appOptions = appOptions;
_authOptions = authOptions;
}
public LoginJWT(IAuthOptions authOptions, IUserRepository userRepository)
{
_authOptions = authOptions;
_userRepository = userRepository;
}
public TokenHelper(IAuthOptions options, ITimeHelper timeHelper)
{
_options = options;
_timeHelper = timeHelper;
}
public AuthClient(IPublicClientApplication pca, UIParent uiParent, IAuthOptions options)
{
_pca = pca;
_uiParent = uiParent;
_options = options;
}
public TokenRequirement(IAuthOptions authOptions)
{
AuthOptions = authOptions;
}
internal static string GetPolicy(this IAuthOptions options)
{
return(string.IsNullOrEmpty(options.Policy) ? "B2C_1_SUSI" : options.Policy);
}
public AuthService(IAuthOptions authOptions)
{
_authOptions = authOptions;
}
public static void ConfigureApiAuthorization(this IServiceCollection services, IAuthOptions authOptions)
{
services.AddAuthorization(options =>
{
options.AddPolicy(PolicyTypes.ApiAuthPolicy, policy =>
policy.Requirements.Add(new TokenRequirement(authOptions)));
//options =>
//{
// options.AddPolicy("Over18", policy =>
// {
// policy.AuthenticationSchemes.Add("CrpmAuthenticationScheme");
// policy.RequireAuthenticatedUser();
// //policy.Requirements.Add(new MinimumAgeRequirement());
// });
//});
});
services.AddSingleton <IAuthorizationHandler, ApiAuthorizationHandler>();
}
internal static string GetB2CAuthority(this IAuthOptions options)
{
return($"https://login.microsoftonline.com/tfp/{options.Tenant.GetTenantName()}/{options.GetPolicy()}");
}
public UserDefinedConfiguration(IAuthOptions options)
{
_options = options;
}
public AccountController(IAuthOptions authOptions, ILoginJWT loginJWT)
{
_authOptions = authOptions;
_loginJWT = loginJWT;
}
