public SamlController(ILoggerFactory logger, IOptions <AuthConfiguration> spidConfiguration,
RequestOptionFactory requestOptionFactory, IAuthRequest authRequest, IAuthResponse authResponse, ILogoutResponse logoutResponse,
ITokenService tokenService, IdpHelper idpHelper, IDataProtectionService dataProtectionService)
{
_logger = logger.CreateLogger(LogCategories.AUTHENGINE);
_traceLogger = logger.CreateLogger(LogCategories.SAMLTRACE);
_sessionAuthLogger = logger.CreateLogger(LogCategories.AUTHSESSION);
_spidConfiguration = spidConfiguration?.Value;
_requestOptionFactory = requestOptionFactory;
_authRequest = authRequest;
_authResponse = authResponse;
_logoutResponse = logoutResponse;
_tokenService = tokenService;
_idpHelper = idpHelper;
_dataProtectionService = dataProtectionService;
}
/// <summary>
/// Registers a new user.
/// </summary>
public async Task <User> Post([FromBody] ProviderInfo info)
{
ProviderInfo result = await IdpHelper.GetUserInfoAsync(info.Provider, info.Token);
var user = new User
{
Name = result.Name,
Email = result.Email,
Auth = result,
PhotoUrl = result.PhotoUrl
};
Db.Users.Add(user);
await Db.SaveChangesAsync();
return(user);
}
/// <summary>
/// Authenticates a user.
/// </summary>
public async Task <User> Post([FromBody] ProviderInfo request)
{
var user = await Db.Users.FirstOrDefaultAsync(x => x.Email == request.Email);
if (null == user)
{
return(null);
}
ProviderInfo info = await IdpHelper.GetUserInfoAsync(request.Provider, request.Token);
if (info.Email == request.Email)
{
user.Auth = info;
return(user);
}
return(null);
}
/// <summary>
/// Checks that the user's claimed identity (email and token) matches
/// thier actual identity according to their provider.
/// </summary>
private async Task <HttpResponseMessage> Authorize()
{
// TODO: Consider more robust security.
// This sample provides a basic demonstration of how to use tokens to communicate
// with identity providers (IDPs) and authorize users. However, in a production application,
// making repeated calls to IDPs is not reccomended as it is not performant and may result
// in your app being rate-limited. Instead, you should perform an initial verification of
// the user's identity, and then persist it on your own token (or a similar mechanism).
string email = _context.Request.Headers.From;
string token = _context.Request.Headers.Authorization.Parameter;
ProviderType provider;
bool providerParsed = Enum.TryParse <ProviderType>(
_context.Request.Headers.Authorization.Scheme, out provider);
if (!providerParsed || String.IsNullOrEmpty(email) || String.IsNullOrEmpty(token))
{
return(_context.Request.CreateResponse(HttpStatusCode.Unauthorized));
}
var user = await _db.Users.FirstOrDefaultAsync(x => x.Email == email);
if (null == user)
{
return(_context.Request.CreateResponse(HttpStatusCode.Unauthorized));
}
ProviderInfo response = await IdpHelper.GetUserInfoAsync(provider, token);
if (response?.Email != email)
{
return(_context.Request.CreateResponse(HttpStatusCode.Unauthorized));
}
_context.ControllerContext.RequestContext.Principal =
new GenericPrincipal(new GenericIdentity(email), null);
return(new HttpResponseMessage(HttpStatusCode.OK));
}
public RequestOptionFactory(ILoggerFactory logger, IOptions <AuthConfiguration> spidConfiguration, IdpHelper idpHelper)
{
_logger = logger.CreateLogger(LogCategories.AUTHENGINE);
_spidConfiguration = spidConfiguration?.Value;
_idpHelper = idpHelper;
}