/// <summary>
/// Invoked when the client is being redirected after log out.
/// </summary>
/// <param name="context">The <see cref="RedirectContext{TOptions}"/>.</param>
public virtual Task RedirectToReturnUrl(RedirectContext <CookieAuthenticationOptions> context) => OnRedirectToReturnUrl(context);
private async Task TwitterRedirectToAuthorizationEndpointEventHandler(RedirectContext <TwitterOptions> context)
{
}
public override async Task RedirectToAccessDenied(RedirectContext <CookieAuthenticationOptions> context)
{
await ReturnStatus(context.Response, StatusCodes.Status403Forbidden);
}
public override Task RedirectToLogin(RedirectContext <CookieAuthenticationOptions> context)
{
RemoveReturnUrlFromRedirectUri(context);
return(base.RedirectToLogin(context));
}
internal static Task UnauthorizedResponse(RedirectContext <CookieAuthenticationOptions> context)
{
context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
return(Task.CompletedTask);
}
private Task OnRedirectToIdentityProvider(RedirectContext context)
{
context.ProtocolMessage.ResponseType = OpenIdConnectResponseType.CodeIdToken;
context.ProtocolMessage.Scope += $" offline_access {_options.ApiScopes}";
return(Task.FromResult(0));
}
private static Task OnRedirectToLogin(RedirectContext <CookieAuthenticationOptions> context)
{
// override the status code
context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
return(Task.CompletedTask);
}
private static Task OnRedirectToIdentityProvider(RedirectContext n)
{
n.ProtocolMessage.RedirectUri = AuthorizationConsts.IdentityAdminRedirectUri;
return(Task.FromResult(0));
}
internal static Task RedirectToAuthorizationEndpoint(RedirectContext <OAuthOptions> context)
{
context.Response.Redirect(context.RedirectUri + "&custom_redirect_uri=custom");
return(Task.FromResult(0));
}
private static async Task SetIssuerAddressForSignOutAsync(RedirectContext context, string defaultPolicy)
{
var configuration = await GetOpenIdConnectConfigurationAsync(context, defaultPolicy);
context.ProtocolMessage.IssuerAddress = configuration.EndSessionEndpoint;
}
private static Task <OpenIdConnectConfiguration> GetOpenIdConnectConfigurationAsync(RedirectContext context, string defaultPolicy)
{
var manager = (PolicyConfigurationManager)context.Options.ConfigurationManager;
var policy = context.Properties.Items.ContainsKey(Constants.B2CPolicy) ? context.Properties.Items[Constants.B2CPolicy] : defaultPolicy;
return(manager.GetConfigurationByPolicyAsync(CancellationToken.None, policy));
}
public override async Task RedirectToAccessDenied(RedirectContext <CookieAuthenticationOptions> context)
{
context.Response.Headers.Remove("Location");
context.Response.StatusCode = (int)HttpStatusCode.Forbidden;
await Task.CompletedTask;
}
public override async Task RedirectToLogin(RedirectContext <CookieAuthenticationOptions> context)
{
context.Response.Headers.Remove("Location");
context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
await Task.CompletedTask;
}
/// <summary>
/// Invoked when the client is being redirected to the access denied url.
/// </summary>
/// <param name="context">The <see cref="RedirectContext{TOptions}"/>.</param>
public virtual Task RedirectToAccessDenied(RedirectContext <CookieAuthenticationOptions> context) => OnRedirectToAccessDenied(context);
public override Task RedirectToAccessDenied(RedirectContext <CookieAuthenticationOptions> context)
{
context.HandleRedirect(StatusCodes.Status403Forbidden);
return(Task.CompletedTask);
}
// This method gets called by the runtime. Use this method to add services to the container.
// For more information on how to configure your application, visit http://go.microsoft.com/fwlink/?LinkID=398940
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
.AddCookie(options =>
{
options.LoginPath = "/login";
options.LogoutPath = "/logout";
options.Events = new CookieAuthenticationEvents
{
OnSigningOut = context =>
{
// Single Sign-Out
var casUrl = new Uri(Configuration["Authentication:CAS:ServerUrlBase"]);
var serviceUrl = new Uri(context.Request.GetEncodedUrl())
.GetComponents(UriComponents.SchemeAndServer, UriFormat.Unescaped);
var redirectUri = UriHelper.BuildAbsolute(
casUrl.Scheme,
new HostString(casUrl.Host, casUrl.Port),
casUrl.LocalPath, "/logout",
QueryString.Create("service", serviceUrl));
var logoutRedirectContext = new RedirectContext <CookieAuthenticationOptions>(
context.HttpContext,
context.Scheme,
context.Options,
context.Properties,
redirectUri
);
context.Response.StatusCode = 204; //Prevent RedirectToReturnUrl
context.Options.Events.RedirectToLogout(logoutRedirectContext);
return(Task.CompletedTask);
}
};
})
.AddCAS(options =>
{
options.CallbackPath = "/signin-cas";
options.CasServerUrlBase = Configuration["Authentication:CAS:ServerUrlBase"];
var protocolVersion = Configuration.GetValue("Authentication:CAS:ProtocolVersion", 3);
if (protocolVersion != 3)
{
switch (protocolVersion)
{
case 1:
options.ServiceTicketValidator = new Cas10ServiceTicketValidator(options);
break;
case 2:
options.ServiceTicketValidator = new Cas20ServiceTicketValidator(options);
break;
}
}
options.Events = new CasEvents
{
OnCreatingTicket = context =>
{
// add claims from CasIdentity.Assertion ?
var assertion = context.Assertion;
if (assertion == null)
{
return(Task.CompletedTask);
}
if (!(context.Principal.Identity is ClaimsIdentity identity))
{
return(Task.CompletedTask);
}
identity.AddClaim(new Claim(identity.NameClaimType, assertion.PrincipalName));
if (assertion.Attributes.TryGetValue("email", out var email))
{
identity.AddClaim(new Claim(ClaimTypes.Email, email));
}
if (assertion.Attributes.TryGetValue("display_name", out var displayName))
{
identity.AddClaim(new Claim(ClaimTypes.GivenName, displayName));
}
return(Task.CompletedTask);
}
};
})
.AddOAuth("OAuth", options =>
{
options.CallbackPath = "/signin-oauth";
options.ClientId = Configuration["Authentication:OAuth:ClientId"];
options.ClientSecret = Configuration["Authentication:OAuth:ClientSecret"];
options.AuthorizationEndpoint = Configuration["Authentication:OAuth:AuthorizationEndpoint"];
options.TokenEndpoint = Configuration["Authentication:OAuth:TokenEndpoint"];
options.SaveTokens = true;
options.UserInformationEndpoint = Configuration["Authentication:OAuth:UserInformationEndpoint"];
options.Events = new OAuthEvents
{
OnCreatingTicket = async context =>
{
var request =
new HttpRequestMessage(HttpMethod.Get, context.Options.UserInformationEndpoint);
request.Headers.Authorization =
new AuthenticationHeaderValue("Bearer", context.AccessToken);
request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
var response =
await context.Backchannel.SendAsync(request, context.HttpContext.RequestAborted);
response.EnsureSuccessStatusCode();
var user = JObject.Parse(await response.Content.ReadAsStringAsync());
var identifier = user.Value <string>("id");
if (!string.IsNullOrEmpty(identifier))
{
context.Identity.AddClaim(new Claim(context.Identity.NameClaimType, identifier));
}
var attributes = user.Value <JObject>("attributes");
if (attributes == null)
{
return;
}
var email = attributes.Value <string>("email");
if (!string.IsNullOrEmpty(email))
{
context.Identity.AddClaim(new Claim(ClaimTypes.Email, email));
}
var name = attributes.Value <string>("display_name");
if (!string.IsNullOrEmpty(name))
{
context.Identity.AddClaim(new Claim(ClaimTypes.GivenName, name));
}
}
};
});
}
private static Task OnRedirectToIdentityProviderForSignOut(RedirectContext context)
{
context.ProtocolMessage.PostLogoutRedirectUri = context.Request.Scheme + "://" + context.Request.Host;
return(Task.FromResult(0));
}
/// <summary>
/// RedirectToAccessDenied
/// </summary>
/// <param name="context"></param>
/// <returns></returns>
public override Task RedirectToAccessDenied(RedirectContext <CookieAuthenticationOptions> context)
{
return(base.RedirectToAccessDenied(context));
}
// This method gets called by the runtime. Use this method to add services to the container.
// For more information on how to configure your application, visit http://go.microsoft.com/fwlink/?LinkID=398940
public void ConfigureServices(IServiceCollection services)
{
services.AddControllers(options =>
{
// Global Authorize Filter
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
options.Filters.Add(new AuthorizeFilter(policy));
});
services.AddRazorPages();
var redisConfiguration = Configuration.GetConnectionString("Redis");
if (!string.IsNullOrWhiteSpace(redisConfiguration))
{
services.AddStackExchangeRedisCache(options => options.Configuration = redisConfiguration);
}
else
{
services.AddDistributedMemoryCache();
}
services.AddSingleton <IServiceTicketStore, DistributedCacheServiceTicketStore>();
services.AddSingleton <ITicketStore, TicketStoreWrapper>();
services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
.AddCookie(options =>
{
options.SessionStore = Services.GetRequiredService <ITicketStore>();
options.Events = new CookieAuthenticationEvents
{
OnSigningOut = context =>
{
// Single Sign-Out
var casUrl = new Uri(Configuration["Authentication:CAS:ServerUrlBase"]);
var links = context.HttpContext.RequestServices.GetRequiredService <LinkGenerator>();
var serviceUrl = links.GetUriByPage(context.HttpContext, "/Index");
var redirectUri = UriHelper.BuildAbsolute(
casUrl.Scheme,
new HostString(casUrl.Host, casUrl.Port),
casUrl.LocalPath, "/logout",
QueryString.Create("service", serviceUrl));
var logoutRedirectContext = new RedirectContext <CookieAuthenticationOptions>(
context.HttpContext,
context.Scheme,
context.Options,
context.Properties,
redirectUri
);
context.Response.StatusCode = 204; //Prevent RedirectToReturnUrl
context.Options.Events.RedirectToLogout(logoutRedirectContext);
return(Task.CompletedTask);
}
};
})
.AddCAS(options =>
{
options.CasServerUrlBase = Configuration["Authentication:CAS:ServerUrlBase"];
// required for CasSingleSignOutMiddleware
options.SaveTokens = true;
var protocolVersion = Configuration.GetValue("Authentication:CAS:ProtocolVersion", 3);
if (protocolVersion != 3)
{
switch (protocolVersion)
{
case 1:
options.ServiceTicketValidator = new Cas10ServiceTicketValidator(options);
break;
case 2:
options.ServiceTicketValidator = new Cas20ServiceTicketValidator(options);
break;
}
}
options.Events = new CasEvents
{
OnCreatingTicket = context =>
{
var assertion = context.Assertion;
if (assertion == null)
{
return(Task.CompletedTask);
}
if (!(context.Principal.Identity is ClaimsIdentity identity))
{
return(Task.CompletedTask);
}
// Map claims from assertion
identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, assertion.PrincipalName));
if (assertion.Attributes.TryGetValue("display_name", out var displayName))
{
identity.AddClaim(new Claim(ClaimTypes.Name, displayName));
}
if (assertion.Attributes.TryGetValue("email", out var email))
{
identity.AddClaim(new Claim(ClaimTypes.Email, email));
}
return(Task.CompletedTask);
},
OnRemoteFailure = context =>
{
var failure = context.Failure;
var logger = context.HttpContext.RequestServices.GetRequiredService <ILogger <CasEvents> >();
logger.LogError(failure, failure.Message);
context.Response.Redirect("/Account/ExternalLoginFailure");
context.HandleResponse();
return(Task.CompletedTask);
}
};
})
.AddOAuth(OAuthDefaults.DisplayName, options =>
{
options.CallbackPath = "/signin-oauth";
options.ClientId = Configuration["Authentication:OAuth:ClientId"];
options.ClientSecret = Configuration["Authentication:OAuth:ClientSecret"];
options.AuthorizationEndpoint = Configuration["Authentication:OAuth:AuthorizationEndpoint"];
options.TokenEndpoint = Configuration["Authentication:OAuth:TokenEndpoint"];
options.UserInformationEndpoint = Configuration["Authentication:OAuth:UserInformationEndpoint"];
options.ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "id");
options.ClaimActions.MapJsonSubKey(ClaimTypes.Name, "attributes", "display_name");
options.ClaimActions.MapJsonSubKey(ClaimTypes.Email, "attributes", "email");
options.Events = new OAuthEvents
{
OnCreatingTicket = async context =>
{
// Get the OAuth user
using var request =
new HttpRequestMessage(HttpMethod.Get, context.Options.UserInformationEndpoint);
request.Headers.Authorization =
new AuthenticationHeaderValue("Bearer", context.AccessToken);
using var response =
await context.Backchannel.SendAsync(request, context.HttpContext.RequestAborted)
.ConfigureAwait(false);
if (!response.IsSuccessStatusCode ||
response.Content?.Headers?.ContentType?.MediaType.StartsWith("application/json") != true)
{
throw new HttpRequestException(
$"An error occurred when retrieving OAuth user information ({response.StatusCode}). Please check if the authentication information is correct.");
}
await using var stream = await response.Content.ReadAsStreamAsync().ConfigureAwait(false);
using var json = await JsonDocument.ParseAsync(stream).ConfigureAwait(false);
context.RunClaimActions(json.RootElement);
},
OnRemoteFailure = context =>
{
var failure = context.Failure;
var logger = context.HttpContext.RequestServices.GetRequiredService <ILogger <OAuthEvents> >();
logger.LogError(failure, failure.Message);
context.Response.Redirect("/Account/ExternalLoginFailure");
context.HandleResponse();
return(Task.CompletedTask);
}
};
});
/// <summary>
/// RedirectToReturnUrl
/// </summary>
/// <param name="context"></param>
/// <returns></returns>
public override Task RedirectToReturnUrl(RedirectContext <CookieAuthenticationOptions> context)
{
return(base.RedirectToReturnUrl(context));
}
private Task HandleWithStatusCode(RedirectContext <CookieAuthenticationOptions> context, HttpStatusCode statusCode)
{
context.Response.StatusCode = (int)statusCode;
return(Task.CompletedTask);
}
private static Task OnRedirectToIdentityProviderForSignOut(RedirectContext context)
{
return(Task.FromResult(0));
}
public override async Task RedirectToAccessDenied(RedirectContext <CookieAuthenticationOptions> context)
{
context.Response.StatusCode = 403;
}
public override Task RedirectToIdentityProvider(RedirectContext context)
{
context.ProtocolMessage.SetParameter("CustomKey", "CustomValue");
return(base.RedirectToIdentityProvider(context));
}
/// <summary> /// Called when a Challenge causes a redirect to authorize endpoint in the OAuth handler. /// </summary> /// <param name="context">Contains redirect URI and <see cref="AuthenticationProperties"/> of the challenge.</param> public virtual Task RedirectToAuthorizationEndpoint(RedirectContext <OAuthOptions> context) => OnRedirectToAuthorizationEndpoint(context);
private static Task OnRedirectToIdentityProvider(RedirectContext context, AdminConfiguration adminConfiguration)
{
context.ProtocolMessage.RedirectUri = adminConfiguration.IdentityAdminRedirectUri;
return(Task.CompletedTask);
}
private static Task OnRedirectToIdentityProvider(RedirectContext n, IAdminConfiguration adminConfiguration)
{
n.ProtocolMessage.RedirectUri = adminConfiguration.IdentityAdminRedirectUri;
return(Task.FromResult(0));
}
public override Task RedirectToLogin(RedirectContext <CookieAuthenticationOptions> context)
{
context.HandleRedirect(StatusCodes.Status401Unauthorized);
return(Task.CompletedTask);
}
public async override Task RedirectToReturnUrl(RedirectContext <CookieAuthenticationOptions> context)
{
await ReturnStatus(context.Response, StatusCodes.Status401Unauthorized);
}
/// <summary>
/// Invoked when the client is being redirected to the log in url.
/// </summary>
/// <param name="context">The <see cref="RedirectContext{TOptions}"/>.</param>
public virtual Task RedirectToLogin(RedirectContext <CookieAuthenticationOptions> context) => OnRedirectToLogin(context);
