public TokenDbCache(string userObjectId)
{
// associate the cache to the current user of the web app
userObjId = userObjectId;
this.AfterAccess = AfterAccessNotification;
this.BeforeAccess = BeforeAccessNotification;
this.BeforeWrite = BeforeWriteNotification;
// look up the entry in the DB
Cache = db.TokenCacheEntries.FirstOrDefault(c => c.userObjId == userObjId);
// place the entry in memory
this.Deserialize((Cache == null) ? null : Cache.cacheBits);
}
// Notification raised after ADAL accessed the cache.
// If the HasStateChanged flag is set, ADAL changed the content of the cache
void AfterAccessNotification(TokenCacheNotificationArgs args)
{
// if state changed
if (this.HasStateChanged)
{
Cache = new TokenCacheEntry
{
userObjId = userObjId,
cacheBits = this.Serialize(),
LastWrite = DateTime.Now
};
//// update the DB and the lastwrite
db.Entry(Cache).State = Cache.TokenCacheEntryID == 0 ? EntityState.Added : EntityState.Modified;
db.SaveChanges();
this.HasStateChanged = false;
}
}
// Notification raised before ADAL accesses the cache.
// This is your chance to update the in-memory copy from the DB, if the in-memory version is stale
void BeforeAccessNotification(TokenCacheNotificationArgs args)
{
if (Cache == null)
{
// first time access
Cache = db.TokenCacheEntries.FirstOrDefault(c => c.userObjId == userObjId);
}
else
{
// retrieve last write from the DB
var dbCache = db.TokenCacheEntries.FirstOrDefault(c => c.userObjId == userObjId);
// if the in-memory copy is older than the persistent copy, update the in-memory copy
if (dbCache.LastWrite > Cache.LastWrite)
{
Cache = dbCache;
}
}
this.Deserialize((Cache == null) ? null : Cache.cacheBits);
}
// Notification raised after ADAL accessed the cache.
// If the HasStateChanged flag is set, ADAL changed the content of the cache
void AfterAccessNotification(TokenCacheNotificationArgs args)
{
// if state changed
if (this.HasStateChanged)
{
// retrieve last write from the DB
Cache = db.TokenCacheEntries.FirstOrDefault(e => e.userObjId == userObjId);
if (Cache == null)
{
Cache = new TokenCacheEntry
{
userObjId = userObjId,
};
}
Cache.LastWrite = DateTime.Now;
Cache.cacheBits = this.Serialize();
//// update the DB and the lastwrite
db.Entry(Cache).State = Cache.TokenCacheEntryID == 0 ? EntityState.Added : EntityState.Modified;
db.SaveChanges();
this.HasStateChanged = false;
}
}
// Notification raised before ADAL accesses the cache.
// This is your chance to update the in-memory copy from the DB, if the in-memory version is stale
void BeforeAccessNotification(TokenCacheNotificationArgs args)
{
if (Cache == null)
{
// first time access
Cache = db.TokenCacheEntries.FirstOrDefault(c => c.userObjId == userObjId);
}
else
{ // retrieve last write from the DB
var status = from e in db.TokenCacheEntries
where (e.userObjId == userObjId)
select new
{
LastWrite = e.LastWrite
};
// if the in-memory copy is older than the persistent copy
if (status.First().LastWrite > Cache.LastWrite)
//// read from from storage, update in-memory copy
{
Cache = db.TokenCacheEntries.FirstOrDefault(c => c.userObjId == userObjId);
}
}
this.Deserialize((Cache == null) ? null : Cache.cacheBits);
}
public void ConfigureAuth(IAppBuilder app)
{
string clientId = ConfigurationManager.AppSettings["ida:ClientID"];
string appKey = ConfigurationManager.AppSettings["ida:Password"];
string graphResourceID = "https://graph.windows.net";
//fixed address for multitenant apps in the public cloud
string Authority = "https://login.windows.net/common/";
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions {
});
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
Client_Id = clientId,
Authority = Authority,
TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
{
// instead of using the default validation (validating against a single issuer value, as we do in line of business apps),
// we inject our own multitenant validation logic
ValidateIssuer = false,
},
Notifications = new OpenIdConnectAuthenticationNotifications()
{
AccessCodeReceived = (context) =>
{
var code = context.Code;
ClientCredential credential = new ClientCredential(clientId, appKey);
string tenantID = context.ClaimsIdentity.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
string signedInUserID = context.ClaimsIdentity.FindFirst(ClaimTypes.NameIdentifier).Value;
AuthenticationContext authContext = new AuthenticationContext(string.Format("https://login.windows.net/{0}", tenantID));
AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(
code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, graphResourceID);
TokenCacheEntry tce = new TokenCacheEntry
{
SignedInUser = signedInUserID,
TokenRequestorUser = result.UserInfo.UserId,
ResourceID = graphResourceID,
AccessToken = result.AccessToken,
RefreshToken = result.RefreshToken,
Expiration = result.ExpiresOn.AddMinutes(-5)
};
var existing = db.TokenCache.FirstOrDefault(a => (a.SignedInUser == signedInUserID) && (a.ResourceID == graphResourceID));
if (existing != null)
{
db.TokenCache.Remove(existing);
}
db.TokenCache.Add(tce);
db.SaveChanges();
return(Task.FromResult(0));
},
RedirectToIdentityProvider = (context) =>
{
// This ensures that the address used for sign in and sign out is picked up dynamically from the request
// this allows you to deploy your app (to Azure Web Sites, for example)without having to change settings
// Remember that the base URL of the address used here must be provisioned in Azure AD beforehand.
string appBaseUrl = context.Request.Scheme + "://" + context.Request.Host + context.Request.PathBase;
context.ProtocolMessage.Redirect_Uri = appBaseUrl + "/";
context.ProtocolMessage.Post_Logout_Redirect_Uri = appBaseUrl;
return(Task.FromResult(0));
},
// we use this notification for injecting our custom logic
SecurityTokenValidated = (context) =>
{
// retriever caller data from the incoming principal
string issuer = context.AuthenticationTicket.Identity.FindFirst("iss").Value;
string UPN = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.Name).Value;
string tenantID = context.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
if (
// the caller comes from an admin-consented, recorded issuer
(db.Tenants.FirstOrDefault(a => ((a.IssValue == issuer) && (a.AdminConsented))) == null)
// the caller is recorded in the db of users who went through the individual onboardoing
&& (db.Users.FirstOrDefault(b => ((b.UPN == UPN) && (b.TenantID == tenantID))) == null)
)
{
// the caller was neither from a trusted issuer or a registered user - throw to block the authentication flow
throw new System.IdentityModel.Tokens.SecurityTokenValidationException();
}
return(Task.FromResult(0));
},
AuthenticationFailed = (context) =>
{
context.Redirect("/Home/Error");
return(Task.FromResult(0));
}
}
});
}