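/// <summary>
/// Registers JWT bearer authentication for an Azure AD protected web API whose downstream
/// calls authenticate with a client certificate loaded from Key Vault.
/// </summary>
/// <param name="services">The service collection to register into.</param>
/// <param name="configuration">Configuration; the "AzureAd" section and the "KeyVault:Url" and "GraphAppCertName" settings are read.</param>
/// <param name="authenticationOptions">Options supplying the accepted audiences and issuers.</param>
/// <param name="azureADOptions">Azure AD instance and tenant used to build the v2.0 authority URL.</param>
/// <exception cref="System.InvalidOperationException">
/// Thrown when "KeyVault:Url" or "GraphAppCertName" is missing, so a misconfigured certificate
/// source fails at registration instead of when the options callback first runs.
/// </exception>
private static void RegisterAuthenticationServicesWithCertificate(
    IServiceCollection services,
    IConfiguration configuration,
    AuthenticationOptions authenticationOptions,
    AzureADOptions azureADOptions)
{
    // Read the certificate location eagerly so a missing value surfaces with a descriptive
    // error at startup rather than inside the deferred options callback.
    var keyVaultUrl = configuration.GetValue<string>("KeyVault:Url");
    if (string.IsNullOrWhiteSpace(keyVaultUrl))
    {
        throw new System.InvalidOperationException("Configuration setting 'KeyVault:Url' is required when UseCertificate is enabled.");
    }

    var certificateName = configuration.GetValue<string>("GraphAppCertName");
    if (string.IsNullOrWhiteSpace(certificateName))
    {
        throw new System.InvalidOperationException("Configuration setting 'GraphAppCertName' is required when UseCertificate is enabled.");
    }

    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddMicrosoftIdentityWebApi(
            jwtBearerOptions =>
            {
                jwtBearerOptions.Authority = $"{azureADOptions.Instance}{azureADOptions.TenantId}/v2.0";
                // Keep the raw access token on the authentication properties for later retrieval.
                jwtBearerOptions.SaveToken = true;

                var validation = jwtBearerOptions.TokenValidationParameters;
                validation.ValidAudiences = AuthenticationServiceCollectionExtensions.GetValidAudiences(authenticationOptions);
                validation.AudienceValidator = AuthenticationServiceCollectionExtensions.AudienceValidator;
                validation.ValidIssuers = AuthenticationServiceCollectionExtensions.GetValidIssuers(authenticationOptions);
            },
            microsoftIdentityOptions =>
            {
                configuration.Bind("AzureAd", microsoftIdentityOptions);
                // Set the certificate source after binding so the "AzureAd" section cannot override it.
                microsoftIdentityOptions.ClientCertificates = new CertificateDescription[]
                {
                    CertificateDescription.FromKeyVault(keyVaultUrl, certificateName),
                };
            })
        .EnableTokenAcquisitionToCallDownstreamApi(
            confidentialClientApplicationOptions => configuration.Bind("AzureAd", confidentialClientApplicationOptions))
        .AddInMemoryTokenCaches();
}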
        // This method works specifically for single-tenant applications.
        /// <summary>
        /// Registers the protected-web-API authentication services for a single-tenant Azure AD
        /// application and points the JWT bearer handler at the tenant's v2.0 authority.
        /// </summary>
        /// <param name="services">The service collection to register into.</param>
        /// <param name="configuration">Configuration passed to the protected-web-API registrations.</param>
        /// <param name="authenticationOptions">Validated first; supplies instance, tenant, client id, audiences and issuers.</param>
        private static void RegisterAuthenticationServices(
            IServiceCollection services,
            IConfiguration configuration,
            AuthenticationOptions authenticationOptions)
        {
            // Validate the supplied options before any handler is wired up.
            AuthenticationServiceCollectionExtensions.ValidateAuthenticationOptions(authenticationOptions);

            services
                .AddProtectedWebApi(configuration)
                .AddProtectedWebApiCallsProtectedWebApi(configuration)
                .AddInMemoryTokenCaches();

            services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, jwtBearerOptions =>
            {
                var tenant = new AzureADOptions
                {
                    Instance = authenticationOptions.AzureAdInstance,
                    TenantId = authenticationOptions.AzureAdTenantId,
                    ClientId = authenticationOptions.AzureAdClientId,
                };
                var authority = $"{tenant.Instance}{tenant.TenantId}/v2.0";

                jwtBearerOptions.Authority = authority;
                // Keep the raw access token on the authentication properties for later retrieval.
                jwtBearerOptions.SaveToken = true;

                var validation = jwtBearerOptions.TokenValidationParameters;
                validation.ValidAudiences = AuthenticationServiceCollectionExtensions.GetValidAudiences(authenticationOptions);
                validation.AudienceValidator = AuthenticationServiceCollectionExtensions.AudienceValidator;
                validation.ValidIssuers = AuthenticationServiceCollectionExtensions.GetValidIssuers(authenticationOptions);
            });
        }
        /// <summary>
        /// Registers authentication and the authorization policy for the API.
        /// </summary>
        /// <param name="services">The service collection being extended.</param>
        /// <param name="configuration">Configuration used by the authentication wiring and the authorization policy.</param>
        /// <param name="authenticationOptions">Azure AD authentication options for the JWT bearer handler.</param>
        public static void AddAuthentication(
            this IServiceCollection services,
            IConfiguration configuration,
            AuthenticationOptions authenticationOptions)
        {
            // Authentication handlers are registered before the authorization policy.
            AuthenticationServiceCollectionExtensions.RegisterAuthenticationServices(services, configuration, authenticationOptions);
            AuthenticationServiceCollectionExtensions.RegisterAuthorizationPolicy(services, configuration);
        }
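        /// <summary>
        /// Builds the issuers accepted by the JWT bearer handler from
        /// <see cref="AuthenticationOptions.AzureAdValidIssuers"/>, replacing the literal
        /// "TENANT_ID" placeholder in each entry with the configured tenant id.
        /// </summary>
        /// <param name="authenticationOptions">Options carrying the tenant id and the raw issuer list.</param>
        /// <returns>The substituted issuers, materialized once rather than re-evaluated on every enumeration.</returns>
        /// <exception cref="System.InvalidOperationException">
        /// Thrown when an issuer entry uses the "TENANT_ID" placeholder but no tenant id is configured;
        /// substituting an empty tenant would silently yield an issuer that can never match.
        /// </exception>
        private static IEnumerable<string> GetValidIssuers(AuthenticationOptions authenticationOptions)
        {
            var tenantId = authenticationOptions.AzureAdTenantId;

            var rawIssuers = AuthenticationServiceCollectionExtensions
                .SplitAuthenticationOptionsList(authenticationOptions.AzureAdValidIssuers)
                .ToList();

            if (string.IsNullOrWhiteSpace(tenantId) && rawIssuers.Any(issuer => issuer.Contains("TENANT_ID")))
            {
                throw new System.InvalidOperationException(
                    "AzureAdTenantId must be set when AzureAdValidIssuers uses the TENANT_ID placeholder.");
            }

            // ValidIssuers is consulted on every token validation; return a concrete list so the
            // substitution runs once at registration instead of once per request.
            return rawIssuers
                .Select(issuer => issuer.Replace("TENANT_ID", tenantId))
                .ToList();
        }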
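        /// <summary>
        /// Builds the issuers accepted by the JWT bearer handler from the configured issuer list,
        /// replacing the literal "TENANT_ID" placeholder in each entry with the configured tenant id.
        /// </summary>
        /// <param name="configuration">Configuration holding the tenant id and issuer settings.</param>
        /// <returns>The substituted issuers, materialized once rather than re-evaluated on every enumeration.</returns>
        /// <exception cref="System.InvalidOperationException">
        /// Thrown when an issuer entry uses the "TENANT_ID" placeholder but the tenant id setting is
        /// missing; substituting an empty tenant would silently yield an issuer that can never match.
        /// </exception>
        private static IEnumerable<string> GetValidIssuers(IConfiguration configuration)
        {
            var tenantId = configuration[AuthenticationServiceCollectionExtensions.TenantIdConfigurationSettingsKey];

            var rawIssuers = AuthenticationServiceCollectionExtensions
                .GetSettings(configuration, AuthenticationServiceCollectionExtensions.ValidIssuersConfigurationSettingsKey)
                .ToList();

            if (string.IsNullOrWhiteSpace(tenantId) && rawIssuers.Any(issuer => issuer.Contains("TENANT_ID")))
            {
                throw new System.InvalidOperationException(
                    "The tenant id setting must be present when the valid issuers setting uses the TENANT_ID placeholder.");
            }

            // ValidIssuers is consulted on every token validation; return a concrete list so the
            // substitution runs once at registration instead of once per request.
            return rawIssuers
                .Select(issuer => issuer.Replace("TENANT_ID", tenantId))
                .ToList();
        }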
 /// <summary>
 /// Registers Azure AD JWT bearer authentication without a client certificate; the client
 /// credential comes from the configuration bound by AddMicrosoftIdentityWebApiAuthentication.
 /// Downstream-API token acquisition uses an in-memory token cache.
 /// </summary>
 /// <param name="services">The service collection to register into.</param>
 /// <param name="configuration">Configuration passed to the Microsoft Identity Web registration.</param>
 /// <param name="authenticationOptions">Options supplying the accepted audiences and issuers.</param>
 /// <param name="azureADOptions">Azure AD instance and tenant used to build the v2.0 authority URL.</param>
 private static void RegisterAuthenticationServicesWithSecret(
     IServiceCollection services,
     IConfiguration configuration,
     AuthenticationOptions authenticationOptions,
     AzureADOptions azureADOptions)
 {
     services
         .AddMicrosoftIdentityWebApiAuthentication(configuration)
         .EnableTokenAcquisitionToCallDownstreamApi()
         .AddInMemoryTokenCaches();

     // Re-configure the handler after registration so authority, audiences and issuers
     // come from the supplied options rather than from the bound configuration alone.
     services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, jwtBearerOptions =>
     {
         var authority = $"{azureADOptions.Instance}{azureADOptions.TenantId}/v2.0";
         jwtBearerOptions.Authority = authority;
         // Keep the raw access token on the authentication properties for later retrieval.
         jwtBearerOptions.SaveToken = true;

         var validation = jwtBearerOptions.TokenValidationParameters;
         validation.ValidAudiences = AuthenticationServiceCollectionExtensions.GetValidAudiences(authenticationOptions);
         validation.AudienceValidator = AuthenticationServiceCollectionExtensions.AudienceValidator;
         validation.ValidIssuers = AuthenticationServiceCollectionExtensions.GetValidIssuers(authenticationOptions);
     });
 }
        // This method works specifically for single-tenant applications.
        /// <summary>
        /// Registers JWT bearer authentication as the default scheme for a single-tenant Azure AD API,
        /// with the accepted audiences and issuers read from configuration.
        /// </summary>
        /// <param name="services">The service collection to register into.</param>
        /// <param name="configuration">Configuration providing the "AzureAd" section and the audience/issuer settings.</param>
        private static void RegisterAuthenticationServices(
            IServiceCollection services,
            IConfiguration configuration)
        {
            // Validate the configuration before any handler is wired up.
            AuthenticationServiceCollectionExtensions.ValidateAuthenticationConfigurationSettings(configuration);

            services
                .AddAuthentication(authOptions => authOptions.DefaultScheme = JwtBearerDefaults.AuthenticationScheme)
                .AddJwtBearer(jwtBearerOptions =>
                {
                    var azureAd = new AzureADOptions();
                    configuration.Bind("AzureAd", azureAd);

                    jwtBearerOptions.Authority = $"{azureAd.Instance}{azureAd.TenantId}/v2.0";
                    // Replace the handler's validation parameters with ones that pin the
                    // accepted audiences and issuers from configuration.
                    jwtBearerOptions.TokenValidationParameters = new TokenValidationParameters
                    {
                        ValidAudiences = AuthenticationServiceCollectionExtensions.GetValidAudiences(configuration),
                        ValidIssuers = AuthenticationServiceCollectionExtensions.GetValidIssuers(configuration),
                        AudienceValidator = AuthenticationServiceCollectionExtensions.AudienceValidator,
                    };
                });
        }
        // This method works specifically for single-tenant applications.
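        /// <summary>
        /// Registers two bearer authentication schemes for a single-tenant API: the default JWT bearer
        /// scheme for Azure AD tokens, and an IdentityServer scheme named
        /// <c>PolicyNames.AtWorkRioIdentity</c> backed by the "AtWorkRioIdentity" configuration section.
        /// </summary>
        /// <param name="services">The service collection to register into.</param>
        /// <param name="configuration">Configuration providing the "AzureAd" and "AtWorkRioIdentity" sections.</param>
        /// <exception cref="System.InvalidOperationException">
        /// Thrown when the "AtWorkRioIdentity" section is absent, instead of a null dereference when
        /// the IdentityServer options callback runs.
        /// </exception>
        private static void RegisterAuthenticationServices(
            IServiceCollection services,
            IConfiguration configuration)
        {
            AuthenticationServiceCollectionExtensions.ValidateAuthenticationConfigurationSettings(configuration);

            // Get<T>() yields null for a missing section; fail at startup with a descriptive message.
            var atWorkRioIdentityOptions = configuration.GetSection("AtWorkRioIdentity").Get<AtWorkRioIdentityOptions>()
                ?? throw new System.InvalidOperationException("Configuration section 'AtWorkRioIdentity' is missing or empty.");

            // The same pre-bound instance is handed out on every resolution.
            services.AddTransient<AtWorkRioIdentityOptions>(_ => atWorkRioIdentityOptions);
            services.AddSingleton(serviceProvider =>
            {
                // GetRequiredService gives a clear error if the registration above is ever removed,
                // rather than a null dereference on .Authority.
                var identityOptions = serviceProvider.GetRequiredService<AtWorkRioIdentityOptions>();
                return new DiscoveryCache(identityOptions.Authority);
            });

            services
                .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, jwtBearerOptions =>
                {
                    var azureAd = new AzureADOptions();
                    configuration.Bind("AzureAd", azureAd);

                    jwtBearerOptions.Authority = $"{azureAd.Instance}{azureAd.TenantId}/v2.0";
                    // Pin the accepted audiences and issuers from configuration.
                    jwtBearerOptions.TokenValidationParameters = new TokenValidationParameters
                    {
                        ValidAudiences = AuthenticationServiceCollectionExtensions.GetValidAudiences(configuration),
                        ValidIssuers = AuthenticationServiceCollectionExtensions.GetValidIssuers(configuration),
                        AudienceValidator = AuthenticationServiceCollectionExtensions.AudienceValidator,
                    };
                })
                .AddIdentityServerAuthentication(PolicyNames.AtWorkRioIdentity, identityServerOptions =>
                {
                    identityServerOptions.Authority = atWorkRioIdentityOptions.Authority;
                    identityServerOptions.ApiName = atWorkRioIdentityOptions.ApiName;
                    // ApiSecret is read from configuration; keep it out of source control.
                    identityServerOptions.ApiSecret = atWorkRioIdentityOptions.ApiSecret;
                    // Allows the authority's discovery document to be fetched over plain HTTP.
                    // Suitable for local development only; production authorities should require HTTPS.
                    identityServerOptions.RequireHttpsMetadata = false;
                });
        }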
        // This method works specifically for single-tenant applications.
        /// <summary>
        /// Validates the options, builds the Azure AD settings and delegates to the certificate-based
        /// or secret-based registration depending on the "UseCertificate" configuration flag.
        /// </summary>
        /// <param name="services">The service collection to register into.</param>
        /// <param name="configuration">Configuration; "UseCertificate" selects the client credential type.</param>
        /// <param name="authenticationOptions">Validated first; supplies the Azure AD instance, tenant and client id.</param>
        private static void RegisterAuthenticationServices(
            IServiceCollection services,
            IConfiguration configuration,
            AuthenticationOptions authenticationOptions)
        {
            AuthenticationServiceCollectionExtensions.ValidateAuthenticationOptions(authenticationOptions);

            var azureAd = new AzureADOptions
            {
                Instance = authenticationOptions.AzureAdInstance,
                TenantId = authenticationOptions.AzureAdTenantId,
                ClientId = authenticationOptions.AzureAdClientId,
            };

            // A missing "UseCertificate" flag binds as false, so the secret-based path is the default.
            if (!configuration.GetValue<bool>("UseCertificate"))
            {
                RegisterAuthenticationServicesWithSecret(services, configuration, authenticationOptions, azureAd);
                return;
            }

            RegisterAuthenticationServicesWithCertificate(services, configuration, authenticationOptions, azureAd);
        }