private static void ConfigureAzureADAuth(AuthenticationBuilder authBuilder, ProxyApplication application, IdentityProvider idp)
{
var schemes = ProxyAuthComponents.GetAuthSchemes(application);
if (application.HasPathMode(PathAuthOptions.AuthMode.Api))
{
authBuilder.AddAzureADBearer(
scheme: schemes.ApiName,
jwtBearerScheme: schemes.JwtBearerName,
configureOptions: options =>
{
options.Instance = idp.Instance;
options.TenantId = idp.TenantId;
options.ClientId = application.IdentityProviderBinding.ClientId;
});
}
if (application.HasPathMode(PathAuthOptions.AuthMode.Web))
{
authBuilder.AddAzureAD(
scheme: schemes.WebName,
openIdConnectScheme: schemes.OpenIdName,
cookieScheme: schemes.CookieName,
displayName: schemes.DisplayName,
configureOptions: options =>
{
options.Instance = idp.Instance;
options.TenantId = idp.TenantId;
options.ClientId = application.IdentityProviderBinding.ClientId;
options.ClientSecret = application.IdentityProviderBinding.ClientSecret;
options.CallbackPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.SignInCallback);
options.SignedOutCallbackPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.SignedOutCallback);
});
}
}
private static void ConfigureOpenIDConnectAuth(AuthenticationBuilder authBuilder, ProxyApplication application, IdentityProvider idp, bool retainWebToken, bool retainApiToken)
{
var schemes = ProxyAuthComponents.GetAuthSchemes(application);
if (application.HasPathMode(PathAuthOptions.AuthMode.Api))
{
authBuilder.AddJwtBearer(schemes.ApiName, options =>
{
options.Authority = idp.Authority;
if (idp.AccessTokenIssuer != null)
{
options.TokenValidationParameters.ValidIssuer = idp.AccessTokenIssuer;
}
options.Audience = application.IdentityProviderBinding.ClientId;
options.SaveToken = retainApiToken;
options.TokenValidationParameters.ValidAudiences = new string[] { application.IdentityProviderBinding.AppIdUri };
options.TokenValidationParameters.AuthenticationType = ProxyAuthComponents.ApiAuth;
options.SecurityTokenValidators.Clear();
options.SecurityTokenValidators.Add(new JwtSecurityTokenHandler
{
MapInboundClaims = false
});
});
}
if (application.HasPathMode(PathAuthOptions.AuthMode.Web))
{
authBuilder.AddOpenIdConnect(schemes.OpenIdName, options =>
{
options.ClientId = application.IdentityProviderBinding.ClientId;
options.ClientSecret = application.IdentityProviderBinding.ClientSecret;
options.Authority = idp.Authority;
options.CallbackPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.SignInCallback);
options.SignedOutCallbackPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.SignedOutCallback);
options.SignInScheme = schemes.WebName;
options.UseTokenLifetime = true;
options.SaveTokens = retainWebToken;
options.TokenValidationParameters.AuthenticationType = ProxyAuthComponents.WebAuth;
options.RemoteSignOutPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.RemoteSignOut);
options.SecurityTokenValidator = new JwtSecurityTokenHandler
{
MapInboundClaims = false
};
});
authBuilder.AddCookie(schemes.WebName, options =>
{
options.AccessDeniedPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.AccessDenied);
options.Cookie.SameSite = application.SessionCookieSameSiteMode ?? SameSiteMode.Lax;
options.Cookie.Name = $"{ProxyAuthComponents.CookiePrefix}.{ProxyAuthComponents.AuthCookieId}.{application.Name}";
options.ForwardChallenge = schemes.OpenIdName;
});
}
}
public async Task InvokeAsync(HttpContext context, IProxyApplicationService applicationService)
{
var application = applicationService.GetActiveApplication();
if (application.HasPathMode(PathAuthOptions.AuthMode.Web))
{
if (context.Request.Path == ProxyMetaEndpoints.AccessDenied)
{
await context.Response.WriteAsync("Access denied.");
return;
}
if (context.Request.Path == ProxyMetaEndpoints.PostSignedOutCallback)
{
await context.Response.WriteAsync("Logged out.");
return;
}
if (context.Request.Path == ProxyMetaEndpoints.UserSignOut)
{
var schemes = ProxyAuthComponents.GetAuthSchemes(application);
var properties = new AuthenticationProperties
{
RedirectUri = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.PostSignedOutCallback)
};
await context.SignOutAsync(schemes.CookieName);
await context.SignOutAsync(schemes.OpenIdName, properties);
return;
}
}
context.Response.StatusCode = (int)HttpStatusCode.NotFound;
}
private static void ConfigureAzureADAuthOptions(IServiceCollection services, ProxyApplication application, string[] additionalClaimsRetained, bool retainWebToken, bool retainApiToken)
{
var schemes = ProxyAuthComponents.GetAuthSchemes(application);
if (application.HasPathMode(PathAuthOptions.AuthMode.Api))
{
services.Configure <JwtBearerOptions>(schemes.JwtBearerName, options =>
{
options.SaveToken = retainApiToken;
options.TokenValidationParameters.ValidAudiences = new string[] { application.IdentityProviderBinding.AppIdUri };
options.TokenValidationParameters.AuthenticationType = ProxyAuthComponents.ApiAuth;
options.TokenValidationParameters.RoleClaimType = AzureADClaims.Roles;
options.TokenValidationParameters.NameClaimTypeRetriever = (token, _) =>
{
var jwtToken = (JwtSecurityToken)token;
return(jwtToken.Claims.Any(c => c.ValueType == AzureADClaims.UserPrincipalName) ?
AzureADClaims.UserPrincipalName : AzureADClaims.ObjectId);
};
options.SecurityTokenValidators.Clear();
options.SecurityTokenValidators.Add(new JwtSecurityTokenHandler
{
MapInboundClaims = false
});
});
}
if (application.HasPathMode(PathAuthOptions.AuthMode.Web))
{
services.Configure <CookieAuthenticationOptions>(schemes.CookieName, options =>
{
options.AccessDeniedPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.AccessDenied);
options.Cookie.SameSite = application.SessionCookieSameSiteMode ?? SameSiteMode.Lax;
options.Cookie.Name = $"{ProxyAuthComponents.CookiePrefix}.{ProxyAuthComponents.AuthCookieId}.{application.Name}";
});
services.Configure <OpenIdConnectOptions>(schemes.OpenIdName, options =>
{
var stripClaims = new List <string> {
"aio", "family_name", "given_name", "name", "tid", "unique_name", "uti"
};
if (additionalClaimsRetained != null)
{
foreach (var claim in additionalClaimsRetained)
{
options.ClaimActions.Remove(claim);
}
stripClaims = stripClaims.Except(additionalClaimsRetained).ToList();
}
if (application.SessionCookieRetainedClaims != null)
{
foreach (var claim in application.SessionCookieRetainedClaims)
{
options.ClaimActions.Remove(claim);
}
stripClaims = stripClaims.Except(application.SessionCookieRetainedClaims).ToList();
}
if (application.SessionCookieStrippedClaims != null)
{
stripClaims.AddRange(application.SessionCookieStrippedClaims);
}
options.ClaimActions.DeleteClaims(stripClaims.ToArray());
options.SaveTokens = retainWebToken;
options.TokenValidationParameters.AuthenticationType = ProxyAuthComponents.WebAuth;
options.TokenValidationParameters.RoleClaimType = AzureADClaims.Roles;
options.TokenValidationParameters.NameClaimType = AzureADClaims.UserPrincipalName;
options.RemoteSignOutPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.RemoteSignOut);
options.ResponseType = application.IdentityProviderBinding.DisableImplicitIdToken ?
OpenIdConnectResponseType.Code : OpenIdConnectResponseType.IdToken;
options.SecurityTokenValidator = new JwtSecurityTokenHandler
{
MapInboundClaims = false
};
if (application.IdentityProviderBinding.UseApplicationMetadata)
{
options.MetadataAddress = $"{options.Authority}/.well-known/openid-configuration?appid={options.ClientId}";
}
});
}
}
