public void ConfigureAuthServices(IServiceCollection services, ServerSettings serverSettings)
{
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap = new Dictionary <string, string>();
string connectionString = this.Configuration.GetConnectionString("DefaultConnection");
var migrationsAssembly = typeof(Startup).GetTypeInfo().Assembly.GetName().Name;
services.AddDbContext <UnityAuthDbContext>(options =>
{
options.UseSqlServer(connectionString, sql => sql.MigrationsAssembly(migrationsAssembly));
});
services.AddIdentity <ApplicationUser, ApplicationUserRole>()
.AddRoleManager <ApplicationUserRoleManager>()
.AddUserManager <ApplicationUserManager>()
.AddEntityFrameworkStores <UnityAuthDbContext>()
.AddDefaultTokenProviders();
// configure identity server with in-memory stores, keys, clients and scopes
services.AddIdentityServer()
// .AddClientStore<UnityClientStore>()
.AddProfileService <UnityUserProfileService>()
// .AddClientStoreCache<UnityClientStore>()
.AddSigningCredential(IdentityServerBuilderExtensionsCrypto.CreateRsaSecurityKey())
// this adds the config data from DB (clients, resources)
.AddConfigurationStore(options =>
{
options.ConfigureDbContext = builder =>
builder.UseSqlServer(
connectionString,
sql => sql.MigrationsAssembly(migrationsAssembly));
})
// this adds the operational data from DB (codes, tokens, consents)
.AddOperationalStore(options =>
{
options.ConfigureDbContext = builder =>
builder.UseSqlServer(
connectionString,
sql => sql.MigrationsAssembly(migrationsAssembly));
// this enables automatic token cleanup. this is optional.
options.EnableTokenCleanup = true;
options.TokenCleanupInterval = SessionSecurity.TokenCleanupInterval;
})
.AddDefaultEndpoints()
.AddRequiredPlatformServices()
// .AddInMemoryPersistedGrants()
// .AddInMemoryIdentityResources(Defaults.GetIdentityResources())
// .AddInMemoryApiResources(Defaults.GetApiResources())
// .AddInMemoryClients(Defaults.GetClients())
.AddAspNetIdentity <ApplicationUser>();
services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
.AddIdentityServerAuthentication(options =>
{
options.Authority = serverSettings.HostAddress;
options.ApiName = "api";
options.RequireHttpsMetadata = false;
options.SaveToken = true;
options.ApiSecret = "secret";
options.SupportedTokens = SupportedTokens.Both;
options.JwtBearerEvents = new AuthJwtBearerEvents();
});
services.Configure <IdentityOptions>(options =>
{
// Password settings
options.Password.RequireDigit = true;
options.Password.RequiredLength = 6;
options.Password.RequireNonAlphanumeric = false;
options.Password.RequireUppercase = true;
options.Password.RequireLowercase = false;
options.Password.RequiredUniqueChars = 6;
// Lockout settings
options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(30);
options.Lockout.MaxFailedAccessAttempts = 5;
options.Lockout.AllowedForNewUsers = true;
// User settings
options.User.RequireUniqueEmail = true;
});
services.ConfigureApplicationCookie(options =>
{
// Cookie settings
options.Cookie.HttpOnly = true;
options.Cookie.Expiration = TimeSpan.FromMinutes(SessionSecurity.SessionExpiryTime);
options.LoginPath = "/Account/Login"; // If the LoginPath is not set here, ASP.NET Core will default to /Account/Login
options.LogoutPath = "/Account/Logout"; // If the LogoutPath is not set here, ASP.NET Core will default to /Account/Logout
options.AccessDeniedPath = "/Account/AccessDenied"; // If the AccessDeniedPath is not set here, ASP.NET Core will default to /Account/AccessDenied
options.SlidingExpiration = true;
});
// services
// .AddMvcCore(options =>
// {
// // require scope1 or scope2
// var policy = ScopePolicy.Create("apiv1");
// options.Filters.Add(new AuthorizeFilter(policy));
// })
// .AddJsonFormatters()
// .AddAuthorization();
// services.AddAuthorization(options =>
// {
// options.AddPolicy("apiv1Policy", builder =>
// {
// // require scope1
// builder.RequireScope("apiv1");
// });
// });
// add CORS policy for non-IdentityServer endpoints
services.AddCors(options =>
{
options.AddPolicy("apiCorsPolicy", policy =>
{
policy.AllowAnyOrigin().AllowAnyHeader().AllowAnyMethod();
});
});
// Add application services.
services.AddTransient <IEmailSender, EmailSender>();
// Add application services.
services.AddTransient <ISmsSender, SmsSender>();
services.AddSingleton <TokenCleanup>();
services.AddSingleton <IHostedService, TokenCleanupHost>();
var storeOptions = new OperationalServiceOptions();
services.AddSingleton(storeOptions);
storeOptions.EnableTokenCleanup = true;
storeOptions.TokenCleanupInterval = Convert.ToInt32(TimeSpan.FromMinutes(SessionSecurity.SessionExpiryTime).TotalSeconds);
storeOptions.TokenCleanupBatchSize = SessionSecurity.TokenCleanupBatchSize;
}
// clients want to access resources (aka scopes)
/// <summary>
/// Gets the clients.
/// </summary>
/// <param name="serverSettings">The server settings.</param>
/// <returns>IEnumerable<Client>.</returns>
public static IEnumerable <Client> GetClients(ServerSettings serverSettings)
{
// client credentials client
return(new List <Client>
{
new Client
{
ClientId = "client",
AllowedGrantTypes = GrantTypes.ClientCredentials,
ClientSecrets =
{
new Secret("secret".Sha256())
},
AllowedScopes = { "api", "apiv1" }
},
// resource owner password grant client
new Client
{
ClientId = "Unity.Auth.Server.Api",
AllowedGrantTypes = GrantTypes.Implicit,
ClientSecrets =
{
new Secret("Unity.Auth.Server.Client".Sha256())
},
AllowedScopes =
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.Email,
"api",
"apiv1"
},
ClientName = "Unity Auth Server Client",
AllowAccessTokensViaBrowser = true,
RedirectUris = { serverSettings.HostAddress },
PostLogoutRedirectUris = { serverSettings.HostAddress },
FrontChannelLogoutUri = $"{serverSettings.HostAddress}/signout-idsrv", // for testing identityserver on localhost
},
// OpenID Connect hybrid flow and client credentials client (MVC)
new Client
{
ClientId = "mvc",
ClientName = "MVC Client",
AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,
RequireConsent = true,
ClientSecrets =
{
new Secret("secret".Sha256())
},
RedirectUris = { $"{ serverSettings.HostAddress}/signin-oidc" },
PostLogoutRedirectUris = { $"{ serverSettings.HostAddress}/signout-callback-oidc" },
AllowedScopes =
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
"api",
"apiv1"
},
AllowOfflineAccess = true
}
});
}