private static Task OnRedirectToIdentityProvider(RedirectContext n, IAdminConfiguration adminConfiguration) { n.ProtocolMessage.RedirectUri = adminConfiguration.IdentityAdminRedirectUri; return(Task.FromResult(0)); }
/// <summary> /// Generate default clients, identity and api resources /// </summary> private static async Task EnsureSeedIdentityServerData <TIdentityServerDbContext>(TIdentityServerDbContext context, IAdminConfiguration adminConfiguration) where TIdentityServerDbContext : DbContext, IAdminConfigurationDbContext { if (!context.Clients.Any()) { foreach (var client in Clients.GetAdminClient(adminConfiguration).ToList()) { await context.Clients.AddAsync(client.ToEntity()); } await context.SaveChangesAsync(); } if (!context.IdentityResources.Any()) { var identityResources = ClientResources.GetIdentityResources().ToList(); foreach (var resource in identityResources) { await context.IdentityResources.AddAsync(resource.ToEntity()); } await context.SaveChangesAsync(); } if (!context.ApiResources.Any()) { foreach (var resource in ClientResources.GetApiResources().ToList()) { await context.ApiResources.AddAsync(resource.ToEntity()); } await context.SaveChangesAsync(); } }
public static void AddAuthenticationServices <TContext, TUserIdentity, TUserIdentityRole>(this IServiceCollection services, IHostingEnvironment hostingEnvironment, IAdminConfiguration adminConfiguration) where TContext : DbContext where TUserIdentity : class where TUserIdentityRole : class { services.AddIdentity <TUserIdentity, TUserIdentityRole>() .AddEntityFrameworkStores <TContext>() .AddDefaultTokenProviders(); //For integration tests use only cookie middleware if (hostingEnvironment.IsStaging()) { services.AddAuthentication(options => { options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.DefaultForbidScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.DefaultSignOutScheme = CookieAuthenticationDefaults.AuthenticationScheme; }) .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options => { options.Cookie.Name = AuthenticationConsts.IdentityAdminCookieName; }); } else { services.AddAuthentication(options => { options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.DefaultChallengeScheme = AuthenticationConsts.OidcAuthenticationScheme; options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.DefaultForbidScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.DefaultSignOutScheme = CookieAuthenticationDefaults.AuthenticationScheme; }) .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options => { options.Cookie.Name = AuthenticationConsts.IdentityAdminCookieName; }) .AddOpenIdConnect(AuthenticationConsts.OidcAuthenticationScheme, options => { options.Authority = adminConfiguration.IdentityServerBaseUrl; options.RequireHttpsMetadata = false; options.ClientId = AuthenticationConsts.OidcClientId; options.Scope.Clear(); options.Scope.Add(AuthenticationConsts.ScopeOpenId); options.Scope.Add(AuthenticationConsts.ScopeProfile); options.Scope.Add(AuthenticationConsts.ScopeEmail); options.Scope.Add(AuthenticationConsts.ScopeRoles); options.SaveTokens = true; options.TokenValidationParameters = new TokenValidationParameters { NameClaimType = JwtClaimTypes.Name, RoleClaimType = JwtClaimTypes.Role, }; options.Events = new OpenIdConnectEvents { OnMessageReceived = OnMessageReceived, OnRedirectToIdentityProvider = n => OnRedirectToIdentityProvider(n, adminConfiguration) }; }); } }
public RootConfiguration(IOptions <AdminConfiguration> adminConfiguration) { AdminConfiguration = adminConfiguration.Value; }
public static IServiceCollection AddCustomHealthCheck(this IServiceCollection services, IConfiguration configuration, IAdminConfiguration adminConfiguration) { services.AddHealthChecks() .AddCheck("self", () => HealthCheckResult.Healthy()) .AddUrlGroup(new Uri(adminConfiguration.IdentityServerBaseUrl + configuration["IdentityUrlHC"]), name: "identityapi-check", tags: new string[] { "identityapi" }); return(services); }
/// <summary> /// Register services for authentication, including Identity. /// For production mode is used OpenId Connect middleware which is connected to IdentityServer4 instance. /// For testing purpose is used cookie middleware with fake login url. /// </summary> /// <typeparam name="TContext"></typeparam> /// <typeparam name="TUserIdentity"></typeparam> /// <typeparam name="TUserIdentityRole"></typeparam> /// <param name="services"></param> /// <param name="hostingEnvironment"></param> /// <param name="adminConfiguration"></param> public static void AddAuthenticationServices <TContext, TUserIdentity, TUserIdentityRole>(this IServiceCollection services, IHostingEnvironment hostingEnvironment, IAdminConfiguration adminConfiguration, Microsoft.Extensions.Logging.ILogger logger) where TContext : DbContext where TUserIdentity : class where TUserIdentityRole : class { services.AddIdentity <TUserIdentity, TUserIdentityRole>(options => { options.User.RequireUniqueEmail = true; }) .AddEntityFrameworkStores <TContext>() .AddDefaultTokenProviders(); //For integration tests use only cookie middleware if (hostingEnvironment.IsStaging()) { services.AddAuthentication(options => { options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.DefaultForbidScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.DefaultSignOutScheme = CookieAuthenticationDefaults.AuthenticationScheme; }) .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options => { options.Cookie.Name = AuthenticationConsts.IdentityAdminCookieName; }); } else { services.AddAuthentication(options => { options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.DefaultChallengeScheme = AuthenticationConsts.OidcAuthenticationScheme; options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.DefaultForbidScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.DefaultSignOutScheme = CookieAuthenticationDefaults.AuthenticationScheme; }) .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options => { options.Cookie.Name = AuthenticationConsts.IdentityAdminCookieName; // Issue: https://github.com/aspnet/Announcements/issues/318 options.Cookie.SameSite = SameSiteMode.None; }) .AddOpenIdConnect(AuthenticationConsts.OidcAuthenticationScheme, options => { options.Authority = adminConfiguration.IdentityServerBaseUrl; // NOTE: This is only for development set for false // For production use - set RequireHttpsMetadata to true! options.RequireHttpsMetadata = false; options.ClientId = adminConfiguration.ClientId; options.ClientSecret = adminConfiguration.ClientSecret; options.ResponseType = adminConfiguration.OidcResponseType; options.Scope.Clear(); foreach (var scope in adminConfiguration.Scopes) { options.Scope.Add(scope); } options.ClaimActions.MapJsonKey(AuthenticationConsts.RoleClaim, AuthenticationConsts.RoleClaim, AuthenticationConsts.RoleClaim); options.SaveTokens = true; options.GetClaimsFromUserInfoEndpoint = true; options.TokenValidationParameters = new TokenValidationParameters { NameClaimType = JwtClaimTypes.Name, RoleClaimType = JwtClaimTypes.Role, }; options.Events = new OpenIdConnectEvents { OnMessageReceived = OnMessageReceived, OnRedirectToIdentityProvider = n => OnRedirectToIdentityProvider(n, adminConfiguration) }; }); } }
public static IEnumerable <Client> GetAdminClient(IAdminConfiguration adminConfiguration) { return(new List <Client> { new Client { ClientId = adminConfiguration.ClientId, ClientName = adminConfiguration.ClientId, ClientUri = adminConfiguration.IdentityAdminBaseUrl, AllowedGrantTypes = GrantTypes.Hybrid, ClientSecrets = new List <Secret> { new Secret(adminConfiguration.ClientSecret.ToSha256()) }, RedirectUris = { $"{adminConfiguration.IdentityAdminBaseUrl}/signin-oidc" }, FrontChannelLogoutUri = $"{adminConfiguration.IdentityAdminBaseUrl}/signout-oidc", PostLogoutRedirectUris = { $"{adminConfiguration.IdentityAdminBaseUrl}/signout-callback-oidc" }, AllowedCorsOrigins = { adminConfiguration.IdentityAdminBaseUrl }, AllowedScopes = { IdentityServerConstants.StandardScopes.OpenId, IdentityServerConstants.StandardScopes.Profile, IdentityServerConstants.StandardScopes.Email, "roles" } }, new Client { ClientId = adminConfiguration.IdentityAdminApiSwaggerUIClientId, ClientName = adminConfiguration.IdentityAdminApiSwaggerUIClientId, AllowedGrantTypes = GrantTypes.Implicit, RedirectUris = new List <string> { adminConfiguration.IdentityAdminApiSwaggerUIRedirectUrl }, AllowedScopes = { adminConfiguration.IdentityAdminApiScope }, AllowAccessTokensViaBrowser = true }, new Client { ClientId = "mcb_api_swagger", ClientName = "Swagger UI for MCB", AllowedGrantTypes = GrantTypes.Implicit, AllowAccessTokensViaBrowser = true, AccessTokenLifetime = 180, RedirectUris = { "https://localhost:9001/api/oauth2-redirect.html" }, AllowedScopes = new [] { "tripwithmeapi" } }, new Client { ClientName = "Trip With Me WebClient", ClientId = "tripwithmeclient", AllowedGrantTypes = GrantTypes.Implicit, RequireConsent = false, AllowAccessTokensViaBrowser = true, AccessTokenLifetime = 180, RedirectUris = { "https://localhost:4200/assets/oidc-login-redirect.html" }, PostLogoutRedirectUris = { "https://localhost:4200/?postLogout=true" }, AllowedCorsOrigins = { "https://localhost:4200/" }, AllowedScopes = new [] { IdentityServerConstants.StandardScopes.OpenId, IdentityServerConstants.StandardScopes.Profile, "roles", "tripwithmeapi" } } , new Client { ClientName = "Trip With Me Mobile", ClientId = "tripwithmemobile", Description = "Used for All Xamarin Mobile Apps", AllowedGrantTypes = GrantTypes.Hybrid, RequireConsent = false, RequirePkce = true, RedirectUris = { "https://com.mst.uwp" }, AllowedCorsOrigins = { "https://com.mst.uwp" }, AllowedScopes = new List <string> { IdentityServerConstants.StandardScopes.OpenId, IdentityServerConstants.StandardScopes.Profile, IdentityServerConstants.StandardScopes.OfflineAccess }, AllowOfflineAccess = true, AllowAccessTokensViaBrowser = true } }); }
public AuthorizeCheckOperationFilter(IRootConfiguration rootConfiguration) { _adminConfiguration = rootConfiguration.AdminConfiguration; }