/// <summary>
        /// Answers an authentication request by asking the logged-in user through a modal popup window.
        /// </summary>
        /// <param name="userIdentityPageBase">The base URI upon which user identity pages are created.</param>
        /// <param name="request">The incoming authentication request; its IsAuthenticated and identifier properties are filled in.</param>
        /// <param name="cancellationToken">The cancellation token passed to the RP discovery call.</param>
        /// <returns>
        /// A task that completes once the dialog has been dismissed and the request has been answered.
        /// </returns>
        internal static async Task ProcessAuthenticationAsync(Uri userIdentityPageBase, IAuthenticationRequest request, CancellationToken cancellationToken)
        {
            Requires.NotNull(userIdentityPageBase, "userIdentityPageBase");
            Requires.NotNull(request, "request");

            var dialog = new CheckIdWindow(userIdentityPageBase, request);

            // Ask the library whether the RP's return URL can be confirmed through discovery,
            // so the dialog can show the user whether the requesting site was verifiable.
            IHostFactories factories = new DefaultOpenIdHostFactories();
            var discovery = await request.IsReturnUrlDiscoverableAsync(factories, cancellationToken);
            bool returnUrlVerified = discovery == RelyingPartyDiscoveryResult.Success;

            dialog.discoverableYesLabel.Visibility = returnUrlVerified ? Visibility.Visible : Visibility.Collapsed;
            dialog.discoverableNoLabel.Visibility  = returnUrlVerified ? Visibility.Collapsed : Visibility.Visible;

            // Modal: returns once the window closes. Null or false covers Esc and cancel.
            bool? dialogResult = dialog.ShowDialog();
            if (dialogResult != true)
            {
                // Dismissed without approval: answer with a negative assertion.
                request.IsAuthenticated = false;
                return;
            }

            // The tab the user left selected is the verdict; only a positive
            // verdict carries the identifiers the user typed.
            bool approved = dialog.tabControl1.SelectedItem == dialog.positiveTab;
            request.IsAuthenticated = approved;
            if (approved)
            {
                request.ClaimedIdentifier = dialog.claimedIdentifierBox.Text;
                request.LocalIdentifier   = dialog.localIdentifierBox.Text;
            }
        }
		/// <summary>
		/// Answers an authentication request by asking the logged-in user through a modal popup window.
		/// </summary>
		/// <param name="userIdentityPageBase">The base URI upon which user identity pages are created.</param>
		/// <param name="request">The incoming authentication request; its IsAuthenticated and identifier properties are filled in.</param>
		/// <param name="cancellationToken">The cancellation token passed to the RP discovery call.</param>
		/// <returns>
		/// A task that completes once the dialog has been dismissed and the request has been answered.
		/// </returns>
		internal static async Task ProcessAuthenticationAsync(Uri userIdentityPageBase, IAuthenticationRequest request, CancellationToken cancellationToken) {
			Requires.NotNull(userIdentityPageBase, "userIdentityPageBase");
			Requires.NotNull(request, "request");

			var dialog = new CheckIdWindow(userIdentityPageBase, request);

			// Ask the library whether the RP's return URL can be confirmed through discovery,
			// so the dialog can show the user whether the requesting site was verifiable.
			IHostFactories factories = new DefaultOpenIdHostFactories();
			var discovery = await request.IsReturnUrlDiscoverableAsync(factories, cancellationToken);
			bool returnUrlVerified = discovery == RelyingPartyDiscoveryResult.Success;

			dialog.discoverableYesLabel.Visibility = returnUrlVerified ? Visibility.Visible : Visibility.Collapsed;
			dialog.discoverableNoLabel.Visibility = returnUrlVerified ? Visibility.Collapsed : Visibility.Visible;

			// Modal: returns once the window closes. Null or false covers Esc and cancel.
			bool? dialogResult = dialog.ShowDialog();
			if (dialogResult != true) {
				// Dismissed without approval: answer with a negative assertion.
				request.IsAuthenticated = false;
				return;
			}

			// The tab the user left selected is the verdict; only a positive
			// verdict carries the identifiers the user typed.
			bool approved = dialog.tabControl1.SelectedItem == dialog.positiveTab;
			request.IsAuthenticated = approved;
			if (approved) {
				request.ClaimedIdentifier = dialog.claimedIdentifierBox.Text;
				request.LocalIdentifier = dialog.localIdentifierBox.Text;
			}
		}
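		/// <summary>
		/// Decides how to answer an OpenID checkid request: the relying party is verified first,
		/// then the request is either answered from the current user's login state or left
		/// pending while the user is sent to the login page.
		/// </summary>
		/// <param name="idrequest">The incoming authentication request to answer.</param>
		/// <param name="cancellationToken">The cancellation token passed to the RP discovery call.</param>
		/// <returns>A task that completes when the request has been processed.</returns>
		internal static async Task ProcessAuthenticationChallengeAsync(IAuthenticationRequest idrequest, CancellationToken cancellationToken) {
			// Verify that RP discovery is successful before anything is asserted to its return URL.
			var providerEndpoint = new ProviderEndpoint();
			var discovery = await idrequest.IsReturnUrlDiscoverableAsync(providerEndpoint.Provider.Channel.HostFactories, cancellationToken);
			if (discovery != RelyingPartyDiscoveryResult.Success) {
				idrequest.IsAuthenticated = false;
				return;
			}

			// Verify that the RP is on the whitelist.  Realms are compared exactly (case sensitive).
			// A missing or empty "whitelistedRealms" setting yields an empty whitelist, so every realm
			// is rejected instead of failing with a NullReferenceException.
			string whitelistSetting = ConfigurationManager.AppSettings["whitelistedRealms"] ?? string.Empty;
			string[] whitelist = whitelistSetting.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries);
			if (Array.IndexOf(whitelist, idrequest.Realm.ToString()) < 0) {
				idrequest.IsAuthenticated = false;
				return;
			}

			// Capture the request context once, after the await.
			var context = HttpContext.Current;
			bool sendUserToLogin = false;

			if (idrequest.IsDirectedIdentity) {
				if (context.User.Identity.IsAuthenticated) {
					idrequest.LocalIdentifier = Util.BuildIdentityUrl();
					idrequest.IsAuthenticated = true;
				} else if (idrequest.Immediate || ImplicitAuth) {
					// The RP demands an immediate answer, or implicit authentication leaves nothing
					// further to ask the user, so reject the authentication.
					idrequest.IsAuthenticated = false;
				} else {
					// Leave the request unanswered (IsAuthenticated is not set here) and have the
					// user log into the OP first.
					sendUserToLogin = true;
				}
			} else {
				string userOwningOpenIdUrl = Util.ExtractUserName(idrequest.LocalIdentifier);

				// NOTE: in a production provider site, you may want to only
				// respond affirmatively if the user has already authorized this consumer
				// to know the answer.
				// The comparison is ordinal and case sensitive.  NOTE(review): confirm that this
				// matches how the login page normalizes user names.
				idrequest.IsAuthenticated = userOwningOpenIdUrl == context.User.Identity.Name;

				sendUserToLogin = !idrequest.IsAuthenticated.Value && !ImplicitAuth && !idrequest.Immediate;
			}

			// Send the user to a page to actually log into the OP, unless already on it.
			if (sendUserToLogin && !context.Request.Path.EndsWith("Login.aspx", StringComparison.OrdinalIgnoreCase)) {
				context.Response.Redirect("~/Login.aspx");
			}

			// Only a positive assertion carries extension responses.  IsAuthenticated can still be
			// unset here (the directed-identity case that is waiting for login), so compare against
			// true rather than dereferencing .Value, which would throw InvalidOperationException.
			if (idrequest.IsAuthenticated == true) {
				// add extension responses here.
				var fetchRequest = idrequest.GetExtension<FetchRequest>();
				if (fetchRequest != null) {
					var fetchResponse = new FetchResponse();
					if (fetchRequest.Attributes.Contains(RolesAttribute)) {
						// Inform the RP what roles this user should fill.
						// These roles would normally come out of the user database
						// or Windows security groups.
						fetchResponse.Attributes.Add(RolesAttribute, "Member", "Admin");
					}
					idrequest.AddResponseExtension(fetchResponse);
				}
			}
		}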
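        /// <summary>
        /// Decides how to answer an OpenID checkid request: the relying party is verified first,
        /// then the request is either answered from the current user's login state or left
        /// pending while the user is sent to the login page.
        /// </summary>
        /// <param name="idrequest">The incoming authentication request to answer.</param>
        /// <param name="cancellationToken">The cancellation token passed to the RP discovery call.</param>
        /// <returns>A task that completes when the request has been processed.</returns>
        internal static async Task ProcessAuthenticationChallengeAsync(IAuthenticationRequest idrequest, CancellationToken cancellationToken)
        {
            // Verify that RP discovery is successful before anything is asserted to its return URL.
            var providerEndpoint = new ProviderEndpoint();
            var discovery = await idrequest.IsReturnUrlDiscoverableAsync(providerEndpoint.Provider.Channel.HostFactories, cancellationToken);

            if (discovery != RelyingPartyDiscoveryResult.Success)
            {
                idrequest.IsAuthenticated = false;
                return;
            }

            // Verify that the RP is on the whitelist.  Realms are compared exactly (case sensitive).
            // A missing or empty "whitelistedRealms" setting yields an empty whitelist, so every realm
            // is rejected instead of failing with a NullReferenceException.
            string whitelistSetting = ConfigurationManager.AppSettings["whitelistedRealms"] ?? string.Empty;
            string[] whitelist = whitelistSetting.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries);
            if (Array.IndexOf(whitelist, idrequest.Realm.ToString()) < 0)
            {
                idrequest.IsAuthenticated = false;
                return;
            }

            // Capture the request context once, after the await.
            var context = HttpContext.Current;
            bool sendUserToLogin = false;

            if (idrequest.IsDirectedIdentity)
            {
                if (context.User.Identity.IsAuthenticated)
                {
                    idrequest.LocalIdentifier = Util.BuildIdentityUrl();
                    idrequest.IsAuthenticated = true;
                }
                else if (idrequest.Immediate || ImplicitAuth)
                {
                    // The RP demands an immediate answer, or implicit authentication leaves nothing
                    // further to ask the user, so reject the authentication.
                    idrequest.IsAuthenticated = false;
                }
                else
                {
                    // Leave the request unanswered (IsAuthenticated is not set here) and have the
                    // user log into the OP first.
                    sendUserToLogin = true;
                }
            }
            else
            {
                string userOwningOpenIdUrl = Util.ExtractUserName(idrequest.LocalIdentifier);

                // NOTE: in a production provider site, you may want to only
                // respond affirmatively if the user has already authorized this consumer
                // to know the answer.
                // The comparison is ordinal and case sensitive.  NOTE(review): confirm that this
                // matches how the login page normalizes user names.
                idrequest.IsAuthenticated = userOwningOpenIdUrl == context.User.Identity.Name;

                sendUserToLogin = !idrequest.IsAuthenticated.Value && !ImplicitAuth && !idrequest.Immediate;
            }

            // Send the user to a page to actually log into the OP, unless already on it.
            if (sendUserToLogin && !context.Request.Path.EndsWith("Login.aspx", StringComparison.OrdinalIgnoreCase))
            {
                context.Response.Redirect("~/Login.aspx");
            }

            // Only a positive assertion carries extension responses.  IsAuthenticated can still be
            // unset here (the directed-identity case that is waiting for login), so compare against
            // true rather than dereferencing .Value, which would throw InvalidOperationException.
            if (idrequest.IsAuthenticated == true)
            {
                // add extension responses here.
                var fetchRequest = idrequest.GetExtension<FetchRequest>();
                if (fetchRequest != null)
                {
                    var fetchResponse = new FetchResponse();
                    if (fetchRequest.Attributes.Contains(RolesAttribute))
                    {
                        // Inform the RP what roles this user should fill.
                        // These roles would normally come out of the user database
                        // or Windows security groups.
                        fetchResponse.Attributes.Add(RolesAttribute, "Member", "Admin");
                    }
                    idrequest.AddResponseExtension(fetchResponse);
                }
            }
        }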