public static void AddFlexAuthentication(this OpenApiDocument document, IServiceIdentity serviceIdentity) { document.Components.SecuritySchemes.Add("openid", new OpenApiSecurityScheme { // swagger-ui doesn't support native OpenIdConnect yet Type = OpenApiSecuritySchemeType.OAuth2, Description = "Portal Authentication", Flows = new OpenApiOAuthFlows { AuthorizationCode = new OpenApiOAuthFlow { AuthorizationUrl = serviceIdentity.IdentityProvider + "/oauth2/v2.0/authorize", TokenUrl = serviceIdentity.IdentityProvider + "/oauth2/v2.0/token", Scopes = new Dictionary <string, string> { { "openid", "OpenID Connect" }, { "profile", "User Profile" }, { "email", "E-Mail" } } } } }); document.Security.Add(new OpenApiSecurityRequirement { { "openid", Array.Empty <string>() } }); }
public async Task NotifyAsync(EventMessage message) { try { _ = message ?? throw new ArgumentNullException(nameof(message)); State.MessageCount++; State.ByteCount += message.Message.LongLength; State.LastMessageTimestamp = DateTime.UtcNow; if (!string.IsNullOrEmpty(State.Metadata.NotifyAddress)) { if (sink == null && !EventSinkFactory.IsInitialized) { IServiceIdentity identity = GrainFactory.GetGrain <IServiceIdentity>("PiraeusIdentity"); byte[] certBytes = await identity.GetCertificateAsync(); List <KeyValuePair <string, string> > kvps = await identity.GetClaimsAsync(); X509Certificate2 certificate = certBytes == null ? null : new X509Certificate2(certBytes); List <Claim> claims = GetClaims(kvps); sink = EventSinkFactory.Create(State.Metadata, claims, certificate); sink.OnResponse += Sink_OnResponse; } await sink.SendAsync(message); } else if (State.MessageLeases.Count > 0) { foreach (var observer in State.MessageLeases.Values) { observer.Notify(message); } } else { if (State.Metadata.DurableMessaging && State.Metadata.TTL.HasValue) { await QueueDurableMessageAsync(message); } else { await QueueInMemoryMessageAsync(message); } } await NotifyMetricsAsync(); } catch (Exception ex) { await logger?.LogErrorAsync(ex, "Subscription notify."); await NotifyErrorAsync(ex); throw; } }
private bool InitializeDSTSObjects() { //initialize objects first and then update member variables under lock to reduce lock duration string claimsAuth = this.configStore.ReadUnencryptedString(SecuritySection, ClaimsAuthEnabledKey); if (Boolean.TryParse(claimsAuth, out this.claimsAuthEnabled) && this.claimsAuthEnabled && this.configStore.GetSections(this.configSection).Count > 0) { var settings = new DSTSSettings(configSection); settings.LoadSettings(this.configStore); IServerHomeDsts serverHomeDsts = new ServerHomeDsts(new Uri(settings.DSTSRealm), settings.DSTSDnsName); IServiceIdentity serviceIdentity = new ServiceIdentity(settings.ServiceDnsName, settings.ServiceName); var configuration = new DatacenterServiceConfiguration(serverHomeDsts, serviceIdentity); WebSecurityTokenAuthenticator tokenAuthenticator = new WebSecurityTokenAuthenticator(configuration); ServerAuthenticationProvider authenticationProvider = new ServerAuthenticationProvider(configuration); if (!this.reloadLock.TryEnterWriteLock(DSTSObjectManager.LockTimeout)) { TokenValidationServiceFactory.TraceSource.WriteWarning( DSTSObjectManager.TraceType, "Failed to obtain write lock on InitializeDSTSObjects"); return(false); } bool retval = false; try { this.settings = settings; this.serverHomeDsts = serverHomeDsts; this.serviceIdentity = serviceIdentity; this.tokenAuthenticator = tokenAuthenticator; this.authenticationProvider = authenticationProvider; retval = true; TokenValidationServiceFactory.TraceSource.WriteInfo( DSTSObjectManager.TraceType, "DSTSSettings and DSTSObjects initialized for ServiceName {0}", this.settings.ServiceName); } finally { this.reloadLock.ExitWriteLock(); } return(retval); } else { TokenValidationServiceFactory.TraceSource.WriteWarning( DSTSObjectManager.TraceType, "TVS is in disabled mode because section {0} key {1} has value {2}", SecuritySection, ClaimsAuthEnabledKey, claimsAuth); return(true); } }
public static void AddFlexAuthentication(this SwaggerUi3Settings settings, IServiceIdentity serviceIdentity) { settings.OAuth2Client = new OAuth2ClientSettings { AppName = serviceIdentity.ClientId, ClientId = serviceIdentity.ClientId, ClientSecret = string.Empty, UsePkceWithAuthorizationCodeGrant = true }; }
private async Task SetCertificateAsync() { IServiceIdentity identity = GraphManager.GetServiceIdentity("PiraeusIdentity"); byte[] certBytes = await identity.GetCertificateAsync(); if (certBytes != null) { certificate = new X509Certificate2(certBytes); } }
public async Task AddServiceIdentityCertificateAsync(string key, string path, string password) { IServiceIdentity identity = GetServiceIdentity(key); X509Certificate2 cert = new X509Certificate2(path, password); if (cert != null) { byte[] certBytes = cert.Export(X509ContentType.Pfx, password); await identity.AddCertificateAsync(certBytes); } }
public async Task AddServiceIdentityCertificateAsync(string key, string store, string location, string thumbprint, string password) { IServiceIdentity identity = GetServiceIdentity(key); X509Certificate2 cert = GetLocalCertificate(store, location, thumbprint); if (cert != null) { byte[] certBytes = cert.Export(X509ContentType.Pfx, password); await identity.AddCertificateAsync(certBytes); } }
public static void AddFlexAuthentication(this IServiceCollection services, IServiceIdentity serviceIdentity) { JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear(); JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Add("sub", ClaimTypes.NameIdentifier); JwtSecurityTokenHandler.DefaultOutboundClaimTypeMap.Clear(); services.AddAuthentication(config => { config.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme; config.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme; config.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme; }) .AddCookie(options => { options.Events = new CookieAuthenticationEvents { OnRedirectToLogin = context => { context.Response.Headers["Location"] = context.RedirectUri; context.Response.StatusCode = StatusCodes.Status401Unauthorized; return(Task.CompletedTask); } }; }) .AddOpenIdConnect(options => { options.ClientId = serviceIdentity.ClientId; options.Authority = serviceIdentity.IdentityProvider + "/v2.0"; options.ResponseType = "id_token"; options.SaveTokens = true; options.GetClaimsFromUserInfoEndpoint = true; }) .AddJwtBearer(options => { options.TokenValidationParameters = new TokenValidationParameters() { ValidateIssuer = false, ValidateAudience = false, }; }); //services.AddTransient<IPostConfigureOptions<OpenIdConnectOptions>, OpenIdConnectPostConfiguration>(); services.AddAuthorization(options => { options.AddPolicy(KnownPolicies.Flexer, new AuthorizationPolicyBuilder(OpenIdConnectDefaults.AuthenticationScheme) .RequireAssertion(context => context.User.HasClaim(x => x.Value == "Flexer")) .RequireAuthenticatedUser() .Build()); }); }
private async Task SetClaimsAsync() { tokenExpiration = DateTime.UtcNow.AddDays(1.0); IServiceIdentity identity = GraphManager.GetServiceIdentity("PiraeusIdentity"); List <KeyValuePair <string, string> > kvps = await identity.GetClaimsAsync(); if (kvps != null) { List <Claim> list = new List <Claim>(); foreach (var kvp in kvps) { list.Add(new Claim(kvp.Key, kvp.Value)); } claims = list; } }
public async Task NotifyAsync(EventMessage message) { Exception error = null; State.MessageCount++; State.ByteCount += message.Message.LongLength; State.LastMessageTimestamp = DateTime.UtcNow; try { if (!string.IsNullOrEmpty(State.Metadata.NotifyAddress)) { if (sink == null) { if (!EventSinkFactory.IsInitialized) { IServiceIdentity identity = GrainFactory.GetGrain <IServiceIdentity>("PiraeusIdentity"); byte[] certBytes = await identity.GetCertificateAsync(); List <KeyValuePair <string, string> > kvps = await identity.GetClaimsAsync(); X509Certificate2 certificate = certBytes == null ? null : new X509Certificate2(certBytes); List <Claim> claims = GetClaims(kvps); sink = EventSinkFactory.Create(State.Metadata, claims, certificate); } else { sink = EventSinkFactory.Create(State.Metadata); } } await sink.SendAsync(message); } else if (State.MessageLeases.Count > 0) { //send to actively connected subsystem foreach (var observer in State.MessageLeases.Values) { observer.Notify(message); } } else { if (State.Metadata.DurableMessaging && State.Metadata.TTL.HasValue) //durable message queue { await QueueDurableMessageAsync(message); } else //in-memory message queue { await QueueInMemoryMessageAsync(message); } } } catch (Exception ex) { Trace.TraceWarning("Subscription publish failed to complete."); Trace.TraceError("Subscription publish error {0}", ex.Message); error = ex; //GetLogger().Log(2, Orleans.Runtime.Severity.Error, "Subscription notification exception {0}", new object[] { State.Metadata.SubscriptionUriString }, ex); } await NotifyMetricsAsync(); if (error != null) { await NotifyErrorAsync(error); } }
public async Task AddServiceIdentityClaimsAsync(string key, List <KeyValuePair <string, string> > claims) { IServiceIdentity identity = GetServiceIdentity(key); await identity.AddClaimsAsync(claims); }