/// <summary>
/// Configure ActiveDirectory sign-in
/// </summary>
/// <param name="app"></param>
/// <param name="tenant"></param>
/// <param name="clientId"></param>
/// <param name="postLoginRedirectUri">
/// The URL that will be redirected to after login is successful, example: http://mydomain.com/umbraco/;
/// </param>
/// <param name="issuerId">
///
/// This is the "Issuer Id" for you Azure AD application. This a GUID value and can be found
/// in the Azure portal when viewing your configured application and clicking on 'View endpoints'
/// which will list all of the API endpoints. Each endpoint will contain a GUID value, this is
/// the Issuer Id which must be used for this value.
///
/// If this value is not set correctly then accounts won't be able to be detected
/// for un-linking in the back office.
///
/// </param>
/// <param name="caption"></param>
/// <param name="style"></param>
/// <param name="icon"></param>
/// <remarks>
/// ActiveDirectory account documentation for ASP.Net Identity can be found:
/// https://github.com/AzureADSamples/WebApp-WebAPI-OpenIDConnect-DotNet
/// </remarks>
public static void ConfigureBackOfficeAzureActiveDirectoryAuth(this IAppBuilder app,
string tenant, string clientId, string postLoginRedirectUri, Guid issuerId,
string caption = "Active Directory", string style = "btn-microsoft", string icon = "fa-windows")
{
var authority = string.Format(
CultureInfo.InvariantCulture,
"https://login.windows.net/{0}",
tenant);
var adOptions = new OpenIdConnectAuthenticationOptions
{
SignInAsAuthenticationType = Constants.Security.BackOfficeExternalAuthenticationType,
ClientId = clientId,
Authority = authority
};
adOptions.ForUmbracoBackOffice(style, icon);
adOptions.Caption = caption;
//Need to set the auth tyep as the issuer path
adOptions.AuthenticationType = string.Format(
CultureInfo.InvariantCulture,
"https://sts.windows.net/{0}/",
issuerId);
app.UseOpenIdConnectAuthentication(adOptions);
}
private void ConfigureAuth(IAppBuilder app)
{
var clientId = ConfigurationManager.AppSettings["ida:ClientID"];
//fixed address for multitenant apps in the public cloud
const string authority = "https://login.microsoftonline.com/common/";
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
var openIdConnectAuthenticationOptions = new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
Authority = authority,
TokenValidationParameters = new TokenValidationParameters
{
// instead of using the default validation (validating against a single issuer value, as we do in line of business apps),
// we inject our own multitenant validation logic
ValidateIssuer = false,
},
Notifications = new OpenIdConnectAuthenticationNotifications
{
RedirectToIdentityProvider = context => RedirectToIdentityProvider(context),
// we use this notification for injecting our custom logic
SecurityTokenValidated = context => SecurityTokenValidated(context),
AuthenticationFailed = context => AuthenticationFailed(context)
}
};
app.UseOpenIdConnectAuthentication(openIdConnectAuthenticationOptions);
}
public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
OpenIdConnectAuthenticationOptions b2coptions = new OpenIdConnectAuthenticationOptions
{
// Standard OWIN OIDC parameters
Authority = String.Format(aadInstance, tenant),
ClientId = clientId,
RedirectUri = redirectUri,
PostLogoutRedirectUri = redirectUri,
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = AuthenticationFailed,
},
// Required for AAD B2C
Scope = "openid",
ConfigurationManager = new B2CConfigurationManager(String.Format(aadInstance + "{1}", tenant, discoverySuffix)),
// Optional - used for displaying the user's name in the navigation bar when signed in.
TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name",
},
AuthenticationType = "OpenIdConnect-B2C",
};
// Required for AAD B2C
app.Use(typeof(B2COpenIdConnectAuthenticationMiddleware), app, b2coptions);
OpenIdConnectAuthenticationOptions b2eoptions = new OpenIdConnectAuthenticationOptions
{
Authority = String.Format(aadInstance, "common"),
ClientId = clientId,
RedirectUri = redirectUri,
PostLogoutRedirectUri = redirectUri,
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = AuthenticationFailed,
},
TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = false,
},
AuthenticationType = "OpenIdConnect-B2E",
};
app.UseOpenIdConnectAuthentication(b2eoptions);
}
/// <summary>
/// Adds the <see cref="OpenIdConnectAuthenticationMiddleware"/> into the OWIN runtime.
/// </summary>
/// <param name="app">The <see cref="IAppBuilder"/> passed to the configuration method</param>
/// <param name="openIdConnectOptions">A <see cref="OpenIdConnectAuthenticationOptions"/> contains settings for obtaining identities using the OpenIdConnect protocol.</param>
/// <returns>The updated <see cref="IAppBuilder"/></returns>
public static IAppBuilder UseOpenIdConnectAuthentication(this IAppBuilder app, OpenIdConnectAuthenticationOptions openIdConnectOptions)
{
if (app == null)
{
throw new ArgumentNullException("app");
}
if (openIdConnectOptions == null)
{
throw new ArgumentNullException("openIdConnectOptions");
}
return app.Use(typeof(OpenIdConnectAuthenticationMiddleware), app, openIdConnectOptions);
}
public void ConfigureAuth(IAppBuilder app)
{
ApplicationDbContext db = new ApplicationDbContext();
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
OpenIdConnectAuthenticationOptions options = new OpenIdConnectAuthenticationOptions();
options.ClientId = SettingsHelper.ClientId;
options.Authority = SettingsHelper.AzureADAuthority;
options.PostLogoutRedirectUri = SettingsHelper.LogoutAuthority;
OpenIdConnectAuthenticationNotifications notifications = new OpenIdConnectAuthenticationNotifications();
notifications.AuthorizationCodeReceived = (context) =>
{
string code = context.Code;
AuthenticationHelper authHelper = new AuthenticationHelper();
String signInUserId = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
AuthenticationContext authContext = new AuthenticationContext(SettingsHelper.AzureADAuthAuthority);
AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), authHelper.GetClientAssertionCertificate(), null);
return Task.FromResult(0);
};
notifications.RedirectToIdentityProvider = (context) =>
{
string appBaseUrl = context.Request.Scheme + "://" + context.Request.Host + context.Request.PathBase;
context.ProtocolMessage.RedirectUri = appBaseUrl + "/";
context.ProtocolMessage.PostLogoutRedirectUri = appBaseUrl;
return Task.FromResult(0);
};
notifications.AuthenticationFailed = (context) =>
{
context.HandleResponse();
return Task.FromResult(0);
};
options.Notifications = notifications;
app.UseOpenIdConnectAuthentication(options);
}
public IEnumerable<OwinMiddlewareRegistration> GetOwinMiddlewares() {
var middlewares = new List<OwinMiddlewareRegistration>();
AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier;
var openIdOptions = new OpenIdConnectAuthenticationOptions {
ClientId = _azureClientId,
Authority = string.Format(CultureInfo.InvariantCulture, _azureADInstance, _azureTenant),
PostLogoutRedirectUri = _logoutRedirectUri,
Notifications = new OpenIdConnectAuthenticationNotifications ()
};
var cookieOptions = new CookieAuthenticationOptions();
var bearerAuthOptions = new WindowsAzureActiveDirectoryBearerAuthenticationOptions {
TokenValidationParameters = new TokenValidationParameters {
ValidAudience = string.Format(_sslEnabled ? "https://{0}/{1}" : "http://{0}/{1}", _azureTenant, _azureAppName)
}
};
if (_azureWebSiteProtectionEnabled) {
middlewares.Add(new OwinMiddlewareRegistration {
Priority = "9",
Configure = app => { app.SetDataProtectionProvider(new MachineKeyProtectionProvider()); }
});
}
middlewares.Add(new OwinMiddlewareRegistration {
Priority = "10",
Configure = app => {
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(cookieOptions);
app.UseOpenIdConnectAuthentication(openIdOptions);
//This is throwing an XML DTD is prohibited error?
//app.UseWindowsAzureActiveDirectoryBearerAuthentication(bearerAuthOptions);
}
});
return middlewares;
}
/// <summary>
/// Configures the application to use Azure AD with Power BI
/// </summary>
/// <param name="app">The OWIN app builder</param>
/// <param name="options">The autheentication options</param>
/// <returns>The OWIN app build</returns>
/// <exception cref="ArgumentNullException"></exception>
public static IAppBuilder UsePowerBIAuthentication(this IAppBuilder app, PowerBIAuthenticationOptions options)
{
if (options == null)
{
throw new ArgumentNullException(nameof(options));
}
ValidateOptions(options);
var openIdAuthOptions = new OpenIdConnectAuthenticationOptions
{
ClientId = options.ClientId,
ClientSecret = options.ClientSecret,
Authority = options.Authority,
TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
{
ValidIssuer = options.Issuer,
ValidateIssuer = options.ValidateIssuer
},
Notifications = new OpenIdConnectAuthenticationNotifications()
{
AuthorizationCodeReceived = (context) =>
{
OnAuthorizationCodeReceived(context, options);
return Task.FromResult(0);
},
AuthenticationFailed = (context) =>
{
var redirectUri = options.ErrorRedirectUri ?? new Uri("/", UriKind.Relative);
context.OwinContext.Response.Redirect(redirectUri.ToString());
context.HandleResponse();
return Task.FromResult(0);
}
}
};
app.UseOpenIdConnectAuthentication(openIdAuthOptions);
ConfigureTokenManager();
return app;
}
public static void ConfigureAuth(IAppBuilder app, OpenIdConnectAuthenticationOptions options)
{
if(string.IsNullOrEmpty(options.RedirectUri))
{
if(!string.IsNullOrEmpty(AppSettings.ReplyUri))
{
options.RedirectUri = AppSettings.ReplyUri;
}
else
{
var url = HttpContext.Current.Request.Url;
var port = "";
if ((url.Scheme == "http" && url.Port != 80) || (url.Scheme == "https" && url.Port != 443))
{
port = ":" + url.Port;
}
options.RedirectUri = string.Format("{0}://{1}{2}/", url.Scheme, url.Host, port);
}
}
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
if(null == options)
{
options = new OpenIdConnectAuthenticationOptions();
}
if (string.IsNullOrEmpty(options.ClientId)) options.ClientId = AppSettings.ClientId;
if (string.IsNullOrEmpty(options.Authority)) options.Authority = AppSettings.Authority;
if (string.IsNullOrEmpty(options.PostLogoutRedirectUri)) options.PostLogoutRedirectUri = AppSettings.PostLogoutRedirectUri;
if (null == options.Notifications) options.Notifications = new OpenIdConnectAuthenticationNotifications();
if (null == options.Notifications.RedirectToIdentityProvider) options.Notifications.RedirectToIdentityProvider = Startup.DefaultRedirectToIdentityProvider;
app.UseOpenIdConnectAuthentication(options);
}
public static void ConfigureAuth(
IAppBuilder app,
[Optional] Func<AuthorizationCodeReceivedNotification, Task> authorizationCodeReceived,
[Optional] Func<RedirectToIdentityProviderNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions>, Task> redirectToIdentityProvider,
[Optional] Func<AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions>, Task> authenticationFailed
)
{
var options = new OpenIdConnectAuthenticationOptions()
{
Notifications = new OpenIdConnectAuthenticationNotifications()
{
AuthorizationCodeReceived = authorizationCodeReceived,
RedirectToIdentityProvider = redirectToIdentityProvider,
AuthenticationFailed = authenticationFailed
}
};
if(null == options.Notifications.AuthorizationCodeReceived)
{
options.Notifications.AuthorizationCodeReceived = (context) =>
{
CheckConfig();
var code = context.Code;
ClientCredential credential = new ClientCredential(AppSettings.ClientId, AppSettings.ClientSecret);
String signInUserId = context.AuthenticationTicket.Identity.NameIdentifier();//.FindFirst(ClaimTypes.NameIdentifier).Value;
AuthenticationContext authContext = new AuthenticationContext(AppSettings.Authority, new AdalTokenCache(signInUserId));
AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, AppSettings.GraphResourceId);
return Task.FromResult(0);
};
}
ConfigureAuth(app, options);
}
public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
OpenIdConnectAuthenticationOptions options = new OpenIdConnectAuthenticationOptions
{
// These are standard OpenID Connect parameters, with values pulled from web.config
ClientId = clientId,
RedirectUri = redirectUri,
PostLogoutRedirectUri = redirectUri,
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = AuthenticationFailed,
RedirectToIdentityProvider = OnRedirectToIdentityProvider,
},
Scope = "openid",
ResponseType = "id_token",
// The PolicyConfigurationManager takes care of getting the correct Azure AD authentication
// endpoints from the OpenID Connect metadata endpoint. It is included in the PolicyAuthHelpers folder.
ConfigurationManager = new PolicyConfigurationManager(
String.Format(CultureInfo.InvariantCulture, aadInstance, tenant, "/v2.0", OIDCMetadataSuffix),
new string[] { SignUpPolicyId, SignInPolicyId, ProfilePolicyId }),
// This piece is optional - it is used for displaying the user's name in the navigation bar.
TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name",
},
};
app.UseOpenIdConnectAuthentication(options);
}
public MyOpenIDConnectAuthenticationMiddleware(OwinMiddleware next, IAppBuilder app,
OpenIdConnectAuthenticationOptions options) : base(next, app, options)
{
_logger = app.CreateLogger<MyOpenIDConnectAuthenticationMiddleware>();
}
private static void ConfigureAzureAdProvider(IAppBuilder app, string signInAsType)
{
var aad = new OpenIdConnectAuthenticationOptions
{
AuthenticationType = "aad",
Caption = "Azure AD",
SignInAsAuthenticationType = signInAsType,
Authority = "https://login.windows.net/xxxxxxxxxxxxxxx",
ClientId = "cdb67f7b-0a52-450b-a555-fe01ee12abc2",
RedirectUri = "https://secured.local:449/identityserver/core/aadcb",
PostLogoutRedirectUri = "https://secured.local:449/spaclient",
Scope = "openid profile email roles",
Notifications = new OpenIdConnectAuthenticationNotifications
{
SecurityTokenValidated = n =>
{
var email = GetEmailAddress(n.ProtocolMessage.IdToken);
if (!string.IsNullOrWhiteSpace(email))
{
var emailClaim = new Claim(Constants.ClaimTypes.Email, email);
n.AuthenticationTicket.Identity.AddClaim(emailClaim);
}
return Task.FromResult(0);
}
}
};
app.UseOpenIdConnectAuthentication(aad);
}
// We need to update these values each time we receive a new token, so the SingleSignOut
// javascript has access to the correct values.
public async static Task SecurityTokenValidated(SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
{
// Get Tenant-Specific Metadata (Authorization Endpoint), needed for making prompt=none request in RedirectToIdentityProvider
OpenIdConnectAuthenticationOptions tenantSpecificOptions = new OpenIdConnectAuthenticationOptions();
tenantSpecificOptions.Authority = AADInstance + notification.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
tenantSpecificOptions.ConfigurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(tenantSpecificOptions.Authority + "/.well-known/openid-configuration");
OpenIdConnectConfiguration tenantSpecificConfig = await tenantSpecificOptions.ConfigurationManager.GetConfigurationAsync(notification.Request.CallCancelled);
notification.AuthenticationTicket.Identity.AddClaim(new Claim("issEndpoint", tenantSpecificConfig.AuthorizationEndpoint, ClaimValueTypes.String, "WebApp-Distributed-SignOut-DotNet"));
CheckSessionIFrame = notification.AuthenticationTicket.Properties.Dictionary[OpenIdConnectSessionProperties.CheckSessionIFrame];
return;
}
public OpenIdConnectAuthenticationPatchedMiddleware(Microsoft.Owin.OwinMiddleware next, Owin.IAppBuilder app, Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationOptions options)
: base(next, app, options)
{
this._logger = Microsoft.Owin.Logging.AppBuilderLoggerExtensions.CreateLogger <OpenIdConnectAuthenticationPatchedMiddleware>(app);
}
private void ConfigureIdentityProviders(IAppBuilder app, string signInAsType)
{
string clientId = Constants.ClientId; // your client ID as configured in Azure
string redirectUri = "https://localhost:44300/identity/signin-azuread"; // the reply URL as configured in Azure
string postLogoutRedirectUri = "https://localhost:44300"; // an appropriate page for your project
OpenIdConnectAuthenticationOptions options = new OpenIdConnectAuthenticationOptions
{
AuthenticationType = "AzureAd",
Caption = "Sign in with Azure AD",
Scope = "openid email",
ClientId = clientId,
Authority = "https://login.windows.net/common/",
PostLogoutRedirectUri = postLogoutRedirectUri,
RedirectUri = redirectUri,
AuthenticationMode = AuthenticationMode.Passive,
TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = false
},
SignInAsAuthenticationType = signInAsType // this MUST come after TokenValidationParameters
};
app.UseOpenIdConnectAuthentication(options);
}
public static IAppBuilder UseOpenIdConnectAuthenticationPatched(this IAppBuilder app, Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationOptions openIdConnectOptions)
{
if (app == null)
{
throw new System.ArgumentNullException("app");
}
if (openIdConnectOptions == null)
{
throw new System.ArgumentNullException("openIdConnectOptions");
}
System.Type type = typeof(OpenIdConnectAuthenticationPatchedMiddleware);
object[] objArray = new object[] { app, openIdConnectOptions };
return(app.Use(type, objArray));
}
public static IAppBuilder UseCookieAuthAgainstTokenServer(this IAppBuilder app, UseCookieAuthAgainstTokenServerOptions options)
{
AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypeKeys.Subject;
JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = "Cookies"
});
var openIdConnectAuthenticationOptions = new OpenIdConnectAuthenticationOptions
{
Authority = options.TokenServerEndpoint,
ClientId = options.ClientId,
ClientSecret = options.ClientSecret,
RedirectUri = options.RedirectUriAfterLogin,
PostLogoutRedirectUri = options.RedirectUriAfterLogout,
ResponseType = options.ResponseType.AsString(),
Scope = string.Join(" ", options.Scopes),
SignInAsAuthenticationType = "Cookies",
Notifications = new OpenIdConnectAuthenticationNotifications
{
SecurityTokenValidated = async notification =>
{
var claimsIdentity = notification.AuthenticationTicket.Identity;
var transformedIdentity = new ClaimsIdentity(
claimsIdentity.AuthenticationType,
ClaimTypeKeys.GivenName,
ClaimTypeKeys.Role);
transformedIdentity.AddClaim(new Claim("id_token", notification.ProtocolMessage.IdToken));
if (notification.ProtocolMessage.AccessToken != null)
transformedIdentity.AddClaim(new Claim("token", notification.ProtocolMessage.AccessToken));
var claimsOfInterest = claimsIdentity.Claims.Where(c => options.ClaimTypesOfInterest.Contains(c.Type));
transformedIdentity.AddClaims(claimsOfInterest);
notification.AuthenticationTicket = new AuthenticationTicket(
transformedIdentity,
notification.AuthenticationTicket.Properties);
if (options.OnTransformingValidatedIdentity != null)
{
var additionalClaims = await options.OnTransformingValidatedIdentity(claimsIdentity).ConfigureAwait(false);
if(additionalClaims != null && additionalClaims.Any())
transformedIdentity.AddClaims(additionalClaims);
}
if (options.OnLookupUserInfo != null && notification.ProtocolMessage.AccessToken != null)
{
var additionalClaims = await options.OnLookupUserInfo(notification.ProtocolMessage.AccessToken).ConfigureAwait(false);
if (additionalClaims != null && additionalClaims.Any())
transformedIdentity.AddClaims(additionalClaims);
}
},
RedirectToIdentityProvider = notification =>
{
if (notification.ProtocolMessage.RequestType != OpenIdConnectRequestType.LogoutRequest)
return Task.CompletedTask;
var idToken = notification.OwinContext.Authentication.User.FindFirst("id_token");
if (idToken != null)
notification.ProtocolMessage.IdTokenHint = idToken.Value;
return Task.CompletedTask;
}
}
};
app.UseOpenIdConnectAuthentication(openIdConnectAuthenticationOptions);
return app;
}
public static void Configuration(IAppBuilder app)
{
AntiForgeryConfig.UniqueClaimTypeIdentifier = Core.ClaimTypes.Subject;
JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();
app.UseResourceAuthorization(
new AuthorizationManager());
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = "Cookies",
AuthenticationMode = AuthenticationMode.Active
});
//app.O
app.SetDefaultSignInAsAuthenticationType("External");
var openIDConnectOptions = new OpenIdConnectAuthenticationOptions
{
// ConfigurationManager =
Authority = LG.Owin.Security.Config.ServerSettings.Url,
ClientId = LG.Owin.Security.Config.ClientSettings.ClientID,
ClientSecret = "51FC860D-07D3-4296-9147-2E40AC7FF6C8".Sha256(),
Scope = "openid profile roles all_claims",
ResponseType = "id_token token",
RedirectUri = LG.Owin.Security.Config.ClientSettings.ClientUrl,
SignInAsAuthenticationType = "Cookies",
UseTokenLifetime = false,
Notifications = new OpenIdConnectAuthenticationNotifications
{
SecurityTokenValidated = async n =>
{
var nid = new ClaimsIdentity(
n.AuthenticationTicket.Identity.AuthenticationType,
Core.ClaimTypes.GivenName, Core.ClaimTypes.Role);
var userInfoClient = new UserInfoClient(
new Uri(n.Options.Authority + "/connect/userinfo"),
n.ProtocolMessage.AccessToken);
var userInfo = await userInfoClient.GetAsync();
userInfo.Claims.ToList().ForEach(
ui => nid.AddClaim(new Claim(ui.Item1, ui.Item2)));
// keep the id_token for logout
nid.AddClaim(new Claim("id_token",
n.ProtocolMessage.IdToken));
// add access token for sample API
nid.AddClaim(new Claim("access_token",
n.ProtocolMessage.AccessToken));
// keep track of access token expiration
nid.AddClaim(new Claim("expires_at",
DateTimeOffset.Now.AddSeconds(int.Parse(n.ProtocolMessage.ExpiresIn)).ToString()));
// add some other app specific claim
//nid.AddClaim(new Claim("app_specific", "some data"));
n.AuthenticationTicket = new AuthenticationTicket(nid, n.AuthenticationTicket.Properties);
},
RedirectToIdentityProvider = async n =>
{
if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.AuthenticationRequest)
{
await GetWaiter();
var sb = new StringBuilder();
var custom = n.OwinContext.Get<Dictionary<string, string>>("OpenIdConnect.Parameters");
if (custom != null)
{
foreach (var c in custom)
{
// ReSharper disable once UseStringInterpolation
sb.Append(string.Format(" {0}={1}", c.Key, c.Value));
}
}
if (sb.Length > 0)
{
sb.Remove(0, 1);
}
n.ProtocolMessage.AcrValues = sb.ToString();
}
if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
{
var idTokenHint = n.OwinContext.Authentication.User.FindFirst("id_token");
if (idTokenHint != null)
{
n.ProtocolMessage.IdTokenHint = idTokenHint.Value;
}
}
}
}
};
app.Use(typeof(MyOpenIDConnectAuthenticationMiddleware),
app,
openIDConnectOptions);
// app.UseOpenIdConnectAuthentication(openIDConnectOptions);
}
public GenericDiscoverCacheContainer(OpenIdConnectAuthenticationOptions options)
{
Options = options;
}
// For more information on configuring authentication, please visit http://go.microsoft.com/fwlink/?LinkId=301864
public void ConfigureAuth(IAppBuilder app)
{
OpenIdConnectAuthenticationOptions options = new OpenIdConnectAuthenticationOptions
{
// These are standard OpenID Connect parameters, with values pulled from web.config
ClientId = clientId,
RedirectUri = redirectUri,
PostLogoutRedirectUri = redirectUri,
SignInAsAuthenticationType = "Cookies",
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = AuthenticationFailed,
RedirectToIdentityProvider = OnRedirectToIdentityProvider,
SecurityTokenValidated = message =>
{
IdToken = message.ProtocolMessage.IdToken;
var newJwt = new JwtSecurityTokenHandler().ReadToken(IdToken) as JwtSecurityToken;
ClaimsIdentity claimsIdentity = new ClaimsIdentity();
claimsIdentity.AddClaims(newJwt.Claims);
message.OwinContext.Response.Context.Authentication.AuthenticationResponseGrant = new AuthenticationResponseGrant(claimsIdentity, new AuthenticationProperties());
message.OwinContext.Response.Context.Authentication.User = new ClaimsPrincipal(claimsIdentity);
// message.AuthenticationTicket = new AuthenticationTicket(claimsIdentity, new AuthenticationProperties() {RedirectUri = "/Home/Claims/"});
return Task.FromResult(newJwt);
}
},
Scope = "openid profile address",
ResponseType = "id_token",
// The PolicyConfigurationManager takes care of getting the correct Azure AD authentication
// endpoints from the OpenID Connect metadata endpoint. It is included in the PolicyAuthHelpers folder.
// The first parameter is the metadata URL of your B2C directory
// The second parameter is an array of the policies that your app will use.
ConfigurationManager = new PolicyConfigurationManager(
String.Format(CultureInfo.InvariantCulture, aadInstance, tenant, "/v2.0", OIDCMetadataSuffix),
new string[] { SignUpPolicyId, SignInPolicyId, ProfilePolicyId }),
// This piece is optional - it is used for displaying the user's name in the navigation bar.
TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name",
},
};
app.UseOpenIdConnectAuthentication(options);
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions() {AuthenticationType = "Cookie"});
}
public static void ConfigureIdentityProviders(IAppBuilder app, string signInAsType)
{
var google = new GoogleOAuth2AuthenticationOptions
{
AuthenticationType = "Google",
Caption = "Google",
SignInAsAuthenticationType = signInAsType,
ClientId = "767400843187-8boio83mb57ruogr9af9ut09fkg56b27.apps.googleusercontent.com",
ClientSecret = "5fWcBT0udKY7_b6E3gEiJlze"
};
app.UseGoogleAuthentication(google);
var fb = new FacebookAuthenticationOptions
{
AuthenticationType = "Facebook",
Caption = "Facebook",
SignInAsAuthenticationType = signInAsType,
AppId = "676607329068058",
AppSecret = "9d6ab75f921942e61fb43a9b1fc25c63"
};
app.UseFacebookAuthentication(fb);
var twitter = new TwitterAuthenticationOptions
{
AuthenticationType = "Twitter",
Caption = "Twitter",
SignInAsAuthenticationType = signInAsType,
ConsumerKey = "N8r8w7PIepwtZZwtH066kMlmq",
ConsumerSecret = "df15L2x6kNI50E4PYcHS0ImBQlcGIt6huET8gQN41VFpUCwNjM"
};
app.UseTwitterAuthentication(twitter);
var adfs = new WsFederationAuthenticationOptions
{
AuthenticationType = "adfs",
Caption = "ADFS",
SignInAsAuthenticationType = signInAsType,
MetadataAddress = "https://adfs.leastprivilege.vm/federationmetadata/2007-06/federationmetadata.xml",
Wtrealm = "urn:idsrv3"
};
app.UseWsFederationAuthentication(adfs);
var aad = new OpenIdConnectAuthenticationOptions
{
AuthenticationType = "aad",
Caption = "Azure AD",
SignInAsAuthenticationType = signInAsType,
Authority = "https://login.windows.net/4ca9cb4c-5e5f-4be9-b700-c532992a3705",
ClientId = "65bbbda8-8b85-4c9d-81e9-1502330aacba",
RedirectUri = "https://localhost:44333/core/aadcb"
};
app.UseOpenIdConnectAuthentication(aad);
}
// For more information on configuring authentication, please visit http://go.microsoft.com/fwlink/?LinkId=301864
public void ConfigureAuth(IAppBuilder app)
{
app.CreatePerOwinContext(ApplicationDbContext.Create);
app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
app.CreatePerOwinContext<ApplicationRoleManager>(ApplicationRoleManager.Create);
app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
// Use a cookie to temporarily store information about a user logging in with a third party login provider
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
OpenIdConnectAuthenticationOptions b2coptions = new OpenIdConnectAuthenticationOptions
{
// Standard OWIN OIDC parameters
Authority = String.Format(aadInstanceB2C, tenantB2C),
ClientId = clientIdB2C,
RedirectUri = postLogoutRedirectUriB2C,
PostLogoutRedirectUri = postLogoutRedirectUriB2C,
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = AuthenticationFailed,
},
// Required for AAD B2C
Scope = "openid",
ConfigurationManager = new B2CConfigurationManager(
String.Format(CultureInfo.InvariantCulture, aadInstanceB2C + "{1}", tenantB2C, OIDCMetadataSuffix)),
//ConfigurationManager = new PolicyConfigurationManager(AuthorityB2C,
// new string[] { SignUpPolicyId, SignInPolicyId/*, ProfilePolicyId*/ }),
// Optional - used for displaying the user's name in the navigation bar when signed in.
TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
{
NameClaimType = "name",
},
AuthenticationType = "B2C"
,
ProtocolValidator = new OpenIdConnectProtocolValidator { RequireNonce = false }
};
// Required for AAD B2C
app.Use(typeof(B2COpenIdConnectAuthenticationMiddleware), app, b2coptions);
// app.UseOpenIdConnectAuthentication(b2coptions);
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = clientIdAAD,
Authority = AuthorityAAD,
PostLogoutRedirectUri = postLogoutRedirectUriAAD,
//TokenValidationParameters = new TokenValidationParameters
//{
// ValidateIssuer = false,
//},
Notifications = new OpenIdConnectAuthenticationNotifications()
{
//
// If there is a code in the OpenID Connect response, redeem it for an access token and refresh token, and store those away.
//
//AuthorizationCodeReceived = (context) =>
//{
// var code = context.Code;
// ClientCredential credential = new ClientCredential(clientId, appKey);
// string userObjectID = context.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
// AuthenticationContext authContext = new AuthenticationContext(Authority, new NaiveSessionCache(userObjectID));
// AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, graphResourceId);
// return Task.FromResult(0);
//},
//RedirectToIdentityProvider = (context) =>
//{
// if (context.Request.Path.Value == "/Account/ExternalLogin" || (context.Request.Path.Value == "/Account/LogOff" && context.Request.User.Identity.IsExternalUser()))
// {
// // This ensures that the address used for sign in and sign out is picked up dynamically from the request
// // this allows you to deploy your app (to Azure Web Sites, for example)without having to change settings
// // Remember that the base URL of the address used here must be provisioned in Azure AD beforehand.
// string appBaseUrl = context.Request.Scheme + "://" + context.Request.Host + context.Request.PathBase;
// context.ProtocolMessage.RedirectUri = appBaseUrl + "/";
// context.ProtocolMessage.PostLogoutRedirectUri = appBaseUrl;
// }
// else
// {
// //This is to avoid being redirected to the microsoft login page when deep linking and not logged in
// context.State = Microsoft.Owin.Security.Notifications.NotificationResultState.Skipped;
// context.HandleResponse();
// }
// return Task.FromResult(0);
//},
AuthenticationFailed = context =>
{
context.HandleResponse();
context.Response.Redirect("/Home/Error?message=" + context.Exception.Message);
return Task.FromResult(0);
}
},
Description = new AuthenticationDescription() { Caption = "AAD" },
AuthenticationType = "AAD"
});
// Enable the application to use a cookie to store information for the signed in user
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login")
});
// Uncomment the following lines to enable logging in with third party login providers
//app.UseMicrosoftAccountAuthentication(
// clientId: "",
// clientSecret: "");
//app.UseTwitterAuthentication(
// consumerKey: "",
// consumerSecret: "");
//app.UseFacebookAuthentication(
// appId: "",
// appSecret: "");
//app.UseGoogleAuthentication();
}
