Example #1
0
        private static void ConfigureAzureADAuth(AuthenticationBuilder authBuilder, ProxyApplication application, IdentityProvider idp)
        {
            var schemes = ProxyAuthComponents.GetAuthSchemes(application);

            if (application.HasPathMode(PathAuthOptions.AuthMode.Api))
            {
                authBuilder.AddAzureADBearer(
                    scheme: schemes.ApiName,
                    jwtBearerScheme: schemes.JwtBearerName,
                    configureOptions: options =>
                {
                    options.Instance = idp.Instance;
                    options.TenantId = idp.TenantId;
                    options.ClientId = application.IdentityProviderBinding.ClientId;
                });
            }

            if (application.HasPathMode(PathAuthOptions.AuthMode.Web))
            {
                authBuilder.AddAzureAD(
                    scheme: schemes.WebName,
                    openIdConnectScheme: schemes.OpenIdName,
                    cookieScheme: schemes.CookieName,
                    displayName: schemes.DisplayName,
                    configureOptions: options =>
                {
                    options.Instance              = idp.Instance;
                    options.TenantId              = idp.TenantId;
                    options.ClientId              = application.IdentityProviderBinding.ClientId;
                    options.ClientSecret          = application.IdentityProviderBinding.ClientSecret;
                    options.CallbackPath          = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.SignInCallback);
                    options.SignedOutCallbackPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.SignedOutCallback);
                });
            }
        }
Example #2
0
        private static void ConfigureOpenIDConnectAuth(AuthenticationBuilder authBuilder, ProxyApplication application, IdentityProvider idp, bool retainWebToken, bool retainApiToken)
        {
            var schemes = ProxyAuthComponents.GetAuthSchemes(application);

            if (application.HasPathMode(PathAuthOptions.AuthMode.Api))
            {
                authBuilder.AddJwtBearer(schemes.ApiName, options =>
                {
                    options.Authority = idp.Authority;
                    if (idp.AccessTokenIssuer != null)
                    {
                        options.TokenValidationParameters.ValidIssuer = idp.AccessTokenIssuer;
                    }

                    options.Audience  = application.IdentityProviderBinding.ClientId;
                    options.SaveToken = retainApiToken;
                    options.TokenValidationParameters.ValidAudiences     = new string[] { application.IdentityProviderBinding.AppIdUri };
                    options.TokenValidationParameters.AuthenticationType = ProxyAuthComponents.ApiAuth;
                    options.SecurityTokenValidators.Clear();
                    options.SecurityTokenValidators.Add(new JwtSecurityTokenHandler
                    {
                        MapInboundClaims = false
                    });
                });
            }

            if (application.HasPathMode(PathAuthOptions.AuthMode.Web))
            {
                authBuilder.AddOpenIdConnect(schemes.OpenIdName, options =>
                {
                    options.ClientId              = application.IdentityProviderBinding.ClientId;
                    options.ClientSecret          = application.IdentityProviderBinding.ClientSecret;
                    options.Authority             = idp.Authority;
                    options.CallbackPath          = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.SignInCallback);
                    options.SignedOutCallbackPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.SignedOutCallback);
                    options.SignInScheme          = schemes.WebName;
                    options.UseTokenLifetime      = true;
                    options.SaveTokens            = retainWebToken;
                    options.TokenValidationParameters.AuthenticationType = ProxyAuthComponents.WebAuth;
                    options.RemoteSignOutPath      = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.RemoteSignOut);
                    options.SecurityTokenValidator = new JwtSecurityTokenHandler
                    {
                        MapInboundClaims = false
                    };
                });
                authBuilder.AddCookie(schemes.WebName, options =>
                {
                    options.AccessDeniedPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.AccessDenied);
                    options.Cookie.SameSite  = application.SessionCookieSameSiteMode ?? SameSiteMode.Lax;
                    options.Cookie.Name      = $"{ProxyAuthComponents.CookiePrefix}.{ProxyAuthComponents.AuthCookieId}.{application.Name}";
                    options.ForwardChallenge = schemes.OpenIdName;
                });
            }
        }
Example #3
0
        public async Task InvokeAsync(HttpContext context, IProxyApplicationService applicationService)
        {
            var application = applicationService.GetActiveApplication();

            if (application.HasPathMode(PathAuthOptions.AuthMode.Web))
            {
                if (context.Request.Path == ProxyMetaEndpoints.AccessDenied)
                {
                    await context.Response.WriteAsync("Access denied.");

                    return;
                }

                if (context.Request.Path == ProxyMetaEndpoints.PostSignedOutCallback)
                {
                    await context.Response.WriteAsync("Logged out.");

                    return;
                }

                if (context.Request.Path == ProxyMetaEndpoints.UserSignOut)
                {
                    var schemes = ProxyAuthComponents.GetAuthSchemes(application);

                    var properties = new AuthenticationProperties
                    {
                        RedirectUri = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.PostSignedOutCallback)
                    };
                    await context.SignOutAsync(schemes.CookieName);

                    await context.SignOutAsync(schemes.OpenIdName, properties);

                    return;
                }
            }

            context.Response.StatusCode = (int)HttpStatusCode.NotFound;
        }
Example #4
0
        private static void ConfigureAzureADAuthOptions(IServiceCollection services, ProxyApplication application, string[] additionalClaimsRetained, bool retainWebToken, bool retainApiToken)
        {
            var schemes = ProxyAuthComponents.GetAuthSchemes(application);

            if (application.HasPathMode(PathAuthOptions.AuthMode.Api))
            {
                services.Configure <JwtBearerOptions>(schemes.JwtBearerName, options =>
                {
                    options.SaveToken = retainApiToken;
                    options.TokenValidationParameters.ValidAudiences         = new string[] { application.IdentityProviderBinding.AppIdUri };
                    options.TokenValidationParameters.AuthenticationType     = ProxyAuthComponents.ApiAuth;
                    options.TokenValidationParameters.RoleClaimType          = AzureADClaims.Roles;
                    options.TokenValidationParameters.NameClaimTypeRetriever = (token, _) =>
                    {
                        var jwtToken = (JwtSecurityToken)token;
                        return(jwtToken.Claims.Any(c => c.ValueType == AzureADClaims.UserPrincipalName) ?
                               AzureADClaims.UserPrincipalName : AzureADClaims.ObjectId);
                    };

                    options.SecurityTokenValidators.Clear();
                    options.SecurityTokenValidators.Add(new JwtSecurityTokenHandler
                    {
                        MapInboundClaims = false
                    });
                });
            }

            if (application.HasPathMode(PathAuthOptions.AuthMode.Web))
            {
                services.Configure <CookieAuthenticationOptions>(schemes.CookieName, options =>
                {
                    options.AccessDeniedPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.AccessDenied);
                    options.Cookie.SameSite  = application.SessionCookieSameSiteMode ?? SameSiteMode.Lax;
                    options.Cookie.Name      = $"{ProxyAuthComponents.CookiePrefix}.{ProxyAuthComponents.AuthCookieId}.{application.Name}";
                });

                services.Configure <OpenIdConnectOptions>(schemes.OpenIdName, options =>
                {
                    var stripClaims = new List <string> {
                        "aio", "family_name", "given_name", "name", "tid", "unique_name", "uti"
                    };
                    if (additionalClaimsRetained != null)
                    {
                        foreach (var claim in additionalClaimsRetained)
                        {
                            options.ClaimActions.Remove(claim);
                        }
                        stripClaims = stripClaims.Except(additionalClaimsRetained).ToList();
                    }
                    if (application.SessionCookieRetainedClaims != null)
                    {
                        foreach (var claim in application.SessionCookieRetainedClaims)
                        {
                            options.ClaimActions.Remove(claim);
                        }
                        stripClaims = stripClaims.Except(application.SessionCookieRetainedClaims).ToList();
                    }
                    if (application.SessionCookieStrippedClaims != null)
                    {
                        stripClaims.AddRange(application.SessionCookieStrippedClaims);
                    }
                    options.ClaimActions.DeleteClaims(stripClaims.ToArray());

                    options.SaveTokens = retainWebToken;
                    options.TokenValidationParameters.AuthenticationType = ProxyAuthComponents.WebAuth;
                    options.TokenValidationParameters.RoleClaimType      = AzureADClaims.Roles;
                    options.TokenValidationParameters.NameClaimType      = AzureADClaims.UserPrincipalName;
                    options.RemoteSignOutPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.RemoteSignOut);
                    options.ResponseType      = application.IdentityProviderBinding.DisableImplicitIdToken ?
                                                OpenIdConnectResponseType.Code : OpenIdConnectResponseType.IdToken;

                    options.SecurityTokenValidator = new JwtSecurityTokenHandler
                    {
                        MapInboundClaims = false
                    };

                    if (application.IdentityProviderBinding.UseApplicationMetadata)
                    {
                        options.MetadataAddress = $"{options.Authority}/.well-known/openid-configuration?appid={options.ClientId}";
                    }
                });
            }
        }