/// <summary>
/// Retrieves an S2S access token signed by the application's private certificate on
/// behalf of the specified Claims Identity and intended for application at the targetApplicationUri using the
/// targetRealm. If no Realm is specified in web.config, an auth challenge will be issued to the
/// targetApplicationUri to discover it.
/// </summary>
/// <param name="targetApplicationUri">Url of the target SharePoint site</param>
/// <param name="identity">Identity of the user on whose behalf to create the access token; use HttpContext.Current.User</param>
/// <param name="UserIdentityClaimType">The claim type that is used as the identity claim for the user</param>
/// <param name="IdentityClaimProviderType">The type of identity provider being used</param>
/// <param name="UseAppOnlyClaim">Use an App Only claim</param>
/// <returns></returns>
public static string GetS2SClaimsAccessTokenWithClaims(
Uri targetApplicationUri,
ClaimsIdentity identity,
IdentityClaimType UserIdentityClaimType,
ClaimProviderType IdentityClaimProviderType,
bool UseAppOnlyClaim)
{
//get the identity claim info first
TokenHelper.ClaimsUserIdClaim id = null;
if (IdentityClaimProviderType == ClaimProviderType.SAML)
{
id = RetrieveIdentityForSamlClaimsUser(identity, UserIdentityClaimType);
}
else
{
id = RetrieveIdentityForFbaClaimsUser(identity, UserIdentityClaimType);
}
string realm = string.IsNullOrEmpty(Realm) ? GetRealmFromTargetUrl(targetApplicationUri) : Realm;
JsonWebTokenClaim[] claims = identity != null?GetClaimsWithClaimsIdentity(identity, UserIdentityClaimType, id, IdentityClaimProviderType) : null;
return(IssueToken(
ClientId,
IssuerId,
realm,
SharePointPrincipal,
realm,
targetApplicationUri.Authority,
true,
claims,
UseAppOnlyClaim,
id.ClaimsIdClaimType != CLAIMS_ID_TYPE_UPN,
id.ClaimsIdClaimType,
id.ClaimsIdClaimValue));
}
private static JsonWebTokenClaim[] GetClaimsWithClaimsIdentity(ClaimsIdentity indentity, IdentityClaimType SamlIdentityClaimType, TokenHelper.ClaimsUserIdClaim id, ClaimProviderType IdentityClaimProviderType)
{
//if an identity claim was not found, then exit
if (string.IsNullOrEmpty(id.ClaimsIdClaimValue))
{
return(null);
}
Hashtable claimSet = new Hashtable();
//you always need nii claim, so add that
claimSet.Add("nii", "temp");
//set up the nii claim and then add the smtp or sip claim separately
if (IdentityClaimProviderType == ClaimProviderType.SAML)
{
claimSet["nii"] = "trusted:" + TrustedProviderName.ToLower(); //was urn:office:idp:trusted:, but this does not seem to align with what SPIdentityClaimMapper uses
}
else
{
claimSet["nii"] = "urn:office:idp:forms:" + MembershipProviderName.ToLower();
}
//plug in UPN claim if we're using that
if (id.ClaimsIdClaimType == CLAIMS_ID_TYPE_UPN)
{
claimSet.Add("upn", id.ClaimsIdClaimValue.ToLower());
}
//now create the JsonWebTokenClaim array
List <JsonWebTokenClaim> claimList = new List <JsonWebTokenClaim>();
foreach (string key in claimSet.Keys)
{
claimList.Add(new JsonWebTokenClaim(key, (string)claimSet[key]));
}
return(claimList.ToArray());
}