/// <summary>
/// Maps service info credentials and 'security:oauth2:client' info onto OpenIdConnectOptions
/// </summary>
/// <param name="si">Service info credentials parsed from VCAP_SERVICES</param>
/// <param name="oidcOptions">OpenId Connect options to be configured</param>
/// <param name="cfOptions">Cloud Foundry-related OpenId Connect configuration options</param>
internal static void Configure(SsoServiceInfo si, OpenIdConnectOptions oidcOptions, CloudFoundryOpenIdConnectOptions cfOptions)
{
if (oidcOptions == null || cfOptions == null)
{
return;
}
if (si != null)
{
oidcOptions.Authority = si.AuthDomain;
oidcOptions.ClientId = si.ClientId;
oidcOptions.ClientSecret = si.ClientSecret;
}
else
{
oidcOptions.Authority = cfOptions.Authority;
oidcOptions.ClientId = cfOptions.ClientId;
oidcOptions.ClientSecret = cfOptions.ClientSecret;
}
oidcOptions.AuthenticationMethod = cfOptions.AuthenticationMethod;
oidcOptions.BackchannelHttpHandler = CloudFoundryHelper.GetBackChannelHandler(cfOptions.ValidateCertificates);
oidcOptions.CallbackPath = cfOptions.CallbackPath;
oidcOptions.ClaimsIssuer = cfOptions.ClaimsIssuer;
oidcOptions.ResponseType = cfOptions.ResponseType;
oidcOptions.SaveTokens = cfOptions.SaveTokens;
oidcOptions.SignInScheme = cfOptions.SignInScheme;
// remove profile scope
oidcOptions.Scope.Clear();
oidcOptions.Scope.Add("openid");
// add other scopes
if (!string.IsNullOrEmpty(cfOptions.AdditionalScopes))
{
foreach (var s in cfOptions.AdditionalScopes.Split(' '))
{
if (!oidcOptions.Scope.Contains(s))
{
oidcOptions.Scope.Add(s);
}
}
}
// http://irisclasson.com/2018/09/18/asp-net-core-openidconnect-why-is-the-claimsprincipal-name-null/
oidcOptions.TokenValidationParameters.NameClaimType = cfOptions.TokenValidationParameters.NameClaimType;
// main objective here is to set the IssuerSigningKeyResolver to work around an issue parsing the N value of the signing key in FullFramework
oidcOptions.TokenValidationParameters = CloudFoundryHelper.GetTokenValidationParameters(oidcOptions.TokenValidationParameters, oidcOptions.Authority + CloudFoundryDefaults.JwtTokenUri, oidcOptions.BackchannelHttpHandler, cfOptions.ValidateCertificates, cfOptions.BaseOptions(oidcOptions.ClientId));
oidcOptions.TokenValidationParameters.ValidateAudience = cfOptions.TokenValidationParameters.ValidateAudience;
oidcOptions.TokenValidationParameters.ValidateLifetime = cfOptions.TokenValidationParameters.ValidateLifetime;
// the ClaimsIdentity is built off the id_token, but scopes are returned in the access_token. Copy them as claims
oidcOptions.Events.OnTokenValidated = MapScopesToClaims;
}
/// <summary>
/// Maps service info credentials and 'security:oauth2:client' info onto OpenIdConnectOptions
/// </summary>
/// <param name="si">Service info credentials parsed from VCAP_SERVICES</param>
/// <param name="oidcOptions">OpenId Connect options to be configured</param>
/// <param name="cfOptions">Cloud Foundry-related OpenId Connect configuration options</param>
internal static void Configure(SsoServiceInfo si, OpenIdConnectOptions oidcOptions, CloudFoundryOpenIdConnectOptions cfOptions)
{
if (oidcOptions == null || cfOptions == null)
{
return;
}
if (si != null)
{
oidcOptions.Authority = si.AuthDomain;
oidcOptions.ClientId = si.ClientId;
oidcOptions.ClientSecret = si.ClientSecret;
}
else
{
oidcOptions.Authority = cfOptions.Authority;
oidcOptions.ClientId = cfOptions.ClientId;
oidcOptions.ClientSecret = cfOptions.ClientSecret;
}
oidcOptions.AuthenticationMethod = cfOptions.AuthenticationMethod;
oidcOptions.BackchannelHttpHandler = CloudFoundryHelper.GetBackChannelHandler(cfOptions.ValidateCertificates);
oidcOptions.CallbackPath = cfOptions.CallbackPath;
oidcOptions.ClaimsIssuer = cfOptions.ClaimsIssuer;
oidcOptions.ResponseType = cfOptions.ResponseType;
oidcOptions.SaveTokens = cfOptions.SaveTokens;
oidcOptions.SignInScheme = cfOptions.SignInScheme;
// remove profile scope
oidcOptions.Scope.Clear();
oidcOptions.Scope.Add("openid");
// add other scopes
if (!string.IsNullOrEmpty(cfOptions.AdditionalScopes))
{
foreach (var s in cfOptions.AdditionalScopes.Split(' '))
{
if (!oidcOptions.Scope.Contains(s))
{
oidcOptions.Scope.Add(s);
}
}
}
oidcOptions.TokenValidationParameters = CloudFoundryHelper.GetTokenValidationParameters(
cfOptions.TokenValidationParameters,
oidcOptions.Authority + CloudFoundryDefaults.JwtTokenUri,
oidcOptions.BackchannelHttpHandler,
cfOptions.ValidateCertificates,
cfOptions.BaseOptions(oidcOptions.ClientId));
// the ClaimsIdentity is built off the id_token, but scopes are returned in the access_token. Copy them as claims
oidcOptions.Events.OnTokenValidated = MapScopesToClaims;
}
/// <summary>
/// Apply service binding info to JWT options
/// </summary>
/// <param name="si">Info for bound SSO Service</param>
/// <param name="options">Options to be updated</param>
internal static void Configure(SsoServiceInfo si, CloudFoundryJwtBearerAuthenticationOptions options)
{
if (options == null)
{
return;
}
if (si != null)
{
options.JwtKeyUrl = si.AuthDomain + CloudFoundryDefaults.JwtTokenUri;
}
var backchannelHttpHandler = CloudFoundryHelper.GetBackChannelHandler(options.ValidateCertificates);
options.TokenValidationParameters = CloudFoundryHelper.GetTokenValidationParameters(options.TokenValidationParameters, options.JwtKeyUrl, backchannelHttpHandler, options.ValidateCertificates);
}
internal static void Configure(SsoServiceInfo si, JwtBearerOptions jwtOptions, CloudFoundryJwtBearerOptions options)
{
if (jwtOptions == null || options == null)
{
return;
}
if (si != null)
{
options.JwtKeyUrl = si.AuthDomain + CloudFoundryDefaults.JwtTokenUri;
}
jwtOptions.ClaimsIssuer = options.ClaimsIssuer;
jwtOptions.BackchannelHttpHandler = CloudFoundryHelper.GetBackChannelHandler(options.ValidateCertificates);
jwtOptions.TokenValidationParameters = CloudFoundryHelper.GetTokenValidationParameters(options.TokenValidationParameters, options.JwtKeyUrl, jwtOptions.BackchannelHttpHandler, options.ValidateCertificates);
jwtOptions.SaveToken = options.SaveToken;
}
