public static ChatUser GetUser(this IJabbrRepository repository, ClaimsPrincipal principal)
{
string identity = principal.GetClaimValue(ClaimTypes.NameIdentifier);
string providerName = principal.GetIdentityProvider();
return repository.GetUserByIdentity(providerName, identity);
}
public ChatUser AddUser(ClaimsPrincipal claimsPrincipal)
{
var identity = claimsPrincipal.GetClaimValue(ClaimTypes.NameIdentifier);
var name = claimsPrincipal.GetClaimValue(ClaimTypes.Name);
var email = claimsPrincipal.GetClaimValue(ClaimTypes.Email);
var providerName = claimsPrincipal.GetIdentityProvider();
return AddUser(name, providerName, identity, email);
}
public void LinkIdentity(ChatUser user, ClaimsPrincipal claimsPrincipal)
{
var identity = claimsPrincipal.GetClaimValue(ClaimTypes.NameIdentifier);
var email = claimsPrincipal.GetClaimValue(ClaimTypes.Email);
var providerName = claimsPrincipal.GetIdentityProvider();
// Link this new identity
user.Identities.Add(new ChatUserIdentity
{
Email = email,
Identity = identity,
ProviderName = providerName
});
}
public async Task<LoginInteractionResponse> ProcessLoginAsync(ValidatedAuthorizeRequest request, ClaimsPrincipal user)
{
// let the login page know the client requesting authorization
_signIn.ClientId = request.ClientId;
// pass through display mode to signin service
if (request.DisplayMode.IsPresent())
{
_signIn.DisplayMode = request.DisplayMode;
}
// pass through ui locales to signin service
if (request.UiLocales.IsPresent())
{
_signIn.UiLocales = request.UiLocales;
}
// pass through login_hint
if (request.LoginHint.IsPresent())
{
_signIn.LoginHint = request.LoginHint;
}
// process acr values
var acrValues = request.AuthenticationContextReferenceClasses.Distinct().ToList();
// look for well-known acr value -- idp
var idp = acrValues.FirstOrDefault(x => x.StartsWith(Constants.KnownAcrValues.HomeRealm));
if (idp.IsPresent())
{
_signIn.IdP = idp.Substring(Constants.KnownAcrValues.HomeRealm.Length);
acrValues.Remove(idp);
}
// look for well-known acr value -- tenant
var tenant = acrValues.FirstOrDefault(x => x.StartsWith(Constants.KnownAcrValues.Tenant));
if (tenant.IsPresent())
{
_signIn.Tenant = tenant.Substring(Constants.KnownAcrValues.Tenant.Length);
acrValues.Remove(tenant);
}
// pass through any remaining acr values
if (acrValues.Any())
{
_signIn.AcrValues = acrValues;
}
if (request.PromptMode == Constants.PromptModes.Login)
{
// remove prompt so when we redirect back in from login page
// we won't think we need to force a prompt again
request.Raw.Remove(Constants.AuthorizeRequest.Prompt);
Logger.Info("Redirecting to login page because of prompt=login");
return new LoginInteractionResponse
{
SignInMessage = _signIn
};
}
// unauthenticated user
var isAuthenticated = user.Identity.IsAuthenticated;
if (!isAuthenticated) Logger.Info("User is not authenticated. Redirecting to login.");
// user de-activated
bool isActive = false;
if (isAuthenticated)
{
var isActiveCtx = new IsActiveContext(user, request.Client);
await _users.IsActiveAsync(isActiveCtx);
isActive = isActiveCtx.IsActive;
if (!isActive) Logger.Info("User is not active. Redirecting to login.");
}
if (!isAuthenticated || !isActive)
{
// prompt=none means user must be signed in already
if (request.PromptMode == Constants.PromptModes.None)
{
Logger.Info("prompt=none was requested. But user is not authenticated.");
return new LoginInteractionResponse
{
Error = new AuthorizeError
{
ErrorType = ErrorTypes.Client,
Error = Constants.AuthorizeErrors.LoginRequired,
ResponseMode = request.ResponseMode,
ErrorUri = request.RedirectUri,
State = request.State
}
};
}
return new LoginInteractionResponse
{
SignInMessage = _signIn
};
}
// check current idp
var currentIdp = user.GetIdentityProvider();
// check if idp login hint matches current provider
if (_signIn.IdP.IsPresent())
{
if (_signIn.IdP != currentIdp)
{
Logger.Info("Current IdP is not the requested IdP. Redirecting to login");
Logger.InfoFormat("Current: {0} -- Requested: {1}", currentIdp, _signIn.IdP);
return new LoginInteractionResponse
{
SignInMessage = _signIn
};
}
}
// check authentication freshness
if (request.MaxAge.HasValue)
{
var authTime = user.GetAuthenticationTime();
if (DateTimeOffsetHelper.UtcNow > authTime.AddSeconds(request.MaxAge.Value))
{
Logger.Info("Requested MaxAge exceeded. Redirecting to login");
return new LoginInteractionResponse
{
SignInMessage = _signIn
};
}
}
return new LoginInteractionResponse();
}
/// <summary>
/// Gets the standard subject claims.
/// </summary>
/// <param name="subject">The subject.</param>
/// <returns>A list of standard claims</returns>
protected virtual IEnumerable<Claim> GetStandardSubjectClaims(ClaimsPrincipal subject)
{
var claims = new List<Claim>
{
new Claim(Constants.ClaimTypes.Subject, subject.GetSubjectId()),
new Claim(Constants.ClaimTypes.AuthenticationMethod, subject.GetAuthenticationMethod()),
new Claim(Constants.ClaimTypes.AuthenticationTime, subject.GetAuthenticationTimeEpoch().ToString(), ClaimValueTypes.Integer),
new Claim(Constants.ClaimTypes.IdentityProvider, subject.GetIdentityProvider()),
};
return claims;
}
public void ResponseSignIn(FormsResponseSignInContext context)
{
var authResult = new AuthenticationResult
{
Success = true
};
ChatUser loggedInUser = GetLoggedInUser(context);
var principal = new ClaimsPrincipal(context.Identity);
// Do nothing if it's authenticated
if (principal.IsAuthenticated())
{
EnsurePersistentCookie(context);
return;
}
ChatUser user = _repository.GetUser(principal);
authResult.ProviderName = principal.GetIdentityProvider();
// The user exists so add the claim
if (user != null)
{
if (loggedInUser != null && user != loggedInUser)
{
// Set an error message
authResult.Message = String.Format("This {0} account has already been linked to another user.", authResult.ProviderName);
authResult.Success = false;
// Keep the old user logged in
context.Identity.AddClaim(new Claim(JabbRClaimTypes.Identifier, loggedInUser.Id));
}
else
{
// Login this user
AddClaim(context, user);
}
}
else if (principal.HasRequiredClaims())
{
ChatUser targetUser = null;
// The user doesn't exist but the claims to create the user do exist
if (loggedInUser == null)
{
// New user so add them
user = _membershipService.AddUser(principal);
targetUser = user;
}
else
{
// If the user is logged in then link
_membershipService.LinkIdentity(loggedInUser, principal);
_repository.CommitChanges();
authResult.Message = String.Format("Successfully linked {0} account.", authResult.ProviderName);
targetUser = loggedInUser;
}
AddClaim(context, targetUser);
}
else if(!principal.HasPartialIdentity())
{
// A partial identity means the user needs to add more claims to login
context.Identity.AddClaim(new Claim(JabbRClaimTypes.PartialIdentity, "true"));
}
var cookieOptions = new CookieOptions
{
HttpOnly = true
};
context.Response.Cookies.Append(Constants.AuthResultCookie,
JsonConvert.SerializeObject(authResult),
cookieOptions);
}
private EmailUser GetUser(ClaimsPrincipal principal)
{
string identity = principal.GetClaimValue(ClaimTypes.NameIdentifier);
var providerName = principal.GetIdentityProvider();
var emailUserIdentity = _session.Query<EmailUserIdentity>().SingleOrDefault(u => u.Identity == identity && u.ProviderName == providerName);
return emailUserIdentity != null ? emailUserIdentity.User : null;
}
public async Task<LoginInteractionResponse> ProcessLoginAsync(ValidatedAuthorizeRequest request, ClaimsPrincipal user)
{
// let the login page know the client requesting authorization
_signIn.ClientId = request.ClientId;
// pass through display mode to signin service
if (request.DisplayMode.IsPresent())
{
_signIn.DisplayMode = request.DisplayMode;
}
// pass through ui locales to signin service
if (request.UiLocales.IsPresent())
{
_signIn.UiLocales = request.UiLocales;
}
// check login_hint - we only support idp: right now
if (request.LoginHint.IsPresent())
{
if (request.LoginHint.StartsWith(Constants.LoginHints.HomeRealm))
{
_signIn.IdP = request.LoginHint.Substring(Constants.LoginHints.HomeRealm.Length);
}
if (request.LoginHint.StartsWith(Constants.LoginHints.Tenant))
{
_signIn.Tenant = request.LoginHint.Substring(Constants.LoginHints.Tenant.Length);
}
}
// pass through acr values
if (request.AuthenticationContextReferenceClasses.Any())
{
_signIn.AcrValues = request.AuthenticationContextReferenceClasses;
}
if (request.PromptMode == Constants.PromptModes.Login)
{
// remove prompt so when we redirect back in from login page
// we won't think we need to force a prompt again
request.Raw.Remove(Constants.AuthorizeRequest.Prompt);
return new LoginInteractionResponse
{
SignInMessage = _signIn
};
}
// unauthenticated user
var isAuthenticated = user.Identity.IsAuthenticated;
if (!isAuthenticated) Logger.Info("User is not authenticated. Redirecting to login.");
// user de-activated
bool isActive = false;
if (isAuthenticated)
{
isActive = await _users.IsActiveAsync(user);
if (!isActive) Logger.Info("User is not active. Redirecting to login.");
}
if (!isAuthenticated || !isActive)
{
// prompt=none means user must be signed in already
if (request.PromptMode == Constants.PromptModes.None)
{
return new LoginInteractionResponse
{
Error = new AuthorizeError
{
ErrorType = ErrorTypes.Client,
Error = Constants.AuthorizeErrors.LoginRequired,
ResponseMode = request.ResponseMode,
ErrorUri = request.RedirectUri,
State = request.State
}
};
}
return new LoginInteractionResponse
{
SignInMessage = _signIn
};
}
// check current idp
var currentIdp = user.GetIdentityProvider();
// check if idp login hint matches current provider
if (_signIn.IdP.IsPresent())
{
if (_signIn.IdP != currentIdp)
{
return new LoginInteractionResponse
{
SignInMessage = _signIn
};
}
}
// check authentication freshness
if (request.MaxAge.HasValue)
{
var authTime = user.GetAuthenticationTime();
if (DateTimeOffsetHelper.UtcNow > authTime.AddSeconds(request.MaxAge.Value))
{
return new LoginInteractionResponse
{
SignInMessage = _signIn
};
}
}
return new LoginInteractionResponse();
}
