public AzureAdClient(IOptionsMonitor <AzureAdGraphApiOptions> azureAdGraphApiOptionsMonitor, IOptionsMonitor <AzureAdB2COptions> azureAdB2COptionsMonitor) { _azureAdGraphApiOptions = azureAdGraphApiOptionsMonitor?.CurrentValue ?? throw new ArgumentNullException(nameof(azureAdGraphApiOptionsMonitor)); _azureAdB2COptions = azureAdB2COptionsMonitor?.CurrentValue ?? throw new ArgumentNullException(nameof(azureAdB2COptionsMonitor)); }
// This method gets called by the runtime. Use this method to add services to the container. public void ConfigureServices(IServiceCollection services) { services.AddOptions(); var b2cConfig = Configuration.GetSection("AzureAdB2C"); AzureAdB2COptions azureAdB2COptions = new AzureAdB2COptions(); Configuration.Bind("AzureAdB2C", azureAdB2COptions); services.Configure <AzureAdB2COptions>(b2cConfig); services.AddAuthentication(options => { options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.DefaultChallengeScheme = Constants.SignInSignUpPolicy; }) .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options => { options.LoginPath = new PathString("/Auth/Login"); options.LogoutPath = new PathString("/Auth/Logout"); options.ReturnUrlParameter = "returnUrl"; }) .AddOpenIdConnect(Constants.SignInSignUpPolicy, GetOpenIdConnectOptions(azureAdB2COptions, Constants.SignInSignUpPolicy)) .AddOpenIdConnect(Constants.EditProfilePolicy, GetOpenIdConnectOptions(azureAdB2COptions, Constants.EditProfilePolicy)); services.AddDistributedMemoryCache(); services.AddControllersWithViews(); }
public APIController(IOptions <AzureAdB2COptions> azureAdB2COptions) { AzureAdB2COptions = azureAdB2COptions.Value; _httpClient = new HttpClient(); _httpClient.DefaultRequestHeaders.Accept.Clear(); _httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json")); }
public Startup(IConfiguration configuration, AzureAdB2COptions azureAdB2COptions) { Configuration = configuration; _azureAdB2COptions = azureAdB2COptions; Configuration.Bind("Authentication:AzureAdB2C", _azureAdB2COptions); }
public HelloApiController(IConfiguration configuration, IOptions <AzureAdB2COptions> options, IDistributedCache cache) { _configuration = configuration; _baseApiAddress = _configuration["ApiEndpoint"]; _options = options.Value; _cache = cache; }
public AzureAdB2CSecuredApiConnector(IOptions <AzureAdB2COptions> options, IHttpContextAccessor httpContextAccessor) { _azureAdB2COptions = options.Value; ValidateOptions(options); _requiredScopes = _azureAdB2COptions.ApiScopes.Split(' ').ToList(); var signedInUserId = httpContextAccessor.HttpContext.User.FindFirst(ClaimTypes.NameIdentifier).Value; var userTokenCache = new MsalSessionCache(signedInUserId, httpContextAccessor.HttpContext).GetMsalCacheInstance(); _confidentialClientApplication = new ConfidentialClientApplication(_azureAdB2COptions.ClientId, _azureAdB2COptions.Authority, _azureAdB2COptions.RedirectUri, new ClientCredential(_azureAdB2COptions.ClientSecret), userTokenCache, null); }
public APIController(IOptions <AzureAdB2COptions> azureAdB2COptions, IUserService <ApplicationUser> uService, IOfferService <JobOffer> oService, IOptions <MyConfig> options, HR_ProjectContext context) { AzureAdB2COptions = azureAdB2COptions.Value; userService = uService; _context = context; this.options = options; }
private async Task <AuthenticationResult> AcquireTokenSilentAsync(AzureAdB2COptions azureAdB2COptions) { // Retrieve the token with the specified scopes var scope = azureAdB2COptions.ApiScopes.Split(' '); var signedInUserId = HttpContext.User.FindFirst(ClaimTypes.NameIdentifier).Value; var userTokenCache = new MsalSessionCache(signedInUserId, HttpContext).GetMsalCacheInstance(); var cca = new ConfidentialClientApplication( azureAdB2COptions.ApplicationId, azureAdB2COptions.Authority, azureAdB2COptions.RedirectUri, new ClientCredential(azureAdB2COptions.ClientSecret), userTokenCache, null); var result = await cca.AcquireTokenSilentAsync(scope, cca.Users.FirstOrDefault(), azureAdB2COptions.Authority, false); return(result); }
public static async Task <string> GetAccessToken(HttpContext context, AzureAdB2COptions options) { var scope = options.ApiScopes.Split(' '); string signedInUserID = context.User.FindFirst(ClaimTypes.NameIdentifier).Value; var cca = ConfidentialClientApplicationBuilder.Create(options.ClientId) .WithRedirectUri(options.RedirectUri) .WithClientSecret(options.ClientSecret) .WithB2CAuthority(options.Authority) .Build(); new MSALStaticCache(signedInUserID, context).EnablePersistence(cca.UserTokenCache); var accounts = await cca.GetAccountsAsync(); var result = await cca.AcquireTokenSilent(scope, accounts.FirstOrDefault()) .ExecuteAsync(); return(result.AccessToken); }
private Action <OpenIdConnectOptions> GetOpenIdConnectOptions(AzureAdB2COptions azureAdB2COptions, string policyName) => (options) => { options.Authority = azureAdB2COptions.GetB2CAuthority(policyName); options.ClientId = azureAdB2COptions.ClientId; options.ClientSecret = azureAdB2COptions.ClientSecret; options.ResponseType = OidcConstants.ResponseTypes.CodeIdToken; options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.CallbackPath = $"/signin/{policyName}"; options.SignedOutCallbackPath = $"/signout/{policyName}"; options.SaveTokens = true; options.UseTokenLifetime = true; foreach (string scope in azureAdB2COptions.Scopes.Split(' ', StringSplitOptions.RemoveEmptyEntries)) { options.Scope.Add(scope); } options.TokenValidationParameters.NameClaimType = "name"; options.TokenValidationParameters.RoleClaimType = "role"; options.Events.OnAuthorizationCodeReceived += OnAuthorizationCodeReceived; options.Events.OnRemoteFailure += OnRemoteFailureHandler; };
public DomainResolver(HttpContext httpContext, AzureAdOptions azureAdOptions, AzureAdB2COptions azureAdB2COptions) { _azureAdOptions = azureAdOptions; _azureAdB2COptions = azureAdB2COptions; _httpContext = httpContext; userObjectID = (httpContext.User.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier"))?.Value; if (httpContext.User.FindFirst("emails") != null) { signedInUseremail = httpContext.User.FindFirst("emails").Value; } else { //"preferred_username" signedInUseremail = httpContext.User.FindFirst("preferred_username") != null?httpContext.User.FindFirst("preferred_username").Value : null; } if (!signedInUseremail.ToLower().EndsWith("domain.com")) { isB2cUser = true; } }
public HomeController(IOptions <AzureAdB2COptions> options) { _azureOptions = options.Value; }
public SignOutModel(IOptions <AzureAdB2COptions> b2cOptions) { AzureAdB2COptions = b2cOptions.Value; }
public AccountController( IOptions <AzureAdB2COptions> azureAdB2COptions) { _azureAdB2COptions = azureAdB2COptions.Value; }
public void SetOptionsForOpenIdConnectPolicy(string policy, OpenIdConnectOptions options, AzureAdB2COptions azureAdB2COptions) { options.ClientId = azureAdB2COptions.ApplicationId; // Azure AD B2C application ID."### ADD APPLICATION ID HERE ###"; options.Authority = azureAdB2COptions.Authority; options.UseTokenLifetime = true; options.TokenValidationParameters = new TokenValidationParameters { NameClaimType = "name" }; options.Events = new OpenIdConnectEvents { OnRedirectToIdentityProvider = context => OnRedirectToIdentityProvider(context, azureAdB2COptions.DefaultPolicy, azureAdB2COptions.ApiUrl, azureAdB2COptions.ApiScopes), OnRemoteFailure = OnRemoteFailure, //OnAuthorizationCodeReceived = OnAuthorizationCodeReceived OnAuthorizationCodeReceived = async context => await OnAuthorizationCodeReceived(context, azureAdB2COptions.ApplicationId, azureAdB2COptions.Authority, azureAdB2COptions.ClientSecret, azureAdB2COptions.RedirectUri, azureAdB2COptions.ApiScopes) }; // https://login.microsoftonline.com/bqadb2c.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_sign_up_in&client_id=50b51705-27f1-4cf3-b9a1-1ee8be89bc8c&nonce=defaultNonce&redirect_uri=msal50b51705-27f1-4cf3-b9a1-1ee8be89bc8c%3A%2F%2Fauth&scope=openid&response_type=id_token&prompt=login options.MetadataAddress = $"https://login.microsoftonline.com/{azureAdB2COptions.Tenant}/v2.0/.well-known/openid-configuration?p={policy}"; }
public AccountController(IOptions <AzureAdB2COptions> b2COptionsAccessor) { _b2COptions = b2COptionsAccessor.Value; }
public TodoController(IOptions <AzureAdB2COptions> azureAdB2COptions, IOptions <AzureAdOptions> azureAdOptions) { _azureAdB2COptions = azureAdB2COptions.Value; _azureAdOptions = azureAdOptions.Value; }
public HomeController(IOptions <AzureAdB2COptions> azureAdB2COptions) { AzureAdB2COptions = azureAdB2COptions.Value; }
public HomeController(IOptions <AzureAdB2COptions> azureAdB2COptions, ILogger <HomeController> logger) { _logger = logger; AzureAdB2COptions = azureAdB2COptions.Value; }
public ExampleController(IAzureAdSecuredApiConnector azureAdSecuredApiConnector, IOptions <AzureAdOptions> azureSettingsAccessor, IOptions <AzureAdB2COptions> azureB2CSettingsAccessor) { _azureAdSecuredApiConnector = azureAdSecuredApiConnector; _azureAdOptions = azureSettingsAccessor.Value; _azureAdB2COptions = azureB2CSettingsAccessor.Value; }
public SessionController(IOptions <AzureAdB2COptions> b2cOptions) { _azureAdB2COptions = b2cOptions.Value; }
public static void AddAzureAdAndB2CJwtBearerAuthentication(this IServiceCollection services, AzureAdOptions azureAdOptions, AzureAdB2COptions azureB2COptions, Assembly controllerAssembly, string policyIdentifier = "") { // Setup Authentication services.AddAuthentication(options => { options.DefaultAuthenticateScheme = AzureJwtSchemes.AZURE_AD_AUTHENTICATION_SCHEME; }) .AddAzureB2CJwtBearer(azureB2COptions) .AddAzureAdJwtBearer(azureAdOptions); // Setup Authorization var customPolicyBuilder = new AuthorizationPolicyBuilder(AzureJwtSchemes.AZURE_AD_B2_C_AUTHENTICATION_SCHEME, AzureJwtSchemes.AZURE_AD_AUTHENTICATION_SCHEME); var defaultPolicy = customPolicyBuilder.RequireAuthenticatedUser().Build(); // scan custom defined policies in Authorization attribute to add as custom policies var customDefinedPolicies = FindAuthorizationPolicies(controllerAssembly, policyIdentifier); // add these custom policies to the authorization process services.AddAuthorization(o => { o.DefaultPolicy = defaultPolicy; customDefinedPolicies.ForEach(customDefinedPolicy => o.AddPolicy(customDefinedPolicy, policy => { policy.Requirements.Add(new AzurePolicyRequirement(customDefinedPolicy)); policy.AuthenticationSchemes.Add(AzureJwtSchemes.AZURE_AD_B2_C_AUTHENTICATION_SCHEME); policy.AuthenticationSchemes.Add(AzureJwtSchemes.AZURE_AD_AUTHENTICATION_SCHEME); })); }); }
public static AuthenticationBuilder AddAzureB2CCookieAuthentication(this IServiceCollection services, AzureAdB2COptions azureAdB2CSettings, string resetPasswordUrl, bool requestAccessToken, bool loadMemberGroupsAsRoles = false) { services.AddSession(options => { options.IdleTimeout = TimeSpan.FromMinutes(20); // no javascript calls to cookie options.Cookie.HttpOnly = true; }); return(services.AddAuthentication(options => { options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme; }) .AddCookie() .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options => { options.ClientId = azureAdB2CSettings.ClientId; // Set the authority to your Azure domain options.Authority = azureAdB2CSettings.Authority; options.UseTokenLifetime = true; options.TokenValidationParameters = new TokenValidationParameters() { NameClaimType = "name" }; options.Events = new OpenIdConnectEvents { OnRedirectToIdentityProvider = (context) => { // pass language (adds ui_locales to query string) var requestCulture = context.HttpContext.Features.Get <IRequestCultureFeature>(); var lang = requestCulture?.RequestCulture.Culture.TextInfo.ToTitleCase( requestCulture.RequestCulture.Culture.TwoLetterISOLanguageName); if (lang != null) { context.ProtocolMessage.UiLocales = lang; } // no explict policy or default policy passed - just continue var defaultPolicy = azureAdB2CSettings.DefaultPolicy; if (!context.Properties.Items.TryGetValue(AzureAdB2COptions.POLICY_AUTHENTICATION_PROPERTY, out var policy) || policy.Equals(defaultPolicy)) { if (requestAccessToken) { context.ProtocolMessage.Scope += $" offline_access {String.Join(" ", azureAdB2CSettings.Scopes)}"; context.ProtocolMessage.ResponseType = OpenIdConnectResponseType.CodeIdToken; } } else { // explict policy set in context => see AuthenticationProperties.Items.Add("Policy", desired policy_name) // example --> custom policy has been set to reset password context.ProtocolMessage.Scope = OpenIdConnectScope.OpenIdProfile; context.ProtocolMessage.ResponseType = OpenIdConnectResponseType.IdToken; context.ProtocolMessage.IssuerAddress = context.ProtocolMessage.IssuerAddress.ToLower().Replace($"/{defaultPolicy.ToLower()}/", $"/{policy.ToLower()}/"); context.Properties.Items.Remove(AzureAdB2COptions.POLICY_AUTHENTICATION_PROPERTY); } return Task.CompletedTask; }, OnRemoteFailure = (context) => { context.HandleResponse(); // Handle the error code that Azure AD B2C throws when trying to reset a password from the login page // because password reset is not supported by a "sign-up or sign-in policy" if (context.Failure is OpenIdConnectProtocolException && context.Failure.Message.Contains("AADB2C90118")) { // If the user clicked the reset password link, redirect to the reset password route context.Response.Redirect(resetPasswordUrl); } else if (context.Failure is OpenIdConnectProtocolException && context.Failure.Message.Contains("access_denied")) { context.Response.Redirect("/"); } else { throw context.Failure; } return Task.FromResult(0); }, OnAuthorizationCodeReceived = async(context) => { // Use MSAL to swap the code for an access token // Extract the code from the response notification var auhtorizationCode = context.ProtocolMessage.Code; string signedInUserId = context.Principal.FindFirst(ClaimTypes.NameIdentifier).Value; var userTokenCache = new MsalSessionCache(signedInUserId, context.HttpContext).GetMsalCacheInstance(); var clientApplication = new ConfidentialClientApplication(azureAdB2CSettings.ClientId, azureAdB2CSettings.Authority, azureAdB2CSettings.RedirectUri, new ClientCredential(azureAdB2CSettings.ClientSecret), userTokenCache, null); try { if (requestAccessToken) { var result = await clientApplication.AcquireTokenByAuthorizationCodeAsync(auhtorizationCode, azureAdB2CSettings.Scopes); context.HandleCodeRedemption(result.AccessToken, result.IdToken); } } catch (Exception e) { throw new Exception("AcquireTokenByAuthorizationCodeAsync failed", e); } }, // handle the logout redirection OnRedirectToIdentityProviderForSignOut = (context) => { var logoutUri = $"{azureAdB2CSettings.Domain}/v2/logout?client_id={azureAdB2CSettings.ClientId}"; var postLogoutUri = context.Properties.RedirectUri; if (!string.IsNullOrEmpty(postLogoutUri)) { if (postLogoutUri.StartsWith("/")) { // transform to absolute var request = context.Request; postLogoutUri = request.Scheme + "://" + request.Host + request.PathBase + postLogoutUri; } logoutUri += $"&post_logout_redirect_uri={Uri.EscapeDataString(postLogoutUri)}"; } // set the audience parameter to get also an access token back after login to be able to call APIs of this application context.ProtocolMessage.SetParameter("audience", azureAdB2CSettings.ClientId); context.Response.Redirect(logoutUri); context.HandleResponse(); return Task.CompletedTask; } }; if (loadMemberGroupsAsRoles) { //Check via Azure Graph API if user is in correct group options.Events.OnTokenValidated = context => { var serviceProvider = services.BuildServiceProvider(); // resolve GraphApiConnector var graphApiConnector = serviceProvider.GetService <IGraphApiConnector>(); if (graphApiConnector == null) { throw new Exception("No implementation has been registered for IGraphApiConnector"); } // Get membergroups for user from AzureAd var signedInUserId = context.Principal.FindFirst(ClaimTypes.NameIdentifier).Value; var memberGroups = graphApiConnector.GetMemberGroupsForUser(signedInUserId).GetAwaiter() .GetResult(); // create roleclaim var roleClaims = memberGroups.Select(x => new Claim(ClaimTypes.Role, x)); // Add RoleClaim to useridentity ((ClaimsIdentity)context.Principal.Identity).AddClaims(roleClaims); return Task.FromResult(0); }; } }));
public HomeController(IOptions <AzureAdB2COptions> azureAdB2COptions, IMemoryCache cache) { _azureOptions = azureAdB2COptions.Value; _cache = cache; }
public AccountController(IOptions <AzureAdB2COptions> b2cOptions, IUserService userService) { _options = b2cOptions.Value; _userService = userService; }
public HomeController(IOptions <AzureAdB2COptions> azureAdB2COptions, IHttpClientFactory clientFactory) { _azureAdB2COptions = azureAdB2COptions.Value; _clientFactory = clientFactory; }
public ApiController(IOptions <AzureAdB2COptions> b2cOptions) { AzureAdB2COptions = b2cOptions.Value; }
public Credentials(IOptions <AzureAdB2COptions> b2cOptions) { AzureAdB2COptions = b2cOptions.Value; }
public AccountController(IOptions <AzureAdB2COptions> b2cOptions) { _options = b2cOptions.Value; }
public ConfigureAzureOptions(IOptions <AzureAdB2COptions> azureOptions) { this.azureOptions = azureOptions.Value; }