public void ConfigureServices(IServiceCollection services)
{
//Setup the HttpClientFactory that will inject a typed HttpClient called BankIDClient
services.AddHttpClient <BankIDClient>(client =>
{
client.BaseAddress = new Uri("https://appapi2.test.bankid.com/rp/v5/");
client.DefaultRequestHeaders.Add("Accept", "application/json");
})
.ConfigurePrimaryHttpMessageHandler(h =>
{
var handler = new HttpClientHandler();
//Set the client certificate to use against BankID. This is TESTso we will download the certificate on-the-fly. In real-world this would use Certificate Store.
handler.ClientCertificates.Add(Certificates.DownloadBankIDTestCertificate().Result);
//BankID test servers certificate are typically not in the trusted root store if you are on Azure. This will bypass. Do NOT use in production!
handler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => { return(true); };
return(handler);
});
services.AddAuthentication(options =>
{
options.DefaultScheme = "ServerCookie";
})
.AddCookie("ServerCookie", options =>
{
options.Cookie.Name = CookieAuthenticationDefaults.CookiePrefix + "ServerCookie";
options.ExpireTimeSpan = TimeSpan.FromMinutes(5);
//Choose Signin page with wither classic BankID with manual entry of the civicid (personnummer)
//or the new BankID QR-code method that is considered more secure
// options.LoginPath = new PathString("/signin");
options.LoginPath = new PathString("/signinqr");
options.LogoutPath = new PathString("/signout");
})
.AddBankIDAuthentication(options => {
//The BankID is firewall-friendly but that means that polling of the Collect method is required.
//Something like a 2-3 seconds interval seems like a good compromise
options.CollectIntervalInMilliseconds = 2000;
//BankID has a maximum timeout of 30 seconds doing a Collect. Here we can set a lower value if we want to.
options.CollectTimeoutInMilliseconds = 30000;
})
.AddOAuthValidation()
.AddOpenIdConnectServer(options =>
{
options.ProviderType = typeof(AuthorizationProvider);
// Enable the authorization, logout, token and userinfo endpoints.
options.AuthorizationEndpointPath = "/connect/authorize";
options.LogoutEndpointPath = "/connect/logout";
options.TokenEndpointPath = "/connect/token";
options.UserinfoEndpointPath = "/connect/userinfo";
options.ConfigurationEndpointPath = "/.well-known/openid-configuration";
// Note: see AuthorizationController.cs for more
// information concerning ApplicationCanDisplayErrors.
options.ApplicationCanDisplayErrors = true;
options.AllowInsecureHttp = true;
// Note: to override the default access token format and use JWT, assign AccessTokenHandler:
//
options.AccessTokenHandler = new JwtSecurityTokenHandler
{
InboundClaimTypeMap = new Dictionary <string, string>(),
OutboundClaimTypeMap = new Dictionary <string, string>()
};
//
// Note: when using JWT as the access token format, you have to register a signing key.
//
// You can register a new ephemeral key, that is discarded when the application shuts down.
// Tokens signed using this key are automatically invalidated and thus this method
// should only be used during development:
//
options.SigningCredentials.AddEphemeralKey();
//
// On production, using a X.509 certificate stored in the machine store is recommended.
// You can generate a self-signed certificate using Pluralsight's self-cert utility:
// https://s3.amazonaws.com/pluralsight-free/keith-brown/samples/SelfCert.zip
//
// options.SigningCredentials.AddCertificate("7D2A741FE34CC2C7369237A5F2078988E17A6A75");
//
// Alternatively, you can also store the certificate as an embedded .pfx resource
// directly in this assembly or in a file published alongside this project:
//
// options.SigningCredentials.AddCertificate(
// assembly: typeof(Startup).GetTypeInfo().Assembly,
// resource: "Mvc.Server.Certificate.pfx",
// password: "******");
});
services.AddScoped <AuthorizationProvider>();
services.AddMvc();
services.AddDistributedMemoryCache();
}
