private void AssertAdditionalClaims(IEnumerable <Claim> claims, ClaimsResult result) { Assert.Equal <Claim>(claims.FirstOrDefault(x => x.Type == JwtClaimTypes.SessionId), result.Claims.FirstOrDefault(x => x.Type == JwtClaimTypes.SessionId)); Assert.Equal <string>(claims.FirstOrDefault(x => x.Type == JwtClaimTypes.SessionId).Value, result.Claims.FirstOrDefault(x => x.Type == JwtClaimTypes.SessionId).Value); Assert.Equal <int>(claims.Where(x => x.Type == "groups").Count(), result.Claims.Where(x => x.Type == "groups").Count()); }
public GetEffectiveUserId() : base() { claimResult = new ClaimsResult() { SchemeItem = FabricIdentityConstants.AuthenticationSchemes.Azure }; }
public GetEffectiveSubjectIdTests() : base() { claimResult = new ClaimsResult() { SchemeItem = FabricIdentityConstants.AuthenticationSchemes.Azure }; user = new User() { }; }
/// <summary> /// Gets the user id to use based on the identity provider. /// if the identity is Azure AD, then use the AzureAD subject Id /// if it is windows Auth (or anything else) then return whatever the userId is. /// </summary> /// <param name="claimInformation">Claims information from GenerateClaimsForIdentity</param> /// <returns>The userid that should be used based on identity provider</returns> public string GetEffectiveUserId(ClaimsResult claimInformation) { CheckWhetherArgumentIsNull(claimInformation, nameof(claimInformation)); string userId = null; if (this.IsExternalTokenAzureAD(claimInformation.SchemeItem)) { userId = AzureADSubjectId(claimInformation.Claims); } return(userId ?? claimInformation.UserId); }
private void ValidateAzureADExternalToken(ClaimsResult claimsInformation) { var issuerClaim = claimsInformation.Claims.FirstOrDefault(x => x.Type == JwtClaimTypes.Issuer); if (issuerClaim == null) { throw new MissingIssuerClaimException(ExceptionMessageResources.MissingIssuerClaimMessage); } if (!this._appConfiguration.AzureActiveDirectorySettings.IssuerWhiteList.Contains(issuerClaim.Issuer)) { var exception = new InvalidIssuerException(ExceptionMessageResources.ForbiddenIssuerMessageUser) { LogMessage = string.Format(CultureInfo.CurrentCulture, ExceptionMessageResources.ForbiddenIssuerMessageLog, issuerClaim?.Value) }; throw exception; } }
private Claim[] GenerateAdditionalClaims(ClaimsResult claimsResult) { var previousClaims = claimsResult.Claims; var additionalClaims = new List <Claim>(); //if the external system sent a session id claim, copy it over var sid = previousClaims.FirstOrDefault(x => x.Type == JwtClaimTypes.SessionId); if (sid != null) { additionalClaims.Add(new Claim(JwtClaimTypes.SessionId, sid.Value)); } //if the external provider issues groups claims, copy it over var groupClaims = previousClaims.Where(c => c.Type == "groups").ToList(); if (groupClaims.Any()) { additionalClaims.AddRange(groupClaims); } return(additionalClaims.ToArray()); }
public void GetEffectiveSubjectId_NullUser_ReturnsException() { var claimResult = new ClaimsResult() { SchemeItem = FabricIdentityConstants.AuthenticationSchemes.Azure }; Exception excResult = null; try { var result = ClaimsService.GetEffectiveSubjectId(claimResult, null); Assert.True(false, "Should not get past this function call."); } catch (Exception exc) { excResult = exc; } Assert.NotNull(excResult); Assert.IsType <ArgumentNullException>(excResult); Assert.True(excResult.Message.Contains("The object name 'user' cannot be null.")); }
public async Task <IActionResult> ExternalLoginCallback(string returnUrl) { //read external identity from the temporary cookie var info = await HttpContext.AuthenticateAsync( IdentityServerConstants.ExternalCookieAuthenticationScheme); var context = await _interaction.GetAuthorizationContextAsync(returnUrl); //retrieve claims of the external user ClaimsResult claimInformation = null; try { claimInformation = await _claimsService.GenerateClaimsForIdentity(info, context); _logger.Information("Generated claims for Identity: " + claimInformation); } catch (InvalidIssuerException exc) { await HttpContext.SignOutAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme); return(LogAndReturnStatus(403, exc.LogMessage, exc.Message)); } //issue authentication cookie for user var user = await _userLoginManager.UserLogin( claimInformation.Provider, _claimsService.GetEffectiveUserId(claimInformation), claimInformation.Claims, claimInformation?.ClientId); var subjectId = _claimsService.GetEffectiveSubjectId(claimInformation, user); var successfulEvent = new FabricUserLoginSuccessEvent( claimInformation.Provider, claimInformation.UserId, subjectId, user?.Username, claimInformation.ClientId); await _events.RaiseAsync(successfulEvent); await HttpContext.SignInAsync( subjectId, user?.Username, claimInformation.Provider, claimInformation.AuthenticationProperties, claimInformation.AdditionalClaims); //delete temporary cookie used during external authentication await HttpContext.SignOutAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme); RemoveTestCookie(); //validate return URL and redirect back to authorization endpoint or a local page if (_interaction.IsValidReturnUrl(returnUrl) || Url.IsLocalUrl(returnUrl)) { return(Redirect(returnUrl)); } return(Redirect("~/")); }
private void AssertAuthenticationProperties(AuthenticateInfo info, ClaimsResult result) { Assert.Equal <string>(info.Properties.GetTokenValue("id_token"), result.AuthenticationProperties.GetTokenValue("id_token")); }
private void AssertClaimsResult(AuthenticateInfo info, AuthorizationRequest context, ClaimsResult result) { Assert.Equal <string>(context.ClientId, result.ClientId); Assert.Equal <string>(info.Properties.Items["scheme"], result.Provider); Assert.Equal <string>(info.Properties.Items.FirstOrDefault(i => i.Key == "scheme").Value, result.SchemeItem); var expectedUserId = info?.Principal.Claims.FirstOrDefault(x => x.Type == JwtClaimTypes.Subject); Assert.Equal <string>(expectedUserId.Value, result.UserId); Assert.Equal <Claim>(expectedUserId, result.UserIdClaim); var expectedClaims = info?.Principal.Claims.ToArray(); // we remove one because user Id claim should be removed Assert.Equal <int>(expectedClaims.Length - 1, result.Claims.Count); AssertAdditionalClaims(info?.Principal.Claims, result); AssertAuthenticationProperties(info, result); }