private void AssertAdditionalClaims(IEnumerable <Claim> claims, ClaimsResult result)
{
Assert.Equal <Claim>(claims.FirstOrDefault(x => x.Type == JwtClaimTypes.SessionId), result.Claims.FirstOrDefault(x => x.Type == JwtClaimTypes.SessionId));
Assert.Equal <string>(claims.FirstOrDefault(x => x.Type == JwtClaimTypes.SessionId).Value, result.Claims.FirstOrDefault(x => x.Type == JwtClaimTypes.SessionId).Value);
Assert.Equal <int>(claims.Where(x => x.Type == "groups").Count(), result.Claims.Where(x => x.Type == "groups").Count());
}
public GetEffectiveUserId() :
base()
{
claimResult = new ClaimsResult()
{
SchemeItem = FabricIdentityConstants.AuthenticationSchemes.Azure
};
}
public GetEffectiveSubjectIdTests() :
base()
{
claimResult = new ClaimsResult()
{
SchemeItem = FabricIdentityConstants.AuthenticationSchemes.Azure
};
user = new User()
{
};
}
/// <summary>
/// Gets the user id to use based on the identity provider.
/// if the identity is Azure AD, then use the AzureAD subject Id
/// if it is windows Auth (or anything else) then return whatever the userId is.
/// </summary>
/// <param name="claimInformation">Claims information from GenerateClaimsForIdentity</param>
/// <returns>The userid that should be used based on identity provider</returns>
public string GetEffectiveUserId(ClaimsResult claimInformation)
{
CheckWhetherArgumentIsNull(claimInformation, nameof(claimInformation));
string userId = null;
if (this.IsExternalTokenAzureAD(claimInformation.SchemeItem))
{
userId = AzureADSubjectId(claimInformation.Claims);
}
return(userId ?? claimInformation.UserId);
}
private void ValidateAzureADExternalToken(ClaimsResult claimsInformation)
{
var issuerClaim = claimsInformation.Claims.FirstOrDefault(x => x.Type == JwtClaimTypes.Issuer);
if (issuerClaim == null)
{
throw new MissingIssuerClaimException(ExceptionMessageResources.MissingIssuerClaimMessage);
}
if (!this._appConfiguration.AzureActiveDirectorySettings.IssuerWhiteList.Contains(issuerClaim.Issuer))
{
var exception = new InvalidIssuerException(ExceptionMessageResources.ForbiddenIssuerMessageUser)
{
LogMessage = string.Format(CultureInfo.CurrentCulture,
ExceptionMessageResources.ForbiddenIssuerMessageLog, issuerClaim?.Value)
};
throw exception;
}
}
private Claim[] GenerateAdditionalClaims(ClaimsResult claimsResult)
{
var previousClaims = claimsResult.Claims;
var additionalClaims = new List <Claim>();
//if the external system sent a session id claim, copy it over
var sid = previousClaims.FirstOrDefault(x => x.Type == JwtClaimTypes.SessionId);
if (sid != null)
{
additionalClaims.Add(new Claim(JwtClaimTypes.SessionId, sid.Value));
}
//if the external provider issues groups claims, copy it over
var groupClaims = previousClaims.Where(c => c.Type == "groups").ToList();
if (groupClaims.Any())
{
additionalClaims.AddRange(groupClaims);
}
return(additionalClaims.ToArray());
}
public void GetEffectiveSubjectId_NullUser_ReturnsException()
{
var claimResult = new ClaimsResult()
{
SchemeItem = FabricIdentityConstants.AuthenticationSchemes.Azure
};
Exception excResult = null;
try
{
var result = ClaimsService.GetEffectiveSubjectId(claimResult, null);
Assert.True(false, "Should not get past this function call.");
}
catch (Exception exc)
{
excResult = exc;
}
Assert.NotNull(excResult);
Assert.IsType <ArgumentNullException>(excResult);
Assert.True(excResult.Message.Contains("The object name 'user' cannot be null."));
}
public async Task <IActionResult> ExternalLoginCallback(string returnUrl)
{
//read external identity from the temporary cookie
var info = await HttpContext.AuthenticateAsync(
IdentityServerConstants.ExternalCookieAuthenticationScheme);
var context = await _interaction.GetAuthorizationContextAsync(returnUrl);
//retrieve claims of the external user
ClaimsResult claimInformation = null;
try
{
claimInformation = await _claimsService.GenerateClaimsForIdentity(info, context);
_logger.Information("Generated claims for Identity: " + claimInformation);
}
catch (InvalidIssuerException exc)
{
await HttpContext.SignOutAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
return(LogAndReturnStatus(403, exc.LogMessage, exc.Message));
}
//issue authentication cookie for user
var user = await _userLoginManager.UserLogin(
claimInformation.Provider,
_claimsService.GetEffectiveUserId(claimInformation),
claimInformation.Claims,
claimInformation?.ClientId);
var subjectId = _claimsService.GetEffectiveSubjectId(claimInformation, user);
var successfulEvent = new FabricUserLoginSuccessEvent(
claimInformation.Provider,
claimInformation.UserId,
subjectId,
user?.Username,
claimInformation.ClientId);
await _events.RaiseAsync(successfulEvent);
await HttpContext.SignInAsync(
subjectId,
user?.Username,
claimInformation.Provider,
claimInformation.AuthenticationProperties,
claimInformation.AdditionalClaims);
//delete temporary cookie used during external authentication
await HttpContext.SignOutAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
RemoveTestCookie();
//validate return URL and redirect back to authorization endpoint or a local page
if (_interaction.IsValidReturnUrl(returnUrl) || Url.IsLocalUrl(returnUrl))
{
return(Redirect(returnUrl));
}
return(Redirect("~/"));
}
private void AssertAuthenticationProperties(AuthenticateInfo info, ClaimsResult result)
{
Assert.Equal <string>(info.Properties.GetTokenValue("id_token"), result.AuthenticationProperties.GetTokenValue("id_token"));
}
private void AssertClaimsResult(AuthenticateInfo info, AuthorizationRequest context, ClaimsResult result)
{
Assert.Equal <string>(context.ClientId, result.ClientId);
Assert.Equal <string>(info.Properties.Items["scheme"], result.Provider);
Assert.Equal <string>(info.Properties.Items.FirstOrDefault(i => i.Key == "scheme").Value, result.SchemeItem);
var expectedUserId = info?.Principal.Claims.FirstOrDefault(x => x.Type == JwtClaimTypes.Subject);
Assert.Equal <string>(expectedUserId.Value, result.UserId);
Assert.Equal <Claim>(expectedUserId, result.UserIdClaim);
var expectedClaims = info?.Principal.Claims.ToArray();
// we remove one because user Id claim should be removed
Assert.Equal <int>(expectedClaims.Length - 1, result.Claims.Count);
AssertAdditionalClaims(info?.Principal.Claims, result);
AssertAuthenticationProperties(info, result);
}