Exemple #1
0
        private void ConfigureOpenIdConnectAuthentication(OpenIdConnectAuthenticationOptions options)
        {
            // from original template
            options.AutomaticAuthentication = true;
            options.ClientId              = Configuration["Authentication:AzureAd:ClientId"];
            options.Authority             = Configuration["Authentication:AzureAd:AADInstance"] + Configuration["Authentication:AzureAd:Tenant"];
            options.PostLogoutRedirectUri = Configuration["Authentication:AzureAd:PostLogoutRedirectUri"];
            options.SignInScheme          = CookieAuthenticationDefaults.AuthenticationScheme;
            options.RedirectUri           = Configuration["Authentication:AzureAd:PostLogoutRedirectUri"];
            options.Scope        = "openid";
            options.ResponseType = "id_token";
            //options.ConfigurationManager = new PolicyConfigurationManager(options.Authority + "/v2.0/.well-known/openid-configuration",
            //    new string[] { "B2C_1_SiUp", "b2c_1_siin", "B2C_1_SiPe" });

            var configurationManager = new PolicyConfigurationManager();

            configurationManager.AddPolicy("common", "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration");
            configurationManager.AddPolicy("b2c_1_siup", string.Format(CultureInfo.InvariantCulture, "{0}{1}?p={2}",
                                                                       options.Authority, "/v2.0/.well-known/openid-configuration", "b2c_1_siup"));
            configurationManager.AddPolicy("b2c_1_siin", string.Format(CultureInfo.InvariantCulture, "{0}{1}?p={2}",
                                                                       options.Authority, "/v2.0/.well-known/openid-configuration", "b2c_1_siin"));
            configurationManager.AddPolicy("b2c_1_sipe", string.Format(CultureInfo.InvariantCulture, "{0}{1}?p={2}",
                                                                       options.Authority, "/v2.0/.well-known/openid-configuration", "b2c_1_sipe"));
            options.ConfigurationManager = configurationManager;

            options.TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters()
            {
                //NameClaimType = "name"
                ValidateIssuer = false
            };
            options.Notifications = CreateOpenIdConnectAuthenticationNotifications();
        }
Exemple #2
0
        // This notification can be used to manipulate the OIDC request before it is sent.  Here we use it to send the correct policy.
        private async Task OnRedirectToIdentityProvider(RedirectToIdentityProviderNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
        {
            PolicyConfigurationManager mgr = notification.Options.ConfigurationManager as PolicyConfigurationManager;

            if (notification.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
            {
                OpenIdConnectConfiguration config = await mgr.GetConfigurationByPolicyAsync(CancellationToken.None, notification.OwinContext.Authentication.AuthenticationResponseRevoke.Properties.Dictionary[Startup.PolicyKey]);

                notification.ProtocolMessage.IssuerAddress = config.EndSessionEndpoint;
            }
            else
            {
                OpenIdConnectConfiguration config = await mgr.GetConfigurationByPolicyAsync(CancellationToken.None, notification.OwinContext.Authentication.AuthenticationResponseChallenge.Properties.Dictionary[Startup.PolicyKey]);

                notification.ProtocolMessage.IssuerAddress = config.AuthorizationEndpoint;
            }
        }
Exemple #3
0
        private OpenIdConnectAuthenticationNotifications CreateOpenIdConnectAuthenticationNotifications()
        {
            return(new OpenIdConnectAuthenticationNotifications()
            {
                MessageReceived = (context) =>
                {
                    return Task.FromResult(0);
                },

                RedirectToIdentityProvider = async(context) =>
                {
                    PolicyConfigurationManager mgr = context.Options.ConfigurationManager as PolicyConfigurationManager;
                    OpenIdConnectConfiguration config = null;
                    if (context.HttpContext.Items.ContainsKey("b2cpolicy"))
                    {
                        string policyName = (string)context.HttpContext.Items["b2cpolicy"];
                        config = await mgr.GetConfigurationByPolicyAsync(System.Threading.CancellationToken.None, policyName);
                    }
                    else
                    {
                        config = await mgr.GetConfigurationByPolicyAsync(System.Threading.CancellationToken.None,
                                                                         "common");
                    }

                    if (context.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
                    {
                        context.ProtocolMessage.IssuerAddress = config.EndSessionEndpoint;
                    }
                    else
                    {
                        context.ProtocolMessage.IssuerAddress = config.AuthorizationEndpoint;
                    }
                },

                SecurityTokenReceived = (context) =>
                {
                    return Task.FromResult(0);
                },

                SecurityTokenValidated = (context) =>
                {
                    var principal = context.AuthenticationTicket.Principal;
                    var identity = principal.Identities.First();
                    // TODO - We need to figure out what this looks like when multiple emails are sent.  For now, we'll
                    // assume just one.
                    var emails = principal.FindFirst("emails")?.Value
                                 ?? principal.FindFirst("preferred_username")?.Value;
                    if (!string.IsNullOrWhiteSpace(emails))
                    {
                        identity.AddClaim(new Claim(ClaimTypes.Email, emails));
                    }

                    // We need to normalize the name claim for the Identity model
                    var name = principal.FindFirst("name")?.Value;
                    if (!string.IsNullOrWhiteSpace(name))
                    {
                        identity.AddClaim(new Claim(identity.NameClaimType, name));
                    }

                    var identityProvider = principal.FindFirst(
                        "http://schemas.microsoft.com/identity/claims/identityprovider")?.Value;
                    if (string.IsNullOrWhiteSpace(identityProvider))
                    {
                        // AAD doesn't provide this in B2C, so we'll add one.
                        identity.AddClaim(new Claim("http://schemas.microsoft.com/identity/claims/identityprovider", "aad"));
                        identity.AddClaim(new Claim("survey_tenant", principal.FindFirst("iss")?.Value));
                    }
                    else
                    {
                        // Whenever we use an external auth provider besides AAD, we need to generate a "tenant" identifier,
                        // since those users are in their own tenant.
                        identity.AddClaim(
                            new Claim("survey_tenant", principal.FindFirst("iss")?.Value +
                                      principal.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value));
                    }

                    return Task.FromResult(0);
                },

                AuthenticationFailed = (context) =>
                {
                    context.Response.Redirect("/Home/Error");
                    context.HandleResponse(); // Suppress the exception
                    return Task.FromResult(0);
                }
            });
        }
Exemple #4
0
        private void ConfigureOpenIdConnectAuthentication(OpenIdConnectAuthenticationOptions options)
        {
            // from original template
            options.AutomaticAuthentication = true;
            options.ClientId = Configuration["Authentication:AzureAd:ClientId"];
            options.Authority = Configuration["Authentication:AzureAd:AADInstance"] + Configuration["Authentication:AzureAd:Tenant"];
            options.PostLogoutRedirectUri = Configuration["Authentication:AzureAd:PostLogoutRedirectUri"];
            options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.RedirectUri = Configuration["Authentication:AzureAd:PostLogoutRedirectUri"];
            options.Scope = "openid";
            options.ResponseType = "id_token";
            //options.ConfigurationManager = new PolicyConfigurationManager(options.Authority + "/v2.0/.well-known/openid-configuration",
            //    new string[] { "B2C_1_SiUp", "b2c_1_siin", "B2C_1_SiPe" });

            var configurationManager = new PolicyConfigurationManager();
            configurationManager.AddPolicy("common", "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration");
            configurationManager.AddPolicy("b2c_1_siup", string.Format(CultureInfo.InvariantCulture, "{0}{1}?p={2}",
                options.Authority, "/v2.0/.well-known/openid-configuration", "b2c_1_siup"));
            configurationManager.AddPolicy("b2c_1_siin", string.Format(CultureInfo.InvariantCulture, "{0}{1}?p={2}",
                options.Authority, "/v2.0/.well-known/openid-configuration", "b2c_1_siin"));
            configurationManager.AddPolicy("b2c_1_sipe", string.Format(CultureInfo.InvariantCulture, "{0}{1}?p={2}",
                options.Authority, "/v2.0/.well-known/openid-configuration", "b2c_1_sipe"));
            options.ConfigurationManager = configurationManager;

            options.TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters()
            {
                //NameClaimType = "name"
                ValidateIssuer = false
            };
            options.Notifications = CreateOpenIdConnectAuthenticationNotifications();
        }