The token_endpoint response message. This contains the basic information that the application will need to authenticate on behalf of the user. For more information, see: http://tools.ietf.org/html/rfc6749#section-5.1
 /// <summary>
 /// MVC flavour of StartSignOut: runs the same sign out flow and wraps the resulting
 /// redirect location in an ActionResult that a controller action can return directly.
 /// </summary>
 /// <param name="accessTokenResponse">
 /// The access token response obtained from the token endpoint when the user signed in.
 /// Its id_token is what the sign out flow needs.
 /// </param>
 /// <param name="redirectUri">
 /// The application callback URI where the user's local session is cleaned up.
 /// </param>
 /// <returns>
 /// A Redirect ActionResult that sends the user to SDB Connect IdG or, in special cases, straight to the redirectUri.
 /// </returns>
 public ActionResult StartMvcSignOut(AccessTokenResponse accessTokenResponse, string redirectUri)
 {
     // Delegate the whole flow decision to the base implementation; only the result type differs.
     var location = base.StartSignOut(accessTokenResponse, redirectUri).Location;

     // NOTE(review): if Location is a System.Uri, ToString() yields the canonical form, which may
     // unescape some percent-encoded characters - confirm the query string survives unchanged.
     return new RedirectResult(location.ToString());
 }
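        /// <summary>
        /// Obtains the user's claims from the userInfo endpoint, presenting the user's access_token
        /// as a Bearer credential in the Authorization header.
        /// </summary>
        /// <param name="accessTokenResponse">
        /// The token endpoint's access token response (when the user completed the SignIn flow). 
        /// We need the access_token that was returned in this response.
        /// </param>
        /// <returns>
        /// A future dictionary, mapping claim types to their values. 
        /// The amount of claims, claim names and their value formats are all defined/configurable on SDB Connect IdG.
        /// 
        /// Typically the claim names are returned according to the OpenIdConnect standard. 
        /// For more information, see: http://openid.net/specs/openid-connect-basic-1_0-28.html#StandardClaims
        /// </returns>
        /// <exception cref="ArgumentNullException">
        /// <paramref name="accessTokenResponse"/> is null.
        /// </exception>
        /// <exception cref="HttpRequestException">
        /// The userInfo endpoint answered with a non-success status code (raised by EnsureSuccessStatusCode).
        /// </exception>
        /// <remarks>
        /// Security notes for callers:
        /// - The access_token is a bearer credential. Nothing in this method checks the scheme of the
        ///   configured UserInfoEndpoint, so the configuration must point at an https endpoint.
        /// - OpenID Connect requires the "sub" claim of the userInfo response to match the "sub" of the
        ///   id_token before the claims are trusted. That comparison is not done here and is left to the caller.
        /// - The response is bound to string values only; presumably a claim with a non-string JSON value
        ///   (for example a nested object) fails to deserialize - TODO confirm against the configured formatter.
        /// </remarks>
        public async Task<IDictionary<string, string>> GetUserInfo(AccessTokenResponse accessTokenResponse)
        {
            // Fail with a descriptive error instead of a NullReferenceException further down.
            if (accessTokenResponse == null)
            {
                throw new ArgumentNullException("accessTokenResponse");
            }

            // NOTE(review): a new HttpClient per call does not reuse connections; a shared instance
            // would need a field outside this method, so it is left as-is here.
            using (var client = new HttpClient())
            using (var request = new HttpRequestMessage(HttpMethod.Get, _openIdSettings.UserInfoEndpoint))
            {
                request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessTokenResponse.AccessToken);

                // TODO process errors according to the OpenIdConnect standard

                // The request and response are disposed deterministically so their content streams
                // and the underlying connection are released even when EnsureSuccessStatusCode throws.
                using (var response = await client.SendAsync(request).ConfigureAwait(false))
                {
                    var claims = await response
                        .EnsureSuccessStatusCode()
                        .Content
                        .ReadAsAsync<IDictionary<string, string>>()
                        .ConfigureAwait(false);

                    return claims;
                }
            }
        }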
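        /// <summary>
        /// Build the sign out endpoint URI, carrying the id_token and the post-logout callback
        /// as percent-encoded query parameters.
        /// </summary>
        /// <param name="accessTokenResponse">
        /// The token endpoint's access token response (when the user completed the sign in flow). 
        /// We need the id_token that was returned in this response.
        /// </param>
        /// <param name="redirectUri">
        /// The callback URI where the application will cleanup the user's session.
        /// Pass it unencoded; it is escaped here before being placed in the query string.
        /// </param>
        /// <returns>
        /// The generated URI to the sign out endpoint on SDB Connect IdG.
        /// </returns>
        /// <remarks>
        /// The id_token travels in the URL (id_token_hint), so it can end up in browser history and
        /// in access logs of anything that sees the request line.
        /// </remarks>
        private Uri GetIdentityGatewayOicSignOutEndpoint(AccessTokenResponse accessTokenResponse, string redirectUri)
        {
            // Each value is escaped as a query component. Without this, a redirectUri that itself
            // contains '?', '&', '=' or '#' would be cut short or would add extra parameters to the
            // sign out request. StartSignOut uses the same redirectUri directly as a redirect
            // location, so it reaches this method unencoded and is not double-encoded here.
            // A null value keeps its previous meaning: an empty parameter.
            var relativeUrl = string.Format(
                "?id_token_hint={0}&post_logout_redirect_uri={1}",
                Uri.EscapeDataString(accessTokenResponse.IdToken ?? string.Empty),
                Uri.EscapeDataString(redirectUri ?? string.Empty));

            // A relative reference that starts with '?' replaces the query of the base URI.
            // NOTE(review): the base is AuthorizationEndpoint, not a dedicated sign out endpoint -
            // presumably SDB Connect IdG serves sign out from the same URL; confirm.
            return new Uri(_openIdSettings.AuthorizationEndpoint, relativeUrl);
        }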
        /// <summary>
        /// Begins the SignOut flow.
        /// Call this before cleaning up the user session; the cleanup itself can happen when the
        /// final redirect reaches the application.
        /// 
        /// The flow has two steps:
        /// 1. Redirect to SDB Connect IdG, which signs the user out at federation level
        /// 2. Callback to the application's sign out redirect URI, which cleans up at application level
        /// </summary>
        /// <param name="accessTokenResponse">
        /// The access token response obtained from the token endpoint when the user signed in.
        /// Its id_token is required for the federation-level sign out.
        /// </param>
        /// <param name="redirectUri">
        /// The application callback URI where the user's session is cleaned up.
        /// It is used as given, with no validation in this method, so it should be a value the
        /// application controls rather than one taken from request data.
        /// </param>
        /// <returns>
        /// An HTTP Redirect that sends the user to SDB Connect IdG or, in special cases, straight to the redirectUri.
        /// </returns>
        public HttpRedirectResponse StartSignOut(AccessTokenResponse accessTokenResponse, string redirectUri)
        {
            var hasIdToken = accessTokenResponse != null && accessTokenResponse.IdToken != null;

            if (hasIdToken)
            {
                var signOutEndpoint = GetIdentityGatewayOicSignOutEndpoint(accessTokenResponse, redirectUri);
                return new HttpRedirectResponse(signOutEndpoint);
            }

            // Without an id_token (for example after the user session expired) a federation-level
            // sign out is not possible, so SDB Connect Identity Gateway is skipped and the user
            // goes directly to the application callback.
            return new HttpRedirectResponse(redirectUri);
        }