public IEnumerable<Claim> GetClaims(ClaimsPrincipal principal, RequestDetails requestDetails)
{
var userName = principal.Identity.Name;
var claims = new List<Claim>(from c in principal.Claims select c);
// email address
string email = Membership.FindUsersByName(userName)[userName].Email;
if (!String.IsNullOrEmpty(email))
{
claims.Add(new Claim(ClaimTypes.Email, email));
}
// roles
GetRolesForToken(userName).ToList().ForEach(role => claims.Add(new Claim(ClaimTypes.Role, role)));
// profile claims
if (ProfileManager.Enabled)
{
var profile = ProfileBase.Create(userName, true);
if (profile != null)
{
foreach (SettingsProperty prop in ProfileBase.Properties)
{
string value = profile.GetPropertyValue(prop.Name).ToString();
if (!String.IsNullOrWhiteSpace(value))
{
claims.Add(new Claim(ProfileClaimPrefix + prop.Name.ToLowerInvariant(), value));
}
}
}
}
return claims;
}
public virtual IEnumerable<Claim> GetClaims(ClaimsPrincipal principal, RequestDetails requestDetails)
{
var userName = principal.Identity.Name;
var claims = new List<Claim>(from c in principal.Claims select c);
var nameIdClaim = claims.FirstOrDefault(c => c.Type == ClaimTypes.NameIdentifier);
if (nameIdClaim == null)
{
claims.Add(new Claim(ClaimTypes.NameIdentifier, userName));
}
// email address
var membership = Membership.FindUsersByName(userName)[userName];
if (membership != null)
{
string email = membership.Email;
if (!String.IsNullOrEmpty(email))
{
claims.Add(new Claim(ClaimTypes.Email, email));
}
}
// roles
GetRolesForToken(userName).ToList().ForEach(role => claims.Add(new Claim(ClaimTypes.Role, role)));
// profile claims
claims.AddRange(GetProfileClaims(userName));
return claims;
}
public IEnumerable<Claim> GetClaims(ClaimsPrincipal principal, RequestDetails requestDetails)
{
return new List<Claim>
{
principal.Identities.First().FindFirst(ClaimTypes.Name),
new Claim("http://claims/custom/foo", "bar")
};
}
public IEnumerable<Claim> GetClaims(IClaimsPrincipal principal, RequestDetails requestDetails)
{
var claims = from c in NewContext.UserClaims
where c.PartitionKey == principal.Identity.Name.ToLower() &&
c.Kind == UserClaimEntity.EntityKind
select new Claim(c.ClaimType, c.Value);
return claims.ToList();
}
public RequestDetails Analyze(RequestSecurityToken rst, ClaimsPrincipal principal)
{
if (rst == null)
{
throw new ArgumentNullException("rst");
}
if (principal == null)
{
throw new ArgumentNullException("principal");
}
Tracing.Information("Starting PolicyOptions creation");
var clientIdentity = AnalyzeClientIdentity(principal);
var details = new RequestDetails
{
ClientIdentity = clientIdentity,
IsActive = false,
Realm = null,
IsKnownRealm = false,
UsesSsl = false,
UsesEncryption = false,
ReplyToAddress = null,
ReplyToAddressIsWithinRealm = false,
IsReplyToFromConfiguration = false,
EncryptingCertificate = null,
ClaimsRequested = false,
RequestClaims = null,
Request = null,
IsActAsRequest = false,
RelyingPartyRegistration = null
};
AnalyzeRst(rst, details);
AnalyzeTokenType(rst, details);
AnalyzeKeyType(rst);
AnalyzeRealm(rst, details);
AnalyzeOperationContext(details);
AnalyzeDelegation(rst, details);
AnalyzeRelyingParty(details);
AnalyzeEncryption(details);
AnalyzeReplyTo(details);
AnalyzeSsl(details);
AnalyzeRequestClaims(details);
Tracing.Information("PolicyOptions creation done.");
_details = details;
return details;
}
public IEnumerable<Claim> GetClaims(ClaimsPrincipal principal, RequestDetails requestDetails)
{
var claims = new List<Claim>();
var nameClaim = principal.Identities.First().FindFirst(ClaimTypes.Name);
claims.Add(nameClaim);
var response = RewardService.GetRewardProgram(new GetRewardProgramRequest {UserName = nameClaim.Value});
if(response != null)
{
claims.Add(new Claim("http://oceanicairlines.com/rewardlevel/", response.RewardLevel.ToString()));
};
return claims;
}
HttpResponseMessage Get()
{
var requestClaims = new RequestClaimCollection();
var scopes = ClaimsPrincipal.Current.FindAll(OAuth2Constants.Scope);
foreach (var scope in scopes)
{
if (OidcConstants.Mappings.ContainsKey(scope.Value))
{
foreach (var oidcClaim in OidcConstants.Mappings[scope.Value])
{
requestClaims.Add(new RequestClaim(oidcClaim));
}
}
else
{
Request.CreateErrorResponse(HttpStatusCode.BadRequest, "invalid scope");
}
}
var details = new RequestDetails { IsOpenIdRequest = true };
details.ClaimsRequested = true;
details.RequestClaims = requestClaims;
var principal = Principal.Create("OpenIdConnect",
new Claim(ClaimTypes.NameIdentifier, ClaimsPrincipal.Current.FindFirst("sub").Value));
var claims = ClaimsRepository.GetClaims(principal, details);
var dictionary = new Dictionary<string, string>();
foreach (var claim in claims)
{
if (!dictionary.ContainsKey(claim.Type))
{
dictionary.Add(claim.Type, claim.Value);
}
else
{
var currentValue = dictionary[claim.Type];
dictionary[claim.Type] = currentValue += ("," + claim.Value);
}
}
return Request.CreateResponse<Dictionary<string, string>>(HttpStatusCode.OK, dictionary, "application/json");
}
public RequestDetailsScope(RequestDetails details, SigningCredentials signingCredentials, bool requireEncryption)
: base(details.Realm.Uri.AbsoluteUri, signingCredentials)
{
RequestDetails = details;
if (RequestDetails.UsesEncryption)
{
EncryptingCredentials = new X509EncryptingCredentials(details.EncryptingCertificate);
}
if (RequestDetails.TokenType == SimpleWebToken.OasisTokenProfile)
{
SigningCredentials = new SymmetricSigningCredentials(details.RelyingPartyRegistration.SymmetricSigningKey);
}
ReplyToAddress = RequestDetails.ReplyToAddress.AbsoluteUri;
TokenEncryptionRequired = requireEncryption;
}
public HttpResponseMessage Get()
{
Tracing.Start("OIDC UserInfo endpoint");
var details = new RequestDetails { IsOpenIdRequest = true };
var scopeClaims = ClaimsPrincipal.Current.FindAll(OAuth2Constants.Scope).ToList();
var requestedClaims = ClaimsPrincipal.Current.FindAll("requestclaim").ToList();
if (scopeClaims.Count > 0)
{
var scopes = new List<string>(scopeClaims.Select(sc => sc.Value));
details.OpenIdScopes = scopes;
}
if (requestedClaims.Count > 0)
{
var requestClaims = new RequestClaimCollection();
requestedClaims.ForEach(rc => requestClaims.Add(new RequestClaim(rc.Value)));
details.ClaimsRequested = true;
details.RequestClaims = requestClaims;
}
var principal = Principal.Create("OpenIdConnect",
new Claim(ClaimTypes.Name, ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier).Value));
var claims = ClaimsRepository.GetClaims(principal, details);
var dictionary = new Dictionary<string, string>();
foreach (var claim in claims)
{
if (!dictionary.ContainsKey(claim.Type))
{
dictionary.Add(claim.Type, claim.Value);
}
else
{
var currentValue = dictionary[claim.Type];
dictionary[claim.Type] = currentValue += ("," + claim.Value);
}
}
return Request.CreateResponse<Dictionary<string, string>>(HttpStatusCode.OK, dictionary, "application/json");
}
public virtual IEnumerable<Claim> GetClaims(ClaimsPrincipal principal, RequestDetails requestDetails)
{
var userName = principal.Identity.Name;
var claims = new List<Claim>(from c in principal.Claims select c);
// email address
string email = userName;
if (!String.IsNullOrEmpty(email))
{
claims.Add(new Claim(ClaimTypes.Email, email));
}
// roles
GetRolesForToken(userName).ToList().ForEach(role => claims.Add(new Claim(ClaimTypes.Role, role)));
// profile claims
claims.AddRange(GetProfileClaims(userName));
return claims;
}
virtual public IEnumerable<Claim> GetClaims(IClaimsPrincipal principal, RequestDetails requestDetails)
{
var claims = new List<Claim>();
using (PrincipalContext context = GetPrincipalContext())
{
var userName = principal.Identity.Name;
// find the user in the identity store
UserPrincipal user = UserPrincipal.FindByIdentity(context, userName);
// email address
string email = user.EmailAddress;
if (!String.IsNullOrEmpty(email))
{
claims.Add(new Claim(ClaimTypes.Email, email));
}
// roles
GetRoles(userName, RoleTypes.Client).ToList().ForEach(role => claims.Add(new Claim(ClaimTypes.Role, role)));
// profile claims
if (ProfileManager.Enabled)
{
var profile = ProfileBase.Create(userName, true);
if (profile != null)
{
foreach (SettingsProperty prop in ProfileBase.Properties)
{
string value = profile.GetPropertyValue(prop.Name).ToString();
if (!String.IsNullOrWhiteSpace(value))
{
claims.Add(new Claim(ProfileClaimPrefix + prop.Name.ToLowerInvariant(), value));
}
}
}
}
}
return claims;
}
public RequestDetailsScope(RequestDetails details, SigningCredentials signingCredentials, bool requireEncryption)
: base(details.Realm.Uri.AbsoluteUri, signingCredentials)
{
RequestDetails = details;
if (RequestDetails.UsesEncryption)
{
EncryptingCredentials = new X509EncryptingCredentials(details.EncryptingCertificate);
}
if (RequestDetails.TokenType == TokenTypes.SimpleWebToken || RequestDetails.TokenType == TokenTypes.JsonWebToken)
{
if (details.RelyingPartyRegistration.SymmetricSigningKey != null && details.RelyingPartyRegistration.SymmetricSigningKey.Length > 0)
{
SigningCredentials = new HmacSigningCredentials(details.RelyingPartyRegistration.SymmetricSigningKey);
}
}
ReplyToAddress = RequestDetails.ReplyToAddress.AbsoluteUri;
TokenEncryptionRequired = requireEncryption;
}
public override IEnumerable<Claim> GetClaims(ClaimsPrincipal principal, RequestDetails requestDetails)
{
if (requestDetails.Realm.Uri.AbsoluteUri == "http://sbserver/swttest/")
{
if (principal.Identity.Name == "bob")
{
return new List<Claim>
{
new Claim(sbClaimType, "Listen"),
new Claim(sbClaimType, "Manage"),
};
}
else
{
return new List<Claim>
{
new Claim(sbClaimType, "Send"),
};
}
}
return base.GetClaims(principal, requestDetails);
}
public IEnumerable<Claim> ProcessClaims(ClaimsPrincipal incomingPrincipal, IdentityProvider identityProvider, RequestDetails details)
{
var audienceUri = details.Realm.Uri.AbsoluteUri;
var newClaimsPrincipal = (ClaimsIdentity)incomingPrincipal.Identity;
newClaimsPrincipal.AddClaim(new Claim("http://schemas.fcsamerica.com/claims/PartnerApps/audienceuri", audienceUri));
return newClaimsPrincipal.Claims;
/* Prototype code to test loading Claims Mapper Claims from STS.
ClaimsIdentity claimsIdentity = incomingPrincipal.Identity as ClaimsIdentity;
var emailClaim = incomingPrincipal.Claims.FirstOrDefault(_ => _.Type.Equals(ClaimTypes.Email));
// var partnerClaim = incomingPrincipal.Claims.FirstOrDefault(_ => _.Type.Con)
// NOTE: McGruff has a Get Partner Name from Host Header Method.
// QUESTION: How will we store the STS generated SAML token on the claims principal? It isn't rewritten yet. We will need to generate it here?
// QUESTION: If the Audit Info is on the claims principal... We would still need logic to help people determine which one to pull. Look at RequestHeader first, then Claims Principal.
// QUESTION: We still need an API for accessing SAML token and AuditInfo. Can this be the Token Generator?
// QUESTION: How much of the WIF settings can be added to the Website Root for Inheritance?
// QUESTION: How can we call Claims Mapper Service without a SAML token. - it hasn't been created yet. Or can we create a temporary one here????
List<Claim> claims = new List<Claim>();
if( emailClaim != null)
{
var emailAddress = emailClaim.Value;
var realm = details.Realm.ToString();
var applicationName = realm.Substring(realm.IndexOf(":")+1);
// call claims mapper and add additional claims...
claims.Add(new Claim("AuditInfo", "Test AuditInfo Value"));
}
else
{
claims.Add(new Claim("STSClaimsLoadError", "Could not determine the partner and/or application. Make sure the realm has the application name and IdP provides the partner claim."));
}
claimsIdentity.AddClaims(claims);
return claimsIdentity.Claims;
*/
}
private void ValidateTokenType(RequestDetails details)
{
if (details.TokenType == TokenTypes.SimpleWebToken || details.TokenType == TokenTypes.JsonWebToken)
{
if (details.RelyingPartyRegistration == null ||
details.RelyingPartyRegistration.SymmetricSigningKey == null ||
details.RelyingPartyRegistration.SymmetricSigningKey.Length == 0)
{
Tracing.Error("Token with symmetric siganture requested, but no symmetric signing key found");
throw new InvalidRequestException("Token with symmetric siganture requested, but no symmetric signing key found");
}
}
}
public IEnumerable<Claim> ProcessClaims(ClaimsPrincipal incomingPrincipal, IdentityProvider identityProvider, RequestDetails details)
{
return incomingPrincipal.Claims;
}
protected virtual void AnalyzeDelegation(RequestSecurityToken rst, RequestDetails details)
{
// check for identity delegation request
if (rst.ActAs != null)
{
details.IsActAsRequest = true;
Tracing.Information("Request is ActAs request");
}
}
protected virtual void AnalyzeTokenType(RequestSecurityToken rst, RequestDetails details)
{
if (string.IsNullOrWhiteSpace(rst.TokenType))
{
details.TokenType = _configuration.DefaultTokenType;
Tracing.Information("Token Type: not specified, falling back to default token type");
}
else
{
Tracing.Information("Token Type: " + rst.TokenType);
details.TokenType = rst.TokenType;
}
}
protected virtual RelyingParty AnalyzeRelyingParty(RequestDetails details)
{
// check if the relying party is registered
RelyingParty rp = null;
if (RelyingPartyRepository.TryGet(details.Realm.Uri.AbsoluteUri, out rp))
{
details.RelyingPartyRegistration = rp;
details.IsKnownRealm = true;
var traceString = String.Format("Relying Party found in registry - Realm: {0}", rp.Realm.AbsoluteUri);
if (!string.IsNullOrEmpty(rp.Name))
{
traceString += String.Format(" ({0})", rp.Name);
}
Tracing.Information(traceString);
if (rp.EncryptingCertificate != null)
{
details.EncryptingCertificate = rp.EncryptingCertificate;
Tracing.Information("Encrypting certificate set from registry");
}
}
else
{
Tracing.Information("Relying party is not registered.");
}
return rp;
}
protected virtual void AnalyzeOperationContext(RequestDetails details)
{
// determine if this is a WCF call
if (OperationContext.Current != null)
{
details.IsActive = true;
Tracing.Information("Active request");
}
else
{
Tracing.Information("Passive request");
}
}
public IEnumerable<Claim> GetClaims(ClaimsPrincipal principal, RequestDetails requestDetails)
{
var userName = principal.Identity.Name;
var claims = new List<Claim>(from c in principal.Claims select c);
// roles
GetRolesForToken(userName).ToList().ForEach(role => claims.Add(new Claim(System.Security.Claims.ClaimTypes.Role, role)));
// profile claims
claims.AddRange(GetProfileClaims(userName));
//context claims
if (requestDetails.Request.AdditionalContext != null && requestDetails.Request.AdditionalContext.Items.Count() > 0)
{
//Aggiunta di Claim da parte del client questa logica serve per settare di lingua,company e profilo
var passedProfile = requestDetails.Request.AdditionalContext.Items.FirstOrDefault(p => p.Name.ToString() == Sagrada.IdentityServer.ClaimTypes.Profile);
if (passedProfile != null)
{
var profiles = SagradaIdentityService.GetProfiles(userName);
if (profiles.Count(p => p.Item1.ToString() == passedProfile.Value) == 0)
{
string errors = string.Format("additionalContext request from {0} has a not valid claim : {1}.", requestDetails.Realm.Uri, Sagrada.IdentityServer.ClaimTypes.Profile);
Tracing.Error(errors);
throw new InvalidRequestException(errors);
}
else
claims.Add(new Claim(Sagrada.IdentityServer.ClaimTypes.Profile, passedProfile.Value));
}
var passedCompany = requestDetails.Request.AdditionalContext.Items.FirstOrDefault(p => p.Name.ToString() == Sagrada.IdentityServer.ClaimTypes.Company);
if (passedCompany != null)
{
var companies = SagradaIdentityService.GetCompanies();
if (companies.Count(p => p.Item1.ToString() == passedCompany.Value) == 0)
{
string errors = string.Format("additionalContext request from {0} has a not valid claim : {1}.", requestDetails.Realm.Uri, Sagrada.IdentityServer.ClaimTypes.Company);
Tracing.Error(errors);
throw new InvalidRequestException(errors);
}
else
claims.Add(new Claim(Sagrada.IdentityServer.ClaimTypes.Company, passedCompany.Value));
}
var passedLanguage = requestDetails.Request.AdditionalContext.Items.FirstOrDefault(p => p.Name.ToString() == Sagrada.IdentityServer.ClaimTypes.Language);
if (passedLanguage != null)
{
var languages = SagradaIdentityService.GetLanguages();
if (languages.Count(p => p.Name == passedLanguage.Value) == 0)
{
string errors = string.Format("additionalContext request from {0} has a not valid claim : {1}.", requestDetails.Realm.Uri, Sagrada.IdentityServer.ClaimTypes.Language);
Tracing.Error(errors);
throw new InvalidRequestException(errors);
}
else
claims.Add(new Claim(Sagrada.IdentityServer.ClaimTypes.Language, passedLanguage.Value));
}
};
return claims;
}
protected virtual void AnalyzeSsl(RequestDetails details)
{
// determine if reply to is via SSL
details.UsesSsl = (details.ReplyToAddress.Scheme == Uri.UriSchemeHttps);
Tracing.Information(String.Format("SSL used:{0}", details.UsesSsl));
}
protected virtual void ValidateDelegation(RequestDetails details)
{
// check for ActAs request
if (details.IsActAsRequest)
{
if (!_configuration.EnableDelegation)
{
Tracing.Error("Request is ActAs request - but ActAs is not enabled");
throw new InvalidRequestException("Request is ActAs request - but ActAs is not enabled");
}
if (!DelegationRepository.IsDelegationAllowed(details.ClientIdentity.Name, details.Realm.Uri.AbsoluteUri))
{
Tracing.Error(String.Format("ActAs mapping not found."));
throw new InvalidRequestException("ActAs mapping not found.");
}
}
}
protected virtual void AnalyzeRealm(RequestSecurityToken rst, RequestDetails options)
{
// check realm
if (rst.AppliesTo == null || rst.AppliesTo.Uri == null)
{
throw new Exception("AppliesTo is missing");
//throw new MissingAppliesToException("AppliesTo is missing");
}
options.Realm = new EndpointAddress(rst.AppliesTo.Uri);
}
protected virtual void AnalyzeRst(RequestSecurityToken rst, RequestDetails options)
{
if (rst == null)
{
throw new ArgumentNullException("request");
}
options.Request = rst;
}
protected virtual void ValidateEncryption(RequestDetails details)
{
// check if token must be encrypted
if (_configuration.RequireEncryption && (!details.UsesEncryption))
{
Tracing.Error("Configuration requires encryption - but no key available");
throw new InvalidRequestException("No encryption key available");
}
}
protected virtual void ValidateReplyTo(RequestDetails details)
{
// check if replyto is part of a registered realm (when not explicitly registered in config)
if (!details.IsReplyToFromConfiguration)
{
if (_configuration.RequireReplyToWithinRealm && (!details.ReplyToAddressIsWithinRealm))
{
Tracing.Error("Configuration requires that ReplyTo is a sub-address of the realm - this is not the case");
throw new InvalidRequestException("Invalid ReplyTo");
}
}
}
public IEnumerable<System.Security.Claims.Claim> GetClaims(
ClaimsPrincipal principal, RequestDetails requestDetails)
{
var user = userSvc.GetByUsername(principal.Identity.Name);
if (user == null) throw new ArgumentException("Invalid Username");
var claims = new List<Claim>();
claims.Add(new Claim(ClaimTypes.Name, user.Username));
claims.Add(new Claim(ClaimTypes.NameIdentifier, user.ID.ToString("D")));
if (!String.IsNullOrWhiteSpace(user.Email))
{
claims.Add(new Claim(ClaimTypes.Email, user.Email));
}
if (!String.IsNullOrWhiteSpace(user.MobilePhoneNumber))
{
claims.Add(new Claim(ClaimTypes.MobilePhone, user.MobilePhoneNumber));
}
//var x509 = from c in user.Certificates
// select new Claim(ClaimTypes.X500DistinguishedName, c.Subject);
//claims.AddRange(x509);
var otherClaims =
(from uc in user.Claims
select new Claim(uc.Type, uc.Value)).ToList();
claims.AddRange(otherClaims);
return claims;
}
protected virtual void ValidateKnownRealm(RequestDetails details)
{
// check if realm is allowed
if (_configuration.AllowKnownRealmsOnly && (!details.IsKnownRealm))
{
Tracing.Error("Configuration requires a known realm - but realm is not registered");
throw new Exception(details.Realm.Uri.AbsoluteUri);
//throw new InvalidScopeException(details.Realm.Uri.AbsoluteUri);
}
}
protected virtual void ValidateSsl(RequestDetails details)
{
// check if SSL is used (for passive only)
if (_configuration.RequireSsl && !details.UsesSsl)
{
if (!details.IsActive)
{
Tracing.Error("Configuration requires SSL - but clear text reply address used");
throw new InvalidRequestException("SSL is required");
}
}
}
protected virtual void AnalyzeEncryption(RequestDetails details)
{
if (details.EncryptingCertificate == null)
{
X509Certificate2 requestCertificate;
if (TryGetEncryptionCertificateFromRequest(details.Realm, out requestCertificate))
{
details.EncryptingCertificate = requestCertificate;
Tracing.Information("Encrypting certificate set from RST");
}
}
details.UsesEncryption = (details.EncryptingCertificate != null);
Tracing.Information("Token encryption: " + details.UsesEncryption);
}
