/// <summary>
/// Validate the issuer. The issuer is considered as valid if it
/// has the same http scheme and authority as the trusted issuer uri
/// from the configuration file or default uri, plus it has to have
/// a tenant Id, and optionally v2.0 but nothing more..
/// </summary>
/// <param name="issuer">Issuer to validate (will be tenanted)</param>
/// <param name="config">Authentication configuration</param>
/// <returns>The <c>issuer</c> if it's valid</returns>
private static string ValidateIssuer(string issuer, IAuthConfig config)
{
var uri = new Uri(issuer);
var authorityUri = new Uri(config?.TrustedIssuer ?? kDefaultIssuerUri);
if (uri.Scheme != authorityUri.Scheme ||
uri.Authority != authorityUri.Authority)
{
throw new SecurityTokenInvalidIssuerException(
"Issuer has wrong authority.");
}
var parts = uri.AbsolutePath.Split(new char[] { '/' },
StringSplitOptions.RemoveEmptyEntries);
if (parts.Length == 0)
{
throw new SecurityTokenInvalidIssuerException(
"Issuer is not tenanted.");
}
if (parts.Length >= 1 && !Guid.TryParse(parts[0], out var tenantId))
{
throw new SecurityTokenInvalidIssuerException(
"No valid tenant Id for the issuer.");
}
if (parts.Length > 1 && parts[2] != "v2.0")
{
throw new SecurityTokenInvalidIssuerException(
"Only accepted protocol versions are AAD v1.0 or V2.0");
}
return(issuer);
}
public UsersController(IMapper mapper, IHttpContextAccessor httpContextAccessor, IAuthConfig authConfig, IAuthorService authorService)
{
_mapper = mapper;
_httpContextAccessor = httpContextAccessor;
_authConfig = authConfig;
_authorService = authorService;
}
/// <summary>
/// Helper to add jwt bearer authentication
/// </summary>
/// <param name="services"></param>
/// <param name="config"></param>
/// <param name="inDevelopment"></param>
public static void AddJwtBearerAuthentication(this IServiceCollection services,
IAuthConfig config, bool inDevelopment)
{
if (config.HttpsRedirectPort > 0)
{
services.AddHsts(options => {
options.Preload = true;
options.IncludeSubDomains = true;
options.MaxAge = TimeSpan.FromDays(60);
});
services.AddHttpsRedirection(options => {
options.RedirectStatusCode = StatusCodes.Status307TemporaryRedirect;
options.HttpsPort = config.HttpsRedirectPort;
});
}
// Allow access to context from within token providers and other client auth
services.AddSingleton <IHttpContextAccessor, HttpContextAccessor>();
// Add jwt bearer auth
services
.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options => {
options.Authority = config.GetAuthorityUrl() + "/v2.0";
options.SaveToken = true; // Save token to allow request on behalf
options.TokenValidationParameters = new TokenValidationParameters {
ClockSkew = config.AllowedClockSkew,
ValidateIssuer = true,
IssuerValidator = (iss, t, p) => ValidateIssuer(iss, config),
ValidateAudience = !string.IsNullOrEmpty(config.Audience),
ValidAudience = config.Audience
};
options.Events = new JwtBearerEvents {
OnAuthenticationFailed = ctx => {
if (config.AuthRequired)
{
ctx.NoResult();
return(WriteErrorAsync(ctx.Response, inDevelopment ?
ctx.Exception : null));
}
return(Task.CompletedTask);
},
OnTokenValidated = ctx => {
if (ctx.SecurityToken is JwtSecurityToken accessToken)
{
if (ctx.Principal.Identity is ClaimsIdentity identity)
{
identity.AddClaim(new Claim("access_token",
accessToken.RawData));
}
}
return(Task.CompletedTask);
}
};
});
}
public UsersController(
IMapper mapper,
IHttpContextAccessor httpContextAccessor,
IHubContext <UsersHub> userHubContext,
IAuthConfig authConfig,
IUserService userService)
{
_mapper = mapper;
_httpContextAccessor = httpContextAccessor;
_userHubContext = userHubContext;
_authConfig = authConfig;
_userService = userService;
}
/// <summary>
/// Add v1 policies to options
/// </summary>
/// <param name="config"></param>
/// <param name="servicesConfig"></param>
/// <param name="options"></param>
public static void AddV1Policies(this AuthorizationOptions options,
IAuthConfig config, IServicesConfig servicesConfig)
{
options.AddPolicy(Policies.CanRead, policy =>
policy.RequireAuthenticatedUser());
options.AddPolicy(Policies.CanWrite, policy =>
policy.RequireAuthenticatedUser()
.Require(WriterRights));
options.AddPolicy(Policies.CanSign, policy =>
policy.RequireAuthenticatedUser()
.Require(ApproverRights));
options.AddPolicy(Policies.CanManage, policy =>
policy.RequireAuthenticatedUser()
.Require(AdminRights));
}
public ProjectsController(
IMapper mapper,
IHttpContextAccessor httpContextAccessor,
IHubContext <ProjectsHub> projectHubContext,
IAuthConfig authConfig,
IProjectService projectService,
IUserService userService)
{
_mapper = mapper;
_httpContextAccessor = httpContextAccessor;
_projectHubContext = projectHubContext;
_authConfig = authConfig;
_projectService = projectService;
_userService = userService;
}
public InternalClient(IConfiguration configuration, IAuthConfig authConfig)
{
Config = configuration ?? TrueDialogConfigSection.GetConfig();
AccountId = authConfig.AccountId;
if (AccountId == 0)
{
throw new ArgumentException("Account ID is missing.");
}
var strategy = GetRetryStrategy();
RetryPolicy = new RetryPolicy <RestErrorDetectionStrategy>(strategy);
RestClient = CreateClient(Config, authConfig);
}
/// <summary>
/// Url of the token issuing instance. E.g. the JWT bearer
/// authentication middleware will use this URI as base
/// uri to retrieve the public key that can be used to
/// validate the token's signature.
/// </summary>
/// <param name="config"></param>
/// <returns></returns>
public static string GetAuthorityUrl(this IAuthConfig config)
{
var instanceUrl = config?.InstanceUrl;
if (string.IsNullOrEmpty(instanceUrl))
{
instanceUrl = "https://login.microsoftonline.com/";
}
var tenantId = config?.TenantId;
if (string.IsNullOrEmpty(tenantId))
{
tenantId = "common";
}
return(instanceUrl.TrimEnd('/') + "/" + tenantId);
}
public void SaveAuthConfig(IAuthConfig c)
{
var configSection = (TGFCSpidermanSection)_config.GetSection(SectionName);
if (configSection == null)
{
configSection = new TGFCSpidermanSection();
configSection.AuthElement.UserName = c.UserName;
configSection.AuthElement.AuthToken = c.AuthToken;
_config.Sections.Add(SectionName, configSection);
}
else
{
configSection.AuthElement.UserName = c.UserName;
configSection.AuthElement.AuthToken = c.AuthToken;
}
_config.Save(ConfigurationSaveMode.Modified);
System.Configuration.ConfigurationManager.RefreshSection(SectionName);
}
private IRestClient CreateClient(IConfiguration config, IAuthConfig authConfig)
{
Assembly thisAssembly = Assembly.GetCallingAssembly();
AssemblyName asmName = thisAssembly.GetName();
var version = asmName.Version.ToString();
string user = authConfig.UserName;
string pass = authConfig.Password;
m_userAuthenticator = new HttpBasicAuthenticator(user, pass);
string apiKey = string.IsNullOrEmpty(authConfig.ApiKey) ? user : authConfig.ApiKey;
string apiSecret = string.IsNullOrEmpty(authConfig.ApiSecret) ? pass : authConfig.ApiSecret;
m_apiAuthenticator = new HttpBasicAuthenticator(apiKey, apiSecret);
string userAgent = config.UserAgent;
if (String.IsNullOrWhiteSpace(userAgent))
{
userAgent = String.Format("TrueDialog SDK.NET {0}", version);
}
var rval = new RestClient
{
Authenticator = m_apiAuthenticator,
BaseUrl = new Uri(config.BaseUrl),
UserAgent = userAgent,
Timeout = (int)config.Timeout.TotalMilliseconds
};
rval.ClearHandlers();
rval.AddHandler("application/json", () => { return(new NewtonsoftSerializer()); });
rval.AddHandler("text/json", () => { return(new NewtonsoftSerializer()); });
rval.AddHandler("application/xml", () => { return(new XmlDeserializer()); });
rval.AddHandler("text/xml", () => { return(new XmlDeserializer()); });
return(rval);
}
/// <summary>
/// Create validator
/// </summary>
/// <param name="config"></param>
/// <param name="logger"></param>
public JwtTokenValidator(IAuthConfig config, ILogger logger)
{
_config = config ?? throw new ArgumentNullException(nameof(config));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
_tokenHandler = new JwtSecurityTokenHandler();
}
public AuthenticationService(ILoginRepo loginRepo, IAuthConfig authConfig)
{
_loginRepo = loginRepo;
_authConfig = authConfig;
}
