/// <summary>
/// Finds a relying party by realm
/// </summary>
/// <param name="realm">The realm</param>
/// <returns>
/// The relying party
/// </returns>
public async Task <RelyingParty> FindRelyingPartyByRealm(string realm)
{
var relyingParty = await _cache.GetAsync(realm,
_options.Caching.ClientStoreExpiration,
() => _inner.FindRelyingPartyByRealm(realm),
_logger);
return(relyingParty);
}
public async Task <SignInValidationResult> ValidateAsync(WsFederationMessage message, ClaimsPrincipal user)
{
//Logger.Info("Start WS-Federation signin request validation");
var result = new SignInValidationResult
{
WsFederationMessage = message
};
// check client
var client = await _clients.FindEnabledClientByIdAsync(message.Wtrealm);
if (client == null)
{
LogError("Client not found: " + message.Wtrealm, result);
return(new SignInValidationResult
{
Error = "invalid_relying_party"
});
}
if (client.ProtocolType != IdentityServerConstants.ProtocolTypes.WsFederation)
{
LogError("Client is not configured for WS-Federation", result);
return(new SignInValidationResult
{
Error = "invalid_relying_party"
});
}
result.Client = client;
result.ReplyUrl = client.RedirectUris.First();
// check if additional relying party settings exist
var rp = await _relyingParties.FindRelyingPartyByRealm(message.Wtrealm);
if (rp == null)
{
rp = new RelyingParty
{
TokenType = _options.DefaultTokenType,
SignatureAlgorithm = _options.DefaultSignatureAlgorithm,
DigestAlgorithm = _options.DefaultDigestAlgorithm,
SamlNameIdentifierFormat = _options.DefaultSamlNameIdentifierFormat,
ClaimMapping = _options.DefaultClaimMapping
};
}
result.RelyingParty = rp;
if (user == null ||
user.Identity.IsAuthenticated == false)
{
result.SignInRequired = true;
}
result.User = user;
LogSuccess(result);
return(result);
}
/// <summary>
/// Validates the asynchronous.
/// </summary>
/// <param name="message">The message.</param>
/// <param name="user">The user.</param>
/// <returns></returns>
public async Task <SignInValidationResult> ValidateAsync(WsFederationMessage message, ClaimsPrincipal user)
{
var result = new SignInValidationResult
{
WsFederationMessage = message
};
// check client
var client = await _clients.FindEnabledClientByIdAsync(message.Wtrealm);
if (client == null)
{
return(new SignInValidationResult
{
Error = "invalid_relying_party",
ErrorMessage = $"{message.Wtrealm} client not found."
});
}
if (client.ProtocolType != IdentityServerConstants.ProtocolTypes.WsFederation)
{
return(new SignInValidationResult
{
Error = "invalid_relying_party",
ErrorMessage = $"{message.Wtrealm} client is not a wsfed client."
});
}
var rp = await _relyingParties.FindRelyingPartyByRealm(message.Wtrealm).ConfigureAwait(false);
if (rp == null)
{
return(new SignInValidationResult
{
Error = "invalid_relying_party",
ErrorMessage = $"{message.Wtrealm} relying party not found."
});
}
var replyUrl = message.Wreply ?? client.RedirectUris.FirstOrDefault();
if (!Uri.TryCreate(replyUrl, UriKind.Absolute, out Uri _))
{
return(new SignInValidationResult
{
Error = "invalid_relying_party",
ErrorMessage = $"'{replyUrl}' is not a valid absolute uri. Message wreply received: {message.Wreply}. Client 1st redirect uri: {client.RedirectUris.FirstOrDefault()}."
});
}
result.Client = client;
result.ReplyUrl = replyUrl;
result.RelyingParty = rp;
if (user == null || !user.Identity.IsAuthenticated)
{
result.SignInRequired = true;
}
result.User = user;
return(result);
}
public async Task <SignInValidationResult> ValidateAsync(WsFederationMessage message, ClaimsPrincipal user)
{
_logger.LogInformation("Start WS-Federation signin request validation");
var result = new SignInValidationResult
{
WsFederationMessage = message
};
// check client
var client = await _clients.FindEnabledClientByIdAsync(message.Wtrealm);
if (client == null)
{
LogError("Client not found: " + message.Wtrealm, result);
return(new SignInValidationResult
{
Error = "invalid_relying_party"
});
}
if (client.Enabled == false)
{
LogError("Client is disabled: " + message.Wtrealm, result);
return(new SignInValidationResult
{
Error = "invalid_relying_party"
});
}
if (client.ProtocolType != IdentityServerConstants.ProtocolTypes.WsFederation)
{
LogError("Client is not configured for WS-Federation", result);
return(new SignInValidationResult
{
Error = "invalid_relying_party"
});
}
result.Client = client;
result.ReplyUrl = client.RedirectUris.First();
// check if additional relying party settings exist
var rp = await _relyingParties.FindRelyingPartyByRealm(message.Wtrealm);
if (rp == null)
{
rp = new RelyingParty
{
TokenType = _options.DefaultTokenType,
SignatureAlgorithm = _options.DefaultSignatureAlgorithm,
DigestAlgorithm = _options.DefaultDigestAlgorithm,
SamlNameIdentifierFormat = _options.DefaultSamlNameIdentifierFormat,
ClaimMapping = _options.DefaultClaimMapping
};
}
result.RelyingParty = rp;
if (user == null ||
user.Identity.IsAuthenticated == false)
{
result.SignInRequired = true;
return(result);
}
result.User = user;
if (!string.IsNullOrEmpty(message.Wfresh))
{
if (int.TryParse(message.Wfresh, out int maxAgeInMinutes))
{
if (maxAgeInMinutes == 0)
{
_logger.LogInformation("Showing login: Requested wfresh=0.");
message.Wfresh = null;
result.SignInRequired = true;
return(result);
}
var authTime = user.GetAuthenticationTime();
if (_clock.UtcNow.UtcDateTime > authTime.AddMinutes(maxAgeInMinutes))
{
_logger.LogInformation("Showing login: Requested wfresh time exceeded.");
result.SignInRequired = true;
return(result);
}
}
}
LogSuccess(result);
return(result);
}