public async Task <String> GetOnBehalfOfAccessToken(string resourceId, string replyUrl)
{
string accessToken = null;
AuthenticationResult result = null;
// The Resource ID of the service we want to call.
// The current user's access token, from the current request's authorization header.
// The credentials of this application.
// The username (UPN or email) of the user calling the API
//
ClientCredential clientCred = new ClientCredential(ConfigHelper.ClientId, ConfigHelper.AppKey);
if (ClaimsPrincipal.Current.Identities.First().BootstrapContext == null)
{
throw new Exception("BootstrapContext is null. Please modify the config 'saveSignInToken = true' to ensure that the original token is preserved.");
}
System.IdentityModel.Tokens.BootstrapContext bootstrapContext = new System.IdentityModel.Tokens.BootstrapContext(ClaimsPrincipal.Current.Identities.First().BootstrapContext.ToString());
if (bootstrapContext == null || string.IsNullOrWhiteSpace(bootstrapContext.Token))
{
throw new Exception("Failed to obtain the BootstrapContext token. Please modify the config 'saveSignInToken = true' to ensure that the original token is preserved.");
}
string userAccessToken = bootstrapContext.Token;
// The username (UPN or email) of the user calling the API
string userName = ClaimsPrincipal.Current.FindFirst(ClaimTypes.Upn) != null?ClaimsPrincipal.Current.FindFirst(ClaimTypes.Upn).Value : ClaimsPrincipal.Current.FindFirst(ClaimTypes.Email).Value;
if (string.IsNullOrWhiteSpace(userName))
{
throw new Exception("Failed to obtain the signed-in user's name or upn in the ClaimsPrincipal.Current.Claims collection.");
}
UserAssertion userAssertion = new UserAssertion(userAccessToken, OAuth2GrantTypeJwtBearer, userName);
string userId = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier).Value;
AuthenticationContext authContext = new AuthenticationContext(this.Authority, this.TokenCache);
try
{
result = await authContext.AcquireTokenSilentAsync(resourceId, clientCred, new UserIdentifier(Util.GetSignedInUsersObjectIdFromClaims(), UserIdentifierType.UniqueId));
}
catch (AdalException ex)
{
result = await authContext.AcquireTokenAsync(resourceId, clientCred, userAssertion);
}
accessToken = result.AccessToken;
return(accessToken);
}
public async Task <TokenResultModel> GetTokenForAsync(string resource, IEnumerable <string> scopes = null)
{
ClientCredential clientCred = new ClientCredential(_aadClientId, _appSecret);
ClaimsPrincipal current = ClaimsPrincipal.Current;
if (current == null)
{
throw new AuthenticationException("Missing claims principal.");
}
System.IdentityModel.Tokens.BootstrapContext bootstrapContext = new System.IdentityModel.Tokens.BootstrapContext(current.Identities.First().BootstrapContext.ToString());
if (bootstrapContext == null)
{
throw new AuthenticationException("bootstrapContext is null.");
}
string userName = current.FindFirst(ClaimTypes.Upn) != null
? current.FindFirst(ClaimTypes.Upn).Value
: current.FindFirst(ClaimTypes.Email).Value;
string userAccessToken = bootstrapContext.Token;
UserAssertion userAssertion = new UserAssertion(userAccessToken, kGrantType, userName);
string authority = String.Format(CultureInfo.InvariantCulture, _aadInstance, _aadTenant);
string userId = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier).Value;
AuthenticationContext authContext = new AuthenticationContext(authority);
string userObjectID = (ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier"))?.Value;
var user = new UserIdentifier(userObjectID, UserIdentifierType.UniqueId);
try
{
_result = await authContext.AcquireTokenAsync(resource, clientCred, userAssertion);
return(_result.ToTokenResult());
}
catch (AdalException ex)
{
throw new AuthenticationException(
$"Failed to authenticate on behalf of {userName}", ex);
}
}
public static async Task <object> CallApiOnBehalfOfUser()
{
if (!ClaimsPrincipal.Current.FindAll("https://schemas.microsoft.com/identity/claims/scope").Any(x => x.Value.Contains("user_impersonation")))
{
throw new HttpResponseException(new HttpResponseMessage {
StatusCode = HttpStatusCode.Unauthorized, ReasonPhrase = "The Scope claim does not contain 'user_impersonation' or scope claim not found"
});
}
var authContext = new AuthenticationContext(Authority, false);
// ClientId needs to be audience/target resource, can't be guid?!
// See https://docs.microsoft.com/sv-se/windows-server/identity/ad-fs/development/ad-fs-on-behalf-of-authentication-in-windows-server
// It is very important that the ida:Audience and ida:ClientID match each other
var credential = new ClientCredential(ClientId, ClientSecret);
var bootstrapContext = new System.IdentityModel.Tokens.BootstrapContext(ClaimsPrincipal.Current.Identities.First().BootstrapContext.ToString());
var userName = ClaimsPrincipal.Current.FindFirst(ClaimTypes.Upn) != null?ClaimsPrincipal.Current.FindFirst(ClaimTypes.Upn).Value : ClaimsPrincipal.Current.FindFirst(ClaimTypes.Email).Value;
var userAccessToken = bootstrapContext.Token;
var userAssertion = new UserAssertion(userAccessToken, "urn:ietf:params:oauth:grant-type:jwt-bearer", userName);
var tokenResult = await authContext.AcquireTokenAsync(Resource, credential, userAssertion);
var client = new HttpClient();
var requestUri = $"{Resource}api/identity";
var request = new HttpRequestMessage(HttpMethod.Get, requestUri);
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", tokenResult.AccessToken);
var response = await client.SendAsync(request);
if (response.IsSuccessStatusCode)
{
var content = await response.Content.ReadAsStringAsync();
var claimsIdentity = JsonConvert.DeserializeObject <object>(content);
return(claimsIdentity);
}
return("Unsuccessful OBO operation : " + response.ReasonPhrase);
}
