// Inject custom logic for validating which users we allow to sign in
// Here we check that the user (or their tenant admin) has signed up for the application.
private Task OnTokenValidated(TokenValidatedContext context)
{
// Retrieve the db service
TodoListWebAppContext db = (TodoListWebAppContext)context.HttpContext.RequestServices.GetService(typeof(TodoListWebAppContext));
// Retrieve caller data from the incoming principal
string issuer = context.Ticket.Principal.FindFirst(AzureADConstants.Issuer).Value;
string objectID = context.Ticket.Principal.FindFirst(AzureADConstants.ObjectIdClaimType).Value;
string tenantID = context.Ticket.Principal.FindFirst(AzureADConstants.TenantIdClaimType).Value;
string upn = context.Ticket.Principal.FindFirst(ClaimTypes.Upn).Value;
// Look up existing sign up records from the database
Tenant tenant = db.Tenants.FirstOrDefault(a => a.IssValue.Equals(issuer));
AADUserRecord user = db.Users.FirstOrDefault(b => b.ObjectID.Equals(objectID));
// If the user is signing up, add the user or tenant to the database record of sign ups.
string adminConsentSignUp = null;
if (context.Properties.Items.TryGetValue(Constants.AdminConsentKey, out adminConsentSignUp))
{
if (adminConsentSignUp == Constants.True)
{
if (tenant == null)
{
tenant = new Tenant {
Created = DateTime.Now, IssValue = issuer, Name = context.Properties.Items[Constants.TenantNameKey], AdminConsented = true
};
db.Tenants.Add(tenant);
}
else
{
tenant.AdminConsented = true;
}
}
else if (user == null)
{
user = new AADUserRecord {
UPN = upn, ObjectID = objectID
};
db.Users.Add(user);
}
db.SaveChanges();
}
// Ensure that the caller is recorded in the db of users who went through the individual onboarding
// or if the caller comes from an admin-consented, recorded issuer.
if ((tenant == null || !tenant.AdminConsented) && (user == null))
{
// If not, the caller was neither from a trusted issuer or a registered user - throw to block the authentication flow
throw new SecurityTokenValidationException("Did you forget to sign-up?");
}
return(Task.FromResult(0));
}
public DbTokenCache(TodoListWebAppContext db, IHttpContextAccessor httpContextAccessor, IOptions <AzureADConfig> aadConfig)
{
this.BeforeAccess = BeforeAccessNotification;
this.AfterAccess = AfterAccessNotification;
this.BeforeWrite = BeforeWriteNotification;
_aadConfig = aadConfig.Value;
_userId = httpContextAccessor.HttpContext.User.FindFirst(AzureADConstants.ObjectIdClaimType).Value;
string tenantId = httpContextAccessor.HttpContext.User.FindFirst(AzureADConstants.TenantIdClaimType).Value;
_authContext = new AuthenticationContext(String.Format(_aadConfig.AuthorityFormat, tenantId), this);
_appCredentials = new ClientCredential(_aadConfig.ClientId, _aadConfig.ClientSecret);
}
public override void OnAuthorization(HttpActionContext actionContext)
{
string issuer = ClaimsPrincipal.Current.FindFirst(ClaimTypes.Name).Issuer;
string UPN = ClaimsPrincipal.Current.FindFirst(ClaimTypes.Name).Value;
string tenantID = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
using (TodoListWebAppContext db = new TodoListWebAppContext())
{
if (!(
// Verifies if the organization to which the caller belongs is trusted.
// This onboarding style is not possible in the consent flow originated by a native app shown in this sample,
// but it could be achieved by triggering consent from an associated web application.
// For details, see the sample https://github.com/AzureADSamples/WebApp-WebAPI-MultiTenant-OpenIdConnect-DotNet
(db.Tenants.FirstOrDefault(a => ((a.IssValue == issuer) && (a.AdminConsented))) != null)
// Verifies if the caller is in the db of onboarded users.
|| (db.Users.FirstOrDefault(b => (b.UPN == UPN) && (b.TenantID == tenantID)) != null)
))
{
actionContext.Response = actionContext.Request.CreateErrorResponse(HttpStatusCode.Unauthorized,
$"The user {UPN} has not been onboarded. Sign up and try again");
}
}
}
public TodoController(TodoListWebAppContext context)
{
_db = context;
}
