// Inject custom logic for validating which users we allow to sign in // Here we check that the user (or their tenant admin) has signed up for the application. private Task OnTokenValidated(TokenValidatedContext context) { // Retrieve the db service TodoListWebAppContext db = (TodoListWebAppContext)context.HttpContext.RequestServices.GetService(typeof(TodoListWebAppContext)); // Retrieve caller data from the incoming principal string issuer = context.Ticket.Principal.FindFirst(AzureADConstants.Issuer).Value; string objectID = context.Ticket.Principal.FindFirst(AzureADConstants.ObjectIdClaimType).Value; string tenantID = context.Ticket.Principal.FindFirst(AzureADConstants.TenantIdClaimType).Value; string upn = context.Ticket.Principal.FindFirst(ClaimTypes.Upn).Value; // Look up existing sign up records from the database Tenant tenant = db.Tenants.FirstOrDefault(a => a.IssValue.Equals(issuer)); AADUserRecord user = db.Users.FirstOrDefault(b => b.ObjectID.Equals(objectID)); // If the user is signing up, add the user or tenant to the database record of sign ups. string adminConsentSignUp = null; if (context.Properties.Items.TryGetValue(Constants.AdminConsentKey, out adminConsentSignUp)) { if (adminConsentSignUp == Constants.True) { if (tenant == null) { tenant = new Tenant { Created = DateTime.Now, IssValue = issuer, Name = context.Properties.Items[Constants.TenantNameKey], AdminConsented = true }; db.Tenants.Add(tenant); } else { tenant.AdminConsented = true; } } else if (user == null) { user = new AADUserRecord { UPN = upn, ObjectID = objectID }; db.Users.Add(user); } db.SaveChanges(); } // Ensure that the caller is recorded in the db of users who went through the individual onboarding // or if the caller comes from an admin-consented, recorded issuer. if ((tenant == null || !tenant.AdminConsented) && (user == null)) { // If not, the caller was neither from a trusted issuer or a registered user - throw to block the authentication flow throw new SecurityTokenValidationException("Did you forget to sign-up?"); } return(Task.FromResult(0)); }
public DbTokenCache(TodoListWebAppContext db, IHttpContextAccessor httpContextAccessor, IOptions <AzureADConfig> aadConfig) { this.BeforeAccess = BeforeAccessNotification; this.AfterAccess = AfterAccessNotification; this.BeforeWrite = BeforeWriteNotification; _aadConfig = aadConfig.Value; _userId = httpContextAccessor.HttpContext.User.FindFirst(AzureADConstants.ObjectIdClaimType).Value; string tenantId = httpContextAccessor.HttpContext.User.FindFirst(AzureADConstants.TenantIdClaimType).Value; _authContext = new AuthenticationContext(String.Format(_aadConfig.AuthorityFormat, tenantId), this); _appCredentials = new ClientCredential(_aadConfig.ClientId, _aadConfig.ClientSecret); }
public override void OnAuthorization(HttpActionContext actionContext) { string issuer = ClaimsPrincipal.Current.FindFirst(ClaimTypes.Name).Issuer; string UPN = ClaimsPrincipal.Current.FindFirst(ClaimTypes.Name).Value; string tenantID = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value; using (TodoListWebAppContext db = new TodoListWebAppContext()) { if (!( // Verifies if the organization to which the caller belongs is trusted. // This onboarding style is not possible in the consent flow originated by a native app shown in this sample, // but it could be achieved by triggering consent from an associated web application. // For details, see the sample https://github.com/AzureADSamples/WebApp-WebAPI-MultiTenant-OpenIdConnect-DotNet (db.Tenants.FirstOrDefault(a => ((a.IssValue == issuer) && (a.AdminConsented))) != null) // Verifies if the caller is in the db of onboarded users. || (db.Users.FirstOrDefault(b => (b.UPN == UPN) && (b.TenantID == tenantID)) != null) )) { actionContext.Response = actionContext.Request.CreateErrorResponse(HttpStatusCode.Unauthorized, $"The user {UPN} has not been onboarded. Sign up and try again"); } } }
public TodoController(TodoListWebAppContext context) { _db = context; }