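        /// <summary>
        /// Creates a new instance of <see cref="OpenIdConnectAuthenticationOptions"/> wired up for Okta.
        /// </summary>
        /// <remarks>
        /// The issuer is built from <see cref="OktaMvcOptions.OktaDomain"/> and
        /// <see cref="OktaMvcOptions.AuthorizationServerId"/>, and OIDC metadata is fetched from the
        /// issuer's <c>/.well-known/openid-configuration</c> endpoint. Tokens are validated by
        /// <see cref="StrictSecurityTokenValidator"/> with the audience pinned to
        /// <see cref="OktaMvcOptions.ClientId"/>. <c>SaveSigninToken</c> keeps the raw inbound token
        /// in the resulting identity's bootstrap context, so the token outlives validation.
        /// </remarks>
        /// <param name="oktaMvcOptions">The <see cref="OktaMvcOptions"/> options.</param>
        /// <param name="notifications">
        /// The OpenIdConnectAuthenticationNotifications notifications; only
        /// <c>RedirectToIdentityProvider</c> is copied from it.
        /// </param>
        /// <returns>A new instance of OpenIdConnectAuthenticationOptions.</returns>
        /// <exception cref="System.ArgumentNullException">
        /// <paramref name="oktaMvcOptions"/> or <paramref name="notifications"/> is <c>null</c>.
        /// </exception>
        public static OpenIdConnectAuthenticationOptions BuildOpenIdConnectAuthenticationOptions(OktaMvcOptions oktaMvcOptions, OpenIdConnectAuthenticationNotifications notifications)
        {
            // Fail at the boundary instead of with a NullReferenceException half-way through setup.
            if (oktaMvcOptions == null)
            {
                throw new System.ArgumentNullException(nameof(oktaMvcOptions));
            }

            if (notifications == null)
            {
                throw new System.ArgumentNullException(nameof(notifications));
            }

            var issuer     = UrlHelper.CreateIssuerUrl(oktaMvcOptions.OktaDomain, oktaMvcOptions.AuthorizationServerId);

            // Metadata and token requests carry this library's user agent.
            var httpClient = new HttpClient(new UserAgentHandler("okta-aspnet", typeof(OktaMiddlewareExtensions).Assembly.GetName().Version));

            var configurationManager = new ConfigurationManager <OpenIdConnectConfiguration>(
                issuer + "/.well-known/openid-configuration",
                new OpenIdConnectConfigurationRetriever(),
                new HttpDocumentRetriever(httpClient));

            var tokenValidationParameters = new DefaultTokenValidationParameters(oktaMvcOptions, issuer)
            {
                NameClaimType = "name",
                // Only tokens minted for this client are accepted.
                ValidAudience = oktaMvcOptions.ClientId,
                // CLIST: 2019-11-08 - save the claims token into the bootstrap context for k2
                SaveSigninToken = true,
            };

            var tokenExchanger = new TokenExchanger(oktaMvcOptions, issuer, configurationManager);
            var definedScopes  = oktaMvcOptions.Scope?.ToArray() ?? OktaDefaults.Scope;
            var scopeString    = string.Join(" ", definedScopes);

            var oidcOptions = new OpenIdConnectAuthenticationOptions
            {
                ClientId                  = oktaMvcOptions.ClientId,
                ClientSecret              = oktaMvcOptions.ClientSecret,
                Authority                 = issuer,
                RedirectUri               = oktaMvcOptions.RedirectUri,
                ResponseType              = OpenIdConnectResponseType.CodeIdToken,
                Scope                     = scopeString,
                PostLogoutRedirectUri     = oktaMvcOptions.PostLogoutRedirectUri,
                TokenValidationParameters = tokenValidationParameters,
                SecurityTokenValidator    = new StrictSecurityTokenValidator(),
                // Self-hosted login mode runs the middleware passively — presumably so the
                // application's own login page issues the challenge; confirm against callers.
                AuthenticationMode        = (oktaMvcOptions.LoginMode == LoginMode.SelfHosted) ? AuthenticationMode.Passive : AuthenticationMode.Active,
                Notifications             = new OpenIdConnectAuthenticationNotifications
                {
                    AuthorizationCodeReceived  = tokenExchanger.ExchangeCodeForTokenAsync,
                    RedirectToIdentityProvider = notifications.RedirectToIdentityProvider,
                },
            };

            // An application-supplied hook runs after the token has passed validation.
            if (oktaMvcOptions.SecurityTokenValidated != null)
            {
                oidcOptions.Notifications.SecurityTokenValidated = oktaMvcOptions.SecurityTokenValidated;
            }

            return oidcOptions;
        }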
        /// <summary>
        /// Registers the Okta OpenID Connect middleware on <paramref name="app"/> using the
        /// settings in <paramref name="options"/>.
        /// </summary>
        /// <remarks>
        /// Metadata is read from the issuer's <c>/.well-known/openid-configuration</c> endpoint,
        /// tokens are validated by <see cref="StrictSecurityTokenValidator"/> with the audience
        /// pinned to <see cref="OktaMvcOptions.ClientId"/>, and the process-wide inbound claim
        /// type map is cleared so JWT claim names are kept as issued.
        /// </remarks>
        /// <param name="app">The OWIN application builder to register the middleware on.</param>
        /// <param name="options">The Okta MVC options.</param>
        private static void AddOpenIdConnectAuthentication(IAppBuilder app, OktaMvcOptions options)
        {
            var issuerUrl       = UrlHelper.CreateIssuerUrl(options.OktaDomain, options.AuthorizationServerId);
            var metadataAddress = issuerUrl + "/.well-known/openid-configuration";

            // Metadata and token requests carry this library's user agent.
            var libraryVersion   = typeof(OktaMiddlewareExtensions).Assembly.GetName().Version;
            var userAgentHandler = new UserAgentHandler("okta-aspnet", libraryVersion);
            var client           = new HttpClient(userAgentHandler);

            var metadataManager = new ConfigurationManager<OpenIdConnectConfiguration>(
                metadataAddress,
                new OpenIdConnectConfigurationRetriever(),
                new HttpDocumentRetriever(client));

            // Only tokens minted for this client are accepted.
            var validationParameters = new DefaultTokenValidationParameters(options, issuerUrl);
            validationParameters.NameClaimType = "name";
            validationParameters.ValidAudience = options.ClientId;

            var codeExchanger = new TokenExchanger(options, issuerUrl, metadataManager);

            // Stop the default behavior of remapping JWT claim names to legacy MS/SOAP claim names
            JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

            var requestedScopes = options.Scope?.ToArray() ?? OktaDefaults.Scope;
            var scopeParameter  = string.Join(" ", requestedScopes);

            var notifications = new OpenIdConnectAuthenticationNotifications();
            notifications.AuthorizationCodeReceived  = codeExchanger.ExchangeCodeForTokenAsync;
            notifications.RedirectToIdentityProvider = BeforeRedirectToIdentityProviderAsync;

            var oidcOptions = new OpenIdConnectAuthenticationOptions();
            oidcOptions.ClientId                  = options.ClientId;
            oidcOptions.ClientSecret              = options.ClientSecret;
            oidcOptions.Authority                 = issuerUrl;
            oidcOptions.RedirectUri               = options.RedirectUri;
            oidcOptions.ResponseType              = OpenIdConnectResponseType.CodeIdToken;
            oidcOptions.Scope                     = scopeParameter;
            oidcOptions.PostLogoutRedirectUri     = options.PostLogoutRedirectUri;
            oidcOptions.TokenValidationParameters = validationParameters;
            oidcOptions.SecurityTokenValidator    = new StrictSecurityTokenValidator();
            oidcOptions.Notifications             = notifications;

            app.UseOpenIdConnectAuthentication(oidcOptions);
        }