private void ConfigureAuthorization(IServiceCollection services) { var betaAccessOptions = AuthenticationBetaAppAccessOptions.Construct(Configuration); services.AddAuthorization(options => { options.AddPolicy(Constants.AuthorizationPolicies.AccessCatalog, policyBuilder => policyBuilder.RequireRole(Constants.Roles.BusinessCustomerManager, Constants.Roles.Partner, Constants.Roles.Employee, Constants.Roles.IndividualCustomer)); options.AddPolicy(Constants.AuthorizationPolicies.AddToCatalog, policyBuilder => policyBuilder.RequireRole(Constants.Roles.Partner, Constants.Roles.Employee)); options.AddPolicy(Constants.AuthorizationPolicies.RemoveFromCatalog, policyBuilder => policyBuilder.RequireRole(Constants.Roles.Partner, Constants.Roles.Employee)); options.AddPolicy(Constants.AuthorizationPolicies.AccessPantry, policyBuilder => policyBuilder.RequireRole(Constants.Roles.BusinessCustomerManager, Constants.Roles.BusinessCustomerStocker)); options.AddPolicy(Constants.AuthorizationPolicies.AddToPantry, policyBuilder => policyBuilder.RequireRole(Constants.Roles.BusinessCustomerManager)); options.AddPolicy(Constants.AuthorizationPolicies.RemoveFromPantry, policyBuilder => policyBuilder.RequireRole(Constants.Roles.BusinessCustomerManager)); options.AddPolicy(Constants.AuthorizationPolicies.AccessTrolley, policyBuilder => policyBuilder.RequireRole(Constants.Roles.BusinessCustomerStocker, Constants.Roles.IndividualCustomer)); //options.AddPolicy(Constants.AuthorizationPolicies.AccessCheckout, policyBuilder => policyBuilder.Requirements.Add(new MfaRequirement("B2C_1A_WoodGrove_Dev_mfa"))); options.AddPolicy(Constants.AuthorizationPolicies.AccessCheckout, policyBuilder => policyBuilder.RequireRole(Constants.Roles.BusinessCustomerStocker, Constants.Roles.IndividualCustomer)); options.AddPolicy(Constants.AuthorizationPolicies.ChangeUserRole, policyBuilder => policyBuilder.RequireRole(Constants.Roles.BusinessCustomerStocker, Constants.Roles.BusinessCustomerManager)); options.AddPolicy(Constants.AuthorizationPolicies.BetaAppAccess, policyBuilder => { if (betaAccessOptions.RequireFullAppAuth) { policyBuilder.RequireAuthenticatedUser(); policyBuilder.AddAuthenticationSchemes( Constants.AuthenticationSchemes.CustomerAuth, Constants.AuthenticationSchemes.BusinessCustomerAuth, Constants.AuthenticationSchemes.PartnerOpenIdConnect, Constants.AuthenticationSchemes.BetaAccessOpenIdConnect ); } else { policyBuilder.RequireAssertion(_ => true); } }); }); }
private void ConfigureBetaAppAuthentication(IConfiguration configuration, IServiceCollection services, AuthenticationBuilder authenticationBuilder) { var authenticationOptions = AuthenticationBetaAppAccessOptions.Construct(configuration); if (authenticationOptions.RequireFullAppAuth) { authenticationBuilder.AddOpenIdConnect(Constants.AuthenticationSchemes.BetaAccessOpenIdConnect, options => { options.Authority = authenticationOptions.Authority; options.CallbackPath = new PathString("/betaaccess-callback"); options.ClientId = authenticationOptions.ClientId; options.ClientSecret = authenticationOptions.ClientSecret; options.CorrelationCookie.Expiration = TimeSpan.FromHours(3); options.ConfigurationManager = new PolicyConfigurationManager( authenticationOptions.Authority, new[] { authenticationOptions.Policy }); options.Events = CreateBetaAppOidcEvents(); options.Scope.Remove("profile"); //options.SignedOutCallbackPath = new PathString("/b2c-signout-callback"); options.TokenValidationParameters = new TokenValidationParameters { NameClaimType = Constants.ClaimTypes.Name }; }); //authenticationBuilder.AddOpenIdConnect(Constants.AuthenticationSchemes.BetaAccessOpenIdConnect, options => //{ // options.Authority = authenticationOptions.Authority; // options.CallbackPath = new PathString("/betaaccess-callback"); // options.ClientId = authenticationOptions.ClientId; // options.Events = CreateB2COpenIdConnectEvents(); // options.SignedOutCallbackPath = new PathString("/betaaccess-signout-callback"); // options.TokenValidationParameters = new TokenValidationParameters // { // NameClaimType = Constants.ClaimTypes.Name // }; //}); } services.AddSingleton <IdentityService, IdentityService>(); }
public bool IsUserLoggedIn(ClaimsPrincipal principal) { var config = AuthenticationBetaAppAccessOptions.Construct(_configuration); if (!config.RequireFullAppAuth) { return(principal.Identity.IsAuthenticated); } if (!principal.Identity.IsAuthenticated) { return(false); } var tenantId = principal.FindFirstValue(Constants.ClaimTypes.TenantIdentifier); return(tenantId != config.TenantId); }
private OpenIdConnectEvents CreateBetaAppOidcEvents() { var authenticationOptions = AuthenticationBetaAppAccessOptions.Construct(Configuration); return(new OpenIdConnectEvents { OnRemoteFailure = context => { if (context.Failure.Message == "Correlation failed.") { //// [ log error ] context.HandleResponse(); //// redirect to some help page or handle it as you wish context.Response.Redirect("/"); } return Task.CompletedTask; }, OnAuthenticationFailed = context => { context.Fail(context.Exception); return Task.CompletedTask; }, OnMessageReceived = context => { if (context.ProtocolMessage.Parameters.Any(x => x.Key == "response")) { var jsonResponse = JsonConvert.DeserializeObject <Constants.JsonResponse>(context.ProtocolMessage.Parameters["response"]); if (jsonResponse != null && !string.IsNullOrEmpty(jsonResponse.response) && jsonResponse.response.Contains("B2C_V1_90001")) { context.Response.Redirect("/Account/AgeGatingError"); context.HandleResponse(); return Task.CompletedTask; } } if (!string.IsNullOrEmpty(context.ProtocolMessage.Error) && !string.IsNullOrEmpty(context.ProtocolMessage.ErrorDescription)) { if (context.ProtocolMessage.ErrorDescription.StartsWith("AADB2C90091")) { var policy = context.Properties.Items[Constants.AuthenticationProperties.Policy]; //if (policy == Constants.Policies.PasswordReset || // policy == Constants.Policies.SignUpOrSignInWithPersonalAccountLocalEmailAndSocial) //{ // var command = // $"{Constants.AuthenticationSchemes.CustomerAuth}:{Constants.Policies.SignUpOrSignInWithPersonalAccountLocalEmailAndSocial}"; // var uiLocale = string.Empty; // if (context.Properties.Items.Any(x => x.Key == Constants.AuthenticationProperties.UILocales)) // { // uiLocale = context.Properties.Items[Constants.AuthenticationProperties.UILocales]; // } // context.Response.Redirect($"/Account/LogInFor?command={command}&uiLocale={uiLocale}"); // context.HandleResponse(); //} //else //{ // context.Response.Redirect("/"); // context.HandleResponse(); //} } else if (context.ProtocolMessage.ErrorDescription.StartsWith("AADB2C90118")) { var uiLocale = string.Empty; if (context.Properties.Items.Any(x => x.Key == Constants.AuthenticationProperties.UILocales)) { uiLocale = context.Properties.Items[Constants.AuthenticationProperties.UILocales]; } context.Response.Redirect($"/Account/ResetPassword?uiLocale={uiLocale}"); context.HandleResponse(); } else if (context.ProtocolMessage.ErrorDescription.StartsWith("AADB2C99001")) { context.Response.Redirect($"/Account/LinkError??ReturnUrl={context.Properties.RedirectUri}"); context.HandleResponse(); } else if (context.ProtocolMessage.ErrorDescription.StartsWith("AADB2C99002")) { context.Response.Redirect("/Account/LogOut"); context.HandleResponse(); } else if (context.ProtocolMessage.ErrorDescription.StartsWith("AADB2C90157")) { context.Response.Redirect("/Account/RetryExceededError"); context.HandleResponse(); } else if (context.ProtocolMessage.ErrorDescription.StartsWith("AADB2C90037")) { context.Response.Redirect("/Account/AgeGatingError"); context.HandleResponse(); } else if (context.ProtocolMessage.ErrorDescription.StartsWith("AADB2C90273")) { context.Response.Redirect("/"); context.HandleResponse(); } } return Task.CompletedTask; }, OnRedirectToIdentityProvider = async context => { var configuration = await GetB2COpenIdConnectConfigurationAsync(context, authenticationOptions.Policy); context.ProtocolMessage.IssuerAddress = configuration.AuthorizationEndpoint; }, OnRedirectToIdentityProviderForSignOut = async context => { var configuration = await GetB2COpenIdConnectConfigurationAsync(context, authenticationOptions.Policy); context.ProtocolMessage.IssuerAddress = configuration.EndSessionEndpoint; }, OnTokenValidated = context => { //var requestedPolicy = context.Properties.Items[Constants.AuthenticationProperties.Policy]; //var issuedPolicy = context.Principal.FindFirstValue(Constants.ClaimTypes.TrustFrameworkPolicy); //if (!string.Equals(issuedPolicy, requestedPolicy, StringComparison.OrdinalIgnoreCase)) //{ // context.Fail($"Access denied: The issued policy '{issuedPolicy}' is different to the requested policy '{requestedPolicy}'."); // return Task.CompletedTask; //} //string roleClaimValue; //var identityProvider = context.Principal.FindFirstValue(Constants.ClaimTypes.IdentityProvider); //if (identityProvider != null && identityProvider.StartsWith("https://sts.windows.net/")) //{ // var businessCustomerRole = context.Principal.FindFirstValue(Constants.ClaimTypes.BusinessCustomerRole); // if (businessCustomerRole == "Manager") // { // roleClaimValue = Constants.Roles.BusinessCustomerManager; // } // else // { // roleClaimValue = Constants.Roles.BusinessCustomerStocker; // } //} //else //{ // roleClaimValue = Constants.Roles.IndividualCustomer; //} //var claims = new List<Claim> //{ // new Claim(ClaimTypes.Role, roleClaimValue) //}; //var identity = new ClaimsIdentity(claims); //context.Principal.AddIdentity(identity); return Task.CompletedTask; } }); }