public static void Register(HttpConfiguration config)
{
var authNConfig = new AuthenticationConfiguration
{
SendWwwAuthenticateResponseHeaders = false,
RequireSsl = false
};
//authNConfig.AddJsonWebToken(
// "TODOApi",
// "http://tt.com/mobile/todos",
// ConfigurationManager.AppSettings["acsSigningKey"]);
authNConfig.AddJsonWebToken(
"http://identityserver.v2.thinktecture.com/trust/cw",
"http://tt.com/mobile/todos",
ConfigurationManager.AppSettings["oauthSigningKey"]);
authNConfig.AddBasicAuthentication(
(un, pw) => un == pw); // this is the super complex basic authentication validation logic :)
authNConfig.ClaimsAuthenticationManager =
FederatedAuthentication.FederationConfiguration
.IdentityConfiguration.ClaimsAuthenticationManager;
config.MessageHandlers.Add(new AuthenticationHandler(authNConfig));
config.Filters.Add(new ClaimsAuthorizeAttribute());
}
public static void Register(HttpConfiguration config)
{
// Web API configuration and services
// Web API routes
config.MapHttpAttributeRoutes();
config.Routes.MapHttpRoute(
name: "DefaultApi",
routeTemplate: "api/{controller}/{id}",
defaults: new { id = RouteParameter.Optional }
);
// retrieve certificate for x509-signed tokens
//var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
//store.Open(OpenFlags.ReadOnly);
//var clientCert =
// store.Certificates.OfType<X509Certificate2>()
// .FirstOrDefault(c => c.Subject == "CN=CleanerClient");
//store.Close();
Configuration.AddJsonWebToken(
issuer: "AS",
audience: "HsrTestApp",
//signingCertificate: clientCert,
signingKey: "i4SpI3zdts0yIHhfbBIeR4VuG1MJCfM1wcUZ2LVPFWA=", //use symmetric key instead of signing cert
scheme: "bearer");
// Debug config to disable chain validation for self-signed certs (not needed if peer validation is used)
//var authTokenHandleConfig = Configuration.Mappings.First().TokenHandler.First().Configuration;
//authTokenHandleConfig.RevocationMode = X509RevocationMode.NoCheck;
//authTokenHandleConfig.CertificateValidationMode = X509CertificateValidationMode.None;
}
public static void ConfigureOAuth(HttpConfiguration config)
{
// Set up CORS configuration
var corsConfig = new CorsConfiguration();
corsConfig.AllowAll();
var corsHandler = new CorsMessageHandler(corsConfig, config);
config.MessageHandlers.Add(corsHandler);
// Set up ACS token configuration
var authenticationConfiguration = new AuthenticationConfiguration
{
RequireSsl = false,
ClaimsAuthenticationManager = new ClaimsTransformer()
};
authenticationConfiguration.AddJsonWebToken(
issuer: "https://eyecatch.accesscontrol.windows.net/",
audience: "http://localhost:61390/",
signingKey: "vZhjuby4hTmoaKnptAXe1MPAMiI+63obW20+fVaFAYM=",
scheme: "ACS");
config.MessageHandlers.Add(new AuthenticationHandler(authenticationConfiguration));
}
public static AuthenticationConfiguration CreateAuthenticationConfiguration(ILog log)
{
var authentication = new AuthenticationConfiguration {
ClaimsAuthenticationManager = new ClaimsTransformer(),
RequireSsl = false,
EnableSessionToken = true
};
#region Basic Authentication
authentication.AddBasicAuthentication(UserCredentials.Validate);
log.Info("Configurada autenticación básica.");
#endregion
#region IdentityServer JWT
//authentication.AddJsonWebToken(
// issuer: Constants.IdSrv.IssuerUri,
// audience: Constants.Audience,
// signingKey: Constants.IdSrv.SigningKey);
authentication.AddMsftJsonWebToken(
issuer: Constants.IdSrv.IssuerUri,
audience: Constants.Audience,
signingKey: Constants.IdSrv.SigningKey);
log.Info("Configurado IdentityServer JWT.");
#endregion
#region Access Control Service JWT
authentication.AddJsonWebToken(
issuer: Constants.ACS.IssuerUri,
audience: Constants.Audience,
signingKey: Constants.ACS.SigningKey,
scheme: Constants.ACS.Scheme);
log.Info("Configurado Access Control Service JWT.");
#endregion
#region IdentityServer SAML
authentication.AddSaml2(
issuerThumbprint: Constants.IdSrv.SigningCertThumbprint,
issuerName: Constants.IdSrv.IssuerUri,
audienceUri: Constants.Realm,
certificateValidator: X509CertificateValidator.None,
options: AuthenticationOptions.ForAuthorizationHeader(Constants.IdSrv.SamlScheme),
scheme: AuthenticationScheme.SchemeOnly(Constants.IdSrv.SamlScheme));
log.Info("Configurado IdentityServer SAML.");
#endregion
#region Client Certificates
authentication.AddClientCertificate(ClientCertificateMode.ChainValidation);
log.Info("Configurado Client Certificate.");
#endregion
// OLL: Reeemplazo la session key generada automaticamente. Tendría que haber una variable de web.config para indicar si la quiero random o fija
// y obtener la key del config;
authentication.SessionToken.SigningKey = Constants.SessionKey;
log.Info("Configurada Clave.");
return(authentication);
}
private static AuthenticationConfiguration CreateAuthenticationConfiguration()
{
var authentication = new AuthenticationConfiguration
{
ClaimsAuthenticationManager = new ClaimsTransformer(),
RequireSsl = false,
EnableSessionToken = true
};
#region Basic Authentication
authentication.AddBasicAuthentication(UserCredentials.Validate);
#endregion
#region IdentityServer JWT
authentication.AddJsonWebToken(
issuer: Constants.IdSrv.IssuerUri,
audience: Constants.Audience,
signingKey: Constants.IdSrv.SigningKey);
#endregion
#region Access Control Service JWT
authentication.AddJsonWebToken(
issuer: Constants.ACS.IssuerUri,
audience: Constants.Audience,
signingKey: Constants.ACS.SigningKey,
scheme: Constants.ACS.Scheme);
#endregion
#region IdentityServer SAML
authentication.AddSaml2(
issuerThumbprint: Constants.IdSrv.SigningCertThumbprint,
issuerName: Constants.IdSrv.IssuerUri,
audienceUri: Constants.Realm,
certificateValidator: X509CertificateValidator.None,
options: AuthenticationOptions.ForAuthorizationHeader(Constants.IdSrv.SamlScheme),
scheme: AuthenticationScheme.SchemeOnly(Constants.IdSrv.SamlScheme));
#endregion
#region Client Certificates
authentication.AddClientCertificate(ClientCertificateMode.ChainValidation);
#endregion
return(authentication);
}
public static AuthenticationConfiguration CreateUserInfoAuthConfig(IConfigurationRepository configuration)
{
var userInfoAuth = new AuthenticationConfiguration
{
RequireSsl = true,
InheritHostClientIdentity = false
};
userInfoAuth.AddJsonWebToken(
issuer: configuration.Global.IssuerUri,
audience: configuration.Global.IssuerUri + "/userinfo",
signingCertificate: configuration.Keys.SigningCertificate);
return(userInfoAuth);
}
private static AuthenticationConfiguration CreateAuthenticationConfiguration()
{
var authentication = new AuthenticationConfiguration
{
RequireSsl = false,
};
authentication.AddJsonWebToken(
issuer: Constants.AS.IssuerName,
audience: Constants.Audience,
signingKey: Constants.AS.SigningKey,
claimMappings: ClaimMappings.None);
return(authentication);
}
public static void Configure(HttpConfiguration config)
{
var authNConfig = new AuthenticationConfiguration();
authNConfig.AddJsonWebToken(
"http://identityserver.v2.thinktecture.com/trust/cw",
"http://tt.com/mobile/todos",
ConfigurationManager.AppSettings["oauthSigningKey"],
AuthenticationOptions.ForAuthorizationHeader("Bearer"));
authNConfig.ClaimsAuthenticationManager =
FederatedAuthentication.FederationConfiguration
.IdentityConfiguration.ClaimsAuthenticationManager;
config.MessageHandlers.Add(new AuthenticationHandler(authNConfig));
config.Filters.Add(new ClaimsAuthorizeAttribute());
}
/// <summary>
/// Configuration related to the Thinktecture Authorization Server
/// </summary>
/// <returns></returns>
private static AuthenticationConfiguration CreateAuthenticationConfiguration()
{
/*ClaimsAuthenticationManager = new GridsClaimsAuthenticationManager(),*/
var authentication = new AuthenticationConfiguration
{
RequireSsl = false,
};
authentication.AddJsonWebToken(
issuer: Constants.AuthorizationServer.IssuerName,
audience: Constants.Audience,
signingKey: Constants.AuthorizationServer.SigningKey,
claimMappings: ClaimMappings.None);
return(authentication);
}
public static void ConfigureOAuth()
{
// Create ACS OAuth filter
var authenticationConfiguration = new AuthenticationConfiguration
{
RequireSsl = false,
ClaimsAuthenticationManager = new ClaimsTransformer()
};
authenticationConfiguration.AddJsonWebToken(
issuer: "https://eyecatch.accesscontrol.windows.net/",
audience: "http://localhost:61390/",
signingKey: "vZhjuby4hTmoaKnptAXe1MPAMiI+63obW20+fVaFAYM=",
scheme: "ACS");
// Use custom acs controller factory
ControllerBuilder.Current.SetControllerFactory(
new AcsControllerFactory(
new CookieToAuthenticationHeaderHandler("ACS"),
new AuthenticationHandler(authenticationConfiguration, new HttpRequestMessageFactory())));
}
private static AuthenticationConfiguration CreateAuthenticationConfiguration(IConfigurationRepository configurationRepository)
{
const string audience = "api/";
var issuerUri = configurationRepository.Global.IssuerUri;
if (configurationRepository.Keys.SigningCertificate == null)
{
//Note: when set up Identity server 1st time, it goes here. After the initial configuration, please re-start IIS to make sure the following code executed.
return(null);
}
var signingKey = configurationRepository.Keys.SigningCertificate.Thumbprint;
var authenticationConfiguration = new AuthenticationConfiguration
{
ClaimsAuthenticationManager = new ClaimsTransformer(),
RequireSsl = false,
EnableSessionToken = true,
SessionToken = new SessionTokenConfiguration
{
DefaultTokenLifetime = TimeSpan.FromHours(10.0),
EndpointAddress = "/issue/simple",
HeaderName = "Authorization",
Scheme = "Session",
Audience = audience,
IssuerName = issuerUri,
SigningKey = Encoding.UTF8.GetBytes(signingKey),
}
};
// IdentityServer JWT
authenticationConfiguration.AddJsonWebToken(issuerUri, audience, signingKey);
authenticationConfiguration.AddBasicAuthentication(Membership.ValidateUser);
//Client Certificates
authenticationConfiguration.AddClientCertificate(ClientCertificateMode.ChainValidation);
return(authenticationConfiguration);
}
public static AuthenticationConfiguration CreateConfiguration()
{
var config = new AuthenticationConfiguration
{
DefaultAuthenticationScheme = "Basic",
};
#region Basic Authentication
config.AddBasicAuthentication((userName, password) => userName == password);
#endregion
#region SimpleWebToken
config.AddSimpleWebToken(
"http://identity.thinktecture.com/trust",
Constants.Realm,
Constants.IdSrvSymmetricSigningKey,
AuthenticationOptions.ForAuthorizationHeader("IdSrv"));
#endregion
#region JsonWebToken
config.AddJsonWebToken(
"http://selfissued.test",
Constants.Realm,
Constants.IdSrvSymmetricSigningKey,
AuthenticationOptions.ForAuthorizationHeader("JWT"));
#endregion
#region IdentityServer SAML
var idsrvRegistry = new ConfigurationBasedIssuerNameRegistry();
idsrvRegistry.AddTrustedIssuer("A1EED7897E55388FCE60FEF1A1EED81FF1CBAEC6", "Thinktecture IdSrv");
var idsrvConfig = new SecurityTokenHandlerConfiguration();
idsrvConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Constants.Realm));
idsrvConfig.IssuerNameRegistry = idsrvRegistry;
idsrvConfig.CertificateValidator = X509CertificateValidator.None;
config.AddSaml2(idsrvConfig, AuthenticationOptions.ForAuthorizationHeader("IdSrvSaml"));
#endregion
#region ACS SWT
config.AddSimpleWebToken(
"https://" + Constants.ACS + "/",
Constants.Realm,
Constants.AcsSymmetricSigningKey,
AuthenticationOptions.ForAuthorizationHeader("ACS"));
#endregion
#region AccessKey
var handler = new SimpleSecurityTokenHandler("my access key", token =>
{
if (ObfuscatingComparer.IsEqual(token, "accesskey123"))
{
return(new ClaimsIdentity(new Claim[]
{
new Claim("customerid", "123")
}, "Custom"));
}
return(null);
});
config.AddAccessKey(handler, AuthenticationOptions.ForQueryString("key"));
#endregion
return(config);
}
public static AuthenticationConfiguration CreateConfiguration()
{
var config = new AuthenticationConfiguration
{
DefaultAuthenticationScheme = "Basic",
EnableSessionToken = true
};
#region BasicAuthentication
config.AddBasicAuthentication((userName, password) => userName == password, retainPassword: false);
#endregion
#region SimpleWebToken
config.AddSimpleWebToken(
issuer: Constants.IdSrvIssuerName,
audience: Constants.Realm,
signingKey: Constants.IdSrvSymmetricSigningKey,
options: AuthenticationOptions.ForAuthorizationHeader("IdSrv"));
#endregion
#region JsonWebToken
config.AddJsonWebToken(
issuer: "http://selfissued.test",
audience: Constants.Realm,
signingKey: Constants.IdSrvSymmetricSigningKey,
options: AuthenticationOptions.ForAuthorizationHeader("JWT"));
#endregion
#region JsonWebToken Windows Store Client
config.AddJsonWebToken(
issuer: "http://identityserver.v2.thinktecture.com/trust/changethis",
audience: "https://test/rp/",
signingKey: "3ihK5qGVhp8ptIk9+TDucXQW4Aaengg3d5m6gU8nzc8=",
options: AuthenticationOptions.ForAuthorizationHeader("Win8"));
#endregion
#region IdentityServer SAML
var idsrvRegistry = new ConfigurationBasedIssuerNameRegistry();
idsrvRegistry.AddTrustedIssuer(Constants.IdSrvSamlSigningKeyThumbprint, "Thinktecture IdSrv");
var idsrvConfig = new SecurityTokenHandlerConfiguration();
idsrvConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Constants.Realm));
idsrvConfig.IssuerNameRegistry = idsrvRegistry;
idsrvConfig.CertificateValidator = X509CertificateValidator.None;
config.AddSaml2(idsrvConfig, AuthenticationOptions.ForAuthorizationHeader("IdSrvSaml"));
#endregion
#region ADFS SAML
var adfsRegistry = new ConfigurationBasedIssuerNameRegistry();
adfsRegistry.AddTrustedIssuer(Constants.AdfsSamlSigningKeyThumbprint, "ADFS");
var adfsConfig = new SecurityTokenHandlerConfiguration();
adfsConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Constants.Realm));
adfsConfig.IssuerNameRegistry = adfsRegistry;
adfsConfig.CertificateValidator = X509CertificateValidator.None;
config.AddSaml2(adfsConfig, AuthenticationOptions.ForAuthorizationHeader("AdfsSaml"));
#endregion
#region ACS SWT
config.AddSimpleWebToken(
issuer: "https://" + Constants.ACS + "/",
audience: Constants.Realm,
signingKey: Constants.AcsSymmetricSigningKey,
options: AuthenticationOptions.ForAuthorizationHeader("ACS"));
#endregion
#region AccessKey
config.AddAccessKey(token =>
{
if (ObfuscatingComparer.IsEqual(token, "accesskey123"))
{
return(Principal.Create("Custom",
new Claim("customerid", "123"),
new Claim("email", "*****@*****.**")));
}
return(null);
}, AuthenticationOptions.ForQueryString("key"));
#endregion
#region Client Certificate
config.AddClientCertificate(
ClientCertificateMode.ChainValidationWithIssuerSubjectName,
"CN=PortableCA");
#endregion
return(config);
}
public static AuthenticationConfiguration CreateConfiguration()
{
var config = new AuthenticationConfiguration
{
DefaultAuthenticationScheme = "Basic",
EnableSessionToken = true
};
#region BasicAuthentication
config.AddBasicAuthentication((userName, password) => userName == password, retainPassword: false);
#endregion
#region SimpleWebToken
config.AddSimpleWebToken(
issuer: "http://identity.thinktecture.com/trust",
audience: Constants.Realm,
signingKey: Constants.IdSrvSymmetricSigningKey,
options: AuthenticationOptions.ForAuthorizationHeader("IdSrv"));
#endregion
#region JsonWebToken
config.AddJsonWebToken(
issuer: "http://selfissued.test",
audience: Constants.Realm,
signingKey: Constants.IdSrvSymmetricSigningKey,
options: AuthenticationOptions.ForAuthorizationHeader("JWT"));
#endregion
#region IdentityServer SAML
var idsrvRegistry = new ConfigurationBasedIssuerNameRegistry();
idsrvRegistry.AddTrustedIssuer("A1EED7897E55388FCE60FEF1A1EED81FF1CBAEC6", "Thinktecture IdSrv");
var idsrvConfig = new SecurityTokenHandlerConfiguration();
idsrvConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Constants.Realm));
idsrvConfig.IssuerNameRegistry = idsrvRegistry;
idsrvConfig.CertificateValidator = X509CertificateValidator.None;
config.AddSaml2(idsrvConfig, AuthenticationOptions.ForAuthorizationHeader("IdSrvSaml"));
#endregion
#region ADFS SAML
var adfsRegistry = new ConfigurationBasedIssuerNameRegistry();
adfsRegistry.AddTrustedIssuer("8EC7F962CC083FF7C5997D8A4D5ED64B12E4C174", "ADFS");
adfsRegistry.AddTrustedIssuer("b6 93 46 34 7f 70 a9 c3 72 02 18 ae f1 82 2a 5c 97 b1 8c a5", "PETS ADFS");
var adfsConfig = new SecurityTokenHandlerConfiguration();
adfsConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Constants.Realm));
adfsConfig.IssuerNameRegistry = adfsRegistry;
adfsConfig.CertificateValidator = X509CertificateValidator.None;
config.AddSaml2(adfsConfig, AuthenticationOptions.ForAuthorizationHeader("AdfsSaml"));
#endregion
#region ACS SWT
config.AddSimpleWebToken(
issuer: "https://" + Constants.ACS + "/",
audience: Constants.Realm,
signingKey: Constants.AcsSymmetricSigningKey,
options: AuthenticationOptions.ForAuthorizationHeader("ACS"));
#endregion
#region AccessKey
config.AddAccessKey(token =>
{
if (ObfuscatingComparer.IsEqual(token, "accesskey123"))
{
return(Principal.Create("Custom",
new Claim("customerid", "123"),
new Claim("email", "*****@*****.**")));
}
return(null);
}, AuthenticationOptions.ForQueryString("key"));
#endregion
#region Client Certificate
config.AddClientCertificate(
ClientCertificateMode.ChainValidationWithIssuerSubjectName,
"CN=PortableCA");
#endregion
return(config);
}