public static async Task setTokenAsync(AuthorizationCodeReceivedNotification context)
{
var code = context.Code;
ClientCredential credential = new ClientCredential(AuthConstants.CLIENT_ID, AuthConstants.APP_KEY);
string userObjectID = context.AuthenticationTicket.Identity.FindFirst(AuthConstants.claimIdentifier).Value;
AuthenticationContext authContext = new AuthenticationContext(AuthConstants.AUTHORITY, true);
Uri uri = new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path));
AuthenticationResult result = await authContext.AcquireTokenByAuthorizationCodeAsync(code, uri, credential, AuthConstants.powerBIResourceId);
string AccessToken = result.AccessToken;
HttpCookie myCookie = new HttpCookie(AuthConstants.accessCookie);
// Set the cookie value.
myCookie.Value = AccessToken;
// Set the cookie expiration date time.
DateTime now = DateTime.Now;
myCookie.Expires = now.AddMinutes(58);
// Add the cookie.
HttpContext.Current.Response.Cookies.Add(myCookie);
HttpContext.Current.Session.Add(AuthConstants.accessToken, AccessToken);
// Set the session expiration time
HttpContext.Current.Session.Timeout = 58; //minutes
}
private async Task <AuthorizationCodeReceivedNotification> RunAuthorizationCodeReceivedNotificationAsync(OpenIdConnectMessage message, AuthenticationProperties properties, AuthenticationTicket ticket, JwtSecurityToken jwt)
{
var redirectUri = properties.Items.ContainsKey(OpenIdConnectAuthenticationDefaults.RedirectUriForCodePropertiesKey) ?
properties.Items[OpenIdConnectAuthenticationDefaults.RedirectUriForCodePropertiesKey] : Options.RedirectUri;
Logger.LogDebug(Resources.OIDCH_0014_AuthorizationCodeReceived, message.Code);
var authorizationCodeReceivedNotification = new AuthorizationCodeReceivedNotification(Context, Options)
{
Code = message.Code,
ProtocolMessage = message,
RedirectUri = redirectUri,
AuthenticationTicket = ticket,
JwtSecurityToken = jwt
};
await Options.Notifications.AuthorizationCodeReceived(authorizationCodeReceivedNotification);
if (authorizationCodeReceivedNotification.HandledResponse)
{
Logger.LogVerbose(Resources.OIDCH_0015_AuthorizationCodeReceivedNotificationHandledResponse);
}
else if (authorizationCodeReceivedNotification.Skipped)
{
Logger.LogVerbose(Resources.OIDCH_0016_AuthorizationCodeReceivedNotificationSkipped);
}
return(authorizationCodeReceivedNotification);
}
private async Task OnAuthorizationCodeReceived(
AuthorizationCodeReceivedNotification context)
{
var user = new ClaimsPrincipal(context.AuthenticationTicket.Identity);
var telemetryContext = new TelemetryContext
{
TenantId = user.GetTenantId(),
UserObjectId = user.GetUserObjectId()
};
TelemetryHelper.LogVerbose(@"OnAuthorizationCodeReceived", telemetryContext);
var authContext = new AuthenticationContext($"{ConfigHelper.AuthenticationEndpoint}{user.GetTenantId()}");
var result = await authContext.AcquireTokenByAuthorizationCodeAsync(
context.Code,
new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)),
new ClientCredential(ConfigHelper.ApplicationId, ConfigHelper.ApplicationSecret),
ConfigHelper.ResourceManagerEndpoint);
context.AuthenticationTicket.Identity.AddClaims(new[]
{
new Claim(Constants.TokenKey, result.AccessToken)
});
TelemetryHelper.WriteEvent(
TelemetryEventNames.AuthSignedIn,
telemetryContext);
}
private static async Task AuthorizationCodeReceived(AuthorizationCodeReceivedNotification n, string authority, string clientId, string clientSecret)
{
var tokenEndpoint = $"{authority}/connect/token";
if (n.Code != null)
{
// use the code to get the access and refresh token
var tokenResponse = await StsTokenHelper.RequestToken(_client, tokenEndpoint, clientId, clientSecret, n.Code, n.RedirectUri);
// create new identity
//var claimsIdent = new ClaimsIdentity(n.AuthenticationTicket.Identity.AuthenticationType);
var claimsIdent = n.AuthenticationTicket.Identity;
bool includeUserClaims = claimsIdent.FindFirst("role") == null;
if (includeUserClaims)
{
//Add userClaims from userInfoEndpoint with the access token
await AddUserClaimsAsync(claimsIdent, authority, tokenResponse.AccessToken);
//Add portal
//AddPortalGroupInfo(claimsIdent);
}
claimsIdent.AddOrUpdateClaim("access_token", tokenResponse.AccessToken);
claimsIdent.AddOrUpdateClaim("expires_at", tokenResponse.ExpiresUtc().ToString());
claimsIdent.AddOrUpdateClaim("refresh_token", tokenResponse.RefreshToken);
claimsIdent.AddOrUpdateClaim("id_token", n.ProtocolMessage.IdToken);
n.AuthenticationTicket.Properties.ExpiresUtc = tokenResponse.ExpiresUtc();
}
}
public async Task ThrowsOnInvalidTokenResponse()
{
var httpClient = A.Fake <HttpClient>();
A.CallTo(() => httpClient.SendAsync(A <ProtocolRequest> ._, A <CancellationToken> ._))
.Returns(new HttpResponseMessage
{
Content = new StringContent(
"xxxxxxxxxxxxxxxxx")
});
var notifications = new VippsOpenIdConnectAuthenticationNotifications(httpClient);
var configurationManager =
A.Fake <IConfigurationManager <OpenIdConnectConfiguration> >();
A.CallTo(() => configurationManager.GetConfigurationAsync(A <CancellationToken> ._))
.Returns(new OpenIdConnectConfiguration());
var notification = new AuthorizationCodeReceivedNotification(
A.Fake <IOwinContext>(),
new VippsOpenIdConnectAuthenticationOptions("clientId", "clientSecret", "authority")
{
ConfigurationManager = configurationManager
})
{
RedirectUri = "https://redirect-url",
Code = "AuthCode"
};
await Assert.ThrowsAsync <OpenIdConnectProtocolException>(async() =>
await notifications.AuthorizationCodeReceived(notification));
}
public async Task RetrievesTokenEndpointResponse()
{
var httpClient = A.Fake <HttpClient>();
A.CallTo(() => httpClient.SendAsync(A <ProtocolRequest> ._, A <CancellationToken> ._))
.Returns(new HttpResponseMessage
{
Content = new StringContent(
"{\"access_token\":\"abcde\",\"expires_in\":3599,\"id_token\":\"qwerty\",\"scope\":\"phoneNumber address email name openid birthDate\",\"token_type\":\"bearer\"}")
});
var notifications = new VippsOpenIdConnectAuthenticationNotifications(httpClient);
var configurationManager =
A.Fake <IConfigurationManager <OpenIdConnectConfiguration> >();
A.CallTo(() => configurationManager.GetConfigurationAsync(A <CancellationToken> ._))
.Returns(new OpenIdConnectConfiguration());
var notification = new AuthorizationCodeReceivedNotification(
A.Fake <IOwinContext>(),
new VippsOpenIdConnectAuthenticationOptions("clientId", "clientSecret", "authority")
{
ConfigurationManager = configurationManager
})
{
RedirectUri = "https://redirect-url",
Code = "AuthCode"
};
await notifications.AuthorizationCodeReceived(notification);
Assert.Equal("abcde", notification.TokenEndpointResponse.AccessToken);
Assert.Equal("qwerty", notification.TokenEndpointResponse.IdToken);
}
public async Task ExchangeCodeForTokenAsync(AuthorizationCodeReceivedNotification response)
{
var openIdConfiguration = await _configurationManager.GetConfigurationAsync().ConfigureAwait(false);
var tokenResponse = await _httpClient.RequestAuthorizationCodeTokenAsync(new AuthorizationCodeTokenRequest
{
Address = openIdConfiguration.TokenEndpoint,
ClientId = _options.ClientId,
ClientSecret = _options.ClientSecret,
Code = response.Code,
RedirectUri = _options.RedirectUri,
}).ConfigureAwait(false);
if (tokenResponse.IsError)
{
throw new Exception(tokenResponse.Error);
}
FillNameIdentifierClaimOnIdentity(response.AuthenticationTicket.Identity);
response.AuthenticationTicket.Identity.AddClaim(new Claim("id_token", tokenResponse.IdentityToken));
response.AuthenticationTicket.Identity.AddClaim(new Claim("access_token", tokenResponse.AccessToken));
if (!string.IsNullOrEmpty(tokenResponse.RefreshToken))
{
response.AuthenticationTicket.Identity.AddClaim(new Claim("refresh_token", tokenResponse.RefreshToken));
}
return;
}
private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification context)
{
// If there is a code in the OpenID Connect response, redeem it for an access token and store it away.
var code = context.Code;
string userObjectId = context.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
SampleTokenCache tokenCache = new SampleTokenCache(userObjectId);
var credential = new ClientCredential(ClientSecret);
var cca = new ConfidentialClientApplication(
ClientId,
context.Request.Uri.ToString(),
credential,
tokenCache.GetMsalCacheInstance(),
null);
try
{
var result = await cca.AcquireTokenByAuthorizationCodeAsync(code, Scopes);
}
catch (MsalException ex)
{
context.HandleResponse();
context.Response.Redirect($"/error/index?message={ex.Message}");
}
}
// Redeem code for token asynchronosly for performance, must not do synchronous call for Production
private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification context)
{
Startup.LastContext = context;
code = context.Code;
returnUri = new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path));
// Token Service appKey is required to authenticate with Azure AD for redeeming the authorization code
// Note that the code is returned to LE-SfBApp, but the JavaScript client cannot make use of it
ClientCredential credential = new ClientCredential(clientId, appKey);
// userObjectID is the objectGUID of the O365 user in Azure AD
string userObjectID = context.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
// intialize with common to retrieve MRRT, index Cache with both user GUID and resource url due to UCWA usage pattern
// Startup.sessionCache = new NaiveSessionCache(userObjectID);
// Startup.sessionCache = new NaiveSessionCache(userObjectID);
// Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext authContext = new Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext(Startup.Authority, Startup.sessionCache);
AuthContext authContext = new AuthContext(Authority,
new DistributedTokenCache(cacheconnStr, userObjectID));
AuthenticationResult result = await authContext.AcquireTokenByAuthorizationCodeAsync(code, returnUri, credential, ucwaResourceUrl);
// Azure AD schema change
// string tenantID = context.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
// string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
// AuthenticationContext authContext = new AuthenticationContext(aadInstance + tenantID, new ADALTokenCache(signedInUserID));
Startup.accessToken = result.AccessToken;
Startup.refreshToken = result.RefreshToken;
Startup.idToken = result.IdToken;
}
// If the javascript issues an OIDC authorize reuest, and it succeeds, the user is already logged
// into AAD. Since the AAD session cookie has changed, we need to check if the same use is still
// logged in.
public static Task AuthorizationCodeRecieved(AuthorizationCodeReceivedNotification notification)
{
// If the successful authorize request was issued by the SingleSignOut javascript
if (notification.AuthenticationTicket.Properties.RedirectUri.Contains("SessionChanged"))
{
// Clear the SingleSignOutCookie
notification.Response.Cookies.Append("SingleSignOut" + clientId, "");
Claim existingUserObjectId = notification.OwinContext.Authentication.User.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier");
Claim incomingUserObjectId = notification.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier");
if (existingUserObjectId.Value != null && incomingUserObjectId != null)
{
// If a different user is logged into AAD
if (existingUserObjectId.Value != incomingUserObjectId.Value)
{
// No need to clear the session state here. It has already been
// updated with the new user's session state in SecurityTokenValidated.
notification.Response.Redirect("Account/SingleSignOut");
notification.HandleResponse();
}
// If the same user is logged into AAD
else if (existingUserObjectId.Value == incomingUserObjectId.Value)
{
// No need to clear the session state, SecurityTokenValidated will do so.
// Simply redirect the iframe to a page other than SingleSignOut to reset
// the timer in the javascript.
notification.Response.Redirect("/");
notification.HandleResponse();
}
}
}
return(Task.FromResult <object>(null));
}
private async Task OnAuthorizationCodeRecieved(AuthorizationCodeReceivedNotification context)
{
// Upon successful sign in, get & cache a token using MSAL
string userId = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
ConfidentialClientApplication cc = new ConfidentialClientApplication(Globals.ClientId, Globals.RedirectUri, new ClientCredential(Globals.ClientSecret), new MsalSessionTokenCache(userId, context.OwinContext.Environment["System.Web.HttpContextBase"] as HttpContextBase));
AuthenticationResult result = await cc.AcquireTokenByAuthorizationCodeAsync(new[] { "user.readbasic.all" }, context.Code);
}
public async Task HandleOpenIdAuthorizationCodeAsync(
AuthorizationCodeReceivedNotification authorizationCodeReceived)
{
string tokenAsBase64 =
JwtTokenHelper.CreateSecurityTokenDescriptor(authorizationCodeReceived.JwtSecurityToken.Claims,
_jwtOptions).CreateTokenAsBase64();
authorizationCodeReceived.AuthenticationTicket.Properties.RedirectUri +=
string.Format("&{0}={1}", _jwtOptions.JwtTokenParameterName, tokenAsBase64);
if (_createConsentOptions.CreateConsentAsync != null)
{
await _createConsentOptions.CreateConsentAsync(authorizationCodeReceived.Response,
new Uri(authorizationCodeReceived.AuthenticationTicket.Properties.RedirectUri));
authorizationCodeReceived.HandleResponse();
}
else
{
string implicitConsent = string.Format("&{0}={1}", _consentHandlerOptions.ConsentParameterName,
Uri.EscapeDataString("implicit"));
authorizationCodeReceived.AuthenticationTicket.Properties.RedirectUri += implicitConsent;
}
}
/*
* Callback function when an authorization code is received
*/
private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification notification)
{
try
{
/*
* The `MSALPerUserMemoryTokenCache` is created and hooked in the `UserTokenCache` used by `IConfidentialClientApplication`.
* At this point, if you inspect `ClaimsPrinciple.Current` you will notice that the Identity is still unauthenticated and it has no claims,
* but `MSALPerUserMemoryTokenCache` needs the claims to work properly. Because of this sync problem, we are using the constructor that
* receives `ClaimsPrincipal` as argument and we are getting the claims from the object `AuthorizationCodeReceivedNotification context`.
* This object contains the property `AuthenticationTicket.Identity`, which is a `ClaimsIdentity`, created from the token received from
* Azure AD and has a full set of claims.
*/
IConfidentialClientApplication confidentialClient = MsalAppBuilder.BuildConfidentialClientApplication(new ClaimsPrincipal(notification.AuthenticationTicket.Identity));
// Upon successful sign in, get & cache a token using MSAL
AuthenticationResult result = await confidentialClient.AcquireTokenByAuthorizationCode(Globals.Scopes, notification.Code).ExecuteAsync();
}
catch (Exception ex)
{
throw new HttpResponseException(new HttpResponseMessage
{
StatusCode = HttpStatusCode.BadRequest,
ReasonPhrase = $"Unable to get authorization code {ex.Message}."
});
}
}
private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification context)
{
// Upon successful sign in, get the access token & cache it using MSAL
IConfidentialClientApplication clientApp = await MsalAppBuilder.BuildConfidentialClientApplication();
AuthenticationResult result = await clientApp.AcquireTokenByAuthorizationCode(new[] { "Mail.Read" }, context.Code).ExecuteAsync();
}
private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification notification)
{
string signedInUserId = notification.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
SessionTokenCache tokenCache = new SessionTokenCache(
signedInUserId,
notification.OwinContext.Environment["System.Web.HttpContextBase"] as HttpContextBase);
ConfidentialClientApplication cca = new ConfidentialClientApplication(
appId,
redirectUri,
new ClientCredential(appPassword),
tokenCache.GetMsalCacheInstance(),
null);
try
{
var result = await cca.AcquireTokenByAuthorizationCodeAsync(notification.Code, scopes);
}
catch (MsalException ex)
{
string message, debug;
message = "AcquireTokenByAuthorizationCodeAsync threw an exception";
debug = ex.Message;
notification.HandleResponse();
notification.Response.Redirect("/Home/Error?message=" + message + "&debug=" + debug);
}
}
/// <summary>
/// Retrieve the code_verifier from authentication process
/// </summary>
public static string RetrieveCodeVerifier(this AuthorizationCodeReceivedNotification n)
{
// retreive the cookie key
string key = GetCodeVerifierKey(n.ProtocolMessage.State);
// retrive the cookie value by key
string codeVerifierCookie = n.Options.CookieManager.GetRequestCookie(n.OwinContext, key);
if (codeVerifierCookie != null)
{
// delete the cookie from authentication process
var cookieOptions = new CookieOptions
{
SameSite = SameSiteMode.None,
HttpOnly = true,
Secure = n.Request.IsSecure
};
n.Options.CookieManager.DeleteCookie(n.OwinContext, key, cookieOptions);
}
// read the AuthenticationProperties from the authentication session
var cookieProperties = n.Options.StateDataFormat.Unprotect(Encoding.UTF8.GetString(Convert.FromBase64String(codeVerifierCookie)));
// retrive the code_verifier value
cookieProperties.Dictionary.TryGetValue("cv", out var codeVerifier);
return(codeVerifier);
}
/*
* Callback function when an authorization code is received
*/
private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification notification)
{
// Extract the code from the response notification
string code = notification.Code;
// Extract signed in user id
string signedInUserID = notification.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
// MSAL v3 confidential application creation
IConfidentialClientApplication cca = ConfidentialClientApplicationBuilder.Create(ClientId)
.WithB2CAuthority(Authority)
.WithClientSecret(ClientSecret)
.WithRedirectUri(RedirectUri)
.Build();
// Enable encrypted persistence to local file for tokens
TokenCacheHelper.EnableSerialization(cca.UserTokenCache);
try
{
// MSAL v3 get accesstoken by authorization code
AuthenticationResult result = await cca.AcquireTokenByAuthorizationCode(Scopes, code).ExecuteAsync();
}
catch (Exception ex)
{
//TODO: Handle
throw;
}
}
private async Task ProcessAuthorizationCodeReceived(AuthorizationCodeReceivedNotification notification)
{
// Exchange code for access and ID tokens
var tokenClient = new TokenClient(Authority + OauthTokenEndpoint, ClientId, ClientSecret);
var tokenResponse = await tokenClient.RequestAuthorizationCodeAsync(notification.Code, notification.RedirectUri);
if (tokenResponse.IsError)
{
throw new Exception(tokenResponse.Error);
}
var userInfoClient = new UserInfoClient(Authority + OauthUserInfoEndpoint);
var userInfoResponse = await userInfoClient.GetAsync(tokenResponse.AccessToken);
var claims = new List <Claim>();
claims.AddRange(userInfoResponse.Claims);
claims.Add(new Claim("id_token", tokenResponse.IdentityToken));
claims.Add(new Claim("access_token", tokenResponse.AccessToken));
if (!string.IsNullOrEmpty(tokenResponse.RefreshToken))
{
claims.Add(new Claim("refresh_token", tokenResponse.RefreshToken));
}
notification.AuthenticationTicket.Identity.AddClaims(claims);
notification.AuthenticationTicket.Identity.ApplyClaimsTransformations(new TransformationContext(this.FederatedAuthenticationConfiguration, IdentityProvider));
}
public async Task ExchangeCodeForTokenAsync(AuthorizationCodeReceivedNotification response)
{
var openIdConfiguration = await _configurationManager.GetConfigurationAsync().ConfigureAwait(false);
var tokenClient = new TokenClient(openIdConfiguration.TokenEndpoint, _options.ClientId, _options.ClientSecret);
var tokenResponse = await tokenClient.RequestAuthorizationCodeAsync(response.Code, _options.RedirectUri).ConfigureAwait(false);
if (tokenResponse.IsError)
{
throw new Exception(tokenResponse.Error);
}
if (_options.GetClaimsFromUserInfoEndpoint)
{
await EnrichIdentityViaUserInfoAsync(
response.AuthenticationTicket.Identity,
openIdConfiguration,
tokenResponse).ConfigureAwait(false);
}
response.AuthenticationTicket.Identity.AddClaim(new Claim("id_token", tokenResponse.IdentityToken));
response.AuthenticationTicket.Identity.AddClaim(new Claim("access_token", tokenResponse.AccessToken));
if (!string.IsNullOrEmpty(tokenResponse.RefreshToken))
{
response.AuthenticationTicket.Identity.AddClaim(new Claim("refresh_token", tokenResponse.RefreshToken));
}
return;
}
private Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification context)
{
context.HandleResponse();
var token = context.JwtSecurityToken.ToString();
context.Response.Redirect(string.Format("/Main.aspx?Token={0}", token));
return(Task.FromResult(0));
}
internal static async Task AuthInit(AuthorizationCodeReceivedNotification ctx)
{
var hctx =
(HttpContextWrapper)
ctx.OwinContext.Environment.Single(e => e.Key == "System.Web.HttpContextBase").Value;
await AuthInit(hctx, (ClaimsIdentity)ctx.Request.User.Identity);
}
protected override async Task <AuthenticationTicket> AuthenticateCoreAsync()
{
if (Options.CallbackPath.HasValue && Options.CallbackPath != Request.PathBase + Request.Path)
{
return(null);
}
var state = Request.Query.Get("state");
var error = Request.Query.Get("error");
var code = Request.Query.Get("code");
var openIdConnectMessage = new OpenIdConnectMessage
{
Error = error,
State = state,
Code = code,
};
ExceptionDispatchInfo authFailedEx;
try
{
var properties = GetPropertiesFromState(state);
if (properties == null)
{
log.Warn("The state field is missing or invalid.");
return(null);
}
if (!string.IsNullOrWhiteSpace(openIdConnectMessage.Error))
{
throw new OpenIdConnectProtocolException(
string.Format(CultureInfo.InvariantCulture, openIdConnectMessage.Error, typeof(Exception), openIdConnectMessage.ErrorDescription ?? string.Empty, openIdConnectMessage.ErrorUri ?? string.Empty));
}
if (openIdConnectMessage.Code != null)
{
var authorizationCodeReceivedNotification = new AuthorizationCodeReceivedNotification(Context, Options)
{
Code = openIdConnectMessage.Code,
ProtocolMessage = openIdConnectMessage,
RedirectUri = properties.Dictionary.ContainsKey("OpenIdConnect.Code.RedirectUri") ? properties.Dictionary["OpenIdConnect.Code.RedirectUri"] : string.Empty
};
await Options.Notifications.AuthorizationCodeReceived(authorizationCodeReceivedNotification);
}
var identity = new ClaimsIdentity();
identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, code));
return(new AuthenticationTicket(identity, properties));
}
catch (Exception ex)
{
authFailedEx = ExceptionDispatchInfo.Capture(ex);
}
if (authFailedEx != null)
{
log.Error("Exception occurred while processing message: ", authFailedEx.SourceException);
authFailedEx.Throw();
}
return(null);
}
/*
* Callback function when an authorization code is received
*/
private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification notification)
{
//AD B2C token will be received here after authentication. The token will have role claims which will be added in the AuthenticationTicket.Identity automatically.
//try
//{
// IConfidentialClientApplication confidentialClient = MsalAppBuilder.BuildConfidentialClientApplication(new ClaimsPrincipal(notification.AuthenticationTicket.Identity));
// // Upon successful sign in, get & cache a token using MSAL
// //AuthenticationResult result = await confidentialClient.AcquireTokenByAuthorizationCode(Globals.Scopes, notification.Code).ExecuteAsync();
// //string token = result.AccessToken;
// using (var client = new HttpClient())
// {
// string tokenURL = "https://login.microsoftonline.com/rallycommunitas.onmicrosoft.com/oauth2/v2.0/token";
// var requestContent = new FormUrlEncodedContent(new[]
// {
// new KeyValuePair<string, string>("grant_type", "client_credentials"),
// new KeyValuePair<string, string>("client_id", Globals.RoleClientId),
// new KeyValuePair<string, string>("scope", "https://graph.microsoft.com/.default"),
// new KeyValuePair<string, string>("client_secret", Globals.RoleClientSecret)
// });
// var response1 = await client.PostAsync(tokenURL, requestContent);
// var responseContent = await response1.Content.ReadAsStringAsync();
// var tokenObj = JObject.Parse(responseContent);
// JToken accessToke = tokenObj.GetValue("access_token");
// string accessToken = tokenObj.GetValue("access_token").Value<string>();
// string requestUrl = $"https://graph.microsoft.com/v1.0/users/{notification.JwtSecurityToken.Subject}/memberOf?$select=displayName";
// HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, requestUrl);
// request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
// HttpResponseMessage response = await client.SendAsync(request);
// var responseString = await response.Content.ReadAsStringAsync();
// var json = JObject.Parse(responseString);
// foreach (var group in json["value"])
// notification.AuthenticationTicket.Identity.AddClaim(new System.Security.Claims.Claim(System.Security.Claims.ClaimTypes.Role, group["displayName"].ToString(), System.Security.Claims.ClaimValueTypes.String, "Graph"));
// }
//}
//catch (Exception ex)
//{
// throw new HttpResponseException(new HttpResponseMessage
// {
// StatusCode = HttpStatusCode.BadRequest,
// ReasonPhrase = $"Unable to get authorization code {ex.Message}."
// });
//}
}
public async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification notification)
{
// Acquire a Token for the Graph API and cache it. In the TodoListController, we'll use the cache to acquire a token to the Todo List API
string userObjectId = notification.AuthenticationTicket.Principal.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
ClientCredential clientCred = new ClientCredential(ClientId, AppKey);
AuthenticationContext authContext = new AuthenticationContext(Authority, new NaiveSessionCache(userObjectId, notification.HttpContext.Session));
AuthenticationResult authResult = await authContext.AcquireTokenByAuthorizationCodeAsync(
notification.Code, new Uri(notification.RedirectUri), clientCred, Startup.GraphResourceId);
}
private Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification notification)
{
_log.Debug("OnAuthorizationCodeReceived: \r\n{0}\r\nCode={1}, \r\nJwtSecurityToken={2}",
string.Join("\r\n", notification.AuthenticationTicket.Identity.Claims.Select(f => "Claim " + f.Type + "=" + f.Value)),
notification.Code,
notification.JwtSecurityToken);
return(Task.FromResult(0));
}
public async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification notification)
{
// Acquire a Token for the Graph API and cache it. In the TodoListController, we'll use the cache to acquire a token to the Todo List API
string userObjectId = notification.AuthenticationTicket.Principal.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
ClientCredential clientCred = new ClientCredential(ClientId, AppKey);
AuthenticationContext authContext = new AuthenticationContext(Authority, new NaiveSessionCache(userObjectId, notification.HttpContext.Session));
AuthenticationResult authResult = await authContext.AcquireTokenByAuthorizationCodeAsync(
notification.Code, new Uri(notification.RedirectUri), clientCred, Startup.GraphResourceId);
}
private Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification notification)
{
ClientCredential credential = new ClientCredential(ConfigHelper.ClientId, ConfigHelper.AppKey);
string userObjectId = notification.AuthenticationTicket.Identity.FindFirst(Globals.ObjectIdClaimType).Value;
string tenantId = notification.AuthenticationTicket.Identity.FindFirst(Globals.TenantIdClaimType).Value;
AuthenticationContext authContext = new AuthenticationContext(String.Format(CultureInfo.InvariantCulture, ConfigHelper.AadInstance, tenantId), new TokenDbCache(userObjectId));
AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(
notification.Code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Authority)), credential, ConfigHelper.GraphResourceId);
return Task.FromResult(0);
}
private static async Task <AuthenticationResult> AuthCodeReceivedCallback(AuthorizationCodeReceivedNotification context, string graphResourceId)
{
var code = context.Code;
ClientCredential credential = new ClientCredential(clientId, appKey);
string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
AuthenticationContext authContext = new AuthenticationContext(Authority);
return(await authContext.AcquireTokenByAuthorizationCodeAsync(
code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, graphResourceId));
}
private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification notification)
{
string userObjectId = notification.AuthenticationTicket.Identity.FindFirst("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier").Value;
string tenantID = notification.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenantID, string.Empty);
ClientCredential cred = new ClientCredential(clientId, clientSecret);
// Here you ask for a token using the web app's clientId as the scope, since the web app and service share the same clientId.
var authContext = new Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext(authority, false, new NaiveSessionCache(userObjectId));
var authResult = await authContext.AcquireTokenByAuthorizationCodeAsync(notification.Code, new Uri(redirectUri), cred, new string[] { clientId });
}
/// <summary>
/// Called when an authorization code is received.
/// </summary>
/// <param name="context">The context.</param>
/// <returns></returns>
private async Task OnAuthorizationCodeReceivedAsync(AuthorizationCodeReceivedNotification context)
{
var claimsPrincipal = new ClaimsPrincipal(context.AuthenticationTicket.Identity);
// Upon successful sign in, get the access token & cache it using MSAL
IConfidentialClientApplication clientApp = MSALAppBuilder.BuildConfidentialClientApplication(claimsPrincipal);
AuthenticationResult result = await clientApp
.AcquireTokenByAuthorizationCode(VeracityIntegrationOptions.DefaultScope.Split(' '), context.Code)
.ExecuteAsync();
}
public Task AuthCodeReceived(AuthorizationCodeReceivedNotification notification)
{
var oid = Guid.Parse(notification.JwtSecurityToken.Claims.Single(c => c.Type == "oid").Value);
var tid = Guid.Parse(notification.JwtSecurityToken.Claims.Single(c => c.Type == "tid").Value);
var firstname = notification.JwtSecurityToken.Claims.Single(c => c.Type == "name").Value;
var context = new DashDocsContext();
var customer = context.Customers.SingleOrDefault(c => c.Id == tid);
if (customer != null)
{
var user = context.Users.SingleOrDefault(u => u.Id == oid && u.CustomerId == tid);
if (user == null)
{
// new user first sign-in
user = new User
{
Id = oid,
CustomerId = tid,
FirstName = firstname
};
context.Users.Add(user);
context.SaveChanges();
}
// though the application can access the claims from the returned
// JWTToken, it's better to have custom claim properties as this eases up the usage.
var applicationClaims = new AppClaims
{
CustomerId = tid,
CustomerName = customer.Name,
UserId = oid,
DisplayName = user.FirstName + user.LastName
};
var claim = new Claim("ddcs", JsonConvert.SerializeObject(applicationClaims));
notification.AuthenticationTicket.Identity.AddClaim(claim);
var tableStorageService = new TableStorageService();
tableStorageService.CreateLog(tid, oid, notification.Request.RemoteIpAddress, true, null);
}
else
{
throw new UserLoggedInWithoutExistingCustomerException()
{
TenantId = tid,
UserId = oid,
FirstName = firstname
};
}
return(Task.FromResult(0));
}
private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification context)
{
IConfidentialClientApplication clientApp = ConfidentialClientApplicationBuilder.Create(AuthenticationConfig.ClientId)
.WithClientSecret(AuthenticationConfig.ClientSecret)
.WithRedirectUri(AuthenticationConfig.RedirectUri)
.WithAuthority(new Uri(AuthenticationConfig.Authority))
.Build();
AuthenticationResult result = await clientApp.AcquireTokenByAuthorizationCode(new[] { "Mail.Read" }
, context.Code).ExecuteAsync();
}
private static async Task ExchangeAuthCodeWithToken(AuthorizationCodeReceivedNotification notification, TokenProviderConfiguration configuration)
{
HttpContext.Current.User = new ClaimsPrincipal(notification.AuthenticationTicket.Identity);
var c = HttpContext.Current;
var cache = CacheFactoryFunc().Invoke();
var context = configuration.ConfidentialClientApplication(cache, _debugLogger);
var user = await context.AcquireTokenByAuthorizationCode(new[] { configuration.Scope }, notification.Code)
.ExecuteAsync();
HttpContext.Current = c;
}
internal static async Task AuthorizationCodeReceived(AuthorizationCodeReceivedNotification context)
{
Helpers.ThrowIfConditionFailed(() => context.Code == "AAABAAAAvPM1KaPlrEqdFSBzjqfTGGBtrTYVn589oKw4lLgJ6Svz0AhPVOJr0J2-Uu_KffGlqIbYlRAyxmt-vZ7VlSVdrWvOkNhK9OaAMaSD7LDoPbBTVMEkB0MdAgBTV34l2el-s8ZI02_9PvgQaORZs7n8eGaGbcoKAoxiDn2OcKuJVplXYgrGUwU4VpRaqe6RaNzuseM7qBFbLIv4Wps8CndE6W8ccmuu6EvGC6-H4uF9EZL7gU4nEcTcvkE4Qyt8do6VhTVfM1ygRNQgmV1BCig5t_5xfhL6-xWQdy15Uzn_Df8VSsyDXe8s9cxyKlqc_AIyLFy_NEiMQFUqjZWKd_rR3A8ugug15SEEGuo1kF3jMc7dVMdE6OF9UBd-Ax5ILWT7V4clnRQb6-CXB538DlolREfE-PowXYruFBA-ARD6rwAVtuVfCSbS0Zr4ZqfNjt6x8yQdK-OkdQRZ1thiZcZlm1lyb2EquGZ8Deh2iWBoY1uNcyjzhG-L43EivxtHAp6Y8cErhbo41iacgqOycgyJWxiB5J0HHkxD0nQ2RVVuY8Ybc9sdgyfKkkK2wZ3idGaRCdZN8Q9VBhWRXPDMqHWG8t3aZRtvJ_Xd3WhjNPJC0GpepUGNNQtXiEoIECC363o1z6PZC5-E7U3l9xK06BZkcfTOnggUiSWNCrxUKS44dNqaozdYlO5E028UgAEhJ4eDtcP3PZty-0j4j5Mw0F2FmyAA",
"context.Code is invalid.");
notificationsFired.Add(nameof(AuthorizationCodeReceived));
// Verify all notifications are fired.
if (notificationsFired.Contains(nameof(RedirectToIdentityProvider)) &&
notificationsFired.Contains(nameof(MessageReceived)) &&
notificationsFired.Contains(nameof(SecurityTokenReceived)) &&
notificationsFired.Contains(nameof(SecurityTokenValidated)) &&
notificationsFired.Contains(nameof(AuthorizationCodeReceived)))
{
((ClaimsIdentity)context.AuthenticationTicket.Principal.Identity).AddClaim(new Claim("ManageStore", "Allowed"));
}
await Task.FromResult(0);
}
private static void OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification context, PowerBIAuthenticationOptions options)
{
var code = context.Code;
var credential = new ClientCredential(options.ClientId, options.ClientSecret);
var tenantId = context.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
var signedInUserId = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
var authContext = new AuthenticationContext($"https://login.microsoftonline.com/{tenantId}", new TokenCache(Encoding.Default.GetBytes(signedInUserId)));
var result = authContext.AcquireTokenByAuthorizationCode(code, options.SuccessRedirectUri, credential, options.Resource);
TokenManager.Current.WriteToken(context.AuthenticationTicket.Identity, result.AccessToken);
}
// If the javascript issues an OIDC authorize reuest, and it succeeds, the user is already logged
// into AAD. Since the AAD session cookie has changed, we need to check if the same use is still
// logged in.
public static Task AuthorizationCodeRecieved(AuthorizationCodeReceivedNotification notification)
{
// If the successful authorize request was issued by the SingleSignOut javascript
if (notification.AuthenticationTicket.Properties.RedirectUri.Contains("SessionChanged"))
{
// Clear the SingleSignOut Cookie
ICookieManager cookieManager = new ChunkingCookieManager();
string cookie = cookieManager.GetRequestCookie(notification.OwinContext, CookieName);
AuthenticationTicket ticket = ticketDataFormat.Unprotect(cookie);
if (ticket.Properties.Dictionary != null)
ticket.Properties.Dictionary[OpenIdConnectAuthenticationDefaults.AuthenticationType + "SingleSignOut"] = "";
cookieManager.AppendResponseCookie(notification.OwinContext, CookieName, ticketDataFormat.Protect(ticket), new CookieOptions());
Claim existingUserObjectId = notification.OwinContext.Authentication.User.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier");
Claim incomingUserObjectId = notification.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier");
if (existingUserObjectId.Value != null && incomingUserObjectId != null)
{
// If a different user is logged into AAD
if(existingUserObjectId.Value != incomingUserObjectId.Value)
{
// No need to clear the session state here. It has already been
// updated with the new user's session state in SecurityTokenValidated.
notification.Response.Redirect("Account/SingleSignOut");
notification.HandleResponse();
}
// If the same user is logged into AAD
else if (existingUserObjectId.Value == incomingUserObjectId.Value)
{
// No need to clear the session state, SecurityTokenValidated will do so.
// Simply redirect the iframe to a page other than SingleSignOut to reset
// the timer in the javascript.
notification.Response.Redirect("/");
notification.HandleResponse();
}
}
}
return Task.FromResult<object>(null);
}
protected override async Task<AuthenticationTicket> AuthenticateCoreAsync()
{
if (Options.CallbackPath.HasValue && Options.CallbackPath != (Request.PathBase + Request.Path))
{
return null;
}
OpenIdConnectMessage openIdConnectMessage = null;
if (string.Equals(Request.Method, "POST", StringComparison.OrdinalIgnoreCase)
&& !string.IsNullOrWhiteSpace(Request.ContentType)
&& Request.ContentType.StartsWith("application/x-www-form-urlencoded", StringComparison.OrdinalIgnoreCase)
&& Request.Body.CanRead)
{
if (!Request.Body.CanSeek)
{
_logger.WriteVerbose("Buffering request body");
MemoryStream memoryStream = new MemoryStream();
await Request.Body.CopyToAsync(memoryStream);
memoryStream.Seek(0, SeekOrigin.Begin);
Request.Body = memoryStream;
}
IFormCollection form = await Request.ReadFormAsync();
Request.Body.Seek(0, SeekOrigin.Begin);
openIdConnectMessage = new OpenIdConnectMessage(form);
}
if (openIdConnectMessage == null)
{
return null;
}
ExceptionDispatchInfo authFailedEx = null;
string policy = string.Empty;
try
{
var messageReceivedNotification = new MessageReceivedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions>(Context, Options)
{
ProtocolMessage = openIdConnectMessage
};
await Options.Notifications.MessageReceived(messageReceivedNotification);
if (messageReceivedNotification.HandledResponse)
{
return GetHandledResponseTicket();
}
if (messageReceivedNotification.Skipped)
{
return null;
}
AuthenticationProperties properties = GetPropertiesFromState(openIdConnectMessage.State);
if (properties == null)
{
_logger.WriteWarning("The state field is missing or invalid.");
return null;
}
string nonce = null;
if (Options.ProtocolValidator.RequireNonce)
{
nonce = RetrieveNonce(openIdConnectMessage);
}
if (!string.IsNullOrWhiteSpace(openIdConnectMessage.Error))
{
throw new OpenIdConnectProtocolException(
string.Format(CultureInfo.InvariantCulture,
openIdConnectMessage.Error,
"", openIdConnectMessage.ErrorDescription ?? string.Empty, openIdConnectMessage.ErrorUri ?? string.Empty));
}
if (string.IsNullOrWhiteSpace(openIdConnectMessage.IdToken))
{
_logger.WriteWarning("The id_token is missing.");
return null;
}
var securityTokenReceivedNotification = new SecurityTokenReceivedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions>(Context, Options)
{
ProtocolMessage = openIdConnectMessage,
};
await Options.Notifications.SecurityTokenReceived(securityTokenReceivedNotification);
if (securityTokenReceivedNotification.HandledResponse)
{
return GetHandledResponseTicket();
}
if (securityTokenReceivedNotification.Skipped)
{
return null;
}
// Enable Per-Policy Metadata Retreival
if (properties.Dictionary.TryGetValue(PolicyParameter, out policy))
{
B2CConfigurationManager mgr = Options.ConfigurationManager as B2CConfigurationManager;
_configuration = await mgr.GetConfigurationAsync(Context.Request.CallCancelled, policy);
}
else
{
_logger.WriteWarning("No policy identifier was found in the Authentication Properties of the request.");
return null;
}
TokenValidationParameters tvp = Options.TokenValidationParameters.Clone();
IEnumerable<string> issuers = new[] { _configuration.Issuer };
tvp.ValidIssuers = (tvp.ValidIssuers == null ? issuers : tvp.ValidIssuers.Concat(issuers));
tvp.IssuerSigningTokens = (tvp.IssuerSigningTokens == null ? _configuration.SigningTokens : tvp.IssuerSigningTokens.Concat(_configuration.SigningTokens));
SecurityToken validatedToken;
ClaimsPrincipal principal = Options.SecurityTokenHandlers.ValidateToken(openIdConnectMessage.IdToken, tvp, out validatedToken);
ClaimsIdentity claimsIdentity = principal.Identity as ClaimsIdentity;
JwtSecurityToken jwt = validatedToken as JwtSecurityToken;
AuthenticationTicket ticket = new AuthenticationTicket(claimsIdentity, properties);
if (!string.IsNullOrWhiteSpace(openIdConnectMessage.SessionState))
{
ticket.Properties.Dictionary[OpenIdConnectSessionProperties.SessionState] = openIdConnectMessage.SessionState;
}
if (!string.IsNullOrWhiteSpace(_configuration.CheckSessionIframe))
{
ticket.Properties.Dictionary[OpenIdConnectSessionProperties.CheckSessionIFrame] = _configuration.CheckSessionIframe;
}
if (Options.UseTokenLifetime)
{
DateTime issued = jwt.ValidFrom;
if (issued != DateTime.MinValue)
{
ticket.Properties.IssuedUtc = issued.ToUniversalTime();
}
DateTime expires = jwt.ValidTo;
if (expires != DateTime.MinValue)
{
ticket.Properties.ExpiresUtc = expires.ToUniversalTime();
}
ticket.Properties.AllowRefresh = false;
}
var securityTokenValidatedNotification = new SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions>(Context, Options)
{
AuthenticationTicket = ticket,
ProtocolMessage = openIdConnectMessage,
};
await Options.Notifications.SecurityTokenValidated(securityTokenValidatedNotification);
if (securityTokenValidatedNotification.HandledResponse)
{
return GetHandledResponseTicket();
}
if (securityTokenValidatedNotification.Skipped)
{
return null;
}
ticket = securityTokenValidatedNotification.AuthenticationTicket;
var protocolValidationContext = new OpenIdConnectProtocolValidationContext
{
AuthorizationCode = openIdConnectMessage.Code,
Nonce = nonce,
};
Options.ProtocolValidator.Validate(jwt, protocolValidationContext);
if (openIdConnectMessage.Code != null)
{
var authorizationCodeReceivedNotification = new AuthorizationCodeReceivedNotification(Context, Options)
{
AuthenticationTicket = ticket,
Code = openIdConnectMessage.Code,
JwtSecurityToken = jwt,
ProtocolMessage = openIdConnectMessage,
RedirectUri = ticket.Properties.Dictionary.ContainsKey(OpenIdConnectAuthenticationDefaults.RedirectUriUsedForCodeKey) ?
ticket.Properties.Dictionary[OpenIdConnectAuthenticationDefaults.RedirectUriUsedForCodeKey] : string.Empty,
};
await Options.Notifications.AuthorizationCodeReceived(authorizationCodeReceivedNotification);
if (authorizationCodeReceivedNotification.HandledResponse)
{
return GetHandledResponseTicket();
}
if (authorizationCodeReceivedNotification.Skipped)
{
return null;
}
ticket = authorizationCodeReceivedNotification.AuthenticationTicket;
}
return ticket;
}
catch (Exception exception)
{
authFailedEx = ExceptionDispatchInfo.Capture(exception);
}
if (authFailedEx != null)
{
_logger.WriteError("Exception occurred while processing message: '" + authFailedEx.ToString());
if (Options.RefreshOnIssuerKeyNotFound && authFailedEx.SourceException.GetType().Equals(typeof(SecurityTokenSignatureKeyNotFoundException)))
{
B2CConfigurationManager mgr = Options.ConfigurationManager as B2CConfigurationManager;
mgr.RequestRefresh(policy);
}
var authenticationFailedNotification = new AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions>(Context, Options)
{
ProtocolMessage = openIdConnectMessage,
Exception = authFailedEx.SourceException
};
await Options.Notifications.AuthenticationFailed(authenticationFailedNotification);
if (authenticationFailedNotification.HandledResponse)
{
return GetHandledResponseTicket();
}
if (authenticationFailedNotification.Skipped)
{
return null;
}
authFailedEx.Throw();
}
return null;
}
/*
* Callback function when an authorization code is received
*/
private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification notification)
{
// Extract the code from the response notification
var code = notification.Code;
string signedInUserID = notification.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
TokenCache userTokenCache = new MSALSessionCache(signedInUserID, notification.OwinContext.Environment["System.Web.HttpContextBase"] as HttpContextBase).GetMsalCacheInstance();
}
