/// <summary>
/// Builds the two IdentityServer clients used by the admin application:
/// the admin UI itself (hybrid flow, confidential client with a secret) and the
/// Swagger UI for the admin API (implicit flow, no secret).
/// </summary>
/// <param name="adminConfiguration">Source of the client ids, the client secret, the API scope and the base/redirect URLs.</param>
/// <returns>A list holding the admin UI client followed by the Swagger UI client.</returns>
public static IEnumerable<Client> GetAdminClient(IAdminAppConfiguration adminConfiguration)
{
    var adminBaseUrl = adminConfiguration.IdentityAdminBaseUrl;

    /////////////////////////////////////////////
    // IdentityServer4.Admin Client
    /////////////////////////////////////////////
    var adminUiClient = new Client
    {
        ClientId = adminConfiguration.ClientId,
        ClientName = adminConfiguration.ClientId,
        ClientUri = adminBaseUrl,
        AllowedGrantTypes = GrantTypes.Hybrid,
        // Only the SHA-256 hash of the configured secret is kept in the client
        // definition; the OIDC middleware on the admin side is given the raw value.
        ClientSecrets = new List<Secret> { new Secret(adminConfiguration.ClientSecret.ToSha256()) },
        // IdentityServer matches redirect URIs exactly, so the configured base URL
        // must be the origin the admin UI is really served from (scheme, host, port).
        RedirectUris = { $"{adminBaseUrl}/signin-oidc" },
        FrontChannelLogoutUri = $"{adminBaseUrl}/signout-oidc",
        PostLogoutRedirectUris = { $"{adminBaseUrl}/signout-callback-oidc" },
        AllowedCorsOrigins = { adminBaseUrl },
        AllowedScopes =
        {
            IdentityServerConstants.StandardScopes.OpenId,
            IdentityServerConstants.StandardScopes.Profile,
            IdentityServerConstants.StandardScopes.Email,
            "roles"
        }
    };

    // Swagger UI for the admin API. Implicit flow returns the access token to the
    // browser directly, which is why AllowAccessTokensViaBrowser is enabled. The
    // OAuth 2.0 Security BCP now favours authorization code + PKCE for browser
    // clients; switching would also require changing the Swagger UI configuration.
    var swaggerUiClient = new Client
    {
        ClientId = adminConfiguration.IdentityAdminApiSwaggerUIClientId,
        ClientName = adminConfiguration.IdentityAdminApiSwaggerUIClientId,
        AllowedGrantTypes = GrantTypes.Implicit,
        RedirectUris = new List<string> { adminConfiguration.IdentityAdminApiSwaggerUIRedirectUrl },
        AllowedScopes = { adminConfiguration.IdentityAdminApiScope },
        AllowAccessTokensViaBrowser = true
    };

    return new List<Client> { adminUiClient, swaggerUiClient };
}
/// <summary>
/// Describes the admin API as one IdentityServer API resource exposing a single,
/// required scope of the same name.
/// </summary>
/// <param name="adminConfiguration">Supplies the API scope name.</param>
/// <returns>A one-element array containing the admin API resource.</returns>
public static IEnumerable<ApiResource> GetApiResources(IAdminAppConfiguration adminConfiguration)
{
    var apiScopeName = adminConfiguration.IdentityAdminApiScope;

    // UserClaims names the user claims IdentityServer includes in access tokens
    // issued for this scope; only "role" is requested here.
    var adminApiScope = new Scope
    {
        Name = apiScopeName,
        DisplayName = apiScopeName,
        UserClaims = new List<string> { "role" },
        Required = true
    };

    var adminApi = new ApiResource
    {
        Name = apiScopeName,
        Scopes = new List<Scope> { adminApiScope }
    };

    return new[] { adminApi };
}
/// <summary>
/// Generate default clients, identity and api resources.
/// Each group is only written when its table is still empty, so running the seed
/// against a populated store leaves that group untouched — a changed client
/// secret or scope in configuration is not propagated to existing rows.
/// </summary>
/// <typeparam name="TIdentityServerDbContext">Configuration store context type.</typeparam>
/// <param name="context">Configuration store to seed.</param>
/// <param name="adminConfiguration">Settings the default clients and the API resource are built from.</param>
private static async Task EnsureSeedIdentityServerData<TIdentityServerDbContext>(TIdentityServerDbContext context, IAdminAppConfiguration adminConfiguration)
    where TIdentityServerDbContext : DbContext, IAdminConfigurationDbContext
{
    var clientsAlreadySeeded = context.Clients.Any();
    if (!clientsAlreadySeeded)
    {
        var defaultClients = Clients.GetAdminClient(adminConfiguration).ToList();
        foreach (var defaultClient in defaultClients)
        {
            await context.Clients.AddAsync(defaultClient.ToEntity());
        }

        await context.SaveChangesAsync();
    }

    var identityResourcesAlreadySeeded = context.IdentityResources.Any();
    if (!identityResourcesAlreadySeeded)
    {
        foreach (var identityResource in ClientResources.GetIdentityResources().ToList())
        {
            await context.IdentityResources.AddAsync(identityResource.ToEntity());
        }

        await context.SaveChangesAsync();
    }

    var apiResourcesAlreadySeeded = context.ApiResources.Any();
    if (!apiResourcesAlreadySeeded)
    {
        var defaultApiResources = ClientResources.GetApiResources(adminConfiguration).ToList();
        foreach (var defaultApiResource in defaultApiResources)
        {
            await context.ApiResources.AddAsync(defaultApiResource.ToEntity());
        }

        await context.SaveChangesAsync();
    }
}
/// <summary>
/// Replaces the redirect_uri the OIDC middleware derived from the current request
/// with the configured <c>IdentityAdminRedirectUri</c> before the browser is sent
/// to IdentityServer (presumably for deployments where the request host differs
/// from the public URL — confirm against the hosting setup). The value must be one
/// of the RedirectUris registered for the admin client, otherwise IdentityServer
/// rejects the authorize request.
/// </summary>
/// <param name="n">Redirect context carrying the outgoing protocol message.</param>
/// <param name="adminConfiguration">Provides the redirect URI to use.</param>
/// <returns>A completed task.</returns>
private static Task OnRedirectToIdentityProvider(RedirectContext n, IAdminAppConfiguration adminConfiguration)
{
    var configuredRedirectUri = adminConfiguration.IdentityAdminRedirectUri;
    n.ProtocolMessage.RedirectUri = configuredRedirectUri;
    return Task.CompletedTask;
}
/// <summary>
/// Register services for authentication, including Identity.
/// For production mode is used OpenId Connect middleware which is connected to IdentityServer4 instance.
/// For testing purpose is used cookie middleware with fake login url.
/// </summary>
/// <typeparam name="TContext">Identity store context.</typeparam>
/// <typeparam name="TUserIdentity">Identity user type.</typeparam>
/// <typeparam name="TUserIdentityRole">Identity role type.</typeparam>
/// <param name="services">Service collection to register into.</param>
/// <param name="hostingEnvironment">Staging selects the cookie-only setup; anything else adds OIDC.</param>
/// <param name="adminConfiguration">IdentityServer authority, client credentials, scopes and response type.</param>
public static void AddAuthenticationServices<TContext, TUserIdentity, TUserIdentityRole>(this IServiceCollection services, IHostingEnvironment hostingEnvironment, IAdminAppConfiguration adminConfiguration)
    where TContext : DbContext
    where TUserIdentity : class
    where TUserIdentityRole : class
{
    services.AddIdentity<TUserIdentity, TUserIdentityRole>(identityOptions =>
        {
            identityOptions.User.RequireUniqueEmail = true;
        })
        .AddEntityFrameworkStores<TContext>()
        .AddDefaultTokenProviders();

    // Integration tests (staging) use the cookie scheme for everything, including
    // the challenge; otherwise the cookie holds the session and OIDC handles challenges.
    var useOidc = !hostingEnvironment.IsStaging();
    var cookieScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    var challengeScheme = useOidc ? AuthenticationConsts.OidcAuthenticationScheme : cookieScheme;

    var authenticationBuilder = services
        .AddAuthentication(authOptions =>
        {
            authOptions.DefaultScheme = cookieScheme;
            authOptions.DefaultChallengeScheme = challengeScheme;
            authOptions.DefaultAuthenticateScheme = cookieScheme;
            authOptions.DefaultForbidScheme = cookieScheme;
            authOptions.DefaultSignInScheme = cookieScheme;
            authOptions.DefaultSignOutScheme = cookieScheme;
        })
        .AddCookie(cookieScheme, cookieOptions =>
        {
            cookieOptions.Cookie.Name = AuthenticationConsts.IdentityAdminCookieName;
            if (useOidc)
            {
                // Issue: https://github.com/aspnet/Announcements/issues/318
                // Presumably needed so the session cookie survives the cross-site
                // redirect back from IdentityServer. NOTE(review): a SameSite=None
                // cookie is sent on cross-site requests, so HTTPS deployments should
                // pair it with Cookie.SecurePolicy = CookieSecurePolicy.Always; that
                // is not configured here.
                cookieOptions.Cookie.SameSite = SameSiteMode.None;
            }
        });

    if (!useOidc)
    {
        return;
    }

    authenticationBuilder.AddOpenIdConnect(AuthenticationConsts.OidcAuthenticationScheme, oidcOptions =>
    {
        oidcOptions.Authority = adminConfiguration.IdentityServerBaseUrl;
#if DEBUG
        // Debug builds accept a plain-http discovery document; release builds insist on HTTPS.
        oidcOptions.RequireHttpsMetadata = false;
#else
        oidcOptions.RequireHttpsMetadata = true;
#endif
        // The raw secret is used here; GetAdminClient registers its SHA-256 hash on the server side.
        oidcOptions.ClientId = adminConfiguration.ClientId;
        oidcOptions.ClientSecret = adminConfiguration.ClientSecret;
        oidcOptions.ResponseType = adminConfiguration.OidcResponseType;

        // Replace the middleware's default scope set with the configured list.
        oidcOptions.Scope.Clear();
        foreach (var scope in adminConfiguration.Scopes)
        {
            oidcOptions.Scope.Add(scope);
        }

        // Pull the role claim out of the user info JSON under the same key.
        oidcOptions.ClaimActions.MapJsonKey(AuthenticationConsts.RoleClaim, AuthenticationConsts.RoleClaim, AuthenticationConsts.RoleClaim);
        // SaveTokens keeps the id/access/refresh tokens in the authentication ticket
        // (and therefore in the cookie), which grows it and makes the cookie's
        // protection the only thing guarding those tokens.
        oidcOptions.SaveTokens = true;
        oidcOptions.GetClaimsFromUserInfoEndpoint = true;
        oidcOptions.TokenValidationParameters = new TokenValidationParameters
        {
            NameClaimType = JwtClaimTypes.Name,
            RoleClaimType = JwtClaimTypes.Role,
        };
        oidcOptions.Events = new OpenIdConnectEvents
        {
            OnMessageReceived = OnMessageReceived,
            OnRedirectToIdentityProvider = n => OnRedirectToIdentityProvider(n, adminConfiguration)
        };
    });
}