public AuthenticationService(IAuthConfiguration config, IPublicClientApplication publicClientApplication)
{
_accessToken = new Subject <string>();
_authResult = new Subject <AuthenticationResult>();
Config = config;
AuthClient = publicClientApplication;
}
public AuthenticationService(Func <IPublicClientApplication> pcaFactory, IAuthConfiguration configuration,
ICurrentActivity currentActivity)
{
_client = pcaFactory();
_configuration = configuration;
CurrentActivity = currentActivity;
}
public TokenGenerator(IIdentityUserManager userManager,
IAuthConfiguration authConfig,
IIdentityUserClaimsProvider claimsProvider)
{
this.userManager = userManager;
this.authConfig = authConfig;
this.claimsProvider = claimsProvider;
}
private PublicClientApplicationBuilder CreateBaseBuilder(IAuthConfiguration configuration)
{
return(PublicClientApplicationBuilder.Create(configuration.ClientId)
.WithRedirectUri(configuration.RedirectUri)
#if __IOS__
.WithIosKeychainSecurityGroup(Xamarin.Essentials.AppInfo.PackageName)
#endif
.WithLogging(AADLog, configuration.LogLevel));
}
public ChangePasswordCommandHandler(IAuthConfiguration authConfiguration, IUserRepository userRepository, IEncryptor encryptor, IPasswordValidator passwordValidator, IEmailValidator emailValidator)
{
_authConfiguration = authConfiguration;
_userRepository = userRepository;
_encryptor = encryptor;
_passwordValidator = passwordValidator;
_emailValidator = emailValidator;
_minimumPasswordLength = _authConfiguration.GetMinimumPasswordLength() ?? 8;
}
public CofoundryStartupServiceConfigurationTask(
IEnumerable <IMvcJsonOptionsConfiguration> mvcJsonOptionsConfigurations,
IEnumerable <IMvcOptionsConfiguration> mvcOptionsConfigurations,
IEnumerable <IRazorViewEngineOptionsConfiguration> razorViewEngineOptionsConfigurations,
IAuthConfiguration authConfiguration
)
{
_mvcJsonOptionsConfigurations = mvcJsonOptionsConfigurations;
_mvcOptionsConfigurations = mvcOptionsConfigurations;
_razorViewEngineOptionsConfigurations = razorViewEngineOptionsConfigurations;
_authConfiguration = authConfiguration;
}
public MongoConnection(IAuthConfiguration configuration)
{
try
{
var connectionString = configuration.DatabaseConnectionString;
var client = new MongoClient(connectionString);
this.mongoDatabase = client.GetDatabase(configuration.DatabaseName);
}
catch (Exception e)
{
throw new DatabaseException(e.Message);
}
}
private static void LogElevatedPermissions(IAuthConfiguration options, ILogger logger)
{
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
WindowsIdentity currentUser = WindowsIdentity.GetCurrent();
WindowsPrincipal principal = new WindowsPrincipal(currentUser);
if (principal.IsInRole(WindowsBuiltInRole.Administrator))
{
logger.RunningElevated();
// In the future this will need to be modified when ephemeral keys are setup
if (options.EnableNegotiate)
{
logger.DisabledNegotiateWhileElevated();
}
}
}
// in the future we should check that we aren't running root on linux (out of scope for now)
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app,
IHostingEnvironment env,
ILoggerFactory loggerFactory,
IDBInitializer initializer,
IAuthConfiguration authConfig)
{
loggerFactory.AddConsole(configuration.GetSection("Logging"));
loggerFactory.AddDebug();
app.UseCorsConfig(env)
.UseIdentity()
.UseJwtBearerTokenAuthentication(authConfig)
.UseMiddleware <ExceptionHandlingMiddleware>()
.UseSignalR2()
.UseMvc()
.UseSwagger()
.UseSwaggerUI(s => s.SwaggerEndpoint("/swagger/v1/swagger.json", "WordHunt WebAPI"));
initializer.InitDatabase().Wait();
}
public AccessTokenConfigPasswordFinder(IAuthConfiguration authConfiguration)
{
_password = authConfiguration.AccessTokenSecret.ToCharArray();
}
public EmailVerificationRepository(IAuthConfiguration authConfiguration)
{
_connectionString = authConfiguration.GetConnectionString();
}
public static IIdentityServerBuilder AddExternalValidation(this IIdentityServerBuilder builder, IAuthConfiguration configuration)
{
builder.Services.AddTransient <IExternalValidationHandler, ExternalValidationHandler>();
builder.Services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(o =>
{
o.Authority = configuration.IdentityServerBaseAddress;
o.RequireHttpsMetadata = false;
o.TokenValidationParameters = new TokenValidationParameters()
{
ValidAudiences = new List <string>()
{
configuration.ExternalValidationScope,
configuration.UserManagementScope
}
};
o.Events = new JwtBearerEvents
{
OnTokenValidated = context =>
{
var accessToken = context.SecurityToken as JwtSecurityToken;
if (accessToken != null)
{
ClaimsIdentity identity = context.Principal.Identity as ClaimsIdentity;
if (identity != null)
{
var emailClaim = accessToken.Claims.FirstOrDefault(e => e.Type == JwtClaimTypes.Email);
if (emailClaim != null)
{
identity.AddClaim(emailClaim);
}
var subjectClaim = accessToken.Claims.FirstOrDefault(e => e.Type == JwtClaimTypes.Subject);
if (subjectClaim != null)
{
identity.AddClaim(subjectClaim);
}
}
}
return(Task.CompletedTask);
},
OnChallenge = context =>
{
o.ConfigurationManager.RequestRefresh();
return(Task.CompletedTask);
},
};
});
builder.Services.AddAuthorization(options =>
{
options.AddPolicy("RequireAdmin", policy => policy.RequireRole("Admin"));
options.AddPolicy("RequireUser", policy => policy.RequireRole("User"));
options.AddPolicy("RequireExternalValidationToken", policy => policy.RequireClaim("client_id", configuration.ExternalValidationClientId));
options.AddPolicy("RequireUserManagementToken", policy => policy.RequireClaim("aud", configuration.UserManagementScope));
options.AddPolicy("RequireUserManagementOrUserToken", policy => policy.RequireAssertion(
async context => await UserUpdatePolicyAsync(context, configuration)
));
});
return(builder);
}
public RequestAuthPreProcessorBehavior(IMediator mediator, ICurrentUserService currentUserService, IAuthConfiguration authConfig)
{
_mediator = mediator;
_currentUserService = currentUserService;
_authConfig = authConfig;
}
private static bool UserManagementOrAnalystValidation(AuthorizationHandlerContext context, IAuthConfiguration configuration)
{
if (context.User.HasClaim(c => c.Type == "aud" && c.Value == configuration.UserManagementScope))
{
return(true);
}
if (context.User.IsInRole("Analyst"))
{
return(true);
}
return(false);
}
private static async Task <bool> UserUpdatePolicyAsync(this AuthorizationHandlerContext context, IAuthConfiguration configuration)
{
if (UserManagementOrAnalystValidation(context, configuration))
{
return(true);
}
var claimUsername = context.User.Claims.Where(e => e.Type == "username").FirstOrDefault()?.Value;
var requestUsername = (await context.GetResourceBodyAs <UserUpdateRequest>())?.Username;
if (string.IsNullOrWhiteSpace(claimUsername) || string.IsNullOrWhiteSpace(requestUsername))
{
return(false);
}
if (requestUsername == claimUsername)
{
return(true);
}
return(false);
}
private async Task <AuthResults> Auth(AuthDetails details)
{
AuthResults result = new AuthResults();
try
{
IAuthConfiguration conf = this._configlist.GetAuthConfiguration(details.Provider);
if (conf == null)
{
throw new ArgumentException("Provider not found");
}
ILogin login = conf.GetLogin(details.Username, details.Password);
if (login.IsAuthenticated)
{
result.Name = login.GivenName;
result.IsAuthenticated = true;
if (login.IsAuthorised == false)
{
result.Message = "You are not authorised to use BirdsNest. Please contact your administrator";
this._logger.LogWarning("Login not authorised: {username}", details.Username);
return(result);
}
var claims = new List <Claim> {
new Claim(ClaimTypes.GivenName, login.GivenName, conf.Name),
new Claim(ClaimTypes.Name, login.Name, conf.Name),
new Claim(ClaimTypes.Surname, login.Surname, conf.Name),
new Claim(ClaimTypes.Sid, login.ID, conf.Name)
};
if (login.IsUser)
{
claims.Add(new Claim(Types.BirdsNestUsersClaim, TRUE_STRING, ClaimValueTypes.Boolean, conf.Name));
}
if (login.IsAdmin)
{
result.IsAdmin = true;
claims.Add(new Claim(Types.BirdsNestAdminsClaim, TRUE_STRING, ClaimValueTypes.Boolean, conf.Name));
}
var userIdentity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
var userPrincipal = new ClaimsPrincipal(userIdentity);
var authProperties = new AuthenticationProperties
{
ExpiresUtc = DateTime.UtcNow.AddSeconds(login.TimeoutSeconds),
IsPersistent = false,
AllowRefresh = true
};
await this.HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, userPrincipal, authProperties);
result.IsAuthorized = true;
result.Message = "OK";
this._logger.LogInformation("Login successful: {username}", details.Username);
}
else
{
result.Message = "Login failed";
}
result.IsProcessed = true;
}
catch (Exception e)
{
result.Message = "There was an error logging in: " + e.Message;
this._logger.LogWarning("Login error: {username}. Error: {error}", details.Username, e.Message);
this._logger.LogTrace(e, "Login error stacktrace");
}
return(result);
}
public ClaimAuthorizationHandler(IAuthConfiguration authConfiguration)
{
_authIssuer = authConfiguration.AuthIssuer;
}
public UserRepository(IAuthConfiguration authConfiguration)
{
_connectionString = authConfiguration.GetConnectionString();
}
public RefreshTokenRepository(IAuthConfiguration authConfiguration)
{
_connectionString = authConfiguration.GetConnectionString();
}
public JwtTokenFactory(IAuthConfiguration authConfiguration)
{
this.authConfiguration = authConfiguration;
}
public ExternalValidationHandler(IClientStore clientStore, IAuthConfiguration configuration)
{
this.clientStore = clientStore;
this.configuration = configuration;
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(
IApplicationBuilder app,
IHostApplicationLifetime lifetime,
IWebHostEnvironment env,
IAuthConfiguration options,
AddressListenResults listenResults,
MonitorApiKeyConfigurationObserver optionsObserver,
ILogger <Startup> logger)
{
// These errors are populated before Startup.Configure is called because
// the KestrelServer class is configured as a prerequisite of
// GenericWebHostServer being instantiated. The GenericWebHostServer invokes
// Startup.Configure as part of its StartAsync method. This method is the
// first opportunity to log anything through ILogger (a dedicated HostedService
// could be written for this, but there is no guarantee that service would run
// after the GenericWebHostServer is instantiated but before it is started).
foreach (AddressListenResult result in listenResults.Errors)
{
logger.UnableToListenToAddress(result.Url, result.Exception);
}
// If we end up not listening on any ports, Kestrel defaults to port 5000. Make sure we don't attempt this.
// Startup.Configure is called before KestrelServer is started
// by the GenericWebHostServer, so there is no duplication of logging errors
// and Kestrel does not bind to default ports.
if (!listenResults.AnyAddresses)
{
// This is logged by GenericWebHostServer.StartAsync
throw new MonitoringException(Strings.ErrorMessage_UnableToBindUrls);
}
lifetime.ApplicationStarted.Register(() => LogBoundAddresses(app.ServerFeatures, listenResults, logger));
LogElevatedPermissions(options, logger);
// Start listening for options changes so they can be logged when changed.
optionsObserver.Initialize();
if (options.KeyAuthenticationMode == KeyAuthenticationMode.NoAuth)
{
logger.NoAuthentication();
}
else
{
if (options.KeyAuthenticationMode == KeyAuthenticationMode.TemporaryKey)
{
logger.LogTempKey(options.TemporaryJwtKey.Token);
}
//Auth is enabled and we are binding on http. Make sure we log a warning.
string hostingUrl = Configuration.GetValue <string>(WebHostDefaults.ServerUrlsKey);
string[] urls = ConfigurationHelper.SplitValue(hostingUrl);
foreach (string url in urls)
{
BindingAddress address = null;
try
{
address = BindingAddress.Parse(url);
}
catch (Exception)
{
continue;
}
if (string.Equals(Uri.UriSchemeHttp, address.Scheme, StringComparison.OrdinalIgnoreCase))
{
logger.InsecureAuthenticationConfiguration();
break;
}
}
}
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseHsts();
}
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
CorsConfigurationOptions corsConfiguration = new CorsConfigurationOptions();
Configuration.Bind(ConfigurationKeys.CorsConfiguration, corsConfiguration);
if (!string.IsNullOrEmpty(corsConfiguration.AllowedOrigins))
{
app.UseCors(builder => builder.WithOrigins(corsConfiguration.GetOrigins()).AllowAnyHeader().AllowAnyMethod());
}
// Disable response compression due to ASP.NET 6.0 bug:
// https://github.com/dotnet/aspnetcore/issues/36960
//app.UseResponseCompression();
//Note this must be after UseRouting but before UseEndpoints
app.UseMiddleware <RequestLimitMiddleware>();
app.UseEndpoints(builder =>
{
builder.MapControllers();
});
}
public AuthenticationService(Func <IPublicClientApplication> pcaFactory, IAuthConfiguration configuration)
{
_client = pcaFactory();
_configuration = configuration;
}
internal static string GetB2CAuthority(this IAuthConfiguration config) => config.GetB2CAuthority(config.Policy);
public ClientCredentialsRequestValidator(IAuthConfiguration authConfiguration) => this.authConfiguration = authConfiguration;
internal static string GetB2CAuthority(this IAuthConfiguration config, string policy)
{
return($"https://{config.TenantName}.b2clogin.com/tfp/{config.FullyQualifiedTenantName}/{policy}");
}
/// <summary>
/// Jwt Bearer Authentication config
/// </summary>
/// <param name="app"></param>
/// <param name="authConfig"></param>
/// <returns></returns>
public static IApplicationBuilder UseJwtBearerTokenAuthentication(this IApplicationBuilder app, IAuthConfiguration authConfig)
{
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
AutomaticAuthenticate = true,
AutomaticChallenge = true,
TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(authConfig.TokenKey)),
ValidateLifetime = true,
ValidateAudience = true,
ValidAudience = authConfig.Audience,
ValidateIssuer = true,
ValidIssuer = authConfig.Issuer
}
});
return(app);
}
public RefreshTokenConfigPasswordFinder(IAuthConfiguration authConfiguration)
{
_password = authConfiguration.RefreshTokenSecret.ToCharArray();
}