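/// <summary>
/// Rewrites the outgoing OpenID Connect authorization request so that it targets the B2C
/// tenant, client id and policy carried as headers on the current response. The user is sent
/// to the error page when any of the three settings is missing, or when the B2C metadata
/// document for that tenant/policy cannot be retrieved.
/// </summary>
/// <param name="notification">The OWIN redirect notification for the pending request.</param>
private async Task OnRedirectToIdentityProvider(RedirectToIdentityProviderNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
{
    var headers = notification.Response.Headers;

    // The three settings travel on the *response* header collection. Each header value is a
    // string[]; only the first element is used, and a missing or blank value aborts the flow.
    string[] tenantValues, clientIdValues, policyValues;
    headers.TryGetValue("tenant", out tenantValues);
    headers.TryGetValue("client_id", out clientIdValues);
    headers.TryGetValue("policy", out policyValues);

    string tenant = FirstValueOrNull(tenantValues);
    string clientId = FirstValueOrNull(clientIdValues);
    string policy = FirstValueOrNull(policyValues);

    if (string.IsNullOrEmpty(tenant) || string.IsNullOrEmpty(clientId) || string.IsNullOrEmpty(policy))
    {
        notification.HandleResponse();
        notification.Response.Redirect("/Home/Error?message=You need to input your app settings before you can try this flow.");
        return;
    }

    try
    {
        // The tenant value becomes a path segment of the metadata URL. Percent-encoding it keeps
        // a malformed value (one containing '/', '?', '#' or '@') from steering the metadata
        // request to another path or host; valid tenant ids (GUIDs, *.onmicrosoft.com) are unchanged.
        string metadataAddress = string.Format(
            "https://login.microsoftonline.com/{0}/v2.0/.well-known/openid-configuration",
            Uri.EscapeDataString(tenant));
        var configurationManager = new B2CConfigurationManager(metadataAddress);
        OpenIdConnectConfiguration config = await configurationManager.GetConfigurationAsync(CancellationToken.None, policy);

        notification.ProtocolMessage.IssuerAddress = config.AuthorizationEndpoint;
        notification.ProtocolMessage.ClientId = clientId;
        // Always ask for fresh credentials instead of reusing an existing identity-provider session.
        notification.ProtocolMessage.SetParameter("prompt", "login");

        // The settings have been consumed; do not send them to the client with the response.
        headers.Remove("tenant");
        headers.Remove("client_id");
        headers.Remove("policy");
    }
    catch (Exception)
    {
        // Best effort: any failure (unknown tenant, unreachable metadata endpoint, unknown policy)
        // is reported through the error page rather than surfacing as an unhandled exception.
        notification.HandleResponse();
        notification.Response.Redirect("/Home/Error?message=Are you SURE you entered your app settings correctly?");
    }
}

/// <summary>
/// Returns the first element of a header value array, or null when the header was absent or empty.
/// </summary>
/// <param name="values">The raw header values, possibly null.</param>
/// <returns>The first value, or null.</returns>
private static string FirstValueOrNull(string[] values)
{
    return values != null && values.Length > 0 ? values[0] : null;
}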
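/// <summary>
/// Handles redirects to the identity provider that were triggered by the SingleSignOut
/// javascript (a challenge issued from the SessionChanged action). The OIDC "state" of the
/// check is recorded in the protected authentication cookie so the SessionChanged controller
/// can recognise the response to this particular prompt=none request. Every other challenge is
/// left untouched.
/// </summary>
/// <param name="notification">The OWIN redirect notification for the pending request.</param>
/// <returns>A completed task.</returns>
/// <exception cref="InvalidOperationException">
/// Thrown when the signed-in user carries no "issEndpoint" claim, which is required to target
/// the tenant-specific authorization endpoint.
/// </exception>
public static Task RedirectToIdentityProvider(RedirectToIdentityProviderNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
{
    UrlHelper url = new UrlHelper(HttpContext.Current.Request.RequestContext);
    string sessionChangedPath = url.Action("SessionChanged", "Account");

    // Only challenges issued by the SingleSignOut javascript are handled here.
    if (notification.Request.Uri.AbsolutePath != sessionChangedPath)
    {
        return Task.FromResult<object>(null);
    }

    ICookieManager cookieManager = new ChunkingCookieManager();
    string cookie = cookieManager.GetRequestCookie(notification.OwinContext, CookieName);

    // A missing, expired or tampered cookie yields no ticket. Without a ticket there is nothing
    // to annotate, so the state marker is not recorded and the SessionChanged controller will
    // simply not match this response (instead of this method failing with a NullReferenceException).
    AuthenticationTicket ticket = cookie == null ? null : ticketDataFormat.Unprotect(cookie);
    if (ticket != null)
    {
        if (ticket.Properties.Dictionary != null)
        {
            ticket.Properties.Dictionary[OpenIdConnectAuthenticationDefaults.AuthenticationType + "SingleSignOut"] = notification.ProtocolMessage.State;
        }

        // This rewrites the authentication cookie itself: keep it HttpOnly and Secure (when the
        // request is HTTPS) so the re-issued cookie is not weaker than the one the cookie
        // middleware originally set. Default CookieOptions would drop both flags.
        var cookieOptions = new CookieOptions
        {
            HttpOnly = true,
            Secure = notification.Request.IsSecure,
        };
        cookieManager.AppendResponseCookie(notification.OwinContext, CookieName, ticketDataFormat.Protect(ticket), cookieOptions);
    }

    // The check is a silent prompt=none request against the tenant-specific endpoint captured at sign-in.
    var issuerEndpoint = notification.OwinContext.Authentication.User?.FindFirst("issEndpoint");
    if (string.IsNullOrEmpty(issuerEndpoint?.Value))
    {
        throw new InvalidOperationException("The signed-in user has no 'issEndpoint' claim; the session-check request cannot be built.");
    }

    notification.ProtocolMessage.Prompt = "none";
    notification.ProtocolMessage.IssuerAddress = issuerEndpoint.Value;
    string redirectUrl = notification.ProtocolMessage.BuildRedirectUrl();
    notification.Response.Redirect(sessionChangedPath + "?" + redirectUrl);
    notification.HandleResponse();

    return Task.FromResult<object>(null);
}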
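/// <summary>
/// Marks an authentication failure as handled so the OpenID Connect middleware does not rethrow it.
/// </summary>
/// <param name="context">The OWIN context of the failed request; not used by this implementation.</param>
/// <param name="baseNotif">The failure notification to mark as handled.</param>
/// <remarks>
/// No throwaway <c>RedirectToIdentityProviderNotification</c> is built here: calling
/// <c>HandleResponse()</c> on a locally constructed notification is never observed by the
/// middleware and has no effect. NOTE(review): handling the failure without writing a response
/// or a redirect lets the pipeline continue with the current, unauthenticated response; confirm
/// that is the intended outcome for callers.
/// </remarks>
public void OnAuthenticationFailed(IOwinContext context, BaseNotification<OpenIdConnectAuthenticationOptions> baseNotif)
{
    baseNotif.HandleResponse();
}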
/// <summary>
/// Breaks the 401 → federation server → 401 redirect loop: a request whose caller is already
/// authenticated but was rejected with 401 is answered with 403 instead of a fresh challenge.
/// </summary>
/// <param name="context">The OWIN redirect notification for the pending challenge.</param>
protected virtual void AvoidRedirectLoop(RedirectToIdentityProviderNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
{
    var response = context.OwinContext.Response;
    if (response.StatusCode != 401)
    {
        return;
    }

    var identity = context.OwinContext.Authentication.User?.Identity;
    if (identity == null || !identity.IsAuthenticated)
    {
        return;
    }

    // The caller is known but not authorized: a 403 stops the middleware from challenging again.
    response.StatusCode = 403;
    context.HandleResponse();
}
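/// <summary>
/// On sign-out, sends the browser to the provider's end-session endpoint carrying the
/// id_token_hint and post_logout_redirect_uri parameters, then marks the response as handled.
/// Sign-in redirects are left untouched.
/// </summary>
/// <param name="notification">The OWIN redirect notification for the pending request.</param>
/// <returns>A completed task.</returns>
private Task OnRedirectToIdentityProvider(RedirectToIdentityProviderNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
{
    if (notification.ProtocolMessage.RequestType != OpenIdConnectRequestType.Logout)
    {
        return Task.FromResult(0);
    }

    var postLogoutRedirectUri = notification.ProtocolMessage.PostLogoutRedirectUri;
    // The id token captured at sign-in is stored as a claim. When it is absent the hint is
    // omitted from the request instead of failing with a NullReferenceException.
    var idTokenHint = notification.OwinContext.Authentication.User?.FindFirst("id_token_hint")?.Value;

    string query = string.Empty;
    if (!string.IsNullOrEmpty(idTokenHint))
    {
        notification.ProtocolMessage.IdTokenHint = idTokenHint;
        query = "id_token_hint=" + System.Uri.EscapeDataString(idTokenHint);
    }
    if (!string.IsNullOrEmpty(postLogoutRedirectUri))
    {
        // Percent-encode the value: a redirect URI with its own query string would otherwise
        // corrupt the end-session query string.
        query += (query.Length > 0 ? "&" : string.Empty)
            + "post_logout_redirect_uri=" + System.Uri.EscapeDataString(postLogoutRedirectUri);
    }

    var logoutUri = openIdConnectConfiguration.EndSessionEndpoint;
    if (query.Length > 0)
    {
        // Respect an end-session endpoint that already carries query parameters.
        logoutUri += (logoutUri.Contains("?") ? "&" : "?") + query;
    }

    notification.Response.Redirect(logoutUri);
    notification.HandleResponse();
    return Task.FromResult(0);
}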
/// <summary>
/// Default handling of a redirect to the identity provider: selects the return URI matching
/// the site currently being served, suppresses the redirect loop for authenticated-but-forbidden
/// users, and leaves a bare 401 in place for XHR requests instead of redirecting them to a login screen.
/// </summary>
/// <param name="context">The OWIN redirect notification for the pending challenge.</param>
/// <returns>A completed task.</returns>
protected virtual Task DefaultRedirectToIdentityProvider(RedirectToIdentityProviderNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
{
    var message = context.ProtocolMessage;
    // Multi-site support: the registered return URI differs per site, e.g.
    // https://your-first-site/vipps-login versus https://your-second-site/vipps-login.
    message.RedirectUri = GetMultiSiteRedirectUri(message.RedirectUri, context.Request);

    AvoidRedirectLoop(context);

    var owinContext = context.OwinContext;
    bool isUnauthorizedXhr = owinContext.Response.StatusCode == 401
        && VippsHelpers.IsXhrRequest(owinContext.Request);
    if (isUnauthorizedXhr)
    {
        // A browser XHR cannot follow a redirect to a login screen; keep the 401.
        context.HandleResponse();
    }

    return Task.FromResult(0);
}
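/// <summary>
/// Handles challenges issued by the SingleSignOut javascript (requests to /Account/SessionChanged):
/// records the OIDC "state" of the check in an app-specific cookie, turns the request into a
/// silent prompt=none request and sends it back through the SessionChanged action. Other
/// challenges are left untouched.
/// </summary>
/// <param name="notification">The OWIN redirect notification for the pending request.</param>
/// <returns>A completed task.</returns>
public static Task RedirectToIdentityProvider(RedirectToIdentityProviderNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
{
    if (notification.Request.Path.Value != "/Account/SessionChanged")
    {
        return Task.FromResult<object>(null);
    }

    // The marker cookie is only read back by the server: HttpOnly keeps it away from scripts,
    // Secure keeps it off plain HTTP when the request itself arrived over HTTPS.
    var cookieOptions = new Microsoft.Owin.CookieOptions
    {
        HttpOnly = true,
        Secure = notification.Request.IsSecure,
    };
    notification.Response.Cookies.Append("SingleSignOut" + clientId, notification.ProtocolMessage.State, cookieOptions);

    notification.ProtocolMessage.Prompt = "none";
    // Build the redirect URL once; it becomes the query string of the SessionChanged action.
    string redirectUrl = notification.ProtocolMessage.BuildRedirectUrl();
    notification.Response.Redirect("/Account/SessionChanged?" + redirectUrl);
    notification.HandleResponse();

    return Task.FromResult<object>(null);
}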
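/*
 * On each call to Azure AD B2C, check if a policy (e.g. the profile edit or password reset policy)
 * has been specified in the OWIN context. If so, use that policy when making the call.
 */
private Task OnRedirectToIdentityProvider(RedirectToIdentityProviderNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
{
    // Paths are compared ordinally and case-sensitively, exactly as the routes are written here.
    switch (notification.Request.Path.Value)
    {
        case "/Account/SignUp":
        case "/Account/SignIn":
        case "/Account/EditProfile":
        case "/Account/ResetPassword":
        case "/Account/SignOut":
            ApplyPolicyOverride(notification);
            break;

        default:
            // A challenge raised from any other path is not an expected entry point into the B2C flows.
            notification.Response.StatusCode = 401;
            notification.Response.Redirect("/Home/Error?message=Access Denied");
            notification.HandleResponse();
            break;
    }

    return Task.FromResult(0);
}

/// <summary>
/// If a non-default policy name was placed in the OWIN environment under "Policy", swaps the
/// default policy name for it inside the issuer address of the outgoing request.
/// </summary>
/// <param name="notification">The OWIN redirect notification whose protocol message is edited in place.</param>
private static void ApplyPolicyOverride(RedirectToIdentityProviderNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
{
    var policy = notification.OwinContext.Get<string>("Policy");
    if (string.IsNullOrEmpty(policy) || policy.Equals(Globals.DefaultPolicy))
    {
        return;
    }

    // The issuer address is lower-cased so the replacement is case-insensitive.
    // NOTE(review): the policy value is spliced into the authorization URL without validation;
    // confirm it is only ever set server-side (by the application's controllers) and never from request input.
    notification.ProtocolMessage.IssuerAddress = notification.ProtocolMessage.IssuerAddress
        .ToLower()
        .Replace(Globals.DefaultPolicy.ToLower(), policy.ToLower());
}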
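/// <summary>
/// Handles redirects to the identity provider that were triggered by the SingleSignOut
/// javascript (a challenge issued from the SessionChanged action). The OIDC "state" of the
/// check is recorded in the protected authentication cookie so the SessionChanged controller
/// can recognise the response to this particular prompt=none request. Every other challenge is
/// left untouched.
/// </summary>
/// <param name="notification">The OWIN redirect notification for the pending request.</param>
/// <returns>A completed task.</returns>
/// <exception cref="InvalidOperationException">
/// Thrown when the signed-in user carries no "issEndpoint" claim, which is required to target
/// the tenant-specific authorization endpoint.
/// </exception>
public static Task RedirectToIdentityProvider(RedirectToIdentityProviderNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
{
    UrlHelper url = new UrlHelper(HttpContext.Current.Request.RequestContext);
    string sessionChangedPath = url.Action("SessionChanged", "Account");

    // Only challenges issued by the SingleSignOut javascript are handled here.
    if (notification.Request.Uri.AbsolutePath != sessionChangedPath)
    {
        return Task.FromResult<object>(null);
    }

    ICookieManager cookieManager = new ChunkingCookieManager();
    string cookie = cookieManager.GetRequestCookie(notification.OwinContext, CookieName);

    // A missing, expired or tampered cookie yields no ticket. Without a ticket there is nothing
    // to annotate, so the state marker is not recorded and the SessionChanged controller will
    // simply not match this response (instead of this method failing with a NullReferenceException).
    AuthenticationTicket ticket = cookie == null ? null : ticketDataFormat.Unprotect(cookie);
    if (ticket != null)
    {
        if (ticket.Properties.Dictionary != null)
        {
            ticket.Properties.Dictionary[OpenIdConnectAuthenticationDefaults.AuthenticationType + "SingleSignOut"] = notification.ProtocolMessage.State;
        }

        // This rewrites the authentication cookie itself: keep it HttpOnly and Secure (when the
        // request is HTTPS) so the re-issued cookie is not weaker than the one the cookie
        // middleware originally set. Default CookieOptions would drop both flags.
        var cookieOptions = new CookieOptions
        {
            HttpOnly = true,
            Secure = notification.Request.IsSecure,
        };
        cookieManager.AppendResponseCookie(notification.OwinContext, CookieName, ticketDataFormat.Protect(ticket), cookieOptions);
    }

    // The check is a silent prompt=none request against the tenant-specific endpoint captured at sign-in.
    var issuerEndpoint = notification.OwinContext.Authentication.User?.FindFirst("issEndpoint");
    if (string.IsNullOrEmpty(issuerEndpoint?.Value))
    {
        throw new InvalidOperationException("The signed-in user has no 'issEndpoint' claim; the session-check request cannot be built.");
    }

    notification.ProtocolMessage.Prompt = "none";
    notification.ProtocolMessage.IssuerAddress = issuerEndpoint.Value;
    string redirectUrl = notification.ProtocolMessage.BuildRedirectUrl();
    notification.Response.Redirect(sessionChangedPath + "?" + redirectUrl);
    notification.HandleResponse();

    return Task.FromResult<object>(null);
}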