/// <summary>
        /// Validates this instance: each required setting is tested in turn with
        /// <c>IsNullOrEmpty()</c>, the first one that fails aborts validation, and if all pass
        /// the call is handed on to <c>base.Validate()</c>.
        /// </summary>
        /// <remarks>
        /// Settings are checked in this order: InstanceName, AppId, AppSecret, TenantId,
        /// SubscriptionId, SharedAccessPolicyName. The exception messages are fixed strings that
        /// name the missing setting and never include a configured value, so the AppSecret
        /// cannot end up in logs or error pages through this method; keep it that way when
        /// adding checks.
        /// </remarks>
        /// <exception cref="System.ArgumentException">
        /// One of the settings listed above is not set. base.Validate() may throw for further
        /// requirements; earlier documentation mentioned ReceiverEntity or SenderEntity, which is
        /// not visible in this method (TODO confirm against the base class).
        /// </exception>
        public override void Validate()
        {
            // The conditional chain short-circuits, so the settings are read in the listed order
            // and nothing after the first failing one is evaluated.
            // Note: the last message says "SharedAccessPolicy" although the property tested is
            // SharedAccessPolicyName; the text is kept as callers or tests may match on it.
            var missingSettingMessage =
                InstanceName.IsNullOrEmpty() ? "InstanceName must be set"
                : AppId.IsNullOrEmpty() ? "AppId must be set"
                : AppSecret.IsNullOrEmpty() ? "AppSecret must be set"
                : TenantId.IsNullOrEmpty() ? "TenantId must be set"
                : SubscriptionId.IsNullOrEmpty() ? "SubscriptionId must be set"
                : SharedAccessPolicyName.IsNullOrEmpty() ? "SharedAccessPolicy must be set"
                : null;

            if (missingSettingMessage != null)
            {
                throw new ArgumentException(missingSettingMessage);
            }

            base.Validate();
        }
コード例 #2
ファイル: AadAuthProvider.cs プロジェクト: pslyall/Community
 /// <summary>
 /// Inspects the JWT found in <c>authInfo["access_token"]</c> before authentication is
 /// completed by the base provider. The checks run in this order: tenant ("tid") against
 /// TenantId when one is configured, client application ("appid") against ClientId, and
 /// presence of both "oid" and "upn". The first failing check ends the request with a
 /// failure redirect (or a Microsoft logout redirect for the missing-user-id case).
 /// </summary>
 /// <remarks>
 /// NOTE(review): no signature, issuer, audience or lifetime validation of the token is
 /// visible in this method; the claims compared below are only as trustworthy as the channel
 /// the token arrived on. Confirm that the token is obtained directly from the identity
 /// provider's token endpoint over TLS, or validate it before relying on its claims.
 /// </remarks>
 public override IHttpResult OnAuthenticated(IServiceBase authService, IAuthSession session, IAuthTokens tokens, Dictionary <string, string> authInfo)
 {
     try
     {
         // The value parsed here is the access_token entry (the earlier comment spoke of the
         // id_token). NOTE(review): constructing a JwtSecurityToken from a string appears to
         // only decode it — confirm where, if anywhere, the signature is verified.
         var token  = new JwtSecurityToken(authInfo["access_token"]);
         var claims = token.Payload;

         // Tenant pinning is optional: with no TenantId configured, tokens from any tenant
         // pass this step.
         var tokenTenant  = (string)claims["tid"];
         var tenantPinned = !TenantId.IsNullOrEmpty();
         if (tenantPinned && TenantId != tokenTenant)
         {
             var tenantFailure = new NameValueCollection
             {
                 { "error", "mismatched-tenant" },
                 { "error_description", "Mismatched Tenant ID in JWT token" }
             };
             return RedirectDueToFailure(authService, session, tenantFailure);
         }

         // Only "appid" is compared with ClientId; an audience ("aud") check was sketched
         // here at some point but is not active.
         var tokenClient = (string)claims["appid"];
         if (tokenClient != ClientId)
         {
             var clientFailure = new NameValueCollection
             {
                 { "error", "mismatched-client-app" },
                 { "error_description", "Mismatched Client ID in JWT token" }
             };
             return RedirectDueToFailure(authService, session, clientFailure);
         }

         var hasUserIdentity = claims.ContainsKey("oid") && claims.ContainsKey("upn");
         if (!hasUserIdentity)
         {
             var identityFailure = new NameValueCollection
             {
                 { "error", "missing-user-id" },
                 { "error_description", "Missing 'oid' or 'upn' in JWT token. " +
                   "This may imply the user logged into the wrong account. " +
                   "For example, the user may have logged into their Microsoft Account " +
                   "rather than their organizational account." }
             };
             FailAndLogError(session, identityFailure);

             // The user needs a way out of the Microsoft account session: with
             // "Keep me signed in" selected, Microsoft keeps returning the same token without
             // prompting for other credentials, so the user would otherwise be stuck.
             // TODO: briefly show the user a message explaining why they are being signed out
             return RedirectToMicrosoftLogout(authService);
         }
     }
     catch (Exception ex)
     {
         // Fail closed: any exception raised above (for example a missing "access_token" entry
         // in authInfo) is logged server-side and the client only receives a generic error.
         Log.Error("Reading JWT token", ex);
         var parseFailure = new NameValueCollection
         {
             { "error", "bad-jwt" },
             { "error_description", "Problem checking the JWT token" }
         };
         return RedirectDueToFailure(authService, session, parseFailure);
     }

     // All checks passed; let the base provider complete authentication.
     return base.OnAuthenticated(authService, session, tokens, authInfo);
 }