/// <summary>
/// Pushes values from an SSO service binding into the JWT options and then
/// (re)builds the token validation parameters from the resulting option values.
/// </summary>
/// <param name="si">Info for the bound SSO service; may be null when nothing is bound</param>
/// <param name="options">Options to be updated in place; a null value is treated as a no-op</param>
internal static void Configure(SsoServiceInfo si, CloudFoundryJwtBearerAuthenticationOptions options)
{
    // Nothing to update: treated as a no-op rather than an error.
    if (options == null)
    {
        return;
    }

    // Only a present binding overrides the key URL; otherwise whatever was already
    // on the options (bound from configuration, or the default) is kept.
    if (si != null)
    {
        options.JwtKeyUrl = si.AuthDomain + CloudFoundryDefaults.JwtTokenUri;
    }

    // The same ValidateCertificates flag governs both the back-channel handler used to
    // fetch signing keys and the validation parameters built from it.
    var validateCertificates = options.ValidateCertificates;
    var handler = CloudFoundryHelper.GetBackChannelHandler(validateCertificates);

    options.TokenValidationParameters = CloudFoundryHelper.GetTokenValidationParameters(
        options.TokenValidationParameters,
        options.JwtKeyUrl,
        handler,
        validateCertificates);
}
/// <summary>
/// Configures and adds JWT bearer token middleware to the OWIN request pipeline
/// </summary>
/// <remarks>
/// Option values are taken from the configuration section named by
/// <c>CloudFoundryDefaults.SECURITY_CLIENT_SECTION_PREFIX</c> and, when present, from the
/// bound SSO service. When no SSO binding is found and <c>SkipAuthIfNoBoundSSOService</c> is
/// true, no middleware is added and <paramref name="appBuilder"/> is returned unchanged; this
/// component then performs no authentication for the pipeline.
/// </remarks>
/// <param name="appBuilder">Your OWIN AppBuilder</param>
/// <param name="configuration">Your application configuration</param>
/// <param name="logger">Include for diagnostic logging during app start</param>
/// <returns>Your <see cref="IAppBuilder"/></returns>
/// <exception cref="ArgumentNullException">
/// <paramref name="appBuilder"/> or <paramref name="configuration"/> is null
/// </exception>
public static IAppBuilder UseCloudFoundryJwtBearerAuthentication(this IAppBuilder appBuilder, IConfiguration configuration, ILogger logger = null)
{
    if (appBuilder == null)
    {
        throw new ArgumentNullException(nameof(appBuilder));
    }

    if (configuration == null)
    {
        throw new ArgumentNullException(nameof(configuration));
    }

    // Start from defaults, then layer application configuration on top.
    var options = new CloudFoundryJwtBearerAuthenticationOptions();
    configuration
        .GetSection(CloudFoundryDefaults.SECURITY_CLIENT_SECTION_PREFIX)
        .Bind(options);

    // A bound SSO service (if any) is applied last, on top of the configured values.
    var serviceInfo = configuration.GetSingletonServiceInfo<SsoServiceInfo>();
    CloudFoundryJwtOwinConfigurer.Configure(serviceInfo, options);

    // REVIEW: with no binding and SkipAuthIfNoBoundSSOService enabled, the middleware is not
    // registered at all. This was presumably written to support local development; the option
    // to disable the skip was added, but the default is left this way for now to avoid a
    // breaking change. Note that in this case the pipeline carries no JWT authentication.
    var skipMiddleware = serviceInfo == null && options.SkipAuthIfNoBoundSSOService;
    if (!skipMiddleware)
    {
        return appBuilder.UseJwtBearerAuthentication(options);
    }

    logger?.LogWarning("SSO Service binding not detected, JWT Bearer middleware has not been added!");
    logger?.LogInformation("To include JWT Bearer middleware when bindings aren't found, set security:oauth2:client:SkipAuthIfNoBoundSSOService=false");
    return appBuilder;
}
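/// <summary>
/// Configures and adds JWT bearer token middleware to the OWIN request pipeline, taking
/// the token signing key URL from the bound SSO service.
/// </summary>
/// <param name="app">Your OWIN AppBuilder</param>
/// <param name="config">Your application configuration</param>
/// <returns>
/// <paramref name="app"/> with the JWT bearer middleware added. When no SSO service binding
/// is found, <paramref name="app"/> is returned unchanged and no authentication middleware
/// is registered; there is no logger in this overload, so that case is silent.
/// </returns>
/// <exception cref="ArgumentNullException">
/// <paramref name="app"/> or <paramref name="config"/> is null
/// </exception>
public static IAppBuilder UseCloudFoundryJwtBearerAuthentication(this IAppBuilder app, IConfiguration config)
{
    // Validate up front: without these checks a null config surfaces as a
    // NullReferenceException inside GetSection, and a null app only fails once a binding exists.
    if (app == null)
    {
        throw new ArgumentNullException(nameof(app));
    }

    if (config == null)
    {
        throw new ArgumentNullException(nameof(config));
    }

    // Defaults first, then the application's configuration section on top.
    var cloudFoundryOptions = new CloudFoundryJwtBearerAuthenticationOptions();
    var securitySection = config.GetSection(CloudFoundryDefaults.SECURITY_CLIENT_SECTION_PREFIX);
    securitySection.Bind(cloudFoundryOptions);

    // No binding: nothing is added to the pipeline.
    SsoServiceInfo si = config.GetSingletonServiceInfo<SsoServiceInfo>();
    if (si == null)
    {
        return app;
    }

    // ValidateCertificates governs both the back-channel handler used to fetch signing keys
    // and the validation parameters themselves.
    var jwtTokenUrl = si.AuthDomain + CloudFoundryDefaults.JwtTokenKey;
    var httpMessageHandler = CloudFoundryHelper.GetBackChannelHandler(cloudFoundryOptions.ValidateCertificates);
    var tokenValidationParameters = GetTokenValidationParameters(jwtTokenUrl, httpMessageHandler, cloudFoundryOptions.ValidateCertificates);

    return app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
    {
        TokenValidationParameters = tokenValidationParameters,
    });
}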
/// <summary>
/// Pushes the key URL from an SSO service binding into the Cloud Foundry JWT options.
/// </summary>
/// <param name="si">Info for the bound SSO service; may be null when nothing is bound</param>
/// <param name="jwtOptions">
/// Underlying JWT bearer options; currently only checked for null, not modified (see the
/// disabled copy at the end of the method)
/// </param>
/// <param name="options">Options to be updated in place</param>
internal static void Configure(SsoServiceInfo si, JwtBearerAuthenticationOptions jwtOptions, CloudFoundryJwtBearerAuthenticationOptions options)
{
    // Either options object missing: treated as a no-op rather than an error.
    var anyMissing = jwtOptions == null || options == null;
    if (anyMissing)
    {
        return;
    }

    // Without a binding there is nothing to copy; the existing JwtKeyUrl is kept.
    if (si == null)
    {
        return;
    }

    options.JwtKeyUrl = si.AuthDomain + CloudFoundryDefaults.JwtTokenKey;

    // NOTE: the copy from options into jwtOptions is disabled, so jwtOptions is returned to the
    // caller exactly as it was passed in. Disabled lines kept for reference:
    // jwtOptions.ClaimsIssuer = options.ClaimsIssuer;
    // jwtOptions.BackchannelHttpHandler = CloudFoundryHelper.GetBackChannelHandler(options.ValidateCertificates);
    // jwtOptions.TokenValidationParameters = GetTokenValidationParameters(jwtOptions.TokenValidationParameters, options.JwtKeyUrl, jwtOptions.BackchannelHttpHandler, options.ValidateCertificates);
    // jwtOptions.SaveToken = options.SaveToken;
}