public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] {"*"});
var identity = new ClaimsIdentity(DefaultAuthenticationTypes.ApplicationCookie);
var userManager = Startup.UserManagerFactory();
var user = await userManager.FindAsync(context.UserName, context.Password);
if (user == null)
{
context.SetError("invalid_grant", "The user name or password is incorrect.");
return;
}
identity.AddClaim(new Claim("id", user.StaffId.ToString()));
identity.AddClaim(new Claim(ClaimTypes.Name, user.UserName));
var listOfRoles = await userManager.GetRolesAsync(user.Id);
if (listOfRoles.Contains("admin"))
{
identity.AddClaim(new Claim("role", "admin"));
}
else
{
identity.AddClaim(new Claim("role", "user"));
}
context.Validated(identity);
var ctx = HttpContext.Current.GetOwinContext();
var authManager = ctx.Authentication;
authManager.SignIn(identity);
}
public ActionResult Authorize()
{
var claims = new ClaimsPrincipal(User).Claims.ToArray();
var identity = new ClaimsIdentity(claims, "Bearer");
AuthenticationManager.SignIn(identity);
return new EmptyResult();
}
protected override async Task<HttpResponseMessage> SendAsync(
HttpRequestMessage request, CancellationToken cancellationToken)
{
var cert = request.GetClientCertificate();
if (cert == null) return await base.SendAsync(request, cancellationToken);
try
{
_validator.Validate(cert);
}
catch (SecurityTokenValidationException)
{
return new HttpResponseMessage(HttpStatusCode.Unauthorized);
}
var issuer = _issuerMapper(cert);
if (issuer == null)
{
return new HttpResponseMessage(HttpStatusCode.Unauthorized);
}
var claims = ExtractClaims(cert, issuer);
var identity = new ClaimsIdentity(new ClaimsIdentity(claims, X509AuthnMethod));
AddIdentityToCurrentPrincipal(identity, request);
return await base.SendAsync(request, cancellationToken);
}
private void ValidateResponseAndSignIn(TokenResponse response)
{
if (!string.IsNullOrWhiteSpace(response.IdentityToken))
{
var tokenClaims = ValidateToken(response.IdentityToken);
var claims = new List<Claim>(from c in tokenClaims
where c.Type != "iss" &&
c.Type != "aud" &&
c.Type != "nbf" &&
c.Type != "exp" &&
c.Type != "iat" &&
c.Type != "amr" &&
c.Type != "idp"
select c);
if (!string.IsNullOrWhiteSpace(response.AccessToken))
{
claims.Add(new Claim("access_token", response.AccessToken));
claims.Add(new Claim("expires_at", (DateTime.UtcNow.ToEpochTime() + response.ExpiresIn).ToDateTimeFromEpoch().ToString()));
}
if (!string.IsNullOrWhiteSpace(response.RefreshToken))
{
claims.Add(new Claim("refresh_token", response.RefreshToken));
}
var id = new ClaimsIdentity(claims, "Cookies");
Request.GetOwinContext().Authentication.SignIn(id);
}
}
public async static Task<IEnumerable<Claim>> GetClaims(ClaimsIdentity user)
{
List<Claim> claims = new List<Claim>();
using (edisDbEntities db = new edisDbEntities())
{
if (user.HasClaim(c => c.Type == ClaimTypes.Role && c.Value == AuthorizationRoles.Role_Client))
{
var userManager = new ApplicationUserManager(new UserStore<ApplicationUser>(new ApplicationDbContext()));
var userProfile = await userManager.FindByNameAsync(user.Name);
var client = db.Clients.FirstOrDefault(c => c.ClientUserID == userProfile.Id);
if (client != null)
{
var clientGroup = db.ClientGroups.FirstOrDefault(c => c.ClientGroupID == client.ClientGroupID);
if (clientGroup != null && clientGroup.MainClientID == client.ClientUserID)
{
claims.Add(CreateClaim(ClaimType_ClientGroupLeader, ClaimValue_ClientGroupLeader_Leader));
}
else
{
claims.Add(CreateClaim(ClaimType_ClientGroupLeader, ClaimValue_ClientGroupLeader_Member));
}
}
}
}
return claims;
}
private string IssueJwtToken(System.IdentityModel.Tokens.Jwt.JwtSecurityToken aadToken)
{
var msKey = GetTokenSignKey();
var msSigningCredentials = new Microsoft.IdentityModel.Tokens
.SigningCredentials(msKey, Microsoft.IdentityModel.Tokens.SecurityAlgorithms.HmacSha256Signature);
var claimsIdentity = new System.Security.Claims.ClaimsIdentity(new List <Claim>()
{
new Claim(ClaimTypes.NameIdentifier, "*****@*****.**"),
new Claim(ClaimTypes.Role, "admin"),
}, "MassRover.Authentication");
var msSecurityTokenDescriptor = new Microsoft.IdentityModel.Tokens.SecurityTokenDescriptor()
{
Audience = "massrover.client",
Issuer = "massrover.authservice",
Subject = claimsIdentity,
Expires = DateTime.UtcNow.AddHours(8),
SigningCredentials = msSigningCredentials
};
var tokenHandler = new System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler();
var plainToken = tokenHandler.CreateToken(msSecurityTokenDescriptor);
var signedAndEncodedToken = tokenHandler.WriteToken(plainToken);
return(signedAndEncodedToken);
}
public void ConfigureOAuth(IAppBuilder app)
{
app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions()
{
AllowInsecureHttp = true,
TokenEndpointPath = new PathString("/token"),
AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30),
Provider = new OAuthAuthorizationServerProvider
{
OnValidateClientAuthentication = async c=>c.Validated(),
OnGrantResourceOwnerCredentials = async c =>
{
using (var repo = new AuthRepository())
{
var user = await repo.FindUser(c.UserName, c.Password);
if (user == null)
{
c.Rejected();
throw new ApiException("User not existed or wrong password.");
}
}
var identity = new ClaimsIdentity(c.Options.AuthenticationType);
identity.AddClaims(new[] {new Claim(ClaimTypes.Name, c.UserName), new Claim(ClaimTypes.Role, "user")});
if (string.Equals(c.UserName, AppConfig.Manager, StringComparison.InvariantCultureIgnoreCase))
identity.AddClaims(new[] {new Claim(ClaimTypes.Name, c.UserName), new Claim(ClaimTypes.Role, "manager")});
c.Validated(identity);
}
},
});
}
/// <summary>
/// Returns a ClaimsPrincipal object with the NameIdentifier and Name claims, if the request can be
/// successfully authenticated based on query string parameter bewit or HTTP Authorization header (hawk scheme).
/// </summary>
public async Task<ClaimsPrincipal> AuthenticateAsync()
{
string bewit;
bool isBewit = Bewit.TryGetBewit(this.request, out bewit);
var authentication = isBewit ?
Bewit.AuthenticateAsync(bewit, now, request, credentialsFunc) :
HawkSchemeHeader.AuthenticateAsync(now, request, credentialsFunc);
this.result = await authentication;
if (result.IsAuthentic)
{
// At this point, authentication is successful but make sure the request parts match what is in the
// application specific data 'ext' parameter by invoking the callback passing in the request object and 'ext'.
// The application specific data is considered verified, if the callback is not set or it returns true.
bool isAppSpecificDataVerified = this.verificationCallback == null ||
this.verificationCallback(request, result.ApplicationSpecificData);
if (isAppSpecificDataVerified)
{
// Set the flag so that Server-Authorization header is not sent for bewit requests.
this.isBewitRequest = isBewit;
var idClaim = new Claim(ClaimTypes.NameIdentifier, result.Credential.Id);
var nameClaim = new Claim(ClaimTypes.Name, result.Credential.User);
var identity = new ClaimsIdentity(new[] { idClaim, nameClaim }, HawkConstants.Scheme);
return new ClaimsPrincipal(identity);
}
}
return null;
}
public string Authenticate(string Email, string Password)
{
AuthenticateService service = new AuthenticateService(_container);
if (!string.IsNullOrEmpty(Email) && !string.IsNullOrEmpty(Password))
{
var user = service.Authenticate(Email, Password);
if (user != null)
{
var authentication = Request.GetOwinContext().Authentication;
var identity = new ClaimsIdentity("Bearer");
identity.AddClaim(new Claim("name", user.Name));
identity.AddClaim(new Claim("email", user.Email));
identity.AddClaim(new Claim("userid", user.Id.ToString()));
identity.AddClaim(new Claim("usertype", user.UserType.ToString()));
identity.AddClaim(new Claim("companyid", user.Company.Id.ToString()));
identity.AddClaim(new Claim("companyname", user.Company.Name));
AuthenticationTicket ticket = new AuthenticationTicket(identity, new AuthenticationProperties());
var currentUtc = new Microsoft.Owin.Infrastructure.SystemClock().UtcNow;
ticket.Properties.IssuedUtc = currentUtc;
ticket.Properties.ExpiresUtc = currentUtc.Add(TimeSpan.FromMinutes(30));
var token = Startup.OAuthServerOptions.AccessTokenFormat.Protect(ticket);
authentication.SignIn(identity);
return token;
}
}
return "false";
}
public override async System.Threading.Tasks.Task GrantCustomExtension(OAuthGrantCustomExtensionContext context)
{
if(context.GrantType.ToLower() == "facebook")
{
var fbClient = new FacebookClient(context.Parameters.Get("accesstoken"));
dynamic mainDataResponse = await fbClient.GetTaskAsync("me", new { fields = "first_name, last_name, picture" });
dynamic friendListResponse = await fbClient.GetTaskAsync("me/friends");
var friendsResult = (IDictionary<string, object>)friendListResponse;
var friendsData = (IEnumerable<object>)friendsResult["data"];
var friendsIdList = new List<string>();
foreach (var item in friendsData)
{
var friend = (IDictionary<string, object>)item;
friendsIdList.Add((string)friend["id"]);
}
User user = await CreateOrUpdateUser(mainDataResponse.id, mainDataResponse.first_name, mainDataResponse.last_name, mainDataResponse.picture.data.url, friendsIdList);
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
identity.AddClaim(new Claim(_fbIdKey, mainDataResponse.id));
identity.AddClaim(new Claim(_idKey, user.Id.ToString()));
await base.GrantCustomExtension(context);
context.Validated(identity);
}
return;
}
public ActionResult Login(LoginViewModel model)
{
try
{
if (string.IsNullOrEmpty(model.account)) { throw new ArgumentNullException("account"); }
if (string.IsNullOrEmpty(model.password)) { throw new ArgumentNullException("password"); }
//声明
Claim[] claims =
{
new Claim(ClaimTypes.Name,model.account),
new Claim(ClaimTypes.NameIdentifier,model.account),
new Claim(ClaimTypes.Role,"normal"),
};
//注意: DefaultAuthenticationTypes.ApplicationCookie否则会导致Cookie无法写入
System.Security.Claims.ClaimsIdentity claimsIdentity = new System.Security.Claims.ClaimsIdentity(claims, DefaultAuthenticationTypes.ApplicationCookie);
authenticationManager.SignIn(new Microsoft.Owin.Security.AuthenticationProperties()
{
RedirectUri = "http://www.baidu.com/",
IsPersistent = true
}, claimsIdentity);
return Redirect("/home/");
}
catch (Exception ex)
{
ModelState.AddModelError("", ex);
}
return View(model);
}
public async Task<IActionResult> Unauthorized(string returnUrl = null)
{
const string Issuer = "https://contoso.com";
List<Claim> claims = new List<Claim>();
claims.Add(new Claim(ClaimTypes.Name, "barry", ClaimValueTypes.String, Issuer));
claims.Add(new Claim(ClaimTypes.Role, "Administrator", ClaimValueTypes.String, Issuer));
claims.Add(new Claim("EmployeeId", "123", ClaimValueTypes.String, Issuer));
claims.Add(new Claim(ClaimTypes.DateOfBirth, "1970-06-08", ClaimValueTypes.Date));
claims.Add(new Claim("BadgeNumber", "123456", ClaimValueTypes.String, Issuer));
//claims.Add(new Claim("TemporaryBadgeExpiry", DateTime.Now.AddDays(1).ToString(), ClaimValueTypes.String, Issuer));
//claims.Add(new Claim("TemporaryBadgeExpiry", DateTime.Now.AddDays(-1).ToString(), ClaimValueTypes.String, Issuer));
var userIdentity = new ClaimsIdentity("SuperSecureLogin");
userIdentity.AddClaims(claims);
var userPrincipal = new ClaimsPrincipal(userIdentity);
await HttpContext.Authentication.SignInAsync("Cookie", userPrincipal,
new AuthenticationProperties
{
ExpiresUtc = DateTime.UtcNow.AddMinutes(20),
IsPersistent = false,
AllowRefresh = false
});
return RedirectToLocal(returnUrl);
}
/// <summary>
/// 验证用户名与密码 [Resource Owner Password Credentials Grant[username与password]|grant_type=password&username=irving&password=654321]
/// </summary>
/// <param name="context"></param>
/// <returns></returns>
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
//validate user credentials (验证用户名与密码) should be stored securely (salted, hashed, iterated)
var userValid = await _accountService.ValidateUserNameAuthorizationPwdAsync(context.UserName, context.Password);
if (!userValid)
{
//context.Rejected();
context.SetError(AbpConstants.AccessDenied, AbpConstants.AccessDeniedErrorDescription);
return;
}
var claimsIdentity = new ClaimsIdentity(context.Options.AuthenticationType);
claimsIdentity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
var ticket = new AuthenticationTicket(claimsIdentity, new AuthenticationProperties());
context.Validated(ticket);
/*
//create identity
var claimsIdentity = new ClaimsIdentity(context.Options.AuthenticationType);
claimsIdentity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
claimsIdentity.AddClaim(new Claim("sub", context.UserName));
claimsIdentity.AddClaim(new Claim("role", "user"));
// create metadata to pass on to refresh token provider
var props = new AuthenticationProperties(new Dictionary<string, string>
{
{"as:client_id", context.ClientId }
});
var ticket = new AuthenticationTicket(claimsIdentity, props);
context.Validated(ticket);
*/
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
using (var projectContext = new ProjectContext())
{
using (var unitOfWork = new UnitOfWork(projectContext))
{
IdentityUser user = await unitOfWork.Users.FindUser(context.UserName, context.Password);
if (user == null)
{
context.SetError("invalid_grant", "The user name or password is incorrect.");
return;
}
}
}
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
identity.AddClaim(new Claim("sub", context.UserName));
identity.AddClaim(new Claim("role", "user"));
context.Validated(identity);
}
public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
// Dummy check here, you need to do your DB checks against membership system http://bit.ly/SPAAuthCode
if (context.UserName != context.Password)
{
context.SetError("invalid_grant", "The user name or password is incorrect");
//return;
return Task.FromResult<object>(null);
}
var identity = new ClaimsIdentity("JWT");
identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
identity.AddClaim(new Claim("sub", context.UserName));
identity.AddClaim(new Claim(ClaimTypes.Role, "Manager"));
identity.AddClaim(new Claim(ClaimTypes.Role, "Supervisor"));
var props =
new AuthenticationProperties(
new Dictionary<string, string>
{
{
"audience",
context.ClientId ?? string.Empty
}
});
var ticket = new AuthenticationTicket(identity, props);
context.Validated(ticket);
return Task.FromResult<object>(null);
}
/// <summary>
/// Verifies role against user's groups in Azure AD
/// </summary>
/// <param name="role"></param>
/// <param name="claimsIdentity"></param>
/// <returns></returns>
public static async Task <bool> CheckInRole(string role, System.Security.Claims.ClaimsIdentity claimsIdentity)
{
ObjectCache cache = MemoryCache.Default;
try
{
if (HttpContext.Current.Request.IsAuthenticated)
{
//use LazyCache to cache the groups
var cacheKey = GetCacheKey(claimsIdentity);
var groups = cache.AddOrGetExisting(cacheKey, await UserInfoHelper.GetAllGroups(claimsIdentity), _CacheItemPolicy) as List <string>;
//locate AD group tied to role
if (groups.Count > 0)
{
return(groups.Contains(ConfigurationManager.AppSettings[role]));
}
}
}
catch (Exception)
{
//TODO: Handle exception
}
return(false);
}
public async Task<ActionResult> Login(LoginModel model)
{
if (!ModelState.IsValid)
{
return View(model);
}
var blogContext = new BlogContext();
var user = await blogContext.Users.Find(x => x.Email == model.Email).SingleOrDefaultAsync();
if (user == null)
{
ModelState.AddModelError("Email", "Email address has not been registered.");
return View(model);
}
var identity = new ClaimsIdentity(new[] {
new Claim(ClaimTypes.Name, user.Name),
new Claim(ClaimTypes.Email, user.Email)
}, "ApplicationCookie");
var context = Request.GetOwinContext();
var authManager = context.Authentication;
authManager.SignIn(identity);
return Redirect(GetRedirectUrl(model.ReturnUrl));
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
var allowedOrigin = "*";
ApplicationUser appUser = null;
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { allowedOrigin });
using (AuthRepository _repo = new AuthRepository())
{
appUser = await _repo.FindUser(context.UserName, context.Password);
if (appUser == null)
{
context.SetError("invalid_grant", "The user name or password is incorrect.");
return;
}
}
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
identity.AddClaim(new Claim(ClaimTypes.Role, "User"));
identity.AddClaim(new Claim("PSK", appUser.PSK));
var props = new AuthenticationProperties(new Dictionary<string, string>
{
{
"userName", context.UserName
}
});
var ticket = new AuthenticationTicket(identity, props);
context.Validated(ticket);
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
using (var repo = new AuthRepository())
{
var user = await repo.FindUser(context.UserName, context.Password);
if (user == null)
{
context.SetError("invalid_grant", "The user name or password is incorrect.");
return;
}
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
identity.AddClaim(new Claim("id", user.Id));
var isAdmin = repo.HasRole(user, "Administrator");
identity.AddClaim(new Claim("is_admin", isAdmin.ToString()));
identity.AddClaim(isAdmin
? new Claim(ClaimTypes.Role, "Administrator")
: new Claim(ClaimTypes.Role, "DashboardUser"));
context.Validated(identity);
}
}
public async Task<ClaimsIdentity> GenerateUserIdentityAsync(UserManager<ApplicationUser> manager, ClaimsIdentity ext = null)
{
// Observe que o authenticationType precisa ser o mesmo que foi definido em CookieAuthenticationOptions.AuthenticationType
var userIdentity = await manager.CreateIdentityAsync(this, DefaultAuthenticationTypes.ApplicationCookie);
var claims = new List<Claim>();
if (!string.IsNullOrEmpty(CurrentClientId))
{
claims.Add(new Claim("AspNet.Identity.ClientId", CurrentClientId));
}
// Adicione novos Claims aqui //
// Adicionando Claims externos capturados no login, que o facebook, twitter, etc enviam para essa aplicação.
//No momento que o usuário loga, coneguimos pegar mais informações para cadastrar no Bd local.
if (ext != null)
{
await SetExternalProperties(userIdentity, ext);
}
// Gerenciamento de Claims para informaçoes do usuario
//claims.Add(new Claim("AdmRoles", "True"));
userIdentity.AddClaims(claims);
return userIdentity;
}
public ActionResult Login(LoginViewModel model, string returnUrl)
{
if (!ModelState.IsValid)
{
return View(model);
}
var data = new Data();
var users = data.users();
if (users.Any(p => p.user == model.UserName && p.password == model.Password))
{
var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, model.UserName),}, DefaultAuthenticationTypes.ApplicationCookie);
Authentication.SignIn(new AuthenticationProperties
{
IsPersistent = model.RememberMe
}, identity);
return RedirectToAction("Index", "Home");
}
else
{
ModelState.AddModelError("", "Invalid login attempt.");
return View(model);
}
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] {"*"});
try
{
using (var userManager = new UserManager<User>(new UserStore<User>(new ElearningDbContext())))
{
var user = await userManager.FindAsync(context.UserName, context.Password);
if (user == null)
{
context.SetError("invaild_grant", "The user name or password is incorrect");
return;
}
}
}
catch (Exception ex)
{
var a = ex;
throw;
}
var identity = new ClaimsIdentity("JWT");
identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
identity.AddClaim(new Claim("sub", context.UserName));
identity.AddClaim(new Claim(ClaimTypes.Role, "user"));
var properties = new AuthenticationProperties(new Dictionary<string, string>
{
{
"audience", context.ClientId ?? string.Empty
}
});
var ticket = new AuthenticationTicket(identity, properties);
context.Validated(ticket);
}
public async Task <IActionResult> VerifyLoginToken([FromBody] VerifyLoginTokenModel model)
{
var result = await _db.VerifyLoginToken(model.TokenID, model.Token);
if (result.Success)
{
var identity = new System.Security.Claims.ClaimsIdentity("LoginToken");
identity.AddClaim(new Claim(ClaimTypes.Name, result.PersonID));
identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, result.PersonID));
identity.AddClaim(new Claim(ClaimTypes.Email, result.EmailAddress));
var principal = new System.Security.Claims.ClaimsPrincipal(identity);
await this.HttpContext.Authentication.SignInAsync(Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationDefaults.AuthenticationScheme, principal, new Microsoft.AspNetCore.Http.Authentication.AuthenticationProperties()
{
IsPersistent = false,
AllowRefresh = true,
IssuedUtc = DateTimeOffset.Now,
ExpiresUtc = DateTimeOffset.Now.AddMinutes(90)
});
return(this.Ok(new
{
PersonID = result.PersonID,
EmailAddress = result.EmailAddress
}));
}
return(this.BadRequest());
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
var allowedOrigin = "*";
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { allowedOrigin });
var user = await _userAccountManager.Authenticate(context.UserName, context.Password);
if (user == null)
{
context.SetError("invalid_grant", "The user name or password is incorrect.");
return;
}
var claims = new Claim[]
{
new Claim(ClaimTypes.NameIdentifier, user.Name),
new Claim(ClaimTypes.Name, user.Email),
new Claim("http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider", user.Email),
new Claim("urn:Custom:UserType", "AnonymousUser")
};
System.Security.Claims.ClaimsIdentity oAuthIdentity = new System.Security.Claims.ClaimsIdentity(claims, "JWT"); // await user.GenerateUserIdentityAsync(userManager, "JWT");
var ticket = new AuthenticationTicket(oAuthIdentity, null);
context.Validated(ticket);
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
// Try get the useraccount by provided username
var userAccount = _uow.UserAccountRepository.Get(context.UserName);
// If the useraccount was not found, reject the token request
if (userAccount == null)
{
context.Rejected();
return;
}
// If password is invalid, reject the token request
if (!PasswordHelper.Verify(userAccount.Password, userAccount.Salt, context.Password))
{
context.Rejected();
return;
}
// Create identity which will be included in the token
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
// All claims added here will be written to the token. Thus claims should
// be added with moderation
identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
identity.AddClaim(new Claim(ClaimTypes.Role, "administrator"));
// Validate the reqeust and return a token
context.Validated(identity);
}
internal static IEnumerable<string> GetUniqueIdentifierParameters(ClaimsIdentity claimsIdentity)
{
var nameIdentifierClaim = claimsIdentity.FindFirst(claim =>
String.Equals(ClaimTypes.NameIdentifier,
claim.Type, StringComparison.Ordinal));
if (nameIdentifierClaim != null && !string.IsNullOrEmpty(nameIdentifierClaim.Value))
{
return new string[]
{
ClaimTypes.NameIdentifier,
nameIdentifierClaim.Value
};
}
// We Do not understand this claimsIdentity, fallback on serializing the entire claims Identity.
var claims = claimsIdentity.Claims.ToList();
claims.Sort((a, b) => string.Compare(a.Type, b.Type, StringComparison.Ordinal));
var identifierParameters = new List<string>();
foreach (var claim in claims)
{
identifierParameters.Add(claim.Type);
identifierParameters.Add(claim.Value);
}
return identifierParameters;
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
var user = userRepository.Get(w => w.UserName == context.UserName && w.Password == context.Password);
//var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();
//ApplicationUser user = await userManager.FindAsync(context.UserName, context.Password);
if (user == null)
{
context.SetError("invalid_grant", "The user name or password is incorrect.");
return;
}
ClaimsIdentity oAuthIdentity = new ClaimsIdentity(context.Options.AuthenticationType);
ClaimsIdentity cookiesIdentity = new ClaimsIdentity(context.Options.AuthenticationType);
oAuthIdentity.AddClaim(new Claim(ClaimTypes.Name, user.UserName));
if (user.Roles.Count() > 0)
{
oAuthIdentity.AddClaim(new Claim(ClaimTypes.Role, user.Roles.FirstOrDefault().Name));
}
//ClaimsIdentity oAuthIdentity = await user.GenerateUserIdentityAsync(userManager,
// OAuthDefaults.AuthenticationType);
//ClaimsIdentity cookiesIdentity = await user.GenerateUserIdentityAsync(userManager,
// CookieAuthenticationDefaults.AuthenticationType);
AuthenticationProperties properties = CreateProperties(user.UserName);
AuthenticationTicket ticket = new AuthenticationTicket(oAuthIdentity, properties);
context.Validated(ticket);
context.Request.Context.Authentication.SignIn(cookiesIdentity);
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
List<string> roles = new List<string>();
IdentityUser user = new IdentityUser();
using (AuthRepository _repo = new AuthRepository())
{
user = await _repo.FindUser(context.UserName, context.Password);
if (user == null)
{
context.SetError("invalid_grant", "Потребителското име или паролата не са верни.");
return;
}
else
{
roles = await _repo.GetRolesForUser(user.Id);
}
}
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
identity.AddClaim(new Claim("sub", context.UserName));
foreach (var item in roles)
{
identity.AddClaim(new Claim(ClaimTypes.Role, item));
}
context.Validated(identity);
context.Response.Headers.Add("UserRoles", roles.ToArray());
}
public ClaimsIdentity ProcessClientCertificate(X509Certificate2 cert, string ipAddress)
{
using (var per = PersistenceFactory())
{
var hash = cert.GetCertHash();
var client = per.ClientGetByCertificateHash(hash);
// not found? add to pending certificates list
if (client == null)
{
TraceSource.TraceInformation("Pending certificate:\n{0} ({1})", ByteArrayHelper.ByteArrayToString(hash), ipAddress);
per.PendingCertificateAddOrUpdate(hash, ipAddress);
per.Save();
}
// build identity
var identity = new ClaimsIdentity("ClientAuthentication");
identity.AddClaim(new Claim(CertificateHashClaimType, ByteArrayHelper.ByteArrayToString(hash), ClaimValueTypes.HexBinary, ClaimIssuer));
identity.AddClaim(new Claim(IsKnownClaimType, client == null ? "false" : "true", ClaimValueTypes.Boolean, ClaimIssuer)); // known client?
// add details only if authenticated
if (client != null)
{
identity.AddClaim(new Claim(identity.NameClaimType, client.Name, ClaimValueTypes.String, ClaimIssuer)); // nick name
identity.AddClaim(new Claim(ClientIdClaimType, client.Id.ToString(), ClaimValueTypes.Integer, ClaimIssuer)); // ID
identity.AddClaims(client.ClientGroups.Select(group => new Claim(identity.RoleClaimType, group.Id.ToString(), ClaimValueTypes.Integer, ClaimIssuer))); // assigned groups
identity.AddClaims(client.ClientGroups.Select(group => new Claim(RoleNameClaimType, group.Name, ClaimValueTypes.String, ClaimIssuer))); // assigned groups (names - informative)
}
return identity;
}
}
public ActionResult Login(LoginFormViewModel model)
{
if (!ModelState.IsValid)
{
return View();
}
User user = userService.GetByLogin(model.Email, model.Password);
if (user != null)
{
var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Email, user.Email), new Claim(ClaimTypes.Role, user.Role.Naziv) }, "ApplicationCookie");
var ctx = Request.GetOwinContext();
var authManager = ctx.Authentication;
authManager.SignOut("ApplicationCookie");
Session.Clear();
authManager.SignIn(identity);
Session.Add(Constants.User,user);
return RedirectToAction("Index", "Home");
}
ModelState.AddModelError("", "Greska");
return View();
}
public ActionResult LoginIndex(LoginModel log, string ReturnURL = "")
{
if (!ModelState.IsValid)
{
return(View(log));
}
var user = BOSSDB.Accounts.Where(a => a.Username == log.username && a.IsLock == false).FirstOrDefault();
if (user != null)
{
var validate = PasswordHash.PasswordHash.ValidatePassword(log.password, user.Password);
if (validate == true)
{
var identity = new System.Security.Claims.ClaimsIdentity(new[] { new Claim(ClaimTypes.Authentication, user.AccountID.ToString()) }, DefaultAuthenticationTypes.ApplicationCookie);
Authentication.SignIn(new AuthenticationProperties(), identity);
var ActionName = "Index";
var ControllerName = "Home";
return(RedirectToAction(ActionName, ControllerName));
}
else
{
return(View());
}
}
else
{
return(View());
}
}
public virtual async Task<ClaimsIdentity> GenerateUserIdentityAsync(UserManager<IdentityUser> manager, ClaimsIdentity ext = null)
{
// Observe que o authenticationType precisa ser o mesmo que foi definido em CookieAuthenticationOptions.AuthenticationType
var userIdentity = await manager.CreateIdentityAsync(this, DefaultAuthenticationTypes.ApplicationCookie);
var claims = new List<Claim>();
if (!string.IsNullOrEmpty(CurrentClientId))
{
claims.Add(new Claim("AspNet.Identity.ClientId", CurrentClientId));
}
// Adicione novos Claims aqui //
// Adicionando Claims externos capturados no login
if (ext != null)
{
await SetExternalProperties(userIdentity, ext);
}
// Gerenciamento de Claims para informaçoes do usuario
//claims.Add(new Claim("AdmRoles", "True"));
userIdentity.AddClaims(claims);
return userIdentity;
}
protected override void Initialize(RequestContext requestContext)
{
base.Initialize(requestContext);
if (Request.Cookies["lang"] == null)
{
var value = Request.Cookies["lang"].Value;
Thread.CurrentThread.CurrentCulture = new CultureInfo(value);
Thread.CurrentThread.CurrentUICulture = new CultureInfo(value);
}
if (Request.Cookies["access_token"] != null)
{
var value = Request.Cookies["access_token"].Value;
if (!string.IsNullOrEmpty(value))
{
var jwtToken = new JwtSecurityToken(value);
var claims = jwtToken.Claims;
ClaimsIdentity claim = new ClaimsIdentity(claims);
var cp = new ClaimsPrincipal(claim);
var transformer = new ClaimsAuthenticationManager();
var newPrincipal = transformer.Authenticate(string.Empty, cp);
Thread.CurrentPrincipal = newPrincipal;
HttpContext.User = newPrincipal;
}
}
}
public ActionResult Login(LoginModel model, string returnUrl)
{
if (model.UserName != model.Password) return View();
var claims = new List<Claim>
{
new Claim(ClaimTypes.Name, model.UserName),
new Claim(ClaimTypes.Email, "*****@*****.**"),
new Claim(ClaimTypes.Role, "Administrator"),
new Claim("Data", "Read"),
};
var id = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationType);
var authenticationManager = Request.GetOwinContext().Authentication;
var authProperties = new AuthenticationProperties { IsPersistent = true };
authenticationManager.SignIn(authProperties, id);
if (Url.IsLocalUrl(returnUrl))
{
return Redirect(returnUrl);
}
return RedirectToAction("Index", "Home");
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
using (AuthRepository _repo = new AuthRepository())
{
IdentityUser user = await _repo.FindUser(context.UserName, context.Password);
if (user == null)
{
context.SetError("invalid_grant", "The user name or password is incorrect.");
return;
}
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
identity.AddClaim(new Claim(ClaimTypes.Name, user.UserName));
var roles = await _repo.FindUserRoles(user.Id);
foreach (var r in roles)
{
identity.AddClaim(new Claim(ClaimTypes.Role, r));
}
//identity.AddClaim(new Claim("sub", context.UserName));
context.Validated(identity);
}
}
/// <summary>
/// Initializes an instance of <see cref="Claim"/> using a <see cref="BinaryReader"/>.
/// Normally the <see cref="BinaryReader"/> is constructed using the bytes from <see cref="WriteTo(BinaryWriter)"/> and initialized in the same way as the <see cref="BinaryWriter"/>.
/// </summary>
/// <param name="reader">a <see cref="BinaryReader"/> pointing to a <see cref="Claim"/>.</param>
/// <param name="subject"> the value for <see cref="Claim.Subject"/>, which is the <see cref="ClaimsIdentity"/> that has these claims.</param>
/// <exception cref="ArgumentNullException">if 'reader' is null.</exception>
public Claim(BinaryReader reader, ClaimsIdentity subject)
{
if (reader == null)
throw new ArgumentNullException("reader");
Initialize(reader, subject);
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
// Allow CORS on the token middleware provider
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
//TODO
// Usually this would be done via dependency injection
// But I haven't got it to work with the OWIN startup class yet
AppDBContext _ctx = new AppDBContext();
UserRepository _repo = new UserRepository(_ctx);
IdentityUser user = await _repo.FindUser(context.UserName, context.Password);
if (user == null)
{
context.SetError("invalid_grant", "The user name or password is incorrect.");
return;
}
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
identity.AddClaim(new Claim("sub", context.UserName));
identity.AddClaim(new Claim("role", "user"));
context.Validated(identity);
}
public static T GetClaimsValue <T>(this System.Security.Claims.ClaimsIdentity claimsIdentity, string claimType)
{
Type underlyingType = typeof(T);
var value = claimsIdentity.Claims.Where(c => c.Type == claimType)
.Select(c => Convert.ChangeType(c.Value, underlyingType)).SingleOrDefault();
var objType = value.GetType();
return((T)value);
}
public ActionResult About()
{
System.Security.Claims.ClaimsIdentity claimsIdentity = System.Web.HttpContext.Current.User.Identity as System.Security.Claims.ClaimsIdentity;
foreach (Claim claim in claimsIdentity.Claims)
{
ViewBag.Message = ViewBag.Message + claim.Type + ":" + claim.Value;
}
// ViewBag.Message = "Your app description page.";
return(View());
}
public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
var svc = context.OwinContext.Environment.GetUserAccountService <UserAccount>();
var user = svc.GetByUsername("users", context.UserName);
var claims = user.GetAllClaims();
var id = new System.Security.Claims.ClaimsIdentity(claims, "MembershipReboot");
context.Validated(id);
return(base.GrantResourceOwnerCredentials(context));
}
private void SignIn(Nalozi account)
{
try
{
ApplicationUser user = new ApplicationUser();
user.nalogId = account.Id;
user.Email = account.Email;
AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
List <Claim> claims = new List <Claim>();
Claim nalogId = new Claim("nalogId", user.nalogId.ToString());
claims.Add(nalogId);
Claim schemaUsername = new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", user.Email);
claims.Add(schemaUsername);
Claim schemaUserId = new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", user.nalogId.ToString());
claims.Add(schemaUserId);
Claim schemaApp = new Claim("http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider", "Plivacki Centar NERETVA");
claims.Add(schemaApp);
ClaimsIdentity identity = new System.Security.Claims.ClaimsIdentity(claims, DefaultAuthenticationTypes.ApplicationCookie, ClaimTypes.Name, ClaimTypes.Role);
AuthenticationManager.SignIn(identity);
Session["current-account-name"] = account.Ime + " " + account.Prezime;
if (account.IsAdministrator)
{
Session["current-account-role"] = "admin";
}
else if (account.IsPlivac)
{
Session["current-account-role"] = "plivac";
}
else if (account.IsRekreativac)
{
Session["current-account-role"] = "rekreativac";
}
else if (account.IsTrener)
{
Session["current-account-role"] = "trener";
}
}
catch (Exception)
{
RedirectToAction("LogOff", "guest");
}
}
protected Task <IPrincipal> AuthenticateJwtToken(string token)
{
List <System.Security.Claims.Claim> userClaims;
if (ValidateToken(token, out userClaims))
{
var identity = new System.Security.Claims.ClaimsIdentity(userClaims, "Jwt");
IPrincipal user = new System.Security.Claims.ClaimsPrincipal(identity);
return(Task.FromResult(user));
}
return(Task.FromResult <IPrincipal>(null));
}
private void SetClaimsIdentity(string userName)
{
var claims = new System.Security.Claims.Claim[]
{
new System.Security.Claims.Claim(System.Security.Claims.ClaimTypes.NameIdentifier, userName)
};
ClaimsIdentity id = new System.Security.Claims.ClaimsIdentity(claims, "Forms");
ClaimsPrincipal cp = new System.Security.Claims.ClaimsPrincipal(id);
SessionSecurityToken token = new SessionSecurityToken(cp);
FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(token);
}
protected override Task <AuthenticateResult> HandleAuthenticateAsync()
{
Task <AuthenticateResult> rtnTask = Task <AuthenticateResult> .Factory.StartNew(() =>
{
NoAuthIdentity noauthIdentity = new NoAuthIdentity();
System.Security.Claims.ClaimsIdentity ci = new System.Security.Claims.ClaimsIdentity();
System.Security.Principal.GenericIdentity gi = new System.Security.Principal.GenericIdentity("NoUser");
System.Security.Claims.ClaimsPrincipal p = new System.Security.Claims.ClaimsPrincipal(noauthIdentity);
AuthenticationTicket ticket = new AuthenticationTicket(p, "NoAuthScheme");
return(AuthenticateResult.Success(ticket));
});
return(rtnTask);
}
private void SignIn(User user)
{
List <Claim> claims = new List <Claim> {
new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", user.Username),
new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", user.Id.ToString()),
new Claim("http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider", "Surveys")
};
ClaimsIdentity identity = new System.Security.Claims.ClaimsIdentity(claims, DefaultAuthenticationTypes.ApplicationCookie, ClaimTypes.Name, ClaimTypes.Role);
HttpContext.GetOwinContext().Authentication.SignIn(new AuthenticationProperties()
{
IsPersistent = true
}, identity);
}
private static System.Security.Claims.ClaimsIdentity SetClaimsIdentity(OAuthGrantResourceOwnerCredentialsContext context, IdentityUser user)
{
var identity = new System.Security.Claims.ClaimsIdentity();
identity.AddClaim(new System.Security.Claims.Claim(System.Security.Claims.ClaimTypes.Name, context.UserName));
identity.AddClaim(new System.Security.Claims.Claim("sub", context.UserName));
var userRoles = context.OwinContext.Get <BookUserManager>().GetRoles(user.Id);
foreach (var role in userRoles)
{
identity.AddClaim(new System.Security.Claims.Claim(System.Security.Claims.ClaimTypes.Role, role));
}
return(identity);
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
var identity = new System.Security.Claims.ClaimsIdentity(context.Options.AuthenticationType);
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
using (var db = new TestModel())
{
if (db != null)
{
IQueryable <USER_MASTER> rtn = from temp in db.USER_MASTER select temp;
var user = rtn.ToList();
//var empl = db.Employees.ToList();
//var user = db.USER_MASTER;
if (user != null)
{
if (!string.IsNullOrEmpty(user.Where(u => u.Email == context.UserName && u.Password == context.Password).FirstOrDefault().Email))
{
identity.AddClaim(new Claim("Age", "16"));
var props = new AuthenticationProperties(new Dictionary <string, string>
{
{
"userdisplayname", context.UserName
},
{
"role", "admin"
}
});
var ticket = new AuthenticationTicket(identity, props);
context.Validated(ticket);
}
else
{
context.SetError("invalid_grant", "Provided username and password is incorrect");
context.Rejected();
}
}
}
else
{
context.SetError("invalid_grant", "Provided username and password is incorrect");
context.Rejected();
}
return;
}
}
public ActionResult ClientInfo()
{
ClientInfoViewModel model = new ClientInfoViewModel();
StringBuilder msg = new StringBuilder();
try
{
if (!Request.IsAuthenticated)
{
msg.AppendLine("Request not authenticated");
}
var user = this.User;
var claimsPrincipal = user as SSC.ClaimsPrincipal;
if (claimsPrincipal != null)
{
SSC.ClaimsIdentity claimsIdentity = claimsPrincipal.Identity as SSC.ClaimsIdentity;
if (claimsIdentity != null)
{
int claimNum = 1;
foreach (SSC.Claim claim in claimsIdentity.Claims)
{
model.ClientInfo.Add(new InfoItem
{
Name = string.Format("Claim {0}", claimNum),
Value = string.Format("Issuer: \"{1}\" {0}OriginalIssuer: \"{2}\" {0}Properties.Count: \"{3}\" {0}Subject: \"{4}\" {0}Type: \"{5}\" {0}ValueType: \"{6}\" {0}Value: \"{7}\" {0}",
Environment.NewLine,
claim.Issuer,
claim.OriginalIssuer,
claim.Properties.Count,
claim.Subject,
claim.Type,
claim.ValueType,
claim.Value)
});
claimNum++;
}
}
}
}
catch (Exception ex)
{
ReportException(ex, msg);
}
model.Message = msg.ToString();
return(View(model));
}
/// <summary>
/// Used to get updated claims information on the username.
/// Can be used when an action is denyed by attempting to check if updated claim will allow the action.
/// You may also choose a frequency to check for updated claims on the client side.
/// </summary>
/// <param name="userName"></param>
/// <returns></returns>
public ClaimsIdentity GetClaimsIdentity(string userName, string sharedClientKey)
{
// Ensure the clients are certified.
if (sharedClientKey != Sahara.Core.Platform.Requests.RequestManager.SharedClientKey)
{
return(null);
}
var accountUserIdentity = AccountUserManager.GetUserIdentity(userName);
System.Security.Claims.ClaimsIdentity identity = AccountUserManager.GetUserClaimsIdentity(
accountUserIdentity,
DefaultAuthenticationTypes.ApplicationCookie); //<-- Uses a cookie for the local web application
return(identity);
}
public async Task <IActionResult> PcoLoginCallback(string code)
{
var redirectUrl = this.Url.Action("PcoLoginCallback", "Home", null, "https");
var client = new System.Net.Http.HttpClient();
var tokenRequest = new
{
grant_type = "authorization_code",
code = code,
client_id = _pcoApp.ClientID,
client_secret = _pcoApp.ClientSecret,
redirect_uri = redirectUrl
};
var tokenRequestJson = Newtonsoft.Json.JsonConvert.SerializeObject(tokenRequest);
var callbackResponse = await client.PostAsync(_pcoAuthOptions.AuthTokenUrl, new StringContent(tokenRequestJson, System.Text.Encoding.UTF8, "application/json"));
var token = await callbackResponse.Content.ReadJsonAsync <PcoAuthTokenResponse>();
var pcoClient = new PcoApiClient.PcoApiClient(client, new PcoApiOptions()
{
AuthenticationMethod = "Bearer",
Password = token.AccessToken
});
var myInfo = await pcoClient.Get <PcoPeoplePerson>("people/v2/me");
var ident = new System.Security.Claims.ClaimsIdentity("PCO");
ident.AddClaim(new Claim(ClaimTypes.NameIdentifier, myInfo.Data.ID));
ident.AddClaim(new Claim(ClaimTypes.Name, myInfo.Data.Attributes.Name));
ident.AddClaim(new Claim(ClaimsExtensions.OrganizationID, myInfo.Meta.Parent.ID.ToString()));
ident.AddClaim(new Claim(ClaimsExtensions.AccessToken, token.AccessToken));
ident.AddClaim(new Claim(ClaimsExtensions.RefreshToken, token.RefreshToken));
var principal = new System.Security.Claims.ClaimsPrincipal(ident);
await this.HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, principal, new AuthenticationProperties()
{
ExpiresUtc = DateTimeOffset.UtcNow.AddHours(1),
AllowRefresh = true,
IsPersistent = true
});
return(RedirectToAction("Index"));
}
/// <summary>
/// Get loggedon user groups that contain 'key' and display name from AD.
/// </summary>
/// <param name="key"></param>
/// <param name="claimsIdentity"></param>
/// <returns></returns>
public static async Task <List <string> > GetGroups(string key, System.Security.Claims.ClaimsIdentity claimsIdentity)
{
List <string> kgroups = new List <string>();
List <string> allgroups = await GetAllGroups(claimsIdentity);
//
kgroups.Add(allgroups[0]); //add the user DisplayName
//
foreach (string s in allgroups)
{
if (s.Contains(key))
{
kgroups.Add(s);
}
}
return(kgroups);
}
private async void SetCookie(PersianNov.DataStructure.Author author)
{
var claims = new List <Claim>
{
new Claim(ClaimTypes.Name, $"{author.FirstName} {author.LastName}"),
new Claim(ClaimTypes.NameIdentifier, author.Username),
new Claim(ClaimTypes.Email, author.Email),
new Claim("Id", author.Id.ToString()),
new Claim(ClaimTypes.Role, "Author"),
};
var claimsIdentity = new System.Security.Claims.ClaimsIdentity(
claims, CookieAuthenticationDefaults.AuthenticationScheme);
var authProperties = new AuthenticationProperties
{
AllowRefresh = true,
// Refreshing the authentication session should be allowed.
ExpiresUtc = DateTimeOffset.UtcNow.AddMinutes(20),
// The time at which the authentication ticket expires. A
// value set here overrides the ExpireTimeSpan option of
// CookieAuthenticationOptions set with AddCookie.
//IsPersistent = true,
// Whether the authentication session is persisted across
// multiple requests. When used with cookies, controls
// whether the cookie's lifetime is absolute (matching the
// lifetime of the authentication ticket) or session-based.
//IssuedUtc = <DateTimeOffset>,
// The time at which the authentication ticket was issued.
//RedirectUri = <string>
// The full path or absolute URI to be used as an http
// redirect response value.
};
await HttpContext.SignInAsync(
CookieAuthenticationDefaults.AuthenticationScheme,
new ClaimsPrincipal(claimsIdentity),
authProperties);
}
/// <summary>
/// Get all loggedon user groups and display name from AD.
/// </summary>
/// <param name="key"></param>
/// <param name="dn"></param>
/// <returns></returns>
public static async Task <List <string> > GetAllGroups(System.Security.Claims.ClaimsIdentity claimsIdentity)
{
List <string> lgroups = new List <string>();
ObjectCache cache = MemoryCache.Default;
var cacheKey = GetCacheKey(claimsIdentity);
// If the claims identity is not populated, return an empty list
if (String.IsNullOrEmpty(cacheKey))
{
return(lgroups);
}
// If the claims identity is populated and already in the cache, just return the cached list
if (cache.Contains(cacheKey))
{
return(cache.Get(cacheKey) as List <string>);
}
// If the claims identity is populated and NOT in the cache, call the Graph API and populate the cache
try
{
MSGraphClient msGraphClient = new MSGraphClient(
ConfigHelper.Authority,
new ADALTokenCache(claimsIdentity.FindFirst("oid")?.Value));
System.Collections.Generic.IList <Group> groups = await msGraphClient.GetCurrentUserGroupsAsync();
var groupNameList = await GetGroupNameList(groups);
return(cache.AddOrGetExisting(cacheKey, groupNameList, _CacheItemPolicy) as List <string>);
}
catch (AdalException ex)
{
//TODO: error handling
return(new List <string>());
}
catch (Exception ex)
{
//TODO: error handling
return(new List <string>());
}
}
public static AuthResult GetAuth <TKey>(System.Security.Claims.ClaimsIdentity claim, IUserDevice <TKey> model)
{
var now = DateTime.Now;
var jwt = new JwtSecurityToken(
issuer: AuthOption.ISSUER,
audience: AuthOption.AUDINECE,
notBefore: now,
claims: claim.Claims,
expires: now.Add(TimeSpan.FromMinutes(AuthOption.LifeTime)),
signingCredentials: new SigningCredentials(State.GetSecurityKey(), SecurityAlgorithms.HmacSha256));
var encodedJwt = new JwtSecurityTokenHandler().WriteToken(jwt);
AuthResult result = new AuthResult()
{
AccessToken = encodedJwt,
RefreshToken = ComputeSha256Hash(now.ToLongDateString() + now.ToLongTimeString() + RepositoryRule.State.State.RandomString(6)),
AccessTime = now,
};
return(result);
}
public static AppClaim ParseClaim(this System.Security.Claims.ClaimsIdentity claimsIdentity)
{
var appClaim = new AppClaim
{
UserId = claimsIdentity.GetSpecificClaim("UserId"),
UserTypeId = Convert.ToString(claimsIdentity.GetSpecificClaim("UserTypeId")),
CustomerId = claimsIdentity.GetSpecificClaim("CustomerId"),
AccountId = Convert.ToString(claimsIdentity.GetSpecificClaim("AccountId")),
PersonalCode = claimsIdentity.GetSpecificClaim("PersonalCode"),
Email = Convert.ToString(claimsIdentity.GetSpecificClaim("Email"))
};
//appClaim.SubscriptionId = claimsIdentity.GetSpecificClaim("SubscriptionId");
//if (appClaim.SubscriptionId.IsNotNullOrEmpty())
//{
// appClaim.DBName = claimsIdentity.GetSpecificClaim("DBName");
// appClaim.DBUserId = claimsIdentity.GetSpecificClaim("DBUserId");
// appClaim.DBUserPassword = claimsIdentity.GetSpecificClaim("DBUserPassword");
//}
return(appClaim);
}
private void SignInAsync(User user, bool isPersistent)
{
AuthenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie);
List <System.Security.Claims.Claim> claims = new List <System.Security.Claims.Claim>();
claims.Add(new System.Security.Claims.Claim(ClaimTypes.Name, String.IsNullOrEmpty(user.Name) ? user.UserName : user.Name)); //user.Name from my database
claims.Add(new System.Security.Claims.Claim(ClaimTypes.NameIdentifier, user.UserId)); //user.Id from my database
claims.Add(new System.Security.Claims.Claim("http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider", "MyApplication"));
if (!String.IsNullOrEmpty(user.FirstName))
{
claims.Add(new System.Security.Claims.Claim("FirstName", user.FirstName)); //user.FirstName from my database
}
foreach (var role in user.Roles)
{
claims.Add(new System.Security.Claims.Claim(ClaimTypes.Role, role));
}
System.Security.Claims.ClaimsIdentity identity = new System.Security.Claims.ClaimsIdentity(claims, DefaultAuthenticationTypes.ApplicationCookie, ClaimTypes.Name, ClaimTypes.Role);
AuthenticationManager.SignIn(new AuthenticationProperties()
{
IsPersistent = isPersistent
}, identity);
}
public async Task SignIn(User user)
{
var identity = new System.Security.Claims.ClaimsIdentity(CookieAuthenticationDefaults.AuthenticationScheme);
identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.UserID.ToString()));
identity.AddClaim(new Claim(ClaimTypes.Name, user.FirstName));
identity.AddClaim(new Claim(ClaimTypes.Email, user.Email));
identity.AddClaim(new Claim(ClaimTypes.Role, user.Role.ToString()));
var principal = new ClaimsPrincipal(identity);
var authProperties = new AuthenticationProperties
{
AllowRefresh = true,
ExpiresUtc = DateTimeOffset.UtcNow.AddMinutes(60),
IsPersistent = true,
IssuedUtc = DateTimeOffset.UtcNow
};
await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, principal, authProperties);
//WebUser.SetUser(user);
}
/// <summary>
/// This static method is setup as a delegate in Startup.Auth and will be called each time a userIdentity is created
/// </summary>
/// <param name="userIdentity">the ClaimsIdentity created from CRM</param>
/// <param name="manager">the user manager used to add claims in the CRM storage</param>
public static async Task AddCustomUserClaims(System.Security.Claims.ClaimsIdentity userIdentity, UserManager <CrmIdentityUser <string>, string> manager)
{
// Here you can add your custom claims to the userIdentity
// Below is an example of how to add a custom claim:
// Check if the customClaim has been retrieved from CRM storage
if (!userIdentity.HasClaim("MyClaimType", "MyClaimValue"))
{
// Add the claim to the CRM Claim storage
System.Security.Claims.Claim customClaim = new Claim("MyClaimType", "MyClaimValue");
IdentityResult result = await manager.AddClaimAsync(userIdentity.GetUserId(), customClaim);
// If all goes well, add the claim to the userIdentity. Next time the user logs in
if (result.Succeeded)
{
userIdentity.AddClaim(customClaim);
}
else
{
// Handle the error
}
}
}
public JsonResult Escoger(int AgenciaId)
{
try {
var authenticationManager = HttpContext.GetOwinContext().Authentication;
var identity = new System.Security.Claims.ClaimsIdentity(User.Identity);
var Claim = identity.FindFirst(Lib.DataFilters.MustHaveAgencyParam);
if (Claim != null)
{
identity.RemoveClaim(identity.FindFirst(Lib.DataFilters.MustHaveAgencyParam));
}
identity.AddClaim(new System.Security.Claims.Claim(Lib.DataFilters.MustHaveAgencyParam, AgenciaId.ToString()));
authenticationManager.AuthenticationResponseGrant =
new AuthenticationResponseGrant(
new ClaimsPrincipal(identity),
new AuthenticationProperties {
IsPersistent = true
}
);
return(Json(new { success = true }));
} catch (Exception ex) {
return(Json(new { success = false, errors = ex.Message }));
}
}
public async Task <IActionResult> LoginAsync(string username, string password)
{
List <Claim> claims = new List <Claim>()
{
new Claim(ClaimTypes.Name, username),
new Claim(ClaimTypes.Role, "admin")
};
string scheme = Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationDefaults.AuthenticationScheme;
ClaimsIdentity claimIden = new System.Security.Claims.ClaimsIdentity(claims, scheme, ClaimTypes.Name, ClaimTypes.Role);
ClaimsPrincipal claimsPrinc = new ClaimsPrincipal(claimIden);
Microsoft.AspNetCore.Authentication.AuthenticationProperties authProps = new Microsoft.AspNetCore.Authentication.AuthenticationProperties {
//RedirectUri = "",
IsPersistent = true
};
_log.LogWarning($"Logging In User: {username}");
await HttpContext.SignInAsync(scheme, claimsPrinc);
return(Json("ok"));
}
