private static Task RedirectToIdentityProvider( RedirectToIdentityProviderNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> n, TcgOpenIdConnectAuthenticationOptions options ) { // if signing out, add the id_token_hint if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.Logout) { var idTokenHint = n.OwinContext.Authentication.User.FindFirst("id_token"); if (idTokenHint != null) { n.ProtocolMessage.IdTokenHint = idTokenHint.Value; } n.ProtocolMessage.PostLogoutRedirectUri = $"{n.OwinContext.Request.Uri.Scheme}://{n.OwinContext.Request.Uri.Authority}"; //Session.Abandon(); } // Add Tennant specific info to AuthenticationRequest if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.Authentication) { //////TODO: Do something with the state to redirect to the correct URL //n.ProtocolMessage.State = string.Empty; if (n.OwinContext.Authentication.User.Identity.IsAuthenticated) { n.ProtocolMessage.Prompt = "login"; } n.ProtocolMessage.RedirectUri = $"{n.OwinContext.Request.Uri.Scheme}://{n.OwinContext.Request.Uri.Authority}"; string host = n.OwinContext.Request.Uri.Host; string preferredIdp = options.PreferedIdps?.FirstOrDefault(x => string.Equals(host, x.HostName, StringComparison.OrdinalIgnoreCase))?.Idp ?? options.FallbackPreferedIdp; var forceDomain = options.ForceDomains?.FirstOrDefault(x => string.Equals(host, x.HostName, StringComparison.OrdinalIgnoreCase))?.Domain; string loginDomains = null; if (options.LoginDomains != null) { loginDomains = string.Join(";", options.LoginDomains.Select(x => $"#{x.ToString("N")}")); } List <string> acrValues = options.ExtraAcrValues ?? new List <string>(); if (!string.IsNullOrWhiteSpace(preferredIdp)) { acrValues.Add($"idp:{preferredIdp}"); } if (!string.IsNullOrWhiteSpace(loginDomains)) { acrValues.Add($"loginDomains:{loginDomains}"); } if (forceDomain.HasValue) { acrValues.Add($"forceDomain:#{forceDomain.Value.ToString("N")}"); } //string otac = n.OwinContext.Get<string>("otac"); //if (otac != null) { // acrValues.Add($"otac:{otac}"); //} n.ProtocolMessage.AcrValues = string.Join(" ", acrValues); } return(Task.FromResult(0)); }
public static IAppBuilder UseTcgOpenIdConnectAuthentication(this IAppBuilder app, TcgOpenIdConnectAuthenticationOptions options) { if (options == null) { throw new ArgumentNullException(nameof(options)); } var tokenEndpoint = $"{options.Authority}/connect/token"; app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationType = "DomainSecurity STS Cookie", SessionStore = options.SessionStore, CookieHttpOnly = options.CookieHttpOnly, CookieDomain = options.CookieDomain, CookieSecure = options.CookieSecure, CookieSameSite = options.CookieSameSite, CookieManager = new SystemWebCookieManager(), Provider = new CookieAuthenticationProvider { OnValidateIdentity = n => ValidateAccessToken(n, tokenEndpoint, options.ClientId, options.ClientSecret), }, }); app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions { ClientId = options.ClientId, ClientSecret = options.ClientSecret, Authority = options.Authority, AuthenticationMode = options.AuthenticationMode, AuthenticationType = options.AuthenticationType ?? "STS", ResponseType = options.ResponseType, Scope = options.Scope, RedirectUri = options.RedirectUri, PostLogoutRedirectUri = options.PostLogoutRedirectUri, TokenValidationParameters = new TokenValidationParameters { NameClaimType = "idString", RoleClaimType = "role", }, //Do not use the lifetime of the id_token, use the Cookie middleware expiration instead. UseTokenLifetime = false, SignInAsAuthenticationType = "DomainSecurity STS Cookie", Notifications = new OpenIdConnectAuthenticationNotifications { AuthenticationFailed = async n => { if (options.Notifications?.AuthenticationFailed != null) { await options.Notifications?.AuthenticationFailed(n); } }, AuthorizationCodeReceived = async n => { await AuthorizationCodeReceived(n, options.Authority, options.ClientId, options.ClientSecret); if (options.Notifications?.AuthorizationCodeReceived != null) { await options.Notifications?.AuthorizationCodeReceived(n); } }, MessageReceived = async n => { if (options.Notifications != null) { await options.Notifications?.MessageReceived(n); } }, SecurityTokenReceived = async n => { if (options.Notifications?.SecurityTokenReceived != null) { await options.Notifications?.SecurityTokenReceived(n); } }, SecurityTokenValidated = async n => { await SecurityTokenValidated(n, options.Authority); if (options.Notifications?.SecurityTokenValidated != null) { await options.Notifications?.SecurityTokenValidated(n); } }, RedirectToIdentityProvider = async n => { await RedirectToIdentityProvider(n, options); if (options.Notifications?.RedirectToIdentityProvider != null) { await options.Notifications?.RedirectToIdentityProvider(n); } } } }); return(app); }