/// <summary>
/// Retrieves an S2S access token signed by the application's private certificate on
/// behalf of the specified Claims Identity and intended for application at the targetApplicationUri using the
/// targetRealm. If no Realm is specified in web.config, an auth challenge will be issued to the
/// targetApplicationUri to discover it.
/// </summary>
/// <param name="targetApplicationUri">Url of the target SharePoint site</param>
/// <param name="identity">Identity of the user on whose behalf to create the access token; use HttpContext.Current.User</param>
/// <param name="UserIdentityClaimType">The claim type that is used as the identity claim for the user</param>
/// <param name="IdentityClaimProviderType">The type of identity provider being used</param>
/// <param name="UseAppOnlyClaim">Use an App Only claim</param>
/// <returns></returns>
public static string GetS2SClaimsAccessTokenWithClaims(
Uri targetApplicationUri,
ClaimsIdentity identity,
IdentityClaimType UserIdentityClaimType,
ClaimProviderType IdentityClaimProviderType,
bool UseAppOnlyClaim)
{
//get the identity claim info first
ClaimsUserIdClaim id = null;
if (IdentityClaimProviderType == ClaimProviderType.SAML)
{
id = RetrieveIdentityForSamlClaimsUser(identity, UserIdentityClaimType);
}
else
{
id = RetrieveIdentityForFbaClaimsUser(identity, UserIdentityClaimType);
}
var realm = string.IsNullOrEmpty(Realm) ? GetRealmFromTargetUrl(targetApplicationUri) : Realm;
var claims = identity != null
? GetClaimsWithClaimsIdentity(identity, UserIdentityClaimType, id, IdentityClaimProviderType).ToList()
: null;
if (claims != null)
{
var roleClaim = GetJwtRoleClaims(identity);
claims.Add(roleClaim);
}
return(IssueToken(
ClientId,
IssuerId,
realm,
SharePointPrincipal,
realm,
targetApplicationUri.Authority,
true,
claims,
UseAppOnlyClaim,
id.ClaimsIdClaimType != CLAIMS_ID_TYPE_UPN,
id.ClaimsIdClaimType,
id.ClaimsIdClaimValue));
}
/// <summary>
/// Retrieves an S2S client context with an access token signed by the application's private certificate on
/// behalf of the specified Claims Identity and intended for application at the targetApplicationUri using the
/// targetRealm. If no Realm is specified in web.config, an auth challenge will be issued to the
/// targetApplicationUri to discover it.
/// </summary>
/// <param name="targetApplicationUri">Url of the target SharePoint site</param>
/// <param name="identity">Identity of the user on whose behalf to create the access token; use HttpContext.Current.User</param>
/// <param name="UserIdentityClaimType">The claim type that is used as the identity claim for the user</param>
/// <param name="IdentityClaimProviderType">The type of identity provider being used</param>
/// <param name="UseAppOnlyClaim">Use an App Only claim</param>
/// <returns>A ClientContext using an access token with an audience of the target application</returns>
public static ClientContext GetS2SClientContextWithClaimsIdentity(
Uri targetApplicationUri,
ClaimsIdentity identity,
IdentityClaimType UserIdentityClaimType,
ClaimProviderType IdentityClaimProviderType,
bool UseAppOnlyClaim)
{
string realm = string.IsNullOrEmpty(Realm) ? GetRealmFromTargetUrl(targetApplicationUri) : Realm;
string accessToken = GetS2SClaimsAccessTokenWithClaims(
targetApplicationUri,
identity,
UserIdentityClaimType,
IdentityClaimProviderType,
UseAppOnlyClaim);
return(GetClientContextWithAccessToken(targetApplicationUri.ToString(), accessToken));
}
private static JsonWebTokenClaim[] GetClaimsWithClaimsIdentity(ClaimsIdentity indentity, IdentityClaimType SamlIdentityClaimType, TokenHelper.ClaimsUserIdClaim id, ClaimProviderType IdentityClaimProviderType)
{
//if an identity claim was not found, then exit
if (string.IsNullOrEmpty(id.ClaimsIdClaimValue))
{
return(null);
}
Hashtable claimSet = new Hashtable();
//you always need nii claim, so add that
claimSet.Add("nii", "temp");
//set up the nii claim and then add the smtp or sip claim separately
if (IdentityClaimProviderType == ClaimProviderType.SAML)
{
claimSet["nii"] = "trusted:" + TrustedProviderName.ToLower(); //was urn:office:idp:trusted:, but this does not seem to align with what SPIdentityClaimMapper uses
}
else
{
claimSet["nii"] = "urn:office:idp:forms:" + MembershipProviderName.ToLower();
}
//plug in UPN claim if we're using that
if (id.ClaimsIdClaimType == CLAIMS_ID_TYPE_UPN)
{
claimSet.Add("upn", id.ClaimsIdClaimValue.ToLower());
}
//now create the JsonWebTokenClaim array
List <JsonWebTokenClaim> claimList = new List <JsonWebTokenClaim>();
foreach (string key in claimSet.Keys)
{
claimList.Add(new JsonWebTokenClaim(key, (string)claimSet[key]));
}
return(claimList.ToArray());
}
private static JsonWebTokenClaim[] GetClaimsWithClaimsIdentity(ClaimsIdentity indentity, IdentityClaimType SamlIdentityClaimType, TokenHelper.ClaimsUserIdClaim id, ClaimProviderType IdentityClaimProviderType)
{
//if an identity claim was not found, then exit
if (string.IsNullOrEmpty(id.ClaimsIdClaimValue))
return null;
Hashtable claimSet = new Hashtable();
//you always need nii claim, so add that
claimSet.Add("nii", "temp");
//set up the nii claim and then add the smtp or sip claim separately
if (IdentityClaimProviderType == ClaimProviderType.SAML)
claimSet["nii"] = "trusted:" + TrustedProviderName.ToLower(); //was urn:office:idp:trusted:, but this does not seem to align with what SPIdentityClaimMapper uses
else
claimSet["nii"] = "urn:office:idp:forms:" + MembershipProviderName.ToLower();
//plug in UPN claim if we're using that
if (id.ClaimsIdClaimType == CLAIMS_ID_TYPE_UPN)
claimSet.Add("upn", id.ClaimsIdClaimValue.ToLower());
//now create the JsonWebTokenClaim array
List<JsonWebTokenClaim> claimList = new List<JsonWebTokenClaim>();
foreach (string key in claimSet.Keys)
{
claimList.Add(new JsonWebTokenClaim(key, (string)claimSet[key]));
}
return claimList.ToArray();
}
/// <summary>
/// Retrieves an S2S client context with an access token signed by the application's private certificate on
/// behalf of the specified Claims Identity and intended for application at the targetApplicationUri using the
/// targetRealm. If no Realm is specified in web.config, an auth challenge will be issued to the
/// targetApplicationUri to discover it.
/// </summary>
/// <param name="targetApplicationUri">Url of the target SharePoint site</param>
/// <param name="identity">Identity of the user on whose behalf to create the access token; use HttpContext.Current.User</param>
/// <param name="UserIdentityClaimType">The claim type that is used as the identity claim for the user</param>
/// <param name="IdentityClaimProviderType">The type of identity provider being used</param>
/// <param name="UseAppOnlyClaim">Use an App Only claim</param>
/// <returns>A ClientContext using an access token with an audience of the target application</returns>
public static ClientContext GetS2SClientContextWithClaimsIdentity(
Uri targetApplicationUri,
ClaimsIdentity identity,
IdentityClaimType UserIdentityClaimType,
ClaimProviderType IdentityClaimProviderType,
bool UseAppOnlyClaim)
{
string realm = string.IsNullOrEmpty(Realm) ? GetRealmFromTargetUrl(targetApplicationUri) : Realm;
string accessToken = GetS2SClaimsAccessTokenWithClaims(
targetApplicationUri,
identity,
UserIdentityClaimType,
IdentityClaimProviderType,
UseAppOnlyClaim);
return GetClientContextWithAccessToken(targetApplicationUri.ToString(), accessToken);
}
/// <summary>
/// Retrieves an S2S access token signed by the application's private certificate on
/// behalf of the specified Claims Identity and intended for application at the targetApplicationUri using the
/// targetRealm. If no Realm is specified in web.config, an auth challenge will be issued to the
/// targetApplicationUri to discover it.
/// </summary>
/// <param name="targetApplicationUri">Url of the target SharePoint site</param>
/// <param name="identity">Identity of the user on whose behalf to create the access token; use HttpContext.Current.User</param>
/// <param name="UserIdentityClaimType">The claim type that is used as the identity claim for the user</param>
/// <param name="IdentityClaimProviderType">The type of identity provider being used</param>
/// <param name="UseAppOnlyClaim">Use an App Only claim</param>
/// <returns></returns>
public static string GetS2SClaimsAccessTokenWithClaims(
Uri targetApplicationUri,
ClaimsIdentity identity,
IdentityClaimType UserIdentityClaimType,
ClaimProviderType IdentityClaimProviderType,
bool UseAppOnlyClaim)
{
//get the identity claim info first
TokenHelper.ClaimsUserIdClaim id = null;
if (IdentityClaimProviderType == ClaimProviderType.SAML)
id = RetrieveIdentityForSamlClaimsUser(identity, UserIdentityClaimType);
else
{
id = RetrieveIdentityForFbaClaimsUser(identity, UserIdentityClaimType);
}
string realm = string.IsNullOrEmpty(Realm) ? GetRealmFromTargetUrl(targetApplicationUri) : Realm;
JsonWebTokenClaim[] claims = identity != null ? GetClaimsWithClaimsIdentity(identity, UserIdentityClaimType, id, IdentityClaimProviderType) : null;
return IssueToken(
ClientId,
IssuerId,
realm,
SharePointPrincipal,
realm,
targetApplicationUri.Authority,
true,
claims,
UseAppOnlyClaim,
id.ClaimsIdClaimType != CLAIMS_ID_TYPE_UPN,
id.ClaimsIdClaimType,
id.ClaimsIdClaimValue);
}
