/// <summary> /// Retrieves an S2S access token signed by the application's private certificate on /// behalf of the specified Claims Identity and intended for application at the targetApplicationUri using the /// targetRealm. If no Realm is specified in web.config, an auth challenge will be issued to the /// targetApplicationUri to discover it. /// </summary> /// <param name="targetApplicationUri">Url of the target SharePoint site</param> /// <param name="identity">Identity of the user on whose behalf to create the access token; use HttpContext.Current.User</param> /// <param name="UserIdentityClaimType">The claim type that is used as the identity claim for the user</param> /// <param name="IdentityClaimProviderType">The type of identity provider being used</param> /// <param name="UseAppOnlyClaim">Use an App Only claim</param> /// <returns></returns> public static string GetS2SClaimsAccessTokenWithClaims( Uri targetApplicationUri, ClaimsIdentity identity, IdentityClaimType UserIdentityClaimType, ClaimProviderType IdentityClaimProviderType, bool UseAppOnlyClaim) { //get the identity claim info first ClaimsUserIdClaim id = null; if (IdentityClaimProviderType == ClaimProviderType.SAML) { id = RetrieveIdentityForSamlClaimsUser(identity, UserIdentityClaimType); } else { id = RetrieveIdentityForFbaClaimsUser(identity, UserIdentityClaimType); } var realm = string.IsNullOrEmpty(Realm) ? GetRealmFromTargetUrl(targetApplicationUri) : Realm; var claims = identity != null ? GetClaimsWithClaimsIdentity(identity, UserIdentityClaimType, id, IdentityClaimProviderType).ToList() : null; if (claims != null) { var roleClaim = GetJwtRoleClaims(identity); claims.Add(roleClaim); } return(IssueToken( ClientId, IssuerId, realm, SharePointPrincipal, realm, targetApplicationUri.Authority, true, claims, UseAppOnlyClaim, id.ClaimsIdClaimType != CLAIMS_ID_TYPE_UPN, id.ClaimsIdClaimType, id.ClaimsIdClaimValue)); }
/// <summary> /// Retrieves an S2S client context with an access token signed by the application's private certificate on /// behalf of the specified Claims Identity and intended for application at the targetApplicationUri using the /// targetRealm. If no Realm is specified in web.config, an auth challenge will be issued to the /// targetApplicationUri to discover it. /// </summary> /// <param name="targetApplicationUri">Url of the target SharePoint site</param> /// <param name="identity">Identity of the user on whose behalf to create the access token; use HttpContext.Current.User</param> /// <param name="UserIdentityClaimType">The claim type that is used as the identity claim for the user</param> /// <param name="IdentityClaimProviderType">The type of identity provider being used</param> /// <param name="UseAppOnlyClaim">Use an App Only claim</param> /// <returns>A ClientContext using an access token with an audience of the target application</returns> public static ClientContext GetS2SClientContextWithClaimsIdentity( Uri targetApplicationUri, ClaimsIdentity identity, IdentityClaimType UserIdentityClaimType, ClaimProviderType IdentityClaimProviderType, bool UseAppOnlyClaim) { string realm = string.IsNullOrEmpty(Realm) ? GetRealmFromTargetUrl(targetApplicationUri) : Realm; string accessToken = GetS2SClaimsAccessTokenWithClaims( targetApplicationUri, identity, UserIdentityClaimType, IdentityClaimProviderType, UseAppOnlyClaim); return(GetClientContextWithAccessToken(targetApplicationUri.ToString(), accessToken)); }
private static JsonWebTokenClaim[] GetClaimsWithClaimsIdentity(ClaimsIdentity indentity, IdentityClaimType SamlIdentityClaimType, TokenHelper.ClaimsUserIdClaim id, ClaimProviderType IdentityClaimProviderType) { //if an identity claim was not found, then exit if (string.IsNullOrEmpty(id.ClaimsIdClaimValue)) { return(null); } Hashtable claimSet = new Hashtable(); //you always need nii claim, so add that claimSet.Add("nii", "temp"); //set up the nii claim and then add the smtp or sip claim separately if (IdentityClaimProviderType == ClaimProviderType.SAML) { claimSet["nii"] = "trusted:" + TrustedProviderName.ToLower(); //was urn:office:idp:trusted:, but this does not seem to align with what SPIdentityClaimMapper uses } else { claimSet["nii"] = "urn:office:idp:forms:" + MembershipProviderName.ToLower(); } //plug in UPN claim if we're using that if (id.ClaimsIdClaimType == CLAIMS_ID_TYPE_UPN) { claimSet.Add("upn", id.ClaimsIdClaimValue.ToLower()); } //now create the JsonWebTokenClaim array List <JsonWebTokenClaim> claimList = new List <JsonWebTokenClaim>(); foreach (string key in claimSet.Keys) { claimList.Add(new JsonWebTokenClaim(key, (string)claimSet[key])); } return(claimList.ToArray()); }
private static JsonWebTokenClaim[] GetClaimsWithClaimsIdentity(ClaimsIdentity indentity, IdentityClaimType SamlIdentityClaimType, TokenHelper.ClaimsUserIdClaim id, ClaimProviderType IdentityClaimProviderType) { //if an identity claim was not found, then exit if (string.IsNullOrEmpty(id.ClaimsIdClaimValue)) return null; Hashtable claimSet = new Hashtable(); //you always need nii claim, so add that claimSet.Add("nii", "temp"); //set up the nii claim and then add the smtp or sip claim separately if (IdentityClaimProviderType == ClaimProviderType.SAML) claimSet["nii"] = "trusted:" + TrustedProviderName.ToLower(); //was urn:office:idp:trusted:, but this does not seem to align with what SPIdentityClaimMapper uses else claimSet["nii"] = "urn:office:idp:forms:" + MembershipProviderName.ToLower(); //plug in UPN claim if we're using that if (id.ClaimsIdClaimType == CLAIMS_ID_TYPE_UPN) claimSet.Add("upn", id.ClaimsIdClaimValue.ToLower()); //now create the JsonWebTokenClaim array List<JsonWebTokenClaim> claimList = new List<JsonWebTokenClaim>(); foreach (string key in claimSet.Keys) { claimList.Add(new JsonWebTokenClaim(key, (string)claimSet[key])); } return claimList.ToArray(); }
/// <summary> /// Retrieves an S2S client context with an access token signed by the application's private certificate on /// behalf of the specified Claims Identity and intended for application at the targetApplicationUri using the /// targetRealm. If no Realm is specified in web.config, an auth challenge will be issued to the /// targetApplicationUri to discover it. /// </summary> /// <param name="targetApplicationUri">Url of the target SharePoint site</param> /// <param name="identity">Identity of the user on whose behalf to create the access token; use HttpContext.Current.User</param> /// <param name="UserIdentityClaimType">The claim type that is used as the identity claim for the user</param> /// <param name="IdentityClaimProviderType">The type of identity provider being used</param> /// <param name="UseAppOnlyClaim">Use an App Only claim</param> /// <returns>A ClientContext using an access token with an audience of the target application</returns> public static ClientContext GetS2SClientContextWithClaimsIdentity( Uri targetApplicationUri, ClaimsIdentity identity, IdentityClaimType UserIdentityClaimType, ClaimProviderType IdentityClaimProviderType, bool UseAppOnlyClaim) { string realm = string.IsNullOrEmpty(Realm) ? GetRealmFromTargetUrl(targetApplicationUri) : Realm; string accessToken = GetS2SClaimsAccessTokenWithClaims( targetApplicationUri, identity, UserIdentityClaimType, IdentityClaimProviderType, UseAppOnlyClaim); return GetClientContextWithAccessToken(targetApplicationUri.ToString(), accessToken); }
/// <summary> /// Retrieves an S2S access token signed by the application's private certificate on /// behalf of the specified Claims Identity and intended for application at the targetApplicationUri using the /// targetRealm. If no Realm is specified in web.config, an auth challenge will be issued to the /// targetApplicationUri to discover it. /// </summary> /// <param name="targetApplicationUri">Url of the target SharePoint site</param> /// <param name="identity">Identity of the user on whose behalf to create the access token; use HttpContext.Current.User</param> /// <param name="UserIdentityClaimType">The claim type that is used as the identity claim for the user</param> /// <param name="IdentityClaimProviderType">The type of identity provider being used</param> /// <param name="UseAppOnlyClaim">Use an App Only claim</param> /// <returns></returns> public static string GetS2SClaimsAccessTokenWithClaims( Uri targetApplicationUri, ClaimsIdentity identity, IdentityClaimType UserIdentityClaimType, ClaimProviderType IdentityClaimProviderType, bool UseAppOnlyClaim) { //get the identity claim info first TokenHelper.ClaimsUserIdClaim id = null; if (IdentityClaimProviderType == ClaimProviderType.SAML) id = RetrieveIdentityForSamlClaimsUser(identity, UserIdentityClaimType); else { id = RetrieveIdentityForFbaClaimsUser(identity, UserIdentityClaimType); } string realm = string.IsNullOrEmpty(Realm) ? GetRealmFromTargetUrl(targetApplicationUri) : Realm; JsonWebTokenClaim[] claims = identity != null ? GetClaimsWithClaimsIdentity(identity, UserIdentityClaimType, id, IdentityClaimProviderType) : null; return IssueToken( ClientId, IssuerId, realm, SharePointPrincipal, realm, targetApplicationUri.Authority, true, claims, UseAppOnlyClaim, id.ClaimsIdClaimType != CLAIMS_ID_TYPE_UPN, id.ClaimsIdClaimType, id.ClaimsIdClaimValue); }