private void ErrorIfAlreadyAuthenticated(CookieApplyRedirectContext context) { if (context.Request.User.Identity.IsAuthenticated) { context.Response.StatusCode = (int)HttpStatusCode.Forbidden; } }
private static void OnApplyRedirect(CookieApplyRedirectContext context) { if (context.Request.User.Identity.IsAuthenticated) { context.Response.StatusCode = (int)HttpStatusCode.Forbidden; } else { context.Response.Redirect(context.RedirectUri); } }
private void ApplyRedirect(CookieApplyRedirectContext context) { if (!IsAjaxRequest(context.Request)) { var redirectUri = context.RedirectUri; var uri = new Uri(redirectUri); UrlHelper _url = new UrlHelper(HttpContext.Current.Request.RequestContext); string actionUri = string.Format("{0}{1}", _url.RouteUrl("AccountLogin"), uri.Query); context.Response.Redirect(actionUri); } }
private static void ApplyRedirect(CookieApplyRedirectContext context, Func<IStorefrontUrlBuilder> urlBuilderFactory) { Uri absoluteUri; if (Uri.TryCreate(context.RedirectUri, UriKind.Absolute, out absoluteUri)) { var path = PathString.FromUriComponent(absoluteUri); if (path == context.OwinContext.Request.PathBase + context.Options.LoginPath) { var urlBuilder = urlBuilderFactory(); context.RedirectUri = urlBuilder.ToAppAbsolute(context.Options.LoginPath.ToString()) + new QueryString(context.Options.ReturnUrlParameter, context.Request.Uri.AbsoluteUri); } } context.Response.Redirect(context.RedirectUri); }
private static void ApplyRedirect(CookieApplyRedirectContext context) { Uri absoluteUri; if (Uri.TryCreate(context.RedirectUri, UriKind.Absolute, out absoluteUri)) { var path = PathString.FromUriComponent(absoluteUri); if (path == context.OwinContext.Request.PathBase + context.Options.LoginPath) context.RedirectUri = "http://accounts.domain.com/login" + new QueryString( context.Options.ReturnUrlParameter, context.Request.Uri.AbsoluteUri); } context.Response.Redirect(context.RedirectUri); }
/// <summary> /// Method for managing all the re-directs that occurs on the website. /// </summary> /// <param name="context"></param> private static void ApplyRedirect(CookieApplyRedirectContext context) { string backendPath = Paths.ProtectedRootPath.TrimEnd('/'); // We use the method for transferring the user to the backend login pages if she tries to go // to the Edit views without being navigated. if (context.Request.Uri.AbsolutePath.StartsWith(backendPath) && !context.Request.User.Identity.IsAuthenticated) { context.RedirectUri = VirtualPathUtility.ToAbsolute("~/BackendLogin") + new QueryString( context.Options.ReturnUrlParameter, context.Request.Uri.AbsoluteUri); } context.Response.Redirect(context.RedirectUri); }
public void UpdateRedirectUrlToAdminLoginPageIfNecessary(CookieApplyRedirectContext context) { if (UserWasAccessingInternalArea(context)) { string standardLoginPathString = VirtualPathUtility.ToAbsolute(context.Options.LoginPath.Value); string adminLoginPathString = VirtualPathUtility.ToAbsolute(AdminLoginPath); Uri currentUri = new Uri(context.RedirectUri); UriBuilder uriBuilder = new UriBuilder(currentUri); if (string.Equals(uriBuilder.Path, standardLoginPathString, StringComparison.OrdinalIgnoreCase)) { uriBuilder.Path = adminLoginPathString; } context.RedirectUri = uriBuilder.Uri.ToString(); } }
public override void ApplyRedirect(CookieApplyRedirectContext context) { base.ApplyRedirect(context); }
public void Configuration(IAppBuilder app) { // MVC GlobalFilters.Filters.Add(new HandleErrorAttribute()); RouteTable.Routes.MapRoute( name: "Default", url: "{controller}/{action}/{id}", defaults: new { controller = "Home", action = "Index", id = UrlParameter.Optional } ); app.UseErrorPage(); app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType); app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationType = CookieAuthenticationDefaults.AuthenticationType, LoginPath = CookieAuthenticationDefaults.LoginPath, LogoutPath = CookieAuthenticationDefaults.LogoutPath, ReturnUrlParameter = CookieAuthenticationDefaults.ReturnUrlParameter, Provider = new CookieAuthenticationProvider { OnResponseSignOut = (context) => { // Single Sign-Out var casUrl = new Uri(ConfigurationManager.AppSettings["Authentication:CAS:CasServerUrlBase"]); var serviceUrl = context.Request.Uri.GetComponents(UriComponents.SchemeAndServer, UriFormat.Unescaped); var redirectUri = new UriBuilder(casUrl); redirectUri.Path += "/logout"; redirectUri.Query = $"service={Uri.EscapeDataString(serviceUrl)}"; var logoutRedirectContext = new CookieApplyRedirectContext( context.OwinContext, context.Options, redirectUri.Uri.AbsoluteUri ); context.Options.Provider.ApplyRedirect(logoutRedirectContext); } } }); app.UseCasAuthentication(new CasAuthenticationOptions { CasServerUrlBase = ConfigurationManager.AppSettings["Authentication:CAS:CasServerUrlBase"], Provider = new CasAuthenticationProvider { OnCreatingTicket = (context) => { // first_name, family_name, display_name, email, verified_email var assertion = (context.Identity as CasIdentity)?.Assertion; if (assertion == null) { return(Task.FromResult(0)); } var email = assertion.Attributes["email"].FirstOrDefault(); if (!string.IsNullOrEmpty(email)) { context.Identity.AddClaim(new Claim(ClaimTypes.Email, email)); } var displayName = assertion.Attributes["display_name"].FirstOrDefault(); if (!string.IsNullOrEmpty(displayName)) { context.Identity.AddClaim(new Claim(ClaimTypes.Name, displayName)); } return(Task.FromResult(0)); } } }); app.UseOAuthAuthentication((options) => { options.ClientId = ConfigurationManager.AppSettings["Authentication:OAuth:ClientId"]; options.ClientSecret = ConfigurationManager.AppSettings["Authentication:OAuth:ClientSecret"]; options.CallbackPath = new PathString("/sign-oauth"); options.AuthorizationEndpoint = ConfigurationManager.AppSettings["Authentication:OAuth:AuthorizationEndpoint"]; options.TokenEndpoint = ConfigurationManager.AppSettings["Authentication:OAuth:TokenEndpoint"]; options.SaveTokensAsClaims = true; options.UserInformationEndpoint = ConfigurationManager.AppSettings["Authentication:OAuth:UserInformationEndpoint"]; options.Events = new OAuthEvents { OnCreatingTicket = async(context) => { var request = new HttpRequestMessage(HttpMethod.Get, context.Options.UserInformationEndpoint); request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", context.AccessToken); request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json")); var response = await context.Backchannel.SendAsync(request, context.Request.CallCancelled); response.EnsureSuccessStatusCode(); var user = JObject.Parse(await response.Content.ReadAsStringAsync()); var identifier = user.Value <string>("id"); if (!string.IsNullOrEmpty(identifier)) { context.Identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, identifier)); } var attributes = user.Value <JObject>("attributes"); if (attributes == null) { return; } var email = attributes.Value <string>("email"); if (!string.IsNullOrEmpty(email)) { context.Identity.AddClaim(new Claim(ClaimTypes.Email, email)); } var displayName = attributes.Value <string>("display_name"); if (!string.IsNullOrEmpty(displayName)) { context.Identity.AddClaim(new Claim(ClaimTypes.Name, displayName)); } } }; }); }
private static void ApplyRedirect(CookieApplyRedirectContext context) { UrlHelper _url = new UrlHelper(HttpContext.Current.Request.RequestContext); String actionUri = _url.Action("Login", "Account", new { Culture = Abstractions.CultureHelper.CurrentCulture.Name }); context.Response.Redirect(actionUri); }
/// <summary> /// Implements the interface method by invoking the related delegate method /// </summary> /// <param name="context">Contains information about the event</param> public virtual void ApplyRedirect(CookieApplyRedirectContext context) { OnApplyRedirect.Invoke(context); }
public void Configuration(IAppBuilder app) { var env = Environment.GetEnvironmentVariable("ENVIRONMENT") ?? "Production"; var builder = new ConfigurationBuilder() .AddJsonFile("appsettings.json", optional: true, reloadOnChange: true) .AddJsonFile($"appsettings.{env}.json", optional: true, reloadOnChange: true); var configuration = builder.Build(); // MVC GlobalFilters.Filters.Add(new HandleErrorAttribute()); RouteTable.Routes.MapRoute( name: "Default", url: "{controller}/{action}/{id}", defaults: new { controller = "Home", action = "Index", id = UrlParameter.Optional } ); app.UseErrorPage(); app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType); app.UseCookieAuthentication(new CookieAuthenticationOptions { LoginPath = CookieAuthenticationDefaults.LoginPath, LogoutPath = CookieAuthenticationDefaults.LogoutPath, Provider = new CookieAuthenticationProvider { OnResponseSignOut = context => { // Single Sign-Out var casUrl = new Uri(configuration["Authentication:CAS:ServerUrlBase"]); var serviceUrl = context.Request.Uri.GetComponents(UriComponents.SchemeAndServer, UriFormat.Unescaped); var redirectUri = new UriBuilder(casUrl); redirectUri.Path += "/logout"; redirectUri.Query = $"service={Uri.EscapeDataString(serviceUrl)}"; var logoutRedirectContext = new CookieApplyRedirectContext( context.OwinContext, context.Options, redirectUri.Uri.AbsoluteUri ); context.Options.Provider.ApplyRedirect(logoutRedirectContext); } } }); app.UseCasAuthentication(options => { options.CasServerUrlBase = configuration["Authentication:CAS:ServerUrlBase"]; var protocolVersion = configuration.GetValue("Authentication:CAS:ProtocolVersion", 3); if (protocolVersion != 3) { switch (protocolVersion) { case 1: options.ServiceTicketValidator = new Cas10ServiceTicketValidator(options); break; case 2: options.ServiceTicketValidator = new Cas20ServiceTicketValidator(options); break; } } options.Provider = new CasAuthenticationProvider { OnCreatingTicket = context => { // add claims from CasIdentity.Assertion ? var assertion = (context.Identity as CasIdentity)?.Assertion; if (assertion == null) { return(Task.CompletedTask); } context.Identity.AddClaim(new Claim(context.Identity.NameClaimType, assertion.PrincipalName)); if (assertion.Attributes.TryGetValue("email", out var email)) { context.Identity.AddClaim(new Claim(ClaimTypes.Email, email)); } if (assertion.Attributes.TryGetValue("display_name", out var displayName)) { context.Identity.AddClaim(new Claim(ClaimTypes.GivenName, displayName)); } return(Task.CompletedTask); } }; }); app.UseOAuthAuthentication(options => { options.ClientId = configuration["Authentication:OAuth:ClientId"]; options.ClientSecret = configuration["Authentication:OAuth:ClientSecret"]; options.CallbackPath = new PathString("/sign-oauth"); options.AuthorizationEndpoint = configuration["Authentication:OAuth:AuthorizationEndpoint"]; options.TokenEndpoint = configuration["Authentication:OAuth:TokenEndpoint"]; options.SaveTokensAsClaims = true; options.UserInformationEndpoint = configuration["Authentication:OAuth:UserInformationEndpoint"]; options.Events = new OAuthEvents { OnCreatingTicket = async context => { var request = new HttpRequestMessage(HttpMethod.Get, context.Options.UserInformationEndpoint); request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", context.AccessToken); request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json")); var response = await context.Backchannel.SendAsync(request, context.Request.CallCancelled); response.EnsureSuccessStatusCode(); var user = JObject.Parse(await response.Content.ReadAsStringAsync()); var identifier = user.Value <string>("id"); if (!string.IsNullOrEmpty(identifier)) { context.Identity.AddClaim(new Claim(context.Identity.NameClaimType, identifier)); } var attributes = user.Value <JObject>("attributes"); if (attributes == null) { return; } var email = attributes.Value <string>("email"); if (!string.IsNullOrEmpty(email)) { context.Identity.AddClaim(new Claim(ClaimTypes.Email, email)); } var displayName = attributes.Value <string>("display_name"); if (!string.IsNullOrEmpty(displayName)) { context.Identity.AddClaim(new Claim(ClaimTypes.GivenName, displayName)); } } }; }); }
public void Configuration(IAppBuilder app) { var env = Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT") ?? "Development"; var builder = new ConfigurationBuilder() .AddJsonFile($"appsettings.json", optional: true, reloadOnChange: true) .AddJsonFile($"appsettings.{env}.json", optional: true, reloadOnChange: true); var configuration = builder.Build(); app.UseErrorPage(); var sessionStore = new AuthenticationSessionStoreWrapper(new RuntimeCacheServiceTicketStore()); app.UseCasSingleSignOut(sessionStore); app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType); app.UseCookieAuthentication(new CookieAuthenticationOptions { LoginPath = new PathString("/login"), LogoutPath = new PathString("/logout"), SessionStore = sessionStore, Provider = new CookieAuthenticationProvider { OnResponseSignOut = context => { // Single Sign-Out var casUrl = new Uri(configuration["Authentication:CAS:ServerUrlBase"]); var serviceUrl = context.Request.Uri.GetComponents(UriComponents.SchemeAndServer, UriFormat.Unescaped); var redirectUri = new UriBuilder(casUrl); redirectUri.Path += "/logout"; redirectUri.Query = $"service={Uri.EscapeDataString(serviceUrl)}"; var logoutRedirectContext = new CookieApplyRedirectContext( context.OwinContext, context.Options, redirectUri.Uri.AbsoluteUri ); context.Options.Provider.ApplyRedirect(logoutRedirectContext); } } }); app.UseCasAuthentication(options => { options.CasServerUrlBase = configuration["Authentication:CAS:ServerUrlBase"]; options.ServiceUrlBase = configuration.GetValue <Uri>("Authentication:CAS:ServiceUrlBase"); options.UseAuthenticationSessionStore = true; var protocolVersion = configuration.GetValue("Authentication:CAS:ProtocolVersion", 3); if (protocolVersion != 3) { switch (protocolVersion) { case 1: options.ServiceTicketValidator = new Cas10ServiceTicketValidator(options); break; case 2: options.ServiceTicketValidator = new Cas20ServiceTicketValidator(options); break; } } options.Provider = new CasAuthenticationProvider { OnCreatingTicket = context => { // add claims from CasIdentity.Assertion ? var assertion = (context.Identity as CasIdentity)?.Assertion; if (assertion == null) { return(Task.CompletedTask); } context.Identity.AddClaim(new Claim(context.Identity.NameClaimType, assertion.PrincipalName)); if (assertion.Attributes.TryGetValue("email", out var email)) { context.Identity.AddClaim(new Claim(ClaimTypes.Email, email)); } if (assertion.Attributes.TryGetValue("display_name", out var displayName)) { context.Identity.AddClaim(new Claim(ClaimTypes.GivenName, displayName)); } return(Task.CompletedTask); } }; }); app.UseOAuthAuthentication(options => { options.ClientId = configuration["Authentication:OAuth:ClientId"]; options.ClientSecret = configuration["Authentication:OAuth:ClientSecret"]; options.CallbackPath = new PathString("/sign-oauth"); options.AuthorizationEndpoint = configuration["Authentication:OAuth:AuthorizationEndpoint"]; options.TokenEndpoint = configuration["Authentication:OAuth:TokenEndpoint"]; options.SaveTokensAsClaims = true; options.UserInformationEndpoint = configuration["Authentication:OAuth:UserInformationEndpoint"]; options.Events = new OAuthEvents { OnCreatingTicket = async context => { var request = new HttpRequestMessage(HttpMethod.Get, context.Options.UserInformationEndpoint); request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", context.AccessToken); request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json")); var response = await context.Backchannel.SendAsync(request, context.Request.CallCancelled); response.EnsureSuccessStatusCode(); var user = JObject.Parse(await response.Content.ReadAsStringAsync()); var identifier = user.Value <string>("id"); if (!string.IsNullOrEmpty(identifier)) { context.Identity.AddClaim(new Claim(context.Identity.NameClaimType, identifier)); } var attributes = user.Value <JObject>("attributes"); if (attributes == null) { return; } var email = attributes.Value <string>("email"); if (!string.IsNullOrEmpty(email)) { context.Identity.AddClaim(new Claim(ClaimTypes.Email, email)); } var displayName = attributes.Value <string>("display_name"); if (!string.IsNullOrEmpty(displayName)) { context.Identity.AddClaim(new Claim(ClaimTypes.GivenName, displayName)); } } }; }); // Choose an authentication type app.Map("/login", branch => { branch.Run(async context => { var scheme = context.Request.Query["authscheme"]; if (!string.IsNullOrEmpty(scheme)) { // By default the client will be redirect back to the URL that issued the challenge (/login?authscheme=foo), // send them to the home page instead (/). context.Authentication.Challenge(new AuthenticationProperties { RedirectUri = "/" }, scheme); return; } context.Response.ContentType = "text/html"; await context.Response.WriteAsync(@"<!DOCTYPE html><html><head><meta charset=""utf-8""></head><body>"); await context.Response.WriteAsync("<p>Choose an authentication scheme:</p>"); foreach (var type in context.Authentication.GetAuthenticationTypes()) { if (string.IsNullOrEmpty(type.Caption)) { continue; } await context.Response.WriteAsync($"<a href=\"?authscheme={type.AuthenticationType}\">{type.Caption ?? type.AuthenticationType}</a><br>"); } await context.Response.WriteAsync("</body></html>"); }); }); // Sign-out to remove the user cookie. app.Map("/logout", branch => { branch.Run(context => { context.Authentication.SignOut(CookieAuthenticationDefaults.AuthenticationType); context.Response.Redirect("/"); return(Task.CompletedTask); }); }); app.Run(async context => { // CookieAuthenticationOptions.AutomaticAuthenticate = true (default) causes User to be set var user = context.Authentication.User; // This is what [Authorize] calls // var user = await context.Authentication.AuthenticateAsync(AuthenticationManager.AutomaticScheme); // Deny anonymous request beyond this point. if (user == null || !user.Identities.Any(identity => identity.IsAuthenticated)) { // This is what [Authorize] calls // The cookie middleware will intercept this 401 and redirect to /login context.Authentication.Challenge(); return; } // Display user information context.Response.ContentType = "text/html"; await context.Response.WriteAsync(@"<!DOCTYPE html><html><head><meta charset=""utf-8""></head><body>"); await context.Response.WriteAsync($"<h1>Hello {user.Identity.Name ?? "anonymous"}</h1>"); await context.Response.WriteAsync("<ul>"); foreach (var claim in user.Claims) { await context.Response.WriteAsync($"<li>{claim.Type}: {claim.Value}</li>"); } await context.Response.WriteAsync("</ul>"); await context.Response.WriteAsync("<a href=\"/logout\">Logout</a><br>"); await context.Response.WriteAsync("</body></html>"); }); }
public void ApplyRedirect(CookieApplyRedirectContext context) { context.Response.Redirect(context.RedirectUri); }
public void Configuration(IAppBuilder app) { var env = Environment.GetEnvironmentVariable("DOTNET_ENVIRONMENT") ?? "Production"; _configuration = new ConfigurationBuilder() .AddJsonFile("appsettings.json") .AddJsonFile($"appsettings.{env}.json", optional: true, reloadOnChange: true) .AddEnvironmentVariables() .Build(); var services = new ServiceCollection(); ConfigureServices(services); _resolver = services.BuildServiceProvider(); // MVC GlobalFilters.Filters.Add(new AuthorizeAttribute()); GlobalFilters.Filters.Add(new HandleErrorAttribute()); RouteTable.Routes.MapRoute( name: "Default", url: "{controller}/{action}/{id}", defaults: new { controller = "Home", action = "Index", id = UrlParameter.Optional } ); AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier; // configure nlog.config per environment var configFile = new FileInfo(Path.Combine(AppContext.BaseDirectory, $"NLog.{env}.config")); LogManager.LoadConfiguration(configFile.Exists ? configFile.Name : "NLog.config"); app.UseNLog(); app.UseCasSingleSignOut(_resolver.GetRequiredService <IAuthenticationSessionStore>()); app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType); app.UseCookieAuthentication(new CookieAuthenticationOptions { LoginPath = CookieAuthenticationDefaults.LoginPath, LogoutPath = CookieAuthenticationDefaults.LogoutPath, // https://github.com/aspnet/AspNetKatana/wiki/System.Web-response-cookie-integration-issues CookieManager = new SystemWebCookieManager(), SessionStore = _resolver.GetRequiredService <IAuthenticationSessionStore>(), Provider = new CookieAuthenticationProvider { OnResponseSignOut = context => { // Single Sign-Out var casUrl = new Uri(_configuration["Authentication:CAS:ServerUrlBase"]); var urlHelper = new UrlHelper(HttpContext.Current.Request.RequestContext); var serviceUrl = urlHelper.Action("Index", "Home", null, HttpContext.Current.Request.Url.Scheme); var redirectUri = new UriBuilder(casUrl); redirectUri.Path += "/logout"; redirectUri.Query = $"service={Uri.EscapeDataString(serviceUrl)}"; var logoutRedirectContext = new CookieApplyRedirectContext ( context.OwinContext, context.Options, redirectUri.Uri.AbsoluteUri ); context.Options.Provider.ApplyRedirect(logoutRedirectContext); } } }); app.UseCasAuthentication(options => { options.CasServerUrlBase = _configuration["Authentication:CAS:ServerUrlBase"]; options.ServiceUrlBase = _configuration.GetValue <Uri>("Authentication:CAS:ServiceUrlBase"); // required for CasSingleSignOutMiddleware options.UseAuthenticationSessionStore = true; var protocolVersion = _configuration.GetValue("Authentication:CAS:ProtocolVersion", 3); if (protocolVersion != 3) { switch (protocolVersion) { case 1: options.ServiceTicketValidator = new Cas10ServiceTicketValidator(options); break; case 2: options.ServiceTicketValidator = new Cas20ServiceTicketValidator(options); break; } } options.Provider = new CasAuthenticationProvider { OnCreatingTicket = context => { var assertion = (context.Identity as CasIdentity)?.Assertion; if (assertion == null) { return(Task.CompletedTask); } // Map claims from assertion context.Identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, assertion.PrincipalName)); if (assertion.Attributes.TryGetValue("display_name", out var displayName)) { context.Identity.AddClaim(new Claim(ClaimTypes.Name, displayName)); } if (assertion.Attributes.TryGetValue("email", out var email)) { context.Identity.AddClaim(new Claim(ClaimTypes.Email, email)); } return(Task.CompletedTask); }, OnRemoteFailure = context => { var failure = context.Failure; _logger.Error(failure, failure.Message); context.Response.Redirect("/Account/ExternalLoginFailure"); context.HandleResponse(); return(Task.CompletedTask); } }; }); app.UseOAuthAuthentication(options => { options.ClientId = _configuration["Authentication:OAuth:ClientId"]; options.ClientSecret = _configuration["Authentication:OAuth:ClientSecret"]; options.AuthorizationEndpoint = _configuration["Authentication:OAuth:AuthorizationEndpoint"]; options.TokenEndpoint = _configuration["Authentication:OAuth:TokenEndpoint"]; options.UserInformationEndpoint = _configuration["Authentication:OAuth:UserInformationEndpoint"]; options.Events = new OAuthEvents { OnCreatingTicket = async context => { // Get the OAuth user using var request = new HttpRequestMessage(HttpMethod.Get, context.Options.UserInformationEndpoint); request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", context.AccessToken); using var response = await context.Backchannel.SendAsync(request, context.Request.CallCancelled).ConfigureAwait(false); if (!response.IsSuccessStatusCode || response.Content?.Headers?.ContentType?.MediaType.StartsWith("application/json") != true) { var responseText = response.Content == null ? string.Empty : await response.Content.ReadAsStringAsync().ConfigureAwait(false); _logger.Error($"An error occurred when retrieving OAuth user information ({response.StatusCode}). {responseText}"); return; } using var stream = await response.Content.ReadAsStreamAsync().ConfigureAwait(false); using var json = await JsonDocument.ParseAsync(stream).ConfigureAwait(false); var user = json.RootElement; if (user.TryGetProperty("id", out var id)) { context.Identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, id.GetString())); } if (user.TryGetProperty("attributes", out var attributes)) { if (attributes.TryGetProperty("display_name", out var displayName)) { context.Identity.AddClaim(new Claim(ClaimTypes.Name, displayName.GetString())); } if (attributes.TryGetProperty("email", out var email)) { context.Identity.AddClaim(new Claim(ClaimTypes.Email, email.GetString())); } } }, OnRemoteFailure = context => { var failure = context.Failure; _logger.Error(failure, failure.Message); context.Response.Redirect("/Account/ExternalLoginFailure"); context.HandleResponse(); return(Task.CompletedTask); } }; }); }
/// <summary> /// Parse the request URI to determine whether the user was trying to access the internal area. /// </summary> /// <param name="context"></param> /// <returns></returns> public bool UserWasAccessingInternalArea(CookieApplyRedirectContext context) { HttpRequest request = new HttpRequest(null, context.Request.Uri.OriginalString, context.Request.Uri.Query); HttpResponse response = new HttpResponse(new StringWriter()); HttpContext httpContext = new HttpContext(request, response); var routeData = RouteTable.Routes.GetRouteData(new HttpContextWrapper(httpContext)); string area = routeData.DataTokens["area"] as string; bool userWasAccessingInternalArea = string.Equals(area, AdminAreaName, StringComparison.OrdinalIgnoreCase); return userWasAccessingInternalArea; }
/// <summary> /// Applies grants to the response /// </summary> /// <returns></returns> protected override async Task ApplyResponseGrantAsync() { AuthenticationResponseGrant signin = Helper.LookupSignIn(Options.AuthenticationType); bool shouldSignin = signin != null; AuthenticationResponseRevoke signout = Helper.LookupSignOut(Options.AuthenticationType, Options.AuthenticationMode); bool shouldSignout = signout != null; if (!(shouldSignin || shouldSignout || _shouldRenew)) { return; } AuthenticationTicket model = await AuthenticateAsync(); try { var cookieOptions = new CookieOptions { Domain = Options.CookieDomain, HttpOnly = Options.CookieHttpOnly, Path = Options.CookiePath ?? "/", }; if (Options.CookieSecure == CookieSecureOption.SameAsRequest) { cookieOptions.Secure = Request.IsSecure; } else { cookieOptions.Secure = Options.CookieSecure == CookieSecureOption.Always; } if (shouldSignin) { var signInContext = new CookieResponseSignInContext( Context, Options, Options.AuthenticationType, signin.Identity, signin.Properties, cookieOptions); DateTimeOffset issuedUtc; if (signInContext.Properties.IssuedUtc.HasValue) { issuedUtc = signInContext.Properties.IssuedUtc.Value; } else { issuedUtc = Options.SystemClock.UtcNow; signInContext.Properties.IssuedUtc = issuedUtc; } if (!signInContext.Properties.ExpiresUtc.HasValue) { signInContext.Properties.ExpiresUtc = issuedUtc.Add(Options.ExpireTimeSpan); } Options.Provider.ResponseSignIn(signInContext); if (signInContext.Properties.IsPersistent) { DateTimeOffset expiresUtc = signInContext.Properties.ExpiresUtc ?? issuedUtc.Add(Options.ExpireTimeSpan); signInContext.CookieOptions.Expires = expiresUtc.ToUniversalTime().DateTime; } model = new AuthenticationTicket(signInContext.Identity, signInContext.Properties); if (Options.SessionStore != null) { if (_sessionKey != null) { await Options.SessionStore.RemoveAsync(_sessionKey); } _sessionKey = await Options.SessionStore.StoreAsync(model); ClaimsIdentity identity = new ClaimsIdentity( new[] { new Claim(SessionIdClaim, _sessionKey) }, Options.AuthenticationType); model = new AuthenticationTicket(identity, null); } string cookieValue = Options.TicketDataFormat.Protect(model); Options.CookieManager.AppendResponseCookie( Context, Options.CookieName, cookieValue, signInContext.CookieOptions); var signedInContext = new CookieResponseSignedInContext( Context, Options, Options.AuthenticationType, signInContext.Identity, signInContext.Properties); Options.Provider.ResponseSignedIn(signedInContext); } else if (shouldSignout) { if (Options.SessionStore != null && _sessionKey != null) { await Options.SessionStore.RemoveAsync(_sessionKey); } var context = new CookieResponseSignOutContext( Context, Options, cookieOptions); Options.Provider.ResponseSignOut(context); Options.CookieManager.DeleteCookie( Context, Options.CookieName, context.CookieOptions); } else if (_shouldRenew && model.Identity != null) { model.Properties.IssuedUtc = _renewIssuedUtc; model.Properties.ExpiresUtc = _renewExpiresUtc; if (Options.SessionStore != null && _sessionKey != null) { await Options.SessionStore.RenewAsync(_sessionKey, model); ClaimsIdentity identity = new ClaimsIdentity( new[] { new Claim(SessionIdClaim, _sessionKey) }, Options.AuthenticationType); model = new AuthenticationTicket(identity, null); } string cookieValue = Options.TicketDataFormat.Protect(model); if (model.Properties.IsPersistent) { cookieOptions.Expires = _renewExpiresUtc.ToUniversalTime().DateTime; } Options.CookieManager.AppendResponseCookie( Context, Options.CookieName, cookieValue, cookieOptions); } Response.Headers.Set( HeaderNameCacheControl, HeaderValueNoCache); Response.Headers.Set( HeaderNamePragma, HeaderValueNoCache); Response.Headers.Set( HeaderNameExpires, HeaderValueMinusOne); bool shouldLoginRedirect = shouldSignin && Options.LoginPath.HasValue && Request.Path == Options.LoginPath; bool shouldLogoutRedirect = shouldSignout && Options.LogoutPath.HasValue && Request.Path == Options.LogoutPath; if ((shouldLoginRedirect || shouldLogoutRedirect) && Response.StatusCode == 200) { IReadableStringCollection query = Request.Query; string redirectUri = query.Get(Options.ReturnUrlParameter); if (!string.IsNullOrWhiteSpace(redirectUri) && IsHostRelative(redirectUri)) { var redirectContext = new CookieApplyRedirectContext(Context, Options, redirectUri); Options.Provider.ApplyRedirect(redirectContext); } } } catch (Exception exception) { CookieExceptionContext exceptionContext = new CookieExceptionContext(Context, Options, CookieExceptionContext.ExceptionLocation.ApplyResponseGrant, exception, model); Options.Provider.Exception(exceptionContext); if (exceptionContext.Rethrow) { throw; } } }
private static bool IsApiRequest(CookieApplyRedirectContext context) { return(context.Request.Path.StartsWithSegments(new PathString("/api"))); }
/// <summary> /// If a user times out before attempting an action, the "ReturnUrl" query string /// parameter included in the sign-in page URL may need to be rewritten. /// This can be used to prevent the user being redirected with a GET to a POST-only action /// after they sign back in. /// </summary> public void ApplyReturnUrlMapping(CookieApplyRedirectContext context) { Uri currentUri = new Uri(context.RedirectUri); var queryStringParameters = HttpUtility.ParseQueryString(currentUri.Query); string returnUrl = queryStringParameters["ReturnUrl"]; if (returnUrlMapping.IsMapped(returnUrl)) { returnUrl = returnUrlMapping.ApplyMap(returnUrl); if (returnUrl != null) { queryStringParameters["ReturnUrl"] = returnUrl; } else { queryStringParameters.Remove("ReturnUrl"); } UriBuilder uriBuilder = new UriBuilder(currentUri); uriBuilder.Query = queryStringParameters.ToString(); context.RedirectUri = uriBuilder.Uri.ToString(); } }
public void Configuration(IAppBuilder app) { app.UseErrorPage(); var sessionStore = new AuthenticationSessionStoreWrapper(new RuntimeCacheServiceTicketStore()); app.UseCasSingleSignOut(sessionStore); app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType); app.UseCookieAuthentication(new CookieAuthenticationOptions { LoginPath = new PathString("/login"), LogoutPath = new PathString("/logout"), SessionStore = sessionStore, Provider = new CookieAuthenticationProvider { OnResponseSignOut = (context) => { // Single Sign-Out var casUrl = new Uri(ConfigurationManager.AppSettings["Authentication:CAS:CasServerUrlBase"]); var serviceUrl = context.Request.Uri.GetComponents(UriComponents.SchemeAndServer, UriFormat.Unescaped); var redirectUri = new UriBuilder(casUrl); redirectUri.Path += "/logout"; redirectUri.Query = $"service={Uri.EscapeDataString(serviceUrl)}"; var logoutRedirectContext = new CookieApplyRedirectContext( context.OwinContext, context.Options, redirectUri.Uri.AbsoluteUri ); context.Options.Provider.ApplyRedirect(logoutRedirectContext); } } }); app.UseCasAuthentication(new CasAuthenticationOptions { CasServerUrlBase = ConfigurationManager.AppSettings["Authentication:CAS:CasServerUrlBase"], UseAuthenticationSessionStore = true, Provider = new CasAuthenticationProvider { OnCreatingTicket = (context) => { // first_name, family_name, display_name, email, verified_email var assertion = (context.Identity as CasIdentity)?.Assertion; if (assertion == null) { return(Task.FromResult(0)); } var email = assertion.Attributes["email"].FirstOrDefault(); if (!string.IsNullOrEmpty(email)) { context.Identity.AddClaim(new Claim(ClaimTypes.Email, email)); } var displayName = assertion.Attributes["display_name"].FirstOrDefault(); if (!string.IsNullOrEmpty(displayName)) { context.Identity.AddClaim(new Claim(ClaimTypes.Name, displayName)); } return(Task.FromResult(0)); } } }); app.UseOAuthAuthentication((options) => { options.ClientId = ConfigurationManager.AppSettings["Authentication:OAuth:ClientId"]; options.ClientSecret = ConfigurationManager.AppSettings["Authentication:OAuth:ClientSecret"]; options.CallbackPath = new PathString("/sign-oauth"); options.AuthorizationEndpoint = ConfigurationManager.AppSettings["Authentication:OAuth:AuthorizationEndpoint"]; options.TokenEndpoint = ConfigurationManager.AppSettings["Authentication:OAuth:TokenEndpoint"]; options.SaveTokensAsClaims = true; options.UserInformationEndpoint = ConfigurationManager.AppSettings["Authentication:OAuth:UserInformationEndpoint"]; options.Events = new OAuthEvents { OnCreatingTicket = async(context) => { var request = new HttpRequestMessage(HttpMethod.Get, context.Options.UserInformationEndpoint); request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", context.AccessToken); request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json")); var response = await context.Backchannel.SendAsync(request, context.Request.CallCancelled); response.EnsureSuccessStatusCode(); var user = JObject.Parse(await response.Content.ReadAsStringAsync()); var identifier = user.Value <string>("id"); if (!string.IsNullOrEmpty(identifier)) { context.Identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, identifier)); } var attributes = user.Value <JObject>("attributes"); if (attributes == null) { return; } var email = attributes.Value <string>("email"); if (!string.IsNullOrEmpty(email)) { context.Identity.AddClaim(new Claim(ClaimTypes.Email, email)); } var displayName = attributes.Value <string>("display_name"); if (!string.IsNullOrEmpty(displayName)) { context.Identity.AddClaim(new Claim(ClaimTypes.Name, displayName)); } } }; }); // Choose an authentication type app.Map("/login", branch => { branch.Run(async context => { var authType = context.Request.Query["authscheme"]; if (!string.IsNullOrEmpty(authType)) { // By default the client will be redirect back to the URL that issued the challenge (/login?authtype=foo), // send them to the home page instead (/). context.Authentication.Challenge(new AuthenticationProperties() { RedirectUri = "/" }, authType); return; } context.Response.ContentType = "text/html"; await context.Response.WriteAsync("<html><body>"); await context.Response.WriteAsync("<p>Choose an authentication scheme:</p>"); foreach (var type in context.Authentication.GetAuthenticationTypes()) { if (string.IsNullOrEmpty(type.Caption)) { continue; } await context.Response.WriteAsync($"<a href=\"?authscheme={type.AuthenticationType}\">{type.Caption}</a><br>"); } await context.Response.WriteAsync("</body></html>"); }); }); // Sign-out to remove the user cookie. app.Map("/logout", branch => { branch.Run(context => { context.Authentication.SignOut(CookieAuthenticationDefaults.AuthenticationType); context.Response.Redirect("/"); return(Task.FromResult(0)); }); }); app.Run(async context => { // CookieAuthenticationOptions.AutomaticAuthenticate = true (default) causes User to be set var user = context.Authentication.User; // This is what [Authorize] calls // var user = await context.Authentication.AuthenticateAsync(AuthenticationManager.AutomaticScheme); // Deny anonymous request beyond this point. if (user == null || !user.Identities.Any(identity => identity.IsAuthenticated)) { // This is what [Authorize] calls // The cookie middleware will intercept this 401 and redirect to /login context.Authentication.Challenge(); return; } // Display user information context.Response.ContentType = "text/html"; await context.Response.WriteAsync("<html><body>"); await context.Response.WriteAsync($"<h1>Hello {user.Identity.Name ?? "anonymous"}</h1>"); await context.Response.WriteAsync("<ul>"); foreach (var claim in user.Claims) { await context.Response.WriteAsync($"<li>{claim.Type}: {claim.Value}</li>"); } await context.Response.WriteAsync("</ul>"); await context.Response.WriteAsync("<a href=\"/logout\">Logout</a><br>"); await context.Response.WriteAsync("</body></html>"); }); }
public void ApplyRedirect(CookieApplyRedirectContext context) { OnApplyingRedirect.Invoke(context); _cookieAuthenticationProvider.ApplyRedirect(context); OnRedirectApplied.Invoke(context); }