public UmbracoBackOfficeCookieAuthOptions(
string[] explicitPaths,
ISecuritySection securitySection,
int loginTimeoutMinutes,
bool forceSsl,
bool useLegacyFormsAuthDataFormat = true)
{
LoginTimeoutMinutes = loginTimeoutMinutes;
AuthenticationType = Constants.Security.BackOfficeAuthenticationType;
if (useLegacyFormsAuthDataFormat)
{
//If this is not explicitly set it will fall back to the default automatically
TicketDataFormat = new FormsAuthenticationSecureDataFormat(LoginTimeoutMinutes);
}
SlidingExpiration = true;
ExpireTimeSpan = TimeSpan.FromMinutes(LoginTimeoutMinutes);
CookieDomain = securitySection.AuthCookieDomain;
CookieName = securitySection.AuthCookieName;
CookieHttpOnly = true;
CookieSecure = forceSsl ? CookieSecureOption.Always : CookieSecureOption.SameAsRequest;
CookiePath = "/";
//Custom cookie manager so we can filter requests
CookieManager = new BackOfficeCookieManager(new SingletonUmbracoContextAccessor(), explicitPaths);
}
public FrontEndCookieAuthenticationOptions(
FrontEndCookieManager frontEndCookieManager,
ISecuritySection securitySection,
IGlobalSettings globalSettings)
{
CookieManager = frontEndCookieManager;
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie;
SlidingExpiration = true;
ExpireTimeSpan = TimeSpan.FromMinutes(globalSettings.TimeOutInMinutes);
CookieDomain = securitySection.AuthCookieDomain;
CookieName = securitySection.AuthCookieName + "_MEMBERS";
CookieHttpOnly = true;
CookieSecure = globalSettings.UseHttps ? CookieSecureOption.Always : CookieSecureOption.SameAsRequest;
CookiePath = "/";
//NOTE: These are the defaults in the base class
//ReturnUrlParameter = "ReturnUrl";
//CookiePath = "/";
//ExpireTimeSpan = TimeSpan.FromDays(14.0);
//SlidingExpiration = true;
//CookieHttpOnly = true;
//CookieSecure = CookieSecureOption.SameAsRequest;
//SystemClock = new SystemClock();
//Provider = new CookieAuthenticationProvider();
}
public UmbracoBackOfficeCookieAuthOptions(
string[] explicitPaths,
IUmbracoContextAccessor umbracoContextAccessor,
ISecuritySection securitySection,
IGlobalSettings globalSettings,
IRuntimeState runtimeState,
ISecureDataFormat <AuthenticationTicket> secureDataFormat)
{
var secureDataFormat1 = secureDataFormat ?? throw new ArgumentNullException(nameof(secureDataFormat));
LoginTimeoutMinutes = globalSettings.TimeOutInMinutes;
AuthenticationType = Constants.Security.BackOfficeAuthenticationType;
SlidingExpiration = true;
ExpireTimeSpan = TimeSpan.FromMinutes(LoginTimeoutMinutes);
CookieDomain = securitySection.AuthCookieDomain;
CookieName = securitySection.AuthCookieName;
CookieHttpOnly = true;
CookieSecure = globalSettings.UseHttps ? CookieSecureOption.Always : CookieSecureOption.SameAsRequest;
CookiePath = "/";
TicketDataFormat = new UmbracoSecureDataFormat(LoginTimeoutMinutes, secureDataFormat1);
//Custom cookie manager so we can filter requests
CookieManager = new BackOfficeCookieManager(umbracoContextAccessor, runtimeState, globalSettings, explicitPaths);
}
public UmbracoBackOfficeCookieAuthOptions(
ISecuritySection securitySection,
int loginTimeoutMinutes,
bool forceSsl,
bool useLegacyFormsAuthDataFormat = true)
: this(null, securitySection, loginTimeoutMinutes, forceSsl, useLegacyFormsAuthDataFormat)
{
}
public GetUserSecondsMiddleWare(
OwinMiddleware next,
UmbracoBackOfficeCookieAuthOptions authOptions,
IGlobalSettings globalSettings,
ISecuritySection security,
ILogger logger)
: base(next)
{
_authOptions = authOptions ?? throw new ArgumentNullException(nameof(authOptions));
_globalSettings = globalSettings;
_security = security;
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
public FrontEndCookieAuthenticationOptions(
FrontEndCookieManager frontEndCookieManager,
ISecuritySection securitySection,
IGlobalSettings globalSettings)
{
CookieManager = frontEndCookieManager;
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie;
SlidingExpiration = true;
ExpireTimeSpan = TimeSpan.FromMinutes(globalSettings.TimeOutInMinutes);
CookieDomain = securitySection.AuthCookieDomain;
CookieName = securitySection.AuthCookieName + "_MEMBERS";
CookieHttpOnly = true;
CookieSecure = globalSettings.UseHttps ? CookieSecureOption.Always : CookieSecureOption.SameAsRequest;
CookiePath = "/";
}
public ActiveDirectoryComponent(ILogger logger, IUmbracoContextAccessor umbracoContextAccessor,
IRuntimeState runtimeState, IUserService userService, IGlobalSettings globalSettings,
ISecuritySection securitySection, IMemberService memberService)
{
_logger = logger;
_umbracoContextAccessor = umbracoContextAccessor;
_runtimeState = runtimeState;
_userService = userService;
_globalSettings = globalSettings;
_securitySection = securitySection;
_memberService = memberService;
_openIdAuthorizeUrl = ConfigurationManager.AppSettings["OpenId.AuthorizeUrl"];
_tenantId = ConfigurationManager.AppSettings["AzureAd.TenantId"];
_clientId = ConfigurationManager.AppSettings["AzureAd.ClientId"];
_redirectUrl = ConfigurationManager.AppSettings["AzureAd.RedirectUrl"];
}
public GetUserSecondsMiddleWare(
OwinMiddleware next,
UmbracoBackOfficeCookieAuthOptions authOptions,
ISecuritySection security,
ILogger logger)
: base(next)
{
if (authOptions == null)
{
throw new ArgumentNullException("authOptions");
}
if (logger == null)
{
throw new ArgumentNullException("logger");
}
_authOptions = authOptions;
_security = security;
_logger = logger;
}
public TwoFactorEventHandler(
IUmbracoContextAccessor umbracoContextAccessor,
IRuntimeState runtimeState,
IUserService userService,
IGlobalSettings globalSettings,
ISecuritySection securitySection,
IEntityService entityService,
IExternalLoginService externalLoginService,
IMemberTypeService memberTypeService,
UmbracoMapper umbracoMapper)
{
this.umbracoContextAccessor = umbracoContextAccessor;
this.runtimeState = runtimeState;
this.userService = userService;
this.globalSettings = globalSettings;
this.securitySection = securitySection;
this.entityService = entityService;
this.externalLoginService = externalLoginService;
this.memberTypeService = memberTypeService;
this.umbracoMapper = umbracoMapper;
}
/// <summary>
/// Create the default umb cookie auth options
/// </summary>
/// <param name="app"></param>
/// <param name="umbracoContextAccessor"></param>
/// <param name="globalSettings"></param>
/// <param name="runtimeState"></param>
/// <param name="securitySettings"></param>
/// <param name="explicitPaths"></param>
/// <returns></returns>
public static UmbracoBackOfficeCookieAuthOptions CreateUmbracoCookieAuthOptions(this IAppBuilder app,
IUmbracoContextAccessor umbracoContextAccessor,
IGlobalSettings globalSettings, IRuntimeState runtimeState, ISecuritySection securitySettings, string[] explicitPaths = null)
{
//this is how aspnet wires up the default AuthenticationTicket protector so we'll use the same code
var ticketDataFormat = new TicketDataFormat(
app.CreateDataProtector(typeof(CookieAuthenticationMiddleware).FullName,
Constants.Security.BackOfficeAuthenticationType,
"v1"));
var authOptions = new UmbracoBackOfficeCookieAuthOptions(
explicitPaths,
umbracoContextAccessor,
securitySettings,
globalSettings,
runtimeState,
ticketDataFormat);
return(authOptions);
}
/// <summary>
/// In order for preview to work this needs to be called
/// </summary>
/// <param name="app"></param>
/// <param name="umbracoContextAccessor"></param>
/// <param name="runtimeState"></param>
/// <param name="globalSettings"></param>
/// <param name="securitySettings"></param>
/// <param name="stage"></param>
/// <returns></returns>
/// <remarks>
/// This ensures that during a preview request that the back office use is also Authenticated and that the back office Identity
/// is added as a secondary identity to the current IPrincipal so it can be used to Authorize the previewed document.
/// </remarks>
public static IAppBuilder UseUmbracoPreviewAuthentication(this IAppBuilder app, IUmbracoContextAccessor umbracoContextAccessor, IRuntimeState runtimeState, IGlobalSettings globalSettings, ISecuritySection securitySettings, PipelineStage stage)
{
if (runtimeState.Level != RuntimeLevel.Run)
{
return(app);
}
var authOptions = app.CreateUmbracoCookieAuthOptions(umbracoContextAccessor, globalSettings, runtimeState, securitySettings);
app.Use(typeof(PreviewAuthenticationMiddleware), authOptions, Current.Configs.Global());
// This middleware must execute at least on PostAuthentication, by default it is on Authorize
// The middleware needs to execute after the RoleManagerModule executes which is during PostAuthenticate,
// currently I've had 100% success with ensuring this fires after RoleManagerModule even if this is set
// to PostAuthenticate though not sure if that's always a guarantee so by default it's Authorize.
if (stage < PipelineStage.PostAuthenticate)
{
throw new InvalidOperationException("The stage specified for UseUmbracoPreviewAuthentication must be greater than or equal to " + PipelineStage.PostAuthenticate);
}
app.UseStageMarker(stage);
return(app);
}
/// <summary>
/// In order for preview to work this needs to be called
/// </summary>
/// <param name="app"></param>
/// <param name="umbracoContextAccessor"></param>
/// <param name="runtimeState"></param>
/// <param name="globalSettings"></param>
/// <param name="securitySettings"></param>
/// <returns></returns>
/// <remarks>
/// This ensures that during a preview request that the back office use is also Authenticated and that the back office Identity
/// is added as a secondary identity to the current IPrincipal so it can be used to Authorize the previewed document.
/// </remarks>
/// <remarks>
/// By default this will be configured to execute on PipelineStage.PostAuthenticate
/// </remarks>
public static IAppBuilder UseUmbracoPreviewAuthentication(this IAppBuilder app, IUmbracoContextAccessor umbracoContextAccessor, IRuntimeState runtimeState, IGlobalSettings globalSettings, ISecuritySection securitySettings)
{
return(app.UseUmbracoPreviewAuthentication(umbracoContextAccessor, runtimeState, globalSettings, securitySettings, PipelineStage.PostAuthenticate));
}
/// <summary>
/// Ensures that the UmbracoBackOfficeAuthenticationMiddleware is assigned to the pipeline
/// </summary>
/// <param name="app"></param>
/// <param name="umbracoContextAccessor"></param>
/// <param name="runtimeState"></param>
/// <param name="globalSettings"></param>
/// <param name="securitySection"></param>
/// <param name="cookieOptions">Custom auth cookie options can be specified to have more control over the cookie authentication logic</param>
/// <param name="stage">
/// Configurable pipeline stage
/// </param>
/// <returns></returns>
public static IAppBuilder UseUmbracoBackOfficeCookieAuthentication(this IAppBuilder app, IUmbracoContextAccessor umbracoContextAccessor, IRuntimeState runtimeState, IGlobalSettings globalSettings, ISecuritySection securitySection, CookieAuthenticationOptions cookieOptions, PipelineStage stage)
{
if (app == null)
{
throw new ArgumentNullException(nameof(app));
}
if (runtimeState == null)
{
throw new ArgumentNullException(nameof(runtimeState));
}
if (cookieOptions == null)
{
throw new ArgumentNullException(nameof(cookieOptions));
}
if (cookieOptions.Provider == null)
{
throw new ArgumentNullException("cookieOptions.Provider cannot be null.", nameof(cookieOptions));
}
if (cookieOptions.Provider is BackOfficeCookieAuthenticationProvider == false)
{
throw new ArgumentException($"cookieOptions.Provider must be of type {typeof(BackOfficeCookieAuthenticationProvider)}.", nameof(cookieOptions));
}
app.UseUmbracoBackOfficeCookieAuthenticationInternal(cookieOptions, runtimeState, stage);
//don't apply if app is not ready
if (runtimeState.Level != RuntimeLevel.Upgrade && runtimeState.Level != RuntimeLevel.Run)
{
return(app);
}
var cookieAuthOptions = app.CreateUmbracoCookieAuthOptions(
umbracoContextAccessor, globalSettings, runtimeState, securitySection,
//This defines the explicit path read cookies from for this middleware
new[] { $"{globalSettings.Path}/backoffice/UmbracoApi/Authentication/GetRemainingTimeoutSeconds" });
cookieAuthOptions.Provider = cookieOptions.Provider;
//This is a custom middleware, we need to return the user's remaining logged in seconds
app.Use <GetUserSecondsMiddleWare>(
cookieAuthOptions,
Current.Configs.Global(),
Current.Configs.Settings().Security,
app.CreateLogger <GetUserSecondsMiddleWare>());
//This is required so that we can read the auth ticket format outside of this pipeline
app.CreatePerOwinContext <UmbracoAuthTicketDataProtector>(
(options, context) => new UmbracoAuthTicketDataProtector(cookieOptions.TicketDataFormat));
return(app);
}
/// <summary>
/// Ensures that the UmbracoBackOfficeAuthenticationMiddleware is assigned to the pipeline
/// </summary>
/// <param name="app"></param>
/// <param name="umbracoContextAccessor"></param>
/// <param name="runtimeState"></param>
/// <param name="userService"></param>
/// <param name="globalSettings"></param>
/// <param name="securitySection"></param>
/// <param name="stage">
/// Configurable pipeline stage
/// </param>
/// <returns></returns>
public static IAppBuilder UseUmbracoBackOfficeCookieAuthentication(this IAppBuilder app, IUmbracoContextAccessor umbracoContextAccessor, IRuntimeState runtimeState, IUserService userService, IGlobalSettings globalSettings, ISecuritySection securitySection, PipelineStage stage)
{
//Create the default options and provider
var authOptions = app.CreateUmbracoCookieAuthOptions(umbracoContextAccessor, globalSettings, runtimeState, securitySection);
authOptions.Provider = new BackOfficeCookieAuthenticationProvider(userService, runtimeState, globalSettings)
{
// Enables the application to validate the security stamp when the user
// logs in. This is a security feature which is used when you
// change a password or add an external login to your account.
OnValidateIdentity = SecurityStampValidator
.OnValidateIdentity <BackOfficeUserManager, BackOfficeIdentityUser, int>(
TimeSpan.FromMinutes(30),
(manager, user) => manager.GenerateUserIdentityAsync(user),
identity => identity.GetUserId <int>()),
};
return(app.UseUmbracoBackOfficeCookieAuthentication(umbracoContextAccessor, runtimeState, globalSettings, securitySection, authOptions, stage));
}
/// <summary>
/// Ensures that the UmbracoBackOfficeAuthenticationMiddleware is assigned to the pipeline
/// </summary>
/// <param name="app"></param>
/// <param name="umbracoContextAccessor"></param>
/// <param name="runtimeState"></param>
/// <param name="userService"></param>
/// <param name="globalSettings"></param>
/// <param name="securitySection"></param>
/// <returns></returns>
/// <remarks>
/// By default this will be configured to execute on PipelineStage.Authenticate
/// </remarks>
public static IAppBuilder UseUmbracoBackOfficeCookieAuthentication(this IAppBuilder app, IUmbracoContextAccessor umbracoContextAccessor, IRuntimeState runtimeState, IUserService userService, IGlobalSettings globalSettings, ISecuritySection securitySection)
{
return(app.UseUmbracoBackOfficeCookieAuthentication(umbracoContextAccessor, runtimeState, userService, globalSettings, securitySection, PipelineStage.Authenticate));
}
/// <summary>
/// Ensures that the UmbracoBackOfficeAuthenticationMiddleware is assigned to the pipeline
/// </summary>
/// <param name="app"></param>
/// <param name="umbracoContextAccessor"></param>
/// <param name="runtimeState"></param>
/// <param name="userService"></param>
/// <param name="globalSettings"></param>
/// <param name="securitySection"></param>
/// <param name="stage">
/// Configurable pipeline stage
/// </param>
/// <returns></returns>
public static IAppBuilder UseUmbracoBackOfficeCookieAuthentication(this IAppBuilder app, IUmbracoContextAccessor umbracoContextAccessor, IRuntimeState runtimeState, IUserService userService, IGlobalSettings globalSettings, ISecuritySection securitySection, PipelineStage stage)
{
//Create the default options and provider
var authOptions = app.CreateUmbracoCookieAuthOptions(umbracoContextAccessor, globalSettings, runtimeState, securitySection);
authOptions.Provider = new BackOfficeCookieAuthenticationProvider(userService, runtimeState, globalSettings)
{
// Enables the application to validate the security stamp when the user
// logs in. This is a security feature which is used when you
// change a password or add an external login to your account.
OnValidateIdentity = context =>
{
// capture the current ticket for the request
var identity = context.Identity;
return(SecurityStampValidator
.OnValidateIdentity <BackOfficeUserManager, BackOfficeIdentityUser, int>(
// This will re-verify the security stamp at a throttled 30 mins
// (the standard/default set in aspnet identity).
// This ensures that if the security stamp has changed - i.e. passwords,
// external logins, or other security profile data changed behind the
// scenes while being logged in, that they are logged out and have
// to re-verify their identity.
TimeSpan.FromMinutes(30),
async(manager, user) =>
{
var regenerated = await manager.GenerateUserIdentityAsync(user);
// Keep any custom claims from the original identity
regenerated.MergeClaimsFromBackOfficeIdentity(identity);
return regenerated;
},
identity => identity.GetUserId <int>())(context));
}
};
return(app.UseUmbracoBackOfficeCookieAuthentication(umbracoContextAccessor, runtimeState, globalSettings, securitySection, authOptions, stage));
}
