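/// <summary>
/// Registers JWT bearer authentication and the <c>admin</c> authorization policy from the
/// <c>singleSignOn</c> configuration section.
/// </summary>
/// <param name="services">The service collection being configured.</param>
/// <param name="configuration">Root configuration that contains the <c>singleSignOn</c> section.</param>
/// <returns>The same <paramref name="services"/> instance, for chaining.</returns>
/// <exception cref="InvalidOperationException">
/// Thrown when <c>singleSignOn:Authority</c> is missing, so a malformed metadata address fails
/// at startup instead of on the first authenticated request.
/// </exception>
public static IServiceCollection ConfigureSingleSignOn(this IServiceCollection services, IConfiguration configuration)
{
    // Single sign on
    var ssoSection = configuration.GetSection("singleSignOn");

    // Register the options for DI consumers and bind a local copy for use here.
    services.Configure<JwtTokenValidationOptions>(ssoSection);
    var ssoOptions = new JwtTokenValidationOptions();
    ssoSection.Bind(ssoOptions);

    if (string.IsNullOrWhiteSpace(ssoOptions.Authority))
    {
        throw new InvalidOperationException("singleSignOn:Authority must be configured.");
    }

    // ShowPII puts token and claim contents into IdentityModel log messages; it is a
    // config-driven switch here and should stay off outside local debugging.
    IdentityModelEventSource.ShowPII = ssoOptions.ShowPII;

    // Trim a trailing slash so a configured "https://idp/" does not produce "//.well-known".
    var authority = ssoOptions.Authority.TrimEnd('/');

    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>
    {
        options.MetadataAddress = $"{authority}/.well-known/openid-configuration";
        options.Audience = ssoOptions.Audience;
        options.RequireHttpsMetadata = ssoOptions.RequireHttpsMetadata;
        options.SaveToken = ssoOptions.SaveToken;
        // Library defaults only; the bearer handler is expected to layer Audience and the
        // discovered issuer/signing keys on top of these (confirm against the handler version in use).
        options.TokenValidationParameters = new TokenValidationParameters();
    });

    services.AddAuthorization(options =>
    {
        options.AddPolicy("admin", builder => builder.RequireClaim("user-roles", new[] { "administrator" }));
        // TODO: add custom claim for resource-access
    });

    return services;
}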
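/// <summary>
/// Adds JWT validation middleware to the OWIN pipeline. When
/// <see cref="JwtTokenValidationOptions.Authority"/> is set, the issuer and signing certificate
/// are taken from that authority's discovery document; otherwise the statically configured
/// issuer name and signing certificate are used.
/// </summary>
/// <param name="app">The OWIN application builder.</param>
/// <param name="options">Validation settings; only <c>Authority</c> decides which path is taken.</param>
/// <returns>The configured <paramref name="app"/>.</returns>
/// <exception cref="ArgumentNullException">
/// Thrown when <paramref name="app"/> or <paramref name="options"/> is <c>null</c>.
/// </exception>
public static IAppBuilder UseIdentitiyServerJwt(this IAppBuilder app, JwtTokenValidationOptions options)
{
    // NOTE: the method name keeps its existing misspelling ("Identitiy") so callers keep compiling.
    if (app is null)
    {
        throw new ArgumentNullException(nameof(app));
    }

    if (options is null)
    {
        throw new ArgumentNullException(nameof(options));
    }

    // A configured authority wins: discovery supplies the issuer and the currently
    // published signing certificate instead of a value pinned in configuration.
    return string.IsNullOrWhiteSpace(options.Authority)
        ? app.ConfigureMiddleware(options.IssuerName, options.SigningCertificate, options.AuthenticationType)
        : app.UseDiscovery(options);
}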
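/// <summary>
/// Resolves the issuer and a signing certificate from the authority's OpenID Connect discovery
/// document and passes them to <c>ConfigureMiddleware</c>.
/// </summary>
/// <param name="app">The OWIN application builder.</param>
/// <param name="options">Settings whose <c>Authority</c> is the issuer base URL.</param>
/// <returns>The configured <paramref name="app"/>.</returns>
/// <exception cref="InvalidOperationException">
/// Thrown when <c>RequireHttpsMetadata</c> is set but the discovery address is not HTTPS, or when
/// the discovery document publishes no signing key carrying an <c>x5c</c> certificate.
/// </exception>
private static IAppBuilder UseDiscovery(this IAppBuilder app, JwtTokenValidationOptions options)
{
    var authority = options.Authority;
    if (!authority.EndsWith("/", StringComparison.Ordinal))
    {
        authority += "/";
    }

    var metadataAddress = authority + ".well-known/openid-configuration";

    // Apply the same HTTPS requirement the JwtBearer path applies: a plain-HTTP discovery
    // document would let anyone on the network path substitute the issuer and signing certificate.
    if (options.RequireHttpsMetadata && !metadataAddress.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
    {
        throw new InvalidOperationException($"Discovery address '{metadataAddress}' must use HTTPS when RequireHttpsMetadata is set.");
    }

    var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(metadataAddress);

    // Pipeline setup is synchronous, so blocking here is unavoidable; GetAwaiter().GetResult()
    // surfaces the original exception rather than an AggregateException wrapper.
    var discovered = configurationManager.GetConfigurationAsync().GetAwaiter().GetResult();

    // Only a key with an x5c chain can become the X509Certificate2 that ConfigureMiddleware
    // expects, and a key advertised for encryption can never validate a signature. Keys without a
    // "use" value are accepted because that field is optional. Only one certificate is selected,
    // so a JWKS that rotates across several concurrent signing keys is not fully covered here.
    var signingKey = discovered.JsonWebKeySet?.Keys
        .FirstOrDefault(k => k.X5c?.Count > 0 && (string.IsNullOrEmpty(k.Use) || k.Use == "sig"));

    if (signingKey is null)
    {
        throw new InvalidOperationException($"No signing key with an x5c certificate was found in the discovery document at '{metadataAddress}'.");
    }

    // The first x5c entry is the certificate itself (base64 DER); any further entries are its chain.
    var certificate = new X509Certificate2(Convert.FromBase64String(signingKey.X5c[0]));
    return app.ConfigureMiddleware(discovered.Issuer, certificate, options.AuthenticationType);
}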