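/// <summary>
/// Registers JWT bearer authentication and the <c>admin</c> authorization policy from the
/// <c>singleSignOn</c> configuration section.
/// </summary>
/// <param name="services">The service collection to register into.</param>
/// <param name="configuration">Application configuration holding a <c>singleSignOn</c> section.</param>
/// <returns>The same <paramref name="services"/> instance, for chaining.</returns>
public static IServiceCollection ConfigureSingleSignOn(this IServiceCollection services, IConfiguration configuration)
        {
            // Read the section once: it is registered as IOptions<JwtTokenValidationOptions> and
            // also bound eagerly, because the JwtBearer callback below needs the values now.
            var ssoSection = configuration.GetSection("singleSignOn");
            services.Configure<JwtTokenValidationOptions>(ssoSection);

            var ssoOptions = new JwtTokenValidationOptions();
            ssoSection.Bind(ssoOptions);

            // ShowPII puts token contents and key material into IdentityModel log output.
            // It is a diagnostics switch; keep it off outside local troubleshooting.
            IdentityModelEventSource.ShowPII = ssoOptions.ShowPII;

            // Drop a trailing slash so the metadata URL has a single separator; UseDiscovery
            // applies the equivalent normalisation for the OWIN pipeline.
            var authority = ssoOptions.Authority?.TrimEnd('/');

            services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>
            {
                options.MetadataAddress      = $"{authority}/.well-known/openid-configuration";
                options.Audience             = ssoOptions.Audience;
                // RequireHttpsMetadata = false permits a plaintext discovery endpoint; only
                // acceptable for local development.
                options.RequireHttpsMetadata = ssoOptions.RequireHttpsMetadata;
                options.SaveToken            = ssoOptions.SaveToken;
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // These match the library defaults; they are pinned explicitly so a later
                    // edit cannot silently disable issuer, audience or lifetime validation.
                    ValidateIssuer   = true,
                    ValidateAudience = true,
                    ValidateLifetime = true,
                };
            });

            services.AddAuthorization(options =>
            {
                // "admin" requires the user-roles claim to carry the administrator value.
                options.AddPolicy("admin", builder => builder.RequireClaim("user-roles", new[] { "administrator" }));
                // TODO: add custom claim for resource-access
            });

            return services;
        }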
 /// <summary>
 /// Wires JWT validation into the OWIN pipeline: through OpenID Connect discovery when an
 /// <c>Authority</c> is configured, otherwise from the statically configured issuer name
 /// and signing certificate.
 /// </summary>
 /// <param name="app">The OWIN application builder.</param>
 /// <param name="options">Validation options; <c>Authority</c> selects the discovery path.</param>
 /// <returns>The builder returned by the selected configuration step.</returns>
 public static IAppBuilder UseIdentitiyServerJwt(this IAppBuilder app, JwtTokenValidationOptions options)
 {
     var discoveryConfigured = !string.IsNullOrWhiteSpace(options.Authority);

     return discoveryConfigured
         ? app.UseDiscovery(options)
         : app.ConfigureMiddleware(options.IssuerName, options.SigningCertificate, options.AuthenticationType);
 }
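        /// <summary>
        /// Fetches the OpenID Connect discovery document for <c>options.Authority</c> and
        /// configures the JWT middleware with the issuer and signing certificate it advertises.
        /// </summary>
        /// <param name="app">The OWIN application builder.</param>
        /// <param name="options">Options whose <c>Authority</c> is set (callers check this first).</param>
        /// <returns>The builder returned by <c>ConfigureMiddleware</c>.</returns>
        /// <exception cref="InvalidOperationException">
        /// The discovery document exposes no signing key carrying an <c>x5c</c> certificate.
        /// </exception>
        private static IAppBuilder UseDiscovery(this IAppBuilder app, JwtTokenValidationOptions options)
        {
            var authority = options.Authority;

            if (!authority.EndsWith("/", StringComparison.Ordinal))
            {
                authority += "/";
            }

            authority += ".well-known/openid-configuration";
            var configuration = new ConfigurationManager<OpenIdConnectConfiguration>(authority);

            // OWIN startup is synchronous, so the async fetch is blocked on here;
            // GetAwaiter().GetResult() surfaces the real exception rather than an AggregateException.
            var result = configuration.GetConfigurationAsync().GetAwaiter().GetResult();

            // The first key in the set is not guaranteed to carry a certificate chain, so pick
            // the first one that does instead of dereferencing Keys.First().X5c blindly.
            var signingKey = result.JsonWebKeySet.Keys.FirstOrDefault(k => k.X5c != null && k.X5c.Count > 0);
            if (signingKey == null)
            {
                throw new InvalidOperationException($"No signing key with an x5c certificate was found in the discovery document at '{authority}'.");
            }

            // NOTE(review): the certificate is captured once at startup, so a key rotation at the
            // authority needs an application restart. Nothing here validates the chain against a
            // local trust store; whether ConfigureMiddleware does is not visible from this method.
            var x5c = signingKey.X5c.First();

            return app.ConfigureMiddleware(result.Issuer, new X509Certificate2(Convert.FromBase64String(x5c)), options.AuthenticationType);
        }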