public static void AddAppWebSecurity(this IServiceCollection services, IHostingEnvironment env)
{
//RSAKeyUtils.GenerateKeyAndSave(env.ContentRootPath + "\\App_Data\\RSAkey.txt");
RSAParameters keyParams = RSAKeyUtils.GetKeyParameters(env.ContentRootPath + "\\App_Data\\RSAkey.txt");
var key = new RsaSecurityKey(keyParams);
services.Configure <TokenAuthOptions>(tokenAuthOptions =>
{
tokenAuthOptions.Audience = GetAudience();
tokenAuthOptions.Issuer = GetIssuer();
tokenAuthOptions.SigningCredentials =
new SigningCredentials(key,
SecurityAlgorithms.RsaSha256Signature);
tokenAuthOptions.IssuerSigningKey = key;
});
services.AddAuthorization(auth =>
{
auth.AddPolicy(ApiConstants.ApiPolicy, new AuthorizationPolicyBuilder()
//.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme, CookieAuthenticationDefaults.AuthenticationScheme)
.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
.RequireAuthenticatedUser()
.Build());
})
.AddAuthentication(o =>
{
o.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
o.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
o.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddCookie(options =>
{
options.Cookie.Name = ".BaseApp.Web-Core-AUTH";
options.LoginPath = new PathString("/Account/LogOn/");
options.LogoutPath = new PathString("/Account/LogOff/");
options.AccessDeniedPath = new PathString("/Account/Forbidden/");
})
.AddJwtBearer(options =>
{
options.TokenValidationParameters = new TokenValidationParameters()
{
ValidateIssuerSigningKey = true,
IssuerSigningKey = key,
ValidateIssuer = true,
ValidIssuer = GetIssuer(),
ValidateAudience = true,
ValidAudience = GetAudience(),
ValidateLifetime = true,
// This defines the maximum allowable clock skew - i.e. provides a tolerance on the token expiry time
// when validating the lifetime. As we're creating the tokens locally and validating them on the same
// machines which should have synchronised time, this can be set to zero. Where external tokens are
// used, some leeway here could be useful.
ClockSkew = TimeSpan.FromMinutes(0)
};
options.RequireHttpsMetadata = false;
});
}
private void ConfigAuth(IServiceCollection services)
{
// *** CHANGE THIS FOR PRODUCTION USE ***
// Here, we're generating a random key to sign tokens - obviously this means
// that each time the app is started the key will change, and multiple servers
// all have different keys. This should be changed to load a key from a file
// securely delivered to your application, controlled by configuration.
//
// See the RSAKeyUtils.GetKeyParameters method for an examle of loading from
// a JSON file.
var keyParams = RSAKeyUtils.GetKeyParameters(".config/rsaparams.json");
// Create the key, and a set of token options to record signing credentials
// using that key, along with the other parameters we will need in the
// token controlller.
_signingKey = new RsaSecurityKey(keyParams);
_tokenOptions = new TokenProviderOptions
{
Audience = AppSettings.Auth.TokenAudience,
Issuer = AppSettings.Auth.TokenIssuer,
SigningCredentials = new SigningCredentials(_signingKey, SecurityAlgorithms.RsaSha256Signature),
IdentityResolver = GetIdentity
};
// Save the token options into an instance so they're accessible to the
services.AddSingleton(typeof(TokenProviderOptions), _tokenOptions);
// Enable Dual Authentication
services.AddAuthentication()
.AddCookie(cfg => cfg.SlidingExpiration = true)
.AddJwtBearer(cfg =>
{
cfg.RequireHttpsMetadata = false;
cfg.SaveToken = true;
cfg.TokenValidationParameters = new TokenValidationParameters()
{
ValidIssuer = AppSettings.Auth.TokenIssuer,
ValidAudience = AppSettings.Auth.TokenAudience,
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["Tokens:Key"]))
};
});
//services.AddAuthentication(options =>
//{
// options.DefaultSignInScheme = JwtBearerDefaults.AuthenticationScheme;
//});
// Enable the use of an [Authorize("Bearer")] attribute on methods and classes to protect.
services.AddAuthorization(options =>
{
options.AddPolicy(AuthSchema, policy =>
{
policy.AuthenticationSchemes.Add(AuthSchema);
policy.RequireAuthenticatedUser().Build();
});
});
}