public override async ValueTask <ClaimsPrincipal> CreateUserAsync(
RemoteUserAccount account, RemoteAuthenticationUserOptions options)
{
var user = await base.CreateUserAsync(account, options);
if (user.Identity.IsAuthenticated)
{
var identity = (ClaimsIdentity)user.Identity;
var roleClaims = identity.FindAll(identity.RoleClaimType);
if (roleClaims != null && roleClaims.Any())
{
foreach (var existingClaim in roleClaims)
{
identity.RemoveClaim(existingClaim);
}
var rolesElem = account.AdditionalProperties[identity.RoleClaimType];
if (rolesElem is JsonElement roles)
{
if (roles.ValueKind == JsonValueKind.Array)
{
foreach (var role in roles.EnumerateArray())
{
identity.AddClaim(new Claim(options.RoleClaim, role.GetString()));
}
}
else
{
identity.AddClaim(new Claim(options.RoleClaim, roles.GetString()));
}
}
}
}
return(user);
}
public async override ValueTask <ClaimsPrincipal> CreateUserAsync(CustomRemoteUserAccount account,
RemoteAuthenticationUserOptions options)
{
var userClaimsPrincipal = await base.CreateUserAsync(account, options);
if (userClaimsPrincipal.Identity.IsAuthenticated)
{
ClaimsIdentity claimsIdentity = userClaimsPrincipal.Identity as ClaimsIdentity;
_ = claimsIdentity.Claims.GetAzureAdB2CUserObjectId();
var httpClient = this.HttpClientService.CreateAuthorizedClient();
var userRoles = await UserClientService.GetMyRolesAsync();
if (userRoles != null)
{
foreach (var singleRole in userRoles)
{
claimsIdentity.AddClaim(new Claim("Role", singleRole));
}
}
var subscriptionPlan = await UserClientService.GetMySubscriptionAsync();
if (subscriptionPlan != null)
{
claimsIdentity.AddClaim(new Claim("Subscription", subscriptionPlan.Name));
}
var userStatus = await httpClient.GetStringAsync(Constants.ApiRoutes.UserController.GetMyUserStatus);
if (!string.IsNullOrWhiteSpace(userStatus))
{
claimsIdentity.AddClaim(new Claim("UserStatus", userStatus));
}
}
return(userClaimsPrincipal);
}
// </ConstructorSnippet>
public async override ValueTask <ClaimsPrincipal> CreateUserAsync(
RemoteUserAccount account,
RemoteAuthenticationUserOptions options)
{
// Create the base user
var initialUser = await base.CreateUserAsync(account, options);
// If authenticated, we can call Microsoft Graph
if (initialUser.Identity.IsAuthenticated)
{
try
{
// Add additional info from Graph to the identity
await AddGraphInfoToClaims(accessor, initialUser);
}
catch (AccessTokenNotAvailableException exception)
{
logger.LogError($"Graph API access token failure: {exception.Message}");
}
catch (ServiceException exception)
{
logger.LogError($"Graph API error: {exception.Message}");
logger.LogError($"Response body: {exception.RawResponseBody}");
}
}
return(initialUser);
}
public async override ValueTask <ClaimsPrincipal> CreateUserAsync(
RemoteUserAccount account,
RemoteAuthenticationUserOptions options)
{
var initialUser = await base.CreateUserAsync(account, options);
if (initialUser.Identity.IsAuthenticated)
{
var userIdentity = (ClaimsIdentity)initialUser.Identity;
try
{
var graphClient = ActivatorUtilities
.CreateInstance <GraphServiceClient>(serviceProvider);
var request = graphClient.Me.Request();
var user = await request.GetAsync();
if (user != null)
{
userIdentity.AddClaim(new Claim("mobilephone",
user.MobilePhone));
}
}
catch (ServiceException exception)
{
logger.LogError("Graph API service failure: {Message}",
exception.Message);
}
}
return(initialUser);
}
public override async ValueTask <ClaimsPrincipal> CreateUserAsync(
RemoteUserAccount account,
RemoteAuthenticationUserOptions options)
{
var initialUser = await base.CreateUserAsync(account, options).ConfigureAwait(true);
var token = await TokenProvider.RequestAccessToken().ConfigureAwait(true);
var tokenStatus = token.Status;
if (initialUser.Identity is not ClaimsIdentity userIdentity ||
tokenStatus != AccessTokenResultStatus.Success ||
!userIdentity.IsAuthenticated)
{
return(initialUser);
}
_logger.LogInformation("Connecting logged in user");
userIdentity.AddRolesFromExtensionClaim();
try
{
var client = _clientFactory.CreateClient("NRZMyk.ServerAPI");
var response = await client.GetAsync("api/user/connect").ConfigureAwait(true);
if (response.IsSuccessStatusCode)
{
var connectedAccount =
await response.Content.ReadFromJsonAsync <ConnectedAccount>().ConfigureAwait(true);
if (connectedAccount != null)
{
_logger.LogInformation("Connect success, {displayName}, IsGuest={isGuest}", connectedAccount.Account.DisplayName, connectedAccount.IsGuest);
if (!connectedAccount.IsGuest && !userIdentity.HasClaim(ClaimTypes.Role, nameof(Role.User)))
{
userIdentity.AddClaim(new Claim(ClaimTypes.Role, nameof(Role.User)));
userIdentity.RemoveClaim(userIdentity.Claims.FirstOrDefault(c =>
c.Type == ClaimTypes.Role && c.Value == nameof(Role.Guest)));
}
}
else
{
_logger.LogError("Failed to connect account as it deserialized as 'null'");
}
}
else
{
_logger.LogError("Connect API request failed with status code: " + response.StatusCode);
}
}
catch (Exception exception)
{
_logger.LogError(exception, "Connect API request failed: " + exception.Message);
}
return(initialUser);
}
public override async ValueTask <ClaimsPrincipal> CreateUserAsync(
RemoteUserAccount account,
RemoteAuthenticationUserOptions options)
{
var user = await base.CreateUserAsync(account, options);
var claimsIdentity = (ClaimsIdentity)user.Identity;
if (account != null)
{
MapArrayClaimsToMultipleSeparateClaims(account, claimsIdentity);
}
return(user);
}
public async override ValueTask <ClaimsPrincipal> CreateUserAsync(CustomRemoteUserAccount account,
RemoteAuthenticationUserOptions options)
{
var userClaimsPrincipal = await base.CreateUserAsync(account, options);
if (userClaimsPrincipal.Identity.IsAuthenticated)
{
ClaimsIdentity claimsIdentity = userClaimsPrincipal.Identity as ClaimsIdentity;
var userObjectId = claimsIdentity.Claims.GetAzureAdB2CUserObjectId();
var httpClient = this.HttpClientService.CreateAuthorizedClient();
var userRole = await httpClient.GetStringAsync($"api/User/GetUserRole?userAdB2CObjectId={userObjectId}");
claimsIdentity.AddClaim(new Claim("Role", userRole));
}
return(userClaimsPrincipal);
}
public async Task WhenAccessTokenRequiresRedirect_UserDoesNotHaveAnyRole()
{
var remoteAccount = new RemoteUserAccount
{
AdditionalProperties = new Dictionary <string, object>()
};
var accessToken = new AccessTokenResult(AccessTokenResultStatus.RequiresRedirect, new AccessToken(), "");
var options = new RemoteAuthenticationUserOptions {
AuthenticationType = "Basic"
};
var sut = CreateSut(out var tokenProvider, out _, out _);
tokenProvider.TokenProvider.RequestAccessToken().Returns(accessToken);
var claims = await sut.CreateUserAsync(remoteAccount, options).ConfigureAwait(true);
claims.IsInRole(Role.Guest.ToString()).Should().BeFalse();
claims.IsInRole(Role.User.ToString()).Should().BeFalse();
}
public async Task WhenGetConnectReturnsAccountButDeserializationFails_UserIsTreatedAsGuest()
{
var remoteAccount = new RemoteUserAccount
{
AdditionalProperties = new Dictionary <string, object>()
};
var accessToken = new AccessTokenResult(AccessTokenResultStatus.Success, new AccessToken(), "");
var options = new RemoteAuthenticationUserOptions {
AuthenticationType = "Basic"
};
var sut = CreateSut(out var tokenProvider, out var mockHttp, out var logger);
tokenProvider.TokenProvider.RequestAccessToken().Returns(accessToken);
mockHttp.When(HttpMethod.Get, "http://localhost/api/user/connect").Respond("application/json", "{ baz }");
var claims = await sut.CreateUserAsync(remoteAccount, options).ConfigureAwait(true);
claims.IsInRole(Role.Guest.ToString()).Should().BeTrue();
claims.IsInRole(Role.User.ToString()).Should().BeFalse();
}
public async Task WhenGetConnectFails_UserIsTreatedAsGuest()
{
var remoteAccount = new RemoteUserAccount
{
AdditionalProperties = new Dictionary <string, object>()
};
var accessToken = new AccessTokenResult(AccessTokenResultStatus.Success, new AccessToken(), "");
var options = new RemoteAuthenticationUserOptions {
AuthenticationType = "Basic"
};
var sut = CreateSut(out var tokenProvider, out _, out var logger);
tokenProvider.TokenProvider.RequestAccessToken().Returns(accessToken);
var claims = await sut.CreateUserAsync(remoteAccount, options).ConfigureAwait(true);
claims.IsInRole(Role.Guest.ToString()).Should().BeTrue();
claims.IsInRole(Role.User.ToString()).Should().BeFalse();
logger.Received(1).LogError(Arg.Any <Exception>(), "Connect API request failed with status code: NotFound");
}
public async override ValueTask <ClaimsPrincipal> CreateUserAsync(
RemoteUserAccount account,
RemoteAuthenticationUserOptions options)
{
var user = await base.CreateUserAsync(account, options);
if (user.Identity.IsAuthenticated)
{
var identity = (ClaimsIdentity)user.Identity;
// delete all the role claims
var roleClaims = identity.FindAll(identity.RoleClaimType).ToArray();
if (roleClaims != null && roleClaims.Any())
{
foreach (var existingClaim in roleClaims)
{
identity.RemoveClaim(existingClaim);
}
// load the claim (role: "Admin" or role: [ "User, "Admin,..] an array )
// (set in Programs.cs: options.UserOptions.RoleClaim = "role";)
var rolesElem = account.AdditionalProperties[identity.RoleClaimType];
if (rolesElem is JsonElement roles)
{
if (roles.ValueKind == JsonValueKind.Array)
{
// loop the role array
foreach (var role in roles.EnumerateArray())
{
//add the role as claim type: ClaimsType.Role
identity.AddClaim(new Claim(options.RoleClaim, role.GetString()));
}
}
else //is not an array, load it directly
{
identity.AddClaim(new Claim(options.RoleClaim, roles.GetString()));
}
}
}
}
return(user);
}
public override async ValueTask <ClaimsPrincipal> CreateUserAsync(
RemoteUserAccount account,
RemoteAuthenticationUserOptions options)
{
var user = await base.CreateUserAsync(account, options);
if (user.Identity.IsAuthenticated)
{
var identity = (ClaimsIdentity)user.Identity;
var rolesClaim = identity.Claims.Single(c => c.Type == "roles").Value;
var roles = JsonSerializer.Deserialize <string[]>(rolesClaim);
foreach (var role in roles)
{
identity.AddClaim(new Claim(ClaimTypes.Role, role));
}
}
return(user);
}
public override async ValueTask <ClaimsPrincipal> CreateUserAsync(
CpkAccount account,
RemoteAuthenticationUserOptions options)
{
var initialUser = await base.CreateUserAsync(account, options);
if (initialUser.Identity.IsAuthenticated)
{
foreach (var value in account.AuthenticationMethod)
{
((ClaimsIdentity)initialUser.Identity).AddClaim(new Claim("amr", value));
}
foreach (var value in account.Roles.Split(',', StringSplitOptions.RemoveEmptyEntries))
{
((ClaimsIdentity)initialUser.Identity).AddClaim(new Claim("client_role", value));
}
}
return(initialUser);
}
public override async ValueTask <ClaimsPrincipal> CreateUserAsync(
OidcAccount account,
RemoteAuthenticationUserOptions options)
{
var initialUser = await base.CreateUserAsync(account, options);
if (initialUser.Identity.IsAuthenticated)
{
foreach (var value in account.AuthenticationMethod)
{
((ClaimsIdentity)initialUser.Identity).AddClaim(new Claim("amr", value));
}
var tokenResponse = await TokenProvider.RequestAccessToken();
if (tokenResponse.TryGetToken(out var token))
{
var request = new HttpRequestMessage(HttpMethod.Get, "Preferences/HasCompletedAdditionalInformation");
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.Value);
var response = await _httpClient.SendAsync(request);
if (response.StatusCode != HttpStatusCode.OK)
{
throw new InvalidOperationException("Error accessing additional user info.");
}
var hasInfo = JsonSerializer.Deserialize <bool>(await response.Content.ReadAsStringAsync());
if (!hasInfo)
{
// The actual pattern would be to cache this info to avoid constant queries to the server per auth update.
// (By default once every minute)
((ClaimsIdentity)initialUser.Identity).AddClaim(new Claim("NewUser", "true"));
}
}
}
return(initialUser);
}
public async override ValueTask <ClaimsPrincipal> CreateUserAsync(
AuthZUserAccount account, RemoteAuthenticationUserOptions options)
{
var initialUser = await base.CreateUserAsync(account, options);
if (initialUser.Identity.IsAuthenticated)
{
foreach (var value in account.Roles)
{
((ClaimsIdentity)initialUser.Identity)
.AddClaim(new Claim("roles", value));
}
foreach (var value in account.Groups)
{
((ClaimsIdentity)initialUser.Identity)
.AddClaim(new Claim("groups", value));
}
}
return(initialUser);
}
public async override ValueTask <ClaimsPrincipal> CreateUserAsync(
CustomUserAccount account,
RemoteAuthenticationUserOptions options)
{
var initialUser = await base.CreateUserAsync(account, options);
if (initialUser.Identity is null)
{
throw new NullReferenceException();
}
if (initialUser.Identity.IsAuthenticated)
{
var userIdentity = (ClaimsIdentity)initialUser.Identity;
foreach (var role in account.Roles)
{
userIdentity.AddClaim(new Claim("role", role));
}
}
return(initialUser);
}
public async override ValueTask <ClaimsPrincipal> CreateUserAsync(
CustomUserAccount account,
RemoteAuthenticationUserOptions options)
{
var initialUser = await base.CreateUserAsync(account, options);
if (initialUser.Identity.IsAuthenticated)
{
var userIdentity = (ClaimsIdentity)initialUser.Identity;
foreach (var role in account.Roles)
{
userIdentity.AddClaim(new Claim("role", role));
}
//if (userIdentity.HasClaim(c => c.Type == "hasgroups"))
//{
// try
// {
// var client = _clientFactory.CreateClient("GraphAPI");
// var response = await client.GetAsync("v1.0/me/memberOf");
// if (response.IsSuccessStatusCode)
// {
// var userObjects = await response.Content
// .ReadFromJsonAsync<DirectoryObjects>();
// foreach (var obj in userObjects?.Values)
// {
// userIdentity.AddClaim(new Claim("group", obj.Id));
// }
// var claim = userIdentity.Claims.FirstOrDefault(
// c => c.Type == "hasgroups");
// userIdentity.RemoveClaim(claim);
// }
// else
// {
// _logger.LogError("Graph API request failure: {REASON}",
// response.ReasonPhrase);
// }
// }
// catch (AccessTokenNotAvailableException exception)
// {
// _logger.LogError("Graph API access token failure: {MESSAGE}",
// exception.Message);
// }
//}
//else
//{
// foreach (var group in account.Groups)
// {
// userIdentity.AddClaim(new Claim("group", group));
// }
//}
}
return(initialUser);
}
public override async ValueTask <ClaimsPrincipal> CreateUserAsync(RemoteUserAccount account, RemoteAuthenticationUserOptions options)
{
var user = await base.CreateUserAsync(account, options);
if (user.Identity.IsAuthenticated)
{
var identity = user.Identity as ClaimsIdentity;
_logger.LogInformation($"User connected {identity.Name}");
foreach (var claim in user.Claims.ToArray())
{
var value = claim.Value;
if (value.StartsWith("["))
{
var values = JsonSerializer.Deserialize <IEnumerable <string> >(value);
var type = claim.Type;
foreach (var item in values)
{
_logger.LogDebug($"Add {type} claim {item}");
identity.AddClaim(new Claim(type, item));
}
identity.RemoveClaim(claim);
}
}
}
return(user);
}
public override async ValueTask <ClaimsPrincipal> CreateUserAsync(RemoteUserAccount account, RemoteAuthenticationUserOptions options)
{
Console.WriteLine("Entered Create User Async");
var localDoZenStore = services.GetRequiredService <LocalDoZenStore>();
var result = await base.CreateUserAsync(account, options);
if (result.Identity.IsAuthenticated)
{
Console.WriteLine("Entered Create User Async: Is Authenticated");
await localDoZenStore.SaveUserAccountAsync(result);
}
else
{
Console.WriteLine("Entered Create User Async: Else");
result = await localDoZenStore.LoadUserAccountAsync();
}
Console.WriteLine("Entered Create User Async: Returning Result");
return(result);
}
public override async ValueTask <ClaimsPrincipal> CreateUserAsync(RemoteUserAccount account, RemoteAuthenticationUserOptions options)
{
ClaimsPrincipal result = await base.CreateUserAsync(account, options);
if (result.Identity.IsAuthenticated)
{
await _userService.SetAsync(result);
}
else if (!_networkService.IsOnline)
{
return(await _userService.GetAsync());
}
return(result);
}
public async override ValueTask <ClaimsPrincipal> CreateUserAsync(RemoteUserAccount account, RemoteAuthenticationUserOptions options)
{
var initialUser = await base.CreateUserAsync(account, options);
if (initialUser?.Identity?.IsAuthenticated ?? false)
{
var userIdentity = (ClaimsIdentity)initialUser.Identity;
account.AdditionalProperties.TryGetValue(ClaimTypes.Role, out var roleClaimValue);
if (roleClaimValue is not null && roleClaimValue is JsonElement element && element.ValueKind == JsonValueKind.Array)
{
userIdentity.RemoveClaim(userIdentity.FindFirst(ClaimTypes.Role));
var claims = element.EnumerateArray()
.Select(x => new Claim(ClaimTypes.Role, x.ToString()));
userIdentity.AddClaims(claims);
}
}
return(initialUser ?? new ClaimsPrincipal());
}
public async override ValueTask <ClaimsPrincipal> CreateUserAsync(TAccount account, RemoteAuthenticationUserOptions options)
{
ClaimsPrincipal user = await base.CreateUserAsync(account, options);
if (account != null)
{
ClaimsIdentity?claimsIdentity = (ClaimsIdentity?)user.Identity;
if (claimsIdentity != null)
{
foreach (KeyValuePair <string, object> kvp in account.AdditionalProperties)
{
if (kvp.Value is JsonElement element && element.ValueKind == JsonValueKind.Array)
{
claimsIdentity.RemoveClaim(claimsIdentity.FindFirst(kvp.Key));
IEnumerable <Claim> claims = element
.EnumerateArray()
.Select(e => e.ToString())
.Where(v => !string.IsNullOrWhiteSpace(v))
.Select(v => new Claim(kvp.Key, v !))
.ToList();
claimsIdentity.AddClaims(claims);
}
}
}
}
return(user);
}
public override async ValueTask <ClaimsPrincipal> CreateUserAsync(RemoteUserAccount account, RemoteAuthenticationUserOptions options)
{
var user = await base.CreateUserAsync(account, options);
if (user.Identity?.IsAuthenticated == true)
{
var identity = (ClaimsIdentity)user.Identity;
foreach (var claim in identity.Claims.ToList())
{
if (account.AdditionalProperties.TryGetValue(claim.Type, out var claimObj) && claimObj is JsonElement jsonElement && jsonElement.ValueKind == JsonValueKind.Array)
{
identity.RemoveClaim(claim);
foreach (var arrayElement in jsonElement.EnumerateArray())
{
identity.AddClaim(new Claim(claim.Type, arrayElement.GetString() ?? string.Empty));
}
}
}
}
return(user);
}
public override async ValueTask <ClaimsPrincipal> CreateUserAsync(RemoteUserAccount account, RemoteAuthenticationUserOptions options)
{
var localVehiclesStore = services.GetRequiredService <LocalVehiclesStore>();
var result = await base.CreateUserAsync(account, options);
if (result.Identity.IsAuthenticated)
{
await localVehiclesStore.SaveUserAccountAsync(result);
}
else
{
result = await localVehiclesStore.LoadUserAccountAsync();
}
return(result);
}
public async override ValueTask <ClaimsPrincipal> CreateUserAsync(CustomUserAccount account, RemoteAuthenticationUserOptions options)
{
var initialUser = await base.CreateUserAsync(account, options);
if (initialUser.Identity.IsAuthenticated)
{
((ClaimsIdentity)initialUser.Identity).AddClaim(new Claim("picture", account.ProfilePicture));
}
return(initialUser);
}
// when a user belongs to multiple roles, IS4 returns a single claim with a serialised array of values
// this class improves the original factory by deserializing the claims in the correct way
public async override ValueTask <ClaimsPrincipal> CreateUserAsync(TAccount account, RemoteAuthenticationUserOptions options)
{
var user = await base.CreateUserAsync(account, options);
var claimsIdentity = (ClaimsIdentity)user.Identity;
if (account != null)
{
foreach (var kvp in account.AdditionalProperties)
{
var name = kvp.Key;
var value = kvp.Value;
if (value != null &&
(value is JsonElement element && element.ValueKind == JsonValueKind.Array))
{
claimsIdentity.RemoveClaim(claimsIdentity.FindFirst(kvp.Key));
var claims = element.EnumerateArray()
.Select(x => new Claim(kvp.Key, x.ToString()));
claimsIdentity.AddClaims(claims);
}
}
}
return(user);
}
/// <inheritdoc/>
public async override ValueTask <ClaimsPrincipal> CreateUserAsync(AzureAdRemoteUserAccount account, RemoteAuthenticationUserOptions options)
{
var initialUser = await base.CreateUserAsync(account, options);
if (initialUser.Identity.IsAuthenticated)
{
var userIdentity = initialUser.Identity as ClaimsIdentity;
if (userIdentity == null)
{
return(initialUser);
}
foreach (var role in account.Roles)
{
userIdentity.AddClaim(new Claim("appRole", role));
}
foreach (var wid in account.Wids)
{
userIdentity.AddClaim(new Claim("directoryRole", wid));
}
}
return(initialUser);
}
public async override ValueTask <ClaimsPrincipal> CreateUserAsync(CustomUserAccount account, RemoteAuthenticationUserOptions options)
{
var initial = await base.CreateUserAsync(account, options);
if (initial.Identity.IsAuthenticated)
{
foreach (var value in account.AuthenticationMethod)
{
((ClaimsIdentity)initial.Identity).AddClaim(new Claim("amr", value));
}
}
return(initial);
}
