예제 #1
0
            public void Configure(string name, OpenIdConnectOptions options)
            {
                options.ClientId             = azureOptions.ClientId;
                options.Authority            = $"{azureOptions.Instance}{azureOptions.TenantId}/v2.0";
                options.UseTokenLifetime     = true;
                options.CallbackPath         = azureOptions.CallbackPath;
                options.RequireHttpsMetadata = env.IsProduction();
                options.TokenValidationParameters.NameClaimType = "preferred_username";
                options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
                options.Prompt       = "select_account";

                options.Scope.Add("openid");
                options.Scope.Add("profile");
                options.Scope.Add("email");
                options.Scope.Add("offline_access");
                // sometimes need admin approval: options.Scope.Add("user.read");

                if (azureOptions.DefaultScopes != null && azureOptions.DefaultScopes.Length > 0)
                {
                    foreach (var scope in azureOptions.DefaultScopes)
                    {
                        options.Scope.Add(scope);
                    }
                }

                if (azureOptions.ValidIssuers != null && azureOptions.ValidIssuers.Length > 0)
                {
                    options.TokenValidationParameters.ValidIssuers = azureOptions.ValidIssuers;
                }

                options.Events = new OpenIdConnectEvents
                {
                    OnUserInformationReceived = context =>
                    {
                        return(Task.CompletedTask);
                    },
                    OnTicketReceived = context =>
                    {
                        // If your authentication logic is based on users then add your logic here
                        return(Task.CompletedTask);
                    },
                    OnAuthenticationFailed = context =>
                    {
                        logger.LogError("OnAuthenticationFailed", context.Exception);
                        context.Response.Redirect("/Home/Error");
                        context.HandleResponse(); // Suppress the exception
                        return(Task.CompletedTask);
                    },
                    OnRedirectToIdentityProviderForSignOut = context =>
                    {
                        System.Security.Claims.ClaimsPrincipal user = context.HttpContext.User;

                        context.ProtocolMessage.LoginHint  = user.GetLoginHint();
                        context.ProtocolMessage.DomainHint = user.GetDomainHint();

                        tokenService.RemoveAccount(user);
                        return(Task.FromResult(true));
                    },
                    OnRedirectToIdentityProvider = context =>
                    {
                        System.Collections.Generic.IDictionary <string, object> properties =
                            context.Properties.Parameters;
                        if (properties.ContainsKey("scopes"))
                        {
                            var scopes = properties["scopes"] as string[];
                            if (scopes.Length > 0)
                            {
                                var encoded = string.Join(" ", scopes);
                                context.ProtocolMessage.Scope = context.ProtocolMessage.Scope + " " + encoded;
                            }
                        }

                        return(Task.CompletedTask);
                    },
                    OnAuthorizationCodeReceived = async(context) =>
                    {
                        // As AcquireTokenByAuthorizationCode is asynchronous we want to tell ASP.NET core
                        // that we are handing the code even if it's not done yet, so that it does
                        // not concurrently call the Token endpoint.
                        context.HandleCodeRedemption();

                        var code = context.ProtocolMessage.Code;

                        Microsoft.Identity.Client.AuthenticationResult result =
                            await tokenService.GetAccessTokenByAuthorizationCodeAsync(context.Principal, code);

                        // Do not share the access token with ASP.NET Core otherwise ASP.NET will cache it
                        // and will not send the OAuth 2.0 request in case a further call to
                        // AcquireTokenByAuthorizationCode in the future for incremental consent
                        // (getting a code requesting more scopes)
                        // Share the ID Token so that the identity of the user is known in the application (in
                        // HttpContext.User)
                        context.HandleCodeRedemption(null, result.IdToken);
                    }
                };
            }
            public void Configure(string name, OpenIdConnectOptions options)
            {
                // Set the application id
                options.ClientId = _azureOptions.ClientId;

                // the authority {Instance}/{Tenant}/v2.0
                // ASP.NET uses v1.0 by default
                options.Authority        = $"{_azureOptions.Instance}{_azureOptions.TenantId}/v2.0";
                options.UseTokenLifetime = true;
                // the redirect Uri: constructed from host:port/signin-oidc
                options.CallbackPath = _azureOptions.CallbackPath;
                // we are in development environment, don't do this in production
                options.RequireHttpsMetadata = false;
                // set name of user name claim
                options.TokenValidationParameters.NameClaimType = "preferred_username";
                // We ask ASP.NET to request a Code and an Id Token
                options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
                //options.Scope.Add("https://graph.microsoft.com/User.Read");
                //options.Scope.Add("https://graph.microsoft.com/Mail.ReadWrite");
                //options.Scope.Add("https://graph.microsoft.com/Tasks.ReadWrite.Shared");
                options.Scope.Add("offline_access");

                options.Events = new OpenIdConnectEvents
                {
                    OnTicketReceived = context =>
                    {
                        // If your authentication logic is based on users then add your logic here
                        return(Task.CompletedTask);
                    },
                    OnAuthenticationFailed = context =>
                    {
                        context.Response.Redirect("/Home/Error");
                        context.HandleResponse(); // Suppress the exception
                        return(Task.CompletedTask);
                    },
                    OnRedirectToIdentityProviderForSignOut = context =>
                    {
                        System.Security.Claims.ClaimsPrincipal user = context.HttpContext.User;

                        context.ProtocolMessage.LoginHint  = user.GetLoginHint();
                        context.ProtocolMessage.DomainHint = user.GetDomainHint();

                        _tokenService.RemoveAccount(user);
                        return(Task.FromResult(true));
                    },
                    OnAuthorizationCodeReceived = async(context) =>
                    {
                        // As AcquireTokenByAuthorizationCode is asynchronous we want to tell ASP.NET core
                        // that we are handing the code even if it's not done yet, so that it does
                        // not concurrently call the Token endpoint.
                        context.HandleCodeRedemption();

                        string code = context.ProtocolMessage.Code;

                        Microsoft.Identity.Client.AuthenticationResult result = await _tokenService.GetAccessTokenByAuthorizationCodeAsync(context.Principal, code);

                        // Do not share the access token with ASP.NET Core otherwise ASP.NET will cache it
                        // and will not send the OAuth 2.0 request in case a further call to
                        // AcquireTokenByAuthorizationCode in the future for incremental consent
                        // (getting a code requesting more scopes)
                        // Share the ID Token so that the identity of the user is known in the application (in
                        // HttpContext.User)
                        context.HandleCodeRedemption(null, result.IdToken);
                    }
                };
            }