private async Task <IActionResult> LogoutResponseAsync <T>(Saml2Configuration samlConfig, string inResponseTo, string relayState, string loggedOutUrl, Saml2Binding <T> binding, Saml2StatusCodes status, string sessionIndex = null)
{
binding.RelayState = relayState;
var saml2LogoutResponse = new Saml2LogoutResponse(samlConfig)
{
InResponseTo = new Saml2Id(inResponseTo),
Status = status,
Destination = new Uri(loggedOutUrl),
SessionIndex = sessionIndex
};
binding.Bind(saml2LogoutResponse);
logger.ScopeTrace($"SAML Logout response '{saml2LogoutResponse.XmlDocument.OuterXml}'.");
logger.ScopeTrace($"Logged out url '{loggedOutUrl}'.");
logger.ScopeTrace("Down, SAML Logout response.", triggerEvent: true);
await sequenceLogic.RemoveSequenceDataAsync <SamlDownSequenceData>();
await formActionLogic.RemoveFormActionSequenceDataAsync();
if (binding is Saml2Binding <Saml2RedirectBinding> )
{
return(await Task.FromResult((binding as Saml2RedirectBinding).ToActionResult()));
}
if (binding is Saml2Binding <Saml2PostBinding> )
{
return(await Task.FromResult((binding as Saml2PostBinding).ToActionResult()));
}
else
{
throw new NotSupportedException();
}
}
private async Task <IActionResult> AuthnResponseAsync <T>(Saml2Configuration samlConfig, string inResponseTo, string relayState, string acsUrl, Saml2Binding <T> binding, Saml2StatusCodes status, SamlDownParty party = null, IEnumerable <Claim> claims = null)
{
binding.RelayState = relayState;
var saml2AuthnResponse = new FoxIdsSaml2AuthnResponse(settings, samlConfig)
{
InResponseTo = new Saml2Id(inResponseTo),
Status = status,
Destination = new Uri(acsUrl),
};
if (status == Saml2StatusCodes.Success && party != null && claims != null)
{
claims = await claimTransformationsLogic.Transform(party.ClaimTransformations?.ConvertAll(t => (ClaimTransformation)t), claims);
saml2AuthnResponse.SessionIndex = claims.FindFirstValue(c => c.Type == Saml2ClaimTypes.SessionIndex);
saml2AuthnResponse.NameId = GetNameId(claims);
var tokenIssueTime = DateTimeOffset.UtcNow;
var tokenDescriptor = saml2AuthnResponse.CreateTokenDescriptor(GetSubjectClaims(party, claims), party.Issuer, tokenIssueTime, party.IssuedTokenLifetime);
var authnContext = claims.FindFirstValue(c => c.Type == ClaimTypes.AuthenticationMethod);
var authenticationInstant = claims.FindFirstValue(c => c.Type == ClaimTypes.AuthenticationInstant);
var authenticationStatement = saml2AuthnResponse.CreateAuthenticationStatement(authnContext, DateTime.Parse(authenticationInstant));
var subjectConfirmation = saml2AuthnResponse.CreateSubjectConfirmation(tokenIssueTime, party.SubjectConfirmationLifetime);
await saml2AuthnResponse.CreateSecurityTokenAsync(tokenDescriptor, authenticationStatement, subjectConfirmation);
}
binding.Bind(saml2AuthnResponse);
logger.ScopeTrace($"SAML Authn response '{saml2AuthnResponse.XmlDocument.OuterXml}'.");
logger.ScopeTrace($"Acs url '{acsUrl}'.");
logger.ScopeTrace("Down, SAML Authn response.", triggerEvent: true);
await sequenceLogic.RemoveSequenceDataAsync <SamlDownSequenceData>();
await formActionLogic.RemoveFormActionSequenceDataAsync();
if (binding is Saml2Binding <Saml2RedirectBinding> )
{
return(await Task.FromResult((binding as Saml2RedirectBinding).ToActionResult()));
}
else if (binding is Saml2Binding <Saml2PostBinding> )
{
return(await Task.FromResult((binding as Saml2PostBinding).ToActionResult()));
}
else
{
throw new NotSupportedException();
}
}
public async Task <IActionResult> EndSessionResponseAsync(string partyId)
{
logger.ScopeTrace("Down, End session response.");
logger.SetScopeProperty("downPartyId", partyId);
var sequenceData = await sequenceLogic.GetSequenceDataAsync <OidcDownSequenceData>(false);
var endSessionResponse = new EndSessionResponse
{
State = sequenceData.State,
};
logger.ScopeTrace($"End session response '{endSessionResponse.ToJsonIndented()}'.");
var nameValueCollection = endSessionResponse.ToDictionary();
logger.ScopeTrace($"Redirect Uri '{sequenceData.RedirectUri}'.");
logger.ScopeTrace("Down, OIDC End session response.", triggerEvent: true);
await sequenceLogic.RemoveSequenceDataAsync <OidcDownSequenceData>();
await formActionLogic.RemoveFormActionSequenceDataAsync();
return(await nameValueCollection.ToRedirectResultAsync(sequenceData.RedirectUri));
}
public async Task <IActionResult> AuthenticationResponseAsync(string partyId, List <Claim> claims)
{
logger.ScopeTrace("Down, OIDC Authentication response.");
logger.SetScopeProperty("downPartyId", partyId);
var party = await tenantRepository.GetAsync <TParty>(partyId);
if (party.Client == null)
{
throw new NotSupportedException($"Party Client not configured.");
}
var sequenceData = await sequenceLogic.GetSequenceDataAsync <OidcDownSequenceData>(false);
claims = await claimTransformationsLogic.Transform(party.ClaimTransformations?.ConvertAll(t => (ClaimTransformation)t), claims);
var authenticationResponse = new AuthenticationResponse
{
TokenType = IdentityConstants.TokenTypes.Bearer,
State = sequenceData.State,
ExpiresIn = party.Client.AccessTokenLifetime,
};
var sessionResponse = new SessionResponse
{
SessionState = claims.FindFirstValue(c => c.Type == JwtClaimTypes.SessionId)
};
logger.ScopeTrace($"Response type '{sequenceData.ResponseType}'.");
var responseTypes = sequenceData.ResponseType.ToSpaceList();
if (responseTypes.Contains(IdentityConstants.ResponseTypes.Code))
{
authenticationResponse.Code = await oauthAuthCodeGrantLogic.CreateAuthCodeGrantAsync(party.Client as TClient, claims, sequenceData.RedirectUri, sequenceData.Scope, sequenceData.Nonce, sequenceData.CodeChallenge, sequenceData.CodeChallengeMethod);
}
string algorithm = IdentityConstants.Algorithms.Asymmetric.RS256;
if (responseTypes.Contains(IdentityConstants.ResponseTypes.Token))
{
authenticationResponse.AccessToken = await jwtLogic.CreateAccessTokenAsync(party.Client as TClient, claims, sequenceData.Scope?.ToSpaceList(), algorithm);
}
if (responseTypes.Contains(IdentityConstants.ResponseTypes.IdToken))
{
authenticationResponse.IdToken = await jwtLogic.CreateIdTokenAsync(party.Client as TClient, claims, sequenceData.Scope?.ToSpaceList(), sequenceData.Nonce, responseTypes, authenticationResponse.Code, authenticationResponse.AccessToken, algorithm);
}
logger.ScopeTrace($"Authentication response '{authenticationResponse.ToJsonIndented()}'.");
var nameValueCollection = authenticationResponse.ToDictionary();
if (!sessionResponse.SessionState.IsNullOrWhiteSpace())
{
logger.ScopeTrace($"Session response '{sessionResponse.ToJsonIndented()}'.");
nameValueCollection = nameValueCollection.AddToDictionary(sessionResponse);
}
logger.ScopeTrace($"Redirect Uri '{sequenceData.RedirectUri}'.");
logger.ScopeTrace("Down, OIDC Authentication response.", triggerEvent: true);
var responseMode = GetResponseMode(sequenceData.ResponseMode, sequenceData.ResponseType);
await sequenceLogic.RemoveSequenceDataAsync <OidcDownSequenceData>();
await formActionLogic.RemoveFormActionSequenceDataAsync();
switch (responseMode)
{
case IdentityConstants.ResponseModes.FormPost:
return(await nameValueCollection.ToHtmlPostContentResultAsync(sequenceData.RedirectUri));
case IdentityConstants.ResponseModes.Query:
return(await nameValueCollection.ToRedirectResultAsync(sequenceData.RedirectUri));
case IdentityConstants.ResponseModes.Fragment:
return(await nameValueCollection.ToFragmentResultAsync(sequenceData.RedirectUri));
default:
throw new NotSupportedException();
}
}
