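/// <summary>
/// Creates a new instance of <see cref="OpenIdConnectAuthenticationOptions"/> configured for Okta.
/// </summary>
/// <param name="oktaMvcOptions">The <see cref="OktaMvcOptions"/> options.</param>
/// <param name="notifications">
/// The <see cref="OpenIdConnectAuthenticationNotifications"/> notifications. Only the
/// <c>RedirectToIdentityProvider</c> handler is copied into the returned options; any other
/// handler set on this instance is not used.
/// </param>
/// <returns>A new instance of <see cref="OpenIdConnectAuthenticationOptions"/>.</returns>
/// <exception cref="System.ArgumentNullException">
/// <paramref name="oktaMvcOptions"/> or <paramref name="notifications"/> is <c>null</c>.
/// </exception>
/// <remarks>
/// Unlike <c>AddOpenIdConnectAuthentication</c>, this method does not clear
/// <c>JwtSecurityTokenHandler.DefaultInboundClaimTypeMap</c>; callers that want unmapped JWT
/// claim names must do that themselves.
/// </remarks>
public static OpenIdConnectAuthenticationOptions BuildOpenIdConnectAuthenticationOptions(OktaMvcOptions oktaMvcOptions, OpenIdConnectAuthenticationNotifications notifications)
{
    // Fail fast with a clear exception instead of a NullReferenceException further down
    // (both parameters are dereferenced below).
    if (oktaMvcOptions == null)
    {
        throw new System.ArgumentNullException(nameof(oktaMvcOptions));
    }

    if (notifications == null)
    {
        throw new System.ArgumentNullException(nameof(notifications));
    }

    var issuer = UrlHelper.CreateIssuerUrl(oktaMvcOptions.OktaDomain, oktaMvcOptions.AuthorizationServerId);

    // The HttpClient is handed to the document retriever and lives as long as the
    // configuration manager does, so it is deliberately not disposed here.
    var httpClient = new HttpClient(new UserAgentHandler("okta-aspnet", typeof(OktaMiddlewareExtensions).Assembly.GetName().Version));

    // The discovery document (endpoints, signing keys) is retrieved from the issuer's well-known URL.
    var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
        issuer + "/.well-known/openid-configuration",
        new OpenIdConnectConfigurationRetriever(),
        new HttpDocumentRetriever(httpClient));

    var tokenValidationParameters = new DefaultTokenValidationParameters(oktaMvcOptions, issuer)
    {
        NameClaimType = "name",
        // Pin the expected audience to this client so tokens minted for another client are rejected.
        ValidAudience = oktaMvcOptions.ClientId,
        // CLIST: 2019-11-08 - save the claims token into the bootstrap context for k2
        // NOTE: this keeps the original validated token attached to the resulting identity, so
        // anything that persists or exposes the principal also carries the raw token.
        SaveSigninToken = true,
    };

    var tokenExchanger = new TokenExchanger(oktaMvcOptions, issuer, configurationManager);

    // Fall back to the SDK default scopes when the caller configured none.
    var definedScopes = oktaMvcOptions.Scope?.ToArray() ?? OktaDefaults.Scope;
    var scopeString = string.Join(" ", definedScopes);

    // Passive: the middleware only redirects to Okta when explicitly challenged;
    // Active: it challenges unauthenticated requests itself.
    var authenticationMode = oktaMvcOptions.LoginMode == LoginMode.SelfHosted
        ? AuthenticationMode.Passive
        : AuthenticationMode.Active;

    var oidcOptions = new OpenIdConnectAuthenticationOptions
    {
        ClientId = oktaMvcOptions.ClientId,
        ClientSecret = oktaMvcOptions.ClientSecret,
        Authority = issuer,
        RedirectUri = oktaMvcOptions.RedirectUri,
        // Hybrid flow: the id_token is validated by the middleware, the code is exchanged by tokenExchanger.
        ResponseType = OpenIdConnectResponseType.CodeIdToken,
        Scope = scopeString,
        PostLogoutRedirectUri = oktaMvcOptions.PostLogoutRedirectUri,
        TokenValidationParameters = tokenValidationParameters,
        SecurityTokenValidator = new StrictSecurityTokenValidator(),
        AuthenticationMode = authenticationMode,
        Notifications = new OpenIdConnectAuthenticationNotifications
        {
            AuthorizationCodeReceived = tokenExchanger.ExchangeCodeForTokenAsync,
            RedirectToIdentityProvider = notifications.RedirectToIdentityProvider,
        },
    };

    // Optional caller hook that runs after the middleware has validated the token.
    if (oktaMvcOptions.SecurityTokenValidated != null)
    {
        oidcOptions.Notifications.SecurityTokenValidated = oktaMvcOptions.SecurityTokenValidated;
    }

    return oidcOptions;
}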
/// <summary>
/// Registers the Okta OpenID Connect authentication middleware on the OWIN pipeline.
/// </summary>
/// <param name="app">The OWIN application builder the middleware is added to.</param>
/// <param name="options">The <see cref="OktaMvcOptions"/> used to configure the middleware.</param>
/// <remarks>
/// Clears <c>JwtSecurityTokenHandler.DefaultInboundClaimTypeMap</c>, which is process-wide
/// state: every JWT handler created afterwards in this process keeps the original claim names.
/// </remarks>
private static void AddOpenIdConnectAuthentication(IAppBuilder app, OktaMvcOptions options)
{
    string issuerUrl = UrlHelper.CreateIssuerUrl(options.OktaDomain, options.AuthorizationServerId);

    var sdkVersion = typeof(OktaMiddlewareExtensions).Assembly.GetName().Version;
    // Kept alive by the configuration manager; not disposed here on purpose.
    HttpClient discoveryClient = new HttpClient(new UserAgentHandler("okta-aspnet", sdkVersion));

    string discoveryUrl = issuerUrl + "/.well-known/openid-configuration";
    var discoveryManager = new ConfigurationManager<OpenIdConnectConfiguration>(
        discoveryUrl,
        new OpenIdConnectConfigurationRetriever(),
        new HttpDocumentRetriever(discoveryClient));

    var validationParameters = new DefaultTokenValidationParameters(options, issuerUrl)
    {
        NameClaimType = "name",
        // Only tokens issued for this client id pass audience validation.
        ValidAudience = options.ClientId,
    };

    var codeExchanger = new TokenExchanger(options, issuerUrl, discoveryManager);

    // Stop the default behavior of remapping JWT claim names to legacy MS/SOAP claim names
    JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

    // Caller-configured scopes win; otherwise use the SDK defaults.
    string[] scopes = options.Scope?.ToArray() ?? OktaDefaults.Scope;
    string scopeValue = string.Join(" ", scopes);

    var callbacks = new OpenIdConnectAuthenticationNotifications
    {
        AuthorizationCodeReceived = codeExchanger.ExchangeCodeForTokenAsync,
        RedirectToIdentityProvider = BeforeRedirectToIdentityProviderAsync,
    };

    var oidcOptions = new OpenIdConnectAuthenticationOptions
    {
        ClientId = options.ClientId,
        ClientSecret = options.ClientSecret,
        Authority = issuerUrl,
        RedirectUri = options.RedirectUri,
        // Hybrid flow: id_token validated by the middleware, code exchanged by codeExchanger.
        ResponseType = OpenIdConnectResponseType.CodeIdToken,
        Scope = scopeValue,
        PostLogoutRedirectUri = options.PostLogoutRedirectUri,
        TokenValidationParameters = validationParameters,
        SecurityTokenValidator = new StrictSecurityTokenValidator(),
        Notifications = callbacks,
    };

    app.UseOpenIdConnectAuthentication(oidcOptions);
}