public InteractionResponse ProcessLogin(ValidatedAuthorizeRequest request, ClaimsPrincipal user) { // pass through display mode to signin service if (request.DisplayMode.IsPresent()) { _signIn.DisplayMode = request.DisplayMode; } // pass through ui locales to signin service if (request.UiLocales.IsPresent()) { _signIn.UILocales = request.UiLocales; } if (request.PromptMode == Constants.PromptModes.Login) { // remove prompt so when we redirect back in from login page // we won't think we need to force a prompt again request.Raw.Remove(Constants.AuthorizeRequest.Prompt); return new InteractionResponse { IsLogin = true, SignInMessage = _signIn }; } // unauthenticated user if (!user.Identity.IsAuthenticated) { // prompt=none means user must be signed in already if (request.PromptMode == Constants.PromptModes.None) { return new InteractionResponse { IsError = true, Error = new AuthorizeError { ErrorType = ErrorTypes.Client, Error = Constants.AuthorizeErrors.InteractionRequired, ResponseMode = request.ResponseMode, ErrorUri = request.RedirectUri, State = request.State } }; } return new InteractionResponse { IsLogin = true, SignInMessage = _signIn }; } // check authentication freshness if (request.MaxAge.HasValue) { var authTime = user.GetAuthenticationTime(); if (DateTime.UtcNow > authTime.AddSeconds(request.MaxAge.Value)) { return new InteractionResponse { IsLogin = true, SignInMessage = _signIn }; } } return new InteractionResponse(); }
public async Task<LoginInteractionResponse> ProcessLoginAsync(ValidatedAuthorizeRequest request, ClaimsPrincipal user) { // let the login page know the client requesting authorization _signIn.ClientId = request.ClientId; // pass through display mode to signin service if (request.DisplayMode.IsPresent()) { _signIn.DisplayMode = request.DisplayMode; } // pass through ui locales to signin service if (request.UiLocales.IsPresent()) { _signIn.UiLocales = request.UiLocales; } // pass through login_hint if (request.LoginHint.IsPresent()) { _signIn.LoginHint = request.LoginHint; } // process acr values var acrValues = request.AuthenticationContextReferenceClasses.Distinct().ToList(); // look for well-known acr value -- idp var idp = acrValues.FirstOrDefault(x => x.StartsWith(Constants.KnownAcrValues.HomeRealm)); if (idp.IsPresent()) { _signIn.IdP = idp.Substring(Constants.KnownAcrValues.HomeRealm.Length); acrValues.Remove(idp); } // look for well-known acr value -- tenant var tenant = acrValues.FirstOrDefault(x => x.StartsWith(Constants.KnownAcrValues.Tenant)); if (tenant.IsPresent()) { _signIn.Tenant = tenant.Substring(Constants.KnownAcrValues.Tenant.Length); acrValues.Remove(tenant); } // pass through any remaining acr values if (acrValues.Any()) { _signIn.AcrValues = acrValues; } if (request.PromptMode == Constants.PromptModes.Login) { // remove prompt so when we redirect back in from login page // we won't think we need to force a prompt again request.Raw.Remove(Constants.AuthorizeRequest.Prompt); Logger.Info("Redirecting to login page because of prompt=login"); return new LoginInteractionResponse { SignInMessage = _signIn }; } // unauthenticated user var isAuthenticated = user.Identity.IsAuthenticated; if (!isAuthenticated) Logger.Info("User is not authenticated. Redirecting to login."); // user de-activated bool isActive = false; if (isAuthenticated) { var isActiveCtx = new IsActiveContext(user, request.Client); await _users.IsActiveAsync(isActiveCtx); isActive = isActiveCtx.IsActive; if (!isActive) Logger.Info("User is not active. Redirecting to login."); } if (!isAuthenticated || !isActive) { // prompt=none means user must be signed in already if (request.PromptMode == Constants.PromptModes.None) { Logger.Info("prompt=none was requested. But user is not authenticated."); return new LoginInteractionResponse { Error = new AuthorizeError { ErrorType = ErrorTypes.Client, Error = Constants.AuthorizeErrors.LoginRequired, ResponseMode = request.ResponseMode, ErrorUri = request.RedirectUri, State = request.State } }; } return new LoginInteractionResponse { SignInMessage = _signIn }; } // check current idp var currentIdp = user.GetIdentityProvider(); // check if idp login hint matches current provider if (_signIn.IdP.IsPresent()) { if (_signIn.IdP != currentIdp) { Logger.Info("Current IdP is not the requested IdP. Redirecting to login"); Logger.InfoFormat("Current: {0} -- Requested: {1}", currentIdp, _signIn.IdP); return new LoginInteractionResponse { SignInMessage = _signIn }; } } // check authentication freshness if (request.MaxAge.HasValue) { var authTime = user.GetAuthenticationTime(); if (DateTimeOffsetHelper.UtcNow > authTime.AddSeconds(request.MaxAge.Value)) { Logger.Info("Requested MaxAge exceeded. Redirecting to login"); return new LoginInteractionResponse { SignInMessage = _signIn }; } } return new LoginInteractionResponse(); }
public async Task<LoginInteractionResponse> ProcessLoginAsync(ValidatedAuthorizeRequest request, ClaimsPrincipal user) { // let the login page know the client requesting authorization _signIn.ClientId = request.ClientId; // pass through display mode to signin service if (request.DisplayMode.IsPresent()) { _signIn.DisplayMode = request.DisplayMode; } // pass through ui locales to signin service if (request.UiLocales.IsPresent()) { _signIn.UiLocales = request.UiLocales; } // check login_hint - we only support idp: right now if (request.LoginHint.IsPresent()) { if (request.LoginHint.StartsWith(Constants.LoginHints.HomeRealm)) { _signIn.IdP = request.LoginHint.Substring(Constants.LoginHints.HomeRealm.Length); } if (request.LoginHint.StartsWith(Constants.LoginHints.Tenant)) { _signIn.Tenant = request.LoginHint.Substring(Constants.LoginHints.Tenant.Length); } } // pass through acr values if (request.AuthenticationContextReferenceClasses.Any()) { _signIn.AcrValues = request.AuthenticationContextReferenceClasses; } if (request.PromptMode == Constants.PromptModes.Login) { // remove prompt so when we redirect back in from login page // we won't think we need to force a prompt again request.Raw.Remove(Constants.AuthorizeRequest.Prompt); return new LoginInteractionResponse { SignInMessage = _signIn }; } // unauthenticated user var isAuthenticated = user.Identity.IsAuthenticated; if (!isAuthenticated) Logger.Info("User is not authenticated. Redirecting to login."); // user de-activated bool isActive = false; if (isAuthenticated) { isActive = await _users.IsActiveAsync(user); if (!isActive) Logger.Info("User is not active. Redirecting to login."); } if (!isAuthenticated || !isActive) { // prompt=none means user must be signed in already if (request.PromptMode == Constants.PromptModes.None) { return new LoginInteractionResponse { Error = new AuthorizeError { ErrorType = ErrorTypes.Client, Error = Constants.AuthorizeErrors.LoginRequired, ResponseMode = request.ResponseMode, ErrorUri = request.RedirectUri, State = request.State } }; } return new LoginInteractionResponse { SignInMessage = _signIn }; } // check current idp var currentIdp = user.GetIdentityProvider(); // check if idp login hint matches current provider if (_signIn.IdP.IsPresent()) { if (_signIn.IdP != currentIdp) { return new LoginInteractionResponse { SignInMessage = _signIn }; } } // check authentication freshness if (request.MaxAge.HasValue) { var authTime = user.GetAuthenticationTime(); if (DateTimeOffsetHelper.UtcNow > authTime.AddSeconds(request.MaxAge.Value)) { return new LoginInteractionResponse { SignInMessage = _signIn }; } } return new LoginInteractionResponse(); }