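        /// <summary>
        /// Reconciles the Sitecore login state with the federated (claims) login state for every
        /// domain except "sitecore". The inputs are the claims cookie token, the current
        /// <see cref="ClaimsPrincipal"/> and <c>Context.IsLoggedIn</c>; any inconsistent
        /// combination ends in <see cref="LogoutAndRedirectToLogoutPage"/>, while consistent
        /// ones (anonymous visit, matching identities, request to the login endpoint) fall
        /// through to the rest of the pipeline.
        /// </summary>
        /// <param name="args">Pipeline arguments for the current request; must not be null
        /// (checked via <c>Assert.ArgumentNotNull</c>).</param>
        public override void Process(HttpRequestArgs args)
        {
            Assert.ArgumentNotNull(args, "args");

            // Token from the claims cookie; presumably null/empty when the cookie is absent.
            string key = IdentityHelper.GetAuthTokenFromCookie();

            // Only reconcile identities outside the "sitecore" domain (editors still log in
            // without claims). Ordinal: the domain name is an identifier, not display text.
            // TODO: can be removed if we are logging in with claims as well for editors
            if (string.Equals(Context.Domain.Name, "sitecore", StringComparison.Ordinal))
            {
                return;
            }

            bool hasClaimsCookie = !string.IsNullOrEmpty(key);
            bool sitecoreLoggedIn = Context.IsLoggedIn;
            var federatedUser = IdentityHelper.GetCurrentClaimsPrincipal() as ClaimsPrincipal;

            // Decision table (kept from the original author):
            // 1 - not logged in AND claims cookie missing: anonymous visit -> handled in pipeline
            // 2 - only claims cookie available: delete this cookie -> handled by OWIN
            // 3 - only ID in database available (not possible to check here) -> handled by timer
            // 4 - cookie and federated ID but no Sitecore ID -> redirect to login page, handled by Sitecore
            // 5 - only the .ASPXAUTH cookie is available (Context.IsLoggedIn) -> logout and redirect -> pipeline
            // 6 - claims cookie, no federated ID, Sitecore login available: logout and redirect -> pipeline
            // 7 - no claims cookie, no federated ID, Sitecore login available: logout and redirect -> pipeline
            // 8 - all identities available: names must match, otherwise logout and redirect

            // 1 - anonymous visit: nothing to reconcile.
            if (!sitecoreLoggedIn && !hasClaimsCookie)
            {
                return;
            }

            // 5 & 7 - Sitecore session without a claims cookie.
            if (sitecoreLoggedIn && !hasClaimsCookie)
            {
                LogoutAndRedirectToLogoutPage();
                return;
            }

            // From here on the claims cookie is present.

            // 6 - Sitecore session and claims cookie, but no claims principal.
            if (sitecoreLoggedIn && federatedUser == null)
            {
                LogoutAndRedirectToLogoutPage();
                return;
            }

            // 8 - Sitecore session, claims cookie and claims principal: the Sitecore user name
            // must be "<domain>\<federated identity name>", otherwise the cookies belong to
            // different accounts and the session is torn down.
            if (sitecoreLoggedIn)
            {
                var identity = federatedUser.Identity;
                // A principal without an identity can never match; it is treated as a mismatch
                // instead of throwing a NullReferenceException.
                string federatedName = identity != null ? identity.Name : null;
                string expectedName = String.Format("{0}\\{1}", Context.Domain.Name, federatedName);

                // NOTE(review): ordinal, case-sensitive comparison as in the original; confirm that
                // Sitecore user names and the federated identity name are normalised the same way.
                if (!string.Equals(Context.User.Name, expectedName, StringComparison.Ordinal))
                {
                    LogoutAndRedirectToLogoutPage();
                }
                return;
            }

            // 2 & 4 - claims cookie but no Sitecore session: either the callback from the
            // identity provider (entry via /login, let that handler run) or a stale cookie.
            // OrdinalIgnoreCase: a URL path is not linguistic text, and the ordinal comparison
            // cannot be widened by culture-ignorable characters.
            // NOTE(review): this is a prefix match on path + query, so any path starting with
            // "/login" also skips the redirect; if the callback URL is fixed, match
            // Request.Url.AbsolutePath exactly instead.
            if (HttpContext.Current.Request.Url.PathAndQuery.StartsWith("/login", StringComparison.OrdinalIgnoreCase))
            {
                return;
            }

            // All other situations: tear down the inconsistent state.
            LogoutAndRedirectToLogoutPage();
        }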