public MultipleAuthenticationStartup(ClaimsPrincipal principal1, ClaimsPrincipal principal2, bool automaticAuthenticate, ScopeValidationOptions options)
{
_principal1 = principal1;
_principal2 = principal2;
_scopeOptions = options;
_automaticAuthenticate = automaticAuthenticate;
}
/// <summary>
/// Initializes a new instance of the <see cref="ScopeValidationMiddleware"/> class.
/// </summary>
/// <param name="next">The next midleware.</param>
/// <param name="scopes">The scopes.</param>
public ScopeValidationMiddleware(RequestDelegate next, ScopeValidationOptions options)
{
if (next == null)
{
throw new ArgumentNullException(nameof(next));
}
if (options == null)
{
throw new ArgumentNullException(nameof(options));
}
if (string.IsNullOrWhiteSpace(options.ScopeClaimType))
{
throw new ArgumentNullException(nameof(options.ScopeClaimType));
}
if (options.AllowedScopes == null)
{
throw new ArgumentNullException(nameof(options.AllowedScopes));
}
_next = next;
_options = options;
}
public static IApplicationBuilder AllowScopes(this IApplicationBuilder app, params string[] scopes)
{
var options = new ScopeValidationOptions
{
AllowedScopes = scopes
};
return app.AllowScopes(options);
}
public static IApplicationBuilder UseIdentityServerAuthentication(this IApplicationBuilder app, IdentityServerAuthenticationOptions options)
{
var combinedOptions = new CombinedAuthenticationOptions();
combinedOptions.TokenRetriever = options.TokenRetriever;
combinedOptions.AuthenticationScheme = options.AuthenticationScheme;
switch (options.SupportedTokens)
{
case SupportedTokens.Jwt:
combinedOptions.JwtBearerOptions = ConfigureJwt(options);
break;
case SupportedTokens.Reference:
combinedOptions.IntrospectionOptions = ConfigureIntrospection(options);
break;
case SupportedTokens.Both:
combinedOptions.JwtBearerOptions = ConfigureJwt(options);
combinedOptions.IntrospectionOptions = ConfigureIntrospection(options);
break;
default:
throw new Exception("SupportedTokens has invalid value");
}
app.UseMiddleware<IdentityServerAuthenticationMiddleware>(app, combinedOptions);
var allowedScopes = new List<string>();
if (!string.IsNullOrWhiteSpace(options.ScopeName))
{
allowedScopes.Add(options.ScopeName);
}
if (options.AdditionalScopes != null && options.AdditionalScopes.Any())
{
allowedScopes.AddRange(options.AdditionalScopes);
}
if (allowedScopes.Any())
{
var scopeOptions = new ScopeValidationOptions
{
AllowedScopes = allowedScopes,
AuthenticationScheme = options.AuthenticationScheme
};
app.AllowScopes(scopeOptions);
}
return app;
}
//[Fact]
//public async Task Authenticated_User_Missing_Scopes_Should_Be_Forbidden()
//{
// var principal = Principal.Create("custom",
// new Claim("sub", "123"));
// var allowedScopes = new[] { "scope1", "scope2" };
// var client = CreateClient(principal, allowedScopes);
// var response = await client.GetAsync("/");
// response.StatusCode.Should().Be(HttpStatusCode.Forbidden);
//}
//[Fact]
//public async Task Authenticated_User_Matching_Scope_Should_Be_Allowed()
//{
// var principal = Principal.Create("custom",
// new Claim("sub", "123"),
// new Claim("scope", "scope1"));
// var allowedScopes = new[] { "scope1", "scope2" };
// var client = CreateClient(principal, allowedScopes);
// var response = await client.GetAsync("/");
// response.StatusCode.Should().Be(HttpStatusCode.OK);
//}
private HttpClient CreateClient(ClaimsPrincipal principal1, ClaimsPrincipal principal2, bool automaticAuthenticate, IEnumerable<string> allowedScopes, string scopeAuthenticationScheme)
{
var options = new ScopeValidationOptions
{
AllowedScopes = allowedScopes,
AuthenticationScheme = scopeAuthenticationScheme
};
var startup = new MultipleAuthenticationStartup(principal1, principal2, automaticAuthenticate, options);
var server = TestServer.Create(null, startup.Configure, startup.ConfigureServices);
return server.CreateClient();
}
public static IApplicationBuilder AllowScopes(this IApplicationBuilder app, ScopeValidationOptions options)
{
return app.UseMiddleware<ScopeValidationMiddleware>(options);
}
