static Task SecurityTokenValidated(SecurityTokenValidatedNotification<OpenIdConnectMessage,
OpenIdConnectAuthenticationOptions> notification)
{
var token = notification.ProtocolMessage.AccessToken;
if (!string.IsNullOrEmpty(token))
{
notification.AuthenticationTicket.Identity.AddClaim(new Claim("access_token", token));
}
return Task.FromResult(true);
}
private static Task SecurityTokenValidated(SecurityTokenValidatedNotification<OpenIdConnectMessage,
OpenIdConnectAuthenticationOptions> n)
{
var id = n.AuthenticationTicket.Identity;
if (id != null)
{
id.AddClaim(new Claim("id_token", n.ProtocolMessage.IdToken));
n.AuthenticationTicket = new AuthenticationTicket(id, n.AuthenticationTicket.Properties);
}
var token = n.ProtocolMessage.AccessToken;
if (!string.IsNullOrEmpty(token))
{
n.AuthenticationTicket.Identity.AddClaim(new Claim("access_token", token));
}
return Task.FromResult(true);
}
private Task SecurityTokenValidated(SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
{
// retriever caller data from the incoming principal
var issuer = context.AuthenticationTicket.Identity.FindFirst("iss").Value;
var upn = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.Name).Value;
var tenantId = context.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
// the caller comes from an admin-consented, recorded issuer
var adminConsentedRecordedIssuer = _db.Tenants.FirstOrDefault(a => (a.IssValue == issuer) && a.AdminConsented) == null;
// the caller is recorded in the _db of users who went through the individual onboardoing
var userIsOnboarded = _db.Users.FirstOrDefault(b => (b.UPN == upn) && (b.TenantID == tenantId)) == null;
if (adminConsentedRecordedIssuer && userIsOnboarded)
{
// the caller was neither from a trusted issuer or a registered user - throw to block the authentication flow
throw new SecurityTokenValidationException();
}
return Task.FromResult(0);
}
async Task<SecurityTokenValidatedNotification<WsFederationMessage, WsFederationAuthenticationOptions>> LoginSitecoreUser(SecurityTokenValidatedNotification<WsFederationMessage, WsFederationAuthenticationOptions> context)
{
//IPrincipal claimsPrincipal = new ClaimsPrincipal(context.AuthenticationTicket.Identity);
//// store claims in session
//IEnumerable<Claim> claims = context.AuthenticationTicket.Identity.Claims;
//ClientContext.SetValue("bla", "diebla");
//LoginHelper loginHelper = new LoginHelper();
//loginHelper.Login(claimsPrincipal);
return context;
}
protected override async Task<AuthenticationTicket> AuthenticateCoreAsync()
{
if (Options.CallbackPath.HasValue && Options.CallbackPath != (Request.PathBase + Request.Path))
{
return null;
}
OpenIdConnectMessage openIdConnectMessage = null;
if (string.Equals(Request.Method, "POST", StringComparison.OrdinalIgnoreCase)
&& !string.IsNullOrWhiteSpace(Request.ContentType)
&& Request.ContentType.StartsWith("application/x-www-form-urlencoded", StringComparison.OrdinalIgnoreCase)
&& Request.Body.CanRead)
{
if (!Request.Body.CanSeek)
{
_logger.WriteVerbose("Buffering request body");
MemoryStream memoryStream = new MemoryStream();
await Request.Body.CopyToAsync(memoryStream);
memoryStream.Seek(0, SeekOrigin.Begin);
Request.Body = memoryStream;
}
IFormCollection form = await Request.ReadFormAsync();
Request.Body.Seek(0, SeekOrigin.Begin);
openIdConnectMessage = new OpenIdConnectMessage(form);
}
if (openIdConnectMessage == null)
{
return null;
}
ExceptionDispatchInfo authFailedEx = null;
string policy = string.Empty;
try
{
var messageReceivedNotification = new MessageReceivedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions>(Context, Options)
{
ProtocolMessage = openIdConnectMessage
};
await Options.Notifications.MessageReceived(messageReceivedNotification);
if (messageReceivedNotification.HandledResponse)
{
return GetHandledResponseTicket();
}
if (messageReceivedNotification.Skipped)
{
return null;
}
AuthenticationProperties properties = GetPropertiesFromState(openIdConnectMessage.State);
if (properties == null)
{
_logger.WriteWarning("The state field is missing or invalid.");
return null;
}
string nonce = null;
if (Options.ProtocolValidator.RequireNonce)
{
nonce = RetrieveNonce(openIdConnectMessage);
}
if (!string.IsNullOrWhiteSpace(openIdConnectMessage.Error))
{
throw new OpenIdConnectProtocolException(
string.Format(CultureInfo.InvariantCulture,
openIdConnectMessage.Error,
"", openIdConnectMessage.ErrorDescription ?? string.Empty, openIdConnectMessage.ErrorUri ?? string.Empty));
}
if (string.IsNullOrWhiteSpace(openIdConnectMessage.IdToken))
{
_logger.WriteWarning("The id_token is missing.");
return null;
}
var securityTokenReceivedNotification = new SecurityTokenReceivedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions>(Context, Options)
{
ProtocolMessage = openIdConnectMessage,
};
await Options.Notifications.SecurityTokenReceived(securityTokenReceivedNotification);
if (securityTokenReceivedNotification.HandledResponse)
{
return GetHandledResponseTicket();
}
if (securityTokenReceivedNotification.Skipped)
{
return null;
}
// Enable Per-Policy Metadata Retreival
if (properties.Dictionary.TryGetValue(PolicyParameter, out policy))
{
B2CConfigurationManager mgr = Options.ConfigurationManager as B2CConfigurationManager;
_configuration = await mgr.GetConfigurationAsync(Context.Request.CallCancelled, policy);
}
else
{
_logger.WriteWarning("No policy identifier was found in the Authentication Properties of the request.");
return null;
}
TokenValidationParameters tvp = Options.TokenValidationParameters.Clone();
IEnumerable<string> issuers = new[] { _configuration.Issuer };
tvp.ValidIssuers = (tvp.ValidIssuers == null ? issuers : tvp.ValidIssuers.Concat(issuers));
tvp.IssuerSigningTokens = (tvp.IssuerSigningTokens == null ? _configuration.SigningTokens : tvp.IssuerSigningTokens.Concat(_configuration.SigningTokens));
SecurityToken validatedToken;
ClaimsPrincipal principal = Options.SecurityTokenHandlers.ValidateToken(openIdConnectMessage.IdToken, tvp, out validatedToken);
ClaimsIdentity claimsIdentity = principal.Identity as ClaimsIdentity;
JwtSecurityToken jwt = validatedToken as JwtSecurityToken;
AuthenticationTicket ticket = new AuthenticationTicket(claimsIdentity, properties);
if (!string.IsNullOrWhiteSpace(openIdConnectMessage.SessionState))
{
ticket.Properties.Dictionary[OpenIdConnectSessionProperties.SessionState] = openIdConnectMessage.SessionState;
}
if (!string.IsNullOrWhiteSpace(_configuration.CheckSessionIframe))
{
ticket.Properties.Dictionary[OpenIdConnectSessionProperties.CheckSessionIFrame] = _configuration.CheckSessionIframe;
}
if (Options.UseTokenLifetime)
{
DateTime issued = jwt.ValidFrom;
if (issued != DateTime.MinValue)
{
ticket.Properties.IssuedUtc = issued.ToUniversalTime();
}
DateTime expires = jwt.ValidTo;
if (expires != DateTime.MinValue)
{
ticket.Properties.ExpiresUtc = expires.ToUniversalTime();
}
ticket.Properties.AllowRefresh = false;
}
var securityTokenValidatedNotification = new SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions>(Context, Options)
{
AuthenticationTicket = ticket,
ProtocolMessage = openIdConnectMessage,
};
await Options.Notifications.SecurityTokenValidated(securityTokenValidatedNotification);
if (securityTokenValidatedNotification.HandledResponse)
{
return GetHandledResponseTicket();
}
if (securityTokenValidatedNotification.Skipped)
{
return null;
}
ticket = securityTokenValidatedNotification.AuthenticationTicket;
var protocolValidationContext = new OpenIdConnectProtocolValidationContext
{
AuthorizationCode = openIdConnectMessage.Code,
Nonce = nonce,
};
Options.ProtocolValidator.Validate(jwt, protocolValidationContext);
if (openIdConnectMessage.Code != null)
{
var authorizationCodeReceivedNotification = new AuthorizationCodeReceivedNotification(Context, Options)
{
AuthenticationTicket = ticket,
Code = openIdConnectMessage.Code,
JwtSecurityToken = jwt,
ProtocolMessage = openIdConnectMessage,
RedirectUri = ticket.Properties.Dictionary.ContainsKey(OpenIdConnectAuthenticationDefaults.RedirectUriUsedForCodeKey) ?
ticket.Properties.Dictionary[OpenIdConnectAuthenticationDefaults.RedirectUriUsedForCodeKey] : string.Empty,
};
await Options.Notifications.AuthorizationCodeReceived(authorizationCodeReceivedNotification);
if (authorizationCodeReceivedNotification.HandledResponse)
{
return GetHandledResponseTicket();
}
if (authorizationCodeReceivedNotification.Skipped)
{
return null;
}
ticket = authorizationCodeReceivedNotification.AuthenticationTicket;
}
return ticket;
}
catch (Exception exception)
{
authFailedEx = ExceptionDispatchInfo.Capture(exception);
}
if (authFailedEx != null)
{
_logger.WriteError("Exception occurred while processing message: '" + authFailedEx.ToString());
if (Options.RefreshOnIssuerKeyNotFound && authFailedEx.SourceException.GetType().Equals(typeof(SecurityTokenSignatureKeyNotFoundException)))
{
B2CConfigurationManager mgr = Options.ConfigurationManager as B2CConfigurationManager;
mgr.RequestRefresh(policy);
}
var authenticationFailedNotification = new AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions>(Context, Options)
{
ProtocolMessage = openIdConnectMessage,
Exception = authFailedEx.SourceException
};
await Options.Notifications.AuthenticationFailed(authenticationFailedNotification);
if (authenticationFailedNotification.HandledResponse)
{
return GetHandledResponseTicket();
}
if (authenticationFailedNotification.Skipped)
{
return null;
}
authFailedEx.Throw();
}
return null;
}
/// <summary>
/// Invokes the login procedure (2nd leg of SP-Initiated login). Analagous to Saml20SignonHandler from ASP.Net DLL
/// </summary>
/// <param name="context"></param>
/// <returns></returns>
public async Task<AuthenticationTicket> Invoke(IOwinContext context)
{
Logger.Debug(TraceMessages.SignOnHandlerCalled);
ExceptionDispatchInfo authFailedEx = null;
try {
var messageReceivedNotification = new MessageReceivedNotification<SamlMessage, SamlAuthenticationOptions>(context, options)
{
ProtocolMessage = new SamlMessage(context, configuration, null)
};
await options.Notifications.MessageReceived(messageReceivedNotification);
if (messageReceivedNotification.HandledResponse) {
return null; // GetHandledResponseTicket()
}
if (messageReceivedNotification.Skipped) {
return null;
}
var requestParams = await HandleResponse(context);
var assertion = context.Get<Saml20Assertion>("Saml2:assertion");
var securityTokenReceivedNotification = new SecurityTokenReceivedNotification<SamlMessage, SamlAuthenticationOptions>(context, options)
{
ProtocolMessage = new SamlMessage(context, configuration, assertion)
};
await options.Notifications.SecurityTokenReceived(securityTokenReceivedNotification);
if (securityTokenReceivedNotification.HandledResponse) {
return null; // GetHandledResponseTicket();
}
if (securityTokenReceivedNotification.Skipped) {
return null;
}
var ticket = await GetAuthenticationTicket(context, requestParams);
var securityTokenValidatedNotification = new SecurityTokenValidatedNotification<SamlMessage, SamlAuthenticationOptions>(context, options)
{
AuthenticationTicket = ticket,
ProtocolMessage = new SamlMessage(context, configuration, assertion)
};
await options.Notifications.SecurityTokenValidated(securityTokenValidatedNotification);
if (securityTokenValidatedNotification.HandledResponse) {
return null; // GetHandledResponseTicket();
}
if (securityTokenValidatedNotification.Skipped) {
return null; // null;
}
// Flow possible changes
ticket = securityTokenValidatedNotification.AuthenticationTicket;
context.Authentication.AuthenticationResponseGrant = new AuthenticationResponseGrant(ticket.Identity, ticket.Properties);
return ticket;
}
catch (Exception ex) {
authFailedEx = ExceptionDispatchInfo.Capture(ex);
}
if (authFailedEx != null) {
Logger.Error("Exception occurred while processing message: " + authFailedEx.SourceException);
var message = new SamlMessage(context, configuration, context.Get<Saml20Assertion>("Saml2:assertion"));
var authenticationFailedNotification = new AuthenticationFailedNotification<SamlMessage, SamlAuthenticationOptions>(context, options)
{
ProtocolMessage = message,
Exception = authFailedEx.SourceException
};
await options.Notifications.AuthenticationFailed(authenticationFailedNotification);
if (authenticationFailedNotification.HandledResponse) {
return null;//GetHandledResponseTicket();
}
if (authenticationFailedNotification.Skipped) {
return null; //null
}
authFailedEx.Throw();
}
return null;
}
// We need to update these values each time we receive a new token, so the SingleSignOut
// javascript has access to the correct values.
public async static Task SecurityTokenValidated(SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
{
// Get Tenant-Specific Metadata (Authorization Endpoint), needed for making prompt=none request in RedirectToIdentityProvider
OpenIdConnectAuthenticationOptions tenantSpecificOptions = new OpenIdConnectAuthenticationOptions();
tenantSpecificOptions.Authority = AADInstance + notification.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
tenantSpecificOptions.ConfigurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(tenantSpecificOptions.Authority + "/.well-known/openid-configuration");
OpenIdConnectConfiguration tenantSpecificConfig = await tenantSpecificOptions.ConfigurationManager.GetConfigurationAsync(notification.Request.CallCancelled);
notification.AuthenticationTicket.Identity.AddClaim(new Claim("issEndpoint", tenantSpecificConfig.AuthorizationEndpoint, ClaimValueTypes.String, "WebApp-Distributed-SignOut-DotNet"));
CheckSessionIFrame = notification.AuthenticationTicket.Properties.Dictionary[OpenIdConnectSessionProperties.CheckSessionIFrame];
return;
}
