        /// <summary>
        /// Builds, lazily, the bearer options used to validate JWTs locally
        /// (no round trip to the identity server per request).
        /// </summary>
        /// <param name="options">The options. Either <c>IssuerName</c> plus
        /// <c>SigningCertificate</c> (static configuration) or <c>Authority</c>
        /// (discovery document) must be set.</param>
        /// <param name="loggerFactory">The logger factory, handed to the discovery provider.</param>
        /// <returns>A lazy whose factory may run more than once under contention
        /// (<see cref="LazyThreadSafetyMode.PublicationOnly"/>); the first result to be
        /// published wins.</returns>
        /// <exception cref="Exception">Thrown by the factory when neither the static
        /// configuration nor <c>Authority</c> is available.</exception>
        internal static Lazy <OAuthBearerAuthenticationOptions> ConfigureLocalValidation(IdentityServerBearerTokenAuthenticationOptions options, ILoggerFactory loggerFactory)
        {
            return(new Lazy <OAuthBearerAuthenticationOptions>(() =>
            {
                // NOTE(review): stays null in the discovery branch below because the
                // JwtFormat construction there is commented out - see the note near the end.
                JwtFormat tokenFormat = null;

                // use static configuration
                if (!string.IsNullOrWhiteSpace(options.IssuerName) &&
                    options.SigningCertificate != null)
                {
                    // expected audience is "<issuer>/resources"
                    var audience = options.IssuerName.EnsureTrailingSlash();
                    audience += "resources";

                    var valParams = new TokenValidationParameters
                    {
                        ValidIssuer = options.IssuerName,
                        ValidAudience = audience,
                        // NOTE(review): the signing key assignment below is disabled, so these
                        // parameters carry no key for signature validation. Whether JwtFormat
                        // then rejects every token or skips the signature check is not visible
                        // here - confirm before relying on this branch.
//                        IssuerSigningToken = new X509SecurityToken(options.SigningCertificate),

                        NameClaimType = options.NameClaimType,
                        RoleClaimType = options.RoleClaimType,
                    };

                    tokenFormat = new JwtFormat(valParams);
                }
                else
                {
                    // use discovery endpoint
                    if (string.IsNullOrWhiteSpace(options.Authority))
                    {
                        throw new Exception("Either set IssuerName and SigningCertificate - or Authority");
                    }

                    // "<authority>/.well-known/openid-configuration"
                    var discoveryEndpoint = options.Authority.EnsureTrailingSlash();
                    discoveryEndpoint += ".well-known/openid-configuration";

                    // Under PublicationOnly this provider may be constructed more than once
                    // if several threads touch the lazy concurrently.
                    var issuerProvider = new DiscoveryDocumentIssuerSecurityTokenProvider(
                        discoveryEndpoint,
                        options,
                        loggerFactory);

                    // No ValidIssuer here: presumably the issuer is supplied by issuerProvider
                    // once it is passed to JwtFormat (see the disabled line below) - confirm.
                    var valParams = new TokenValidationParameters
                    {
                        ValidAudience = issuerProvider.Audience,
                        NameClaimType = options.NameClaimType,
                        RoleClaimType = options.RoleClaimType
                    };

                    if (options.IssuerSigningKeyResolver != null)
                    {
                        valParams.IssuerSigningKeyResolver = options.IssuerSigningKeyResolver;
                    }
                    else
                    {
                        // NOTE(review): the default resolver is disabled, so no
                        // IssuerSigningKeyResolver is set unless the caller supplied one.
//                        valParams.IssuerSigningKeyResolver = ResolveRsaKeys;
                    }

                    // NOTE(review): with this line disabled, valParams and issuerProvider are
                    // never used, tokenFormat remains null and AccessTokenFormat below is null
                    // for discovery-based configuration. What the middleware does with a null
                    // format is not visible here - confirm it fails closed.
//                    tokenFormat = new JwtFormat(valParams, issuerProvider);
                }


                var bearerOptions = new OAuthBearerAuthenticationOptions
                {
                    AccessTokenFormat = tokenFormat,
                    AuthenticationMode = options.AuthenticationMode,
                    AuthenticationType = options.AuthenticationType,
                    Provider = new ContextTokenProvider(options.TokenProvider)
                };

                return bearerOptions;
            // PublicationOnly: concurrent first accesses may each run this factory.
            }, LazyThreadSafetyMode.PublicationOnly));
        }
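        /// <summary>
        /// Add identity server token authentication to the pipeline.
        /// </summary>
        /// <param name="app">The application.</param>
        /// <param name="options">The options. <c>ValidationMode</c> selects local JWT
        /// validation, validation-endpoint validation, or both.</param>
        /// <returns>The same <paramref name="app"/>, for chaining.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="app"/> or
        /// <paramref name="options"/> is null.</exception>
        /// <exception cref="ArgumentException"><c>options.ValidationMode</c> is not a
        /// recognised <see cref="ValidationMode"/> value.</exception>
        public static IAppBuilder UseIdentityServerBearerTokenAuthentication(this IAppBuilder app, IdentityServerBearerTokenAuthenticationOptions options)
        {
            if (app == null)
            {
                throw new ArgumentNullException("app");
            }
            if (options == null)
            {
                throw new ArgumentNullException("options");
            }

            var loggerFactory     = app.GetLoggerFactory();
            var middlewareOptions = new IdentityServerOAuthBearerAuthenticationOptions();

            // Each branch only wires up a Lazy; nothing is evaluated yet.
            switch (options.ValidationMode)
            {
            case ValidationMode.Local:
                middlewareOptions.LocalValidationOptions = ConfigureLocalValidation(options, loggerFactory);
                break;

            case ValidationMode.ValidationEndpoint:
                middlewareOptions.EndpointValidationOptions = ConfigureEndpointValidation(options, loggerFactory);
                break;

            case ValidationMode.Both:
                middlewareOptions.LocalValidationOptions    = ConfigureLocalValidation(options, loggerFactory);
                middlewareOptions.EndpointValidationOptions = ConfigureEndpointValidation(options, loggerFactory);
                break;

            default:
                // A specific exception type instead of a bare Exception, so callers can
                // tell a configuration mistake apart from any other failure.
                throw new ArgumentException("ValidationMode has invalid value", "options");
            }

            if (!options.DelayLoadMetadata)
            {
                // Evaluate the lazy members now so that any configuration error they
                // raise (e.g. a missing Authority) surfaces at startup rather than on
                // the first request.

                if (middlewareOptions.LocalValidationOptions != null)
                {
                    var ignore = middlewareOptions.LocalValidationOptions.Value;
                }

                if (middlewareOptions.EndpointValidationOptions != null)
                {
                    var ignore = middlewareOptions.EndpointValidationOptions.Value;
                }
            }

            if (options.TokenProvider != null)
            {
                middlewareOptions.TokenProvider = options.TokenProvider;
            }

            app.Use <IdentityServerBearerTokenValidationMiddleware>(app, middlewareOptions, loggerFactory);

            // Null-safe: a caller that explicitly nulls RequiredScopes gets no scope
            // enforcement rather than a NullReferenceException at startup.
            if (options.RequiredScopes != null && options.RequiredScopes.Any())
            {
                var scopeOptions = new ScopeRequirementOptions
                {
                    AuthenticationType = options.AuthenticationType,
                    RequiredScopes     = options.RequiredScopes
                };

                app.Use <ScopeRequirementMiddleware>(scopeOptions);
            }

            if (options.PreserveAccessToken)
            {
                app.Use <PreserveAccessTokenMiddleware>();
            }

            app.UseStageMarker(PipelineStage.Authenticate);

            return app;
        }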
        /// <summary>
        /// Builds, lazily, the bearer options used to validate tokens by calling the
        /// identity server (introspection endpoint or validation endpoint).
        /// </summary>
        /// <param name="options">The options.</param>
        /// <param name="loggerFactory">The logger factory, handed to the token provider.</param>
        /// <returns>A lazy created with <c>isThreadSafe: true</c>, i.e. the factory runs
        /// at most once even under concurrent first access.</returns>
        private static Lazy <OAuthBearerAuthenticationOptions> ConfigureEndpointValidation(IdentityServerBearerTokenAuthenticationOptions options, ILoggerFactory loggerFactory)
        {
            Func<OAuthBearerAuthenticationOptions> build = () =>
            {
                // Create the default in-memory cache on first use. This mutates the
                // options instance the caller passed in.
                // NOTE(review): a cached result is presumably reused until the cache
                // expires it, so revocation is only observed after expiry - confirm the
                // cache lifetime fits the deployment.
                if (options.EnableValidationResultCache && options.ValidationResultCache == null)
                {
                    options.ValidationResultCache = new InMemoryValidationResultCache(options);
                }

                // A ClientId or a custom HTTP handler selects the introspection endpoint;
                // otherwise the validation endpoint is used.
                var useIntrospection = !string.IsNullOrEmpty(options.ClientId)
                                       || options.IntrospectionHttpHandler != null;

                var bearerOptions = new OAuthBearerAuthenticationOptions
                {
                    AuthenticationMode = options.AuthenticationMode,
                    AuthenticationType = options.AuthenticationType,
                    Provider = new ContextTokenProvider(options.TokenProvider),
                };

                if (useIntrospection)
                {
                    bearerOptions.AccessTokenProvider = new IntrospectionEndpointTokenProvider(options, loggerFactory);
                }
                else
                {
                    bearerOptions.AccessTokenProvider = new ValidationEndpointTokenProvider(options, loggerFactory);
                }

                return bearerOptions;
            };

            return new Lazy <OAuthBearerAuthenticationOptions>(build, true);
        }