public IAsyncResult BeginAuthenticateAsClient(string targetHost, AsyncCallback asyncCallback, Object asyncState) { var waitCallback = new WaitCallback(StartAuthentication); var result = new AuthenticateResult(); result.Callback = asyncCallback; result.AsyncState = asyncState; ThreadPool.QueueUserWorkItem(waitCallback, result); return result; }
public static void RaiseLocalLoginSuccessEvent(this IEventService events, IDictionary<string, object> env, string username, SignInMessage signInMessage, AuthenticateResult authResult) { if (events == null) throw new ArgumentNullException("events"); var evt = new LocalAuthenticationEvent() { Id = EventConstants.Ids.SuccessfulLocalLogin, EventType = EventType.Success, Message = Resources.Events.LocalLoginSuccess, SubjectId = authResult.User.GetSubjectId(), SignInMessage = signInMessage, LoginUserName = username }; evt.ApplyEnvironment(env); events.Raise(evt); }
public override Task<AuthenticateResult> PreAuthenticateAsync(SignInMessage message) { var idp = context.Request.Cookies["idp"]; if (String.IsNullOrWhiteSpace(idp)) { // no idp, so redirect var url = new Claim("url", context.Request.Uri.AbsoluteUri); var result = new AuthenticateResult("~/hrd", "hrd", "hrd", new Claim[] { url }); return Task.FromResult(result); } else { // we have idp, so set it context.Response.Cookies.Append("idp", ".", new CookieOptions { Expires = DateTime.UtcNow.AddYears(-1) }); message.IdP = idp; return Task.FromResult<AuthenticateResult>(null); } }
public Task<AuthenticateResult> AuthenticateLocalAsync(string username, string password, SignInMessage message = null) { if (message != null) { var tenant = message.Tenant; if (username == password) { var claims = new List<Claim> { new Claim("account_store", tenant) }; var result = new AuthenticateResult("123", username, claims: claims, authenticationMethod: "custom"); return Task.FromResult(new AuthenticateResult("123", username, claims)); } } // default account store throw new NotImplementedException(); }
private IHttpActionResult SignInAndRedirect( AuthenticateResult authResult, string authenticationMethod, string identityProvider, long authTime = 0) { SignIn(authResult, authenticationMethod, identityProvider, authTime); var redirectUrl = GetRedirectUrl(authResult); Logger.InfoFormat("redirecting to: {0}", redirectUrl); return Redirect(redirectUrl); }
private async Task <(ApplicationUser user, string provider, string providerUserId, IEnumerable <Claim> claims)> FindUserFromExternalProviderAsync(AuthenticateResult result) { var externalUser = result.Principal; // try to determine the unique id of the external user (issued by the provider) // the most common claim type for that are the sub claim and the NameIdentifier // depending on the external provider, some other claim type might be used var userIdClaim = externalUser.FindFirst(JwtClaimTypes.Subject) ?? externalUser.FindFirst(ClaimTypes.NameIdentifier) ?? throw new Exception("Unknown userid"); // remove the user id claim so we don't include it as an extra claim if/when we provision the user var claims = externalUser.Claims.ToList(); claims.Remove(userIdClaim); var provider = result.Properties.Items["scheme"]; var providerUserId = userIdClaim.Value; // find external user var user = await _userManager.FindByLoginAsync(provider, providerUserId); //_user.FindByExternalProvider(provider, providerUserId); return(user, provider, providerUserId, claims); }
private (TestUser user, string provider, string providerUserId, IEnumerable <Claim> claims) FindUserFromExternalProvider(AuthenticateResult result) { var externalUser = result.Principal; // try to determine the unique id of the external user (issued by the provider) // the most common claim type for that are the sub claim and the NameIdentifier // depending on the external provider, some other claim type might be used var userIdClaim = externalUser.FindFirst(JwtClaimTypes.Subject) ?? externalUser.FindFirst(ClaimTypes.NameIdentifier) ?? // We also want to check upn as a possible user id before failing externalUser.FindFirst(ClaimTypes.Upn) ?? throw new Exception("Unknown userid"); // Don't remove the user id claim here because we might want to include it in a token var claims = externalUser.Claims.ToList(); var provider = result.Properties.Items["scheme"]; var providerUserId = userIdClaim.Value; // find external user var user = _users.FindByExternalProvider(provider, providerUserId); return(user, provider, providerUserId, claims); }
private async Task <AuthenticateResult> HandleLegacyAuthentication(UserSettings userSettings, HttpContext context) { // ************************************************** // Authenticate based on SiteMinder Headers // ************************************************** _logger.Debug("Parsing the HTTP headers for SiteMinder authentication credential"); _logger.Debug("Getting user data from headers"); FileManagerClient _fileManagerClient = (FileManagerClient)context.RequestServices.GetService(typeof(FileManagerClient)); if (!string.IsNullOrEmpty(context.Request.Headers[_options.SiteMinderUserDisplayNameKey])) { userSettings.UserDisplayName = context.Request.Headers[_options.SiteMinderUserDisplayNameKey]; } if (!string.IsNullOrEmpty(context.Request.Headers[_options.SiteMinderBusinessLegalNameKey])) { userSettings.BusinessLegalName = context.Request.Headers[_options.SiteMinderBusinessLegalNameKey]; } var userId = context.Request.Headers[_options.SiteMinderUserNameKey]; if (string.IsNullOrEmpty(userId)) { userId = context.Request.Headers[_options.SiteMinderUniversalIdKey]; } string siteMinderGuid = context.Request.Headers[_options.SiteMinderUserGuidKey]; string siteMinderBusinessGuid = context.Request.Headers[_options.SiteMinderBusinessGuidKey]; string siteMinderUserType = context.Request.Headers[_options.SiteMinderUserTypeKey]; // ************************************************** // Validate credentials // ************************************************** if (string.IsNullOrEmpty(userId)) { _logger.Debug(_options.MissingSiteMinderUserIdError); return(AuthenticateResult.Fail(_options.MissingSiteMinderGuidError)); } if (string.IsNullOrEmpty(siteMinderGuid)) { _logger.Debug(_options.MissingSiteMinderGuidError); return(AuthenticateResult.Fail(_options.MissingSiteMinderGuidError)); } if (string.IsNullOrEmpty(siteMinderUserType)) { _logger.Debug(_options.MissingSiteMinderUserTypeError); return(AuthenticateResult.Fail(_options.MissingSiteMinderUserTypeError)); } _logger.Debug("Loading user external id = " + siteMinderGuid); // 3/18/2020 - Note that LoadUserLegacy will now work if there is a match on the guid, as well as a match on name in a case where there is no guid. userSettings.AuthenticatedUser = await _dynamicsClient.LoadUserLegacy(siteMinderGuid, context.Request.Headers, _ms_logger); _logger.Information("After getting authenticated user = "******" (" + userId + ")"); return(AuthenticateResult.Fail(_options.InactivegDbUserIdError)); } // set the usertype to siteminder if (userSettings.AuthenticatedUser != null && !string.IsNullOrEmpty(siteMinderUserType)) { userSettings.AuthenticatedUser.UserType = siteMinderUserType; } userSettings.UserType = siteMinderUserType; // Get the various claims for the current user. ClaimsPrincipal userPrincipal = userSettings.AuthenticatedUser.ToClaimsPrincipal(_options.Scheme, userSettings.UserType); // ************************************************** // Create authenticated user // ************************************************** _logger.Debug("Authentication successful: " + userId); _logger.Debug("Setting identity and creating session for: " + userId); // create session info for the current user userSettings.UserId = userId; userSettings.UserAuthenticated = true; userSettings.IsNewUserRegistration = userSettings.AuthenticatedUser == null; // set other session info userSettings.SiteMinderGuid = siteMinderGuid; userSettings.SiteMinderBusinessGuid = siteMinderBusinessGuid; _logger.Debug("Before getting contact and account ids = " + userSettings.GetJson()); if (userSettings.AuthenticatedUser != null) { userSettings.ContactId = userSettings.AuthenticatedUser.ContactId.ToString(); // ensure that the given account has a documents folder. if (siteMinderBusinessGuid != null) // BCeID user { var contact = _dynamicsClient.GetActiveContactByExternalId(userSettings.ContactId); if (contact == null) { // try by other means. var contactVM = new ViewModels.Contact(); contactVM.CopyHeaderValues(context.Request.Headers); contact = _dynamicsClient.GetContactByContactVmBlankSmGuid(contactVM); } if (contact != null && contact.Contactid != null) { await CreateSharePointContactDocumentLocation(_fileManagerClient, contact); } // Note that this will search for active accounts var account = await _dynamicsClient.GetActiveAccountBySiteminderBusinessGuid(siteMinderBusinessGuid); if (account == null) { // try by other means. account = _dynamicsClient.GetActiveAccountByLegalName(userSettings.BusinessLegalName); } if (account != null && account.Accountid != null) { userSettings.AccountId = account.Accountid; userSettings.AuthenticatedUser.AccountId = Guid.Parse(account.Accountid); // ensure that the given account has a documents folder. await CreateSharePointAccountDocumentLocation(_fileManagerClient, account); } else // force the new user process if contact exists but account does not. { userSettings.AuthenticatedUser = null; userSettings.IsNewUserRegistration = true; } // handle cases where Contact was deleted. if (contact == null) { userSettings.IsNewUserRegistration = true; } } } // add the worker settings if it is a new user. if (userSettings.IsNewUserRegistration) { userSettings.NewWorker = new Worker(); userSettings.NewWorker.CopyHeaderValues(context.Request.Headers); userSettings.NewContact = new ViewModels.Contact(); userSettings.NewContact.CopyHeaderValues(context.Request.Headers); } else if (siteMinderUserType == "VerifiedIndividual") { await HandleVerifiedIndividualLogin(userSettings, context); if (HttpUtility.ParseQueryString(context.Request.QueryString.ToString()).Get("path") != "cannabis-associate-screening") { await HandleWorkerLogin(userSettings, context); } } // ************************************************** // Update user settings // ************************************************** UserSettings.SaveUserSettings(userSettings, context); return(AuthenticateResult.Success(new AuthenticationTicket(userPrincipal, null, Options.Scheme))); }
private async Task <AuthenticateResult> LoginDevUser(HttpContext context, IDynamicsClient dynamicsClient) { string userId = null; string devCompanyId = null; bool isDeveloperLogin = false; bool isBCSCDeveloperLogin = false; UserSettings userSettings = new UserSettings(); // check for a fake BCeID login string temp = context.Request.Cookies[_options.DevAuthenticationTokenKey]; if (string.IsNullOrEmpty(temp)) // could be an automated test user. { temp = context.Request.Headers["DEV-USER"]; } if (!string.IsNullOrEmpty(temp)) { if (temp.Contains("::")) { var temp2 = temp.Split("::"); userId = temp2[0]; if (temp2.Length >= 2) { devCompanyId = temp2[1]; } else { devCompanyId = temp2[0]; } } else { userId = temp; devCompanyId = temp; } isDeveloperLogin = true; _logger.Debug("Got user from dev cookie = " + userId + ", company = " + devCompanyId); } else { // same set of tests for a BC Services Card dev login temp = context.Request.Cookies[_options.DevBCSCAuthenticationTokenKey]; if (string.IsNullOrEmpty(temp)) // could be an automated test user. { temp = context.Request.Headers["DEV-BCSC-USER"]; } if (!string.IsNullOrEmpty(temp)) { userId = temp; isBCSCDeveloperLogin = true; _logger.Debug("Got user from dev cookie = " + userId); } } if (isDeveloperLogin) { _logger.Debug("Generating a Development user"); userSettings.BusinessLegalName = devCompanyId + " TestBusiness"; userSettings.UserDisplayName = userId + " TestUser"; userSettings.SiteMinderGuid = GuidUtility.CreateIdForDynamics("contact", userSettings.UserDisplayName).ToString(); userSettings.SiteMinderBusinessGuid = GuidUtility.CreateIdForDynamics("account", userSettings.BusinessLegalName).ToString(); userSettings.UserType = "Business"; } else if (isBCSCDeveloperLogin) { _logger.Debug("Generating a Development BC Services user"); userSettings.BusinessLegalName = null; userSettings.UserDisplayName = userId + " Associate"; userSettings.SiteMinderGuid = GuidUtility.CreateIdForDynamics("bcsc", userSettings.UserDisplayName).ToString(); userSettings.SiteMinderBusinessGuid = null; userSettings.UserType = "VerifiedIndividual"; } NameValueCollection queryStringParams = HttpUtility.ParseQueryString(context.Request.QueryString.ToString()); if (queryStringParams.Get("path") == "cannabis-associate-screening" && queryStringParams.Get("success") == "false") { context.Request.Headers.Add("smgov_givenname", "NORMAN"); context.Request.Headers.Add("smgov_givennames", "Norman Percevel "); context.Request.Headers.Add("smgov_useremail", "*****@*****.**"); context.Request.Headers.Add("smgov_birthdate", "1986-12-03"); context.Request.Headers.Add("smgov_sex", "Male"); context.Request.Headers.Add("smgov_streetaddress", "2000 STORMAN ROW"); context.Request.Headers.Add("smgov_city", "PENTICTON"); context.Request.Headers.Add("smgov_postalcode", "V8V8V8"); context.Request.Headers.Add("smgov_province", "BC"); context.Request.Headers.Add("smgov_country", "CA"); context.Request.Headers.Add("smgov_surname", "ROCKWELL"); userSettings.UserDisplayName = "NORMAN ROCKWELL"; } else if (queryStringParams.Get("path") == "cannabis-associate-screening") { context.Request.Headers.Add("smgov_givenname", "JOE"); context.Request.Headers.Add("smgov_givennames", "Joe Shmoe "); context.Request.Headers.Add("smgov_useremail", "*****@*****.**"); context.Request.Headers.Add("smgov_birthdate", "1986-12-03"); context.Request.Headers.Add("smgov_sex", "Male"); context.Request.Headers.Add("smgov_streetaddress", "2000 COLONIAL ROW"); context.Request.Headers.Add("smgov_city", "PENTICTON"); context.Request.Headers.Add("smgov_postalcode", "V2A7P4"); context.Request.Headers.Add("smgov_province", "BC"); context.Request.Headers.Add("smgov_country", "CA"); context.Request.Headers.Add("smgov_surname", "ONE"); userSettings.UserDisplayName = "JOE ONE"; userSettings.ContactId = "3c254b30-ebf2-ea11-b81d-00505683fbf4"; } _logger.Debug("DEV MODE Setting identity and creating session for: " + userId); // create session info for the current user userSettings.AuthenticatedUser = await _dynamicsClient.LoadUserLegacy(userSettings.SiteMinderGuid, context.Request.Headers, _ms_logger); if (userSettings.AuthenticatedUser == null) { userSettings.UserAuthenticated = true; userSettings.IsNewUserRegistration = true; } else { userSettings.AuthenticatedUser.UserType = userSettings.UserType; userSettings.AccountId = userSettings.AuthenticatedUser.AccountId.ToString(); userSettings.ContactId = userSettings.AuthenticatedUser.ContactId.ToString(); userSettings.UserAuthenticated = true; userSettings.IsNewUserRegistration = false; } userSettings.UserId = userId; ClaimsPrincipal userPrincipal = userSettings.AuthenticatedUser.ToClaimsPrincipal(_options.Scheme, userSettings.UserType); UserSettings.SaveUserSettings(userSettings, context); return(AuthenticateResult.Success(new AuthenticationTicket(userPrincipal, null, _options.Scheme))); }
public async Task<IHttpActionResult> ResumeLoginFromRedirect(string resume) { Logger.Info("Callback requested to resume login from partial login"); if (resume.IsMissing()) { Logger.Error("no resumeId passed"); return RenderErrorPage(); } var user = await context.GetIdentityFromPartialSignIn(); if (user == null) { Logger.Error("no identity from partial login"); return RenderErrorPage(); } var type = GetClaimTypeForResumeId(resume); var resumeClaim = user.FindFirst(type); if (resumeClaim == null) { Logger.Error("no claim matching resumeId"); return RenderErrorPage(); } var signInId = resumeClaim.Value; if (signInId.IsMissing()) { Logger.Error("No signin id found in resume claim"); return RenderErrorPage(); } var signInMessage = signInMessageCookie.Read(signInId); if (signInMessage == null) { Logger.Error("No cookie matching signin id found"); return RenderErrorPage(localizationService.GetMessage(MessageIds.NoSignInCookie)); } // check to see if the partial login has all the claim types needed to login AuthenticateResult result = null; if (Constants.AuthenticateResultClaimTypes.All(claimType => user.HasClaim(claimType))) { Logger.Info("Authentication claims found -- logging user in"); // the user/subject was known, so pass thru (without the redirect claims) if (user.HasClaim(Constants.ClaimTypes.PartialLoginReturnUrl)) { user.RemoveClaim(user.FindFirst(Constants.ClaimTypes.PartialLoginReturnUrl)); } if (user.HasClaim(Constants.ClaimTypes.ExternalProviderUserId)) { user.RemoveClaim(user.FindFirst(Constants.ClaimTypes.ExternalProviderUserId)); } if (user.HasClaim(GetClaimTypeForResumeId(resume))) { user.RemoveClaim(user.FindFirst(GetClaimTypeForResumeId(resume))); } result = new AuthenticateResult(new ClaimsPrincipal(user)); eventService.RaisePartialLoginCompleteEvent(user, signInId, signInMessage); } else { Logger.Info("Authentication claims not found -- looking for ExternalProviderUserId to call AuthenticateExternalAsync"); // the user was not known, we need to re-execute AuthenticateExternalAsync // to obtain a subject to proceed var externalProviderClaim = user.FindFirst(Constants.ClaimTypes.ExternalProviderUserId); if (externalProviderClaim == null) { Logger.Error("No ExternalProviderUserId claim found -- rendering error page"); return RenderErrorPage(); } var provider = externalProviderClaim.Issuer; var providerId = externalProviderClaim.Value; var externalId = new ExternalIdentity { Provider = provider, ProviderId = providerId, Claims = user.Claims }; result = await userService.AuthenticateExternalAsync(externalId, signInMessage); if (result == null) { Logger.Warn("user service failed to authenticate external identity"); var msg = localizationService.GetMessage(MessageIds.NoMatchingExternalAccount); eventService.RaiseExternalLoginFailureEvent(externalId, signInId, signInMessage, msg); return await RenderLoginPage(signInMessage, signInId, msg); } if (result.IsError) { Logger.WarnFormat("user service returned error message: {0}", result.ErrorMessage); eventService.RaiseExternalLoginFailureEvent(externalId, signInId, signInMessage, result.ErrorMessage); return await RenderLoginPage(signInMessage, signInId, result.ErrorMessage); } eventService.RaiseExternalLoginSuccessEvent(externalId, signInId, signInMessage, result); } return SignInAndRedirect(signInMessage, signInId, result); }
protected override async Task <AuthenticateResult> HandleRemoteAuthenticateAsync() { AuthenticationProperties properties = null; var query = Request.Query; var error = query["error"]; if (!StringValues.IsNullOrEmpty(error)) { var failureMessage = new StringBuilder(); failureMessage.Append(error); var errorDescription = query["error_description"]; if (!StringValues.IsNullOrEmpty(errorDescription)) { failureMessage.Append(";Description=").Append(errorDescription); } var errorUri = query["error_uri"]; if (!StringValues.IsNullOrEmpty(errorUri)) { failureMessage.Append(";Uri=").Append(errorUri); } return(AuthenticateResult.Fail(failureMessage.ToString())); } var code = query["code"]; var state = query["state"]; properties = Options.StateDataFormat.Unprotect(state); if (properties == null) { return(AuthenticateResult.Fail("The oauth state was missing or invalid.")); } // OAuth2 10.12 CSRF if (!ValidateCorrelationId(properties)) { return(AuthenticateResult.Fail("Correlation failed.")); } if (StringValues.IsNullOrEmpty(code)) { return(AuthenticateResult.Fail("Code was not found.")); } var tokens = await ExchangeCodeAsync(code, BuildRedirectUri(Options.CallbackPath)); if (tokens.Error != null) { return(AuthenticateResult.Fail(tokens.Error)); } if (string.IsNullOrEmpty(tokens.AccessToken)) { return(AuthenticateResult.Fail("Failed to retrieve access token.")); } var identity = new ClaimsIdentity(Options.ClaimsIssuer); if (Options.SaveTokens) { var authTokens = new List <AuthenticationToken>(); authTokens.Add(new AuthenticationToken { Name = "access_token", Value = tokens.AccessToken }); if (!string.IsNullOrEmpty(tokens.RefreshToken)) { authTokens.Add(new AuthenticationToken { Name = "refresh_token", Value = tokens.RefreshToken }); } if (!string.IsNullOrEmpty(tokens.TokenType)) { authTokens.Add(new AuthenticationToken { Name = "token_type", Value = tokens.TokenType }); } if (!string.IsNullOrEmpty(tokens.ExpiresIn)) { int value; if (int.TryParse(tokens.ExpiresIn, NumberStyles.Integer, CultureInfo.InvariantCulture, out value)) { // https://www.w3.org/TR/xmlschema-2/#dateTime // https://msdn.microsoft.com/en-us/library/az4se3k1(v=vs.110).aspx var expiresAt = Options.SystemClock.UtcNow + TimeSpan.FromSeconds(value); authTokens.Add(new AuthenticationToken { Name = "expires_at", Value = expiresAt.ToString("o", CultureInfo.InvariantCulture) }); } } properties.StoreTokens(authTokens); } return(AuthenticateResult.Success(await CreateTicketAsync(identity, properties, tokens))); }
public void ProcessLoginCallbackForWsFed(AuthenticateResult externalResult, List <Claim> localClaims, AuthenticationProperties localSignInProps) { }
public async Task <IdentityUser> TryConnectExternalLoginToExistingUser(string providerUserId, AuthenticateResult result) { var user = await FindUser(result); if (user != null) { // mark email as confirmed -- this is saved with the operation below user.EmailConfirmed = true; await TryConnectExternalLoginToUser(user, providerUserId, result); return(user); } return(null); }
/// <summary> /// Searches the 'Authorization' header for a 'Bearer' token. /// </summary> /// <returns></returns> protected override async Task <AuthenticateResult> HandleAuthenticateAsync() { string token = null; try { // Give application opportunity to find from a different location, adjust, or reject token var messageReceivedContext = new MessageReceivedContext(Context, Scheme, Options); // event can set the token await Events.MessageReceived(messageReceivedContext); if (messageReceivedContext.Result != null) { return(messageReceivedContext.Result); } // If application retrieved token from somewhere else, use that. token = messageReceivedContext.Token; if (string.IsNullOrEmpty(token)) { string authorization = Request.Headers["Authorization"]; // If no authorization header found, nothing to process further if (string.IsNullOrEmpty(authorization)) { return(AuthenticateResult.NoResult()); } if (authorization.StartsWith("FakeBearer ", StringComparison.OrdinalIgnoreCase)) { token = authorization.Substring("FakeBearer ".Length).Trim(); } // If no token found, no further work possible if (string.IsNullOrEmpty(token)) { return(AuthenticateResult.NoResult()); } } Dictionary <string, dynamic> tokenDecoded = JsonConvert.DeserializeObject <Dictionary <string, dynamic> >(token); ClaimsIdentity id = new ClaimsIdentity("Identity.Application", "name", "role"); foreach (var td in tokenDecoded) { if (td.Key == "sub") { id.AddClaim(new Claim("sub", td.Value.ToString())); if (!tokenDecoded.Any(c => c.Key == "name")) { id.AddClaim(new Claim("name", td.Value.ToString())); } } else { if (td.Value is string) { id.AddClaim(new Claim(td.Key, td.Value)); } else if (td.Value is IEnumerable) { foreach (string subValue in td.Value) { id.AddClaim(new Claim(td.Key, subValue)); } } else { throw new Exception("Unknown type"); } } } ClaimsPrincipal principal = new ClaimsPrincipal(id); var tokenValidatedContext = new TokenValidatedContext(Context, Scheme, Options) { Principal = principal }; await Events.TokenValidated(tokenValidatedContext); if (tokenValidatedContext.Result != null) { return(tokenValidatedContext.Result); } if (Options.SaveToken) { tokenValidatedContext.Properties.StoreTokens(new[] { new AuthenticationToken { Name = "access_token", Value = token } }); } tokenValidatedContext.Success(); return(tokenValidatedContext.Result); } catch (Exception ex) { var authenticationFailedContext = new AuthenticationFailedContext(Context, Scheme, Options) { Exception = ex }; await Events.AuthenticationFailed(authenticationFailedContext); if (authenticationFailedContext.Result != null) { return(authenticationFailedContext.Result); } throw; } }
protected override async Task <AuthenticateResult> HandleAuthenticateAsync() { if (!Request.Cookies.ContainsKey(AccessToken) || !Request.Cookies.ContainsKey(User_Id)) { Log.Error("No Access Token or User Id found."); return(await Task.FromResult(AuthenticateResult.NoResult())); } if (!AuthenticationHeaderValue.TryParse($"{"Bearer " + Request.Cookies[AccessToken]}", out AuthenticationHeaderValue headerValue)) { Log.Error("Could not pass token from authentication Header"); return(await Task.FromResult(AuthenticateResult.NoResult())); } if (!AuthenticationHeaderValue.TryParse($"{"Bearer " + Request.Cookies[User_Id]}", out AuthenticationHeaderValue headerValueId)) { Log.Error("Could not Parse User Id from authentication Header"); return(await Task.FromResult(AuthenticateResult.NoResult())); } try { var key = Encoding.ASCII.GetBytes(_appSettings.Secret); var handler = new JwtSecurityTokenHandler(); TokenValidationParameters validationParameters = new TokenValidationParameters { ValidateIssuer = true, ValidateIssuerSigningKey = true, ValidateAudience = true, ValidIssuer = _appSettings.Site, ValidAudience = _appSettings.Audience, IssuerSigningKey = new SymmetricSecurityKey(key), ValidateLifetime = true, ClockSkew = TimeSpan.Zero }; var protectorProvider = _provider.GetService <IDataProtectionProvider>(); var protector = protectorProvider.CreateProtector(_dataProtectionKeys.ApplicationUserKey); var decryptedUid = protector.Unprotect(headerValueId.Parameter); var decryptedToken = protector.Unprotect(headerValue.Parameter); TokenModel tokenModel = new TokenModel(); using (var scope = _provider.CreateScope()) { var dbContextService = scope.ServiceProvider.GetService <ApplicationDbContext>(); var userToken = dbContextService.Tokens.Include(x => x.User) .FirstOrDefault(ut => ut.UserId == decryptedUid && ut.User.UserName == Request.Cookies[Username] && ut.User.Id == decryptedUid && ut.User.UserRole == "Administrator"); tokenModel = userToken; } if (tokenModel == null) { return(await Task.FromResult(AuthenticateResult.Fail("You are not authorized to View this page."))); } IDataProtector layerTwoProtector = protectorProvider.CreateProtector(tokenModel?.EncryptionKeyJwt); string decryptedTokenLayerTwo = layerTwoProtector.Unprotect(decryptedToken); var validateToken = handler.ValidateToken(decryptedTokenLayerTwo, validationParameters, out var securityToken); if (!(securityToken is JwtSecurityToken jwtSecurityToken) || !jwtSecurityToken.Header.Alg.Equals(SecurityAlgorithms.HmacSha256, StringComparison.InvariantCultureIgnoreCase)) { return(await Task.FromResult(AuthenticateResult.Fail("You are not authorized to View this page."))); } var username = validateToken.Claims.FirstOrDefault(claim => claim.Type == ClaimTypes.NameIdentifier)?.Value; if (Request.Cookies[Username] != username) { return(await Task.FromResult(AuthenticateResult.Fail("You are not authorized to View this page."))); } var user = await _userManager.FindByNameAsync(username); if (user == null) { return(await Task.FromResult(AuthenticateResult.Fail("You are not authorized to View this page."))); } if (!UserRoles.Contains(user.UserRole)) { return(await Task.FromResult(AuthenticateResult.Fail("You are not authorized to View this page."))); } var identity = new ClaimsIdentity(validateToken.Claims, Scheme.Name); var principal = new ClaimsPrincipal(identity); var ticket = new AuthenticationTicket(principal, Scheme.Name); return(await Task.FromResult(AuthenticateResult.Success(ticket))); } catch (Exception e) { Log.Error("An Error Occured while seeding database {Error} {StackTrace} {InnerException} {Source}", e.Message, e.StackTrace, e.Source); return(await Task.FromResult(AuthenticateResult.Fail("You are not Authorized"))); } }
private static string GetScheme(AuthenticateResult externalLogin) { return(externalLogin.Properties.Items["scheme"]); }
/// <summary> /// 在 "授权" 标头中搜索 "持票人" 令牌。如果找到 "持票人" 令牌, 则使用 <see cref="TokenValidationParameters"/> 在选项设置. /// </summary> /// <returns></returns> protected override async Task <AuthenticateResult> HandleAuthenticateAsync() { string token = null; try { // 提供从不同位置查找、调整或拒绝令牌的应用程序机会 var messageReceivedContext = new MessageReceivedContext(Context, Scheme, Options); // 事件可以设置令牌 await Events.MessageReceived(messageReceivedContext); if (messageReceivedContext.Result != null) { return(messageReceivedContext.Result); } // 如果应用程序从别处检索到标记, 请使用. token = messageReceivedContext.Token; if (string.IsNullOrEmpty(token)) { string authorization = Request.Headers["Authorization"]; // 如果未找到授权标头, 则无法进一步处理 if (string.IsNullOrEmpty(authorization)) { return(AuthenticateResult.NoResult()); } if (authorization.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase)) { token = authorization.Substring("Bearer ".Length).Trim(); } // 如果找不到任何令牌, 则无法进一步工作 if (string.IsNullOrEmpty(token)) { return(AuthenticateResult.NoResult()); } } if (_configuration == null && Options.ConfigurationManager != null) { _configuration = await Options.ConfigurationManager.GetConfigurationAsync(Context.RequestAborted); } var validationParameters = Options.TokenValidationParameters.Clone(); if (_configuration != null) { var issuers = new[] { _configuration.Issuer }; validationParameters.ValidIssuers = validationParameters.ValidIssuers?.Concat(issuers) ?? issuers; validationParameters.IssuerSigningKeys = validationParameters.IssuerSigningKeys?.Concat(_configuration.SigningKeys) ?? _configuration.SigningKeys; } List <Exception> validationFailures = null; SecurityToken validatedToken; foreach (var validator in Options.SecurityTokenValidators) { if (validator.CanReadToken(token)) { ClaimsPrincipal principal; try { principal = validator.ValidateToken(token, validationParameters, out validatedToken); var validJwt = validatedToken as JwtSecurityToken; if (validJwt == null) { throw new ArgumentException("Invalid JWT"); } var uuid = validJwt.Claims.FirstOrDefault(i => i.Type == TokenClaimsKey.UUID); if (uuid != null) { this.Context.SetStringEntry(TokenClaimsKey.UUID, uuid.Value); } var uname = validJwt.Claims.FirstOrDefault(i => i.Type == TokenClaimsKey.UserName); if (uname != null) { this.Context.SetStringEntry(TokenClaimsKey.UserName, uname.Value); } var role = validJwt.Claims.FirstOrDefault(i => i.Type == TokenClaimsKey.RoleID); if (role != null) { this.Context.SetStringEntry(TokenClaimsKey.RoleID, role.Value); } var avatar = validJwt.Claims.FirstOrDefault(i => i.Type == TokenClaimsKey.Avatar); if (avatar != null) { this.Context.SetStringEntry(TokenClaimsKey.Avatar, avatar.Value); } } catch (ArgumentException ex) { if (validationFailures == null) { validationFailures = new List <Exception>(1); } validationFailures.Add(ex); continue; } catch (Exception ex) { //Logger.TokenValidationFailed(token, ex); //为可能由键翻转引起的异常刷新配置。用户还可以请求在事件中进行刷新。 if (Options.RefreshOnIssuerKeyNotFound && Options.ConfigurationManager != null && ex is SecurityTokenSignatureKeyNotFoundException) { Options.ConfigurationManager.RequestRefresh(); } if (validationFailures == null) { validationFailures = new List <Exception>(1); } validationFailures.Add(ex); continue; } //Logger.TokenValidationSucceeded(); var tokenValidatedContext = new TokenValidatedContext(Context, Scheme, Options) { Principal = principal, SecurityToken = validatedToken }; await Events.TokenValidated(tokenValidatedContext); if (tokenValidatedContext.Result != null) { return(tokenValidatedContext.Result); } if (Options.SaveToken) { tokenValidatedContext.Properties.StoreTokens(new[] { new AuthenticationToken { Name = "access_token", Value = token } }); } tokenValidatedContext.Success(); return(tokenValidatedContext.Result); } } if (validationFailures != null) { var authenticationFailedContext = new AuthenticationFailedContext(Context, Scheme, Options) { Exception = (validationFailures.Count == 1) ? validationFailures[0] : new AggregateException(validationFailures) }; await Events.AuthenticationFailed(authenticationFailedContext); if (authenticationFailedContext.Result != null) { return(authenticationFailedContext.Result); } return(AuthenticateResult.Fail(authenticationFailedContext.Exception)); } return(AuthenticateResult.Fail("No SecurityTokenValidator available for token: " + token ?? "[null]")); } catch (Exception ex) { //Logger.ErrorProcessingMessage(ex); var authenticationFailedContext = new AuthenticationFailedContext(Context, Scheme, Options) { Exception = ex }; await Events.AuthenticationFailed(authenticationFailedContext); if (authenticationFailedContext.Result != null) { return(authenticationFailedContext.Result); } throw; } }
public async Task VerifyAccountControllerExternalLoginWithTokensFlow() { // Setup the external cookie like it would look from a real OAuth2 var externalId = "<externalId>"; var authScheme = "<authScheme>"; var externalIdentity = new ClaimsIdentity(); externalIdentity.AddClaim(new Claim(ClaimTypes.NameIdentifier, externalId)); var externalPrincipal = new ClaimsPrincipal(externalIdentity); var externalLogin = new ExternalLoginInfo(externalPrincipal, authScheme, externalId, "displayname") { AuthenticationTokens = new[] { new AuthenticationToken { Name = "refresh_token", Value = "refresh" }, new AuthenticationToken { Name = "access_token", Value = "access" } } }; var context = new DefaultHttpContext(); var auth = MockAuth(context); auth.Setup(a => a.AuthenticateAsync(context, It.IsAny<string>())).Returns(Task.FromResult(AuthenticateResult.NoResult())); var contextAccessor = new Mock<IHttpContextAccessor>(); contextAccessor.Setup(a => a.HttpContext).Returns(context); var services = new ServiceCollection() .AddSingleton<IConfiguration>(new ConfigurationBuilder().Build()) .AddLogging() .AddSingleton(contextAccessor.Object); services.AddIdentity<PocoUser, PocoRole>(); services.AddSingleton<IUserStore<PocoUser>, InMemoryStore<PocoUser, PocoRole>>(); services.AddSingleton<IRoleStore<PocoRole>, InMemoryStore<PocoUser, PocoRole>>(); var app = new ApplicationBuilder(services.BuildServiceProvider()); // Act var user = new PocoUser { UserName = "******" }; var userManager = app.ApplicationServices.GetRequiredService<UserManager<PocoUser>>(); var signInManager = app.ApplicationServices.GetRequiredService<SignInManager<PocoUser>>(); IdentityResultAssert.IsSuccess(await userManager.CreateAsync(user)); IdentityResultAssert.IsSuccess(await userManager.AddLoginAsync(user, new UserLoginInfo(authScheme, externalId, "whatever"))); IdentityResultAssert.IsSuccess(await signInManager.UpdateExternalAuthenticationTokensAsync(externalLogin)); Assert.Equal("refresh", await userManager.GetAuthenticationTokenAsync(user, authScheme, "refresh_token")); Assert.Equal("access", await userManager.GetAuthenticationTokenAsync(user, authScheme, "access_token")); }
private Uri GetRedirectUrl(AuthenticateResult authResult) { if (authResult == null) throw new ArgumentNullException("authResult"); if (authResult.IsPartialSignIn) { return new Uri(Request.RequestUri, authResult.PartialSignInRedirectPath.Value); } else { var signInMessage = LoadSignInMessage(); return new Uri(signInMessage.ReturnUrl); } }
public async Task TryConnectExternalLoginToUser(IdentityUser user, string providerUserId, AuthenticateResult result) { if (user == null) { throw new ArgumentNullException(nameof(user)); } var email = result.Principal.Claims.FindEmail(); var provider = result.Properties.Items["scheme"]; var providerDisplayName = await _authenticationSchemeProvider.GetProviderDisplayName(provider); var identityResult = await _userManager.AddLoginAsync(user, new UserLoginInfo(provider, providerUserId, providerDisplayName), email); if (!identityResult.Succeeded) { throw new Exception(identityResult.Errors.First().Description); } }
public static async Task RaiseLocalLoginSuccessEventAsync(this IEventService events, string username, string signInMessageId, SignInMessage signInMessage, AuthenticateResult authResult) { var evt = new Event <LocalLoginDetails>( EventConstants.Categories.Authentication, Resources.Events.LocalLoginSuccess, EventTypes.Success, EventConstants.Ids.LocalLoginSuccess, new LocalLoginDetails { SubjectId = authResult.HasSubject ? authResult.User.GetSubjectId() : null, Name = authResult.User.Identity.Name, SignInId = signInMessageId, SignInMessage = signInMessage, PartialLogin = authResult.IsPartialSignIn, LoginUserName = username }); await events.RaiseEventAsync(evt); }
protected override async Task <AuthenticateResult> HandleAuthenticateAsync() { var request = Context.GetOpenIdConnectRequest(); if (request == null) { throw new InvalidOperationException("An identity cannot be extracted from this request."); } if (request.IsAuthorizationRequest() || request.IsLogoutRequest()) { if (string.IsNullOrEmpty(request.IdTokenHint)) { return(AuthenticateResult.NoResult()); } var ticket = await DeserializeIdentityTokenAsync(request.IdTokenHint, request); if (ticket == null) { Logger.LogWarning("The identity token extracted from the 'id_token_hint' " + "parameter was invalid or malformed and was ignored."); return(AuthenticateResult.NoResult()); } // Tickets are returned even if they // are considered invalid (e.g expired). return(AuthenticateResult.Success(ticket)); } else if (request.IsTokenRequest()) { // Note: this method can be called from the ApplyTokenResponse event, // which may be invoked for a missing authorization code/refresh token. if (request.IsAuthorizationCodeGrantType()) { if (string.IsNullOrEmpty(request.Code)) { return(AuthenticateResult.NoResult()); } var ticket = await DeserializeAuthorizationCodeAsync(request.Code, request); if (ticket == null) { Logger.LogWarning("The authorization code extracted from the " + "token request was invalid and was ignored."); return(AuthenticateResult.NoResult()); } return(AuthenticateResult.Success(ticket)); } else if (request.IsRefreshTokenGrantType()) { if (string.IsNullOrEmpty(request.RefreshToken)) { return(AuthenticateResult.NoResult()); } var ticket = await DeserializeRefreshTokenAsync(request.RefreshToken, request); if (ticket == null) { Logger.LogWarning("The refresh token extracted from the " + "token request was invalid and was ignored."); return(AuthenticateResult.NoResult()); } return(AuthenticateResult.Success(ticket)); } return(AuthenticateResult.NoResult()); } throw new InvalidOperationException("An identity cannot be extracted from this request."); }
private void IssueAuthenticationCookie(string signInMessageId, AuthenticateResult authResult, bool? rememberMe = null) { if (authResult == null) throw new ArgumentNullException("authResult"); Logger.InfoFormat("issuing cookie{0}", authResult.IsPartialSignIn ? " (partial login)" : ""); var props = new Microsoft.Owin.Security.AuthenticationProperties(); var id = authResult.User.Identities.First(); if (authResult.IsPartialSignIn) { // add claim so partial redirect can return here to continue login // we need a random ID to resume, and this will be the query string // to match a claim added. the claim added will be the original // signIn ID. var resumeId = CryptoRandom.CreateUniqueId(); var resumeLoginUrl = context.GetPartialLoginResumeUrl(resumeId); var resumeLoginClaim = new Claim(Constants.ClaimTypes.PartialLoginReturnUrl, resumeLoginUrl); id.AddClaim(resumeLoginClaim); id.AddClaim(new Claim(GetClaimTypeForResumeId(resumeId), signInMessageId)); } else { signInMessageCookie.Clear(signInMessageId); } if (!authResult.IsPartialSignIn) { // don't issue persistnt cookie if it's a partial signin if (rememberMe == true || (rememberMe != false && this.options.AuthenticationOptions.CookieOptions.IsPersistent)) { // only issue persistent cookie if user consents (rememberMe == true) or // if server is configured to issue persistent cookies and user has not explicitly // denied the rememberMe (false) // if rememberMe is null, then user was not prompted for rememberMe props.IsPersistent = true; if (rememberMe == true) { var expires = DateTimeHelper.UtcNow.Add(options.AuthenticationOptions.CookieOptions.RememberMeDuration); props.ExpiresUtc = new DateTimeOffset(expires); } } } ClearAuthenticationCookies(); context.Authentication.SignIn(props, id); }
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, DefaultRequirement requirement) { AuthorizationFilterContext authorizationFilterContext = context.Resource as AuthorizationFilterContext; HttpContext httpContext = authorizationFilterContext.HttpContext; IAuthenticationHandlerProvider handlers = httpContext.RequestServices.GetRequiredService <IAuthenticationHandlerProvider>(); foreach (AuthenticationScheme scheme in await _schemes.GetRequestHandlerSchemesAsync()) { IAuthenticationRequestHandler handler = await handlers.GetHandlerAsync(httpContext, scheme.Name) as IAuthenticationRequestHandler; if (handler != null && await handler.HandleRequestAsync()) { context.Fail(); return; } } AuthenticationScheme defaultAuthenticate = await _schemes.GetDefaultAuthenticateSchemeAsync(); if (defaultAuthenticate != null) { AuthenticateResult result = await httpContext.AuthenticateAsync(defaultAuthenticate.Name); if (result?.Principal != null) { if (long.Parse(result.Principal.Claims.SingleOrDefault(s => s.Type == "exp").Value) < DateTime.Now.ToIntS()) { authorizationFilterContext.Result = new JsonResult(new MessageResult { Msg = ConifgMessage.TIMEOUT, Status = false }) { StatusCode = 401 }; } else { httpContext.User = result.Principal; if (requirement.Validation != null) { AuthResult validMsg = requirement.Validation(httpContext); if (!validMsg.IsValid) { authorizationFilterContext.Result = new JsonResult(new MessageResult { Msg = validMsg.Msg, Status = false }) { StatusCode = 401 }; } } } } else { authorizationFilterContext.Result = new JsonResult(new MessageResult { Msg = ConifgMessage.NOTRIGHT, Status = false }) { StatusCode = 401 }; } } else { context.Fail(); return; } context.Succeed(requirement); }
private void IssueAuthenticationCookie(SignInMessage signInMessage, string signInMessageId, AuthenticateResult authResult, bool?rememberMe = null) { if (signInMessage == null) { throw new ArgumentNullException("signInId"); } if (authResult == null) { throw new ArgumentNullException("authResult"); } Logger.InfoFormat("issuing cookie{0}", authResult.IsPartialSignIn ? " (partial login)" : ""); var props = new Microsoft.Owin.Security.AuthenticationProperties(); var id = authResult.User.Identities.First(); if (authResult.IsPartialSignIn) { // add claim so partial redirect can return here to continue login // we need a random ID to resume, and this will be the query string // to match a claim added. the claim added will be the original // signIn ID. var resumeId = Guid.NewGuid().ToString("N"); var resumeLoginUrl = Url.Link(Constants.RouteNames.ResumeLoginFromRedirect, new { resume = resumeId }); var resumeLoginClaim = new Claim(Constants.ClaimTypes.PartialLoginReturnUrl, resumeLoginUrl); id.AddClaim(resumeLoginClaim); id.AddClaim(new Claim(GetClaimTypeForResumeId(resumeId), signInMessageId)); } else { ClearSignInCookie(signInMessageId); } if (!authResult.IsPartialSignIn) { // don't issue persistnt cookie if it's a partial signin if (rememberMe == true || (rememberMe != false && this._options.AuthenticationOptions.CookieOptions.IsPersistent)) { // only issue persistent cookie if user consents (rememberMe == true) or // if server is configured to issue persistent cookies and user has not explicitly // denied the rememberMe (false) // if rememberMe is null, then user was not prompted for rememberMe props.IsPersistent = true; if (rememberMe == true) { var expires = DateTime.UtcNow.Add(_options.AuthenticationOptions.CookieOptions.RememberMeDuration); props.ExpiresUtc = new DateTimeOffset(expires); } } } ClearAuthenticationCookies(); var ctx = Request.GetOwinContext(); ctx.Authentication.SignIn(props, id); }
/// <summary> /// Process Authentication Request /// </summary> /// <returns></returns> protected override async Task <AuthenticateResult> HandleAuthenticateAsync() { ClaimsPrincipal principal = new ClaimsPrincipal(); /* * // get siteminder headers * _logger.LogDebug("Parsing the HTTP headers for SiteMinder authentication credential"); * * SiteMinderAuthOptions options = new SiteMinderAuthOptions(); * bool isDeveloperLogin = false; * bool isBCSCDeveloperLogin = false; * try * { * * HttpContext context = Request.HttpContext; * * IHostingEnvironment hostingEnv = (IHostingEnvironment)context.RequestServices.GetService(typeof(IHostingEnvironment)); * * UserSettings userSettings = new UserSettings(); * * string userId = null; * string devCompanyId = null; * string siteMinderGuid = ""; * string siteMinderBusinessGuid = ""; * string siteMinderUserType = ""; * * // ************************************************** * // If this is an Error or Authentiation API - Ignore * // ************************************************** * string url = context.Request.GetDisplayUrl().ToLower(); * * if (url.Contains(".js")) * { * return AuthenticateResult.NoResult(); * } * * // ************************************************** * // Check if we have a Dev Environment Cookie * // ************************************************** * //if (!hostingEnv.IsProduction()) * //{ * // check for a fake BCeID login in dev mode * string temp = context.Request.Cookies[options.DevAuthenticationTokenKey]; * * if (string.IsNullOrEmpty(temp)) // could be an automated test user. * { * temp = context.Request.Headers["DEV-USER"]; * } * * if (!string.IsNullOrEmpty(temp)) * { * if (temp.Contains("::")) * { * var temp2 = temp.Split("::"); * userId = temp2[0]; * if (temp2.Length >= 2) * devCompanyId = temp2[1]; * else * devCompanyId = temp2[0]; * } * else * { * userId = temp; * devCompanyId = temp; * } * isDeveloperLogin = true; * * _logger.LogDebug("Got user from dev cookie = " + userId + ", company = " + devCompanyId); * } * else * { * // same set of tests for a BC Services Card dev login * temp = context.Request.Cookies[options.DevBCSCAuthenticationTokenKey]; * * if (string.IsNullOrEmpty(temp)) // could be an automated test user. * { * temp = context.Request.Headers["DEV-BCSC-USER"]; * } * * if (!string.IsNullOrEmpty(temp)) * { * userId = temp; * isBCSCDeveloperLogin = true; * * _logger.LogDebug("Got user from dev cookie = " + userId); * } * } * //} * * // ************************************************** * // Check if the user session is already created * // ************************************************** * try * { * _logger.LogInformation("Checking user session"); * userSettings = UserSettings.ReadUserSettings(context); * _logger.LogDebug("UserSettings found: " + userSettings.GetJson()); * } * catch * { * //do nothing * _logger.LogDebug("No UserSettings found"); * } * * // is user authenticated - if so we're done * if ((userSettings.UserAuthenticated && string.IsNullOrEmpty(userId)) || * (userSettings.UserAuthenticated && !string.IsNullOrEmpty(userId) && * !string.IsNullOrEmpty(userSettings.UserId) && userSettings.UserId == userId)) * { * _logger.LogDebug("User already authenticated with active session: " + userSettings.UserId); * principal = userSettings.AuthenticatedUser.ToClaimsPrincipal(options.Scheme, userSettings.UserType); * return AuthenticateResult.Success(new AuthenticationTicket(principal, null, Options.Scheme)); * } * * string smgov_userdisplayname = context.Request.Headers["smgov_userdisplayname"]; * if (!string.IsNullOrEmpty(smgov_userdisplayname)) * { * userSettings.UserDisplayName = smgov_userdisplayname; * } * * string smgov_businesslegalname = context.Request.Headers["smgov_businesslegalname"]; * if (!string.IsNullOrEmpty(smgov_businesslegalname)) * { * userSettings.BusinessLegalName = smgov_businesslegalname; * } * * // ************************************************** * // Authenticate based on SiteMinder Headers * // ************************************************** * _logger.LogDebug("Parsing the HTTP headers for SiteMinder authentication credential"); * * // At this point userID would only be set if we are logging in through as a DEV user * * if (string.IsNullOrEmpty(userId)) * { * _logger.LogDebug("Getting user data from headers"); * * userId = context.Request.Headers[options.SiteMinderUserNameKey]; * if (string.IsNullOrEmpty(userId)) * { * userId = context.Request.Headers[options.SiteMinderUniversalIdKey]; * } * * siteMinderGuid = context.Request.Headers[options.SiteMinderUserGuidKey]; * siteMinderBusinessGuid = context.Request.Headers[options.SiteMinderBusinessGuidKey]; * siteMinderUserType = context.Request.Headers[options.SiteMinderUserTypeKey]; * * * // ************************************************** * // Validate credentials * // ************************************************** * if (string.IsNullOrEmpty(userId)) * { * _logger.LogDebug(options.MissingSiteMinderUserIdError); * return AuthenticateResult.Fail(options.MissingSiteMinderGuidError); * } * * if (string.IsNullOrEmpty(siteMinderGuid)) * { * _logger.LogDebug(options.MissingSiteMinderGuidError); * return AuthenticateResult.Fail(options.MissingSiteMinderGuidError); * } * if (string.IsNullOrEmpty(siteMinderUserType)) * { * _logger.LogDebug(options.MissingSiteMinderUserTypeError); * return AuthenticateResult.Fail(options.MissingSiteMinderUserTypeError); * } * } * else // DEV user, setup a fake session and SiteMinder headers. * { * if (isDeveloperLogin ) * { * _logger.LogError("Generating a Development user"); * userSettings.BusinessLegalName = devCompanyId + " BusinessProfileName"; * userSettings.UserDisplayName = userId + " BCeIDContactType"; * * // search for a matching user. * var existingContact = _dynamicsClient.GetContactByName(userId, "BCeIDContactType"); * * if (existingContact != null) * { * siteMinderGuid = existingContact.Externaluseridentifier; * } * else * { * siteMinderGuid = GuidUtility.CreateIdForDynamics("contact", userSettings.UserDisplayName).ToString(); * } * * var existingBusiness = await _dynamicsClient.GetAccountByLegalName(userSettings.BusinessLegalName); * if (existingBusiness != null) * { * siteMinderBusinessGuid = existingBusiness.BcgovBceid; * } * { * siteMinderBusinessGuid = GuidUtility.CreateIdForDynamics("account", userSettings.BusinessLegalName).ToString(); * } * siteMinderUserType = "Business"; * } * else if (isBCSCDeveloperLogin) * { * _logger.LogError("Generating a Development BC Services user"); * userSettings.BusinessLegalName = null; * userSettings.UserDisplayName = userId + " Associate"; * siteMinderGuid = GuidUtility.CreateIdForDynamics("bcsc", userSettings.UserDisplayName).ToString(); * siteMinderBusinessGuid = null; * siteMinderUserType = "VerifiedIndividual"; * } * } * * // Previously the code would do a database lookup here. However there is no backing database for the users table now, * // so we just do a Dynamics lookup on the siteMinderGuid. * * _logger.LogDebug("Loading user external id = " + siteMinderGuid); * if (_dynamicsClient != null) * { * userSettings.AuthenticatedUser = await _dynamicsClient.LoadUser(siteMinderGuid, context.Request.Headers, _logger); * } * * _logger.LogDebug("After getting authenticated user = "******" (" + userId + ")"); * return AuthenticateResult.Fail(options.InactivegDbUserIdError); * } * * if (userSettings.AuthenticatedUser != null && !String.IsNullOrEmpty(siteMinderUserType)) * { * userSettings.AuthenticatedUser.UserType = siteMinderUserType; * } * userSettings.UserType = siteMinderUserType; * * // This line gets the various claims for the current user. * ClaimsPrincipal userPrincipal = userSettings.AuthenticatedUser.ToClaimsPrincipal(options.Scheme, userSettings.UserType); * * // ************************************************** * // Create authenticated user * // ************************************************** * _logger.LogDebug("Authentication successful: " + userId); * _logger.LogDebug("Setting identity and creating session for: " + userId); * * // create session info for the current user * userSettings.UserId = userId; * userSettings.UserAuthenticated = true; * userSettings.IsNewUserRegistration = (userSettings.AuthenticatedUser == null); * * // set other session info * userSettings.SiteMinderGuid = siteMinderGuid; * userSettings.SiteMinderBusinessGuid = siteMinderBusinessGuid; * _logger.LogDebug("Before getting contact and account ids = " + userSettings.GetJson()); * * if (userSettings.AuthenticatedUser != null) * { * userSettings.ContactId = userSettings.AuthenticatedUser.ContactId.ToString(); * * if (siteMinderBusinessGuid != null) // BCeID user * { * var account = await _dynamicsClient.GetAccountBySiteminderBusinessGuid(siteMinderBusinessGuid); * if (account != null && account.Accountid != null) * { * userSettings.AccountId = account.Accountid; * userSettings.AuthenticatedUser.AccountId = Guid.Parse(account.Accountid); * } * } * } * * if (!hostingEnv.IsProduction() && (isDeveloperLogin || isBCSCDeveloperLogin)) * { * _logger.LogError("DEV MODE Setting identity and creating session for: " + userId); * * if (isDeveloperLogin) * { * userSettings.BusinessLegalName = devCompanyId + " BusinessProfileName"; * userSettings.UserDisplayName = userId + " BCeIDContactType"; * * // add generated guids * userSettings.SiteMinderBusinessGuid = GuidUtility.CreateIdForDynamics("account", userSettings.BusinessLegalName).ToString(); * userSettings.SiteMinderGuid = GuidUtility.CreateIdForDynamics("contact", userSettings.UserDisplayName).ToString(); * } * else if (isBCSCDeveloperLogin) * { * userSettings.BusinessLegalName = null; * userSettings.UserDisplayName = userId + " Associate"; * * // add generated guids * userSettings.SiteMinderBusinessGuid = null; * userSettings.SiteMinderGuid = GuidUtility.CreateIdForDynamics("bcsc", userSettings.UserDisplayName).ToString(); * } * * if (userSettings.IsNewUserRegistration) * { * if (isDeveloperLogin) * { * // add generated guids * userSettings.AccountId = userSettings.SiteMinderBusinessGuid; * userSettings.ContactId = userSettings.SiteMinderGuid; * } * else if (isBCSCDeveloperLogin) * { * // set to null for now * userSettings.AccountId = null; * userSettings.ContactId = null; * } * * _logger.LogDebug("New user registration:" + userSettings.UserDisplayName); * _logger.LogDebug("userSettings.SiteMinderBusinessGuid:" + userSettings.SiteMinderBusinessGuid); * _logger.LogDebug("userSettings.SiteMinderGuid:" + userSettings.SiteMinderGuid); * _logger.LogDebug("userSettings.AccountId:" + userSettings.AccountId); * _logger.LogDebug("userSettings.ContactId:" + userSettings.ContactId); * } * // Set account ID from authenticated user * else if (userSettings.AuthenticatedUser != null) * { * // populate the business GUID. * if (string.IsNullOrEmpty(userSettings.AccountId)) * { * userSettings.AccountId = userSettings.AuthenticatedUser.AccountId.ToString(); * } * if (string.IsNullOrEmpty(userSettings.ContactId)) * { * userSettings.ContactId = userSettings.AuthenticatedUser.ContactId.ToString(); * } * _logger.LogDebug("Returning user:"******"userSettings.AccountId:" + userSettings.AccountId); * _logger.LogDebug("userSettings.ContactId:" + userSettings.ContactId); * } * } * * * // add the worker settings if it is a new user. * if (userSettings.IsNewUserRegistration && userSettings.NewContact == null) * { * userSettings.NewContact = new ViewModels.Contact(); * userSettings.NewContact.CopyHeaderValues(context.Request.Headers); * } * * // ************************************************** * // Update user settings * // ************************************************** * UserSettings.SaveUserSettings(userSettings, context); * * // done! * principal = userPrincipal; * return AuthenticateResult.Success(new AuthenticationTicket(principal, null, Options.Scheme)); * } * catch (Exception exception) * { * _logger.LogError(exception.Message); * Console.WriteLine(exception); * throw; * } */ return(AuthenticateResult.Success(new AuthenticationTicket(principal, null, Options.Scheme))); }
/// <summary> /// Process Authentication Request /// </summary> /// <returns></returns> protected override async Task <AuthenticateResult> HandleAuthenticateAsync() { // get siteminder headers _logger.Debug("Parsing the HTTP headers for SiteMinder authentication credential"); string userId = null; string devCompanyId = null; string siteMinderGuid = ""; string siteMinderBusinessGuid = ""; string siteMinderUserType = ""; try { ClaimsPrincipal principal; HttpContext context = Request.HttpContext; UserSettings userSettings = new UserSettings(); IConfiguration _configuration = (IConfiguration)context.RequestServices.GetService(typeof(IConfiguration)); _dynamicsClient = (IDynamicsClient)context.RequestServices.GetService(typeof(IDynamicsClient)); IWebHostEnvironment hostingEnv = (IWebHostEnvironment)context.RequestServices.GetService(typeof(IWebHostEnvironment)); // Fail if login disabled if (!string.IsNullOrEmpty(_configuration["FEATURE_DISABLE_LOGIN"])) { return(AuthenticateResult.Fail(_options.LoginDisabledError)); } // Fail if coming from JS if (context.Request.GetDisplayUrl().ToLower().Contains(".js")) { return(AuthenticateResult.NoResult()); } // ************************************************** // Check if the user session is already created // ************************************************** try { _logger.Debug("Checking user session"); userSettings = UserSettings.ReadUserSettings(context); // fix for cases where AuthenticatedUser contact is empty. if (userSettings?.AuthenticatedUser?.ContactId != null && userSettings?.AuthenticatedUser?.ContactId == Guid.Empty && !string.IsNullOrEmpty(userSettings?.SiteMinderGuid)) { var contact = _dynamicsClient.GetActiveContactByExternalId(userSettings.SiteMinderGuid); if (contact != null) { userSettings.AuthenticatedUser.ContactId = Guid.Parse(contact.Contactid); } } _logger.Debug("UserSettings found: " + userSettings.GetJson()); } catch { //do nothing _logger.Debug("No UserSettings found"); } // is user authenticated - if so we're done if ((userSettings.UserAuthenticated && string.IsNullOrEmpty(userId)) || (userSettings.UserAuthenticated && !string.IsNullOrEmpty(userId) && !string.IsNullOrEmpty(userSettings.UserId) && userSettings.UserId == userId)) { _logger.Debug("User already authenticated with active session: " + userSettings.UserId); principal = userSettings.AuthenticatedUser.ToClaimsPrincipal(_options.Scheme, userSettings.UserType); return(AuthenticateResult.Success(new AuthenticationTicket(principal, null, Options.Scheme))); } // ************************************************** // Check if we have a Dev Environment Cookie // ************************************************** if (!hostingEnv.IsProduction() && (!string.IsNullOrEmpty(context.Request.Cookies[_options.DevAuthenticationTokenKey]) || !string.IsNullOrEmpty(context.Request.Cookies[_options.DevBCSCAuthenticationTokenKey]) || !string.IsNullOrEmpty(context.Request.Headers[_options.DevAuthenticationTokenKey]) || !string.IsNullOrEmpty(context.Request.Headers[_options.DevBCSCAuthenticationTokenKey])) ) { try { return(await LoginDevUser(context, _dynamicsClient)); } catch (Exception ex) { _logger.Information(ex.Message); _logger.Information("Couldn't successfully login as dev user - continuing as regular user"); } } // determine if it is the new bridge entity based flow or the legacy. if (!string.IsNullOrEmpty(_configuration["FEATURE_BRIDGE_LOGIN"])) { return(await HandleBridgeAuthentication(userSettings, context)); } else { return(await HandleLegacyAuthentication(userSettings, context)); } } catch (Exception exception) { _logger.Error(exception.Message); throw; } }
public virtual Task <PolicyAuthorizationResult> AuthorizeAsync( AuthorizationPolicy policy, AuthenticateResult authenticationResult, HttpContext context, object resource) => Task.FromResult(PolicyAuthorizationResult.Success());
protected override async Task <AuthenticateResult> HandleAuthenticateAsync() { if (!Request.Headers.ContainsKey("Authorization")) { return(AuthenticateResult.Fail("Header Not Found.")); } var token = Request.Headers["Authorization"].ToString(); if (!token.StartsWith(TokenPrefix)) { return(AuthenticateResult.Fail("Invalid header.")); } token = token.Substring(TokenPrefix.Length); var maybeUser = AuthenticatedUsers.TryGet(token); return(await maybeUser.Match <Task <AuthenticateResult> >( async user => { var now = this.nClock.GetCurrentInstant(); if (user.Expiry < now) { try { // Try authenticate again if the timeout has expired. var maybeNewUser = await this.CheckTokenWithGoogle(user.IdToken); if (maybeNewUser.HasValue) { // User is still valid, update user. var newUser = new AuthenticatedUser(token, user.User, now.Plus(this.SessionTimeout)); AuthenticatedUsers.AddOrUpdate(token, newUser); } else { // User is no longer valid, remove user. AuthenticatedUsers.Remove(token); return AuthenticateResult.Fail("User not authenticated"); } } catch { // Authentication failed for unknown reason, remove user. AuthenticatedUsers.Remove(token); return AuthenticateResult.Fail("User not authenticated"); } } else { // Update expiry of user. This means the timeout only expires after an inactivity of this // time, and continued requests keep the session alive. var newUser = new AuthenticatedUser(token, user.User, now.Plus(this.SessionTimeout)); AuthenticatedUsers.AddOrUpdate(token, newUser); } // Authorized from here, set the user identity and return the principal. var ticket = new AuthenticationTicket( new ClaimsPrincipal(new ClaimsIdentity(new[] { new Claim("Identifier", user.User.Identifier), new Claim("Name", user.User.Name), new Claim("Email", user.User.Email), new Claim("IdToken", user.IdToken), }, AuthHandler.SchemeName)), this.Scheme.Name); return AuthenticateResult.Success(ticket); }, () => Task.FromResult(AuthenticateResult.Fail("User not authenticated.")))); }
protected override Task <AuthenticateResult> HandleAuthenticateAsync() { return(Task.FromResult(AuthenticateResult.Fail("Failed Authentication"))); }
private void ProcessLoginCallbackForSaml2p(AuthenticateResult externalResult, List <Claim> localClaims, AuthenticationProperties localSignInProps) { }
/// <summary> /// Process Authentication Request /// </summary> /// <returns></returns> protected override Task <AuthenticateResult> HandleAuthenticateAsync() { // get siteminder headers _logger.LogDebug("Parsing the HTTP headers for SiteMinder authentication credential"); SiteMinderAuthOptions options = new SiteMinderAuthOptions(); try { ClaimsPrincipal principal; HttpContext context = Request.HttpContext; IDbAppContext dbAppContext = (DbAppContext)context.RequestServices.GetService(typeof(DbAppContext)); IHostingEnvironment hostingEnv = (IHostingEnvironment)context.RequestServices.GetService(typeof(IHostingEnvironment)); UserSettings userSettings = new UserSettings(); string userId = ""; string siteMinderGuid = ""; // ************************************************** // If this is an Error or Authentiation API - Ignore // ************************************************** string url = context.Request.GetDisplayUrl().ToLower(); if (url.Contains("/authentication/dev") || url.Contains("/error") || url.Contains(".map") || url.Contains(".js")) { return(Task.FromResult(AuthenticateResult.NoResult())); } // ************************************************** // Check if we have a Dev Environment Cookie // ************************************************** if (hostingEnv.IsDevelopment()) { string temp = context.Request.Cookies[options.DevAuthenticationTokenKey]; if (!string.IsNullOrEmpty(temp)) { userId = temp; } } // ************************************************** // Check if the user session is already created // ************************************************** try { _logger.LogInformation("Checking user session"); userSettings = UserSettings.ReadUserSettings(context); } catch { //do nothing } // is user authenticated - if so we're done if ((userSettings.UserAuthenticated && string.IsNullOrEmpty(userId)) || (userSettings.UserAuthenticated && !string.IsNullOrEmpty(userId) && !string.IsNullOrEmpty(userSettings.UserId) && userSettings.UserId == userId)) { _logger.LogInformation("User already authenticated with active session: " + userSettings.UserId); principal = userSettings.HetsUser.ToClaimsPrincipal(options.Scheme); return(Task.FromResult(AuthenticateResult.Success(new AuthenticationTicket(principal, null, Options.Scheme)))); } // ************************************************** // Authenticate based on SiteMinder Headers // ************************************************** _logger.LogDebug("Parsing the HTTP headers for SiteMinder authentication credential"); if (string.IsNullOrEmpty(userId)) { userId = context.Request.Headers[options.SiteMinderUserNameKey]; if (string.IsNullOrEmpty(userId)) { userId = context.Request.Headers[options.SiteMinderUniversalIdKey]; } siteMinderGuid = context.Request.Headers[options.SiteMinderUserGuidKey]; // ************************************************** // Validate credentials // ************************************************** if (string.IsNullOrEmpty(userId)) { _logger.LogError(options.MissingSiteMinderUserIdError); return(Task.FromResult(AuthenticateResult.Fail(options.MissingSiteMinderGuidError))); } if (string.IsNullOrEmpty(siteMinderGuid)) { _logger.LogError(options.MissingSiteMinderGuidError); return(Task.FromResult(AuthenticateResult.Fail(options.MissingSiteMinderGuidError))); } } // ************************************************** // Validate credential against database // ************************************************** userSettings.HetsUser = hostingEnv.IsDevelopment() ? dbAppContext.LoadUser(userId) : dbAppContext.LoadUser(userId, siteMinderGuid); if (userSettings.HetsUser == null) { _logger.LogWarning(options.MissingDbUserIdError + " (" + userId + ")"); return(Task.FromResult(AuthenticateResult.Fail(options.MissingDbUserIdError))); } if (!userSettings.HetsUser.Active) { _logger.LogWarning(options.InactivegDbUserIdError + " (" + userId + ")"); return(Task.FromResult(AuthenticateResult.Fail(options.InactivegDbUserIdError))); } // ************************************************** // Create authenticated user // ************************************************** _logger.LogInformation("Authentication successful: " + userId); _logger.LogInformation("Setting identity and creating session for: " + userId); // create session info userSettings.UserId = userId; userSettings.UserAuthenticated = true; // update user settings UserSettings.SaveUserSettings(userSettings, context); // done! principal = userSettings.HetsUser.ToClaimsPrincipal(options.Scheme); return(Task.FromResult(AuthenticateResult.Success(new AuthenticationTicket(principal, null, Options.Scheme)))); } catch (Exception exception) { _logger.LogError(exception.Message); Console.WriteLine(exception); throw; } }
public async Task<IHttpActionResult> ResumeLoginFromRedirect() { Logger.Info("Callback requested to resume login from partial login"); var user = await GetIdentityFromPartialSignIn(); if (user == null) { Logger.Error("no identity from partial login"); return RedirectToRoute(Constants.RouteNames.Login, null); } var subject = user.GetSubjectId(); var name = user.GetName(); var result = new AuthenticateResult(subject, name); var method = user.GetAuthenticationMethod(); var idp = user.GetIdentityProvider(); var authTime = user.GetAuthenticationTimeEpoch(); var authorizationReturnUrl = user.Claims.GetValue(Constants.ClaimTypes.AuthorizationReturnUrl); SignIn(result, method, idp, authTime); Logger.InfoFormat("redirecting to: {0}", authorizationReturnUrl); return Redirect(authorizationReturnUrl); }
private IHttpActionResult SignInAndRedirect( AuthenticateResult authResult, string authenticationMethod, string identityProvider, long authTime = 0) { logger.Verbose("[AuthenticationController.SignInAndRedirect] called"); if (authResult == null) throw new ArgumentNullException("authResult"); if (String.IsNullOrWhiteSpace(authenticationMethod)) throw new ArgumentNullException("authenticationMethod"); if (String.IsNullOrWhiteSpace(identityProvider)) throw new ArgumentNullException("identityProvider"); var signInMessage = LoadLoginRequestMessage(); var issuer = authResult.IsPartialSignIn ? Constants.PartialSignInAuthenticationType : Constants.PrimaryAuthenticationType; var principal = IdentityServerPrincipal.Create( authResult.Subject, authResult.Name, authenticationMethod, identityProvider, issuer, authTime); var id = principal.Identities.First(); if (authResult.IsPartialSignIn) { // TODO: put original return URL into cookie with a GUID ID // and put the ID as route param for the resume URL. then // we can always call ClearLoginRequestMessage() id.AddClaim(new Claim(Constants.ClaimTypes.PartialLoginReturnUrl, Url.Route(Constants.RouteNames.ResumeLoginFromRedirect, null))); // allow redircting code to add claims for target page id.AddClaims(authResult.RedirectClaims); } var ctx = Request.GetOwinContext(); ctx.Authentication.SignOut( Constants.PrimaryAuthenticationType, Constants.ExternalAuthenticationType, Constants.PartialSignInAuthenticationType); ctx.Authentication.SignIn(id); if (authResult.IsPartialSignIn) { logger.Verbose("[AuthenticationController.SignInAndRedirect] partial login requested, redirecting to requested url"); var uri = new Uri(ctx.Request.Uri, authResult.PartialSignInRedirectPath.Value); return Redirect(uri); } else { logger.Verbose("[AuthenticationController.SignInAndRedirect] normal login requested, redirecting back to authorization"); // TODO -- manage this state better if we're doing redirect to custom page // would rather the redirect URL from request message put into cookie // and named with a nonce, then the resume url + nonce set as claim // in principal above so page being redirected to can know what url to return to ClearLoginRequestMessage(); return Redirect(signInMessage.ReturnUrl); } }
private void SignIn( AuthenticateResult authResult, string authenticationMethod, string identityProvider, long authTime) { IssueAuthenticationCookie(authResult, authenticationMethod, identityProvider, authTime); ClearSignInMessage(); }
public async Task<IHttpActionResult> ResumeLoginFromRedirect(string resume) { Logger.Info("Callback requested to resume login from partial login"); if (resume.IsMissing()) { Logger.Error("no resumeId passed"); return RenderErrorPage(); } var user = await GetIdentityFromPartialSignIn(); if (user == null) { Logger.Error("no identity from partial login"); return RenderErrorPage(); } var type = GetClaimTypeForResumeId(resume); var resumeClaim = user.FindFirst(type); if (resumeClaim == null) { Logger.Error("no claim matching resumeId"); return RenderErrorPage(); } var signInId = resumeClaim.Value; if (signInId.IsMissing()) { Logger.Error("No signin id found in resume claim"); return RenderErrorPage(); } var cookie = new MessageCookie<SignInMessage>(Request.GetOwinContext(), this._options); var signInMessage = cookie.Read(signInId); if (signInMessage == null) { Logger.Error("No cookie matching signin id found"); return RenderErrorPage(); } AuthenticateResult result = null; var externalProviderClaim = user.FindFirst(Constants.ClaimTypes.ExternalProviderUserId); if (externalProviderClaim == null) { // the user/subject was known, so pass thru (without the redirect claims) user.RemoveClaim(user.FindFirst(Constants.ClaimTypes.PartialLoginReturnUrl)); user.RemoveClaim(user.FindFirst(GetClaimTypeForResumeId(resume))); result = new AuthenticateResult(new ClaimsPrincipal(user)); } else { // the user was not known, we need to re-execute AuthenticateExternalAsync // to obtain a subject to proceed var provider = externalProviderClaim.Issuer; var providerId = externalProviderClaim.Value; var externalId = new ExternalIdentity { Provider = provider, ProviderId = providerId, Claims = user.Claims }; result = await _userService.AuthenticateExternalAsync(externalId); if (result == null) { Logger.Warn("user service failed to authenticate external identity"); return await RenderLoginPage(signInMessage, signInId, Messages.NoMatchingExternalAccount); } if (result.IsError) { Logger.WarnFormat("user service returned error message: {0}", result.ErrorMessage); return await RenderLoginPage(signInMessage, signInId, result.ErrorMessage); } } return SignInAndRedirect(signInMessage, signInId, result); }
private void IssueAuthenticationCookie( AuthenticateResult authResult, string authenticationMethod, string identityProvider, long authTime) { if (authResult == null) throw new ArgumentNullException("authResult"); if (String.IsNullOrWhiteSpace(authenticationMethod)) throw new ArgumentNullException("authenticationMethod"); if (String.IsNullOrWhiteSpace(identityProvider)) throw new ArgumentNullException("identityProvider"); Logger.InfoFormat("logging user in as subject: {0}, name: {1}{2}", authResult.Subject, authResult.Name, authResult.IsPartialSignIn ? " (partial login)" : ""); var issuer = authResult.IsPartialSignIn ? Constants.PartialSignInAuthenticationType : Constants.PrimaryAuthenticationType; var principal = IdentityServerPrincipal.Create( authResult.Subject, authResult.Name, authenticationMethod, identityProvider, issuer, authTime); var id = principal.Identities.First(); if (authResult.IsPartialSignIn) { // add claim so partial redirect can return here to continue login var resumeLoginUrl = Url.Link(Constants.RouteNames.ResumeLoginFromRedirect, null); var resumeLoginClaim = new Claim(Constants.ClaimTypes.PartialLoginReturnUrl, resumeLoginUrl); id.AddClaim(resumeLoginClaim); // store original authorization url as claim // so once we result we can return to authorization page var signInMessage = LoadSignInMessage(); var authorizationUrl = signInMessage.ReturnUrl; var authorizationUrlClaim = new Claim(Constants.ClaimTypes.AuthorizationReturnUrl, authorizationUrl); id.AddClaim(authorizationUrlClaim); // allow redircting code to add claims for target page id.AddClaims(authResult.RedirectClaims); } ClearAuthenticationCookies(); var ctx = Request.GetOwinContext(); ctx.Authentication.SignIn(id); }
/// <summary> /// Searches the 'Authorization' header for a 'Bearer' token. If the 'Bearer' token is found, it is validated using <see cref="T:Microsoft.IdentityModel.Tokens.TokenValidationParameters" /> set in the options. /// </summary> /// <returns></returns> protected override async Task <AuthenticateResult> HandleAuthenticateAsync() { string token; Exception obj; AuthenticationFailedContext authenticationFailedContext; int num; try { var messageReceivedContext = new MessageReceivedContext(Context, Scheme, Options); await Events.MessageReceived(messageReceivedContext); if (messageReceivedContext.Result != null) { return(messageReceivedContext.Result); } token = messageReceivedContext.Token; if (string.IsNullOrEmpty(token)) { string header = Request.Headers["Authorization"]; if (string.IsNullOrEmpty(header)) { return(AuthenticateResult.NoResult()); } if (header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase)) { token = header.Substring("Bearer ".Length).Trim(); } if (string.IsNullOrEmpty(token)) { return(AuthenticateResult.NoResult()); } } if (_configuration == null && Options.ConfigurationManager != null) { var configurationAsync = await Options.ConfigurationManager.GetConfigurationAsync(Context.RequestAborted); _configuration = configurationAsync; } var validationParameters1 = Options.TokenValidationParameters.Clone(); if (_configuration != null) { var strArray = new string[1] { _configuration.Issuer }; var validationParameters2 = validationParameters1; var validIssuers = validationParameters1.ValidIssuers; var obj1 = (validIssuers != null ? validIssuers.Concat(strArray) : null) ?? strArray; validationParameters2.ValidIssuers = obj1; var validationParameters3 = validationParameters1; var issuerSigningKeys = validationParameters1.IssuerSigningKeys; var securityKeys = (issuerSigningKeys != null ? issuerSigningKeys.Concat(_configuration.SigningKeys) : null) ?? _configuration.SigningKeys; validationParameters3.IssuerSigningKeys = securityKeys; } List <Exception> exceptionList = null; foreach (var securityTokenValidator in Options.SecurityTokenValidators) { if (securityTokenValidator.CanReadToken(token)) { SecurityToken securityToken; ClaimsPrincipal claimsPrincipal; try { claimsPrincipal = securityTokenValidator.ValidateToken(token, validationParameters1, out securityToken); } catch (Exception ex) { //Logger.TokenValidationFailed(ex); if (Options.RefreshOnIssuerKeyNotFound && Options.ConfigurationManager != null && ex is SecurityTokenSignatureKeyNotFoundException) { Options.ConfigurationManager.RequestRefresh(); } if (exceptionList == null) { exceptionList = new List <Exception>(1); } exceptionList.Add(ex); continue; } //Logger.TokenValidationSucceeded(); var validatedContext = new TokenValidatedContext(Context, Scheme, Options); validatedContext.Principal = claimsPrincipal; validatedContext.SecurityToken = securityToken; var tokenValidatedContext = validatedContext; await Events.TokenValidated(tokenValidatedContext); if (tokenValidatedContext.Result != null) { return(tokenValidatedContext.Result); } if (Options.SaveToken) { tokenValidatedContext.Properties.StoreTokens(new AuthenticationToken[1] { new AuthenticationToken() { Name = "access_token", Value = token } }); } tokenValidatedContext.Success(); return(tokenValidatedContext.Result); } } if (exceptionList == null) { return(AuthenticateResult.Fail("No SecurityTokenValidator available for token: " + token ?? "[null]")); } authenticationFailedContext = new AuthenticationFailedContext(Context, Scheme, Options) { Exception = exceptionList.Count == 1 ? exceptionList[0] : new AggregateException(exceptionList) }; await Events.AuthenticationFailed(authenticationFailedContext); return(authenticationFailedContext.Result == null?AuthenticateResult.Fail(authenticationFailedContext.Exception) : authenticationFailedContext.Result); } catch (Exception ex) { obj = ex; num = 1; } if (num == 1) { var ex = obj; //Logger.ErrorProcessingMessage(ex); authenticationFailedContext = new AuthenticationFailedContext(Context, Scheme, Options) { Exception = ex }; await Events.AuthenticationFailed(authenticationFailedContext); if (authenticationFailedContext.Result != null) { return(authenticationFailedContext.Result); } var source = obj as Exception; if (source == null) { throw obj; } ExceptionDispatchInfo.Capture(source).Throw(); authenticationFailedContext = null; } return(null); }
public async Task<IHttpActionResult> ResumeLoginFromRedirect() { logger.Start("[AuthenticationController.ResumeLoginFromRedirect] called"); var ctx = Request.GetOwinContext(); var redirectAuthResult = await ctx.Authentication.AuthenticateAsync(Constants.PartialSignInAuthenticationType); if (redirectAuthResult == null || redirectAuthResult.Identity == null) { logger.Verbose("[AuthenticationController.ResumeLoginFromRedirect] no redirect identity - exiting to login page"); return RedirectToRoute(Constants.RouteNames.Login, null); } var subject = redirectAuthResult.Identity.GetSubjectId(); var name = redirectAuthResult.Identity.GetName(); var result = new AuthenticateResult(subject, name); var method = redirectAuthResult.Identity.GetAuthenticationMethod(); var idp = redirectAuthResult.Identity.GetIdentityProvider(); var authTime = redirectAuthResult.Identity.GetAuthenticationTimeEpoch(); return SignInAndRedirect(result, method, idp, authTime); }
protected async override Task <AuthenticateResult> HandleAuthenticateAsync() { if (this.Context == null) { return(AuthenticateResult.Fail("Context is Null")); } if (this.Options == null) { return(AuthenticateResult.Fail("Options is Null")); } var token = this.Context.Request.Query[Options.TokenQueryKey].FirstOrDefault(); if (string.IsNullOrEmpty(token)) { // 地址过滤标识 var flag = false; string key1 = this.Context.Request.Query["name"]; if (!string.IsNullOrEmpty(key1) && key1 == "admin") { flag = true; } if (flag) { ClaimsIdentity id = new ClaimsIdentity(APIScheme, ClaimsIdentity.DefaultNameClaimType, ClaimsIdentity.DefaultRoleClaimType); id.AddClaim(new Claim(ClaimTypes.Role, key1)); id.AddClaim(new Claim(ClaimTypes.Name, key1)); //id.AddClaim(new Claim(ClaimsIdentity.DefaultRoleClaimType, "admin")); ClaimsPrincipal p = new ClaimsPrincipal(id); AuthenticationTicket tiket = new AuthenticationTicket(p, APIScheme); this.Context.Items.Add(APIUserKey, _format.Protect(tiket)); return(AuthenticateResult.Success(tiket)); } return(AuthenticateResult.Fail("暂无权限"));//.NoResult(); } if (string.IsNullOrEmpty(token)) { return(AuthenticateResult.NoResult()); } int index = token.IndexOf('1'); if (index == -1) { return(AuthenticateResult.Fail("format wrong")); } var user = token.Substring(index + 1); var userEntity = await _userManager.FindByNameAsync(user); if (userEntity == null) { return(AuthenticateResult.Fail("user is not found")); } var ticketStr = await _userManager.GetAuthenticationTokenAsync(userEntity, "APILOGIN", token); if (string.IsNullOrEmpty(ticketStr)) { return(AuthenticateResult.NoResult()); } var tokenObj = _format.Unprotect(ticketStr); if (tokenObj == null) { return(AuthenticateResult.NoResult()); } // 验证过期时间 if (tokenObj.Properties.ExpiresUtc.HasValue) { if (tokenObj.Properties.ExpiresUtc < base.Clock.UtcNow) { return(AuthenticateResult.Fail("Ticket Expire")); } } if (tokenObj.Principal == null) { return(AuthenticateResult.Fail("NO Principal")); } this.Context.Items.Add(APIUserKey, tokenObj.Principal); this.Context.Items.Add("ticket", token); _log.LogDebug($"Get a token ticket user is {tokenObj?.Principal?.Identity?.Name}"); return(AuthenticateResult.Success(tokenObj)); }
private static void Describe(IOwinResponse res, AuthenticateResult result) { res.StatusCode = 200; res.ContentType = "text/xml"; var xml = new XElement("xml"); if (result != null && result.Identity != null) { xml.Add(result.Identity.Claims.Select(claim => new XElement("claim", new XAttribute("type", claim.Type), new XAttribute("value", claim.Value)))); } if (result != null && result.Properties != null) { xml.Add(result.Properties.Dictionary.Select(extra => new XElement("extra", new XAttribute("type", extra.Key), new XAttribute("value", extra.Value)))); } using (var memory = new MemoryStream()) { using (var writer = new XmlTextWriter(memory, Encoding.UTF8)) { xml.WriteTo(writer); } res.Body.Write(memory.ToArray(), 0, memory.ToArray().Length); } }
protected async override Task <AuthenticateResult> HandleAuthenticateAsync() { var authorizationHeader = this.Request.Headers["Authorization"]; var remoteIPAddress = this.Context.Connection.RemoteIpAddress; this.Logger?.LogDebug( "Request came from remote IP Address: {RemoteIPAddress}. Continuing with auth check.", remoteIPAddress.ToJson()); if (!authorizationHeader.Any()) { this.Logger?.LogWarning( "Failing authentication from IP {RemoteIPAddress} for application: {Reason}", remoteIPAddress.ToJson(), "No authorization header found"); return(AuthenticateResult.Fail("No authorization header found")); } if (!TryGetHmacAuthenticationParameter(this.Logger, remoteIPAddress, authorizationHeader[0] ?? string.Empty, out var parameter)) { this.Logger?.LogWarning("Failing authentication from IP {RemoteIPAddress}: {Reason}", remoteIPAddress.ToJson(), "Invalid HMAC authentication parameter"); return(AuthenticateResult.Fail("Invalid HMAC authentication parameter")); } if (!this.ApplicationSecretStore.TryGetValue(parameter.ApplicationKey, out var applicationSecret)) { this.Logger?.LogWarning("Failing authentication from IP {RemoteIPAddress}: {Reason}. Parameters: {Parameters}", remoteIPAddress.ToJson(), "No secret found for application key", parameter.ToJson()); return(AuthenticateResult.Fail("No secret found for application key")); } if (!IsRequestFresh(parameter, out var freshnessIndicator)) { this.Logger?.LogWarning( "Failing authentication from IP {RemoteIPAddress}: {Reason}. Parameters: {Parameters}. Freshness Indicator: {FreshnessIndicator}", remoteIPAddress.ToJson(), "HMAC authentication request is not fresh", parameter.ToJson(), freshnessIndicator.ToJson()); return(AuthenticateResult.Fail("HMAC authentication request is not fresh")); } var includeBodyInHash = this.Request.ContentLength.HasValue && this.Request.ContentLength.Value > 0; var requestBody = includeBodyInHash ? await ReadRequestBody(this.Request).ConfigureAwait(false) : string.Empty; var displayUrl = this.Request.GetDisplayUrl(); var hash = HmacHashGenerator.Generate( parameter, applicationSecret, displayUrl, requestBody); if (hash != parameter.Hash) { this.Logger?.LogWarning( "Failing authentication from IP {RemoteIPAddress}: {Reason}. DisplayUrl: {DisplayUrl}. Parameters: {Parameters}. Includes body: {IncludeBodyInHash}.", remoteIPAddress.ToJson(), "HMAC request hashes do not match", displayUrl, parameter.ToJson(), includeBodyInHash); return(AuthenticateResult.Fail("HMAC request hashes do not match")); } this.Logger?.LogDebug( "HMAC authentication from IP {RemoteIPAddress} looks good. Building claims principal for User: {User}, ApplicationKey: {Application}, Time: {Time}.", remoteIPAddress.ToJson(), parameter.AuthenticatedUser, parameter.ApplicationKey, parameter.Time); var properties = new AuthenticationProperties(); properties.Items[nameof(HmacAuthenticationParameter.ApplicationKey)] = parameter.ApplicationKey; properties.Items[nameof(HmacAuthenticationParameter.AuthenticatedUser)] = parameter.AuthenticatedUser; properties.Items[nameof(HmacAuthenticationParameter.Time)] = parameter.Time; ClaimsIdentity identity = new GenericIdentity(parameter.AuthenticatedUser, HmacSchemeName); if (this.ClaimsProvider == null) { this.Logger?.LogWarning("The claims provider is null. Proceeding without attaching claims to identity."); } else { this.Logger?.LogDebug("Attaching claims to identity."); this.ClaimsProvider.AddClaimsTo(identity, properties); if (identity.Claims.Any()) { this.Logger?.LogDebug("Claims were successfully attached."); } else { this.Logger?.LogWarning("No claims were attached by the claims provider."); } } var user = new ClaimsPrincipal(identity); this.Logger?.LogDebug("Returning success with claims principal."); return(AuthenticateResult.Success(new AuthenticationTicket(user, properties, HmacSchemeName))); }
private void RaiseLocalLoginSuccessEvent(string username, SignInMessage signInMessage, AuthenticateResult authResult) { _events.RaiseLocalLoginSuccessEvent(Request.GetOwinEnvironment(), username, signInMessage, authResult); }
private static async Task <TestServer> CreateServer(Action <IServiceCollection> configureServices = null, Func <HttpContext, Task> testpath = null, Uri baseAddress = null, bool testCore = false) { var host = new HostBuilder() .ConfigureWebHost(builder => builder.Configure(app => { app.UseAuthentication(); app.Use(async(context, next) => { var req = context.Request; var res = context.Response; var userManager = context.RequestServices.GetRequiredService <UserManager <PocoUser> >(); var roleManager = context.RequestServices.GetRequiredService <RoleManager <PocoRole> >(); var signInManager = context.RequestServices.GetRequiredService <SignInManager <PocoUser> >(); PathString remainder; if (req.Path == new PathString("/normal")) { res.StatusCode = 200; } else if (req.Path == new PathString("/createMe")) { var user = new PocoUser("hao"); var result = await userManager.CreateAsync(user, TestPassword); if (result.Succeeded) { result = await roleManager.CreateAsync(new PocoRole("role")); } if (result.Succeeded) { result = await userManager.AddToRoleAsync(user, "role"); } res.StatusCode = result.Succeeded ? 200 : 500; } else if (req.Path == new PathString("/createSimple")) { var result = await userManager.CreateAsync(new PocoUser("simple"), "aaaaaa"); res.StatusCode = result.Succeeded ? 200 : 500; } else if (req.Path == new PathString("/signoutEverywhere")) { var user = await userManager.FindByNameAsync("hao"); var result = await userManager.UpdateSecurityStampAsync(user); res.StatusCode = result.Succeeded ? 200 : 500; } else if (req.Path.StartsWithSegments(new PathString("/pwdLogin"), out remainder)) { var isPersistent = bool.Parse(remainder.Value.AsSpan(1)); var result = await signInManager.PasswordSignInAsync("hao", TestPassword, isPersistent, false); res.StatusCode = result.Succeeded ? 200 : 500; } else if (req.Path == new PathString("/twofactorRememeber")) { var user = await userManager.FindByNameAsync("hao"); await signInManager.RememberTwoFactorClientAsync(user); res.StatusCode = 200; } else if (req.Path == new PathString("/isTwoFactorRememebered")) { var user = await userManager.FindByNameAsync("hao"); var result = await signInManager.IsTwoFactorClientRememberedAsync(user); res.StatusCode = result ? 200 : 500; } else if (req.Path == new PathString("/hasTwoFactorUserId")) { var result = await context.AuthenticateAsync(IdentityConstants.TwoFactorUserIdScheme); res.StatusCode = result.Succeeded ? 200 : 500; } else if (req.Path == new PathString("/me")) { await DescribeAsync(res, AuthenticateResult.Success(new AuthenticationTicket(context.User, null, "Application"))); } else if (req.Path.StartsWithSegments(new PathString("/me"), out remainder)) { var auth = await context.AuthenticateAsync(remainder.Value.Substring(1)); await DescribeAsync(res, auth); } else if (req.Path == new PathString("/testpath") && testpath != null) { await testpath(context); } else { await next(context); } }); }) .ConfigureServices(services => { if (testCore) { services.AddIdentityCore <PocoUser>() .AddRoles <PocoRole>() .AddSignInManager() .AddDefaultTokenProviders(); services.AddAuthentication(IdentityConstants.ApplicationScheme).AddIdentityCookies(); } else { services.AddIdentity <PocoUser, PocoRole>().AddDefaultTokenProviders(); } var store = new InMemoryStore <PocoUser, PocoRole>(); services.AddSingleton <IUserStore <PocoUser> >(store); services.AddSingleton <IRoleStore <PocoRole> >(store); configureServices?.Invoke(services); }) .UseTestServer()) .Build(); await host.StartAsync(); var server = host.GetTestServer(); server.BaseAddress = baseAddress; return(server); }
private IHttpActionResult SignInAndRedirect(SignInMessage signInMessage, string signInMessageId, AuthenticateResult authResult, bool? rememberMe = null) { IssueAuthenticationCookie(signInMessageId, authResult, rememberMe); sessionCookie.IssueSessionId(); var redirectUrl = GetRedirectUrl(signInMessage, authResult); Logger.InfoFormat("redirecting to: {0}", redirectUrl); return Redirect(redirectUrl); }
public async Task <IHttpActionResult> ResumeLoginFromRedirect(string resume) { Logger.Info("Callback requested to resume login from partial login"); if (resume.IsMissing()) { Logger.Error("no resumeId passed"); return(RenderErrorPage()); } var user = await GetIdentityFromPartialSignIn(); if (user == null) { Logger.Error("no identity from partial login"); return(RenderErrorPage()); } var type = GetClaimTypeForResumeId(resume); var resumeClaim = user.FindFirst(type); if (resumeClaim == null) { Logger.Error("no claim matching resumeId"); return(RenderErrorPage()); } var signInId = resumeClaim.Value; if (signInId.IsMissing()) { Logger.Error("No signin id found in resume claim"); return(RenderErrorPage()); } var cookie = new MessageCookie <SignInMessage>(Request.GetOwinContext(), this._options); var signInMessage = cookie.Read(signInId); if (signInMessage == null) { Logger.Error("No cookie matching signin id found"); return(RenderErrorPage()); } AuthenticateResult result = null; var externalProviderClaim = user.FindFirst(Constants.ClaimTypes.ExternalProviderUserId); if (externalProviderClaim == null) { // the user/subject was known, so pass thru (without the redirect claims) user.RemoveClaim(user.FindFirst(Constants.ClaimTypes.PartialLoginReturnUrl)); user.RemoveClaim(user.FindFirst(GetClaimTypeForResumeId(resume))); result = new AuthenticateResult(new ClaimsPrincipal(user)); } else { // the user was not known, we need to re-execute AuthenticateExternalAsync // to obtain a subject to proceed var provider = externalProviderClaim.Issuer; var providerId = externalProviderClaim.Value; var externalId = new ExternalIdentity { Provider = provider, ProviderId = providerId, Claims = user.Claims }; result = await _userService.AuthenticateExternalAsync(externalId); if (result == null) { Logger.Warn("user service failed to authenticate external identity"); return(await RenderLoginPage(signInMessage, signInId, Messages.NoMatchingExternalAccount)); } if (result.IsError) { Logger.WarnFormat("user service returned error message: {0}", result.ErrorMessage); return(await RenderLoginPage(signInMessage, signInId, result.ErrorMessage)); } } return(SignInAndRedirect(signInMessage, signInId, result)); }
private Uri GetRedirectUrl(SignInMessage signInMessage, AuthenticateResult authResult) { if (signInMessage == null) throw new ArgumentNullException("signInMessage"); if (authResult == null) throw new ArgumentNullException("authResult"); if (authResult.IsPartialSignIn) { var path = authResult.PartialSignInRedirectPath; if (path.StartsWith("~/")) { path = path.Substring(2); path = Request.GetIdentityServerBaseUrl() + path; } var host = new Uri(context.GetIdentityServerHost()); return new Uri(host, path); } else { return new Uri(signInMessage.ReturnUrl); } }
private IHttpActionResult SignInAndRedirect(SignInMessage signInMessage, string signInMessageId, AuthenticateResult authResult, bool?rememberMe = null) { IssueAuthenticationCookie(signInMessage, signInMessageId, authResult, rememberMe); var redirectUrl = GetRedirectUrl(signInMessage, authResult); Logger.InfoFormat("redirecting to: {0}", redirectUrl); return(Redirect(redirectUrl)); }