public void Configuration(IAppBuilder app)
{
var cookieAuthenticationOptions = new CookieAuthenticationOptions
{
ExpireTimeSpan = TimeSpan.FromMinutes(15.0)
};
var openIdConnectOptions = new OpenIdConnectAuthenticationOptions
{
MetadataAddress = "https://.../oauth2/oidcdiscovery/.well-known/openid-configuration",
ResponseType = OpenIdConnectResponseType.Code,
ClientId = ClientId,
Scope = OpenIdConnectScope.OpenId,
RedirectUri = RedirectUri,
PostLogoutRedirectUri = RedirectUri,
UseTokenLifetime = false,
SignInAsAuthenticationType = "Cookies",
Notifications = new OpenIdConnectAuthenticationNotifications
{
RedirectToIdentityProvider = OnRedirectToIdentityProvider,
MessageReceived = OnMessageReceived,
AuthenticationFailed = notification =>
{
return(Task.FromResult(0));
},
SecurityTokenReceived = notification =>
{
// Test to check if Owin middleware takes care of access token validation as per https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowTokenValidation
//notification.ProtocolMessage.AccessToken = "foo";
return(Task.FromResult(0));
},
SecurityTokenValidated = notification =>
{
// Test to check if Owin middleware takes care of decoded id token validation of payload
//notification.ProtocolMessage.IdToken = notification.ProtocolMessage.IdToken + 'a';
notification.AuthenticationTicket.Identity.AddClaim(new Claim("access_token", notification.ProtocolMessage.AccessToken));
notification.AuthenticationTicket.Identity.AddClaim(new Claim("id_token_hint", notification.ProtocolMessage.IdTokenHint));
notification.AuthenticationTicket.Identity.AddClaim(new Claim("refresh_token", notification.ProtocolMessage.RefreshToken));
notification.AuthenticationTicket.Properties.IsPersistent = true;
// Below line required to avoid the error -
// Error appears to be caused due to Token endpoint being invoked explicitly from MessageReceived notification rather than AuthorizationCodeReceived notification
notification.ProtocolMessage.RefreshToken = null;
return(Task.FromResult(0));
}
}
};
app.UseCookieAuthentication(cookieAuthenticationOptions);
app.UseOpenIdConnectAuthentication(openIdConnectOptions);
}
//private IOIDCNotificationHandlerService _oidcNotificationHandlerService;
/// <summary>
/// Helper class to be invoked from within Application's Startup Configuration method,
/// Configure the OWIN MiddleWare
/// </summary>
/// <param name="appBuilder"></param>
/// <param name="keyVaultService"></param>
/// <param name="oidcNotificationHandlerService"></param>
public void Configure(IAppBuilder appBuilder)
{
//Get basic OIDC Config settings:
IAadOidcSettingsConfidentialClientConfiguration aadOidcSettingsConfidentialClientConfiguration =
_keyVaultService.GetObject <AadOidcSettingsConfidentialSettingsClientConfiguration>();
//Same for AAD as for OIDC:
appBuilder.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
//Same for AAD as for OIDC:
appBuilder.UseCookieAuthentication(new CookieAuthenticationOptions());
var openIdConnectAuthenticationOptions = new OpenIdConnectAuthenticationOptions
{
//AAD does not need MetadataAddress (whereas B2C does)
//MetadataAddress = ...
// Sets the ClientId, authority, RedirectUri as obtained from web.config
ClientId = aadOidcSettingsConfidentialClientConfiguration.ClientId,
Authority = aadOidcSettingsConfidentialClientConfiguration.AuthorityUri,
RedirectUri = aadOidcSettingsConfidentialClientConfiguration.ClientRedirectUri,
PostLogoutRedirectUri = aadOidcSettingsConfidentialClientConfiguration.ClientPostLogoutUri,
// Specify the scope by appending all of the scopes requested into one string (separated by a blank space)
Scope = OpenIdConnectScope.OpenIdProfile,
// ResponseType [IdToken|CodeIdToken] is set to request the id_token - which
// contains basic information about the signed-in user
ResponseType = OpenIdConnectResponseType.IdToken,
// ValidateIssuer set to false to allow personal and work accounts from any organization
// to sign in to your application.
// To only allow users from a single organizations,
// set ValidateIssuer to true and 'tenant' setting in web.config to the tenant name
// To allow users from only a list of specific organizations, set ValidateIssuer to true and use ValidIssuers parameter
TokenValidationParameters =
new TokenValidationParameters
{
ValidateIssuer = false /*ValidIssuers = ...*/
},
// OpenIdConnectAuthenticationNotifications configures OWIN
// to send notification of failed authentications
// to OnAuthenticationFailed method
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = OnAuthenticationFailed
}
};
appBuilder.UseOpenIdConnectAuthentication(openIdConnectAuthenticationOptions);
}
// We need to update these values each time we receive a new token, so the SingleSignOut
// javascript has access to the correct values.
public async static Task SecurityTokenValidated(SecurityTokenValidatedNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
{
// Get Tenant-Specific Metadata (Authorization Endpoint), needed for making prompt=none request in RedirectToIdentityProvider
OpenIdConnectAuthenticationOptions tenantSpecificOptions = new OpenIdConnectAuthenticationOptions();
tenantSpecificOptions.Authority = AADInstance + notification.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
tenantSpecificOptions.ConfigurationManager = new ConfigurationManager <OpenIdConnectConfiguration>(tenantSpecificOptions.Authority + "/.well-known/openid-configuration");
OpenIdConnectConfiguration tenantSpecificConfig = await tenantSpecificOptions.ConfigurationManager.GetConfigurationAsync(notification.Request.CallCancelled);
notification.AuthenticationTicket.Identity.AddClaim(new Claim("issEndpoint", tenantSpecificConfig.AuthorizationEndpoint, ClaimValueTypes.String, "WebApp-Distributed-SignOut-DotNet"));
CheckSessionIFrame = notification.AuthenticationTicket.Properties.Dictionary[OpenIdConnectSessionProperties.CheckSessionIFrame];
return;
}
public void Configuration(IAppBuilder app)
{
//Configure the Identity user manager for use with Umbraco Back office
// *** EXPERT: There are several overloads of this method that allow you to specify a custom UserStore or even a custom UserManager!
app.ConfigureUserManagerForUmbracoBackOffice(
ApplicationContext.Current,
//The Umbraco membership provider needs to be specified in order to maintain backwards compatibility with the
// user password formats. The membership provider is not used for authentication, if you require custom logic
// to validate the username/password against an external data source you can create create a custom UserManager
// and override CheckPasswordAsync
global::Umbraco.Core.Security.MembershipProviderExtensions.GetUsersMembershipProvider().AsUmbracoMembershipProvider());
//Ensure owin is configured for Umbraco back office authentication
app
.UseUmbracoBackOfficeCookieAuthentication(ApplicationContext.Current)
.UseUmbracoBackOfficeExternalCookieAuthentication(ApplicationContext.Current);
var identityOptions = new OpenIdConnectAuthenticationOptions
{
ClientId = "u-client-bo",
SignInAsAuthenticationType = Constants.Security.BackOfficeExternalAuthenticationType,
Authority = "http://localhost:5000",
RedirectUri = "http://localhost:5003/umbraco",
PostLogoutRedirectUri = "http://localhost:5003/umbraco",
ResponseType = "code id_token token",
Scope = "openid profile email application.profile application.policy"
};
// Configure BackOffice Account Link button and style
identityOptions.ForUmbracoBackOffice("btn-microsoft", "fa-windows");
identityOptions.Caption = "OpenId Connect";
// Fix Authentication Type
identityOptions.AuthenticationType = "http://localhost:5000";
// Configure AutoLinking
identityOptions.SetExternalSignInAutoLinkOptions(new ExternalSignInAutoLinkOptions(
autoLinkExternalAccount: true,
defaultUserGroups: null,
defaultCulture: null
));
identityOptions.Notifications = new OpenIdConnectAuthenticationNotifications
{
SecurityTokenValidated = EnrollUser.GenerateIdentityAsync
};
app.UseOpenIdConnectAuthentication(identityOptions);
}
public static IAppBuilder UseAzureAdAuthentication(this IAppBuilder app, AzureAdAuthenticationOptions options)
{
if (options == null)
{
throw new ArgumentNullException(nameof(options));
}
var openIdOptions = new OpenIdConnectAuthenticationOptions
{
AuthenticationType = "aad",
Caption = "AzureAD",
Scope = "openid profile",
SignInAsAuthenticationType = options.SignInAsAuthenticationType,
Authority = $"https://login.microsoftonline.com/{options.TenantId}",
ClientId = options.ClientId,
RedirectUri = options.RedirectUri,
Notifications = new OpenIdConnectAuthenticationNotifications
{
RedirectToIdentityProvider = n =>
{
if (n.ProtocolMessage.RequestType == Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectRequestType.Authentication)
{
var signInMessage = n.OwinContext.Environment.GetSignInMessage();
string webServiceUrl = n.OwinContext.Environment.GetIdentityServerWebServiceUri();
if (signInMessage != null)
{
n.ProtocolMessage.Prompt = signInMessage.PromptMode;
n.ProtocolMessage.State = $"{Base64Url.Encode(Encoding.UTF8.GetBytes(webServiceUrl))}.{n.ProtocolMessage.State}";
}
}
return(Task.FromResult(0));
}
}
};
if (options.TenantId.StartsWith("common"))
{
openIdOptions.TokenValidationParameters.IssuerValidator = ValidateIssuerWithPlaceholder;
}
if (!string.IsNullOrEmpty(options.CallbackUri))
{
openIdOptions.CallbackPath = PathString.FromUriComponent(new Uri(options.CallbackUri));
}
return(app.UseOpenIdConnectAuthentication(openIdOptions));
}
public void ConfigureAuth(IAppBuilder app)
{
ApplicationDbContext db = new ApplicationDbContext();
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
OpenIdConnectAuthenticationOptions options = new OpenIdConnectAuthenticationOptions();
options.ClientId = SettingsHelper.ClientId;
options.Authority = SettingsHelper.AzureADAuthority;
options.PostLogoutRedirectUri = SettingsHelper.LogoutAuthority;
OpenIdConnectAuthenticationNotifications notifications = new OpenIdConnectAuthenticationNotifications();
notifications.AuthorizationCodeReceived = (context) =>
{
string code = context.Code;
AuthenticationHelper authHelper = new AuthenticationHelper();
String signInUserId = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
AuthenticationContext authContext = new AuthenticationContext(SettingsHelper.AzureADAuthAuthority);
AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), authHelper.GetClientAssertionCertificate(), null);
return(Task.FromResult(0));
};
notifications.RedirectToIdentityProvider = (context) =>
{
string appBaseUrl = context.Request.Scheme + "://" + context.Request.Host + context.Request.PathBase;
context.ProtocolMessage.RedirectUri = appBaseUrl + "/";
context.ProtocolMessage.PostLogoutRedirectUri = appBaseUrl;
return(Task.FromResult(0));
};
notifications.AuthenticationFailed = (context) =>
{
context.HandleResponse();
return(Task.FromResult(0));
};
options.Notifications = notifications;
app.UseOpenIdConnectAuthentication(options);
}
private OpenIdConnectAuthenticationOptions CreateOptionsFromPolicy(string policy)
{
var resp = new OpenIdConnectAuthenticationOptions
{
MetadataAddress = String.Format(aadInstance, tenant, policy),
AuthenticationType = policy,
ClientId = clientId,
Notifications = new OpenIdConnectAuthenticationNotifications
{
RedirectToIdentityProvider = SetResponseUrls,
AuthenticationFailed = AuthenticationFailed,
SecurityTokenValidated = async(ctx) =>
{
try
{
ctx.AuthenticationTicket.Identity.AddClaim(new System.Security.Claims.Claim(Constants.TenantTypeClaim, Constants.B2CTenantType));
var userId = ctx.AuthenticationTicket.Identity.Claims.First(c => c.Type == Constants.ObjectIdClaim).Value;
var roles = db.UserRoles.Where(r => r.UserObjectId == userId);
if (roles.Count() > 0)
{
//TODO: use a persistent cookie to hold unto user tenant preference for future sessions
var tenantId = roles.First().TenantId;
var tenantName = db.Tenants.First(t => t.Id == tenantId).Name;
ctx.AuthenticationTicket.Identity.AddClaim(new System.Security.Claims.Claim(Constants.TenantIdClaim, tenantId));
ctx.AuthenticationTicket.Identity.AddClaim(new System.Security.Claims.Claim(Constants.TenantNameClaim, tenantName));
foreach (var r in roles.Where(role => role.TenantId == tenantId))
{
ctx.AuthenticationTicket.Identity.AddClaim(new System.Security.Claims.Claim(Constants.RoleClaim, r.Role));
}
}
await Task.FromResult(0);
} catch (Exception ex)
{
throw new SecurityTokenValidationException();
}
},
},
Scope = "openid",
ResponseType = "id_token",
TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name",
RoleClaimType = "role",
},
};
return(resp);
}
public static void ConfigureIdentityProviders(IAppBuilder app, string signInAsType)
{
var aad = new OpenIdConnectAuthenticationOptions
{
AuthenticationType = "AzureAd",
Caption = "Azure AD",
SignInAsAuthenticationType = signInAsType,
Authority = "https://login.microsoftonline.com/katsoupitsouhotmail.onmicrosoft.com",
ClientId = "b0d36085-a8ab-4f18-b10b-c0384eefbab2",
ClientSecret = "Qw8vTzvMP8gFIiwhRRJKnaeNRKDhfMZnU0LwBx3NkmI=",
RedirectUri = "http://localhost:8570/identity/signin-azuread"
};
app.UseOpenIdConnectAuthentication(aad);
}
private static void CodeReceivedAndRedeemedSkippedOptions(OpenIdConnectAuthenticationOptions options)
{
DefaultOptions(options);
options.ResponseType = OpenIdConnectResponseTypes.Code;
options.StateDataFormat = new AuthenticationPropertiesFormaterKeyValue();
options.Notifications =
new OpenIdConnectAuthenticationNotifications
{
AuthorizationCodeRedeemed = (notification) =>
{
notification.SkipToNextMiddleware();
return(Task.FromResult <object>(null));
}
};
}
/// <summary>
/// Creates a new instance of OpenIdConnectAuthenticationOptions.
/// </summary>
/// <param name="oktaMvcOptions">The <see cref="OktaMvcOptions"/> options.</param>
/// <param name="notifications">The OpenIdConnectAuthenticationNotifications notifications.</param>
/// <returns>A new instance of OpenIdConnectAuthenticationOptions.</returns>
public static OpenIdConnectAuthenticationOptions BuildOpenIdConnectAuthenticationOptions(OktaMvcOptions oktaMvcOptions, OpenIdConnectAuthenticationNotifications notifications)
{
var issuer = UrlHelper.CreateIssuerUrl(oktaMvcOptions.OktaDomain, oktaMvcOptions.AuthorizationServerId);
var httpClient = new HttpClient(new UserAgentHandler("okta-aspnet", typeof(OktaMiddlewareExtensions).Assembly.GetName().Version));
var configurationManager = new ConfigurationManager <OpenIdConnectConfiguration>(
issuer + "/.well-known/openid-configuration",
new OpenIdConnectConfigurationRetriever(),
new HttpDocumentRetriever(httpClient));
var tokenValidationParameters = new DefaultTokenValidationParameters(oktaMvcOptions, issuer)
{
NameClaimType = "name",
ValidAudience = oktaMvcOptions.ClientId,
// CLIST: 2019-11-08 - save the claims token into the bootstrap context for k2
SaveSigninToken = true,
};
var tokenExchanger = new TokenExchanger(oktaMvcOptions, issuer, configurationManager);
var definedScopes = oktaMvcOptions.Scope?.ToArray() ?? OktaDefaults.Scope;
var scopeString = string.Join(" ", definedScopes);
var oidcOptions = new OpenIdConnectAuthenticationOptions
{
ClientId = oktaMvcOptions.ClientId,
ClientSecret = oktaMvcOptions.ClientSecret,
Authority = issuer,
RedirectUri = oktaMvcOptions.RedirectUri,
ResponseType = OpenIdConnectResponseType.CodeIdToken,
Scope = scopeString,
PostLogoutRedirectUri = oktaMvcOptions.PostLogoutRedirectUri,
TokenValidationParameters = tokenValidationParameters,
SecurityTokenValidator = new StrictSecurityTokenValidator(),
AuthenticationMode = (oktaMvcOptions.LoginMode == LoginMode.SelfHosted) ? AuthenticationMode.Passive : AuthenticationMode.Active,
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthorizationCodeReceived = tokenExchanger.ExchangeCodeForTokenAsync,
RedirectToIdentityProvider = notifications.RedirectToIdentityProvider,
},
};
if (oktaMvcOptions.SecurityTokenValidated != null)
{
oidcOptions.Notifications.SecurityTokenValidated = oktaMvcOptions.SecurityTokenValidated;
}
return(oidcOptions);
}
public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
var openIdSettings = new OpenIdConnectAuthenticationOptions()
{
ClientId = clientId,
Authority = authority,
PostLogoutRedirectUri = postLogoutRedirectUri
};
app.UseOpenIdConnectAuthentication(openIdSettings);
LogSettings(openIdSettings);
}
public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
var authProvider = new CookieAuthenticationProvider
{
OnResponseSignIn = ctx =>
{
//ctx.Identity = StartupAuth.InitAuth(ctx);
}
};
var cookieOptions = new CookieAuthenticationOptions
{
Provider = authProvider
};
app.UseCookieAuthentication(cookieOptions);
// Required for AAD
OpenIdConnectAuthenticationOptions Options = new OpenIdConnectAuthenticationOptions
{
Authority = string.Format(aadInstance, tenant),
ClientId = clientId,
//ProtocolValidator = new OpenIdConnectProtocolValidator
//{
// RequireNonce = false
//},
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = AuthenticationFailed,
RedirectToIdentityProvider = (context) =>
{
string appBaseUrl = string.Format("{0}://{1}{2}", context.Request.Scheme, context.Request.Host, context.Request.PathBase);
context.ProtocolMessage.RedirectUri = appBaseUrl + "/";
context.ProtocolMessage.PostLogoutRedirectUri = appBaseUrl + "/Account/SignedOut";
return(Task.FromResult(0));
},
},
TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = false,
},
AuthenticationType = CustomAuthTypes.B2E,
};
app.UseOpenIdConnectAuthentication(Options);
}
private static OpenIdConnectAuthenticationOptions GetOpenIdConnectAuthenticationOptions(IdentityProviderClientConfigurationElement provider)
{
OpenIdConnectAuthenticationOptions options = new OpenIdConnectAuthenticationOptions
{
AuthenticationType = provider.Name,
Caption = provider.Name,
ClientId = provider.ClientId,
Authority = provider.Issuer.ToString(),
RedirectUri = provider.RedirectUrl.ToString(),
// Leveraging Authorization Code grant
ResponseType = "code",
Scope = "openid email",
Notifications = GetOpenIdConnectAuthenticationNotifications()
};
return(options);
}
private static void AuthorizationCodeReceivedHandledOptions(OpenIdConnectAuthenticationOptions options)
{
DefaultOptions(options);
options.SecurityTokenValidators = new Collection <ISecurityTokenValidator> {
MockSecurityTokenValidator()
};
options.ProtocolValidator = MockProtocolValidator();
options.Notifications =
new OpenIdConnectAuthenticationNotifications
{
AuthorizationCodeReceived = (notification) =>
{
notification.HandleResponse();
return(Task.FromResult <object>(null));
}
};
}
private static void AuthenticationErrorSkippedOptions(OpenIdConnectAuthenticationOptions options)
{
DefaultOptions(options);
options.SecurityTokenValidators = new Collection <ISecurityTokenValidator> {
MockSecurityTokenValidator()
};
options.ProtocolValidator = MockProtocolValidator();
options.Notifications =
new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = (notification) =>
{
notification.SkipToNextMiddleware();
return(Task.FromResult <object>(null));
}
};
}
private static void SetProtocolMessageOptions(OpenIdConnectAuthenticationOptions options)
{
var mockOpenIdConnectMessage = new Mock <OpenIdConnectMessage>();
mockOpenIdConnectMessage.Setup(m => m.CreateAuthenticationRequestUrl()).Returns(ExpectedAuthorizeRequest);
mockOpenIdConnectMessage.Setup(m => m.CreateLogoutRequestUrl()).Returns(ExpectedLogoutRequest);
options.AutomaticAuthentication = true;
options.Notifications =
new OpenIdConnectAuthenticationNotifications
{
RedirectToIdentityProvider = (notification) =>
{
notification.ProtocolMessage = mockOpenIdConnectMessage.Object;
return(Task.FromResult <object>(null));
}
};
}
/// <summary>
/// Adds the <see cref="OpenIdConnectAuthenticationMiddleware"/> into the OWIN runtime.
/// </summary>
/// <param name="app">The <see cref="IAppBuilder"/> passed to the configuration method</param>
/// <param name="openIdConnectOptions">A <see cref="OpenIdConnectAuthenticationOptions"/> contains settings for obtaining identities using the OpenIdConnect protocol.</param>
/// <returns>The updated <see cref="IAppBuilder"/></returns>
public static IAppBuilder UseOpenIdConnectAuthentication(this IAppBuilder app,
OpenIdConnectAuthenticationOptions openIdConnectOptions)
{
if (app == null)
{
throw new ArgumentNullException("app");
}
if (openIdConnectOptions == null)
{
throw new ArgumentNullException("openIdConnectOptions");
}
app.Use(typeof(OpenIdConnectAuthenticationMiddleware), app, openIdConnectOptions);
app.UseStageMarker(PipelineStage.PostAcquireState);
return(app);
}
public IEnumerable <OwinMiddlewareRegistration> GetOwinMiddlewares()
{
var middlewares = new List <OwinMiddlewareRegistration>();
AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier;
var openIdOptions = new OpenIdConnectAuthenticationOptions {
ClientId = _azureClientId,
Authority = string.Format(CultureInfo.InvariantCulture, _azureADInstance, _azureTenant),
PostLogoutRedirectUri = _logoutRedirectUri,
Notifications = new OpenIdConnectAuthenticationNotifications()
};
var cookieOptions = new CookieAuthenticationOptions();
var bearerAuthOptions = new WindowsAzureActiveDirectoryBearerAuthenticationOptions {
TokenValidationParameters = new TokenValidationParameters {
ValidAudience = string.Format(_sslEnabled ? "https://{0}/{1}" : "http://{0}/{1}", _azureTenant, _azureAppName)
}
};
if (_azureWebSiteProtectionEnabled)
{
middlewares.Add(new OwinMiddlewareRegistration {
Priority = "9",
Configure = app => { app.SetDataProtectionProvider(new MachineKeyProtectionProvider()); }
});
}
middlewares.Add(new OwinMiddlewareRegistration {
Priority = "10",
Configure = app => {
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(cookieOptions);
app.UseOpenIdConnectAuthentication(openIdOptions);
//This is throwing an XML DTD is prohibited error?
//app.UseWindowsAzureActiveDirectoryBearerAuthentication(bearerAuthOptions);
}
});
return(middlewares);
}
protected override void AttachToOwinApp(IGalleryConfigurationService config, IAppBuilder app)
{
// Fetch site root from configuration
var siteRoot = config.Current.SiteRoot.TrimEnd('/') + "/";
// We *always* require SSL for Authentication
if (siteRoot.StartsWith("http://", StringComparison.OrdinalIgnoreCase))
{
siteRoot = siteRoot.Replace("http://", "https://");
}
if (!string.IsNullOrWhiteSpace(config.Current.AlternateSiteRootList))
{
var alternateSiteRootList = config
.Current
.AlternateSiteRootList
.Split(';')
.Select(d => d.Trim())
.ToArray();
_alternateSiteRootList = new HashSet <string>(alternateSiteRootList, StringComparer.OrdinalIgnoreCase);
}
// Configure OpenIdConnect
var options = new OpenIdConnectAuthenticationOptions(BaseConfig.AuthenticationType)
{
RedirectUri = siteRoot + _callbackPath,
PostLogoutRedirectUri = siteRoot,
Scope = OpenIdConnectScope.OpenIdProfile + " email",
ResponseType = OpenIdConnectResponseType.CodeIdToken,
TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters()
{
ValidateIssuer = false
},
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = AuthenticationFailed,
RedirectToIdentityProvider = RedirectToIdentityProvider
}
};
Config.ApplyToOwinSecurityOptions(options);
app.UseOpenIdConnectAuthentication(options);
}
public void Configuration(IAppBuilder app)
{
JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary <string, string>();
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie
});
var options = new OpenIdConnectAuthenticationOptions
{
ClientId = "getstartedimplicit",
Authority = "http://localhost:53189/",
RedirectUri = "http://localhost:64584/",
PostLogoutRedirectUri = "http://localhost:64584/",
ResponseType = "id_token token",
Scope = "openid profile",
SignInAsAuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
Notifications = new OpenIdConnectAuthenticationNotifications
{
SecurityTokenValidated = notification =>
{
var identity = notification.AuthenticationTicket.Identity;
identity.AddClaim(new Claim("id_token", notification.ProtocolMessage.IdToken));
identity.AddClaim(new Claim("access_token", notification.ProtocolMessage.AccessToken));
notification.AuthenticationTicket = new AuthenticationTicket(identity, notification.AuthenticationTicket.Properties);
return(Task.FromResult(0));
},
RedirectToIdentityProvider = notification =>
{
if (notification.ProtocolMessage.RequestType != OpenIdConnectRequestType.LogoutRequest)
{
return(Task.FromResult(0));
}
notification.ProtocolMessage.IdTokenHint = notification.OwinContext.Authentication.User.FindFirst("id_token").Value;
return(Task.FromResult(0));
}
}
};
app.UseOpenIdConnectAuthentication(options);
}
public static IAppBuilder UseMultitenantAadOidcAuthentication(this IAppBuilder app, MultitenantAadOidcOptions options)
{
if (app == null)
{
throw new ArgumentNullException("app");
}
if (options == null)
{
throw new ArgumentNullException("options");
}
var aad = new OpenIdConnectAuthenticationOptions
{
AuthenticationType = options.AuthenticationType,
Caption = options.Caption,
RedirectUri = options.RedirectUri,
ClientId = options.MultitenantAppId.ToString(),
Authority = options.Authority,
Scope = "openid email",
Notifications = new OpenIdConnectAuthenticationNotifications
{
RedirectToIdentityProvider = (n) =>
{
var metadata = MetadataHelper.GetMetadataDocumentAsync("https://login.microsoftonline.com/lesterjtgmail.onmicrosoft.com/.well-known/openid-configuration", n.OwinContext.Request.CallCancelled).Result;
OpenIdConnectConfiguration config = new OpenIdConnectConfiguration(metadata);
//these values affect the redirect
n.ProtocolMessage.IssuerAddress = config.AuthorizationEndpoint;
n.ProtocolMessage.ClientId = "4deaba2a-548d-47bc-809f-e010a0841769";
//these values affect the token validation when the reponse is received
n.Options.TokenValidationParameters.ValidAudience = "4deaba2a-548d-47bc-809f-e010a0841769";
n.Options.TokenValidationParameters.ValidIssuer = config.Issuer;
return(Task.FromResult(0));
}
},
SignInAsAuthenticationType = options.SignInAsAuthenticationType
};
app.UseOpenIdConnectAuthentication(aad);
return(app);
}
public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
var oidcOptions = new OpenIdConnectAuthenticationOptions
{
Authority = OidcAuthority,
ClientId = OidcClientId,
ClientSecret = OidcClientSecret,
GetClaimsFromUserInfoEndpoint = true,
PostLogoutRedirectUri = OidcRedirectUrl,
RedirectUri = OidcRedirectUrl,
ResponseType = OpenIdConnectResponseType.Code,
Scope = OpenIdConnectScope.OpenId
};
app.UseOpenIdConnectAuthentication(oidcOptions);
}
private static void ConfigureOpenIdConnectOptions(OktaMvcOptions oktaMvcOptions,
OpenIdConnectAuthenticationOptions oidcOptions)
{
oidcOptions.ClientId = oktaMvcOptions.ClientId;
oidcOptions.ClientSecret = oktaMvcOptions.ClientSecret;
oidcOptions.Authority = domain;
oidcOptions.CallbackPath = new PathString("");
oidcOptions.PostLogoutRedirectUri = oktaMvcOptions.PostLogoutRedirectUri;
oidcOptions.ResponseType = "code id_token";
oidcOptions.SecurityTokenValidator = new System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler();
oidcOptions.UseTokenLifetime = true;
oidcOptions.RedirectUri = EnsureTrailingSlash(oktaMvcOptions.RedirectUri);
oidcOptions.Scope = "openid profile";
oidcOptions.TokenValidationParameters = new DefaultTokenValidationParameters(oktaMvcOptions, "Okta")
{
ValidAudience = oktaMvcOptions.ClientId,
NameClaimType = "preferred_username",
};
}
public void Signup(OpenIdConnectAuthenticationOptions openIdConnectOptions)
{
if (!Context.User.Identity.IsAuthenticated)
{
Context.Response.Redirect(
$"https://login.microsoftonline.com/{Startup.Tenant}/oauth2/v2.0/authorize" +
$"&client_id={Startup.SignUpPolicyId}" +
$"&client_id={Startup.ClientId}" +
"&response_type=id_token" +
"&scope=openid" +
"&response_mode=form_post" +
$"&redirect_uri={Startup.RedirectUrl}"
);
}
else
{
Context.Response.Redirect("/");
}
}
protected override void ProcessCore(IdentityProvidersArgs args)
{
Assert.ArgumentNotNull(args, "args");
IdentityProvider = this.GetIdentityProvider();
var options = new OpenIdConnectAuthenticationOptions
{
ClientId = ClientId,
ClientSecret = ClientSecret,
Authority = Authority,
RedirectUri = OAuthRedirectUri,
ResponseType = OpenIdConnectResponseType.CodeIdToken,
Scope = OpenIdScope,
AuthenticationType = IdentityProvider.Name,
TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name"
},
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthorizationCodeReceived = ProcessAuthorizationCodeReceived,
RedirectToIdentityProvider = n =>
{
// If signing out, add the id_token_hint
if (n.ProtocolMessage.RequestType == Microsoft.IdentityModel.Protocols.OpenIdConnectRequestType.LogoutRequest)
{
var idTokenClaim = n.OwinContext.Authentication.User.FindFirst("id_token");
if (idTokenClaim != null)
{
n.ProtocolMessage.IdTokenHint = idTokenClaim.Value;
}
}
return(Task.CompletedTask);
}
}
};
args.App.UseOpenIdConnectAuthentication(options);
}
/// <summary>
/// Configures the application to use Azure AD with Power BI
/// </summary>
/// <param name="app">The OWIN app builder</param>
/// <param name="options">The autheentication options</param>
/// <returns>The OWIN app build</returns>
/// <exception cref="ArgumentNullException"></exception>
public static IAppBuilder UsePowerBIAuthentication(this IAppBuilder app, PowerBIAuthenticationOptions options)
{
if (options == null)
{
throw new ArgumentNullException(nameof(options));
}
ValidateOptions(options);
var openIdAuthOptions = new OpenIdConnectAuthenticationOptions
{
ClientId = options.ClientId,
ClientSecret = options.ClientSecret,
Authority = options.Authority,
TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
{
ValidIssuer = options.Issuer,
ValidateIssuer = options.ValidateIssuer
},
Notifications = new OpenIdConnectAuthenticationNotifications()
{
AuthorizationCodeReceived = (context) =>
{
OnAuthorizationCodeReceived(context, options);
return(Task.FromResult(0));
},
AuthenticationFailed = (context) =>
{
var redirectUri = options.ErrorRedirectUri ?? new Uri("/", UriKind.Relative);
context.OwinContext.Response.Redirect(redirectUri.ToString());
context.HandleResponse();
return(Task.FromResult(0));
}
}
};
app.UseOpenIdConnectAuthentication(openIdAuthOptions);
ConfigureTokenManager();
return(app);
}
private static void GetUserInfoFromUIEndpoint(OpenIdConnectAuthenticationOptions options)
{
DefaultOptions(options);
options.ResponseType = OpenIdConnectResponseTypes.Code;
options.StateDataFormat = new AuthenticationPropertiesFormaterKeyValue();
options.GetClaimsFromUserInfoEndpoint = true;
options.SecurityTokenValidators = new Collection <ISecurityTokenValidator> {
MockSecurityTokenValidator()
};
options.Notifications =
new OpenIdConnectAuthenticationNotifications
{
SecurityTokenValidated = (notification) =>
{
var claimValue = notification.AuthenticationTicket.Principal.FindFirst("test claim");
Assert.Equal(claimValue.Value, "test value");
notification.HandleResponse();
return(Task.FromResult <object>(null));
}
};
}
private void ConfigureAuth(IAppBuilder app)
{
var cookieOptions = new CookieAuthenticationOptions();
app.UseCookieAuthentication(cookieOptions);
app.SetDefaultSignInAsAuthenticationType(cookieOptions.AuthenticationType);
OpenIdConnectAuthenticationOptions oidcOptions = new OpenIdConnectAuthenticationOptions
{
Authority = "https://localhost:5000",
ClientId = "mvc",
ClientSecret = "49C1A7E1-0C79-4A89-A3D6-A37998FB86B0",
RedirectUri = "https://localhost:44348/signin-oidc",
ResponseType = "code",
RedeemCode = true,
SaveTokens = true
};
app.UseOpenIdConnectAuthentication(oidcOptions);
}
public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
var opt = new OktaMvcOptions()
{
ClientSecret = clientSecret,
ClientId = clientId,
OktaDomain = domain,
PostLogoutRedirectUri = postLogoutRedirectUri,
RedirectUri = redirectUri
};
var oidOptions = new OpenIdConnectAuthenticationOptions();
ConfigureOpenIdConnectOptions(opt, oidOptions);
LogSettings(oidOptions);
app.UseOpenIdConnectAuthentication(oidOptions);
}
private static void ConfigureOpenIdForFrontEnd(IAppBuilder app)
{
// Uncomment the following lines to enable logging in with third party login providers
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
//app.UseMicrosoftAccountAuthentication(
// clientId: "",
// clientSecret: "");
//app.UseTwitterAuthentication(
// consumerKey: "",
// consumerSecret: "");
//app.UseFacebookAuthentication(
// appId: "",
// appSecret: "");
//app.UseGoogleAuthentication(
// clientId: "",
// clientSecret: "");
var identityOptions
= new OpenIdConnectAuthenticationOptions
{
ClientId = ConfigurationManager.AppSettings["FE_READYCONNECT_CLIENT_ID"], // This client has already been registered. You may register more via https://members.readysignon.com
Caption = ConfigurationManager.AppSettings["FE_READYCONNECT_CLIENT_CAPTION"], // Text used for displaying this sign-in option on the login page.
ResponseType = "code id_token token", // This corresponds to the Hybrid Flow outlined in oidc core spec 1.0.
Scope = ConfigurationManager.AppSettings["FE_READYCONNECT_SCOPES"], // When rso_rid is absent, rso_idp is used.
SignInAsAuthenticationType = DefaultAuthenticationTypes.ExternalCookie,
Authority = "https://members.readysignon.com/",
RedirectUri = ConfigurationManager.AppSettings["MAIN_SITE_BASE_URL"], // This shouldn't be changed if you're running this code locally unless you want to register your own client application at https://members.readysignon.com
PostLogoutRedirectUri = ConfigurationManager.AppSettings["MAIN_SITE_BASE_URL"]
};
// Give this middleware a unique type name
identityOptions.AuthenticationType = "readyconnectsvc_for_umbraco_fe";
ConfigureIdentityCreationAndCustomHandlers(app, identityOptions, autoLinkExternalAccount: true);
}
public static void ConfigureBackOfficeAzureActiveDirectoryA2BAuth(this IAppBuilder app,
string tenant,
string clientId,
string clientSecret,
string redirectUri,
string signUpPolicyId,
string signInPolicyId,
string userProfilePolicyId,
string adminClientId,
string adminClientSecret,
//Guid issuerId,
string caption = "Active Directory", string style = "btn-microsoft", string icon = "fa-windows")
{
//ORIGINAL OPTIONS SUPPLIED BY SAMPLE B2C APP
//var options = new OpenIdConnectAuthenticationOptions
//{
// // These are standard OpenID Connect parameters, with values pulled from web.config
// ClientId = clientId,
// RedirectUri = redirectUri,
// PostLogoutRedirectUri = redirectUri,
// Notifications = new OpenIdConnectAuthenticationNotifications
// {
// AuthenticationFailed = AuthenticationFailed,
// RedirectToIdentityProvider = OnRedirectToIdentityProvider,
// },
// Scope = "openid",
// ResponseType = "id_token",
// // The PolicyConfigurationManager takes care of getting the correct Azure AD authentication
// // endpoints from the OpenID Connect metadata endpoint. It is included in the PolicyAuthHelpers folder.
// ConfigurationManager = new PolicyConfigurationManager(
// string.Format(CultureInfo.InvariantCulture, AADInstance, tenant, "/v2.0", OIDCMetadataSuffix),
// new string[] { signUpPolicyId, signInPolicyId, userProfilePolicyId }),
// // This piece is optional - it is used for displaying the user's name in the navigation bar.
// TokenValidationParameters = new TokenValidationParameters
// {
// NameClaimType = "name"
// },
//};
var adOptions = new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
RedirectUri = redirectUri,
PostLogoutRedirectUri = redirectUri,
Notifications = new OpenIdConnectAuthenticationNotifications
{
//AuthenticationFailed = AuthenticationFailed,
RedirectToIdentityProvider = OnRedirectToIdentityProvider,
////When the user is authorized and we are not asking for an id_token (see way below for details on that),
//// we will get an auth code which we can then use to retrieve information about the user.
//AuthorizationCodeReceived = async notification =>
//{
// // The user's objectId is extracted from the claims provided in the id_token, and used to cache tokens in ADAL
// // The authority is constructed by appending your B2C directory's name to "https://login.microsoftonline.com/"
// // The client credential is where you provide your application secret, and is used to authenticate the application to Azure AD
// var userObjectId = notification.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
// var authority = string.Format(CultureInfo.InvariantCulture, AADInstance, tenant, string.Empty, string.Empty);
// var credential = new ClientCredential(clientId, clientSecret);
// // We don't care which policy is used to access the TaskService, so let's use the most recent policy as indicated in the sign-in token
// var mostRecentPolicy = notification.AuthenticationTicket.Identity.FindFirst(AcrClaimType).Value;
// // The Authentication Context is ADAL's primary class, which represents your connection to your B2C directory
// // ADAL uses an in-memory token cache by default. In this case, we've extended the default cache to use a simple per-user session cache
// var authContext = new AuthenticationContext(authority, new NaiveSessionCache(userObjectId));
// // Here you ask for a token using the web app's clientId as the scope, since the web app and service share the same clientId.
// // The token will be stored in the ADAL token cache, for use in our controllers
// var result = await authContext.AcquireTokenByAuthorizationCodeAsync(notification.Code, new Uri(redirectUri), credential, new string[] { clientId }, mostRecentPolicy);
// //var userDetails = await GetUserByObjectId(result, userObjectId, tenant, clientId, clientSecret);
// var asdf = result;
//},
MessageReceived = notification =>
{
return Task.FromResult(0);
},
SecurityTokenReceived = notification =>
{
return Task.FromResult(0);
},
SecurityTokenValidated = notification =>
{
//var userObjectId = notification.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
//var authority = string.Format(CultureInfo.InvariantCulture, AADInstance, tenant, string.Empty, string.Empty);
//var credential = new ClientCredential(clientId, clientSecret);
// We don't care which policy is used to access the TaskService, so let's use the most recent policy
//var mostRecentPolicy = notification.AuthenticationTicket.Identity.FindFirst(AcrClaimType).Value;
// Here you ask for a token using the web app's clientId as the scope, since the web app and service share the same clientId.
// AcquireTokenSilentAsync will return a token from the token cache, and throw an exception if it cannot do so.
//var authContext = new AuthenticationContext(authority, new NaiveSessionCache(userObjectId));
//var result = await authContext.AcquireTokenSilentAsync(new string[] { clientId }, credential, UserIdentifier.AnyUser, mostRecentPolicy);
// Here you ask for a token using the web app's clientId as the scope, since the web app and service share the same clientId.
// The token will be stored in the ADAL token cache, for use in our controllers
//var result = await authContext.AcquireTokenByAuthorizationCodeAsync(notification.Code, new Uri(redirectUri), credential, new string[] { clientId }, mostRecentPolicy);
//var asdf = result;
//The returned identity doesn't actually have 'email' as a claim, but instead has a collection of "emails", so we're going to ensure one is
// in there and then set the Email claim to be the first so that auto-signin works
var emails = notification.AuthenticationTicket.Identity.FindFirst("emails");
if (emails != null)
{
var email = emails.Value;
notification.AuthenticationTicket.Identity.AddClaim(new Claim(ClaimTypes.Email, email));
}
return Task.FromResult(0);
}
},
//NOTE: in this article they are requesting this scope: https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-devquickstarts-web-api-dotnet/
// I'm unsure if we leave off the offline_access part if we'd get an authcode request back or not, so leaving it here
// for now since it is working.
//Scope = "openid offline_access",
Scope = "openid",
//NOTE: If we ask for this, then we'll simply get an ID Token back which we cannot use to request
// additional data of the user. We need to get an authorization code reponse (I'm not sure what the
// string value for that is but if we don't specify then it's the default).
ResponseType = "id_token",
// The PolicyConfigurationManager takes care of getting the correct Azure AD authentication
// endpoints from the OpenID Connect metadata endpoint. It is included in the PolicyAuthHelpers folder.
// The first parameter is the metadata URL of your B2C directory
// The second parameter is an array of the policies that your app will use.
ConfigurationManager = new PolicyConfigurationManager(
string.Format(CultureInfo.InvariantCulture, AADInstance, tenant, "/v2.0", OIDCMetadataSuffix),
new string[] { signUpPolicyId, signInPolicyId, userProfilePolicyId }),
// This piece is optional - it is used for displaying the user's name in the navigation bar.
TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name",
},
SignInAsAuthenticationType = Umbraco.Core.Constants.Security.BackOfficeExternalAuthenticationType
};
adOptions.SetChallengeResultCallback(context => new AuthenticationProperties(
new Dictionary<string, string>
{
{UmbracoADAuthExtensions.PolicyKey, signInPolicyId}
})
{
RedirectUri = "/Umbraco",
});
var orig = adOptions.AuthenticationType;
adOptions.ForUmbracoBackOffice(style, icon);
adOptions.AuthenticationType = orig;
adOptions.Caption = caption;
//NOTE: This needs to be set after the ForUmbracoBackOffice
// this needs to be set to what AD returns otherwise you cannot unlink an account
adOptions.AuthenticationType = string.Format(
CultureInfo.InvariantCulture,
"https://login.microsoftonline.com/{0}/v2.0/",
//Not sure where this comes from! ... perhaps 'issuerId', but i don't know where to find this,
// i just know this based on the response we get from B2C
"ae25bf5e-871e-454a-a1b6-a3560a09ec5e");
//This will auto-create users based on the authenticated user if they are new
//NOTE: This needs to be set after the explicit auth type is set
adOptions.SetExternalSignInAutoLinkOptions(new ExternalSignInAutoLinkOptions(autoLinkExternalAccount: true));
app.UseOpenIdConnectAuthentication(adOptions);
}
