public async Task<User> GetBySSOIoTUserAsync(string accessToken) { var client = new UserInfoClient( new Uri(UGConstants.SSO.UserInfoEndpoint), accessToken); var response = await client.GetAsync(); var user = new User(); if (response.Claims != null) { foreach (var ui in response.Claims) { if (ui.Item1 == UGConstants.ClaimTypes.Subject) user.Id = ui.Item2; if (ui.Item1 == UGConstants.ClaimTypes.PreferredUserName) user.UserName = ui.Item2; } } return user; }
// For more information on configuring authentication, please visit http://go.microsoft.com/fwlink/?LinkId=301864 public void ConfigureAuth(IAppBuilder app) { // Configure the db context, user manager and signin manager to use a single instance per request SSOFactory.CreateOwinContext(app); JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>(); //Require => error sso app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationType = "Cookies" }); app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions { ClientId = UGConstants.SSOClient.ClientId, ClientSecret = UGConstants.SSOClient.ClientSecret, Authority = UGConstants.SSO.AuthorityBaseUri + UGConstants.SSO.PathHostIdentityServer, RedirectUri = UGConstants.SSOClient.RedirectUri, ResponseType = "id_token token", Scope = "openid profile", PostLogoutRedirectUri = UGConstants.SSOClient.PostLogoutRedirectUri, SignInAsAuthenticationType = "Cookies", UseTokenLifetime = false, Notifications = new OpenIdConnectAuthenticationNotifications { SecurityTokenValidated = async n => { var nid = new ClaimsIdentity(n.AuthenticationTicket.Identity.Claims, n.AuthenticationTicket.Identity.AuthenticationType, UGConstants.ClaimTypes.GivenName, UGConstants.ClaimTypes.Role); // get userinfo data var userInfoClient = new UserInfoClient( new Uri(n.Options.Authority + "/connect/userinfo"), n.ProtocolMessage.AccessToken); var userInfo = await userInfoClient.GetAsync(); if (userInfo.Claims != null) { //userInfo.Claims.ToList().ForEach(ui => nid.AddClaim(new Claim(ui.Item1, ui.Item2))); foreach (var ui in userInfo.Claims) { if (nid.Claims.Where(x => x.Type == ui.Item1 && x.Value == ui.Item2).Count() < 1) nid.AddClaim(new Claim(ui.Item1, ui.Item2)); } } string userName = nid.GetUserName(); if (string.IsNullOrWhiteSpace(userName)) throw new ArgumentNullException("UserName is not null or empty"); // keep the id_token for logout nid.AddClaim(new Claim("id_token", n.ProtocolMessage.IdToken)); // add access token for sample API nid.AddClaim(new Claim("access_token", n.ProtocolMessage.AccessToken)); // keep track of access token expiration nid.AddClaim(new Claim("expires_at", DateTimeOffset.Now.AddSeconds(int.Parse(n.ProtocolMessage.ExpiresIn)).ToString())); n.AuthenticationTicket = new Microsoft.Owin.Security.AuthenticationTicket( nid, n.AuthenticationTicket.Properties); }, RedirectToIdentityProvider = n => { if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest) { var idTokenHint = n.OwinContext.Authentication.User.FindFirst("id_token"); if (idTokenHint != null) { n.ProtocolMessage.IdTokenHint = idTokenHint.Value; var signOutMessageId = n.OwinContext.Environment.GetSignOutMessageId(); if (signOutMessageId != null) { n.OwinContext.Response.Cookies.Append("state", signOutMessageId); } } } return Task.FromResult(0); } } }); }
// For more information on configuring authentication, please visit http://go.microsoft.com/fwlink/?LinkId=301864 public void ConfigureAuth(IAppBuilder app) { // Configure the db context, user manager and signin manager to use a single instance per request //register with IdentityServer3 //app.CreatePerOwinContext(ApplicationDbContext.Create); app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create); app.CreatePerOwinContext<ApplicationRoleManager>(ApplicationRoleManager.Create); app.CreatePerOwinContext<ApplicationPermissionManager>(ApplicationPermissionManager.Create); app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationType = "Cookies" }); app.UseExternalSignInCookie(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ExternalCookie); // Enables the application to temporarily store user information when they are verifying the second factor in the two-factor authentication process. app.UseTwoFactorSignInCookie(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.TwoFactorCookie, TimeSpan.FromMinutes(5)); // Enables the application to remember the second login verification factor such as phone or email. // Once you check this option, your second step of verification during the login process will be remembered on the device where you logged in from. // This is similar to the RememberMe option when you log in. app.UseTwoFactorRememberBrowserCookie(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie); app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions { ClientId = SSOISConstants.LocalClientId, ClientSecret = SSOISConstants.LocalClientSecret, Authority = SSOISConstants.LocalClientUri + SSOISConstants.PathHostIdentityServer, RedirectUri = SSOISConstants.LocalRedirectUris.First(), ResponseType = "id_token token", Scope = "openid profile email roles", PostLogoutRedirectUri = SSOISConstants.LocalPostLogoutRedirectUris.First(), SignInAsAuthenticationType = "Cookies", UseTokenLifetime = false, Notifications = new OpenIdConnectAuthenticationNotifications { SecurityTokenValidated = async n => { var nid = new ClaimsIdentity(n.AuthenticationTicket.Identity.Claims, n.AuthenticationTicket.Identity.AuthenticationType, Constants.ClaimTypes.GivenName, Constants.ClaimTypes.Role); // get userinfo data var userInfoClient = new UserInfoClient( new Uri(n.Options.Authority + "/connect/userinfo"), n.ProtocolMessage.AccessToken); var userInfo = await userInfoClient.GetAsync(); if (userInfo.Claims != null) { //userInfo.Claims.ToList().ForEach(ui => nid.AddClaim(new Claim(ui.Item1, ui.Item2))); foreach (var ui in userInfo.Claims) { if (nid.Claims.Where(x => x.Type == ui.Item1 &&x.Value == ui.Item2).Count()<1) nid.AddClaim(new Claim(ui.Item1, ui.Item2)); } } // keep the id_token for logout nid.AddClaim(new Claim("id_token", n.ProtocolMessage.IdToken)); // add access token for sample API nid.AddClaim(new Claim("access_token", n.ProtocolMessage.AccessToken)); // keep track of access token expiration nid.AddClaim(new Claim("expires_at", DateTimeOffset.Now.AddSeconds(int.Parse(n.ProtocolMessage.ExpiresIn)).ToString())); n.AuthenticationTicket = new Microsoft.Owin.Security.AuthenticationTicket( nid, n.AuthenticationTicket.Properties); }, RedirectToIdentityProvider = n => { if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest) { var idTokenHint = n.OwinContext.Authentication.User.FindFirst("id_token"); if (idTokenHint != null) { n.ProtocolMessage.IdTokenHint = idTokenHint.Value; //https://identityserver.github.io/Documentation/docsv2/advanced/federated-post-logout-redirect.html //https://github.com/IdentityServer/IdentityServer3/issues/1000 var signOutMessageId = n.OwinContext.Environment.GetSignOutMessageId(); if (signOutMessageId != null) { n.OwinContext.Response.Cookies.Append("state", signOutMessageId); } } } return Task.FromResult(0); } } }); }
private async Task<IEnumerable<Tuple<string, string>>> GetClaimsAsync(string token) { var client = new UserInfoClient( new Uri(UGConstants.SSO.UserInfoEndpoint), token); var response = await client.GetAsync(); var claim = response.Claims; return response.Claims; }