private static Task RedirectToIdentityProvider(
RedirectToIdentityProviderNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> n,
TcgOpenIdConnectAuthenticationOptions options
)
{
// if signing out, add the id_token_hint
if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.Logout)
{
var idTokenHint = n.OwinContext.Authentication.User.FindFirst("id_token");
if (idTokenHint != null)
{
n.ProtocolMessage.IdTokenHint = idTokenHint.Value;
}
n.ProtocolMessage.PostLogoutRedirectUri = $"{n.OwinContext.Request.Uri.Scheme}://{n.OwinContext.Request.Uri.Authority}";
//Session.Abandon();
}
// Add Tennant specific info to AuthenticationRequest
if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.Authentication)
{
//////TODO: Do something with the state to redirect to the correct URL
//n.ProtocolMessage.State = string.Empty;
if (n.OwinContext.Authentication.User.Identity.IsAuthenticated)
{
n.ProtocolMessage.Prompt = "login";
}
n.ProtocolMessage.RedirectUri = $"{n.OwinContext.Request.Uri.Scheme}://{n.OwinContext.Request.Uri.Authority}";
string host = n.OwinContext.Request.Uri.Host;
string preferredIdp = options.PreferedIdps?.FirstOrDefault(x => string.Equals(host, x.HostName, StringComparison.OrdinalIgnoreCase))?.Idp
?? options.FallbackPreferedIdp;
var forceDomain = options.ForceDomains?.FirstOrDefault(x => string.Equals(host, x.HostName, StringComparison.OrdinalIgnoreCase))?.Domain;
string loginDomains = null;
if (options.LoginDomains != null)
{
loginDomains = string.Join(";", options.LoginDomains.Select(x => $"#{x.ToString("N")}"));
}
List <string> acrValues = options.ExtraAcrValues ?? new List <string>();
if (!string.IsNullOrWhiteSpace(preferredIdp))
{
acrValues.Add($"idp:{preferredIdp}");
}
if (!string.IsNullOrWhiteSpace(loginDomains))
{
acrValues.Add($"loginDomains:{loginDomains}");
}
if (forceDomain.HasValue)
{
acrValues.Add($"forceDomain:#{forceDomain.Value.ToString("N")}");
}
//string otac = n.OwinContext.Get<string>("otac");
//if (otac != null) {
// acrValues.Add($"otac:{otac}");
//}
n.ProtocolMessage.AcrValues = string.Join(" ", acrValues);
}
return(Task.FromResult(0));
}
public static IAppBuilder UseTcgOpenIdConnectAuthentication(this IAppBuilder app, TcgOpenIdConnectAuthenticationOptions options)
{
if (options == null)
{
throw new ArgumentNullException(nameof(options));
}
var tokenEndpoint = $"{options.Authority}/connect/token";
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = "DomainSecurity STS Cookie",
SessionStore = options.SessionStore,
CookieHttpOnly = options.CookieHttpOnly,
CookieDomain = options.CookieDomain,
CookieSecure = options.CookieSecure,
CookieSameSite = options.CookieSameSite,
CookieManager = new SystemWebCookieManager(),
Provider = new CookieAuthenticationProvider
{
OnValidateIdentity = n => ValidateAccessToken(n, tokenEndpoint, options.ClientId, options.ClientSecret),
},
});
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
ClientId = options.ClientId,
ClientSecret = options.ClientSecret,
Authority = options.Authority,
AuthenticationMode = options.AuthenticationMode,
AuthenticationType = options.AuthenticationType ?? "STS",
ResponseType = options.ResponseType,
Scope = options.Scope,
RedirectUri = options.RedirectUri,
PostLogoutRedirectUri = options.PostLogoutRedirectUri,
TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "idString",
RoleClaimType = "role",
},
//Do not use the lifetime of the id_token, use the Cookie middleware expiration instead.
UseTokenLifetime = false,
SignInAsAuthenticationType = "DomainSecurity STS Cookie",
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = async n =>
{
if (options.Notifications?.AuthenticationFailed != null)
{
await options.Notifications?.AuthenticationFailed(n);
}
},
AuthorizationCodeReceived = async n =>
{
await AuthorizationCodeReceived(n, options.Authority, options.ClientId, options.ClientSecret);
if (options.Notifications?.AuthorizationCodeReceived != null)
{
await options.Notifications?.AuthorizationCodeReceived(n);
}
},
MessageReceived = async n =>
{
if (options.Notifications != null)
{
await options.Notifications?.MessageReceived(n);
}
},
SecurityTokenReceived = async n =>
{
if (options.Notifications?.SecurityTokenReceived != null)
{
await options.Notifications?.SecurityTokenReceived(n);
}
},
SecurityTokenValidated = async n =>
{
await SecurityTokenValidated(n, options.Authority);
if (options.Notifications?.SecurityTokenValidated != null)
{
await options.Notifications?.SecurityTokenValidated(n);
}
},
RedirectToIdentityProvider = async n =>
{
await RedirectToIdentityProvider(n, options);
if (options.Notifications?.RedirectToIdentityProvider != null)
{
await options.Notifications?.RedirectToIdentityProvider(n);
}
}
}
});
return(app);
}
