        /// <summary>
        /// Registers the authentication stack for the application: the login/registration configuration
        /// objects, ASP.NET Core Identity backed by <typeparamref name="TIdentityDbContext"/>, the
        /// SameSite cookie policy, IIS authentication settings and the external login providers.
        /// </summary>
        /// <typeparam name="TIdentityDbContext">EF Core context that stores the Identity tables.</typeparam>
        /// <typeparam name="TUserIdentity">User entity type used by Identity.</typeparam>
        /// <typeparam name="TUserIdentityRole">Role entity type used by Identity.</typeparam>
        /// <param name="services">Service collection to register into.</param>
        /// <param name="configuration">Application configuration; the <c>IdentityOptions</c> section is read twice (see below).</param>
        public static void AddAuthenticationServices <TIdentityDbContext, TUserIdentity, TUserIdentityRole>(this IServiceCollection services, IConfiguration configuration) where TIdentityDbContext : DbContext
            where TUserIdentity : class
            where TUserIdentityRole : class
        {
            // All configuration objects are resolved up front, before anything is registered.
            var loginSettings        = GetLoginConfiguration(configuration);
            var registrationSettings = GetRegistrationConfiguration(configuration);
            // NOTE(review): Get<T>() yields null when the section is absent and AddSingleton rejects a null
            // instance, so a missing IdentityOptions section fails at startup — confirm that is the intent.
            var identityOptions      = configuration.GetSection(nameof(IdentityOptions)).Get<IdentityOptions>();

            // Singleton instances of the configuration objects, injectable anywhere.
            services.AddSingleton(registrationSettings);
            services.AddSingleton(loginSettings);
            // NOTE(review): this instance is separate from the IOptions<IdentityOptions> that AddIdentity binds below;
            // both are fed from the same section.
            services.AddSingleton(identityOptions);

            // Per-request helpers around the Identity user.
            services.AddScoped<ApplicationSignInManager<TUserIdentity>>();
            services.AddScoped<UserResolver<TUserIdentity>>();

            var identityBuilder = services.AddIdentity<TUserIdentity, TUserIdentityRole>(identity => configuration.GetSection(nameof(IdentityOptions)).Bind(identity));
            identityBuilder.AddEntityFrameworkStores<TIdentityDbContext>();
            identityBuilder.AddDefaultTokenProviders();

            services.Configure<CookiePolicyOptions>(ConfigureSameSiteCookiePolicy);

            services.Configure<IISOptions>(iisOptions =>
            {
                // Windows authentication is offered as a named scheme but not applied automatically.
                iisOptions.AutomaticAuthentication   = false;
                iisOptions.AuthenticationDisplayName = "Windows";
            });

            AddExternalProviders(services.AddAuthentication(), configuration);

            // SameSite browser-compatibility policy: the SameSite attribute is left unspecified at the
            // policy level and decided per cookie by AuthenticationHelpers.CheckSameSite. Cookies are
            // marked Secure only when the current request itself is HTTPS (SameAsRequest).
            void ConfigureSameSiteCookiePolicy(CookiePolicyOptions policy)
            {
                policy.MinimumSameSitePolicy = SameSiteMode.Unspecified;
                policy.Secure                = CookieSecurePolicy.SameAsRequest;
                policy.OnAppendCookie        = ctx => AuthenticationHelpers.CheckSameSite(ctx.Context, ctx.CookieOptions);
                policy.OnDeleteCookie        = ctx => AuthenticationHelpers.CheckSameSite(ctx.Context, ctx.CookieOptions);
            }
        }
        /// <summary>
        /// Registers authentication for the admin UI: ASP.NET Core Identity backed by <typeparamref name="TContext"/>,
        /// a cookie scheme that is the default for authenticate/sign-in/sign-out/forbid, and an OpenID Connect
        /// scheme (used for challenges) that points at the IdentityServer instance described by the
        /// <c>AdminConfiguration</c> section.
        /// </summary>
        /// <typeparam name="TContext">EF Core context that stores the Identity tables.</typeparam>
        /// <typeparam name="TUserIdentity">User entity type used by Identity.</typeparam>
        /// <typeparam name="TUserIdentityRole">Role entity type used by Identity.</typeparam>
        /// <param name="services">Service collection to register into.</param>
        /// <param name="configuration">Application configuration; the <c>AdminConfiguration</c> and <c>IdentityOptions</c> sections are read.</param>
        public static void AddAuthenticationServices <TContext, TUserIdentity, TUserIdentityRole>(this IServiceCollection services, IConfiguration configuration)
            where TContext : DbContext where TUserIdentity : class where TUserIdentityRole : class
        {
            // NOTE(review): Get<T>() returns null when the section is missing; the option callbacks below
            // dereference it, so a missing AdminConfiguration section fails when the schemes are configured.
            var adminConfiguration = configuration.GetSection(nameof(AdminConfiguration)).Get<AdminConfiguration>();

            services.Configure<CookiePolicyOptions>(ConfigureSameSiteCookiePolicy);

            var identityBuilder = services.AddIdentity<TUserIdentity, TUserIdentityRole>(identity => configuration.GetSection(nameof(IdentityOptions)).Bind(identity));
            identityBuilder.AddEntityFrameworkStores<TContext>();
            identityBuilder.AddDefaultTokenProviders();

            // Called after AddIdentity so that these scheme defaults are the ones that apply
            // (NOTE(review): AddIdentity registers its own defaults — verify against the Identity version in use).
            var authenticationBuilder = services.AddAuthentication(schemes =>
            {
                var cookieScheme = CookieAuthenticationDefaults.AuthenticationScheme;

                schemes.DefaultScheme             = cookieScheme;
                schemes.DefaultAuthenticateScheme = cookieScheme;
                schemes.DefaultForbidScheme       = cookieScheme;
                schemes.DefaultSignInScheme       = cookieScheme;
                schemes.DefaultSignOutScheme      = cookieScheme;

                // Only challenges go to the identity provider; everything else is served by the cookie.
                schemes.DefaultChallengeScheme = AuthenticationConsts.OidcAuthenticationScheme;
            });

            authenticationBuilder.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, cookie =>
            {
                cookie.Cookie.Name = adminConfiguration.IdentityAdminCookieName;
            });

            authenticationBuilder.AddOpenIdConnect(AuthenticationConsts.OidcAuthenticationScheme, oidc => ConfigureOpenIdConnect(oidc, adminConfiguration));

            // SameSite browser-compatibility policy: the attribute is decided per cookie by
            // AuthenticationHelpers.CheckSameSite; Secure is set only when the request itself is HTTPS.
            void ConfigureSameSiteCookiePolicy(CookiePolicyOptions policy)
            {
                policy.MinimumSameSitePolicy = SameSiteMode.Unspecified;
                policy.Secure                = CookieSecurePolicy.SameAsRequest;
                policy.OnAppendCookie        = ctx => AuthenticationHelpers.CheckSameSite(ctx.Context, ctx.CookieOptions);
                policy.OnDeleteCookie        = ctx => AuthenticationHelpers.CheckSameSite(ctx.Context, ctx.CookieOptions);
            }

            // Wires the OIDC handler entirely from AdminConfiguration.
            void ConfigureOpenIdConnect(OpenIdConnectOptions oidc, AdminConfiguration admin)
            {
                oidc.Authority = admin.IdentityServerBaseUrl;
                // When RequireHttpsMetadata is false the discovery document may be fetched over plain HTTP.
                oidc.RequireHttpsMetadata = admin.RequireHttpsMetadata;
                oidc.ClientId             = admin.ClientId;
                // The client secret is read from configuration; keep it in a secret store, not in a committed settings file.
                oidc.ClientSecret         = admin.ClientSecret;
                oidc.ResponseType         = admin.OidcResponseType;

                // Replace the handler's default scope list with the configured one.
                oidc.Scope.Clear();
                foreach (var requestedScope in admin.Scopes)
                {
                    oidc.Scope.Add(requestedScope);
                }

                // NOTE(review): claim type, JSON key and value type are all the configured role claim name —
                // confirm the third argument (value type) is intended.
                oidc.ClaimActions.MapJsonKey(admin.TokenValidationClaimRole, admin.TokenValidationClaimRole, admin.TokenValidationClaimRole);

                // Tokens are kept in the authentication properties (and therefore the cookie) for later use.
                oidc.SaveTokens = true;
                oidc.GetClaimsFromUserInfoEndpoint = true;

                oidc.TokenValidationParameters = new TokenValidationParameters
                {
                    NameClaimType = admin.TokenValidationClaimName,
                    RoleClaimType = admin.TokenValidationClaimRole
                };

                oidc.Events = new OpenIdConnectEvents
                {
                    OnMessageReceived            = context => OnMessageReceived(context, admin),
                    OnRedirectToIdentityProvider = context => OnRedirectToIdentityProvider(context, admin)
                };
            }
        }
        /// <summary>
        /// Registers authentication for the admin UI: ASP.NET Core Identity backed by <typeparamref name="TContext"/>,
        /// a cookie scheme that is the default for authenticate/sign-in/sign-out/forbid, and an OpenID Connect
        /// scheme (used for challenges) that points at the IdentityServer instance described by the
        /// <c>AdminConfiguration</c> section. Optionally disables TLS certificate validation for the OIDC
        /// backchannel when <c>IdentityServerAllowInvalidSsl</c> is set.
        /// </summary>
        /// <typeparam name="TContext">EF Core context that stores the Identity tables.</typeparam>
        /// <typeparam name="TUserIdentity">User entity type used by Identity.</typeparam>
        /// <typeparam name="TUserIdentityRole">Role entity type used by Identity.</typeparam>
        /// <param name="services">Service collection to register into.</param>
        /// <param name="configuration">Application configuration; the <c>AdminConfiguration</c> and <c>IdentityOptions</c> sections are read.</param>
        public static void AddAuthenticationServices <TContext, TUserIdentity, TUserIdentityRole>(this IServiceCollection services, IConfiguration configuration)
            where TContext : DbContext where TUserIdentity : class where TUserIdentityRole : class
        {
            // NOTE(review): Get<T>() returns null when the section is missing; the option callbacks below
            // dereference it, so a missing AdminConfiguration section fails when the schemes are configured.
            var adminConfiguration = configuration.GetSection(nameof(AdminConfiguration)).Get<AdminConfiguration>();

            services.Configure<CookiePolicyOptions>(ConfigureSameSiteCookiePolicy);

            var identityBuilder = services.AddIdentity<TUserIdentity, TUserIdentityRole>(identity => configuration.GetSection(nameof(IdentityOptions)).Bind(identity));
            identityBuilder.AddEntityFrameworkStores<TContext>();
            identityBuilder.AddDefaultTokenProviders();

            // Called after AddIdentity so that these scheme defaults are the ones that apply
            // (NOTE(review): AddIdentity registers its own defaults — verify against the Identity version in use).
            var authenticationBuilder = services.AddAuthentication(schemes =>
            {
                var cookieScheme = CookieAuthenticationDefaults.AuthenticationScheme;

                schemes.DefaultScheme             = cookieScheme;
                schemes.DefaultAuthenticateScheme = cookieScheme;
                schemes.DefaultForbidScheme       = cookieScheme;
                schemes.DefaultSignInScheme       = cookieScheme;
                schemes.DefaultSignOutScheme      = cookieScheme;

                // Only challenges go to the identity provider; everything else is served by the cookie.
                schemes.DefaultChallengeScheme = AuthenticationConsts.OidcAuthenticationScheme;
            });

            authenticationBuilder.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, cookie =>
            {
                cookie.Cookie.Name = adminConfiguration.IdentityAdminCookieName;
            });

            authenticationBuilder.AddOpenIdConnect(AuthenticationConsts.OidcAuthenticationScheme, oidc => ConfigureOpenIdConnect(oidc, adminConfiguration));

            // SameSite browser-compatibility policy: the attribute is decided per cookie by
            // AuthenticationHelpers.CheckSameSite; Secure is set only when the request itself is HTTPS.
            void ConfigureSameSiteCookiePolicy(CookiePolicyOptions policy)
            {
                policy.MinimumSameSitePolicy = SameSiteMode.Unspecified;
                policy.Secure                = CookieSecurePolicy.SameAsRequest;
                policy.OnAppendCookie        = ctx => AuthenticationHelpers.CheckSameSite(ctx.Context, ctx.CookieOptions);
                policy.OnDeleteCookie        = ctx => AuthenticationHelpers.CheckSameSite(ctx.Context, ctx.CookieOptions);
            }

            // Wires the OIDC handler entirely from AdminConfiguration.
            void ConfigureOpenIdConnect(OpenIdConnectOptions oidc, AdminConfiguration admin)
            {
                oidc.Authority = admin.IdentityServerBaseUrl;

                // IdentityServerAllowInvalidSsl switches off TLS server-certificate validation for the
                // handler's backchannel HTTP calls (discovery/token/userinfo): every certificate is accepted,
                // so the identity server's identity is no longer verified on that path. Intended for local
                // or test setups with self-signed certificates only; leave it off in any reachable deployment.
                if (admin.IdentityServerAllowInvalidSsl)
                {
                    oidc.BackchannelHttpHandler = new HttpClientHandler
                    {
                        ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator
                    };
                }

                // When RequireHttpsMetadata is false the discovery document may be fetched over plain HTTP.
                oidc.RequireHttpsMetadata = admin.RequireHttpsMetadata;
                oidc.ClientId             = admin.ClientId;
                // The client secret is read from configuration; keep it in a secret store, not in a committed settings file.
                oidc.ClientSecret         = admin.ClientSecret;
                oidc.ResponseType         = admin.OidcResponseType;

                // Replace the handler's default scope list with the configured one.
                oidc.Scope.Clear();
                foreach (var requestedScope in admin.Scopes)
                {
                    oidc.Scope.Add(requestedScope);
                }

                // NOTE(review): claim type, JSON key and value type are all the configured role claim name —
                // confirm the third argument (value type) is intended.
                oidc.ClaimActions.MapJsonKey(admin.TokenValidationClaimRole, admin.TokenValidationClaimRole, admin.TokenValidationClaimRole);

                // Tokens are kept in the authentication properties (and therefore the cookie) for later use.
                oidc.SaveTokens = true;
                oidc.GetClaimsFromUserInfoEndpoint = true;

                oidc.TokenValidationParameters = new TokenValidationParameters
                {
                    NameClaimType = admin.TokenValidationClaimName,
                    RoleClaimType = admin.TokenValidationClaimRole
                };

                oidc.Events = new OpenIdConnectEvents
                {
                    OnMessageReceived            = context => OnMessageReceived(context, admin),
                    OnRedirectToIdentityProvider = context => OnRedirectToIdentityProvider(context, admin),
                    // EZY-modification (EZYC-3029): custom sign-out redirect so logout works when deployed
                    // inside docker-compose, where the externally visible ports differ.
                    OnRedirectToIdentityProviderForSignOut = context => OnRedirectToIdentityProviderForSignOut(context, admin),
                };
            }
        }