/// <summary>
/// Before redirecting for authentication to the provider, append the properties for Multi-Factor Authentication
/// and configuration settings.
/// </summary>
/// <param name="notification">The properties used for authentication</param>
/// <returns>awaitable Task</returns>
private Task RedirectToIdentityProvider(RedirectToIdentityProviderNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
{
var authenticationProperties = GetAuthenticationPropertiesFromProtocolMessage(notification.ProtocolMessage, notification.Options);
// AcrValues token control the multi-factor authentication, when supplied with any(which could be default or mfa), the user set policy for 2FA
// is enforced. When explicitly set to mfa, the authentication is enforced with multi-factor auth. The LoginHint token, is useful for redirecting
// an already logged in user directly to the multi-factor auth flow.
if (AuthenticationPolicy.TryGetPolicyFromProperties(authenticationProperties.Dictionary, out AuthenticationPolicy policy))
{
notification.ProtocolMessage.AcrValues = policy.EnforceMultiFactorAuthentication ? ACR_VALUES.MFA : ACR_VALUES.ANY;
notification.ProtocolMessage.LoginHint = policy.Email;
}
else
{
notification.ProtocolMessage.AcrValues = ACR_VALUES.ANY;
}
// Set the redirect_uri token for the alternate domains of same gallery instance
if (_alternateSiteRootList != null && _alternateSiteRootList.Contains(notification.Request.Uri.Host))
{
notification.ProtocolMessage.RedirectUri = "https://" + notification.Request.Uri.Host + "/" + _callbackPath;
}
// We always want to show the options to select account when signing in and while changing account.
notification.ProtocolMessage.Prompt = SELECT_ACCOUNT;
return(Task.FromResult(0));
}
internal static string GetPolicyValue(
AuthenticationPolicy xrmPolicy,
string elementName,
string defaultValue)
{
string str;
return xrmPolicy != null && xrmPolicy.PolicyElements.TryGetValue(elementName, out str) ? str : defaultValue;
}
private static object[] PrepareHandlerMethodParameters(MethodInfo method, IServiceProvider services, HttpContext httpContext, AuthenticationPolicy policy, Type[] customAuthenticators)
{
ParameterInfo[] parameters = method.GetParameters();
if (parameters.Length <= 0)
{
return(null);
}
object[] result = new object[parameters.Length];
object value;
int i = 0;
foreach (ParameterInfo parameter in parameters)
{
if (parameter.ParameterType.Equals(typeof(HttpContext)))
{
result[i] = httpContext;
}
else if (parameter.ParameterType.Equals(typeof(AuthenticationPolicy)))
{
result[i] = policy;
}
else if ((parameter.ParameterType.Equals(typeof(Type[])) || parameter.ParameterType.Equals(typeof(IEnumerable <Type>))))
{
result[i] = customAuthenticators;
}
else if ((parameter.ParameterType.Equals(typeof(List <Type>)) || parameter.ParameterType.Equals(typeof(IList <Type>)) || parameter.ParameterType.Equals(typeof(IReadOnlyList <Type>))))
{
result[i] = customAuthenticators.ToList();
}
else
{
value = services.GetService(parameter.ParameterType);
if (value == null)
{
if (parameter.HasDefaultValue)
{
value = parameter.DefaultValue;
}
else
{
value = parameter.ParameterType.IsValueType ? Activator.CreateInstance(parameter.ParameterType) : null;
}
}
result[i] = value;
}
i++;
}
return(result);
}
/// <summary>
/// Before redirecting for authentication to the provider, append the properties for Multi-Factor Authentication.
/// </summary>
/// <param name="notification">The properties used for authentication</param>
/// <returns>awaitable Task</returns>
private Task RedirectToIdentityProvider(RedirectToIdentityProviderNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
{
var authenticationProperties = GetAuthenticationPropertiesFromProtocolMessage(notification.ProtocolMessage, notification.Options);
// AcrValues token control the multi-factor authentication, when supplied with any(which could be default or mfa), the user set policy for 2FA
// is enforced. When explicitly set to mfa, the authentication is enforced with multi-factor auth. The LoginHint token, is useful for redirecting
// an already logged in user directly to the multi-factor auth flow.
if (AuthenticationPolicy.TryGetPolicyFromProperties(authenticationProperties.Dictionary, out AuthenticationPolicy policy))
{
notification.ProtocolMessage.AcrValues = policy.EnforceMultiFactorAuthentication ? ACR_VALUES.MFA : ACR_VALUES.ANY;
notification.ProtocolMessage.LoginHint = policy.Email;
}
else
{
notification.ProtocolMessage.AcrValues = ACR_VALUES.ANY;
}
return(Task.FromResult(0));
}
internal WindowsPolicyConfiguration(AuthenticationPolicy xrmPolicy)
: base(xrmPolicy)
{
}
public ActionResult ChallengeAuthentication(string returnUrl, string provider, AuthenticationPolicy policy = null)
{
try
{
return(_authService.Challenge(provider, returnUrl, policy));
}
catch (InvalidOperationException)
{
// This exception will be thrown when the unsupported provider is invoked, return 404.
return(new HttpStatusCodeResult(HttpStatusCode.NotFound));
}
}
public override ActionResult Challenge(string redirectUrl, AuthenticationPolicy policy = null)
{
return(new ChallengeResult(BaseConfig.AuthenticationType, redirectUrl, policy?.GetProperties()));
}
internal static IActionResult ExecuteHandler(Type handler, object[] constructParameters, HttpContext httpContext, AuthenticationPolicy policy, Type[] customAuthenticators)
{
IServiceProvider services = httpContext.RequestServices;
IHandlerInvokeMethodCache cache = services.GetRequiredService <IHandlerInvokeMethodCache>();
InvokeMethodInfo methodInfo = cache.Get(handler);
if (methodInfo != null)
{
return(ExecuteMethod(methodInfo));
}
return(null);
IActionResult ExecuteMethod(InvokeMethodInfo info)
{
try
{
MethodInfo method = info.Method;
object handler_instance = ActivatorUtilities.CreateInstance(services, handler, constructParameters);
object invoke_result = method.Invoke(handler_instance, PrepareHandlerMethodParameters(method, services, httpContext, policy, customAuthenticators));
switch (info.ReturnType)
{
case InvokeMethodReturnType.Void:
return(null);
case InvokeMethodReturnType.Task:
{
Task result = (Task)invoke_result;
if (result == null)
{
return(null);
}
if (result.Status == TaskStatus.WaitingToRun || result.Status == TaskStatus.Created)
{
result.Start();
}
result.Wait();
return(null);
}
case InvokeMethodReturnType.TaskWithIActionResult:
{
object awaiter = info.GetAwaiter.Invoke(invoke_result, null);
IActionResult result = (IActionResult)info.GetResult.Invoke(awaiter, null);
if (result == null)
{
return(null);
}
return(result);
}
case InvokeMethodReturnType.IActionResult:
default:
{
IActionResult result = (IActionResult)invoke_result;
if (result == null)
{
return(null);
}
return(result);
}
}
}
catch (Exception ex)
{
Debug.WriteLine(ex);
return(null);
}
}
}
public virtual ActionResult Challenge(string providerName, string redirectUrl, AuthenticationPolicy policy = null)
{
Authenticator provider;
if (!Authenticators.TryGetValue(providerName, out provider))
{
throw new InvalidOperationException(string.Format(
CultureInfo.CurrentCulture,
ServicesStrings.UnknownAuthenticationProvider,
providerName));
}
if (!provider.BaseConfig.Enabled)
{
throw new InvalidOperationException(string.Format(
CultureInfo.CurrentCulture,
ServicesStrings.AuthenticationProviderDisabled,
providerName));
}
return(provider.Challenge(redirectUrl, policy));
}
public AuthenticationRequiredAttribute(AuthenticationPolicy policy = AuthenticationPolicy.All, AuthenticationFailedAction failedAction = AuthenticationFailedAction.KeepUnauthenticated)
{
Policy = policy;
FailedAction = failedAction;
}
internal IActionResult Execute(HttpContext httpContext, AuthenticationPolicy policy, Type[] customAuthenticators)
{
return(AuthenticationHelper.ExecuteHandler(Handler, ConstructParameters, httpContext, policy, customAuthenticators));
}
internal PolicyConfiguration(AuthenticationPolicy xrmPolicy)
{
this.XrmPolicy = xrmPolicy;
this.Initialize();
}
