public void Configure(string name, OpenIdConnectOptions options) { options.ClientId = _azureOptions.ClientId; options.Authority = $"{_azureOptions.Instance}common/v2.0"; options.UseTokenLifetime = true; options.CallbackPath = _azureOptions.CallbackPath; options.RequireHttpsMetadata = false; options.ResponseType = OpenIdConnectResponseType.CodeIdToken; var allScopes = $"{_azureOptions.Scopes} {_azureOptions.GraphScopes}".Split(new[] { ' ' }); foreach (var scope in allScopes) { options.Scope.Add(scope); } options.TokenValidationParameters = new TokenValidationParameters { // Ensure that User.Identity.Name is set correctly after login NameClaimType = "name", // Instead of using the default validation (validating against a single issuer value, as we do in line of business apps), // we inject our own multitenant validation logic ValidateIssuer = false, // If the app is meant to be accessed by entire organizations, add your issuer validation logic here. //IssuerValidator = (issuer, securityToken, validationParameters) => { // if (myIssuerValidationLogic(issuer)) return issuer; //} }; options.Events = new OpenIdConnectEvents { OnTicketReceived = context => { // If your authentication logic is based on users then add your logic here return(Task.CompletedTask); }, OnAuthenticationFailed = context => { context.Response.Redirect("/Home/Error"); context.HandleResponse(); // Suppress the exception return(Task.CompletedTask); }, OnAuthorizationCodeReceived = async(context) => { string code = context.ProtocolMessage.Code; // Get access token using authorization code AuthenticationResult result = await _authProvider.GetUserAccessTokenByAuthorizationCode(code); context.HandleCodeRedemption(result.AccessToken, result.IdToken); }, // If your application needs to do authenticate single users, add your user validation below. //OnTokenValidated = context => //{ // return myUserValidationLogic(context.Ticket.Principal); //} }; }
public void Configure(string name, OpenIdConnectOptions options) { options.ClientId = _azureOptions.ClientId; options.Authority = $"{_azureOptions.Instance}common/v2.0"; options.UseTokenLifetime = true; options.CallbackPath = _azureOptions.CallbackPath; options.RequireHttpsMetadata = false; options.ResponseType = OpenIdConnectResponseType.CodeIdToken; var allScopes = $"{_azureOptions.Scopes} {_azureOptions.GraphScopes}".Split(new[] { ' ' }); foreach (var scope in allScopes) { options.Scope.Add(scope); } options.TokenValidationParameters = new TokenValidationParameters { // Ensure that User.Identity.Name is set correctly after login NameClaimType = "name", // Instead of using the default validation (validating against a single issuer value, as we do in line of business apps), // we inject our own multitenant validation logic ValidateIssuer = false, // If the app is meant to be accessed by entire organizations, add your issuer validation logic here. //IssuerValidator = (issuer, securityToken, validationParameters) => { // if (myIssuerValidationLogic(issuer)) return issuer; //} }; options.Events = new OpenIdConnectEvents { OnTicketReceived = context => { // If your authentication logic is based on users then add your logic here return(Task.CompletedTask); }, OnAuthenticationFailed = context => { context.Response.Redirect("/Home/Error"); context.HandleResponse(); // Suppress the exception return(Task.CompletedTask); }, OnAuthorizationCodeReceived = async(context) => { var code = context.ProtocolMessage.Code; var identifier = context.Principal.FindFirst(Startup.ObjectIdentifierType).Value; var result = await _authProvider.GetUserAccessTokenByAuthorizationCode(code); // Check whether the login is from the MSA tenant. // The sample uses this attribute to disable UI buttons for unsupported operations when the user is logged in with an MSA account. var currentTenantId = context.Principal.FindFirst(Startup.TenantIdType).Value; if (currentTenantId == "9188040d-6c67-4c5b-b112-36a304b66dad") { // MSA (Microsoft Account) is used to log in } context.HandleCodeRedemption(result.AccessToken, result.IdToken); }, // If your application needs to do authenticate single users, add your user validation below. //OnTokenValidated = context => //{ // return myUserValidationLogic(context.Ticket.Principal); //} }; }
public void Configure(string name, OpenIdConnectOptions options) { options.ClientId = _azureOptions.ClientId; options.ClientSecret = _azureOptions.ClientSecret; options.Authority = $"{_azureOptions.Instance}{_azureOptions.TenantId}/v2.0"; options.UseTokenLifetime = true; options.CallbackPath = _azureOptions.CallbackPath; options.RequireHttpsMetadata = false; options.ResponseType = OpenIdConnectResponseType.CodeIdToken; var allScopes = $"{_azureOptions.Scopes} {_azureOptions.GraphScopes}".Split(new[] { ' ' }); foreach (var scope in allScopes) { options.Scope.Add(scope); } options.TokenValidationParameters = new TokenValidationParameters { NameClaimType = "name", // Instead of using the default validation (validating against a single issuer value, as we do in line of business apps), // we inject our own multitenant validation logic ValidateIssuer = false, // If the app is meant to be accessed by entire organizations, add your issuer validation logic here. //IssuerValidator = (issuer, securityToken, validationParameters) => { // if (myIssuerValidationLogic(issuer)) return issuer; //} }; options.Events = new OpenIdConnectEvents { OnTicketReceived = context => { // If your authentication logic is based on users then add your logic here return(Task.CompletedTask); }, OnAuthenticationFailed = context => { string redirectUrl = $"/Home/Error?msg={System.Net.WebUtility.UrlEncode(context.Exception.Message)}"; if (context.Exception is Microsoft.Identity.Client.MsalServiceException) { var svcExp = context.Exception as Microsoft.Identity.Client.MsalServiceException; if (svcExp.ErrorCode == "invalid_grant") { redirectUrl = "/Account/PermissionsRequired"; } } if (context.Exception is Microsoft.Identity.Client.MsalUiRequiredException) { var svcExp = context.Exception as Microsoft.Identity.Client.MsalUiRequiredException; if (svcExp.ErrorCode == "invalid_grant") { redirectUrl = "/Account/PermissionsRequired"; } } context.Response.Redirect(redirectUrl); context.HandleResponse(); // Suppress the exception return(Task.CompletedTask); }, OnAuthorizationCodeReceived = async(context) => { var code = context.ProtocolMessage.Code; var identifier = context.Principal.FindFirst(Startup.ObjectIdentifierType).Value; //var memoryCache = context.HttpContext.RequestServices.GetRequiredService<IMemoryCache>(); //var graphScopes = _azureOptions.GraphScopes.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries); //var redirectUri = _azureOptions.BaseUrl + _azureOptions.CallbackPath; //var cca = new ConfidentialClientApplication( // _azureOptions.ClientId, // redirectUri, // new ClientCredential(_azureOptions.ClientSecret), // new InMemoryTokenCache(identifier, memoryCache).GetCacheInstance(), // null); var result = await _authProvider.GetUserAccessTokenByAuthorizationCode(code); // Check whether the login is from the MSA tenant. // The sample uses this attribute to disable UI buttons for unsupported operations when the user is logged in with an MSA account. var currentTenantId = context.Principal.FindFirst(Startup.TenantIdType).Value; if (currentTenantId == "9188040d-6c67-4c5b-b112-36a304b66dad") { // MSA (Microsoft Account) is used to log in } context.HandleCodeRedemption(result.AccessToken, result.IdToken); }, // If your application needs to do authenticate single users, add your user validation below. //OnTokenValidated = context => //{ // return myUserValidationLogic(context.Ticket.Principal); //} }; }