public UmbracoBackOfficeCookieAuthOptions( string[] explicitPaths, ISecuritySection securitySection, int loginTimeoutMinutes, bool forceSsl, bool useLegacyFormsAuthDataFormat = true) { LoginTimeoutMinutes = loginTimeoutMinutes; AuthenticationType = Constants.Security.BackOfficeAuthenticationType; if (useLegacyFormsAuthDataFormat) { //If this is not explicitly set it will fall back to the default automatically TicketDataFormat = new FormsAuthenticationSecureDataFormat(LoginTimeoutMinutes); } SlidingExpiration = true; ExpireTimeSpan = TimeSpan.FromMinutes(LoginTimeoutMinutes); CookieDomain = securitySection.AuthCookieDomain; CookieName = securitySection.AuthCookieName; CookieHttpOnly = true; CookieSecure = forceSsl ? CookieSecureOption.Always : CookieSecureOption.SameAsRequest; CookiePath = "/"; //Custom cookie manager so we can filter requests CookieManager = new BackOfficeCookieManager(new SingletonUmbracoContextAccessor(), explicitPaths); }
public FrontEndCookieAuthenticationOptions( FrontEndCookieManager frontEndCookieManager, ISecuritySection securitySection, IGlobalSettings globalSettings) { CookieManager = frontEndCookieManager; AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie; SlidingExpiration = true; ExpireTimeSpan = TimeSpan.FromMinutes(globalSettings.TimeOutInMinutes); CookieDomain = securitySection.AuthCookieDomain; CookieName = securitySection.AuthCookieName + "_MEMBERS"; CookieHttpOnly = true; CookieSecure = globalSettings.UseHttps ? CookieSecureOption.Always : CookieSecureOption.SameAsRequest; CookiePath = "/"; //NOTE: These are the defaults in the base class //ReturnUrlParameter = "ReturnUrl"; //CookiePath = "/"; //ExpireTimeSpan = TimeSpan.FromDays(14.0); //SlidingExpiration = true; //CookieHttpOnly = true; //CookieSecure = CookieSecureOption.SameAsRequest; //SystemClock = new SystemClock(); //Provider = new CookieAuthenticationProvider(); }
public UmbracoBackOfficeCookieAuthOptions( string[] explicitPaths, IUmbracoContextAccessor umbracoContextAccessor, ISecuritySection securitySection, IGlobalSettings globalSettings, IRuntimeState runtimeState, ISecureDataFormat <AuthenticationTicket> secureDataFormat) { var secureDataFormat1 = secureDataFormat ?? throw new ArgumentNullException(nameof(secureDataFormat)); LoginTimeoutMinutes = globalSettings.TimeOutInMinutes; AuthenticationType = Constants.Security.BackOfficeAuthenticationType; SlidingExpiration = true; ExpireTimeSpan = TimeSpan.FromMinutes(LoginTimeoutMinutes); CookieDomain = securitySection.AuthCookieDomain; CookieName = securitySection.AuthCookieName; CookieHttpOnly = true; CookieSecure = globalSettings.UseHttps ? CookieSecureOption.Always : CookieSecureOption.SameAsRequest; CookiePath = "/"; TicketDataFormat = new UmbracoSecureDataFormat(LoginTimeoutMinutes, secureDataFormat1); //Custom cookie manager so we can filter requests CookieManager = new BackOfficeCookieManager(umbracoContextAccessor, runtimeState, globalSettings, explicitPaths); }
public UmbracoBackOfficeCookieAuthOptions( ISecuritySection securitySection, int loginTimeoutMinutes, bool forceSsl, bool useLegacyFormsAuthDataFormat = true) : this(null, securitySection, loginTimeoutMinutes, forceSsl, useLegacyFormsAuthDataFormat) { }
public GetUserSecondsMiddleWare( OwinMiddleware next, UmbracoBackOfficeCookieAuthOptions authOptions, IGlobalSettings globalSettings, ISecuritySection security, ILogger logger) : base(next) { _authOptions = authOptions ?? throw new ArgumentNullException(nameof(authOptions)); _globalSettings = globalSettings; _security = security; _logger = logger ?? throw new ArgumentNullException(nameof(logger)); }
public FrontEndCookieAuthenticationOptions( FrontEndCookieManager frontEndCookieManager, ISecuritySection securitySection, IGlobalSettings globalSettings) { CookieManager = frontEndCookieManager; AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie; SlidingExpiration = true; ExpireTimeSpan = TimeSpan.FromMinutes(globalSettings.TimeOutInMinutes); CookieDomain = securitySection.AuthCookieDomain; CookieName = securitySection.AuthCookieName + "_MEMBERS"; CookieHttpOnly = true; CookieSecure = globalSettings.UseHttps ? CookieSecureOption.Always : CookieSecureOption.SameAsRequest; CookiePath = "/"; }
public ActiveDirectoryComponent(ILogger logger, IUmbracoContextAccessor umbracoContextAccessor, IRuntimeState runtimeState, IUserService userService, IGlobalSettings globalSettings, ISecuritySection securitySection, IMemberService memberService) { _logger = logger; _umbracoContextAccessor = umbracoContextAccessor; _runtimeState = runtimeState; _userService = userService; _globalSettings = globalSettings; _securitySection = securitySection; _memberService = memberService; _openIdAuthorizeUrl = ConfigurationManager.AppSettings["OpenId.AuthorizeUrl"]; _tenantId = ConfigurationManager.AppSettings["AzureAd.TenantId"]; _clientId = ConfigurationManager.AppSettings["AzureAd.ClientId"]; _redirectUrl = ConfigurationManager.AppSettings["AzureAd.RedirectUrl"]; }
public GetUserSecondsMiddleWare( OwinMiddleware next, UmbracoBackOfficeCookieAuthOptions authOptions, ISecuritySection security, ILogger logger) : base(next) { if (authOptions == null) { throw new ArgumentNullException("authOptions"); } if (logger == null) { throw new ArgumentNullException("logger"); } _authOptions = authOptions; _security = security; _logger = logger; }
public TwoFactorEventHandler( IUmbracoContextAccessor umbracoContextAccessor, IRuntimeState runtimeState, IUserService userService, IGlobalSettings globalSettings, ISecuritySection securitySection, IEntityService entityService, IExternalLoginService externalLoginService, IMemberTypeService memberTypeService, UmbracoMapper umbracoMapper) { this.umbracoContextAccessor = umbracoContextAccessor; this.runtimeState = runtimeState; this.userService = userService; this.globalSettings = globalSettings; this.securitySection = securitySection; this.entityService = entityService; this.externalLoginService = externalLoginService; this.memberTypeService = memberTypeService; this.umbracoMapper = umbracoMapper; }
/// <summary> /// Create the default umb cookie auth options /// </summary> /// <param name="app"></param> /// <param name="umbracoContextAccessor"></param> /// <param name="globalSettings"></param> /// <param name="runtimeState"></param> /// <param name="securitySettings"></param> /// <param name="explicitPaths"></param> /// <returns></returns> public static UmbracoBackOfficeCookieAuthOptions CreateUmbracoCookieAuthOptions(this IAppBuilder app, IUmbracoContextAccessor umbracoContextAccessor, IGlobalSettings globalSettings, IRuntimeState runtimeState, ISecuritySection securitySettings, string[] explicitPaths = null) { //this is how aspnet wires up the default AuthenticationTicket protector so we'll use the same code var ticketDataFormat = new TicketDataFormat( app.CreateDataProtector(typeof(CookieAuthenticationMiddleware).FullName, Constants.Security.BackOfficeAuthenticationType, "v1")); var authOptions = new UmbracoBackOfficeCookieAuthOptions( explicitPaths, umbracoContextAccessor, securitySettings, globalSettings, runtimeState, ticketDataFormat); return(authOptions); }
/// <summary> /// In order for preview to work this needs to be called /// </summary> /// <param name="app"></param> /// <param name="umbracoContextAccessor"></param> /// <param name="runtimeState"></param> /// <param name="globalSettings"></param> /// <param name="securitySettings"></param> /// <param name="stage"></param> /// <returns></returns> /// <remarks> /// This ensures that during a preview request that the back office use is also Authenticated and that the back office Identity /// is added as a secondary identity to the current IPrincipal so it can be used to Authorize the previewed document. /// </remarks> public static IAppBuilder UseUmbracoPreviewAuthentication(this IAppBuilder app, IUmbracoContextAccessor umbracoContextAccessor, IRuntimeState runtimeState, IGlobalSettings globalSettings, ISecuritySection securitySettings, PipelineStage stage) { if (runtimeState.Level != RuntimeLevel.Run) { return(app); } var authOptions = app.CreateUmbracoCookieAuthOptions(umbracoContextAccessor, globalSettings, runtimeState, securitySettings); app.Use(typeof(PreviewAuthenticationMiddleware), authOptions, Current.Configs.Global()); // This middleware must execute at least on PostAuthentication, by default it is on Authorize // The middleware needs to execute after the RoleManagerModule executes which is during PostAuthenticate, // currently I've had 100% success with ensuring this fires after RoleManagerModule even if this is set // to PostAuthenticate though not sure if that's always a guarantee so by default it's Authorize. if (stage < PipelineStage.PostAuthenticate) { throw new InvalidOperationException("The stage specified for UseUmbracoPreviewAuthentication must be greater than or equal to " + PipelineStage.PostAuthenticate); } app.UseStageMarker(stage); return(app); }
/// <summary> /// In order for preview to work this needs to be called /// </summary> /// <param name="app"></param> /// <param name="umbracoContextAccessor"></param> /// <param name="runtimeState"></param> /// <param name="globalSettings"></param> /// <param name="securitySettings"></param> /// <returns></returns> /// <remarks> /// This ensures that during a preview request that the back office use is also Authenticated and that the back office Identity /// is added as a secondary identity to the current IPrincipal so it can be used to Authorize the previewed document. /// </remarks> /// <remarks> /// By default this will be configured to execute on PipelineStage.PostAuthenticate /// </remarks> public static IAppBuilder UseUmbracoPreviewAuthentication(this IAppBuilder app, IUmbracoContextAccessor umbracoContextAccessor, IRuntimeState runtimeState, IGlobalSettings globalSettings, ISecuritySection securitySettings) { return(app.UseUmbracoPreviewAuthentication(umbracoContextAccessor, runtimeState, globalSettings, securitySettings, PipelineStage.PostAuthenticate)); }
/// <summary> /// Ensures that the UmbracoBackOfficeAuthenticationMiddleware is assigned to the pipeline /// </summary> /// <param name="app"></param> /// <param name="umbracoContextAccessor"></param> /// <param name="runtimeState"></param> /// <param name="globalSettings"></param> /// <param name="securitySection"></param> /// <param name="cookieOptions">Custom auth cookie options can be specified to have more control over the cookie authentication logic</param> /// <param name="stage"> /// Configurable pipeline stage /// </param> /// <returns></returns> public static IAppBuilder UseUmbracoBackOfficeCookieAuthentication(this IAppBuilder app, IUmbracoContextAccessor umbracoContextAccessor, IRuntimeState runtimeState, IGlobalSettings globalSettings, ISecuritySection securitySection, CookieAuthenticationOptions cookieOptions, PipelineStage stage) { if (app == null) { throw new ArgumentNullException(nameof(app)); } if (runtimeState == null) { throw new ArgumentNullException(nameof(runtimeState)); } if (cookieOptions == null) { throw new ArgumentNullException(nameof(cookieOptions)); } if (cookieOptions.Provider == null) { throw new ArgumentNullException("cookieOptions.Provider cannot be null.", nameof(cookieOptions)); } if (cookieOptions.Provider is BackOfficeCookieAuthenticationProvider == false) { throw new ArgumentException($"cookieOptions.Provider must be of type {typeof(BackOfficeCookieAuthenticationProvider)}.", nameof(cookieOptions)); } app.UseUmbracoBackOfficeCookieAuthenticationInternal(cookieOptions, runtimeState, stage); //don't apply if app is not ready if (runtimeState.Level != RuntimeLevel.Upgrade && runtimeState.Level != RuntimeLevel.Run) { return(app); } var cookieAuthOptions = app.CreateUmbracoCookieAuthOptions( umbracoContextAccessor, globalSettings, runtimeState, securitySection, //This defines the explicit path read cookies from for this middleware new[] { $"{globalSettings.Path}/backoffice/UmbracoApi/Authentication/GetRemainingTimeoutSeconds" }); cookieAuthOptions.Provider = cookieOptions.Provider; //This is a custom middleware, we need to return the user's remaining logged in seconds app.Use <GetUserSecondsMiddleWare>( cookieAuthOptions, Current.Configs.Global(), Current.Configs.Settings().Security, app.CreateLogger <GetUserSecondsMiddleWare>()); //This is required so that we can read the auth ticket format outside of this pipeline app.CreatePerOwinContext <UmbracoAuthTicketDataProtector>( (options, context) => new UmbracoAuthTicketDataProtector(cookieOptions.TicketDataFormat)); return(app); }
/// <summary> /// Ensures that the UmbracoBackOfficeAuthenticationMiddleware is assigned to the pipeline /// </summary> /// <param name="app"></param> /// <param name="umbracoContextAccessor"></param> /// <param name="runtimeState"></param> /// <param name="userService"></param> /// <param name="globalSettings"></param> /// <param name="securitySection"></param> /// <param name="stage"> /// Configurable pipeline stage /// </param> /// <returns></returns> public static IAppBuilder UseUmbracoBackOfficeCookieAuthentication(this IAppBuilder app, IUmbracoContextAccessor umbracoContextAccessor, IRuntimeState runtimeState, IUserService userService, IGlobalSettings globalSettings, ISecuritySection securitySection, PipelineStage stage) { //Create the default options and provider var authOptions = app.CreateUmbracoCookieAuthOptions(umbracoContextAccessor, globalSettings, runtimeState, securitySection); authOptions.Provider = new BackOfficeCookieAuthenticationProvider(userService, runtimeState, globalSettings) { // Enables the application to validate the security stamp when the user // logs in. This is a security feature which is used when you // change a password or add an external login to your account. OnValidateIdentity = SecurityStampValidator .OnValidateIdentity <BackOfficeUserManager, BackOfficeIdentityUser, int>( TimeSpan.FromMinutes(30), (manager, user) => manager.GenerateUserIdentityAsync(user), identity => identity.GetUserId <int>()), }; return(app.UseUmbracoBackOfficeCookieAuthentication(umbracoContextAccessor, runtimeState, globalSettings, securitySection, authOptions, stage)); }
/// <summary> /// Ensures that the UmbracoBackOfficeAuthenticationMiddleware is assigned to the pipeline /// </summary> /// <param name="app"></param> /// <param name="umbracoContextAccessor"></param> /// <param name="runtimeState"></param> /// <param name="userService"></param> /// <param name="globalSettings"></param> /// <param name="securitySection"></param> /// <returns></returns> /// <remarks> /// By default this will be configured to execute on PipelineStage.Authenticate /// </remarks> public static IAppBuilder UseUmbracoBackOfficeCookieAuthentication(this IAppBuilder app, IUmbracoContextAccessor umbracoContextAccessor, IRuntimeState runtimeState, IUserService userService, IGlobalSettings globalSettings, ISecuritySection securitySection) { return(app.UseUmbracoBackOfficeCookieAuthentication(umbracoContextAccessor, runtimeState, userService, globalSettings, securitySection, PipelineStage.Authenticate)); }
/// <summary> /// Ensures that the UmbracoBackOfficeAuthenticationMiddleware is assigned to the pipeline /// </summary> /// <param name="app"></param> /// <param name="umbracoContextAccessor"></param> /// <param name="runtimeState"></param> /// <param name="userService"></param> /// <param name="globalSettings"></param> /// <param name="securitySection"></param> /// <param name="stage"> /// Configurable pipeline stage /// </param> /// <returns></returns> public static IAppBuilder UseUmbracoBackOfficeCookieAuthentication(this IAppBuilder app, IUmbracoContextAccessor umbracoContextAccessor, IRuntimeState runtimeState, IUserService userService, IGlobalSettings globalSettings, ISecuritySection securitySection, PipelineStage stage) { //Create the default options and provider var authOptions = app.CreateUmbracoCookieAuthOptions(umbracoContextAccessor, globalSettings, runtimeState, securitySection); authOptions.Provider = new BackOfficeCookieAuthenticationProvider(userService, runtimeState, globalSettings) { // Enables the application to validate the security stamp when the user // logs in. This is a security feature which is used when you // change a password or add an external login to your account. OnValidateIdentity = context => { // capture the current ticket for the request var identity = context.Identity; return(SecurityStampValidator .OnValidateIdentity <BackOfficeUserManager, BackOfficeIdentityUser, int>( // This will re-verify the security stamp at a throttled 30 mins // (the standard/default set in aspnet identity). // This ensures that if the security stamp has changed - i.e. passwords, // external logins, or other security profile data changed behind the // scenes while being logged in, that they are logged out and have // to re-verify their identity. TimeSpan.FromMinutes(30), async(manager, user) => { var regenerated = await manager.GenerateUserIdentityAsync(user); // Keep any custom claims from the original identity regenerated.MergeClaimsFromBackOfficeIdentity(identity); return regenerated; }, identity => identity.GetUserId <int>())(context)); } }; return(app.UseUmbracoBackOfficeCookieAuthentication(umbracoContextAccessor, runtimeState, globalSettings, securitySection, authOptions, stage)); }