/// <summary>
/// Gets the sign in message.
/// </summary>
/// <param name="env">The OWIN environment.</param>
/// <param name="id">The signin identifier.</param>
/// <returns></returns>
/// <exception cref="System.ArgumentNullException">
/// env
/// or
/// id
/// </exception>
public static SignInMessage GetSignInMessage(this IDictionary <string, object> env, string id)
{
if (env == null)
{
throw new ArgumentNullException("env");
}
if (string.IsNullOrEmpty(id))
{
throw new ArgumentNullException("id");
}
var options = env.ResolveDependency <IdentityServerOptions>();
var cookie = new MessageCookie <SignInMessage>(env, options);
return(cookie.Read(id));
}
public async Task <IHttpActionResult> LoginExternal(string signin, string provider)
{
Logger.InfoFormat("External login requested for provider: {0}", provider);
if (provider.IsMissing())
{
Logger.Error("No provider passed");
return(RenderErrorPage());
}
if (signin.IsMissing())
{
Logger.Error("No signin id passed");
return(RenderErrorPage());
}
var cookie = new MessageCookie <SignInMessage>(Request.GetOwinContext(), this._options);
var signInMessage = cookie.Read(signin);
if (signInMessage == null)
{
Logger.Error("No cookie matching signin id found");
return(RenderErrorPage());
}
var providerFilter = await GetProviderFilterForClientAsync(signInMessage);
if (providerFilter != null && providerFilter.Any() && !providerFilter.Contains(provider))
{
Logger.ErrorFormat("Provider {0} not allowed for client: {1}", provider, signInMessage.ClientId);
return(RenderErrorPage());
}
var authProp = new Microsoft.Owin.Security.AuthenticationProperties
{
RedirectUri = Url.Route(Constants.RouteNames.LoginExternalCallback, null)
};
// add the id to the dictionary so we can recall the cookie id on the callback
authProp.Dictionary.Add(Constants.Authentication.SigninId, signin);
authProp.Dictionary.Add(Constants.Authentication.KatanaAuthenticationType, provider);
Request.GetOwinContext().Authentication.Challenge(authProp, provider);
return(Unauthorized());
}
public async Task <IHttpActionResult> Login(string signin)
{
Logger.Info("Login page requested");
if (signin.IsMissing())
{
Logger.Error("No signin id passed");
return(RenderErrorPage());
}
var cookie = new MessageCookie <SignInMessage>(Request.GetOwinContext(), this._options);
var signInMessage = cookie.Read(signin);
if (signInMessage == null)
{
Logger.Error("No cookie matching signin id found");
return(RenderErrorPage());
}
Logger.DebugFormat("signin message passed to login: {0}", JsonConvert.SerializeObject(signInMessage, Formatting.Indented));
var authResult = await _userService.PreAuthenticateAsync(Request.GetOwinEnvironment(), signInMessage);
if (authResult != null)
{
if (authResult.IsError)
{
Logger.WarnFormat("user service returned an error message: {0}", authResult.ErrorMessage);
return(RenderErrorPage(authResult.ErrorMessage));
}
Logger.Info("user service returned a login result");
return(SignInAndRedirect(signInMessage, signin, authResult));
}
if (signInMessage.IdP.IsPresent())
{
Logger.InfoFormat("identity provider requested, redirecting to: {0}", signInMessage.IdP);
return(Redirect(Url.Link(Constants.RouteNames.LoginExternal, new { provider = signInMessage.IdP, signin })));
}
return(await RenderLoginPage(signInMessage, signin));
}
public async Task<IHttpActionResult> Login(string signin)
{
Logger.Info("Login page requested");
if (signin.IsMissing())
{
Logger.Error("No signin id passed");
return RenderErrorPage();
}
var cookie = new MessageCookie<SignInMessage>(Request.GetOwinContext(), this._options);
var signInMessage = cookie.Read(signin);
if (signInMessage == null)
{
Logger.Error("No cookie matching signin id found");
return RenderErrorPage();
}
Logger.DebugFormat("signin message passed to login: {0}", JsonConvert.SerializeObject(signInMessage, Formatting.Indented));
var authResult = await _userService.PreAuthenticateAsync(signInMessage);
if (authResult != null)
{
if (authResult.IsError)
{
Logger.WarnFormat("user service returned an error message: {0}", authResult.ErrorMessage);
return RenderErrorPage(authResult.ErrorMessage);
}
Logger.Info("user service returned a login result");
return SignInAndRedirect(signInMessage, signin, authResult);
}
if (signInMessage.IdP.IsPresent())
{
Logger.InfoFormat("identity provider requested, redirecting to: {0}", signInMessage.IdP);
return Redirect(Url.Link(Constants.RouteNames.LoginExternal, new { provider = signInMessage.IdP, signin }));
}
return await RenderLoginPage(signInMessage, signin);
}
public IHttpActionResult LoginExternal(string signin, string provider)
{
Logger.InfoFormat("External login requested for provider: {0}", provider);
if (provider.IsMissing())
{
Logger.Error("No provider passed");
return(RenderErrorPage());
}
if (signin.IsMissing())
{
Logger.Error("No signin id passed");
return(RenderErrorPage());
}
var cookie = new MessageCookie <SignInMessage>(Request.GetOwinContext(), this._options);
var signInMessage = cookie.Read(signin);
if (signInMessage == null)
{
Logger.Error("No cookie matching signin id found");
return(RenderErrorPage());
}
var authProp = new Microsoft.Owin.Security.AuthenticationProperties
{
RedirectUri = Url.Route(Constants.RouteNames.LoginExternalCallback, null)
};
// add the id to the dictionary so we can recall the cookie id on the callback
authProp.Dictionary.Add("signin", signin);
authProp.Dictionary.Add("katanaAuthenticationType", provider);
Request.GetOwinContext().Authentication.Challenge(authProp, provider);
return(Unauthorized());
}
public async Task<IHttpActionResult> ResumeLoginFromRedirect(string resume)
{
Logger.Info("Callback requested to resume login from partial login");
if (resume.IsMissing())
{
Logger.Error("no resumeId passed");
return RenderErrorPage();
}
var user = await GetIdentityFromPartialSignIn();
if (user == null)
{
Logger.Error("no identity from partial login");
return RenderErrorPage();
}
var type = GetClaimTypeForResumeId(resume);
var resumeClaim = user.FindFirst(type);
if (resumeClaim == null)
{
Logger.Error("no claim matching resumeId");
return RenderErrorPage();
}
var signInId = resumeClaim.Value;
if (signInId.IsMissing())
{
Logger.Error("No signin id found in resume claim");
return RenderErrorPage();
}
var cookie = new MessageCookie<SignInMessage>(Request.GetOwinContext(), this._options);
var signInMessage = cookie.Read(signInId);
if (signInMessage == null)
{
Logger.Error("No cookie matching signin id found");
return RenderErrorPage();
}
AuthenticateResult result = null;
var externalProviderClaim = user.FindFirst(Constants.ClaimTypes.ExternalProviderUserId);
if (externalProviderClaim == null)
{
// the user/subject was known, so pass thru (without the redirect claims)
user.RemoveClaim(user.FindFirst(Constants.ClaimTypes.PartialLoginReturnUrl));
user.RemoveClaim(user.FindFirst(GetClaimTypeForResumeId(resume)));
result = new AuthenticateResult(new ClaimsPrincipal(user));
}
else
{
// the user was not known, we need to re-execute AuthenticateExternalAsync
// to obtain a subject to proceed
var provider = externalProviderClaim.Issuer;
var providerId = externalProviderClaim.Value;
var externalId = new ExternalIdentity
{
Provider = provider,
ProviderId = providerId,
Claims = user.Claims
};
result = await _userService.AuthenticateExternalAsync(externalId);
if (result == null)
{
Logger.Warn("user service failed to authenticate external identity");
return await RenderLoginPage(signInMessage, signInId, Messages.NoMatchingExternalAccount);
}
if (result.IsError)
{
Logger.WarnFormat("user service returned error message: {0}", result.ErrorMessage);
return await RenderLoginPage(signInMessage, signInId, result.ErrorMessage);
}
}
return SignInAndRedirect(signInMessage, signInId, result);
}
public async Task<IHttpActionResult> LoginExternalCallback()
{
Logger.Info("Callback invoked from external identity provider ");
var signInId = await GetSignInIdFromExternalProvider();
if (signInId.IsMissing())
{
Logger.Error("No signin id passed");
return RenderErrorPage();
}
var cookie = new MessageCookie<SignInMessage>(Request.GetOwinContext(), this._options);
var signInMessage = cookie.Read(signInId);
if (signInMessage == null)
{
Logger.Error("No cookie matching signin id found");
return RenderErrorPage();
}
var user = await GetIdentityFromExternalProvider();
if (user == null)
{
Logger.Error("no identity from external identity provider");
return await RenderLoginPage(signInMessage, signInId, Messages.NoMatchingExternalAccount);
}
var externalIdentity = ExternalIdentity.FromClaims(user.Claims);
if (externalIdentity == null)
{
Logger.Error("no subject or unique identifier claims from external identity provider");
return await RenderLoginPage(signInMessage, signInId, Messages.NoMatchingExternalAccount);
}
Logger.InfoFormat("external user provider: {0}, provider ID: {1}", externalIdentity.Provider, externalIdentity.ProviderId);
var authResult = await _userService.AuthenticateExternalAsync(externalIdentity);
if (authResult == null)
{
Logger.Warn("user service failed to authenticate external identity");
return await RenderLoginPage(signInMessage, signInId, Messages.NoMatchingExternalAccount);
}
if (authResult.IsError)
{
Logger.WarnFormat("user service returned error message: {0}", authResult.ErrorMessage);
return await RenderLoginPage(signInMessage, signInId, authResult.ErrorMessage);
}
return SignInAndRedirect(signInMessage, signInId, authResult);
}
public async Task<IHttpActionResult> LoginExternal(string signin, string provider)
{
Logger.InfoFormat("External login requested for provider: {0}", provider);
if (provider.IsMissing())
{
Logger.Error("No provider passed");
return RenderErrorPage();
}
if (signin.IsMissing())
{
Logger.Error("No signin id passed");
return RenderErrorPage();
}
var cookie = new MessageCookie<SignInMessage>(Request.GetOwinContext(), this._options);
var signInMessage = cookie.Read(signin);
if (signInMessage == null)
{
Logger.Error("No cookie matching signin id found");
return RenderErrorPage();
}
var providerFilter = await GetProviderFilterForClientAsync(signInMessage);
if (providerFilter != null && providerFilter.Any() && !providerFilter.Contains(provider))
{
Logger.ErrorFormat("Provider {0} not allowed for client: {1}", provider, signInMessage.ClientId);
return RenderErrorPage();
}
var authProp = new Microsoft.Owin.Security.AuthenticationProperties
{
RedirectUri = Url.Route(Constants.RouteNames.LoginExternalCallback, null)
};
// add the id to the dictionary so we can recall the cookie id on the callback
authProp.Dictionary.Add(Constants.Authentication.SigninId, signin);
authProp.Dictionary.Add(Constants.Authentication.KatanaAuthenticationType, provider);
Request.GetOwinContext().Authentication.Challenge(authProp, provider);
return Unauthorized();
}
public async Task<IHttpActionResult> LoginLocal(string signin, LoginCredentials model)
{
Logger.Info("Login page submitted");
if (this._options.AuthenticationOptions.EnableLocalLogin == false)
{
Logger.Warn("EnableLocalLogin disabled -- returning 405 MethodNotAllowed");
return StatusCode(HttpStatusCode.MethodNotAllowed);
}
if (signin.IsMissing())
{
Logger.Error("No signin id passed");
return RenderErrorPage();
}
var cookie = new MessageCookie<SignInMessage>(Request.GetOwinContext(), this._options);
var signInMessage = cookie.Read(signin);
if (signInMessage == null)
{
Logger.Error("No cookie matching signin id found");
return RenderErrorPage();
}
if (model == null)
{
Logger.Error("no data submitted");
return await RenderLoginPage(signInMessage, signin, Messages.InvalidUsernameOrPassword);
}
// the browser will only send 'true' if ther user has checked the checkbox
// it will pass nothing if the user does not check the checkbox
// this check here is to establish if the user deliberatly did not check the checkbox
// or if the checkbox was not presented as an option (and thus AllowRememberMe is not allowed)
// true means they did check it, false means they did not, null means they were not presented with the choice
if (_options.AuthenticationOptions.CookieOptions.AllowRememberMe)
{
if (model.RememberMe != true)
{
model.RememberMe = false;
}
}
else
{
model.RememberMe = null;
}
if (!ModelState.IsValid)
{
Logger.Warn("validation error: username or password missing");
return await RenderLoginPage(signInMessage, signin, ModelState.GetError(), model.Username, model.RememberMe == true);
}
var authResult = await _userService.AuthenticateLocalAsync(model.Username, model.Password, signInMessage);
if (authResult == null)
{
Logger.WarnFormat("user service indicated incorrect username or password for username: {0}", model.Username);
return await RenderLoginPage(signInMessage, signin, Messages.InvalidUsernameOrPassword, model.Username, model.RememberMe == true);
}
if (authResult.IsError)
{
Logger.WarnFormat("user service returned an error message: {0}", authResult.ErrorMessage);
return await RenderLoginPage(signInMessage, signin, authResult.ErrorMessage, model.Username, model.RememberMe == true);
}
RaiseLocalLoginSuccessEvent(model.Username, signInMessage, authResult);
IssueLastUsernameCookie(model.Username);
return SignInAndRedirect(signInMessage, signin, authResult, model.RememberMe);
}
public async Task <IHttpActionResult> Login(string signin = null)
{
Logger.Info("Login page requested");
if (signin.IsMissing())
{
Logger.Info("No signin id passed");
return(HandleNoSignin());
}
if (signin.Length > MaxSignInMessageLength)
{
Logger.Error("Signin parameter passed was larger than max length");
return(RenderErrorPage());
}
var signInMessage = signInMessageCookie.Read(signin);
if (signInMessage == null)
{
Logger.Info("No cookie matching signin id found");
return(HandleNoSignin());
}
Logger.DebugFormat("signin message passed to login: {0}", JsonConvert.SerializeObject(signInMessage, Formatting.Indented));
var preAuthContext = new PreAuthenticationContext {
SignInMessage = signInMessage
};
await userService.PreAuthenticateAsync(preAuthContext);
var authResult = preAuthContext.AuthenticateResult;
if (authResult != null)
{
if (authResult.IsError)
{
Logger.WarnFormat("user service returned an error message: {0}", authResult.ErrorMessage);
await eventService.RaisePreLoginFailureEventAsync(signin, signInMessage, authResult.ErrorMessage);
if (preAuthContext.ShowLoginPageOnErrorResult)
{
Logger.Debug("ShowLoginPageOnErrorResult set to true, showing login page with error");
return(await RenderLoginPage(signInMessage, signin, authResult.ErrorMessage));
}
else
{
Logger.Debug("ShowLoginPageOnErrorResult set to false, showing error page with error");
return(RenderErrorPage(authResult.ErrorMessage));
}
}
Logger.Info("user service returned a login result");
await eventService.RaisePreLoginSuccessEventAsync(signin, signInMessage, authResult);
return(await SignInAndRedirectAsync(signInMessage, signin, authResult));
}
if (signInMessage.IdP.IsPresent())
{
Logger.InfoFormat("identity provider requested, redirecting to: {0}", signInMessage.IdP);
return(await LoginExternal(signin, signInMessage.IdP));
}
return(await RenderLoginPage(signInMessage, signin));
}
public async Task <IHttpActionResult> LoginLocal(string signin, LoginCredentials model)
{
Logger.Info("Login page submitted");
if (this._options.AuthenticationOptions.EnableLocalLogin == false)
{
Logger.Warn("EnableLocalLogin disabled -- returning 405 MethodNotAllowed");
return(StatusCode(HttpStatusCode.MethodNotAllowed));
}
if (signin.IsMissing())
{
Logger.Error("No signin id passed");
return(RenderErrorPage());
}
var cookie = new MessageCookie <SignInMessage>(Request.GetOwinContext(), this._options);
var signInMessage = cookie.Read(signin);
if (signInMessage == null)
{
Logger.Error("No cookie matching signin id found");
return(RenderErrorPage());
}
if (model == null)
{
Logger.Error("no data submitted");
return(await RenderLoginPage(signInMessage, signin, Messages.InvalidUsernameOrPassword));
}
// the browser will only send 'true' if ther user has checked the checkbox
// it will pass nothing if the user does not check the checkbox
// this check here is to establish if the user deliberatly did not check the checkbox
// or if the checkbox was not presented as an option (and thus AllowRememberMe is not allowed)
// true means they did check it, false means they did not, null means they were not presented with the choice
if (_options.AuthenticationOptions.CookieOptions.AllowRememberMe)
{
if (model.RememberMe != true)
{
model.RememberMe = false;
}
}
else
{
model.RememberMe = null;
}
if (!ModelState.IsValid)
{
Logger.Warn("validation error: username or password missing");
return(await RenderLoginPage(signInMessage, signin, ModelState.GetError(), model.Username, model.RememberMe == true));
}
var authResult = await _userService.AuthenticateLocalAsync(model.Username, model.Password, signInMessage);
if (authResult == null)
{
Logger.WarnFormat("user service indicated incorrect username or password for username: {0}", model.Username);
return(await RenderLoginPage(signInMessage, signin, Messages.InvalidUsernameOrPassword, model.Username, model.RememberMe == true));
}
if (authResult.IsError)
{
Logger.WarnFormat("user service returned an error message: {0}", authResult.ErrorMessage);
return(await RenderLoginPage(signInMessage, signin, authResult.ErrorMessage, model.Username, model.RememberMe == true));
}
RaiseLocalLoginSuccessEvent(model.Username, signInMessage, authResult);
return(SignInAndRedirect(signInMessage, signin, authResult, model.RememberMe));
}
public virtual Task <Message <ConsentResponse> > ReadAsync(string id)
{
return(Task.FromResult(Cookie.Read(id)));
}
/// <summary>
/// Gets the sign in message.
/// </summary>
/// <param name="env">The OWIN environment.</param>
/// <param name="id">The signin identifier.</param>
/// <returns></returns>
/// <exception cref="System.ArgumentNullException">
/// env
/// or
/// id
/// </exception>
public static SignInMessage GetSignInMessage(this IDictionary<string, object> env, string id)
{
if (env == null) throw new ArgumentNullException("env");
if (string.IsNullOrEmpty(id)) throw new ArgumentNullException("id");
var options = env.ResolveDependency<IdentityServerOptions>();
var cookie = new MessageCookie<SignInMessage>(env, options);
return cookie.Read(id);
}
public virtual Task <Message <ConsentResponse> > ReadAsync(string id)
{
using var activity = Tracing.StoreActivitySource.StartActivity("ConsentMessageStore.Read");
return(Task.FromResult(Cookie.Read(id)));
}
public Task <Message <TModel> > ReadAsync(string id)
{
return(Task.FromResult(_cookie.Read(id)));
}
private SignOutMessage GetSignOutMessage(string id)
{
if (!String.IsNullOrWhiteSpace(id))
{
var cookie = new MessageCookie<SignOutMessage>(Request.GetOwinContext(), this._options);
return cookie.Read(id);
}
return null;
}
public async Task <IHttpActionResult> ResumeLoginFromRedirect(string resume)
{
Logger.Info("Callback requested to resume login from partial login");
if (resume.IsMissing())
{
Logger.Error("no resumeId passed");
return(RenderErrorPage());
}
var user = await GetIdentityFromPartialSignIn();
if (user == null)
{
Logger.Error("no identity from partial login");
return(RenderErrorPage());
}
var type = GetClaimTypeForResumeId(resume);
var resumeClaim = user.FindFirst(type);
if (resumeClaim == null)
{
Logger.Error("no claim matching resumeId");
return(RenderErrorPage());
}
var signInId = resumeClaim.Value;
if (signInId.IsMissing())
{
Logger.Error("No signin id found in resume claim");
return(RenderErrorPage());
}
var cookie = new MessageCookie <SignInMessage>(Request.GetOwinContext(), this._options);
var signInMessage = cookie.Read(signInId);
if (signInMessage == null)
{
Logger.Error("No cookie matching signin id found");
return(RenderErrorPage());
}
AuthenticateResult result = null;
var externalProviderClaim = user.FindFirst(Constants.ClaimTypes.ExternalProviderUserId);
if (externalProviderClaim == null)
{
// the user/subject was known, so pass thru (without the redirect claims)
user.RemoveClaim(user.FindFirst(Constants.ClaimTypes.PartialLoginReturnUrl));
user.RemoveClaim(user.FindFirst(GetClaimTypeForResumeId(resume)));
result = new AuthenticateResult(new ClaimsPrincipal(user));
}
else
{
// the user was not known, we need to re-execute AuthenticateExternalAsync
// to obtain a subject to proceed
var provider = externalProviderClaim.Issuer;
var providerId = externalProviderClaim.Value;
var externalId = new ExternalIdentity
{
Provider = provider,
ProviderId = providerId,
Claims = user.Claims
};
result = await _userService.AuthenticateExternalAsync(externalId);
if (result == null)
{
Logger.Warn("user service failed to authenticate external identity");
return(await RenderLoginPage(signInMessage, signInId, Messages.NoMatchingExternalAccount));
}
if (result.IsError)
{
Logger.WarnFormat("user service returned error message: {0}", result.ErrorMessage);
return(await RenderLoginPage(signInMessage, signInId, result.ErrorMessage));
}
}
return(SignInAndRedirect(signInMessage, signInId, result));
}
