/// <summary>
/// Updates claims with authentication information.
/// </summary>
/// <param name="httpContextBase">The HTTP context base.</param>
/// <param name="authToken">The authentication token.</param>
/// <param name="identityProviderType">Type of the identity provider.</param>
/// <param name="email">The email.</param>
/// <param name="accountNumber">The account number.</param>
/// <param name="firstName">The first name.</param>
/// <param name="lastName">The last name.</param>
private void UpdateClaims(HttpContextBase httpContextBase, string authToken, IdentityProviderType identityProviderType, string email, string accountNumber, string firstName, string lastName)
{
var claims = new List <Claim>();
claims.Add(new Claim(CookieConstants.Email, email));
// Split up auth token to prevent exceeding of browser cookie size limitation.
int midIndex = authToken.Length / 2;
string authTokenPart1 = authToken.Substring(0, midIndex);
claims.Add(new Claim(CookieConstants.ExternalTokenPart1, authTokenPart1));
string authTokenPart2 = authToken.Substring(midIndex);
this.SaveToEncryptedCookie(httpContextBase, authTokenPart2, CookieConstants.ExternalTokenPart2);
claims.Add(new Claim(CookieConstants.IdentityProviderType, identityProviderType.ToString()));
claims.Add(new Claim(CookieConstants.CustomerAccountNumber, accountNumber));
claims.Add(new Claim(CookieConstants.FirstName, firstName));
claims.Add(new Claim(CookieConstants.LastName, lastName));
var id = new ClaimsIdentity(claims, CookieConstants.ApplicationCookieAuthenticationType);
var ctx = httpContextBase.Request.GetOwinContext();
var authenticationManager = ctx.Authentication;
authenticationManager.SignIn(id);
OpenIdConnectUtilities.RemoveCookie(OpenIdConnectUtilities.CookieState);
OpenIdConnectUtilities.RemoveCookie(OpenIdConnectUtilities.CookieNonce);
}
/// <summary>
/// Action invoked on being redirected from ACS identity provider.
/// </summary>
/// <returns>View after being redirected from ACS identity provider.</returns>
/// <exception cref="System.NotSupportedException">Thrown when email claim does not exist.</exception>
public ActionResult AcsRedirect()
{
string documentContents;
using (Stream receiveStream = this.HttpContext.Request.InputStream)
{
StreamReader readStream = new StreamReader(receiveStream, Encoding.UTF8);
documentContents = readStream.ReadToEnd();
}
string acsToken = OpenIdConnectUtilities.GetAcsToken(documentContents);
JwtSecurityToken token = new JwtSecurityToken(acsToken);
var emailClaim = token.Claims.FirstOrDefault(t => t.Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress");
string email = null;
// Not all providers provide the claim, for instance, Windows Live ID does not.
if (emailClaim != null)
{
email = emailClaim.Value;
}
return(this.GetRedirectionBasedOnAssociatedCustomer(acsToken, IdentityProviderType.ACS, email));
}
public ActionResult SignOut()
{
Uri externalLogOffUri = null;
if (this.Request.IsAuthenticated)
{
var ctx = Request.GetOwinContext();
ctx.Authentication.SignOut(CookieConstants.ApplicationCookieAuthenticationType);
IdentityProviderClientConfigurationElement providerClient = OpenIdConnectUtilities.GetCurrentProviderSettings();
////ctx.Authentication.SignOut(providerClient.Name);
// Clean up openId nonce cookie. This is just a workaround. Ideally, we should be calling 'ctx.Authentication.SignOut(providerClient.Name)'
//// Begin workaround.
foreach (string cookieName in ControllerContext.HttpContext.Request.Cookies.AllKeys)
{
if (cookieName.StartsWith("OpenIdConnect.nonce.", StringComparison.OrdinalIgnoreCase))
{
OpenIdConnectUtilities.RemoveCookie(cookieName);
break;
}
}
//// End workaround.
externalLogOffUri = providerClient.LogOffUrl;
}
OpenIdConnectUtilities.RemoveCookie(OpenIdConnectUtilities.CookieCurrentProvider);
ServiceUtilities.CleanUpOnSignOutOrAuthFailure(this.HttpContext);
return(this.View(SignInController.SignOutViewName, externalLogOffUri));
}
/// <summary>
/// Action invoked on being redirected from open identity provider.
/// </summary>
/// <returns>View after being redirected from open identity provider.</returns>
/// <exception cref="System.NotSupportedException">Thrown when email claim does not exist.</exception>
public ActionResult OAuthV2Redirect()
{
IdentityProviderClientConfigurationElement currentProvider = OpenIdConnectUtilities.GetCurrentProviderSettings();
// Check whether provider returned an error which could be a case if a user rejected a consent.
string errorCode = this.HttpContext.Request.Params["error"];
if (errorCode != null)
{
string message = string.Format(
CultureInfo.CurrentCulture,
"The provider {0} returned error code {1} while processing user's credentials.",
currentProvider.Name,
errorCode);
this.Response.Redirect("~", false);
this.HttpContext.ApplicationInstance.CompleteRequest();
return(null);
}
string authorizationCode = OpenIdConnectUtilities.ValidateRequestAndGetAuthorizationCode();
if (authorizationCode == null)
{
string message = "Unable to find the authorization code for the login request.";
SecurityException securityException = new SecurityException(message);
throw securityException;
}
string bodyParameters = string.Format(
CultureInfo.InvariantCulture,
"grant_type=authorization_code&code={0}&redirect_uri={1}&client_id={2}&client_secret={3}",
authorizationCode,
currentProvider.RedirectUrl,
currentProvider.ClientId,
currentProvider.ClientSecret);
OpenIdConnectConfiguration providerDiscoveryDocument = OpenIdConnectUtilities.GetDiscoveryDocument(currentProvider.Issuer);
string returnValuesJson = OpenIdConnectUtilities.HttpPost(new Uri(providerDiscoveryDocument.TokenEndpoint), bodyParameters);
TokenEndpointResponse tokenResponse = OpenIdConnectUtilities.DeserilizeJson <TokenEndpointResponse>(returnValuesJson);
JwtSecurityToken token = OpenIdConnectUtilities.GetIdToken(tokenResponse.IdToken);
Claim emailClaim = token.Claims.SingleOrDefault(c => string.Equals(c.Type, OpenIdConnectUtilities.Email, StringComparison.OrdinalIgnoreCase));
string email = null;
// IdentityServer does not return email claim.
if (emailClaim != null)
{
email = emailClaim.Value;
}
return(this.GetRedirectionBasedOnAssociatedCustomer(tokenResponse.IdToken, currentProvider.ProviderType, email));
}
/// <summary>
/// Action invoked on being redirected from open identity provider.
/// </summary>
/// <returns>View after being redirected from open identity provider.</returns>
/// <exception cref="System.NotSupportedException">Thrown when email claim does not exist.</exception>
public async Task <ActionResult> OAuthV2Redirect()
{
IdentityProviderClientConfigurationElement currentProvider = OpenIdConnectUtilities.GetCurrentProviderSettings();
// Check whether provider returned an error which could be a case if a user rejected a consent.
string errorCode = ControllerContext.HttpContext.Request.Params["error"];
if (errorCode != null)
{
string message = string.Format(
"The provider {0} returned error code {1} while processing user's credentials.", currentProvider.Name, errorCode);
System.Diagnostics.Trace.TraceWarning(message);
this.Response.Redirect("~", false);
this.HttpContext.ApplicationInstance.CompleteRequest();
return(null);
}
string authorizationCode = OpenIdConnectUtilities.ValidateRequestAndGetAuthorizationCode(this.HttpContext);
if (authorizationCode == null)
{
SecurityException securityException = new SecurityException("Unable to find the authorization code for the login request.");
RetailLogger.Log.OnlineStoreAuthorizationCodeNotFoundForLogOnRequest(securityException);
throw securityException;
}
string bodyParameters = string.Format(
"grant_type=authorization_code&code={0}&redirect_uri={1}&client_id={2}&client_secret={3}",
authorizationCode,
currentProvider.RedirectUrl,
currentProvider.ClientId,
currentProvider.ClientSecret);
OpenIdConnectConfiguration providerDiscoveryDocument = OpenIdConnectUtilities.GetDiscoveryDocument(currentProvider.Issuer);
string returnValuesJson = OpenIdConnectUtilities.HttpPost(new Uri(providerDiscoveryDocument.TokenEndpoint), bodyParameters);
TokenEndpointResponse tokenResponse = OpenIdConnectUtilities.DeserilizeJson <TokenEndpointResponse>(returnValuesJson);
JwtSecurityToken token = OpenIdConnectUtilities.GetIdToken(tokenResponse.IdToken);
Claim emailClaim = token.Claims.SingleOrDefault(c => string.Equals(c.Type, CookieConstants.Email, StringComparison.OrdinalIgnoreCase));
if (emailClaim == null)
{
RetailLogger.Log.OnlineStoreClaimNotFound(CookieConstants.Email, "Required for sign up using OpenIdAuth");
throw new SecurityException("Email claim does not exist.");
}
RedirectToRouteResult redirectResult = await this.GetRedirectionBasedOnAssociatedCustomer(this.HttpContext, tokenResponse.IdToken, currentProvider.ProviderType, emailClaim.Value);
return(redirectResult);
}
public ActionResult FederatedSignOut()
{
IdentityProviderClientConfigurationElement providerClient = OpenIdConnectUtilities.GetCurrentProviderSettings();
Uri externalLogOffUri = providerClient.LogOffUrl;
OpenIdConnectUtilities.RemoveCookie(OpenIdConnectUtilities.CookieCurrentProvider);
OpenIdConnectUtilities.RemoveCookie(OpenIdConnectUtilities.CookieCurrentProviderType);
OpenIdConnectUtilities.CleanUpOnSignOutOrAuthFailure(this.HttpContext);
var model = new FederatedSignOutApiModel()
{
LogOffUri = externalLogOffUri
};
return(this.View(model));
}
/// <summary>
/// Cleans the not authorized session.
/// </summary>
public virtual void CleanNotAuthorizedSession()
{
var ctx = this.Request.GetOwinContext();
ctx.Authentication.SignOut(OpenIdConnectUtilities.ApplicationCookieAuthenticationType);
OpenIdConnectUtilities.RemoveCookie(OpenIdConnectUtilities.OpenIdCookie);
// Clean up openId nonce cookie. This is just a workaround. Ideally, we should be calling 'ctx.Authentication.SignOut(providerClient.Name)'
foreach (var cookieName in this.ControllerContext.HttpContext.Request.Cookies.AllKeys)
{
if (cookieName.StartsWith("OpenIdConnect.nonce.", StringComparison.OrdinalIgnoreCase))
{
OpenIdConnectUtilities.RemoveCookie(cookieName);
break;
}
}
}
public ActionResult LoginPost(string provider)
{
IdentityProviderClientConfigurationElement providerConfig = OpenIdConnectUtilities.GetIdentityProviderFromConfiguration(provider);
switch (providerConfig.ProviderType)
{
case IdentityProviderType.OpenIdConnect:
this.ControllerContext.HttpContext.GetOwinContext().Authentication.Challenge(providerConfig.Name);
return(new HttpUnauthorizedResult());
case IdentityProviderType.ACS:
// Storing cookie with current provider (used in Logoff).
OpenIdConnectUtilities.SetCookie(
this.HttpContext,
OpenIdConnectUtilities.CookieCurrentProvider,
providerConfig.Name);
OpenIdConnectUtilities.SetCookie(
this.HttpContext,
OpenIdConnectUtilities.CookieCurrentProviderType,
providerConfig.ProviderType.ToString());
string url = string.Format(
CultureInfo.InvariantCulture,
"{0}v2/wsfederation?wa=wsignin1.0&wtrealm={1}",
providerConfig.Issuer,
providerConfig.RedirectUrl);
this.Response.Redirect(url, true);
break;
default:
SecurityException securityException =
new SecurityException(
string.Format(
CultureInfo.InvariantCulture,
"The identity provider type {0} is not supported",
providerConfig.ProviderType));
throw securityException;
}
return(null);
}
/// <summary>
/// Performs clean up operations after any authentication/authorization failure.
/// </summary>
/// <param name="httpContextBase">The HTTP context.</param>
public static void CleanUpOnSignOutOrAuthFailure(HttpContextBase httpContextBase)
{
if (httpContextBase == null)
{
throw new ArgumentNullException(nameof(httpContextBase));
}
var ctx = httpContextBase.Request.GetOwinContext();
ctx.Authentication.SignOut(CookieConstants.ApplicationCookieAuthenticationType);
OpenIdConnectUtilities.RemoveCookie(CookieConstants.ExternalTokenPart2);
string cookieName = GetCartTokenCookieName(SessionType.SignedInShopping);
CookieManager.DeleteCookie(httpContextBase.ApplicationInstance.Context, cookieName);
cookieName = GetCartTokenCookieName(SessionType.SignedInCheckout);
CookieManager.DeleteCookie(httpContextBase.ApplicationInstance.Context, cookieName);
}
public ActionResult LogOffAndRedirect()
{
if (Context.User.IsAuthenticated)
{
var ctx = this.Request.GetOwinContext();
var cookies = ctx.Response.Cookies;
ctx.Authentication.SignOut(OpenIdConnectUtilities.ApplicationCookieAuthenticationType);
// Clean up openId nonce cookie. This is just a workaround. Ideally, we should be calling 'ctx.Authentication.SignOut(providerClient.Name)'
foreach (string cookieName in this.ControllerContext.HttpContext.Request.Cookies.AllKeys)
{
if (cookieName.StartsWith("OpenIdConnect.nonce.", StringComparison.OrdinalIgnoreCase))
{
OpenIdConnectUtilities.RemoveCookie(cookieName);
}
}
}
this.AccountManager.Logout();
return(this.Redirect("/federatedSignout"));
}
private ActionResult GetRedirectionBasedOnAssociatedCustomer(string authToken, IdentityProviderType identityProviderType, string email)
{
OpenIdConnectUtilities.SetTokenCookie(authToken);
var customerResult = this.AccountManager.GetCustomer().ServiceProviderResult;
CommerceCustomer customer = customerResult.CommerceCustomer;
if (customerResult.Success && customer != null)
{
if (identityProviderType == IdentityProviderType.OpenIdConnect)
{
OpenIdConnectUtilities.RemoveCookie(OpenIdConnectUtilities.CookieState);
OpenIdConnectUtilities.RemoveCookie(OpenIdConnectUtilities.CookieNonce);
}
return(this.RegisterExistingUser(customer));
}
else
{
string url = string.Format(CultureInfo.InvariantCulture, "/Register?isActivationPending={0}&email={1}", customerResult.Properties["IsRequestToLinkToExistingCustomerPending"], email);
return(this.Redirect(url));
}
}
public ActionResult Register(RegisterUserInputModel inputModel)
{
RegisterBaseResultApiModel result = new RegisterBaseResultApiModel();
try
{
Assert.ArgumentNotNull(inputModel, "RegisterInputModel");
if (string.Equals(inputModel.SignupSelection, "NewAccount", StringComparison.OrdinalIgnoreCase))
{
inputModel.Password = System.Web.Security.Membership.GeneratePassword(8, 4);
var response = this.AccountManager.RegisterUser(inputModel);
if (response.ServiceProviderResult.Success && response.Result != null)
{
var isLoggedIn = this.AccountManager.Login(response.Result.UserName, false);
if (!isLoggedIn)
{
result.Success = false;
result.SetErrors(new List <string> {
"Could not create user"
});
}
}
else
{
result.Success = false;
result.SetErrors(response.ServiceProviderResult);
}
return(this.Json(result, JsonRequestBehavior.AllowGet));
}
else
{
string emailOfExistingCustomer = inputModel.LinkupEmail;
var response = this.AccountManager.InitiateLinkToExistingCustomer(emailOfExistingCustomer);
if (response.ServiceProviderResult.Success && response.Result != null)
{
////Clean up auth cookies completely. We need to be signed out.
OpenIdConnectUtilities.RemoveCookie(OpenIdConnectUtilities.CookieCurrentProvider);
OpenIdConnectUtilities.RemoveCookie(OpenIdConnectUtilities.CookieCurrentProviderType);
OpenIdConnectUtilities.RemoveCookie(OpenIdConnectUtilities.OpenIdCookie);
result.UserName = response.Result.Name;
result.IsSignupFlow = true;
return(this.Json(result, JsonRequestBehavior.AllowGet));
}
else
{
result.Success = false;
result.SetErrors(response.ServiceProviderResult);
return(this.Json(result, JsonRequestBehavior.AllowGet));
}
}
}
catch (AggregateException ex)
{
result.Success = false;
result.SetErrors(StorefrontConstants.KnownActionNames.RegisterActionName, ex.InnerExceptions[0]);
return(this.Json(result, JsonRequestBehavior.AllowGet));
}
catch (Sitecore.Commerce.OpenIDConnectionClosedUnexpectedlyException)
{
this.CleanNotAuthorizedSession();
return(this.Redirect("/login"));
}
catch (Exception ex)
{
result.Success = false;
result.SetErrors(StorefrontConstants.KnownActionNames.RegisterActionName, ex);
return(this.Json(result, JsonRequestBehavior.AllowGet));
}
}
