/// <summary> /// Updates claims with authentication information. /// </summary> /// <param name="httpContextBase">The HTTP context base.</param> /// <param name="authToken">The authentication token.</param> /// <param name="identityProviderType">Type of the identity provider.</param> /// <param name="email">The email.</param> /// <param name="accountNumber">The account number.</param> /// <param name="firstName">The first name.</param> /// <param name="lastName">The last name.</param> private void UpdateClaims(HttpContextBase httpContextBase, string authToken, IdentityProviderType identityProviderType, string email, string accountNumber, string firstName, string lastName) { var claims = new List <Claim>(); claims.Add(new Claim(CookieConstants.Email, email)); // Split up auth token to prevent exceeding of browser cookie size limitation. int midIndex = authToken.Length / 2; string authTokenPart1 = authToken.Substring(0, midIndex); claims.Add(new Claim(CookieConstants.ExternalTokenPart1, authTokenPart1)); string authTokenPart2 = authToken.Substring(midIndex); this.SaveToEncryptedCookie(httpContextBase, authTokenPart2, CookieConstants.ExternalTokenPart2); claims.Add(new Claim(CookieConstants.IdentityProviderType, identityProviderType.ToString())); claims.Add(new Claim(CookieConstants.CustomerAccountNumber, accountNumber)); claims.Add(new Claim(CookieConstants.FirstName, firstName)); claims.Add(new Claim(CookieConstants.LastName, lastName)); var id = new ClaimsIdentity(claims, CookieConstants.ApplicationCookieAuthenticationType); var ctx = httpContextBase.Request.GetOwinContext(); var authenticationManager = ctx.Authentication; authenticationManager.SignIn(id); OpenIdConnectUtilities.RemoveCookie(OpenIdConnectUtilities.CookieState); OpenIdConnectUtilities.RemoveCookie(OpenIdConnectUtilities.CookieNonce); }
/// <summary> /// Action invoked on being redirected from ACS identity provider. /// </summary> /// <returns>View after being redirected from ACS identity provider.</returns> /// <exception cref="System.NotSupportedException">Thrown when email claim does not exist.</exception> public ActionResult AcsRedirect() { string documentContents; using (Stream receiveStream = this.HttpContext.Request.InputStream) { StreamReader readStream = new StreamReader(receiveStream, Encoding.UTF8); documentContents = readStream.ReadToEnd(); } string acsToken = OpenIdConnectUtilities.GetAcsToken(documentContents); JwtSecurityToken token = new JwtSecurityToken(acsToken); var emailClaim = token.Claims.FirstOrDefault(t => t.Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"); string email = null; // Not all providers provide the claim, for instance, Windows Live ID does not. if (emailClaim != null) { email = emailClaim.Value; } return(this.GetRedirectionBasedOnAssociatedCustomer(acsToken, IdentityProviderType.ACS, email)); }
public ActionResult SignOut() { Uri externalLogOffUri = null; if (this.Request.IsAuthenticated) { var ctx = Request.GetOwinContext(); ctx.Authentication.SignOut(CookieConstants.ApplicationCookieAuthenticationType); IdentityProviderClientConfigurationElement providerClient = OpenIdConnectUtilities.GetCurrentProviderSettings(); ////ctx.Authentication.SignOut(providerClient.Name); // Clean up openId nonce cookie. This is just a workaround. Ideally, we should be calling 'ctx.Authentication.SignOut(providerClient.Name)' //// Begin workaround. foreach (string cookieName in ControllerContext.HttpContext.Request.Cookies.AllKeys) { if (cookieName.StartsWith("OpenIdConnect.nonce.", StringComparison.OrdinalIgnoreCase)) { OpenIdConnectUtilities.RemoveCookie(cookieName); break; } } //// End workaround. externalLogOffUri = providerClient.LogOffUrl; } OpenIdConnectUtilities.RemoveCookie(OpenIdConnectUtilities.CookieCurrentProvider); ServiceUtilities.CleanUpOnSignOutOrAuthFailure(this.HttpContext); return(this.View(SignInController.SignOutViewName, externalLogOffUri)); }
/// <summary> /// Action invoked on being redirected from open identity provider. /// </summary> /// <returns>View after being redirected from open identity provider.</returns> /// <exception cref="System.NotSupportedException">Thrown when email claim does not exist.</exception> public ActionResult OAuthV2Redirect() { IdentityProviderClientConfigurationElement currentProvider = OpenIdConnectUtilities.GetCurrentProviderSettings(); // Check whether provider returned an error which could be a case if a user rejected a consent. string errorCode = this.HttpContext.Request.Params["error"]; if (errorCode != null) { string message = string.Format( CultureInfo.CurrentCulture, "The provider {0} returned error code {1} while processing user's credentials.", currentProvider.Name, errorCode); this.Response.Redirect("~", false); this.HttpContext.ApplicationInstance.CompleteRequest(); return(null); } string authorizationCode = OpenIdConnectUtilities.ValidateRequestAndGetAuthorizationCode(); if (authorizationCode == null) { string message = "Unable to find the authorization code for the login request."; SecurityException securityException = new SecurityException(message); throw securityException; } string bodyParameters = string.Format( CultureInfo.InvariantCulture, "grant_type=authorization_code&code={0}&redirect_uri={1}&client_id={2}&client_secret={3}", authorizationCode, currentProvider.RedirectUrl, currentProvider.ClientId, currentProvider.ClientSecret); OpenIdConnectConfiguration providerDiscoveryDocument = OpenIdConnectUtilities.GetDiscoveryDocument(currentProvider.Issuer); string returnValuesJson = OpenIdConnectUtilities.HttpPost(new Uri(providerDiscoveryDocument.TokenEndpoint), bodyParameters); TokenEndpointResponse tokenResponse = OpenIdConnectUtilities.DeserilizeJson <TokenEndpointResponse>(returnValuesJson); JwtSecurityToken token = OpenIdConnectUtilities.GetIdToken(tokenResponse.IdToken); Claim emailClaim = token.Claims.SingleOrDefault(c => string.Equals(c.Type, OpenIdConnectUtilities.Email, StringComparison.OrdinalIgnoreCase)); string email = null; // IdentityServer does not return email claim. if (emailClaim != null) { email = emailClaim.Value; } return(this.GetRedirectionBasedOnAssociatedCustomer(tokenResponse.IdToken, currentProvider.ProviderType, email)); }
/// <summary> /// Action invoked on being redirected from open identity provider. /// </summary> /// <returns>View after being redirected from open identity provider.</returns> /// <exception cref="System.NotSupportedException">Thrown when email claim does not exist.</exception> public async Task <ActionResult> OAuthV2Redirect() { IdentityProviderClientConfigurationElement currentProvider = OpenIdConnectUtilities.GetCurrentProviderSettings(); // Check whether provider returned an error which could be a case if a user rejected a consent. string errorCode = ControllerContext.HttpContext.Request.Params["error"]; if (errorCode != null) { string message = string.Format( "The provider {0} returned error code {1} while processing user's credentials.", currentProvider.Name, errorCode); System.Diagnostics.Trace.TraceWarning(message); this.Response.Redirect("~", false); this.HttpContext.ApplicationInstance.CompleteRequest(); return(null); } string authorizationCode = OpenIdConnectUtilities.ValidateRequestAndGetAuthorizationCode(this.HttpContext); if (authorizationCode == null) { SecurityException securityException = new SecurityException("Unable to find the authorization code for the login request."); RetailLogger.Log.OnlineStoreAuthorizationCodeNotFoundForLogOnRequest(securityException); throw securityException; } string bodyParameters = string.Format( "grant_type=authorization_code&code={0}&redirect_uri={1}&client_id={2}&client_secret={3}", authorizationCode, currentProvider.RedirectUrl, currentProvider.ClientId, currentProvider.ClientSecret); OpenIdConnectConfiguration providerDiscoveryDocument = OpenIdConnectUtilities.GetDiscoveryDocument(currentProvider.Issuer); string returnValuesJson = OpenIdConnectUtilities.HttpPost(new Uri(providerDiscoveryDocument.TokenEndpoint), bodyParameters); TokenEndpointResponse tokenResponse = OpenIdConnectUtilities.DeserilizeJson <TokenEndpointResponse>(returnValuesJson); JwtSecurityToken token = OpenIdConnectUtilities.GetIdToken(tokenResponse.IdToken); Claim emailClaim = token.Claims.SingleOrDefault(c => string.Equals(c.Type, CookieConstants.Email, StringComparison.OrdinalIgnoreCase)); if (emailClaim == null) { RetailLogger.Log.OnlineStoreClaimNotFound(CookieConstants.Email, "Required for sign up using OpenIdAuth"); throw new SecurityException("Email claim does not exist."); } RedirectToRouteResult redirectResult = await this.GetRedirectionBasedOnAssociatedCustomer(this.HttpContext, tokenResponse.IdToken, currentProvider.ProviderType, emailClaim.Value); return(redirectResult); }
public ActionResult FederatedSignOut() { IdentityProviderClientConfigurationElement providerClient = OpenIdConnectUtilities.GetCurrentProviderSettings(); Uri externalLogOffUri = providerClient.LogOffUrl; OpenIdConnectUtilities.RemoveCookie(OpenIdConnectUtilities.CookieCurrentProvider); OpenIdConnectUtilities.RemoveCookie(OpenIdConnectUtilities.CookieCurrentProviderType); OpenIdConnectUtilities.CleanUpOnSignOutOrAuthFailure(this.HttpContext); var model = new FederatedSignOutApiModel() { LogOffUri = externalLogOffUri }; return(this.View(model)); }
/// <summary> /// Cleans the not authorized session. /// </summary> public virtual void CleanNotAuthorizedSession() { var ctx = this.Request.GetOwinContext(); ctx.Authentication.SignOut(OpenIdConnectUtilities.ApplicationCookieAuthenticationType); OpenIdConnectUtilities.RemoveCookie(OpenIdConnectUtilities.OpenIdCookie); // Clean up openId nonce cookie. This is just a workaround. Ideally, we should be calling 'ctx.Authentication.SignOut(providerClient.Name)' foreach (var cookieName in this.ControllerContext.HttpContext.Request.Cookies.AllKeys) { if (cookieName.StartsWith("OpenIdConnect.nonce.", StringComparison.OrdinalIgnoreCase)) { OpenIdConnectUtilities.RemoveCookie(cookieName); break; } } }
public ActionResult LoginPost(string provider) { IdentityProviderClientConfigurationElement providerConfig = OpenIdConnectUtilities.GetIdentityProviderFromConfiguration(provider); switch (providerConfig.ProviderType) { case IdentityProviderType.OpenIdConnect: this.ControllerContext.HttpContext.GetOwinContext().Authentication.Challenge(providerConfig.Name); return(new HttpUnauthorizedResult()); case IdentityProviderType.ACS: // Storing cookie with current provider (used in Logoff). OpenIdConnectUtilities.SetCookie( this.HttpContext, OpenIdConnectUtilities.CookieCurrentProvider, providerConfig.Name); OpenIdConnectUtilities.SetCookie( this.HttpContext, OpenIdConnectUtilities.CookieCurrentProviderType, providerConfig.ProviderType.ToString()); string url = string.Format( CultureInfo.InvariantCulture, "{0}v2/wsfederation?wa=wsignin1.0&wtrealm={1}", providerConfig.Issuer, providerConfig.RedirectUrl); this.Response.Redirect(url, true); break; default: SecurityException securityException = new SecurityException( string.Format( CultureInfo.InvariantCulture, "The identity provider type {0} is not supported", providerConfig.ProviderType)); throw securityException; } return(null); }
/// <summary> /// Performs clean up operations after any authentication/authorization failure. /// </summary> /// <param name="httpContextBase">The HTTP context.</param> public static void CleanUpOnSignOutOrAuthFailure(HttpContextBase httpContextBase) { if (httpContextBase == null) { throw new ArgumentNullException(nameof(httpContextBase)); } var ctx = httpContextBase.Request.GetOwinContext(); ctx.Authentication.SignOut(CookieConstants.ApplicationCookieAuthenticationType); OpenIdConnectUtilities.RemoveCookie(CookieConstants.ExternalTokenPart2); string cookieName = GetCartTokenCookieName(SessionType.SignedInShopping); CookieManager.DeleteCookie(httpContextBase.ApplicationInstance.Context, cookieName); cookieName = GetCartTokenCookieName(SessionType.SignedInCheckout); CookieManager.DeleteCookie(httpContextBase.ApplicationInstance.Context, cookieName); }
public ActionResult LogOffAndRedirect() { if (Context.User.IsAuthenticated) { var ctx = this.Request.GetOwinContext(); var cookies = ctx.Response.Cookies; ctx.Authentication.SignOut(OpenIdConnectUtilities.ApplicationCookieAuthenticationType); // Clean up openId nonce cookie. This is just a workaround. Ideally, we should be calling 'ctx.Authentication.SignOut(providerClient.Name)' foreach (string cookieName in this.ControllerContext.HttpContext.Request.Cookies.AllKeys) { if (cookieName.StartsWith("OpenIdConnect.nonce.", StringComparison.OrdinalIgnoreCase)) { OpenIdConnectUtilities.RemoveCookie(cookieName); } } } this.AccountManager.Logout(); return(this.Redirect("/federatedSignout")); }
private ActionResult GetRedirectionBasedOnAssociatedCustomer(string authToken, IdentityProviderType identityProviderType, string email) { OpenIdConnectUtilities.SetTokenCookie(authToken); var customerResult = this.AccountManager.GetCustomer().ServiceProviderResult; CommerceCustomer customer = customerResult.CommerceCustomer; if (customerResult.Success && customer != null) { if (identityProviderType == IdentityProviderType.OpenIdConnect) { OpenIdConnectUtilities.RemoveCookie(OpenIdConnectUtilities.CookieState); OpenIdConnectUtilities.RemoveCookie(OpenIdConnectUtilities.CookieNonce); } return(this.RegisterExistingUser(customer)); } else { string url = string.Format(CultureInfo.InvariantCulture, "/Register?isActivationPending={0}&email={1}", customerResult.Properties["IsRequestToLinkToExistingCustomerPending"], email); return(this.Redirect(url)); } }
public ActionResult Register(RegisterUserInputModel inputModel) { RegisterBaseResultApiModel result = new RegisterBaseResultApiModel(); try { Assert.ArgumentNotNull(inputModel, "RegisterInputModel"); if (string.Equals(inputModel.SignupSelection, "NewAccount", StringComparison.OrdinalIgnoreCase)) { inputModel.Password = System.Web.Security.Membership.GeneratePassword(8, 4); var response = this.AccountManager.RegisterUser(inputModel); if (response.ServiceProviderResult.Success && response.Result != null) { var isLoggedIn = this.AccountManager.Login(response.Result.UserName, false); if (!isLoggedIn) { result.Success = false; result.SetErrors(new List <string> { "Could not create user" }); } } else { result.Success = false; result.SetErrors(response.ServiceProviderResult); } return(this.Json(result, JsonRequestBehavior.AllowGet)); } else { string emailOfExistingCustomer = inputModel.LinkupEmail; var response = this.AccountManager.InitiateLinkToExistingCustomer(emailOfExistingCustomer); if (response.ServiceProviderResult.Success && response.Result != null) { ////Clean up auth cookies completely. We need to be signed out. OpenIdConnectUtilities.RemoveCookie(OpenIdConnectUtilities.CookieCurrentProvider); OpenIdConnectUtilities.RemoveCookie(OpenIdConnectUtilities.CookieCurrentProviderType); OpenIdConnectUtilities.RemoveCookie(OpenIdConnectUtilities.OpenIdCookie); result.UserName = response.Result.Name; result.IsSignupFlow = true; return(this.Json(result, JsonRequestBehavior.AllowGet)); } else { result.Success = false; result.SetErrors(response.ServiceProviderResult); return(this.Json(result, JsonRequestBehavior.AllowGet)); } } } catch (AggregateException ex) { result.Success = false; result.SetErrors(StorefrontConstants.KnownActionNames.RegisterActionName, ex.InnerExceptions[0]); return(this.Json(result, JsonRequestBehavior.AllowGet)); } catch (Sitecore.Commerce.OpenIDConnectionClosedUnexpectedlyException) { this.CleanNotAuthorizedSession(); return(this.Redirect("/login")); } catch (Exception ex) { result.Success = false; result.SetErrors(StorefrontConstants.KnownActionNames.RegisterActionName, ex); return(this.Json(result, JsonRequestBehavior.AllowGet)); } }