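        /// <summary>
        /// Rewrites the outgoing OpenID Connect authorization request using the tenant, client id and
        /// policy that were placed in the "tenant", "client_id" and "policy" response headers.
        /// The tenant's OpenID configuration is fetched for that policy and the request is pointed at its
        /// authorization endpoint; on any failure the user is redirected to the error page instead.
        /// </summary>
        /// <param name="notification">The OWIN redirect-to-identity-provider notification being handled.</param>
        private async Task OnRedirectToIdentityProvider(RedirectToIdentityProviderNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
        {
            // TryGetValue assigns the out parameters itself, so no up-front allocation is needed.
            // A header that is present but empty (zero values) is treated the same as a missing one.
            string[] tenant, client_id, policy;
            if (!notification.Response.Headers.TryGetValue("tenant", out tenant) ||
                !notification.Response.Headers.TryGetValue("client_id", out client_id) ||
                !notification.Response.Headers.TryGetValue("policy", out policy) ||
                tenant == null || tenant.Length == 0 || string.IsNullOrEmpty(tenant[0]) ||
                client_id == null || client_id.Length == 0 || string.IsNullOrEmpty(client_id[0]) ||
                policy == null || policy.Length == 0 || string.IsNullOrEmpty(policy[0]))
            {
                notification.HandleResponse();
                notification.Response.Redirect("/Home/Error?message=You need to input your app settings before you can try this flow.");
                return;
            }

            try
            {
                // NOTE(review): tenant[0] is formatted straight into the discovery URL and therefore selects
                // which metadata document is trusted; it is presumably set by this app's own code, but
                // confirm it is validated as a tenant identifier before it reaches this handler.
                var cm = new B2CConfigurationManager(string.Format("https://login.microsoftonline.com/{0}/v2.0/.well-known/openid-configuration", tenant[0]));
                OpenIdConnectConfiguration config = await cm.GetConfigurationAsync(System.Threading.CancellationToken.None, policy[0]);

                notification.ProtocolMessage.IssuerAddress = config.AuthorizationEndpoint;
                notification.ProtocolMessage.ClientId      = client_id[0];
                // Force an interactive sign-in for this flow.
                notification.ProtocolMessage.SetParameter("prompt", "login");

                // The settings headers were only used to carry values into this handler; remove them so
                // they are not emitted with the response.
                notification.Response.Headers.Remove("tenant");
                notification.Response.Headers.Remove("client_id");
                notification.Response.Headers.Remove("policy");
            }
            catch (Exception)
            {
                // Best-effort: any failure (bad tenant, unreachable metadata endpoint, unknown policy)
                // is surfaced to the user as a configuration error rather than an unhandled exception.
                notification.HandleResponse();
                notification.Response.Redirect("/Home/Error?message=Are you SURE you entered your app settings correctly?");
            }
        }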
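        /// <summary>
        /// Handles the OpenID Connect challenge raised by the SingleSignOut JavaScript. When the request
        /// targets the Account/SessionChanged action, the protocol state is stored in the authentication
        /// ticket cookie (so the resulting OIDC message can later be recognised) and a prompt=none request
        /// aimed at the user's tenant endpoint is redirected back to that action. Any other challenge is
        /// left untouched.
        /// </summary>
        /// <param name="notification">The OWIN redirect-to-identity-provider notification.</param>
        /// <returns>A completed task; the handler does no asynchronous work.</returns>
        /// <exception cref="InvalidOperationException">
        /// Thrown when the signed-in user has no "issEndpoint" claim to build the tenant-specific request from.
        /// </exception>
        public static Task RedirectToIdentityProvider(RedirectToIdentityProviderNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
        {
            UrlHelper url = new UrlHelper(HttpContext.Current.Request.RequestContext);
            string sessionChangedPath = url.Action("SessionChanged", "Account");

            // Only challenges issued from the SessionChanged action are rewritten.
            if (notification.Request.Uri.AbsolutePath != sessionChangedPath)
            {
                return Task.FromResult<object>(null);
            }

            ICookieManager cookieManager = new ChunkingCookieManager();
            string cookie = cookieManager.GetRequestCookie(notification.OwinContext, CookieName);
            AuthenticationTicket ticket = ticketDataFormat.Unprotect(cookie);

            // Unprotect is assumed to yield null for a missing or invalid cookie (confirm for the
            // ticketDataFormat in use); in that case there is no ticket to carry the state, so skip the
            // cookie update instead of dereferencing null.
            if (ticket != null)
            {
                if (ticket.Properties.Dictionary != null)
                {
                    ticket.Properties.Dictionary[OpenIdConnectAuthenticationDefaults.AuthenticationType + "SingleSignOut"] = notification.ProtocolMessage.State;
                }

                // NOTE(review): the re-issued ticket cookie is written with default CookieOptions; confirm
                // HttpOnly/Secure/Path match the options the cookie was originally issued with.
                cookieManager.AppendResponseCookie(notification.OwinContext, CookieName, ticketDataFormat.Protect(ticket), new CookieOptions());
            }

            var issuerClaim = notification.OwinContext.Authentication.User.FindFirst("issEndpoint");
            if (issuerClaim == null)
            {
                throw new InvalidOperationException("The signed-in user has no 'issEndpoint' claim; cannot build a tenant-specific prompt=none request.");
            }

            // Return a prompt=none request (to the tenant-specific endpoint) to the SessionChanged controller.
            notification.ProtocolMessage.Prompt        = "none";
            notification.ProtocolMessage.IssuerAddress = issuerClaim.Value;
            string redirectUrl = notification.ProtocolMessage.BuildRedirectUrl();
            notification.Response.Redirect(sessionChangedPath + "?" + redirectUrl);
            notification.HandleResponse();

            return Task.FromResult<object>(null);
        }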
        /// <summary>
        /// Marks both the supplied notification and a freshly created redirect-to-identity-provider
        /// notification as handled, so the OWIN middleware performs no further processing after an
        /// authentication failure.
        /// </summary>
        /// <param name="context">The current OWIN context.</param>
        /// <param name="baseNotif">The notification raised for the failed authentication.</param>
        public void OnAuthenticationFailed(IOwinContext context, BaseNotification <OpenIdConnectAuthenticationOptions> baseNotif)
        {
            var redirectContext = new RedirectToIdentityProviderNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions>(
                context,
                new OpenIdConnectAuthenticationOptions());

            // Handle the throw-away redirect notification first, then the incoming one.
            redirectContext.HandleResponse();
            baseNotif.HandleResponse();
        }
 /// <summary>
 /// Breaks the redirect loop that would otherwise occur when an already-authenticated user is
 /// challenged (401) for a resource they are not authorized for: instead of bouncing the user back to
 /// the federation server, the response status is changed to 403 and the notification is marked handled.
 /// </summary>
 /// <param name="context">The redirect-to-identity-provider notification being processed.</param>
 protected virtual void AvoidRedirectLoop(RedirectToIdentityProviderNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
 {
     var response = context.OwinContext.Response;
     if (response.StatusCode != 401)
     {
         return;
     }

     // Only an authenticated identity indicates an authorization (not authentication) failure.
     var identity = context.OwinContext.Authentication.User?.Identity;
     if (identity == null || !identity.IsAuthenticated)
     {
         return;
     }

     response.StatusCode = 403;
     context.HandleResponse();
 }
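 /// <summary>
 /// Intercepts OpenID Connect logout requests and redirects the browser to the identity provider's
 /// end-session endpoint, passing the user's stored id_token as <c>id_token_hint</c> together with the
 /// configured post-logout redirect URI. Non-logout requests are passed through untouched.
 /// </summary>
 /// <param name="notification">The OWIN redirect-to-identity-provider notification.</param>
 /// <returns>A completed task; no asynchronous work is performed.</returns>
 /// <exception cref="InvalidOperationException">Thrown when the signed-in user has no "id_token_hint" claim.</exception>
 private Task OnRedirectToIdentityProvider(RedirectToIdentityProviderNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
 {
     if (notification.ProtocolMessage.RequestType != OpenIdConnectRequestType.Logout)
     {
         return Task.FromResult(0);
     }

     var idTokenClaim = notification.OwinContext.Authentication.User.FindFirst("id_token_hint");
     if (idTokenClaim == null)
     {
         throw new InvalidOperationException("The signed-in user has no 'id_token_hint' claim; cannot build the end-session request.");
     }

     string idTokenHint           = idTokenClaim.Value;
     string postLogoutRedirectUri = notification.ProtocolMessage.PostLogoutRedirectUri;
     notification.ProtocolMessage.IdTokenHint = idTokenHint;

     // Both values are query-string parameters and must be percent-encoded; the redirect URI in
     // particular contains ':' and '/' and may contain '&' or '#', which would otherwise corrupt the query.
     string logoutUri = openIdConnectConfiguration.EndSessionEndpoint
         + "?id_token_hint=" + Uri.EscapeDataString(idTokenHint)
         + "&post_logout_redirect_uri=" + Uri.EscapeDataString(postLogoutRedirectUri ?? string.Empty);

     notification.Response.Redirect(logoutUri);
     notification.HandleResponse();
     return Task.FromResult(0);
 }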
        /// <summary>
        /// Default handling of the redirect-to-identity-provider notification: rewrites the redirect URI
        /// so the identity provider returns the user to the site that issued the request (multi-site
        /// support), prevents the authenticated-but-unauthorized redirect loop, and for XHR requests that
        /// were challenged with 401 marks the response handled so no login-page redirect is emitted.
        /// </summary>
        /// <param name="context">The notification being processed.</param>
        /// <returns>A completed task.</returns>
        protected virtual Task DefaultRedirectToIdentityProvider(RedirectToIdentityProviderNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
        {
            var message = context.ProtocolMessage;
            var owin    = context.OwinContext;

            // Derive the return URI from the current request so each site in a multi-site deployment
            // gets its own callback, e.g. https://your-first-site/vipps-login or https://your-second-site/vipps-login.
            message.RedirectUri = GetMultiSiteRedirectUri(message.RedirectUri, context.Request);

            AvoidRedirectLoop(context);

            // XHR callers cannot follow a redirect to a login screen; leave the 401 in place instead.
            bool challengedXhr = owin.Response.StatusCode == 401 && VippsHelpers.IsXhrRequest(owin.Request);
            if (challengedXhr)
            {
                context.HandleResponse();
            }

            return Task.FromResult(0);
        }
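        /// <summary>
        /// Handles the challenge raised by the SingleSignOut JavaScript: when the request targets
        /// /Account/SessionChanged, the protocol state is stored in an app-specific cookie so the resulting
        /// OIDC message can be recognised, and a prompt=none request is redirected back to that action.
        /// Other challenges are left to the default middleware behaviour.
        /// </summary>
        /// <param name="notification">The OWIN redirect-to-identity-provider notification.</param>
        /// <returns>A completed task; the handler does no asynchronous work.</returns>
        public static Task RedirectToIdentityProvider(RedirectToIdentityProviderNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
        {
            const string sessionChangedPath = "/Account/SessionChanged";

            if (notification.Request.Path.Value == sessionChangedPath)
            {
                // NOTE(review): the state cookie is appended with default cookie options; confirm
                // HttpOnly/Secure are set appropriately for this deployment.
                notification.Response.Cookies.Append("SingleSignOut" + clientId, notification.ProtocolMessage.State);

                notification.ProtocolMessage.Prompt = "none";
                // Build the redirect URL once and reuse it for the Location header.
                string redirectUrl = notification.ProtocolMessage.BuildRedirectUrl();
                notification.Response.Redirect(sessionChangedPath + "?" + redirectUrl);
                notification.HandleResponse();
            }

            return Task.FromResult<object>(null);
        }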
        /*
         *  On each call to Azure AD B2C, check if a policy (e.g. the profile edit or password reset policy) has been specified in the OWIN context.
         *  If so, use that policy when making the call. Also, don't request a code (since it won't be needed).
         */
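        /// <summary>
        /// For the account actions that may run under a non-default Azure AD B2C policy, substitutes the
        /// policy read from the OWIN environment ("Policy") into the issuer address of the outgoing
        /// request. Requests for any other path are denied with a redirect to the error page.
        /// </summary>
        /// <param name="notification">The OWIN redirect-to-identity-provider notification.</param>
        /// <returns>A completed task; no asynchronous work is performed.</returns>
        private Task OnRedirectToIdentityProvider(RedirectToIdentityProviderNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
        {
            if (!IsPolicyAwareAccountPath(notification.Request.Path.Value))
            {
                // NOTE(review): Response.Redirect typically replaces the status code with 302, so the 401
                // set here is presumably overwritten — confirm which status the client actually sees.
                notification.Response.StatusCode = 401;
                notification.Response.Redirect("/Home/Error?message=Access Denied");
                notification.HandleResponse();
                return Task.FromResult(0);
            }

            var policy = notification.OwinContext.Get<string>("Policy");

            // Only swap the policy when one was supplied and it differs from the default. Both sides are
            // lower-cased so the substitution is case-insensitive; the invariant culture avoids
            // locale-dependent casing (e.g. the Turkish dotless i) corrupting the URL.
            if (!string.IsNullOrEmpty(policy) && !policy.Equals(Globals.DefaultPolicy))
            {
                // NOTE(review): the policy value is substituted into the issuer URL verbatim; confirm the
                // code that sets "Policy" in the OWIN environment only ever uses known policy names.
                notification.ProtocolMessage.IssuerAddress = notification.ProtocolMessage.IssuerAddress
                    .ToLowerInvariant()
                    .Replace(Globals.DefaultPolicy.ToLowerInvariant(), policy.ToLowerInvariant());
            }

            return Task.FromResult(0);
        }

        /// <summary>
        /// True for the account actions whose authorization request may carry a non-default B2C policy.
        /// A null path (no request path) is not policy-aware.
        /// </summary>
        /// <param name="path">The request path, as given by <c>Request.Path.Value</c>.</param>
        /// <returns>True when <paramref name="path"/> is one of the policy-aware account paths.</returns>
        private static bool IsPolicyAwareAccountPath(string path)
        {
            switch (path)
            {
                case "/Account/SignUp":
                case "/Account/SignIn":
                case "/Account/EditProfile":
                case "/Account/ResetPassword":
                case "/Account/SignOut":
                    return true;
                default:
                    return false;
            }
        }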
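        /// <summary>
        /// Handles the OpenID Connect challenge raised by the SingleSignOut JavaScript. When the request
        /// targets the Account/SessionChanged action, the protocol state is stored in the authentication
        /// ticket cookie (so the resulting OIDC message can later be recognised) and a prompt=none request
        /// aimed at the user's tenant endpoint is redirected back to that action. Any other challenge is
        /// left untouched.
        /// </summary>
        /// <param name="notification">The OWIN redirect-to-identity-provider notification.</param>
        /// <returns>A completed task; the handler does no asynchronous work.</returns>
        /// <exception cref="InvalidOperationException">
        /// Thrown when the signed-in user has no "issEndpoint" claim to build the tenant-specific request from.
        /// </exception>
        public static Task RedirectToIdentityProvider(RedirectToIdentityProviderNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
        {
            UrlHelper url = new UrlHelper(HttpContext.Current.Request.RequestContext);
            string sessionChangedPath = url.Action("SessionChanged", "Account");

            // Only challenges issued from the SessionChanged action are rewritten.
            if (notification.Request.Uri.AbsolutePath != sessionChangedPath)
            {
                return Task.FromResult<object>(null);
            }

            ICookieManager cookieManager = new ChunkingCookieManager();
            string cookie = cookieManager.GetRequestCookie(notification.OwinContext, CookieName);
            AuthenticationTicket ticket = ticketDataFormat.Unprotect(cookie);

            // Unprotect is assumed to yield null for a missing or invalid cookie (confirm for the
            // ticketDataFormat in use); in that case there is no ticket to carry the state, so skip the
            // cookie update instead of dereferencing null.
            if (ticket != null)
            {
                if (ticket.Properties.Dictionary != null)
                {
                    ticket.Properties.Dictionary[OpenIdConnectAuthenticationDefaults.AuthenticationType + "SingleSignOut"] = notification.ProtocolMessage.State;
                }

                // NOTE(review): the re-issued ticket cookie is written with default CookieOptions; confirm
                // HttpOnly/Secure/Path match the options the cookie was originally issued with.
                cookieManager.AppendResponseCookie(notification.OwinContext, CookieName, ticketDataFormat.Protect(ticket), new CookieOptions());
            }

            var issuerClaim = notification.OwinContext.Authentication.User.FindFirst("issEndpoint");
            if (issuerClaim == null)
            {
                throw new InvalidOperationException("The signed-in user has no 'issEndpoint' claim; cannot build a tenant-specific prompt=none request.");
            }

            // Return a prompt=none request (to the tenant-specific endpoint) to the SessionChanged controller.
            notification.ProtocolMessage.Prompt = "none";
            notification.ProtocolMessage.IssuerAddress = issuerClaim.Value;
            string redirectUrl = notification.ProtocolMessage.BuildRedirectUrl();
            notification.Response.Redirect(sessionChangedPath + "?" + redirectUrl);
            notification.HandleResponse();

            return Task.FromResult<object>(null);
        }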