public MultipleAuthenticationStartup(ClaimsPrincipal principal1, ClaimsPrincipal principal2, bool automaticAuthenticate, ScopeValidationOptions options)
{
_principal1 = principal1;
_principal2 = principal2;
_scopeOptions = options;
_automaticAuthenticate = automaticAuthenticate;
}
/// <summary>
/// Initializes a new instance of the <see cref="ScopeValidationMiddleware"/> class.
/// </summary>
/// <param name="next">The next midleware.</param>
/// <param name="scopes">The scopes.</param>
public ScopeValidationMiddleware(RequestDelegate next, ScopeValidationOptions options, ILogger <ScopeValidationMiddleware> logger)
{
_logger = logger;
if (next == null)
{
throw new ArgumentNullException(nameof(next));
}
if (options == null)
{
throw new ArgumentNullException(nameof(options));
}
if (string.IsNullOrWhiteSpace(options.ScopeClaimType))
{
throw new ArgumentNullException(nameof(options.ScopeClaimType));
}
if (options.AllowedScopes == null)
{
throw new ArgumentNullException(nameof(options.AllowedScopes));
}
_next = next;
_options = options;
}
public static IApplicationBuilder UseIdentityServerAuthentication(this IApplicationBuilder app, IdentityServerAuthenticationOptions options)
{
var combinedOptions = new CombinedAuthenticationOptions();
combinedOptions.TokenRetriever = options.TokenRetriever;
combinedOptions.AuthenticationScheme = options.AuthenticationScheme;
switch (options.SupportedTokens)
{
case SupportedTokens.Jwt:
combinedOptions.JwtBearerOptions = ConfigureJwt(options);
break;
case SupportedTokens.Reference:
combinedOptions.IntrospectionOptions = ConfigureIntrospection(options);
break;
case SupportedTokens.Both:
combinedOptions.JwtBearerOptions = ConfigureJwt(options);
combinedOptions.IntrospectionOptions = ConfigureIntrospection(options);
break;
default:
throw new Exception("SupportedTokens has invalid value");
}
app.UseMiddleware <IdentityServerAuthenticationMiddleware>(app, combinedOptions);
var allowedScopes = new List <string>();
if (!string.IsNullOrWhiteSpace(options.ScopeName))
{
allowedScopes.Add(options.ScopeName);
}
if (options.AdditionalScopes != null && options.AdditionalScopes.Any())
{
allowedScopes.AddRange(options.AdditionalScopes);
}
if (allowedScopes.Any())
{
var scopeOptions = new ScopeValidationOptions
{
AllowedScopes = allowedScopes,
AuthenticationScheme = options.AuthenticationScheme
};
app.AllowScopes(scopeOptions);
}
return(app);
}
public static IAppBuilder RequireScopes(this IAppBuilder app, params string[] scopes)
{
var options = new ScopeValidationOptions
{
Scopes = scopes,
AllowAnonymousAccess = false,
ScopeClaimType = "scope"
};
app.RequireScopes(options);
return(app);
}
//[Fact]
//public async Task Authenticated_User_Missing_Scopes_Should_Be_Forbidden()
//{
// var principal = Principal.Create("custom",
// new Claim("sub", "123"));
// var allowedScopes = new[] { "scope1", "scope2" };
// var client = CreateClient(principal, allowedScopes);
// var response = await client.GetAsync("/");
// response.StatusCode.Should().Be(HttpStatusCode.Forbidden);
//}
//[Fact]
//public async Task Authenticated_User_Matching_Scope_Should_Be_Allowed()
//{
// var principal = Principal.Create("custom",
// new Claim("sub", "123"),
// new Claim("scope", "scope1"));
// var allowedScopes = new[] { "scope1", "scope2" };
// var client = CreateClient(principal, allowedScopes);
// var response = await client.GetAsync("/");
// response.StatusCode.Should().Be(HttpStatusCode.OK);
//}
private HttpClient CreateClient(ClaimsPrincipal principal1, ClaimsPrincipal principal2, bool automaticAuthenticate, IEnumerable <string> allowedScopes, string scopeAuthenticationScheme)
{
var options = new ScopeValidationOptions
{
AllowedScopes = allowedScopes,
AuthenticationScheme = scopeAuthenticationScheme
};
var startup = new MultipleAuthenticationStartup(principal1, principal2, automaticAuthenticate, options);
var server = new TestServer(new WebHostBuilder()
.Configure(startup.Configure)
.ConfigureServices(startup.ConfigureServices));
return(server.CreateClient());
}
public static CombinedAuthenticationOptions FromIdentityServerAuthenticationOptions(IdentityServerAuthenticationOptions options)
{
var combinedOptions = new CombinedAuthenticationOptions();
combinedOptions.TokenRetriever = options.TokenRetriever;
combinedOptions.AuthenticationScheme = options.AuthenticationScheme;
combinedOptions.PassThruOptions = new NopAuthenticationOptions()
{
AuthenticationScheme = options.AuthenticationScheme,
AutomaticAuthenticate = options.AutomaticAuthenticate,
AutomaticChallenge = options.AutomaticChallenge
};
switch (options.SupportedTokens)
{
case SupportedTokens.Jwt:
combinedOptions.JwtBearerOptions = ConfigureJwt(options);
break;
case SupportedTokens.Reference:
combinedOptions.IntrospectionOptions = ConfigureIntrospection(options);
break;
case SupportedTokens.Both:
combinedOptions.JwtBearerOptions = ConfigureJwt(options);
combinedOptions.IntrospectionOptions = ConfigureIntrospection(options);
break;
default:
throw new Exception("SupportedTokens has invalid value");
}
if (options.ValidateScope)
{
var allowedScopes = new List <string>();
if (options.AllowedScopes != null && options.AllowedScopes.Any())
{
allowedScopes.AddRange(options.AllowedScopes);
}
if (allowedScopes.Any())
{
var scopeOptions = new ScopeValidationOptions
{
AllowedScopes = allowedScopes,
AuthenticationScheme = options.AuthenticationScheme
};
combinedOptions.ScopeValidationOptions = scopeOptions;
}
else
{
var scopeOptions = new ScopeValidationOptions
{
AllowedScopes = new string[] { }
};
combinedOptions.ScopeValidationOptions = scopeOptions;
}
}
return(combinedOptions);
}
public static IAppBuilder RequireScopes(this IAppBuilder app, ScopeValidationOptions options)
{
app.Use(typeof(ScopeValidationMiddleware), options);
return(app);
}
