private static Task OnSecurityTokenValidated(SecurityTokenValidatedContext context)
{
var claims = context.Principal.Claims;
var ukprn = claims.FirstOrDefault(claim => claim.Type == (ProviderClaims.Ukprn))?.Value;
return(Task.CompletedTask);
}
private static Task OnTokenValidated(SecurityTokenValidatedContext context)
{
//var ukprn = (context.Principal.FindFirst("http://schemas.portal.com/ukprn"))?.Value;
//var jwt = new JwtBuilder().WithAlgorithm(new HMACSHA256Algorithm())
// .WithSecret(_configuration.Api.TokenEncodingKey)
// .Issuer("SFA.DAS.PSRService")
// .Audience("SFA.DAS.PSRService.api")
// .ExpirationTime(DateTime.Now.AddMinutes(5))
// .AddClaim("ukprn", ukprn)
// .Build();
//context.HttpContext.Session.SetString(ukprn, jwt);
return(Task.FromResult(0));
}
private async Task <SecurityTokenValidatedContext> RunSecurityTokenValidatedEventAsync(
WsFederationMessage message,
AuthenticationTicket ticket)
{
Logger.LogTrace($"SecurityTokenValidated: {ticket.AuthenticationScheme} {ticket.Principal.Identity.Name}");
var securityTokenValidateContext = new SecurityTokenValidatedContext(Context, Options)
{
ProtocolMessage = message,
Ticket = ticket
};
await Options.Events.SecurityTokenValidated(securityTokenValidateContext);
if (securityTokenValidateContext.HandledResponse)
{
Logger.LogDebug("SecurityTokenValidatedContext.HandledResponse");
}
else if (securityTokenValidateContext.Skipped)
{
Logger.LogDebug("SecurityTokenValidatedContext.Skipped");
}
return(securityTokenValidateContext);
}
private static Task OnTokenValidated(SecurityTokenValidatedContext context)
{
return(Task.CompletedTask);
}
/// <summary>
/// Invoked to process incoming authentication messages.
/// </summary>
/// <returns></returns>
protected override async Task <HandleRequestResult> HandleRemoteAuthenticateAsync()
{
WsFederationMessage? wsFederationMessage = null;
AuthenticationProperties?properties = null;
// assumption: if the ContentType is "application/x-www-form-urlencoded" it should be safe to read as it is small.
if (HttpMethods.IsPost(Request.Method) &&
!string.IsNullOrEmpty(Request.ContentType)
// May have media/type; charset=utf-8, allow partial match.
&& Request.ContentType.StartsWith("application/x-www-form-urlencoded", StringComparison.OrdinalIgnoreCase) &&
Request.Body.CanRead)
{
var form = await Request.ReadFormAsync(Context.RequestAborted);
// ToArray handles the StringValues.IsNullOrEmpty case. We assume non-empty Value does not contain null elements.
#pragma warning disable CS8620 // Argument cannot be used for parameter due to differences in the nullability of reference types.
wsFederationMessage = new WsFederationMessage(form.Select(pair => new KeyValuePair <string, string[]>(pair.Key, pair.Value.ToArray())));
#pragma warning restore CS8620 // Argument cannot be used for parameter due to differences in the nullability of reference types.
}
if (wsFederationMessage == null || !wsFederationMessage.IsSignInMessage)
{
if (Options.SkipUnrecognizedRequests)
{
// Not for us?
return(HandleRequestResult.SkipHandler());
}
return(HandleRequestResult.Fail("No message."));
}
try
{
// Retrieve our cached redirect uri
var state = wsFederationMessage.Wctx;
// WsFed allows for uninitiated logins, state may be missing. See AllowUnsolicitedLogins.
properties = Options.StateDataFormat.Unprotect(state);
if (properties == null)
{
if (!Options.AllowUnsolicitedLogins)
{
return(HandleRequestResult.Fail("Unsolicited logins are not allowed."));
}
}
else
{
// Extract the user state from properties and reset.
properties.Items.TryGetValue(WsFederationDefaults.UserstatePropertiesKey, out var userState);
wsFederationMessage.Wctx = userState;
}
var messageReceivedContext = new MessageReceivedContext(Context, Scheme, Options, properties)
{
ProtocolMessage = wsFederationMessage
};
await Events.MessageReceived(messageReceivedContext);
if (messageReceivedContext.Result != null)
{
return(messageReceivedContext.Result);
}
wsFederationMessage = messageReceivedContext.ProtocolMessage;
properties = messageReceivedContext.Properties !; // Provides a new instance if not set.
// If state did flow from the challenge then validate it. See AllowUnsolicitedLogins above.
if (properties.Items.TryGetValue(CorrelationProperty, out string?correlationId) &&
!ValidateCorrelationId(properties))
{
return(HandleRequestResult.Fail("Correlation failed.", properties));
}
if (wsFederationMessage.Wresult == null)
{
Logger.SignInWithoutWResult();
return(HandleRequestResult.Fail(Resources.SignInMessageWresultIsMissing, properties));
}
var token = wsFederationMessage.GetToken();
if (string.IsNullOrEmpty(token))
{
Logger.SignInWithoutToken();
return(HandleRequestResult.Fail(Resources.SignInMessageTokenIsMissing, properties));
}
var securityTokenReceivedContext = new SecurityTokenReceivedContext(Context, Scheme, Options, properties)
{
ProtocolMessage = wsFederationMessage
};
await Events.SecurityTokenReceived(securityTokenReceivedContext);
if (securityTokenReceivedContext.Result != null)
{
return(securityTokenReceivedContext.Result);
}
wsFederationMessage = securityTokenReceivedContext.ProtocolMessage;
properties = messageReceivedContext.Properties !;
if (_configuration == null)
{
_configuration = await Options.ConfigurationManager.GetConfigurationAsync(Context.RequestAborted);
}
// Copy and augment to avoid cross request race conditions for updated configurations.
var tvp = Options.TokenValidationParameters.Clone();
var issuers = new[] { _configuration.Issuer };
tvp.ValidIssuers = (tvp.ValidIssuers == null ? issuers : tvp.ValidIssuers.Concat(issuers));
tvp.IssuerSigningKeys = (tvp.IssuerSigningKeys == null ? _configuration.SigningKeys : tvp.IssuerSigningKeys.Concat(_configuration.SigningKeys));
ClaimsPrincipal?principal = null;
SecurityToken? parsedToken = null;
foreach (var validator in Options.SecurityTokenHandlers)
{
if (validator.CanReadToken(token))
{
principal = validator.ValidateToken(token, tvp, out parsedToken);
break;
}
}
if (principal == null)
{
throw new SecurityTokenException(Resources.Exception_NoTokenValidatorFound);
}
if (Options.UseTokenLifetime && parsedToken != null)
{
// Override any session persistence to match the token lifetime.
var issued = parsedToken.ValidFrom;
if (issued != DateTime.MinValue)
{
properties.IssuedUtc = issued.ToUniversalTime();
}
var expires = parsedToken.ValidTo;
if (expires != DateTime.MinValue)
{
properties.ExpiresUtc = expires.ToUniversalTime();
}
properties.AllowRefresh = false;
}
var securityTokenValidatedContext = new SecurityTokenValidatedContext(Context, Scheme, Options, principal, properties)
{
ProtocolMessage = wsFederationMessage,
SecurityToken = parsedToken,
};
await Events.SecurityTokenValidated(securityTokenValidatedContext);
if (securityTokenValidatedContext.Result != null)
{
return(securityTokenValidatedContext.Result);
}
// Flow possible changes
principal = securityTokenValidatedContext.Principal !;
properties = securityTokenValidatedContext.Properties;
return(HandleRequestResult.Success(new AuthenticationTicket(principal, properties, Scheme.Name)));
}
catch (Exception exception)
{
Logger.ExceptionProcessingMessage(exception);
// Refresh the configuration for exceptions that may be caused by key rollovers. The user can also request a refresh in the notification.
if (Options.RefreshOnIssuerKeyNotFound && exception is SecurityTokenSignatureKeyNotFoundException)
{
Options.ConfigurationManager.RequestRefresh();
}
var authenticationFailedContext = new AuthenticationFailedContext(Context, Scheme, Options)
{
ProtocolMessage = wsFederationMessage,
Exception = exception
};
await Events.AuthenticationFailed(authenticationFailedContext);
if (authenticationFailedContext.Result != null)
{
return(authenticationFailedContext.Result);
}
return(HandleRequestResult.Fail(exception, properties));
}
}
/// <summary> /// Invoked after the security token has passed validation and a ClaimsIdentity has been generated. /// </summary> public virtual Task SecurityTokenValidated(SecurityTokenValidatedContext context) => OnSecurityTokenValidated(context);
public override Task SecurityTokenValidated(SecurityTokenValidatedContext context)
{
return(base.SecurityTokenValidated(context));
}
private static async Task HandleUserSignedIn(SecurityTokenValidatedContext ctx, IRecruitVacancyClient vacancyClient)
{
var user = ctx.Principal.ToVacancyUser();
await vacancyClient.UserSignedInAsync(user, UserType.Provider);
}
public override Task SecurityTokenValidated(SecurityTokenValidatedContext context)
{
context.Response.Headers["STS_TOKEN_VALID_TO"] = context.SecurityToken.ValidTo.ToString("o", CultureInfo.InvariantCulture);
return(base.SecurityTokenValidated(context));
}
