/// <summary> /// Event to handle Token Validation from ID provider /// </summary> /// <param name="n">The context for this notification</param> /// <param name="authorizationService">The service to use for authorization</param> /// <returns></returns> private static async Task OnSecurityTokenValidated( SecurityTokenValidatedNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> n) { // get access and id tokens var accessToken = n.ProtocolMessage.AccessToken; var idToken = n.ProtocolMessage.IdToken; // persist access token in cookie if (!String.IsNullOrEmpty(accessToken)) { // add access token n.AuthenticationTicket.Identity.AddClaim( new Claim("access_token", accessToken)); // get user info from ID server var userClient = new UserInfoClient(KnownIdServer.UserInfoEndpoint, accessToken); var userInfo = await userClient.GetAsync(); // get claims from ticket n.AuthenticationTicket.Identity.AddClaims(userInfo.Claims.Select(c => new Claim(c.Item1, c.Item2))); // get username var username = n.AuthenticationTicket.Identity.Claims.FirstOrDefault( c => c.Type == "preferred_username"); } // if we have an id token if (!String.IsNullOrEmpty(idToken)) { // add to authentication ticket n.AuthenticationTicket.Identity.AddClaim(new Claim("id_token", idToken)); } }
private static async Task SecurityTokenValidated(SecurityTokenValidatedNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> n, string authority) { var idToken = n.ProtocolMessage.IdToken; var claimsIdent = n.AuthenticationTicket.Identity; if (claimsIdent != null) { //If Implicit Flow if (n.ProtocolMessage.AccessToken != null) { //Add userClaims from userInfoEndpoint await AddUserClaimsAsync(claimsIdent, authority, n.ProtocolMessage.AccessToken); //Add portal //AddPortalGroupInfo(claimsIdent); //Calculate AccessToken Expiration int expiresIn = int.Parse(n.ProtocolMessage.ExpiresIn); DateTimeOffset expiresUtc = DateTimeOffset.UtcNow.AddSeconds(expiresIn); //Add access_token for DomSec Api call" claimsIdent.AddOrUpdateClaim("access_token", n.ProtocolMessage.AccessToken); claimsIdent.AddOrUpdateClaim("expires_at", expiresUtc.ToString()); //Add id_token for logout hint claimsIdent.AddOrUpdateClaim("id_token", idToken); //Add expiration to AuthenticationTicket n.AuthenticationTicket.Properties.ExpiresUtc = expiresUtc; } } }
private static async Task OnSecurityTokenValidated(SecurityTokenValidatedNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification) { var protocolMessage = notification.ProtocolMessage; var idToken = protocolMessage.IdToken; var accessToken = protocolMessage.AccessToken; var identity = CreateIdentity(notification.AuthenticationTicket); await AddUserInfoClaims(identity, notification.Options, accessToken); // Keep the id_token for logout identity.AddClaim(new Claim("id_token", idToken)); // Add access token for API calls. The value of this claim will be used as the // argument to the BearerCredentials constructor when specifying credentials as part // of the SendOptions passed to Bus.Send methods. See example Bus.Send operation in // the TestMessageController.SendTestMessage method. identity.AddClaim(new Claim("access_token", accessToken)); // Keep track of access token expiration int expiresInSeconds; if (int.TryParse(protocolMessage.ExpiresIn, out expiresInSeconds)) { var expiresIn = TimeSpan.FromSeconds(expiresInSeconds); var expries = DateTimeOffset.UtcNow.Add(expiresIn); identity.AddClaim(new Claim("expires", expries.ToString("O"))); } notification.AuthenticationTicket = new AuthenticationTicket(identity, notification.AuthenticationTicket.Properties); }
protected virtual string GetEpiUserId(SecurityTokenValidatedNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context, ClaimsIdentity identity) { var vippsInfo = _vippsLoginService.GetVippsUserInfo(identity); if (vippsInfo == null) { var message = "Could not retrieve Vipps UserInfo from the provided identity"; Logger.Error($"Vipps.Login: {message}"); throw new VippsLoginException(message); } // Get existing user identifier (by default Epi will use email address) var userId = // First check if we're linking to an existing account ByLinkAccount(context, vippsInfo) ?? // If not, find user by vipps identifier (subject guid) BySubjectGuid(vippsInfo) ?? // Or else search user by email/phone ByEmailOrPhoneNumber(vippsInfo); // New user if (string.IsNullOrWhiteSpace(userId)) { userId = vippsInfo.Email; } return(userId); }
public static async Task GenerateUserIdentityAsync( SecurityTokenValidatedNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification) { var identityUser = new ClaimsIdentity( notification.AuthenticationTicket.Identity.Claims, notification.AuthenticationTicket.Identity.AuthenticationType, ClaimTypes.Name, ClaimTypes.Role); var newIdentityUser = new ClaimsIdentity(identityUser.AuthenticationType, ClaimTypes.GivenName, ClaimTypes.Role); newIdentityUser.AddClaim(identityUser.FindFirst(ClaimTypes.NameIdentifier)); var emailClaim = identityUser.FindFirst(ClaimTypes.Email) ?? new Claim(ClaimTypes.Email, identityUser.FindFirst("name").Value); newIdentityUser.AddClaim(emailClaim); //Optionally add other claims var userInfoClient = new UserInfoClient( new Uri(notification.Options.Authority + "/connect/userinfo").ToString()); var userInfo = await userInfoClient.GetAsync(notification.ProtocolMessage.AccessToken); newIdentityUser.AddClaims(userInfo.Claims.Select(t => new Claim(t.Type, t.Value))); notification.AuthenticationTicket = new AuthenticationTicket(newIdentityUser, notification.AuthenticationTicket.Properties); }
private Task SecurityTokenValidated( SecurityTokenValidatedNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> arg) { id_token = arg.ProtocolMessage.IdToken; return(Task.FromResult(0)); }
// Check if we're trying to link an existing account protected virtual string ByLinkAccount( SecurityTokenValidatedNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context, VippsUserInfo vippsUserInfo) { var props = context.AuthenticationTicket.Properties.Dictionary; if (props.ContainsKey(VippsConstants.LinkAccount) && Guid.TryParse(props[VippsConstants.LinkAccount], out var linkAccountToken)) { // Do not allow linking to multiple accounts string message; if (BySubjectGuid(vippsUserInfo) != null) { message = "This Vipps account is already linked to an account. Please remove the connection before making a new one."; Logger.Error($"Vipps.Login: {message}"); throw new VippsLoginLinkAccountException(message, true); } var accountToLink = _vippsCommerceService.FindCustomerContactByLinkAccountToken(linkAccountToken); if (accountToLink == null) { message = "Could not find account to link to."; Logger.Error($"Vipps.Login: {message}"); throw new VippsLoginLinkAccountException(message); } return(GetLoginEmailFromContact(accountToLink)); } return(null); }
private static Task OnSecurityTokenValidated(SecurityTokenValidatedNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> arg) { Claim c = arg.AuthenticationTicket.Identity.Claims.FirstOrDefault(d => d.Type == "preferred_username"); Log.Info($"{c?.Value ?? "N/A"} logged in."); return(Task.FromResult(0)); }
CreateContext( string userInfoEndpoint = "https://user-info-endpoint", string scope = "") { var configurationManager = A.Fake <IConfigurationManager <OpenIdConnectConfiguration> >(); A.CallTo(() => configurationManager.GetConfigurationAsync(A <CancellationToken> ._)) .Returns(new OpenIdConnectConfiguration { UserInfoEndpoint = "https://user-info-endpoint", }); var options = new VippsOpenIdConnectAuthenticationOptions("clientId", "clientSecret", "authority") { ConfigurationManager = configurationManager, Scope = scope }; var context = new SecurityTokenValidatedNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions>( A.Fake <IOwinContext>(), options) { AuthenticationTicket = new AuthenticationTicket(new ClaimsIdentity(), new AuthenticationProperties( new Dictionary <string, string>() { { ".redirect", "https://test.url/redirect-url" } })), ProtocolMessage = A.Fake <OpenIdConnectMessage>() }; return(context); }
private async Task AddRoles(SecurityTokenValidatedNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> arg) { var context = new Adal.AuthenticationContext("https://login.microsoftonline.com/" + tenant); var clientCredentials = new Adal.ClientCredential(GraphClientId, GraphClientSecret); var token = await context.AcquireTokenAsync("https://graph.windows.net/", clientCredentials); var userId = arg.AuthenticationTicket.Identity.Claims .First(x => x.Type == "http://schemas.microsoft.com/identity/claims/objectidentifier") .Value; HttpClient http = new HttpClient(); string url = "https://graph.windows.net/b2ctestdes.onmicrosoft.com/users/" + userId + "/memberOf?api-version=1.6"; // Append the access token for the Graph API to the Authorization header of the request by using the Bearer scheme. HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, url); request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.AccessToken); HttpResponseMessage response = await http.SendAsync(request); if (response.IsSuccessStatusCode) { var result = await response.Content.ReadAsStringAsync(); dynamic groups = JObject.Parse(result); foreach (var group in groups.value) { string groupName = group.displayName; arg.AuthenticationTicket.Identity.AddClaim( new Claim(ClaimTypes.Role, groupName)); } } }
private Task OnSecurityTokenValidated(SecurityTokenValidatedNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification) { // If you wanted to keep some local state in the app (like a db of signed up users), // you could use this notification to create the user record if it does not already // exist. List <Claim> myClaims = notification.AuthenticationTicket.Identity.Claims.ToList(); string anOIDClaimValue = myClaims.FirstOrDefault(aClaim => aClaim.Type == "http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value; if (string.IsNullOrEmpty(anOIDClaimValue)) { throw new ApplicationException("Missing OID claim!"); } using (B2CContext aContext = new B2CContext()) { Applicant anInternalApplicant = aContext.Applicants.FirstOrDefault(aUser => aUser.ExternalID == anOIDClaimValue); if (anInternalApplicant == null) { Applicant aNewApplicant = new Applicant { ExternalID = anOIDClaimValue, FirstName = myClaims.FirstOrDefault(aClaim => aClaim.Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname")?.Value, LastName = myClaims.FirstOrDefault(aClaim => aClaim.Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname")?.Value, Gender = myClaims.FirstOrDefault(aClaim => aClaim.Type == "extension_Gender")?.Value, Ethnicity = myClaims.FirstOrDefault(aClaim => aClaim.Type == "extension_Ethnicity")?.Value, DateOfBirth = DateTime.Now.AddYears(-20) }; aContext.Applicants.Add(aNewApplicant); aContext.SaveChanges(); } } return(Task.FromResult(0)); }
private async Task SecurityTokenValidated(SecurityTokenValidatedNotification <WsFederationMessage, WsFederationAuthenticationOptions> notification, IProviderCommitmentsLogger logger, AuthenticationOrchestrator orchestrator, AccountOrchestrator accountOrchestrator) { logger.Info("SecurityTokenValidated notification called"); var identity = notification.AuthenticationTicket.Identity; var id = identity.Claims.FirstOrDefault(claim => claim.Type == (DasClaimTypes.Upn))?.Value; var displayName = identity.Claims.FirstOrDefault(claim => claim.Type == (DasClaimTypes.DisplayName))?.Value; var ukprn = identity.Claims.FirstOrDefault(claim => claim.Type == (DasClaimTypes.Ukprn))?.Value; var email = identity.Claims.FirstOrDefault(claim => claim.Type == (DasClaimTypes.Email))?.Value; long parsedUkprn; if (!long.TryParse(ukprn, out parsedUkprn)) { logger.Info($"Unable to parse Ukprn \"{ukprn}\" from claims for user \"{id}\""); return; } var showReservations = await accountOrchestrator.ProviderHasPermission(parsedUkprn, Operation.CreateCohort); identity.AddClaim(new Claim(DasClaimTypes.ShowReservations, showReservations.ToString(), "bool")); identity.MapClaimToRoles(); await orchestrator.SaveIdentityAttributes(id, parsedUkprn, displayName, email); }
private async Task SecurityTokenValidated(SecurityTokenValidatedNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> securityTokenValidatedNotification) { var n = securityTokenValidatedNotification; var id = n.AuthenticationTicket.Identity; // we want to keep first name, last name, subject and roles var givenName = id.FindFirst(IdentityServer3.Core.Constants.ClaimTypes.GivenName); var familyName = id.FindFirst(IdentityServer3.Core.Constants.ClaimTypes.FamilyName); var sub = id.FindFirst(IdentityServer3.Core.Constants.ClaimTypes.Subject); var roles = id.FindAll(IdentityServer3.Core.Constants.ClaimTypes.Role); var id2 = id.FindFirst("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"); var name = id.FindFirst("preferred_username"); // create new identity and set name and role claim type var nid = new ClaimsIdentity( id.AuthenticationType, IdentityServer3.Core.Constants.ClaimTypes.GivenName, IdentityServer3.Core.Constants.ClaimTypes.Role); if (givenName != null) { nid.AddClaim(givenName); } if (familyName != null) { nid.AddClaim(familyName); } if (sub != null) { nid.AddClaim(sub); } if (roles != null) { nid.AddClaims(roles); } nid.AddClaim(new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", name?.Value ?? "UNKNOWN")); nid.AddClaim(new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", id2.Value)); nid.AddClaim( new Claim( "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider", "idsrv")); nid.AddClaim(new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "BUBGO")); // add some other app specific claim nid.AddClaim(new Claim("app_specific", "some data")); nid.AddClaim(new Claim("id_token", n.ProtocolMessage.IdToken)); n.AuthenticationTicket = new AuthenticationTicket( nid, n.AuthenticationTicket.Properties); }
private Task OnSecurityTokenValidated(SecurityTokenValidatedNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification) { // If you wanted to keep some local state in the app (like a db of signed up users), // you could use this notification to create the user record if it does not already // exist. return(Task.FromResult(0)); }
private Task OnSecurityTokenValidated(SecurityTokenValidatedNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context) { // Verify the user signing in is a business user, not a consumer user. string[] issuer = context.AuthenticationTicket.Identity.FindFirst("iss").Value.Split('/'); string tenantId = issuer[(issuer.Length - 2)]; return(Task.FromResult(0)); }
private static void StripSchemeFromReturnUrl(SecurityTokenValidatedNotification <WsFederationMessage, WsFederationAuthenticationOptions> args) { try { var uri = new Uri(args.AuthenticationTicket.Properties.RedirectUri); args.AuthenticationTicket.Properties.RedirectUri = String.Concat(uri.PathAndQuery, uri.Fragment); } catch (Exception) { } }
/// <summary> /// Invoked after the security token has passed validation and a ClaimsIdentity has been generated. /// </summary> /// <param name="notification">Notification context</param> /// <returns>OWIN OpenId Connect Response</returns> private Task OnSecurityTokenValidated(SecurityTokenValidatedNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification) { // For Logout Request Okta requires idTokenHint so must maintain state for id_token // This should NOT be added to user's principal claims. For DEMO purposes only. // Okta REQUIRED parameter: A valid ID token with a subject matching the current session. notification.AuthenticationTicket.Identity.AddClaim(new System.Security.Claims.Claim("id_token", notification.ProtocolMessage.IdToken)); return(Task.FromResult(0)); }
internal static async Task SecurityTokenValidated(SecurityTokenValidatedNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context) { Helpers.ThrowIfConditionFailed(() => context.AuthenticationTicket != null, "context.AuthenticationTicket is null."); Helpers.ThrowIfConditionFailed(() => context.AuthenticationTicket.Principal != null, "context.AuthenticationTicket.Principal is null."); Helpers.ThrowIfConditionFailed(() => context.AuthenticationTicket.Principal.Identity != null, "context.AuthenticationTicket.Principal.Identity is null."); Helpers.ThrowIfConditionFailed(() => !string.IsNullOrWhiteSpace(context.AuthenticationTicket.Principal.Identity.Name), "context.AuthenticationTicket.Principal.Identity.Name is null."); notificationsFired.Add(nameof(SecurityTokenValidated)); await Task.FromResult(0); }
internal static async Task SecurityTokenValidated(SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context) { Helpers.ThrowIfConditionFailed(() => context.AuthenticationTicket != null, "context.AuthenticationTicket is null."); Helpers.ThrowIfConditionFailed(() => context.AuthenticationTicket.Principal != null, "context.AuthenticationTicket.Principal is null."); Helpers.ThrowIfConditionFailed(() => context.AuthenticationTicket.Principal.Identity != null, "context.AuthenticationTicket.Principal.Identity is null."); Helpers.ThrowIfConditionFailed(() => !string.IsNullOrWhiteSpace(context.AuthenticationTicket.Principal.Identity.Name), "context.AuthenticationTicket.Principal.Identity.Name is null."); notificationsFired.Add(nameof(SecurityTokenValidated)); await Task.FromResult(0); }
private Task OnSecurityTokenValidated(SecurityTokenValidatedNotification <WsFederationMessage, WsFederationAuthenticationOptions> notification) { _logger.Debug("SecurityTokenValidated"); try { _logger.Debug("Authentication Properties", new Dictionary <string, object> { { "claims", JsonConvert.SerializeObject( notification.AuthenticationTicket.Identity.Claims.Select(x => new { x.Value, x.ValueType, x.Type })) }, { "authentication-type", notification.AuthenticationTicket.Identity.AuthenticationType }, { "role-type", notification.AuthenticationTicket.Identity.RoleClaimType } }); const string serviceClaimType = "http://service/service"; if (notification.AuthenticationTicket.Identity.HasClaim(serviceClaimType, _rolesSettings.Tier2Claim)) { _logger.Debug("Adding Tier2 Role"); notification.AuthenticationTicket.Identity.AddClaim(new Claim(ClaimTypes.Role, _rolesSettings.T2Role)); _logger.Debug("Adding ConsoleUser Role"); notification.AuthenticationTicket.Identity.AddClaim(new Claim(ClaimTypes.Role, _rolesSettings.ConsoleUserRole)); } else if (notification.AuthenticationTicket.Identity.HasClaim(serviceClaimType, _rolesSettings.GroupClaim)) { _logger.Debug("Adding ConsoleUser Role"); notification.AuthenticationTicket.Identity.AddClaim(new Claim(ClaimTypes.Role, _rolesSettings.ConsoleUserRole)); } else { throw new SecurityTokenValidationException(); } var firstName = notification.AuthenticationTicket.Identity.Claims.SingleOrDefault(x => x.Type == ClaimTypes.GivenName)?.Value; var lastName = notification.AuthenticationTicket.Identity.Claims.SingleOrDefault(x => x.Type == ClaimTypes.Surname)?.Value; var userEmail = notification.AuthenticationTicket.Identity.Claims.Single(x => x.Type == ClaimTypes.Upn).Value; notification.AuthenticationTicket.Identity.AddClaim(new Claim(ClaimTypes.Email, userEmail)); notification.AuthenticationTicket.Identity.AddClaim(new Claim(ClaimTypes.Name, $"{firstName} {lastName}")); } catch (Exception ex) { _logger.Error(ex, "IDAMS Authentication Callback Error"); } _logger.Debug("End of callback"); return(Task.FromResult(0)); }
private Task SecurityTokenValidatedNotification(SecurityTokenValidatedNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification) { var token = notification.ProtocolMessage.IdToken; if (!string.IsNullOrEmpty(token)) { notification.AuthenticationTicket.Identity.AddClaim(new System.Security.Claims.Claim("id_token", token)); } return(Task.FromResult(0)); }
private static Task OnSecurityTokenValidated(SecurityTokenValidatedNotification <WsFederationMessage, WsFederationAuthenticationOptions> notification) { Logger.Debug("SecurityTokenValidated"); var claimsIdentity = notification.AuthenticationTicket.Identity; Logger.Debug("Authentication Properties", new Dictionary <string, object> { { "claims", JsonConvert.SerializeObject(claimsIdentity.Claims.Select(x => new { x.Value, x.ValueType, x.Type })) }, { "authentication-type", claimsIdentity.AuthenticationType }, { "role-type", claimsIdentity.RoleClaimType } }); if (notification.AuthenticationTicket.Identity.HasClaim(serviceClaimType, ServiceClaimTier2Role)) { Logger.Debug("Adding Tier2 Role"); claimsIdentity.AddClaim(new Claim(ClaimTypes.Role, Tier2User)); Logger.Debug("Adding ConsoleUser Role"); claimsIdentity.AddClaim(new Claim(ClaimTypes.Role, ConsoleUser)); } else if (notification.AuthenticationTicket.Identity.HasClaim(serviceClaimType, ServiceClaimTier1Role)) { Logger.Debug("Adding Tier1 Role"); claimsIdentity.AddClaim(new Claim(ClaimTypes.Role, Tier1User)); Logger.Debug("Adding ConsoleUser Role"); claimsIdentity.AddClaim(new Claim(ClaimTypes.Role, ConsoleUser)); } else { throw new SecurityTokenValidationException("Service Claim Type not available to identify the Role"); } var firstName = claimsIdentity.Claims.SingleOrDefault(x => x.Type == ClaimTypes.GivenName)?.Value; var lastName = claimsIdentity.Claims.SingleOrDefault(x => x.Type == ClaimTypes.Surname)?.Value; var userEmail = claimsIdentity.Claims.Single(x => x.Type == ClaimTypes.Upn).Value; claimsIdentity.AddClaim(new Claim(ClaimTypes.Name, $"{firstName} {lastName}")); if (!string.IsNullOrEmpty(userEmail)) { claimsIdentity.AddClaim(new Claim(ClaimTypes.Email, userEmail)); claimsIdentity.AddClaim(new Claim(ClaimTypes.NameIdentifier, userEmail)); } else { throw new SecurityTokenValidationException("Upn not available in the claims to identify UserEmail"); } Logger.Debug("End of callback"); return(Task.FromResult(0)); }
private Task OnSecurityTokenValidatedAsync(SecurityTokenValidatedNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification) { // Make sure that the user didn't sign in with a personal Microsoft account if (notification.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value == "9188040d-6c67-4c5b-b112-36a304b66dad") { notification.HandleResponse(); notification.Response.Redirect("/Account/UserMismatch"); } return(Task.FromResult(0)); }
private async Task OnSecurityTokenValidated( SecurityTokenValidatedNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context) { var issuer = context.AuthenticationTicket.Identity.FindFirst("iss").Value; if (!issuer.StartsWith(this.issuerPrefix, StringComparison.OrdinalIgnoreCase)) { throw new System.IdentityModel.Tokens.SecurityTokenValidationException(); } await Task.CompletedTask; }
static Task SecurityTokenValidated(SecurityTokenValidatedNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification) { var token = notification.ProtocolMessage.AccessToken; if (!string.IsNullOrEmpty(token)) { notification.AuthenticationTicket.Identity.AddClaim(new Claim("access_token", token)); } return(Task.FromResult(true)); }
private Task OnSecurityTokenValidated(SecurityTokenValidatedNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context) { // Verify the user signing in is a business user, not a consumer user. string[] issuer = context.AuthenticationTicket.Identity.FindFirst(Globals.IssuerClaim).Value.Split('/'); string tenantId = issuer[(issuer.Length - 2)]; if (tenantId == Globals.ConsumerTenantId) { throw new SecurityTokenValidationException("Consumer accounts are not supported for the Group Manager App. Please log in with your work account."); } return(Task.FromResult(0)); }
// We need to update these values each time we receive a new token, so the SingleSignOut // javascript has access to the correct values. public async static Task SecurityTokenValidated(SecurityTokenValidatedNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification) { // Get Tenant-Specific Metadata (Authorization Endpoint), needed for making prompt=none request in RedirectToIdentityProvider OpenIdConnectAuthenticationOptions tenantSpecificOptions = new OpenIdConnectAuthenticationOptions(); tenantSpecificOptions.Authority = AADInstance + notification.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value; tenantSpecificOptions.ConfigurationManager = new ConfigurationManager <OpenIdConnectConfiguration>(tenantSpecificOptions.Authority + "/.well-known/openid-configuration"); OpenIdConnectConfiguration tenantSpecificConfig = await tenantSpecificOptions.ConfigurationManager.GetConfigurationAsync(notification.Request.CallCancelled); notification.AuthenticationTicket.Identity.AddClaim(new Claim("issEndpoint", tenantSpecificConfig.AuthorizationEndpoint, ClaimValueTypes.String, "WebApp-Distributed-SignOut-DotNet")); CheckSessionIFrame = notification.AuthenticationTicket.Properties.Dictionary[OpenIdConnectSessionProperties.CheckSessionIFrame]; return; }
private static Task SecurityTokenValidated(SecurityTokenValidatedNotification <HttpContext, OAuthBearerAuthenticationOptions> notification) { List <Claim> claims = new List <Claim> { new Claim(ClaimTypes.Email, "*****@*****.**"), new Claim(ClaimsIdentity.DefaultNameClaimType, "bob"), }; notification.AuthenticationTicket = new AuthenticationTicket(new ClaimsIdentity(claims, notification.Options.AuthenticationType), new Http.Security.AuthenticationProperties()); notification.HandleResponse(); return(Task.FromResult <object>(null)); }
public void SetToken(SecurityTokenValidatedNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> n) { var givenNameClaim = n.AuthenticationTicket .Identity.FindFirst(IdentityModel.JwtClaimTypes.GivenName); var familyNameClaim = n.AuthenticationTicket .Identity.FindFirst(IdentityModel.JwtClaimTypes.FamilyName); var emailClaim = n.AuthenticationTicket .Identity.FindFirst(IdentityModel.JwtClaimTypes.Email); var subClaim = n.AuthenticationTicket .Identity.FindFirst(IdentityModel.JwtClaimTypes.Subject); var nameClaim = new Claim(IdentityModel.JwtClaimTypes.Name, string.Format("{0}/{1}", Constants.NotesIssuerUri, subClaim.Value)); var newClaimsIdentity = new ClaimsIdentity( n.AuthenticationTicket.Identity.AuthenticationType, IdentityModel.JwtClaimTypes.Name, IdentityModel.JwtClaimTypes.Role); newClaimsIdentity.AddClaim(nameClaim); if (givenNameClaim != null) { newClaimsIdentity.AddClaim(givenNameClaim); } if (familyNameClaim != null) { newClaimsIdentity.AddClaim(familyNameClaim); } if (emailClaim != null) { newClaimsIdentity.AddClaim(emailClaim); var roles = GetUserRoles(emailClaim.Value); foreach (var role in roles) { newClaimsIdentity.AddClaim(new Claim(IdentityModel.JwtClaimTypes.Role, role)); } } newClaimsIdentity.AddClaim(new Claim("access_token", n.ProtocolMessage.AccessToken)); n.AuthenticationTicket = new AuthenticationTicket(newClaimsIdentity, n.AuthenticationTicket.Properties); }
private async Task OnSecurityTokenValidated(SecurityTokenValidatedNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification) { if (string.IsNullOrEmpty(notification.ProtocolMessage.State)) { string tenant = notification.AuthenticationTicket.Identity.FindFirst(IssuerClaimType).Value.Split('/')[3]; ViewDataDictionary settings = new ViewDataDictionary { { "tenant", tenant }, { "client_id", notification.AuthenticationTicket.Identity.FindFirst(AudClaimType).Value }, { "sign_up_policy", notification.AuthenticationTicket.Identity.HasClaim(NewUserClaimType, "true") ? notification.AuthenticationTicket.Identity.FindFirst(AcrClaimType).Value : null }, { "sign_in_policy", null }, { "edit_profile_policy", null }, }; HttpContext.Current.Session.Add("b2c_settings", settings); } }
private async Task OnSecurityTokenValidated(SecurityTokenValidatedNotification <OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> arg) { var userIdentity = arg.AuthenticationTicket.Identity as ClaimsIdentity; if (userIdentity != null) { var emailAddress = userIdentity.GetEmailAddress(); var _submitterService = new SubmitterService(); var submitter = await _submitterService.GetSubmitterByMicrosoftAccountAsync(emailAddress); if (submitter != null) { userIdentity.AddClaims(SubmitterClaims.GenerateClaims(submitter)); } } }
private static Task SecurityTokenValidated(SecurityTokenValidatedNotification<HttpContext, OAuthBearerAuthenticationOptions> notification) { List<Claim> claims = new List<Claim> { new Claim(ClaimTypes.Email, "*****@*****.**"), new Claim(ClaimsIdentity.DefaultNameClaimType, "bob"), }; notification.AuthenticationTicket = new AuthenticationTicket(new ClaimsPrincipal(new ClaimsIdentity(claims, notification.Options.AuthenticationScheme)), new Http.Authentication.AuthenticationProperties(), notification.Options.AuthenticationScheme); notification.HandleResponse(); return Task.FromResult<object>(null); }