/// <summary>
/// Checks that every setting this provider needs is present, then runs the base validation.
/// </summary>
/// <exception cref="ArgumentException">
/// Thrown when <c>InstanceName</c>, <c>AppId</c>, <c>AppSecret</c>, <c>TenantId</c>,
/// <c>SubscriptionId</c> or <c>SharedAccessPolicyName</c> is null or empty. The message names
/// the missing setting only and never includes its value, so <c>AppSecret</c> is not echoed.
/// </exception>
/// <inheritdoc />
public override void Validate()
{
    // Throws with the given message when a required setting is missing. Settings are checked
    // one at a time in the order below, so the first missing one is the one reported.
    void Require(string value, string message)
    {
        if (string.IsNullOrEmpty(value))
        {
            throw new ArgumentException(message);
        }
    }

    Require(InstanceName, "InstanceName must be set");
    Require(AppId, "AppId must be set");
    Require(AppSecret, "AppSecret must be set");
    Require(TenantId, "TenantId must be set");
    Require(SubscriptionId, "SubscriptionId must be set");
    // Note: the message text ("SharedAccessPolicy") differs from the property name.
    Require(SharedAccessPolicyName, "SharedAccessPolicy must be set");

    base.Validate();
}
/// <summary>
/// Inspects the claims of the <c>access_token</c> returned by the provider before letting the
/// base class complete authentication: the token's tenant must match <c>TenantId</c> (when set),
/// its <c>appid</c> must match <c>ClientId</c>, and it must carry both <c>oid</c> and <c>upn</c>.
/// </summary>
/// <param name="authService">The service handling the authentication request.</param>
/// <param name="session">The session being authenticated.</param>
/// <param name="tokens">The provider tokens for this session.</param>
/// <param name="authInfo">Key/value data from the provider; <c>access_token</c> is read from it.</param>
/// <returns>
/// A failure redirect when a claim check fails or the token cannot be decoded; otherwise the
/// result of the base <c>OnAuthenticated</c>.
/// </returns>
public override IHttpResult OnAuthenticated(IServiceBase authService, IAuthSession session, IAuthTokens tokens, Dictionary<string, string> authInfo)
{
    // Builds the error payload handed to the failure helpers.
    NameValueCollection Failure(string code, string description)
    {
        return new NameValueCollection
        {
            { "error", code },
            { "error_description", description },
        };
    }

    try
    {
        // Decode the access_token (a JWT, see http://jwt.io) so its claims can be inspected.
        // NOTE(review): the JwtSecurityToken(string) constructor only decodes the token; it does
        // not check the signature, issuer or expiry. The claim checks below therefore assume the
        // token was obtained directly from the token endpoint by the base provider — confirm.
        var payload = new JwtSecurityToken(authInfo["access_token"]).Payload;

        // A missing "tid" or "appid" claim throws KeyNotFoundException, which the catch below
        // turns into the generic "bad-jwt" failure.
        var tokenTenant = (string)payload["tid"];
        if (!TenantId.IsNullOrEmpty() && TenantId != tokenTenant)
        {
            return RedirectDueToFailure(authService, session, Failure("mismatched-tenant", "Mismatched Tenant ID in JWT token"));
        }

        // The "appid" claim is compared against ClientId; the earlier audience check is kept
        // for reference:
        // if (!p.Aud.Contains(ClientId))
        var tokenAppId = (string)payload["appid"];
        if (tokenAppId != ClientId)
        {
            return RedirectDueToFailure(authService, session, Failure("mismatched-client-app", "Mismatched Client ID in JWT token"));
        }

        var hasUserIdentity = payload.ContainsKey("oid") && payload.ContainsKey("upn");
        if (!hasUserIdentity)
        {
            FailAndLogError(session, Failure(
                "missing-user-id",
                "Missing 'oid' or 'upn' in JWT token. "
                + "This may imply the user logged into the wrong account. "
                + "For example, the user may have logged into their Microsoft Account "
                + "rather than their organizational account."));

            // Here we really need to give the user a way to sign out of their MS account.
            // If the user selected "Keep me signed in" they will effectively be stuck,
            // because Microsoft will continue to send us the same token without prompting
            // the user for other credentials.
            // TODO: It would be nice to momentarily show the user a message explaining why they are being signed out
            return RedirectToMicrosoftLogout(authService);
        }
    }
    catch (Exception ex)
    {
        // Only a fixed message and the exception are logged, never the token itself.
        // NOTE(review): the parser's exception message may still echo parts of a malformed
        // token — check what reaches the log sink.
        Log.Error("Reading JWT token", ex);
        return RedirectDueToFailure(authService, session, Failure("bad-jwt", "Problem checking the JWT token"));
    }

    return base.OnAuthenticated(authService, session, tokens, authInfo);
}