private static IOpenIdConnectEvents CreateOpenIdConnectEventHandlers(B2CAuthenticationOptions authOptions,
B2CPolicies policies, IDistributedCache distributedCache)
{
return(new OpenIdConnectEvents
{
OnRedirectToIdentityProvider = context => SetIssuerAddressAsync(context, policies.SignInOrSignUpPolicy),
OnRedirectToIdentityProviderForSignOut = context => SetIssuerAddressForSignOutAsync(context, policies.SignInOrSignUpPolicy),
OnAuthorizationCodeReceived = async context =>
{
try
{
var userId = context.Ticket.Principal.FindFirst(B2CAuthConstants.ObjectId).Value;
var credential = new ClientCredential(authOptions.ClientId, authOptions.ClientSecret);
var authenticationContext = new AuthenticationContext(authOptions.Authority, new DistributedTokenCache(distributedCache, userId));
var result = await authenticationContext.AcquireTokenByAuthorizationCodeAsync(context.TokenEndpointRequest.Code,
new Uri(context.TokenEndpointRequest.RedirectUri, UriKind.RelativeOrAbsolute), credential,
new[] { authOptions.ClientId }, context.Ticket.Principal.FindFirst(B2CAuthConstants.AcrClaimType).Value);
context.HandleCodeRedemption();
}
catch
{
context.HandleResponse();
}
},
OnTokenValidated = context =>
{
var claimsIdentity = (ClaimsIdentity)context.Ticket.Principal.Identity;
claimsIdentity.AddClaim(new Claim(BookFastClaimTypes.InteractorRole, InteractorRole.Customer.ToString()));
return Task.FromResult(0);
},
OnAuthenticationFailed = context =>
{
context.SkipToNextMiddleware();
return Task.FromResult(0);
},
OnMessageReceived = context =>
{
if (!string.IsNullOrEmpty(context.ProtocolMessage.Error) &&
!string.IsNullOrEmpty(context.ProtocolMessage.ErrorDescription) &&
context.ProtocolMessage.ErrorDescription.StartsWith("AADB2C90091") &&
context.Properties.Items[B2CAuthConstants.B2CPolicy] == policies.EditProfilePolicy)
{
context.Ticket = new Microsoft.AspNetCore.Authentication.AuthenticationTicket(context.HttpContext.User, context.Properties, B2CAuthConstants.OpenIdConnectB2CAuthenticationScheme);
context.HandleResponse();
}
return Task.FromResult(0);
}
});
}
private static OpenIdConnectEvents CreateOpenIdConnectEventHandlers(B2CAuthenticationOptions authOptions,
B2CPolicies policies, IDistributedCache distributedCache)
{
return(new OpenIdConnectEvents
{
OnRedirectToIdentityProvider = context => SetIssuerAddressAsync(context, policies.SignInOrSignUpPolicy),
OnRedirectToIdentityProviderForSignOut = context => SetIssuerAddressForSignOutAsync(context, policies.SignInOrSignUpPolicy),
OnAuthorizationCodeReceived = async context =>
{
try
{
var principal = context.Principal;
var userTokenCache = new DistributedTokenCache(distributedCache, principal.FindFirst(B2CAuthConstants.ObjectIdClaimType).Value).GetMSALCache();
var client = new ConfidentialClientApplication(authOptions.ClientId,
authOptions.GetAuthority(principal.FindFirst(B2CAuthConstants.AcrClaimType).Value),
"https://app", // it's not really needed
new ClientCredential(authOptions.ClientSecret),
userTokenCache,
null);
var result = await client.AcquireTokenByAuthorizationCodeAsync(context.TokenEndpointRequest.Code,
new[] { $"{authOptions.ApiIdentifier}/read_booking", $"{authOptions.ApiIdentifier}/update_booking" });
context.HandleCodeRedemption(result.AccessToken, result.IdToken);
}
catch (Exception ex)
{
context.Fail(ex);
}
},
OnTokenValidated = context =>
{
var claimsIdentity = (ClaimsIdentity)context.Principal.Identity;
claimsIdentity.AddClaim(new Claim(BookFastClaimTypes.InteractorRole, InteractorRole.Customer.ToString()));
return Task.FromResult(0);
},
OnAuthenticationFailed = context =>
{
context.Fail(context.Exception);
return Task.FromResult(0);
},
OnMessageReceived = context =>
{
if (!string.IsNullOrEmpty(context.ProtocolMessage.Error) &&
!string.IsNullOrEmpty(context.ProtocolMessage.ErrorDescription))
{
if (context.ProtocolMessage.ErrorDescription.StartsWith("AADB2C90091")) // cancel profile editing
{
context.HandleResponse();
context.Response.Redirect("/");
}
else if (context.ProtocolMessage.ErrorDescription.StartsWith("AADB2C90118")) // forgot password
{
context.HandleResponse();
context.Response.Redirect("/Account/ResetPassword");
}
}
return Task.FromResult(0);
}
});
}
public static AuthenticationBuilder AddOpenIdConnectB2CAuthentication(this AuthenticationBuilder authenticationBuilder,
B2CAuthenticationOptions authOptions, B2CPolicies b2cPolicies, IDistributedCache distributedCache)
{
authenticationBuilder.AddOpenIdConnect(B2CAuthConstants.OpenIdConnectB2CAuthenticationScheme, options =>
{
options.CallbackPath = new PathString(B2CAuthConstants.B2CCallbackPath);
options.Authority = authOptions.Authority;
options.ClientId = authOptions.ClientId;
options.ClientSecret = authOptions.ClientSecret;
options.SignedOutRedirectUri = authOptions.PostLogoutRedirectUri;
options.ConfigurationManager = new PolicyConfigurationManager(authOptions.Authority,
new[] { b2cPolicies.SignInOrSignUpPolicy, b2cPolicies.EditProfilePolicy, b2cPolicies.ResetPasswordPolicy });
options.Events = CreateOpenIdConnectEventHandlers(authOptions, b2cPolicies, distributedCache);
options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
options.TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name"
};
// it will fall back on using DefaultSignInScheme if not set
//options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.Scope.Add("offline_access");
options.Scope.Add($"{authOptions.ApiIdentifier}/read_booking");
options.Scope.Add($"{authOptions.ApiIdentifier}/update_booking");
});
return(authenticationBuilder);
}
public static void UseOpenIdConnectB2CAuthentication(this IApplicationBuilder app,
B2CAuthenticationOptions authOptions, B2CPolicies b2cPolicies, IDistributedCache distributedCache,
bool automaticChallenge = false)
{
var openIdConnectOptions = new OpenIdConnectOptions
{
AuthenticationScheme = B2CAuthConstants.OpenIdConnectB2CAuthenticationScheme,
AutomaticChallenge = automaticChallenge,
CallbackPath = new PathString(B2CAuthConstants.B2CCallbackPath),
Authority = authOptions.Authority,
ClientId = authOptions.ClientId,
ClientSecret = authOptions.ClientSecret,
PostLogoutRedirectUri = authOptions.PostLogoutRedirectUri,
ConfigurationManager = new PolicyConfigurationManager(authOptions.Authority,
new[] { b2cPolicies.SignInOrSignUpPolicy, b2cPolicies.EditProfilePolicy }),
Events = CreateOpenIdConnectEventHandlers(authOptions, b2cPolicies, distributedCache),
ResponseType = OpenIdConnectResponseType.CodeIdToken,
TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name"
},
SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme
};
openIdConnectOptions.Scope.Add("offline_access");
app.UseOpenIdConnectAuthentication(openIdConnectOptions);
}
