/// <summary>
/// Creates identity infromation about the specified principal's identity.
/// </summary>
/// <param name="principal">The principal.</param>
/// <param name="application">The application from which the identity is observed.</param>
/// <param name="relatedApplicationIdentities">The identities as seen from other applications related to the current application.</param>
/// <returns>Identity information about the current principal's identity.</returns>
public static async Task <IdentityInfo> FromPrincipal(IPrincipal principal, string source, string application, IList <IdentityInfo> relatedApplicationIdentities, AadGraphClient graphClient)
{
return(await FromIdentity(principal.Identity as ClaimsIdentity, source, application, relatedApplicationIdentities, graphClient));
}
/// <summary>
/// Creates identity infromation about the specified identity.
/// </summary>
/// <param name="identity">The identity.</param>
/// <param name="application">The application from which the identity is observed.</param>
/// <param name="relatedApplicationIdentities">The identities as seen from other applications related to the current application.</param>
/// <param name="graphClient">The graph client used to look up group claim details.</param>
/// <returns>Identity information about the specified identity.</returns>
public static async Task <IdentityInfo> FromIdentity(ClaimsIdentity identity, string source, string application, IList <IdentityInfo> relatedApplicationIdentities, AadGraphClient graphClient)
{
if (identity == null)
{
return(new IdentityInfo
{
Source = source,
Application = application,
IsAuthenticated = false,
RelatedApplicationIdentities = relatedApplicationIdentities
});
}
var groups = default(IList <IGroup>);
if (graphClient != null)
{
// Look up all the Azure AD groups for which there are group claims.
// [NOTE] To get group claims in the token, ensure to update the Azure AD application manifest.
// Change "groupMembershipClaims" from null to "SecurityGroup" (or "All" to include distribution groups).
// See http://www.dushyantgill.com/blog/2014/12/10/authorization-cloud-applications-using-ad-groups/ for more information.
var groupIds = identity.Claims.Where(claim => GroupClaimTypes.Any(groupClaimType => string.Equals(claim.Type, groupClaimType, StringComparison.OrdinalIgnoreCase))).Select(claim => claim.Value).ToArray();
groups = await graphClient.GetGroupsAsync(groupIds);
}
// [NOTE] Inspect the identity and its claims.
return(new IdentityInfo
{
Source = source,
Application = application,
IsAuthenticated = identity.IsAuthenticated,
Name = identity.Name,
AuthenticationType = identity.AuthenticationType,
GroupNames = (groups == null ? new string[0] : groups.Select(g => g.DisplayName).ToArray()),
RoleNames = identity.Claims.Where(claim => RoleClaimTypes.Any(roleClaimType => string.Equals(claim.Type, roleClaimType, StringComparison.OrdinalIgnoreCase))).Select(claim => claim.Value).ToArray(),
Claims = identity.Claims.Select(claim => new ClaimInfo {
Issuer = claim.Issuer, Type = claim.Type, Value = claim.Value, Remark = GetRemark(claim, groups)
}).ToArray(),
RelatedApplicationIdentities = relatedApplicationIdentities ?? new IdentityInfo[0]
});
}
/// <summary>
/// Creates identity infromation about the claims represented in the specified JWT token.
/// </summary>
/// <param name="jwt">The JWT token.</param>
/// <param name="application">The application from which the identity is observed.</param>
/// <param name="relatedApplicationIdentities">The identities as seen from other applications related to the current application.</param>
/// <param name="graphClient">The graph client used to look up group claim details.</param>
/// <returns>Identity information about the specified JWT token.</returns>
public static async Task <IdentityInfo> FromJwt(string jwt, string source, string application, IList <IdentityInfo> relatedApplicationIdentities, AadGraphClient graphClient)
{
try
{
var token = new JwtSecurityToken(jwt);
var identity = new ClaimsIdentity(token.Claims, "JWT", StsConfiguration.NameClaimType, StsConfiguration.RoleClaimType);
return(await FromIdentity(identity, source, application, relatedApplicationIdentities, graphClient));
}
catch (Exception)
{
// The JWT string is not a valid token, return an unauthenticated identity.
return(await FromIdentity(null, source, application, relatedApplicationIdentities, graphClient));
}
}
