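/// <summary>
/// Builds the application <see cref="ClaimsPrincipal"/> for a SiteMinder token.
/// Every principal gets <c>role_everyone</c>. Internal tokens (EMBC admin) receive the full
/// admin role set straight from the token; external tokens (BCeID) are resolved to a volunteer
/// record whose bound GUIDs must agree with the token. A token that is neither internal nor
/// external yields a principal carrying only <c>role_everyone</c>.
/// </summary>
/// <param name="smAuthToken">Token parsed from the SiteMinder forwarded headers.</param>
/// <returns>A principal with a single identity whose authentication type is <c>Options.Scheme</c>.</returns>
/// <exception cref="ArgumentNullException"><paramref name="smAuthToken"/> is null.</exception>
/// <exception cref="ApplicationException">
/// The external user has no volunteer record, or the record's bound BCeID user/business GUID
/// does not match the token. The message is surfaced to the caller as the failure reason.
/// </exception>
private async Task<ClaimsPrincipal> CreatePrincipalFor(SiteMinderAuthenticationToken smAuthToken)
{
    if (smAuthToken is null)
    {
        throw new ArgumentNullException(nameof(smAuthToken));
    }

    var claims = new List<Claim> { new Claim(ClaimTypes.Role, "role_everyone") };

    // Claims shared by internal and external users; values are copied verbatim from the token.
    // NOTE(review): Claim(type, value) throws ArgumentNullException for a null value, so a token
    // missing one of these headers fails with a 500 rather than an auth failure — confirm the
    // header set is guaranteed upstream.
    void AddSiteMinderClaims()
    {
        claims.Add(new Claim(ClaimTypes.Sid, smAuthToken.smgov_userguid));
        claims.Add(new Claim(ClaimTypes.Upn, smAuthToken.sm_universalid));
        claims.Add(new Claim(SiteMinderClaimTypes.USER_TYPE, smAuthToken.smgov_usertype));
        claims.Add(new Claim(SiteMinderClaimTypes.NAME, smAuthToken.smgov_userdisplayname));
    }

    if (smAuthToken.IsInternal())
    {
        // EMBC admin: roles are granted purely on the token's user type, with no database lookup.
        claims.Add(new Claim(ClaimTypes.Role, "role_volunteer"));
        claims.Add(new Claim(ClaimTypes.Role, "role_local_authority"));
        claims.Add(new Claim(ClaimTypes.Role, "role_provincial_admin"));
        AddSiteMinderClaims();
        claims.Add(new Claim(EssClaimTypes.USER_ID, smAuthToken.smgov_userguid));
    }
    else if (smAuthToken.IsExternal())
    {
        // Volunteer: the BCeID universal id must resolve to a known volunteer record.
        // Assumes the lookup populates volunteer.Organization — TODO confirm against dataInterface.
        var volunteer = dataInterface.GetVolunteerByBceidUserId(smAuthToken.sm_universalid);
        if (volunteer == null)
        {
            throw new ApplicationException("Volunteer not found");
        }

        // Once a BCeID GUID is bound to the record, a different GUID presenting the same
        // universal id is rejected: the universal id alone is not treated as proof of identity.
        // Comparison is ordinal and case-sensitive; GUID casing is assumed consistent between
        // token and record — confirm.
        if (volunteer.Externaluseridentifier != null && volunteer.Externaluseridentifier != smAuthToken.smgov_userguid)
        {
            throw new ApplicationException("Volunteer BCeID GUID does not match");
        }

        // Same rule for the organisation: a bound business GUID must match the token's.
        if (volunteer.Organization.BCeIDBusinessGuid != null && volunteer.Organization.BCeIDBusinessGuid != smAuthToken.smgov_businessguid)
        {
            throw new ApplicationException("Volunteer doesn't belong to the correct organization");
        }

        // First login binds the BCeID GUID to the record (trust on first use); the GUID check
        // above enforces that binding on every later login.
        if (string.IsNullOrEmpty(volunteer.Externaluseridentifier))
        {
            volunteer.Externaluseridentifier = smAuthToken.smgov_userguid;
            await dataInterface.UpdateVolunteerAsync(volunteer);
        }

        claims.Add(new Claim(ClaimTypes.Role, "role_volunteer"));
        if (volunteer.IsAdministrator ?? false)
        {
            claims.Add(new Claim(ClaimTypes.Role, "role_local_authority"));
        }
        AddSiteMinderClaims();
        claims.Add(new Claim(SiteMinderClaimTypes.BUSINESS_GUID, smAuthToken.smgov_businessguid));
        // For volunteers the ESS user id is the volunteer record id, not the SiteMinder GUID.
        claims.Add(new Claim(EssClaimTypes.USER_ID, volunteer.Id));
        claims.Add(new Claim(EssClaimTypes.ORG_ID, volunteer.Organization.Id));
    }

    return new ClaimsPrincipal(new ClaimsIdentity(claims, Options.Scheme));
}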
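/// <summary>
/// Writes the SiteMinder token to the response as the <c>SM_TOKEN_NAME</c> cookie.
/// The value is Base64-encoded only (not encrypted or signed), so the cookie is kept
/// short-lived, HttpOnly and SameSite=Strict to limit where and how long it can be read.
/// </summary>
/// <param name="token">Token to serialize into the cookie.</param>
/// <param name="res">Response the cookie is appended to.</param>
/// <exception cref="ArgumentNullException"><paramref name="token"/> or <paramref name="res"/> is null.</exception>
public static void AddToResponse(SiteMinderAuthenticationToken token, HttpResponse res)
{
    if (token is null)
    {
        throw new ArgumentNullException(nameof(token));
    }
    if (res is null)
    {
        throw new ArgumentNullException(nameof(res));
    }

    var options = new CookieOptions
    {
        SameSite = SameSiteMode.Strict,
        HttpOnly = true,
        // Secure follows the request (same-as-request): set on TLS requests, omitted on
        // plain-HTTP development hosts. Behind a TLS-terminating proxy this relies on the
        // forwarded-headers middleware making IsHttps reflect the original scheme — confirm.
        Secure = res.HttpContext.Request.IsHttps,
        // Thirty seconds: the cookie is a hand-off, not a session credential.
        Expires = DateTimeOffset.Now.AddSeconds(30),
    };

    res.Cookies.Append(SM_TOKEN_NAME, token.ToString().Base64Encode(), options);
}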
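/// <summary>
/// Authenticates the request from the SiteMinder forwarded headers.
/// Precedence: a principal already cached in the session is returned as-is; otherwise an
/// anonymous token yields NoResult; otherwise a principal is built, cached in the session
/// as a JWT, and returned. Outside production an anonymous token is replaced by a dev token.
/// </summary>
/// <returns>
/// Success with a ticket for <c>Options.Scheme</c>; NoResult for an anonymous request; or Fail
/// carrying the message of the <see cref="ApplicationException"/> raised while resolving the user.
/// </returns>
protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
{
    var smAuthToken = SiteMinderAuthenticationToken.CreateFromFwdHeaders(Request);

    if (!environment.IsProduction() && smAuthToken.IsAnonymous())
    {
        // Non-production only: fabricate a token and drop any stale SM cookie so the dev identity wins.
        smAuthToken = SiteMinderAuthenticationToken.CreateForDev(Request);
        Response.Cookies.Delete(SiteMinderAuthenticationToken.SM_TOKEN_NAME);
    }

    // NOTE(review): the token carries user identifiers and a display name; this stays out of
    // production logs only while Debug is disabled there — confirm the logging configuration.
    logger.LogDebug("smAuthToken: {SmAuthToken}", smAuthToken);

    // A principal cached earlier in this session short-circuits everything below.
    // NOTE(review): it is not re-checked against the current headers, so it outlives a change
    // of SiteMinder identity until the session expires — confirm that is intended.
    var cachedClaims = Context.Session.GetString("app.principal");
    if (!string.IsNullOrEmpty(cachedClaims))
    {
        var cachedPrincipal = cachedClaims.FromJwt();
        logger.LogDebug("Success (session): {Name}", cachedPrincipal.Identity.Name);
        return AuthenticateResult.Success(new AuthenticationTicket(cachedPrincipal, Options.Scheme));
    }

    if (smAuthToken.IsAnonymous())
    {
        logger.LogDebug("NoResult");
        return AuthenticateResult.NoResult();
    }

    try
    {
        var principal = await CreatePrincipalFor(smAuthToken);
        Context.Session.SetString("app.principal", principal.ToJwt());
        logger.LogDebug("Success (new): {Name}", principal.Identity.Name);
        return AuthenticateResult.Success(new AuthenticationTicket(principal, Options.Scheme));
    }
    catch (ApplicationException e)
    {
        // Pass the exception object so the stack trace is retained; the message is also
        // what the caller receives as the failure reason.
        logger.LogError(e, "Fail to authenticate user with token '{SmAuthToken}': {Message}", smAuthToken, e.Message);
        return AuthenticateResult.Fail(e.Message);
    }
}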