private static OAuth2IntrospectionOptions ConfigureIntrospection(IdentityServerAuthenticationOptions options) { var introspectionOptions = new OAuth2IntrospectionOptions { AuthenticationScheme = options.AuthenticationScheme, Authority = options.Authority, ScopeName = options.ScopeName, ScopeSecret = options.ScopeSecret, AutomaticAuthenticate = options.AutomaticAuthenticate, AutomaticChallenge = options.AutomaticChallenge, NameClaimType = options.NameClaimType, RoleClaimType = options.RoleClaimType, TokenRetriever = _tokenRetriever, SaveTokensAsClaims = options.SaveTokensAsClaims, DiscoveryTimeout = options.BackChannelTimeouts, IntrospectionTimeout = options.BackChannelTimeouts }; if (options.IntrospectionBackChannelHandler != null) { introspectionOptions.IntrospectionHttpHandler = options.IntrospectionBackChannelHandler; } if (options.IntrospectionDiscoveryHandler != null) { introspectionOptions.DiscoveryHttpHandler = options.IntrospectionDiscoveryHandler; } return introspectionOptions; }
public static IApplicationBuilder UseIdentityServerAuthentication(this IApplicationBuilder app, Action<IdentityServerAuthenticationOptions> configureOptions) { var options = new IdentityServerAuthenticationOptions(); configureOptions(options); return app.UseIdentityServerAuthentication(options); }
private static JwtBearerOptions ConfigureJwt(IdentityServerAuthenticationOptions options) { var jwtOptions = new JwtBearerOptions { AuthenticationScheme = options.AuthenticationScheme, Authority = options.Authority, RequireHttpsMetadata = options.RequireHttpsMetadata, AutomaticAuthenticate = options.AutomaticAuthenticate, AutomaticChallenge = options.AutomaticChallenge, BackchannelTimeout = options.BackChannelTimeouts, RefreshOnIssuerKeyNotFound = true, SaveToken = options.SaveToken, Events = new JwtBearerEvents { OnMessageReceived = e => { e.Token = _tokenRetriever(e.Request); return(options.JwtBearerEvents.MessageReceived(e)); }, OnTokenValidated = e => options.JwtBearerEvents.TokenValidated(e), OnAuthenticationFailed = e => options.JwtBearerEvents.AuthenticationFailed(e), OnChallenge = e => options.JwtBearerEvents.Challenge(e) } }; if (options.JwtBackChannelHandler != null) { jwtOptions.BackchannelHttpHandler = options.JwtBackChannelHandler; } // if API name is set, do an audience check if (!string.IsNullOrWhiteSpace(options.ApiName)) { jwtOptions.Audience = options.ApiName; } else { // otherwise don't check the aud jwtOptions.TokenValidationParameters.ValidateAudience = false; } jwtOptions.TokenValidationParameters.NameClaimType = options.NameClaimType; jwtOptions.TokenValidationParameters.RoleClaimType = options.RoleClaimType; if (options.InboundJwtClaimTypeMap != null) { var handler = new JwtSecurityTokenHandler(); handler.InboundClaimTypeMap = options.InboundJwtClaimTypeMap; jwtOptions.SecurityTokenValidators.Clear(); jwtOptions.SecurityTokenValidators.Add(handler); } return(jwtOptions); }
public ConfigureInternalOptions( IdentityServerAuthenticationOptions identityServerOptions, string scheme ) { _identityServerOptions = identityServerOptions; _scheme = scheme; }
public static IApplicationBuilder UseIdentityServerAuthentication(this IApplicationBuilder app, IdentityServerAuthenticationOptions options) { var combinedOptions = new CombinedAuthenticationOptions(); combinedOptions.TokenRetriever = options.TokenRetriever; combinedOptions.AuthenticationScheme = options.AuthenticationScheme; switch (options.SupportedTokens) { case SupportedTokens.Jwt: combinedOptions.JwtBearerOptions = ConfigureJwt(options); break; case SupportedTokens.Reference: combinedOptions.IntrospectionOptions = ConfigureIntrospection(options); break; case SupportedTokens.Both: combinedOptions.JwtBearerOptions = ConfigureJwt(options); combinedOptions.IntrospectionOptions = ConfigureIntrospection(options); break; default: throw new Exception("SupportedTokens has invalid value"); } app.UseMiddleware<IdentityServerAuthenticationMiddleware>(app, combinedOptions); var allowedScopes = new List<string>(); if (!string.IsNullOrWhiteSpace(options.ScopeName)) { allowedScopes.Add(options.ScopeName); } if (options.AdditionalScopes != null && options.AdditionalScopes.Any()) { allowedScopes.AddRange(options.AdditionalScopes); } if (allowedScopes.Any()) { var scopeOptions = new ScopeValidationOptions { AllowedScopes = allowedScopes, AuthenticationScheme = options.AuthenticationScheme }; app.AllowScopes(scopeOptions); } return app; }
private static OAuth2IntrospectionOptions ConfigureIntrospection(IdentityServerAuthenticationOptions options) { if (String.IsNullOrWhiteSpace(options.ApiSecret)) { return(null); } if (String.IsNullOrWhiteSpace(options.ApiName)) { throw new ArgumentException("ApiName must be configured if ApiSecret is set."); } var introspectionOptions = new OAuth2IntrospectionOptions { AuthenticationScheme = options.AuthenticationScheme, Authority = options.Authority, ClientId = options.ApiName, ClientSecret = options.ApiSecret, AutomaticAuthenticate = options.AutomaticAuthenticate, AutomaticChallenge = options.AutomaticChallenge, NameClaimType = options.NameClaimType, RoleClaimType = options.RoleClaimType, TokenRetriever = _tokenRetriever, SaveToken = options.SaveToken, EnableCaching = options.EnableCaching, CacheDuration = options.CacheDuration, DiscoveryTimeout = options.BackChannelTimeouts, IntrospectionTimeout = options.BackChannelTimeouts }; if (options.IntrospectionBackChannelHandler != null) { introspectionOptions.IntrospectionHttpHandler = options.IntrospectionBackChannelHandler; } if (options.IntrospectionDiscoveryHandler != null) { introspectionOptions.DiscoveryHttpHandler = options.IntrospectionDiscoveryHandler; } return(introspectionOptions); }
private static OAuth2IntrospectionOptions ConfigureIntrospection(IdentityServerAuthenticationOptions options) { var introspectionOptions = new OAuth2IntrospectionOptions { AuthenticationScheme = options.AuthenticationScheme, Authority = options.Authority, ScopeName = options.ScopeName, ScopeSecret = options.ScopeSecret, AutomaticAuthenticate = options.AutomaticAuthenticate, AutomaticChallenge = options.AutomaticChallenge, NameClaimType = options.NameClaimType, RoleClaimType = options.RoleClaimType, TokenRetriever = _tokenRetriever, SaveToken = options.SaveToken, EnableCaching = options.EnableCaching, CacheDuration = options.CacheDuration, DiscoveryTimeout = options.BackChannelTimeouts, IntrospectionTimeout = options.BackChannelTimeouts }; if (options.IntrospectionBackChannelHandler != null) { introspectionOptions.IntrospectionHttpHandler = options.IntrospectionBackChannelHandler; } if (options.IntrospectionDiscoveryHandler != null) { introspectionOptions.DiscoveryHttpHandler = options.IntrospectionDiscoveryHandler; } return(introspectionOptions); }
public static CombinedAuthenticationOptions FromIdentityServerAuthenticationOptions(IdentityServerAuthenticationOptions options) { var combinedOptions = new CombinedAuthenticationOptions() { TokenRetriever = options.TokenRetriever, AuthenticationScheme = options.AuthenticationScheme, PassThruOptions = new NopAuthenticationOptions() { AuthenticationScheme = options.AuthenticationScheme, AutomaticAuthenticate = options.AutomaticAuthenticate, AutomaticChallenge = options.AutomaticChallenge } }; switch (options.SupportedTokens) { case SupportedTokens.Jwt: combinedOptions.JwtBearerOptions = ConfigureJwt(options); break; case SupportedTokens.Reference: combinedOptions.IntrospectionOptions = ConfigureIntrospection(options); break; case SupportedTokens.Both: combinedOptions.JwtBearerOptions = ConfigureJwt(options); combinedOptions.IntrospectionOptions = ConfigureIntrospection(options); break; default: throw new Exception("SupportedTokens has invalid value"); } combinedOptions.ScopeValidationOptions = new ScopeValidationOptions { AllowedScopes = new string[] { } }; if (options.ValidateScope) { var allowedScopes = new List <string>(); if (options.AllowedScopes != null && options.AllowedScopes.Any()) { allowedScopes.AddRange(options.AllowedScopes); } if (allowedScopes.Any()) { combinedOptions.ScopeValidationOptions = new ScopeValidationOptions { AllowedScopes = allowedScopes, AuthenticationScheme = options.AuthenticationScheme }; } } return(combinedOptions); }
private static JwtBearerOptions ConfigureJwt(IdentityServerAuthenticationOptions options) { var jwtOptions = new JwtBearerOptions { AuthenticationScheme = options.AuthenticationScheme, Authority = options.Authority, RequireHttpsMetadata = options.RequireHttpsMetadata, AutomaticAuthenticate = options.AutomaticAuthenticate, AutomaticChallenge = options.AutomaticChallenge, BackchannelTimeout = options.BackChannelTimeouts, RefreshOnIssuerKeyNotFound = true, SaveToken = options.SaveToken, Events = new JwtBearerEvents { OnMessageReceived = e => { e.Token = _tokenRetriever(e.Request); return(options.JwtBearerEvents.MessageReceived(e)); }, OnTokenValidated = e => options.JwtBearerEvents.TokenValidated(e), OnAuthenticationFailed = e => options.JwtBearerEvents.AuthenticationFailed(e), OnChallenge = e => options.JwtBearerEvents.Challenge(e) } }; if (options.DiscoveryDocumentRefreshInterval.HasValue) { var parsedUrl = DiscoveryClient.ParseUrl(options.Authority); var httpClient = new HttpClient(options.JwtBackChannelHandler ?? new HttpClientHandler()) { Timeout = options.BackChannelTimeouts, MaxResponseContentBufferSize = 1024 * 1024 * 10 // 10 MB }; var manager = new ConfigurationManager <OpenIdConnectConfiguration>( parsedUrl.discoveryEndpoint, new OpenIdConnectConfigurationRetriever(), new HttpDocumentRetriever(httpClient) { RequireHttps = options.RequireHttpsMetadata }) { AutomaticRefreshInterval = options.DiscoveryDocumentRefreshInterval.Value }; jwtOptions.ConfigurationManager = manager; } if (options.JwtBackChannelHandler != null) { jwtOptions.BackchannelHttpHandler = options.JwtBackChannelHandler; } // if API name is set, do a strict audience check for if (!string.IsNullOrWhiteSpace(options.ApiName) && !options.LegacyAudienceValidation) { jwtOptions.Audience = options.ApiName; } else { // no audience validation, rely on scope checks only jwtOptions.TokenValidationParameters.ValidateAudience = false; } jwtOptions.TokenValidationParameters.NameClaimType = options.NameClaimType; jwtOptions.TokenValidationParameters.RoleClaimType = options.RoleClaimType; if (options.InboundJwtClaimTypeMap != null) { var handler = new JwtSecurityTokenHandler(); handler.InboundClaimTypeMap = options.InboundJwtClaimTypeMap; jwtOptions.SecurityTokenValidators.Clear(); jwtOptions.SecurityTokenValidators.Add(handler); } return(jwtOptions); }
private static JwtBearerOptions ConfigureJwt(IdentityServerAuthenticationOptions options) { var jwtOptions = new JwtBearerOptions { AuthenticationScheme = options.AuthenticationScheme, Authority = options.Authority, RequireHttpsMetadata = false, AutomaticAuthenticate = options.AutomaticAuthenticate, AutomaticChallenge = options.AutomaticChallenge, BackchannelTimeout = options.BackChannelTimeouts, RefreshOnIssuerKeyNotFound = true, Events = new JwtBearerEvents { OnReceivingToken = e => { e.Token = _tokenRetriever(e.Request); return Task.FromResult(0); }, OnValidatedToken = e => { if (options.SaveTokensAsClaims) { e.AuthenticationTicket.Principal.Identities.First().AddClaim( new Claim("access_token", _tokenRetriever(e.Request))); } return Task.FromResult(0); } } }; if (options.JwtBackChannelHandler != null) { jwtOptions.BackchannelHttpHandler = options.JwtBackChannelHandler; } jwtOptions.TokenValidationParameters.ValidateAudience = false; jwtOptions.TokenValidationParameters.NameClaimType = options.NameClaimType; jwtOptions.TokenValidationParameters.RoleClaimType = options.RoleClaimType; return jwtOptions; }
public static CombinedAuthenticationOptions FromIdentityServerAuthenticationOptions(IdentityServerAuthenticationOptions options) { var combinedOptions = new CombinedAuthenticationOptions(); combinedOptions.TokenRetriever = options.TokenRetriever; combinedOptions.AuthenticationScheme = options.AuthenticationScheme; switch (options.SupportedTokens) { case SupportedTokens.Jwt: combinedOptions.JwtBearerOptions = ConfigureJwt(options); break; case SupportedTokens.Reference: combinedOptions.IntrospectionOptions = ConfigureIntrospection(options); break; case SupportedTokens.Both: combinedOptions.JwtBearerOptions = ConfigureJwt(options); combinedOptions.IntrospectionOptions = ConfigureIntrospection(options); break; default: throw new Exception("SupportedTokens has invalid value"); } if (options.ValidateScope) { var allowedScopes = new List <string>(); if (!string.IsNullOrWhiteSpace(options.ScopeName)) { allowedScopes.Add(options.ScopeName); } if (options.AdditionalScopes != null && options.AdditionalScopes.Any()) { allowedScopes.AddRange(options.AdditionalScopes); } if (allowedScopes.Any()) { var scopeOptions = new ScopeValidationOptions { AllowedScopes = allowedScopes, AuthenticationScheme = options.AuthenticationScheme }; combinedOptions.ScopeValidationOptions = scopeOptions; } else { var scopeOptions = new ScopeValidationOptions { AllowedScopes = new string[] { } }; combinedOptions.ScopeValidationOptions = scopeOptions; } } return(combinedOptions); }
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory) { loggerFactory.AddConsole(); loggerFactory.AddDebug(); app.UseExceptionHandler("/Home/Error"); app.UseCors("corsGlobalPolicy"); app.UseStaticFiles(); JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear(); IdentityServerAuthenticationOptions identityServerValidationOptions = new IdentityServerAuthenticationOptions { Authority = "https://localhost:44318/", AllowedScopes = new List<string> { "dataEventRecords" }, ApiSecret = "dataEventRecordsSecret", ApiName = "dataEventRecords", AutomaticAuthenticate = true, SupportedTokens = SupportedTokens.Both, // TokenRetriever = _tokenRetriever, // required if you want to return a 403 and not a 401 for forbidden responses AutomaticChallenge = true, }; app.UseIdentityServerAuthentication(identityServerValidationOptions); app.UseMvc(routes => { routes.MapRoute( name: "default", template: "{controller=Home}/{action=Index}/{id?}"); }); }
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory) { loggerFactory.AddConsole(Configuration.GetSection("Logging")); loggerFactory.AddDebug(); var angularRoutes = new[] { "/Unauthorized", "/Forbidden", "/uihome", "/dataeventrecords/", "/dataeventrecords/create", "/dataeventrecords/edit/", "/dataeventrecords/list", "/usermanagement", }; app.Use(async (context, next) => { if (context.Request.Path.HasValue && null != angularRoutes.FirstOrDefault( (ar) => context.Request.Path.Value.StartsWith(ar, StringComparison.OrdinalIgnoreCase))) { context.Request.Path = new PathString("/"); } await next(); }); app.UseDefaultFiles(); app.UseStaticFiles(); if (env.IsDevelopment()) { app.UseDeveloperExceptionPage(); app.UseDatabaseErrorPage(); // Does not work with HTTPS //app.UseBrowserLink(); } else { app.UseExceptionHandler("/Home/Error"); } app.UseIdentity(); app.UseIdentityServer(); JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear(); IdentityServerAuthenticationOptions identityServerValidationOptions = new IdentityServerAuthenticationOptions { Authority = Config.HOST_URL + "/", AllowedScopes = new List<string> { "dataEventRecords" }, ApiSecret = "dataEventRecordsSecret", ApiName = "dataEventRecords", AutomaticAuthenticate = true, SupportedTokens = SupportedTokens.Both, // TokenRetriever = _tokenRetriever, // required if you want to return a 403 and not a 401 for forbidden responses AutomaticChallenge = true, }; app.UseIdentityServerAuthentication(identityServerValidationOptions); app.UseMvc(routes => { routes.MapRoute( name: "default", template: "{controller=Home}/{action=Index}/{id?}"); }); }