private static void AddMicrosoftIdentityWebAppInternal( AuthenticationBuilder builder, Action <MicrosoftIdentityOptions> configureMicrosoftIdentityOptions, Action <CookieAuthenticationOptions>?configureCookieAuthenticationOptions, string openIdConnectScheme, string?cookieScheme, bool subscribeToOpenIdConnectMiddlewareDiagnosticsEvents, string?displayName) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } if (configureMicrosoftIdentityOptions == null) { throw new ArgumentNullException(nameof(configureMicrosoftIdentityOptions)); } builder.Services.Configure(openIdConnectScheme, configureMicrosoftIdentityOptions); builder.Services.AddHttpClient(); if (!string.IsNullOrEmpty(cookieScheme)) { Action <CookieAuthenticationOptions> emptyOption = option => { }; builder.AddCookie(cookieScheme, configureCookieAuthenticationOptions ?? emptyOption); } builder.Services.TryAddSingleton <MicrosoftIdentityIssuerValidatorFactory>(); builder.Services.TryAddSingleton <ILoginErrorAccessor>(ctx => { // ITempDataDictionaryFactory is not always available, so we don't require it var tempFactory = ctx.GetService <ITempDataDictionaryFactory>(); var env = ctx.GetService <IHostEnvironment>(); // ex. Azure Functions will not have an env. if (env != null) { return(TempDataLoginErrorAccessor.Create(tempFactory, env.IsDevelopment())); } else { return(TempDataLoginErrorAccessor.Create(tempFactory, false)); } }); if (subscribeToOpenIdConnectMiddlewareDiagnosticsEvents) { builder.Services.AddSingleton <IOpenIdConnectMiddlewareDiagnostics, OpenIdConnectMiddlewareDiagnostics>(); } if (AppServicesAuthenticationInformation.IsAppServicesAadAuthenticationEnabled) { builder.Services.AddAuthentication(AppServicesAuthenticationDefaults.AuthenticationScheme) .AddAppServicesAuthentication(); return; } if (!string.IsNullOrEmpty(displayName)) { builder.AddOpenIdConnect(openIdConnectScheme, displayName: displayName, options => { }); } else { builder.AddOpenIdConnect(openIdConnectScheme, options => { }); } builder.Services.AddOptions <OpenIdConnectOptions>(openIdConnectScheme) .Configure <IServiceProvider, IOptionsMonitor <MergedOptions>, IOptionsMonitor <MicrosoftIdentityOptions>, IOptions <MicrosoftIdentityOptions> >(( options, serviceProvider, mergedOptionsMonitor, msIdOptionsMonitor, msIdOptions) => { MicrosoftIdentityBaseAuthenticationBuilder.SetIdentityModelLogger(serviceProvider); MergedOptions mergedOptions = mergedOptionsMonitor.Get(openIdConnectScheme); MergedOptions.UpdateMergedOptionsFromMicrosoftIdentityOptions(msIdOptions.Value, mergedOptions); MergedOptions.UpdateMergedOptionsFromMicrosoftIdentityOptions(msIdOptionsMonitor.Get(openIdConnectScheme), mergedOptions); MergedOptionsValidation.Validate(mergedOptions); PopulateOpenIdOptionsFromMergedOptions(options, mergedOptions); var b2cOidcHandlers = new AzureADB2COpenIDConnectEventHandlers( openIdConnectScheme, mergedOptions, serviceProvider.GetRequiredService <ILoginErrorAccessor>()); if (!string.IsNullOrEmpty(cookieScheme)) { options.SignInScheme = cookieScheme; } if (string.IsNullOrWhiteSpace(options.Authority)) { options.Authority = AuthorityHelpers.BuildAuthority(mergedOptions); } // This is a Microsoft identity platform web app options.Authority = AuthorityHelpers.EnsureAuthorityIsV2(options.Authority); // B2C doesn't have preferred_username claims if (mergedOptions.IsB2C) { options.TokenValidationParameters.NameClaimType = ClaimConstants.Name; } else { options.TokenValidationParameters.NameClaimType = ClaimConstants.PreferredUserName; } // If the developer registered an IssuerValidator, do not overwrite it if (options.TokenValidationParameters.ValidateIssuer && options.TokenValidationParameters.IssuerValidator == null) { // If you want to restrict the users that can sign-in to several organizations // Set the tenant value in the appsettings.json file to 'organizations', and add the // issuers you want to accept to options.TokenValidationParameters.ValidIssuers collection MicrosoftIdentityIssuerValidatorFactory microsoftIdentityIssuerValidatorFactory = serviceProvider.GetRequiredService <MicrosoftIdentityIssuerValidatorFactory>(); options.TokenValidationParameters.IssuerValidator = microsoftIdentityIssuerValidatorFactory.GetAadIssuerValidator(options.Authority).Validate; } // Avoids having users being presented the select account dialog when they are already signed-in // for instance when going through incremental consent var redirectToIdpHandler = options.Events.OnRedirectToIdentityProvider; options.Events.OnRedirectToIdentityProvider = async context => { var loginHint = context.Properties.GetParameter <string>(OpenIdConnectParameterNames.LoginHint); if (!string.IsNullOrWhiteSpace(loginHint)) { context.ProtocolMessage.LoginHint = loginHint; context.ProtocolMessage.SetParameter(Constants.XAnchorMailbox, $"{Constants.Upn}:{loginHint}"); // delete the login_hint from the Properties when we are done otherwise // it will take up extra space in the cookie. context.Properties.Parameters.Remove(OpenIdConnectParameterNames.LoginHint); } var domainHint = context.Properties.GetParameter <string>(OpenIdConnectParameterNames.DomainHint); if (!string.IsNullOrWhiteSpace(domainHint)) { context.ProtocolMessage.DomainHint = domainHint; // delete the domain_hint from the Properties when we are done otherwise // it will take up extra space in the cookie. context.Properties.Parameters.Remove(OpenIdConnectParameterNames.DomainHint); } context.ProtocolMessage.SetParameter(Constants.ClientInfo, Constants.One); context.ProtocolMessage.SetParameter(Constants.TelemetryHeaderKey, IdHelper.CreateTelemetryInfo()); // Additional claims if (context.Properties.Items.TryGetValue(OidcConstants.AdditionalClaims, out var additionClaims)) { context.ProtocolMessage.SetParameter( OidcConstants.AdditionalClaims, additionClaims); } if (mergedOptions.IsB2C) { // When a new Challenge is returned using any B2C user flow different than susi, we must change // the ProtocolMessage.IssuerAddress to the desired user flow otherwise the redirect would use the susi user flow await b2cOidcHandlers.OnRedirectToIdentityProvider(context).ConfigureAwait(false); } await redirectToIdpHandler(context).ConfigureAwait(false); }; if (mergedOptions.IsB2C) { var remoteFailureHandler = options.Events.OnRemoteFailure; options.Events.OnRemoteFailure = async context => { // Handles the error when a user cancels an action on the Azure Active Directory B2C UI. // Handle the error code that Azure Active Directory B2C throws when trying to reset a password from the login page // because password reset is not supported by a "sign-up or sign-in user flow". await b2cOidcHandlers.OnRemoteFailure(context).ConfigureAwait(false); await remoteFailureHandler(context).ConfigureAwait(false); }; } if (subscribeToOpenIdConnectMiddlewareDiagnosticsEvents) { var diagnostics = serviceProvider.GetRequiredService <IOpenIdConnectMiddlewareDiagnostics>(); diagnostics.Subscribe(options.Events); } }); }
private static void AddMicrosoftIdentityWebApiImplementation( AuthenticationBuilder builder, Action <JwtBearerOptions> configureJwtBearerOptions, Action <MicrosoftIdentityOptions> configureMicrosoftIdentityOptions, string jwtBearerScheme, bool subscribeToJwtBearerMiddlewareDiagnosticsEvents) { builder.AddJwtBearer(jwtBearerScheme, configureJwtBearerOptions); builder.Services.Configure(jwtBearerScheme, configureMicrosoftIdentityOptions); builder.Services.AddHttpContextAccessor(); builder.Services.AddHttpClient(); builder.Services.TryAddSingleton <MicrosoftIdentityIssuerValidatorFactory>(); builder.Services.AddRequiredScopeAuthorization(); builder.Services.AddRequiredScopeOrAppPermissionAuthorization(); builder.Services.AddOptions <AadIssuerValidatorOptions>(); if (subscribeToJwtBearerMiddlewareDiagnosticsEvents) { builder.Services.AddTransient <IJwtBearerMiddlewareDiagnostics, JwtBearerMiddlewareDiagnostics>(); } // Change the authentication configuration to accommodate the Microsoft identity platform endpoint (v2.0). builder.Services.AddOptions <JwtBearerOptions>(jwtBearerScheme) .Configure <IServiceProvider, IOptionsMonitor <MergedOptions>, IOptionsMonitor <MicrosoftIdentityOptions>, IOptions <MicrosoftIdentityOptions> >(( options, serviceProvider, mergedOptionsMonitor, msIdOptionsMonitor, msIdOptions) => { MicrosoftIdentityBaseAuthenticationBuilder.SetIdentityModelLogger(serviceProvider); MergedOptions mergedOptions = mergedOptionsMonitor.Get(jwtBearerScheme); MergedOptions.UpdateMergedOptionsFromJwtBearerOptions(options, mergedOptions); MergedOptions.UpdateMergedOptionsFromMicrosoftIdentityOptions(msIdOptions.Value, mergedOptions); MergedOptions.UpdateMergedOptionsFromMicrosoftIdentityOptions(msIdOptionsMonitor.Get(jwtBearerScheme), mergedOptions); MergedOptionsValidation.Validate(mergedOptions); if (string.IsNullOrWhiteSpace(options.Authority)) { options.Authority = AuthorityHelpers.BuildAuthority(mergedOptions); } // This is a Microsoft identity platform web API options.Authority = AuthorityHelpers.EnsureAuthorityIsV2(options.Authority); if (options.TokenValidationParameters.AudienceValidator == null && options.TokenValidationParameters.ValidAudience == null && options.TokenValidationParameters.ValidAudiences == null) { RegisterValidAudience registerAudience = new RegisterValidAudience(); registerAudience.RegisterAudienceValidation( options.TokenValidationParameters, mergedOptions); } // If the developer registered an IssuerValidator, do not overwrite it if (options.TokenValidationParameters.ValidateIssuer && options.TokenValidationParameters.IssuerValidator == null) { // Instead of using the default validation (validating against a single tenant, as we do in line of business apps), // we inject our own multi-tenant validation logic (which even accepts both v1.0 and v2.0 tokens) MicrosoftIdentityIssuerValidatorFactory microsoftIdentityIssuerValidatorFactory = serviceProvider.GetRequiredService <MicrosoftIdentityIssuerValidatorFactory>(); options.TokenValidationParameters.IssuerValidator = microsoftIdentityIssuerValidatorFactory.GetAadIssuerValidator(options.Authority).Validate; } // If you provide a token decryption certificate, it will be used to decrypt the token if (mergedOptions.TokenDecryptionCertificates != null) { DefaultCertificateLoader.UserAssignedManagedIdentityClientId = mergedOptions.UserAssignedManagedIdentityClientId; IEnumerable <X509Certificate2?> certificates = DefaultCertificateLoader.LoadAllCertificates(mergedOptions.TokenDecryptionCertificates); IEnumerable <X509SecurityKey> keys = certificates.Select(c => new X509SecurityKey(c)); options.TokenValidationParameters.TokenDecryptionKeys = keys; } if (options.Events == null) { options.Events = new JwtBearerEvents(); } // When an access token for our own web API is validated, we add it to MSAL.NET's cache so that it can // be used from the controllers. if (!mergedOptions.AllowWebApiToBeAuthorizedByACL) { ChainOnTokenValidatedEventForClaimsValidation(options.Events, jwtBearerScheme); } if (subscribeToJwtBearerMiddlewareDiagnosticsEvents) { var diagnostics = serviceProvider.GetRequiredService <IJwtBearerMiddlewareDiagnostics>(); diagnostics.Subscribe(options.Events); } }); }