/// <summary>
/// Registers JWT bearer authentication through Microsoft.Identity.Web, using a
/// certificate held in Key Vault as the confidential-client credential for
/// downstream API calls (the counterpart of the client-secret variant).
/// </summary>
/// <param name="services">Service collection to register into.</param>
/// <param name="configuration">Configuration source; the "AzureAd" section plus the
/// "KeyVault:Url" and "GraphAppCertName" settings are read.</param>
/// <param name="authenticationOptions">Source of the accepted audiences and issuers.</param>
/// <param name="azureADOptions">Supplies the instance and tenant that form the authority URL.</param>
private static void RegisterAuthenticationServicesWithCertificate(
    IServiceCollection services,
    IConfiguration configuration,
    AuthenticationOptions authenticationOptions,
    AzureADOptions azureADOptions)
{
    var authority = $"{azureADOptions.Instance}{azureADOptions.TenantId}/v2.0";

    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddMicrosoftIdentityWebApi(
            bearerOptions =>
            {
                bearerOptions.Authority = authority;
                // SaveToken: the framework retains the incoming token (see JwtBearerOptions docs).
                bearerOptions.SaveToken = true;
                var validation = bearerOptions.TokenValidationParameters;
                validation.ValidAudiences = AuthenticationServiceCollectionExtensions.GetValidAudiences(authenticationOptions);
                validation.AudienceValidator = AuthenticationServiceCollectionExtensions.AudienceValidator;
                validation.ValidIssuers = AuthenticationServiceCollectionExtensions.GetValidIssuers(authenticationOptions);
            },
            identityOptions =>
            {
                configuration.Bind("AzureAd", identityOptions);
                var keyVaultUrl = configuration.GetValue<string>("KeyVault:Url");
                var certificateName = configuration.GetValue<string>("GraphAppCertName");
                // The client credential is a certificate fetched from Key Vault, so no
                // client secret has to be present in configuration.
                identityOptions.ClientCertificates = new[]
                {
                    CertificateDescription.FromKeyVault(keyVaultUrl, certificateName),
                };
            })
        .EnableTokenAcquisitionToCallDownstreamApi(
            confidentialClientOptions => configuration.Bind("AzureAd", confidentialClientOptions))
        .AddInMemoryTokenCaches();
}
/// <summary>
/// Registers the protected-web-API authentication pipeline for a single-tenant
/// application, then overrides the JWT bearer options (authority, audiences,
/// issuers) from <paramref name="authenticationOptions"/>.
/// </summary>
/// <param name="services">Service collection to register into.</param>
/// <param name="configuration">Configuration handed to the protected-web-API registration.</param>
/// <param name="authenticationOptions">Validated first; supplies instance, tenant, audiences and issuers.</param>
private static void RegisterAuthenticationServices(
    IServiceCollection services,
    IConfiguration configuration,
    AuthenticationOptions authenticationOptions)
{
    AuthenticationServiceCollectionExtensions.ValidateAuthenticationOptions(authenticationOptions);

    services.AddProtectedWebApi(configuration)
        .AddProtectedWebApiCallsProtectedWebApi(configuration)
        .AddInMemoryTokenCaches();

    services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, ConfigureBearer);

    void ConfigureBearer(JwtBearerOptions bearerOptions)
    {
        // Only Instance and TenantId feed the authority; ClientId is set but not read here.
        var azureAd = new AzureADOptions
        {
            Instance = authenticationOptions.AzureAdInstance,
            TenantId = authenticationOptions.AzureAdTenantId,
            ClientId = authenticationOptions.AzureAdClientId,
        };

        bearerOptions.Authority = $"{azureAd.Instance}{azureAd.TenantId}/v2.0";
        bearerOptions.SaveToken = true;

        var validation = bearerOptions.TokenValidationParameters;
        validation.ValidAudiences = AuthenticationServiceCollectionExtensions.GetValidAudiences(authenticationOptions);
        validation.AudienceValidator = AuthenticationServiceCollectionExtensions.AudienceValidator;
        validation.ValidIssuers = AuthenticationServiceCollectionExtensions.GetValidIssuers(authenticationOptions);
    }
}
/// <summary>
/// Extension method that wires up authentication and the authorization policy
/// for the application: authentication handlers are registered first, then the
/// authorization policy.
/// </summary>
/// <param name="services">The <see cref="IServiceCollection"/> being extended.</param>
/// <param name="configuration">Application configuration.</param>
/// <param name="authenticationOptions">Strongly-typed authentication settings.</param>
public static void AddAuthentication(
    this IServiceCollection services,
    IConfiguration configuration,
    AuthenticationOptions authenticationOptions)
{
    RegisterAuthenticationServices(services, configuration, authenticationOptions);
    RegisterAuthorizationPolicy(services, configuration);
}
/// <summary>
/// Expands the configured issuer templates into the concrete issuers accepted
/// for token validation, substituting the tenant id for the "TENANT_ID" placeholder.
/// </summary>
/// <param name="authenticationOptions">Provides the tenant id and the raw issuer list.</param>
/// <returns>
/// A lazily evaluated sequence of issuer strings; enumerate once (or materialize)
/// if it will be iterated repeatedly.
/// </returns>
private static IEnumerable<string> GetValidIssuers(AuthenticationOptions authenticationOptions)
{
    var tenantId = authenticationOptions.AzureAdTenantId;

    // A null tenant id is treated by string.Replace as an empty replacement,
    // i.e. the placeholder is removed rather than substituted.
    return AuthenticationServiceCollectionExtensions
        .SplitAuthenticationOptionsList(authenticationOptions.AzureAdValidIssuers)
        .Select(issuerTemplate => issuerTemplate.Replace("TENANT_ID", tenantId));
}
/// <summary>
/// Expands the issuer templates found in configuration into the concrete issuers
/// accepted for token validation, substituting the configured tenant id for the
/// "TENANT_ID" placeholder.
/// </summary>
/// <param name="configuration">Read via the tenant-id and valid-issuers settings keys.</param>
/// <returns>
/// A lazily evaluated sequence of issuer strings; enumerate once (or materialize)
/// if it will be iterated repeatedly.
/// </returns>
private static IEnumerable<string> GetValidIssuers(IConfiguration configuration)
{
    var tenantId = configuration[AuthenticationServiceCollectionExtensions.TenantIdConfigurationSettingsKey];

    var issuerTemplates = AuthenticationServiceCollectionExtensions.GetSettings(
        configuration,
        AuthenticationServiceCollectionExtensions.ValidIssuersConfigurationSettingsKey);

    // A null tenant id is treated by string.Replace as an empty replacement,
    // i.e. the placeholder is removed rather than substituted.
    return issuerTemplates.Select(issuerTemplate => issuerTemplate.Replace("TENANT_ID", tenantId));
}
/// <summary>
/// Registers JWT bearer authentication through Microsoft.Identity.Web with the
/// confidential-client credential taken from configuration (the client-secret
/// counterpart of the certificate variant), then overrides the bearer options.
/// </summary>
/// <param name="services">Service collection to register into.</param>
/// <param name="configuration">Configuration handed to the Microsoft.Identity.Web registration.</param>
/// <param name="authenticationOptions">Source of the accepted audiences and issuers.</param>
/// <param name="azureADOptions">Supplies the instance and tenant that form the authority URL.</param>
private static void RegisterAuthenticationServicesWithSecret(
    IServiceCollection services,
    IConfiguration configuration,
    AuthenticationOptions authenticationOptions,
    AzureADOptions azureADOptions)
{
    services.AddMicrosoftIdentityWebApiAuthentication(configuration)
        .EnableTokenAcquisitionToCallDownstreamApi()
        .AddInMemoryTokenCaches();

    var authority = $"{azureADOptions.Instance}{azureADOptions.TenantId}/v2.0";

    services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, bearerOptions =>
    {
        bearerOptions.Authority = authority;
        bearerOptions.SaveToken = true;

        var validation = bearerOptions.TokenValidationParameters;
        validation.ValidAudiences = AuthenticationServiceCollectionExtensions.GetValidAudiences(authenticationOptions);
        validation.AudienceValidator = AuthenticationServiceCollectionExtensions.AudienceValidator;
        validation.ValidIssuers = AuthenticationServiceCollectionExtensions.GetValidIssuers(authenticationOptions);
    });
}
/// <summary>
/// Registers plain JWT bearer authentication for a single-tenant application.
/// The authority is derived from the "AzureAd" section; audiences, issuers and
/// the audience validator come from configuration-driven helpers.
/// </summary>
/// <param name="services">Service collection to register into.</param>
/// <param name="configuration">Validated first; the "AzureAd" section is bound when the handler options are built.</param>
private static void RegisterAuthenticationServices(
    IServiceCollection services,
    IConfiguration configuration)
{
    AuthenticationServiceCollectionExtensions.ValidateAuthenticationConfigurationSettings(configuration);

    // Runs when the bearer handler's options are constructed, not at registration time.
    string ResolveAuthority()
    {
        var azureAd = new AzureADOptions();
        configuration.Bind("AzureAd", azureAd);
        return $"{azureAd.Instance}{azureAd.TenantId}/v2.0";
    }

    // A fresh instance replaces whatever the framework may have pre-populated on the options.
    TokenValidationParameters BuildValidationParameters() => new TokenValidationParameters
    {
        ValidAudiences = AuthenticationServiceCollectionExtensions.GetValidAudiences(configuration),
        ValidIssuers = AuthenticationServiceCollectionExtensions.GetValidIssuers(configuration),
        AudienceValidator = AuthenticationServiceCollectionExtensions.AudienceValidator,
    };

    services
        .AddAuthentication(authOptions => authOptions.DefaultScheme = JwtBearerDefaults.AuthenticationScheme)
        .AddJwtBearer(bearerOptions =>
        {
            bearerOptions.Authority = ResolveAuthority();
            bearerOptions.TokenValidationParameters = BuildValidationParameters();
        });
}
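/// <summary>
/// Registers two bearer-token authentication schemes for a single-tenant application:
/// the default JWT bearer scheme validating Azure AD tokens, and an IdentityServer-based
/// scheme named <see cref="PolicyNames.AtWorkRioIdentity"/>. Also registers the bound
/// <see cref="AtWorkRioIdentityOptions"/> and a <see cref="DiscoveryCache"/> for the
/// IdentityServer authority.
/// </summary>
/// <param name="services">Service collection to register into.</param>
/// <param name="configuration">Validated first; the "AzureAd" and "AtWorkRioIdentity" sections are read.</param>
/// <exception cref="System.InvalidOperationException">
/// Thrown at startup when the "AtWorkRioIdentity" section is absent or empty.
/// </exception>
private static void RegisterAuthenticationServices(
    IServiceCollection services,
    IConfiguration configuration)
{
    AuthenticationServiceCollectionExtensions.ValidateAuthenticationConfigurationSettings(configuration);

    // Fail at startup rather than on the first request: Get<T>() yields null for an
    // absent/empty section and the lambdas below dereference the result.
    var atWorkRioIdentityOptions = configuration.GetSection("AtWorkRioIdentity").Get<AtWorkRioIdentityOptions>()
        ?? throw new System.InvalidOperationException("Configuration section 'AtWorkRioIdentity' is missing or empty.");

    // The same bound instance is handed out on every resolve.
    services.AddTransient<AtWorkRioIdentityOptions>(svc => atWorkRioIdentityOptions);
    services.AddSingleton(serviceProvider =>
    {
        // GetRequiredService reports a missing registration as a clear exception
        // instead of a null dereference on .Authority.
        var options = serviceProvider.GetRequiredService<AtWorkRioIdentityOptions>();
        return new DiscoveryCache(options.Authority);
    });

    services
        .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options =>
        {
            var azureADOptions = new AzureADOptions();
            configuration.Bind("AzureAd", azureADOptions);
            options.Authority = $"{azureADOptions.Instance}{azureADOptions.TenantId}/v2.0";
            // A fresh instance replaces whatever the framework may have pre-populated on the options.
            options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidAudiences = AuthenticationServiceCollectionExtensions.GetValidAudiences(configuration),
                ValidIssuers = AuthenticationServiceCollectionExtensions.GetValidIssuers(configuration),
                AudienceValidator = AuthenticationServiceCollectionExtensions.AudienceValidator,
            };
        })
        .AddIdentityServerAuthentication(PolicyNames.AtWorkRioIdentity, options =>
        {
            options.Authority = atWorkRioIdentityOptions.Authority;
            options.ApiName = atWorkRioIdentityOptions.ApiName;
            options.ApiSecret = atWorkRioIdentityOptions.ApiSecret;
            // SECURITY(review): with the HTTPS requirement disabled, the authority's metadata
            // may be fetched over plain HTTP, where it can be altered in transit. Kept as-is to
            // preserve behaviour; it should be true outside local development — confirm with the team.
            options.RequireHttpsMetadata = false;
        });
}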
/// <summary>
/// Registers authentication for a single-tenant application, choosing between the
/// certificate-based and secret-based Microsoft.Identity.Web registrations according
/// to the "UseCertificate" setting.
/// </summary>
/// <param name="services">Service collection to register into.</param>
/// <param name="configuration">Read for "UseCertificate" and passed through to the chosen registration.</param>
/// <param name="authenticationOptions">Validated first; supplies instance, tenant and client id.</param>
private static void RegisterAuthenticationServices(
    IServiceCollection services,
    IConfiguration configuration,
    AuthenticationOptions authenticationOptions)
{
    AuthenticationServiceCollectionExtensions.ValidateAuthenticationOptions(authenticationOptions);

    var azureAd = new AzureADOptions
    {
        Instance = authenticationOptions.AzureAdInstance,
        TenantId = authenticationOptions.AzureAdTenantId,
        ClientId = authenticationOptions.AzureAdClientId,
    };

    // "UseCertificate" selects the confidential-client credential type; an absent
    // setting reads as false and therefore selects the client-secret path.
    if (!configuration.GetValue<bool>("UseCertificate"))
    {
        RegisterAuthenticationServicesWithSecret(services, configuration, authenticationOptions, azureAd);
        return;
    }

    RegisterAuthenticationServicesWithCertificate(services, configuration, authenticationOptions, azureAd);
}