/// <summary>
/// Registers the Azure AD authentication handlers for <paramref name="application"/> on
/// <paramref name="authBuilder"/>: a bearer handler (scheme <c>ApiName</c>) when the
/// application has an <c>Api</c> path mode, and an interactive OpenID Connect + cookie
/// handler (scheme <c>WebName</c>) when it has a <c>Web</c> path mode. Both read the tenant
/// settings (<c>Instance</c>, <c>TenantId</c>) from <paramref name="idp"/> and the client
/// credentials from the application's identity-provider binding.
/// </summary>
/// <param name="authBuilder">Authentication builder the schemes are added to.</param>
/// <param name="application">Proxied application whose path modes and identity-provider binding drive the registration.</param>
/// <param name="idp">Identity-provider record supplying <c>Instance</c> and <c>TenantId</c>.</param>
/// <remarks>
/// NOTE(review): <c>AddAzureAD</c>/<c>AddAzureADBearer</c> belong to the AzureAD.UI package,
/// which Microsoft has marked obsolete in favour of Microsoft.Identity.Web — confirm the target
/// framework before extending this path. Nothing here overrides the package's default token
/// validation; audience/issuer checks are whatever the package derives from the options.
/// </remarks>
private static void ConfigureAzureADAuth(AuthenticationBuilder authBuilder, ProxyApplication application, IdentityProvider idp)
{
    var schemes = ProxyAuthComponents.GetAuthSchemes(application);

    // Bearer handler for API paths: only tenant + client id are needed to validate tokens.
    void RegisterApi()
    {
        authBuilder.AddAzureADBearer(
            scheme: schemes.ApiName,
            jwtBearerScheme: schemes.JwtBearerName,
            configureOptions: options =>
            {
                var binding = application.IdentityProviderBinding;
                options.Instance = idp.Instance;
                options.TenantId = idp.TenantId;
                options.ClientId = binding.ClientId;
            });
    }

    // Interactive handler for Web paths: OpenID Connect sign-in backed by a cookie session.
    void RegisterWeb()
    {
        authBuilder.AddAzureAD(
            scheme: schemes.WebName,
            openIdConnectScheme: schemes.OpenIdName,
            cookieScheme: schemes.CookieName,
            displayName: schemes.DisplayName,
            configureOptions: options =>
            {
                var binding = application.IdentityProviderBinding;
                options.Instance = idp.Instance;
                options.TenantId = idp.TenantId;
                options.ClientId = binding.ClientId;
                // Confidential-client secret comes from the binding; it is never inlined here.
                options.ClientSecret = binding.ClientSecret;
                // Callback paths are resolved through the proxy's meta-endpoint helper so they
                // stay consistent with the other sign-in/sign-out endpoints it exposes.
                options.CallbackPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.SignInCallback);
                options.SignedOutCallbackPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.SignedOutCallback);
            });
    }

    if (application.HasPathMode(PathAuthOptions.AuthMode.Api))
    {
        RegisterApi();
    }

    if (application.HasPathMode(PathAuthOptions.AuthMode.Web))
    {
        RegisterWeb();
    }
}
/// <summary>
/// Registers generic OpenID Connect / JWT bearer handlers for <paramref name="application"/>
/// on <paramref name="authBuilder"/>. For an <c>Api</c> path mode a JWT bearer scheme
/// (<c>ApiName</c>) is added that validates tokens against the authority in
/// <paramref name="idp"/>; for a <c>Web</c> path mode an OpenID Connect scheme
/// (<c>OpenIdName</c>) plus the cookie scheme it signs in to (<c>WebName</c>) are added.
/// </summary>
/// <param name="authBuilder">Authentication builder the schemes are added to.</param>
/// <param name="application">Proxied application whose path modes, identity-provider binding, name and session-cookie SameSite setting drive the registration.</param>
/// <param name="idp">Identity-provider record supplying <c>Authority</c> and, optionally, <c>AccessTokenIssuer</c>.</param>
/// <param name="retainWebToken">Passed to <c>OpenIdConnectOptions.SaveTokens</c>: whether the received tokens are kept in the web session.</param>
/// <param name="retainApiToken">Passed to <c>JwtBearerOptions.SaveToken</c>: whether the validated bearer token is kept on the authentication properties.</param>
/// <remarks>
/// Both handlers replace the default token validator with a <see cref="JwtSecurityTokenHandler"/>
/// that has <c>MapInboundClaims</c> disabled, so claim types arrive as the raw JWT names
/// (e.g. <c>sub</c>) rather than the legacy WS-* mappings.
/// NOTE(review): <c>Cookie.SecurePolicy</c> and <c>HttpOnly</c> are left at handler defaults
/// (HttpOnly on, Secure only when the request itself is HTTPS); if TLS terminates in front of
/// this proxy, confirm forwarded-headers handling or set <c>SecurePolicy</c> explicitly.
/// </remarks>
private static void ConfigureOpenIDConnectAuth(AuthenticationBuilder authBuilder, ProxyApplication application, IdentityProvider idp, bool retainWebToken, bool retainApiToken)
{
    var schemes = ProxyAuthComponents.GetAuthSchemes(application);

    // JWT bearer handler for API paths.
    void RegisterApi()
    {
        authBuilder.AddJwtBearer(schemes.ApiName, options =>
        {
            var binding = application.IdentityProviderBinding;
            var validation = options.TokenValidationParameters;

            options.Authority = idp.Authority;

            // Some providers sign access tokens under an issuer that differs from the
            // discovery document's; pin it when the IdP record specifies one.
            var accessTokenIssuer = idp.AccessTokenIssuer;
            if (accessTokenIssuer != null)
            {
                validation.ValidIssuer = accessTokenIssuer;
            }

            // Audience is set twice on purpose: the handler's post-configuration presumably
            // lifts Audience into ValidAudience, so tokens addressed to either the client id
            // or the app-id URI are accepted — verify this is the intended audience set.
            // assumes binding.AppIdUri is non-null — TODO confirm.
            options.Audience = binding.ClientId;
            validation.ValidAudiences = new[] { binding.AppIdUri };
            validation.AuthenticationType = ProxyAuthComponents.ApiAuth;
            options.SaveToken = retainApiToken;

            options.SecurityTokenValidators.Clear();
            options.SecurityTokenValidators.Add(new JwtSecurityTokenHandler { MapInboundClaims = false });
        });
    }

    // OpenID Connect handler plus its backing cookie handler for Web paths.
    void RegisterWeb()
    {
        authBuilder.AddOpenIdConnect(schemes.OpenIdName, options =>
        {
            var binding = application.IdentityProviderBinding;

            options.ClientId = binding.ClientId;
            options.ClientSecret = binding.ClientSecret;
            options.Authority = idp.Authority;

            // Sign the resulting principal into the cookie scheme registered below.
            options.SignInScheme = schemes.WebName;

            options.CallbackPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.SignInCallback);
            options.SignedOutCallbackPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.SignedOutCallback);
            options.RemoteSignOutPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.RemoteSignOut);

            // Session lifetime follows the token's expiry rather than the cookie's own default.
            options.UseTokenLifetime = true;
            options.SaveTokens = retainWebToken;
            options.TokenValidationParameters.AuthenticationType = ProxyAuthComponents.WebAuth;
            options.SecurityTokenValidator = new JwtSecurityTokenHandler { MapInboundClaims = false };
        });

        authBuilder.AddCookie(schemes.WebName, options =>
        {
            options.Cookie.Name = $"{ProxyAuthComponents.CookiePrefix}.{ProxyAuthComponents.AuthCookieId}.{application.Name}";
            // Per-application override, falling back to Lax so cross-site GET navigations
            // (e.g. the IdP redirecting back) still carry the cookie.
            options.Cookie.SameSite = application.SessionCookieSameSiteMode ?? SameSiteMode.Lax;
            options.AccessDeniedPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.AccessDenied);
            // Unauthenticated requests are challenged by the OpenID Connect handler.
            options.ForwardChallenge = schemes.OpenIdName;
        });
    }

    if (application.HasPathMode(PathAuthOptions.AuthMode.Api))
    {
        RegisterApi();
    }

    if (application.HasPathMode(PathAuthOptions.AuthMode.Web))
    {
        RegisterWeb();
    }
}