        /// <summary>
        /// Registers the Azure AD authentication schemes for <paramref name="application"/>:
        /// a JWT bearer scheme when the application has an API path mode, and an
        /// OpenID Connect + cookie pair when it has a Web path mode. Depending on the
        /// configured path modes, neither, one or both registrations happen.
        /// </summary>
        /// <param name="authBuilder">Builder the schemes are added to.</param>
        /// <param name="application">Proxied application whose identity-provider binding supplies the client id and secret.</param>
        /// <param name="idp">Identity provider supplying the Azure AD instance and tenant id.</param>
        private static void ConfigureAzureADAuth(AuthenticationBuilder authBuilder, ProxyApplication application, IdentityProvider idp)
        {
            var names = ProxyAuthComponents.GetAuthSchemes(application);

            // Small local helper so both registrations read the same way.
            bool Enabled(PathAuthOptions.AuthMode mode) => application.HasPathMode(mode);

            if (Enabled(PathAuthOptions.AuthMode.Api))
            {
                authBuilder.AddAzureADBearer(
                    scheme: names.ApiName,
                    jwtBearerScheme: names.JwtBearerName,
                    configureOptions: options =>
                    {
                        // Bearer validation is configured with tenant and client id only; no secret is set here.
                        options.Instance = idp.Instance;
                        options.TenantId = idp.TenantId;
                        options.ClientId = application.IdentityProviderBinding.ClientId;
                    });
            }

            if (Enabled(PathAuthOptions.AuthMode.Web))
            {
                authBuilder.AddAzureAD(
                    scheme: names.WebName,
                    openIdConnectScheme: names.OpenIdName,
                    cookieScheme: names.CookieName,
                    displayName: names.DisplayName,
                    configureOptions: options =>
                    {
                        var binding = application.IdentityProviderBinding;

                        options.Instance = idp.Instance;
                        options.TenantId = idp.TenantId;
                        // The web scheme needs the client secret in addition to the client id.
                        options.ClientId = binding.ClientId;
                        options.ClientSecret = binding.ClientSecret;
                        // Both redirect endpoints are served by the proxy's own meta-endpoints.
                        options.CallbackPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.SignInCallback);
                        options.SignedOutCallbackPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.SignedOutCallback);
                    });
            }
        }
        /// <summary>
        /// Registers generic OpenID Connect / JWT bearer authentication for
        /// <paramref name="application"/> against <paramref name="idp"/>: a JWT bearer
        /// scheme for API path modes, and an OpenID Connect scheme plus a session cookie
        /// scheme for Web path modes.
        /// </summary>
        /// <param name="authBuilder">Builder the schemes are added to.</param>
        /// <param name="application">Proxied application; supplies the client id/secret, app-id URI, cookie SameSite setting and name.</param>
        /// <param name="idp">Identity provider supplying the authority and, optionally, an explicit access-token issuer.</param>
        /// <param name="retainWebToken">Passed to <c>SaveTokens</c> on the OpenID Connect handler.</param>
        /// <param name="retainApiToken">Passed to <c>SaveToken</c> on the JWT bearer handler.</param>
        private static void ConfigureOpenIDConnectAuth(AuthenticationBuilder authBuilder, ProxyApplication application, IdentityProvider idp, bool retainWebToken, bool retainApiToken)
        {
            var names = ProxyAuthComponents.GetAuthSchemes(application);

            if (application.HasPathMode(PathAuthOptions.AuthMode.Api))
            {
                authBuilder.AddJwtBearer(names.ApiName, options =>
                {
                    var binding    = application.IdentityProviderBinding;
                    var validation = options.TokenValidationParameters;

                    options.Authority = idp.Authority;

                    // Only pin an explicit issuer when the provider declares one.
                    if (idp.AccessTokenIssuer is not null)
                    {
                        validation.ValidIssuer = idp.AccessTokenIssuer;
                    }

                    options.Audience  = binding.ClientId;
                    options.SaveToken = retainApiToken;
                    // NOTE(review): both Audience (client id) and ValidAudiences (app-id URI) are set here;
                    // confirm the intended accepted-audience set, since the handler may honour both.
                    validation.ValidAudiences     = new[] { binding.AppIdUri };
                    validation.AuthenticationType = ProxyAuthComponents.ApiAuth;

                    // Replace the default validator list with a handler that does not remap inbound claim types.
                    options.SecurityTokenValidators.Clear();
                    options.SecurityTokenValidators.Add(new JwtSecurityTokenHandler { MapInboundClaims = false });
                });
            }

            if (application.HasPathMode(PathAuthOptions.AuthMode.Web))
            {
                authBuilder.AddOpenIdConnect(names.OpenIdName, options =>
                {
                    var binding = application.IdentityProviderBinding;

                    options.ClientId     = binding.ClientId;
                    options.ClientSecret = binding.ClientSecret;
                    options.Authority    = idp.Authority;

                    // Sign-in, sign-out and remote sign-out endpoints are all served by the proxy's meta-endpoints.
                    options.CallbackPath          = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.SignInCallback);
                    options.SignedOutCallbackPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.SignedOutCallback);
                    options.RemoteSignOutPath     = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.RemoteSignOut);

                    // The resulting identity is signed into the cookie scheme registered below.
                    options.SignInScheme     = names.WebName;
                    options.UseTokenLifetime = true;
                    options.SaveTokens       = retainWebToken;
                    options.TokenValidationParameters.AuthenticationType = ProxyAuthComponents.WebAuth;
                    // Same no-remapping validator as the API scheme, so claim types stay consistent across both.
                    options.SecurityTokenValidator = new JwtSecurityTokenHandler { MapInboundClaims = false };
                });

                authBuilder.AddCookie(names.WebName, options =>
                {
                    options.AccessDeniedPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.AccessDenied);
                    // Per-application SameSite override, falling back to Lax.
                    options.Cookie.SameSite  = application.SessionCookieSameSiteMode ?? SameSiteMode.Lax;
                    options.Cookie.Name      = $"{ProxyAuthComponents.CookiePrefix}.{ProxyAuthComponents.AuthCookieId}.{application.Name}";
                    // NOTE(review): Cookie.SecurePolicy and HttpOnly are left at the handler defaults; confirm
                    // they fit the deployment (e.g. where TLS is terminated relative to the proxy).
                    // Challenges on this scheme are forwarded to the OpenID Connect scheme.
                    options.ForwardChallenge = names.OpenIdName;
                });
            }
        }