/// <summary>
/// Registers the Azure AD authentication handlers for <paramref name="application"/> under the
/// per-application scheme names produced by <see cref="ProxyAuthComponents.GetAuthSchemes"/>:
/// a bearer (JWT) handler when the application has API paths, and the OpenID Connect + cookie
/// pair when it has Web paths.
/// </summary>
/// <param name="authBuilder">Builder the handlers are added to.</param>
/// <param name="application">Application whose path modes and identity-provider binding drive registration.</param>
/// <param name="idp">Identity provider supplying the Azure AD instance and tenant id.</param>
private static void ConfigureAzureADAuth(AuthenticationBuilder authBuilder, ProxyApplication application, IdentityProvider idp)
{
    var schemeNames = ProxyAuthComponents.GetAuthSchemes(application);

    if (application.HasPathMode(PathAuthOptions.AuthMode.Api))
    {
        authBuilder.AddAzureADBearer(
            scheme: schemeNames.ApiName,
            jwtBearerScheme: schemeNames.JwtBearerName,
            configureOptions: bearer =>
            {
                bearer.Instance = idp.Instance;
                bearer.TenantId = idp.TenantId;
                bearer.ClientId = application.IdentityProviderBinding.ClientId;
            });
    }

    if (application.HasPathMode(PathAuthOptions.AuthMode.Web))
    {
        authBuilder.AddAzureAD(
            scheme: schemeNames.WebName,
            openIdConnectScheme: schemeNames.OpenIdName,
            cookieScheme: schemeNames.CookieName,
            displayName: schemeNames.DisplayName,
            configureOptions: web =>
            {
                web.Instance = idp.Instance;
                web.TenantId = idp.TenantId;
                web.ClientId = application.IdentityProviderBinding.ClientId;
                // The client secret is only handed to the web (interactive) handler; the bearer
                // handler above validates tokens and never needs it.
                web.ClientSecret = application.IdentityProviderBinding.ClientSecret;
                // Both callbacks live under the proxy's own meta endpoints, not the proxied app.
                web.CallbackPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.SignInCallback);
                web.SignedOutCallbackPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.SignedOutCallback);
            });
    }
}
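/// <summary>
/// Collects the claim names that the header authenticators bound to <paramref name="application"/>
/// need: each header definition contributes its explicit <c>ClaimName</c>, or, when that is null,
/// every name captured by group 1 of <c>claimRegex</c> in its <c>Expression</c>.
/// </summary>
/// <param name="application">Application whose authenticator bindings are resolved.</param>
/// <param name="options">Proxy options holding the authenticator definitions the bindings refer to.</param>
/// <returns>The claim names in definition order (duplicates preserved), or <c>null</c> when none are needed.</returns>
/// <remarks>
/// <c>Single()</c> throws when a binding names an authenticator that does not exist or exists more
/// than once; that fail-fast on misconfiguration is kept. The query is now materialized once — the
/// previous version enumerated it twice (for <c>Count()</c> and then <c>SelectMany</c>), repeating
/// every <c>Single()</c> lookup.
/// </remarks>
private string[] GetAllNeededClaims(ProxyApplication application, ProxyOptions options)
{
    var headerAuthenticators = application.AuthenticatorBindings?
        .Select(b => options.Authenticators.Single(a => a.Name == b.Name))
        .Where(a => a.Type == AuthenticatorType.Headers)
        .ToList();

    if (headerAuthenticators == null || headerAuthenticators.Count == 0)
    {
        return null;
    }

    var claims = new List<string>();
    foreach (var definition in headerAuthenticators.SelectMany(h => h.HeaderDefinitions))
    {
        if (definition.ClaimName != null)
        {
            claims.Add(definition.ClaimName);
            continue;
        }

        // A null Expression makes Regex.Matches throw ArgumentNullException, as before.
        // NOTE(review): group 1 of claimRegex is assumed to capture the claim name — confirm
        // against the regex definition.
        foreach (Match match in claimRegex.Matches(definition.Expression))
        {
            claims.Add(match.Groups[1].Value);
        }
    }

    return claims.Count > 0 ? claims.ToArray() : null;
}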
/// <summary>
/// Resolves the <see cref="ProxyApplication"/> that owns the current request by matching the
/// request's Host against the configured application list.
/// </summary>
/// <param name="context">Accessor for the current HTTP context; the request Host is read from it.</param>
/// <param name="options">Proxy configuration holding the application list.</param>
/// <remarks>
/// The Host header is attacker-controlled. This lookup assumes host-filtering middleware runs
/// earlier in the pipeline and rejects unknown hosts, so <c>First</c> is expected never to throw.
/// If that middleware is missing or misordered, an unknown Host surfaces here as an
/// <see cref="System.InvalidOperationException"/> rather than silently selecting another
/// application — which is the safer failure mode, so keep <c>First</c> (not <c>FirstOrDefault</c>).
/// </remarks>
public ProxyApplicationService(IHttpContextAccessor context, IOptions<ProxyOptions> options)
{
    _options = options.Value;

    HostString currentHost = context.HttpContext.Request.Host;
    bool OwnsHost(ProxyApplication app) => app.Host.Value == currentHost;

    _activeApplication = _options.Applications.First(OwnsHost);
}
/// <summary>
/// Builds the per-application authentication scheme names. Every name is the application name,
/// a ".", and the matching <see cref="AzureADDefaults"/> constant, which is the prefix
/// <see cref="IsSchemeForApplication"/> later uses to attribute a scheme to an application.
/// </summary>
/// <param name="application">Application whose <c>Name</c> becomes the scheme prefix.</param>
/// <returns>The web, display, OpenID, cookie, API and JWT-bearer scheme names.</returns>
public static Schemes GetAuthSchemes(ProxyApplication application)
{
    string Prefixed(string suffix) => $"{application.Name}.{suffix}";

    return new Schemes
    {
        WebName = Prefixed(AzureADDefaults.AuthenticationScheme),
        DisplayName = Prefixed(AzureADDefaults.DisplayName),
        OpenIdName = Prefixed(AzureADDefaults.OpenIdScheme),
        CookieName = Prefixed(AzureADDefaults.CookieScheme),
        ApiName = Prefixed(AzureADDefaults.BearerAuthenticationScheme),
        JwtBearerName = Prefixed(AzureADDefaults.JwtBearerAuthenticationScheme),
    };
}
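/// <summary>
/// Returns whether <paramref name="scheme"/> was generated for <paramref name="application"/>,
/// i.e. whether it carries the "<c>{application.Name}.</c>" prefix that
/// <see cref="GetAuthSchemes"/> puts on every scheme name.
/// </summary>
/// <param name="scheme">Authentication scheme name to classify.</param>
/// <param name="application">Application whose name is the expected prefix.</param>
/// <returns><c>true</c> when the scheme starts with the application's prefix.</returns>
/// <remarks>
/// Scheme names are identifiers, not natural-language text, so the comparison is ordinal. The
/// previous culture-sensitive <c>StartsWith(string)</c> can treat some code points (e.g. ignorable
/// or zero-width characters under ICU) as equal, letting a scheme that is not byte-for-byte
/// prefixed be attributed to this application.
/// NOTE(review): a pure prefix check cannot distinguish application "a" from "a.b" if application
/// names may contain "."; that is unchanged here — confirm names are validated elsewhere.
/// </remarks>
public static bool IsSchemeForApplication(string scheme, ProxyApplication application)
{
    return scheme.StartsWith($"{application.Name}.", StringComparison.Ordinal);
}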
/// <summary>
/// Authorization policy name for the application's API (bearer-token) mode:
/// the application name followed by ".oauth2".
/// </summary>
/// <param name="application">Application the policy belongs to.</param>
public static string GetApiPolicyName(ProxyApplication application) => $"{application.Name}.oauth2";
/// <summary>
/// Authorization policy name for the application's Web (OpenID Connect) mode:
/// the application name followed by ".openid".
/// </summary>
/// <param name="application">Application the policy belongs to.</param>
public static string GetWebPolicyName(ProxyApplication application) => $"{application.Name}.openid";
/// <summary>
/// Registers generic JWT bearer / OpenID Connect / cookie handlers for <paramref name="application"/>
/// against a non-Azure-AD <paramref name="idp"/>, using the per-application scheme names from
/// <see cref="ProxyAuthComponents.GetAuthSchemes"/>. API paths get the bearer handler; Web paths
/// get the OIDC handler plus the cookie scheme it signs in to.
/// </summary>
/// <param name="authBuilder">Builder the handlers are added to.</param>
/// <param name="application">Application whose path modes, binding and cookie settings are applied.</param>
/// <param name="idp">Identity provider supplying the authority and, optionally, an explicit access-token issuer.</param>
/// <param name="retainWebToken">Passed to <c>SaveTokens</c> on the OIDC handler (tokens kept in the session).</param>
/// <param name="retainApiToken">Passed to <c>SaveToken</c> on the bearer handler (raw token kept on the auth properties).</param>
private static void ConfigureOpenIDConnectAuth(AuthenticationBuilder authBuilder, ProxyApplication application, IdentityProvider idp, bool retainWebToken, bool retainApiToken)
{
    var schemes = ProxyAuthComponents.GetAuthSchemes(application);
    if (application.HasPathMode(PathAuthOptions.AuthMode.Api))
    {
        authBuilder.AddJwtBearer(schemes.ApiName, options =>
        {
            options.Authority = idp.Authority;
            // Pin the issuer only when configured; otherwise it is left to the authority's
            // discovery document.
            if (idp.AccessTokenIssuer != null)
            {
                options.TokenValidationParameters.ValidIssuer = idp.AccessTokenIssuer;
            }
            // NOTE(review): both the client id (Audience) and the App ID URI (ValidAudiences) are
            // configured; presumably the handler then accepts a token whose "aud" is either one —
            // confirm that is intended. A null AppIdUri yields a single null entry, which matches nothing.
            options.Audience = application.IdentityProviderBinding.ClientId;
            options.SaveToken = retainApiToken;
            options.TokenValidationParameters.ValidAudiences = new string[] { application.IdentityProviderBinding.AppIdUri };
            options.TokenValidationParameters.AuthenticationType = ProxyAuthComponents.ApiAuth;
            // Replace the default validator so inbound claim types are kept as issued
            // (no mapping of short JWT claim names to the long WS-* URIs).
            options.SecurityTokenValidators.Clear();
            options.SecurityTokenValidators.Add(new JwtSecurityTokenHandler { MapInboundClaims = false });
        });
    }
    if (application.HasPathMode(PathAuthOptions.AuthMode.Web))
    {
        authBuilder.AddOpenIdConnect(schemes.OpenIdName, options =>
        {
            options.ClientId = application.IdentityProviderBinding.ClientId;
            options.ClientSecret = application.IdentityProviderBinding.ClientSecret;
            options.Authority = idp.Authority;
            // Callback endpoints are the proxy's own meta endpoints, not paths of the proxied app.
            options.CallbackPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.SignInCallback);
            options.SignedOutCallbackPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.SignedOutCallback);
            // Sign the resulting principal in to the cookie scheme registered below.
            options.SignInScheme = schemes.WebName;
            // NOTE(review): UseTokenLifetime ties the session lifetime to the token's expiry rather
            // than the cookie handler's own expiration — confirm that matches the intended session policy.
            options.UseTokenLifetime = true;
            options.SaveTokens = retainWebToken;
            options.TokenValidationParameters.AuthenticationType = ProxyAuthComponents.WebAuth;
            options.RemoteSignOutPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.RemoteSignOut);
            // Same validator choice as the bearer handler: keep claim types as issued.
            // ResponseType is left at the handler default here (the Azure AD variant sets it explicitly).
            options.SecurityTokenValidator = new JwtSecurityTokenHandler { MapInboundClaims = false };
        });
        authBuilder.AddCookie(schemes.WebName, options =>
        {
            options.AccessDeniedPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.AccessDenied);
            // Lax unless the operator overrides it per application.
            // NOTE(review): Cookie.SecurePolicy is not set, so it stays at the handler default —
            // confirm the proxy only serves this cookie over HTTPS.
            options.Cookie.SameSite = application.SessionCookieSameSiteMode ?? SameSiteMode.Lax;
            // Cookie name is namespaced per application so sessions for different apps do not collide.
            options.Cookie.Name = $"{ProxyAuthComponents.CookiePrefix}.{ProxyAuthComponents.AuthCookieId}.{application.Name}";
            // Unauthenticated requests on the cookie scheme are challenged through the OIDC handler.
            options.ForwardChallenge = schemes.OpenIdName;
        });
    }
}
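/// <summary>
/// Post-configures the Azure AD handlers registered for <paramref name="application"/>:
/// audience and claim-type validation for the JWT bearer scheme, session-cookie settings for
/// the cookie scheme, and claim filtering / response type / metadata address for the OpenID
/// Connect scheme.
/// </summary>
/// <param name="services">Service collection the named option configurations are added to.</param>
/// <param name="application">Application whose binding and session-cookie settings are applied.</param>
/// <param name="additionalClaimsRetained">Claim names header authenticators need; they are kept in the session cookie even if in the default strip list. May be null.</param>
/// <param name="retainWebToken">Passed to <c>SaveTokens</c> on the OIDC handler.</param>
/// <param name="retainApiToken">Passed to <c>SaveToken</c> on the bearer handler.</param>
/// <remarks>
/// Fix: the name-claim selection compared <c>Claim.ValueType</c> (the value's schema type, e.g.
/// the XML-schema "string" URI) with the UPN claim type, so it could never match and every bearer
/// identity was named by object id. It now inspects <c>Claim.Type</c> as intended: UPN when the
/// token carries one, otherwise oid. Anything that relied on <c>Identity.Name</c> always being the
/// oid for bearer tokens (e.g. audit logs, per-user authorization) sees UPNs after this change.
/// </remarks>
private static void ConfigureAzureADAuthOptions(IServiceCollection services, ProxyApplication application, string[] additionalClaimsRetained, bool retainWebToken, bool retainApiToken)
{
    var schemes = ProxyAuthComponents.GetAuthSchemes(application);
    if (application.HasPathMode(PathAuthOptions.AuthMode.Api))
    {
        services.Configure<JwtBearerOptions>(schemes.JwtBearerName, options =>
        {
            options.SaveToken = retainApiToken;
            // The App ID URI is the accepted audience for bearer tokens. NOTE(review): the client id
            // configured on the AzureAD options presumably also counts as a valid audience — confirm.
            // A null AppIdUri yields a single null entry, which matches nothing.
            options.TokenValidationParameters.ValidAudiences = new string[] { application.IdentityProviderBinding.AppIdUri };
            options.TokenValidationParameters.AuthenticationType = ProxyAuthComponents.ApiAuth;
            options.TokenValidationParameters.RoleClaimType = AzureADClaims.Roles;
            // Prefer the UPN as the identity name when the token carries one; fall back to the
            // object id (tokens without a UPN, e.g. app-only tokens, still get a stable name).
            options.TokenValidationParameters.NameClaimTypeRetriever = (token, _) =>
            {
                var jwtToken = (JwtSecurityToken)token;
                return jwtToken.Claims.Any(c => c.Type == AzureADClaims.UserPrincipalName)
                    ? AzureADClaims.UserPrincipalName
                    : AzureADClaims.ObjectId;
            };
            // Keep claim types as issued (no mapping of short JWT names to WS-* URIs).
            options.SecurityTokenValidators.Clear();
            options.SecurityTokenValidators.Add(new JwtSecurityTokenHandler { MapInboundClaims = false });
        });
    }
    if (application.HasPathMode(PathAuthOptions.AuthMode.Web))
    {
        services.Configure<CookieAuthenticationOptions>(schemes.CookieName, options =>
        {
            options.AccessDeniedPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.AccessDenied);
            // Lax unless the operator overrides it per application.
            // NOTE(review): Cookie.SecurePolicy is not set, so it stays at the handler default —
            // confirm the proxy only serves this cookie over HTTPS.
            options.Cookie.SameSite = application.SessionCookieSameSiteMode ?? SameSiteMode.Lax;
            options.Cookie.Name = $"{ProxyAuthComponents.CookiePrefix}.{ProxyAuthComponents.AuthCookieId}.{application.Name}";
        });
        services.Configure<OpenIdConnectOptions>(schemes.OpenIdName, options =>
        {
            // Claims removed from the session cookie by default (presumably to keep the cookie
            // small and avoid persisting personal data). Order matters below: claims on either
            // retained list are taken out of this set and their existing ClaimActions removed,
            // then operator-stripped claims are appended, and only then is DeleteClaims registered.
            var stripClaims = new List<string> { "aio", "family_name", "given_name", "name", "tid", "unique_name", "uti" };
            if (additionalClaimsRetained != null)
            {
                foreach (var claim in additionalClaimsRetained)
                {
                    options.ClaimActions.Remove(claim);
                }
                stripClaims = stripClaims.Except(additionalClaimsRetained).ToList();
            }
            if (application.SessionCookieRetainedClaims != null)
            {
                foreach (var claim in application.SessionCookieRetainedClaims)
                {
                    options.ClaimActions.Remove(claim);
                }
                stripClaims = stripClaims.Except(application.SessionCookieRetainedClaims).ToList();
            }
            if (application.SessionCookieStrippedClaims != null)
            {
                stripClaims.AddRange(application.SessionCookieStrippedClaims);
            }
            options.ClaimActions.DeleteClaims(stripClaims.ToArray());
            options.SaveTokens = retainWebToken;
            options.TokenValidationParameters.AuthenticationType = ProxyAuthComponents.WebAuth;
            options.TokenValidationParameters.RoleClaimType = AzureADClaims.Roles;
            options.TokenValidationParameters.NameClaimType = AzureADClaims.UserPrincipalName;
            options.RemoteSignOutPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.RemoteSignOut);
            // Implicit id_token response is the default; operators opt into the authorization-code
            // flow per binding. NOTE(review): the implicit flow delivers the id_token via the front
            // channel — prefer Code (DisableImplicitIdToken = true) where the app registration allows it.
            options.ResponseType = application.IdentityProviderBinding.DisableImplicitIdToken
                ? OpenIdConnectResponseType.Code
                : OpenIdConnectResponseType.IdToken;
            options.SecurityTokenValidator = new JwtSecurityTokenHandler { MapInboundClaims = false };
            if (application.IdentityProviderBinding.UseApplicationMetadata)
            {
                // Reads Authority/ClientId already set on these options by the AzureAD registration,
                // so this named configuration must run after it. NOTE(review): a trailing "/" on
                // Authority would produce "//.well-known" — confirm the configured Instance/Authority form.
                options.MetadataAddress = $"{options.Authority}/.well-known/openid-configuration?appid={options.ClientId}";
            }
        });
    }
}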