private static void ConfigureAzureADAuth(AuthenticationBuilder authBuilder, ProxyApplication application, IdentityProvider idp) { var schemes = ProxyAuthComponents.GetAuthSchemes(application); if (application.HasPathMode(PathAuthOptions.AuthMode.Api)) { authBuilder.AddAzureADBearer( scheme: schemes.ApiName, jwtBearerScheme: schemes.JwtBearerName, configureOptions: options => { options.Instance = idp.Instance; options.TenantId = idp.TenantId; options.ClientId = application.IdentityProviderBinding.ClientId; }); } if (application.HasPathMode(PathAuthOptions.AuthMode.Web)) { authBuilder.AddAzureAD( scheme: schemes.WebName, openIdConnectScheme: schemes.OpenIdName, cookieScheme: schemes.CookieName, displayName: schemes.DisplayName, configureOptions: options => { options.Instance = idp.Instance; options.TenantId = idp.TenantId; options.ClientId = application.IdentityProviderBinding.ClientId; options.ClientSecret = application.IdentityProviderBinding.ClientSecret; options.CallbackPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.SignInCallback); options.SignedOutCallbackPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.SignedOutCallback); }); } }
private static void ConfigureOpenIDConnectAuth(AuthenticationBuilder authBuilder, ProxyApplication application, IdentityProvider idp, bool retainWebToken, bool retainApiToken) { var schemes = ProxyAuthComponents.GetAuthSchemes(application); if (application.HasPathMode(PathAuthOptions.AuthMode.Api)) { authBuilder.AddJwtBearer(schemes.ApiName, options => { options.Authority = idp.Authority; if (idp.AccessTokenIssuer != null) { options.TokenValidationParameters.ValidIssuer = idp.AccessTokenIssuer; } options.Audience = application.IdentityProviderBinding.ClientId; options.SaveToken = retainApiToken; options.TokenValidationParameters.ValidAudiences = new string[] { application.IdentityProviderBinding.AppIdUri }; options.TokenValidationParameters.AuthenticationType = ProxyAuthComponents.ApiAuth; options.SecurityTokenValidators.Clear(); options.SecurityTokenValidators.Add(new JwtSecurityTokenHandler { MapInboundClaims = false }); }); } if (application.HasPathMode(PathAuthOptions.AuthMode.Web)) { authBuilder.AddOpenIdConnect(schemes.OpenIdName, options => { options.ClientId = application.IdentityProviderBinding.ClientId; options.ClientSecret = application.IdentityProviderBinding.ClientSecret; options.Authority = idp.Authority; options.CallbackPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.SignInCallback); options.SignedOutCallbackPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.SignedOutCallback); options.SignInScheme = schemes.WebName; options.UseTokenLifetime = true; options.SaveTokens = retainWebToken; options.TokenValidationParameters.AuthenticationType = ProxyAuthComponents.WebAuth; options.RemoteSignOutPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.RemoteSignOut); options.SecurityTokenValidator = new JwtSecurityTokenHandler { MapInboundClaims = false }; }); authBuilder.AddCookie(schemes.WebName, options => { options.AccessDeniedPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.AccessDenied); options.Cookie.SameSite = application.SessionCookieSameSiteMode ?? SameSiteMode.Lax; options.Cookie.Name = $"{ProxyAuthComponents.CookiePrefix}.{ProxyAuthComponents.AuthCookieId}.{application.Name}"; options.ForwardChallenge = schemes.OpenIdName; }); } }
private static void CreateAuthorizationPolicies(AuthorizationOptions authOptions, ProxyOptions options) { foreach (var application in options.Applications) { var schemes = ProxyAuthComponents.GetAuthSchemes(application); if (application.HasPathMode(PathAuthOptions.AuthMode.Api)) { authOptions.AddPolicy(ProxyAuthComponents.GetApiPolicyName(application), builder => { var apiSchemes = new List <string>() { schemes.ApiName }; if (application.ApiAllowWebSession) { bool isAzureAD = options.IdentityProviders.First(i => i.Name == application.IdentityProviderBinding.Name).Type == IdentityProviderType.AzureAD; if (isAzureAD) { apiSchemes.Add(schemes.CookieName); } else { apiSchemes.Add(schemes.WebName); } } builder.AddAuthenticationSchemes(apiSchemes.ToArray()) .RequireAuthenticatedUser() .AddRequirements(new AuthorizationClaimsRequirement(application.WebRequireRoleClaim)); }); } if (application.HasPathMode(PathAuthOptions.AuthMode.Web)) { authOptions.AddPolicy(ProxyAuthComponents.GetWebPolicyName(application), builder => { builder.AddAuthenticationSchemes(schemes.WebName) .RequireAuthenticatedUser(); if (application.WebRequireRoleClaim) { builder.RequireRole(ProxyAuthComponents.WebUserRole); } }); } } }
public async Task InvokeAsync(HttpContext context, IProxyApplicationService applicationService) { var application = applicationService.GetActiveApplication(); if (application.HasPathMode(PathAuthOptions.AuthMode.Web)) { if (context.Request.Path == ProxyMetaEndpoints.AccessDenied) { await context.Response.WriteAsync("Access denied."); return; } if (context.Request.Path == ProxyMetaEndpoints.PostSignedOutCallback) { await context.Response.WriteAsync("Logged out."); return; } if (context.Request.Path == ProxyMetaEndpoints.UserSignOut) { var schemes = ProxyAuthComponents.GetAuthSchemes(application); var properties = new AuthenticationProperties { RedirectUri = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.PostSignedOutCallback) }; await context.SignOutAsync(schemes.CookieName); await context.SignOutAsync(schemes.OpenIdName, properties); return; } } context.Response.StatusCode = (int)HttpStatusCode.NotFound; }
private static void ConfigureAzureADAuthOptions(IServiceCollection services, ProxyApplication application, string[] additionalClaimsRetained, bool retainWebToken, bool retainApiToken) { var schemes = ProxyAuthComponents.GetAuthSchemes(application); if (application.HasPathMode(PathAuthOptions.AuthMode.Api)) { services.Configure <JwtBearerOptions>(schemes.JwtBearerName, options => { options.SaveToken = retainApiToken; options.TokenValidationParameters.ValidAudiences = new string[] { application.IdentityProviderBinding.AppIdUri }; options.TokenValidationParameters.AuthenticationType = ProxyAuthComponents.ApiAuth; options.TokenValidationParameters.RoleClaimType = AzureADClaims.Roles; options.TokenValidationParameters.NameClaimTypeRetriever = (token, _) => { var jwtToken = (JwtSecurityToken)token; return(jwtToken.Claims.Any(c => c.ValueType == AzureADClaims.UserPrincipalName) ? AzureADClaims.UserPrincipalName : AzureADClaims.ObjectId); }; options.SecurityTokenValidators.Clear(); options.SecurityTokenValidators.Add(new JwtSecurityTokenHandler { MapInboundClaims = false }); }); } if (application.HasPathMode(PathAuthOptions.AuthMode.Web)) { services.Configure <CookieAuthenticationOptions>(schemes.CookieName, options => { options.AccessDeniedPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.AccessDenied); options.Cookie.SameSite = application.SessionCookieSameSiteMode ?? SameSiteMode.Lax; options.Cookie.Name = $"{ProxyAuthComponents.CookiePrefix}.{ProxyAuthComponents.AuthCookieId}.{application.Name}"; }); services.Configure <OpenIdConnectOptions>(schemes.OpenIdName, options => { var stripClaims = new List <string> { "aio", "family_name", "given_name", "name", "tid", "unique_name", "uti" }; if (additionalClaimsRetained != null) { foreach (var claim in additionalClaimsRetained) { options.ClaimActions.Remove(claim); } stripClaims = stripClaims.Except(additionalClaimsRetained).ToList(); } if (application.SessionCookieRetainedClaims != null) { foreach (var claim in application.SessionCookieRetainedClaims) { options.ClaimActions.Remove(claim); } stripClaims = stripClaims.Except(application.SessionCookieRetainedClaims).ToList(); } if (application.SessionCookieStrippedClaims != null) { stripClaims.AddRange(application.SessionCookieStrippedClaims); } options.ClaimActions.DeleteClaims(stripClaims.ToArray()); options.SaveTokens = retainWebToken; options.TokenValidationParameters.AuthenticationType = ProxyAuthComponents.WebAuth; options.TokenValidationParameters.RoleClaimType = AzureADClaims.Roles; options.TokenValidationParameters.NameClaimType = AzureADClaims.UserPrincipalName; options.RemoteSignOutPath = ProxyMetaEndpoints.FullPath(ProxyMetaEndpoints.RemoteSignOut); options.ResponseType = application.IdentityProviderBinding.DisableImplicitIdToken ? OpenIdConnectResponseType.Code : OpenIdConnectResponseType.IdToken; options.SecurityTokenValidator = new JwtSecurityTokenHandler { MapInboundClaims = false }; if (application.IdentityProviderBinding.UseApplicationMetadata) { options.MetadataAddress = $"{options.Authority}/.well-known/openid-configuration?appid={options.ClientId}"; } }); } }