        /// <summary>
        /// Wires the OpenID Connect authorization-code flow into the authentication pipeline.
        /// </summary>
        /// <param name="builder">The authentication builder to extend.</param>
        /// <param name="options">The Okta MVC options the OpenID Connect handler is configured from.</param>
        /// <returns>The same <paramref name="builder"/> so calls can be chained.</returns>
        private static AuthenticationBuilder AddCodeFlow(AuthenticationBuilder builder, OktaMvcOptions options)
        {
            // Only the pre-redirect hook is customised here; the remaining handler settings are
            // applied by OpenIdConnectOptionsHelper when the handler is registered.
            var oidcEvents = new OpenIdConnectEvents();
            oidcEvents.OnRedirectToIdentityProvider = BeforeRedirectToIdentityProviderAsync;

            // Process-wide static: clearing the inbound map keeps the short JWT claim names
            // (instead of the mapped .NET ClaimTypes URIs) for every JwtSecurityTokenHandler in the app.
            JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

            builder.AddOpenIdConnect(oidc => OpenIdConnectOptionsHelper.ConfigureOpenIdConnectOptions(options, oidcEvents, oidc));

            return builder;
        }
        /// <summary>
        /// Adds Okta-backed OpenID Connect authentication (authorization-code flow) to the builder.
        /// </summary>
        /// <param name="builder">The authentication builder to extend.</param>
        /// <param name="options">The Okta MVC options; validated before any handler is registered.</param>
        /// <returns>The same <paramref name="builder"/> for chaining.</returns>
        /// <exception cref="ArgumentNullException">Thrown when <paramref name="builder"/> is <c>null</c>.</exception>
        public static AuthenticationBuilder AddOktaMvc(this AuthenticationBuilder builder, OktaMvcOptions options)
        {
            if (builder == null)
            {
                throw new ArgumentNullException(nameof(builder));
            }

            // Fail fast on misconfiguration: the options are checked before the OIDC handler is wired up,
            // so an invalid client id / domain never reaches the authentication pipeline.
            var validator = new OktaMvcOptionsValidator();
            validator.Validate(options);

            return AddCodeFlow(builder, options);
        }
        /// <summary>
        /// Wires the OpenID Connect authorization-code flow into the authentication pipeline,
        /// optionally capping the lifetime of the resulting authentication ticket.
        /// </summary>
        /// <param name="builder">The authentication builder to extend.</param>
        /// <param name="options">The Okta MVC options the OpenID Connect handler is configured from.</param>
        /// <returns>The same <paramref name="builder"/> so calls can be chained.</returns>
        private static AuthenticationBuilder AddCodeFlow(AuthenticationBuilder builder, OktaMvcOptions options)
        {
            var oidcEvents = new OpenIdConnectEvents();
            oidcEvents.OnRedirectToIdentityProvider = BeforeRedirectToIdentityProviderAsync;

            // When configured, bound the authentication ticket (session) lifetime independently of the
            // token lifetimes issued by Okta. The value is read from options at the time the ticket arrives.
            if (options.AuthenticationTicketExpiryInMinutes.HasValue)
            {
                // Nothing is awaited here; the lambda is async only so it yields the Task the event expects.
                oidcEvents.OnTicketReceived = async ticketContext =>
                {
                    var expiryMinutes = options.AuthenticationTicketExpiryInMinutes.Value;
                    ticketContext.Properties.ExpiresUtc = DateTime.UtcNow.AddMinutes(expiryMinutes);
                };
            }

            // Process-wide static: clearing the inbound map keeps the short JWT claim names
            // (instead of the mapped .NET ClaimTypes URIs) for every JwtSecurityTokenHandler in the app.
            JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

            builder.AddOpenIdConnect(oidc => OpenIdConnectOptionsHelper.ConfigureOpenIdConnectOptions(options, oidcEvents, oidc));

            return builder;
        }
        /// <summary>
        /// Registers the OpenID Connect handler for the Okta authorization-code flow.
        /// </summary>
        /// <param name="builder">The authentication builder to extend.</param>
        /// <param name="options">The Okta MVC options the handler is configured from.</param>
        /// <returns>The same <paramref name="builder"/> for chaining.</returns>
        private static AuthenticationBuilder AddCodeFlow(AuthenticationBuilder builder, OktaMvcOptions options)
        {
            // The issuer URL is built from the Okta domain and authorization server id; it serves both as the
            // OIDC authority (discovery document source) and as the issuer the token validation is bound to.
            var issuer = UrlHelper.CreateIssuerUrl(options.OktaDomain, options.AuthorizationServerId);

            // Process-wide static: keep the short JWT claim names rather than the mapped .NET ClaimTypes URIs.
            JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

            builder.AddOpenIdConnect(oidc =>
            {
                oidc.ClientId = options.ClientId;
                oidc.ClientSecret = options.ClientSecret;
                oidc.Authority = issuer;
                oidc.CallbackPath = new PathString(options.CallbackPath);
                oidc.SignedOutCallbackPath = new PathString(OktaDefaults.SignOutCallbackPath);

                // Authorization-code flow: tokens are exchanged over the back channel, not returned to the browser.
                oidc.ResponseType = OpenIdConnectResponseType.Code;
                oidc.GetClaimsFromUserInfoEndpoint = options.GetClaimsFromUserInfoEndpoint;

                // Tokens are stored in the authentication ticket so the app can use them later; this also
                // means they live in whatever the ticket is persisted to (typically the auth cookie).
                oidc.SaveTokens = true;

                // The ticket lifetime is managed by the app, not copied from the id_token expiry.
                oidc.UseTokenLifetime = false;
                oidc.BackchannelHttpHandler = new UserAgentHandler();

                // Only an explicit, non-empty scope list replaces the handler's defaults.
                var requestedScopes = options.Scope;
                if (requestedScopes != null && requestedScopes.Any())
                {
                    oidc.Scope.Clear();
                    foreach (var scope in options.Scope)
                    {
                        oidc.Scope.Add(scope);
                    }
                }

                // Tokens must be issued for this client; the "name" claim backs User.Identity.Name.
                oidc.TokenValidationParameters = new DefaultTokenValidationParameters(options, issuer)
                {
                    ValidAudience = options.ClientId,
                    NameClaimType = "name",
                };
            });

            return builder;
        }
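        /// <summary>
        /// Configures an <see cref="OpenIdConnectOptions"/> instance from the user's <see cref="OktaMvcOptions"/>.
        /// </summary>
        /// <param name="oktaMvcOptions">The <see cref="OktaMvcOptions"/> options.</param>
        /// <param name="events">
        /// The OpenIdConnect events. Its <c>OnRedirectToIdentityProvider</c> handler is copied onto
        /// <paramref name="oidcOptions"/> unconditionally, replacing whatever handler was there (including with <c>null</c>).
        /// </param>
        /// <param name="oidcOptions">The OpenIdConnectOptions to configure.</param>
        /// <exception cref="ArgumentNullException">Thrown when any argument is <c>null</c>.</exception>
        public static void ConfigureOpenIdConnectOptions(OktaMvcOptions oktaMvcOptions, OpenIdConnectEvents events, OpenIdConnectOptions oidcOptions)
        {
            // Guard the public entry point the same way AddOktaMvc guards its builder, so a missing
            // argument surfaces as ArgumentNullException instead of a NullReferenceException part-way through.
            if (oktaMvcOptions == null)
            {
                throw new ArgumentNullException(nameof(oktaMvcOptions));
            }

            if (events == null)
            {
                throw new ArgumentNullException(nameof(events));
            }

            if (oidcOptions == null)
            {
                throw new ArgumentNullException(nameof(oidcOptions));
            }

            // The issuer URL is built from the Okta domain and authorization server id; it serves both as the
            // OIDC authority (discovery document source) and as the issuer the token validation is bound to.
            var issuer = UrlHelper.CreateIssuerUrl(oktaMvcOptions.OktaDomain, oktaMvcOptions.AuthorizationServerId);

            oidcOptions.ClientId                      = oktaMvcOptions.ClientId;
            oidcOptions.ClientSecret                  = oktaMvcOptions.ClientSecret;
            oidcOptions.Authority                     = issuer;
            oidcOptions.CallbackPath                  = new PathString(oktaMvcOptions.CallbackPath);
            oidcOptions.SignedOutCallbackPath         = new PathString(OktaDefaults.SignOutCallbackPath);
            oidcOptions.SignedOutRedirectUri          = oktaMvcOptions.PostLogoutRedirectUri;

            // Authorization-code flow: tokens are exchanged over the back channel, not returned to the browser.
            oidcOptions.ResponseType                  = OpenIdConnectResponseType.Code;
            oidcOptions.GetClaimsFromUserInfoEndpoint = oktaMvcOptions.GetClaimsFromUserInfoEndpoint;

            // Use the stricter project validator instead of the handler's default token validator.
            oidcOptions.SecurityTokenValidator        = new StrictSecurityTokenValidator();

            // Tokens are stored in the authentication ticket so the app can use them later; this also
            // means they live in whatever the ticket is persisted to (typically the auth cookie).
            oidcOptions.SaveTokens                    = true;

            // The ticket lifetime is managed by the app, not copied from the id_token expiry.
            oidcOptions.UseTokenLifetime              = false;

            // Back-channel calls (discovery, token, userinfo) go through the Okta handler, which also
            // identifies this SDK and its version to Okta.
            oidcOptions.BackchannelHttpHandler        = new OktaHttpMessageHandler(
                "okta-aspnetcore",
                typeof(OktaAuthenticationOptionsExtensions).Assembly.GetName().Version,
                oktaMvcOptions);

            // Only an explicit, non-empty scope list replaces the handler's defaults.
            var hasDefinedScopes = oktaMvcOptions.Scope?.Any() ?? false;

            if (hasDefinedScopes)
            {
                oidcOptions.Scope.Clear();
                foreach (var scope in oktaMvcOptions.Scope)
                {
                    oidcOptions.Scope.Add(scope);
                }
            }

            // Tokens must be issued for this client; the "name" claim backs User.Identity.Name.
            oidcOptions.TokenValidationParameters = new DefaultTokenValidationParameters(oktaMvcOptions, issuer)
            {
                ValidAudience = oktaMvcOptions.ClientId,
                NameClaimType = "name",
            };

            // Always overwritten, even when the supplied events carry no handler.
            oidcOptions.Events.OnRedirectToIdentityProvider = events.OnRedirectToIdentityProvider;

            // User-supplied hooks are only installed when set, so the handler defaults otherwise remain.
            if (oktaMvcOptions.OnTokenValidated != null)
            {
                oidcOptions.Events.OnTokenValidated = oktaMvcOptions.OnTokenValidated;
            }

            if (oktaMvcOptions.GetClaimsFromUserInfoEndpoint && oktaMvcOptions.OnUserInformationReceived != null)
            {
                oidcOptions.Events.OnUserInformationReceived = oktaMvcOptions.OnUserInformationReceived;
            }

            // When the userinfo endpoint is consulted, every claim it returns is mapped onto the identity.
            if (oktaMvcOptions.GetClaimsFromUserInfoEndpoint)
            {
                oidcOptions.ClaimActions.Add(new MapAllClaimsAction());
            }

            // Remote (Okta-side) failures and local authentication failures have separate, optional hooks.
            if (oktaMvcOptions.OnOktaApiFailure != null)
            {
                oidcOptions.Events.OnRemoteFailure = oktaMvcOptions.OnOktaApiFailure;
            }

            if (oktaMvcOptions.OnAuthenticationFailed != null)
            {
                oidcOptions.Events.OnAuthenticationFailed = oktaMvcOptions.OnAuthenticationFailed;
            }
        }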