private AuthenticationBuilder AddSecondOpenIdConfiguration(AuthenticationBuilder builder) { var config = new OpenIdConfiguration(); Configuration.GetSection("Authentication:ADC2").Bind(config); return(builder.AddOpenIdConnect("ADC2", config.DisplayName, o => { o.Authority = config.Authority; o.ClientId = config.ClientId; o.ClientSecret = config.ClientSecret; o.ResponseType = config.ResponseType; var scopes = config.Scopes; if (!string.IsNullOrWhiteSpace(scopes)) { o.Scope.Clear(); foreach (var scope in scopes.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries)) { o.Scope.Add(scope); } } o.TokenValidationParameters.NameClaimType = "name"; o.TokenValidationParameters.RoleClaimType = "role"; o.GetClaimsFromUserInfoEndpoint = true; o.SaveTokens = false; o.CallbackPath = "/signin-adc2"; o.RemoteSignOutPath = "/signout-adc2"; o.SignedOutCallbackPath = "/signedout-callback-adc2"; o.SignedOutRedirectUri = "/Contact"; o.Events = new OpenIdConnectEvents() { OnRedirectToIdentityProviderForSignOut = async context => { // für das Single Signout ein gemwerkets id_token also authoriserung für das Logout dem IdServer mitgeben var idToken = await context.HttpContext.GetTokenAsync("id_token"); if (!string.IsNullOrWhiteSpace(idToken)) { context.ProtocolMessage.IdTokenHint = idToken; } } }; })); }
// This method gets called by the runtime. Use this method to add services to the container. public void ConfigureServices(IServiceCollection services) { var config = new OpenIdConfiguration(); Configuration.GetSection("Authentication:ADC").Bind(config); var authBuilder = services.AddAuthentication(o => { o.DefaultAuthenticateScheme = "Cookies"; o.DefaultChallengeScheme = "Cookies"; o.DefaultSignInScheme = "External"; o.DefaultSignOutScheme = "Cookies"; }) .AddCookie("Cookies", o => { o.Cookie.HttpOnly = true; o.LoginPath = "/Login"; o.Cookie.Name = "ADC.Authentication"; }) .AddCookie("External", o => { o.Cookie.HttpOnly = true; o.Cookie.Name = "ADC.External"; }) .AddOpenIdConnect("ADC", config.DisplayName, o => { o.Authority = config.Authority; o.ClientId = config.ClientId; o.ClientSecret = config.ClientSecret; o.ResponseType = config.ResponseType; var scopes = config.Scopes; if (!string.IsNullOrWhiteSpace(scopes)) { o.Scope.Clear(); foreach (var scope in scopes.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries)) { o.Scope.Add(scope); } } o.TokenValidationParameters.NameClaimType = "name"; o.TokenValidationParameters.RoleClaimType = "role"; o.GetClaimsFromUserInfoEndpoint = true; o.SaveTokens = true; // Standard ist signin-oidc, signout-oidc, signedout-callback-oidc, jedoch muss es je OpenIdConnect Configuration einmalig sein // um direkt für weitere Provider gewappnet zu sein, auch bei nur einem Pfad festlegen // so spart man sich später anpassungen, dies Pfade müssen dem OpenIdConnect Provider bekannt sein. o.CallbackPath = "/signin-adc"; o.RemoteSignOutPath = "/signout-adc"; o.SignedOutCallbackPath = "/signedout-callback-adc"; o.SignedOutRedirectUri = "/"; // dahin wird nach dem erfolgtem Logout weitergeleitet o.Events = new OpenIdConnectEvents() { OnRedirectToIdentityProviderForSignOut = async context => { // für das Single Signout ein gemwerkets id_token also authoriserung für das Logout dem IdServer mitgeben var idToken = await context.HttpContext.GetTokenAsync("id_token"); if (!string.IsNullOrWhiteSpace(idToken)) { context.ProtocolMessage.IdTokenHint = idToken; } } }; }); AddSecondOpenIdConfiguration(authBuilder); services.AddMvc(); }