/// <summary> /// Invoked whenever AzureAD successfully authenticates a user /// </summary> /// <param name="context">Contains information about the login session as well as the user <see cref="System.Security.Claims.ClaimsIdentity"/>.</param> /// <returns>A <see cref="Task"/> representing the completed operation.</returns> public virtual Task Authenticated(AzureADAuthenticatedContext context) { return(OnAuthenticated(context)); }
protected override async Task <AuthenticationTicket> AuthenticateCoreAsync() { AuthenticationProperties properties = null; try { string code = null; string state = null; string requestPrefix = Request.Scheme + "://" + Request.Host; string redirectUri = requestPrefix + Request.PathBase + Options.CallbackPath; var stateValues = Request.Query.GetValues("state"); var codeValues = Request.Query.GetValues("code"); var errorValues = Request.Query.GetValues("error"); if (stateValues == null && codeValues == null) { return(null); } if (stateValues != null && stateValues.Count == 1) { state = stateValues[0]; } else { if (Options.ErrorLogging) { LogWarning($"Could not find state on callback URL {Request.Uri}"); } return(new AuthenticationTicket(null, new AuthenticationProperties { RedirectUri = redirectUri })); } properties = Options.StateDataFormat.Unprotect(state); if (properties == null) { if (Options.ErrorLogging) { LogWarning($"Could not decode state"); } return(new AuthenticationTicket(null, new AuthenticationProperties { RedirectUri = redirectUri })); } // OAuth2 10.12 CSRF if (!ValidateCorrelationId(properties, _logger)) { if (Options.ErrorLogging) { LogWarning($"Could not validate state"); } return(new AuthenticationTicket(null, new AuthenticationProperties { RedirectUri = redirectUri })); } if (codeValues != null && codeValues.Count == 1) { code = codeValues[0]; } else { if (errorValues == null && Options.ErrorLogging) { LogError($"Could not find code on callback URL {Request.Uri}"); } return(new AuthenticationTicket(null, properties)); } // Build up the body for the token request var body = new List <KeyValuePair <string, string> > { new KeyValuePair <string, string>("grant_type", "authorization_code"), new KeyValuePair <string, string>("code", code), new KeyValuePair <string, string>("redirect_uri", redirectUri), new KeyValuePair <string, string>("client_id", Options.ClientId), new KeyValuePair <string, string>("client_secret", Options.ClientSecret), new KeyValuePair <string, string>("resource", Options.Resource) }; // Request the token var httpRequest = new HttpRequestMessage(HttpMethod.Post, String.Format(TokenEndpointFormat, DetermineTenant(properties))) { Content = new FormUrlEncodedContent(body) }; if (Options.RequestLogging) { _logger.WriteVerbose(httpRequest.ToLogString()); } var httpResponse = await _httpClient.SendAsync(httpRequest); if (!httpResponse.IsSuccessStatusCode && Options.ErrorLogging) { _logger.WriteError(httpResponse.ToLogString()); } else if (Options.ResponseLogging) { // Note: avoid using one of the Write* methods that takes a format string as input // because the curly brackets from a JSON response will be interpreted as // curly brackets for the format string and function will throw a FormatException _logger.WriteVerbose(httpResponse.ToLogString()); } httpResponse.EnsureSuccessStatusCode(); string content = await httpResponse.Content.ReadAsStringAsync(); // Deserializes the token response var tokenResponse = JsonConvert.DeserializeObject <JObject>(content); string accessToken = tokenResponse["access_token"].Value <string>(); string expires = tokenResponse.Value <string>("expires_in"); string refreshToken = tokenResponse.Value <string>("refresh_token"); // get user info string userDisplayName = null; string userEmail = null; if (!String.IsNullOrEmpty(accessToken) && (Options.Resource == GraphResource || Options.Resource == OutlookResource)) { var endpoint = Options.Resource == GraphResource ? GraphUserInfoEndpoint : OutlookUserInfoEndpoint; var userJson = await GetUserInfoAsync(endpoint, accessToken); if (userJson != null) { userDisplayName = Options.Resource == GraphResource ? userJson["displayName"]?.Value <string>() : userJson["DisplayName"]?.Value <string>(); userEmail = Options.Resource == GraphResource ? userJson["mail"]?.Value <string>() : userJson["EmailAddress"]?.Value <string>(); } } var context = new AzureADAuthenticatedContext(Context, accessToken, expires, refreshToken, tokenResponse); context.Identity = new ClaimsIdentity( Options.AuthenticationType, ClaimsIdentity.DefaultNameClaimType, ClaimsIdentity.DefaultRoleClaimType); if (!string.IsNullOrEmpty(context.ObjectId)) { context.Identity.AddClaim( new Claim(ClaimTypes.NameIdentifier, context.ObjectId, XmlSchemaString, Options.AuthenticationType)); } if (!string.IsNullOrEmpty(context.Upn)) { context.Identity.AddClaim( new Claim(ClaimTypes.Upn, context.Upn, XmlSchemaString, Options.AuthenticationType)); } if (!string.IsNullOrEmpty(userEmail)) { context.Email = userEmail; context.Identity.AddClaim( new Claim(ClaimTypes.Email, userEmail, XmlSchemaString, Options.AuthenticationType)); } if (!string.IsNullOrEmpty(context.GivenName)) { context.Identity.AddClaim( new Claim(ClaimTypes.GivenName, context.GivenName, XmlSchemaString, Options.AuthenticationType)); } if (!string.IsNullOrEmpty(context.FamilyName)) { context.Identity.AddClaim( new Claim(ClaimTypes.Surname, context.FamilyName, XmlSchemaString, Options.AuthenticationType)); } if (!string.IsNullOrEmpty(userDisplayName) || !string.IsNullOrEmpty(context.Name)) { context.Identity.AddClaim( new Claim(ClaimsIdentity.DefaultNameClaimType, userDisplayName ?? context.Name, XmlSchemaString, Options.AuthenticationType)); } context.Properties = properties; await Options.Provider.Authenticated(context); return(new AuthenticationTicket(context.Identity, context.Properties)); } catch (Exception ex) { _logger.WriteError("Authentication failed", ex); return(new AuthenticationTicket(null, properties)); } }
protected override async Task <AuthenticationTicket> AuthenticateCoreAsync() { AuthenticationProperties properties = null; try { string code = null; string state = null; IReadableStringCollection query = Request.Query; IList <string> values = query.GetValues("code"); if (values != null && values.Count == 1) { code = values[0]; } values = query.GetValues("state"); if (values != null && values.Count == 1) { state = values[0]; } properties = Options.StateDataFormat.Unprotect(state); if (properties == null) { return(null); } // OAuth2 10.12 CSRF if (!ValidateCorrelationId(properties, _logger)) { return(new AuthenticationTicket(null, properties)); } string requestPrefix = Request.Scheme + "://" + Request.Host; string redirectUri = requestPrefix + Request.PathBase + Options.CallbackPath; // Build up the body for the token request var body = new List <KeyValuePair <string, string> >(); body.Add(new KeyValuePair <string, string>("grant_type", "authorization_code")); body.Add(new KeyValuePair <string, string>("code", code)); body.Add(new KeyValuePair <string, string>("redirect_uri", redirectUri)); body.Add(new KeyValuePair <string, string>("client_id", Options.ClientId)); body.Add(new KeyValuePair <string, string>("client_secret", Options.ClientSecret)); // Request the token var httpRequest = new HttpRequestMessage(HttpMethod.Post, TokenEndpoint); httpRequest.Content = new FormUrlEncodedContent(body); if (Options.RequestLogging) { _logger.WriteInformation(httpRequest.ToLogString()); } var httpResponse = await _httpClient.SendAsync(httpRequest); httpResponse.EnsureSuccessStatusCode(); string text = await httpResponse.Content.ReadAsStringAsync(); if (Options.ResponseLogging) { // Note: avoid using one of the Write* methods that takes a format string as input // because the curly brackets from a JSON response will be interpreted as // curly brackets for the format string and function will throw a FormatException _logger.WriteInformation(httpResponse.ToLogString()); } // Deserializes the token response JObject response = JsonConvert.DeserializeObject <JObject>(text); string accessToken = response.Value <string>("access_token"); string scope = response.Value <string>("scope"); string expires = response.Value <string>("expires_in"); string refreshToken = response.Value <string>("refresh_token"); string pwdexpires = response.Value <string>("pwd_exp"); string pwdchange = response.Value <string>("pwd_url"); string idToken = response.Value <string>("id_token"); // id_token should be a Base64 url encoded JSON web token JObject id = null; string[] segments; if (!String.IsNullOrEmpty(idToken) && (segments = idToken.Split('.')).Length == 3) { string payload = base64urldecode(segments[1]); if (!String.IsNullOrEmpty(payload)) { id = JObject.Parse(payload); } } var context = new AzureADAuthenticatedContext(Context, id, accessToken, scope, expires, refreshToken, pwdexpires, pwdchange); context.Identity = new ClaimsIdentity( Options.AuthenticationType, ClaimsIdentity.DefaultNameClaimType, ClaimsIdentity.DefaultRoleClaimType); if (!string.IsNullOrEmpty(context.Id)) { context.Identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, context.Id, XmlSchemaString, Options.AuthenticationType)); } if (!string.IsNullOrEmpty(context.Upn)) { context.Identity.AddClaim(new Claim(ClaimTypes.Upn, context.Upn, XmlSchemaString, Options.AuthenticationType)); } if (!string.IsNullOrEmpty(context.GivenName)) { context.Identity.AddClaim(new Claim(ClaimTypes.GivenName, context.GivenName, XmlSchemaString, Options.AuthenticationType)); } if (!string.IsNullOrEmpty(context.FamilyName)) { context.Identity.AddClaim(new Claim(ClaimTypes.Surname, context.FamilyName, XmlSchemaString, Options.AuthenticationType)); } if (!string.IsNullOrEmpty(context.Name)) { context.Identity.AddClaim(new Claim(ClaimsIdentity.DefaultNameClaimType, context.Name, XmlSchemaString, Options.AuthenticationType)); } context.Properties = properties; await Options.Provider.Authenticated(context); return(new AuthenticationTicket(context.Identity, context.Properties)); } catch (Exception ex) { _logger.WriteError("Authentication failed", ex); return(new AuthenticationTicket(null, properties)); } }