-
Notifications
You must be signed in to change notification settings - Fork 0
/
Startup.cs
126 lines (114 loc) · 5 KB
/
Startup.cs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
using System.Security.Claims;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OAuth;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
using Microsoft.Owin.Security.Jwt;
using System.Net.Http;
using Microsoft.IdentityModel.Protocols;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.IdentityModel.Tokens;
using System.Threading;
using System.Collections.Generic;
[assembly: OwinStartup(typeof(LinkGRC.Startup))]
namespace LinkGRC
{
public class Startup
{
private HttpClient sharedClient = new HttpClient();
private string authority = System.Configuration.ConfigurationManager.AppSettings["oidc:authority"];
private string clientId = System.Configuration.ConfigurationManager.AppSettings["oidc:client-id"];
public void Configuration(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(
new CookieAuthenticationOptions
{
// TODO: Triage all the available options here - there are quite a few.
}
);
string discoveryEndpoint = string.Format("{0}/.well-known/openid-configuration", authority);
var configManager = new ConfigurationManager<OpenIdConnectConfiguration>(discoveryEndpoint, new OpenIdConnectConfigurationRetriever(), sharedClient);
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
AuthenticationMode = AuthenticationMode.Passive,
Authority = authority,
ClientId = clientId,
ResponseType = OpenIdConnectResponseType.IdTokenToken,
ResponseMode = OpenIdConnectResponseMode.FormPost,
Scope = OpenIdConnectScope.OpenIdProfile,
Notifications = new OpenIdConnectAuthenticationNotifications
{
RedirectToIdentityProvider = notification =>
{
var pm = notification.ProtocolMessage;
pm.RedirectUri = notification.Request.Uri.AbsoluteUri;
return Task.CompletedTask;
},
SecurityTokenValidated = context =>
{
SetupWithDefaults(context.AuthenticationTicket.Identity);
return Task.CompletedTask;
}
},
ConfigurationManager = configManager
}
);
app.UseJwtBearerAuthentication(
new JwtBearerAuthenticationOptions
{
AuthenticationMode = AuthenticationMode.Active,
AllowedAudiences = new [] { clientId },
TokenValidationParameters = new TokenValidationParameters
{
ValidAudience = clientId,
ValidIssuers = new[] { authority, $"{authority}/" },
IssuerSigningKeyResolver = (rawToken, secToken, kid, validationParameters) =>
{
var task = configManager.GetConfigurationAsync();
task.ConfigureAwait(false);
task.Wait();
var discoveryDocument = task.Result;
return discoveryDocument.SigningKeys;
},
},
Provider = new OAuthBearerAuthenticationProvider
{
OnValidateIdentity = context =>
{
if (context.IsValidated)
{
SetupWithDefaults(context.Ticket.Identity);
}
return Task.CompletedTask;
}
}
}
);
}
private static void SetupWithDefaults(ClaimsIdentity identity)
{
if (identity is null)
{
throw new System.ArgumentNullException(nameof(identity));
}
// The ClaimsPrincipal default behavior is to pull the Name from
// the System.Security.Claims.ClaimTypes.Name claim-type.
// Check for a fallback to the OIDC-default claim type ("name") in that case
if (string.IsNullOrWhiteSpace(identity.Name))
{
var nameClaim = identity.FindFirst("name");
if (nameClaim != null)
{
identity.AddClaim(new Claim(ClaimTypes.Name, nameClaim.Value));
}
}
}
}
}