using System; using System.Collections.Generic; using System.Linq; using System.Text.Encodings.Web; using System.Threading.Tasks; using Microsoft.AspNetCore.Authentication; using Microsoft.AspNetCore.Authentication.Cookies; using Microsoft.AspNetCore.Authentication.OpenIdConnect; using Microsoft.AspNetCore.Builder; using Microsoft.AspNetCore.Hosting; using Microsoft.AspNetCore.Http; using Microsoft.Extensions.Configuration; using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.Logging; using Microsoft.IdentityModel.Protocols.OpenIdConnect; namespace OpenIdConnectSample { public class Startup { public Startup(IHostingEnvironment env) { Environment = env; var builder = new ConfigurationBuilder() .SetBasePath(env.ContentRootPath); if (env.IsDevelopment()) { // For more details on using the user secret store see http://go.microsoft.com/fwlink/?LinkID=532709 builder.AddUserSecrets(); } builder.AddEnvironmentVariables(); Configuration = builder.Build(); } public IConfiguration Configuration { get; set; } public IHostingEnvironment Environment { get; set; } public void ConfigureServices(IServiceCollection services) { services.AddAuthentication(sharedOptions => { sharedOptions.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme; sharedOptions.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme; sharedOptions.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme; }); services.AddCookieAuthentication(); services.AddOpenIdConnectAuthentication(o => { o.ClientId = Configuration["oidc:clientid"]; o.ClientSecret = Configuration["oidc:clientsecret"]; // for code flow o.Authority = Configuration["oidc:authority"]; o.ResponseType = OpenIdConnectResponseType.CodeIdToken; o.GetClaimsFromUserInfoEndpoint = true; o.Events = new OpenIdConnectEvents() { OnAuthenticationFailed = c => { c.HandleResponse(); c.Response.StatusCode = 500; c.Response.ContentType = "text/plain"; if (Environment.IsDevelopment()) { // Debug only, in production do not share exceptions with the remote host. return c.Response.WriteAsync(c.Exception.ToString()); } return c.Response.WriteAsync("An error occurred processing your authentication."); } }; }); } public void Configure(IApplicationBuilder app, ILoggerFactory loggerfactory) { loggerfactory.AddConsole(LogLevel.Information); loggerfactory.AddDebug(LogLevel.Information); app.UseDeveloperExceptionPage(); app.UseAuthentication(); app.Run(async context => { if (context.Request.Path.Equals("/signedout")) { await WriteHtmlAsync(context.Response, async res => { await res.WriteAsync($"

You have been signed out.

"); await res.WriteAsync("Sign In"); }); return; } if (context.Request.Path.Equals("/signout")) { await context.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme); await WriteHtmlAsync(context.Response, async res => { await context.Response.WriteAsync($"

Signed out {HtmlEncode(context.User.Identity.Name)}

"); await context.Response.WriteAsync("Sign In"); }); return; } if (context.Request.Path.Equals("/signout-remote")) { // Redirects await context.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme); await context.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme, new AuthenticationProperties() { RedirectUri = "/signedout" }); return; } if (context.Request.Path.Equals("/Account/AccessDenied")) { await context.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme); await WriteHtmlAsync(context.Response, async res => { await context.Response.WriteAsync($"

Access Denied for user {HtmlEncode(context.User.Identity.Name)} to resource '{HtmlEncode(context.Request.Query["ReturnUrl"])}'

"); await context.Response.WriteAsync("Sign Out"); }); return; } // DefaultAuthenticateScheme causes User to be set var user = context.User; // This is what [Authorize] calls // var user = await context.AuthenticateAsync(); // This is what [Authorize(ActiveAuthenticationSchemes = OpenIdConnectDefaults.AuthenticationScheme)] calls // var user = await context.AuthenticateAsync(OpenIdConnectDefaults.AuthenticationScheme); // Not authenticated if (user == null || !user.Identities.Any(identity => identity.IsAuthenticated)) { // This is what [Authorize] calls await context.ChallengeAsync(); // This is what [Authorize(ActiveAuthenticationSchemes = OpenIdConnectDefaults.AuthenticationScheme)] calls // await context.ChallengeAsync(OpenIdConnectDefaults.AuthenticationScheme); return; } // Authenticated, but not authorized if (context.Request.Path.Equals("/restricted") && !user.Identities.Any(identity => identity.HasClaim("special", "true"))) { await context.ChallengeAsync(); return; } await WriteHtmlAsync(context.Response, async response => { await response.WriteAsync($"

Hello Authenticated User {HtmlEncode(user.Identity.Name)}

"); await response.WriteAsync("Restricted"); await response.WriteAsync("Sign Out"); await response.WriteAsync("Sign Out Remote"); await response.WriteAsync("

Claims:

"); await WriteTableHeader(response, new string[] { "Claim Type", "Value" }, context.User.Claims.Select(c => new string[] { c.Type, c.Value })); }); }); } private static async Task WriteHtmlAsync(HttpResponse response, Func writeContent) { var bootstrap = ""; response.ContentType = "text/html"; await response.WriteAsync($"{bootstrap}

"); await writeContent(response); await response.WriteAsync("

"); } private static async Task WriteTableHeader(HttpResponse response, IEnumerable columns, IEnumerable> data) { await response.WriteAsync(""); await response.WriteAsync(""); foreach (var column in columns) { await response.WriteAsync($""); } await response.WriteAsync(""); foreach (var row in data) { await response.WriteAsync(""); foreach (var column in row) { await response.WriteAsync($""); } await response.WriteAsync(""); } await response.WriteAsync("

{HtmlEncode(column)}
{HtmlEncode(column)}

"); } private static string HtmlEncode(string content) => string.IsNullOrEmpty(content) ? string.Empty : HtmlEncoder.Default.Encode(content); } }