
  • // To allow OpenIddict to serialize them, you must attach a destination to them, which specifies // whether they should be included in access tokens, in identity tokens or in both.
  • NameIdentifier is required by OpenIddict // but is not automatically added to the Windows principal, so // the primary security identifier is used as a fallback value.
  • Claims) { // In this sample, every claim is serialized in both the access and the identity tokens.
  • Validate(identity); return Task.
  • On your “resource server”, you have access to the current user’s identity and can use authorize attributes to limit access, etc…

I’ve asked a question before and the answer that was given was correct, but the farther I go down this rabbit hole the more I realize I wasn’t asking the right question.

@CSharpStack: AngularJs, WebAPI, JWT, with (integrated) Windows authentication [Score:8]

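public class AuthorizationController : Controller
{
    // Warning: extreme caution must be taken to ensure the authorization endpoint is not included in a CORS policy
    // that would allow an attacker to force a victim to silently authenticate with his Windows credentials
    // and retrieve an access token using a cross-domain AJAX call. Avoiding CORS is strongly recommended.
    [HttpGet("~/connect/authorize")]
    public async Task<IActionResult> Authorize(OpenIdConnectRequest request)
    {
        // Retrieve the Windows principal: if a null value is returned, apply an HTTP challenge
        // to allow IIS/WebListener to initiate the unmanaged integrated authentication dance.
        var principal = await HttpContext.Authentication.AuthenticateAsync(IISDefaults.Negotiate);
        if (principal == null)
        {
            return Challenge(IISDefaults.Negotiate);
        }

        // Note: while the principal is always a WindowsPrincipal object when using Kestrel behind IIS,
        // a WindowsPrincipal instance must be manually created from the WindowsIdentity with WebListener.
        // Anything else means integrated authentication did not produce a Windows identity: fail with
        // an explicit error instead of an InvalidCastException from a blind cast.
        var windowsPrincipal = principal as WindowsPrincipal;
        if (windowsPrincipal == null)
        {
            var windowsIdentity = principal.Identity as WindowsIdentity;
            if (windowsIdentity == null)
            {
                throw new InvalidOperationException("The authenticated principal is not backed by a Windows identity.");
            }

            windowsPrincipal = new WindowsPrincipal(windowsIdentity);
        }

        var ticket = CreateTicket(request, windowsPrincipal);

        // Immediately return an authorization response without displaying a consent screen.
        return SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme);
    }

    // Builds the authentication ticket OpenIddict serializes into the tokens, using the claims
    // of the Windows principal. The request is accepted for parity with the handler but is not
    // consulted here: no scope-based claims filtering is applied in this sample.
    private AuthenticationTicket CreateTicket(OpenIdConnectRequest request, WindowsPrincipal principal)
    {
        // Create a new ClaimsIdentity containing the claims that
        // will be used to create an id_token, a token or a code.
        var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);

        // Note: the ClaimTypes.NameIdentifier is required by OpenIddict
        // but is not automatically added to the Windows principal, so
        // the primary security identifier is used as a fallback value.
        // A principal without a primary SID has no usable subject, so refuse to mint
        // a ticket here rather than failing later with an opaque argument error.
        var subject = principal.GetClaim(ClaimTypes.PrimarySid);
        if (string.IsNullOrEmpty(subject))
        {
            throw new InvalidOperationException("The Windows principal does not expose a primary security identifier.");
        }

        identity.AddClaim(ClaimTypes.NameIdentifier, subject);

        // Note: by default, claims are NOT automatically included in the access and identity tokens.
        // To allow OpenIddict to serialize them, you must attach a destination to them, which specifies
        // whether they should be included in access tokens, in identity tokens or in both.
        foreach (var claim in principal.Claims)
        {
            // In this sample, every claim is serialized in both the access and the identity tokens.
            // In a real world application, you'd probably want to exclude confidential claims
            // or apply a claims policy based on the scopes requested by the client application:
            // every claim copied here is exposed to whoever can read the issued tokens.
            claim.SetDestinations(OpenIdConnectConstants.Destinations.AccessToken,
                                  OpenIdConnectConstants.Destinations.IdentityToken);

            // Copy the claim from the Windows principal to the new identity.
            identity.AddClaim(claim);
        }

        // Create a new authentication ticket holding the user identity.
        return new AuthenticationTicket(
            new ClaimsPrincipal(identity),
            new AuthenticationProperties(),
            OpenIdConnectServerDefaults.AuthenticationScheme);
    }
}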

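public class Startup
{
    // OWIN/Katana variant of the authorization server: wires the OpenID Connect server middleware
    // and answers implicit-flow authorization requests with the caller's Windows identity.
    public void Configuration(IAppBuilder app)
    {
        app.UseOpenIdConnectServer(options =>
        {
            // Register a new ephemeral key, that is discarded when the application
            // shuts down. Tokens signed using this key are automatically invalidated.
            // This method should only be used during development.
            options.SigningCredentials.AddEphemeralKey();

            // Enable the authorization endpoint.
            // Warning: extreme caution must be taken to ensure the authorization endpoint is not included in a CORS policy
            // that would allow an attacker to force a victim to silently authenticate with his Windows credentials
            // and retrieve an access token using a cross-domain AJAX call. Avoiding CORS is strongly recommended.
            options.AuthorizationEndpointPath = new PathString("/connect/authorize");

            // During development, you can disable the HTTPS requirement.
            // Remove this (and the ephemeral key above) before deploying.
            options.AllowInsecureHttp = true;

            // Implement the ValidateAuthorizationRequest event to validate the response_type,
            // the client_id and the redirect_uri provided by the client application.
            options.Provider.OnValidateAuthorizationRequest = context =>
            {
                if (!context.Request.IsImplicitFlow())
                {
                    context.Reject(
                        error: OpenIdConnectConstants.Errors.UnsupportedResponseType,
                        description: "The provided response_type is invalid.");

                    return Task.FromResult(0);
                }

                if (!string.Equals(context.ClientId, "spa-application", StringComparison.Ordinal))
                {
                    context.Reject(
                        error: OpenIdConnectConstants.Errors.InvalidClient,
                        description: "The provided client_id is invalid.");

                    return Task.FromResult(0);
                }

                // The redirect_uri is compared with an exact ordinal match on purpose: a prefix or
                // case-insensitive comparison would let tokens be delivered to an unregistered target.
                if (!string.Equals(context.RedirectUri, "http://spa-app.com/redirect_uri", StringComparison.Ordinal))
                {
                    context.Reject(
                        error: OpenIdConnectConstants.Errors.InvalidClient,
                        description: "The provided redirect_uri is invalid.");

                    return Task.FromResult(0);
                }

                context.Validate();

                return Task.FromResult(0);
            };

            // Implement the HandleAuthorizationRequest event to return an implicit authorization response.
            options.Provider.OnHandleAuthorizationRequest = context =>
            {
                // Retrieve the Windows principal: if a null value is returned, apply an HTTP challenge
                // to allow IIS/SystemWeb to initiate the unmanaged integrated authentication dance.
                var principal = context.OwinContext.Authentication.User as WindowsPrincipal;
                if (principal == null)
                {
                    context.OwinContext.Authentication.Challenge();

                    return Task.FromResult(0);
                }

                // Create a new ClaimsIdentity containing the claims that
                // will be used to create an id_token, a token or a code.
                var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationType);

                // Note: the ClaimTypes.NameIdentifier is required by OpenIddict
                // but is not automatically added to the Windows principal, so
                // the primary security identifier is used as a fallback value.
                // A principal without a primary SID has no usable subject: reject the request
                // explicitly instead of letting AddClaim fail with an opaque argument error.
                var subject = principal.GetClaim(ClaimTypes.PrimarySid);
                if (string.IsNullOrEmpty(subject))
                {
                    context.Reject(
                        error: OpenIdConnectConstants.Errors.ServerError,
                        description: "The Windows principal does not expose a primary security identifier.");

                    return Task.FromResult(0);
                }

                identity.AddClaim(ClaimTypes.NameIdentifier, subject);

                // Note: by default, claims are NOT automatically included in the access and identity tokens.
                // To allow OpenIddict to serialize them, you must attach a destination to them, which specifies
                // whether they should be included in access tokens, in identity tokens or in both.
                foreach (var claim in principal.Claims)
                {
                    // In this sample, every claim is serialized in both the access and the identity tokens.
                    // In a real world application, you'd probably want to exclude confidential claims
                    // or apply a claims policy based on the scopes requested by the client application:
                    // every claim copied here is exposed to whoever can read the issued tokens.
                    claim.SetDestinations(OpenIdConnectConstants.Destinations.AccessToken,
                                          OpenIdConnectConstants.Destinations.IdentityToken);

                    // Copy the claim from the Windows principal to the new identity.
                    identity.AddClaim(claim);
                }

                context.Validate(identity);

                return Task.FromResult(0);
            };
        });
    }
}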


