Startup.cs
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;
using TwoTenantAppDoneBetter.Options;
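namespace TwoTenantAppDoneBetter
{
    /// <summary>
    /// Wires up cookie + OpenID Connect sign-in for an app that accepts users from
    /// exactly two Azure AD tenants (an "employee" tenant and a "partner" tenant).
    /// </summary>
    /// <remarks>
    /// Tenant restriction is enforced in two places: the <c>ValidIssuers</c> list on the
    /// token validation parameters, and the tenant id check in <c>OnTokenValidated</c>.
    /// The tenant-specific redirect in <c>OnRedirectToIdentityProvider</c> only steers the
    /// user to the right sign-in page; it is not a security control.
    /// </remarks>
    public class Startup
    {
        /// <summary>Stores the application configuration for use in <see cref="ConfigureServices"/>.</summary>
        /// <param name="configuration">Application configuration; must contain an "Auth" section.</param>
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        private IConfiguration Configuration { get; }

        /// <summary>
        /// Registers cookie policy, MVC and the cookie/OpenID Connect authentication schemes.
        /// </summary>
        /// <param name="services">The service collection to add registrations to.</param>
        /// <exception cref="InvalidOperationException">
        /// The "Auth" section is missing or one of its required values is empty.
        /// </exception>
        public void ConfigureServices(IServiceCollection services)
        {
            services.Configure<CookiePolicyOptions>(options =>
            {
                // This lambda determines whether user consent for non-essential cookies is needed for a given request.
                options.CheckConsentNeeded = context => true;
                // NOTE(review): None is the most permissive minimum. It is presumably kept so the
                // sign-in callback cookies survive the cross-site POST from the identity provider;
                // confirm that before tightening it.
                options.MinimumSameSitePolicy = SameSiteMode.None;
            });

            services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);

            var authSettings = Configuration.GetSection("Auth").Get<AuthSettings>();
            // Fail at startup rather than at the first sign-in: an empty tenant id would produce a
            // malformed issuer URI below and would make the tenant comparison in OnTokenValidated
            // meaningless.
            EnsureAuthSettings(authSettings);

            services.AddAuthentication(o =>
            {
                o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
                o.DefaultForbidScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            })
            .AddCookie(o =>
            {
                // NOTE(review): Cookie.SecurePolicy is not set here, so the framework default applies;
                // consider CookieSecurePolicy.Always for production deployments.
                o.Cookie.Name = "TwoTenantAppDoneBetter.Auth";
            })
            .AddOpenIdConnect(o =>
            {
                o.ClientId = authSettings.ClientId;
                o.CallbackPath = "/signin-aad";
                o.Authority = "https://login.microsoftonline.com/organizations/v2.0";
                o.SignedOutRedirectUri = "/Account/SignedOut";
                o.TokenValidationParameters = new TokenValidationParameters
                {
                    // NOTE: We should not turn issuer validation off.
                    // We should instead list the valid issuers.
                    // You can find your issuer URI at: https://login.microsoftonline.com/tenant-id-here/v2.0/.well-known/openid-configuration
                    // It's in the "issuer" property.
                    NameClaimType = "name",
                    // THIS IS IMPORTANT: only accept tokens from these tenants.
                    ValidIssuers = new[]
                    {
                        $"https://login.microsoftonline.com/{authSettings.EmployeeTenantId}/v2.0",
                        $"https://login.microsoftonline.com/{authSettings.PartnerTenantId}/v2.0"
                    }
                };
                o.Events = new OpenIdConnectEvents
                {
                    OnRedirectToIdentityProvider = ctx =>
                    {
                        // Replace the common endpoint with the tenant-specific endpoint.
                        // Trying to log in with an account from another tenant causes an error in Azure AD.
                        // NOTE: The flaw with this is that the user can just change the URL, so this
                        // redirect is a convenience only. The actual restriction is the ValidIssuers
                        // list above plus the tenant id check in OnTokenValidated.
                        if (ctx.Properties.Parameters.TryGetValue("userType", out var userTypeObj)
                            && userTypeObj is string userType)
                        {
                            // Here we specify prompt="consent" for the sake of demos;
                            // it forces user consent on every login.
                            // You may want to remove it to enable SSO.
                            if (userType == "employee")
                            {
                                ctx.ProtocolMessage.IssuerAddress = authSettings.EmployeeAuthorizationEndpoint;
                                ctx.ProtocolMessage.SetParameter("prompt", "consent");
                                return Task.CompletedTask;
                            }

                            if (userType == "partner")
                            {
                                ctx.ProtocolMessage.IssuerAddress = authSettings.PartnerAuthorizationEndpoint;
                                ctx.ProtocolMessage.SetParameter("prompt", "consent");
                                return Task.CompletedTask;
                            }
                        }

                        // No (or an unknown) user type: refuse to start a sign-in at all.
                        throw new ArgumentException("Invalid user type specified");
                    },
                    OnTokenValidated = ctx =>
                    {
                        // FindFirst returns null when the claim is absent, so read the value
                        // null-safely and reject the token instead of dereferencing null.
                        string tid = ctx.Principal
                            .FindFirst("http://schemas.microsoft.com/identity/claims/tenantid")?.Value;
                        string userType;

                        // Extra check on top of ValidIssuers; the exception should never be thrown
                        // for a token that passed issuer validation.
                        if (string.IsNullOrEmpty(tid))
                        {
                            throw new UnauthorizedAccessException("Tenant id not allowed");
                        }
                        else if (tid == authSettings.EmployeeTenantId)
                        {
                            userType = "employee";
                        }
                        else if (tid == authSettings.PartnerTenantId)
                        {
                            userType = "partner";
                        }
                        else
                        {
                            throw new UnauthorizedAccessException("Tenant id not allowed");
                        }

                        // The role is derived from the validated tenant id, never from the
                        // "userType" value that was used to pick the sign-in page.
                        // The extra identity is created without an authentication type and only
                        // carries the role claim.
                        var claims = new List<Claim>
                        {
                            new Claim(ClaimTypes.Role, userType)
                        };
                        var appIdentity = new ClaimsIdentity(claims);
                        ctx.Principal.AddIdentity(appIdentity);
                        return Task.CompletedTask;
                    }
                };
            });
        }

        /// <summary>
        /// Builds the HTTP pipeline: error handling, HSTS/HTTPS redirection, static files,
        /// cookie policy, authentication and MVC routing, in that order.
        /// </summary>
        /// <param name="app">The application builder to add middleware to.</param>
        /// <param name="env">The hosting environment, used to pick the error handling mode.</param>
        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            if (env.IsDevelopment())
            {
                // Detailed exception pages are only enabled in the Development environment.
                app.UseDeveloperExceptionPage();
            }
            else
            {
                app.UseExceptionHandler("/Home/Error");
                // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
                app.UseHsts();
            }

            app.UseHttpsRedirection();
            app.UseStaticFiles();
            app.UseCookiePolicy();
            app.UseAuthentication();
            app.UseMvc(routes =>
            {
                routes.MapRoute(
                    name: "default",
                    template: "{controller=Home}/{action=Index}/{id?}");
            });
        }

        // Verifies that the "Auth" section was bound and that every value used above is present.
        private static void EnsureAuthSettings(AuthSettings authSettings)
        {
            if (authSettings == null)
            {
                throw new InvalidOperationException("The \"Auth\" configuration section is missing.");
            }

            RequireSetting(authSettings.ClientId, nameof(authSettings.ClientId));
            RequireSetting(authSettings.EmployeeTenantId, nameof(authSettings.EmployeeTenantId));
            RequireSetting(authSettings.PartnerTenantId, nameof(authSettings.PartnerTenantId));
            RequireSetting(authSettings.EmployeeAuthorizationEndpoint, nameof(authSettings.EmployeeAuthorizationEndpoint));
            RequireSetting(authSettings.PartnerAuthorizationEndpoint, nameof(authSettings.PartnerAuthorizationEndpoint));
        }

        // Throws when a single required "Auth" value is null, empty or whitespace.
        private static void RequireSetting(string value, string settingName)
        {
            if (string.IsNullOrWhiteSpace(value))
            {
                throw new InvalidOperationException($"Auth setting '{settingName}' is missing or empty.");
            }
        }
    }
}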