All of the ITfoxtec.Identity.Saml2 example projects on Github load the SAML configuration in the ConfigureServices method of the Startup class. I have stored all the configurations in the database. Is there a way to load the SAML configuration from within the code at the runtime (after my .Net Core project is started)?
public void ConfigureServices(IServiceCollection services)
{
services.Configure<Saml2Configuration>(Configuration.GetSection("Saml2"));
services.Configure<Saml2Configuration>(saml2Configuration =>
{
//saml2Configuration.SignAuthnRequest = true;
saml2Configuration.SigningCertificate = CertificateUtil.Load(AppEnvironment.MapToPhysicalFilePath(Configuration["Saml2:SigningCertificateFile"]), Configuration["Saml2:SigningCertificatePassword"]);
//saml2Configuration.SignatureValidationCertificates.Add(CertificateUtil.Load(AppEnvironment.MapToPhysicalFilePath(Configuration["Saml2:SignatureValidationCertificateFile"])));
saml2Configuration.AllowedAudienceUris.Add(saml2Configuration.Issuer);
var entityDescriptor = new EntityDescriptor();
entityDescriptor.ReadIdPSsoDescriptorFromUrl(new Uri(Configuration["Saml2:IdPMetadata"]));
if (entityDescriptor.IdPSsoDescriptor != null)
{
saml2Configuration.AllowedIssuer = entityDescriptor.EntityId;
saml2Configuration.SingleSignOnDestination = entityDescriptor.IdPSsoDescriptor.SingleSignOnServices.First().Location;
saml2Configuration.SingleLogoutDestination = entityDescriptor.IdPSsoDescriptor.SingleLogoutServices.First().Location;
saml2Configuration.SignatureValidationCertificates.AddRange(entityDescriptor.IdPSsoDescriptor.SigningCertificates);
if (entityDescriptor.IdPSsoDescriptor.WantAuthnRequestsSigned.HasValue)
{
saml2Configuration.SignAuthnRequest = entityDescriptor.IdPSsoDescriptor.WantAuthnRequestsSigned.Value;
}
}
else
{
throw new Exception("IdPSsoDescriptor not loaded from metadata.");
}
});
services.AddSaml2(slidingExpiration: true);
services.AddControllersWithViews();
}
Yes, it is possible to move the configuration load from startup to later. You can load the content of the Saml2Configuration config object just before it is used by calling a method. In the sample e.g., before the Saml2Configuration is used in the Login method.
Related
I'm having some trouble getting claims from Google in a ASP.Net Core 2.1 Web API using OpenIdDict.
I've selected "No Authentication" in ASP.Net MVC template since I have no interest in storing usernames / passwords myself. I will be relying on external providers (such as Google) for authentication. The client is a SPA, so I'm using Implicit Flow.
My code is based on following this tutorial (except using Google rather than GitHub):
https://www.jerriepelser.com/blog/implementing-openiddict-authorization-server-part-2/
A Token is being returned from Google - but when I examine the JWT it does not contain any claims information.
What am I missing?
My Startup.cs looks like:
public class Startup
{
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
// Register OpenIdDict database (EF Core)
services.AddDbContext<PD.Server.DataAccess.AuthorizationDbContext>(o =>
{
o.UseSqlServer(Configuration.GetConnectionString("AuthorizationDbContext"));
o.UseOpenIddict();
});
// Authentication
services.AddAuthentication(auth =>
{
auth.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
auth.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
auth.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
}).AddCookie()
.AddGoogle(o =>
{
o.ClientId = Configuration["Authentication:Google:ClientId";
o.ClientSecret = Configuration["Authentication:Google:ClientSecret"];
o.CallbackPath = "/signin-google";
});
services.AddOpenIddict()
.AddCore(o => o.UseEntityFrameworkCore().UseDbContext<AuthorizationDbContext>() )
.AddServer(o =>
{
o.UseMvc(); // Register MVC Binder
o.EnableAuthorizationEndpoint("/connect/authorize")
.EnableLogoutEndpoint("/connect/logout"); // Enable the Authorization end-point
o.RegisterScopes(OpenIddictConstants.Scopes.Email,
OpenIddictConstants.Scopes.Profile,
OpenIddictConstants.Scopes.Roles);
o.AllowImplicitFlow(); // Enable Implicit Flow (i.e. OAuth2 authentication for SPA's)
o.EnableRequestCaching();
o.DisableHttpsRequirement(); // DEV ONLY!
o.AddEphemeralSigningKey(); // DEV ONLY!
})
.AddValidation();
// Cors
services.AddCors();
services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
app.UseCors(builder =>
{
builder.WithOrigins("https://localhost:5001");
builder.WithMethods("GET");
builder.WithHeaders("Authorization");
});
app.UseAuthentication();
app.UseMvcWithDefaultRoute();
app.MigrateDatabase();
// Configure the OpenIdDict Database (not shown)
InitializeAsync(app.ApplicationServices, CancellationToken.None).GetAwaiter().GetResult();
}
And my Authenticate method:
[HttpGet("~/connect/authorize")]
public IActionResult Authorize(OpenIdConnectRequest request)
{
if (!User.Identity.IsAuthenticated) return Challenge("Google");
var claims = new List<Claim>();
claims.Add(new Claim(OpenIdConnectConstants.Claims.Subject, User.FindFirstValue(ClaimTypes.NameIdentifier), OpenIdConnectConstants.Destinations.IdentityToken));
claims.Add(new Claim(OpenIdConnectConstants.Claims.Name, User.FindFirstValue(ClaimTypes.Name), OpenIdConnectConstants.Destinations.IdentityToken));
claims.Add(new Claim(OpenIdConnectConstants.Claims.Email, User.FindFirstValue(ClaimTypes.Email), OpenIdConnectConstants.Destinations.IdentityToken));
claims.Add(new Claim(OpenIdConnectConstants.Claims.EmailVerified, "true", OpenIdConnectConstants.Destinations.IdentityToken));
var identity = new ClaimsIdentity(claims, "OpenIddict");
var principle = new ClaimsPrincipal(identity);
// Create a new Authentication Ticket
var ticket = new AuthenticationTicket(principle, new AuthenticationProperties(), OpenIdConnectServerDefaults.AuthenticationScheme);
return SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme);
}
Thanks in advance.
Your claim destinations are not set correctly.
When using the Claim constructor that takes 3 parameter, it's the claim value type that is actually set, not the destination (which is a concept specific to OpenIddict).
Consider using the following syntax:
claims.Add(new Claim(OpenIdConnectConstants.Claims.Email, User.FindFirstValue(ClaimTypes.Email)).SetDestinations(OpenIdConnectConstants.Destinations.IdentityToken));
I am currently trying to convert the phone sample app from the official ADAL github repo to a caliburn.micro MVVM app. But there are so many moving parts backed into the code-behind to get along with WebAuthenticationBroker that I don't now how to push that into viewmodels and handle navigation correctly when the app is activated again after the broker did the sign-on. Since I am totally clueless at the moment there is no code to share yet.
I've been using MvvmLight along with ADAL in my Windows Phone 8.1 App. What you need to do is as soon as you get a token, you need to send the message using the Messenger pattern. All of those view models which require the token and have already subscribed to it will receive it. Here is something I've done in my app using MvvmLight. Remember that you need to have a ContinuationManager class and IWebContinuable interface to make the app work.
private async void Login()
{
AuthenticationResult result = null;
context = AuthenticationContext.CreateAsync("https://login.windows.net/<tenant-id>").GetResults();
try
{
//try to check if you can get the token without showing pop-up
result = await context.AcquireTokenSilentAsync("https://management.core.windows.net/", "<clientid>");
if(result.Status==AuthenticationStatus.ClientError)
{
bool exists = CheckInVault();
if(exists)
{
PasswordVault vault = new PasswordVault();
var tokenvault = vault.FindAllByResource("Token");
string RefreshToken = tokenvault[0].Password;
var refresh=await context.AcquireTokenByRefreshTokenAsync(RefreshToken, clientid);
vault.Remove(tokenvault[0]);
StoreToken(refresh);
}
else
{
context.AcquireTokenAndContinue("https://management.core.windows.net/", clientid, WebAuthenticationBroker.GetCurrentApplicationCallbackUri(), StoreToken);
}
}
else if(result != null && result.Status == AuthenticationStatus.Success)
{
// A token was successfully retrieved. Post the new To Do item
bool exists = CheckInVault();
if (exists)
{
PasswordVault vault = new PasswordVault();
var tokenvault = vault.FindAllByResource("Token");
vault.Remove(tokenvault[0]);
}
StoreToken(result);
}
//this method will be called when app is opened first time and pop-up appears
result=await context.AcquireTokenSilentAsync("https://management.core.windows.net/", "<client-id>");
}
catch(Exception e)
{
MessageDialog dialog = new MessageDialog("Error");
}
}
What I am doing here is - after acquiring the access token and reference token when the user signs up first, I store the refresh token in the PasswordVault, so as to get it in the future to enable single sign-on. ADAL actually does using its caching feature, but sometimes the single sign-on failed for me, hence using the PasswordVault to store the refresh token. After the authentication completes, I have a delegate to StoreToken function, where I actually store the new refresh token and send the access token to all the subscribers using the Messenger class in MvvmLight.
private void StoreToken(AuthenticationResult result)
{
try
{
var token = result.AccessToken;
Messenger.Default.Send<string>(token); //send the access token.
PasswordVault vault = new PasswordVault();
PasswordCredential credential = new PasswordCredential();
credential.UserName = result.AccessToken;
credential.Password = result.RefreshToken;
credential.Resource = "Token";
vault.Add(credential);
}
catch(Exception e)
{
}
}
I would recommend handling the navigation in the view models. Define a helper class like NavigationService:
public class NavigationService:INavigationService
{
private Frame _frame;
public Frame Frame
{
get
{
return _frame;
}
set
{
_frame = value;
_frame.Navigated+= OnFrameNavigated;
}
}
public void NavigateTo(string type)
{
Frame.Navigate(Type.GetType(type));
}
public void GoForward()
{
if (Frame.CanGoForward)
Frame.GoForward();
}
public void GoBack()
{
if (Frame.CanGoBack)
Frame.GoBack();
}
}
To navigate to a page from the view models, you use the NavigateTo(string) method as
NavigateTo("<fully qualified class name of the page you want to navigate to>,<assembly name>")
I would also suggest using a IoC container (MvvmLight gives you a ViewModelLocator class) so that you can maintain singleton instances of your view models and helpers like NavigationService. I haven't used the CaliburnMicro framework but I would assume there would be similar features for Messaging and Dependency Injection.
I need to do some connectivity simulations to see that my code handles various connectivity errors to Facebook. I want to be able to simulate 500s, timeouts etc.
The easiest way to do that is to use Fiddler, but it seems to not be working with HTTPS (I get 403s when I try).
Is ther a way to force the SDK to work with HTTP instead of HTTPS for debugging purposes?
Facebook C# SDK supports your scenario for mocking the entire HttpWebRequest and HttpWebResponse. In fact we actually use that internally in our unit tests so that every single line of the code in Facebook C# SDK actually gets executed and the result is always the same. https://github.com/facebook-csharp-sdk/facebook-csharp-sdk/blob/v5/Source/Facebook.Tests/TestExtensions.cs For now you will need to check these tests in v5 branch as we haven't yet migrated those tests to v6.
For v5, you will need to override the protected CreateHttpWebRequest method in FacebookClient.
Here is an example for v5 when there is no internet connection. There are three hidden classes HttpWebRequestWrapper, HttpWebResponseWrapper and WebExceptionWrapper that you will need to make use of.
public static void NoInternetConnection(this Mock<Facebook.FacebookClient> facebookClient, out Mock<HttpWebRequestWrapper> mockRequest, out Mock<WebExceptionWrapper> mockWebException)
{
mockRequest = new Mock<HttpWebRequestWrapper>();
mockWebException = new Mock<WebExceptionWrapper>();
var mockAsyncResult = new Mock<IAsyncResult>();
var request = mockRequest.Object;
var webException = mockWebException.Object;
var asyncResult = mockAsyncResult.Object;
mockRequest.SetupProperty(r => r.Method);
mockRequest.SetupProperty(r => r.ContentType);
mockRequest.SetupProperty(r => r.ContentLength);
mockAsyncResult
.Setup(ar => ar.AsyncWaitHandle)
.Returns((ManualResetEvent)null);
mockWebException
.Setup(e => e.GetResponse())
.Returns<HttpWebResponseWrapper>(null);
mockRequest
.Setup(r => r.GetResponse())
.Throws(webException);
mockRequest
.Setup(r => r.EndGetResponse(It.IsAny<IAsyncResult>()))
.Throws(webException);
AsyncCallback callback = null;
mockRequest
.Setup(r => r.BeginGetResponse(It.IsAny<AsyncCallback>(), It.IsAny<object>()))
.Callback<AsyncCallback, object>((c, s) =>
{
callback = c;
})
.Returns(() =>
{
callback(asyncResult);
return asyncResult;
});
var mockRequestCopy = mockRequest;
var mockWebExceptionCopy = mockWebException;
facebookClient.Protected()
.Setup<HttpWebRequestWrapper>("CreateHttpWebRequest", ItExpr.IsAny<Uri>())
.Callback<Uri>(uri =>
{
mockRequestCopy.Setup(r => r.RequestUri).Returns(uri);
mockWebExceptionCopy.Setup(e => e.Message).Returns(string.Format("The remote name could not be resolved: '{0}'", uri.Host));
})
.Returns(request);
}
You can then write your tests as below.
[Fact]
public void SyncWhenThereIsNotInternetConnectionAndFiddlerIsNotOpen_ThrowsWebExceptionWrapper()
{
var mockFb = new Mock<FacebookClient> { CallBase = true };
Mock<HttpWebRequestWrapper> mockRequest;
Mock<WebExceptionWrapper> mockWebException;
mockFb.NoInternetConnection(out mockRequest, out mockWebException);
Exception exception = null;
try
{
var fb = mockFb.Object;
fb.Get(_parameters);
}
catch (Exception ex)
{
exception = ex;
}
mockFb.VerifyCreateHttpWebRequest(Times.Once());
mockRequest.VerifyGetResponse();
mockWebException.VerifyGetReponse();
Assert.IsAssignableFrom<WebExceptionWrapper>(exception);
}
In v6 we have made mocking the HttpWebRequest and HttpWebResponse much easier.
Create your custom HttpWebRequest and HttpWebResponse by inheriting HttpWebRequestWrapper and HttpWebReponseWrapper.
Then change the default http web request factory for Facebook C# SDK. Here is the sample of the default factory.
FacebookClient.SetDefaultHttpWebRequestFactory(uri => new HttpWebRequestWrapper((HttpWebRequest)WebRequest.Create(uri)));
If you want to change the HttpWebRequestFactor per FacebookClient instance then use the following code.
var fb = new FacebookClient();
fb.HttpWebRequestFactory = uri=> new MyHttpWebRequestWrapper(uri);
Note: HttpWebRequestWrapper, HttpWebResponseWrapper, WebExceptionWrapper, FacebookClient.SetDefaultHttpWebRequestFactory and FacebookClient.HttpWebRequestFactory has the attribute [EditorBrowsable(EditorBrowsableState.Never)] so you might not see it in the intellisense.
Things like no internet connection that you mention should actually be a part of facebook c# sdk tests and not your app unit tests. The sdk should guarantee that when there is not internet conenction it always throws WebExceptionWrapper and your app unit tests should actually be handling the WebExceptionWrapper exception and not mocking the entire httpwebrequest and httpwebresponse.
I'd suggest you introduce another level of abstraction to your code and code to that abstraction rather than the implementation. Eg.
public interface IFacebookClient {
IEnumerable<Friend> GetFriends();
}
public class HttpsClient : IFacebookClient {
public IEnumerable<Friend> GetFriends() {
// Make a call out to the Facebook API, as per usual
};
}
In your consuming code you'd do something like;
public class ConsumingCode {
private IFacebookClient _client;
public ConsumingCode(IFacebookClient client) {
_client = client;
foreach (Friend friend in _client.GetFriends()) {
// Do something with each Friend
}
}
}
If you're using an IoC container this can all get wired up for you automatically. MVVM frameworks like Caliburn.Micro tend to support this as well.
Then when it comes to unit testing (or manual testing) you can change the implementation of your interface;
public class Http403Client : IFacebookClient {
public IEnumerable<Friend> GetFriends() {
throw new HttpException(403, "Forbidden");
}
}
Obviously this is just a mock up example but I think it demonstrates the concept that you want to implement.
The task is to get the selected build configuration on the project's property page.
I have tried to achieve this by writing the following code:
private static IConfiguration getSelectedBuildConf(IProject proj) {
IManagedBuildInfo info = ManagedBuildManager.getBuildInfo(proj);
if (info == null) {
return null;
} else {
IConfiguration cfg = info.getSelectedConfiguration();
return cfg;
}
}
The problem here is that getSelectedConfiguration() always returns null.
getSelectedConfiguration() returns always Debug configuration.
I think you want to use getDefaultConfiguration() instead of getSelectedConfiguration()...
As explained on cdt-dev list here.
I have a few modules, one is an API. I want to set a different ErrorHandler for this API module.
Because when the default ErrorHandler is fired it uses the default module with the default layout, which contains HTML. Which is something I do not want my API to be returning.
I have looked on here and at the Zend Docs and have not come up with anything that allows me to do this.
Thanks for any help.
Here is the one I use:
<?php
class My_Controller_Plugin_Modular_ErrorController extends Zend_Controller_Plugin_Abstract
{
public function routeShutdown (Zend_Controller_Request_Abstract $request)
{
$front = Zend_Controller_Front::getInstance();
// Front controller has error handler plugin
// if the request is an error request.
// If the error handler plugin is not registered,
// we will be unable which MCA to run, so do not continue.
$errorHandlerClass = 'Zend_Controller_Plugin_ErrorHandler';
if (!$front->hasPlugin($errorHandlerClass)) {
return false;
}
// Determine new error controller module_ErrorController_ErrorAction
$plugin = $front->getPlugin($errorHandlerClass);
$errorController = $plugin->getErrorHandlerController();
$errorAaction = $plugin->getErrorHandlerAction();
$module = $request->getModuleName();
// Create test request module_ErrorController_ErrorAction...
$testRequest = new Zend_Controller_Request_Http();
$testRequest->setModuleName($module)
->setControllerName($errorController)
->setActionName($errorAaction);
// Set new error controller if available
if ($front->getDispatcher()->isDispatchable($testRequest)) {
$plugin->setErrorHandlerModule($module);
} else {
return false;
}
return true;
}
}
(BTW, This issue already was discussed here, look carefully.)
#takeshin: Thank you for sharing your plugin, this is great! And just the thing I was looking for on the google machine.
I made some changes, respectfully, to the logic that determines the request to be an "error request," since I found that the full plugin callback was running on every request, regardless of whether or not an error had occured.
I just changed the plugin hook to "postDispatch" and tested that an exception had actually occurred during dispatch. The rest of the code functions exactly the same as yours.
Now, you can put a die statement in the middle of the plugin, and you will only see it after an exception has occurred during the request.
<?php
class Rm_Controller_Plugin_Modular_ErrorController
extends Zend_Controller_Plugin_Abstract
{
public function postDispatch(Zend_Controller_Request_Abstract $request)
{
$front = Zend_Controller_Front::getInstance();
// true if response has any exception
$isError = $front->getResponse()->hasExceptionOfType('Exception');
// if there was no error during dispatch
if (!$isError) {
return false;
}
// standard error handler plugin class name
$errorHandlerClass = 'Zend_Controller_Plugin_ErrorHandler';
// if the error handler plugin is not registered, do not continue.
if (!$front->hasPlugin($errorHandlerClass)) {
return false;
}
$plugin = $front->getPlugin($errorHandlerClass);
// the module that was requested and threw error
$module = $request->getModuleName();
// the controller & action name that error handler will dispatch
$errorController = $plugin->getErrorHandlerController();
$errorAction = $plugin->getErrorHandlerAction();
// create a dummy request to test for dispatchablility
$testRequest = new Zend_Controller_Request_Http();
$testRequest->setModuleName($module)
->setControllerName($errorController)
->setActionName($errorAction);
// verify that the current module has defined an ErrorController::errorAction
if ($front->getDispatcher()->isDispatchable($testRequest)) {
// tell error controller plugin to use the module's error controller
$plugin->setErrorHandlerModule($module);
} else {
return false;
}
return true;
}
}
Just off the top of my head, you could store a copy of the original request object in the registry from a controller plugin. In the preDispatch() of your controller you could then forward to another error controller based on the requested module.
// Plugin
public function routeStartup(Zend_Controller_Request_Abstract $request)
{
$clonedRequest = clone $request;
Zend_Registry::set('originalRequest', $clonedRequest);
}
// ErrorController
public function preDispatch()
{
$request = Zend_Registry::get('originalRequest');
$this->_forward('error', 'error', $request->getModuleName());
}