refactor via skype and live share.

Author: paule96

README.md

@@ -106,9 +106,10 @@ For example:
 
 ## Authors
 
-* **Kirsten Kluge** - *Initial work* - [kirkone](https://github.com/kirkone)
-* **paule96** - *Refactoring* - [paule96](https://github.com/paule96)
-* **Christoph Sonntag** - *Made things even more uber* - [Compufreak345](https://github.com/Compufreak345)
+-   **Kirsten Kluge** - _Initial work_ - [kirkone](https://github.com/kirkone)
+-   **paule96** - _Refactoring_ - [paule96](https://github.com/paule96)
+-   **Christoph Sonntag** - _Made things even more uber_ - [Compufreak345](https://github.com/Compufreak345)
+-   **myusrn** - _Dropped some knowledge about making IsInRoles work_ - [myusrn](https://github.com/myusrn)
 
 See also the list of [contributors](https://github.com/kirkone/KK.AspNetCore.EasyAuthAuthentication/graphs/contributors) who participated in this project.
 
@@ -118,4 +119,4 @@ This project is licensed under the MIT License - see the [LICENSE.md](LICENSE.md
 
 ## Acknowledgments
 
-* Inspired by this [StackOverflow post](https://stackoverflow.com/a/42402163/6526640) and this [GitHub](https://github.com/lpunderscore/azureappservice-authentication-middleware) repo
+-   Inspired by this [StackOverflow post](https://stackoverflow.com/a/42402163/6526640) and this [GitHub](https://github.com/lpunderscore/azureappservice-authentication-middleware) repo

src/KK.AspNetCore.EasyAuthAuthentication/AuthenticationTicketBuilder.cs

@@ -13,21 +13,21 @@ public static class AuthenticationTicketBuilder
         /// Build a `AuthenticationTicket` from the given payload, the principal name and the provider name
         /// </summary>
         /// <param name="claimsPayload">A array of JObjects that have a `type` and a `val` property</param>
-        /// <param name="principalName">The principal name of the user.</param>
-        /// /// <param name="providerName">The provider name of the current auth provider.</param>
+        /// <param name="providerName">The provider name of the current auth provider.</param>
         /// <returns>A `AuthenticationTicket`</returns>
-        public static AuthenticationTicket Build(IEnumerable<JObject> claimsPayload, string principalName, string providerName)
+        public static AuthenticationTicket Build(IEnumerable<JObject> claimsPayload, string providerName)
         {
-            var identity = new ClaimsIdentity(createClaims(claimsPayload), AuthenticationTypesNames.Federation); // setting ClaimsIdentity.AuthenticationType to value that azuread non-easyauth setups use
-            addScpClaim(identity);
-            identity.AddClaim(new Claim("provider_name", providerName));
+            var identity = new ClaimsIdentity(
+                createClaims(claimsPayload),
+                // setting ClaimsIdentity.AuthenticationType to value that Azure AD non-EasyAuth setups use
+                AuthenticationTypesNames.Federation
+            );
+
+            addScopeClaim(identity);
+            addProviderNameClaim(identity, providerName);
             var genericPrincipal = new ClaimsPrincipal(identity);
-            return new AuthenticationTicket(genericPrincipal, EasyAuthAuthenticationDefaults.AuthenticationScheme);
-        }
 
-        private static IEnumerable<JObject> getTheClaimsNodeFromPayload(JObject payload)
-        {
-            return payload["user_claims"].Children<JObject>();
+            return new AuthenticationTicket(genericPrincipal, EasyAuthAuthenticationDefaults.AuthenticationScheme);
         }
 
         private static IEnumerable<Claim> createClaims(IEnumerable<JObject> claimsAsJson)
@@ -56,11 +56,21 @@ private static IEnumerable<Claim> createClaims(IEnumerable<JObject> claimsAsJson
             }
         }
 
-        private static void addScpClaim(ClaimsIdentity identity)
+        private static void addScopeClaim(ClaimsIdentity identity)
         {
             if (!identity.Claims.Any(claim => claim.Type == "scp"))
             {
-                identity.AddClaim(new Claim("scp", "user_impersonation")); // not sure why easyauth is dropping this
+                // We are not sure if we should add this in to match what non-EasyAuth authenticated result would look like
+                // with EasyAuth + Express based application configurations the scope claim will always be `user_impersonation`
+                identity.AddClaim(new Claim("scp", "user_impersonation"));
+            }
+        }
+
+        private static void addProviderNameClaim(ClaimsIdentity identity, string providerName)
+        {
+            if (!identity.Claims.Any(claim => claim.Type == "provider_name"))
+            {
+                identity.AddClaim(new Claim("provider_name", providerName));
             }
         }
     }

src/KK.AspNetCore.EasyAuthAuthentication/EasyAuthAuthenticationHandler.cs

@@ -69,7 +69,6 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
             {
                 if (isContextUserNotAuthenticated(this.Context.User))
                 {
-                    // TODO: If this the only auth middleware we maybe must return a `AuthenticateResult.Fail()`
                     this.Logger.LogInformation("The identity isn't set by easy auth.");
                 }
                 else

src/KK.AspNetCore.EasyAuthAuthentication/Services/EasyAuthWithAuthMeService.cs

@@ -95,7 +95,7 @@ private AuthenticationTicket BuildIdentityFromEasyAuthMeJson(JObject payload)
 
             this.Logger.LogInformation("building claims from payload...");
             var providerName = payload["provider_name"].Value<string>();
-            return AuthenticationTicketBuilder.Build(payload["user_claims"].Children<JObject>(), name, providerName);
+            return AuthenticationTicketBuilder.Build(payload["user_claims"].Children<JObject>(), providerName);
         }
 
         private async Task<JArray> GetAuthMe(HttpClientHandler handler, HttpRequestMessage httpRequest)

src/KK.AspNetCore.EasyAuthAuthentication/Services/EasyAuthWithHeaderService.cs

@@ -14,16 +14,16 @@ namespace KK.AspNetCore.EasyAuthAuthentication.Services
 {
     public class EasyAuthWithHeaderService
     {
-        public const string PrincipalNameHeader = "X-MS-CLIENT-PRINCIPAL-NAME";
+        private const string PrincipalNameHeader = "X-MS-CLIENT-PRINCIPAL-NAME";
         /// <summary>
         /// JWT
         /// </summary>
-        public const string PrincipalObjectHeader = "X-MS-CLIENT-PRINCIPAL";
-        public const string PrincipalIdpHeaderName = "X-MS-CLIENT-PRINCIPAL-IDP";
-        public ILogger Logger { get; }
-        public IHeaderDictionary Headers { get; }
+        private const string PrincipalObjectHeader = "X-MS-CLIENT-PRINCIPAL";
+        private const string PrincipalIdpHeaderName = "X-MS-CLIENT-PRINCIPAL-IDP";
+        private ILogger Logger { get; }
+        private IHeaderDictionary Headers { get; }
 
-        public EasyAuthWithHeaderService(
+        private EasyAuthWithHeaderService(
             ILogger logger,
             IHeaderDictionary headers
         )
@@ -37,30 +37,35 @@ IHeaderDictionary headers
         /// </summary>
         /// <param name="logger">a logger</param>
         /// <param name="context">Http context of the request</param>
-        /// <returns>An `AuthenticationTicket`</returns>
+        /// <returns>An <see cref="AuthenticationTicket" /></returns>
         public static AuthenticateResult AuthUser(ILogger logger, HttpContext context)
         {
             var service = new EasyAuthWithHeaderService(logger, context.Request.Headers);
             var ticket = service.BuildIdentityFromEasyAuthRequestHeaders();
+
             logger.LogInformation("Set identity to user context object.");
             context.User = ticket.Principal;
             logger.LogInformation("identity build was a success, returning ticket");
+
             return AuthenticateResult.Success(ticket);
         }
 
         private AuthenticationTicket BuildIdentityFromEasyAuthRequestHeaders()
         {
             var name = this.Headers[PrincipalNameHeader][0];
-            this.Logger.LogDebug($"payload was fetched from easyauth headers, name: {name}");
-
-            var identity = new GenericIdentity(name, AuthenticationTypesNames.Federation); // setting ClaimsIdentity.AuthenticationType to value that azureAd non-easyauth setups use
+            this.Logger.LogDebug($"payload was fetched from EasyAuth headers, name: {name}");
 
             this.Logger.LogInformation("building claims from payload...");
+            var xMsClientPrincipal = JObject.Parse(
+                                        Encoding.UTF8.GetString(
+                                            Convert.FromBase64String(this.Headers[PrincipalObjectHeader][0])
+                                        )
+                                    );
 
-            var xMsClientPrincipal = JObject.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(this.Headers[PrincipalObjectHeader][0])));
             var claims = xMsClientPrincipal["claims"].Children<JObject>();
-            var providerName = this.Headers["X-MS-CLIENT-PRINCIPAL-IDP"][0];
-            return AuthenticationTicketBuilder.Build(claims, name, providerName);
+            var providerName = this.Headers[PrincipalIdpHeaderName][0];
+
+            return AuthenticationTicketBuilder.Build(claims, providerName);
         }
     }
 }