cleaning up and consolidating how claim sets are acquired in both easyauth headers and .auth/me json payload cases

robertob · robertob · commit 644b73abb560 · 2018-12-09T19:27:03.000-08:00
diff --git a/src/KK.AspNetCore.EasyAuthAuthentication/EasyAuthAuthenticationHandler.cs b/src/KK.AspNetCore.EasyAuthAuthentication/EasyAuthAuthenticationHandler.cs
@@ -46,7 +46,7 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
                 && !string.IsNullOrEmpty(this.Context.Request.Headers["X-MS-TOKEN-AAD-ID-TOKEN"].ToString()))
             {
                 // build up identity from X-MS-TOKEN-AAD-ID-TOKEN header set by EasyAuth filters if user openid connect session cookie or oauth bearer token authenticated ...
-                var ticket = this.BuildIdentityFromEasyAuthHeaders(this.Context.Request.Headers);
+                var ticket = this.BuildIdentityFromEasyAuthRequestHeaders(this.Context.Request.Headers);
 
                 this.Logger.LogInformation("Set identity to user context object.");
                 this.Context.User = ticket.Principal;
@@ -88,68 +88,56 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
             }
         }
 
-        private AuthenticationTicket BuildIdentityFromEasyAuthHeaders(Microsoft.AspNetCore.Http.IHeaderDictionary requestHeaders)
+        private AuthenticationTicket BuildIdentityFromEasyAuthRequestHeaders(Microsoft.AspNetCore.Http.IHeaderDictionary requestHeaders)
         {
             var name = requestHeaders["X-MS-CLIENT-PRINCIPAL-NAME"][0];
-            var idToken = requestHeaders["X-MS-TOKEN-AAD-ID-TOKEN"][0];
-            var providerName = requestHeaders["X-MS-CLIENT-PRINCIPAL-IDP"][0];
-                        
             this.Logger.LogDebug("payload was fetched from easyauth headers, name: {0}", name);
 
             var identity = new GenericIdentity(name, "AuthenticationTypes.Federation"); // setting ClaimsIdentity.AuthenticationType to value that azuread non-easyauth setups use
 
             this.Logger.LogInformation("building claims from payload...");
 
-            // jwt token decode c# -> https://stackoverflow.com/questions/38340078/how-to-decode-jwt-token/38911599#38911599
-            // nuget.org search on "System.IdentityModel.Tokens.Jwt MicrosoftIdentityModel.Tokens" ->
-            // using System.IdentityModel.Tokens.Jwt 27.8m vs MicrosoftIdentityModel.Tokens 17.5m downloads both v5.3.0 released 10/05/2018
-            var idTokenJwt = new JwtSecurityToken(idToken);
+            var xMsClientPrincipal = JObject.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(requestHeaders["X-MS-CLIENT-PRINCIPAL"][0])));
+            //var nameidentifier = xMsClientPrincipal["claims"].Children<JObject>().FirstOrDefault(c => c["typ"].ToString() == ClaimTypes.NameIdentifier)?["val"].ToString();
             var claims = new List<Claim>();
-            foreach (var claim in idTokenJwt.Claims as List<Claim>)
+            foreach (var claim in xMsClientPrincipal["claims"].Children<JObject>())
             {
-                if (claim.Type == "amr")
+                if (claim["typ"].ToString() == "http://schemas.microsoft.com/claims/authnmethodsreferences")
                 {
-                    foreach (var item in claim.Value.Split(','))
+                    foreach (var item in claim["val"].ToString().Split(','))
                     {
                         claims.Add(new Claim(ClaimTypes.Authentication, item));
                     }
                 }
-                else if (claim.Type == "roles")
+                else if (claim["typ"].ToString() == "roles")
                 {
-                    foreach (var item in claim.Value.Split(','))
+                    foreach (var item in claim["val"].ToString().Split(','))
                     {
                         //(User.Identity as ClaimsIdentity).RoleClaimType must match type that role claims are assigned to for Authorization and IsInRole to work
                         claims.Add(new Claim(ClaimTypes.Role, item));
                     }
                 }
-                else // if (claim.Type != "c_hash")
+                else
                 {
                     //(User.Identity as ClaimsIdentity).NameClaimType must be what name claim is assigned to for User.Identity.Name to work
-                    claims.Add(new Claim(claim.Type, claim.Value));
+                    claims.Add(new Claim(claim["typ"].ToString(), claim["val"].ToString()));
                 }
             }
 
             this.Logger.LogInformation("Add claims to new identity");
 
             identity.AddClaims(claims);
-            var xMsClientPrincipal = JObject.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(requestHeaders["X-MS-CLIENT-PRINCIPAL"][0])));
-            var nameidentifier = xMsClientPrincipal["claims"].Children<JObject>().FirstOrDefault(c => c["typ"].ToString() == ClaimTypes.NameIdentifier)?["val"].ToString();
-            //foreach (var claim in xMsClientPrincipal["claims"]) { if (claim["typ"].ToString() == ClaimTypes.NameIdentifier) { nameidentifier = claim["val"].ToString(); } } // line above works not required
-            identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, nameidentifier));
             //identity.AddClaim(new Claim("id_token", idToken)); // don't think we should be including this
             //identity.AddClaim(new Claim("http://schemas.microsoft.com/claims/authnclassreference", 1)); // don't think we need to add this
-            if (!(identity.Claims as List<Claim>).Exists(claim => claim.Type == "scp")) identity.AddClaim(new Claim("scp", "user_impersonation")); // not sure why easyauth not including this
-            identity.AddClaim(new Claim("provider_name", providerName));
+            if (!(identity.Claims as List<Claim>).Exists(claim => claim.Type == "scp")) identity.AddClaim(new Claim("scp", "user_impersonation")); // not sure why easyauth is dropping this
+            identity.AddClaim(new Claim("provider_name", requestHeaders["X-MS-CLIENT-PRINCIPAL-IDP"][0]));
             var genericPrincipal = new GenericPrincipal(identity, null);
             return new AuthenticationTicket(genericPrincipal, EasyAuthAuthenticationDefaults.AuthenticationScheme);
         }
 
         private AuthenticationTicket BuildIdentityFromEasyAuthMeJson(JObject payload)
         {
             var name = payload["user_id"].Value<string>(); // X-MS-CLIENT-PRINCIPAL-NAME
-            var idToken = payload["id_token"].Value<string>(); // X-MS-TOKEN-AAD-ID-TOKEN
-            var providerName = payload["provider_name"].Value<string>(); // X-MS-CLIENT-PRINCIPAL-IDP
-
             this.Logger.LogDebug("payload was fetched from easyauth me json, name: {0}", name);
 
             var identity = new GenericIdentity(name, "AuthenticationTypes.Federation"); // setting ClaimsIdentity.AuthenticationType to value that azuread non-easyauth setups use
@@ -159,7 +147,7 @@ private AuthenticationTicket BuildIdentityFromEasyAuthMeJson(JObject payload)
             var claims = new List<Claim>();
             foreach (var claim in payload["user_claims"])
             {
-                if (claim["typ"].ToString() == "amr")
+                if (claim["typ"].ToString() == "http://schemas.microsoft.com/claims/authnmethodsreferences")
                 {
                     foreach (var item in claim["val"].ToString().Split(','))
                     {
@@ -174,7 +162,7 @@ private AuthenticationTicket BuildIdentityFromEasyAuthMeJson(JObject payload)
                         claims.Add(new Claim(ClaimTypes.Role, item));
                     }
                 }
-                else // if (claim["typ"].ToString() != "c_hash")
+                else
                 {
                     //(User.Identity as ClaimsIdentity).NameClaimType must be what name claim is assigned to for User.Identity.Name to work
                     claims.Add(new Claim(claim["typ"].ToString(), claim["val"].ToString()));
@@ -186,8 +174,8 @@ private AuthenticationTicket BuildIdentityFromEasyAuthMeJson(JObject payload)
             identity.AddClaims(claims);
             //identity.AddClaim(new Claim("id_token", idToken)); // don't think we should be including this
             //identity.AddClaim(new Claim("http://schemas.microsoft.com/claims/authnclassreference", 1)); // don't think we need to add this
-            if (!(identity.Claims as List<Claim>).Exists(claim => claim.Type == "scp")) identity.AddClaim(new Claim("scp", "user_impersonation")); // not sure why easyauth not including this
-            identity.AddClaim(new Claim("provider_name", providerName));
+            if (!(identity.Claims as List<Claim>).Exists(claim => claim.Type == "scp")) identity.AddClaim(new Claim("scp", "user_impersonation")); // not sure why easyauth is dropping this
+            identity.AddClaim(new Claim("provider_name", payload["provider_name"].Value<string>())); // X-MS-CLIENT-PRINCIPAL-IDP
             var genericPrincipal = new GenericPrincipal(identity, null);
             return new AuthenticationTicket(genericPrincipal, EasyAuthAuthenticationDefaults.AuthenticationScheme);
         }

Original file line number	Diff line number	Diff line change
`@@ -46,7 +46,7 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()`
`46`	`46`	`&& !string.IsNullOrEmpty(this.Context.Request.Headers["X-MS-TOKEN-AAD-ID-TOKEN"].ToString()))`
`47`	`47`	`{`
`48`	`48`	`// build up identity from X-MS-TOKEN-AAD-ID-TOKEN header set by EasyAuth filters if user openid connect session cookie or oauth bearer token authenticated ...`
`49`		`- var ticket = this.BuildIdentityFromEasyAuthHeaders(this.Context.Request.Headers);`
	`49`	`+ var ticket = this.BuildIdentityFromEasyAuthRequestHeaders(this.Context.Request.Headers);`
`50`	`50`
`51`	`51`	`this.Logger.LogInformation("Set identity to user context object.");`
`52`	`52`	`this.Context.User = ticket.Principal;`
`@@ -88,68 +88,56 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()`
`88`	`88`	`}`
`89`	`89`	`}`
`90`	`90`
`91`		`- private AuthenticationTicket BuildIdentityFromEasyAuthHeaders(Microsoft.AspNetCore.Http.IHeaderDictionary requestHeaders)`
	`91`	`+ private AuthenticationTicket BuildIdentityFromEasyAuthRequestHeaders(Microsoft.AspNetCore.Http.IHeaderDictionary requestHeaders)`
`92`	`92`	`{`
`93`	`93`	`var name = requestHeaders["X-MS-CLIENT-PRINCIPAL-NAME"][0];`
`94`		`- var idToken = requestHeaders["X-MS-TOKEN-AAD-ID-TOKEN"][0];`
`95`		`- var providerName = requestHeaders["X-MS-CLIENT-PRINCIPAL-IDP"][0];`
`96`		`-`
`97`	`94`	`this.Logger.LogDebug("payload was fetched from easyauth headers, name: {0}", name);`
`98`	`95`
`99`	`96`	`var identity = new GenericIdentity(name, "AuthenticationTypes.Federation"); // setting ClaimsIdentity.AuthenticationType to value that azuread non-easyauth setups use`
`100`	`97`
`101`	`98`	`this.Logger.LogInformation("building claims from payload...");`
`102`	`99`
`103`		`- // jwt token decode c# -> https://stackoverflow.com/questions/38340078/how-to-decode-jwt-token/38911599#38911599`
`104`		`- // nuget.org search on "System.IdentityModel.Tokens.Jwt MicrosoftIdentityModel.Tokens" ->`
`105`		`- // using System.IdentityModel.Tokens.Jwt 27.8m vs MicrosoftIdentityModel.Tokens 17.5m downloads both v5.3.0 released 10/05/2018`
`106`		`- var idTokenJwt = new JwtSecurityToken(idToken);`
	`100`	`+ var xMsClientPrincipal = JObject.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(requestHeaders["X-MS-CLIENT-PRINCIPAL"][0])));`
	`101`	`+ //var nameidentifier = xMsClientPrincipal["claims"].Children<JObject>().FirstOrDefault(c => c["typ"].ToString() == ClaimTypes.NameIdentifier)?["val"].ToString();`
`107`	`102`	`var claims = new List<Claim>();`
`108`		`- foreach (var claim in idTokenJwt.Claims as List<Claim>)`
	`103`	`+ foreach (var claim in xMsClientPrincipal["claims"].Children<JObject>())`
`109`	`104`	`{`
`110`		`- if (claim.Type == "amr")`
	`105`	`+ if (claim["typ"].ToString() == "http://schemas.microsoft.com/claims/authnmethodsreferences")`
`111`	`106`	`{`
`112`		`- foreach (var item in claim.Value.Split(','))`
	`107`	`+ foreach (var item in claim["val"].ToString().Split(','))`
`113`	`108`	`{`
`114`	`109`	`claims.Add(new Claim(ClaimTypes.Authentication, item));`
`115`	`110`	`}`
`116`	`111`	`}`
`117`		`- else if (claim.Type == "roles")`
	`112`	`+ else if (claim["typ"].ToString() == "roles")`
`118`	`113`	`{`
`119`		`- foreach (var item in claim.Value.Split(','))`
	`114`	`+ foreach (var item in claim["val"].ToString().Split(','))`
`120`	`115`	`{`
`121`	`116`	`//(User.Identity as ClaimsIdentity).RoleClaimType must match type that role claims are assigned to for Authorization and IsInRole to work`
`122`	`117`	`claims.Add(new Claim(ClaimTypes.Role, item));`
`123`	`118`	`}`
`124`	`119`	`}`
`125`		`- else // if (claim.Type != "c_hash")`
	`120`	`+ else`
`126`	`121`	`{`
`127`	`122`	`//(User.Identity as ClaimsIdentity).NameClaimType must be what name claim is assigned to for User.Identity.Name to work`
`128`		`- claims.Add(new Claim(claim.Type, claim.Value));`
	`123`	`+ claims.Add(new Claim(claim["typ"].ToString(), claim["val"].ToString()));`
`129`	`124`	`}`
`130`	`125`	`}`
`131`	`126`
`132`	`127`	`this.Logger.LogInformation("Add claims to new identity");`
`133`	`128`
`134`	`129`	`identity.AddClaims(claims);`
`135`		`- var xMsClientPrincipal = JObject.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(requestHeaders["X-MS-CLIENT-PRINCIPAL"][0])));`
`136`		`- var nameidentifier = xMsClientPrincipal["claims"].Children<JObject>().FirstOrDefault(c => c["typ"].ToString() == ClaimTypes.NameIdentifier)?["val"].ToString();`
`137`		`- //foreach (var claim in xMsClientPrincipal["claims"]) { if (claim["typ"].ToString() == ClaimTypes.NameIdentifier) { nameidentifier = claim["val"].ToString(); } } // line above works not required`
`138`		`- identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, nameidentifier));`
`139`	`130`	`//identity.AddClaim(new Claim("id_token", idToken)); // don't think we should be including this`
`140`	`131`	`//identity.AddClaim(new Claim("http://schemas.microsoft.com/claims/authnclassreference", 1)); // don't think we need to add this`
`141`		`- if (!(identity.Claims as List<Claim>).Exists(claim => claim.Type == "scp")) identity.AddClaim(new Claim("scp", "user_impersonation")); // not sure why easyauth not including this`
`142`		`- identity.AddClaim(new Claim("provider_name", providerName));`
	`132`	`+ if (!(identity.Claims as List<Claim>).Exists(claim => claim.Type == "scp")) identity.AddClaim(new Claim("scp", "user_impersonation")); // not sure why easyauth is dropping this`
	`133`	`+ identity.AddClaim(new Claim("provider_name", requestHeaders["X-MS-CLIENT-PRINCIPAL-IDP"][0]));`
`143`	`134`	`var genericPrincipal = new GenericPrincipal(identity, null);`
`144`	`135`	`return new AuthenticationTicket(genericPrincipal, EasyAuthAuthenticationDefaults.AuthenticationScheme);`
`145`	`136`	`}`
`146`	`137`
`147`	`138`	`private AuthenticationTicket BuildIdentityFromEasyAuthMeJson(JObject payload)`
`148`	`139`	`{`
`149`	`140`	`var name = payload["user_id"].Value<string>(); // X-MS-CLIENT-PRINCIPAL-NAME`
`150`		`- var idToken = payload["id_token"].Value<string>(); // X-MS-TOKEN-AAD-ID-TOKEN`
`151`		`- var providerName = payload["provider_name"].Value<string>(); // X-MS-CLIENT-PRINCIPAL-IDP`
`152`		`-`
`153`	`141`	`this.Logger.LogDebug("payload was fetched from easyauth me json, name: {0}", name);`
`154`	`142`
`155`	`143`	`var identity = new GenericIdentity(name, "AuthenticationTypes.Federation"); // setting ClaimsIdentity.AuthenticationType to value that azuread non-easyauth setups use`
`@@ -159,7 +147,7 @@ private AuthenticationTicket BuildIdentityFromEasyAuthMeJson(JObject payload)`
`159`	`147`	`var claims = new List<Claim>();`
`160`	`148`	`foreach (var claim in payload["user_claims"])`
`161`	`149`	`{`
`162`		`- if (claim["typ"].ToString() == "amr")`
	`150`	`+ if (claim["typ"].ToString() == "http://schemas.microsoft.com/claims/authnmethodsreferences")`
`163`	`151`	`{`
`164`	`152`	`foreach (var item in claim["val"].ToString().Split(','))`
`165`	`153`	`{`
`@@ -174,7 +162,7 @@ private AuthenticationTicket BuildIdentityFromEasyAuthMeJson(JObject payload)`
`174`	`162`	`claims.Add(new Claim(ClaimTypes.Role, item));`
`175`	`163`	`}`
`176`	`164`	`}`
`177`		`- else // if (claim["typ"].ToString() != "c_hash")`
	`165`	`+ else`
`178`	`166`	`{`
`179`	`167`	`//(User.Identity as ClaimsIdentity).NameClaimType must be what name claim is assigned to for User.Identity.Name to work`
`180`	`168`	`claims.Add(new Claim(claim["typ"].ToString(), claim["val"].ToString()));`
`@@ -186,8 +174,8 @@ private AuthenticationTicket BuildIdentityFromEasyAuthMeJson(JObject payload)`
`186`	`174`	`identity.AddClaims(claims);`
`187`	`175`	`//identity.AddClaim(new Claim("id_token", idToken)); // don't think we should be including this`
`188`	`176`	`//identity.AddClaim(new Claim("http://schemas.microsoft.com/claims/authnclassreference", 1)); // don't think we need to add this`
`189`		`- if (!(identity.Claims as List<Claim>).Exists(claim => claim.Type == "scp")) identity.AddClaim(new Claim("scp", "user_impersonation")); // not sure why easyauth not including this`
`190`		`- identity.AddClaim(new Claim("provider_name", providerName));`
	`177`	`+ if (!(identity.Claims as List<Claim>).Exists(claim => claim.Type == "scp")) identity.AddClaim(new Claim("scp", "user_impersonation")); // not sure why easyauth is dropping this`
	`178`	`+ identity.AddClaim(new Claim("provider_name", payload["provider_name"].Value<string>())); // X-MS-CLIENT-PRINCIPAL-IDP`
`191`	`179`	`var genericPrincipal = new GenericPrincipal(identity, null);`
`192`	`180`	`return new AuthenticationTicket(genericPrincipal, EasyAuthAuthenticationDefaults.AuthenticationScheme);`
`193`	`181`	`}`