// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
using System.Collections.Generic;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
namespace Microsoft.Identity.Web
{
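/// <summary>
/// Options for configuring authentication against Azure Active Directory (AAD) or
/// Azure Active Directory B2C. A single options type carries both the AAD and the B2C settings;
/// the B2C-specific ones are the user-flow (policy) identifiers below.
/// </summary>
public class MicrosoftIdentityOptions : OpenIdConnectOptions
{
    /// <summary>
    /// Gets or sets the Azure Active Directory instance, e.g. "https://login.microsoftonline.com".
    /// </summary>
    public string Instance { get; set; }

    /// <summary>
    /// Gets or sets the tenant Id.
    /// </summary>
    public string TenantId { get; set; }

    /// <summary>
    /// Gets or sets the domain of the Azure Active Directory tenant, e.g. contoso.onmicrosoft.com.
    /// </summary>
    public string Domain { get; set; }

    /// <summary>
    /// In a web app, gets or sets the RedirectUri (the URI where the token will be sent back by
    /// Azure Active Directory or Azure Active Directory B2C).
    /// This property is exclusive with <see cref="RemoteAuthenticationOptions.CallbackPath"/>, which should be
    /// preferred if you don't want your deployed configuration to differ from your developer configuration.
    /// There are cases where RedirectUri is needed, for instance when you use a reverse proxy that transforms HTTPS
    /// URLs (external world) to HTTP URLs (inside the protected area). This can also be useful for web apps running
    /// in containers (for the same reasons).
    /// If you don't specify the redirect URI, it is computed from the URL on which the app is
    /// deployed and the CallbackPath.
    /// </summary>
    /// <remarks>
    /// An explicit value is taken as-is, so it must be the externally visible (post-proxy) URL;
    /// a value that points inside the protected area would never be reachable by the user's browser.
    /// </remarks>
    public string RedirectUri { get; set; }

    /// <summary>
    /// In a web app, gets or sets the PostLogoutRedirectUri.
    /// This property is exclusive with <see cref="OpenIdConnectOptions.SignedOutCallbackPath"/>, which should be
    /// preferred if you don't want your deployed configuration to differ from your developer configuration.
    /// There are cases where PostLogoutRedirectUri is needed, for instance when you use a reverse proxy that transforms HTTPS
    /// URLs (external world) to HTTP URLs (inside the protected area). This can also be useful for web apps running
    /// in containers (for the same reasons).
    /// If you don't specify the PostLogoutRedirectUri, it is computed by ASP.NET Core using the SignedOutCallbackPath.
    /// </summary>
    public string PostLogoutRedirectUri { get; set; }

    /// <summary>
    /// When set to true, forces the <see cref="OpenIdConnectMessage.RedirectUri"/> and the
    /// <see cref="OpenIdConnectMessage.PostLogoutRedirectUri"/> to use the HTTPS scheme.
    /// This behavior can be desired, for instance, when you use a reverse proxy that transforms HTTPS
    /// URLs (external world) to HTTP URLs (inside the protected area). This can also be useful for web apps running
    /// in containers (for the same reasons), for example when deploying your web app to
    /// Azure App Services in Linux containers.
    /// </summary>
    /// <remarks>
    /// Behind a TLS-terminating proxy the app itself only sees http:// requests, so a redirect URI computed
    /// from the incoming request would carry the wrong scheme; this flag rewrites it to https.
    /// The default is <c>false</c>.
    /// </remarks>
    public bool ForceHttpsRedirectUris { get; set; }

    /// <summary>
    /// Gets or sets whether TokenAcquisition is registered as a Singleton. There are scenarios, like using the Graph SDK,
    /// which require TokenAcquisition to be a Singleton. The default is <c>false</c>.
    /// </summary>
    public bool SingletonTokenAcquisition { get; set; }

    /// <summary>
    /// Gets or sets the edit profile user flow name for B2C, e.g. b2c_1_edit_profile.
    /// </summary>
    public string EditProfilePolicyId { get; set; }

    /// <summary>
    /// Gets or sets the sign up or sign in user flow name for B2C, e.g. b2c_1_susi.
    /// Setting this property is what marks the options as B2C (see <see cref="IsB2C"/>).
    /// </summary>
    public string SignUpSignInPolicyId { get; set; }

    /// <summary>
    /// Gets or sets the reset password user flow name for B2C, e.g. B2C_1_password_reset.
    /// </summary>
    public string ResetPasswordPolicyId { get; set; }

    /// <summary>
    /// Gets the default user flow, which is the sign up / sign in flow (<see cref="SignUpSignInPolicyId"/>).
    /// </summary>
    public string DefaultUserFlow => SignUpSignInPolicyId;

    /// <summary>
    /// Gets a value indicating whether these options describe a B2C tenant: true when
    /// <see cref="SignUpSignInPolicyId"/> (exposed as <see cref="DefaultUserFlow"/>) holds a non-blank value.
    /// </summary>
    internal bool IsB2C => !string.IsNullOrWhiteSpace(DefaultUserFlow);

    /// <summary>
    /// Description of the certificates used to prove the identity of the Web app or Web API.
    /// For the moment only the first certificate is considered.
    /// </summary>
    /// <remarks>
    /// The description tells the library where to load the certificate from (a certificate store in the
    /// example below). Prefer store-based descriptions so that private key material stays out of
    /// application settings and source control.
    /// </remarks>
    /// <example> An example in the appsettings.json:
    /// <code>
    /// "ClientCertificates": [
    ///   {
    ///     "SourceType": "StoreWithDistinguishedName",
    ///     "CertificateStorePath": "CurrentUser/My",
    ///     "CertificateDistinguishedName": "CN=WebAppCallingWebApiCert"
    ///   }
    /// ]
    /// </code>
    /// See also https://aka.ms/ms-id-web-certificates.
    /// </example>
    public IEnumerable<CertificateDescription> ClientCertificates { get; set; }

    /// <summary>
    /// Description of the certificates used to decrypt an encrypted token in a Web API.
    /// For the moment only the first certificate is considered.
    /// </summary>
    /// <remarks>
    /// As with <see cref="ClientCertificates"/>, the description names a certificate source; prefer a
    /// certificate store over embedding key material in configuration.
    /// </remarks>
    /// <example> An example in the appsettings.json:
    /// <code>
    /// "TokenDecryptionCertificates": [
    ///   {
    ///     "SourceType": "StoreWithDistinguishedName",
    ///     "CertificateStorePath": "CurrentUser/My",
    ///     "CertificateDistinguishedName": "CN=WebAppCallingWebApiCert"
    ///   }
    /// ]
    /// </code>
    /// See also https://aka.ms/ms-id-web-certificates.
    /// </example>
    public IEnumerable<CertificateDescription> TokenDecryptionCertificates { get; set; }

    /// <summary>
    /// Specifies if the x5c claim (public key of the certificate) should be sent to the STS.
    /// Sending the x5c enables application developers to achieve easy certificate rollover in Azure AD:
    /// this method will send the public certificate to Azure AD along with the token request,
    /// so that Azure AD can use it to validate the subject name based on a trusted issuer policy.
    /// This saves the application admin from the need to explicitly manage the certificate rollover
    /// (either via portal or PowerShell/CLI operation). For details see https://aka.ms/msal-net-sni.
    /// The default is <c>false</c>.
    /// </summary>
    /// <remarks>
    /// Only the public certificate travels in the x5c claim; the private key is never sent.
    /// </remarks>
    public bool SendX5C { get; set; }
}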
}