diff --git a/Core/OfficeDevPnP.Core/AuthenticationManager.cs b/Core/OfficeDevPnP.Core/AuthenticationManager.cs
index 80812b4267..1789d7551c 100644
--- a/Core/OfficeDevPnP.Core/AuthenticationManager.cs
+++ b/Core/OfficeDevPnP.Core/AuthenticationManager.cs
@@ -613,7 +613,7 @@ public ClientContext GetHighTrustCertificateAppAuthenticatedContext(string siteU
 // Configure the handler to generate the Bearer Access Token on each request and add it to the request
 clientContext.ExecutingWebRequest += (sender, args) =>
 {
- var accessToken = TokenHelper.GetS2SAccessTokenWithUserName(siteUri, loginName);
+ var accessToken = TokenHelper.GetS2SAccessTokenWithWindowsUserName(siteUri, loginName);
 args.WebRequestExecutor.RequestHeaders["Authorization"] = "Bearer " + accessToken;
 };
 
diff --git a/Core/OfficeDevPnP.Core/Utilities/TokenHelper.cs b/Core/OfficeDevPnP.Core/Utilities/TokenHelper.cs
index 78cec060aa..96f61ed7dd 100644
--- a/Core/OfficeDevPnP.Core/Utilities/TokenHelper.cs
+++ b/Core/OfficeDevPnP.Core/Utilities/TokenHelper.cs
@@ -523,13 +523,15 @@ public static string GetAppContextTokenRequestUrl(string contextUrl, string redi
 /// Url of the target SharePoint site
 /// Windows identity of the user on whose behalf to create the access token
 /// An access token with an audience of the target principal
- public static string GetS2SAccessTokenWithWindowsIdentity(
- Uri targetApplicationUri,
- WindowsIdentity identity)
+ public static string GetS2SAccessTokenWithWindowsIdentity(Uri targetApplicationUri, WindowsIdentity identity)
 {
- string realm = string.IsNullOrEmpty(Realm) ? GetRealmFromTargetUrl(targetApplicationUri) : Realm;
+ string realm = string.IsNullOrWhiteSpace(Realm)
+ ? GetRealmFromTargetUrl(targetApplicationUri)
+ : Realm;
 
- JsonWebTokenClaim[] claims = identity != null ? GetClaimsWithWindowsIdentity(identity) : null;
+ JsonWebTokenClaim[] claims = identity != null
+ ? GetClaimsWithWindowsIdentity(identity)
+ : null;
 
 return GetS2SAccessTokenWithClaims(targetApplicationUri.Authority, realm, claims);
 }
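Review bot: The `Realm` fallback ternary introduced on the first added lines of this hunk is repeated verbatim in `GetS2SAccessTokenWithWindowsUserName` and again in the new `GetS2SAccessTokenWithClaimsIdentity` in the following hunk, so three copies now have to be kept in step; a single private helper, `private static string ResolveRealm(Uri targetApplicationUri) => string.IsNullOrWhiteSpace(Realm) ? GetRealmFromTargetUrl(targetApplicationUri) : Realm;`, would let each method call `string realm = ResolveRealm(targetApplicationUri);`. Note also that moving from `IsNullOrEmpty` to `IsNullOrWhiteSpace` is a small behavior change: a whitespace-only `Realm` setting now triggers realm discovery against the target URL instead of being passed through as the realm, which seems intended but deserves a sentence in the commit description. The `identity != null` test would read more idiomatically as `identity is not null`.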
@@ -540,18 +542,41 @@ public static string GetS2SAccessTokenWithUserName(
 /// web.config, an auth challenge will be issued to the targetApplicationUri to discover it.
 ///
 /// Url of the target SharePoint site
- /// Name of the user (login name) on whose behalf to create the access token
+ /// Name of the user (login name) on whose behalf to create the access token. Supported name formats are SID and User Principal Name (UPN)
 /// An access token with an audience of the target principal
- public static string GetS2SAccessTokenWithUserName(
- Uri targetApplicationUri,
- string identity)
+ public static string GetS2SAccessTokenWithWindowsUserName(Uri targetApplicationUri, string identity)
 {
- string realm = string.IsNullOrEmpty(Realm) ? GetRealmFromTargetUrl(targetApplicationUri) : Realm;
+ string realm = string.IsNullOrWhiteSpace(Realm)
+ ? GetRealmFromTargetUrl(targetApplicationUri)
+ : Realm;
 
 JsonWebTokenClaim[] claims = string.IsNullOrWhiteSpace(identity)
- ? GetClaimsWithUserName(identity)
+ ? null
+ : GetClaimsWithWindowsUserName(identity);
+
+ return GetS2SAccessTokenWithClaims(targetApplicationUri.Authority, realm, claims);
+ }
+
+ ///
+ /// Retrieves an S2S access token signed by the application's private certificate on behalf of the specified
+ /// user name and intended for the SharePoint at the targetApplicationUri. If no Realm is specified in
+ /// web.config, an auth challenge will be issued to the targetApplicationUri to discover it.
+ ///
+ /// Url of the target SharePoint site
+ /// Claims identity of the user on whose behalf to create the access token
+ /// An access token with an audience of the target principal
+ public static string GetS2SAccessTokenWithClaimsIdentity(Uri targetApplicationUri, System.Security.Claims.ClaimsIdentity identity)
+ {
+ string realm = string.IsNullOrWhiteSpace(Realm)
+ ? GetRealmFromTargetUrl(targetApplicationUri)
+ : Realm;
+
+ JsonWebTokenClaim[] claims = identity != null
+ ? GetClaimsWithClaimsIdentity(identity, IdentityClaimType, TrustedIdentityTokenIssuerName)
 : null;
 
+ string accessToken = GetS2SAccessTokenWithClaims(targetApplicationUri.Authority, realm, claims);
+ return GetS2SAccessTokenWithClaims(targetApplicationUri.Authority, realm, claims);
 }
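Review bot: In the new `GetS2SAccessTokenWithClaimsIdentity`, the local `accessToken` is assigned and then never read, because the return line on the next added line calls `GetS2SAccessTokenWithClaims` a second time with the same arguments, so the token is built (and, per the method's own summary, signed) twice per call; either drop the local and keep `return GetS2SAccessTokenWithClaims(targetApplicationUri.Authority, realm, claims);`, or keep it and `return accessToken;`. Separately, `GetS2SAccessTokenWithWindowsUserName` now maps a blank `identity` to `claims = null` instead of rejecting it, so a caller that passes an empty login name receives whatever `GetS2SAccessTokenWithClaims` issues for a null claims array — presumably a token carrying no user claims at all — rather than an error, which sits oddly with the "on behalf of the user" contract in the summary; `ArgumentException.ThrowIfNullOrWhiteSpace(identity);` (or an explicit throw on older targets) would make that boundary explicit. Finally, the public `GetS2SAccessTokenWithUserName` is renamed rather than kept, which breaks external callers at compile time; an `[Obsolete("Use GetS2SAccessTokenWithWindowsUserName")]` overload under the old name that forwards to the new one would preserve compatibility for one release.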
@@ -564,20 +589,28 @@ public static string GetS2SAccessTokenWithUserName(
 /// Url of the target SharePoint site
 /// Windows identity of the user on whose behalf to create the access token
 /// A ClientContext using an access token with an audience of the target application
- public static ClientContext GetS2SClientContextWithWindowsIdentity(
- Uri targetApplicationUri,
- WindowsIdentity identity)
+ public static ClientContext GetS2SClientContextWithWindowsIdentity(Uri targetApplicationUri, WindowsIdentity identity)
 {
- string realm = string.IsNullOrEmpty(Realm) ? GetRealmFromTargetUrl(targetApplicationUri) : Realm;
+ string accessToken = GetS2SAccessTokenWithWindowsIdentity(targetApplicationUri, identity);
 
- JsonWebTokenClaim[] claims = identity != null
- ? GetClaimsWithWindowsIdentity(identity)
- : null;
+ return GetClientContextWithAccessToken(targetApplicationUri.ToString(), accessToken);
+ }
 
- string accessToken = GetS2SAccessTokenWithClaims(targetApplicationUri.Authority, realm, claims);
+ ///
+ /// Retrieves an S2S client context with an access token signed by the application's private certificate on
+ /// behalf of the specified WindowsIdentity and intended for application at the targetApplicationUri using the
+ /// targetRealm. If no Realm is specified in web.config, an auth challenge will be issued to the
+ /// targetApplicationUri to discover it.
+ ///
+ /// Url of the target SharePoint site
+ /// Name of the user (login name) on whose behalf to create the access token. Supported name formats are SID and User Principal Name (UPN)
+ /// A ClientContext using an access token with an audience of the target application
+ public static ClientContext GetS2SClientContextWithWindowsUserName(Uri targetApplicationUri, string identity)
+ {
+ string accessToken = GetS2SAccessTokenWithWindowsUserName(targetApplicationUri, identity);
 
 return GetClientContextWithAccessToken(targetApplicationUri.ToString(), accessToken);
- }
+ }
 
 ///
 /// Retrieves an S2S client context with an access token signed by the application's private certificate on
@@ -597,11 +630,7 @@ public static ClientContext GetS2SClientContextWithWindowsIdentity(
 /// A ClientContext using an access token with an audience of the target application
 public static ClientContext GetS2SClientContextWithClaimsIdentity(Uri targetApplicationUri, System.Security.Claims.ClaimsIdentity identity)
 {
- string realm = string.IsNullOrEmpty(Realm) ? GetRealmFromTargetUrl(targetApplicationUri) : Realm;
-
- JsonWebTokenClaim[] claims = identity != null ? GetClaimsWithClaimsIdentity(identity, IdentityClaimType, TrustedIdentityTokenIssuerName) : null;
-
- string accessToken = GetS2SAccessTokenWithClaims(targetApplicationUri.Authority, realm, claims);
+ string accessToken = GetS2SAccessTokenWithClaimsIdentity(targetApplicationUri, identity);
 
 return GetClientContextWithAccessToken(targetApplicationUri.ToString(), accessToken);
 }
@@ -1074,10 +1103,10 @@ private static JsonWebTokenClaim[] GetClaimsWithWindowsIdentity(WindowsIdentity
 throw new ArgumentNullException("identity");
 }
 #endif
- return GetClaimsWithUserName(identity.User.Value);
+ return GetClaimsWithWindowsUserName(identity.User.Value);
 }
 
- private static JsonWebTokenClaim[] GetClaimsWithUserName(string identity)
+ private static JsonWebTokenClaim[] GetClaimsWithWindowsUserName(string identity)
 {
 #if DEBUG
 if (string.IsNullOrWhiteSpace(identity))
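Review bot: The summary added for `GetS2SClientContextWithWindowsUserName` is carried over from the WindowsIdentity overload and no longer matches the signature: it speaks of "the specified WindowsIdentity" and of "using the targetRealm", but this method takes a login-name string and has no realm parameter. Suggest `/// behalf of the specified user name (SID or UPN) and intended for the application at the targetApplicationUri.` and dropping the "using the targetRealm" clause, so the summary agrees with the parameter line below it. The `- }` / `+ }` pair closing the method appears to be a whitespace-only change on the brace; if so, it is easier to review when kept out of a commit that also changes behavior.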