MicrosoftIdentityOptions.cs
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
namespace Microsoft.Identity.Web
{
/// <summary>
/// Authentication options for Azure Active Directory. Covers both the regular AAD settings
/// and the Azure AD B2C user-flow settings, on top of the inherited OpenID Connect options.
/// </summary>
public class MicrosoftIdentityOptions : OpenIdConnectOptions
{
    /// <summary>
    /// Azure Active Directory instance (authority host), e.g. "https://login.microsoftonline.com".
    /// </summary>
    /// <remarks>
    /// Declared non-nullable but initialised to <c>null!</c>: the value is expected to be
    /// supplied by configuration binding before the options are used.
    /// </remarks>
    public string Instance { get; set; } = null!;

    /// <summary>
    /// Identifier of the tenant to authenticate against.
    /// </summary>
    public string? TenantId { get; set; }

    /// <summary>
    /// Domain of the Azure Active Directory tenant, e.g. contoso.onmicrosoft.com.
    /// </summary>
    public string? Domain { get; set; }

    /// <summary>
    /// B2C user flow used to edit a profile, e.g. b2c_1_edit_profile.
    /// </summary>
    public string? EditProfilePolicyId { get; set; }

    /// <summary>
    /// B2C user flow used to sign up or sign in, e.g. b2c_1_susi.
    /// </summary>
    public string? SignUpSignInPolicyId { get; set; }

    /// <summary>
    /// B2C user flow used to reset a password, e.g. B2C_1_password_reset.
    /// </summary>
    public string? ResetPasswordPolicyId { get; set; }

    /// <summary>
    /// The user flow applied by default, which is the sign-up/sign-in flow
    /// (<see cref="SignUpSignInPolicyId"/>).
    /// </summary>
    public string? DefaultUserFlow => SignUpSignInPolicyId;

    /// <summary>
    /// Enables serialisation and deserialisation of the legacy ADAL token cache format.
    /// Leave <c>false</c> (the default) for MSAL-only applications, which avoids the extra work;
    /// set to <c>true</c> when the cache is shared with ADAL-based applications.
    /// </summary>
    public bool LegacyCacheCompatibilityEnabled { get; set; }

    /// <summary>
    /// Whether these options describe a B2C tenant, which is the case as soon as a
    /// sign-up/sign-in user flow (<see cref="SignUpSignInPolicyId"/>) is set.
    /// A blank or whitespace-only flow name counts as not set.
    /// </summary>
    internal bool IsB2C => !string.IsNullOrWhiteSpace(DefaultUserFlow);

    /// <summary>
    /// Whether the application has a credential it can present to the identity provider:
    /// either a non-blank <c>ClientSecret</c> (inherited) or at least one entry in
    /// <see cref="ClientCertificates"/>.
    /// </summary>
    /// <remarks>
    /// The secret is checked first; the certificate collection is only enumerated when no
    /// usable secret is present.
    /// </remarks>
    internal bool HasClientCredentials
    {
        get
        {
            if (!string.IsNullOrWhiteSpace(ClientSecret))
            {
                return true;
            }

            return ClientCertificates is { } certificates && certificates.Any();
        }
    }

    /// <summary>
    /// Descriptions of the certificates that prove the identity of the web app or web API
    /// to the identity provider. Only the first description is currently used.
    /// </summary>
    /// <example> Example appsettings.json fragment:
    /// <code>
    /// "ClientCertificates": [
    ///   {
    ///     "SourceType": "StoreWithDistinguishedName",
    ///     "CertificateStorePath": "CurrentUser/My",
    ///     "CertificateDistinguishedName": "CN=WebAppCallingWebApiCert"
    ///   }
    /// ]
    /// </code>
    /// See also https://aka.ms/ms-id-web-certificates.
    /// </example>
    public IEnumerable<CertificateDescription>? ClientCertificates { get; set; }

    /// <summary>
    /// Descriptions of the certificates a web API uses to decrypt an encrypted incoming token.
    /// Only the first description is currently used.
    /// </summary>
    /// <example> Example appsettings.json fragment:
    /// <code>
    /// "TokenDecryptionCertificates": [
    ///   {
    ///     "SourceType": "StoreWithDistinguishedName",
    ///     "CertificateStorePath": "CurrentUser/My",
    ///     "CertificateDistinguishedName": "CN=WebAppCallingWebApiCert"
    ///   }
    /// ]
    /// </code>
    /// See also https://aka.ms/ms-id-web-certificates.
    /// </example>
    public IEnumerable<CertificateDescription>? TokenDecryptionCertificates { get; set; }

    /// <summary>
    /// Whether the x5c claim (the public part of the client certificate) is sent to the STS with
    /// token requests. When enabled, Azure AD can validate the certificate's subject name against a
    /// trusted-issuer policy, which allows certificates to be rolled over without the administrator
    /// updating the app registration through the portal or PowerShell/CLI. Defaults to <c>false</c>.
    /// For details see https://aka.ms/msal-net-sni.
    /// </summary>
    public bool SendX5C { get; set; }

    /// <summary>
    /// Allows a web API called by daemon applications to rely on ACL-based authorization instead of
    /// a roles claim. When <c>true</c>, Microsoft Identity Web does not throw if neither roles nor
    /// scopes are present in the claims; the application is then responsible for authorising the
    /// caller itself. Defaults to <c>false</c>. For details see https://aka.ms/ms-identity-web/daemon-ACL.
    /// </summary>
    public bool AllowWebApiToBeAuthorizedByACL { get; set; }

    /// <summary>
    /// Client ID of a user-assigned managed identity to use when the application runs in Azure.
    /// See https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.
    /// </summary>
    public string? UserAssignedManagedIdentityClientId { get; set; }
}
}