I've got an OpenIdConnect service running (Thinktecture IdSvr) and I can login to my app perfectly.
When a user successfully logs in using OpenId Connect I want to check if they exist in my client user store and either allow them to continue or log them out.
To do that I'm handling the AuthorizationCodeReceived event in the OpenIdConnectAuthenticationOptions.Notifications, but I can't work out how to prevent the user from successfully logging on. I assumed that not setting the n.AuthenticationTicket would prevent a principal from being created.
    var userInfoClient = GetUserInfoClient();
    var userInfo = await userInfoClient.GetAsync();
    var email = GetEmailAddr(userInfo);
    var user = GetClientUser(email);
    if (user != null)
    {
        // start from the claims the middleware already validated from the id_token
        var claims = n.AuthenticationTicket.Identity.Claims.ToList();

        // access and refresh token
        var tokenClient = GetTokenClient();
        var tokenResponse = await GetToken(tokenClient);
        claims.Add(new Claim("access_token", tokenResponse.AccessToken));
        claims.Add(new Claim("expires_at", DateTime.Now.AddSeconds(tokenResponse.ExpiresIn).ToLocalTime().ToString()));
        claims.Add(new Claim("refresh_token", tokenResponse.RefreshToken));
        claims.Add(new Claim("id_token", n.ProtocolMessage.IdToken));

        // replace the ticket with one carrying the extra token claims
        n.AuthenticationTicket = new AuthenticationTicket(
            new ClaimsIdentity(
                claims.Distinct(new ClaimComparer()),
                n.AuthenticationTicket.Identity.AuthenticationType),
            n.AuthenticationTicket.Properties);
    }
This was simple. All I did was throw a new SecurityException in the AuthorizationCodeReceived event.
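Putting the answer together as an added example (not the poster's code): the AuthorizationCodeReceived handler checks a client-side user store and throws a SecurityException when the user is unknown, and an AuthenticationFailed handler turns that exception into a controlled redirect rather than an error page. The IClientUserStore interface and the /Account/AccessDenied route are assumptions for the example; it also assumes the id_token email claim has been mapped to ClaimTypes.Email.

```csharp
using System;
using System.Linq;
using System.Security;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OpenIdConnect;

// Hypothetical client-side user store; the question does not define one.
public interface IClientUserStore
{
    Task<bool> ExistsAsync(string email);
}

public static class OidcNotifications
{
    public static OpenIdConnectAuthenticationNotifications Build(IClientUserStore users)
    {
        return new OpenIdConnectAuthenticationNotifications
        {
            AuthorizationCodeReceived = async n =>
            {
                // Email taken from the validated id_token claims; the question's
                // version fetches it from the user info endpoint instead.
                var email = n.AuthenticationTicket.Identity.FindFirst(ClaimTypes.Email)?.Value;

                if (string.IsNullOrEmpty(email) || !await users.ExistsAsync(email))
                {
                    // Throwing aborts the handshake: the ticket is never signed in
                    // and the middleware raises AuthenticationFailed instead.
                    throw new SecurityException("User is not provisioned in the client application.");
                }
            },

            AuthenticationFailed = n =>
            {
                // Only our own rejection is turned into a redirect; other failures
                // (bad signature, expired token, ...) keep the default handling.
                if (n.Exception is SecurityException)
                {
                    n.HandleResponse();                      // stop further middleware processing
                    n.Response.Redirect("/Account/AccessDenied");
                }
                return Task.FromResult(0);
            }
        };
    }
}
```

Assign the result to OpenIdConnectAuthenticationOptions.Notifications in Startup.Configuration; unknown users never get a cookie, so the user store check does not need to be repeated elsewhere in the app.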