Tags: asp.net-core-webapi, asp.net-core-3.1, pingfederate

Authenticate Angular Application to Web Api with Existing SSO using Ping Federate


We have an existing SSO application with a login form that authenticates to PingFederate.

I am trying to use this same SSO mechanism with Angular CLI 11.

I am to the point where I have the OpenToken returned from PingFederate. What I am trying to do now is set up my ASP.NET Core application to accept this token, validate it, and grant me access to the claims within.

In an older MVC application, this token is decrypted using an OpenToken library with what looks like just a password.

How do I configure my .NET Core 3.1 application to accept and validate this OpenToken?

Here's what I have so far:

services.AddAuthentication()
    .AddOAuth("urn:ietf:params:oauth:grant-type:saml2-bearer", opt =>
    {
        opt.ClientId = Configuration["PingOpenToken:ClientId"];
        opt.ClientSecret = Configuration["PingOpenToken:ClientSecret"];
    });

Here the client secret is the same password we are using to decrypt tokens. I do not know what should be in the Client Id value.

The urn:ietf:params:oauth:grant-type:saml2-bearer came from this Ping documentation.

I am assuming I am going to place the OpenToken that I have in the Authorization header as Bearer {token}.

And just to validate my PingFederate configuration and see if I need to turn anything else on, under my protocol settings, I have:

If I need to turn on OAuth 2.0, I would have no idea how to configure it.


Solution

  • After having a call with a couple of people over at PingFederate, I figured out how to configure and use PF OAuth instead of utilizing their OpenToken implementation.

    The gist is that the user is sent to SSO and when they come back to my Angular app, they hit a URL with a token. Then, I do an API call back to PF with the token to get their OAuth token.

    Then in my API, I have a dual configuration for the Azure AD service principal and PF like this:

    // Requires the Microsoft.AspNetCore.Authentication.JwtBearer package and usings for
    // Microsoft.IdentityModel.Tokens, Microsoft.AspNetCore.Authorization and System.Text.
    services.AddAuthentication()
        // Scheme "azure": signing keys are fetched from the Authority's OpenID Connect discovery document.
        .AddJwtBearer(ApiConstants.AuthenticationSchemes.AzureBearerToken, opt =>
        {
            opt.Audience = Configuration["AzureAd:ResourceId"];
            opt.Authority = $"{Configuration["AzureAd:Instance"]}{Configuration["AzureAd:TenantId"]}";
            opt.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true,
                ValidateAudience = true,
                ValidateLifetime = true,
                // The token signature is still verified; this flag only skips validation of the
                // signing key itself (for example certificate validity dates).
                ValidateIssuerSigningKey = false
            };
        })
        // Scheme "ping": tokens are signed with a shared symmetric key, so issuer, audience
        // and key are pinned explicitly instead of being discovered.
        .AddJwtBearer(ApiConstants.AuthenticationSchemes.PingBearerToken, opt =>
        {
            opt.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true,
                ValidateAudience = true,
                ValidateLifetime = true,
                ValidateIssuerSigningKey = true,
                ValidIssuer = Configuration["PingFederate:JwtIssuer"],
                ValidAudience = Configuration["PingFederate:JwtAudience"],
                IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["PingFederate:JwtSymmetricKey"]))
            };
        });

    // The default policy accepts a token from either scheme: both handlers are tried,
    // and the request is authorized if one of them yields an authenticated user.
    services.AddAuthorization(options =>
    {
        options.DefaultPolicy = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .AddAuthenticationSchemes(ApiConstants.AuthenticationSchemes.PingBearerToken,
                ApiConstants.AuthenticationSchemes.AzureBearerToken)
            .Build();
    });

    My two constants values are "azure" and "ping".
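The "ping" scheme above pins an issuer, an audience and a shared symmetric key, but the answer does not show what those parameters actually reject. The following stand-alone console program is an added example, not code from the question, the answer or PingFederate: it mints test tokens signed with a shared secret and runs them through the same TokenValidationParameters, so you can see each check fail independently. It assumes the System.IdentityModel.Tokens.Jwt NuGet package; the secret, issuer and audience strings are constructed placeholders standing in for the PingFederate:JwtSymmetricKey, JwtIssuer and JwtAudience settings.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

static class PingJwtDemo
{
    // Constructed stand-ins for the PingFederate:* configuration values (hypothetical).
    const string SharedSecret = "replace-with-the-32-byte-or-longer-shared-secret!!";
    const string Issuer = "https://sso.example.test";
    const string Audience = "my-api";

    static SymmetricSecurityKey Key(string secret) =>
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secret));

    // Mirrors the "ping" scheme's TokenValidationParameters from the answer.
    static TokenValidationParameters PingParameters() => new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidateAudience = true,
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true,
        ValidIssuer = Issuer,
        ValidAudience = Audience,
        IssuerSigningKey = Key(SharedSecret),
        // Default skew is 5 minutes; zero makes the "expired one minute ago" case below deterministic.
        ClockSkew = TimeSpan.Zero
    };

    // Mints a test token. In production only PingFederate holds the secret and mints tokens;
    // this exists purely to produce inputs for the validator.
    static string Mint(string issuer, string audience, string secret, DateTime expires)
    {
        var handler = new JwtSecurityTokenHandler();
        var token = handler.CreateJwtSecurityToken(
            issuer: issuer,
            audience: audience,
            subject: new ClaimsIdentity(new[] { new Claim("sub", "jdoe"), new Claim("role", "reader") }),
            notBefore: expires.AddMinutes(-20),   // must be earlier than expires or the handler throws
            expires: expires,
            issuedAt: DateTime.UtcNow,
            signingCredentials: new SigningCredentials(Key(secret), SecurityAlgorithms.HmacSha256));
        return handler.WriteToken(token);
    }

    // Returns the validated principal, or null plus the exception type the JwtBearer middleware would log.
    static ClaimsPrincipal TryValidate(string jwt, out string failure)
    {
        failure = null;
        try
        {
            return new JwtSecurityTokenHandler().ValidateToken(jwt, PingParameters(), out _);
        }
        catch (SecurityTokenException ex)
        {
            failure = ex.GetType().Name;
            return null;
        }
    }

    static void Main()
    {
        var good = Mint(Issuer, Audience, SharedSecret, DateTime.UtcNow.AddMinutes(10));
        var principal = TryValidate(good, out _);
        // JwtSecurityTokenHandler maps "sub" to ClaimTypes.NameIdentifier and "role" to ClaimTypes.Role
        // on the way in, so the claims must be read under those names, not the raw JWT names.
        Console.WriteLine($"valid token   -> user={principal.FindFirst(ClaimTypes.NameIdentifier)?.Value}, " +
                          $"role={principal.FindFirst(ClaimTypes.Role)?.Value}");

        var cases = new (string label, string jwt)[]
        {
            ("wrong issuer",   Mint("https://other.example.test", Audience, SharedSecret, DateTime.UtcNow.AddMinutes(10))),
            ("wrong audience", Mint(Issuer, "other-api", SharedSecret, DateTime.UtcNow.AddMinutes(10))),
            ("expired",        Mint(Issuer, Audience, SharedSecret, DateTime.UtcNow.AddMinutes(-1))),
            ("wrong secret",   Mint(Issuer, Audience, "another-secret-of-at-least-thirty-two-bytes", DateTime.UtcNow.AddMinutes(10))),
        };
        foreach (var (label, jwt) in cases)
        {
            TryValidate(jwt, out var why);
            Console.WriteLine($"{label,-14} -> rejected ({why})");
        }
    }
}
```

Each of the four bad tokens is rejected by a different SecurityTokenException subclass, which is the same exception the JwtBearer handler surfaces through its OnAuthenticationFailed event. The claim-type mapping shown in Main is the usual surprise when moving from the answer's configuration to reading claims in a controller: the "sub" claim is only reachable as ClaimTypes.NameIdentifier unless the inbound claim type map is cleared.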