IIS => Auth 2.0

Author: HaoK

samples/IISSample/Startup.cs

@@ -1,4 +1,4 @@
-using System;
+using System;
 using System.Linq;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;

src/Microsoft.AspNetCore.Server.IISIntegration/AuthenticationHandler.cs

@@ -1,138 +1,104 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
-using System.Linq;
-using System.Security.Claims;
+using System.Globalization;
+using System.Security.Principal;
 using System.Threading.Tasks;
-using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Http;
-using Microsoft.AspNetCore.Http.Authentication;
-using Microsoft.AspNetCore.Http.Features.Authentication;
 using Microsoft.Extensions.Internal;
+using Microsoft.Extensions.Primitives;
 
 namespace Microsoft.AspNetCore.Server.IISIntegration
 {
     internal class AuthenticationHandler : IAuthenticationHandler
     {
-        internal AuthenticationHandler(HttpContext httpContext, IISOptions options, ClaimsPrincipal user)
-        {
-            HttpContext = httpContext;
-            User = user;
-            Options = options;
-        }
-
-        internal HttpContext HttpContext { get; }
+        private const string MSAspNetCoreWinAuthToken = "MS-ASPNETCORE-WINAUTHTOKEN";
+        private WindowsPrincipal _user;
+        private HttpContext _context;
 
-        internal IISOptions Options { get; }
+        internal AuthenticationScheme Scheme { get; private set; }
 
-        internal ClaimsPrincipal User { get; }
-
-        internal IAuthenticationHandler PriorHandler { get; set; }
-
-        public Task AuthenticateAsync(AuthenticateContext context)
+        public Task<AuthenticateResult> AuthenticateAsync() 
         {
-            if (ShouldHandleScheme(context.AuthenticationScheme))
+            var user = GetUser();
+            if (user != null)
             {
-                if (User != null)
-                {
-                    context.Authenticated(User, properties: null, description: null);
-                }
-                else
-                {
-                    context.NotAuthenticated();
-                }
+                return Task.FromResult(AuthenticateResult.Success(new AuthenticationTicket(user, Scheme.Name)));
             }
-
-            if (PriorHandler != null)
+            else
             {
-                return PriorHandler.AuthenticateAsync(context);
+                return Task.FromResult(AuthenticateResult.None());
             }
-
-            return TaskCache.CompletedTask;
         }
 
-        public Task ChallengeAsync(ChallengeContext context)
+        private WindowsPrincipal GetUser()
         {
-            // Some other provider may have already accepted this challenge. Having multiple providers with
-            // AutomaticChallenge = true is considered invalid, but changing the default would breaking
-            // normal Windows auth users.
-            if (!context.Accepted && ShouldHandleScheme(context.AuthenticationScheme))
+            if (_user == null)
             {
-                switch (context.Behavior)
-                {
-                    case ChallengeBehavior.Automatic:
-                        // If there is a principal already, invoke the forbidden code path
-                        if (User == null)
-                        {
-                            goto case ChallengeBehavior.Unauthorized;
-                        }
-                        else
-                        {
-                            goto case ChallengeBehavior.Forbidden;
-                        }
-                    case ChallengeBehavior.Unauthorized:
-                        HttpContext.Response.StatusCode = 401;
-                        // We would normally set the www-authenticate header here, but IIS does that for us.
-                        break;
-                    case ChallengeBehavior.Forbidden:
-                        HttpContext.Response.StatusCode = 403;
-                        break;
-                }
-                context.Accept();
-            }
+                var tokenHeader = _context.Request.Headers[MSAspNetCoreWinAuthToken];
 
-            if (PriorHandler != null)
-            {
-                return PriorHandler.ChallengeAsync(context);
-            }
+                int hexHandle;
+                if (!StringValues.IsNullOrEmpty(tokenHeader)
+                    && int.TryParse(tokenHeader, NumberStyles.HexNumber, CultureInfo.InvariantCulture, out hexHandle))
+                {
+                    // Always create the identity if the handle exists, we need to dispose it so it does not leak.
+                    var handle = new IntPtr(hexHandle);
+                    var winIdentity = new WindowsIdentity(handle);
 
-            return TaskCache.CompletedTask;
-        }
+                    // WindowsIdentity just duplicated the handle so we need to close the original.
+                    NativeMethods.CloseHandle(handle);
 
-        public void GetDescriptions(DescribeSchemesContext context)
-        {
-            foreach (var description in Options.AuthenticationDescriptions)
-            {
-                context.Accept(description.Items);
+                    _context.Response.RegisterForDispose(winIdentity);
+                    _user = new WindowsPrincipal(winIdentity);
+                }
             }
 
-            if (PriorHandler != null)
-            {
-                PriorHandler.GetDescriptions(context);
-            }
+            return _user;
         }
 
-        public Task SignInAsync(SignInContext context)
+
+        public Task ChallengeAsync(ChallengeContext context)
         {
-            // Not supported, fall through
-            if (PriorHandler != null)
+            switch (context.Behavior)
             {
-                return PriorHandler.SignInAsync(context);
+                case ChallengeBehavior.Automatic:
+                    // If there is a principal already, invoke the forbidden code path
+                    if (GetUser() == null)
+                    {
+                        goto case ChallengeBehavior.Unauthorized;
+                    }
+                    else
+                    {
+                        goto case ChallengeBehavior.Forbidden;
+                    }
+                case ChallengeBehavior.Unauthorized:
+                    context.HttpContext.Response.StatusCode = 401;
+                    // We would normally set the www-authenticate header here, but IIS does that for us.
+                    break;
+                case ChallengeBehavior.Forbidden:
+                    context.HttpContext.Response.StatusCode = 403;
+                    break;
             }
-
             return TaskCache.CompletedTask;
         }
 
-        public Task SignOutAsync(SignOutContext context)
+        public Task InitializeAsync(AuthenticationScheme scheme, HttpContext context)
         {
-            // Not supported, fall through
-            if (PriorHandler != null)
-            {
-                return PriorHandler.SignOutAsync(context);
-            }
-
+            Scheme = scheme;
+            _context = context;
             return TaskCache.CompletedTask;
         }
 
-        private bool ShouldHandleScheme(string authenticationScheme)
+        public Task SignInAsync(SignInContext context)
         {
-            if (Options.AutomaticAuthentication && string.Equals(AuthenticationManager.AutomaticScheme, authenticationScheme, StringComparison.Ordinal))
-            {
-                return true;
-            }
+            throw new NotSupportedException();
+        }
 
-            return Options.AuthenticationDescriptions.Any(description => string.Equals(description.AuthenticationScheme, authenticationScheme, StringComparison.Ordinal));
+        public Task SignOutAsync(SignOutContext context)
+        {
+            return TaskCache.CompletedTask;
         }
     }
 }

src/Microsoft.AspNetCore.Server.IISIntegration/IISMiddleware.cs

@@ -2,15 +2,14 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
+using System.Collections.Generic;
 using System.Diagnostics;
-using System.Globalization;
-using System.Security.Principal;
+using System.Linq;
 using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Http.Features;
-using Microsoft.AspNetCore.Http.Features.Authentication;
-using Microsoft.Extensions.Internal;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using Microsoft.Extensions.Primitives;
@@ -19,7 +18,8 @@ namespace Microsoft.AspNetCore.Server.IISIntegration
 {
     public class IISMiddleware
     {
-        private const string MSAspNetCoreWinAuthToken = "MS-ASPNETCORE-WINAUTHTOKEN";
+        public static readonly string AuthenticationScheme = "Windows";
+
         private const string MSAspNetCoreClientCert = "MS-ASPNETCORE-CLIENTCERT";
         private const string MSAspNetCoreToken = "MS-ASPNETCORE-TOKEN";
 
@@ -28,7 +28,7 @@ public class IISMiddleware
         private readonly ILogger _logger;
         private readonly string _pairingToken;
 
-        public IISMiddleware(RequestDelegate next, ILoggerFactory loggerFactory, IOptions<IISOptions> options, string pairingToken)
+        public IISMiddleware(RequestDelegate next, ILoggerFactory loggerFactory, IOptions<IISOptions> options, string pairingToken, IAuthenticationSchemeProvider authentication)
         {
             if (next == null)
             {
@@ -49,6 +49,13 @@ public IISMiddleware(RequestDelegate next, ILoggerFactory loggerFactory, IOption
 
             _next = next;
             _options = options.Value;
+
+
+            if (_options.ForwardWindowsAuthentication)
+            {
+                authentication.AddScheme(new AuthenticationScheme(AuthenticationScheme, displayName: null, handlerType: typeof(AuthenticationHandler)));
+            }
+
             _pairingToken = pairingToken;
             _logger = loggerFactory.CreateLogger<IISMiddleware>();
         }
@@ -80,80 +87,14 @@ public async Task Invoke(HttpContext httpContext)
 
             if (_options.ForwardWindowsAuthentication)
             {
-                var winPrincipal = UpdateUser(httpContext);
-                var handler = new AuthenticationHandler(httpContext, _options, winPrincipal);
-                AttachAuthenticationHandler(handler);
-                try
-                {
-                    await _next(httpContext);
-                }
-                finally
-                {
-                   DetachAuthenticationhandler(handler);
-                }
-            }
-            else
-            {
-                await _next(httpContext);
-            }
-        }
-
-        private WindowsPrincipal UpdateUser(HttpContext httpContext)
-        {
-            var tokenHeader = httpContext.Request.Headers[MSAspNetCoreWinAuthToken];
-
-            int hexHandle;
-            WindowsPrincipal winPrincipal = null;
-            if (!StringValues.IsNullOrEmpty(tokenHeader)
-                && int.TryParse(tokenHeader, NumberStyles.HexNumber, CultureInfo.InvariantCulture, out hexHandle))
-            {
-                // Always create the identity if the handle exists, we need to dispose it so it does not leak.
-                var handle = new IntPtr(hexHandle);
-                var winIdentity = new WindowsIdentity(handle);
-
-                // WindowsIdentity just duplicated the handle so we need to close the original.
-                NativeMethods.CloseHandle(handle);
-
-                httpContext.Response.RegisterForDispose(winIdentity);
-                winPrincipal = new WindowsPrincipal(winIdentity);
-
-                if (_options.AutomaticAuthentication)
+                var result = await httpContext.AuthenticateAsync(AuthenticationScheme);
+                if (result.Succeeded)
                 {
-                    // Don't get it from httpContext.User, that always returns a non-null anonymous user by default.
-                    var existingPrincipal = httpContext.Features.Get<IHttpAuthenticationFeature>()?.User;
-                    if (existingPrincipal != null)
-                    {
-                        httpContext.User = SecurityHelper.MergeUserPrincipal(existingPrincipal, winPrincipal);
-                    }
-                    else
-                    {
-                        httpContext.User = winPrincipal;
-                    }
+                    httpContext.User = result.Principal;
                 }
             }
 
-            return winPrincipal;
-        }
-
-        private void AttachAuthenticationHandler(AuthenticationHandler handler)
-        {
-            var auth = handler.HttpContext.Features.Get<IHttpAuthenticationFeature>();
-            if (auth == null)
-            {
-                auth = new HttpAuthenticationFeature();
-                handler.HttpContext.Features.Set(auth);
-            }
-            handler.PriorHandler = auth.Handler;
-            auth.Handler = handler;
-        }
-
-        private void DetachAuthenticationhandler(AuthenticationHandler handler)
-        {
-            var auth = handler.HttpContext.Features.Get<IHttpAuthenticationFeature>();
-            if (auth != null)
-            {
-                auth.Handler = handler.PriorHandler;
-            }
+            await _next(httpContext);
         }
     }
 }

src/Microsoft.AspNetCore.Server.IISIntegration/IISOptions.cs

@@ -1,21 +1,10 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
-using System.Collections.Generic;
-using Microsoft.AspNetCore.Http.Authentication;
-using Microsoft.AspNetCore.Server.IISIntegration;
-
 namespace Microsoft.AspNetCore.Builder
 {
     public class IISOptions
     {
-        /// <summary>
-        /// If true the authentication middleware alter the request user coming in and respond to generic challenges.
-        /// If false the authentication middleware will only provide identity and respond to challenges when explicitly indicated
-        /// by the AuthenticationScheme.
-        /// </summary>
-        public bool AutomaticAuthentication { get; set; } = true;
-
         /// <summary>
         /// If true authentication middleware will try to authenticate using platform handler windows authentication
         /// If false authentication middleware won't be added
@@ -26,20 +15,5 @@ public class IISOptions
         /// Populates the ITLSConnectionFeature if the MS-ASPNETCORE-CLIENTCERT request header is present.
         /// </summary>
         public bool ForwardClientCertificate { get; set; } = true;
-
-        /// <summary>
-        /// Additional information about the authentication type which is made available to the application.
-        /// </summary>
-        public IList<AuthenticationDescription> AuthenticationDescriptions { get; } = new List<AuthenticationDescription>()
-        {
-            new AuthenticationDescription()
-            {
-                AuthenticationScheme = IISDefaults.Negotiate
-            },
-            new AuthenticationDescription()
-            {
-                AuthenticationScheme = IISDefaults.Ntlm
-            }
-        };
     }
 }

src/Microsoft.AspNetCore.Server.IISIntegration/Microsoft.AspNetCore.Server.IISIntegration.csproj

@@ -11,6 +11,7 @@
   </PropertyGroup>
 
   <ItemGroup>
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.Core" Version="$(AspNetCoreVersion)" />
     <PackageReference Include="Microsoft.AspNetCore.Hosting.Abstractions" Version="$(AspNetCoreVersion)" />
     <PackageReference Include="Microsoft.AspNetCore.Http" Version="$(AspNetCoreVersion)" />
     <PackageReference Include="Microsoft.AspNetCore.Http.Extensions" Version="$(AspNetCoreVersion)" />