var authOptions = services.BindValidateReturn<OpenIdOptions>(config);
services.AddOptions<JwtSettings>()
.BindConfiguration(nameof(JwtSettings))
.ValidateDataAnnotations()
.ValidateOnStart();
services.AddAuthentication(options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
{
//options.LoginPath = "/account/clogin";
}) // For session-based authentication
.AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
// Set the identity provider's base URL (this will handle discovery of other endpoints)
options.Authority = authOptions.Authority;
options.MetadataAddress = authOptions.MetadataAddress;
// Client ID and Client Secret for your application
options.ClientId = authOptions.ClientId;
options.ClientSecret = authOptions.ClientSecret;
// Specify the type of OpenID Connect flow (Authorization Code flow in this case)
options.ResponseType = OpenIdConnectResponseType.Code;
// Save tokens (access_token, id_token) in the authentication ticket
options.SaveTokens = true;
// Handle the callback after login
options.CallbackPath = authOptions.CallbackPath;
//options.CallbackPath = "/api/odc/callback";
//options.ForwardSignIn
// Fetch user info after authentication
options.GetClaimsFromUserInfoEndpoint = true;
//options.ForwardSignIn = CookieAuthenticationDefaults.AuthenticationScheme;
// Scope includes 'openid' which is required for OpenID Connect
options.Scope.Add("openid");
//options.Scope.Add("openid");
//options.Scope.Add("profile");
//options.Scope.Add("email");
options.Events = new OpenIdConnectEvents
{
OnRedirectToIdentityProvider = context =>
{
context.HttpContext.Response.Headers.Add("OIDC-DEBUG", "Redirecting to IDP"); // Add custom headers for debugging
return Task.CompletedTask;
},
OnAuthenticationFailed = context =>
{
// Capture and log more detailed error messages
context.Response.StatusCode = 500;
context.HandleResponse();
return context.Response.WriteAsync("Authentication failed: " + context.Exception.Message);
},
OnAccessDenied = context =>
{
// Capture and log more detailed error messages
context.Response.StatusCode = 403;
context.HandleResponse();
return context.Response.WriteAsync("Access denied: " + context.Result.ToString());
},
//OnAuthorizationCodeReceived = context =>
//{
// // Capture and log more detailed error messages
// context.Response.StatusCode = 200;
// context.HandleResponse();
// return context.Response.WriteAsync("Authorization code received: " + context.TokenEndpointRequest.Code);
//},
OnRemoteFailure = context =>
{
// Capture remote failures for better error handling
context.HandleResponse();
context.Response.Redirect("/error?message=" + context.Failure?.Message);
return Task.CompletedTask;
}
};
// JWT Signing algorithm based on metadata
//options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
//{
// ValidIssuer = authOptions.Authority,
// NameClaimType = "email",
// RoleClaimType = "role"
//};
});