README.md

@@ -16,6 +16,10 @@ Instructions for making it run:
 	* You should be logged in with that User Guid
 * Have fun!
 
+For ORCiD:
+
+* Set the values for "coscine/global/orcid/url", "coscine/global/orcid/clientid", "coscine/global/orcid/jwksurl" and "coscine/global/orcid/issuer". 
+
 ### Links 
 
 *  [Commit convention](docs/ESLintConvention.md)

src/STS/Controllers/AccountController.cs

@@ -13,6 +13,8 @@ using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Authentication;
 using System.Threading.Tasks;
 using System;
+using Coscine.STS.Utils;
+using System.Net;
 
 namespace Coscine.STS.Controllers
 {
@@ -21,34 +23,13 @@ namespace Coscine.STS.Controllers
         [Route("[controller]/login")]
         public ActionResult Login(string returnUrl)
         {
-            ViewBag.ReturnUrl = ExtendReturnUrl(returnUrl);
+            ViewBag.ReturnUrl = UrlGenerator.ExtendReturnUrl(returnUrl, Request);
+            ViewBag.ORCiDUrl = ORCiDHandler.GetORCiDOAuthUrl() + UrlGenerator.ORCiDRedirectUrl();
             System.Text.ASCIIEncoding enc = new System.Text.ASCIIEncoding();
             ViewBag.AppJs = enc.GetString(Program.Configuration.GetAndWait("coscine/apps/login/appjs"));
             return View();
         }
 
-        private string ExtendReturnUrl(string returnUrl)
-        {
-            string retString = returnUrl;
-            if (!retString.Contains("?"))
-            {
-                retString += "?wa=wsignin1.0";
-            }
-            if(Request.Query["wtrealm"].Count != 0 && !retString.Contains("wtrealm="))
-            {
-                retString += "&wtrealm=" + Request.Query["wtrealm"][0];
-            }
-            if (Request.Query["wctx"].Count != 0 && !retString.Contains("wctx="))
-            {
-                retString += "&wctx=" + Request.Query["wctx"][0];
-            }
-            if (Request.Query["wreply"].Count != 0 && !retString.Contains("wreply="))
-            {
-                retString += "&wreply=" + Request.Query["wreply"][0];
-            }
-            return retString;
-        }
-
         [HttpPost("[controller]/login")]
         public async Task<ActionResult> Login(LoginModel model, string returnUrl)
         {
@@ -60,10 +41,11 @@ namespace Coscine.STS.Controllers
 
                 await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(identity));
                 
-                return Redirect(ExtendReturnUrl(returnUrl));
+                return Redirect(UrlGenerator.ExtendReturnUrl(returnUrl, Request));
             }
 
-            ViewBag.ReturnUrl = ExtendReturnUrl(returnUrl);
+            ViewBag.ReturnUrl = UrlGenerator.ExtendReturnUrl(returnUrl, Request);
+            ViewBag.ORCiDUrl = ORCiDHandler.GetORCiDOAuthUrl() + UrlGenerator.ORCiDRedirectUrl();
             ModelState.AddModelError("", "The userid provided is incorrect.");
             return View(model);
         }

src/STS/Controllers/ORCiDController.cs

+using Coscine.ApiCommons.Utils;
+using Coscine.Database.Model;
+using Coscine.STS.Models;
+using Coscine.STS.Utils;
+using Microsoft.AspNetCore.Http.Features;
+using Microsoft.AspNetCore.Mvc;
+using System.Threading.Tasks;
+using System.Security.Claims;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.Cookies;
+using System;
+using System.IdentityModel.Tokens.Jwt;
+using Microsoft.IdentityModel.Tokens;
+using System.Net;
+using Microsoft.IdentityModel.Logging;
+using Coscine.ApiCommons.Models;
+using System.Linq;
+
+namespace Coscine.STS.Controllers
+{
+    public class ORCiDController : Controller
+    {
+        [Route("[controller]/login")]
+        public ActionResult Login(string returnUrl)
+        {
+            ViewBag.ReturnUrl = UrlGenerator.ExtendReturnUrl(returnUrl, Request);
+            return View();
+        }
+        
+        [HttpPost("[controller]/login")]
+        public async Task<ActionResult> Login(ORCiDModel model, string returnUrl)
+        {
+            if (ModelState.IsValid)
+            {
+                var claimsPrincipal = ORCiDHandler.VerifiyORCiDJWT(model.ORCiD_JWT);
+                string surName = "";
+                string givenName = "";
+                string ORCiD = "";
+                foreach (var claim in claimsPrincipal.Claims)
+                {
+                    if(claim.Type == ClaimTypes.NameIdentifier)
+                    {
+                        ORCiD = claim.Value;
+                    }
+                    else if(claim.Type == ClaimTypes.Surname)
+                    {
+                        surName = claim.Value;
+                    }
+                    else if(claim.Type == ClaimTypes.GivenName)
+                    {
+                        givenName = claim.Value;
+                    }
+                }
+
+                ExternalAuthenticatorModel externalAuthenticatorModel = new ExternalAuthenticatorModel();
+                var orcidAuthItem = externalAuthenticatorModel.GetWhere((externalAuthenticator) => externalAuthenticator.DisplayName == "ORCiD");
+
+                ExternalIdModel externalIdModel = new ExternalIdModel();
+                var mapping = externalIdModel.GetAllWhere((map) => map.ExternalId_Column == ORCiD && map.ExternalAuthenticatorId == orcidAuthItem.Id);
+                Guid userId;
+                if (mapping.Count() > 0)
+                {
+                    userId = mapping.First().UserId;
+                }
+                else
+                {
+                    UserPlainModel userPlainModel = new UserPlainModel(Program.Configuration);
+                    var user = new User
+                    {
+                        DisplayName = surName + " " + givenName,
+                        EmailAddress = ORCiD + "@orcid.org"
+                    };
+                    userPlainModel.Insert(user);
+                    externalIdModel.Insert(new ExternalId
+                    {
+                        ExternalId_Column = ORCiD,
+                        ExternalAuthenticatorId = orcidAuthItem.Id,
+                        UserId = user.Id
+                    });
+                    userId = user.Id;
+                }
+
+                var identityClaims = new[] { new System.Security.Claims.Claim(System.IdentityModel.Claims.ClaimTypes.Name, userId.ToString()) };
+
+                var identity = new ClaimsIdentity(identityClaims, CookieAuthenticationDefaults.AuthenticationScheme);
+
+                await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(identity));
+
+                return Redirect(UrlGenerator.ExtendReturnUrl(returnUrl, Request));
+            }
+            ViewBag.ReturnUrl = UrlGenerator.ExtendReturnUrl(returnUrl, Request);
+            return View();
+        }
+    }
+}

src/STS/Models/ExternalAuthenticatorModel.cs

+using Coscine.ApiCommons.Models;
+using Coscine.Database.Model;
+using LinqToDB;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Linq.Expressions;
+using System.Threading.Tasks;
+
+namespace Coscine.STS.Models
+{
+    public class ExternalAuthenticatorModel : DatabaseModel<ExternalAuthenticator>
+    {
+        public ExternalAuthenticatorModel() : base(Program.Configuration)
+        {
+
+        }
+
+        public override Expression<Func<ExternalAuthenticator, Guid>> GetIdFromObject()
+        {
+            return (value) => value.Id;
+        }
+
+        public override ITable<ExternalAuthenticator> GetITableFromDatabase(CoscineDB db)
+        {
+            return db.ExternalAuthenticators;
+        }
+
+        public override void SetObjectId(ExternalAuthenticator databaseObject, Guid id)
+        {
+            databaseObject.Id = id;
+        }
+    }
+}

src/STS/Models/ExternalIdModel.cs

+using Coscine.ApiCommons.Models;
+using Coscine.Database.Model;
+using LinqToDB;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Linq.Expressions;
+using System.Threading.Tasks;
+
+namespace Coscine.STS.Models
+{
+    public class ExternalIdModel : DatabaseModel<ExternalId>
+    {
+        public ExternalIdModel() : base(Program.Configuration)
+        {
+
+        }
+
+        public override Expression<Func<ExternalId, Guid>> GetIdFromObject()
+        {
+            return (value) => value.RelationId;
+        }
+
+        public override ITable<ExternalId> GetITableFromDatabase(CoscineDB db)
+        {
+            return db.ExternalIds;
+        }
+
+        public override void SetObjectId(ExternalId databaseObject, Guid id)
+        {
+            databaseObject.RelationId = id;
+        }
+    }
+}

src/STS/Models/ORCiDModel.cs

+using System;
+using System.ComponentModel.DataAnnotations;
+
+namespace Coscine.STS.Models
+{
+    public class ORCiDModel
+    {
+        [Required]
+        [Display(Name = "ORCiD_JWT")]
+        public string ORCiD_JWT { get; set; }
+    }
+}

src/STS/Properties/AssemblyInfo.cs

+//------------------------------------------------------------------------------
+// <auto-generated>
+//     This code was generated by Cake.
+// </auto-generated>
+//------------------------------------------------------------------------------
+using System.Reflection;
+
+[assembly: AssemblyTitle("STS")]
+[assembly: AssemblyDescription("STS is a part of the CoScInE group.")]
+[assembly: AssemblyCompany("IT Center, RWTH Aachen University")]
+[assembly: AssemblyProduct("STS")]
+[assembly: AssemblyVersion("1.1.0.0")]
+[assembly: AssemblyFileVersion("1.1.0.0")]
+[assembly: AssemblyInformationalVersion("1.1.0.0")]
+[assembly: AssemblyCopyright("2019 IT Center, RWTH Aachen University")]
+

src/STS/STS.csproj

@@ -5,10 +5,11 @@
     <DebugType>full</DebugType>
     <AssemblyName>Coscine.STS</AssemblyName>
     <RootNamespace>Coscine.STS</RootNamespace>
+    <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Coscine.ApiCommons" Version="1.1.0" />
+    <PackageReference Include="Coscine.ApiCommons" Version="1.2.0" />
     <PackageReference Include="Microsoft.AspNetCore" Version="2.2.0" />
     <PackageReference Include="Microsoft.AspNetCore.Authentication" Version="2.2.0" />
     <PackageReference Include="Microsoft.AspNetCore.Authentication.Abstractions" Version="2.2.0" />
@@ -19,6 +20,7 @@
     <PackageReference Include="Microsoft.AspNetCore.StaticFiles" Version="2.2.0" />
     <PackageReference Include="Microsoft.IdentityModel" Version="7.0.0" />
     <PackageReference Include="Microsoft.NET.Sdk.Razor" Version="2.2.0" />
+    <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="5.5.0" />
   </ItemGroup>
 
   <ItemGroup>

src/STS/Security/CustomSecurityTokenService.cs

@@ -80,6 +80,8 @@ namespace Coscine.STS.Security
             var claims = new[]
                 {
                     new Claim(System.IdentityModel.Claims.ClaimTypes.Name, user.DisplayName),
+                    new Claim(System.IdentityModel.Claims.ClaimTypes.Surname, user.DisplayName.Contains(" ") ? user.DisplayName.Split(' ')[0] : user.DisplayName),
+                    new Claim(System.IdentityModel.Claims.ClaimTypes.GivenName, user.DisplayName.Contains(" ") ? user.DisplayName.Split(' ')[1] : ""),
                     new Claim(System.IdentityModel.Claims.ClaimTypes.NameIdentifier, user.Id.ToString()),
                     new Claim(System.IdentityModel.Claims.ClaimTypes.Email, user.EmailAddress),
                 };

src/STS/Utils/ORCiDHandler.cs

+using Microsoft.IdentityModel.Tokens;
+using System;
+using System.Collections.Generic;
+using System.IdentityModel.Tokens.Jwt;
+using System.Linq;
+using System.Net;
+using System.Security.Claims;
+using System.Threading.Tasks;
+
+namespace Coscine.STS.Utils
+{
+    public class ORCiDHandler
+    {
+        public static string GetORCiDOAuthUrl()
+        {
+            return Program.Configuration.GetStringAndWait("coscine/global/orcid/url")
+                .Replace("{client_id}", Program.Configuration.GetStringAndWait("coscine/global/orcid/clientid"));
+        }
+
+        public static ClaimsPrincipal VerifiyORCiDJWT(string jwt)
+        {
+            var th = new JwtSecurityTokenHandler();
+            var webKeyJson = new WebClient().DownloadString(Program.Configuration.GetStringAndWait("coscine/global/orcid/jwksurl"));
+            webKeyJson = webKeyJson.Substring(webKeyJson.IndexOf("[") + 1);
+            webKeyJson = webKeyJson.Substring(0, webKeyJson.LastIndexOf("]"));
+            var jsonWebKey = new JsonWebKey(webKeyJson);
+
+            var validationParameters = new TokenValidationParameters
+            {
+                ValidateAudience = false,
+                ValidateLifetime = false,
+                ValidateIssuer = true,
+                ValidateIssuerSigningKey = true,
+                IssuerSigningKey = jsonWebKey,
+                ValidIssuers = new[] { Program.Configuration.GetStringAndWait("coscine/global/orcid/issuer") }
+            };
+            return th.ValidateToken(jwt, validationParameters, out _);
+        }
+    }
+}

src/STS/Utils/UrlGenerator.cs

+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+using System.IdentityModel;
+using System.IdentityModel.Configuration;
+using System.IdentityModel.Protocols.WSTrust;
+using System.IdentityModel.Tokens;
+using Microsoft.AspNetCore.Http;
+using System.Net;
+
+namespace Coscine.STS.Utils
+{
+    public class UrlGenerator
+    {
+        public static string ExtendReturnUrl(string returnUrl, HttpRequest request)
+        {
+            string retString = returnUrl;
+            string localSharePointUrl = Program.Configuration.GetStringAndWait("coscine/local/sharepoint/additional/url");
+
+            if (!retString.Contains("?"))
+            {
+                retString += "?wa=wsignin1.0";
+            }
+
+            if (request.Query["wtrealm"].Count != 0 && !retString.Contains("wtrealm="))
+            {
+                retString += "&wtrealm=" + request.Query["wtrealm"][0];
+            }
+            else if (request.Query["wtrealm"].Count == 0 && !retString.Contains("wtrealm="))
+            {
+                retString += "&wtrealm=" + localSharePointUrl + "/_trust/default.aspx";
+            }
+
+            if (request.Query["wctx"].Count != 0 && !retString.Contains("wctx="))
+            {
+                retString += "&wctx=" + request.Query["wctx"][0];
+            }
+            else if (request.Query["wctx"].Count == 0 && !retString.Contains("wctx="))
+            {
+                retString += "&wctx=" + localSharePointUrl + "/_layouts/15/Authenticate.aspx";
+            }
+
+            if (request.Query["wreply"].Count != 0 && !retString.Contains("wreply="))
+            {
+                retString += "&wreply=" + request.Query["wreply"][0];
+            }
+            else if(request.Query["wreply"].Count == 0 && !retString.Contains("wreply="))
+            {
+                retString += "&wreply=" + localSharePointUrl + "/_trust/default.aspx";
+            }
+
+            return retString;
+        }
+
+        public static string ORCiDRedirectUrl()
+        {
+            return Program.MainUrl + "/orcid/login?ReturnUrl=" + Program.MainUrl;
+        }
+    }
+}

src/STS/Views/Account/Login.cshtml

@@ -12,7 +12,7 @@
 </head>
 <body>
     <div>
-        <div id="loginpage" returnUrl="@ViewBag.ReturnUrl"></div>
+        <div id="loginpage" returnUrl="@ViewBag.ReturnUrl" orcidUrl="@ViewBag.ORCiDUrl"></div>
         <script src="@ViewBag.AppJs"></script>
     </div>
 </body>

src/STS/Views/ORCiD/Login.cshtml

+@model Coscine.STS.Models.ORCiDModel
+
+@{
+    Layout = null;
+}
+
+
+<!DOCTYPE html>
+
+<html>
+<head>
+    <title>Login</title>
+</head>
+<body>
+    <div>
+        @using (Html.BeginForm(new { returnUrl = ViewBag.ReturnUrl}))
+        {
+            @Html.AntiForgeryToken()
+            @Html.ValidationSummary(true)
+
+            @Html.HiddenFor(m => m.ORCiD_JWT, new { id = "ORCiD_JWT" })
+            <input type="hidden" name="wa" value="wsignin1.0" />
+            <button type="button" style="display: none;" id="ORCiD_submit" value="Submit" class="submit">Proceed</button>
+        }
+    </div>
+
+    <script>
+        (function () {
+            document.getElementById("ORCiD_submit").addEventListener("click", function () {
+                var hash = window.location.hash;
+                hash = hash.substr(hash.indexOf("id_token") + "id_token".length + 1);
+                hash = hash.substr(0, hash.indexOf("&"));
+
+                document.getElementById("ORCiD_JWT").value = hash;
+                this.form.submit();
+            });
+            document.getElementById("ORCiD_submit").click();
+        })();
+    </script>
+</body>
+</html>

src/deploySTS.ps1

@@ -5,13 +5,13 @@ Add-PSSnapin Microsoft.SharePoint.PowerShell -erroraction SilentlyContinue
 Remove-SPTrustedIdentityTokenIssuer $name
 
 $pfx = $( consul kv get 'coscine/global/sts/pfx' )
-if(!$result) {
+if(!$pfx) {
 	$pfxFilePath = $( Read-Host "Input the file path to the pfx file please" )
 	consul kv put 'coscine/global/sts/pfx' @$pfxFilePath
 }
 
 $pfxpassword = $( consul kv get 'coscine/global/sts/pfxpassword' )
-if(!$result) {
+if(!$pfxpassword) {
 	$pfxpassword = $( Read-Host "Input the pfx file passwod please" )
 	consul kv put 'coscine/global/sts/pfxpassword' $pfxpassword
 }
@@ -24,9 +24,15 @@ $cert.Import($enc.GetBytes($certText))
 
 New-SPTrustedRootAuthority -Name 'Coscine STS certificate' -Certificate $cert
 
-$map0 = New-SPClaimTypeMapping -IncomingClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier' -IncomingClaimTypeDisplayName 'NameIdentifier' -LocalClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/username'
+# TODO work on Claim Mapping
+# Also figure out why the search is not working
+$map0 = New-SPClaimTypeMapping -IncomingClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' -IncomingClaimTypeDisplayName 'DisplayName' -LocalClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayname'
 $map1 = New-SPClaimTypeMapping -IncomingClaimType 'http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider' -IncomingClaimTypeDisplayName 'IdentityProvider' -SameAsIncoming
 $map2 = New-SPClaimTypeMapping -IncomingClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' -IncomingClaimTypeDisplayName 'Email' -SameAsIncoming 
+$map3 = New-SPClaimTypeMapping -IncomingClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname' -IncomingClaimTypeDisplayName 'Surname' -SameAsIncoming
+$map4 = New-SPClaimTypeMapping -IncomingClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname' -IncomingClaimTypeDisplayName 'GivenName' -SameAsIncoming 
+$map5 = New-SPClaimTypeMapping -IncomingClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier' -IncomingClaimTypeDisplayName 'NameIdentifier' -LocalClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/sid'
+
 
 #$realm = 'http://claims.sp2013.local/_trust/default.aspx'
 #$signinurl = 'https://sp2013-reference.accesscontrol.windows.net:443/v2/wsfederation'
@@ -46,12 +52,14 @@ $realm = $sharePointUrl + '_trust/default.aspx'
 # Example: $signinurl = 'https://d-sp11.devlef.campus.rwth-aachen.de/coscine/api/Coscine.STS/'
 $signinurl = $( Read-Host 'Input the STS Url' )
 
-$ip = New-SPTrustedIdentityTokenIssuer -Name $name -Description 'Coscine STS' -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map0,$map1,$map2 -SignInUrl $signinurl -IdentifierClaim $map0.InputClaimType
+$ip = New-SPTrustedIdentityTokenIssuer -Name $name -Description 'Coscine STS' -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map0,$map1,$map2,$map3,$map4,$map5 -SignInUrl $signinurl -IdentifierClaim $map5.InputClaimType
 
 $ip.UseWReplyParameter=$true 
 $ip.Update()
 
-Set-SPWebApplication -Identity $sharePointUrl -AuthenticationProvider $ip -Zone "Default"
+$winAp = new-SPAuthenticationProvider -UseWindowsIntegratedAuthentication -DisableKerberos
+
+Set-SPWebApplication -Identity $sharePointUrl -AuthenticationProvider $ip,$winAp -Zone "Default"
 
 Write-Host 'Give Everyone Read Access'