jglozano · August 19, 2022 15:45
diff --git a/Startup.cs b/Startup.cs
 using Microsoft.Owin;
 using Owin;
 using Microsoft.Owin.Security;
 using Microsoft.Owin.Security.Cookies;
 using Microsoft.Owin.Security.OpenIdConnect;
 using System.Threading.Tasks;
 using Microsoft.IdentityModel.Protocols.OpenIdConnect;
 using System.Configuration;
 using System.Security.Claims;
 using IdentityModel.Client;
 using System;
 using System.Collections.Generic;
 using Microsoft.IdentityModel.Tokens;
 using Microsoft.IdentityModel.Logging;
 using System.Net;
 using Microsoft.Owin.Security.Notifications;
 using Microsoft.Owin.Host.SystemWeb;
 using Microsoft.IdentityModel.Tokens;
 using Okta.AspNet;
 using IRGC.RevenueCollection.Web.Infrastructure;
 using System.Web.Mvc;
 using IRGC.RevenueCollection.Web.RemoteDAL;
 using System.Security.RightsManagement;
 using Microsoft.Owin.Infrastructure;

 [assembly: OwinStartup(typeof(IRGC.RevenueCollection.Web.Startup))]

 namespace IRGC.RevenueCollection.Web
 {
    public class Startup
    {
        private readonly string clientId = ConfigurationManager.AppSettings["okta:ClientId"];
        private readonly string redirectUri = ConfigurationManager.AppSettings["okta:RedirectUri"];
        private readonly string domain = ConfigurationManager.AppSettings["okta:OrgUri"];
        private readonly string clientSecret = ConfigurationManager.AppSettings["okta:ClientSecret"];
        private readonly string postLogoutRedirectUri = ConfigurationManager.AppSettings["okta:PostLogoutRedirectUri"];

        /// <summary>
        /// Configure OWIN to use OpenID Connect to log in with Okta.
        /// </summary>
        /// <param name="app"></param>
        public void Configuration(IAppBuilder app)
        {
            IdentityModelEventSource.ShowPII = true;

            //OpenIdConnectProtocolValidator.RequireNonce = false;// = false;
            System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;// |= SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            // Define same-site cookie manager
            var sameSiteManager = new SameSiteCookieManager(new SystemWebCookieManager());

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                CookieHttpOnly = true,
                CookieSameSite = SameSiteMode.None,
                CookieSecure = CookieSecureOption.Always,
                CookieManager = sameSiteManager
            });

            JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

            var oktaOptions = new OktaMvcOptions
            {
                OktaDomain = ConfigurationManager.AppSettings["okta:OktaDomain"],
                ClientId = ConfigurationManager.AppSettings["okta:ClientId"],
                ClientSecret = ConfigurationManager.AppSettings["okta:ClientSecret"],
                AuthorizationServerId = ConfigurationManager.AppSettings["okta:AuthorizationServerId"],
                RedirectUri = ConfigurationManager.AppSettings["okta:RedirectUri"],
                PostLogoutRedirectUri = ConfigurationManager.AppSettings["okta:PostLogoutRedirectUri"],
                GetClaimsFromUserInfoEndpoint = true,
                Scope = new List<string> { "openid", "profile", "email" },
            };

            var optionsBuilder = new Okta.AspNet.OpenIdConnectAuthenticationOptionsBuilder(Okta.AspNet.OktaDefaults.MvcAuthenticationType, oktaOptions);
            var oidcOptions = optionsBuilder.BuildOpenIdConnectAuthenticationOptions();
            oidcOptions.CookieManager = sameSiteManager;

            app.UseOpenIdConnectAuthentication(oidcOptions);
    }

    // from https://docs.microsoft.com/en-us/aspnet/samesite/owin-samesite
    public class SameSiteCookieManager : ICookieManager
    {
        private readonly ICookieManager _innerManager;

        public SameSiteCookieManager()
            : this(new CookieManager())
        {
        }

        public SameSiteCookieManager(ICookieManager innerManager)
        {
            _innerManager = innerManager;
        }

        public static bool DisallowsSameSiteNone(IOwinContext context)
        {
            return false;
        }

        public void AppendResponseCookie(IOwinContext context, string key, string value, CookieOptions options)
        {
            CheckSameSite(context, options);
            _innerManager.AppendResponseCookie(context, key, value, options);
        }

        public void DeleteCookie(IOwinContext context, string key, CookieOptions options)
        {
            CheckSameSite(context, options);
            _innerManager.DeleteCookie(context, key, options);
        }

        public string GetRequestCookie(IOwinContext context, string key)
        {
            return _innerManager.GetRequestCookie(context, key);
        }

        private void CheckSameSite(IOwinContext context, CookieOptions options)
        {
            if (options.SameSite == SameSiteMode.None && DisallowsSameSiteNone(context))
            {
                options.SameSite = null;
            }
        }
    }
 }
	using Microsoft.Owin;
	using Owin;
	using Microsoft.Owin.Security;
	using Microsoft.Owin.Security.Cookies;
	using Microsoft.Owin.Security.OpenIdConnect;
	using System.Threading.Tasks;
	using Microsoft.IdentityModel.Protocols.OpenIdConnect;
	using System.Configuration;
	using System.Security.Claims;
	using IdentityModel.Client;
	using System;
	using System.Collections.Generic;
	using Microsoft.IdentityModel.Tokens;
	using Microsoft.IdentityModel.Logging;
	using System.Net;
	using Microsoft.Owin.Security.Notifications;
	using Microsoft.Owin.Host.SystemWeb;
	using Microsoft.IdentityModel.Tokens;
	using Okta.AspNet;
	using IRGC.RevenueCollection.Web.Infrastructure;
	using System.Web.Mvc;
	using IRGC.RevenueCollection.Web.RemoteDAL;
	using System.Security.RightsManagement;
	using Microsoft.Owin.Infrastructure;

	[assembly: OwinStartup(typeof(IRGC.RevenueCollection.Web.Startup))]

	namespace IRGC.RevenueCollection.Web
	{
	public class Startup
	{
	private readonly string clientId = ConfigurationManager.AppSettings["okta:ClientId"];
	private readonly string redirectUri = ConfigurationManager.AppSettings["okta:RedirectUri"];
	private readonly string domain = ConfigurationManager.AppSettings["okta:OrgUri"];
	private readonly string clientSecret = ConfigurationManager.AppSettings["okta:ClientSecret"];
	private readonly string postLogoutRedirectUri = ConfigurationManager.AppSettings["okta:PostLogoutRedirectUri"];

	/// <summary>
	/// Configure OWIN to use OpenID Connect to log in with Okta.
	/// </summary>
	/// <param name="app"></param>
	public void Configuration(IAppBuilder app)
	{
	IdentityModelEventSource.ShowPII = true;

	//OpenIdConnectProtocolValidator.RequireNonce = false;// = false;
	System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;// \|= SecurityProtocolType.Tls11 \| SecurityProtocolType.Tls12;
	app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

	// Define same-site cookie manager
	var sameSiteManager = new SameSiteCookieManager(new SystemWebCookieManager());

	app.UseCookieAuthentication(new CookieAuthenticationOptions
	{
	CookieHttpOnly = true,
	CookieSameSite = SameSiteMode.None,
	CookieSecure = CookieSecureOption.Always,
	CookieManager = sameSiteManager
	});

	JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

	var oktaOptions = new OktaMvcOptions
	{
	OktaDomain = ConfigurationManager.AppSettings["okta:OktaDomain"],
	ClientId = ConfigurationManager.AppSettings["okta:ClientId"],
	ClientSecret = ConfigurationManager.AppSettings["okta:ClientSecret"],
	AuthorizationServerId = ConfigurationManager.AppSettings["okta:AuthorizationServerId"],
	RedirectUri = ConfigurationManager.AppSettings["okta:RedirectUri"],
	PostLogoutRedirectUri = ConfigurationManager.AppSettings["okta:PostLogoutRedirectUri"],
	GetClaimsFromUserInfoEndpoint = true,
	Scope = new List<string> { "openid", "profile", "email" },
	};

	var optionsBuilder = new Okta.AspNet.OpenIdConnectAuthenticationOptionsBuilder(Okta.AspNet.OktaDefaults.MvcAuthenticationType, oktaOptions);
	var oidcOptions = optionsBuilder.BuildOpenIdConnectAuthenticationOptions();
	oidcOptions.CookieManager = sameSiteManager;

	app.UseOpenIdConnectAuthentication(oidcOptions);
	}

	// from https://docs.microsoft.com/en-us/aspnet/samesite/owin-samesite
	public class SameSiteCookieManager : ICookieManager
	{
	private readonly ICookieManager _innerManager;

	public SameSiteCookieManager()
	: this(new CookieManager())
	{
	}

	public SameSiteCookieManager(ICookieManager innerManager)
	{
	_innerManager = innerManager;
	}

	public static bool DisallowsSameSiteNone(IOwinContext context)
	{
	return false;
	}

	public void AppendResponseCookie(IOwinContext context, string key, string value, CookieOptions options)
	{
	CheckSameSite(context, options);
	_innerManager.AppendResponseCookie(context, key, value, options);
	}

	public void DeleteCookie(IOwinContext context, string key, CookieOptions options)
	{
	CheckSameSite(context, options);
	_innerManager.DeleteCookie(context, key, options);
	}

	public string GetRequestCookie(IOwinContext context, string key)
	{
	return _innerManager.GetRequestCookie(context, key);
	}

	private void CheckSameSite(IOwinContext context, CookieOptions options)
	{
	if (options.SameSite == SameSiteMode.None && DisallowsSameSiteNone(context))
	{
	options.SameSite = null;
	}
	}
	}
	}