vbookie/CustomExternalAuthenticationProvider_OpenIdConnect.cs

## CustomExternalAuthenticationProvider_OpenIdConnect.cs
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.Owin;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
using Telerik.Sitefinity.Authentication;
using Telerik.Sitefinity.Authentication.Configuration.SecurityTokenService.ExternalProviders;
using Telerik.Sitefinity.Security.Claims;

namespace SitefinityWebApp.ExternalAuth
{
    public class CustomAuthenticationProvidersInitializer : AuthenticationProvidersInitializer
    {
        public override Dictionary<string, Action<IAppBuilder, string, AuthenticationProviderElement>> GetAdditionalIdentityProviders()
        {
            var providers = base.GetAdditionalIdentityProviders();

            // 'CustomSTS' is the name of the external authentication provider as configured in the Advanced settings
            providers.Add("CustomSTS", (IAppBuilder app, string signInAsType, AuthenticationProviderElement providerConfig) =>
            {
                // You can add any parameter in the configuration. We use this as an example.
                var clientId = providerConfig.GetParameter("clientId");

                var options = new OpenIdConnectAuthenticationOptions()
                {
                    ClientId = clientId,

                    Authority = "https://external-sts-address/",
                    AuthenticationType = providerConfig.Name,
                    SignInAsAuthenticationType = signInAsType,

                    // you can change the 'signin-customsts' part
                    CallbackPath = new PathString("/Sitefinity/Authenticate/OpenID/signin-customsts"),
                    RedirectUri = "http://yoursitefinitysite/Sitefinity/Authenticate/OpenID/signin-customsts",

                    PostLogoutRedirectUri = "http://yoursitefinitysite/",
                    ResponseType = "id_token",
                    Scope = "openid profile email",
                    Notifications = new OpenIdConnectAuthenticationNotifications()
                    {
                        SecurityTokenValidated = n => this.SecurityTokenValidatedInternal(n),
                    }
                };

                app.UseOpenIdConnectAuthentication(options);
            });

            return providers;
        }

        private Task SecurityTokenValidatedInternal(SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
        {
            // We have to enhance the identity, because the local STS works only with the following claims:
            //     SitefinityClaimTypes.ExternalUserEmail
            //     SitefinityClaimTypes.ExternalUserId
            //     SitefinityClaimTypes.ExternalUserName
            //     SitefinityClaimTypes.ExternalUserPictureUrl
            // Note that only the SitefinityClaimTypes.ExternalUserEmail is required for successful authentication. The rest are optional.

            var identity = notification.AuthenticationTicket.Identity;

            var externalUserEmail = identity.FindFirst("email");
            if (externalUserEmail != null)
                identity.AddClaim(new Claim(SitefinityClaimTypes.ExternalUserEmail, externalUserEmail.Value));

            var externalUserId = identity.FindFirst("sub");
            if (externalUserId != null)
                identity.AddClaim(new Claim(SitefinityClaimTypes.ExternalUserId, externalUserId.Value));

            var externalUserName = identity.FindFirst("name");
            if (externalUserName != null)
                identity.AddClaim(new Claim(SitefinityClaimTypes.ExternalUserName, externalUserName.Value));

            var externalUserPicture = identity.FindFirst("picture");
            if (externalUserPicture != null)
                identity.AddClaim(new Claim(SitefinityClaimTypes.ExternalUserPictureUrl, externalUserPicture.Value));

            return Task.FromResult(0);
        }
    }
}

// Register the initializer the following way:
    public class Global : System.Web.HttpApplication
    {
        protected void Application_Start(object sender, EventArgs e)
        {
            SystemManager.ApplicationStart += SystemManager_ApplicationStart;
        }

        private void SystemManager_ApplicationStart(object sender, EventArgs e)
        {
            ObjectFactory.Container.RegisterType<AuthenticationProvidersInitializer, CustomAuthenticationProvidersInitializer>(new ContainerControlledLifetimeManager());
        }
    }
	using System;
	using System.Collections.Generic;
	using System.Security.Claims;
	using System.Threading.Tasks;
	using Microsoft.IdentityModel.Protocols;
	using Microsoft.Owin;
	using Microsoft.Owin.Security.Notifications;
	using Microsoft.Owin.Security.OpenIdConnect;
	using Owin;
	using Telerik.Sitefinity.Authentication;
	using Telerik.Sitefinity.Authentication.Configuration.SecurityTokenService.ExternalProviders;
	using Telerik.Sitefinity.Security.Claims;

	namespace SitefinityWebApp.ExternalAuth
	{
	public class CustomAuthenticationProvidersInitializer : AuthenticationProvidersInitializer
	{
	public override Dictionary<string, Action<IAppBuilder, string, AuthenticationProviderElement>> GetAdditionalIdentityProviders()
	{
	var providers = base.GetAdditionalIdentityProviders();

	// 'CustomSTS' is the name of the external authentication provider as configured in the Advanced settings
	providers.Add("CustomSTS", (IAppBuilder app, string signInAsType, AuthenticationProviderElement providerConfig) =>
	{
	// You can add any parameter in the configuration. We use this as an example.
	var clientId = providerConfig.GetParameter("clientId");

	var options = new OpenIdConnectAuthenticationOptions()
	{
	ClientId = clientId,

	Authority = "https://external-sts-address/",
	AuthenticationType = providerConfig.Name,
	SignInAsAuthenticationType = signInAsType,

	// you can change the 'signin-customsts' part
	CallbackPath = new PathString("/Sitefinity/Authenticate/OpenID/signin-customsts"),
	RedirectUri = "http://yoursitefinitysite/Sitefinity/Authenticate/OpenID/signin-customsts",

	PostLogoutRedirectUri = "http://yoursitefinitysite/",
	ResponseType = "id_token",
	Scope = "openid profile email",
	Notifications = new OpenIdConnectAuthenticationNotifications()
	{
	SecurityTokenValidated = n => this.SecurityTokenValidatedInternal(n),
	}
	};

	app.UseOpenIdConnectAuthentication(options);
	});

	return providers;
	}

	private Task SecurityTokenValidatedInternal(SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
	{
	// We have to enhance the identity, because the local STS works only with the following claims:
	// SitefinityClaimTypes.ExternalUserEmail
	// SitefinityClaimTypes.ExternalUserId
	// SitefinityClaimTypes.ExternalUserName
	// SitefinityClaimTypes.ExternalUserPictureUrl
	// Note that only the SitefinityClaimTypes.ExternalUserEmail is required for successful authentication. The rest are optional.

	var identity = notification.AuthenticationTicket.Identity;

	var externalUserEmail = identity.FindFirst("email");
	if (externalUserEmail != null)
	identity.AddClaim(new Claim(SitefinityClaimTypes.ExternalUserEmail, externalUserEmail.Value));

	var externalUserId = identity.FindFirst("sub");
	if (externalUserId != null)
	identity.AddClaim(new Claim(SitefinityClaimTypes.ExternalUserId, externalUserId.Value));

	var externalUserName = identity.FindFirst("name");
	if (externalUserName != null)
	identity.AddClaim(new Claim(SitefinityClaimTypes.ExternalUserName, externalUserName.Value));

	var externalUserPicture = identity.FindFirst("picture");
	if (externalUserPicture != null)
	identity.AddClaim(new Claim(SitefinityClaimTypes.ExternalUserPictureUrl, externalUserPicture.Value));

	return Task.FromResult(0);
	}
	}
	}

	// Register the initializer the following way:
	public class Global : System.Web.HttpApplication
	{
	protected void Application_Start(object sender, EventArgs e)
	{
	SystemManager.ApplicationStart += SystemManager_ApplicationStart;
	}

	private void SystemManager_ApplicationStart(object sender, EventArgs e)
	{
	ObjectFactory.Container.RegisterType<AuthenticationProvidersInitializer, CustomAuthenticationProvidersInitializer>(new ContainerControlledLifetimeManager());
	}
	}