From cc095101682170a3ebe99cc87364d0b124759b05 Mon Sep 17 00:00:00 2001
From: Dave Tillman <dtillman@vmware.com>
Date: Tue, 1 Nov 2016 10:39:04 -0600
Subject: [PATCH] For JWT, map UAA claims to standard claim types

---
 .../CloudFoundryAppBuilderExtensions.cs       | 10 +-
 .../CloudFoundryJwtBearerEvents.cs            | 98 +++++++++++++++++++
 2 files changed, 104 insertions(+), 4 deletions(-)
 create mode 100644 src/Steeltoe.Security.Authentication.CloudFoundry/CloudFoundryJwtBearerEvents.cs

diff --git a/src/Steeltoe.Security.Authentication.CloudFoundry/CloudFoundryAppBuilderExtensions.cs b/src/Steeltoe.Security.Authentication.CloudFoundry/CloudFoundryAppBuilderExtensions.cs
index bebd94e..78c096c 100644
--- a/src/Steeltoe.Security.Authentication.CloudFoundry/CloudFoundryAppBuilderExtensions.cs
+++ b/src/Steeltoe.Security.Authentication.CloudFoundry/CloudFoundryAppBuilderExtensions.cs
@@ -106,11 +106,14 @@ namespace Steeltoe.Security.Authentication.CloudFoundry
             tokenParameters.ValidateAudience = false;
             tokenParameters.AudienceValidator = null;
 
-            return new JwtBearerOptions()
+            var bearerOpts = new JwtBearerOptions()
             {
-                TokenValidationParameters = tokenParameters
-                
+                ClaimsIssuer = options.ClaimsIssuer,
+                TokenValidationParameters = tokenParameters,
+                Events = new CloudFoundryJwtBearerEvents()
             };
+
+            return bearerOpts;
         }
 
         private static TokenValidationParameters GetTokenValidationParameters(CloudFoundryOptions options)
@@ -151,7 +154,6 @@ namespace Steeltoe.Security.Authentication.CloudFoundry
             if (options.AccessDeniedPath != null)
             {
                 cookieOptions.AccessDeniedPath = options.AccessDeniedPath;
-                cookieOptions.LogoutPath = options.AccessDeniedPath;
             }
 
             if (options.TokenValidator != null)
diff --git a/src/Steeltoe.Security.Authentication.CloudFoundry/CloudFoundryJwtBearerEvents.cs b/src/Steeltoe.Security.Authentication.CloudFoundry/CloudFoundryJwtBearerEvents.cs
new file mode 100644
index 0000000..41862e2
--- /dev/null
+++ b/src/Steeltoe.Security.Authentication.CloudFoundry/CloudFoundryJwtBearerEvents.cs
@@ -0,0 +1,98 @@
+using Microsoft.AspNetCore.Authentication.JwtBearer;
+using System;
+using System.Collections.Generic;
+using System.IdentityModel.Tokens.Jwt;
+using System.Linq;
+using System.Security.Claims;
+using System.Security.Principal;
+using System.Threading.Tasks;
+
+namespace Steeltoe.Security.Authentication.CloudFoundry
+{
+    public class CloudFoundryJwtBearerEvents : JwtBearerEvents
+    {
+        public override Task TokenValidated(TokenValidatedContext context)
+        {
+            if (context == null)
+            {
+                return Task.FromResult(0);
+            }
+
+            var identity = context.Ticket.Principal.Identity as ClaimsIdentity;
+            if (identity == null)
+            {
+                return Task.FromResult(0);
+            }
+
+            var identifier = GetId(identity);
+            if (!string.IsNullOrEmpty(identifier))
+            {
+                identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, identifier, ClaimValueTypes.String, context.Options.ClaimsIssuer));
+            }
+
+            var givenName = GetGivenName(identity);
+            if (!string.IsNullOrEmpty(givenName))
+            {
+                identity.AddClaim(new Claim(ClaimTypes.GivenName, givenName, ClaimValueTypes.String, context.Options.ClaimsIssuer));
+            }
+
+            var familyName = GetFamilyName(identity);
+            if (!string.IsNullOrEmpty(familyName))
+            {
+                identity.AddClaim(new Claim(ClaimTypes.Surname, familyName, ClaimValueTypes.String, context.Options.ClaimsIssuer));
+            }
+
+            var email = GetEmail(identity);
+            if (!string.IsNullOrEmpty(email))
+            {
+                identity.AddClaim(new Claim(ClaimTypes.Email, email, ClaimValueTypes.String, context.Options.ClaimsIssuer));
+            }
+
+            var name = GetName(identity);
+            if (!string.IsNullOrEmpty(name))
+            {
+                identity.AddClaim(new Claim(ClaimTypes.Name, name, ClaimValueTypes.String, context.Options.ClaimsIssuer));
+            }
+
+            return Task.FromResult(0);
+        }
+
+        private string GetGivenName(IIdentity identity)
+        {
+            return GetClaim(identity, "given_name");
+        }
+
+        private string GetFamilyName(IIdentity identity)
+        {
+            return GetClaim(identity, "family_name");
+        }
+
+        private string GetEmail(IIdentity identity)
+        {
+            return GetClaim(identity, "email");
+        }
+        private string GetName(IIdentity identity)
+        {
+            return GetClaim(identity, "user_name");
+        }
+        private string GetId(IIdentity identity)
+        {
+            return GetClaim(identity, "user_id");
+        }
+
+        private string GetClaim(IIdentity identity, string claim)
+        {
+            var claims = identity as ClaimsIdentity;
+            if (claims == null)
+            {
+                return null;
+            }
+            var idClaim = claims.FindFirst(claim);
+            if (idClaim == null)
+            {
+                return null;
+            }
+            return idClaim.Value;
+        }
+    }
+}