public string Protect(AuthenticationTicket data)
{
if (data == null)
{
throw new ArgumentNullException("data");
}
string audienceId = data.Properties.Dictionary.ContainsKey(AudiencePropertyKey) ? data.Properties.Dictionary[AudiencePropertyKey] : null;
if (string.IsNullOrWhiteSpace(audienceId))
{
throw new InvalidOperationException("AuthenticationTicket.Properties does not include audience");
}
Audience audience = AudienceRepository.FindAudience(audienceId);
string symmetricKeyAsBase64 = audience.Base64Secret;
var keyByteArray = TextEncodings.Base64Url.Decode(symmetricKeyAsBase64);
var signingKey = new HmacSigningCredentials(keyByteArray);
var issued = data.Properties.IssuedUtc;
var expires = data.Properties.ExpiresUtc;
var token = new JwtSecurityToken(_issuer, audienceId, data.Identity.Claims, issued.Value.UtcDateTime, expires.Value.UtcDateTime, signingKey);
var handler = new JwtSecurityTokenHandler();
var jwt = handler.WriteToken(token);
return(jwt);
}
public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
{
string clientId = string.Empty;
string clientSecret = string.Empty;
string symmetricKeyAsBase64 = string.Empty; //TODO: implement this
if (!context.TryGetBasicCredentials(out clientId, out clientSecret))
{
context.TryGetFormCredentials(out clientId, out clientSecret);
}
if (context.ClientId == null)
{
context.SetError("invalid_clientId", "client_Id is not set");
return(Task.FromResult <object>(null));
}
var audience = AudienceRepository.FindAudience(context.ClientId);
if (audience == null)
{
context.SetError("invalid_clientId", string.Format("Invalid client_id '{0}'", context.ClientId));
return(Task.FromResult <object>(null));
}
if (audience.ApplicationType == ApplicationTypes.NativeConfidential)
{
if (string.IsNullOrWhiteSpace(clientSecret))
{
context.SetError("invalid_clientId", "Client/Audeince secret should be sent.");
return(Task.FromResult <object>(null));
}
else
{
if (audience.Base64Secret != Helper.GetHash(clientSecret))
{
context.SetError("invalid_clientId", "Client/Audeience secret is invalid.");
return(Task.FromResult <object>(null));
}
}
}
if (!audience.Active)
{
context.SetError("invalid_clientId", "Client is inactive.");
return(Task.FromResult <object>(null));
}
context.OwinContext.Set <string>("as:clientAllowedOrigin", audience.AllowedOrigin);
context.OwinContext.Set <string>("as:clientRefreshTokenLifeTime", audience.RefreshTokenLifeTime.ToString());
context.Validated();
return(Task.FromResult <object>(null));
}