protected override bool TryGetTokenRequestContextFromChallenge(HttpMessage message, out TokenRequestContext context)
        {
            string authority = GetRequestAuthority(message.Request);
            string scope     = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "resource");

            if (scope != null)
            {
                scope = scope + "/.default";
            }
            else
            {
                scope = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "scope");
            }

            if (scope is null)
            {
                if (_scopeCache.TryGetValue(authority, out _scope))
                {
                    return(false);
                }
            }
            else
            {
                _scope = new AuthorityScope(authority, new string[] { scope });
                _scopeCache[authority] = _scope;
            }

            context = new TokenRequestContext(_scope.Scopes, message.Request.ClientRequestId);
            return(true);
        }
        protected override async ValueTask <bool> AuthenticateRequestOnChallengeAsync(HttpMessage message, bool async)
        {
            // Once we're here, we've completed Step 1.

            // Step 2: Parse challenge string to retrieve serviceName and scope, where scope is the ACR Scope
            var service = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "service");
            var scope   = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "scope");

            string acrAccessToken = string.Empty;

            if (async)
            {
                // Step 3: Exchange AAD Access Token for ACR Refresh Token
                string acrRefreshToken = await ExchangeAadAccessTokenForAcrRefreshTokenAsync(message, service, true).ConfigureAwait(false);

                // Step 4: Send in acrRefreshToken and get back acrAccessToken
                acrAccessToken = await ExchangeAcrRefreshTokenForAcrAccessTokenAsync(acrRefreshToken, service, scope, true, message.CancellationToken).ConfigureAwait(false);
            }
            else
            {
                // Step 3: Exchange AAD Access Token for ACR Refresh Token
                string acrRefreshToken = ExchangeAadAccessTokenForAcrRefreshTokenAsync(message, service, false).EnsureCompleted();

                // Step 4: Send in acrRefreshToken and get back acrAccessToken
                acrAccessToken = ExchangeAcrRefreshTokenForAcrAccessTokenAsync(acrRefreshToken, service, scope, false, message.CancellationToken).EnsureCompleted();
            }

            // Step 5 - Authorize Request.  Note, we don't use SetAuthorizationHeader here, because it
            // sets an AAD access token header, and at this point we're done with AAD and using an ACR access token.
            message.Request.Headers.SetValue(HttpHeader.Names.Authorization, $"Bearer {acrAccessToken}");

            return(true);
        }
        private async ValueTask <bool> AuthorizeRequestOnChallengeInternalAsync(HttpMessage message, bool async)
        {
            try
            {
                var authUri = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "authorization_uri");

                // tenantId should be the guid as seen in this example: https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
                tenantId = new Uri(authUri).Segments[1].Trim('/');

                string scope = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "resource_id");
                if (scope != null)
                {
                    scope  += Constants.DefaultScope;
                    _scopes = new string[] { scope };
                }

                TokenRequestContext context = new TokenRequestContext(_scopes, message.Request.ClientRequestId, tenantId: tenantId);
                if (async)
                {
                    await AuthenticateAndAuthorizeRequestAsync(message, context).ConfigureAwait(false);
                }
                else
                {
                    AuthenticateAndAuthorizeRequest(message, context);
                }
                return(true);
            }
            catch
            {
                return(default);
Beispiel #4
0
        protected override bool AuthorizeRequestOnChallenge(HttpMessage message)
        {
            var challenge = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "claims");

            if (challenge == null)
            {
                return(false);
            }

            string claimsChallenge = Base64Url.DecodeString(challenge);
            var    context         = new TokenRequestContext(_scopes, message.Request.ClientRequestId, claimsChallenge);

            AuthenticateAndAuthorizeRequest(message, context);
            return(true);
        }
        protected override async ValueTask <bool> AuthenticateRequestOnChallengeAsync(HttpMessage message, bool async)
        {
            var challenge = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "claims");

            if (challenge == null)
            {
                return(false);
            }

            string claimsChallenge = Base64Url.DecodeString(challenge.ToString());
            var    context         = new TokenRequestContext(Scopes, message.Request.ClientRequestId, claimsChallenge);

            await SetAuthorizationHeader(message, context, async);

            return(true);
        }
Beispiel #6
0
        protected override bool TryGetTokenRequestContextFromChallenge(HttpMessage message, out TokenRequestContext context)
        {
            context = default;

            var challenge = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "claims");

            if (challenge == null)
            {
                return(false);
            }

            string claimsChallenge = Base64Url.DecodeString(challenge.ToString());

            context = new TokenRequestContext(Scopes, message.Request.ClientRequestId, claimsChallenge);
            return(true);
        }
Beispiel #7
0
        private async ValueTask <bool> AuthorizeRequestOnChallengeAsyncInternal(HttpMessage message, bool async)
        {
            if (message.Request.Content == null && message.TryGetProperty(KeyVaultStashedContentKey, out var content))
            {
                message.Request.Content = content as RequestContent;
            }

            string authority = GetRequestAuthority(message.Request);
            string scope     = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "resource");

            if (scope != null)
            {
                scope = scope + "/.default";
            }
            else
            {
                scope = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "scope");
            }

            if (scope is null)
            {
                if (_scopeCache.TryGetValue(authority, out _scope))
                {
                    return(false);
                }
            }
            else
            {
                _scope = new AuthorityScope(authority, new string[] { scope });
                _scopeCache[authority] = _scope;
            }

            var context = new TokenRequestContext(_scope.Scopes, message.Request.ClientRequestId);

            if (async)
            {
                await AuthenticateAndAuthorizeRequestAsync(message, context).ConfigureAwait(false);
            }
            else
            {
                AuthenticateAndAuthorizeRequest(message, context);
            }
            return(true);
        }