protected override bool TryGetTokenRequestContextFromChallenge(HttpMessage message, out TokenRequestContext context)
{
string authority = GetRequestAuthority(message.Request);
string scope = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "resource");
if (scope != null)
{
scope = scope + "/.default";
}
else
{
scope = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "scope");
}
if (scope is null)
{
if (_scopeCache.TryGetValue(authority, out _scope))
{
return(false);
}
}
else
{
_scope = new AuthorityScope(authority, new string[] { scope });
_scopeCache[authority] = _scope;
}
context = new TokenRequestContext(_scope.Scopes, message.Request.ClientRequestId);
return(true);
}
protected override async ValueTask <bool> AuthenticateRequestOnChallengeAsync(HttpMessage message, bool async)
{
// Once we're here, we've completed Step 1.
// Step 2: Parse challenge string to retrieve serviceName and scope, where scope is the ACR Scope
var service = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "service");
var scope = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "scope");
string acrAccessToken = string.Empty;
if (async)
{
// Step 3: Exchange AAD Access Token for ACR Refresh Token
string acrRefreshToken = await ExchangeAadAccessTokenForAcrRefreshTokenAsync(message, service, true).ConfigureAwait(false);
// Step 4: Send in acrRefreshToken and get back acrAccessToken
acrAccessToken = await ExchangeAcrRefreshTokenForAcrAccessTokenAsync(acrRefreshToken, service, scope, true, message.CancellationToken).ConfigureAwait(false);
}
else
{
// Step 3: Exchange AAD Access Token for ACR Refresh Token
string acrRefreshToken = ExchangeAadAccessTokenForAcrRefreshTokenAsync(message, service, false).EnsureCompleted();
// Step 4: Send in acrRefreshToken and get back acrAccessToken
acrAccessToken = ExchangeAcrRefreshTokenForAcrAccessTokenAsync(acrRefreshToken, service, scope, false, message.CancellationToken).EnsureCompleted();
}
// Step 5 - Authorize Request. Note, we don't use SetAuthorizationHeader here, because it
// sets an AAD access token header, and at this point we're done with AAD and using an ACR access token.
message.Request.Headers.SetValue(HttpHeader.Names.Authorization, $"Bearer {acrAccessToken}");
return(true);
}
private async ValueTask <bool> AuthorizeRequestOnChallengeInternalAsync(HttpMessage message, bool async)
{
try
{
var authUri = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "authorization_uri");
// tenantId should be the guid as seen in this example: https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
tenantId = new Uri(authUri).Segments[1].Trim('/');
string scope = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "resource_id");
if (scope != null)
{
scope += Constants.DefaultScope;
_scopes = new string[] { scope };
}
TokenRequestContext context = new TokenRequestContext(_scopes, message.Request.ClientRequestId, tenantId: tenantId);
if (async)
{
await AuthenticateAndAuthorizeRequestAsync(message, context).ConfigureAwait(false);
}
else
{
AuthenticateAndAuthorizeRequest(message, context);
}
return(true);
}
catch
{
return(default);
protected override bool AuthorizeRequestOnChallenge(HttpMessage message)
{
var challenge = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "claims");
if (challenge == null)
{
return(false);
}
string claimsChallenge = Base64Url.DecodeString(challenge);
var context = new TokenRequestContext(_scopes, message.Request.ClientRequestId, claimsChallenge);
AuthenticateAndAuthorizeRequest(message, context);
return(true);
}
protected override async ValueTask <bool> AuthenticateRequestOnChallengeAsync(HttpMessage message, bool async)
{
var challenge = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "claims");
if (challenge == null)
{
return(false);
}
string claimsChallenge = Base64Url.DecodeString(challenge.ToString());
var context = new TokenRequestContext(Scopes, message.Request.ClientRequestId, claimsChallenge);
await SetAuthorizationHeader(message, context, async);
return(true);
}
protected override bool TryGetTokenRequestContextFromChallenge(HttpMessage message, out TokenRequestContext context)
{
context = default;
var challenge = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "claims");
if (challenge == null)
{
return(false);
}
string claimsChallenge = Base64Url.DecodeString(challenge.ToString());
context = new TokenRequestContext(Scopes, message.Request.ClientRequestId, claimsChallenge);
return(true);
}
private async ValueTask <bool> AuthorizeRequestOnChallengeAsyncInternal(HttpMessage message, bool async)
{
if (message.Request.Content == null && message.TryGetProperty(KeyVaultStashedContentKey, out var content))
{
message.Request.Content = content as RequestContent;
}
string authority = GetRequestAuthority(message.Request);
string scope = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "resource");
if (scope != null)
{
scope = scope + "/.default";
}
else
{
scope = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "scope");
}
if (scope is null)
{
if (_scopeCache.TryGetValue(authority, out _scope))
{
return(false);
}
}
else
{
_scope = new AuthorityScope(authority, new string[] { scope });
_scopeCache[authority] = _scope;
}
var context = new TokenRequestContext(_scope.Scopes, message.Request.ClientRequestId);
if (async)
{
await AuthenticateAndAuthorizeRequestAsync(message, context).ConfigureAwait(false);
}
else
{
AuthenticateAndAuthorizeRequest(message, context);
}
return(true);
}