protected override async Task <AuthenticateResult> HandleAuthenticateAsync()
        {
            string token = Options.TokenRetriever(Context.Request);

            if (token.IsMissing())
            {
                return(AuthenticateResult.Skip());
            }

            if (token.Contains('.') && Options.SkipTokensWithDots)
            {
                _logger.LogTrace("Token contains a dot - skipped because SkipTokensWithDots is set.");
                return(AuthenticateResult.Skip());
            }

            // Resolve request generator
            _requestGenerator = Context.RequestServices.GetService <IIntrospectionRequestGenerator>() ?? new DefaultIntrospectionRequestGenerator();

            if (Options.EnableCaching)
            {
                var claims = await _cache.GetClaimsAsync(token).ConfigureAwait(false);

                if (claims != null && await _requestGenerator.UseCacheAsync(Context.Request, claims))
                {
                    var ticket = CreateTicket(claims);

                    _logger.LogTrace("Token found in cache.");

                    if (Options.SaveToken)
                    {
                        ticket.Properties.StoreTokens(new[]
                        {
                            new AuthenticationToken {
                                Name = "access_token", Value = token
                            }
                        });
                    }

                    return(AuthenticateResult.Success(ticket));
                }

                _logger.LogTrace("Token is not cached, or the introspection response generator rejected the currently cached claims.");
            }

            // Use a LazyAsync to ensure only one thread is requesting introspection for a token - the rest will wait for the result
            var lazyIntrospection = _lazyTokenIntrospections.GetOrAdd(token, CreateLazyIntrospection);

            try
            {
                var response = await lazyIntrospection.Value.ConfigureAwait(false);

                if (response.IsError)
                {
                    _logger.LogError("Error returned from introspection endpoint: " + response.Error);
                    return(AuthenticateResult.Fail("Error returned from introspection endpoint: " + response.Error));
                }

                if (response.IsActive)
                {
                    var ticket = CreateTicket(response.Claims);

                    if (Options.SaveToken)
                    {
                        ticket.Properties.StoreTokens(new[]
                        {
                            new AuthenticationToken {
                                Name = "access_token", Value = token
                            }
                        });
                    }

                    if (Options.EnableCaching)
                    {
                        await _cache.SetClaimsAsync(token, response.Claims, Options.CacheDuration, _logger).ConfigureAwait(false);
                    }

                    return(AuthenticateResult.Success(ticket));
                }
                else
                {
                    return(AuthenticateResult.Fail("Token is not active."));
                }
            }
            finally
            {
                // If caching is on and it succeeded, the claims are now in the cache.
                // If caching is off and it succeeded, the claims will be discarded.
                // Either way, we want to remove the temporary store of claims for this token because it is only intended for de-duping fetch requests
                AsyncLazy <IntrospectionResponse> removed;
                _lazyTokenIntrospections.TryRemove(token, out removed);
            }
        }
        /// <summary>
        /// Tries to authenticate a reference token on the current request
        /// </summary>
        /// <returns></returns>
        protected override async Task <AuthenticateResult> HandleAuthenticateAsync()
        {
            string token = Options.TokenRetriever(Context.Request);

            if (token.IsMissing())
            {
                return(AuthenticateResult.NoResult());
            }

            if (token.Contains('.') && Options.SkipTokensWithDots)
            {
                _logger.LogTrace("Token contains a dot - skipped because SkipTokensWithDots is set.");
                return(AuthenticateResult.NoResult());
            }

            if (Options.EnableCaching)
            {
                var claims = await _cache.GetClaimsAsync(token).ConfigureAwait(false);

                if (claims != null)
                {
                    var ticket = CreateTicket(claims);

                    _logger.LogTrace("Token found in cache.");

                    if (Options.SaveToken)
                    {
                        ticket.Properties.StoreTokens(new[]
                        {
                            new AuthenticationToken {
                                Name = "access_token", Value = token
                            }
                        });
                    }

                    return(AuthenticateResult.Success(ticket));
                }

                _logger.LogTrace("Token is not cached.");
            }

            // Use a LazyAsync to ensure only one thread is requesting introspection for a token - the rest will wait for the result
            var lazyIntrospection = Options.LazyIntrospections.GetOrAdd(token, CreateLazyIntrospection);
            var lazyUserinfo      = Options.LazyUserinfos.GetOrAdd(token, CreateLazyUserinfos);

            try
            {
                var introspectionResponse = await lazyIntrospection.Value.ConfigureAwait(false);

                if (introspectionResponse.IsError)
                {
                    _logger.LogError("Error returned from introspection endpoint: " + introspectionResponse.Error);
                    return(AuthenticateResult.Fail("Error returned from introspection endpoint: " + introspectionResponse.Error));
                }

                if (introspectionResponse.IsActive)
                {
                    var claims = introspectionResponse.Claims;

                    if (Options.GetClaimsFromUserinfoEndpoint)
                    {
                        var userinfoResponse = await lazyUserinfo.Value.ConfigureAwait(false);

                        if (userinfoResponse.IsError)
                        {
                            _logger.LogError("Error returned from userinfo endpoint: " + userinfoResponse.Error);
                            return(AuthenticateResult.Fail("Error returned from userinfo endpoint: " + userinfoResponse.Error));
                        }

                        claims = claims.Union(userinfoResponse.Claims);
                    }

                    if (Options.RoleClaimValueSplitting)
                    {
                        var roleClaimQuery = from c in claims
                                             where c.Type == Options.RoleClaimType
                                             select c;
                        if (roleClaimQuery.Count() == 1)
                        {
                            var roleClaim     = roleClaimQuery.Single();
                            var newRoleClaims = SplitClaim(roleClaim, Options.RoleClaimValueSplittingChar);
                            claims = claims.Union(newRoleClaims);
                        }
                    }

                    var ticket = CreateTicket(claims);

                    if (Options.SaveToken)
                    {
                        ticket.Properties.StoreTokens(new[]
                        {
                            new AuthenticationToken {
                                Name = "access_token", Value = token
                            }
                        });
                    }

                    if (Options.EnableCaching)
                    {
                        await _cache.SetClaimsAsync(token, claims, Options.CacheDuration, _logger).ConfigureAwait(false);
                    }

                    return(AuthenticateResult.Success(ticket));
                }
                else
                {
                    return(AuthenticateResult.Fail("Token is not active."));
                }
            }
            finally
            {
                // If caching is on and it succeeded, the claims are now in the cache.
                // If caching is off and it succeeded, the claims will be discarded.
                // Either way, we want to remove the temporary store of claims for this token because it is only intended for de-duping fetch requests
                Options.LazyIntrospections.TryRemove(token, out _);
                Options.LazyUserinfos.TryRemove(token, out _);
            }
        }
Beispiel #3
0
        /// <summary>
        /// Tries to authenticate a reference token on the current request
        /// </summary>
        /// <returns></returns>
        protected override async Task <AuthenticateResult> HandleAuthenticateAsync()
        {
            string token = Options.TokenRetriever(Context.Request);

            if (token.IsMissing())
            {
                return(AuthenticateResult.NoResult());
            }

            if (token.Contains('.') && Options.SkipTokensWithDots)
            {
                _logger.LogTrace("Token contains a dot - skipped because SkipTokensWithDots is set.");
                return(AuthenticateResult.NoResult());
            }

            if (Options.EnableCaching)
            {
                var key    = $"{Options.CacheKeyPrefix}{token}";
                var claims = await _cache.GetClaimsAsync(key).ConfigureAwait(false);

                if (claims != null)
                {
                    // find out if it is a cached inactive token
                    var isInActive = claims.FirstOrDefault(c => string.Equals(c.Type, "active", StringComparison.OrdinalIgnoreCase) && string.Equals(c.Value, "false", StringComparison.OrdinalIgnoreCase));
                    if (isInActive != null)
                    {
                        return(await ReportNonSuccessAndReturn("Cached token is not active."));
                    }

                    return(await CreateTicket(claims, token));
                }

                _logger.LogTrace("Token is not cached.");
            }

            // Use a LazyAsync to ensure only one thread is requesting introspection for a token - the rest will wait for the result
            var lazyIntrospection = Options.LazyIntrospections.GetOrAdd(token, CreateLazyIntrospection);

            try
            {
                var response = await lazyIntrospection.Value.ConfigureAwait(false);

                if (response.IsError)
                {
                    _logger.LogError("Error returned from introspection endpoint: " + response.Error);
                    return(await ReportNonSuccessAndReturn("Error returned from introspection endpoint: " + response.Error));
                }

                if (response.IsActive)
                {
                    if (Options.EnableCaching)
                    {
                        var key = $"{Options.CacheKeyPrefix}{token}";
                        await _cache.SetClaimsAsync(key, response.Claims, Options.CacheDuration, _logger).ConfigureAwait(false);
                    }

                    return(await CreateTicket(response.Claims, token));
                }
                else
                {
                    if (Options.EnableCaching)
                    {
                        var key = $"{Options.CacheKeyPrefix}{token}";

                        // add an exp claim - otherwise caching will not work
                        var claimsWithExp = response.Claims.ToList();
                        claimsWithExp.Add(new Claim("exp", DateTimeOffset.UtcNow.Add(Options.CacheDuration).ToUnixTimeSeconds().ToString()));
                        await _cache.SetClaimsAsync(key, claimsWithExp, Options.CacheDuration, _logger).ConfigureAwait(false);
                    }

                    return(await ReportNonSuccessAndReturn("Token is not active."));
                }
            }
            finally
            {
                // If caching is on and it succeeded, the claims are now in the cache.
                // If caching is off and it succeeded, the claims will be discarded.
                // Either way, we want to remove the temporary store of claims for this token because it is only intended for de-duping fetch requests
                Options.LazyIntrospections.TryRemove(token, out _);
            }
        }
Beispiel #4
0
        /// <summary>
        /// Tries to authenticate a reference token on the current request
        /// </summary>
        /// <returns></returns>
        protected override async Task <AuthenticateResult> HandleAuthenticateAsync()
        {
            string token = Options.TokenRetriever(Context.Request);

            if (token.IsMissing())
            {
                return(ReportNonSuccessAndReturn(AuthenticateResult.NoResult()));
            }

            if (token.Contains(".") && Options.SkipTokensWithDots)
            {
                _logger.LogTrace("Token contains a dot - skipped because SkipTokensWithDots is set.");
                return(ReportNonSuccessAndReturn(AuthenticateResult.NoResult()));
            }

            if (Options.EnableCaching)
            {
                var key    = $"{Options.CacheKeyPrefix}{token}";
                var claims = await _cache.GetClaimsAsync(key).ConfigureAwait(false);

                if (claims.Any())
                {
                    var ticket = await CreateTicket(claims);

                    _logger.LogTrace("Token found in cache.");

                    if (Options.SaveToken)
                    {
                        ticket.Properties.StoreTokens(new[]
                        {
                            new AuthenticationToken {
                                Name = "access_token", Value = token
                            }
                        });
                    }

                    return(AuthenticateResult.Success(ticket));
                }

                _logger.LogTrace("Token is not cached.");
            }

            // Use a LazyAsync to ensure only one thread is requesting introspection for a token - the rest will wait for the result
            var lazyIntrospection = Options.LazyIntrospections.GetOrAdd(token, CreateLazyIntrospection);

            try
            {
                var response = await lazyIntrospection.Value.ConfigureAwait(false);

                if (response.IsError)
                {
                    _logger.LogError("Error returned from introspection endpoint: " + response.Error);
                    return(ReportNonSuccessAndReturn(AuthenticateResult.Fail("Error returned from introspection endpoint: " + response.Error)));
                }

                if (response.IsActive)
                {
                    var ticket = await CreateTicket(response.Claims);

                    if (Options.SaveToken)
                    {
                        ticket.Properties.StoreTokens(new[]
                        {
                            new AuthenticationToken {
                                Name = "access_token", Value = token
                            }
                        });
                    }

                    if (Options.EnableCaching)
                    {
                        var key = $"{Options.CacheKeyPrefix}{token}";
                        await _cache.SetClaimsAsync(key, response.Claims, Options.CacheDuration, _logger).ConfigureAwait(false);
                    }

                    return(AuthenticateResult.Success(ticket));
                }
                else
                {
                    return(ReportNonSuccessAndReturn(AuthenticateResult.Fail("Token is not active.")));
                }
            }
            finally
            {
                // If caching is on and it succeeded, the claims are now in the cache.
                // If caching is off and it succeeded, the claims will be discarded.
                // Either way, we want to remove the temporary store of claims for this token because it is only intended for de-duping fetch requests
                Options.LazyIntrospections.TryRemove(token, out _);
            }
        }
        /// <summary>
        /// Tries to authenticate a reference token on the current request
        /// </summary>
        /// <returns></returns>
        protected override async Task <AuthenticateResult> HandleAuthenticateAsync()
        {
            string token = Options.TokenRetriever(Context.Request);

            // no token - nothing to do here
            if (token.IsMissing())
            {
                return(AuthenticateResult.NoResult());
            }

            // if token contains a dot - it might be a JWT and we are skipping
            // this is configurable
            if (token.Contains('.') && Options.SkipTokensWithDots)
            {
                _logger.LogTrace("Token contains a dot - skipped because SkipTokensWithDots is set.");
                return(AuthenticateResult.NoResult());
            }

            // if caching is enable - let's check if we have a cached introspection
            if (Options.EnableCaching)
            {
                var key    = $"{Options.CacheKeyPrefix}{token}";
                var claims = await _cache.GetClaimsAsync(key).ConfigureAwait(false);

                if (claims != null)
                {
                    // find out if it is a cached inactive token
                    var isInActive = claims.FirstOrDefault(c => string.Equals(c.Type, "active", StringComparison.OrdinalIgnoreCase) && string.Equals(c.Value, "false", StringComparison.OrdinalIgnoreCase));
                    if (isInActive != null)
                    {
                        return(await ReportNonSuccessAndReturn("Cached token is not active."));
                    }

                    return(await CreateTicket(claims, token));
                }

                _logger.LogTrace("Token is not cached.");
            }

            // no cached result - let's make a network roundtrip to the introspection endpoint
            // this code block tries to make sure that we only do a single roundtrip, even when multiple requests
            // with the same token come in at the same time
            try
            {
                return(await IntrospectionDictionary.GetOrAdd(token, _ =>
                {
                    return new Lazy <Task <AuthenticateResult> >(async() =>
                    {
                        var response = await LoadClaimsForToken(token);

                        if (response.IsError)
                        {
                            _logger.LogError("Error returned from introspection endpoint: " + response.Error);
                            return await ReportNonSuccessAndReturn("Error returned from introspection endpoint: " + response.Error);
                        }

                        if (response.IsActive)
                        {
                            if (Options.EnableCaching)
                            {
                                var key = $"{Options.CacheKeyPrefix}{token}";
                                await _cache.SetClaimsAsync(key, response.Claims, Options.CacheDuration, _logger).ConfigureAwait(false);
                            }

                            return await CreateTicket(response.Claims, token);
                        }
                        else
                        {
                            if (Options.EnableCaching)
                            {
                                var key = $"{Options.CacheKeyPrefix}{token}";

                                // add an exp claim - otherwise caching will not work
                                var claimsWithExp = response.Claims.ToList();
                                claimsWithExp.Add(new Claim("exp",
                                                            DateTimeOffset.UtcNow.Add(Options.CacheDuration).ToUnixTimeSeconds().ToString()));
                                await _cache.SetClaimsAsync(key, claimsWithExp, Options.CacheDuration, _logger)
                                .ConfigureAwait(false);
                            }

                            return await ReportNonSuccessAndReturn("Token is not active.");
                        }
                    });
                }).Value);
            }
            finally
            {
                IntrospectionDictionary.TryRemove(token, out _);
            }
        }