Beispiel #1
0
        /// <summary>
        /// Finds a relying party by realm
        /// </summary>
        /// <param name="realm">The realm</param>
        /// <returns>
        /// The relying party
        /// </returns>
        public async Task <RelyingParty> FindRelyingPartyByRealm(string realm)
        {
            var relyingParty = await _cache.GetAsync(realm,
                                                     _options.Caching.ClientStoreExpiration,
                                                     () => _inner.FindRelyingPartyByRealm(realm),
                                                     _logger);

            return(relyingParty);
        }
        public async Task <SignInValidationResult> ValidateAsync(WsFederationMessage message, ClaimsPrincipal user)
        {
            //Logger.Info("Start WS-Federation signin request validation");
            var result = new SignInValidationResult
            {
                WsFederationMessage = message
            };

            // check client
            var client = await _clients.FindEnabledClientByIdAsync(message.Wtrealm);

            if (client == null)
            {
                LogError("Client not found: " + message.Wtrealm, result);

                return(new SignInValidationResult
                {
                    Error = "invalid_relying_party"
                });
            }
            if (client.ProtocolType != IdentityServerConstants.ProtocolTypes.WsFederation)
            {
                LogError("Client is not configured for WS-Federation", result);

                return(new SignInValidationResult
                {
                    Error = "invalid_relying_party"
                });
            }

            result.Client   = client;
            result.ReplyUrl = client.RedirectUris.First();

            // check if additional relying party settings exist
            var rp = await _relyingParties.FindRelyingPartyByRealm(message.Wtrealm);

            if (rp == null)
            {
                rp = new RelyingParty
                {
                    TokenType                = _options.DefaultTokenType,
                    SignatureAlgorithm       = _options.DefaultSignatureAlgorithm,
                    DigestAlgorithm          = _options.DefaultDigestAlgorithm,
                    SamlNameIdentifierFormat = _options.DefaultSamlNameIdentifierFormat,
                    ClaimMapping             = _options.DefaultClaimMapping
                };
            }

            result.RelyingParty = rp;

            if (user == null ||
                user.Identity.IsAuthenticated == false)
            {
                result.SignInRequired = true;
            }

            result.User = user;

            LogSuccess(result);
            return(result);
        }
Beispiel #3
0
        /// <summary>
        /// Validates the asynchronous.
        /// </summary>
        /// <param name="message">The message.</param>
        /// <param name="user">The user.</param>
        /// <returns></returns>
        public async Task <SignInValidationResult> ValidateAsync(WsFederationMessage message, ClaimsPrincipal user)
        {
            var result = new SignInValidationResult
            {
                WsFederationMessage = message
            };

            // check client
            var client = await _clients.FindEnabledClientByIdAsync(message.Wtrealm);

            if (client == null)
            {
                return(new SignInValidationResult
                {
                    Error = "invalid_relying_party",
                    ErrorMessage = $"{message.Wtrealm} client not found."
                });
            }
            if (client.ProtocolType != IdentityServerConstants.ProtocolTypes.WsFederation)
            {
                return(new SignInValidationResult
                {
                    Error = "invalid_relying_party",
                    ErrorMessage = $"{message.Wtrealm} client is not a wsfed client."
                });
            }

            var rp = await _relyingParties.FindRelyingPartyByRealm(message.Wtrealm).ConfigureAwait(false);

            if (rp == null)
            {
                return(new SignInValidationResult
                {
                    Error = "invalid_relying_party",
                    ErrorMessage = $"{message.Wtrealm} relying party not found."
                });
            }

            var replyUrl = message.Wreply ?? client.RedirectUris.FirstOrDefault();

            if (!Uri.TryCreate(replyUrl, UriKind.Absolute, out Uri _))
            {
                return(new SignInValidationResult
                {
                    Error = "invalid_relying_party",
                    ErrorMessage = $"'{replyUrl}' is not a valid absolute uri. Message wreply received: {message.Wreply}. Client 1st redirect uri: {client.RedirectUris.FirstOrDefault()}."
                });
            }

            result.Client       = client;
            result.ReplyUrl     = replyUrl;
            result.RelyingParty = rp;

            if (user == null || !user.Identity.IsAuthenticated)
            {
                result.SignInRequired = true;
            }

            result.User = user;

            return(result);
        }
        public async Task <SignInValidationResult> ValidateAsync(WsFederationMessage message, ClaimsPrincipal user)
        {
            _logger.LogInformation("Start WS-Federation signin request validation");
            var result = new SignInValidationResult
            {
                WsFederationMessage = message
            };

            // check client
            var client = await _clients.FindEnabledClientByIdAsync(message.Wtrealm);

            if (client == null)
            {
                LogError("Client not found: " + message.Wtrealm, result);

                return(new SignInValidationResult
                {
                    Error = "invalid_relying_party"
                });
            }
            if (client.Enabled == false)
            {
                LogError("Client is disabled: " + message.Wtrealm, result);

                return(new SignInValidationResult
                {
                    Error = "invalid_relying_party"
                });
            }
            if (client.ProtocolType != IdentityServerConstants.ProtocolTypes.WsFederation)
            {
                LogError("Client is not configured for WS-Federation", result);

                return(new SignInValidationResult
                {
                    Error = "invalid_relying_party"
                });
            }

            result.Client   = client;
            result.ReplyUrl = client.RedirectUris.First();

            // check if additional relying party settings exist
            var rp = await _relyingParties.FindRelyingPartyByRealm(message.Wtrealm);

            if (rp == null)
            {
                rp = new RelyingParty
                {
                    TokenType                = _options.DefaultTokenType,
                    SignatureAlgorithm       = _options.DefaultSignatureAlgorithm,
                    DigestAlgorithm          = _options.DefaultDigestAlgorithm,
                    SamlNameIdentifierFormat = _options.DefaultSamlNameIdentifierFormat,
                    ClaimMapping             = _options.DefaultClaimMapping
                };
            }

            result.RelyingParty = rp;

            if (user == null ||
                user.Identity.IsAuthenticated == false)
            {
                result.SignInRequired = true;
                return(result);
            }

            result.User = user;

            if (!string.IsNullOrEmpty(message.Wfresh))
            {
                if (int.TryParse(message.Wfresh, out int maxAgeInMinutes))
                {
                    if (maxAgeInMinutes == 0)
                    {
                        _logger.LogInformation("Showing login: Requested wfresh=0.");
                        message.Wfresh        = null;
                        result.SignInRequired = true;
                        return(result);
                    }
                    var authTime = user.GetAuthenticationTime();
                    if (_clock.UtcNow.UtcDateTime > authTime.AddMinutes(maxAgeInMinutes))
                    {
                        _logger.LogInformation("Showing login: Requested wfresh time exceeded.");
                        result.SignInRequired = true;
                        return(result);
                    }
                }
            }

            LogSuccess(result);
            return(result);
        }