Beispiel #1
0
        public async Task <bool> RemoveToken(string token, CancellationToken cancellationToken)
        {
            var result = await _tokenQueryRepository.Get(token, cancellationToken);

            if (result == null)
            {
                return(false);
            }

            await _tokenCommandRepository.Delete(result, cancellationToken);

            await _tokenCommandRepository.SaveChanges(cancellationToken);

            return(true);
        }
Beispiel #2
0
        public async Task <GetAccountsResult> Handle(GetAccountsQuery request, CancellationToken cancellationToken)
        {
            var jwsPayload = await Extract(request.AccessToken);

            if (jwsPayload == null)
            {
                _logger.LogError("access token is invalid");
                throw new OAuthException(ErrorCodes.INVALID_TOKEN, OAuth.ErrorMessages.BAD_TOKEN);
            }

            var token = await _tokenQueryRepository.Get(request.AccessToken, cancellationToken);

            if (token == null)
            {
                _logger.LogError("cannot get accounts because access token has been rejected");
                throw new OAuthException(ErrorCodes.INVALID_TOKEN, ErrorMessages.ACCESS_TOKEN_REJECTED);
            }

            var consentId = jwsPayload[_options.OpenBankingApiConsentClaimName].ToString();
            var consent   = await _accountAccessConsentRepository.Get(consentId, cancellationToken);

            if (!consent.Permissions.Contains(AccountAccessConsentPermission.ReadAccountsBasic) &&
                !consent.Permissions.Contains(AccountAccessConsentPermission.ReadAccountsDetail))
            {
                _logger.LogError("no permissions to read accounts");
                throw new OAuthException(ErrorCodes.INVALID_REQUEST, Global.NoPermissionToReadAccounts);
            }

            var result = await _accountRepository.Get(consent.AccountIds, cancellationToken);

            return(GetAccountsResult.ToResult(result, consent.Permissions, request.Issuer, 1));
        }
Beispiel #3
0
        private async Task <IActionResult> Common(JObject content, CancellationToken cancellationToken)
        {
            try
            {
                var accessToken = ExtractAccessToken(content);
                var jwsPayload  = await Extract(accessToken);

                if (jwsPayload == null)
                {
                    throw new OAuthException(ErrorCodes.INVALID_TOKEN, OAuth.ErrorMessages.BAD_TOKEN);
                }

                var subject   = jwsPayload.GetSub();
                var scopes    = jwsPayload.GetScopes();
                var audiences = jwsPayload.GetAudiences();
                var claims    = jwsPayload.GetClaimsFromAccessToken(AuthorizationRequestClaimTypes.UserInfo);
                var authTime  = jwsPayload.GetAuthTime();
                var user      = await _oauthUserRepository.FindOAuthUserByLogin(subject, cancellationToken);

                if (user == null)
                {
                    return(new UnauthorizedResult());
                }

                var filteredClients = await _oauthClientRepository.FindOAuthClientByIds(audiences, cancellationToken);

                if (!filteredClients.Any())
                {
                    throw new OAuthException(ErrorCodes.INVALID_CLIENT, ErrorMessages.INVALID_AUDIENCE);
                }

                var oauthClient = (OpenIdClient)filteredClients.First();
                if (!user.HasOpenIDConsent(oauthClient.ClientId, scopes, claims, AuthorizationRequestClaimTypes.UserInfo))
                {
                    throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.NO_CONSENT);
                }

                var token = await _tokenQueryRepository.Get(accessToken, cancellationToken);

                if (token == null)
                {
                    _logger.LogError("Cannot get user information because access token has been rejected");
                    throw new OAuthException(ErrorCodes.INVALID_TOKEN, OAuth.ErrorMessages.ACCESS_TOKEN_REJECTED);
                }

                var oauthScopes = (await _oauthScopeRepository.FindOAuthScopesByNames(scopes, cancellationToken)).Cast <OpenIdScope>();
                var payload     = new JwsPayload();
                IdTokenBuilder.EnrichWithScopeParameter(payload, oauthScopes, user, subject);
                _claimsJwsPayloadEnricher.EnrichWithClaimsParameter(payload, claims, user, authTime, AuthorizationRequestClaimTypes.UserInfo);
                foreach (var claimsSource in _claimsSources)
                {
                    await claimsSource.Enrich(payload, oauthClient).ConfigureAwait(false);
                }

                string contentType = "application/json";
                var    result      = JsonConvert.SerializeObject(payload).ToString();
                if (!string.IsNullOrWhiteSpace(oauthClient.UserInfoSignedResponseAlg))
                {
                    result = await _jwtBuilder.BuildClientToken(oauthClient, payload, oauthClient.UserInfoSignedResponseAlg, oauthClient.UserInfoEncryptedResponseAlg, oauthClient.UserInfoEncryptedResponseEnc);

                    contentType = "application/jwt";
                }

                return(new ContentResult
                {
                    Content = result,
                    ContentType = contentType
                });
            }
            catch (OAuthException ex)
            {
                var jObj = new JObject
                {
                    { ErrorResponseParameters.Error, ex.Code },
                    { ErrorResponseParameters.ErrorDescription, ex.Message }
                };
                return(new ContentResult
                {
                    Content = jObj.ToString(),
                    ContentType = "application/json",
                    StatusCode = (int)HttpStatusCode.BadRequest
                });
            }
        }