protected override TopicClient OnCreateTopicClient(string path)
{
MessagingUtilities.ThrowIfContainsSubQueueName(path);
return(new SbmpTopicClient(this, path));
}
/// <summary>
/// Creates a new nonce.
/// </summary>
/// <returns>The newly instantiated instance.</returns>
internal static CustomNonce NewNonce()
{
return(new CustomNonce(DateTime.UtcNow, MessagingUtilities.GetCryptoRandomData(NonceByteLength)));
}
/// <summary>
/// Checks whether the specified client secret is correct.
/// </summary>
/// <param name="secret">The secret obtained from the client.</param>
/// <returns><c>true</c> if the secret matches the one in the authorization server's record for the client; <c>false</c> otherwise.</returns>
/// <remarks>
/// All string equality checks, whether checking secrets or their hashes,
/// should be done using <see cref="MessagingUtilities.EqualsConstantTime"/> to mitigate timing attacks.
/// </remarks>
bool IClientDescription.IsValidClientSecret(string secret)
{
return(MessagingUtilities.EqualsConstantTime(secret, this.ClientSecret));
}
/// <summary>
/// Searches an incoming HTTP request for data that could be used to assemble
/// a protocol request message.
/// </summary>
/// <param name="request">The HTTP request to search.</param>
/// <returns>The deserialized message, if one is found. Null otherwise.</returns>
protected override IDirectedProtocolMessage ReadFromRequestCore(HttpRequestBase request)
{
// First search the Authorization header.
string authorization = request.Headers[HttpRequestHeaders.Authorization];
var fields = MessagingUtilities.ParseAuthorizationHeader(Protocol.AuthorizationHeaderScheme, authorization).ToDictionary();
fields.Remove("realm"); // ignore the realm parameter, since we don't use it, and it must be omitted from signature base string.
// Scrape the entity
if (!string.IsNullOrEmpty(request.Headers[HttpRequestHeaders.ContentType]))
{
var contentType = new ContentType(request.Headers[HttpRequestHeaders.ContentType]);
if (string.Equals(contentType.MediaType, HttpFormUrlEncoded, StringComparison.Ordinal))
{
foreach (string key in request.Form)
{
if (key != null)
{
fields.Add(key, request.Form[key]);
}
else
{
Logger.OAuth.WarnFormat("Ignoring query string parameter '{0}' since it isn't a standard name=value parameter.", request.Form[key]);
}
}
}
}
// Scrape the query string
var qs = request.GetQueryStringBeforeRewriting();
foreach (string key in qs)
{
if (key != null)
{
fields.Add(key, qs[key]);
}
else
{
Logger.OAuth.WarnFormat("Ignoring query string parameter '{0}' since it isn't a standard name=value parameter.", qs[key]);
}
}
MessageReceivingEndpoint recipient;
try {
recipient = request.GetRecipient();
} catch (ArgumentException ex) {
Logger.OAuth.WarnFormat("Unrecognized HTTP request: " + ex.ToString());
return(null);
}
// Deserialize the message using all the data we've collected.
var message = (IDirectedProtocolMessage)this.Receive(fields, recipient);
// Add receiving HTTP transport information required for signature generation.
var signedMessage = message as ITamperResistantOAuthMessage;
if (signedMessage != null)
{
signedMessage.Recipient = request.GetPublicFacingUrl();
signedMessage.HttpMethod = request.HttpMethod;
}
return(message);
}
/// <summary>
/// Creates a new salt to assign to a user.
/// </summary>
/// <returns>A non-null buffer of length <see cref="NewSaltLength"/> filled with a random salt.</returns>
protected virtual byte[] CreateSalt()
{
// We COULD use a crypto random function, but for a salt it seems overkill.
return(MessagingUtilities.GetNonCryptoRandomData(this.NewSaltLength));
}
/// <summary>
/// Applies OAuth authorization to the specified request.
/// This method is applied automatically to outbound requests that use this message handler instance.
/// However this method may be useful for obtaining the OAuth 1.0 signature without actually sending the request.
/// </summary>
/// <param name="request">The request.</param>
public void ApplyAuthorization(HttpRequestMessage request)
{
Requires.NotNull(request, "request");
var oauthParameters = this.GetOAuthParameters();
string signature = this.GetSignature(request, oauthParameters);
oauthParameters.Add("oauth_signature", signature);
// Add parameters and signature to request.
switch (this.Location)
{
case OAuthParametersLocation.AuthorizationHttpHeader:
// Some oauth parameters may have been put in the query string of the original message.
// We want to move any that we find into the authorization header.
oauthParameters.Add(ExtractOAuthParametersFromQueryString(request));
request.Headers.Authorization = new AuthenticationHeaderValue(Protocol.AuthorizationHeaderScheme, MessagingUtilities.AssembleAuthorizationHeader(oauthParameters.AsKeyValuePairs()));
break;
case OAuthParametersLocation.QueryString:
var uriBuilder = new UriBuilder(request.RequestUri);
uriBuilder.AppendQueryArgs(oauthParameters.AsKeyValuePairs());
request.RequestUri = uriBuilder.Uri;
break;
}
}
/// <summary>
/// Generates a string of random characters for use as a nonce.
/// </summary>
/// <returns>The nonce string.</returns>
private string GenerateUniqueFragment()
{
return(MessagingUtilities.GetRandomString(this.nonceLength, AllowedCharacters));
}
public void ApplyHeadersToResponseNullListenerResponse()
{
MessagingUtilities.ApplyHeadersToResponse(new WebHeaderCollection(), (HttpListenerResponse)null);
}
public void ApplyHeadersToResponseNullHeaders()
{
MessagingUtilities.ApplyHeadersToResponse(null, new HttpResponse(new StringWriter()));
}
public void VerifyCallback(Uri callback)
{
ErrorUtilities.VerifyProtocol(MessagingUtilities.AreEquivalentConstantTime(this.CallbackHash, CalculateCallbackHash(callback)), Protocol.redirect_uri_mismatch);
}
public void ToDictionaryNull()
{
Assert.IsNull(MessagingUtilities.ToDictionary(null));
}
public bool IsValidClientSecret(string secret)
{
return(MessagingUtilities.EqualsConstantTime(secret, this.ClientSecret));
}
public void ApplyHeadersToResponseNullAspNetResponse()
{
MessagingUtilities.ApplyHeadersToResponse(new WebHeaderCollection(), (HttpResponseBase)null);
}
internal OutgoingWebResponse ProcessResponseFromPopup(HttpRequestBase request, Action <AuthenticationStatus> callback)
{
Requires.NotNull(request, "request");
Contract.Ensures(Contract.Result <OutgoingWebResponse>() != null);
string extensionsJson = null;
var authResponse = this.NonVerifyingRelyingParty.GetResponse();
ErrorUtilities.VerifyProtocol(authResponse != null, OpenIdStrings.PopupRedirectMissingResponse);
// Give the caller a chance to notify the hosting page and fill up the clientScriptExtensions collection.
if (callback != null)
{
callback(authResponse.Status);
}
Logger.OpenId.DebugFormat("Popup or iframe callback from OP: {0}", request.Url);
Logger.Controls.DebugFormat(
"An authentication response was found in a popup window or iframe using a non-verifying RP with status: {0}",
authResponse.Status);
if (authResponse.Status == AuthenticationStatus.Authenticated)
{
var extensionsDictionary = new Dictionary <string, string>();
foreach (var pair in this.clientScriptExtensions)
{
IClientScriptExtensionResponse extension = (IClientScriptExtensionResponse)authResponse.GetExtension(pair.Key);
if (extension == null)
{
continue;
}
var positiveResponse = (PositiveAuthenticationResponse)authResponse;
string js = extension.InitializeJavaScriptData(positiveResponse.Response);
if (!string.IsNullOrEmpty(js))
{
extensionsDictionary[pair.Value] = js;
}
}
extensionsJson = MessagingUtilities.CreateJsonObject(extensionsDictionary, true);
}
string payload = "document.URL";
if (request.HttpMethod == "POST")
{
// Promote all form variables to the query string, but since it won't be passed
// to any server (this is a javascript window-to-window transfer) the length of
// it can be arbitrarily long, whereas it was POSTed here probably because it
// was too long for HTTP transit.
UriBuilder payloadUri = new UriBuilder(request.Url);
payloadUri.AppendQueryArgs(request.Form.ToDictionary());
payload = MessagingUtilities.GetSafeJavascriptValue(payloadUri.Uri.AbsoluteUri);
}
if (!string.IsNullOrEmpty(extensionsJson))
{
payload += ", " + extensionsJson;
}
return(InvokeParentPageScript("dnoa_internal.processAuthorizationResult(" + payload + ")"));
}
internal static Uri GetCallbackUrlFromContext()
{
Uri callback = MessagingUtilities.GetRequestUrlFromContext().StripQueryArgumentsWithPrefix("oauth_");
return(callback);
}
public void GetHttpVerbOutOfRangeTest()
{
MessagingUtilities.GetHttpVerb(HttpDeliveryMethods.PutRequest | HttpDeliveryMethods.PostRequest);
}
/// <summary>
/// Performs any transformation on an incoming message that may be necessary and/or
/// validates an incoming message based on the rules of this channel binding element.
/// </summary>
/// <param name="message">The incoming message to process.</param>
/// <returns>
/// The protections (if any) that this binding element applied to the message.
/// Null if this binding element did not even apply to this binding element.
/// </returns>
/// <exception cref="ProtocolException">
/// Thrown when the binding element rules indicate that this message is invalid and should
/// NOT be processed.
/// </exception>
public MessageProtections?ProcessIncomingMessage(IProtocolMessage message)
{
var signedMessage = message as ITamperResistantOpenIdMessage;
if (signedMessage != null)
{
Logger.Bindings.DebugFormat("Verifying incoming {0} message signature of: {1}", message.GetType().Name, signedMessage.Signature);
MessageProtections protectionsApplied = MessageProtections.TamperProtection;
this.EnsureParametersRequiringSignatureAreSigned(signedMessage);
Association association = this.GetSpecificAssociation(signedMessage);
if (association != null)
{
string signature = this.GetSignature(signedMessage, association);
if (!MessagingUtilities.EqualsConstantTime(signedMessage.Signature, signature))
{
Logger.Bindings.Error("Signature verification failed.");
throw new InvalidSignatureException(message);
}
}
else
{
ErrorUtilities.VerifyInternal(this.Channel != null, "Cannot verify private association signature because we don't have a channel.");
// If we're on the Provider, then the RP sent us a check_auth with a signature
// we don't have an association for. (It may have expired, or it may be a faulty RP).
if (this.IsOnProvider)
{
throw new InvalidSignatureException(message);
}
// We did not recognize the association the provider used to sign the message.
// Ask the provider to check the signature then.
var indirectSignedResponse = (IndirectSignedResponse)signedMessage;
var checkSignatureRequest = new CheckAuthenticationRequest(indirectSignedResponse, this.Channel);
var checkSignatureResponse = this.Channel.Request <CheckAuthenticationResponse>(checkSignatureRequest);
if (!checkSignatureResponse.IsValid)
{
Logger.Bindings.Error("Provider reports signature verification failed.");
throw new InvalidSignatureException(message);
}
// If the OP confirms that a handle should be invalidated as well, do that.
if (!string.IsNullOrEmpty(checkSignatureResponse.InvalidateHandle))
{
if (this.rpAssociations != null)
{
this.rpAssociations.RemoveAssociation(indirectSignedResponse.ProviderEndpoint, checkSignatureResponse.InvalidateHandle);
}
}
// When we're in dumb mode we can't provide our own replay protection,
// but for OpenID 2.0 Providers we can rely on them providing it as part
// of signature verification.
if (message.Version.Major >= 2)
{
protectionsApplied |= MessageProtections.ReplayProtection;
}
}
return(protectionsApplied);
}
return(null);
}
public void GetHttpDeliveryMethodOutOfRangeTest()
{
MessagingUtilities.GetHttpDeliveryMethod("UNRECOGNIZED");
}
/// <summary>
/// Escapes a value for transport in a URI, per RFC 3986.
/// </summary>
/// <param name="value">The value to escape. Null and empty strings are OK.</param>
/// <returns>The escaped value. Never null.</returns>
private static string UrlEscape(string value)
{
return(MessagingUtilities.EscapeUriDataStringRfc3986(value ?? string.Empty));
}
public void CreateQueryStringEmptyCollection()
{
Assert.AreEqual(0, MessagingUtilities.CreateQueryString(new Dictionary <string, string>()).Length);
}
/// <summary>
/// Constructs the OAuth Signature Base String and returns the result.
/// </summary>
/// <param name="message">The message.</param>
/// <param name="messageDictionary">The message to derive the signature base string from.</param>
/// <returns>The signature base string.</returns>
/// <remarks>
/// This method implements OAuth 1.0 section 9.1.
/// </remarks>
internal static string ConstructSignatureBaseString(ITamperResistantOAuthMessage message, MessageDictionary messageDictionary)
{
Contract.Requires <ArgumentNullException>(message != null);
Contract.Requires <ArgumentException>(!string.IsNullOrEmpty(message.HttpMethod));
Contract.Requires <ArgumentNullException>(messageDictionary != null);
Contract.Requires <ArgumentException>(messageDictionary.Message == message);
List <string> signatureBaseStringElements = new List <string>(3);
signatureBaseStringElements.Add(message.HttpMethod.ToUpperInvariant());
// For multipart POST messages, only include the message parts that are NOT
// in the POST entity (those parts that may appear in an OAuth authorization header).
var encodedDictionary = new Dictionary <string, string>();
IEnumerable <KeyValuePair <string, string> > partsToInclude = Enumerable.Empty <KeyValuePair <string, string> >();
var binaryMessage = message as IMessageWithBinaryData;
if (binaryMessage != null && binaryMessage.SendAsMultipart)
{
HttpDeliveryMethods authHeaderInUseFlags = HttpDeliveryMethods.PostRequest | HttpDeliveryMethods.AuthorizationHeaderRequest;
ErrorUtilities.VerifyProtocol((binaryMessage.HttpMethods & authHeaderInUseFlags) == authHeaderInUseFlags, OAuthStrings.MultipartPostMustBeUsedWithAuthHeader);
// Include the declared keys in the signature as those will be signable.
// Cache in local variable to avoid recalculating DeclaredKeys in the delegate.
ICollection <string> declaredKeys = messageDictionary.DeclaredKeys;
partsToInclude = messageDictionary.Where(pair => declaredKeys.Contains(pair.Key));
}
else
{
partsToInclude = messageDictionary;
}
foreach (var pair in OAuthChannel.GetUriEscapedParameters(partsToInclude))
{
encodedDictionary[pair.Key] = pair.Value;
}
// An incoming message will already have included the query and form parameters
// in the message dictionary, but an outgoing message COULD have SOME parameters
// in the query that are not in the message dictionary because they were included
// in the receiving endpoint (the original URL).
// In an outgoing message, the POST entity can only contain parameters if they were
// in the message dictionary, so no need to pull out any parameters from there.
if (message.Recipient.Query != null)
{
NameValueCollection nvc = HttpUtility.ParseQueryString(message.Recipient.Query);
foreach (string key in nvc)
{
string escapedKey = MessagingUtilities.EscapeUriDataStringRfc3986(key);
string escapedValue = MessagingUtilities.EscapeUriDataStringRfc3986(nvc[key]);
string existingValue;
if (!encodedDictionary.TryGetValue(escapedKey, out existingValue))
{
encodedDictionary.Add(escapedKey, escapedValue);
}
else
{
ErrorUtilities.VerifyInternal(escapedValue == existingValue, "Somehow we have conflicting values for the '{0}' parameter.", escapedKey);
}
}
}
encodedDictionary.Remove("oauth_signature");
UriBuilder endpoint = new UriBuilder(message.Recipient);
endpoint.Query = null;
endpoint.Fragment = null;
signatureBaseStringElements.Add(endpoint.Uri.AbsoluteUri);
var sortedKeyValueList = new List <KeyValuePair <string, string> >(encodedDictionary);
sortedKeyValueList.Sort(SignatureBaseStringParameterComparer);
StringBuilder paramBuilder = new StringBuilder();
foreach (var pair in sortedKeyValueList)
{
if (paramBuilder.Length > 0)
{
paramBuilder.Append("&");
}
paramBuilder.Append(pair.Key);
paramBuilder.Append('=');
paramBuilder.Append(pair.Value);
}
signatureBaseStringElements.Add(paramBuilder.ToString());
StringBuilder signatureBaseString = new StringBuilder();
foreach (string element in signatureBaseStringElements)
{
if (signatureBaseString.Length > 0)
{
signatureBaseString.Append("&");
}
signatureBaseString.Append(MessagingUtilities.EscapeUriDataStringRfc3986(element));
}
Logger.Bindings.DebugFormat("Constructed signature base string: {0}", signatureBaseString);
return(signatureBaseString.ToString());
}
public void CreateQueryStringNullDictionary()
{
MessagingUtilities.CreateQueryString(null);
}
/// <summary>
/// Prepares to send a request to the Service Provider via the Authorization header.
/// </summary>
/// <param name="requestMessage">The message to be transmitted to the ServiceProvider.</param>
/// <returns>The web request ready to send.</returns>
/// <remarks>
/// <para>If the message has non-empty ExtraData in it, the request stream is sent to
/// the server automatically. If it is empty, the request stream must be sent by the caller.</para>
/// <para>This method implements OAuth 1.0 section 5.2, item #1 (described in section 5.4).</para>
/// </remarks>
private HttpWebRequest InitializeRequestAsAuthHeader(IDirectedProtocolMessage requestMessage)
{
var dictionary = this.MessageDescriptions.GetAccessor(requestMessage);
// copy so as to not modify original
var fields = new Dictionary <string, string>();
foreach (string key in dictionary.DeclaredKeys)
{
fields.Add(key, dictionary[key]);
}
if (this.Realm != null)
{
fields.Add("realm", this.Realm.AbsoluteUri);
}
HttpWebRequest httpRequest;
UriBuilder recipientBuilder = new UriBuilder(requestMessage.Recipient);
bool hasEntity = HttpMethodHasEntity(GetHttpMethod(requestMessage));
if (!hasEntity)
{
MessagingUtilities.AppendQueryArgs(recipientBuilder, requestMessage.ExtraData);
}
httpRequest = (HttpWebRequest)WebRequest.Create(recipientBuilder.Uri);
this.PrepareHttpWebRequest(httpRequest);
httpRequest.Method = GetHttpMethod(requestMessage);
httpRequest.Headers.Add(HttpRequestHeader.Authorization, MessagingUtilities.AssembleAuthorizationHeader(Protocol.AuthorizationHeaderScheme, fields));
if (hasEntity)
{
// WARNING: We only set up the request stream for the caller if there is
// extra data. If there isn't any extra data, the caller must do this themselves.
var requestMessageWithBinaryData = requestMessage as IMessageWithBinaryData;
if (requestMessageWithBinaryData != null && requestMessageWithBinaryData.SendAsMultipart)
{
// Include the binary data in the multipart entity, and any standard text extra message data.
// The standard declared message parts are included in the authorization header.
var multiPartFields = new List <MultipartPostPart>(requestMessageWithBinaryData.BinaryData);
multiPartFields.AddRange(requestMessage.ExtraData.Select(field => MultipartPostPart.CreateFormPart(field.Key, field.Value)));
this.SendParametersInEntityAsMultipart(httpRequest, multiPartFields);
}
else
{
ErrorUtilities.VerifyProtocol(requestMessageWithBinaryData == null || requestMessageWithBinaryData.BinaryData.Count == 0, MessagingStrings.BinaryDataRequiresMultipart);
if (requestMessage.ExtraData.Count > 0)
{
this.SendParametersInEntity(httpRequest, requestMessage.ExtraData);
}
else
{
// We'll assume the content length is zero since the caller may not have
// anything. They're responsible to change it when the add the payload if they have one.
httpRequest.ContentLength = 0;
}
}
}
return(httpRequest);
}
public void AppendQueryArgsNullUriBuilder()
{
MessagingUtilities.AppendQueryArgs(null, new Dictionary <string, string>());
}
/// <summary>
/// Queues a message for sending in the response stream where the fields
/// are sent in the response stream in querystring style.
/// </summary>
/// <param name="response">The message to send as a response.</param>
/// <returns>
/// The pending user agent redirect based message to be sent as an HttpResponse.
/// </returns>
/// <remarks>
/// This method implements spec OAuth V1.0 section 5.3.
/// </remarks>
protected override HttpResponseMessage PrepareDirectResponse(IProtocolMessage response)
{
var webResponse = new HttpResponseMessage();
// The only direct response from a resource server is some authorization error (400, 401, 403).
var unauthorizedResponse = response as UnauthorizedResponse;
ErrorUtilities.VerifyInternal(unauthorizedResponse != null, "Only unauthorized responses are expected.");
// First initialize based on the specifics within the message.
ApplyMessageTemplate(response, webResponse);
if (!(response is IHttpDirectResponse))
{
webResponse.StatusCode = HttpStatusCode.Unauthorized;
}
// Now serialize all the message parts into the WWW-Authenticate header.
var fields = this.MessageDescriptions.GetAccessor(response);
webResponse.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue(unauthorizedResponse.Scheme, MessagingUtilities.AssembleAuthorizationHeader(fields)));
return(webResponse);
}
public void AppendQueryArgsNullDictionary()
{
MessagingUtilities.AppendQueryArgs(new UriBuilder(), null);
}
/// <summary>
/// Checks whether the specified client secret is correct.
/// </summary>
/// <param name="secret">The secret obtained from the client.</param>
/// <returns><c>true</c> if the secret matches the one in the authorization server's record for the client; <c>false</c> otherwise.</returns>
/// <remarks>
/// All string equality checks, whether checking secrets or their hashes,
/// should be done using <see cref="MessagingUtilities.EqualsConstantTime"/> to mitigate timing attacks.
/// </remarks>
public virtual bool IsValidClientSecret(string secret)
{
Requires.NotNullOrEmpty(secret, "secret");
return(MessagingUtilities.EqualsConstantTime(secret, this.secret));
}
private async Task <string> ObtainValidAccessTokenAsync()
{
string accessToken = null;
var authServer = CreateAuthorizationServerMock();
authServer.Setup(
a => a.IsAuthorizationValid(It.Is <IAuthorizationDescription>(d => d.User == null && d.ClientIdentifier == ClientId && MessagingUtilities.AreEquivalent(d.Scope, TestScopes))))
.Returns(true);
authServer.Setup(
a => a.CheckAuthorizeClientCredentialsGrant(It.Is <IAccessTokenRequest>(d => d.ClientIdentifier == ClientId && MessagingUtilities.AreEquivalent(d.Scope, TestScopes))))
.Returns <IAccessTokenRequest>(req => new AutomatedAuthorizationCheckResponse(req, true));
Handle(AuthorizationServerDescription.TokenEndpoint).By(
async(req, ct) => {
var server = new AuthorizationServer(authServer.Object);
return(await server.HandleTokenRequestAsync(req, ct));
});
var client = new WebServerClient(AuthorizationServerDescription, ClientId, ClientSecret, this.HostFactories);
var authState = await client.GetClientAccessTokenAsync(TestScopes);
Assert.That(authState.AccessToken, Is.Not.Null.And.Not.Empty);
Assert.That(authState.RefreshToken, Is.Null);
accessToken = authState.AccessToken;
return(accessToken);
}
public XrdsDocument(string xml)
: this(new XPathDocument(XmlReader.Create(new StringReader(xml), MessagingUtilities.CreateUntrustedXmlReaderSettings())).CreateNavigator())
{
}
protected override SubscriptionClient OnCreateSubscriptionClient(string topicPath, string name, ReceiveMode receiveMode)
{
MessagingUtilities.ThrowIfContainsSubQueueName(topicPath);
return(new SbmpSubscriptionClient(this, topicPath, name, receiveMode));
}
