/// <summary> /// Refresh credentials after expiry. If the role profile is configured with user identity /// information and a callback has been registered to obtain the user credential, the callback /// will be invoked ahead of authentication. For role profiles configured with user identity /// but no callback registration, the SDK will fall back to attempting to use the default /// user identity of the current process. /// </summary> /// <returns></returns> protected override CredentialsRefreshState GenerateNewCredentials() { Validate(); // If the profile indicates the user has already authenticated and received // credentials which are still valid, adopt them instead of requiring a fresh // authentication. SAMLImmutableCredentials currentSession; if (TryGetRoleSession(out currentSession)) { // Since cached role session credentials can be obtained, stored credentials exist // and they were not expired. However, since the stored credentials are actual // expiration time and not preempt expiration time we must preempt the expiration // to check that they will not expire before this call completes. var cachedState = new CredentialsRefreshState(currentSession, currentSession.Expires); // Use the cached credentials as long as they are not within the preempt expiry window // or have since actually expired since the prior call to TryGetRoleSession. //Verify the actual expiration is not within the preempt expiration time. if (!cachedState.IsExpiredWithin(PreemptExpiryTime)) { // The credentials have plenty of time left before they expire so they can be used. After // return the expiration time will be preempted for future checks using ShouldUpdate. return(cachedState); } } CredentialsRefreshState newState = null; var attempts = 0; do { try { NetworkCredential userCredential = null; if (Options.UserIdentity != null) { if (Options.CredentialRequestCallback != null) { var callbackArgs = new CredentialRequestCallbackArgs { ProfileName = Options.ProfileName, UserIdentity = Options.UserIdentity, CustomState = Options.CustomCallbackState, PreviousAuthenticationFailed = attempts > 0 }; userCredential = Options.CredentialRequestCallback(callbackArgs); if (userCredential == null) // user declined to authenticate { throw new FederatedAuthenticationCancelledException( "User cancelled credential request."); } } else { var logger = Logger.GetLogger(typeof(FederatedAWSCredentials)); logger.InfoFormat( "FederatedAWSCredentials configured for a specific user but no credential request callback registered; falling back to default identity."); } } newState = Authenticate(userCredential); } catch (FederatedAuthenticationFailureException) { if (attempts < MaxAuthenticationRetries) { attempts++; } else { throw; } } } while (newState == null && attempts < MaxAuthenticationRetries); return(newState); }
/// <summary> /// Refresh credentials after expiry. If the role profile is configured with user identity /// information and a callback has been registered to obtain the user credential the callback /// will be invoked ahead of authentication. For role profiles configured with user identity /// but no callback registration, the SDK will fall back to attempting to use the default /// user identity of the current process. /// </summary> /// <returns></returns> protected override CredentialsRefreshState GenerateNewCredentials() { Validate(); // lock across the entire process for generating credentials so multiple // threads don't attempt to invoke any registered callback at the same time // and if we do callback, we only do it once to get the user authentication // data lock (_synclock) { // If the profile indicates the user has already authenticated and received // credentials which are still valid, adopt them instead of requiring a fresh // authentication var currentSession = ProfileData.GetCurrentSession(); if (currentSession != null) { return(new CredentialsRefreshState(currentSession, currentSession.Expires)); } CredentialsRefreshState newState = null; var attempts = 0; do { try { NetworkCredential userCredential = null; if (!ProfileData.UseDefaultUserIdentity) { if (_credentialRequestCallback != null) { var callbackArgs = new CredentialRequestCallbackArgs { ProfileName = ProfileData.Name, UserIdentity = ProfileData.UserIdentity, CustomState = CustomCallbackState, PreviousAuthenticationFailed = attempts > 0 }; userCredential = _credentialRequestCallback(callbackArgs); if (userCredential == null) // user declined to authenticate { throw new FederatedAuthenticationCancelledException("User cancelled credential request."); } } else { var logger = Logger.GetLogger(typeof(StoredProfileFederatedCredentials)); logger.InfoFormat("Role profile {0} is configured for a specific user but no credential request callback registered; falling back to default identity.", ProfileName); } } newState = Authenticate(userCredential, _credentialDuration); } catch (FederatedAuthenticationFailureException) { if (attempts < MaxAuthenticationRetries) { attempts++; } else { throw; } } } while (newState == null && attempts < MaxAuthenticationRetries); return(newState); } }
/// <summary> /// Refresh credentials after expiry. If the role profile is configured with user identity /// information and a callback has been registered to obtain the user credential, the callback /// will be invoked ahead of authentication. For role profiles configured with user identity /// but no callback registration, the SDK will fall back to attempting to use the default /// user identity of the current process. /// </summary> /// <returns></returns> protected override CredentialsRefreshState GenerateNewCredentials() { Validate(); // lock across the entire process for generating credentials so multiple // threads don't attempt to invoke any registered callback at the same time // and if we do callback, we only do it once to get the user authentication // data lock (syncLock) { // If the profile indicates the user has already authenticated and received // credentials which are still valid, adopt them instead of requiring a fresh // authentication. SAMLImmutableCredentials currentSession; if (TryGetRoleSession(out currentSession)) { // Since cached role session credentials can be obtained, stored credentials exist // and they were not expired. However, since the stored credentials are actual // expiration time and not preempt expiration time we must preempt the expiration // to check that they will not expire before this call completes. var cachedState = new CredentialsRefreshState(currentSession, currentSession.Expires); // If currentState is null this is a new SDK startup. In this case we can possibly // use the cached credentials as long as they are not within the preempt expiry window // or have since actually expired since the prior call to TryGetRoleSession. if (currentState == null) { //Verify the actual expiration is not within the preempt expiration time. if (!cachedState.IsExpiredWithin(PreemptExpiryTime)) { // The credentials have plenty of time left before they expire so they can be used. After // return the expiration time will be preempted for future checks using ShouldUpdate. return(cachedState); } } else if (!ShouldUpdate) { // If currentState is not null we already have the credential state. This could // have come from a cached load or a new authentication. The preempted expiration // time would have already been built in to the ShouldUpdate check in this case. return(cachedState); } // If the currentState was null but the credentials are already in the preempt expiry window // or the currentState was not null and we are currently in the preempt expiry window // new credentials must be obtained before the window closes. No longer use the cached // credentials so fall through to obtain new ones. } CredentialsRefreshState newState = null; var attempts = 0; do { try { NetworkCredential userCredential = null; if (Options.UserIdentity != null) { if (Options.CredentialRequestCallback != null) { var callbackArgs = new CredentialRequestCallbackArgs { ProfileName = Options.ProfileName, UserIdentity = Options.UserIdentity, CustomState = Options.CustomCallbackState, PreviousAuthenticationFailed = attempts > 0 }; userCredential = Options.CredentialRequestCallback(callbackArgs); if (userCredential == null) // user declined to authenticate { throw new FederatedAuthenticationCancelledException("User cancelled credential request."); } } else { var logger = Logger.GetLogger(typeof(FederatedAWSCredentials)); logger.InfoFormat("FederatedAWSCredentials configured for a specific user but no credential request callback registered; falling back to default identity."); } } newState = Authenticate(userCredential); } catch (FederatedAuthenticationFailureException) { if (attempts < MaxAuthenticationRetries) { attempts++; } else { throw; } } } while (newState == null && attempts < MaxAuthenticationRetries); return(newState); } }