public Core.Common.Models.Client AuthenticateClient(AuthenticateInstruction instruction, Core.Common.Models.Client client)
{
if (instruction == null)
{
throw new ArgumentNullException(nameof(instruction));
}
if (client == null)
{
throw new ArgumentNullException(nameof(client));
}
if (instruction.Certificate == null || client.Secrets == null)
{
return(null);
}
var thumbPrint = client.Secrets.FirstOrDefault(s => s.Type == ClientSecretTypes.X509Thumbprint);
var name = client.Secrets.FirstOrDefault(s => s.Type == ClientSecretTypes.X509Name);
if (thumbPrint == null || name == null)
{
return(null);
}
var certificate = instruction.Certificate;
var isSameThumbPrint = thumbPrint == null || thumbPrint != null && thumbPrint.Value == certificate.Thumbprint;
var isSameName = name == null || name != null && name.Value == certificate.SubjectName.Name;
return(isSameName && isSameThumbPrint ? client : null);
}
/// <summary>
/// Try to get the client id.
/// </summary>
/// <param name="instruction"></param>
/// <returns></returns>
public string GetClientId(AuthenticateInstruction instruction)
{
if (instruction.ClientAssertionType != Dtos.Constants.ClientAssertionTypes.JwtBearer || string.IsNullOrWhiteSpace(instruction.ClientAssertion))
{
return(string.Empty);
}
var clientAssertion = instruction.ClientAssertion;
var isJweToken = _jwtParser.IsJweToken(clientAssertion);
var isJwsToken = _jwtParser.IsJwsToken(clientAssertion);
if (isJweToken && isJwsToken)
{
return(string.Empty);
}
// It's a JWE token then return the client_id from the HTTP body
if (isJweToken)
{
return(instruction.ClientIdFromHttpRequestBody);
}
// It's a JWS token then return the client_id from the token.
var payload = _jwsParser.GetPayload(clientAssertion);
if (payload == null)
{
return(string.Empty);
}
return(payload.Issuer);
}
public string GetClientId(AuthenticateInstruction instruction)
{
if (instruction == null)
{
throw new ArgumentNullException("the instruction cannot be null");
}
return(instruction.ClientIdFromAuthorizationHeader);
}
public string GetClientId(AuthenticateInstruction instruction)
{
if (instruction == null)
{
throw new ArgumentNullException("the instruction parameter cannot be null");
}
return(instruction.ClientIdFromHttpRequestBody);
}
public AuthenticateInstruction GetAuthenticateInstruction(AuthenticationHeaderValue authenticationHeaderValue)
{
var result = new AuthenticateInstruction();
if (authenticationHeaderValue != null &&
!string.IsNullOrWhiteSpace(authenticationHeaderValue.Parameter))
{
var parameters = GetParameters(authenticationHeaderValue.Parameter);
if (parameters != null && parameters.Count() == 2)
{
result.ClientIdFromAuthorizationHeader = parameters[0];
result.ClientSecretFromAuthorizationHeader = parameters[1];
}
}
return(result);
}
/// <summary>
/// Try to get the client id from the HTTP body or HTTP header.
/// </summary>
/// <param name="instruction">Authentication instruction</param>
/// <returns>Client id</returns>
private string TryGettingClientId(AuthenticateInstruction instruction)
{
var clientId = _clientAssertionAuthentication.GetClientId(instruction);
if (!string.IsNullOrWhiteSpace(clientId))
{
return(clientId);
}
clientId = _clientSecretBasicAuthentication.GetClientId(instruction);
if (!string.IsNullOrWhiteSpace(clientId))
{
return(clientId);
}
return(_clientSecretPostAuthentication.GetClientId(instruction));
}
public Client AuthenticateClient(AuthenticateInstruction instruction, Client client)
{
if (client == null || instruction == null)
{
throw new ArgumentNullException("the client or instruction cannot be null");
}
if (client.Secrets == null)
{
return(null);
}
var clientSecret = client.Secrets.FirstOrDefault(s => s.Type == ClientSecretTypes.SharedSecret);
if (clientSecret == null)
{
return(null);
}
var sameSecret = string.Compare(clientSecret.Value, _clientPasswordService.Encrypt(instruction.ClientSecretFromAuthorizationHeader), StringComparison.CurrentCultureIgnoreCase) == 0;
return(sameSecret ? client : null);
}
public Core.Common.Models.Client AuthenticateClient(AuthenticateInstruction instruction, Core.Common.Models.Client client)
{
if (instruction == null || client == null)
{
throw new ArgumentNullException("the instruction or client parameter cannot be null");
}
if (client.Secrets == null)
{
return(null);
}
var clientSecret = client.Secrets.FirstOrDefault(s => s.Type == ClientSecretTypes.SharedSecret);
if (clientSecret == null)
{
return(null);
}
var sameSecret = string.Compare(clientSecret.Value, _clientPasswordService.Encrypt(instruction.ClientSecretFromHttpRequestBody), StringComparison.CurrentCultureIgnoreCase) == 0;
return(sameSecret ? client : null);
}
public async Task <AuthenticationResult> AuthenticateClientWithPrivateKeyJwtAsync(AuthenticateInstruction instruction, string expectedIssuer)
{
if (instruction == null)
{
throw new ArgumentNullException("instruction");
}
var clientAssertion = instruction.ClientAssertion;
var isJwsToken = _jwtParser.IsJwsToken(clientAssertion);
if (!isJwsToken)
{
return(new AuthenticationResult(null, ErrorDescriptions.TheClientAssertionIsNotAJwsToken));
}
var jws = instruction.ClientAssertion;
var jwsPayload = _jwsParser.GetPayload(jws);
if (jwsPayload == null)
{
return(new AuthenticationResult(null, ErrorDescriptions.TheJwsPayloadCannotBeExtracted));
}
var clientId = jwsPayload.Issuer;
var payload = await _jwtParser.UnSignAsync(jws, clientId);
if (payload == null)
{
return(new AuthenticationResult(null, ErrorDescriptions.TheSignatureIsNotCorrect));
}
return(await ValidateJwsPayLoad(payload, expectedIssuer));
}
public async Task <AuthenticationResult> AuthenticateClientWithClientSecretJwtAsync(AuthenticateInstruction instruction, string clientSecret, string expectedIssuer)
{
if (instruction == null)
{
throw new ArgumentNullException(nameof(instruction));
}
var clientAssertion = instruction.ClientAssertion;
var isJweToken = _jwtParser.IsJweToken(clientAssertion);
if (!isJweToken)
{
return(new AuthenticationResult(null, ErrorDescriptions.TheClientAssertionIsNotAJweToken));
}
var jwe = instruction.ClientAssertion;
var clientId = instruction.ClientIdFromHttpRequestBody;
var jws = await _jwtParser.DecryptWithPasswordAsync(jwe, clientId, clientSecret);
if (string.IsNullOrWhiteSpace(jws))
{
return(new AuthenticationResult(null, ErrorDescriptions.TheJweTokenCannotBeDecrypted));
}
var isJwsToken = _jwtParser.IsJwsToken(jws);
if (!isJwsToken)
{
return(new AuthenticationResult(null, ErrorDescriptions.TheClientAssertionIsNotAJwsToken));
}
var jwsPayload = await _jwtParser.UnSignAsync(jws, clientId);
if (jwsPayload == null)
{
return(new AuthenticationResult(null, ErrorDescriptions.TheJwsPayloadCannotBeExtracted));
}
return(await ValidateJwsPayLoad(jwsPayload, expectedIssuer));
}
public async Task <AuthenticationResult> AuthenticateAsync(AuthenticateInstruction instruction, string issuerName, bool isAuthorizationCodeGrantType = false)
{
if (instruction == null)
{
throw new ArgumentNullException(nameof(instruction));
}
Client client = null;
// First we try to fetch the client_id
// The different client authentication mechanisms are described here : http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
var clientId = TryGettingClientId(instruction);
if (!string.IsNullOrWhiteSpace(clientId))
{
client = await _clientRepository.GetClientByIdAsync(clientId).ConfigureAwait(false);
}
if (client == null)
{
return(new AuthenticationResult(null, ErrorDescriptions.TheClientDoesntExist));
}
if (isAuthorizationCodeGrantType && client.RequirePkce)
{
return(new AuthenticationResult(client, string.Empty));
}
var tokenEndPointAuthMethod = client.TokenEndPointAuthMethod;
var authenticationType = Enum.GetName(typeof(TokenEndPointAuthenticationMethods), tokenEndPointAuthMethod);
_oauthEventSource.StartToAuthenticateTheClient(client.ClientId,
authenticationType);
var errorMessage = string.Empty;
switch (tokenEndPointAuthMethod)
{
case TokenEndPointAuthenticationMethods.client_secret_basic:
client = _clientSecretBasicAuthentication.AuthenticateClient(instruction, client);
if (client == null)
{
errorMessage = ErrorDescriptions.TheClientCannotBeAuthenticatedWithSecretBasic;
}
break;
case TokenEndPointAuthenticationMethods.client_secret_post:
client = _clientSecretPostAuthentication.AuthenticateClient(instruction, client);
if (client == null)
{
errorMessage = ErrorDescriptions.TheClientCannotBeAuthenticatedWithSecretPost;
}
break;
case TokenEndPointAuthenticationMethods.client_secret_jwt:
if (client.Secrets == null || !client.Secrets.Any(s => s.Type == ClientSecretTypes.SharedSecret))
{
errorMessage = string.Format(ErrorDescriptions.TheClientDoesntContainASharedSecret, client.ClientId);
break;
}
return(await _clientAssertionAuthentication.AuthenticateClientWithClientSecretJwtAsync(instruction, client.Secrets.First(s => s.Type == ClientSecretTypes.SharedSecret).Value, issuerName).ConfigureAwait(false));
case TokenEndPointAuthenticationMethods.private_key_jwt:
return(await _clientAssertionAuthentication.AuthenticateClientWithPrivateKeyJwtAsync(instruction, issuerName).ConfigureAwait(false));
case TokenEndPointAuthenticationMethods.tls_client_auth:
client = _clientTlsAuthentication.AuthenticateClient(instruction, client);
if (client == null)
{
errorMessage = ErrorDescriptions.TheClientCannotBeAuthenticatedWithTls;
}
break;
}
if (client != null)
{
_oauthEventSource.FinishToAuthenticateTheClient(client.ClientId, authenticationType);
}
return(new AuthenticationResult(client, errorMessage));
}