//Validate the client (audience) the request comes from.
        //In this sample application the audience is hard coded, but in real projects this validation happens against the clients registered in the database.
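        /// <summary>
        /// Accepts a token request when the presented client_id is a registered audience
        /// in <c>AudienceStore</c>; otherwise records an <c>invalid_clientId</c> error.
        /// </summary>
        /// <param name="context">Katana client-authentication context carrying the request credentials.</param>
        /// <returns>A completed task; the outcome is reported through <paramref name="context"/>.</returns>
        /// <remarks>
        /// NOTE(review): the client secret is read out of the request but never compared
        /// with anything, so every registered client_id is accepted as if it were a public
        /// client. If confidential clients are expected, verify the secret here (fixed-time
        /// comparison against a stored hash) before calling <c>Validated()</c>.
        /// </remarks>
        public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
        {
            string clientId;
            string clientSecret;

            // Credentials may arrive in the Authorization: Basic header or as
            // client_id/client_secret form fields; the form is consulted only
            // when no usable Basic header is present.
            if (!context.TryGetBasicCredentials(out clientId, out clientSecret))
            {
                context.TryGetFormCredentials(out clientId, out clientSecret);
            }

            if (clientId == null)
            {
                context.SetError("invalid_clientId", "client_Id is not set");
                return Task.FromResult<object>(null);
            }

            // Only client_ids registered as audiences may obtain a token.
            var audience = AudienceStore.FindAudience(clientId);

            if (audience == null)
            {
                // Report the id that was actually looked up rather than context.ClientId,
                // so the message always matches the lookup key.
                context.SetError("invalid_clientId", string.Format("Invalid client_id '{0}'", clientId));
                return Task.FromResult<object>(null);
            }

            context.Validated();
            return Task.FromResult<object>(null);
        }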
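        /// <summary>
        /// Serialises <paramref name="data"/> as an HMAC-signed JWT for the audience named
        /// in the ticket properties, using that audience's registered secret as the key.
        /// </summary>
        /// <param name="data">Ticket carrying the identity claims, issue/expiry times and the audience id.</param>
        /// <returns>The compact-serialised JWT.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="data"/> is null.</exception>
        /// <exception cref="InvalidOperationException">
        /// The ticket names no audience, the audience is not registered, or the ticket
        /// lacks an issue or expiry time.
        /// </exception>
        public string Protect(AuthenticationTicket data)
        {
            if (data == null)
            {
                throw new ArgumentNullException(nameof(data));
            }

            string audienceId;
            data.Properties.Dictionary.TryGetValue(AudiencePropertyKey, out audienceId);

            if (string.IsNullOrWhiteSpace(audienceId))
            {
                throw new InvalidOperationException("AuthenticationTicket.Properties does not include audience");
            }

            // An unregistered audience has no signing key; fail explicitly instead of
            // letting the Base64Secret access below surface as a NullReferenceException.
            var audience = AudienceStore.FindAudience(audienceId);

            if (audience == null)
            {
                throw new InvalidOperationException($"Audience '{audienceId}' is not registered");
            }

            // Both timestamps are required: without them the token would carry no
            // nbf/exp bounds (and the .Value access would throw a less helpful error).
            var issued  = data.Properties.IssuedUtc;
            var expires = data.Properties.ExpiresUtc;

            if (!issued.HasValue || !expires.HasValue)
            {
                throw new InvalidOperationException("AuthenticationTicket.Properties must include IssuedUtc and ExpiresUtc");
            }

            // The audience's shared secret is stored base64url-encoded and used directly as the HMAC key.
            var keyByteArray = TextEncodings.Base64Url.Decode(audience.Base64Secret);
            var signingKey   = new HmacSigningCredentials(keyByteArray);

            var token = new JwtSecurityToken(issuer, audienceId, data.Identity.Claims, issued.Value.UtcDateTime, expires.Value.UtcDateTime, signingKey);

            return new JwtSecurityTokenHandler().WriteToken(token);
        }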
        /// <summary>
        /// Accepts a token request when the client_id the context resolved is a registered
        /// audience; otherwise records an error on the context.
        /// </summary>
        /// <param name="context">Katana client-authentication context carrying the request credentials.</param>
        /// <returns>A completed task; the outcome is reported through <paramref name="context"/>.</returns>
        /// <remarks>
        /// NOTE(review): the client secret is extracted but never verified, so any caller
        /// that knows a registered client_id passes this step. That is only acceptable if
        /// every client is a public client.
        /// </remarks>
        public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
        {
            string id;
            string secret;

            // Authorization: Basic is tried first; the form fields are a fallback.
            if (!context.TryGetBasicCredentials(out id, out secret))
            {
                context.TryGetFormCredentials(out id, out secret);
            }

            Task done = Task.FromResult<object>(null);

            // The context's ClientId (populated by the TryGet* calls) is the value checked,
            // not the local out parameter.
            if (context.ClientId == null)
            {
                context.SetError("invalid_audienceId", "audience_Id is not set");
                return done;
            }

            if (AudienceStore.FindAudience(context.ClientId) == null)
            {
                context.SetError("audience_clientId", $"Invalid audience_id '{context.ClientId}'");
                return done;
            }

            context.Validated();
            return done;
        }
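        /// <summary>
        /// Serialises <paramref name="data"/> as an HS256-signed JWT with a fixed 30-minute
        /// lifetime, keyed by the configured <c>_secret</c>.
        /// </summary>
        /// <param name="data">Ticket carrying the identity whose claims become the token subject.</param>
        /// <returns>The compact-serialised JWT.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="data"/> is null.</exception>
        /// <exception cref="InvalidOperationException">No audience is configured, or the configured audience is not registered.</exception>
        public string Protect(AuthenticationTicket data)
        {
            if (data == null)
            {
                throw new ArgumentNullException(nameof(data));
            }

            // The audience comes from the configured field rather than the ticket
            // properties; this sample serves a single audience.
            if (string.IsNullOrWhiteSpace(_audienceId))
            {
                throw new InvalidOperationException("AuthenticationTicket.Properties does not include audience");
            }

            // Previously the lookup result was discarded, so a token was minted even for
            // an unregistered audience. Make the registration check actually reject.
            Audience audience = AudienceStore.FindAudience(_audienceId);

            if (audience == null)
            {
                throw new InvalidOperationException($"Audience '{_audienceId}' is not registered");
            }

            // Take one timestamp so notBefore and expires are derived from the same instant;
            // the ticket's own IssuedUtc/ExpiresUtc are not used by this sample.
            const int tokenLifetimeMinutes = 30;
            DateTime  now                  = DateTime.UtcNow;
            DateTime  expires              = now.AddMinutes(tokenLifetimeMinutes);

            // NOTE(review): Encoding.Default is platform-dependent (ANSI code page on .NET
            // Framework, UTF-8 on .NET Core), so a non-ASCII _secret yields different key
            // bytes on different hosts. The resource server must derive the key the same
            // way; Encoding.UTF8 is the portable choice — confirm with the verifying side
            // before changing. HS256 also expects a key of at least 128 bits.
            var securityKey        = new Microsoft.IdentityModel.Tokens.SymmetricSecurityKey(System.Text.Encoding.Default.GetBytes(_secret));
            var signingCredentials = new Microsoft.IdentityModel.Tokens.SigningCredentials(securityKey, Microsoft.IdentityModel.Tokens.SecurityAlgorithms.HmacSha256Signature);

            // NOTE(review): iss and aud are hard-coded to the dev URL and do not use
            // _audienceId, so the registration check above does not constrain the aud claim.
            var handler = new JwtSecurityTokenHandler();
            var token   = (JwtSecurityToken)handler.CreateJwtSecurityToken(
                issuer: "http://localhost:57293",
                audience: "http://localhost:57293",
                subject: data.Identity,
                notBefore: now,
                expires: expires,
                signingCredentials: signingCredentials);

            return handler.WriteToken(token);
        }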