public async Task <ActionResult> Respond(string request, bool approval)
{
var authServer = new AuthorizationServer(new AuthorizationServerHost());
var authRequest = await authServer.ReadAuthorizationRequestAsync(new Uri(request));
IProtocolMessage responseMessage;
if (approval)
{
var grantedResponse = authServer.PrepareApproveAuthorizationRequest(
authRequest, this.User.Identity.Name, authRequest.Scope);
responseMessage = grantedResponse;
}
else
{
var rejectionResponse = authServer.PrepareRejectAuthorizationRequest(authRequest);
rejectionResponse.Error = Protocol.EndUserAuthorizationRequestErrorCodes.AccessDenied;
responseMessage = rejectionResponse;
}
var response = await authServer.Channel.PrepareResponseAsync(responseMessage);
Response.ContentType = response.Content.Headers.ContentType.ToString();
return(response.AsActionResult());
}
[HttpHeader("x-frame-options", "SAMEORIGIN")] // mitigates clickjacking
public async Task <ActionResult> Authorize()
{
var authServer = new AuthorizationServer(new AuthorizationServerHost());
var authRequest = await authServer.ReadAuthorizationRequestAsync(this.Request);
this.ViewData["scope"] = authRequest.Scope;
this.ViewData["request"] = this.Request.Url;
return(View());
}
public async Task DecodeRefreshToken()
{
var refreshTokenSource = new TaskCompletionSource <string>();
Handle(AuthorizationServerDescription.AuthorizationEndpoint).By(
async(req, ct) => {
var server = new AuthorizationServer(AuthorizationServerMock);
var request = await server.ReadAuthorizationRequestAsync(req, ct);
Assert.That(request, Is.Not.Null);
var response = server.PrepareApproveAuthorizationRequest(request, ResourceOwnerUsername);
return(await server.Channel.PrepareResponseAsync(response));
});
Handle(AuthorizationServerDescription.TokenEndpoint).By(
async(req, ct) => {
var server = new AuthorizationServer(AuthorizationServerMock);
var response = await server.HandleTokenRequestAsync(req, ct);
var authorization = server.DecodeRefreshToken(refreshTokenSource.Task.Result);
Assert.That(authorization, Is.Not.Null);
Assert.That(authorization.User, Is.EqualTo(ResourceOwnerUsername));
return(response);
});
var client = new WebServerClient(AuthorizationServerDescription);
try {
var authState = new AuthorizationState(TestScopes)
{
Callback = ClientCallback,
};
var authRedirectResponse = await client.PrepareRequestUserAuthorizationAsync(authState);
this.HostFactories.CookieContainer.SetCookies(authRedirectResponse, ClientCallback);
Uri authCompleteUri;
using (var httpClient = this.HostFactories.CreateHttpClient()) {
using (var response = await httpClient.GetAsync(authRedirectResponse.Headers.Location)) {
response.EnsureSuccessStatusCode();
authCompleteUri = response.Headers.Location;
}
}
var authCompleteRequest = new HttpRequestMessage(HttpMethod.Get, authCompleteUri);
this.HostFactories.CookieContainer.ApplyCookies(authCompleteRequest);
var result = await client.ProcessUserAuthorizationAsync(authCompleteRequest);
Assert.That(result.AccessToken, Is.Not.Null.And.Not.Empty);
Assert.That(result.RefreshToken, Is.Not.Null.And.Not.Empty);
refreshTokenSource.SetResult(result.RefreshToken);
} catch {
refreshTokenSource.TrySetCanceled();
}
}
public async Task CreateAccessTokenSeesAuthorizingUserAuthorizationCodeGrant()
{
var authServerMock = CreateAuthorizationServerMock();
authServerMock
.Setup(a => a.IsAuthorizationValid(It.IsAny <IAuthorizationDescription>()))
.Returns <IAuthorizationDescription>(req => {
Assert.That(req.User, Is.EqualTo(ResourceOwnerUsername));
return(true);
});
Handle(AuthorizationServerDescription.AuthorizationEndpoint).By(
async(req, ct) => {
var server = new AuthorizationServer(authServerMock.Object);
var request = await server.ReadAuthorizationRequestAsync(req, ct);
Assert.That(request, Is.Not.Null);
var response = server.PrepareApproveAuthorizationRequest(request, ResourceOwnerUsername);
return(await server.Channel.PrepareResponseAsync(response));
});
Handle(AuthorizationServerDescription.TokenEndpoint).By(
async(req, ct) => {
var server = new AuthorizationServer(authServerMock.Object);
return(await server.HandleTokenRequestAsync(req, ct));
});
var client = new WebServerClient(AuthorizationServerDescription, ClientId, ClientSecret, this.HostFactories);
var authState = new AuthorizationState(TestScopes)
{
Callback = ClientCallback,
};
var authRedirectResponse = await client.PrepareRequestUserAuthorizationAsync(authState);
this.HostFactories.CookieContainer.SetCookies(authRedirectResponse, ClientCallback);
Uri authCompleteUri;
this.HostFactories.AllowAutoRedirects = false;
using (var httpClient = this.HostFactories.CreateHttpClient()) {
using (var response = await httpClient.GetAsync(authRedirectResponse.Headers.Location)) {
Assert.That(response.StatusCode, Is.EqualTo(HttpStatusCode.Redirect));
authCompleteUri = response.Headers.Location;
}
}
var authCompleteRequest = new HttpRequestMessage(HttpMethod.Get, authCompleteUri);
this.HostFactories.CookieContainer.ApplyCookies(authCompleteRequest);
var result = await client.ProcessUserAuthorizationAsync(authCompleteRequest);
Assert.That(result.AccessToken, Is.Not.Null.And.Not.Empty);
Assert.That(result.RefreshToken, Is.Not.Null.And.Not.Empty);
}
public async Task <ActionResult> Authorize()
{
var pendingRequest = await _authorizationServer.ReadAuthorizationRequestAsync(Request, Response.ClientDisconnectedToken);
if (pendingRequest == null)
{
throw new HttpException((int)HttpStatusCode.BadRequest, "Missing authorization request.");
}
var approval = _authorizationServer.PrepareApproveAuthorizationRequest(pendingRequest, HttpContext.User.Identity.Name);
var response = await _authorizationServer.Channel.PrepareResponseAsync(approval, Response.ClientDisconnectedToken);
Response.ContentType = response.Content.Headers.ContentType.ToString();
FormsAuthentication.SignOut();
return(response.AsActionResult());
}
public async Task AuthorizationCodeGrant()
{
Handle(AuthorizationServerDescription.AuthorizationEndpoint).By(
async(req, ct) => {
var server = new AuthorizationServer(AuthorizationServerMock);
var request = await server.ReadAuthorizationRequestAsync(req, ct);
Assert.That(request, Is.Not.Null);
var response = server.PrepareApproveAuthorizationRequest(request, ResourceOwnerUsername);
return(await server.Channel.PrepareResponseAsync(response, ct));
});
Handle(AuthorizationServerDescription.TokenEndpoint).By(
async(req, ct) => {
var server = new AuthorizationServer(AuthorizationServerMock);
return(await server.HandleTokenRequestAsync(req, ct));
});
{
var client = new UserAgentClient(AuthorizationServerDescription, ClientId, ClientSecret, this.HostFactories);
var authState = new AuthorizationState(TestScopes)
{
Callback = ClientCallback,
};
var request = client.PrepareRequestUserAuthorization(authState);
Assert.AreEqual(EndUserAuthorizationResponseType.AuthorizationCode, request.ResponseType);
var authRequestRedirect = await client.Channel.PrepareResponseAsync(request);
Uri authRequestResponse;
this.HostFactories.AllowAutoRedirects = false;
using (var httpClient = this.HostFactories.CreateHttpClient()) {
using (var httpResponse = await httpClient.GetAsync(authRequestRedirect.Headers.Location)) {
authRequestResponse = httpResponse.Headers.Location;
}
}
var incoming =
await
client.Channel.ReadFromRequestAsync(
new HttpRequestMessage(HttpMethod.Get, authRequestResponse), CancellationToken.None);
var result = await client.ProcessUserAuthorizationAsync(authState, incoming, CancellationToken.None);
Assert.That(result.AccessToken, Is.Not.Null.And.Not.Empty);
Assert.That(result.RefreshToken, Is.Not.Null.And.Not.Empty);
}
}