/// <summary>
/// Determines whether a given set of resource owner credentials is valid based on the authorization server's user database
/// and if so records an authorization entry such that subsequent calls to <see cref="M:DotNetOpenAuth.OAuth2.IAuthorizationServerHost.IsAuthorizationValid(DotNetOpenAuth.OAuth2.ChannelElements.IAuthorizationDescription)" /> would
/// return <c>true</c>.
/// </summary>
/// <param name="userName">Username on the account.</param>
/// <param name="password">The user's password.</param>
/// <param name="accessRequest">The access request the credentials came with.
/// This may be useful if the authorization server wishes to apply some policy based on the client that is making the request.</param>
/// <returns>
/// A value that describes the result of the authorization check.
/// </returns>
public AutomatedUserAuthorizationCheckResponse CheckAuthorizeResourceOwnerCredentialGrant(string userName, string password, IAccessTokenRequest accessRequest)
{
IOAuth2AuthorizationStoreAgent agent = DependencyInjection.Get <IOAuth2AuthorizationStoreAgent>();
var user = agent.GetUser(userName, password);
// We use a fixed username and password to determine if the username/password combination is correct.
var userCredentialsAreCorrect = user != null;
// Add the user's scopes.
IList <OAuth2Scope> scopes = agent.GetUserScopes(userName);
scopes.Select(x => x.Code).ToList().ForEach(x =>
{
accessRequest.Scope.Add(x);
});
OAuth2UserIdentity userIdentity = agent.GetUserIdentity(userName);
var _userIdentity = userIdentity.ToDataTransferValue();
accessRequest.ExtraData.Add(new KeyValuePair <string, string>("userIdentity", JsonConvert.SerializeObject(_userIdentity)));
// The token request is approved when the user credentials are correct and the user is authorized for the requested scopes
var isApproved = userCredentialsAreCorrect && UserIsAuthorizedForRequestedScopes(userName, accessRequest.Scope);
return(new AutomatedUserAuthorizationCheckResponse(accessRequest, isApproved, userName));
}
/// <summary>
/// Gets the client with a given identifier.
/// </summary>
/// <param name="clientIdentifier">The client identifier.</param>
/// <returns>The client registration. Never null.</returns>
public IClientDescription GetClient(string clientIdentifier)
{
IOAuth2AuthorizationStoreAgent agent = DependencyInjection.Get <IOAuth2AuthorizationStoreAgent>();
OAuth2ClientApplication clientApplication = agent.GetClientApplication(clientIdentifier);
// Does the CLIENT IDENTIFIER exist or is expired ? Oh yes ... then an exception is thrown.
if (clientApplication == null)
{
throw new ArgumentException("No client could be found with the specified client identifier.", "clientIdentifier");
}
return(new ClientDescription(clientApplication.Secret, null, ClientType.Public));
}
/// <summary>
/// Get the user's profile.
/// </summary>
/// <returns></returns>
public DataTransfer.OAuth2UserIdentity GetUserIdentity()
{
DataTransfer.OAuth2UserIdentity value =
UnitOfWork.Execute <DataTransfer.OAuth2UserIdentity>(() =>
{
IOAuth2AuthorizationStoreAgent agent = DependencyInjection.Get <IOAuth2AuthorizationStoreAgent>();
Domain.Entity.OAuth2UserIdentity entity = agent.GetUserIdentity(Thread.CurrentPrincipal.Identity.Name);
var _value = entity.ToDataTransferValue();
return(_value);
});
return(value);
}
/// <summary>
/// Sign up a new <see cref="OAuth2User"/> account.
/// </summary>
/// <param name="user">The <see cref="OAuth2User"/> data transfer object.</param>
/// <returns>The registered <see cref="OAuth2User"/> account.</returns>
public DataTransfer.OAuth2UserIdentity SignUpUser(OAuth2UserIdentity userIdentity)
{
DataTransfer.OAuth2UserIdentity value =
UnitOfWork.Execute <DataTransfer.OAuth2UserIdentity>(() =>
{
IOAuth2AuthorizationStoreAgent agent = DependencyInjection.Get <IOAuth2AuthorizationStoreAgent>();
Domain.Entity.OAuth2UserIdentity _userIdentity = userIdentity.ToEntity();
Domain.Entity.OAuth2UserIdentity entity = agent.SignUpUser(_userIdentity);
DataTransfer.OAuth2UserIdentity _value = entity.ToDataTransferValue();
return(_value);
});
return(value);
}
/// <summary>
/// Check if the user is authorized.
/// </summary>
/// <param name="userName">Name of the user.</param>
/// <param name="requestedScopes">The scopes the user has requested.</param>
/// <returns><c>true</c>, if the user is authorized for the specified scopes; otherwise, <c>false</c>.</returns>
private static bool UserIsAuthorizedForRequestedScopes(string userName, HashSet <string> requestedScopes)
{
// We define the scopes the user is authorized for. Once again, you would expect these scopes to be retrieved from
// a persistent store. Note: the scopes a user is authorized for can very well differ between users. Think of an
// admin user being authorized for more scopes than a regular user
// Get the scopes the user is authorized for from the database.
IOAuth2AuthorizationStoreAgent agent = DependencyInjection.Get <IOAuth2AuthorizationStoreAgent>();
IList <OAuth2Scope> scopes = agent.GetUserScopes(userName);
HashSet <string> scopesUserIsAuthorizedFor = new HashSet <string>(OAuthUtilities.ScopeStringComparer);
scopes.Select(x => x.Code).ToList().ForEach(x =>
{
scopesUserIsAuthorizedFor.Add(x);
});
// Check if the scopes that are being requested are a subset of the scopes the user is authorized for.
// If not, that means that the user has requested at least one scope it is not authorized for
bool userIsAuthorizedForRequestedScopes = requestedScopes.IsSubsetOf(scopesUserIsAuthorizedFor);
return(userIsAuthorizedForRequestedScopes);
}
