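        /// <summary>
        /// Handles the user's decision on the OAuth authorization page. A deny decision is
        /// redirected back to the client as <c>error=access_denied</c>; otherwise the caller's
        /// permission on the chosen actor is checked and a signed JWT is returned through the
        /// <c>token</c> (fragment/implicit) or <c>code</c> (protected, opaque) response type.
        /// </summary>
        /// <param name="model">Posted form: actor id, client redirect URI, response type, requested expiry in seconds, client state and optional deny marker.</param>
        /// <returns>
        /// A redirect to <c>model.RedirectUri</c>; the chooser view again when the user has no
        /// permission on the actor, the actor is unknown, or the model is invalid; 500 for an
        /// unrecognised response type.
        /// </returns>
        public async Task <IActionResult> VerifyAuthorize(OAuthActorModel model)
        {
            // NOTE(review): nothing in this action validates RedirectUri against the client's
            // registered value — confirm that happens before this point (model validation or
            // _buildRedir), otherwise the token/code below can be sent to an arbitrary URI.

            // A deny needs no permission check: the client only learns it was refused. The state
            // value is escaped so a crafted state cannot inject extra parameters into the redirect.
            if (!string.IsNullOrWhiteSpace(model.Deny))
            {
                return _buildRedir(model.RedirectUri, model.ResponseType, $"error=access_denied&state={Uri.EscapeDataString(model.State ?? "")}");
            }

            var userId = User.FindFirstValue(ClaimTypes.NameIdentifier);
            var actor  = await _entityStore.GetEntity(model.ActorID, false);

            // NOTE(review): assumes GetEntity yields null for an unknown id — confirm. An unknown
            // actor is treated like a missing permission instead of dereferencing null below.
            if (actor is null)
            {
                return View("ChooseActorOAuth", model);
            }

            // Parameterized query: both values are bound, never concatenated into the SQL text.
            var hasAccess = await _connection.ExecuteScalarAsync <bool>("select exists(select 1 from \"UserActorPermissions\" where \"UserId\" = @UserId and \"ActorId\" = @ActorId)", new { UserId = userId, ActorId = actor.DbId });

            model.Actor = actor;
            if (!hasAccess || !ModelState.IsValid)
            {
                return View("ChooseActorOAuth", model);
            }

            // Clamp the client-requested lifetime to the configured maximum. A zero or negative
            // request would otherwise yield a token that is expired at (or before) its notBefore.
            var exp = TimeSpan.FromSeconds(model.Expiry);
            if (exp <= TimeSpan.Zero || exp > _tokenSettings.ExpiryTime)
            {
                exp = _tokenSettings.ExpiryTime;
            }

            // Single timestamp so notBefore and expires are derived from the same instant.
            var now = DateTime.UtcNow;

            var claims = new Claim[]
            {
                new Claim(JwtRegisteredClaimNames.Sub, userId),
                new Claim(JwtTokenSettings.ActorClaim, model.ActorID)
            };

            var jwt = new JwtSecurityToken(
                issuer: _tokenSettings.Issuer,
                audience: _tokenSettings.Audience,
                claims: claims,
                notBefore: now,
                expires: now.Add(exp),
                signingCredentials: _tokenSettings.Credentials);

            var encodedJwt = new JwtSecurityTokenHandler().WriteToken(jwt);
            var state      = Uri.EscapeDataString(model.State ?? "");

            switch (model.ResponseType)
            {
                case "token":
                    // Implicit flow: the bearer token is carried in the redirect itself.
                    return _buildRedir(model.RedirectUri, model.ResponseType, $"access_token={encodedJwt}&token_type=bearer&expires_in={(int) exp.TotalSeconds}&state={state}");

                case "code":
                    // Code flow: the JWT is wrapped by the data protector so the code stays opaque
                    // to the client until it is exchanged server-side.
                    encodedJwt = _dataProtector.Protect(encodedJwt);
                    return _buildRedir(model.RedirectUri, model.ResponseType, $"code={Uri.EscapeDataString(encodedJwt)}&state={state}");

                default:
                    return StatusCode(500);
            }
        }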
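        /// <summary>
        /// Completes the actor-selection step of the OAuth authorization flow. Verifies that the
        /// signed-in user may act as the chosen actor, then either redirects the client with
        /// <c>error=access_denied</c> (user pressed deny) or issues a signed JWT for the actor
        /// via the <c>token</c> (fragment/implicit) or <c>code</c> (protected, opaque) response type.
        /// </summary>
        /// <param name="model">Posted form: actor id, client redirect URI, response type, requested expiry in seconds, client state and optional deny marker.</param>
        /// <returns>
        /// A redirect to <c>model.RedirectUri</c>; the chooser view again when the user has no
        /// permission on the actor or the model is invalid; 500 for an unrecognised response type.
        /// </returns>
        public async Task <IActionResult> DoChooseActorOAuth(OAuthActorModel model)
        {
            // NOTE(review): nothing in this action validates RedirectUri against the client's
            // registered value — confirm that happens earlier (model validation), otherwise the
            // token/code below can be sent to an arbitrary URI.

            var userId = User.FindFirstValue(ClaimTypes.NameIdentifier);
            var actor  = await _entityStore.GetEntity(model.ActorID, false);

            var hasAccess = await _context.UserActorPermissions.AnyAsync(a => a.UserId == userId && a.ActorId == model.ActorID);

            model.Actor = actor;
            if (!hasAccess || !ModelState.IsValid)
            {
                return View("ChooseActorOAuth", model);
            }

            // Escaped once and reused: a crafted state must not inject extra redirect parameters,
            // and Uri.EscapeDataString rejects null, so a missing state becomes an empty value.
            var state = Uri.EscapeDataString(model.State ?? "");

            // Builds the redirect target. Implicit-flow ("token") responses go in the fragment so
            // the token is not sent to the client's server; a URI that already carries a fragment
            // gets the payload appended to it. Other response types use the query-string helper.
            string Target(string payload) => model.ResponseType == "token"
                ? model.RedirectUri + (model.RedirectUri.Contains("#") ? "&" : "#") + payload
                : _appendToUri(model.RedirectUri, payload);

            // A temporary (302) redirect is used deliberately: a 301 carrying a freshly minted
            // token or code may be cached by the browser and replayed on a later visit to the
            // same authorize URL, skipping re-authorization.
            IActionResult RedirectWith(string payload) => Redirect(Target(payload));

            if (!string.IsNullOrWhiteSpace(model.Deny))
            {
                return RedirectWith("error=access_denied&state=" + state);
            }

            // Clamp the client-requested lifetime to the configured maximum. A zero or negative
            // request would otherwise yield a token that is expired at (or before) its notBefore.
            var exp = TimeSpan.FromSeconds(model.Expiry);
            if (exp <= TimeSpan.Zero || exp > _tokenSettings.ExpiryTime)
            {
                exp = _tokenSettings.ExpiryTime;
            }

            // Single timestamp so notBefore and expires are derived from the same instant.
            var now = DateTime.UtcNow;

            var claims = new Claim[]
            {
                new Claim(JwtRegisteredClaimNames.Sub, userId),
                new Claim(JwtTokenSettings.ActorClaim, model.ActorID)
            };

            var jwt = new JwtSecurityToken(
                issuer: _tokenSettings.Issuer,
                audience: _tokenSettings.Audience,
                claims: claims,
                notBefore: now,
                expires: now.Add(exp),
                signingCredentials: _tokenSettings.Credentials);

            var encodedJwt = new JwtSecurityTokenHandler().WriteToken(jwt);

            switch (model.ResponseType)
            {
                case "token":
                    // Implicit flow: the bearer token is carried in the redirect fragment.
                    return RedirectWith($"access_token={encodedJwt}&token_type=bearer&expires_in={(int) exp.TotalSeconds}&state={state}");

                case "code":
                    // Code flow: the JWT is wrapped by the data protector so the code stays opaque
                    // to the client until it is exchanged server-side.
                    encodedJwt = _dataProtector.Protect(encodedJwt);
                    return RedirectWith($"code={Uri.EscapeDataString(encodedJwt)}&state={state}");

                default:
                    return StatusCode(500);
            }
        }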