public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { var originalClient = context.Ticket.Properties.Dictionary["as:client_id"]; var currentClient = context.ClientId; if (originalClient != currentClient) { context.SetError("invalid_clientId", "Refresh token is issued to a different clientId."); return Task.FromResult<object>(null); } // Change auth ticket for refresh token requests var newIdentity = new ClaimsIdentity(context.Ticket.Identity); var newClaim = newIdentity.Claims.FirstOrDefault(c => c.Type == "newClaim"); if (newClaim != null) { newIdentity.RemoveClaim(newClaim); } newIdentity.AddClaim(new Claim("newClaim", "newValue")); var newTicket = new AuthenticationTicket(newIdentity, context.Ticket.Properties); context.Validated(newTicket); return Task.FromResult<object>(null); }
public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { // Change auth ticket for refresh token requests var newIdentity = new ClaimsIdentity(context.Ticket.Identity); var newTicket = new AuthenticationTicket(newIdentity, context.Ticket.Properties); context.Validated(newTicket); return Task.FromResult<object>(null); }
public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { // chance to change authentication ticket for refresh token requests var newId = new ClaimsIdentity(context.Ticket.Identity); newId.AddClaim(new Claim("newClaim", "refreshToken")); var newTicket = new AuthenticationTicket(newId, context.Ticket.Properties); context.Validated(newTicket); return(base.GrantRefreshToken(context)); }
public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { var newIdentity = new ClaimsIdentity(context.Ticket.Identity); newIdentity.AddClaim(new Claim("newClaim", "newValue")); var newTicket = new AuthenticationTicket(newIdentity, context.Ticket.Properties); context.Validated(newTicket); return(Task.FromResult <object>(null)); }
public override async Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { var newId = new ClaimsIdentity(context.Ticket.Identity); newId.AddClaim(new Claim("newClaim", "refreshToken")); await Task.Run(() => { var newTicket = new AuthenticationTicket(newId, context.Ticket.Properties); context.Validated(newTicket); }); }
public override async Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { // Change auth ticket for refresh token requests var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>(); ApplicationUser user = await userManager.FindByNameAsync(context.Ticket.Identity.Name); var newIdentity = await user.GenerateUserIdentityAsync(userManager, OAuthDefaults.AuthenticationType); var newTicket = new AuthenticationTicket(newIdentity, context.Ticket.Properties); context.Validated(newTicket); }
public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { if (context.Ticket == null || context.Ticket.Identity == null || !context.Ticket.Identity.IsAuthenticated) { context.SetError("invalid_grant", "Refresh token is not valid"); } else { //Additional claim is needed to separate access token updating from authentication //requests in RefreshTokenProvider.CreateAsync() method } return(base.GrantRefreshToken(context)); }
public override async Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { // Change auth ticket for refresh token requests var userManager = context.OwinContext.GetUserManager <ApplicationUserManager>(); ApplicationUser user = await userManager.FindByNameAsync(context.Ticket.Identity.Name); var newIdentity = await user.GenerateUserIdentityAsync(userManager, OAuthDefaults.AuthenticationType); var newTicket = new AuthenticationTicket(newIdentity, context.Ticket.Properties); context.Validated(newTicket); }
public override async Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { var identity = context.Ticket.Identity; var id = identity.GetUserId(); var domain = identity.FindFirst("ac_domain"); var companyToken = identity.FindFirst("c_token"); Identity.AdobeConnectUser user = null; using (Identity.AdobeConnectUserManager userManager = _userManagerFactory()) { try { user = await userManager.RefreshSession(id, companyToken.Value, domain.Value, identity.Name); _logger?.Info($"[GrantRefreshToken.AfterLogin] ACSession={user.AcSessionToken}"); } catch (Exception ex) { // TODO: production-ready exceptions context.SetError("server_error", ex.Message); return; } } if (user == null) { context.SetError("token_refresh_error", "User session has not been updated successfully."); return; } // check for existing claim and remove it var existingClaims = identity.Claims.Where(x => x.Type == "ac_session" || x.Type == ClaimTypes.Role); foreach (var existingClaim in existingClaims) { identity.RemoveClaim(existingClaim); } identity.AddClaim(new Claim("ac_session", user.AcSessionToken)); if (user.Roles != null) { foreach (var role in user.Roles) { var roleClaim = new Claim(ClaimTypes.Role, role); identity.AddClaim(roleClaim); } } context.Validated(context.Ticket); _logger?.Info($"[GrantRefreshToken.Success] PrincipalId={user.Id}, ACSession={context.Ticket.Identity.FindFirst("ac_session")}"); // return Task.FromResult<object>(null); }
public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { string originalClient = context.Ticket.Properties.Dictionary["Client_Id"]; string currentClient = context.ClientId; if (originalClient != currentClient) { context.SetError("invalid_clientId", "Refresh token is issued to a different clientId."); return(Task.FromResult <object>(null)); } context.Validated(); return(Task.FromResult <object>(null)); }
public override async Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { var originalClient = context.Ticket.Properties.Dictionary["as:client_id"]; var currentClient = context.OwinContext.Get <string>("as:client_id"); // enforce client binding of refresh token if (originalClient != currentClient) { context.Rejected(); return; } context.Validated(); }
/// <summary> /// 刷新客户端令牌 /// </summary> /// <param name="context"></param> /// <returns></returns> public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { string originalClient = context.Ticket.Properties.Dictionary["as:client_id"]; string currentClient = context.ClientId; if (originalClient != currentClient) { context.Rejected(); return Task.FromResult(0); } ClaimsIdentity identity = new ClaimsIdentity(context.Ticket.Identity); identity.AddClaim(new Claim("newClaim", "refreshToken")); AuthenticationTicket ticket = new AuthenticationTicket(identity, context.Ticket.Properties); context.Validated(ticket); return base.GrantRefreshToken(context); }
public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { var originalClient = context.Ticket.Properties.Dictionary["as:client_id"]; var currentClient = context.ClientId; if (originalClient != currentClient) { context.SetError("invalid_clientId", "Refresh token is issued to a different clientId."); return(Task.FromResult <object>(null)); } context.Validated(new AuthenticationTicket(context.Ticket.Identity, context.Ticket.Properties)); return(Task.FromResult <object>(null)); }
public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { var originalClient = context.Ticket.Properties.Dictionary["as:client_id"]; var currentClient = context.ClientId; if (originalClient != currentClient) { context.SetError("invalid_clientId", "Refresh token is issued to a different clientId."); return Task.FromResult<object>(null); } var newIdentity = new ClaimsIdentity(context.Ticket.Identity); var newTicket = new AuthenticationTicket(newIdentity, context.Ticket.Properties); context.Validated(newTicket); return Task.FromResult<object>(null); }
public override async Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { var originalClient = context.Ticket.Properties.Dictionary["as:client_id"]; var currentClient = context.ClientId; if (originalClient != currentClient) { context.SetError("invalid_clientId", "Refresh token is issued to a different clientId."); return; } var newIdentity = await DoGrantRefreshToken(context); var newTicket = new AuthenticationTicket(newIdentity, context.Ticket.Properties); context.Validated(newTicket); }
/// <summary> /// 验证持有 refresh token 的 clientId /// </summary> /// <param name="context"></param> /// <returns></returns> public override async Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { var originalClientId = context.Ticket.Properties.Dictionary["as:client_id"]; var currentClientId = context.ClientId; if (originalClientId != currentClientId) { await Task.FromResult <object>(null); } var newId = new ClaimsIdentity(context.Ticket.Identity); newId.AddClaim(new Claim("newClaim", "refreshToken")); var newTicket = new AuthenticationTicket(newId, context.Ticket.Properties); context.Validated(newTicket); }
/// <summary> /// 客户端模式 重载RefreshToken分发 /// </summary> /// <param name="context"></param> /// <returns></returns> public override async Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { try { var newId = new ClaimsIdentity(context.Ticket.Identity); newId.AddClaim(new Claim("newClaim", "refreshToken")); var newTicket = new AuthenticationTicket(newId, context.Ticket.Properties); context.Validated(newTicket); await base.GrantRefreshToken(context); } catch (Exception ex) { throw ex; } }
//called when a request for token is called passing (refresh_token) as a grant_type public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { return(Task.Run(() => { var originalClient = context.Ticket.Properties.Dictionary["as:client_id"]; var currentClient = context.OwinContext.Get <string>("as:client_id"); // enforce client binding of refresh token if (originalClient != currentClient) { context.Rejected(); return; } // chance to change authentication ticket for refresh token requests var newId = new ClaimsIdentity(context.Ticket.Identity); var newTicket = new AuthenticationTicket(newId, context.Ticket.Properties); context.Validated(newTicket); })); }
/// <summary> /// 刷新Token /// </summary> /// <param name="context"></param> /// <returns></returns> public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { var newIdentity = new ClaimsIdentity(context.Ticket.Identity); var newClaim = newIdentity.Claims.Where(c => c.Type == "newClaim").FirstOrDefault(); if (newClaim != null) { newIdentity.RemoveClaim(newClaim); } newIdentity.AddClaim(new Claim("newClaim", "newValue")); var newTicket = new AuthenticationTicket(newIdentity, context.Ticket.Properties); context.Validated(newTicket); return(Task.FromResult(0)); }
/// <summary> /// 刷新客户端令牌 /// </summary> /// <param name="context"></param> /// <returns></returns> public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { string originalClient = context.Ticket.Properties.Dictionary["as:client_id"]; string currentClient = context.ClientId; if (originalClient != currentClient) { context.Rejected(); return(Task.FromResult(0)); } ClaimsIdentity identity = new ClaimsIdentity(context.Ticket.Identity); identity.AddClaim(new Claim("newClaim", "refreshToken")); AuthenticationTicket ticket = new AuthenticationTicket(identity, context.Ticket.Properties); context.Validated(ticket); return(base.GrantRefreshToken(context)); }
public override async Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { //var oAuthIdentity = new ClaimsIdentity(); //oAuthIdentity.AddClaim(new Claim(ClaimTypes.Name, "jeremy")); //oAuthIdentity.AddClaim(new Claim(ClaimTypes.Role, "admin")); //var ticket = new AuthenticationTicket(oAuthIdentity, new AuthenticationProperties { AllowRefresh = true, RedirectUri = "/token", IssuedUtc = DateTime.Now, ExpiresUtc = DateTime.Now.AddMonths(1)}); //context.Validated(context.Ticket); var originalClient = "jeremy"; var currentClient = context.OwinContext.Get<string>("as:client_id"); //var newId = new ClaimsIdentity(context.Ticket.Identity); var newId = new ClaimsIdentity("refresh_token"); newId.AddClaim(new Claim("newClaim", "refreshToken")); var newTicket = new AuthenticationTicket(newId, context.Ticket.Properties); context.Validated(newTicket); }
/// <summary> /// 授予刷新令牌 /// </summary> /// <param name="context"></param> /// <returns></returns> public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { var originalClient = context.Ticket.Properties.Dictionary["as:client_id"]; var currentClient = context.ClientId; if (originalClient != currentClient) { context.SetError("无效的客户端信息", "刷新令牌是来自一个不同的客户ID。"); return(Task.FromResult <object>(null)); } // Change auth ticket for refresh token requests 改变授权票刷新令牌的请求 var newIdentity = new ClaimsIdentity(context.Ticket.Identity); var newTicket = new AuthenticationTicket(newIdentity, context.Ticket.Properties); context.Validated(newTicket); return(Task.FromResult <object>(null)); }
public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { var originalClient = context.Ticket.Properties.Dictionary["client_id"]; var currentClient = context.ClientId; if (originalClient != currentClient) { context.SetError("invalid_clientId"); return(Task.FromResult <object>(null)); } var newIdentity = new ClaimsIdentity(context.Ticket.Identity); var newTicket = new AuthenticationTicket(newIdentity, context.Ticket.Properties); context.Validated(newTicket); return(Task.FromResult <object>(null)); }
public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { var originalClient = context.Ticket.Properties.Dictionary["client_id"]; var currentClient = context.ClientId; var originalIPAddress = context.Ticket.Properties.Dictionary["ip_address"]; var currentIPAddress = HttpContext.Current.Request.Form["ip_address"]; var originalUserAgent = context.Ticket.Properties.Dictionary["user_agent"]; var currentUserAgent = HttpContext.Current.Request.Form["user_agent"]; if (originalClient != currentClient) { context.SetError("invalid_clientId", "Refresh token is issued to a different clientId."); return(Task.FromResult <object>(null)); } if (TokenHelper.ValidateIPAddress()) { if (originalIPAddress != currentIPAddress) { context.SetError("invalid_IP_Address", "Refresh token is issued to a different IP Address."); return(Task.FromResult <object>(null)); } } if (TokenHelper.ValidateUserAgent()) { if (originalUserAgent != currentUserAgent) { context.SetError("invalid_User_Agent", "Refresh token is issued to a different device."); return(Task.FromResult <object>(null)); } } // Change auth ticket for refresh token requests var newIdentity = new ClaimsIdentity(context.Ticket.Identity); newIdentity.AddClaim(new System.Security.Claims.Claim("newClaim", "newValue")); var newTicket = new AuthenticationTicket(newIdentity, context.Ticket.Properties); context.Validated(newTicket); return(Task.FromResult <object>(null)); }
public override async System.Threading.Tasks.Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { var originalClient = context.Ticket.Properties.Dictionary["as:client_id"]; var currentClient = context.ClientId; if (originalClient != currentClient) { context.Rejected(); return; } var newId = new ClaimsIdentity(context.Ticket.Identity); newId.AddClaim(new Claim("newClaim", "refreshToken")); var newTicket = new AuthenticationTicket(newId, context.Ticket.Properties); context.Validated(newTicket); }
public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { // TODO: Implement this when each member website has their own ClientID //var originalClient = context.Ticket.Properties.Dictionary["as:client_id"]; //var currentClient = context.ClientId; //// enforce client binding of refresh token //if (originalClient != currentClient) //{ // context.Rejected(); // return; //} var identity = new ClaimsIdentity(context.Ticket.Identity); var newTicket = new AuthenticationTicket(identity, context.Ticket.Properties); context.Validated(newTicket); return(Task.FromResult(0)); }
public override async Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { using (var repo = new ApplicationUserManager(new UserStore <ApplicationUser>())) { var user = repo.Users.SingleOrDefault(u => u.UserName == context.Ticket.Identity.Name); if (user == null) { // unlikely, but it's possible the account has been deleted context.SetError("invalid_grant", "Account does not exist."); return; } context.Validated(); this.LogInfo("Successfully refreshed {0}'s auth token.", user.UserName); } }
/// <summary> /// RefreshToken /// </summary> /// <param name="context"></param> /// <returns></returns> public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { context.OwinContext.Set(_asGrantType, GrantTypes.RefreshToken); context.OwinContext.Set(_asClientID, context.ClientId); var newId = new ClaimsIdentity(context.Ticket.Identity); var role = newId.FindFirstValue(newId.RoleClaimType); if (role != null) { if (role.Split(',').All(c => !c.Equals(RoleConfig.AppRole, StringComparison.OrdinalIgnoreCase))) { context.OwinContext.Set(_asUserID, newId.GetUserId()); } } var newTicket = new AuthenticationTicket(newId, context.Ticket.Properties); context.Validated(newTicket); return(base.GrantRefreshToken(context)); }
public override async Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { var originalClient = context.Ticket.Properties.Dictionary["as:client_id"]; var currentClient = context.ClientId; // enforce client binding of refresh token if (originalClient != currentClient) { context.Rejected(); return; } // chance to change authentication ticket for refresh token requests var newId = new ClaimsIdentity(context.Ticket.Identity); newId.AddClaim(new Claim("newClaim", "refreshToken")); var newTicket = new AuthenticationTicket(newId, context.Ticket.Properties); context.Validated(newTicket); }
public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { var originalClient = context.Ticket.Properties.Dictionary["client_id"]; var currentClient = context.ClientId; if (originalClient != currentClient) { context.SetError("invalid_clientId", "Refresh token is issued to a different clientId."); return(Task.FromResult <object>(null)); } // Change auth ticket for refresh token requests var newIdentity = new ClaimsIdentity(context.Ticket.Identity); newIdentity.AddClaim(new Claim("newClaim", "newValue")); var newTicket = new AuthenticationTicket(newIdentity, context.Ticket.Properties); context.Validated(newTicket); return(Task.FromResult <object>(null)); }
//http://discoveringdotnet.alexeyev.org/2014/08/simple-explanation-of-bearer-authentication-for-web-api-2.html public override async Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { //enforce client binding of refresh token if (context.Ticket == null || context.Ticket.Identity == null || !context.Ticket.Identity.IsAuthenticated) { context.SetError("invalid_grant", "Refresh token is not valid"); } else { var userIdentity = context.Ticket.Identity; var authenticationTicket = await CreateAuthenticationTicket(context.OwinContext, userIdentity); //Additional claim is needed to separate access token updating from authentication //requests in RefreshTokenProvider.CreateAsync() method authenticationTicket.Identity.AddClaim(new Claim("refreshToken", "refreshToken")); context.Validated(authenticationTicket); } }
/// <summary> /// Called when a request to the Token endpoint arrives with a "grant_type" of "refresh_token" /// </summary> /// <param name="context"></param> /// <returns></returns> public override async Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { logger.Debug("GrantRefreshToken"); if (context.Ticket.Properties != null) { logger.Debug("GrantResourceOwnerCredentials,context.Ticket.Properties:" + JsonConvert.SerializeObject(context.Ticket.Properties)); } string error = "invalid_grant"; var originalClientId = context.OwinContext.Get <string>(OAuthKeys.ClientId); var currentClientId = context.ClientId; if (!string.IsNullOrEmpty(originalClientId) && !string.IsNullOrEmpty(currentClientId)) { if (originalClientId != currentClientId) { context.SetError(error, "Refresh token is issued to a different clientId."); } else { // Change auth ticket for refresh token requests var newOAuthIdentity = new ClaimsIdentity(context.Ticket.Identity); //获取附加的请求参数 IDictionary <string, object> parameters = context.OwinContext.Environment; if (parameters != null) { //foreach (var item in parameters) //{ // //添加附加凭证信息 // newOAuthIdentity.AddClaim(new Claim(OAuthKeys.Prefix + item.Key, item.Value.ToString())); //} } newOAuthIdentity.AddClaim(new Claim(OAuthKeys.RefreshTokenClaim, "refreshToken")); var newTicket = new AuthenticationTicket(newOAuthIdentity, context.Ticket.Properties); bool validateResult = context.Validated(newTicket); if (!validateResult) { context.SetError(error, "validate 失败"); } } } await base.GrantRefreshToken(context); }
public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { var originalClient = context.Ticket.Properties.Dictionary["as:client_id"]; if (originalClient != _clientId) { context.Rejected(); } else { var newId = new ClaimsIdentity(context.Ticket.Identity); newId.AddClaim(new Claim("newClaim", "refreshToken")); var newTicket = new AuthenticationTicket(newId, context.Ticket.Properties); context.Validated(newTicket); } return base.GrantRefreshToken(context); }
public override async Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { var identity = new ClaimsIdentity(context.Ticket.Identity); var properties = context.Ticket.Properties.Dictionary; ViewUser user = null; using (var auth = new AuthRepository()) user = await auth.ViewUserGetAsync(Guid.Parse(identity.GetUserId())); if (object.Equals(user, null) || !user.IsActive) { return; } identity.AddClaims(user); context.Validated(new AuthenticationTicket(identity, context.Ticket.Properties)); }
public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { //var originalClient = context.Ticket.Identity.Claims.FirstOrDefault(x => x.Type == "aud").Value; var originalClient = context.Ticket.Properties.Dictionary["as:client_id"]; var currentClient = context.ClientId; if (originalClient != currentClient) { context.SetError("invalid_clientId", "Refresh token is issued to a different clientId."); return(Task.FromResult <object>(null)); } var newIdentity = new ClaimsIdentity(context.Ticket.Identity); var newTicket = new AuthenticationTicket(newIdentity, context.Ticket.Properties); context.Validated(newTicket); return(Task.FromResult <object>(null)); }
public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { var originalClient = context.Ticket.Properties.Dictionary["as:client_id"]; var currentClient = context.OwinContext.Get <string>("as:client_id"); // var currentClient = context.OwinContext.Request.Get<string>("as:client_id"); ////var currentClient = context.ClientId; //http://leastprivilege.com/2013/11/15/adding-refresh-tokens-to-a-web-api-v2-authorization-server/ if (originalClient != currentClient) { context.SetError("invalid_clientId", "Refresh token is issued to a different clientId."); return(Task.FromResult <object>(null)); } // Change auth ticket for refresh token requests var newIdentity = new ClaimsIdentity(context.Ticket.Identity); var renwewRefreshToken = newIdentity.Claims.Where(c => c.Type == "RenwewRefreshToken").FirstOrDefault(); if (renwewRefreshToken != null) { newIdentity.RemoveClaim(renwewRefreshToken); } newIdentity.AddClaim(new Claim("RenwewRefreshToken", DateTime.UtcNow.ToString("dd/MM/yyyy HH:mm:ss"))); // var currentClient = context.OwinContext.Get<string>("m:expiredOn"); if (context.Ticket.Properties.Dictionary != null && context.Ticket.Properties.Dictionary.ContainsKey("m:expiredOn")) { //refresh custom expire date var expiredOn = DateTime.UtcNow.AddMinutes(General.MAXMinutesExpiredApiToken); context.Ticket.Properties.Dictionary["m:expiredOn"] = expiredOn.ToString("yyyy-MM-dd HH:mm:ss"); } var newTicket = new AuthenticationTicket(newIdentity, context.Ticket.Properties); context.Validated(newTicket); return(Task.FromResult <object>(null)); }
public override async Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { var identity = new ClaimsIdentity(context.Ticket.Identity); var properties = context.Ticket.Properties.Dictionary; var client = context.OwinContext.Get <Client>("client"); var sessionToken = context.OwinContext.Get <SessionToken>("sessionToken"); properties["session"] = Guid.NewGuid().ToString("N"); if (!string.IsNullOrEmpty(sessionToken.ExternalClientName)) { properties["externalClient"] = sessionToken.ExternalClientName; } string[] scope = context.OwinContext.Get <string[]>("scope"); var accountId = Guid.Parse(identity.GetUserId()); using (var auth = new AuthRepository()) { using (var authProduct = new AuthProductRepository()) { var account = await auth.AccountGetAsync(accountId); if (object.Equals(account, null)) { return; } context.OwinContext.Set("user", account); identity.TryRemoveClaim("module"); identity.AddClaims(account, client); var scopeWorker = SaaSScopeWorkerFactory.Create(scope, context, auth, authProduct); await scopeWorker.GrantClaims(identity); } } context.Validated(new AuthenticationTicket(identity, context.Ticket.Properties)); }
public async Task WhenGrantingRefreshToken_AndItSucceedes_ItShouldUpdateTheAccessTokenTimestamp() { var context = new OAuthGrantRefreshTokenContext( new OwinContext(this.environment), new OAuthAuthorizationServerOptions() { AuthenticationType = AuthenticationType }, new AuthenticationTicket( new ClaimsIdentity( new List <Claim> { new Claim(ClaimTypes.NameIdentifier, UserClaimsIdentity.UserId.Value.EncodeGuid()) }, AuthenticationType), new AuthenticationProperties(new Dictionary <string, string> { { Constants.TokenClientIdKey, ClientId } })), ClientId); this.getUserClaimsIdentity .Setup(v => v.HandleAsync(new GetUserClaimsIdentityQuery(UserClaimsIdentity.UserId, null, null, AuthenticationType))) .ReturnsAsync(UserClaimsIdentity); UpdateLastAccessTokenDateCommand updateTimestampCommand = null; this.updateLastAccessTokenDate .Setup(v => v.HandleAsync(It.IsAny <UpdateLastAccessTokenDateCommand>())) .Callback <UpdateLastAccessTokenDateCommand>(v => updateTimestampCommand = v) .Returns(Task.FromResult(0)); var before = DateTime.UtcNow; await this.target.GrantRefreshTokenAsync(context); var after = DateTime.UtcNow; Assert.IsNotNull(updateTimestampCommand); Assert.AreEqual(UserClaimsIdentity.UserId, updateTimestampCommand.UserId); Assert.AreEqual(UpdateLastAccessTokenDateCommand.AccessTokenCreationType.RefreshToken, updateTimestampCommand.CreationType); Assert.IsTrue(updateTimestampCommand.Timestamp <= after); Assert.IsTrue(updateTimestampCommand.Timestamp >= before); }
public abstract Task<ClaimsIdentity> DoGrantRefreshToken(OAuthGrantRefreshTokenContext context);
public override async Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { var originalClient = context.Ticket.Properties.Dictionary["as:client_id"]; var currentClient = context.ClientId; if (originalClient != currentClient) { context.SetError("invalid_clientId", "Refresh token is issued to a different clientId."); return; } var newIdentity = await DoGrantRefreshToken(context); var newTicket = new AuthenticationTicket(newIdentity, context.Ticket.Properties); context.Validated(newTicket); }
/// <summary> /// Called when a request to the Token endpoint arrives with a "grant_type" of "refresh_token". This occurs if your application has issued a "refresh_token" /// along with the "access_token", and the client is attempting to use the "refresh_token" to acquire a new "access_token", and possibly a new "refresh_token". /// To issue a refresh token the an Options.RefreshTokenProvider must be assigned to create the value which is returned. The claims and properties /// associated with the refresh token are present in the context.Ticket. The application must call context.Validated to instruct the /// Authorization Server middleware to issue an access token based on those claims and properties. The call to context.Validated may /// be given a different AuthenticationTicket or ClaimsIdentity in order to control which information flows from the refresh token to /// the access token. The default behavior when using the OAuthAuthorizationServerProvider is to flow information from the refresh token to /// the access token unmodified. /// See also http://tools.ietf.org/html/rfc6749#section-6 /// </summary> /// <param name="context">The context of the event carries information in and results out.</param> /// <returns> /// Task to enable asynchronous execution /// </returns> public override async Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { this.options.Logger.Debug("Authenticating refresh token flow"); var user = new SentinelPrincipal(context.Ticket.Identity); // Add grant type claim user.Identity.RemoveClaim(x => x.Type == ClaimType.GrantType); user.Identity.AddClaim(ClaimType.GrantType, GrantType.RefreshToken); // Activate event if subscribed to if (this.options.Events.PrincipalCreated != null) { var args = new PrincipalCreatedEventArgs(user, context); await this.options.Events.PrincipalCreated(args); user = new SentinelPrincipal(args.Principal); } context.Validated(user.Identity.AsClaimsIdentity()); }
public Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { throw new NotImplementedException(); }
/* public override Task ValidateTokenRequest(OAuthValidateTokenRequestContext context) { var token = context.TokenRequest; return base.ValidateTokenRequest(context); } */ /// <summary> /// 验证持有 refresh token 的客户端 /// </summary> /// <param name="context"></param> /// <returns></returns> public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { if (context.Ticket == null || context.Ticket.Identity == null) { context.Rejected(); return base.GrantRefreshToken(context); } var currentClient = context.OwinContext.Get<string>("as:client_id"); var originalClient = context.ClientId; // enforce client binding of refresh token if (originalClient != currentClient) { context.Rejected(); return base.GrantRefreshToken(context); } context.OwinContext.Set<string>("as:client_id", currentClient); context.OwinContext.Set<string>("as:refresh_token_time", "36000"); // chance to change authentication ticket for refresh token requests var claimsIdentity = new ClaimsIdentity(context.Ticket.Identity); var newTicket = new AuthenticationTicket(claimsIdentity, context.Ticket.Properties); context.Validated(newTicket); return base.GrantRefreshToken(context); }
public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { return base.GrantRefreshToken(context); }
public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { var originalClient = context.Ticket.Properties.Dictionary["as:client_id"]; var currentClient = context.ClientId; if (originalClient != currentClient) { context.SetError("invalid_clientId", "Refresh token is issued to a different clientId."); return Task.FromResult<object>(null); } // INFO: Change auth ticket for refresh token requests var newIdentity = new ClaimsIdentity(context.Ticket.Identity); // FIXME: Need to figure out how would I actually handle things here // This is a refresh token here, need to add proper claims and values here, but Im stuck like a moron newIdentity.AddClaim(new Claim("newClaim", "newValue")); var newTicket = new AuthenticationTicket(newIdentity, context.Ticket.Properties); context.Validated(newTicket); return Task.FromResult<object>(null); }
public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { //We are reading the client id value from the original ticket, //this is the client id which get stored in the magical signed string, //then we compare this client id against the client id sent with the request, //if they are different we’ll reject this request because we need to make //sure that the refresh token used here is bound to the same client when it was generated. var originalClient = context.Ticket.Properties.Dictionary["as:client_id"]; var currentClient = context.ClientId; if (originalClient != currentClient) { context.SetError("invalid_clientId", "Refresh token is issued to a different clientId."); return Task.FromResult<object>(null); } //We have the chance now to add new claims or remove existing claims, //this was not achievable without refresh tokens, then we call //“context.Validated(newTicket)” which will generate new access //token and return it in the response body. // Change auth ticket for refresh token requests var newIdentity = new ClaimsIdentity(context.Ticket.Identity); var newClaim = newIdentity.Claims.Where(c => c.Type == "newClaim").FirstOrDefault(); if (newClaim != null) { newIdentity.RemoveClaim(newClaim); } newIdentity.AddClaim(new Claim("newClaim", "newValue")); var newTicket = new AuthenticationTicket(newIdentity, context.Ticket.Properties); context.Validated(newTicket); return Task.FromResult<object>(null); //Lastly after this method executes successfully, the flow for the code //will hit method “CreateAsync” in class “SimpleRefreshTokenProvider” //and a new refresh token is generated and returned in the response //along with the new access token. }
public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { /*ClientUserManager manager = context.OwinContext.GetUserManager<ClientUserManager>(); ClientRoleManager managerRoles = context.OwinContext.Get<ClientRoleManager>();*/ IDependencyScope Scope = context.OwinContext.Get<IDependencyScope>(); ClientUserManager manager = Scope.GetService(typeof(ClientUserManager)) as ClientUserManager; ClientRoleManager managerRoles = Scope.GetService(typeof(ClientRoleManager)) as ClientRoleManager; var originalClient = context.Ticket.Properties.Dictionary[GenericNames.AUTHENTICATION_CLIENT_ID_KEY]; var currentClient = context.ClientId; if (originalClient != currentClient) { context.SetError("client_id", GenericError.INVALID_GIVEN_PARAMETER); return Task.FromResult<object>(null); } var identity = new ClaimsIdentity(context.Ticket.Identity); var newTicket = new AuthenticationTicket(identity, context.Ticket.Properties); context.Validated(newTicket); return Task.FromResult<object>(null); }
public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { //Se lee la información original del cliente var originalClient = context.Ticket.Properties.Dictionary["as:client_id"]; var currentClient = context.ClientId; //Se compara el cliente firmado con el cliente recibido como parámetro if (originalClient != currentClient) { context.SetError("clientId_invalido", "El token emitido no concide con el cliente recibido"); return Task.FromResult<object>(null); } // Change auth ticket for refresh token requests var newIdentity = new ClaimsIdentity(context.Ticket.Identity); newIdentity.AddClaim(new Claim("newClaim", "newValue")); var newTicket = new AuthenticationTicket(newIdentity, context.Ticket.Properties); context.Validated(newTicket); return Task.FromResult<object>(null); }
public override async Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { var originalClient = context.Ticket.Properties.Dictionary["as:client_id"]; var currentClient = context.ClientId; if (originalClient != currentClient) { context.SetError("invalid_clientId", "Refresh token issued to a different clientId."); return; } var newIdentity = new ClaimsIdentity(context.Ticket.Identity); var userManager = context.OwinContext.GetUserManager<Identity.ApplicationUserManager>(); DataLayer.Models.Identity.ApplicationUser user = await userManager.FindByNameAsync(context.Ticket.Identity.Name); var newTicket = new AuthenticationTicket(newIdentity, context.Ticket.Properties); context.Validated(newTicket); }
public override async Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { }
/* public override Task ValidateClientRedirectUri(OAuthValidateClientRedirectUriContext context) { if (context.ClientId == _publicClientId) { Uri expectedRootUri = new Uri(context.Request.Uri, "/"); if (expectedRootUri.AbsoluteUri == context.RedirectUri) { context.Validated(); } } return Task.FromResult<object>(null); } */ public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { bool validated = false; if (context.Ticket != null && context.Ticket.Identity != null) { ApplicationUser user = context.OwinContext.Get<ApplicationUser>(OwinUserKey); OAuthClient oauthClient = context.OwinContext.Get<OAuthClient>(OwinClientKey); ApplicationDbContext dbContext = context.OwinContext.Get<ApplicationDbContext>(); var oauthSessions = dbContext.OAuthSessions.Where(oas => oas.UserId.ToString() == user.Id && oas.ClientId == oauthClient.Id); foreach (OAuthSession oauthSession in oauthSessions) { dbContext.OAuthSessions.Remove(oauthSession); } Guid oauthSessionValue = Guid.NewGuid(); dbContext.OAuthSessions.Add(new OAuthSession { ClientId = oauthClient.Id, OrganizationId = user.OrganizationId, UserId = user.Id, Id = oauthSessionValue }); dbContext.SaveChanges(); context.Ticket.Identity.AddClaim(new Claim(OAuthBearerAuthenticationWithRevocationProvider.OAuthSessionClaimKey, oauthSessionValue.ToString())); context.Validated(); context.Request.Context.Authentication.SignIn(context.Ticket.Identity); validated = true; } if (!validated) { context.SetError("Authentication Failed"); context.Rejected(); } return Task.FromResult<object>(null); }
public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { var originalClient = context.Ticket.Properties.Dictionary["as:client_id"]; if (originalClient != context.ClientId) { context.SetError("invalid_grant", TokenStatus.InvalidClientId.ToString()); } else { var newId = new ClaimsIdentity(context.Ticket.Identity); var newTicket = new AuthenticationTicket(newId, context.Ticket.Properties); context.Validated(newTicket); } return Task.FromResult<object>(null); ; }
public override async Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { var clientId = context.Ticket.Properties.Dictionary["client_id"]; if (clientId != context.ClientId) { context.Rejected(); return; } var properties = new AuthenticationProperties(new Dictionary<string, string> { {"client_id", context.ClientId} }); var ticket = new AuthenticationTicket(context.Ticket.Identity, properties); context.Validated(ticket); }
public override async Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { var originalClient = context.Ticket.Properties.Dictionary["as:client_id"]; var currentClient = context.OwinContext.Get<string>("as:client_id"); // enforce client binding of refresh token if (originalClient != currentClient) { context.Rejected(); return; } // chance to change authentication ticket for refresh token requests var newId = new ClaimsIdentity(context.Ticket.Identity); newId.RemoveClaim(newId.FindFirst(c => c.Type == "RefreshToken")); newId.AddClaim(new Claim("RefreshToken", Guid.NewGuid().ToString())); var newTicket = new AuthenticationTicket(newId, context.Ticket.Properties); context.Validated(newTicket); }
/// <summary> /// 授予刷新令牌 /// 验证持有 refresh token 的客户端 /// grant_type:refresh_token /// 如:grant_type=refresh_token&refresh_token=fd08939b38e94f0ba154b8c51f57d256fb919fc818f4437ea24fd30fbc7c1936 /// </summary> /// <param name="context"></param> /// <returns></returns> public override async Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { //获取'第二步'创建的元数据 var originalClient = context.Ticket.Properties.Dictionary["as:client_id"]; //获取用户信息、验证用户身份合法性 // 刷新令牌请求更改身份验证的机会 var newId = new ClaimsIdentity(context.Ticket.Identity); newId.AddClaim(new Claim("newClaim", "refreshToken")); var newTicket = new AuthenticationTicket(newId, context.Ticket.Properties); bool flag = context.Validated(newTicket); }
//TODO: common parts of grant refresh token and grant resource owner credentials to separate method public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { var options = new JsonSerializerSettings() { ContractResolver = new CamelCasePropertyNamesContractResolver() }; options.Converters.Insert(0, new HttpServiceErrorConverter()); var identity = context.Ticket.Identity; if (identity == null) { context.SetError("Couldn't deserialize identity from refresh token."); return Task.FromResult<object>(null); } var userIdClaim = identity.FindFirst(ClaimTypes.Sid); if (userIdClaim == null) { context.SetError("Refresh token doesn't contain user id. Can't grant access."); return Task.FromResult<object>(null); } var container = context.OwinContext.GetAutofacLifetimeScope(); var transactionFactory = container.Resolve<ITransactionFactory>(); var membershipService = container.Resolve<IAuthorizationService>(); var userId = Guid.Parse(userIdClaim.Value); UserIdentityModel user = null; var transaction = transactionFactory.BeginTransaction(IsolationLevel.ReadCommitted); try { user = membershipService.RefreshLogin(new IdentityQuery<Guid>(userId)); transaction.Commit(); } catch (SecurityException ex) { transaction.Commit(); var errorJson = JsonConvert.SerializeObject(ex.UserMessage, options); context.SetError("LoginFailure", errorJson); return Task.FromResult<object>(null); } finally { transaction.Dispose(); } if (user == null) { throw new InvalidOperationException("Refresh login returned null"); } var newIdentity = new ClaimsIdentity(context.Options.AuthenticationType); foreach (var claimModel in user.Claims) { newIdentity.AddClaim(new Claim(claimModel.Type, claimModel.Value)); } var client = context.OwinContext.Get<ApplicationClientModel>("vabank:client"); newIdentity.AddClaim(new Claim(ClaimModel.Types.ClientId, client.Id)); context.OwinContext.Set("vabank:user", user); // Set CORS header context.Response.Headers.Set("Access-Control-Allow-Origin", client.AllowedOrigin); // Set state as validated context.Validated(newIdentity); var cookieIdentity = new ClaimsIdentity(identity.Claims, CookieAuthenticationDefaults.AuthenticationType); context.Request.Context.Authentication.SignIn(cookieIdentity); return base.GrantRefreshToken(context); }
public override async Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { // pega o id do cliente gravado no ticket e o id do cliente da requisição var originalClient = context.Ticket.Properties.Dictionary["as:client_id"]; var currentClient = context.ClientId; // se os ID forem diferentes if (originalClient != currentClient) { // invalida o cliente context.SetError("invalid_clientId", "Refresh token is issued to a different clientId."); return; } // adiciona ou remove novas claims setadas para este determinado usuário var newIdentity = new ClaimsIdentity(context.Options.AuthenticationType); var usuarioDomain = new UsuarioDomain(); var claimsCollection = await usuarioDomain.GetClaimsByUsernameAsync(context.Ticket.Identity.Name); if (claimsCollection != null) newIdentity.AddClaims(claimsCollection); // MOCKING START newIdentity.AddClaim(new Claim(ClaimTypes.Name, context.Ticket.Identity.Name)); // MOCKING END // gera um novo ticket e valida o contexto fazendo gerar um novo token de acesso // e retorná-lo na resposta da requisição var newTicket = new AuthenticationTicket(newIdentity, context.Ticket.Properties); context.Validated(newTicket); }
public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { var originalClient = context.Ticket.Properties.Dictionary["as:client_id"]; var currentClient = context.ClientId; if (originalClient != currentClient) { context.SetError("invalid_clientId", "Refresh token is issued to a different clientId."); return Task.FromResult<object>(null); } var user = context.OwinContext.GetUserManager<ApplicationUserManager>().FindById(context.Ticket.Identity.GetUserId()); if (user == null) { context.SetError("invalid_grant", "The user name or password is incorrect."); return Task.FromResult<object>(null); } var identity = user.GenerateUserIdentity(context.OwinContext.GetUserManager<ApplicationUserManager>(), OAuthDefaults.AuthenticationType); var claimsList = identity.Claims.Where(c => c.Type == ClaimTypes.Role).Select(c => c.Value).ToList(); var roles = ""; if (claimsList.Count > 0) { roles = claimsList.Aggregate((i, j) => i + "," + j); } context.Ticket.Properties.Dictionary["Roles"] = roles; var newTicket = new AuthenticationTicket(identity, context.Ticket.Properties); context.Validated(newTicket); return Task.FromResult<object>(null); }
/// <summary> /// Called when a request to the Token endpoint arrives with a "grant_type" of "refresh_token". This occurs if your application has issued a "refresh_token" /// along with the "access_token", and the client is attempting to use the "refresh_token" to acquire a new "access_token", and possibly a new "refresh_token". /// To issue a refresh token the an Options.RefreshTokenProvider must be assigned to create the value which is returned. The claims and properties /// associated with the refresh token are present in the context.Ticket. The application must call context.Validated to instruct the /// Authorization Server middleware to issue an access token based on those claims and properties. The call to context.Validated may /// be given a different AuthenticationTicket or ClaimsIdentity in order to control which information flows from the refresh token to /// the access token. The default behavior when using the OAuthAuthorizationServerProvider is to flow information from the refresh token to /// the access token unmodified. /// See also http://tools.ietf.org/html/rfc6749#section-6 /// </summary> /// <param name="context">The context of the event carries information in and results out.</param> /// <returns>Task to enable asynchronous execution</returns> public virtual Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { return OnGrantRefreshToken.Invoke(context); }
public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { var originalClient = context.Ticket.Properties.Dictionary["as:client_id"]; var currentClient = context.ClientId; if (originalClient != currentClient) { context.SetError("invalid_clientId", "Refresh token is issued to a different clientId."); return Task.FromResult<object>(null); } // Change auth ticket for refresh token requests var newIdentity = new ClaimsIdentity(context.Ticket.Identity); // TODO //We have the chance now to add new claims or remove existing claims, //this was not achievable without refresh tokens, then we call “context.Validated(newTicket)” which will generate new access token and return it in the response body. //newIdentity.AddClaim(new Claim("newClaim", "newValue")); var newTicket = new AuthenticationTicket(newIdentity, context.Ticket.Properties); context.Validated(newTicket); //Lastly after this method executes successfully, the flow for the code will hit method “CreateAsync” in class “SimpleRefreshTokenProvider” //and a new refresh token is generated and returned in the response along with the new access token. return Task.FromResult<object>(null); }