| private VerifyAccess ( AccessToken &accessToken ) : OutgoingWebResponse | ||
| accessToken | AccessToken | |
| return | OutgoingWebResponse | |
public Task<HttpResponseMessage> ExecuteAuthorizationFilterAsync(HttpActionContext actionContext, CancellationToken cancellationToken, Func<Task<HttpResponseMessage>> continuation)
{
HttpRequestMessage request = actionContext.Request;
HttpContextBase httpContext;
string userName;
HashSet<string> scope;
if (!request.TryGetHttpContext(out httpContext))
throw new InvalidOperationException("HttpContext must not be null.");
var resourceServer = new ResourceServer(new StandardAccessTokenAnalyzer(
(RSACryptoServiceProvider)_configuration.IssuerSigningCertificate.PublicKey.Key,
(RSACryptoServiceProvider)_configuration.EncryptionVerificationCertificate.PrivateKey));
var error = resourceServer.VerifyAccess(httpContext.Request, out userName, out scope);
if (error != null)
return Task<HttpResponseMessage>.Factory.StartNew(error.ToHttpResponseMessage);
//var identity = new ClaimsIdentity(scope.Select(s => new Claim(s, s)));
//if (!string.IsNullOrEmpty(userName))
// identity.AddClaim(new Claim(ClaimTypes.Name, userName));
//httpContext.User = new GenericPrincipal(identity, null);
//Thread.CurrentPrincipal = httpContext.User;
return continuation();
}
protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
{
HttpContextBase httpContext;
string userName;
HashSet<string> scope;
if (!request.TryGetHttpContext(out httpContext))
throw new InvalidOperationException("HttpContext must not be null.");
var resourceServer = new ResourceServer(new StandardAccessTokenAnalyzer(
(RSACryptoServiceProvider)_configuration.IssuerSigningCertificate.PublicKey.Key,
(RSACryptoServiceProvider)_configuration.EncryptionVerificationCertificate.PrivateKey));
var error = resourceServer.VerifyAccess(httpContext.Request, out userName, out scope);
if (error != null)
return Task<HttpResponseMessage>.Factory.StartNew(error.ToHttpResponseMessage);
Microsoft.IdentityModel.Claims.ClaimsIdentity identity = new Microsoft.IdentityModel.Claims.ClaimsIdentity(scope.Select(s => new Microsoft.IdentityModel.Claims.Claim(s, s)));
if (!string.IsNullOrEmpty(userName))
identity.Claims.Add(new Microsoft.IdentityModel.Claims.Claim(Microsoft.IdentityModel.Claims.ClaimTypes.Name, userName));
httpContext.User = Microsoft.IdentityModel.Claims.ClaimsPrincipal.CreateFromIdentity(identity);
Thread.CurrentPrincipal = httpContext.User;
return base.SendAsync(request, cancellationToken);
}
private static IPrincipal VerifyOAuth2(HttpRequestMessageProperty httpDetails, Uri requestUri) {
// for this sample where the auth server and resource server are the same site,
// we use the same public/private key.
using (var signing = Global.CreateAuthorizationServerSigningServiceProvider()) {
using (var encrypting = Global.CreateResourceServerEncryptionServiceProvider()) {
var resourceServer = new ResourceServer(new StandardAccessTokenAnalyzer(signing, encrypting));
IPrincipal result;
var error = resourceServer.VerifyAccess(new HttpRequestInfo(httpDetails, requestUri), out result);
// TODO: return the prepared error code.
return error != null ? null : result;
}
}
}
/// <summary>
/// Handles the AuthenticateRequest event of the HttpApplication.
/// </summary>
/// <param name="sender">The source of the event.</param>
/// <param name="e">The <see cref="System.EventArgs"/> instance containing the event data.</param>
private void context_AuthenticateRequest(object sender, EventArgs e) {
// Don't read OAuth messages directed at the OAuth controller or else we'll fail nonce checks.
if (this.IsOAuthControllerRequest()) {
return;
}
using (var crypto = OAuthResourceServer.CreateRSA()) {
var tokenAnalyzer = new SpecialAccessTokenAnalyzer(crypto, crypto);
var resourceServer = new ResourceServer(tokenAnalyzer);
IPrincipal principal;
var errorMessage = resourceServer.VerifyAccess(new HttpRequestInfo(this.application.Context.Request), out principal);
if (errorMessage == null) {
this.application.Context.User = principal;
}
}
}
protected override bool CheckAccessCore(OperationContext operationContext) {
if (!base.CheckAccessCore(operationContext)) {
return false;
}
var httpDetails = operationContext.RequestContext.RequestMessage.Properties[HttpRequestMessageProperty.Name] as HttpRequestMessageProperty;
var requestUri = operationContext.RequestContext.RequestMessage.Properties.Via;
using (var crypto = OAuthAuthorizationServer.CreateAsymmetricKeyServiceProvider()) {
var tokenAnalyzer = new SpecialAccessTokenAnalyzer(crypto, crypto);
var resourceServer = new ResourceServer(tokenAnalyzer);
try {
IPrincipal principal;
var errorResponse = resourceServer.VerifyAccess(httpDetails, requestUri, out principal);
if (errorResponse == null) {
var policy = new OAuthPrincipalAuthorizationPolicy(principal);
var policies = new List<IAuthorizationPolicy> {
policy,
};
var securityContext = new ServiceSecurityContext(policies.AsReadOnly());
if (operationContext.IncomingMessageProperties.Security != null) {
operationContext.IncomingMessageProperties.Security.ServiceSecurityContext = securityContext;
} else {
operationContext.IncomingMessageProperties.Security = new SecurityMessageProperty {
ServiceSecurityContext = securityContext,
};
}
securityContext.AuthorizationContext.Properties["Identities"] = new List<IIdentity> {
principal.Identity,
};
// Only allow this method call if the access token scope permits it.
if (principal.IsInRole(operationContext.IncomingMessageHeaders.Action)) {
return true;
}
}
} catch (ProtocolException /*ex*/) {
////Logger.Error("Error processing OAuth messages.", ex);
}
}
return false;
}