public static async Task OnTokenValidated(TokenValidatedContext context) { var logger = GetLogger(context.HttpContext.RequestServices); AuthenticationLogMessages.AuthenticationTokenValidationHandling(logger, context.SecurityToken); var jwtSecurityToken = (JwtSecurityToken)context.SecurityToken; var ticketId = (long)jwtSecurityToken.Payload[ApiAuthenticationDefaults.TicketIdClaimType]; AuthenticationLogMessages.AuthenticationPerforming(logger, ticketId); var ticket = await context.HttpContext.RequestServices .GetRequiredService <IAuthenticationService>() .OnAuthenticatedAsync( ticketId: ticketId, userId: ((string)jwtSecurityToken.Payload["nameid"]) .ParseUInt64(), username: (string)jwtSecurityToken.Payload["unique_name"], discriminator: (string)jwtSecurityToken.Payload[ApiAuthenticationDefaults.DiscriminatorClaimType], avatarHash: (string)jwtSecurityToken.Payload[ApiAuthenticationDefaults.AvatarHashClaimType], grantedPermissions: ((JObject)jwtSecurityToken.Payload[ApiAuthenticationDefaults.PermissionsClaimType]) .ToObject <Dictionary <int, string> >(), context.HttpContext.RequestAborted); AuthenticationLogMessages.AuthenticationPerformed(logger, ticket); var renewSignIn = ticket.Id != ticketId; if (!renewSignIn) { AuthenticationLogMessages.AuthenticationTokenExpirationValidating(logger, jwtSecurityToken.ValidFrom); var options = context.HttpContext.RequestServices.GetRequiredService <IOptions <ApiAuthenticationOptions> >().Value; var now = context.HttpContext.RequestServices.GetRequiredService <ISystemClock>().UtcNow; renewSignIn = (now - jwtSecurityToken.ValidFrom) > options.TokenRefreshInterval; } if (renewSignIn) { AuthenticationLogMessages.AuthenticationTokenRenewing(logger); var identity = context.Principal.Identities.First(); identity.RemoveClaim(identity.FindFirst(ApiAuthenticationDefaults.TicketIdClaimType)); identity.AddClaim(new Claim( ApiAuthenticationDefaults.TicketIdClaimType, ticket.Id.ToString(), ClaimValueTypes.Integer64)); await context.HttpContext.SignInAsync(ApiAuthenticationDefaults.AuthenticationScheme, context.Principal); AuthenticationLogMessages.AuthenticationTokenRenewed(logger); } AuthenticationLogMessages.AuthenticationTokenValidationHandled(logger); }
public static Task OnAuthenticationFailed(AuthenticationFailedContext context) { var logger = GetLogger(context.HttpContext.RequestServices); AuthenticationLogMessages.AuthenticationFailureHandling(logger); var options = context.HttpContext.RequestServices.GetRequiredService <IOptions <ApiAuthenticationOptions> >().Value; context.Response.Cookies.Delete(options.TokenHeaderAndPayloadCookieKey); AuthenticationLogMessages.AuthenticationTokenHeaderAndPayloadDetached(logger, options.TokenSignatureCookieKey); context.Response.Cookies.Delete(options.TokenSignatureCookieKey); AuthenticationLogMessages.AuthenticationTokenSignatureDetached(logger, options.TokenSignatureCookieKey); AuthenticationLogMessages.AuthenticationFailureHandled(logger); return(Task.CompletedTask); }
public static async Task OnCreatingTicket(OAuthCreatingTicketContext context) { var logger = GetLogger(context.HttpContext.RequestServices); AuthenticationLogMessages.AuthenticationTicketCreationHandling(logger); var userId = ulong.Parse(context.Identity.Claims .First(x => x.Type == ClaimTypes.NameIdentifier) .Value); var ticket = await context.HttpContext.RequestServices .GetRequiredService <IAuthenticationService>() .OnSignInAsync( userId: userId, username: context.Identity.Claims .First(x => x.Type == ClaimTypes.Name) .Value, discriminator: context.Identity.Claims .First(x => x.Type == ApiAuthenticationDefaults.DiscriminatorClaimType) .Value, avatarHash: context.Identity.Claims .First(x => x.Type == ApiAuthenticationDefaults.AvatarHashClaimType) .Value, getGuildIdsDelegate: cancellationToken => GetGuildIds(context, cancellationToken), context.HttpContext.RequestAborted); if (ticket is null) { AuthenticationLogMessages.AuthenticationTicketNotIssued(logger, userId); return; } AuthenticationLogMessages.AuthenticationTicketCreated(logger, ticket); context.Identity.AddClaim(new Claim( ApiAuthenticationDefaults.TicketIdClaimType, ticket.Id.ToString(), ClaimValueTypes.Integer64)); AuthenticationLogMessages.AuthenticationTicketIdClaimAdded(logger, ticket.Id); context.Identity.AddClaim(new Claim( ApiAuthenticationDefaults.PermissionsClaimType, JsonConvert.SerializeObject(ticket.GrantedPermissions, _jsonSerializerSettings), JsonClaimValueTypes.Json)); AuthenticationLogMessages.GrantedPermissionsClaimAdded(logger, ticket.GrantedPermissions); AuthenticationLogMessages.AuthenticationTicketCreationHandled(logger); }
public JwtSecurityToken BuildToken(ClaimsIdentity identity) { var expires = _systemClock.UtcNow.UtcDateTime + _options.Value.TokenLifetime; AuthenticationLogMessages.AuthenticationTokenBuilding(_logger, identity, expires); var descriptor = new SecurityTokenDescriptor() { Subject = identity, SigningCredentials = _signingCredentials, Expires = expires }; var token = _tokenHandler.CreateJwtSecurityToken(descriptor); AuthenticationLogMessages.AuthenticationTokenBuilt(_logger, token); return(token); }
protected override Task HandleSignOutAsync(AuthenticationProperties properties) { AuthenticationLogMessages.SignOutHandling(Logger); Response.Cookies.Delete(Options.TokenHeaderAndPayloadCookieKey); AuthenticationLogMessages.AuthenticationTokenHeaderAndPayloadDetached(Logger, Options.TokenSignatureCookieKey); Response.Cookies.Delete(Options.TokenSignatureCookieKey); AuthenticationLogMessages.AuthenticationTokenSignatureDetached(Logger, Options.TokenSignatureCookieKey); if (properties.RedirectUri is string) { AuthenticationLogMessages.IssuingSignOutRedirect(Logger, properties.RedirectUri); Response.Redirect(properties.RedirectUri); } AuthenticationLogMessages.SignOutHandled(Logger); return(Task.CompletedTask); }
public static Task OnMessageReceived(MessageReceivedContext context) { var logger = GetLogger(context.HttpContext.RequestServices); AuthenticationLogMessages.HttpMessageReceiptHandling(logger); var options = context.HttpContext.RequestServices.GetRequiredService <IOptions <ApiAuthenticationOptions> >().Value; var cookies = context.Request.Cookies; if (cookies.TryGetValue(options.TokenHeaderAndPayloadCookieKey, out var tokenHeaderAndPayload) && cookies.TryGetValue(options.TokenSignatureCookieKey, out var tokenSignature)) { context.Token = $"{tokenHeaderAndPayload}.{tokenSignature}"; AuthenticationLogMessages.AuthenticationTokenExtracted(logger, context.Token); } AuthenticationLogMessages.AuthenticationTokenNotFound(logger, options.TokenHeaderAndPayloadCookieKey, options.TokenSignatureCookieKey); AuthenticationLogMessages.HttpMessageReceiptHandled(logger); return(Task.CompletedTask); }
protected override Task HandleSignInAsync(ClaimsPrincipal user, AuthenticationProperties properties) { AuthenticationLogMessages.SignInHandling(Logger); var token = _apiAuthenticationTokenBuilder.BuildToken(user.Identities.First()); AuthenticationLogMessages.AuthenticationTokenBuilt(Logger, token); var tokenRawHeaderAndPayload = $"{token.RawHeader}.{token.RawPayload}"; Response.Cookies.Append( key: Options.TokenHeaderAndPayloadCookieKey, value: tokenRawHeaderAndPayload, options: new CookieOptions() { IsEssential = true, SameSite = SameSiteMode.Strict, HttpOnly = false, Secure = true, Expires = token.ValidTo }); AuthenticationLogMessages.AuthenticationTokenHeaderAndPayloadAttached(Logger, Options.TokenHeaderAndPayloadCookieKey, tokenRawHeaderAndPayload); Response.Cookies.Append( key: Options.TokenSignatureCookieKey, value: token.RawSignature, options: new CookieOptions() { IsEssential = true, SameSite = SameSiteMode.Strict, HttpOnly = true, Secure = true, Expires = token.ValidTo }); AuthenticationLogMessages.AuthenticationTokenSignatureAttached(Logger, Options.TokenSignatureCookieKey, token.RawSignature); AuthenticationLogMessages.SignInHandled(Logger); return(Task.CompletedTask); }