/// <exception cref="ArgumentException"><paramref name="credential"/> is <see langword="null" />.</exception>
public void Store(string url, [NotNull] OAuthTokenCredential credential)
{
if (credential == null)
{
throw new ArgumentNullException(nameof(credential));
}
_CredentialCache.AddOrUpdate(url, key => credential, (key, value) => credential);
SaveToFile();
}
private static async Task <OAuthTokenCredential> TryGetOAuthTokenFromAuthorizeResponseAsync(TokenClient tokenClient, CryptoNumbers cryptoNumbers, AuthorizeResponse response)
{
if (response != null)
{
// claims des IdentityToken decodieren
var claims = DecodeSecurityToken(response.IdentityToken).Claims.ToArray();
// die folgenden validierungen sind notwendig, um diversen CSRF / man in the middle / etc. Angriffsszenarien zu begegnen
// state validieren
if (!string.Equals(cryptoNumbers.State, response.State, StringComparison.Ordinal))
{
throw new InvalidOperationException("invalid state value in openid service responce.");
}
// nonce validieren
if (!ValidateNonce(cryptoNumbers.Nonce, claims))
{
throw new InvalidOperationException("invalid nonce value in identity token.");
}
// c_hash validieren
if (!ValidateCodeHash(response.Code, claims))
{
throw new InvalidOperationException("invalid c_hash value in identity token.");
}
// code eintauschen gegen access token und refresh token, dabei den code verifier mitschicken, um man-in-the-middle Angriff auf authorization code zu begegnen (PKCE)
var tokenResponse = await tokenClient.RequestAuthorizationCodeAsync(
code : response.Code,
redirectUri : RedirectUri,
codeVerifier : cryptoNumbers.Verifier).ConfigureAwait(false);
if (tokenResponse.IsError)
{
throw new InvalidOperationException("error during request of access token using authorization code: " + tokenResponse.Error);
}
return(OAuthTokenCredential.CreateWithIdentityToken(tokenResponse.IdentityToken, tokenResponse.AccessToken, DateTime.UtcNow + TimeSpan.FromSeconds(tokenResponse.ExpiresIn), tokenResponse.RefreshToken));
}
return(null);
}
private static async Task <OAuthTokenCredential> TryGetOAuthTokenFromRefreshTokenAsync(TokenClient tokenClient, string authority, string refreshToken)
{
// when a refresh token is present try to use it to acquire a new access token
if (!string.IsNullOrEmpty(refreshToken))
{
var tokenResponse = await tokenClient.RequestRefreshTokenAsync(refreshToken).ConfigureAwait(false);
if (!tokenResponse.IsError)
{
// TODO: discover userinfo endpoint via ".well-known/openid-configuration"
var infoClient = new UserInfoClient(authority + "/connect/userinfo");
var userInfo = await infoClient.GetAsync(tokenResponse.AccessToken).ConfigureAwait(false);
return(OAuthTokenCredential.CreateWithClaims(
userInfo.Claims,
tokenResponse.AccessToken,
DateTime.UtcNow + TimeSpan.FromSeconds(tokenResponse.ExpiresIn),
tokenResponse.RefreshToken));
}
}
return(null);
}
public bool TryGetCredential(string url, out OAuthTokenCredential credential)
{
ReadFromFile();
return(_CredentialCache.TryGetValue(url, out credential));
}
