public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage) { var accessToken = new AuthorizationServerAccessToken(); // Just for the sake of the sample, we use a short-lived token. This can be useful to mitigate the security risks // of access tokens that are used over standard HTTP. // But this is just the lifetime of the access token. The client can still renew it using their refresh token until // the authorization itself expires. accessToken.Lifetime = TimeSpan.FromMinutes(2); // Also take into account the remaining life of the authorization and artificially shorten the access token's lifetime // to account for that if necessary. //// TODO: code here // For this sample, we assume just one resource server. // If this authorization server needs to mint access tokens for more than one resource server, // we'd look at the request message passed to us and decide which public key to return. accessToken.ResourceServerEncryptionKey = new RSACryptoServiceProvider(); accessToken.ResourceServerEncryptionKey.ImportParameters(ResourceServerEncryptionPublicKey); accessToken.AccessTokenSigningKey = CreateRSA(); var result = new AccessTokenResult(accessToken); return(result); }
public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage) { // Just for the sake of the sample, we use a short-lived token. This can be useful to mitigate the security risks // of access tokens that are used over standard HTTP. // But this is just the lifetime of the access token. The client can still renew it using their refresh token until // the authorization itself expires. var accessToken = new AuthorizationServerAccessToken() { Lifetime = TimeSpan.FromDays(14) }; // Also take into account the remaining life of the authorization and artificially shorten the access token's lifetime // to account for that if necessary. //// TODO: code here // For this sample, we assume just one resource server. // If this authorization server needs to mint access tokens for more than one resource server, // we'd look at the request message passed to us and decide which public key to return. // accessToken.ResourceServerEncryptionKey = new RSACryptoServiceProvider(); accessToken.ResourceServerEncryptionKey = CreateRSA(); // string szPubKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC32W+vIY9eZYY13Z0TqONE5LG3BHH6x4EWgb/LSEV674eFRw/AOvxphM7FjvoS4auZ1Yom4G6oFjDCR917gttma2b+7IuEhV5XdHM3lbH0dSrglASKtM6uHR0qjW0FPQR6rCKMHC1xSytAudI46nr/OkpcPM8KeXgJYvp+BYE0E6gjbwydcrgULCtcC0A3mZABixshjSaxzxUWCxA9RC7hSKPp9JptEcHcrJddaWzVORZHW+lUiNcFqXsm1K4CxoXE/KHenaz7d9GtA2vAvk1miueA6tsH1UOmZUY9rNVTKLoig5kKtYePSaa9/CZTEFYnhPkQtHZNZDoiN/e327ld [email protected]"; // accessToken.ResourceServerEncryptionKey.ImportCspBlob(System.Text.Encoding.ASCII.GetBytes(szPubKey)); // accessToken.ResourceServerEncryptionKey.ImportParameters(ResourceServerEncryptionPublicKey); accessToken.AccessTokenSigningKey = CreateRSA(); var result = new AccessTokenResult(accessToken); return(result); }
/// <summary> /// Acquires the access token and related parameters that go into the formulation of the token endpoint's response to a /// client. /// </summary> /// <param name="accessTokenRequestMessage"> /// Details regarding the resources that the access token will grant access to, and the identity of the client /// that will receive that access. /// Based on this information the receiving resource server can be determined and the lifetime of the access /// token can be set based on the sensitivity of the resources. /// </param> /// <returns>A non-null parameters instance that DotNetOpenAuth will dispose after it has been used.</returns> public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage) { TimeSpan clientApplicationLifetime = GetClientLifetime(accessTokenRequestMessage); var accessToken = new AuthorizationServerAccessToken { // Note: all other fields are assigned by IsAuthorizationValid() (i.e. ClientIdentifier, Scope, User and UtcIssued) // Set the crypto keys for accessing the secured services (assume there is only one secured service) AccessTokenSigningKey = CryptoKeyProvider.GetCryptoKey(CryptoKeyType.AuthZServer).PrivateEncryptionKey, ResourceServerEncryptionKey = GetRequestedSecureResourceCryptoKey(), // Set the limited lifetime of the token Lifetime = (clientApplicationLifetime != TimeSpan.Zero) ? clientApplicationLifetime : TimeSpan.FromMinutes(DefaultLifetime), }; // Insert user specific information string username = GetUserFromAccessTokenRequest(accessTokenRequestMessage); if (username.HasValue()) { IUserAuthInfo user = GetUserAuthInfo(username); if (user != null) { accessToken.ExtraData.Add(new KeyValuePair <string, string>( RequireAuthorizationAttribute.ExtraDataRoles, String.Join(@",", user.Roles))); } } return(new AccessTokenResult(accessToken)); }
/// <summary> /// Acquires the access token and related parameters that go into the formulation of the token endpoint's response to a client. /// </summary> /// <param name="accessTokenRequestMessage">Details regarding the resources that the access token will grant access to, and the identity of the client /// that will receive that access. /// Based on this information the receiving resource server can be determined and the lifetime of the access /// token can be set based on the sensitivity of the resources.</param> /// <returns> /// A non-null parameters instance that DotNetOpenAuth will dispose after it has been used. /// </returns> public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage) { var accessToken = new AuthorizationServerAccessToken(); accessToken.Lifetime = TimeSpan.FromHours(1); accessToken.ResourceServerEncryptionKey = EncryptionKeys.GetResourceServerEncryptionPublicKey(); accessToken.AccessTokenSigningKey = EncryptionKeys.GetAuthorizationServerSigningPrivateKey(); return(new AccessTokenResult(accessToken)); }
/// <summary> /// Acquires the access token and related parameters that go into the formulation of the token endpoint's response to a client. /// </summary> /// <param name="accessTokenRequestMessage">Details regarding the resources that the access token will grant access to, and the identity of the client /// that will receive that access. /// Based on this information the receiving resource server can be determined and the lifetime of the access /// token can be set based on the sensitivity of the resources.</param> /// <returns> /// A non-null parameters instance that DotNetOpenAuth will dispose after it has been used. /// </returns> public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage) { // If your resource server and authorization server are different web apps, // consider using asymmetric keys instead of symmetric ones by setting different // properties on the access token below. var accessToken = new AuthorizationServerAccessToken { Lifetime = TimeSpan.FromHours(1), SymmetricKeyStore = this.CryptoKeyStore, }; var result = new AccessTokenResult(accessToken); return(result); }
/// <summary> /// Acquires the access token and related parameters that go into the formulation of the token endpoint's response to a client. /// </summary> /// <param name="accessTokenRequestMessage">Details regarding the resources that the access token will grant access to, and the identity of the client that will receive that access. /// Based on this information the receiving resource server can be determined and the lifetime of the access token can be set based on the sensitivity of the resources. /// </param> /// <returns>A non-null parameters instance that DotNetOpenAuth will dispose after it has been used.</returns> public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage) { AuthorizationServerAccessToken accessToken = new AuthorizationServerAccessToken(); accessToken.Lifetime = TimeSpan.FromMinutes(5); accessToken.ExtraData.Add("userIdentity", "{ user: \"some identity\" }"); //accessToken.Lifetime = TimeSpan.FromSeconds(20); accessToken.ResourceServerEncryptionKey = CreateRsaCryptoServiceProvider(ResourceServerEncryptionPublicKey); accessToken.AccessTokenSigningKey = CreateRsaCryptoServiceProvider(AuthorizationServerSigningPrivateKey); return(new AccessTokenResult(accessToken)); }
/// <summary> /// Obtains parameters to go into the formulation of an access token. /// </summary> /// <param name="accessTokenRequestMessage">Details regarding the resources that the access token will grant access to, and the identity of the client /// that will receive that access. /// Based on this information the receiving resource server can be determined and the lifetime of the access /// token can be set based on the sensitivity of the resources.</param> /// <returns> /// A non-null parameters instance that DotNetOpenAuth will dispose after it has been used. /// </returns> public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage) { var accessToken = new AuthorizationServerAccessToken() { // For this sample, we assume just one resource server. // If this authorization server needs to mint access tokens for more than one resource server, // we'd look at the request message passed to us and decide which public key to return. ResourceServerEncryptionKey = OAuthResourceServer.CreateRSA(), }; var result = new AccessTokenResult(accessToken); return(result); }
// Generate an access token, given parameters in request that tell use what scopes to include, // and thus what resource's encryption key to use in addition to the authroization server key public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage) { var accessToken = new AuthorizationServerAccessToken { Lifetime = TimeSpan.FromMinutes(10) }; // could parameterize lifetime var targetResource = _resourceRepository.FindWithSupportedScopes(accessTokenRequestMessage.Scope); accessToken.ResourceServerEncryptionKey = targetResource.PublicTokenEncrypter; accessToken.AccessTokenSigningKey = _tokenSigner.GetSigner(); var result = new AccessTokenResult(accessToken); return(result); }
public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage) { var rsa = new RSACryptoServiceProvider(); rsa.ImportCspBlob(Convert.FromBase64String(ConfigurationManager.AppSettings["PrivateAsymmetricKey"])); var accessToken = new AuthorizationServerAccessToken() { AccessTokenSigningKey = rsa, ResourceServerEncryptionKey = rsa, }; var result = new AccessTokenResult(accessToken); result.AllowRefreshToken = false; return(result); }
/// <summary> /// Token创建 /// </summary> /// <param name="accessTokenRequestMessage"></param> /// <returns></returns> public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage) { var accessToken = new AuthorizationServerAccessToken(); accessToken.Lifetime = _configuration.TokenLifetime;//设置Token的有效时间 // 设置加密公钥 accessToken.ResourceServerEncryptionKey = (RSACryptoServiceProvider)_configuration.EncryptionCertificate.PublicKey.Key; // 设置签名私钥 accessToken.AccessTokenSigningKey = (RSACryptoServiceProvider)_configuration.SigningCertificate.PrivateKey; var result = new AccessTokenResult(accessToken); return(result); }
public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage) { var accessToken = new AuthorizationServerAccessToken(); accessToken.Lifetime = TimeSpan.FromMinutes(2); // Using the certificate of our one and only resource server blindly accessToken.ResourceServerEncryptionKey = (RSACryptoServiceProvider)WebApiApplication.EncryptionCertificate.PublicKey.Key; accessToken.AccessTokenSigningKey = (RSACryptoServiceProvider)WebApiApplication.SigningCertificate.PrivateKey; var result = new AccessTokenResult(accessToken); return(result); }
public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage) { //Default to a lifespan of one hours for all tokens. var accessToken = new AuthorizationServerAccessToken { Lifetime = TimeSpan.FromHours(1), }; //Provide both signing and encryption keys for the token (the private/public relationships will be reversed //when the resource server digests the token accessToken.AccessTokenSigningKey = (RSACryptoServiceProvider)AuthorizationServerCertificate.PrivateKey; accessToken.ResourceServerEncryptionKey = (RSACryptoServiceProvider)ResourceServerCertificate.PublicKey.Key; //Return an access token result. var result = new AccessTokenResult(accessToken); return(result); }
public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage) { var accessToken = new AuthorizationServerAccessToken(); // TODO: work out and implement appropriate lifespan for access tokens based on your specific application requirements accessToken.Lifetime = TimeSpan.FromSeconds(_tokenLifetime); // TODO: artificially shorten the access token's lifetime if the original authorization is due to expire sooner than the default lifespan. // (i.e. don't give out 7-day access tokens to somebody who has only granted your app access for 24 hours) // TODO: choose the appropriate signing keys for the specific resource server being used. // If you need to support multiple resource servers, there's two options. // 1) Use the same RSA key pair on every resource server. // 2) Select the appropriate key pair based on the requested scope (this assumes each scope maps to exactly one resource server) accessToken.ResourceServerEncryptionKey = _dataServerKeys.PublicSigningKey; accessToken.AccessTokenSigningKey = _authServerKeys.PrivateEncryptionKey; return(new AccessTokenResult(accessToken)); }
public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage) { var accessToken = new AuthorizationServerAccessToken(); // Just for the sake of the sample, we use a short-lived token. This can be useful to mitigate the security risks // of access tokens that are used over standard HTTP. // But this is just the lifetime of the access token. The client can still renew it using their refresh token until // the authorization itself expires. accessToken.Lifetime = TimeSpan.FromMinutes(20); // Also take into account the remaining life of the authorization and artificially shorten the access token's lifetime // to account for that if necessary. //// TODO: code here PublicEncryptionKey = (RSACryptoServiceProvider)EncryptionCertificate.PublicKey.Key; accessToken.ResourceServerEncryptionKey = PublicEncryptionKey; PrivateSigningKey = (RSACryptoServiceProvider)SigningCertificate.PrivateKey; accessToken.AccessTokenSigningKey = PrivateSigningKey; return(new AccessTokenResult(accessToken)); }
public AccessTokenResult CreateAccessToken( IAccessTokenRequest accessTokenRequestMessage) { var token = new AuthorizationServerAccessToken(); token.Lifetime = TimeSpan.FromMinutes(10); var signCert = LoadCert(Config.STS_CERT); token.AccessTokenSigningKey = (RSACryptoServiceProvider)signCert.PrivateKey; var encryptCert = LoadCert(Config.SERVICE_CERT); token.ResourceServerEncryptionKey = (RSACryptoServiceProvider)encryptCert.PublicKey.Key; var result = new AccessTokenResult(token); return(result); }
public AccessTokenResult CreateAccessToken(DotNetOpenAuth.OAuth2.Messages.IAccessTokenRequest accessTokenRequestMessage) { var token = new AuthorizationServerAccessToken(); token.Lifetime = TimeSpan.FromMinutes(2); token.ClientIdentifier = accessTokenRequestMessage.ClientIdentifier; foreach (string s in accessTokenRequestMessage.Scope) { token.Scope.Add(s); } token.User = accessTokenRequestMessage.UserName; // token.ExtraData.Add("id_token","thisisthejwt"); var signCert = LoadCert(Config.ALHAMBRA_AUTHORIZATION); token.AccessTokenSigningKey = (RSACryptoServiceProvider)signCert.PrivateKey; var encryptCert = LoadCert(Config.ALHAMBRA_RESOURCES); token.ResourceServerEncryptionKey = (RSACryptoServiceProvider)encryptCert.PublicKey.Key; var accessTokenResult = new AccessTokenResult(token); accessTokenResult.AccessToken.ClientIdentifier = accessTokenRequestMessage.ClientIdentifier; //Page 13 on draft 26 - Open Id Connect Basic Client Profile //if (token.Scope.Contains("offline_access")) //{ // accessTokenResult.AllowRefreshToken = true; //} accessTokenResult.AllowRefreshToken = true; return(accessTokenResult); }
/// <summary> /// Create an access token using xAuth. /// </summary> /// <param name="accessTokenRequestMessage">A request from a client that should be responded to directly with an access token.</param> /// <param name="nonce">The nonce data.</param> /// <returns>Describes the parameters to be fed into creating a response to an access token request.</returns> public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage, string nonce) { // Get the client for the consumer key var client = GetSpecificClient(accessTokenRequestMessage.ClientIdentifier); if (client != null) { // Make sure then client has been authenticated. if (accessTokenRequestMessage.ClientAuthenticated) { long clientID = client.ClientID; // Get the file store of the certificate to // return the private key for use in signing // the access token. var cryptoKey = new Nequeo.DataAccess.CloudInteraction.Data.Extension.SymmetricCryptoKey().Select.SelectDataEntity(u => u.ClientID == clientID); X509Certificate2 certificate = base.GetConsumerX509Certificate(client.ClientIdentifier); var accessToken = new AuthorizationServerAccessToken(); long oAuthConsumerID = 0; // Get the specific nonce var nonceData = GetSpecificNonce(nonce); if (nonceData != null) { oAuthConsumerID = nonceData.OAuthConsumerID; accessToken.Nonce = System.Text.Encoding.Default.GetBytes(nonce); accessToken.ClientIdentifier = accessTokenRequestMessage.ClientIdentifier; } else { throw new Exception("Could not insert token; Internal database exception."); } // Insert the access token. if (!InsertAccessToken(oAuthConsumerID, accessToken, client.Callback, accessTokenRequestMessage.Version.ToString(), AccessTokenLifetime)) { throw new Exception("Could not insert token; Internal database exception."); } // If the certificate exists. if (certificate != null) { // This can be useful to mitigate the security risks // of access tokens that are used over standard HTTP. // But this is just the lifetime of the access token. // The client can still renew it using their refresh // token until the authorization itself expires. accessToken.Lifetime = TimeSpan.FromMinutes(AccessTokenLifetime); accessToken.ClientIdentifier = accessTokenRequestMessage.ClientIdentifier; // For this sample, we assume just one resource server. // If this authorization server needs to mint access tokens for more than one resource server, // we'd look at the request message passed to us and decide which public key to return. accessToken.ResourceServerEncryptionKey = (RSACryptoServiceProvider)certificate.PublicKey.Key; accessToken.AccessTokenSigningKey = (RSACryptoServiceProvider)certificate.PrivateKey; } // Create the access token result. var result = new AccessTokenResult(accessToken); // Return the new access token data. return(result); } else { throw new Exception("The client has not been authenticated."); } } else { throw new Exception("The client for consumer key : " + accessTokenRequestMessage.ClientIdentifier + " does not exist."); } }
public AccessTokenResult(AuthorizationServerAccessToken accessToken) { this.AllowRefreshToken = true; this.AccessToken = accessToken; }