public void Init() { _sm = new StaffMemberIndicator(SeedGuidFactory.Get("1")); _ti = new TenancyIndicator(SeedGuidFactory.Get("1")); _cii = new ClientInstanceIndicator(SeedGuidFactory.Get("1")); _secKey = new StubSecurityKeyFactory("SecretKeySecretKeySecretKeySecretKeySecretKeySecretKeySecretKeySecretKey").SecurityKey; }
public ValidatedJWTokenTestForgery(StaffMemberIndicator user, IEnumerable <SecurityAction> securityActions, TenancyIndicator tenancy, ClientInstanceIndicator clientInstance, DateTime requestTime, bool hasExpiration) { var sskf = new StubSecurityKeyFactory("SecretKeySecretKeySecretKeySecretKeySecretKeySecretKeySecretKeySecretKey"); ACC = new AuthenticatedClientClaims { Tenancy = tenancy, User = user, Client = clientInstance, }; ACC.SecurityActions.UnionWith(securityActions); RawTokenData = new JWToken(clientInstance, user, securityActions, tenancy, requestTime, hasExpiration, sskf.SigningCredentials).SignedToken; }
private void CreateToken(ClientInstanceIndicator client, StaffMemberIndicator user, IEnumerable <SecurityAction> securityActions, TenancyIndicator tenancy, DateTime requestTime, bool hasExpiration, SigningCredentials creds) { var claims = new List <Claim> { new Claim(JwtRegisteredClaimNames.Jti, Id.ToString()), new Claim(UserIdKey, user.GuidID.ToString()), new Claim(TenancyIdKey, tenancy.GuidID.ToString()), new Claim(ClientIdKey, client.GuidID.ToString()), new Claim(GrantsDocumentKey, JsonConvert.SerializeObject(securityActions.Select(x => x.ToString()).ToList())), }; var expiry = hasExpiration ? requestTime.ToUniversalTime().AddMinutes(AccessTokenExpirationMinutes) : (DateTime?)null; var tok = new JwtSecurityToken(Issuer, Audience, claims, null, expiry, creds); SignedToken = new JwtSecurityTokenHandler().WriteToken(tok); }
public virtual async Task <SessionSvcStartSessionResult> StartSession(string candidateUsername, string candidatePassword , ClientInstance clientInstance) { var clientInstanceIndicator = new ClientInstanceIndicator(_sp.ClientInstanceId); if (clientInstance != null) { clientInstance.InstanceId = clientInstanceIndicator; } var startReq = new SessionSvcStartSessionRequest { CandidateUsername = candidateUsername, CandidatePassword = candidatePassword, ClientInstanceId = clientInstanceIndicator, OauthClientId = _clientId, ClientInstance = clientInstance }; // NOTE(DA) This section of the code has given me more grief than would be expected. // // Our gRPC server only uses SSL. We have one port open and it expects all incoming // traffic to be SSL. This means our client has to speak SSL to the server. // // Somewhat annoyingly (though we'll grudgingly admit the safety benefits), gRPC is // very opinionated in its use of SSL. There is only one way to get it to use SSL -- // supply a bearer credential -- which is exactly what we don't have, we're trying to // get one with this call! (Chicken and egg problem). // // We resort to forgery to trick gRPC into using SSL. We keep this forged channel // separate and use it only for authentication purposes, throwing it out after we use // it here. // // We were originally keeping the channel around to avoid recreating it, but it's used // pretty infrequently, which means (1) we don't care about performance and (2) it was // sitting idle too long, and NAT rules were killing it off. Don't try it, we did it // and it didn't work. // // Future: currently, we don't support "session multiplexing" -- users of this // component (AppClient) start a single session, and expect it to stay open for the // life of the client. We need session multiplexing for service-service communication // where we have numerous security contexts existing side-by-side. We need to do some // thinking on how to design an interface that facilitates both use cases without making // either needlessly complicated. One option would be to force the client to suply a // credential at call time, implementing an optional ApplicationClient-maintained // "credential registry" or "session registry" that the client could use to retrieve // the token at call-time, if desired. var loginChannel = new Channel($"{_sp.AppSvcHostname}:{_sp.AppSvcPort}", AccessToken.NullToken.ToChannelCredentials()); var ss = new SessionSvc.SessionSvcClient(loginChannel); var sessionResponse = await ss.TryStartSessionAsync(startReq, new CallOptions(null, DateTime.UtcNow.AddSeconds(30))); if (sessionResponse.Result == SessionSvcStartSessionResult.Success) { SS = new SessionService(sessionResponse.SessionContext); StartServicesChannelRefresh(sessionResponse.SessionContext); } await loginChannel.ShutdownAsync(); return(sessionResponse.Result); }
public JWToken(ClientInstanceIndicator client, StaffMemberIndicator user, IEnumerable <SecurityAction> securityActions, TenancyIndicator tenancy, DateTime requestTime, bool hasExpiration, SigningCredentials creds) { Id = Guid.NewGuid(); CreateToken(client, user, securityActions, tenancy, requestTime, hasExpiration, creds); }