Example #1
0
        internal static void ProcessAuthenticationChallenge(IAuthenticationRequest idrequest)
        {
            // Verify that RP discovery is successful.
            if (idrequest.IsReturnUrlDiscoverable(ProviderEndpoint.Provider) != RelyingPartyDiscoveryResult.Success)
            {
                idrequest.IsAuthenticated = false;
                return;
            }

            // Verify that the RP is on the whitelist.  Realms are case sensitive.
            string[] whitelist = ConfigurationManager.AppSettings["whitelistedRealms"].Split(';');
            if (Array.IndexOf(whitelist, idrequest.Realm.ToString()) < 0)
            {
                idrequest.IsAuthenticated = false;
                return;
            }

            if (idrequest.IsDirectedIdentity)
            {
                if (HttpContext.Current.User.Identity.IsAuthenticated)
                {
                    idrequest.LocalIdentifier = Util.BuildIdentityUrl();
                    idrequest.IsAuthenticated = true;
                }
                else
                {
                    idrequest.IsAuthenticated = false;
                }
            }
            else
            {
                string userOwningOpenIdUrl = Util.ExtractUserName(idrequest.LocalIdentifier);

                // NOTE: in a production provider site, you may want to only
                // respond affirmatively if the user has already authorized this consumer
                // to know the answer.
                idrequest.IsAuthenticated = userOwningOpenIdUrl == HttpContext.Current.User.Identity.Name;
            }

            if (idrequest.IsAuthenticated.Value)
            {
                // add extension responses here.
                var fetchRequest = idrequest.GetExtension <FetchRequest>();
                if (fetchRequest != null)
                {
                    var fetchResponse = new FetchResponse();
                    if (fetchRequest.Attributes.Contains(RolesAttribute))
                    {
                        // Inform the RP what roles this user should fill
                        // These roles would normally come out of the user database.
                        fetchResponse.Attributes.Add(RolesAttribute, "Member", "Admin");
                    }
                    idrequest.AddResponseExtension(fetchResponse);
                }
            }
        }
Example #2
0
        /// <summary>
        /// Called when the Provider is preparing to send a response to an authentication request.
        /// </summary>
        /// <param name="request">The request that is configured to generate the outgoing response.</param>
        /// <returns>
        ///     <c>true</c> if this behavior owns this request and wants to stop other behaviors
        /// from handling it; <c>false</c> to allow other behaviors to process this request.
        /// </returns>
        bool IProviderBehavior.OnOutgoingResponse(IAuthenticationRequest request)
        {
            // Nothing to do for negative assertions.
            if (!request.IsAuthenticated.Value)
            {
                return(false);
            }

            var requestInternal = (Provider.AuthenticationRequest)request;
            var responseMessage = (IProtocolMessageWithExtensions)requestInternal.Response;

            // Only apply our special policies if the RP requested it.
            var papeRequest = request.GetExtension <PolicyRequest>();

            if (papeRequest != null)
            {
                if (papeRequest.PreferredPolicies.Contains(AuthenticationPolicies.PrivatePersonalIdentifier))
                {
                    ErrorUtilities.VerifyProtocol(request.ClaimedIdentifier == request.LocalIdentifier, OpenIdStrings.DelegatingIdentifiersNotAllowed);

                    if (PpidIdentifierProvider == null)
                    {
                        Logger.OpenId.Error(BehaviorStrings.PpidProviderNotGiven);
                        return(false);
                    }

                    // Mask the user's identity with a PPID.
                    if (PpidIdentifierProvider.IsUserLocalIdentifier(request.LocalIdentifier))
                    {
                        Identifier ppidIdentifier = PpidIdentifierProvider.GetIdentifier(request.LocalIdentifier, request.Realm);
                        requestInternal.ResetClaimedAndLocalIdentifiers(ppidIdentifier);
                    }

                    // Indicate that the RP is receiving a PPID claimed_id
                    var papeResponse = responseMessage.Extensions.OfType <PolicyResponse>().SingleOrDefault();
                    if (papeResponse == null)
                    {
                        request.AddResponseExtension(papeResponse = new PolicyResponse());
                    }

                    if (!papeResponse.ActualPolicies.Contains(AuthenticationPolicies.PrivatePersonalIdentifier))
                    {
                        papeResponse.ActualPolicies.Add(AuthenticationPolicies.PrivatePersonalIdentifier);
                    }

                    Reporting.RecordEventOccurrence(this, string.Empty);
                }
            }

            return(false);
        }
Example #3
0
		internal static void ProcessAuthenticationChallenge(IAuthenticationRequest idrequest) {
			// Verify that RP discovery is successful.
			if (idrequest.IsReturnUrlDiscoverable(ProviderEndpoint.Provider) != RelyingPartyDiscoveryResult.Success) {
				idrequest.IsAuthenticated = false;
				return;
			}

			// Verify that the RP is on the whitelist.  Realms are case sensitive.
			string[] whitelist = ConfigurationManager.AppSettings["whitelistedRealms"].Split(';');
			if (Array.IndexOf(whitelist, idrequest.Realm.ToString()) < 0) {
				idrequest.IsAuthenticated = false;
				return;
			}

			if (idrequest.IsDirectedIdentity) {
				if (HttpContext.Current.User.Identity.IsAuthenticated) {
					idrequest.LocalIdentifier = Util.BuildIdentityUrl();
					idrequest.IsAuthenticated = true;
				} else {
					idrequest.IsAuthenticated = false;
				}
			} else {
				string userOwningOpenIdUrl = Util.ExtractUserName(idrequest.LocalIdentifier);

				// NOTE: in a production provider site, you may want to only 
				// respond affirmatively if the user has already authorized this consumer
				// to know the answer.
				idrequest.IsAuthenticated = userOwningOpenIdUrl == HttpContext.Current.User.Identity.Name;
			}

			if (idrequest.IsAuthenticated.Value) {
				// add extension responses here.
				var fetchRequest = idrequest.GetExtension<FetchRequest>();
				if (fetchRequest != null) {
					var fetchResponse = new FetchResponse();
					if (fetchRequest.Attributes.Contains(RolesAttribute)) {
						// Inform the RP what roles this user should fill
						// These roles would normally come out of the user database.
						fetchResponse.Attributes.Add(RolesAttribute, "Member", "Admin");
					}
					idrequest.AddResponseExtension(fetchResponse);
				}
			}
		}
Example #4
0
		/// <summary>
		/// Called when the Provider is preparing to send a response to an authentication request.
		/// </summary>
		/// <param name="request">The request that is configured to generate the outgoing response.</param>
		/// <returns>
		/// 	<c>true</c> if this behavior owns this request and wants to stop other behaviors
		/// from handling it; <c>false</c> to allow other behaviors to process this request.
		/// </returns>
		bool IProviderBehavior.OnOutgoingResponse(IAuthenticationRequest request) {
			// Nothing to do for negative assertions.
			if (!request.IsAuthenticated.Value) {
				return false;
			}

			var requestInternal = (Provider.AuthenticationRequest)request;
			var responseMessage = (IProtocolMessageWithExtensions)requestInternal.Response;

			// Only apply our special policies if the RP requested it.
			var papeRequest = request.GetExtension<PolicyRequest>();
			if (papeRequest != null) {
				if (papeRequest.PreferredPolicies.Contains(AuthenticationPolicies.PrivatePersonalIdentifier)) {
					ErrorUtilities.VerifyProtocol(request.ClaimedIdentifier == request.LocalIdentifier, OpenIdStrings.DelegatingIdentifiersNotAllowed);

					if (PpidIdentifierProvider == null) {
						Logger.OpenId.Error(BehaviorStrings.PpidProviderNotGiven);
						return false;
					}

					// Mask the user's identity with a PPID.
					if (PpidIdentifierProvider.IsUserLocalIdentifier(request.LocalIdentifier)) {
						Identifier ppidIdentifier = PpidIdentifierProvider.GetIdentifier(request.LocalIdentifier, request.Realm);
						requestInternal.ResetClaimedAndLocalIdentifiers(ppidIdentifier);
					}

					// Indicate that the RP is receiving a PPID claimed_id
					var papeResponse = responseMessage.Extensions.OfType<PolicyResponse>().SingleOrDefault();
					if (papeResponse == null) {
						request.AddResponseExtension(papeResponse = new PolicyResponse());
					}

					if (!papeResponse.ActualPolicies.Contains(AuthenticationPolicies.PrivatePersonalIdentifier)) {
						papeResponse.ActualPolicies.Add(AuthenticationPolicies.PrivatePersonalIdentifier);
					}

					Reporting.RecordEventOccurrence(this, string.Empty);
				}
			}

			return false;
		}
Example #5
0
        internal static void ProcessAuthenticationChallenge(IAuthenticationRequest idrequest)
        {
            // Verify that RP discovery is successful.
            if (idrequest.IsReturnUrlDiscoverable(ProviderEndpoint.Provider.Channel.WebRequestHandler) != RelyingPartyDiscoveryResult.Success)
            {
                idrequest.IsAuthenticated = false;
                return;
            }

            // Verify that the RP is on the whitelist.  Realms are case sensitive.
            string[] whitelist = ConfigurationManager.AppSettings["whitelistedRealms"].Split(';');
            if (Array.IndexOf(whitelist, idrequest.Realm.ToString()) < 0)
            {
                idrequest.IsAuthenticated = false;
                return;
            }

            if (idrequest.IsDirectedIdentity)
            {
                if (HttpContext.Current.User.Identity.IsAuthenticated)
                {
                    idrequest.LocalIdentifier = Util.BuildIdentityUrl();
                    idrequest.IsAuthenticated = true;
                }
                else
                {
                    // If the RP demands an immediate answer, or if we're using implicit authentication
                    // and therefore have nothing further to ask the user, just reject the authentication.
                    if (idrequest.Immediate || ImplicitAuth)
                    {
                        idrequest.IsAuthenticated = false;
                    }
                    else
                    {
                        // Send the user to a page to actually log into the OP.
                        if (!HttpContext.Current.Request.Path.EndsWith("Login.aspx", StringComparison.OrdinalIgnoreCase))
                        {
                            HttpContext.Current.Response.Redirect("~/Login.aspx");
                        }
                    }
                }
            }
            else
            {
                string userOwningOpenIdUrl = Util.ExtractUserName(idrequest.LocalIdentifier);

                // NOTE: in a production provider site, you may want to only
                // respond affirmatively if the user has already authorized this consumer
                // to know the answer.
                idrequest.IsAuthenticated = userOwningOpenIdUrl == HttpContext.Current.User.Identity.Name;

                if (!idrequest.IsAuthenticated.Value && !ImplicitAuth && !idrequest.Immediate)
                {
                    // Send the user to a page to actually log into the OP.
                    if (!HttpContext.Current.Request.Path.EndsWith("Login.aspx", StringComparison.OrdinalIgnoreCase))
                    {
                        HttpContext.Current.Response.Redirect("~/Login.aspx");
                    }
                }
            }

            if (idrequest.IsAuthenticated.Value)
            {
                // add extension responses here.
                var fetchRequest = idrequest.GetExtension <FetchRequest>();
                if (fetchRequest != null)
                {
                    var fetchResponse = new FetchResponse();
                    if (fetchRequest.Attributes.Contains(RolesAttribute))
                    {
                        // Inform the RP what roles this user should fill
                        // These roles would normally come out of the user database
                        // or Windows security groups.
                        fetchResponse.Attributes.Add(RolesAttribute, "Member", "Admin");
                    }
                    idrequest.AddResponseExtension(fetchResponse);
                }
            }
        }
Example #6
0
        /// <summary>
        /// Actually send a response to the given request if possible.
        /// 
        /// May also result in some prompting for permissions, unless noPrompt is set.
        /// </summary>
        protected ActionResult SendAssertion(IAuthenticationRequest authReq, bool noPrompt = false)
        {
            if (authReq == null)
            {
                throw new InvalidOperationException("There's no pending authentication request!");
            }

            if (authReq.IsDirectedIdentity)
            {
                authReq.LocalIdentifier = Current.LoggedInUser.GetClaimedIdentifier();
            }
            if (!authReq.IsDelegatedIdentifier)
            {
                authReq.ClaimedIdentifier = authReq.LocalIdentifier;
            }

            authReq.IsAuthenticated = this.UserControlsIdentifier(authReq);

            if (authReq.IsAuthenticated.Value)
            {
                authReq.LocalIdentifier = Current.LoggedInUser.GetClaimedIdentifier();

                // Respond to SREG extension requests.
                var claimsReq = authReq.GetExtension<ClaimsRequest>();
                if (claimsReq != null)
                {
                    var claimsResp = claimsReq.CreateResponse();

                    if (claimsReq.Email != DemandLevel.NoRequest)
                    {
                        claimsResp.Email = Current.LoggedInUser.Email;
                    }

                    if (claimsReq.FullName != DemandLevel.NoRequest)
                    {
                        var realName = Current.LoggedInUser.RealName;

                        if (realName.HasValue())
                            claimsResp.FullName = realName;
                    }

                    authReq.AddResponseExtension(claimsResp);
                }

                // Response to AX extension requests
                var fetchReq = authReq.GetExtension<FetchRequest>();
                if (fetchReq != null)
                {
                    var fetchResp = new FetchResponse();

                    if (fetchReq.Attributes.Contains(WellKnownAttributes.Contact.Email))
                    {
                        fetchResp.Attributes.Add(WellKnownAttributes.Contact.Email, Current.LoggedInUser.Email);
                    }

                    if (fetchReq.Attributes.Contains(WellKnownAttributes.Name.FullName))
                    {
                        var realName = Current.LoggedInUser.RealName;

                        if (realName.HasValue())
                            fetchResp.Attributes.Add(WellKnownAttributes.Name.FullName, realName);
                    }

                    authReq.AddResponseExtension(fetchResp);
                }

                var writeableUser = Current.WriteDB.Users.Single(u => u.Id == Current.LoggedInUser.Id);
                writeableUser.AuthenticatedTo(Current.Now, authReq.Realm.Host);
            }

            var req = OpenIdProvider.PrepareResponse(authReq).AsActionResult();

            return req;
        }
Example #7
0
		internal static async Task ProcessAuthenticationChallengeAsync(IAuthenticationRequest idrequest, CancellationToken cancellationToken) {
			// Verify that RP discovery is successful.
			var providerEndpoint = new ProviderEndpoint();
			if (await idrequest.IsReturnUrlDiscoverableAsync(providerEndpoint.Provider.Channel.HostFactories, cancellationToken) != RelyingPartyDiscoveryResult.Success) {
				idrequest.IsAuthenticated = false;
				return;
			}

			// Verify that the RP is on the whitelist.  Realms are case sensitive.
			string[] whitelist = ConfigurationManager.AppSettings["whitelistedRealms"].Split(';');
			if (Array.IndexOf(whitelist, idrequest.Realm.ToString()) < 0) {
				idrequest.IsAuthenticated = false;
				return;
			}

			if (idrequest.IsDirectedIdentity) {
				if (HttpContext.Current.User.Identity.IsAuthenticated) {
					idrequest.LocalIdentifier = Util.BuildIdentityUrl();
					idrequest.IsAuthenticated = true;
				} else {
					// If the RP demands an immediate answer, or if we're using implicit authentication
					// and therefore have nothing further to ask the user, just reject the authentication.
					if (idrequest.Immediate || ImplicitAuth) {
						idrequest.IsAuthenticated = false;
					} else {
						// Send the user to a page to actually log into the OP.
						if (!HttpContext.Current.Request.Path.EndsWith("Login.aspx", StringComparison.OrdinalIgnoreCase)) {
							HttpContext.Current.Response.Redirect("~/Login.aspx");
						}
					}
				}
			} else {
				string userOwningOpenIdUrl = Util.ExtractUserName(idrequest.LocalIdentifier);

				// NOTE: in a production provider site, you may want to only 
				// respond affirmatively if the user has already authorized this consumer
				// to know the answer.
				idrequest.IsAuthenticated = userOwningOpenIdUrl == HttpContext.Current.User.Identity.Name;

				if (!idrequest.IsAuthenticated.Value && !ImplicitAuth && !idrequest.Immediate) {
					// Send the user to a page to actually log into the OP.
					if (!HttpContext.Current.Request.Path.EndsWith("Login.aspx", StringComparison.OrdinalIgnoreCase)) {
						HttpContext.Current.Response.Redirect("~/Login.aspx");
					}
				}
			}

			if (idrequest.IsAuthenticated.Value) {
				// add extension responses here.
				var fetchRequest = idrequest.GetExtension<FetchRequest>();
				if (fetchRequest != null) {
					var fetchResponse = new FetchResponse();
					if (fetchRequest.Attributes.Contains(RolesAttribute)) {
						// Inform the RP what roles this user should fill
						// These roles would normally come out of the user database
						// or Windows security groups.
						fetchResponse.Attributes.Add(RolesAttribute, "Member", "Admin");
					}
					idrequest.AddResponseExtension(fetchResponse);
				}
			}
		}
Example #8
0
        /// <summary>
        /// Actually send a response to the given request if possible.
        ///
        /// May also result in some prompting for permissions, unless noPrompt is set.
        /// </summary>
        protected ActionResult SendAssertion(IAuthenticationRequest authReq, bool noPrompt = false)
        {
            if (authReq == null)
            {
                throw new InvalidOperationException("There's no pending authentication request!");
            }

            if (authReq.IsDirectedIdentity)
            {
                authReq.LocalIdentifier = Current.LoggedInUser.GetClaimedIdentifier();
            }
            if (!authReq.IsDelegatedIdentifier)
            {
                authReq.ClaimedIdentifier = authReq.LocalIdentifier;
            }

            authReq.IsAuthenticated = this.UserControlsIdentifier(authReq);

            if (authReq.IsAuthenticated.Value)
            {
                authReq.LocalIdentifier = Current.LoggedInUser.GetClaimedIdentifier();

                // Respond to SREG extension requests.
                var claimsReq = authReq.GetExtension <ClaimsRequest>();
                if (claimsReq != null)
                {
                    var claimsResp = claimsReq.CreateResponse();

                    if (claimsReq.Email != DemandLevel.NoRequest)
                    {
                        claimsResp.Email = Current.LoggedInUser.Email;
                    }

                    if (claimsReq.FullName != DemandLevel.NoRequest)
                    {
                        var realName = Current.LoggedInUser.RealName;

                        if (realName.HasValue())
                        {
                            claimsResp.FullName = realName;
                        }
                    }

                    authReq.AddResponseExtension(claimsResp);
                }

                // Response to AX extension requests
                var fetchReq = authReq.GetExtension <FetchRequest>();
                if (fetchReq != null)
                {
                    var fetchResp = new FetchResponse();

                    if (fetchReq.Attributes.Contains(WellKnownAttributes.Contact.Email))
                    {
                        fetchResp.Attributes.Add(WellKnownAttributes.Contact.Email, Current.LoggedInUser.Email);
                    }

                    if (fetchReq.Attributes.Contains(WellKnownAttributes.Name.FullName))
                    {
                        var realName = Current.LoggedInUser.RealName;

                        if (realName.HasValue())
                        {
                            fetchResp.Attributes.Add(WellKnownAttributes.Name.FullName, realName);
                        }
                    }

                    authReq.AddResponseExtension(fetchResp);
                }

                var writeableUser = Current.WriteDB.Users.Single(u => u.Id == Current.LoggedInUser.Id);
                writeableUser.AuthenticatedTo(Current.Now, authReq.Realm.Host);
            }

            var req = OpenIdProvider.PrepareResponse(authReq).AsActionResult();

            return(req);
        }