public FakedAuthenticationProvider(IClaimsIdentityProvider claimsIdentityProvider)
{
_namespacePrefixes = new Lazy <List <string> >(() => new List <string> {
"uri://ed-fi.org"
});
_educationOrganizationIds = new Lazy <List <int> >(() => new List <int> {
255901
});
_identity = new Lazy <ClaimsIdentity>(
() => claimsIdentityProvider
.GetClaimsIdentity(
_educationOrganizationIds.Value, ClaimSetName, _namespacePrefixes.Value, new List <string>()));
_apiKeyContext = new Lazy <ApiKeyContext>(
() => new ApiKeyContext(
Guid.NewGuid().ToString("n"),
ClaimSetName,
_educationOrganizationIds.Value,
_namespacePrefixes.Value,
null,
null,
null,
null));
}
/// <summary>
/// Implements the signature needed by the <see cref="ClaimsPrincipal.ClaimsPrincipalSelector"/> static delegate for
/// obtaining <see cref="ClaimsPrincipal"/> instances.
/// </summary>
/// <returns>The <see cref="ClaimsPrincipal"/> that can be used to make authorization decisions.</returns>
public static ClaimsPrincipal GetClaimsPrincipal(IClaimsIdentityProvider identityProvider)
{
// If we've already establish the OAuth-based claims principal on this thread, return it.
if (Thread.CurrentPrincipal.Identity.AuthenticationType == EdFiAuthenticationTypes.OAuth)
{
return(Thread.CurrentPrincipal as ClaimsPrincipal);
}
// Establish the ClaimsPrincipal based on the current context
var claimsIdentity = identityProvider.GetClaimsIdentity();
return(new ClaimsPrincipal(claimsIdentity));
}
public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
// TODO: Go to database to verify.
if (context.UserName != context.Password)
{
context.SetError("invalid_grant", "The user name or password is incorrect");
return(Task.FromResult(0));
}
// If still here we have validated the credentials. Lets proceed to issue claims.
var userId = "55";
var identity = _claimsIdentityProvider.GetClaimsIdentity(userId);
context.Validated(identity);
return(Task.FromResult(0));
}
public string GetToken(string user, DateTime?expires)
{
var handler = new JwtSecurityTokenHandler();
var identity = _claimsIdentityProvider.GetClaimsIdentity("abc123");
var securityTokenDescriptor = new SecurityTokenDescriptor
{
// Issuer
TokenIssuerName = _applicationSettingsProvider.GetValue("JWT.Issuer"),
//Audience = tokenOptions.Audience,
AppliesToAddress = _applicationSettingsProvider.GetValue("JWT.Audience"), // Audience
SigningCredentials = _signingCredentialsProvider.GetSigningCredentials(),
Subject = identity,
//Expires = expires
Lifetime = new Lifetime(DateTime.Now, expires)
};
var securityToken = handler.CreateToken(securityTokenDescriptor);
return(handler.WriteToken(securityToken));
}
public async Task <AuthenticationResult> GetAuthenticationResultAsync(AuthenticationHeaderValue authHeader)
{
ApiClientDetails apiClientDetails;
try
{
// If there are credentials but the filter does not recognize the authentication scheme, do nothing.
if (!authHeader.Scheme.EqualsIgnoreCase(AuthenticationScheme))
{
_logger.Debug("Unknown auth header scheme");
return(new AuthenticationResult {
AuthenticateResult = AuthenticateResult.NoResult()
});
}
// If the credentials are bad, set the error result.
if (string.IsNullOrEmpty(authHeader.Parameter))
{
_logger.Debug("Missing auth header parameter");
return(new AuthenticationResult
{
AuthenticateResult = AuthenticateResult.Fail("Missing auth header parameter")
});
}
// If there are credentials that the filter understands, try to validate them.
apiClientDetails = await _oAuthTokenValidator.GetClientDetailsForTokenAsync(authHeader.Parameter);
}
catch (Exception e)
{
_logger.Error(e);
return(new AuthenticationResult {
AuthenticateResult = AuthenticateResult.Fail("Invalid Authorization Header")
});
}
if (_expectedUseSandboxValue.Value.HasValue &&
apiClientDetails.IsSandboxClient != _expectedUseSandboxValue.Value.Value)
{
string message = apiClientDetails.IsSandboxClient
? "Sandbox credentials used in call to Production API"
: "Production credentials used in call to Sandbox API";
return(new AuthenticationResult {
AuthenticateResult = AuthenticateResult.Fail(message)
});
}
var identity = _claimsIdentityProvider.GetClaimsIdentity(
apiClientDetails.EducationOrganizationIds,
apiClientDetails.ClaimSetName,
apiClientDetails.NamespacePrefixes,
apiClientDetails.Profiles.ToList());
var apiKeyContext = new ApiKeyContext(
apiClientDetails.ApiKey,
apiClientDetails.ClaimSetName,
apiClientDetails.EducationOrganizationIds,
apiClientDetails.NamespacePrefixes,
apiClientDetails.Profiles,
apiClientDetails.StudentIdentificationSystemDescriptor,
apiClientDetails.CreatorOwnershipTokenId,
apiClientDetails.OwnershipTokenIds);
return(new AuthenticationResult
{
ClaimsIdentity = identity,
ApiKeyContext = apiKeyContext
});
}
/// <inheritdoc cref="IOAuthTokenAuthenticator.AuthenticateAsync" />
public async Task <AuthenticateResult> AuthenticateAsync(string token, string authorizationScheme)
{
ApiClientDetails apiClientDetails;
try
{
// If there are credentials that the filter understands, try to validate them.
apiClientDetails = await _apiClientDetailsProvider.GetClientDetailsForTokenAsync(token);
if (!apiClientDetails.IsTokenValid)
{
return(AuthenticateResult.Fail("Invalid token"));
}
}
catch (Exception e)
{
_logger.Error(e);
return(AuthenticateResult.Fail("Invalid Authorization Header"));
}
if (_expectedUseSandboxValue.Value.HasValue &&
apiClientDetails.IsSandboxClient != _expectedUseSandboxValue.Value.Value)
{
string message = apiClientDetails.IsSandboxClient
? "Sandbox credentials used in call to Production API"
: "Production credentials used in call to Sandbox API";
return(AuthenticateResult.Fail(message));
}
var identity = _claimsIdentityProvider.GetClaimsIdentity(
apiClientDetails.EducationOrganizationIds,
apiClientDetails.ClaimSetName,
apiClientDetails.NamespacePrefixes,
apiClientDetails.Profiles.ToList(),
apiClientDetails.OwnershipTokenIds.ToList());
var principal = new ClaimsPrincipal(identity);
var ticket = new AuthenticationTicket(principal, CreateAuthenticationProperties(), authorizationScheme);
return(AuthenticateResult.Success(ticket));
AuthenticationProperties CreateAuthenticationProperties()
{
var parameters = new Dictionary <string, object>()
{
{
"ApiKeyContext",
new ApiKeyContext(
apiClientDetails.ApiKey,
apiClientDetails.ClaimSetName,
apiClientDetails.EducationOrganizationIds,
apiClientDetails.NamespacePrefixes,
apiClientDetails.Profiles,
apiClientDetails.StudentIdentificationSystemDescriptor,
apiClientDetails.CreatorOwnershipTokenId,
apiClientDetails.OwnershipTokenIds)
}
};
var items = new Dictionary <string, string>()
{
{ ".expires", apiClientDetails.ExpiresUtc.ToString("O") }
};
return(new AuthenticationProperties(items, parameters));
}
}