public async Task <JwsPayload> UpdatePayloadDate(JwsPayload jwsPayload)
{
if (jwsPayload == null)
{
throw new ArgumentNullException(nameof(jwsPayload));
}
var timeKeyValuePair = await GetExpirationAndIssuedTime();
var expirationInSeconds = timeKeyValuePair.Key;
var issuedAtTime = timeKeyValuePair.Value;
if (jwsPayload.ContainsKey(StandardClaimNames.Iat))
{
jwsPayload[StandardClaimNames.Iat] = issuedAtTime;
}
else
{
jwsPayload.Add(StandardClaimNames.Iat, issuedAtTime);
}
if (jwsPayload.ContainsKey(StandardClaimNames.ExpirationTime))
{
jwsPayload[StandardClaimNames.ExpirationTime] = expirationInSeconds;
}
else
{
jwsPayload.Add(StandardClaimNames.ExpirationTime, expirationInSeconds);
}
return(jwsPayload);
}
protected virtual void CheckRequestObject(JwsHeader header, JwsPayload jwsPayload, OpenIdClient openidClient, HandlerContext context)
{
if (jwsPayload == null)
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST, OAuth.ErrorMessages.INVALID_JWS_REQUEST_PARAMETER);
}
if (!string.IsNullOrWhiteSpace(openidClient.RequestObjectSigningAlg) && header.Alg != openidClient.RequestObjectSigningAlg)
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST_OBJECT, ErrorMessages.INVALID_SIGNATURE_ALG);
}
if (!jwsPayload.ContainsKey(OAuth.DTOs.AuthorizationRequestParameters.ResponseType))
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST_OBJECT, ErrorMessages.MISSING_RESPONSE_TYPE_CLAIM);
}
if (!jwsPayload.ContainsKey(OAuth.DTOs.AuthorizationRequestParameters.ClientId))
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST_OBJECT, ErrorMessages.MISSING_CLIENT_ID_CLAIM);
}
if (!jwsPayload[OAuth.DTOs.AuthorizationRequestParameters.ResponseType].ToString().Split(' ').OrderBy(s => s).SequenceEqual(context.Request.RequestData.GetResponseTypesFromAuthorizationRequest().OrderBy(s => s)))
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST_OBJECT, ErrorMessages.INVALID_RESPONSE_TYPE_CLAIM);
}
if (jwsPayload[OAuth.DTOs.AuthorizationRequestParameters.ClientId].ToString() != context.Client.ClientId)
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST_OBJECT, ErrorMessages.INVALID_CLIENT_ID_CLAIM);
}
}
private static void Init(JwsPayload payload)
{
if (!payload.ContainsKey(CLAIM_NAMES))
{
payload.Add(CLAIM_NAMES, new JObject());
}
if (!payload.ContainsKey(CLAIM_SOURCES))
{
payload.Add(CLAIM_SOURCES, new JObject());
}
}
private static bool CompareJwsPayload(JwsPayload firstJwsPayload, JwsPayload secondJwsPayload)
{
foreach (var record in firstJwsPayload)
{
if (!Core.Jwt.Constants.AllStandardResourceOwnerClaimNames.Contains(record.Key))
{
continue;
}
if (!secondJwsPayload.ContainsKey(record.Key))
{
return(false);
}
if (!string.Equals(
record.Value.ToString(),
secondJwsPayload[record.Key].ToString(),
StringComparison.CurrentCultureIgnoreCase))
{
return(false);
}
}
return(true);
}
public static IEnumerable <AuthorizationRequestClaimParameter> GetClaims(this JwsPayload jObj)
{
if (!jObj.ContainsKey(AuthorizationRequestParameters.Claims))
{
return(new AuthorizationRequestClaimParameter[0]);
}
return(((JObject)JsonConvert.DeserializeObject(jObj[AuthorizationRequestParameters.Claims].ToString())).GetClaims());
}
public void When_JwsAlg_Is_RS512_And_AuthorizationCode_And_AccessToken_Are_Not_Empty_Then_OtherClaims_Are_FilledIn()
{
// ARRANGE
InitializeMockObjects();
var client = FakeOpenIdAssets.GetClients().First();
client.IdTokenSignedResponseAlg = Constants.JwsAlgNames.RS512;
var jwsPayload = new JwsPayload();
var authorizationParameter = new AuthorizationParameter
{
ClientId = client.ClientId
};
// ACT & ASSERT
_jwtGenerator.FillInOtherClaimsIdentityTokenPayload(jwsPayload, "authorization_code", "access_token", authorizationParameter, client);
Assert.True(jwsPayload.ContainsKey(StandardClaimNames.AtHash));
Assert.True(jwsPayload.ContainsKey(StandardClaimNames.CHash));
}
public void When_JwsAlg_Is_None_And_Trying_To_FillIn_Other_Claims_Then_The_Properties_Are_Not_Filled_In()
{
// ARRANGE
InitializeMockObjects();
var client = FakeOpenIdAssets.GetClients().First();
client.IdTokenSignedResponseAlg = "none";
var jwsPayload = new JwsPayload();
var authorizationParameter = new AuthorizationParameter
{
ClientId = client.ClientId
};
// ACT & ASSERT
_jwtGenerator.FillInOtherClaimsIdentityTokenPayload(jwsPayload, null, null, authorizationParameter, new Client());
Assert.False(jwsPayload.ContainsKey(StandardClaimNames.AtHash));
Assert.False(jwsPayload.ContainsKey(StandardClaimNames.CHash));
}
/// <summary>
/// Try to get the value from the PAYLOAD.
/// </summary>
/// <param name="jwsPayload"></param>
/// <param name="key"></param>
/// <returns></returns>
private static string TryGetKey(JwsPayload jwsPayload, string key)
{
if (!jwsPayload.ContainsKey(key))
{
return(string.Empty);
}
return(jwsPayload[key].ToString());
}
public static IEnumerable <AuthorizationRequestClaimParameter> GetClaimsFromAccessToken(this JwsPayload jObj, AuthorizationRequestClaimTypes type)
{
if (!jObj.ContainsKey(AuthorizationRequestParameters.Claims))
{
return(new AuthorizationRequestClaimParameter[0]);
}
var claims = jObj[AuthorizationRequestParameters.Claims] as JObject;
return(claims.ExtractClaims(type));
}
private bool CompareJwsPayload(JwsPayload firstJwsPayload, JwsPayload secondJwsPayload)
{
foreach (var record in firstJwsPayload)
{
if (!_userClaims.Contains(record.Key))
{
continue;
}
if (!secondJwsPayload.ContainsKey(record.Key))
{
return(false);
}
if (!string.Equals(record.Value.ToString(), secondJwsPayload[record.Key].ToString(), StringComparison.CurrentCultureIgnoreCase))
{
return(false);
}
}
return(true);
}
public async Task Enrich(JwsPayload result, JObject queryParameters, CancellationToken cancellationToken)
{
var authRequestId = queryParameters.GetAuthRequestId();
if (!string.IsNullOrWhiteSpace(authRequestId))
{
var authorize = await _bcAuthorizeRepository.Get(authRequestId, cancellationToken);
if (authorize != null && authorize.Permissions.Any())
{
var firstPermission = authorize.Permissions.First();
if (result.ContainsKey(_options.OpenBankingApiConsentClaimName))
{
result[_options.OpenBankingApiConsentClaimName] = firstPermission.ConsentId;
}
else
{
result.Add(_options.OpenBankingApiConsentClaimName, firstPermission.ConsentId);
}
}
if (authorize.Scopes.Contains(SIDOpenIdConstants.StandardScopes.OpenIdScope.Name) && !result.ContainsKey(UserClaims.Subject))
{
result.Add(UserClaims.Subject, authorize.UserId);
}
}
var requestedClaims = queryParameters.GetClaimsFromAuthorizationRequest();
if (requestedClaims != null)
{
var requestedClaim = requestedClaims.FirstOrDefault(c => c.Name == _options.OpenBankingApiConsentClaimName);
if (requestedClaim != null)
{
result.Add(_options.OpenBankingApiConsentClaimName, requestedClaim.Values.First());
}
}
}
protected override void CheckRequestObject(JwsHeader header, JwsPayload jwsPayload, OpenIdClient openidClient, HandlerContext context)
{
base.CheckRequestObject(header, jwsPayload, openidClient, context);
if (!jwsPayload.ContainsKey(Jwt.Constants.OAuthClaims.ExpirationTime))
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST, string.Format(ErrorMessages.MISSING_PARAMETER, Jwt.Constants.OAuthClaims.ExpirationTime));
}
var currentDateTime = DateTime.UtcNow.ConvertToUnixTimestamp();
var exp = jwsPayload.GetExpirationTime();
if (currentDateTime > exp)
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST_OBJECT, ErrorMessages.REQUEST_OBJECT_IS_EXPIRED);
}
var audiences = jwsPayload.GetAudiences();
if (audiences.Any() && !audiences.Contains(context.Request.IssuerName))
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST_OBJECT, ErrorMessages.REQUEST_OBJECT_BAD_AUDIENCE);
}
}
