public void Decode_ShouldDecodeValidJWTokenPayload()
{
string validToken = "eyJ0eXAiOiJKV1QiLCJub25jZSI6IkFBMjMyVEVTVCIsImFsZyI6IkhTMjU2In0.eyJmYW1pbHlfbmFtZSI6IkRvZSIsImdpdmVuX25hbWUiOiJKb2huIiwibmFtZSI6IkpvaG4gRG9lIiwib2lkIjoiZTYwMmFkYTctNmVmZC00ZTE4LWE5NzktNjNjMDJiOWYzYzc2Iiwic2NwIjoiVXNlci5SZWFkQmFzaWMuQWxsIiwidGlkIjoiNmJjMTUzMzUtZTJiOC00YTlhLTg2ODMtYTUyYTI2YzhjNTgzIiwidW5pcXVlX25hbWUiOiJqb2huQGRvZS50ZXN0LmNvbSIsInVwbiI6ImpvaG5AZG9lLnRlc3QuY29tIn0.hf9xI5XYBjGec - 4n4_Kxj8Nd2YHBtihdevYhzFxbpXQ";
JwtPayload decodedJwtPayload = JwtHelpers.DecodeToObject <JwtPayload>(validToken.Split('.')[1]);
Assert.IsNotNull(decodedJwtPayload, "Unexpected jwt payload decoded.");
Assert.IsNotNull(decodedJwtPayload.Oid, "Unexpected oid set decoded.");
}
public CartItemsController(
JwtHelpers jwt,
ICartItemRepository cartItemRepository,
IMapper mapper
)
{
_jwt = jwt;
_cartItemRepository = cartItemRepository;
_mapper = mapper;
}
public NotesController(
JwtHelpers jwt,
INoteRepository noteRepository,
IMapper mapper
)
{
_jwt = jwt;
_noteRepository = noteRepository;
_mapper = mapper;
}
public UsersController(
JwtHelpers jwt,
IUserRepository userRepository,
IMapper mapper
)
{
_jwt = jwt;
_userRepository = userRepository;
_mapper = mapper;
}
public ActionResult SignIn(AccountModel account)
{
if (account != null && ValidateUser(account))
{
var issuer = _configuration["Payload:Claims:Issuer"];
var signKey = _configuration["Payload:Claims:SignKey"];
var expires = _configuration.GetValue<int>("Payload:Claims:Expires"); // min
var token = JwtHelpers.GenerateToken(issuer, signKey, account.Id, expires);
var result = _domainController.SignIn(account, token);
if (result != null)
{
return Ok(result);
}
}
return NotFound("User not Exist or Pssword Error");
}
public ActionResult <ResultModel> SignIn([FromBody] LoginViewModel login)
{
//https://blog.johnwu.cc/article/ironman-day09-asp-net-core-model-binding.html
try
{
if (!ModelState.IsValid)
{
return(BadRequest(ModelState));
}
_logger.Debug("登入驗證,並取得token");
var issuer = _settings.Value.Tokens.ValidIssuer;
var signKey = _settings.Value.Tokens.IssuerSigningKey; // 請換成至少 16 字元以上的安全亂碼
var expires = _settings.Value.Tokens.ValidExpires; // 單位: 分鐘
if (_ILoginService.ValidateUser(login))
{
//List相當於mvc的index api/Customers
var result = new ResultModel
{
Data = JwtHelpers.GenerateToken(issuer, signKey, login.Username, expires),
IsSuccess = true
};
return(Ok(result));
}
else
{
return(BadRequest(new ResultModel {
IsSuccess = false, Message = "失敗"
}));
}
}
catch (Exception e)
{
_logger.Error(e, "");
return(BadRequest(new ResultModel {
IsSuccess = false, Message = ""
}));
throw;
}
}
/// <summary>
/// Creats a <see cref="GraphUserAccount"/> object from a JWT access token.
/// </summary>
/// <param name="jwtAccessToken">JWT token to parse.</param>
/// <returns></returns>
private GraphUserAccount GetGraphUserAccount(string jwtAccessToken)
{
if (string.IsNullOrEmpty(jwtAccessToken))
{
return(null);
}
// Get jwt payload
string[] jwtSegments = jwtAccessToken.Split('.');
string payloadSegmant = jwtSegments.Count() == 1 ? jwtSegments.First() : jwtSegments[1];
JwtPayload jwtPayload = JwtHelpers.DecodeToObject <JwtPayload>(payloadSegmant);
return(new GraphUserAccount()
{
Email = jwtPayload.Upn,
ObjectId = jwtPayload.Oid.ToString(),
TenantId = jwtPayload.Oid.ToString()
});
}
public ActionResult <string> SignIn(string username)
{
//TODO: 要放到Config中
var issuer = "JwtAuthDemo";
var signKey = "1234567890123456";
var expires = 30; //min
var login = new LoginViewModel()
{
Username = username
};
if (ValidateUser(login))
{
return(JwtHelpers.GenerateToken(issuer, signKey, login.Username, expires));
}
else
{
return(BadRequest());
}
}
public async Task <string> Login(LoginRequest request)
{
var account = await _accountsService.GetFullAccountByEmail(request.Email).ConfigureAwait(false);
if (account == null)
{
throw new Exception("Login failed");
}
var valid = IntegraTestEncryption.IsCorrectPassword(request.Password, account.PasswordHash);
if (!valid)
{
throw new Exception("Login failed");
}
return(JwtHelpers.CreateJwt(new JwtRequest()
{
UserEmail = account.Email,
UserId = account.Id
}));
}
public IActionResult Token([FromBody] LoginInfo loginInfo)
{
//TODO: 要放到Config中
var issuer = _config["Payload:Claims:Issuer"];
var signKey = _config["Payload:Claims:SignKey"];
var expires = 30; //min
int?userId = _userService.ValidateUser(loginInfo);
if (userId != null)
{
string token = JwtHelpers.GenerateToken(issuer, signKey, loginInfo.account, expires);
Token viewmodel = new Token()
{
token = token,
userId = userId
};
return(Ok(viewmodel));
}
else
{
return(BadRequest("wrong account or password"));
}
}
public BaseTokenApiController(BaseContext dbContext, JwtHelpers jwtHelpers)
{
_dbContext = _dbContext ?? dbContext;
_jwtHelpers = _jwtHelpers ?? jwtHelpers;
}
protected override void ProcessRecord()
{
base.ProcessRecord();
AuthConfig authConfig = new AuthConfig {
TenantId = TenantId
};
CancellationToken cancellationToken = CancellationToken.None;
if (ParameterSetName == Constants.UserParameterSet)
{
// 2 mins timeout. 1 min < HTTP timeout.
TimeSpan authTimeout = new TimeSpan(0, 0, Constants.MaxDeviceCodeTimeOut);
CancellationTokenSource cts = new CancellationTokenSource(authTimeout);
cancellationToken = cts.Token;
authConfig.AuthType = AuthenticationType.Delegated;
authConfig.Scopes = Scopes ?? new string[] { "User.Read" };
}
else
{
authConfig.AuthType = AuthenticationType.AppOnly;
authConfig.ClientId = ClientId;
authConfig.CertificateThumbprint = CertificateThumbprint;
authConfig.CertificateName = CertificateName;
}
try
{
// Gets a static instance of IAuthenticationProvider when the client app hasn't changed.
IAuthenticationProvider authProvider = AuthenticationHelpers.GetAuthProvider(authConfig);
IClientApplicationBase clientApplication = null;
if (ParameterSetName == Constants.UserParameterSet)
{
clientApplication = (authProvider as DeviceCodeProvider).ClientApplication;
}
else
{
clientApplication = (authProvider as ClientCredentialProvider).ClientApplication;
}
// Incremental scope consent without re-instanciating the auth provider. We will use a static instance.
GraphRequestContext graphRequestContext = new GraphRequestContext();
graphRequestContext.CancellationToken = cancellationToken;
graphRequestContext.MiddlewareOptions = new Dictionary <string, IMiddlewareOption>
{
{
typeof(AuthenticationHandlerOption).ToString(),
new AuthenticationHandlerOption
{
AuthenticationProviderOption = new AuthenticationProviderOption
{
Scopes = authConfig.Scopes,
ForceRefresh = ForceRefresh
}
}
}
};
// Trigger consent.
HttpRequestMessage httpRequestMessage = new HttpRequestMessage(HttpMethod.Get, "https://graph.microsoft.com/v1.0/me");
httpRequestMessage.Properties.Add(typeof(GraphRequestContext).ToString(), graphRequestContext);
authProvider.AuthenticateRequestAsync(httpRequestMessage).GetAwaiter().GetResult();
var accounts = clientApplication.GetAccountsAsync().GetAwaiter().GetResult();
var account = accounts.FirstOrDefault();
JwtPayload jwtPayload = JwtHelpers.DecodeToObject <JwtPayload>(httpRequestMessage.Headers.Authorization?.Parameter);
authConfig.Scopes = jwtPayload?.Scp?.Split(' ') ?? jwtPayload?.Roles;
authConfig.TenantId = jwtPayload?.Tid ?? account?.HomeAccountId?.TenantId;
authConfig.AppName = jwtPayload?.AppDisplayname;
authConfig.Account = jwtPayload?.Upn ?? account?.Username;
// Save auth config to session state.
SessionState.PSVariable.Set(Constants.GraphAuthConfigId, authConfig);
}
catch (AuthenticationException authEx)
{
if ((authEx.InnerException is TaskCanceledException) && cancellationToken.IsCancellationRequested)
{
throw new Exception($"Device code terminal timed-out after {Constants.MaxDeviceCodeTimeOut} seconds. Please try again.");
}
else
{
throw authEx.InnerException ?? authEx;
}
}
catch (Exception ex)
{
throw ex.InnerException ?? ex;
}
WriteObject("Welcome To Microsoft Graph!");
}
public AccountController(JwtHelpers jwt)
{
this.jwt = jwt;
}
public LoginController(ILogger <LoginController> logger, JwtHelpers jwtHelper)
{
this.logger = logger;
this.jwtHelper = jwtHelper;
}
public TokenController(JwtHelpers jwt, PTCERPContext context)
{
this.jwt = jwt;
this._context = context;
}
public JwtLoginController(JwtHelpers jwt)
{
this.jwt = jwt;
}
public MemberController(IMemberService memberService, JwtHelpers jwt, IMapper mapper)
{
_memberService = memberService;
_jwt = jwt;
_mapper = mapper;
}
public JwtController(JwtHelpers jwt)
{
_jwt = jwt;
}
public UserApiController(BaseContext dbContext, JwtHelpers jwtHelpers) : base(dbContext, jwtHelpers)
{
}
public TokenController(JwtHelpers helper)
{
this.helper = helper;
}
public TokenController(JwtHelpers jwt, MiniChatRoomContext context)
{
this.jwt = jwt;
_context = context;
}
public LoginController(IUserService _UserIdentity, JwtHelpers _jwt)
{
this.UserIdentity = _UserIdentity;
this.jwt = _jwt;
}
public MemberController(JwtHelpers jwt)
{
this._jwt = jwt;
}
public TokenController(JwtHelpers jwt)
{
this.jwt = jwt;
}
public void Decode_ShouldThrowExceptionWhenInvalidJWTokenPayloadIsSet()
{
string validToken = "eyJ0eXAiOiJKV1QiLCJub25jZSI6IkFBMjMyVEVTVCIsImFsZyI6IkhTMjU2In0.eyJmYW1pbHlfbmFtZSI6IkRvZSIsImdpdmVuX25hbWUiOiJKb2huIiwibmFtZSI6IkpvaG4gRG9lIiwib2lkIjoiZTYwMmFkYTctNmVmZC00ZTE4LWE5NzktNjNjMDJiOWYzYzc2Iiwic2NwIjoiVXNlci5SZWFkQmFzaWMuQWxsIiwidGlkIjoiNmJjMTUzMzUtZTJiOC00YTlhLTg2ODMtYTUyYTI2YzhjNTgzIiwidW5pcXVlX25hbWUiOiJqb2huQGRvZS50ZXN0LmNvbSIsInVwbiI6ImpvaG5AZG9lLnRlc3QuY29tIn0.hf9xI5XYBjGec - 4n4_Kxj8Nd2YHBtihdevYhzFxbpXQ";
AuthenticationException exception = Assert.ThrowsException <AuthenticationException>(() => JwtHelpers.DecodeToObject <JwtPayload>(validToken));
Assert.AreEqual(exception.Error.Code, ErrorConstants.Codes.InvalidJWT);
Assert.AreEqual(exception.Error.Message, ErrorConstants.Message.InvalidJWT);
}
public AccountController(ILogger <AccountController> logger, JwtHelpers jwt)
{
this.logger = logger;
this.jwt = jwt;
}
public TokenController(JwtHelpers jwt, IHttpContextAccessor httpContextAccessor)
{
this.jwt = jwt;
_httpContextAccessor = httpContextAccessor;
}
/// <summary>
/// Authenticates the client using the provided <see cref="IAuthContext"/>.
/// </summary>
/// <param name="authContext">The <see cref="IAuthContext"/> to authenticate.</param>
/// <param name="forceRefresh">Whether or not to force refresh a token if one exists.</param>
/// <param name="cancellationToken">The cancellation token.</param>
/// <returns></returns>
public static async Task <IAuthContext> AuthenticateAsync(IAuthContext authContext, bool forceRefresh, CancellationToken cancellationToken)
{
try
{
// Gets a static instance of IAuthenticationProvider when the client app hasn't changed.
IAuthenticationProvider authProvider = AuthenticationHelpers.GetAuthProvider(authContext);
IClientApplicationBase clientApplication = null;
if (authContext.AuthType == AuthenticationType.Delegated)
{
clientApplication = (authProvider as DeviceCodeProvider).ClientApplication;
}
if (authContext.AuthType == AuthenticationType.AppOnly)
{
clientApplication = (authProvider as ClientCredentialProvider).ClientApplication;
}
// Incremental scope consent without re-instantiating the auth provider. We will use a static instance.
GraphRequestContext graphRequestContext = new GraphRequestContext();
graphRequestContext.CancellationToken = cancellationToken;
graphRequestContext.MiddlewareOptions = new Dictionary <string, IMiddlewareOption>
{
{
typeof(AuthenticationHandlerOption).ToString(),
new AuthenticationHandlerOption
{
AuthenticationProviderOption = new AuthenticationProviderOption
{
Scopes = authContext.Scopes,
ForceRefresh = forceRefresh
}
}
}
};
// Trigger consent.
HttpRequestMessage httpRequestMessage = new HttpRequestMessage(HttpMethod.Get, "https://graph.microsoft.com/v1.0/me");
httpRequestMessage.Properties.Add(typeof(GraphRequestContext).ToString(), graphRequestContext);
await authProvider.AuthenticateRequestAsync(httpRequestMessage);
IAccount account = null;
if (clientApplication != null)
{
// Only get accounts when we are using MSAL to get an access token.
IEnumerable <IAccount> accounts = clientApplication.GetAccountsAsync().GetAwaiter().GetResult();
account = accounts.FirstOrDefault();
}
JwtHelpers.DecodeJWT(httpRequestMessage.Headers.Authorization?.Parameter, account, ref authContext);
return(authContext);
}
catch (AuthenticationException authEx)
{
if ((authEx.InnerException is TaskCanceledException) && cancellationToken.IsCancellationRequested)
{
// DeviceCodeTimeout
throw new Exception(string.Format(
CultureInfo.CurrentCulture,
ErrorConstants.Message.DeviceCodeTimeout,
Constants.MaxDeviceCodeTimeOut));
}
else
{
throw authEx.InnerException ?? authEx;
}
}
catch (Exception ex)
{
throw ex.InnerException ?? ex;
}
}
/// <summary>
/// Authenticates the client using the provided <see cref="IAuthContext"/>.
/// </summary>
/// <param name="authContext">The <see cref="IAuthContext"/> to authenticate.</param>
/// <param name="forceRefresh">Whether or not to force refresh a token if one exists.</param>
/// <param name="cancellationToken">The cancellation token.</param>
/// <param name="fallBackWarning">Callback to report FallBack to DeviceCode Authentication</param>
/// <returns></returns>
public static async Task <IAuthContext> AuthenticateAsync(IAuthContext authContext, bool forceRefresh, CancellationToken cancellationToken, Action fallBackWarning = null)
{
// Gets a static instance of IAuthenticationProvider when the client app hasn't changed.
var authProvider = AuthenticationHelpers.GetAuthProvider(authContext);
IClientApplicationBase clientApplication = null;
switch (authContext.AuthProviderType)
{
case AuthProviderType.DeviceCodeProvider:
case AuthProviderType.DeviceCodeProviderFallBack:
clientApplication = (authProvider as DeviceCodeProvider).ClientApplication;
break;
case AuthProviderType.InteractiveAuthenticationProvider:
{
var interactiveProvider = (authProvider as InteractiveAuthenticationProvider).ClientApplication;
//When User is not Interactive, Pre-Emptively Fallback and warn, to DeviceCode
if (!interactiveProvider.IsUserInteractive())
{
authContext.AuthProviderType = AuthProviderType.DeviceCodeProviderFallBack;
fallBackWarning?.Invoke();
var fallBackAuthContext = await AuthenticateAsync(authContext, forceRefresh, cancellationToken, fallBackWarning);
return(fallBackAuthContext);
}
break;
}
case AuthProviderType.ClientCredentialProvider:
{
clientApplication = (authProvider as ClientCredentialProvider).ClientApplication;
break;
}
}
try
{
// Incremental scope consent without re-instantiating the auth provider. We will use provided instance.
GraphRequestContext graphRequestContext = new GraphRequestContext();
graphRequestContext.CancellationToken = cancellationToken;
graphRequestContext.MiddlewareOptions = new Dictionary <string, IMiddlewareOption>
{
{
typeof(AuthenticationHandlerOption).ToString(),
new AuthenticationHandlerOption
{
AuthenticationProviderOption = new AuthenticationProviderOption
{
Scopes = authContext.Scopes,
ForceRefresh = forceRefresh
}
}
}
};
// Trigger consent.
HttpRequestMessage httpRequestMessage = new HttpRequestMessage(HttpMethod.Get, "https://graph.microsoft.com/v1.0/me");
httpRequestMessage.Properties.Add(typeof(GraphRequestContext).ToString(), graphRequestContext);
await authProvider.AuthenticateRequestAsync(httpRequestMessage);
IAccount account = null;
if (clientApplication != null)
{
// Only get accounts when we are using MSAL to get an access token.
IEnumerable <IAccount> accounts = clientApplication.GetAccountsAsync().GetAwaiter().GetResult();
account = accounts.FirstOrDefault();
}
JwtHelpers.DecodeJWT(httpRequestMessage.Headers.Authorization?.Parameter, account, ref authContext);
return(authContext);
}
catch (AuthenticationException authEx)
{
//Interactive Authentication Failure: Could Not Open Browser, fallback to DeviceAuth
if (IsUnableToOpenWebPageError(authEx))
{
authContext.AuthProviderType = AuthProviderType.DeviceCodeProviderFallBack;
//ReAuthenticate using DeviceCode as fallback.
var fallBackAuthContext = await AuthenticateAsync(authContext, forceRefresh, cancellationToken);
//Indicate that this was a Fallback
if (fallBackWarning != null && fallBackAuthContext.AuthProviderType == AuthProviderType.DeviceCodeProviderFallBack)
{
fallBackWarning();
}
return(fallBackAuthContext);
}
if (authEx.InnerException is TaskCanceledException && cancellationToken.IsCancellationRequested)
{
// Authentication requets timeout.
throw new Exception(string.Format(CultureInfo.CurrentCulture, ErrorConstants.Message.DeviceCodeTimeout, Constants.MaxDeviceCodeTimeOut));
}
else if (authEx.InnerException is MsalServiceException msalServiceEx &&
msalServiceEx.StatusCode == 400 &&
msalServiceEx.ErrorCode == "invalid_scope" &&
string.IsNullOrWhiteSpace(authContext.TenantId) &&
(authContext.AuthProviderType == AuthProviderType.DeviceCodeProvider ||
authContext.AuthProviderType == AuthProviderType.DeviceCodeProviderFallBack))
{
// MSAL scope validation error. Ask customer to specify sign-in audience or tenant Id.
throw new MsalClientException(msalServiceEx.ErrorCode, $"{msalServiceEx.Message}.\r\n{ErrorConstants.Message.InvalidScope}", msalServiceEx);
}
//Something Unknown Went Wrong
throw authEx.InnerException ?? authEx;
}
catch (Exception ex)
{
throw ex.InnerException ?? ex;
}
}
