public OAuthServiceCall(HttpRequest request) { if (request == null) { throw new ArgumentNullException("request"); } OriginalRequest = request; ServiceCall = ServiceFromString(request.PathInfo); ResponseCallback = util.GetStringParam(request, "callback"); ResultFormat = (util.GetIntParam(request, "json", 0) != 0) ? (String.IsNullOrEmpty(ResponseCallback) ? OutputFormat.JSON : OutputFormat.JSONP) : OutputFormat.XML; using (RSACryptoServiceProvider rsaSigning = new RSACryptoServiceProvider()) { using (RSACryptoServiceProvider rsaEncryption = new RSACryptoServiceProvider()) { rsaSigning.ImportParameters(OAuth2AuthorizationServer.AuthorizationServerSigningPublicKey); rsaEncryption.ImportParameters(OAuth2AuthorizationServer.CreateAuthorizationServerSigningKey()); ResourceServer server = new ResourceServer(new StandardAccessTokenAnalyzer(rsaSigning, rsaEncryption)); Token = server.GetAccessToken(); if (Token.Lifetime.HasValue && Token.UtcIssued.Add(Token.Lifetime.Value).CompareTo(DateTime.UtcNow) < 0) { throw new MyFlightbookException("oAuth2 - Token has expired!"); } if (String.IsNullOrEmpty(Token.User)) { throw new MyFlightbookException("Invalid oAuth token - no user"); } GeneratedAuthToken = MFBWebService.AuthTokenFromOAuthToken(Token); } } }
//[HttpHeader("x-frame-options", "SAMEORIGIN")] // mitigates clickjacking public ActionResult Authorise() { using (OAuth2AuthorizationServer server = (new OAuth2AuthorizationServer(new X509Certificate2(ConfigurationManager.AppSettings["AbsolutePathToPfx"], ConfigurationManager.AppSettings["CertificatePassword"]), new X509Certificate2(ConfigurationManager.AppSettings["AbsolutePathToCertificate"])))) { AuthorizationServer authorizationServer = new AuthorizationServer(server); var pendingRequest = authorizationServer.ReadAuthorizationRequest(); if (pendingRequest == null) { throw new HttpException((int)HttpStatusCode.BadRequest, "Missing authorization request."); } var requestingClient = MvcApplication.DataContext.Clients.First(c => c.ClientIdentifier == pendingRequest.ClientIdentifier); // Consider auto-approving if safe to do so. if (((OAuth2AuthorizationServer)authorizationServer.AuthorizationServerServices).CanBeAutoApproved(pendingRequest)) { var approval = authorizationServer.PrepareApproveAuthorizationRequest(pendingRequest, HttpContext.User.Identity.Name); return(authorizationServer.Channel.PrepareResponse(approval).AsActionResult()); } var model = new AccountAuthorizeModel { ClientApp = requestingClient.Name, Scope = pendingRequest.Scope, AuthorizationRequest = pendingRequest, }; return(View(model)); } }
/// <summary> /// The OAuth 2.0 token endpoint. /// </summary> /// <returns>The response to the Client.</returns> public ActionResult Token() { using (OAuth2AuthorizationServer server = (new OAuth2AuthorizationServer(new X509Certificate2(ConfigurationManager.AppSettings["AbsolutePathToPfx"], ConfigurationManager.AppSettings["CertificatePassword"]), new X509Certificate2(ConfigurationManager.AppSettings["AbsolutePathToCertificate"])))) { AuthorizationServer authorizationServer = new AuthorizationServer(server); OutgoingWebResponse response = authorizationServer.HandleTokenRequest(this.Request); return(response.AsActionResult()); } }
public ActionResult AuthoriseResponse(bool isApproved) { using (OAuth2AuthorizationServer server = (new OAuth2AuthorizationServer(new X509Certificate2(ConfigurationManager.AppSettings["AbsolutePathToPfx"], ConfigurationManager.AppSettings["CertificatePassword"]), new X509Certificate2(ConfigurationManager.AppSettings["AbsolutePathToCertificate"])))) { AuthorizationServer authorizationServer = new AuthorizationServer(server); var pendingRequest = authorizationServer.ReadAuthorizationRequest(); if (pendingRequest == null) { throw new HttpException((int)HttpStatusCode.BadRequest, "Missing authorization request."); } IDirectedProtocolMessage response; if (isApproved) { // The authorization we file in our database lasts until the user explicitly revokes it. // You can cause the authorization to expire by setting the ExpirationDateUTC // property in the below created ClientAuthorization. var client = MvcApplication.DataContext.Clients.First(c => c.ClientIdentifier == pendingRequest.ClientIdentifier); client.ClientAuthorizations.Add( new ClientAuthorization { Scope = OAuthUtilities.JoinScopes(pendingRequest.Scope), User = MvcApplication.DataContext.Users.FirstOrDefault(u => u.Username == System.Web.HttpContext.Current.User.Identity.Name), CreatedOnUtc = DateTime.UtcNow, }); MvcApplication.DataContext.SaveChanges(); // submit now so that this new row can be retrieved later in this same HTTP request // In this simple sample, the user either agrees to the entire scope requested by the client or none of it. // But in a real app, you could grant a reduced scope of access to the client by passing a scope parameter to this method. response = authorizationServer.PrepareApproveAuthorizationRequest(pendingRequest, User.Identity.Name); } else { response = authorizationServer.PrepareRejectAuthorizationRequest(pendingRequest); } return(authorizationServer.Channel.PrepareResponse(response).AsActionResult()); } }