public OpenIDLoginResponse(Binding <JObject> binding) { if (binding.BindingDirection != this.BindingDirection) { throw new ArgumentException("Binding has the wrong binding direction for this document"); } var json = binding.GetDocument(); if (json == null) { return; } this.AccessCode = json["code"]?.ToObject <string>(); this.ID = json[nameof(JwtOpenIDPayload.JsonTokenID)]?.ToObject <string>(); this.Issuer = json[nameof(JwtOpenIDPayload.Issuer)]?.ToObject <string>(); this.Subject = json[nameof(JwtOpenIDPayload.Subject)]?.ToObject <string>(); this.Audience = json[nameof(JwtOpenIDPayload.Audience)]?.ToObject <string>(); this.UserID = json[nameof(JwtOpenIDPayload.AAD_ObjectID)]?.ToObject <string>(); this.UserName = json[nameof(JwtOpenIDPayload.UniqueName)]?.ToObject <string>(); if (this.UserName == null) { this.UserName = json[nameof(JwtOpenIDPayload.AAD_UserPrincipalName)]?.ToObject <string>(); } this.Name = json[nameof(JwtOpenIDPayload.AAD_Name)]?.ToObject <string>(); if (json[nameof(JwtOpenIDPayload.Roles)] != null) { if (json[nameof(JwtOpenIDPayload.Roles)].Type == JTokenType.Array) { this.Roles = json[nameof(JwtOpenIDPayload.Roles)]?.ToObject <string[]>(); } else { this.Roles = json[nameof(JwtOpenIDPayload.Roles)]?.ToObject <string>().Split(new String[] { "," }, StringSplitOptions.RemoveEmptyEntries).Select(x => x.Trim()).ToArray(); } } this.Emails = json[nameof(JwtOpenIDPayload.AAD_Emails)]?.ToObject <string[]>(); this.Nonce = json[nameof(JwtOpenIDPayload.Nonce)]?.ToObject <string>(); this.IssuedAtTime = json[nameof(JwtOpenIDPayload.IssuedAtTime)]?.ToObject <long>(); this.NotBefore = json[nameof(JwtOpenIDPayload.NotBefore)]?.ToObject <long>(); this.Expiration = json[nameof(JwtOpenIDPayload.Expiration)]?.ToObject <long>(); this.X509Thumbprint = json[nameof(JwtHeader.X509Thumbprint)]?.ToObject <string>(); this.KeyID = json[nameof(JwtHeader.KeyID)]?.ToObject <string>(); this.State = json["state"]?.ToObject <string>(); this.OtherClaims = OpenIDJwtBinding.GetOtherClaims(json); this.Error = json["error"]?.ToObject <string>(); this.ErrorDescription = json["error_description"]?.ToObject <string>(); }
public OpenIDLogoutResponse(Binding <JObject> binding) { if (binding.BindingDirection != this.BindingDirection) { throw new ArgumentException("Binding has the wrong binding direction for this document"); } var json = binding.GetDocument(); if (json == null) { return; } this.ServiceProvider = json[OpenIDBinding.ClientFormName]?.ToObject <string>(); this.State = json["state"]?.ToObject <string>(); this.OtherClaims = OpenIDJwtBinding.GetOtherClaims(json); }
public async ValueTask <IdentityModel> LoginCallback(IdentityHttpRequest request) { OpenIDJwtBinding callbackBinding; if (OpenIDJwtBinding.IsCodeBinding(request)) { var callbackCodeBinding = OpenIDBinding.GetBindingForRequest(request, BindingDirection.Response); var callbackCodeDocument = new OpenIDLoginResponse(callbackCodeBinding); if (!String.IsNullOrWhiteSpace(callbackCodeDocument.Error)) { throw new IdentityProviderException($"{callbackCodeDocument.Error}: {callbackCodeDocument.ErrorDescription}"); } //Get Token-------------------- var requestTokenDocument = new OpenIDTokenRequest(callbackCodeDocument.AccessCode, this.secret, OpenIDGrantType.authorization_code, redirectUrl); var requestTokenBinding = OpenIDBinding.GetBindingForDocument(requestTokenDocument, BindingType.Form); var requestTokenBody = requestTokenBinding.GetContent(); var requestToken = WebRequest.Create(tokenUrl); requestToken.Method = "POST"; requestToken.ContentType = "application/x-www-form-urlencoded"; var requestTokenBodyBytes = Encoding.UTF8.GetBytes(requestTokenBody); requestToken.ContentLength = requestTokenBodyBytes.Length; using (var stream = await requestToken.GetRequestStreamAsync()) { #if NETSTANDARD2_0 || NET461_OR_GREATER await stream.WriteAsync(requestTokenBodyBytes, 0, requestTokenBodyBytes.Length); #else await stream.WriteAsync(requestTokenBodyBytes.AsMemory()); #endif await stream.FlushAsync(); } WebResponse responseToken; try { responseToken = await requestToken.GetResponseAsync(); } catch (WebException ex) { if (ex.Response == null) { throw ex; } var responseTokenStream = ex.Response.GetResponseStream(); var error = await new StreamReader(responseTokenStream).ReadToEndAsync(); ex.Response.Close(); ex.Response.Dispose(); throw new IdentityProviderException(error); } //access_code is a JWT callbackBinding = OpenIDJwtBinding.GetBindingForResponse(responseToken, BindingDirection.Response); } else { callbackBinding = OpenIDJwtBinding.GetBindingForRequest(request, BindingDirection.Response); } var callbackDocument = new OpenIDLoginResponse(callbackBinding); if (!String.IsNullOrWhiteSpace(callbackDocument.Error)) { throw new IdentityProviderException($"{callbackDocument.Error}: {callbackDocument.ErrorDescription}"); } NonceManager.Validate(serviceProvider, callbackDocument.Nonce); if (callbackDocument.Audience != serviceProvider) { throw new IdentityProviderException("OpenID Audience is not valid", $"Received: {serviceProvider}, Expected: {callbackDocument.Audience}"); } var keys = await GetSignaturePublicKeys(this.identityProviderCertUrl); var key = keys.FirstOrDefault(x => x.X509Thumbprint == callbackDocument.X509Thumbprint); if (key == null) { key = keys.FirstOrDefault(x => x.KeyID == callbackDocument.KeyID); } if (key == null) { throw new IdentityProviderException("Identity Provider OpenID certificate not found from Json Key Url"); } if (key.KeyType != "RSA") { throw new IdentityProviderException("Identity Provider OpenID only supporting RSA at the moment"); } RSA rsa; if (key.X509Certificates == null || key.X509Certificates.Length == 0) { var rsaParams = new RSAParameters() { Modulus = Base64UrlEncoder.FromBase64String(key.Modulus), Exponent = Base64UrlEncoder.FromBase64String(key.Exponent) }; rsa = RSA.Create(); rsa.ImportParameters(rsaParams); } else { var certString = key.X509Certificates.First(); var certBytes = Convert.FromBase64String(certString); var cert = new X509Certificate2(certBytes); rsa = cert.GetRSAPublicKey(); } callbackBinding.ValidateSignature(rsa, requiredSignature); callbackBinding.ValidateFields(); var identity = new IdentityModel() { UserID = callbackDocument.UserID, UserName = callbackDocument.UserName ?? callbackDocument.Emails?.FirstOrDefault(), Name = callbackDocument.Name, Roles = callbackDocument.Roles, ServiceProvider = callbackDocument.Issuer, OtherClaims = callbackDocument.OtherClaims, State = callbackDocument.State, AccessToken = callbackBinding.AccessToken, }; return(identity); }