Example #1
0
        /*************** Start defining OAuth flows ************************/
        public Task Login_StartAsync(HttpContext httpContext)
        {
            var context = new SVAuthRequestContext(SVX_Principal, httpContext);

            // The SymT doesn't actually get used, but why not.
            var _AuthorizationRequest = SVX.SVX_Ops.Call(createAuthorizationRequest, context.channel);

            // NOTE: We are assuming that the target URL used by
            // marshalAuthorizationRequest belongs to the principal
            // idpParticipantId.principal.  We haven't extended SVX enforcement
            // that far yet.
            messageStructures.authorizationRequest.Export(_AuthorizationRequest, context.channel, idpParticipantId.principal);
            var rawReq = marshalAuthorizationRequest(_AuthorizationRequest);

            rawReq = attach_concdst_conckey(rawReq, httpContext, "++");
            //set the referrer in the CurrentUrl cookie
            try
            {
                Microsoft.Extensions.Primitives.StringValues referer;
                if (context.http.Request.Headers.TryGetValue("referer", out referer))
                {
                    context.http.Response.Headers["set-cookie"] = Microsoft.Extensions.Primitives.StringValues.Concat
                                                                      (context.http.Response.Headers["set-cookie"], "LandingUrl=" + System.Net.WebUtility.UrlDecode(referer) + ";path=/");
                }
            }
            catch (Exception ex)
            {
                //there is already a set-cookie for LandingUrl
            };
            context.http.Response.StatusCode = 303;
            context.http.Response.Redirect(rawReq);

            return(Task.CompletedTask);
        }
Example #2
0
        JObject detach_concdst_conckey_formpost(ref SVAuthRequestContext context, string delim)
        {
            JObject jo    = new JObject(context.http.Request.Form.Select(q => new JProperty(q.Key, q.Value.Single())));
            string  state = jo["state"].ToString();

            if (String.IsNullOrEmpty(state))
            {
                throw new Exception("The STATE parameter is missing.");
            }

            int pos1 = state.IndexOf(delim);

            if (pos1 > 1)
            {
                int pos2 = state.Substring(pos1 + 2).IndexOf(delim);
                if (pos2 > 1)
                {
                    context.concdst = System.Net.WebUtility.UrlDecode(state.Substring(0, pos1));
                    context.conckey = System.Net.WebUtility.UrlDecode(state.Substring(pos1 + 2, pos2));
                    var state1 = state.Substring(pos1 + pos2 + 2 + 2);
                    jo["state"] = state1;
                }
            }
            return(jo);
        }
Example #3
0
        string detach_concdst_conckey(ref SVAuthRequestContext context, string delim)
        {
            string rawReq = System.Net.WebUtility.UrlDecode(context.http.Request.QueryString.Value);
            int    pos0   = rawReq.IndexOf("&state=") + ("&state=".Length);

            if (pos0 < "&state=".Length)
            {
                pos0 = rawReq.IndexOf("?state=") + ("?state=".Length);
                if (pos0 < "?state=".Length)
                {
                    throw new Exception("state parameter is missing");
                }
            }

            int pos1 = rawReq.Substring(pos0).IndexOf(delim);

            if (pos1 > 1)
            {
                int pos2 = rawReq.Substring(pos0 + pos1 + 2).IndexOf(delim);
                if (pos2 > 1)
                {
                    context.concdst = System.Net.WebUtility.UrlDecode(rawReq.Substring(pos0, pos1));
                    context.conckey = System.Net.WebUtility.UrlDecode(rawReq.Substring(pos0 + pos1 + 2, pos2));
                    var rawReq1 = rawReq.Substring(0, pos0) + rawReq.Substring(pos0 + pos1 + pos2 + 2 + 2);
                    rawReq = rawReq1;
                }
            }
            return(rawReq);
        }
Example #4
0
        public override async Task AuthorizationCodeFlow_Login_CallbackAsync(HttpContext httpContext)
        {
            var idp = CreateModelOIDCAuthenticationServer();

            Trace.Write("AuthorizationCodeFlow_Login_CallbackAsync");
            var context = new SVAuthRequestContext(SVX_Principal, httpContext);

            var dummyAuthorizationRequest = new AuthorizationRequest();

            //REDACTED's original implementation, without detaching concdst_conckey

            /*var authorizationResponse = (OAuth20.AuthorizationResponse)Utils.ObjectFromFormPost(
             *  context.http.Request.Form,typeof(OAuth20.AuthorizationResponse));
             */

            JObject jo = detach_concdst_conckey_formpost(ref context, "  ");
            AuthorizationResponse authorizationResponse = (AuthorizationResponse)Utils.UnreflectObject(jo, typeof(AuthorizationResponse));;

            GetMessageStructures().authorizationResponse.ImportWithModel(authorizationResponse,
                                                                         () => { idp.FakeCodeEndpoint(dummyAuthorizationRequest, authorizationResponse); },
                                                                         SVX.Channel.GenerateNew(SVX_Principal), // unknown producer
                                                                         context.channel);

            /*GetMessageStructures().authorizationResponse.Import(authenticationResponse,
             *  SVX.PrincipalFacet.GenerateNew(SVX_Principal),  // unknown producer
             *  context.client);*/

            var _AccessTokenRequest = SVX.SVX_Ops.Call(createAccessTokenRequest, authorizationResponse);

            GetMessageStructures().accessTokenRequest.Export(_AccessTokenRequest, idpParticipantId.principal, null);
            var rawReq = marshalAccessTokenRequest(_AccessTokenRequest);
            var RawAccessTokenResponse = await Utils.PerformHttpRequestAsync(rawReq);

            Trace.Write("Got AccessTokenResponse");

            JObject       jObject       = JObject.Parse(RawAccessTokenResponse.Content.ReadAsStringAsync().Result);
            TokenResponse tokenResponse = Utils.UnreflectObject <TokenResponse>(jObject);

            GetMessageStructures().tokenResponse.ImportDirectResponseWithModel(tokenResponse,
                                                                               () => { idp.FakeTokenEndpoint(_AccessTokenRequest, tokenResponse); },
                                                                               idpParticipantId.principal,
                                                                               SVX_Principal
                                                                               );

            if (!String.IsNullOrEmpty(tokenResponse.id_token.theParams.nonce))
            {
                HashAlgorithm hashAlgo       = SHA1.Create();
                string        expected_nonce = BitConverter.ToString(hashAlgo.ComputeHash(System.Text.Encoding.UTF8.GetBytes(context.channel.id)));
                if (expected_nonce != tokenResponse.id_token.theParams.nonce)
                {
                    throw new Exception("invalid nonce");
                }
            }
            var conclusion = SVX.SVX_Ops.Call(createConclusionOidc, authorizationResponse, tokenResponse);

            await AuthenticationDone(conclusion, context);
        }
        public Task Login_StartAsync(HttpContext httpContext)
        {
            var context = new SVAuthRequestContext(SVX_Principal, httpContext);

            var _AuthenticationRequest = SVX.SVX_Ops.Call(createAuthenticationRequest, context.channel);

            // NOTE: We are assuming that the target URL used by
            // marshalAuthorizationRequest belongs to the principal
            // idpParticipantId.principal.  We haven't extended SVX enforcement
            // that far yet.
            GetMessageStructures().authenticationRequest.Export(_AuthenticationRequest, context.channel, idpParticipantId.principal);

            // Move CSRF_state into return_to.
            _AuthenticationRequest.openid__return_to += "?CSRF_state=" + Uri.EscapeDataString(_AuthenticationRequest.CSRF_state.Export());
            _AuthenticationRequest.CSRF_state         = null;
            //add conckey

            /* string conckey = httpContext.Request.Query["conckey"];
             * if (conckey!=null)
             *    _AuthenticationRequest.openid__return_to += "&conckey=" + Uri.EscapeDataString(conckey);*/

            string concdst = httpContext.Request.Query["concdst"];

            if (concdst != null)
            {
                _AuthenticationRequest.openid__assoc_handle = Uri.EscapeDataString(concdst);
            }
            string conckey = httpContext.Request.Query["conckey"];

            if (conckey != null)
            {
                _AuthenticationRequest.openid__assoc_handle += "++" + Uri.EscapeDataString(conckey);
            }

            var rawReq = marshalAuthenticationRequest(_AuthenticationRequest);

            //set the referrer in the CurrentUrl cookie
            try
            {
                Microsoft.Extensions.Primitives.StringValues referer;
                if (context.http.Request.Headers.TryGetValue("referer", out referer))
                {
                    context.http.Response.Headers["set-cookie"] = Microsoft.Extensions.Primitives.StringValues.Concat
                                                                      (context.http.Response.Headers["set-cookie"], "LandingUrl=" + System.Net.WebUtility.UrlDecode(referer) + ";path=/");
                }
            }
            catch (Exception ex)
            {
                //there is already a set-cookie for LandingUrl
            };
            context.http.Response.StatusCode = 303;
            context.http.Response.Redirect(rawReq);

            return(Task.CompletedTask);
        }
        public async Task AuthenticationDone(AuthenticationConclusion conclusion, SVAuthRequestContext context)
        {
            if (context.channel != conclusion.channel)
            {
                throw new Exception("Attempt to apply an AuthenticationConclusion to the wrong channel.");
            }

            if (!BypassCertification)
            {
                SVX.SVX_Ops.Certify(conclusion, LoginSafety, idpParticipantId);
                SVX.SVX_Ops.Certify(conclusion, LoginIntent, idpParticipantId);
            }
            await Utils.AbandonAndCreateSessionAsync(conclusion, context);
        }
Example #7
0
        public async Task ImplicitFlow_Login_CallbackAsync(HttpContext httpContext)
        {
            Trace.Write("ImplicitFlow_Login_CallbackAsync");
            var context = new SVAuthRequestContext(SVX_Principal, httpContext);

            //REDACTED's original implementation, without detaching concdst_conckey

            /*AuthenticationResponse_with_id_token authenticationResponse_with_id_token= (AuthenticationResponse_with_id_token)Utils.ObjectFromFormPost
             *  (context.http.Request.Form, typeof(AuthenticationResponse_with_id_token));
             */
            JObject jo = detach_concdst_conckey_formpost(ref context, "  ");
            AuthenticationResponse_with_id_token authenticationResponse_with_id_token = (AuthenticationResponse_with_id_token)Utils.UnreflectObject(jo, typeof(AuthenticationResponse_with_id_token));;
            var idp = CreateModelOIDCAuthenticationServer();
            var dummyAuthorizationRequest = new AuthorizationRequest();

            GetMessageStructures().authenticationResponse_with_id_token.ImportWithModel(authenticationResponse_with_id_token,
                                                                                        () => { idp.FakeImplicitFlowIDTokenEndpoint(dummyAuthorizationRequest, authenticationResponse_with_id_token); },
                                                                                        SVX.Channel.GenerateNew(SVX_Principal), // unknown producer
                                                                                        context.channel);
            Trace.Write("Got Valid AuthenticationResponse");

            if (!String.IsNullOrEmpty(authenticationResponse_with_id_token.id_token.theParams.nonce))
            {
                HashAlgorithm hashAlgo       = SHA1.Create();
                string        expected_nonce = BitConverter.ToString(hashAlgo.ComputeHash(System.Text.Encoding.UTF8.GetBytes(context.channel.id)));
                if (expected_nonce != authenticationResponse_with_id_token.id_token.theParams.nonce)
                {
                    throw new Exception("invalid nonce");
                }
            }

            GenericAuth.AuthenticationConclusion conclusion = SVX_Ops.Call(createConclusionOidcImplicit, authenticationResponse_with_id_token);
            if (conclusion == null)
            {
                context.http.Response.StatusCode = 303;
                context.http.Response.Redirect(context.http.Request.Cookies["LandingUrl"]);
                return;
            }

            await AuthenticationDone(conclusion, context);
        }
        public async Task Login_CallbackAsync(HttpContext httpContext)
        {
            var idp = CreateModelOpenID20AuthenticationServer();
            var dummyAuthenticationRequest = new AuthenticationRequest();

            Trace.Write("Login_CallbackAsync");
            var context = new SVAuthRequestContext(SVX_Principal, httpContext);
            AuthenticationResponse inputMSG = parse_AuthenticationResponse(context.http);

            if (inputMSG.openid__ns != "http://specs.openid.net/auth/2.0")
            {
                throw new Exception("Openid.ns does not contain the expected value.");
            }
            GetMessageStructures().authenticationResponse.ImportWithModel(inputMSG,
                                                                          () => { idp.FakeAuthenticationEndpoint(dummyAuthenticationRequest, inputMSG); },
                                                                          SVX.Channel.GenerateNew(SVX_Principal), // unknown producer
                                                                          context.channel);
            Trace.Write("Got Valid AuthenticationResponse");

            GenericAuth.AuthenticationConclusion conclusion = SVX_Ops.Call(createConclusion, inputMSG);
            if (conclusion == null)
            {
                context.http.Response.StatusCode = 303;
                context.http.Response.Redirect(context.http.Request.Cookies["LandingUrl"]);
                return;
            }
            if (Config.config.AgentSettings.agentScope != "local")
            {
                string s     = inputMSG.FieldsExpectedToBeSigned.theParams.openid__invalidate_handle;
                int    delim = s.IndexOf("++");
                if (delim < 7)
                {
                    throw new Exception("invalid conckey and concdst");
                }
                context.conckey = s.Substring(delim + 2);
                context.concdst = System.Net.WebUtility.UrlDecode(s.Substring(0, delim));
            }
            await AuthenticationDone(conclusion, context);
        }
Example #9
0
        public virtual async Task AuthorizationCodeFlow_Login_CallbackAsync(HttpContext httpContext)
        {
            Trace.Write("AuthorizationCodeFlow_Login_CallbackAsync");
            var context = new SVAuthRequestContext(SVX_Principal, httpContext);
            var idp     = CreateModelAuthorizationServer();
            var rawReq  = detach_concdst_conckey(ref context, "  ");

            // See if any subclasses need us to use their special
            // AuthorizationRequest subclass.
            var dummyAuthorizationRequest = new AuthorizationRequest();

            // This design is following the original Auth.JS as closely as
            // possible.  Arguably, we should give concrete subclasses full
            // control of unmarshalling, just like marshalling.  The original
            // parseHttpMessage supports both requests (query) and responses,
            // but here we know which is which.
            // ~ REDACTED 2016-06-01
            //   var authorizationResponse = (AuthorizationResponse)Utils.ObjectFromQuery(
            //       context.http.Request.Query, LoginCallbackRequestType);
            var authorizationResponse = (AuthorizationResponse)Utils.ObjectFromQueryString(
                rawReq, LoginCallbackRequestType);

            messageStructures.authorizationResponse.ImportWithModel(authorizationResponse,
                                                                    () => { idp.FakeCodeEndpoint(dummyAuthorizationRequest, authorizationResponse); },
                                                                    SVX.Channel.GenerateNew(SVX_Principal), // unknown producer
                                                                    context.channel);

            var accessTokenRequest = SVX.SVX_Ops.Call(createAccessTokenRequest, authorizationResponse);

            messageStructures.accessTokenRequest.Export(accessTokenRequest, idp.SVX_Principal, null);

            /*string concdst = httpContext.Request.Query["concdst"];
             * if (concdst != null)
             *  accessTokenRequest.redirect_uri += "?concdst=" + Uri.EscapeDataString(concdst);
             * string conckey = httpContext.Request.Query["conckey"];
             * if (conckey != null)
             *  accessTokenRequest.redirect_uri += "&conckey=" + Uri.EscapeDataString(conckey);*/
            var rawAccessTokenRequest  = marshalAccessTokenRequest(accessTokenRequest);
            var rawAccessTokenResponse = await Utils.PerformHttpRequestAsync(rawAccessTokenRequest);

            Trace.Write("Got AccessTokenResponse");

            var accessTokenResponse = (AccessTokenResponse)JsonConvert.DeserializeObject(
                Utils.ReadContent(rawAccessTokenResponse.Content), AccessTokenResponseType);

            messageStructures.accessTokenResponse.ImportDirectResponseWithModel(accessTokenResponse,
                                                                                () => { idp.FakeTokenEndpoint(accessTokenRequest, accessTokenResponse); },
                                                                                idp.SVX_Principal, SVX_Principal);

            var userProfileRequest = SVX.SVX_Ops.Call(createUserProfileRequest, accessTokenResponse);

            messageStructures.userProfileRequest.Export(userProfileRequest, idp.SVX_Principal, null);
            var rawUserProfileRequest  = marshalUserProfileRequest(userProfileRequest);
            var rawUserProfileResponse = await Utils.PerformHttpRequestAsync(rawUserProfileRequest);

            Trace.Write("Got UserProfileResponse");
            var userProfileResponse = (UserProfileResponse)JsonConvert.DeserializeObject(
                Utils.ReadContent(rawUserProfileResponse.Content), UserProfileResponseType);

            messageStructures.userProfileResponse.ImportDirectResponseWithModel(userProfileResponse,
                                                                                () => { idp.FakeUserProfileEndpoint(userProfileRequest, userProfileResponse); },
                                                                                idp.SVX_Principal, SVX_Principal);

            var conclusion = SVX.SVX_Ops.Call(createConclusion, authorizationResponse, userProfileResponse);

            await AuthenticationDone(conclusion, context);
        }