Example #1
0
        public SessionIdModel CreateSession(InitializeModel model)
        {
            // Creates a new user session and returns the Session ID and One Time Code
            // used to logon

            if (model == null || string.IsNullOrEmpty(model.AccessToken))
            {
                throw new InvalidOperationException();
            }

            // Makes sure the access token is valid and meant for us
            if (!TokenValidator.ValidateAccessToken(model.AccessToken, out _))
            {
                throw new Exception("Access token was not validated");
            }

            // Generates a unique session id and a unique one time code
            var sessionId   = GenerateRandomValue();
            var oneTimeCode = GenerateRandomValue();

            // Stores the access token, the hashed nonce and the one time code used for the session
            _memoryCache.Set(sessionId + "_at", model.AccessToken);
            _memoryCache.Set(sessionId + "_hash", model.NonceHash);
            _memoryCache.Set(oneTimeCode, sessionId);

            return(new SessionIdModel {
                OneTimeCode = oneTimeCode, SessionId = sessionId
            });
        }
Example #2
0
        public string Post()
        {
            // This is just a very simple api that returns a string
            // We handle the token manually so we don't have to setup a much more complex web application
            // that handles many types of authentication

            var token = Request.Headers["Authorization"].ToString().Replace("Bearer ", "");

            if (TokenValidator.ValidateAccessToken(token, out _))
            {
                return("API called OK");
            }
            else
            {
                return("API failed");
            }
        }
Example #3
0
        public IActionResult RefreshSession(UpdateModel model)
        {
            // Updates an existing session with a new access token
            // The access token is validated and the session id is validated
            // Finally we ensure that the access token belongs to this session

            if (model == null || string.IsNullOrEmpty(model.AccessToken))
            {
                throw new InvalidOperationException();
            }

            // Validates the new access token, keeps the claims for later validation
            if (!TokenValidator.ValidateAccessToken(model.AccessToken, out ClaimsPrincipal newPrincipal))
            {
                throw new Exception("Access token was not validated");
            }

            // Ensures that we have an existing session by fetching the access token for that session id
            // In a real application you will probably have different mechanisms for session validation... :-)
            var originalAccessToken = _memoryCache.Get <string>(model.SessionId + "_at");

            // Extracts the claims from the original access token
            TokenValidator.ValidateAccessToken(originalAccessToken, out ClaimsPrincipal originalPrincipal);

            // Validates that the new access token is a valid replacement of the current access token
            // Since we are using a simplified model here, we only have the client id to use for validation.
            // In a real application you would also check the user PID, possibly the SFM_ID claim when it is ready
            // and possibly other claims as well
            if (newPrincipal.FindFirstValue("client_id") != originalPrincipal.FindFirstValue("client_id"))
            {
                throw new Exception("Client ID of original and new access token does not match!");
            }

            // Replaces the current access token with the new one for the given session
            _memoryCache.Set(model.SessionId + "_at", model.AccessToken);

            return(Ok());
        }