public void GetAccessTokenWithTotallyFakeToken() {
			// A bearer token the authorization server never issued must be rejected
			// by the resource server rather than decoded into a principal.
			var analyzer = new StandardAccessTokenAnalyzer(AsymmetricKey, null);
			var server = new ResourceServer(analyzer);

			var headers = new NameValueCollection();
			headers.Add("Authorization", "Bearer foobar");
			var incoming = new HttpRequestInfo("GET", new Uri("http://localhost/resource"), headers: headers);

			TestDelegate decode = () => server.GetAccessTokenAsync(incoming).GetAwaiter().GetResult();
			Assert.That(decode, Throws.InstanceOf<ProtocolException>());
		}
		public async Task GetAccessTokenWithCorruptedToken() {
			// Obtain a genuine token, then tamper with its tail: the resource server
			// must reject the modified token instead of decoding it.
			var issued = await this.ObtainValidAccessTokenAsync();
			var tampered = issued.Substring(0, issued.Length - 1) + "zzz";

			var server = new ResourceServer(new StandardAccessTokenAnalyzer(AsymmetricKey, null));

			var headers = new NameValueCollection();
			headers.Add("Authorization", "Bearer " + tampered);
			var incoming = new HttpRequestInfo("GET", new Uri("http://localhost/resource"), headers: headers);

			TestDelegate decode = () => server.GetAccessTokenAsync(incoming).GetAwaiter().GetResult();
			Assert.That(decode, Throws.InstanceOf<ProtocolException>());
		}
		public async Task GetAccessTokenWithValidToken() {
			// Happy path: a freshly issued token presented as a bearer credential
			// decodes successfully on the resource server side.
			var issued = await this.ObtainValidAccessTokenAsync();

			var server = new ResourceServer(new StandardAccessTokenAnalyzer(AsymmetricKey, null));

			var headers = new NameValueCollection();
			headers.Add("Authorization", "Bearer " + issued);
			var incoming = new HttpRequestInfo("GET", new Uri("http://localhost/resource"), headers: headers);

			var decoded = await server.GetAccessTokenAsync(incoming);
			Assert.That(decoded, Is.Not.Null);
		}
        /// <summary>
        /// Action filter that gates the action on a bearer access token: it requires an
        /// Authorization header or an "access_token" request property, decodes the token
        /// with a <see cref="ResourceServer"/>, rejects tokens issued before the client's
        /// latest revocation, and otherwise installs the decoded principal.
        /// </summary>
        /// <param name="actionContext">The Web API action context whose request is inspected and whose
        /// <c>Response</c> is set to short-circuit the action on failure.</param>
        /// <remarks>
        /// NOTE(review): this override is <c>async void</c>, so the filter pipeline cannot await it.
        /// Control returns to the caller at the first <c>await</c> below (the
        /// <c>GetAccessTokenAsync</c> call) before any of the <c>Response</c> assignments
        /// in the try block have run, so <c>actionContext.Response</c> is still unset when
        /// the pipeline checks it and the action can execute without the token having been
        /// validated; only the synchronous BadRequest branch reliably short-circuits.
        /// The intended fix is to override <c>OnActionExecutingAsync(HttpActionContext, CancellationToken)</c>
        /// and return its <c>Task</c> instead. Exceptions escaping an <c>async void</c> method are also
        /// unobservable to the caller; the catch-all below is what currently contains them.
        /// </remarks>
        public override async void OnActionExecuting(HttpActionContext actionContext)
        {
            // we must have either an Authorization header or access_token property to proceed
            // ("access_token" is read from Request.Properties, presumably populated by an earlier handler — confirm)
            if (actionContext.Request.Headers.Authorization == null &&
                !actionContext.Request.Properties.ContainsKey("access_token"))
            {
                actionContext.Response = BuildBearerAuthorizeResponse(HttpStatusCode.BadRequest);
            }
            else
            {
                try
                {
                     // NOTE(review): the key store name suggests a fixed key; confirm this is not the production store.
                     var resourceServer =
                        new ResourceServer(
                            new StandardAccessTokenAnalyzer(OAuth2AuthorizationServerHost.HardCodedCryptoKeyStore));

                    // validate token against a revocation list: reject if the client's most recent
                    // revocation is later than the token's issue time
                    var accessToken = await resourceServer.GetAccessTokenAsync(actionContext.Request);
                    var lastRevoke = OAuth2AuthorizationServerHost.ClientRevokes
                                .Where(c => c.ClientIdentifier == accessToken.ClientIdentifier)
                                .OrderByDescending(t => t.RevokeTime)
                                .FirstOrDefault();
                    if (lastRevoke != null && lastRevoke.RevokeTime > accessToken.UtcIssued)
                    {
                        actionContext.Response = BuildBearerAuthorizeResponse(HttpStatusCode.Unauthorized, "invalid_token", "The access token has been revoked");
                    }
                    else
                    {
                        // get principal (re-reads the token from the request) and install it for this request
                        // NOTE(review): HttpContext.Current is dereferenced after an await; verify it is non-null here.
                        var principal = await resourceServer.GetPrincipalAsync(actionContext.Request);
                        HttpContext.Current.User = principal;
                        Thread.CurrentPrincipal = principal;
                    }
                }
                catch (ProtocolException pe)
                {
                    // token parsing/verification failure: answer with the bearer error for that exception
                    actionContext.Response = BearerHttpResponseMessageError(pe);
                }
                catch (Exception) // need to handle all exceptions to ensure resource isn't returned
                {
                    // deliberate fail-closed: any unexpected error becomes a 500 rather than letting the action run
                    actionContext.Response = BuildBearerAuthorizeResponse(HttpStatusCode.InternalServerError);
                }
            }
            base.OnActionExecuting(actionContext);
        }