public override Task ValidateIdentity(OAuthValidateIdentityContext context)
{
var claims = context.Ticket.Identity.Claims;
if (claims.Count() == 0 || claims.Any(claim => claim.Issuer != "Facebook" && claim.Issuer != "LOCAL_AUTHORITY"))
context.Rejected();
return Task.FromResult<object>(null);
}
protected override async Task <AuthenticationTicket> AuthenticateCore()
{
_logger.WriteVerbose("AuthenticateCore");
try
{
string authorization = Request.GetHeader("Authorization");
if (authorization == null || !authorization.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
{
_logger.WriteWarning("null or non-bearer token in authorization header");
return(null);
}
string protectedText = authorization.Substring("Bearer ".Length).Trim();
AuthenticationTicket ticket = Options.AccessTokenHandler.Unprotect(protectedText);
var context = new OAuthValidateIdentityContext(ticket.Identity, ticket.Extra.Properties);
if (Options.Provider != null)
{
await Options.Provider.ValidateIdentity(context);
}
return(new AuthenticationTicket(context.Identity, context.Extra));
}
catch (Exception ex)
{
_logger.WriteError(ex.Message);
// TODO: trace
return(null);
}
}
public override Task ValidateIdentity(OAuthValidateIdentityContext context)
{
var requestSite = context.Request.Uri.Host.Split('.')[0];
var tokenSite = context.Ticket.Identity.Claims.FirstOrDefault(x => x.Type == OAuthDefaults.ClaimKeySite);
if (tokenSite == null || requestSite != tokenSite.Value)
return null;
return base.ValidateIdentity(context);
}
/// <summary>
/// Called each time a request identity has been validated by the middleware. By implementing this method the
/// application may alter or reject the identity which has arrived with the request.
/// </summary>
/// <param name="context">Contains information about the login session as well as the user <see cref="T:System.Security.Claims.ClaimsIdentity" />.</param>
/// <returns>
/// A <see cref="T:System.Threading.Tasks.Task" /> representing the completed operation.
/// </returns>
public Task ValidateIdentity(OAuthValidateIdentityContext context)
{
if (_inner != null)
{
return _inner.ValidateIdentity(context);
}
return Task.FromResult(0);
}
public override System.Threading.Tasks.Task ValidateIdentity(OAuthValidateIdentityContext context)
{
if (context == null)
{
throw new ArgumentNullException("context");
}
if (context.Ticket.Identity.Claims.Any(c => c.Issuer != "LOCAL AUTHORITY"))
{
context.Rejected();
}
return Task.FromResult<object>((object)null);
}
// method copied from Owin.AppBuilderExtensions.ApplicationOAuthBearerProvider (private class)
private Task ValidateIdentity(OAuthValidateIdentityContext context)
{
/**
if (context == null)
{
throw new ArgumentNullException("context");
}
if (context.Ticket.Identity.Claims
.Any(c => c.Issuer != ClaimsIdentity.DefaultIssuer))
{
context.Rejected();
}**/
return Task.FromResult<object>(null);
}
public override Task ValidateIdentity(OAuthValidateIdentityContext context)
{
bool validated = false;
base.ValidateIdentity(context);
ApplicationDbContext dbContext = context.OwinContext.Get<ApplicationDbContext>();
ApplicationUserManager userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();
if(context.Ticket!= null && context.Ticket.Identity != null)
{
if(context.Ticket.Identity.Claims.SingleOrDefault(c => c.Type == OAuthClientCredentialsGrantKey) != null)
{
Guid clientId = new Guid(context.Ticket.Identity.Name);
if (dbContext.OAuthClients.SingleOrDefault(oac => oac.ClientId == clientId && oac.Enabled==true) != null)
{
validated = true;
context.Validated();
}
}
else {
Claim oauthSessionId = context.Ticket.Identity.Claims.SingleOrDefault(c => c.Type == OAuthSessionClaimKey);
if (oauthSessionId != null)
{
OAuthSession oauthSession = dbContext.OAuthSessions.SingleOrDefault(oas => oas.Id.ToString() == oauthSessionId.Value);
if (oauthSession != null)
{
validated = true;
context.Validated();
}
}
}
}
if (!validated)
{
context.SetError("Invalid Token", "The Access Token is invalid.");
context.Rejected();
}
return Task.FromResult<object>(null);
}
public override Task ValidateIdentity(OAuthValidateIdentityContext context)
{
if (context.Ticket.Properties.ExpiresUtc < DateTime.UtcNow)
{
context.SetError("invalid_grant", "Access Token has expired.");
context.Rejected();
return ThreadingExtensions.NoResult;
}
var userId = context.Ticket.Identity.GetUserGuid();
var issuedGuid = context.Ticket.Properties
.GetIssuedGuid();
if (!_authKeyRepository.ValidateAuthKey(userId, issuedGuid))
{
context.SetError("invalid_token", "Access Token has not been properly set or has been invalidated.");
context.Rejected();
return ThreadingExtensions.NoResult;
}
context.Validated();
return ThreadingExtensions.NoResult;
}
/// <summary>
/// Handles validating the identity produced from an OAuth bearer token.
/// </summary>
/// <param name="context"></param>
/// <returns></returns>
public virtual Task ValidateIdentity(OAuthValidateIdentityContext context)
{
return OnValidateIdentity.Invoke(context);
}
protected override async Task <AuthenticationTicket> AuthenticateCoreAsync()
{
try
{
// Find token in default location
string requestToken = null;
string authorization = Request.Headers.Get("Authorization");
if (!string.IsNullOrEmpty(authorization))
{
if (authorization.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
{
requestToken = authorization.Substring("Bearer ".Length).Trim();
}
}
// Give application opportunity to find from a different location, adjust, or reject token
var requestTokenContext = new OAuthRequestTokenContext(Context, requestToken);
await Options.Provider.RequestToken(requestTokenContext);
// If no token found, no further work possible
if (string.IsNullOrEmpty(requestTokenContext.Token))
{
return(null);
}
// Call provider to process the token into data
var tokenReceiveContext = new AuthenticationTokenReceiveContext(
Context,
Options.AccessTokenFormat,
requestTokenContext.Token);
await Options.AccessTokenProvider.ReceiveAsync(tokenReceiveContext);
if (tokenReceiveContext.Ticket == null)
{
tokenReceiveContext.DeserializeTicket(tokenReceiveContext.Token);
}
AuthenticationTicket ticket = tokenReceiveContext.Ticket;
if (ticket == null)
{
_logger.WriteWarning("invalid bearer token received");
return(null);
}
// Validate expiration time if present
DateTimeOffset currentUtc = Options.SystemClock.UtcNow;
if (ticket.Properties.ExpiresUtc.HasValue &&
ticket.Properties.ExpiresUtc.Value < currentUtc)
{
_logger.WriteWarning("expired bearer token received");
return(null);
}
// Give application final opportunity to override results
var context = new OAuthValidateIdentityContext(Context, Options, ticket);
if (ticket != null &&
ticket.Identity != null &&
ticket.Identity.IsAuthenticated)
{
// bearer token with identity starts validated
context.Validated();
}
if (Options.Provider != null)
{
await Options.Provider.ValidateIdentity(context);
}
if (!context.IsValidated)
{
return(null);
}
// resulting identity values go back to caller
return(context.Ticket);
}
catch (Exception ex)
{
_logger.WriteError("Authentication failed", ex);
return(null);
}
}
public virtual Task ValidateIdentity(OAuthValidateIdentityContext context)
{
return(OnValidateIdentity.Invoke(context));
}
/// <summary>
/// Called each time a request identity has been validated by the middleware. By implementing this method the
/// application may alter or reject the identity which has arrived with the request.
/// </summary>
/// <param name="context">Contains information about the login session as well as the user <see cref="T:System.Security.Claims.ClaimsIdentity" />.</param>
/// <returns>
/// A <see cref="T:System.Threading.Tasks.Task" /> representing the completed operation.
/// </returns>
public virtual Task ValidateIdentity(OAuthValidateIdentityContext context)
{
return Task.FromResult(0);
}
public Task ValidateIdentity(OAuthValidateIdentityContext context)
{
return Task.FromResult<object>(null);
}
public override async Task ValidateIdentity(OAuthValidateIdentityContext context)
{
// TODO: validate claims identity
context.Validated(context.Ticket.Identity);
}
