/// <summary>
/// Gets the authentication client.
/// </summary>
/// <returns></returns>
private AuthClient GetAuthClient()
{
if (_authClient == null)
{
var rockContext = new RockContext();
var authClientService = new AuthClientService(rockContext);
var authClientId = PageParameter(PageParamKey.ClientId);
_authClient = authClientService.GetByClientId(authClientId);
}
return(_authClient);
}
private void AcceptAuthorization()
{
var owinContext = Context.GetOwinContext();
var request = owinContext.GetOpenIdConnectRequest();
// TODO: only allow valid scopes.
var requestedScopes = request.GetScopes();
var authClientId = PageParameter(PageParamKey.ClientId);
IDictionary <string, string> clientAllowedClaims = null;
AuthClient authClient = null;
IEnumerable <string> clientAllowedScopes = null;
using (var rockContext = new RockContext())
{
var authClientService = new AuthClientService(rockContext);
authClient = authClientService.GetByClientId(authClientId);
clientAllowedScopes = RockIdentityHelper.NarrowRequestedScopesToApprovedScopes(rockContext, authClientId, requestedScopes);
clientAllowedClaims = RockIdentityHelper.GetAllowedClientClaims(rockContext, authClientId, clientAllowedScopes);
}
if (authClient == null || clientAllowedScopes == null || clientAllowedClaims == null)
{
// TODO: Error
return;
}
// Create a new ClaimsIdentity containing the claims that
// will be used to create an id_token, a token or a code.
var identity = RockIdentityHelper.GetRockClaimsIdentity(CurrentUser, clientAllowedClaims, authClientId);
// Create a new authentication ticket holding the user identity.
var ticket = new AuthenticationTicket(identity, new AuthenticationProperties());
// We should set the scopes to the requested valid scopes.
ticket.SetScopes(requestedScopes);
// Set the resource servers the access token should be issued for.
ticket.SetResources("resource_server");
// Returning a SignInResult will ask ASOS to serialize the specified identity
// to build appropriate tokens. You should always make sure the identities
// you return contain the OpenIdConnectConstants.Claims.Subject claim. In this sample,
// the identity always contains the name identifier returned by the external provider.
owinContext.Authentication.SignIn(ticket.Properties, identity);
}
/// <summary>
/// Calls when a process requests authorization.
/// </summary>
/// <param name="actionContext">The action context, which encapsulates information for using <see cref="T:System.Web.Http.Filters.AuthorizationFilterAttribute" />.</param>
public override void OnAuthorization(HttpActionContext actionContext)
{
// See if user is logged in
var principal = System.Threading.Thread.CurrentPrincipal;
if (principal != null && principal.Identity != null && !string.IsNullOrWhiteSpace(principal.Identity.Name))
{
actionContext.Request.SetUserPrincipal(principal);
return;
}
// If check if ASOS authentication occurred.
principal = actionContext.RequestContext.Principal;
if (principal != null && principal.Identity != null)
{
var claimIdentity = principal.Identity as ClaimsIdentity;
if (claimIdentity != null)
{
var clientId = claimIdentity.Claims.FirstOrDefault(c => c.Type == Claims.ClientId)?.Value;
if (clientId.IsNotNullOrWhiteSpace())
{
using (var rockContext = new RockContext())
{
var authClientService = new AuthClientService(rockContext);
var authClient = authClientService.GetByClientId(clientId);
if (authClient.AllowUserApiAccess)
{
var userName = claimIdentity.Claims.FirstOrDefault(c => c.Type == Claims.Username)?.Value;
if (userName.IsNotNullOrWhiteSpace() && clientId.IsNotNullOrWhiteSpace())
{
UserLogin userLogin = null;
var userLoginService = new UserLoginService(rockContext);
userLogin = userLoginService.GetByUserName(userName);
if (userLogin != null)
{
var identity = new GenericIdentity(userLogin.UserName);
principal = new GenericPrincipal(identity, null);
actionContext.Request.SetUserPrincipal(principal);
return;
}
}
}
}
}
}
}
// If not, see if there's a valid Rock APIKey token
TryRetrieveHeader(actionContext, HeaderTokens.AuthorizationToken, out var authToken);
if (string.IsNullOrWhiteSpace(authToken))
{
string queryString = actionContext.Request.RequestUri.Query;
authToken = System.Web.HttpUtility.ParseQueryString(queryString).Get("apikey");
}
if (!string.IsNullOrWhiteSpace(authToken))
{
var userLoginService = new UserLoginService(new Rock.Data.RockContext());
var userLogin = userLoginService.Queryable().Where(u => u.ApiKey == authToken).FirstOrDefault();
if (userLogin != null)
{
var identity = new GenericIdentity(userLogin.UserName);
principal = new GenericPrincipal(identity, null);
actionContext.Request.SetUserPrincipal(principal);
return;
}
}
// If still not successful, check for a JSON Web Token
if (TryRetrieveHeader(actionContext, HeaderTokens.JWT, out var jwtString))
{
// If the JSON Web Token is in the header, we can determine the User from that
var userLogin = JwtHelper.GetUserLoginByJSONWebToken(new RockContext(), jwtString);
if (userLogin != null)
{
var identity = new GenericIdentity(userLogin.UserName);
principal = new GenericPrincipal(identity, null);
actionContext.Request.SetUserPrincipal(principal);
return;
}
// Just in rare case the GetPersonFromJWTPersonSearchKey feature is being used, see if person can be determined this way
var person = JwtHelper.GetPersonFromJWTPersonSearchKey(jwtString);
if (person != null)
{
actionContext.Request.Properties.Add("Person", person);
return;
}
}
}
/// <summary>
/// Calls when a process requests authorization.
/// </summary>
/// <param name="actionContext">The action context, which encapsulates information for using <see cref="T:System.Web.Http.Filters.AuthorizationFilterAttribute" />.</param>
public override void OnAuthorization(HttpActionContext actionContext)
{
// See if user is logged in
var principal = System.Threading.Thread.CurrentPrincipal;
if (principal != null && principal.Identity != null && !string.IsNullOrWhiteSpace(principal.Identity.Name))
{
actionContext.Request.SetUserPrincipal(principal);
return;
}
// If check if ASOS authentication occurred.
principal = actionContext.RequestContext.Principal;
if (principal != null && principal.Identity != null)
{
var claimIdentity = principal.Identity as ClaimsIdentity;
if (claimIdentity != null)
{
var clientId = claimIdentity.Claims.FirstOrDefault(c => c.Type == Claims.ClientId)?.Value;
if (clientId.IsNotNullOrWhiteSpace())
{
using (var rockContext = new RockContext())
{
var authClientService = new AuthClientService(rockContext);
var authClient = authClientService.GetByClientId(clientId);
if (authClient.AllowUserApiAccess)
{
var userName = claimIdentity.Claims.FirstOrDefault(c => c.Type == Claims.Username)?.Value;
if (userName.IsNotNullOrWhiteSpace() && clientId.IsNotNullOrWhiteSpace())
{
UserLogin userLogin = null;
var userLoginService = new UserLoginService(rockContext);
userLogin = userLoginService.GetByUserName(userName);
if (userLogin != null)
{
var identity = new GenericIdentity(userLogin.UserName);
principal = new GenericPrincipal(identity, null);
actionContext.Request.SetUserPrincipal(principal);
return;
}
}
}
}
}
}
}
// If not, see if there's a valid token
TryRetrieveHeader(actionContext, HeaderTokens.AuthorizationToken, out var authToken);
if (string.IsNullOrWhiteSpace(authToken))
{
string queryString = actionContext.Request.RequestUri.Query;
authToken = System.Web.HttpUtility.ParseQueryString(queryString).Get("apikey");
}
if (!string.IsNullOrWhiteSpace(authToken))
{
var userLoginService = new UserLoginService(new Rock.Data.RockContext());
var userLogin = userLoginService.Queryable().Where(u => u.ApiKey == authToken).FirstOrDefault();
if (userLogin != null)
{
var identity = new GenericIdentity(userLogin.UserName);
principal = new GenericPrincipal(identity, null);
actionContext.Request.SetUserPrincipal(principal);
return;
}
}
// If still not successful, check for a JSON Web Token
if (TryRetrieveHeader(actionContext, HeaderTokens.JWT, out var jwtString))
{
Person person = null;
// We need to wait for the JwtHelper.GetPerson method rather than using the await keyword. The await keyword
// forces this entire method to be async causing the Secured attribute to process before everything
// is finished here
Task.Run(async() =>
{
person = await JwtHelper.GetPerson(jwtString);
}).Wait();
if (person != null)
{
actionContext.Request.Properties.Add("Person", person);
return;
}
}
}