public async Task<AuthorizeResponse> CreateCodeFlowResponseAsync(ValidatedAuthorizeRequest request, ClaimsPrincipal subject)
{
var code = new AuthorizationCode
{
Client = request.Client,
Subject = subject,
IsOpenId = request.IsOpenIdRequest,
RequestedScopes = request.ValidatedScopes.GrantedScopes,
RedirectUri = request.RedirectUri,
WasConsentShown = request.WasConsentShown,
RefreshTokenLifetime = request.Client.RefreshTokenLifetime
};
// store id token and access token and return authorization code
var id = Guid.NewGuid().ToString("N");
await _authorizationCodes.StoreAsync(id, code);
return new AuthorizeResponse
{
RedirectUri = request.RedirectUri,
Code = id,
State = request.State
};
}
public async Task Valid_Code_Request()
{
var client = await _clients.FindClientByIdAsync("codeclient");
var store = new InMemoryAuthorizationCodeStore();
var code = new AuthorizationCode
{
Client = client,
RedirectUri = new Uri("https://server/cb"),
RequestedScopes = new List<Scope>
{
new Scope
{
Name = "openid"
}
}
};
await store.StoreAsync("valid", code);
var validator = Factory.CreateTokenValidator(
authorizationCodeStore: store);
var parameters = new NameValueCollection();
parameters.Add(Constants.TokenRequest.GrantType, Constants.GrantTypes.AuthorizationCode);
parameters.Add(Constants.TokenRequest.Code, "valid");
parameters.Add(Constants.TokenRequest.RedirectUri, "https://server/cb");
var result = await validator.ValidateRequestAsync(parameters, client);
Assert.IsFalse(result.IsError);
}
public BsonDocument Serialize(string key, AuthorizationCode code)
{
var doc = new BsonDocument();
doc["_id"] = key;
doc["_version"] = 1;
doc["_clientId"] = code.ClientId;
doc["_subjectId"] = code.SubjectId;
doc["_expires"] = code.CreationTime.AddSeconds(code.Client.AuthorizationCodeLifetime);
doc["creationTime"] = code.CreationTime;
doc["isOpenId"] = code.IsOpenId;
doc["redirectUri"] = code.RedirectUri.ToString();
doc["wasConsentShown"] = code.WasConsentShown;
doc["subject"] = SerializeIdentities(code);
doc["client"] = _clientSerializer.Serialize(code.Client);
var requestedScopes = new BsonArray();
foreach (Scope scope in code.RequestedScopes)
{
requestedScopes.Add(_scopeSerializer.Serialize(scope));
}
doc["requestedScopes"] = requestedScopes;
return(doc);
}
public static void Main(string[] args)
{
DataProviderConfiguration.Initialize("mongodb://localhost:27017", "OAuthService");
List <string> scopes = new List <string>();
scopes.Add("library");
scopes.Add("card");
scopes.Add("invaild");
AuthorizationCode service = new AuthorizationCode();
Console.WriteLine(
service.VerifyScopes(scopes)
);
IEnumerable <ScopeEntity> scopeEntities = service.GetScopes(scopes);
foreach (var item in scopeEntities)
{
Console.WriteLine("name:{0} Logical:{1}", item.ScopeName, item.ScopeLogicalName);
}
Console.WriteLine(service.VerifyClient("123asd2345sdfgsdfg3546t34eeas"));
}
public async Task Code_Request_with_disabled_User()
{
var client = await _clients.FindEnabledClientByIdAsync("codeclient");
var store = Factory.CreateAuthorizationCodeStore();
var code = new AuthorizationCode
{
CreationTime = DateTime.UtcNow,
ClientId = client.ClientId,
Lifetime = client.AuthorizationCodeLifetime,
Subject = new IdentityServerUser("123").CreatePrincipal(),
RedirectUri = "https://server/cb",
RequestedScopes = new List <string>
{
"openid"
}
};
var handle = await store.StoreAuthorizationCodeAsync(code);
var validator = Factory.CreateTokenRequestValidator(
authorizationCodeStore: store,
profile: new TestProfileService(shouldBeActive: false));
var parameters = new NameValueCollection();
parameters.Add(OidcConstants.TokenRequest.GrantType, OidcConstants.GrantTypes.AuthorizationCode);
parameters.Add(OidcConstants.TokenRequest.Code, handle);
parameters.Add(OidcConstants.TokenRequest.RedirectUri, "https://server/cb");
var result = await validator.ValidateRequestAsync(parameters, client.ToValidationResult());
result.IsError.Should().BeTrue();
result.Error.Should().Be(OidcConstants.TokenErrors.InvalidGrant);
}
public async stt::Task ResetAuthorizationCodeRequestObjectAsync()
{
moq::Mock <Domains.DomainsClient> mockGrpcClient = new moq::Mock <Domains.DomainsClient>(moq::MockBehavior.Strict);
mockGrpcClient.Setup(x => x.CreateOperationsClient()).Returns(new moq::Mock <lro::Operations.OperationsClient>().Object);
ResetAuthorizationCodeRequest request = new ResetAuthorizationCodeRequest
{
RegistrationAsRegistrationName = RegistrationName.FromProjectLocationRegistration("[PROJECT]", "[LOCATION]", "[REGISTRATION]"),
};
AuthorizationCode expectedResponse = new AuthorizationCode
{
Code = "code946733c1",
};
mockGrpcClient.Setup(x => x.ResetAuthorizationCodeAsync(request, moq::It.IsAny <grpccore::CallOptions>())).Returns(new grpccore::AsyncUnaryCall <AuthorizationCode>(stt::Task.FromResult(expectedResponse), null, null, null, null));
DomainsClient client = new DomainsClientImpl(mockGrpcClient.Object, null);
AuthorizationCode responseCallSettings = await client.ResetAuthorizationCodeAsync(request, gaxgrpc::CallSettings.FromCancellationToken(st::CancellationToken.None));
xunit::Assert.Same(expectedResponse, responseCallSettings);
AuthorizationCode responseCancellationToken = await client.ResetAuthorizationCodeAsync(request, st::CancellationToken.None);
xunit::Assert.Same(expectedResponse, responseCancellationToken);
mockGrpcClient.VerifyAll();
}
private async Task <string> CreateCodeAsync(ValidatedAuthorizeRequest request)
{
var code = new AuthorizationCode
{
ClientId = request.Client.ClientId,
Lifetime = request.Client.AuthorizationCodeLifetime,
Subject = request.Subject,
SessionId = request.SessionId,
CodeChallenge = request.CodeChallenge.Sha256(),
CodeChallengeMethod = request.CodeChallengeMethod,
IsOpenId = request.IsOpenIdRequest,
RequestedScopes = request.ValidatedScopes.GrantedResources.ToScopeNames(),
RedirectUri = request.RedirectUri,
Nonce = request.Nonce,
WasConsentShown = request.WasConsentShown,
};
// store id token and access token and return authorization code
var id = await _authorizationCodeStore.StoreAuthorizationCodeAsync(code);
return(id);
}
private async Task <string> CreateCodeAsync(ValidatedAuthorizeRequest request)
{
var code = new AuthorizationCode
{
Client = request.Client,
Subject = request.Subject,
SessionId = request.SessionId,
IsOpenId = request.IsOpenIdRequest,
RequestedScopes = request.ValidatedScopes.GrantedScopes,
RedirectUri = request.RedirectUri,
Nonce = request.Nonce,
WasConsentShown = request.WasConsentShown,
};
// store id token and access token and return authorization code
var id = CryptoRandom.CreateUniqueId();
await _authorizationCodes.StoreAsync(id, code);
await RaiseCodeIssuedEventAsync(id, code);
return(id);
}
public IActionResult PostConsent(int clientId, string scopes, string redirectUrl)
{
// Kiểm tra người dùng đăng nhập chưa
var loggedEmail = HttpContext.Session.GetString("loggedUserEmail");
var loggedIdString = HttpContext.Session.GetString("loggedUserId");
long loggedId = 0;
try
{
loggedId = Int64.Parse(loggedIdString);
}
catch (Exception e)
{
Console.WriteLine(e);
}
var currentAccount = _context.Account.SingleOrDefault(a => a.Id == loggedId);
if (currentAccount == null)
{
// Đưa người dùng sang trang đăng nhập
return(Redirect("/Accounts/Login?redirectUrl=" + WebUtility.UrlEncode(Request.GetDisplayUrl())));
}
var currentApp = _context.RegisterApplication.SingleOrDefault(ra => ra.Id == clientId);
if (currentApp == null)
{
Response.StatusCode = (int)(HttpStatusCode.Forbidden);
return(new JsonResult(HttpStatusCode.Forbidden.ToString()));
}
var scopeIds = scopes.Split(",");
List <CredentialScope> listRequestScopes = new List <CredentialScope>();
foreach (var strId in scopeIds)
{
var id = Int32.Parse(strId);
if (!_credentialScopes.ContainsKey(id))
{
Response.StatusCode = (int)(HttpStatusCode.NotFound);
return(new JsonResult(HttpStatusCode.NotFound.ToString()));
}
}
// Tạo credential lưu vào database với status deactive
var credential = new Credential(currentAccount.Id, scopes);
credential.Status = CredentialStatus.Deactive;
_context.Credential.Add(credential);
_context.SaveChanges();
var cacheEntryOptions = new MemoryCacheEntryOptions()
// Keep in cache for this time, reset time if accessed.
.SetSlidingExpiration(TimeSpan.FromSeconds(5));
AuthorizationCode authorizationCode = new AuthorizationCode(credential);
// Tạo authorization code có liên kết với credential vừa tạo
_cache.Set(authorizationCode.Code, authorizationCode, cacheEntryOptions);
// Đưa người dùng về redirectUrl kèm theo
return(Redirect(currentApp.RedirectUrl + "?exchange-code=" + authorizationCode.Code));
}
public bool addAuthorization(AuthorizationCode authorizaction)
{
if (authorizaction != null)
{
_session.Transact(session => session.SaveOrUpdate(authorizaction));
MrCMS.Entities.People.User usergenerated = _userService.GetUser(authorizaction.generatedby);
MrCMS.Entities.People.User userauth = _userService.GetUser(authorizaction.Authorizedby);
Provider provider = _providersvc.GetProvider(authorizaction.provider);
QueuedMessage emailmsg = new QueuedMessage();
emailmsg.FromAddress = _mailSettings.SystemEmailAddress;
emailmsg.ToAddress = userauth.Email;
emailmsg.Subject = "NovoHub Authorization Code Generated ";
emailmsg.FromName = "NOVOHUB";
emailmsg.Body = string.Format("An authorization code {5} was generated for {0} by {1} and was authorized by you on {2} for {4} with policy number {3}", provider.Name.ToUpper(), usergenerated.Name.ToUpper(), Convert.ToDateTime(authorizaction.CreatedOn).ToString(CurrentRequestData.CultureInfo.DateTimeFormat.FullDateTimePattern), authorizaction.policyNumber, authorizaction.enrolleeName, authorizaction.authorizationCode);
//_emailSender.AddToQueue(emailmsg);
//send admission shit
if (authorizaction.Isadmission)
{
StringBuilder bodyText = new StringBuilder();
bodyText.Append("<p>Dear Admin,</p>");
bodyText.AppendLine(string.Format("<p>A new admission was approved with code {5} for {0} and generated by {1} and was authorized by {6} on {2} for {4} with policy number {3} </p>", provider.Name.ToUpper(), usergenerated.Name.ToUpper(), Convert.ToDateTime(authorizaction.CreatedOn).ToString(CurrentRequestData.CultureInfo.DateTimeFormat.FullDateTimePattern), authorizaction.policyNumber, authorizaction.enrolleeName, authorizaction.authorizationCode, userauth.Name.ToUpper()));
bodyText.AppendLine(Environment.NewLine);
bodyText.AppendLine("<p>You are required to follow up on the admission.</p>");
bodyText.AppendLine("<p>Thank You.</p>");
//send to client service.
MrCMS.Entities.People.UserRole role = _roleSvc.GetRoleByName("CLIENT SERVICE");
if (role != null)
{
foreach (MrCMS.Entities.People.User user in role.Users)
{
//each user
QueuedMessage emailmsgAdd = new QueuedMessage();
emailmsgAdd.FromAddress = _mailSettings.SystemEmailAddress;
emailmsgAdd.ToAddress = user.Email;
emailmsgAdd.Subject = "NovoHub -New Admission ";
emailmsgAdd.FromName = "NOVOHUB";
emailmsgAdd.Body = bodyText.ToString();
emailmsgAdd.IsHtml = true;
//_emailSender.AddToQueue(emailmsgAdd);
}
}
//added else
else
{
}
//send to provider service.
role = _roleSvc.GetRoleByName("PROVIDER");
if (role != null)
{
foreach (MrCMS.Entities.People.User user in role.Users)
{
//each user
QueuedMessage emailmsgAdd = new QueuedMessage();
emailmsgAdd.FromAddress = _mailSettings.SystemEmailAddress;
emailmsgAdd.ToAddress = user.Email;
emailmsgAdd.Subject = "NovoHub -New Admission ";
emailmsgAdd.FromName = "NOVOHUB";
emailmsgAdd.Body = bodyText.ToString();
emailmsgAdd.IsHtml = true;
// _emailSender.AddToQueue(emailmsgAdd);
}
}
//added else
else
{
}
//send to medical service.
role = _roleSvc.GetRoleByName("MEDICAL UNIT");
if (role != null)
{
foreach (MrCMS.Entities.People.User user in role.Users)
{
//each user
QueuedMessage emailmsgAdd = new QueuedMessage();
emailmsgAdd.FromAddress = _mailSettings.SystemEmailAddress;
emailmsgAdd.ToAddress = user.Email;
emailmsgAdd.Subject = "NovoHub -New Admission ";
emailmsgAdd.FromName = "NOVOHUB";
emailmsgAdd.Body = bodyText.ToString();
emailmsgAdd.IsHtml = true;
// _emailSender.AddToQueue(emailmsgAdd);
}
}
//added else
else
{
}
}
//Notify the theres a new verificationCode
AuthenticationCodeCreatedArgs args = new AuthenticationCodeCreatedArgs
{
AuthorizationCode = authorizaction
};
//Notify the Hub of the new Input
EventContext.Instance.Publish(typeof(INewNotificationEvent), args);
return(true);
}
return(false);
}
public IActionResult FetchToken()
{
var url = AuthorizationCode.GetUrl(_spotifyAuthService.GetAuthParameters(), "");
return(Redirect(url));
}
public async Task When_Requesting_Token_And_There_Is_No_Valid_Granted_Token_Then_Grant_A_New_One()
{
// ARRANGE
InitializeFakeObjects();
const string accessToken = "accessToken";
const string identityToken = "identityToken";
const string clientId = "clientId";
var authorizationCodeGrantTypeParameter = new AuthorizationCodeGrantTypeParameter
{
ClientAssertion = "clientAssertion",
ClientAssertionType = "clientAssertionType",
ClientSecret = "clientSecret",
RedirectUri = "redirectUri",
ClientId = clientId
};
var authResult = new AuthenticationResult(new Models.Client
{
ClientId = clientId
}, null);
var authorizationCode = new AuthorizationCode
{
ClientId = clientId,
RedirectUri = "redirectUri",
CreateDateTime = DateTime.UtcNow
};
var grantedToken = new GrantedToken
{
AccessToken = accessToken,
IdToken = identityToken
};
_clientValidatorFake.Setup(c => c.CheckPkce(It.IsAny <Client>(), It.IsAny <string>(), It.IsAny <AuthorizationCode>()))
.Returns(true);
_authenticateInstructionGeneratorStub.Setup(a => a.GetAuthenticateInstruction(It.IsAny <AuthenticationHeaderValue>()))
.Returns(new AuthenticateInstruction());
_authenticateClientFake.Setup(a => a.AuthenticateAsync(It.IsAny <AuthenticateInstruction>()))
.Returns(Task.FromResult(authResult));
_authorizationCodeRepositoryFake.Setup(a => a.GetAsync(It.IsAny <string>()))
.Returns(Task.FromResult(authorizationCode));
_simpleIdentityServerConfiguratorFake.Setup(s => s.GetAuthorizationCodeValidityPeriodInSecondsAsync())
.Returns(Task.FromResult((double)3000));
_clientValidatorFake.Setup(c => c.GetRedirectionUrls(It.IsAny <Models.Client>(), It.IsAny <string>()))
.Returns(new[] { "redirectUri" });
_grantedTokenHelperStub.Setup(g => g.GetValidGrantedTokenAsync(It.IsAny <string>(),
It.IsAny <string>(),
It.IsAny <JwsPayload>(),
It.IsAny <JwsPayload>()))
.Returns(() => Task.FromResult((GrantedToken)null));
_grantedTokenGeneratorHelperFake.Setup(g => g.GenerateTokenAsync(It.IsAny <string>(),
It.IsAny <string>(),
It.IsAny <JwsPayload>(),
It.IsAny <JwsPayload>()))
.Returns(Task.FromResult(grantedToken));;
// ACT
var result = await _getTokenByAuthorizationCodeGrantTypeAction.Execute(authorizationCodeGrantTypeParameter, null);
// ASSERTS
_grantedTokenRepositoryFake.Verify(g => g.InsertAsync(grantedToken));
_simpleIdentityServerEventSourceFake.Verify(s => s.GrantAccessToClient(
clientId,
accessToken,
identityToken));
Assert.True(result.AccessToken == accessToken);
}
public void Add(AuthorizationCode code)
{
_dbContext.AuthorizationCodes.Add(code);
}
/// <inheritdoc />
public Task <bool> Add(AuthorizationCode authorizationCode, CancellationToken cancellationToken)
{
var json = JsonConvert.SerializeObject(authorizationCode);
return(_database.StringSetAsync(authorizationCode.Code, json, _expiry));
}
private async Task <ValidationResult> ValidateAuthorizationCodeRequestAsync(NameValueCollection parameters)
{
Logger.Info("Start validation of authorization code token request");
/////////////////////////////////////////////
// check if client is authorized for grant type
/////////////////////////////////////////////
if (_validatedRequest.Client.Flow != Flows.AuthorizationCode &&
_validatedRequest.Client.Flow != Flows.Hybrid)
{
LogError("Client not authorized for code flow");
return(Invalid(Constants.TokenErrors.UnauthorizedClient));
}
/////////////////////////////////////////////
// validate authorization code
/////////////////////////////////////////////
string code = parameters.Get(Constants.TokenRequest.Code);
if (code.IsMissing())
{
string error = "Authorization code is missing.";
LogError(error);
RaiseFailedAuthorizationCodeRedeemedEvent(null, error);
return(Invalid(Constants.TokenErrors.InvalidGrant));
}
_validatedRequest.AuthorizationCodeHandle = code;
AuthorizationCode authZcode = await _authorizationCodes.GetAsync(code);
if (authZcode == null)
{
LogError("Invalid authorization code: " + code);
RaiseFailedAuthorizationCodeRedeemedEvent(code, "Invalid handle");
return(Invalid(Constants.TokenErrors.InvalidGrant));
}
await _authorizationCodes.RemoveAsync(code);
/////////////////////////////////////////////
// validate client binding
/////////////////////////////////////////////
if (authZcode.Client.ClientId != _validatedRequest.Client.ClientId)
{
LogError(string.Format("Client {0} is trying to use a code from client {1}",
_validatedRequest.Client.ClientId, authZcode.Client.ClientId));
RaiseFailedAuthorizationCodeRedeemedEvent(code, "Invalid client binding");
return(Invalid(Constants.TokenErrors.InvalidGrant));
}
/////////////////////////////////////////////
// validate code expiration
/////////////////////////////////////////////
if (authZcode.CreationTime.HasExceeded(_validatedRequest.Client.AuthorizationCodeLifetime))
{
string error = "Authorization code is expired";
LogError(error);
RaiseFailedAuthorizationCodeRedeemedEvent(code, error);
return(Invalid(Constants.TokenErrors.InvalidGrant));
}
_validatedRequest.AuthorizationCode = authZcode;
/////////////////////////////////////////////
// validate redirect_uri
/////////////////////////////////////////////
string redirectUri = parameters.Get(Constants.TokenRequest.RedirectUri);
if (redirectUri.IsMissing())
{
string error = "Redirect URI is missing.";
LogError(error);
RaiseFailedAuthorizationCodeRedeemedEvent(code, error);
return(Invalid(Constants.TokenErrors.UnauthorizedClient));
}
if (redirectUri.Equals(_validatedRequest.AuthorizationCode.RedirectUri, StringComparison.Ordinal) == false)
{
string error = "Invalid redirect_uri: " + redirectUri;
LogError(error);
RaiseFailedAuthorizationCodeRedeemedEvent(code, error);
return(Invalid(Constants.TokenErrors.UnauthorizedClient));
}
/////////////////////////////////////////////
// validate scopes are present
/////////////////////////////////////////////
if (_validatedRequest.AuthorizationCode.RequestedScopes == null ||
!_validatedRequest.AuthorizationCode.RequestedScopes.Any())
{
string error = "Authorization code has no associated scopes.";
LogError(error);
RaiseFailedAuthorizationCodeRedeemedEvent(code, error);
return(Invalid(Constants.TokenErrors.InvalidRequest));
}
/////////////////////////////////////////////
// make sure user is enabled
/////////////////////////////////////////////
if (await _users.IsActiveAsync(_validatedRequest.AuthorizationCode.Subject) == false)
{
string error = "User has been disabled: " + _validatedRequest.AuthorizationCode.Subject;
LogError(error);
RaiseFailedAuthorizationCodeRedeemedEvent(code, error);
return(Invalid(Constants.TokenErrors.InvalidRequest));
}
Logger.Info("Validation of authorization code token request success");
RaiseSuccessfulAuthorizationCodeRedeemedEvent();
return(Valid());
}
private void RaiseCodeIssuedEvent(string id, AuthorizationCode code)
{
_events.RaiseAuthorizationCodeIssuedEvent(id, code);
}
private TokenRequestValidationResult ValidateAuthorizationCodeWithProofKeyParameters(string codeVerifier, AuthorizationCode authZcode)
{
if (authZcode.CodeChallenge.IsMissing() || authZcode.CodeChallengeMethod.IsMissing())
{
LogError("{clientId} is missing code challenge or code challenge method", _validatedRequest.Client.ClientId);
return(Invalid(OidcConstants.TokenErrors.InvalidGrant));
}
if (codeVerifier.IsMissing())
{
LogError("Missing code_verifier");
return(Invalid(OidcConstants.TokenErrors.InvalidGrant));
}
if (codeVerifier.Length < _options.InputLengthRestrictions.CodeVerifierMinLength ||
codeVerifier.Length > _options.InputLengthRestrictions.CodeVerifierMaxLength)
{
LogError("code_verifier is too short or too long");
return(Invalid(OidcConstants.TokenErrors.InvalidGrant));
}
if (Constants.SupportedCodeChallengeMethods.Contains(authZcode.CodeChallengeMethod) == false)
{
LogError("Unsupported code challenge method: {codeChallengeMethod}", authZcode.CodeChallengeMethod);
return(Invalid(OidcConstants.TokenErrors.InvalidGrant));
}
if (ValidateCodeVerifierAgainstCodeChallenge(codeVerifier, authZcode.CodeChallenge, authZcode.CodeChallengeMethod) == false)
{
LogError("Transformed code verifier does not match code challenge");
return(Invalid(OidcConstants.TokenErrors.InvalidGrant));
}
return(Valid());
}
public async Task failed_resource_validation_should_fail()
{
var mockResourceValidator = new MockResourceValidator();
var client = await _clients.FindEnabledClientByIdAsync("codeclient");
var grants = Factory.CreateAuthorizationCodeStore();
{
var code = new AuthorizationCode
{
CreationTime = DateTime.UtcNow,
Subject = new IdentityServerUser("123").CreatePrincipal(),
ClientId = client.ClientId,
Lifetime = client.AuthorizationCodeLifetime,
RedirectUri = "https://server/cb",
RequestedScopes = new List <string>
{
"openid", "scope1"
},
RequestedResourceIndicators = new[] { "urn:api1", "urn:api2" }
};
var handle = await grants.StoreAuthorizationCodeAsync(code);
var validator = Factory.CreateTokenRequestValidator(resourceValidator: mockResourceValidator, authorizationCodeStore: grants);
var parameters = new NameValueCollection();
parameters.Add(OidcConstants.TokenRequest.GrantType, OidcConstants.GrantTypes.AuthorizationCode);
parameters.Add(OidcConstants.TokenRequest.Code, handle);
parameters.Add(OidcConstants.TokenRequest.RedirectUri, "https://server/cb");
parameters.Add(OidcConstants.TokenRequest.Resource, "urn:api1");
mockResourceValidator.Result = new ResourceValidationResult
{
InvalidScopes = { "foo" }
};
var result = await validator.ValidateRequestAsync(parameters, client.ToValidationResult());
result.IsError.Should().BeTrue();
result.Error.Should().Be("invalid_scope");
}
{
var code = new AuthorizationCode
{
CreationTime = DateTime.UtcNow,
Subject = new IdentityServerUser("123").CreatePrincipal(),
ClientId = client.ClientId,
Lifetime = client.AuthorizationCodeLifetime,
RedirectUri = "https://server/cb",
RequestedScopes = new List <string>
{
"openid", "scope1"
},
RequestedResourceIndicators = new[] { "urn:api1", "urn:api2" }
};
var handle = await grants.StoreAuthorizationCodeAsync(code);
var validator = Factory.CreateTokenRequestValidator(resourceValidator: mockResourceValidator, authorizationCodeStore: grants);
var parameters = new NameValueCollection();
parameters.Add(OidcConstants.TokenRequest.GrantType, OidcConstants.GrantTypes.AuthorizationCode);
parameters.Add(OidcConstants.TokenRequest.Code, handle);
parameters.Add(OidcConstants.TokenRequest.RedirectUri, "https://server/cb");
parameters.Add(OidcConstants.TokenRequest.Resource, "urn:api1");
mockResourceValidator.Result = new ResourceValidationResult
{
InvalidResourceIndicators = { "foo" }
};
var result = await validator.ValidateRequestAsync(parameters, client.ToValidationResult());
result.IsError.Should().BeTrue();
result.Error.Should().Be("invalid_target");
}
}
public static IdentityServer4.Models.AuthorizationCode ToModel(this AuthorizationCode entity)
{
return(entity == null ? null : Mapper.Map <IdentityServer4.Models.AuthorizationCode>(entity));
}
public async Task TestMethod1()
{
IdentityServerTableContext storageContext = new IdentityServerTableContext(
new CloudStorageAccount(new StorageCredentials("c1azuretests", File.ReadAllText("C:\\dev\\storagekey.txt")), true));
storageContext.InsertionMode = SInnovations.Azure.TableStorageRepository.InsertionMode.AddOrReplace;
var localClients = GetClients().ToArray();
var localScopes = GetScopes().ToArray();
foreach (var client in localClients)
{
storageContext.Clients.Add(client);
}
foreach (var scope in localScopes)
{
storageContext.Scopes.Add(scope);
}
await storageContext.SaveChangesAsync();
var clients = (from ent in storageContext.Clients select ent).ToArray();
foreach (var client in localClients)
{
var remoteClient = clients.Single(c => c.ClientId == client.ClientId);
Assert.AreEqual(client.AccessTokenLifetime, remoteClient.AccessTokenLifetime);
Assert.AreEqual(client.AccessTokenType, remoteClient.AccessTokenType);
Assert.AreEqual(client.AllowRememberConsent, remoteClient.AllowRememberConsent);
Assert.AreEqual(client.ApplicationType, remoteClient.ApplicationType);
Assert.AreEqual(client.AuthorizationCodeLifetime, remoteClient.AuthorizationCodeLifetime);
Assert.AreEqual(client.ClientName, remoteClient.ClientName);
Assert.AreEqual(client.ClientSecret, remoteClient.ClientSecret);
Assert.AreEqual(client.ClientUri, remoteClient.ClientUri);
Assert.AreEqual(client.Flow, remoteClient.Flow);
Assert.AreEqual(client.IdentityTokenLifetime, remoteClient.IdentityTokenLifetime);
Assert.AreEqual(client.IdentityTokenSigningKeyType, remoteClient.IdentityTokenSigningKeyType);
Assert.AreEqual(client.LogoUri, remoteClient.LogoUri);
CollectionAssert.AreEqual(client.RedirectUris, remoteClient.RedirectUris);
Assert.AreEqual(client.RefreshTokenLifetime, remoteClient.RefreshTokenLifetime);
Assert.AreEqual(client.RequireConsent, remoteClient.RequireConsent);
CollectionAssert.AreEqual(client.ScopeRestrictions, remoteClient.ScopeRestrictions);
Assert.AreEqual(client.SectorIdentifierUri, remoteClient.SectorIdentifierUri);
Assert.AreEqual(client.SubjectType, remoteClient.SubjectType);
}
var scopes = (from ent in storageContext.Scopes select ent).ToArray();
foreach (var scope in localScopes)
{
var remoteScope = scopes.Single(c => c.Name == scope.Name);
Assert.AreEqual(scope.Description, remoteScope.Description);
Assert.AreEqual(scope.DisplayName, remoteScope.DisplayName);
Assert.AreEqual(scope.Emphasize, remoteScope.Emphasize);
Assert.AreEqual(scope.IsOpenIdScope, remoteScope.IsOpenIdScope);
CollectionAssert.AreEqual(new List<ScopeClaim>(scope.Claims ?? new ScopeClaim[] { }),
new List<ScopeClaim>(remoteScope.Claims ?? new ScopeClaim[] { }), new ScopeClaimComparer());
Assert.AreEqual(scope.Required, remoteScope.Required);
}
var subject = new ClaimsPrincipal(new ClaimsIdentity(new Claim[]{
new Claim("name","poul")
}, "Google", "MyName", "MyROle"));
var code = new AuthorizationCode
{
Client = clients.First(),
IsOpenId = true,
RedirectUri = new Uri("http://www.s-innovations.net"),
Subject = subject,
RequestedScopes = scopes.Take(3),
CreationTime = DateTime.UtcNow
};
AzureTableStoreAuthorizationCodeStore store = new AzureTableStoreAuthorizationCodeStore(storageContext);
await store.StoreAsync("test", code);
var remotecode = await store.GetAsync("test");
Trace.TraceInformation(string.Join(", ", remotecode.Subject.Claims.Select(c => c.Type + "," + c.Value)));
Assert.AreEqual(code.Client.ClientId, remotecode.Client.ClientId);
Assert.AreEqual(code.CreationTime, remotecode.CreationTime);
Assert.AreEqual(code.Subject.Identities.Count(), remotecode.Subject.Identities.Count());
try
{
await store.GetAsync("test");
Assert.Fail("test should have been removed");
}
catch (Exception ex)
{
Trace.TraceInformation(ex.ToString());
}
AzureTableStoreTokenHandlerStore tokens = new AzureTableStoreTokenHandlerStore(storageContext);
await tokens.StoreAsync("testtoken", new Token("blabla") { Lifetime = 120, Audience = "asda", Issuer = "adsa", Client = clients.First() });
var token = await tokens.GetAsync("testtoken");
}
public static async Task RaiseAuthorizationCodeIssuedEventAsync(this IEventService events, string id, AuthorizationCode code)
{
//var evt = new Event<AuthorizationCodeDetails>(
// EventConstants.Categories.TokenService,
// "Authorization code issued",
// EventTypes.Information,
// EventConstants.Ids.AuthorizationCodeIssued);
//evt.DetailsFunc = () => new AuthorizationCodeDetails
//{
// HandleId = id,
// ClientId = code.ClientId,
// Scopes = code.RequestedScopes,
// SubjectId = code.Subject.GetSubjectId(),
// RedirectUri = code.RedirectUri,
// Lifetime = code.Lifetime
//};
//await events.RaiseEventAsync(evt);
}
/// <summary>
/// Stores the data.
/// </summary>
/// <param name="key">The key.</param>
/// <param name="value">The value.</param>
/// <returns></returns>
public Task StoreAsync(string key, AuthorizationCode value)
{
return(_bucket.InsertAsync(AuthorizationCodeWrapper.AuthorizationCodeId(key), new AuthorizationCodeWrapper(key, value)));
}
public List <AuthorizationCode> GetAuthorizationCodes([FromRoute] string routeCode)
{
// Verify whether route is not presale
if (IsPresaleRoute(routeCode))
{
// Return empty list
return(new List <AuthorizationCode>());
}
// Query authorization codes from database
List <AuthorizationCode> authorizationCodes = _context
.AuthorizationCodes
.Where(x => x.Route == routeCode)
.Where(
x =>
x.CreatedAt.Year == DateTime.Now.Year &&
x.CreatedAt.Month == DateTime.Now.Month &&
x.CreatedAt.Day == DateTime.Now.Day
)
.ToList();
// Verify whether none authorization code is already save in the database
if (!authorizationCodes.Any())
{
// Create authorization codes quantity key
string AUTHORIZATION_CODES_QUANTITY = "AUTHORIZATION_CODES_QUANTITY";
// Create authorization codes quantity
int authorizationCodesQuantity = 30;
// Get quantity of authorization codes to be created from application settings
ApplicationSetting applicationSetting = _context
.ApplicationSettings
.Where(x => x.Name == AUTHORIZATION_CODES_QUANTITY)
.FirstOrDefault();
// Verify whether any application setting was found in the database
if (applicationSetting != null)
{
authorizationCodesQuantity = Int32.Parse(applicationSetting.Value);
}
// Create password options
PasswordOptions passwordOptions = new PasswordOptions()
{
RequiredLength = 8,
RequiredUniqueChars = 4,
RequireDigit = true,
RequireLowercase = true,
RequireNonAlphanumeric = false,
RequireUppercase = false
};
// Iterate through the number of authorization codes to be created
for (int i = 0; i < authorizationCodesQuantity; i++)
{
// Create a brand new random code by route
string randomCode = CreateRandomCode(routeCode, passwordOptions);
// Create a new authorization code entity
AuthorizationCode authorizationCode = new AuthorizationCode
{
Code = randomCode,
Route = routeCode,
Status = Enumerations.Status.Active,
CreatedAt = DateTimeOffset.Now
};
// Add authorization code to database context
_context.AuthorizationCodes.Add(authorizationCode);
// Save authorization code
_context.SaveChanges();
// Add new authorization code created to authorization code list
authorizationCodes.Add(authorizationCode);
}
}
return(authorizationCodes);
}
public async Task <EndpointResult> Generate(
EndpointResult endpointResult,
AuthorizationParameter authorizationParameter,
ClaimsPrincipal claimsPrincipal,
Client client,
string?issuerName,
CancellationToken cancellationToken)
{
var allowedTokenScopes = string.Empty;
GrantedToken?grantedToken = null;
var responses = authorizationParameter.ResponseType.ParseResponseTypes();
var generateIdToken = await GenerateIdTokenPayload(
claimsPrincipal,
authorizationParameter,
issuerName,
cancellationToken)
.ConfigureAwait(false);
if (generateIdToken is Option <JwtPayload> .Result p)
{
var idTokenPayload = p.Item;
var payload = await GenerateUserInformationPayload(
claimsPrincipal,
authorizationParameter,
cancellationToken)
.ConfigureAwait(false);
if (payload is Option <JwtPayload> .Error er)
{
return(EndpointResult.CreateBadRequestResult(er.Details));
}
var userInformationPayload = (payload as Option <JwtPayload> .Result) !.Item;
if (responses.Contains(ResponseTypeNames.Token))
{
// 1. Generate an access token.
var tokenScopes = authorizationParameter.Scope.ParseScopes();
allowedTokenScopes = string.Join(' ', tokenScopes);
grantedToken = await _tokenStore.GetValidGrantedToken(
_jwksStore,
allowedTokenScopes,
client.ClientId,
cancellationToken,
idTokenJwsPayload : userInformationPayload,
userInfoJwsPayload : idTokenPayload)
.ConfigureAwait(false)
?? await client.GenerateToken(
_jwksStore,
tokenScopes,
issuerName,
userInformationPayload,
idTokenPayload,
cancellationToken : cancellationToken,
claimsPrincipal.Claims.Where(
c => client.UserClaimsToIncludeInAuthToken.Any(
r => r.IsMatch(c.Type)))
.ToArray())
.ConfigureAwait(false);
endpointResult = endpointResult with
{
RedirectInstruction = endpointResult.RedirectInstruction !.AddParameter(
StandardAuthorizationResponseNames.AccessTokenName,
grantedToken.AccessToken)
};
}
AuthorizationCode?authorizationCode = null;
var authorizationParameterClientId = authorizationParameter.ClientId;
if (responses.Contains(ResponseTypeNames.Code)) // 2. Generate an authorization code.
{
var subject = claimsPrincipal.GetSubject() !;
var assignedConsent = await _consentRepository
.GetConfirmedConsents(subject, authorizationParameter, cancellationToken)
.ConfigureAwait(false);
if (assignedConsent != null)
{
if (authorizationParameterClientId == null ||
authorizationParameter.RedirectUrl == null ||
authorizationParameter.Scope == null)
{
throw new ArgumentException(Strings.MissingValues, nameof(authorizationParameter));
}
// Insert a temporary authorization code
// It will be used later to retrieve tha id_token or an access token.
authorizationCode = new AuthorizationCode
{
Code = Id.Create(),
RedirectUri = authorizationParameter.RedirectUrl,
CreateDateTime = DateTimeOffset.UtcNow,
ClientId = authorizationParameterClientId,
Scopes = authorizationParameter.Scope,
IdTokenPayload = idTokenPayload,
UserInfoPayLoad = userInformationPayload
};
endpointResult = endpointResult with
{
RedirectInstruction = endpointResult.RedirectInstruction !.AddParameter(
StandardAuthorizationResponseNames.AuthorizationCodeName,
authorizationCode.Code)
};
}
}
_jwtGenerator.FillInOtherClaimsIdentityTokenPayload(
idTokenPayload,
authorizationCode == null ? string.Empty : authorizationCode.Code,
grantedToken == null ? string.Empty : grantedToken.AccessToken,
client);
if (grantedToken != null)
// 3. Insert the stateful access token into the DB OR insert the access token into the caching.
{
if (authorizationParameterClientId == null || authorizationParameter.ResponseType == null)
{
throw new ArgumentException(Strings.MissingValues, nameof(authorizationParameter));
}
await _tokenStore.AddToken(grantedToken, cancellationToken).ConfigureAwait(false);
await _eventPublisher.Publish(
new TokenGranted(
Id.Create(),
claimsPrincipal.GetSubject(),
authorizationParameterClientId,
allowedTokenScopes,
authorizationParameter.ResponseType,
DateTimeOffset.UtcNow))
.ConfigureAwait(false);
}
if (authorizationCode != null) // 4. Insert the authorization code into the caching.
{
if (client.RequirePkce)
{
authorizationCode = authorizationCode with
{
CodeChallenge = authorizationParameter.CodeChallenge ?? string.Empty,
CodeChallengeMethod = authorizationParameter.CodeChallengeMethod ?? string.Empty
};
}
await _authorizationCodeStore.Add(authorizationCode, cancellationToken).ConfigureAwait(false);
await _eventPublisher.Publish(
new AuthorizationGranted(
Id.Create(),
claimsPrincipal.GetSubject(),
authorizationParameterClientId !,
DateTimeOffset.UtcNow))
.ConfigureAwait(false);
}
if (responses.Contains(ResponseTypeNames.IdToken))
{
var idToken = await _clientStore.GenerateIdToken(
authorizationParameterClientId !,
idTokenPayload,
_jwksStore,
cancellationToken)
.ConfigureAwait(false);
endpointResult = endpointResult with
{
RedirectInstruction = endpointResult.RedirectInstruction !.AddParameter(
StandardAuthorizationResponseNames.IdTokenName,
idToken)
};
}
if (!string.IsNullOrWhiteSpace(authorizationParameter.State))
{
endpointResult = endpointResult with
{
RedirectInstruction = endpointResult.RedirectInstruction !.AddParameter(
StandardAuthorizationResponseNames.StateName,
authorizationParameter.State)
};
}
var sessionState = GetSessionState(
authorizationParameterClientId,
authorizationParameter.OriginUrl,
authorizationParameter.SessionId);
if (sessionState != null)
{
endpointResult = endpointResult with
{
RedirectInstruction = endpointResult.RedirectInstruction !.AddParameter(
StandardAuthorizationResponseNames.SessionState,
sessionState)
};
}
if (authorizationParameter.ResponseMode == ResponseModes.FormPost)
{
endpointResult = endpointResult with
{
Type = ActionResultType.RedirectToAction,
RedirectInstruction = endpointResult.RedirectInstruction !.AddParameter(
"redirect_uri",
authorizationParameter.RedirectUrl?.AbsoluteUri) with
{
Action = SimpleAuthEndPoints.FormIndex
}
};
}
// Set the response mode
if (endpointResult.Type == ActionResultType.RedirectToCallBackUrl)
{
var responseMode = authorizationParameter.ResponseMode;
if (responseMode == ResponseModes.None)
{
var responseTypes = authorizationParameter.ResponseType.ParseResponseTypes();
var authorizationFlow = responseTypes.GetAuthorizationFlow(authorizationParameter.State);
switch (authorizationFlow)
{
case Option <AuthorizationFlow> .Error error:
return(EndpointResult.CreateBadRequestResult(error.Details));
case Option <AuthorizationFlow> .Result r:
responseMode = CoreConstants.MappingAuthorizationFlowAndResponseModes[r.Item];
break;
}
}
endpointResult = endpointResult with
{
RedirectInstruction = endpointResult.RedirectInstruction !with {
ResponseMode = responseMode
}
};
}
return(endpointResult);
}
var e = generateIdToken as Option <JwtPayload> .Error;
return(EndpointResult.CreateBadRequestResult(e !.Details));
}
public Task StoreAuthorizationCodeAsync(string handle, AuthorizationCode code)
{
return(StoreItem(handle, code, Constants.PersistedGrantTypes.AuthorizationCode, code.ClientId, code.Subject.GetSubjectId(), code.CreationTime, code.Lifetime));
}
public async Task StoreAsync(string key, AuthorizationCode value)
{
var record = new AuthorizationCodeHandle(key, value);
await CreateAsync(record);
}
public async Task StoreAsync(string key, AuthorizationCode value)
{
await _cache.StringSetAsync(key, SerializeCode(value));
}
public static async Task RaiseAuthorizationCodeIssuedEventAsync(this IEventService events, string id, AuthorizationCode code)
{
var evt = new Event <AuthorizationCodeDetails>(
EventConstants.Categories.TokenService,
"Authorization code issued",
EventTypes.Information,
EventConstants.Ids.AuthorizationCodeIssued);
evt.DetailsFunc = () => new AuthorizationCodeDetails
{
HandleId = id,
ClientId = code.ClientId,
Scopes = code.Scopes,
SubjectId = code.SubjectId,
RedirectUri = code.RedirectUri,
Lifetime = code.Client.AuthorizationCodeLifetime
};
await events.RaiseEventAsync(evt);
}
private string SerializeCode(AuthorizationCode code)
{
return(JsonConvert.SerializeObject(code, GetJsonSerializerSettings()));
}
public Task StoreAsync(string key, AuthorizationCode value)
{
_repository[key] = value;
return(Task.FromResult <object>(null));
}
public override bool Equals(object obj)
{
if (obj == null)
{
return(false);
}
if (obj == this)
{
return(true);
}
return(obj is CreateMobileAuthorizationCodeResponse other &&
((Context == null && other.Context == null) || (Context?.Equals(other.Context) == true)) &&
((AuthorizationCode == null && other.AuthorizationCode == null) || (AuthorizationCode?.Equals(other.AuthorizationCode) == true)) &&
((ExpiresAt == null && other.ExpiresAt == null) || (ExpiresAt?.Equals(other.ExpiresAt) == true)) &&
((Error == null && other.Error == null) || (Error?.Equals(other.Error) == true)));
}
private async Task RaiseCodeIssuedEventAsync(string id, AuthorizationCode code)
{
await _events.RaiseAuthorizationCodeIssuedEventAsync(id, code);
}
public async Task StoreAsync(string key, AuthorizationCode value)
{
var data = _serializer.Serialize(value);
await _cache.SetAsync(key, data, _dceo);
}
