public static void UpdateClaim(this ClaimsPrincipal principal, String type, String value) { ClaimsIdentity?identity = (ClaimsIdentity?)principal.Identity; identity?.TryRemoveClaim(identity.FindFirst(type)); identity?.AddClaim(new Claim(type, value)); }
private static void AddClaim(ClaimsIdentity claimsIdentity, string claimName, string claimValue) { if (claimValue != null) { claimsIdentity?.AddClaim(new Claim(claimName, claimValue)); } }
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context) { try { _panelRepository = Bootstrapper.WindsorContainer.Resolve <IPanelRepository>(); string deviceId = context.OwinContext.Get <string>("as:device_id"); var allowedOrigin = context.OwinContext.Get <string>("as:clientAllowedOrigin"); if (allowedOrigin == null) { allowedOrigin = "*"; } context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { allowedOrigin }); var client = _repository.FindClient(context.ClientId); if (client == null) { context.SetError("invalid_clientId", $"Client '{context.ClientId}' is not registered in the system."); return; } if (client.ApplicationType == ApplicationType.JavaScript) { var user = await _panelRepository.FindUser(context.UserName, context.Password); if (user == null) { context.SetError("invalid_grant", "The user name or password is incorrect."); return; } var roles = await _panelRepository.GetUserRoles(user); var identity = new ClaimsIdentity(context.Options.AuthenticationType); identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName)); identity.AddClaim(new Claim("FirstName", user.FirstName)); identity.AddClaim(new Claim("LastName", user.LastName)); identity.AddClaim(new Claim("UserId", user.Id)); foreach (var role in roles) { identity.AddClaim(new Claim(ClaimTypes.Role, role)); } var props = new AuthenticationProperties(new Dictionary <string, string> { { "as:client_id", context.ClientId ?? string.Empty }, { "userId", user.Id }, { "firstName", user.FirstName }, { "lastName", user.LastName } }); var ticket = new AuthenticationTicket(identity, props); context.Validated(ticket); } else if (client.ApplicationType == ApplicationType.CustomerUserApp || client.ApplicationType == ApplicationType.ShopUserApp) { var appUser = _userManager.Users.SingleOrDefault(item => item.PhoneNumber == context.UserName); var rolesApp = await _repository.GetUserRoles(appUser); if (appUser == null) { context.SetError("invalid_grant", "کاربر یافت نشد"); return; } switch (client.ApplicationType) { case ApplicationType.CustomerUserApp: { if (!appUser.CustomerIsActive) { context.SetError("invalid_grant", "کاربر غیرفعال می باشد"); } break; } case ApplicationType.ShopUserApp: { if (!appUser.ShopIsActive) { context.SetError("invalid_grant", "کاربر غیرفعال می باشد"); } break; } } await VerifyPhoneNumber(appUser, context.Password, context.UserName); var identityApp = new ClaimsIdentity(context.Options.AuthenticationType); identityApp.AddClaim(new Claim(ClaimTypes.Name, context.UserName)); identityApp.AddClaim(new Claim("UserId", appUser.Id)); identityApp.AddClaim(new Claim("MobileNumber", appUser.PhoneNumber)); identityApp.AddClaim(new Claim("DeviceId", deviceId)); identityApp.AddClaim(new Claim("ShopIsActive", appUser.ShopIsActive.ToString())); identityApp.AddClaim(new Claim("CustomerIsActive", appUser.CustomerIsActive.ToString())); identityApp.AddClaim(new Claim("RegisterDate", appUser.RegisterDate.ToString())); foreach (var role in rolesApp) { identityApp.AddClaim(new Claim(ClaimTypes.Role, role)); } var appProps = new AuthenticationProperties(new Dictionary <string, string> { { "as:client_id", context.ClientId ?? string.Empty }, { "userId", appUser.Id }, { "mobileNumber", appUser.PhoneNumber } }); var appTicket = new AuthenticationTicket(identityApp, appProps); context.Validated(appTicket); } } catch (Exception e) { context.SetError("invalid_grant", e.Message); } }
public static void SetUserLogin(this ClaimsIdentity identity, string login) { identity?.AddClaim(new Claim(UserLoginClaimType, login)); }
private string GetOpenId(ActionExecutingContext filterContext) { //var objLoginInfo = Session["UserInfo"] as WechatUser; //LogManager.GetLogger(this.GetType()).Debug("objLoginInfo : " + (objLoginInfo == null?"NULL":objLoginInfo.wechatUserID)); ////判断用户是否为空 //if (objLoginInfo == null) { //LogManager.GetLogger(this.GetType()).Debug("objLoginInfo is null"); if (HttpContext.Request.IsAuthenticated) { LogManager.GetLogger(this.GetType()).Debug("HttpContext.Request.IsAuthenticated"); if (Request.UserAgent.IndexOf("MicroMessenger") >= 0) { LogManager.GetLogger(this.GetType()).Debug("WeChat Browser"); var windowsIdentity = User.Identity; if (windowsIdentity != null) { return(windowsIdentity.Name); } else { return(string.Empty); } } } else { if (!string.IsNullOrEmpty(Request["Ticket"])) { var ticket = Request["Ticket"]; Session["Ticket"] = ticket; string enTicket = EncryptionHelper.DecodeFrom64(ticket); enTicket = DesHelper.Decrypt(enTicket, WebConfigurationManager.AppSettings["EncryptKey"]); var openid = enTicket.Split('|')[0]; //登录 ClaimsIdentity claimsIdentity = new ClaimsIdentity(DefaultAuthenticationTypes.ApplicationCookie, ClaimsIdentity.DefaultNameClaimType, ClaimsIdentity.DefaultRoleClaimType); claimsIdentity.AddClaim(new Claim(ClaimTypes.NameIdentifier, openid, "http://www.w3.org/2001/XMLSchema#string")); claimsIdentity.AddClaim(new Claim(ClaimsIdentity.DefaultNameClaimType, openid, "http://www.w3.org/2001/XMLSchema#string")); claimsIdentity.AddClaim(new Claim("http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider", "ASP.NET Identity", "http://www.w3.org/2001/XMLSchema#string")); HttpContext.GetOwinContext().Authentication.SignIn(new AuthenticationProperties() { IsPersistent = false }, claimsIdentity); // } else if (Session["Ticket"] == null) { var strUrl = WebConfigurationManager.AppSettings["OAuthUrl"]; filterContext.Result = new RedirectResult(strUrl + Server.UrlEncode(EncryptionHelper.ConvertBase64(Request.Url.ToString()))); } // LogManager.GetLogger(this.GetType()).Debug("SessionId:" + Session.SessionID); // Session["ReturnUrlMP"] = Request.Url.ToString(); // string strRet = WebConfigurationManager.AppSettings["UserBackUrlMP"]; // // string AppId = Request["AppId"]; // string strwechatid = Request["wechatid"]; // string strBackUrl = string.Format("{0}?wechatid={1}", strRet, strwechatid); // LogManager.GetLogger(this.GetType()).Debug("UrlStart:" + strBackUrl); // // var weChatConfig = WeChatCommonService.GetWeChatConfigByID(int.Parse(strwechatid)); // LogManager.GetLogger(this.GetType()).Debug("UrlStart"); // string strUrl = OAuthApi.GetAuthorizeUrl("wx2a3f5167603c5caf", strBackUrl, "About", Innocellence.Weixin.MP.OAuthScope.snsapi_base); // LogManager.GetLogger(this.GetType()).Debug(strUrl); // if (filterContext.RequestContext.HttpContext.Request.IsAjaxRequest()) // { // AjaxResult<int> result = new AjaxResult<int>(); // result.Message = new JsonMessage((int)HttpStatusCode.Unauthorized, strUrl); // filterContext.Result = Json(result, JsonRequestBehavior.AllowGet); // } // else // { // LogManager.GetLogger(this.GetType()).Debug("filterContext.Result = new RedirectResult(strUrl)"); // filterContext.Result = new RedirectResult(strUrl); // } // return string.Empty; } } return(string.Empty); }
public async Task <IActionResult> SaveActiveProfile([FromBody] AccountProfileViewModel vm = null) { Account activeAccount = null; string fullName = null; AccountToken toSend = null; List <IdentityModel> toSave = null; Exception ex1 = null, ex2 = null; ClaimsIdentity claimsIdentity = null; try { if (vm == null) { throw new NullReferenceException(); } if (!string.IsNullOrEmpty(vm.Email) && !Helper.IsEmailValid(vm.Email)) { throw new ExceptionID(MessageIdentifier.INVALID_EMAIL); } activeAccount = _dbi.GetActiveAccount(); if (activeAccount == null || activeAccount.UID != vm.UID) { throw new NullReferenceException(); } toSave = new List <IdentityModel>(); if (!string.IsNullOrEmpty(vm.Email) && activeAccount.GetEmailValue()?.ToLower() != vm.Email.ToLower()) { string emailValue = activeAccount.GetEmailValue(); if (Helper.IsEmailValid(emailValue)) { toSave.AddRange(from t in activeAccount.AccountTokens where t.Type == AccountTokenType.EmailChange select t.SetRecordState(RecordState.Deleted)); } toSend = new AccountToken() { RecordState = RecordState.Added, Value = _dbi.GenerateTokenValue(), Type = AccountTokenType.EmailChange, EmailSentStatus = EmailSatus.NotSent, AddData = vm.Email, Account_Id = activeAccount.ID }; activeAccount.RegisterForRecordStateChange(); activeAccount.Email = activeAccount.UID; activeAccount.EmailConfirmed = false; activeAccount.UnregisterForRecordStateChange(); } activeAccount.RegisterForRecordStateChange(); activeAccount.AccountName = vm.AccountName; activeAccount.FName = vm.FName; activeAccount.LName = vm.LName; activeAccount.UnregisterForRecordStateChange(); if (activeAccount.RecordState != RecordState.None) { toSave.Add(activeAccount); } if (toSend == null) { if (toSave.Count > 0) { _dbi.ManageIdentityModels(toSave.ToArray()); } } else { await Task.WhenAll( Helper.GetFunc(() => { try { if (toSave.Count > 0) { _dbi.ManageIdentityModels(toSave.ToArray()); } } catch (Exception ex) { ex1 = ex; } return(Task.CompletedTask); })(), Helper.GetFunc(() => { try { toSend = _dbi.ManageModel(toSend); } catch (Exception ex) { ex2 = ex; } return(Task.CompletedTask); })()); if (ex1 != null) { throw ex1; } if (ex2 != null) { throw ex2; } string lang = this.GetSelectedLanguage(); using (var mailService = this.GetMailService()) { await Task.WhenAll( Helper.GetFunc(() => { try { toSend.RegisterForRecordStateChange(); toSend.EmailSentStatus = EmailSatus.Sending; toSend.UnregisterForRecordStateChange(); if (toSend.RecordState != RecordState.None) { toSend = _dbi.ManageModel(toSend); } } catch (Exception ex) { ex1 = ex; } return(Task.CompletedTask); })(), Helper.GetFunc(async() => { string link = null; try { link = Url.Action("xxXxx", "confirmemail", null, this.Request.Scheme); link += (link.EndsWith("/") ? "" : "/") + toSend.Value; link = link.Replace("/xxXxx/", "/"); await mailService.SendEmailAsync( $"{LanguageManager.GetLabel("AppTitle", lang)} {LanguageManager.GetLabel("lbl_CnfrmEmailAddr", lang)}", LanguageManager.GetOther("email_ChngEmail", lang) .Replace("{1}", LanguageManager.GetLabel("AppTitle", lang)) .Replace("{2}", link), toEmail: toSend.AddData, fromName: LanguageManager.GetLabel("AppTitle", lang), replyToEmail: "*****@*****.**", replyToName: "NO REPLY"); } catch (Exception ex) { ex2 = new ExceptionID(MessageIdentifier.INVALID_EMAIL, ex, false); } finally { link = null; } })()); if (ex1 != null) { throw ex1; } if (ex2 != null) { _dbi.ManageModel(toSend.SetRecordState(RecordState.Deleted)); throw ex2; } toSend.RegisterForRecordStateChange(); toSend.EmailSentStatus = EmailSatus.Sent; toSend.UnregisterForRecordStateChange(); if (toSend.RecordState != RecordState.None) { toSend = _dbi.ManageModel(toSend); } } } fullName = DbInteractor.GetAccountFullName(activeAccount); claimsIdentity = new ClaimsIdentity(BaseController.APP_ID); claimsIdentity.AddClaims(this.User.Claims.Where(l => l.Type != USER_FULL_NAME)); claimsIdentity.AddClaim(new Claim(USER_FULL_NAME, fullName)); if (GetRememberUser(this.User)) { await this.HttpContext.Authentication.SignInAsync( BaseController.APP_ID, new ClaimsPrincipal(claimsIdentity), new AuthenticationProperties { IsPersistent = true, ExpiresUtc = GetClaimExpDate(this.User) }); } else { await this.HttpContext.Authentication.SignInAsync(BaseController.APP_ID, new ClaimsPrincipal(claimsIdentity)); } return(Json(new { Ok = true, FullName = fullName, profile = this.GetActiveProfileViewModel() })); } catch (Exception ex) { return(InternalServerError(ex)); } finally { activeAccount = null; claimsIdentity = null; toSave?.Clear(); toSave = null; } }
public async Task <IActionResult> SignIn([FromBody] LoginViewModel vm) { object result = null; string refreshTokenValue = null; string accessTokenValue = null; bool invalidPassword = false; string fullName = null; ClaimsIdentity claimsIdentity = null; int refreshExpValueInSecs = 0; Exception ex1 = null, ex2 = null; try { if (vm == null) { throw new NullReferenceException(nameof(vm)); } await Task.WhenAll( Helper.GetFunc(async() => { try { result = await _dbi.SignIn(vm.User, vm.Password, TokenClientType.WebApp); } catch (Exception ex) { ex1 = ex; } })(), Helper.GetFunc(() => { try { refreshExpValueInSecs = _dbi.GetSysParDetailValue("TokenParams", "RefreshTokenLifeSpan")?.IntVal ?? 0; if (refreshExpValueInSecs <= 0) { throw new ExceptionID(MessageIdentifier.TOKEN_SYS_PARS_NOT_FOUND); } } catch (Exception ex) { ex2 = ex; } return(Task.CompletedTask); })()); if (ex1 != null) { throw ex1; } if (ex2 != null) { throw ex2; } refreshTokenValue = result.GetPropVal <string>("r"); accessTokenValue = result.GetPropVal <string>("a"); invalidPassword = result.GetPropVal <bool>("i"); fullName = result.GetPropVal <string>("fn"); claimsIdentity = new ClaimsIdentity(BaseController.APP_ID); claimsIdentity.AddClaims(new Claim[] { new Claim(REFRESH_TOKEN_KEY, refreshTokenValue), new Claim(ACCESS_TOKEN_KEY, accessTokenValue), new Claim(REMEMBER_USER, vm.Remember.ToString()), new Claim(PASSWORD_FORMAT_INVALID, invalidPassword.ToString()), new Claim(USER_FULL_NAME, fullName), }); if (vm.Remember) { claimsIdentity.AddClaim( new Claim(REFRESH_TOKEN_EXP_DATE_KEY, Helper.JSonSerializeObject(DateTimeOffset.UtcNow.AddSeconds(refreshExpValueInSecs)))); await HttpContext.Authentication.SignInAsync( BaseController.APP_ID, new ClaimsPrincipal(claimsIdentity), new AuthenticationProperties { IsPersistent = true, ExpiresUtc = DateTimeOffset.UtcNow.AddSeconds(refreshExpValueInSecs) }); } else { await HttpContext.Authentication.SignInAsync(BaseController.APP_ID, new ClaimsPrincipal(claimsIdentity)); } return(Json(new { Ok = true, FullName = fullName, Email = (_dbi?.LoginConnectionToken?.Email == _dbi?.LoginConnectionToken?.Uid ? "" : _dbi?.LoginConnectionToken?.Email), Gender = _dbi?.LoginConnectionToken?.Gender })); } catch (Exception ex) { return(InternalServerError(ex)); } finally { vm = null; result = null; refreshTokenValue = null; accessTokenValue = null; invalidPassword = false; fullName = null; } }
/// <summary> /// Raises the <see cref="E:System.Web.UI.Control.Load" /> event. /// </summary> /// <param name="e">The <see cref="T:System.EventArgs" /> object that contains the event data.</param> protected override void OnLoad(EventArgs e) { base.OnLoad(e); var authentication = HttpContext.Current.GetOwinContext().Authentication; if (IsAuthenticationNotPermitted()) { Rock.Security.Authorization.SignOut(); authentication.SignOut("OAuth"); authentication.SignOut(DefaultAuthenticationTypes.ApplicationCookie); NavigateToLinkedPage(AttributeKeys.RejectedAuthenticationPage); return; } var ticket = authentication.AuthenticateAsync(DefaultAuthenticationTypes.ApplicationCookie).Result; var identity = ticket != null ? ticket.Identity : null; string userName = null; string[] authorizedScopes = null; var scopes = (Request.QueryString.Get("scope") ?? "").Split(' '); bool scopesApproved = false; //The user is logged in but does not have OAuth identity if (CurrentUser != null && identity == null) { CreateOAuthIdentity(authentication); Response.Redirect(Request.RawUrl, true); } //The user is not logged in and does not have OAuth identity else if (identity == null) { authentication.Challenge(DefaultAuthenticationTypes.ApplicationCookie); //Send them off to log in StoreQueryStringCookie(); Response.Redirect(OAuthSettings["OAuthLoginPath"], true); } //The user has an OAuth identity else { OAuthContext context = new OAuthContext(); ClientService clientService = new ClientService(context); Client OAuthClient = clientService.GetByApiKey(PageParameter(PageParameterKeys.ClientId).AsGuid()); if (OAuthClient != null) { ClientScopeService clientScopeService = new ClientScopeService(context); userName = identity.Name; AuthorizationService authorizationService = new AuthorizationService(context); authorizedScopes = authorizationService.Queryable().Where(a => a.Client.Id == OAuthClient.Id && a.UserLogin.UserName == identity.Name && a.Active == true).Select(a => a.Scope.Identifier).ToArray <string>(); if (!clientScopeService.Queryable().Where(cs => cs.ClientId == OAuthClient.Id && cs.Active == true).Any() || (authorizedScopes != null && scopes.Where(s => !authorizedScopes.Select(a => a.ToLower()).Contains(s.ToLower())).Count() == 0)) { scopesApproved = true; } if (scopesApproved) { identity = new ClaimsIdentity(identity.Claims, "Bearer", identity.NameClaimType, identity.RoleClaimType); //only allow claims that have been requested and the client has been authorized for foreach (var scope in scopes.Where(s => clientScopeService.Queryable().Where(cs => cs.ClientId == OAuthClient.Id && cs.Active == true).Select(cs => cs.Scope.Identifier.ToLower()).Contains(s.ToLower()))) { identity.AddClaim(new Claim("urn:oauth:scope", scope)); } authentication.SignIn(identity); } else { rptScopes.DataSource = clientScopeService.Queryable().Where(cs => cs.ClientId == OAuthClient.Id && cs.Active == true).Select(s => s.Scope).ToList(); rptScopes.DataBind(); } lClientName.Text = OAuthClient.ClientName; lClientName2.Text = OAuthClient.ClientName; lUsername.Text = CurrentUser.Person.FullName + " (" + userName + ")"; hlLogout.NavigateUrl = Request.RawUrl + "&OAuthLogout=true"; } else { throw new Exception("Invalid Client ID for OAuth authentication."); } } }
public static async Task <ExternalLoginData> FromToken(string provider, string accessToken) { ExternalLoginData loginData = null; using (var client = new HttpClient()) { var verifyTokenEndPoint = GetUserProfileEndPoint(provider, accessToken); var verifyTokenPicturendPoint = GetUserProfilePictureEndPoint(provider, accessToken); var verifyAppEndpoint = GetAppProfileEndPoint(provider, accessToken); if (verifyTokenEndPoint == null || verifyAppEndpoint == null) { return(null); } Uri uri = new Uri(verifyTokenEndPoint); using (HttpResponseMessage response = await client.GetAsync(uri)) { ClaimsIdentity identity = null; if (response.IsSuccessStatusCode) { var content = await response.Content.ReadAsStringAsync(); dynamic iObj = (JObject)Newtonsoft.Json.JsonConvert.DeserializeObject(content); loginData = FromJObject(iObj); if (loginData == null) { return(null); } using (var profilePictureResponse = await client.GetAsync(verifyTokenPicturendPoint)) { if (profilePictureResponse.IsSuccessStatusCode) { var appContent = await profilePictureResponse.Content.ReadAsStringAsync(); dynamic profilePictureContent = (JObject)Newtonsoft.Json.JsonConvert.DeserializeObject(appContent); loginData.ProfilePicture = profilePictureContent["data"]["url"] ?? ""; } } identity = new ClaimsIdentity(OAuthDefaults.AuthenticationType); if (provider == "Facebook") { uri = new Uri(verifyAppEndpoint); using (var appResonse = await client.GetAsync(uri)) { var appContent = await appResonse.Content.ReadAsStringAsync(); dynamic appObj = (JObject)Newtonsoft.Json.JsonConvert.DeserializeObject(appContent); if (appObj["id"] != Startup.FacebookAuthOptions.AppId) { return(null); } identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, iObj["id"].ToString(), ClaimValueTypes.String, "Facebook", "Facebook")); } } } Claim providerKeyClaim = identity?.FindFirst(ClaimTypes.NameIdentifier); if (string.IsNullOrEmpty(providerKeyClaim?.Issuer) || string.IsNullOrEmpty(providerKeyClaim.Value)) { return(null); } if (providerKeyClaim.Issuer == ClaimsIdentity.DefaultIssuer) { return(null); } loginData.LoginProvider = provider; loginData.UserName = loginData.Email; return(loginData); } } }
public async Task <IHttpActionResult> RegisterExternalToken(RegisterExternalTokenBindingModel model) { if (!ModelState.IsValid) { return(BadRequest(ModelState)); } //validate token ExternalLoginData externalLogin = await ExternalLoginData.FromToken(model.Provider, model.Token); if (externalLogin == null) { return(InternalServerError()); } if (externalLogin.LoginProvider != model.Provider) { Authentication.SignOut(DefaultAuthenticationTypes.ExternalCookie); return(InternalServerError()); } //if we reached this point then token is valid ApplicationUser user = await UserManager.FindByEmailAsync(externalLogin.Email); bool hasRegistered = user != null; if (!hasRegistered) { user = new ApplicationUser { UserName = externalLogin.ProviderKey, Email = externalLogin.Email, ProfilePicture = externalLogin.ProfilePicture, CoverPicture = externalLogin.CoverPicture, Gender = externalLogin.Gender, Verified = externalLogin.Verified, Name = externalLogin.Name, FacebookId = externalLogin.ProviderKey, FacebookAccessToken = model.Token }; var result = await UserManager.CreateAsync(user); if (!result.Succeeded) { return(GetErrorResult(result)); } } //authenticate var identity = await UserManager.CreateIdentityAsync(user, OAuthDefaults.AuthenticationType); IEnumerable <Claim> claims = externalLogin.GetClaims(); identity.AddClaims(claims); Authentication.SignIn(identity); ClaimsIdentity oAuthIdentity = new ClaimsIdentity(Startup.OAuthOptions.AuthenticationType); oAuthIdentity.AddClaim(new Claim(ClaimTypes.Name, user.UserName)); oAuthIdentity.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.Id)); AuthenticationTicket ticket = new AuthenticationTicket(oAuthIdentity, new AuthenticationProperties()); DateTime currentUtc = DateTime.UtcNow; ticket.Properties.IssuedUtc = currentUtc; ticket.Properties.ExpiresUtc = currentUtc.Add(Startup.OAuthOptions.AccessTokenExpireTimeSpan); string accessToken = Startup.OAuthOptions.AccessTokenFormat.Protect(ticket); Request.Headers.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", accessToken); // Create the response building a JSON object that mimics exactly the one issued by the default /Token endpoint JObject token = new JObject( new JProperty("userName", user.UserName), new JProperty("userId", user.Id), new JProperty("access_token", accessToken), new JProperty("token_type", "bearer"), new JProperty("expires_in", Startup.OAuthOptions.AccessTokenExpireTimeSpan.TotalSeconds.ToString()), new JProperty("issued", currentUtc.ToString("ddd, dd MMM yyyy HH':'mm':'ss 'GMT'")), new JProperty("expires", currentUtc.Add(Startup.OAuthOptions.AccessTokenExpireTimeSpan) .ToString("ddd, dd MMM yyyy HH:mm:ss 'GMT'")) ); return(Ok(token)); }
public async Task <IActionResult> Accept(CancellationToken cancellationToken) { var response = HttpContext.GetOpenIdConnectResponse(); if (response != null) { return(View("Error", response)); } var request = HttpContext.GetOpenIdConnectRequest(); if (request == null) { return(View("Error", new OpenIdConnectResponse { Error = OpenIdConnectConstants.Errors.ServerError, ErrorDescription = "An internal error has occurred." })); } // Create a new ClaimsIdentity containing the claims that // will be used to create an id_token, a token or a code. var identity = new ClaimsIdentity( OpenIdConnectServerDefaults.AuthenticationScheme, OpenIdConnectConstants.Claims.Name, OpenIdConnectConstants.Claims.Role); // Note: the "sub" claim is mandatory and an exception is thrown if this claim is missing. identity.AddClaim( new Claim(OpenIdConnectConstants.Claims.Subject, User.FindFirst(ClaimTypes.NameIdentifier).Value) .SetDestinations(OpenIdConnectConstants.Destinations.AccessToken, OpenIdConnectConstants.Destinations.IdentityToken)); identity.AddClaim( new Claim(OpenIdConnectConstants.Claims.Name, User.FindFirst(ClaimTypes.Name).Value) .SetDestinations(OpenIdConnectConstants.Destinations.AccessToken, OpenIdConnectConstants.Destinations.IdentityToken)); var application = await GetApplicationAsync(request.ClientId, cancellationToken); if (application == null) { return(View("Error", new OpenIdConnectResponse { Error = OpenIdConnectConstants.Errors.InvalidClient, ErrorDescription = "The specified client identifier is invalid." })); } // Create a new authentication ticket holding the user identity. var ticket = new AuthenticationTicket( new ClaimsPrincipal(identity), new AuthenticationProperties(), OpenIdConnectServerDefaults.AuthenticationScheme); // Set the list of scopes granted to the client application. // Note: this sample always grants the "openid", "email" and "profile" scopes // when they are requested by the client application: a real world application // would probably display a form allowing to select the scopes to grant. ticket.SetScopes(new[] { /* openid: */ OpenIdConnectConstants.Scopes.OpenId, /* email: */ OpenIdConnectConstants.Scopes.Email, /* profile: */ OpenIdConnectConstants.Scopes.Profile, /* offline_access: */ OpenIdConnectConstants.Scopes.OfflineAccess }.Intersect(request.GetScopes())); // Set the resources servers the access token should be issued for. ticket.SetResources("resource_server"); // Returning a SignInResult will ask ASOS to serialize the specified identity to build appropriate tokens. return(SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme)); }
public async Task <IActionResult> Login(LoginInputModel model) { if (ModelState.IsValid) { if (_marvinUserRepository.AreUserCredentialsValid(model.Username, model.Password)) { var user = _marvinUserRepository.GetUserByUsername(model.Username); var id = new ClaimsIdentity(); id.AddClaim(new Claim(JwtClaimTypes.Subject, user.SubjectId)); await HttpContext.Authentication.SignInAsync("idsrv.2FA", new ClaimsPrincipal(id)); // send code... var redirectToAdditionalFactorUrl = Url.Action("AdditionalAuthenticationFactor", new { returnUrl = model.ReturnUrl, rememberLogin = model.RememberLogin }); if (_interaction.IsValidReturnUrl(model.ReturnUrl) || Url.IsLocalUrl(model.ReturnUrl)) { return(Redirect(redirectToAdditionalFactorUrl)); } return(Redirect("~/")); //AuthenticationProperties props = null; //// only set explicit expiration here if persistent. //// otherwise we reply upon expiration configured in cookie middleware. //if (AccountOptions.AllowRememberLogin && model.RememberLogin) //{ // props = new AuthenticationProperties // { // IsPersistent = true, // ExpiresUtc = DateTimeOffset.UtcNow.Add(AccountOptions.RememberMeLoginDuration) // }; //}; //// issue authentication cookie with subject ID and username //var user = _marvinUserRepository.GetUserByUsername(model.Username); //await _events.RaiseAsync(new UserLoginSuccessEvent(user.Username, user.SubjectId, user.Username)); //await HttpContext.Authentication.SignInAsync(user.SubjectId, user.Username, props); //// make sure the returnUrl is still valid, and if yes - redirect back to authorize endpoint or a local page //if (_interaction.IsValidReturnUrl(model.ReturnUrl) || Url.IsLocalUrl(model.ReturnUrl)) //{ // return Redirect(model.ReturnUrl); //} //return Redirect("~/"); } await _events.RaiseAsync(new UserLoginFailureEvent(model.Username, "invalid credentials")); ModelState.AddModelError("", AccountOptions.InvalidCredentialsErrorMessage); } // something went wrong, show form with error var vm = await _account.BuildLoginViewModelAsync(model); return(View(vm)); }
public IActionResult Login(string username, string password, Rol rol) { string returnUrl = TempData[_Return_Url] as string; if (!string.IsNullOrWhiteSpace(username) && !string.IsNullOrWhiteSpace(password)) { Usuario usuario = null; if (rol == Rol.Estudiante) { usuario = _context.Alumnos.FirstOrDefault(usr => usr.Username == username); } else { usuario = _context.Administradores.FirstOrDefault(usr => usr.Username == username); } if (usuario != null) { var passwordEncriptada = password.Encriptar(); if (usuario.Password.SequenceEqual(passwordEncriptada)) { // Se crean las credenciales del usuario que serán incorporadas al contexto ClaimsIdentity identity = new ClaimsIdentity(CookieAuthenticationDefaults.AuthenticationScheme); // El lo que luego obtendré al acceder a User.Identity.Name identity.AddClaim(new Claim(ClaimTypes.Name, username)); // Se utilizará para la autorización por roles identity.AddClaim(new Claim(ClaimTypes.Role, rol.ToString())); // Lo utilizaremos para acceder al Id del usuario que se encuentra en el sistema. identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, usuario.Id.ToString())); // Lo utilizaremos cuando querramos mostrar el nombre del usuario logueado en el sistema. identity.AddClaim(new Claim(ClaimTypes.GivenName, usuario.NombreYApellido)); ClaimsPrincipal principal = new ClaimsPrincipal(identity); // En este paso se hace el login del usuario al sistema HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, principal).Wait(); _context.SaveChanges(); TempData["JustLoggedIn"] = true; if (!string.IsNullOrWhiteSpace(returnUrl)) { return(Redirect(returnUrl)); } return(RedirectToAction(nameof(HomeController.Index), "Home")); } } } // Completo estos dos campos para poder retornar a la vista en caso de errores. ViewBag.Error = "Usuario o contraseña incorrectos"; ViewBag.UserName = username; TempData[_Return_Url] = returnUrl; return(View()); }
public async Task <object> LogIn([FromBody] User user) { bool validCredentials = false; var userIdentity = new ApplicationUser(); if (user != null && !string.IsNullOrWhiteSpace(user.UserID)) { userIdentity = _userManager .FindByNameAsync(user.UserID).Result; if (userIdentity != null) { var loginResult = _signInManager .CheckPasswordSignInAsync(userIdentity, user.Password, false) .Result; if (loginResult.Succeeded) { validCredentials = _userManager.IsInRoleAsync( userIdentity, Roles.ROLE_USER).Result; } } } if (validCredentials) { ClaimsIdentity identity = new ClaimsIdentity( new GenericIdentity(user.UserID, "Login"), new[] { new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString("N")), new Claim(JwtRegisteredClaimNames.UniqueName, user.UserID) } ); var roles = await _userManager.GetRolesAsync(userIdentity); foreach (var role in roles) { identity.AddClaim(new Claim(ClaimTypes.Role, role)); } DateTime createDate = DateTime.Now; DateTime expirationDate = createDate + TimeSpan.FromSeconds(_tokenConfigurations.Seconds); var handler = new JwtSecurityTokenHandler(); var securityToken = handler.CreateToken(new SecurityTokenDescriptor { Issuer = _tokenConfigurations.Issuer, Audience = _tokenConfigurations.Audience, SigningCredentials = _signInConfigurations.SigningCredentials, Subject = identity, NotBefore = createDate, Expires = expirationDate }); var token = handler.WriteToken(securityToken); return(new { authenticated = true, created = createDate.ToString("yyyy-MM-dd HH:mm:ss"), expiration = expirationDate.ToString("yyyy-MM-dd HH:mm:ss"), accessToken = token, message = "OK" }); } else { return(new { authenticated = false, message = "Not authenticating" }); } }
/// <summary> /// Owin middleware overrided method /// </summary> /// <param name="context">the owin context</param> /// <returns>next invoke task</returns> public override async Task Invoke(IOwinContext context) { var header = context.Request.Headers.FirstOrDefault(m => m.Key.ToLower() == "authorization"); if (!string.IsNullOrWhiteSpace(header.Key)) { string headerValue = header.Value.FirstOrDefault().Trim(); if (!headerValue.StartsWith("Bearer")) { string[] parts; try { string parameter = Encoding.UTF8.GetString( Convert.FromBase64String( header.Value.FirstOrDefault())); parts = parameter.Split(':'); } catch (Exception e) { throw new Exception("invalid value"); } if (parts.Count() == 2) { var allowedOrigin = context.Get <string>("as:clientAllowedOrigin") ?? "*"; context.Response.Headers.Add("Access-Control-Allow-Origin", new[] { allowedOrigin }); var user = await this.authRepository.FindUser(parts[0], parts[1]); if (user != null) { string userId = user.Id.ToString(); string roleName = this.authRepository.GetRoleName(user.Roles.ToList()[0].RoleId); var claims = new[] { new Claim(ClaimTypes.Name, user.UserName) }; var identity = new ClaimsIdentity(claims, "Basic"); identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, userId)); identity.AddClaim(new Claim(ClaimTypes.Role, roleName)); identity.AddClaim(new Claim("sub", user.UserName)); identity.AddClaim(new Claim("role", roleName)); context.Request.User = new ClaimsPrincipal(identity); var props = new AuthenticationProperties(new Dictionary <string, string> { { "userName", user.UserName }, { "userId", userId }, { "type", roleName } }); var ticket = new AuthenticationTicket(identity, props); } } } } await Next.Invoke(context); }
private async Task <string> SerializeAccessTokenAsync( ClaimsIdentity identity, AuthenticationProperties properties, OpenIdConnectMessage request, OpenIdConnectMessage response) { // properties.IssuedUtc and properties.ExpiresUtc // should always be preferred when explicitly set. if (properties.IssuedUtc == null) { properties.IssuedUtc = Options.SystemClock.UtcNow; } if (properties.ExpiresUtc == null) { properties.ExpiresUtc = properties.IssuedUtc + Options.AccessTokenLifetime; } // Create a new identity containing only the filtered claims. // Actors identities are also filtered (delegation scenarios). identity = identity.Clone(claim => { // Never exclude ClaimTypes.NameIdentifier. if (string.Equals(claim.Type, ClaimTypes.NameIdentifier, StringComparison.OrdinalIgnoreCase)) { return(true); } // Claims whose destination is not explicitly referenced or doesn't // contain "access_token" are not included in the access token. return(claim.HasDestination(OpenIdConnectConstants.Destinations.AccessToken)); }); // Create a new ticket containing the updated properties and the filtered identity. var ticket = new AuthenticationTicket(identity, properties); ticket.SetUsage(OpenIdConnectConstants.Usages.AccessToken); ticket.SetAudiences(ticket.GetResources()); // Associate a random identifier with the access token. ticket.SetTicketId(Guid.NewGuid().ToString()); // By default, add the client_id to the list of the // presenters allowed to use the access token. if (!string.IsNullOrEmpty(request.ClientId)) { ticket.SetPresenters(request.ClientId); } var notification = new SerializeAccessTokenContext(Context, Options, request, response, ticket) { DataFormat = Options.AccessTokenFormat, Issuer = Context.GetIssuer(Options), SecurityTokenHandler = Options.AccessTokenHandler, SigningCredentials = Options.SigningCredentials.FirstOrDefault() }; await Options.Provider.SerializeAccessToken(notification); if (notification.HandledResponse || !string.IsNullOrEmpty(notification.AccessToken)) { return(notification.AccessToken); } else if (notification.Skipped) { return(null); } if (!notification.Audiences.Any()) { Options.Logger.LogInformation("No explicit audience was associated with the access token."); } if (notification.SecurityTokenHandler == null) { return(notification.DataFormat?.Protect(ticket)); } if (notification.SigningCredentials == null) { Options.Logger.LogWarning("No signing credentials are registered in the OpenID Connect server options. " + "Consider registering a X.509 certificate to ensure access tokens are signed."); } // Store the "unique_id" property as a claim. ticket.Identity.AddClaim(notification.SecurityTokenHandler is JwtSecurityTokenHandler ? OpenIdConnectConstants.Claims.JwtId : OpenIdConnectConstants.Claims.TokenId, ticket.GetTicketId()); // Store the "usage" property as a claim. ticket.Identity.AddClaim(OpenIdConnectConstants.Claims.Usage, ticket.GetUsage()); // If the ticket is marked as confidential, add a new // "confidential" claim in the security token. if (ticket.IsConfidential()) { ticket.Identity.AddClaim(new Claim(OpenIdConnectConstants.Claims.Confidential, "true", ClaimValueTypes.Boolean)); } // Create a new claim per scope item, that will result // in a "scope" array being added in the access token. foreach (var scope in notification.Scopes) { ticket.Identity.AddClaim(OpenIdConnectConstants.Claims.Scope, scope); } var handler = notification.SecurityTokenHandler as JwtSecurityTokenHandler; if (handler != null) { // Note: when used as an access token, a JWT token doesn't have to expose a "sub" claim // but the name identifier claim is used as a substitute when it has been explicitly added. // See https://tools.ietf.org/html/rfc7519#section-4.1.2 var subject = identity.FindFirst(OpenIdConnectConstants.Claims.Subject); if (subject == null) { var identifier = identity.FindFirst(ClaimTypes.NameIdentifier); if (identifier != null) { identity.AddClaim(OpenIdConnectConstants.Claims.Subject, identifier.Value); } } // Remove the ClaimTypes.NameIdentifier claims to avoid getting duplicate claims. // Note: the "sub" claim is automatically mapped by JwtSecurityTokenHandler // to ClaimTypes.NameIdentifier when validating a JWT token. // Note: make sure to call ToArray() to avoid an InvalidOperationException // on old versions of Mono, where FindAll() is implemented using an iterator. foreach (var claim in ticket.Identity.FindAll(ClaimTypes.NameIdentifier).ToArray()) { ticket.Identity.RemoveClaim(claim); } // Store the audiences as claims. foreach (var audience in notification.Audiences) { ticket.Identity.AddClaim(OpenIdConnectConstants.Claims.Audience, audience); } // Extract the presenters from the authentication ticket. var presenters = notification.Presenters.ToArray(); switch (presenters.Length) { case 0: break; case 1: identity.AddClaim(OpenIdConnectConstants.Claims.AuthorizedParty, presenters[0]); break; default: Options.Logger.LogWarning("Multiple presenters have been associated with the access token " + "but the JWT format only accepts single values."); // Only add the first authorized party. identity.AddClaim(OpenIdConnectConstants.Claims.AuthorizedParty, presenters[0]); break; } var token = handler.CreateToken( subject: ticket.Identity, issuer: notification.Issuer, signingCredentials: notification.SigningCredentials, notBefore: ticket.Properties.IssuedUtc.Value.UtcDateTime, expires: ticket.Properties.ExpiresUtc.Value.UtcDateTime); token.Payload[OpenIdConnectConstants.Claims.IssuedAt] = EpochTime.GetIntDate(ticket.Properties.IssuedUtc.Value.UtcDateTime); // Try to extract a key identifier from the signing credentials // and add the "kid" property to the JWT header if applicable. LocalIdKeyIdentifierClause clause = null; if (notification.SigningCredentials?.SigningKeyIdentifier != null && notification.SigningCredentials.SigningKeyIdentifier.TryFind(out clause)) { token.Header[JwtHeaderParameterNames.Kid] = clause.LocalId; } return(handler.WriteToken(token)); } else { var descriptor = new SecurityTokenDescriptor { Subject = ticket.Identity, AppliesToAddress = notification.Audiences.ElementAtOrDefault(0), TokenIssuerName = notification.Issuer, EncryptingCredentials = notification.EncryptingCredentials, SigningCredentials = notification.SigningCredentials, Lifetime = new Lifetime( notification.Ticket.Properties.IssuedUtc.Value.UtcDateTime, notification.Ticket.Properties.ExpiresUtc.Value.UtcDateTime) }; // When the encrypting credentials use an asymmetric key, replace them by a // EncryptedKeyEncryptingCredentials instance to generate a symmetric key. if (descriptor.EncryptingCredentials != null && descriptor.EncryptingCredentials.SecurityKey is AsymmetricSecurityKey) { // Note: EncryptedKeyEncryptingCredentials automatically generates an in-memory key // that will be encrypted using the original credentials and added to the resulting token // if the security token handler fully supports token encryption (e.g SAML or SAML2). descriptor.EncryptingCredentials = new EncryptedKeyEncryptingCredentials( wrappingCredentials: notification.EncryptingCredentials, keySizeInBits: 256, encryptionAlgorithm: SecurityAlgorithms.Aes256Encryption); } var token = notification.SecurityTokenHandler.CreateToken(descriptor); // Note: the security token is manually serialized to prevent // an exception from being thrown if the handler doesn't implement // the SecurityTokenHandler.WriteToken overload returning a string. var builder = new StringBuilder(); using (var writer = XmlWriter.Create(builder, new XmlWriterSettings { Encoding = new UTF8Encoding(false), OmitXmlDeclaration = true })) { notification.SecurityTokenHandler.WriteToken(writer, token); } return(builder.ToString()); } }
private async Task <string> SerializeIdentityTokenAsync( ClaimsIdentity identity, AuthenticationProperties properties, OpenIdConnectMessage request, OpenIdConnectMessage response) { // properties.IssuedUtc and properties.ExpiresUtc // should always be preferred when explicitly set. if (properties.IssuedUtc == null) { properties.IssuedUtc = Options.SystemClock.UtcNow; } if (properties.ExpiresUtc == null) { properties.ExpiresUtc = properties.IssuedUtc + Options.IdentityTokenLifetime; } // Replace the identity by a new one containing only the filtered claims. // Actors identities are also filtered (delegation scenarios). identity = identity.Clone(claim => { // Never exclude ClaimTypes.NameIdentifier. if (string.Equals(claim.Type, ClaimTypes.NameIdentifier, StringComparison.OrdinalIgnoreCase)) { return(true); } // Claims whose destination is not explicitly referenced or doesn't // contain "id_token" are not included in the identity token. return(claim.HasDestination(OpenIdConnectConstants.Destinations.IdentityToken)); }); // Create a new ticket containing the updated properties and the filtered identity. var ticket = new AuthenticationTicket(identity, properties); ticket.SetUsage(OpenIdConnectConstants.Usages.IdentityToken); // Associate a random identifier with the identity token. ticket.SetTicketId(Guid.NewGuid().ToString()); // By default, add the client_id to the list of the // presenters allowed to use the identity token. if (!string.IsNullOrEmpty(request.ClientId)) { ticket.SetAudiences(request.ClientId); ticket.SetPresenters(request.ClientId); } var notification = new SerializeIdentityTokenContext(Context, Options, request, response, ticket) { Issuer = Context.GetIssuer(Options), SecurityTokenHandler = Options.IdentityTokenHandler, SigningCredentials = Options.SigningCredentials.FirstOrDefault() }; await Options.Provider.SerializeIdentityToken(notification); if (notification.HandledResponse || !string.IsNullOrEmpty(notification.IdentityToken)) { return(notification.IdentityToken); } else if (notification.Skipped) { return(null); } if (notification.SecurityTokenHandler == null) { return(null); } if (!identity.HasClaim(claim => claim.Type == OpenIdConnectConstants.Claims.Subject) && !identity.HasClaim(claim => claim.Type == ClaimTypes.NameIdentifier)) { throw new InvalidOperationException("A unique identifier cannot be found to generate a 'sub' claim: " + "make sure to add a 'ClaimTypes.NameIdentifier' claim."); } if (notification.SigningCredentials == null) { Options.Logger.LogWarning("No signing credentials are registered in the OpenID Connect server options. " + "Consider registering a X.509 certificate to ensure identity tokens are signed."); } // Store the unique subject identifier as a claim. if (!identity.HasClaim(claim => claim.Type == OpenIdConnectConstants.Claims.Subject)) { identity.AddClaim(OpenIdConnectConstants.Claims.Subject, identity.GetClaim(ClaimTypes.NameIdentifier)); } // Remove the ClaimTypes.NameIdentifier claims to avoid getting duplicate claims. // Note: the "sub" claim is automatically mapped by JwtSecurityTokenHandler // to ClaimTypes.NameIdentifier when validating a JWT token. // Note: make sure to call ToArray() to avoid an InvalidOperationException // on old versions of Mono, where FindAll() is implemented using an iterator. foreach (var claim in identity.FindAll(ClaimTypes.NameIdentifier).ToArray()) { identity.RemoveClaim(claim); } // Store the "unique_id" property as a claim. ticket.Identity.AddClaim(OpenIdConnectConstants.Claims.JwtId, ticket.GetTicketId()); // Store the "usage" property as a claim. ticket.Identity.AddClaim(OpenIdConnectConstants.Claims.Usage, ticket.GetUsage()); // If the ticket is marked as confidential, add a new // "confidential" claim in the security token. if (ticket.IsConfidential()) { ticket.Identity.AddClaim(new Claim(OpenIdConnectConstants.Claims.Confidential, "true", ClaimValueTypes.Boolean)); } // Store the audiences as claims. foreach (var audience in notification.Audiences) { ticket.Identity.AddClaim(OpenIdConnectConstants.Claims.Audience, audience); } // If a nonce was present in the authorization request, it MUST // be included in the id_token generated by the token endpoint. // See http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation var nonce = request.Nonce; if (request.IsAuthorizationCodeGrantType()) { // Restore the nonce stored in the authentication // ticket extracted from the authorization code. nonce = ticket.GetNonce(); } if (!string.IsNullOrEmpty(nonce)) { ticket.Identity.AddClaim(OpenIdConnectConstants.Claims.Nonce, nonce); } if (!string.IsNullOrEmpty(response.Code)) { using (var algorithm = HashAlgorithm.Create(notification.SigningCredentials.DigestAlgorithm)) { // Create the c_hash using the authorization code returned by SerializeAuthorizationCodeAsync. var hash = algorithm.ComputeHash(Encoding.ASCII.GetBytes(response.Code)); // Note: only the left-most half of the hash of the octets is used. // See http://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken ticket.Identity.AddClaim(OpenIdConnectConstants.Claims.CodeHash, Base64UrlEncoder.Encode(hash, 0, hash.Length / 2)); } } if (!string.IsNullOrEmpty(response.AccessToken)) { using (var algorithm = HashAlgorithm.Create(notification.SigningCredentials.DigestAlgorithm)) { // Create the at_hash using the access token returned by SerializeAccessTokenAsync. var hash = algorithm.ComputeHash(Encoding.ASCII.GetBytes(response.AccessToken)); // Note: only the left-most half of the hash of the octets is used. // See http://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken ticket.Identity.AddClaim(OpenIdConnectConstants.Claims.AccessTokenHash, Base64UrlEncoder.Encode(hash, 0, hash.Length / 2)); } } // Extract the presenters from the authentication ticket. var presenters = notification.Presenters.ToArray(); switch (presenters.Length) { case 0: break; case 1: identity.AddClaim(OpenIdConnectConstants.Claims.AuthorizedParty, presenters[0]); break; default: Options.Logger.LogWarning("Multiple presenters have been associated with the identity token " + "but the JWT format only accepts single values."); // Only add the first authorized party. identity.AddClaim(OpenIdConnectConstants.Claims.AuthorizedParty, presenters[0]); break; } var token = notification.SecurityTokenHandler.CreateToken( subject: ticket.Identity, issuer: notification.Issuer, signingCredentials: notification.SigningCredentials, notBefore: ticket.Properties.IssuedUtc.Value.UtcDateTime, expires: ticket.Properties.ExpiresUtc.Value.UtcDateTime); token.Payload[OpenIdConnectConstants.Claims.IssuedAt] = EpochTime.GetIntDate(ticket.Properties.IssuedUtc.Value.UtcDateTime); // Try to extract a key identifier from the signing credentials // and add the "kid" property to the JWT header if applicable. LocalIdKeyIdentifierClause clause = null; if (notification.SigningCredentials?.SigningKeyIdentifier != null && notification.SigningCredentials.SigningKeyIdentifier.TryFind(out clause)) { token.Header[JwtHeaderParameterNames.Kid] = clause.LocalId; } return(notification.SecurityTokenHandler.WriteToken(token)); }
public async Task <IActionResult> Login(LoginIM im) { if (im == null) { AR.Setfailure(Messages.InvalidUserNameOrPassword); return(Json(AR)); } // var lookupUser = _userServices.SignIn(im.Username, im.Password); var user = await _context.Users.FirstOrDefaultAsync(predicate : u => u.UserName == im.Username); if (user == null) { AR.Setfailure(Messages.InvalidUserNameOrPassword); return(Json(AR)); } var salt = Convert.FromBase64String(user.SecurityStamp); var pwdHash = Hash.HashPasswordWithSalt(im.Password, salt); if (user.PasswordHash != pwdHash) { AR.Setfailure(Messages.InvalidUserNameOrPassword); return(Json(AR)); } ; // create claims var claims = new List <Claim> { new Claim(ClaimTypes.Sid, user.Id.ToString()), new Claim("RealName", user.RealName ?? "无"), new Claim(ClaimTypes.Name, user.UserName), new Claim(ClaimTypes.Email, user.Email) }; // create identity var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme); var userRoles = await _context.Roles.Where(d => d.UserRoles.Any(r => r.UserId == user.Id)).ToArrayAsync(); //add a list of roles if (userRoles.Any()) { var roles = string.Join(",", userRoles.Select(d => d.RoleName)); identity.AddClaim(new Claim(ClaimTypes.Role, roles)); } // create principal var principal = new ClaimsPrincipal(identity); await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, principal, new AuthenticationProperties { IsPersistent = im.RememberMe, ExpiresUtc = DateTimeOffset.Now.Add(TimeSpan.FromDays(180)) }); AR.SetSuccess(Messages.Wellcome); return(Json(AR)); }
public async Task <IActionResult> Accept(CancellationToken cancellationToken) { var response = HttpContext.GetOpenIdConnectResponse(); if (response != null) { return(View("Error", response)); } var request = HttpContext.GetOpenIdConnectRequest(); if (request == null) { return(View("Error", new OpenIdConnectMessage { Error = OpenIdConnectConstants.Errors.ServerError, ErrorDescription = "An internal error has occurred" })); } // Remove the authorization request from the user session. if (!string.IsNullOrEmpty(request.GetRequestId())) { HttpContext.Session.Remove("authorization-request:" + request.GetRequestId()); } // Create a new ClaimsIdentity containing the claims that // will be used to create an id_token, a token or a code. var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme); // Copy the claims retrieved from the external identity provider // (e.g Google, Facebook, a WS-Fed provider or another OIDC server). foreach (var claim in HttpContext.User.Claims) { // Allow ClaimTypes.Name to be added in the id_token. // ClaimTypes.NameIdentifier is automatically added, even if its // destination is not defined or doesn't include "id_token". // The other claims won't be visible for the client application. if (claim.Type == ClaimTypes.Name) { claim.SetDestinations(OpenIdConnectConstants.Destinations.AccessToken, OpenIdConnectConstants.Destinations.IdentityToken); } identity.AddClaim(claim); } var application = await GetApplicationAsync(request.ClientId, cancellationToken); if (application == null) { return(View("Error", new OpenIdConnectMessage { Error = OpenIdConnectConstants.Errors.InvalidClient, ErrorDescription = "Details concerning the calling client application cannot be found in the database" })); } // Create a new ClaimsIdentity containing the claims associated with the application. // Note: setting identity.Actor is not mandatory but can be useful to access // the whole delegation chain from the resource server (see ResourceController.cs). identity.Actor = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme); identity.Actor.AddClaim(ClaimTypes.NameIdentifier, application.ApplicationID); identity.Actor.AddClaim(ClaimTypes.Name, application.DisplayName, OpenIdConnectConstants.Destinations.AccessToken, OpenIdConnectConstants.Destinations.IdentityToken); // Create a new authentication ticket holding the user identity. var ticket = new AuthenticationTicket( new ClaimsPrincipal(identity), new AuthenticationProperties(), OpenIdConnectServerDefaults.AuthenticationScheme); // Set the list of scopes granted to the client application. // Note: this sample always grants the "openid", "email" and "profile" scopes // when they are requested by the client application: a real world application // would probably display a form allowing to select the scopes to grant. ticket.SetScopes(new[] { /* openid: */ OpenIdConnectConstants.Scopes.OpenId, /* email: */ OpenIdConnectConstants.Scopes.Email, /* profile: */ OpenIdConnectConstants.Scopes.Profile, /* offline_access: */ OpenIdConnectConstants.Scopes.OfflineAccess }.Intersect(request.GetScopes())); // Set the resources servers the access token should be issued for. ticket.SetResources("resource_server"); // Returning a SignInResult will ask ASOS to serialize the specified identity to build appropriate tokens. // Note: you should always make sure the identities you return contain ClaimTypes.NameIdentifier claim. // In this sample, the identity always contains the name identifier returned by the external provider. return(SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme)); }
// This method gets called by the runtime. Use this method to add services to the container. public void ConfigureServices(IServiceCollection services) { services.AddDbContext <ApplicationDbContext>(options => options.UseSqlServer( Configuration.GetConnectionString("DefaultConnection"))); // this is for DI purposes services.TryAddSingleton <IHttpContextAccessor, HttpContextAccessor>(); services // .AddAuthentication(JwtBearerDefaults.AuthenticationScheme) .AddAuthentication(cfg => { cfg.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme; cfg.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme; }) .AddJwtBearer(options => { options.Authority = "https://securetoken.google.com/abtestinghost"; options.TokenValidationParameters = new TokenValidationParameters { ValidateIssuer = true, ValidIssuer = "https://securetoken.google.com/abtestinghost", ValidateAudience = true, ValidAudience = "abtestinghost", ValidateLifetime = true }; options.Events = new JwtBearerEvents { OnTokenValidated = async ctx => { // grabs the unique id from firebase var name = ctx.Principal.Claims.First(c => c.Type == "user_id").Value; //Get userManager out of DI var _userManager = ctx.HttpContext.RequestServices.GetRequiredService <UserManager <ApplicationUser> >(); // retrieves the roles that the user has ApplicationUser user = await _userManager.FindByNameAsync(name); if (user == null) { user = new ApplicationUser(name); user.Email = "*****@*****.**"; user.customField = "haha"; var newPineapple = new Pineapple() { name = "random name of things " + name }; user.Pineapples = new List <Pineapple>(); user.Pineapples.Add(newPineapple); var result = await _userManager.CreateAsync(user); var roleResult = await _userManager.AddToRoleAsync(user, "admin"); } var userRoles = await _userManager.GetRolesAsync(user); // adds the role as a new claim ClaimsIdentity identity = ctx.Principal.Identity as ClaimsIdentity; if (identity != null) { foreach (var role in userRoles) { identity.AddClaim(new System.Security.Claims.Claim(ClaimTypes.Role, role)); } } } }; }); services.AddIdentityCore <ApplicationUser>() .AddRoles <IdentityRole>() .AddEntityFrameworkStores <ApplicationDbContext>(); services.TryAddScoped <SignInManager <ApplicationUser> >(); services.AddSingleton <IDocumentExecuter, DocumentExecuter>(); services.AddSingleton <BaseGraphQLQuery>(); services.AddSingleton <GraphQLQuery>(); services.AddSingleton <GraphQLSchema>(); services.AddSingleton <GraphQLMutation>(); services.AddSingleton <PineappleType>(); services.AddSingleton <PineappleInputType>(); services.AddSingleton <ApplicationUserType>(); var sp = services.BuildServiceProvider(); services.AddSingleton <ISchema>(new GraphQLSchema(new FuncDependencyResolver(type => sp.GetService(type)))); services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2); services.AddCors(options => options.AddPolicy("AllowAll", p => p.AllowAnyOrigin() .AllowAnyMethod() .AllowAnyHeader())); }
private async Task <string[]> ChangeUserPassword(string resetToken, string oldPassword, string newPassword) { string[] result = null; PasswordPolicy passpol = null; string accessTokenValue = null; bool isPasswordValid = true; ClaimsIdentity claimsIdentity = null; try { resetToken = resetToken ?? ""; oldPassword = oldPassword ?? ""; newPassword = newPassword ?? ""; passpol = _dbi.GetPasswordPolicy(); if (passpol != null) { string lang = this.GetSelectedLanguage(); var verifResult = passpol.IsPasswordFormatValid(newPassword); if (!verifResult.IsValid()) { isPasswordValid = false; result = passpol .SetAlphaErrorMsg(LanguageManager.GetMessage("errMsg_Pswrd_Alpha", lang)) .SetMinLenErrorMsg(LanguageManager.GetMessage("errMsg_Pswrd_MinLen", lang)) .SetNumericErrorMsg(LanguageManager.GetMessage("errMsg_Pswrd_Numeric", lang)) .SetSpacesErrorMsg(LanguageManager.GetMessage("errMsg_Pswrd_Spaces", lang)) .SetSpecialErrorMsg(LanguageManager.GetMessage("errMsg_Pswrd_Special", lang)) .SetUppercaseErrorMsg(LanguageManager.GetMessage("errMsg_Pswrd_Uppercase", lang)) .GetErrorMessages(verifResult); } } if (isPasswordValid) { accessTokenValue = _dbi.ChangeAccountPassword(oldPassword, newPassword, resetToken); if (string.IsNullOrEmpty(resetToken)) { claimsIdentity = new ClaimsIdentity(BaseController.APP_ID); claimsIdentity.AddClaims(this.User.Claims.Where(l => l.Type != ACCESS_TOKEN_KEY && l.Type != PASSWORD_FORMAT_INVALID)); claimsIdentity.AddClaim(new Claim(ACCESS_TOKEN_KEY, accessTokenValue)); claimsIdentity.AddClaim(new Claim(PASSWORD_FORMAT_INVALID, false.ToString())); if (GetRememberUser(this.User)) { await this.HttpContext.Authentication.SignInAsync( BaseController.APP_ID, new ClaimsPrincipal(claimsIdentity), new AuthenticationProperties { IsPersistent = true, ExpiresUtc = GetClaimExpDate(this.User) }); } else { await this.HttpContext.Authentication.SignInAsync(BaseController.APP_ID, new ClaimsPrincipal(claimsIdentity)); } } } return(result); } catch (Exception ex) { throw ex; } finally { result = null; passpol = null; accessTokenValue = null; claimsIdentity = null; } }
public void Configuration(IAppBuilder app) { JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary <string, string>(); AntiForgeryConfig.UniqueClaimTypeIdentifier = IdentityModel.JwtClaimTypes.Name; AntiForgeryConfig.SuppressXFrameOptionsHeader = true; app.Use <RequireSslMiddleware>(); app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationType = Constants.AuthenticationTypeCookies, ExpireTimeSpan = new TimeSpan(0, 30, 0), SlidingExpiration = true }); app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions { ClientId = Constants.ClientCredentials.ClientId, Authority = Constants.Endpoints.IdentityServerEndpoint, SignInAsAuthenticationType = Constants.AuthenticationTypeCookies, ResponseType = string.Join(" ", Constants.OpenIdConnectSettings.ResponseTypes), Scope = string.Join(" ", Constants.OpenIdConnectSettings.ScopesRequesting), UseTokenLifetime = false, //PostLogoutRedirectUri = "" Notifications = new OpenIdConnectAuthenticationNotifications { RedirectToIdentityProvider = async context => { var appBaseUrl = $"{context.Request.Scheme}://{context.Request.Host}{context.Request.PathBase}"; if (context.ProtocolMessage.RequestType == OpenIdConnectRequestType.AuthenticationRequest) { context.ProtocolMessage.RedirectUri = $"{appBaseUrl}/"; } if (context.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest) { var idTokenHint = context.OwinContext.Authentication.User.FindFirst("id_token"); if (idTokenHint != null) { context.ProtocolMessage.PostLogoutRedirectUri = appBaseUrl; context.ProtocolMessage.IdTokenHint = idTokenHint.Value; } } await Task.FromResult(context); }, SecurityTokenValidated = async context => { var subClaim = context.AuthenticationTicket.Identity.FindFirst(IdentityModel.JwtClaimTypes.Subject); var sidClaim = context.AuthenticationTicket.Identity.FindFirst(IdentityModel.JwtClaimTypes.SessionId); var nameClaim = new Claim(IdentityModel.JwtClaimTypes.Name, $"{Constants.Endpoints.IdentityServerEndpoint}{subClaim.Value}"); var givenNameClaim = context.AuthenticationTicket.Identity.FindFirst(IdentityModel.JwtClaimTypes.GivenName); var familyNameClaim = context.AuthenticationTicket.Identity.FindFirst(IdentityModel.JwtClaimTypes.FamilyName); var preferredUserNameClaim = context.AuthenticationTicket.Identity.FindFirst(IdentityModel.JwtClaimTypes.PreferredUserName); var imisbaseAddressClaim = context.AuthenticationTicket.Identity.FindFirst("imisbaseaddress"); var imisapiClaim = context.AuthenticationTicket.Identity.FindFirst("imisapi"); var newClaimsIdentity = new ClaimsIdentity(context.AuthenticationTicket.Identity.AuthenticationType, IdentityModel.JwtClaimTypes.Name, IdentityModel.JwtClaimTypes.Role); if (subClaim != null) { newClaimsIdentity.AddClaim(subClaim); } if (sidClaim != null) { newClaimsIdentity.AddClaim(sidClaim); } if (nameClaim != null) { newClaimsIdentity.AddClaim(nameClaim); } if (givenNameClaim != null) { newClaimsIdentity.AddClaim(givenNameClaim); } if (familyNameClaim != null) { newClaimsIdentity.AddClaim(familyNameClaim); } if (preferredUserNameClaim != null) { newClaimsIdentity.AddClaim(preferredUserNameClaim); } if (imisbaseAddressClaim != null) { newClaimsIdentity.AddClaim(imisbaseAddressClaim); } if (imisapiClaim != null) { newClaimsIdentity.AddClaim(imisapiClaim); } var appBaseUrl = $"{context.Request.Scheme}://{context.Request.Host}{context.Request.PathBase}"; var client = new TokenClient(Constants.Endpoints.TokenEndpoint, Constants.ClientCredentials.ClientId, Constants.ClientCredentials.ClientSecret); var response = await client.RequestAuthorizationCodeAsync(context.ProtocolMessage.Code, appBaseUrl + "/"); var expirationDateAsRoundtripString = DateTime.SpecifyKind(DateTime.UtcNow.AddSeconds(response.ExpiresIn), DateTimeKind.Utc).ToString("o"); newClaimsIdentity.AddClaim(new Claim("refresh_token", response.RefreshToken)); newClaimsIdentity.AddClaim(new Claim("access_token", context.ProtocolMessage.AccessToken)); newClaimsIdentity.AddClaim(new Claim("expires_at", expirationDateAsRoundtripString)); newClaimsIdentity.AddClaim(new Claim("id_token", response.IdentityToken)); context.AuthenticationTicket = new AuthenticationTicket(newClaimsIdentity, context.AuthenticationTicket.Properties); await Task.FromResult(context); } } }); }
//ati login public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context) { try { UnitOfWork unitOfWork = new UnitOfWork(); var userManager = context.OwinContext.GetUserManager <ApplicationUserManager>(); ApplicationUser user = await userManager.FindAsync(context.UserName, context.Password); if (user == null) { context.SetError("invalid_grant", "The user name or password is incorrect."); return; } var roles = userManager.GetRoles(user.Id).First(); var scope = context.Scope.ToList(); var customerId = Convert.ToInt32(context.Scope[0]); ClaimsIdentity oAuthIdentity = await user.GenerateUserIdentityAsync(userManager, OAuthDefaults.AuthenticationType); ClaimsIdentity cookiesIdentity = await user.GenerateUserIdentityAsync(userManager, CookieAuthenticationDefaults.AuthenticationType); oAuthIdentity.AddClaim(new Claim(ClaimTypes.Name, context.UserName)); if (roles == "Company") { oAuthIdentity.AddClaim(new Claim(ClaimTypes.Role, "Company")); } else if (roles == "User") { oAuthIdentity.AddClaim(new Claim(ClaimTypes.Role, "User")); } else { oAuthIdentity.AddClaim(new Claim(ClaimTypes.Role, "xuser")); } oAuthIdentity.AddClaim(new Claim("sub", context.UserName)); oAuthIdentity.AddClaim(new Claim(ClaimTypes.Name, "Vahid")); AuthenticationProperties properties = CreateProperties(user.UserName, (context.ClientId == null) ? string.Empty : context.ClientId); properties.Dictionary.Add("AuthId", user.Id); var company = await unitOfWork.CompanyRepository.GetViewCompanyByMobile(context.UserName); if (roles == "Company") { if (company != null) { properties.Dictionary.Add("Name", company.Name); properties.Dictionary.Add("UserId", company.Id.ToString()); properties.Dictionary.Add("Image", string.IsNullOrEmpty(company.ImageUrl) ? "" : company.ImageUrl.ToString()); properties.Dictionary.Add("Role", "Company"); // properties.Dictionary.Add("EmployeeId", employee.Id.ToString()); } } else { //ViewPerson person = await unitOfWork.PersonRepository.GetViewPersonByUserId(user.Id); if (company != null) { properties.Dictionary.Add("Name", company.FullName); properties.Dictionary.Add("UserId", company.Id.ToString()); properties.Dictionary.Add("Image", string.IsNullOrEmpty(company.ImageUrl) ? "" : company.ImageUrl.ToString()); properties.Dictionary.Add("Role", "User"); // properties.Dictionary.Add("EmployeeId", employee.Id.ToString()); } } AuthenticationTicket ticket = new AuthenticationTicket(oAuthIdentity, properties); context.Validated(ticket); context.Request.Context.Authentication.SignIn(cookiesIdentity); } catch (Exception ex) { int i = 0; } }
/// <summary> /// Represents an event called for each validated token request /// to allow the user code to decide how the request should be handled. /// </summary> /// <param name="context">The context instance associated with this event.</param> public override Task HandleTokenRequest(HandleTokenRequestContext context) { // Only handle grant_type=password requests and let ASOS // process grant_type=refresh_token requests automatically. if (context.Request.IsPasswordGrantType()) { UserLogin user = null; ClaimsIdentity identity = null; IEnumerable <string> allowedClientScopes = null; var loginValid = false; // Do all the data access here so we can dispose of the rock context asap. using (var rockContext = new RockContext()) { var userLoginService = new UserLoginService(rockContext); user = userLoginService.GetByUserName(context.Request.Username); // Populate the entity type for use later. _ = user.EntityType; allowedClientScopes = RockIdentityHelper.NarrowRequestedScopesToApprovedScopes(rockContext, context.Request.ClientId, context.Request.GetScopes()).ToList(); var allowedClientClaims = RockIdentityHelper.GetAllowedClientClaims(rockContext, context.Request.ClientId, allowedClientScopes); identity = RockIdentityHelper.GetRockClaimsIdentity(user, allowedClientClaims, context.Request.ClientId); var component = AuthenticationContainer.GetComponent(user.EntityType.Name); if (component != null && component.IsActive && !component.RequiresRemoteAuthentication) { loginValid = component.AuthenticateAndTrack(user, context.Request.Password); rockContext.SaveChanges(); } } if (identity == null || allowedClientScopes == null) { context.Reject( error: OpenIdConnectConstants.Errors.InvalidClient, description: "Invalid client configuration."); return(Task.FromResult(0)); } if (user == null || !loginValid) { context.Reject( error: OpenIdConnectConstants.Errors.InvalidGrant, description: "Invalid credentials."); return(Task.FromResult(0)); } // Ensure the user is allowed to sign in. if (!user.IsConfirmed.HasValue || !user.IsConfirmed.Value || (user.IsPasswordChangeRequired != null && user.IsPasswordChangeRequired.Value)) { context.Reject( error: OpenIdConnectConstants.Errors.InvalidGrant, description: "The specified user is not allowed to sign in."); return(Task.FromResult(0)); } // Create a new authentication ticket holding the user identity. var ticket = new AuthenticationTicket(identity, new AuthenticationProperties()); // Set the list of scopes granted to the client application. ticket.SetScopes(allowedClientScopes); // Set the resource servers the access token should be issued for. ticket.SetResources("resource_server"); context.Validate(ticket); } if (context.Request.IsClientCredentialsGrantType()) { // We don't need to validate the client id here because it was already validated in the ValidateTokenRequest method. var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationType); identity.AddClaim(OpenIdConnectConstants.Claims.Subject, context.Request.ClientId, OpenIdConnectConstants.Destinations.AccessToken); // Create a new authentication ticket holding the user identity. var ticket = new AuthenticationTicket( identity, new AuthenticationProperties()); context.Validate(ticket); } return(Task.FromResult(0)); }
protected override async Task <AuthenticationTicket> CreateTicketAsync(ClaimsIdentity identity, AuthenticationProperties properties, OAuthTokenResponse tokens) { var endpoint = QueryHelpers.AddQueryString(Options.UserInformationEndpoint, "access_token", tokens.AccessToken); if (Options.SendAppSecretProof) { endpoint = QueryHelpers.AddQueryString(endpoint, "appsecret_proof", GenerateAppSecretProof(tokens.AccessToken)); } if (Options.Fields.Count > 0) { endpoint = QueryHelpers.AddQueryString(endpoint, "fields", string.Join(",", Options.Fields)); } var response = await Backchannel.GetAsync(endpoint, Context.RequestAborted); response.EnsureSuccessStatusCode(); var payload = JObject.Parse(await response.Content.ReadAsStringAsync()); var ticket = new AuthenticationTicket(new ClaimsPrincipal(identity), properties, Options.AuthenticationScheme); var context = new OAuthCreatingTicketContext(ticket, Context, Options, Backchannel, tokens, payload); var identifier = FacebookHelper.GetId(payload); if (!string.IsNullOrEmpty(identifier)) { identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, identifier, ClaimValueTypes.String, Options.ClaimsIssuer)); } var ageRangeMin = FacebookHelper.GetAgeRangeMin(payload); if (!string.IsNullOrEmpty(ageRangeMin)) { identity.AddClaim(new Claim("urn:facebook:age_range_min", ageRangeMin, ClaimValueTypes.String, Options.ClaimsIssuer)); } var ageRangeMax = FacebookHelper.GetAgeRangeMax(payload); if (!string.IsNullOrEmpty(ageRangeMax)) { identity.AddClaim(new Claim("urn:facebook:age_range_max", ageRangeMax, ClaimValueTypes.String, Options.ClaimsIssuer)); } var birthday = FacebookHelper.GetBirthday(payload); if (!string.IsNullOrEmpty(birthday)) { identity.AddClaim(new Claim(ClaimTypes.DateOfBirth, birthday, ClaimValueTypes.String, Options.ClaimsIssuer)); } var email = FacebookHelper.GetEmail(payload); if (!string.IsNullOrEmpty(email)) { identity.AddClaim(new Claim(ClaimTypes.Email, email, ClaimValueTypes.String, Options.ClaimsIssuer)); } var firstName = FacebookHelper.GetFirstName(payload); if (!string.IsNullOrEmpty(firstName)) { identity.AddClaim(new Claim(ClaimTypes.GivenName, firstName, ClaimValueTypes.String, Options.ClaimsIssuer)); } var gender = FacebookHelper.GetGender(payload); if (!string.IsNullOrEmpty(gender)) { identity.AddClaim(new Claim(ClaimTypes.Gender, gender, ClaimValueTypes.String, Options.ClaimsIssuer)); } var lastName = FacebookHelper.GetLastName(payload); if (!string.IsNullOrEmpty(lastName)) { identity.AddClaim(new Claim(ClaimTypes.Surname, lastName, ClaimValueTypes.String, Options.ClaimsIssuer)); } var link = FacebookHelper.GetLink(payload); if (!string.IsNullOrEmpty(link)) { identity.AddClaim(new Claim("urn:facebook:link", link, ClaimValueTypes.String, Options.ClaimsIssuer)); } var location = FacebookHelper.GetLocation(payload); if (!string.IsNullOrEmpty(location)) { identity.AddClaim(new Claim("urn:facebook:location", location, ClaimValueTypes.String, Options.ClaimsIssuer)); } var locale = FacebookHelper.GetLocale(payload); if (!string.IsNullOrEmpty(locale)) { identity.AddClaim(new Claim(ClaimTypes.Locality, locale, ClaimValueTypes.String, Options.ClaimsIssuer)); } var middleName = FacebookHelper.GetMiddleName(payload); if (!string.IsNullOrEmpty(middleName)) { identity.AddClaim(new Claim("urn:facebook:middle_name", middleName, ClaimValueTypes.String, Options.ClaimsIssuer)); } var name = FacebookHelper.GetName(payload); if (!string.IsNullOrEmpty(name)) { identity.AddClaim(new Claim(ClaimTypes.Name, name, ClaimValueTypes.String, Options.ClaimsIssuer)); } var timeZone = FacebookHelper.GetTimeZone(payload); if (!string.IsNullOrEmpty(timeZone)) { identity.AddClaim(new Claim("urn:facebook:timezone", timeZone, ClaimValueTypes.String, Options.ClaimsIssuer)); } await Options.Events.CreatingTicket(context); return(context.Ticket); }
public async Task HandleIntrospectionRequest_RequestIsRejectedWhenRefreshTokenIsInvalid() { // Arrange var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme); identity.AddClaim(OpenIdConnectConstants.Claims.Subject, "Bob le Bricoleur"); var ticket = new AuthenticationTicket( new ClaimsPrincipal(identity), new AuthenticationProperties(), OpenIdConnectServerDefaults.AuthenticationScheme); ticket.SetTokenId("3E228451-1555-46F7-A471-951EFBA23A56"); ticket.SetTokenUsage(OpenIdConnectConstants.TokenUsages.RefreshToken); var format = new Mock <ISecureDataFormat <AuthenticationTicket> >(); format.Setup(mock => mock.Unprotect("2YotnFZFEjr1zCsicMWpAA")) .Returns(ticket); var token = new OpenIddictToken(); var manager = CreateTokenManager(instance => { instance.Setup(mock => mock.FindByIdAsync("3E228451-1555-46F7-A471-951EFBA23A56", It.IsAny <CancellationToken>())) .ReturnsAsync(token); instance.Setup(mock => mock.IsValidAsync(token, It.IsAny <CancellationToken>())) .ReturnsAsync(false); }); var server = CreateAuthorizationServer(builder => { builder.Services.AddSingleton(CreateApplicationManager(instance => { var application = new OpenIddictApplication(); instance.Setup(mock => mock.FindByClientIdAsync("Fabrikam", It.IsAny <CancellationToken>())) .ReturnsAsync(application); instance.Setup(mock => mock.GetClientTypeAsync(application, It.IsAny <CancellationToken>())) .ReturnsAsync(OpenIddictConstants.ClientTypes.Confidential); instance.Setup(mock => mock.ValidateClientSecretAsync(application, "7Fjfp0ZBr1KtDRbnfVdmIw", It.IsAny <CancellationToken>())) .ReturnsAsync(true); })); builder.Services.AddSingleton(manager); builder.Configure(options => options.RefreshTokenFormat = format.Object); }); var client = new OpenIdConnectClient(server.CreateClient()); // Act var response = await client.PostAsync(IntrospectionEndpoint, new OpenIdConnectRequest { ClientId = "Fabrikam", ClientSecret = "7Fjfp0ZBr1KtDRbnfVdmIw", Token = "2YotnFZFEjr1zCsicMWpAA" }); // Assert Assert.Single(response.GetParameters()); Assert.False((bool)response[OpenIdConnectConstants.Claims.Active]); Mock.Get(manager).Verify(mock => mock.FindByIdAsync("3E228451-1555-46F7-A471-951EFBA23A56", It.IsAny <CancellationToken>()), Times.Once()); Mock.Get(manager).Verify(mock => mock.IsValidAsync(token, It.IsAny <CancellationToken>()), Times.Once()); }
public static void SetUserId(this ClaimsIdentity identity, Guid id) { identity?.AddClaim(new Claim(UserIdClaimType, id.ToString(), typeof(Guid).ToString())); }
private bool IsLogin(ClaimsIdentity identity) { var strCookieKey = _navigationService.GetLoginKey(); // 如果Cookie存在,获取cookie值。 //如果Session存在且与cookie信息一致,则返回true,否则并将用户信息保存到Session中,返回true。 if (_context.Request.Cookies[_cookieName] != null && !string.IsNullOrEmpty(_context.Request.Cookies[_cookieName])) { try { string cookieValue = DESEncryptor.Decrypt(_context.Request.Cookies[_cookieName], strCookieKey); if (string.IsNullOrEmpty(cookieValue)) { Logger.LogError("IsLogin无法获取cookie"); return(false); } string[] strCookieArr = cookieValue.Split('|'); if (strCookieArr.Length == 0) { Logger.LogError("IsLogin--》cookie格式不对:" + cookieValue); return(false); } string useridstr = DESEncryptor.Decrypt(strCookieArr[0], strCookieKey); int userid; if (int.TryParse(useridstr, out userid)) { string token = _navigationService.GetUserLoginToken(userid); if (string.Equals(token, DESEncryptor.Decrypt(strCookieArr[7], strCookieKey))) { userid = Convert.ToInt32(DESEncryptor.Decrypt(strCookieArr[0], strCookieKey)); var username = DESEncryptor.Decrypt(WebUtility.UrlDecode(strCookieArr[1]), strCookieKey); var truename = DESEncryptor.Decrypt(WebUtility.UrlDecode(strCookieArr[2]), strCookieKey); var sysID = ""; var gid = DESEncryptor.Decrypt(strCookieArr[4], strCookieKey); var departID = DESEncryptor.Decrypt(strCookieArr[5], strCookieKey); var pid = DESEncryptor.Decrypt(strCookieArr[6], strCookieKey); var token1 = DESEncryptor.Decrypt(strCookieArr[7], strCookieKey); var adname = DESEncryptor.Decrypt(strCookieArr[8], strCookieKey); var usercode = DESEncryptor.Decrypt(strCookieArr[9], strCookieKey); identity.AddClaim(new Claim("userId", userid.ToString())); identity.AddClaim(new Claim(ClaimTypes.Name, truename)); identity.AddClaim(new Claim("truename", truename)); identity.AddClaim(new Claim("sysID", sysID)); identity.AddClaim(new Claim("gid", gid)); identity.AddClaim(new Claim("departID", departID)); identity.AddClaim(new Claim("pid", pid)); identity.AddClaim(new Claim("token", token1)); identity.AddClaim(new Claim("adname", adname)); identity.AddClaim(new Claim("usercode", usercode)); return(true); } return(false); } return(false); } catch (Exception e) { Logger.LogError("IsLogin异常", e); throw; } } return(false); }
public ActionResult CheckListCompleted() { try { AuthenticatedUser _authUser; AccountCheckListInfo _accountCheckList; var _employeeRegInfo = new EmployeeRegistrationInfo(); using (AuthRepository Repo = new AuthRepository()) { _authUser = Repo.GetAuthenticatedUserById(CurrentUser.EmployeeInfoId); } if (_authUser.IsCheckListCompleted == true) { return(RedirectToAction("Logout", "Auth", new { area = "" })); } using (AccountCheckListRepository Repo = new AccountCheckListRepository()) { _accountCheckList = Repo.GetAccountCheckListByUserId(CurrentUser.AccountId); } if (_accountCheckList.IsPictureUploaded == false) { return(RedirectToAction("UploadPicture", "File")); } using (EmployeeRepository Repo = new EmployeeRepository()) { _employeeRegInfo = Repo.GetRegisterEmployeeInfoById(CurrentUser.EmployeeInfoId); _employeeRegInfo.DateOfJoin = DateTime.Now; Repo.RegisterEmployee(_employeeRegInfo); } using (AccountRepository Repo = new AccountRepository()) { Repo.CheckListCompleted(CurrentUser.AccountId); } using (AuthRepository Repo = new AuthRepository()) { _authUser = Repo.GetAuthenticatedUserById(CurrentUser.EmployeeInfoId); } var _authManager = HttpContext.GetOwinContext().Authentication; var _identity = new ClaimsIdentity(User.Identity); _identity.RemoveClaim(_identity.FindFirst(ClaimTypes.Role)); _identity.AddClaim(new Claim(ClaimTypes.Role, _authUser.Role)); _identity.RemoveClaim(_identity.FindFirst(ClaimTypes.Name)); _identity.AddClaim(new Claim(ClaimTypes.Name, _authUser.FirstName + " " + _authUser.LastName)); //_identity.RemoveClaim(_identity.FindFirst("AccountNo")); //_identity.AddClaim(new Claim("AccountNo", "12345")); _authManager.AuthenticationResponseGrant = new AuthenticationResponseGrant( new ClaimsPrincipal(_identity), new AuthenticationProperties { ExpiresUtc = DateTime.UtcNow.AddMinutes(30), AllowRefresh = true, IsPersistent = false } ); return(RedirectToAction("Dashboard", "Home", new { Area = "Employee" })); } catch (Exception ex) { TempData["Msg"] = AlertMessageProvider.FailureMessage(ex.ToString()); return(View()); } }
private static void AddCourseRole(this ClaimsIdentity identity, string courseId, CourseRoleType roleType) { identity.AddClaim(new Claim(courseRoleClaimType, courseId + " " + roleType)); }