protected void gOAuthClients_RowSelected(object sender, Rock.Web.UI.Controls.RowEventArgs e) { ClientService clientService = new ClientService(OAuthContext); Client client = clientService.Get(e.RowKeyId); hfClientId.Value = client.Id.ToString(); tbClientName.Text = client.ClientName; tbApiKey.Text = client.ApiKey.ToString(); tbApiSecret.Text = client.ApiSecret.ToString(); tbCallbackUrl.Text = client.CallbackUrl; cbActive.Checked = client.Active; ClientScopeService clientScopeService = new ClientScopeService(OAuthContext); ScopeService scopeService = new ScopeService(OAuthContext); cblClientScopes.DataSource = scopeService.Queryable().Select(s => new { Id = s.Id, Value = s.Identifier + " - " + s.Description }).ToList(); cblClientScopes.DataBind(); clientScopeService.Queryable().Where(cs => cs.ClientId == client.Id).ToList().ForEach(cs => cblClientScopes.Items.FindByValue(cs.ScopeId.ToString()).Selected = cs.Active ); gOAuthClientEdit.Show(); }
/// <summary> /// Raises the <see cref="E:System.Web.UI.Control.Init" /> event. /// </summary> /// <param name="e">An <see cref="T:System.EventArgs" /> object that contains the event data.</param> protected override void OnInit(EventArgs e) { base.OnInit(e); if (OAuthSettings["OAuthRequireSsl"].AsBoolean() && Request.Url.Scheme.ToLower() != "https") { throw new Exception("OAuth requires SSL."); } CheckAcceptableDomain(); // Log the user out if (!String.IsNullOrEmpty(PageParameter("OAuthLogout"))) { var authentication = HttpContext.Current.GetOwinContext().Authentication; authentication.SignOut(DefaultAuthenticationTypes.ApplicationCookie); authentication.Challenge(DefaultAuthenticationTypes.ApplicationCookie); Response.Redirect(OAuthSettings["OAuthLoginPath"] + "?logout=true&ReturnUrl=" + Server.UrlEncode(Request.RawUrl.Replace("&OAuthLogout=true", ""))); } if (IsPostBack) { if (!string.IsNullOrEmpty(Request.Form.Get("__EVENTTARGET")) && Request.Form.Get("__EVENTTARGET") == btnGrant.UniqueID) { if (CurrentUser != null) { OAuthContext context = new OAuthContext(); ClientService clientService = new ClientService(context); Client OAuthClient = clientService.GetByApiKey(PageParameter(PageParameterKeys.ClientId).AsGuid()); if (OAuthClient != null && OAuthClient.Active == true) { ClientScopeService clientScopeService = new ClientScopeService(context); AuthorizationService authorizationService = new AuthorizationService(context); foreach (var clientScope in clientScopeService.Queryable().Where(cs => cs.ClientId == OAuthClient.Id && cs.Active == true).Select(cs => cs.Scope)) { var authorization = authorizationService.Queryable().Where(a => a.Client.Id == OAuthClient.Id && a.UserLoginId == CurrentUser.Id && a.ScopeId == clientScope.Id).FirstOrDefault(); if (authorization == null) { authorization = new org.secc.OAuth.Model.Authorization(); authorizationService.Add(authorization); } authorization.Active = true; authorization.ClientId = OAuthClient.Id; authorization.UserLoginId = CurrentUser.Id; authorization.ScopeId = clientScope.Id; } context.SaveChanges(); Response.Redirect(Request.RawUrl); } } } } }
public void Configuration(IAppBuilder app) { Log.Logger = new LoggerConfiguration() .MinimumLevel.Debug() .WriteTo.File(@"c:\logs\CAIdentityServer.txt") .CreateLogger(); ClientScopeService clientscopeservice = new ClientScopeService(); app.Map("/core", coreApp => { var factory = new IdentityServerServiceFactory() //.UseInMemoryClients(Clients.Get()) .UseInMemoryClients(clientscopeservice.GetCLients()) //.UseInMemoryScopes(Scopes.Get()); .UseInMemoryScopes(clientscopeservice.GetScopes()); factory.UserService = new Registration <IUserService, MidasUserService>(); factory.ConfigureClientStoreCache(); factory.ConfigureScopeStoreCache(); factory.ConfigureUserServiceCache(); var options = new IdentityServerOptions { SiteName = "IdentityServer3 - Custom Login Page", SigningCertificate = Certificate.Get(), Factory = factory, AuthenticationOptions = new AuthenticationOptions { EnableSignOutPrompt = false, RequireSignOutPrompt = false, EnablePostSignOutAutoRedirect = true }, EventsOptions = new EventsOptions { RaiseSuccessEvents = true, RaiseErrorEvents = true, RaiseFailureEvents = true, RaiseInformationEvents = true } }; coreApp.UseIdentityServer(options); }); }
public TokenResponse GetToken(string clientid, string clientsecret, string username, string password) { string tokenEndPointUrl = Convert.ToString(System.Web.Configuration.WebConfigurationManager.AppSettings.Get("TokenEndpointUrl")); TokenClient _tokenClient = new TokenClient( tokenEndPointUrl, clientid, clientsecret); ClientScopeService service = new ClientScopeService(); string scope = service.GetClientScopes(clientid); var response = _tokenClient.RequestResourceOwnerPasswordAsync(username, password, scope).Result; return(response); }
private System.Threading.Tasks.Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context) { if (!string.IsNullOrEmpty(context.UserName) && !string.IsNullOrEmpty(context.Password)) { var userLoginService = new UserLoginService(new RockContext()); var userLogin = userLoginService.GetByUserName(context.UserName); if (userLogin != null && userLogin.EntityType != null) { var component = AuthenticationContainer.GetComponent(userLogin.EntityType.Name); if (component != null && component.IsActive && !component.RequiresRemoteAuthentication) { if (component.Authenticate(userLogin, context.Password)) { if ((userLogin.IsConfirmed ?? true) && !(userLogin.IsLockedOut ?? false)) { OAuthContext oAuthContext = new OAuthContext(); ClientScopeService clientScopeService = new ClientScopeService(oAuthContext); AuthorizationService authorizationService = new AuthorizationService(oAuthContext); ClientService clientService = new ClientService(oAuthContext); var scopes = (context.Scope.FirstOrDefault() ?? "").Split(','); bool scopesApproved = false; Client OAuthClient = clientService.GetByApiKey(context.ClientId.AsGuid()); string[] authorizedScopes = authorizationService.Queryable().Where(a => a.Client.Id == OAuthClient.Id && a.UserLogin.UserName == context.UserName && a.Active == true).Select(a => a.Scope.Identifier).ToArray <string>(); if (!clientScopeService.Queryable().Where(cs => cs.ClientId == OAuthClient.Id && cs.Active == true).Any() || (authorizedScopes != null && scopes.Where(s => !authorizedScopes.Select(a => a.ToLower()).Contains(s.ToLower())).Count() == 0)) { scopesApproved = true; } if (scopesApproved) { var identity = new ClaimsIdentity(new GenericIdentity(context.UserName, OAuthDefaults.AuthenticationType)); //only allow claims that have been requested and the client has been authorized for foreach (var scope in scopes.Where(s => clientScopeService.Queryable().Where(cs => cs.ClientId == OAuthClient.Id && cs.Active == true).Select(cs => cs.Scope.Identifier.ToLower()).Contains(s.ToLower()))) { identity.AddClaim(new Claim("urn:oauth:scope", scope)); } UserLoginService.UpdateLastLogin(context.UserName); context.Validated(identity); return(System.Threading.Tasks.Task.FromResult(0)); } else { context.SetError("Authentication Error", "All scopes are not authorized for this user."); } } if (!userLogin.IsConfirmed ?? true) { context.SetError("Authentication Error", "Account email is unconfirmed."); } if (userLogin.IsLockedOut ?? false) { context.SetError("Authentication Error", "Account is locked."); } } else { context.SetError("Authentication Error", "Invalid Username/Password."); } } else { context.SetError("Authentication Error", "Invalid Authentication Configuration."); } } else { context.SetError("Authentication Error", "Invalid Username/Password."); } } else { context.SetError("Authentication Error", "Invalid Username/Password."); } context.Rejected(); return(System.Threading.Tasks.Task.FromResult(0)); }
protected void gOAuthClientEdit_SaveClick(object sender, EventArgs e) { divErrors.Visible = false; if (String.IsNullOrEmpty(tbClientName.Text)) { divErrors.InnerText = "A valid Client Name must be provided."; divErrors.Visible = true; return; } if (tbApiKey.Text.AsGuidOrNull() == null) { divErrors.InnerText = "A valid GUID must be provided for the API Key."; divErrors.Visible = true; return; } if (tbApiSecret.Text.AsGuidOrNull() == null) { divErrors.InnerText = "A valid GUID must be provided for the API Secret."; divErrors.Visible = true; return; } if (string.IsNullOrEmpty(tbCallbackUrl.Text)) { divErrors.InnerText = "A valid Callback URL must be provided."; divErrors.Visible = true; return; } ClientScopeService clientScopeService = new ClientScopeService(OAuthContext); ClientService clientService = new ClientService(OAuthContext); Client client = null; if (hfClientId.Value.AsIntegerOrNull().HasValue) { client = clientService.Get(hfClientId.Value.AsInteger()); } else { client = new Client(); clientService.Add(client); } client.ClientName = tbClientName.Text; client.ApiKey = tbApiKey.Text.AsGuid(); client.ApiSecret = tbApiSecret.Text.AsGuid(); client.CallbackUrl = tbCallbackUrl.Text; client.Active = cbActive.Checked; foreach (System.Web.UI.WebControls.ListItem item in cblClientScopes.Items) { int scopeId = item.Value.AsInteger(); ClientScope clientScope = clientScopeService.Queryable().Where(cs => cs.ClientId == client.Id && cs.ScopeId == scopeId).FirstOrDefault(); if (clientScope != null) { clientScope.Active = item.Selected; } else if (item.Selected) { clientScope = new ClientScope(); clientScope.ClientId = client.Id; clientScope.ScopeId = item.Value.AsInteger(); clientScope.Active = item.Selected; clientScopeService.Add(clientScope); } } OAuthContext.SaveChanges(); OAuthContext = new OAuthContext(); gOAuthClients_Bind(sender, e); gOAuthClientEdit.Hide(); }
/// <summary> /// Raises the <see cref="E:System.Web.UI.Control.Load" /> event. /// </summary> /// <param name="e">The <see cref="T:System.EventArgs" /> object that contains the event data.</param> protected override void OnLoad(EventArgs e) { base.OnLoad(e); var authentication = HttpContext.Current.GetOwinContext().Authentication; var ticket = authentication.AuthenticateAsync(DefaultAuthenticationTypes.ApplicationCookie).Result; var identity = ticket != null ? ticket.Identity : null; string userName = null; string[] authorizedScopes = null; var scopes = (Request.QueryString.Get("scope") ?? "").Split(' '); bool scopesApproved = false; if (identity == null) { authentication.Challenge(DefaultAuthenticationTypes.ApplicationCookie); Response.Redirect(OAuthSettings["OAuthLoginPath"] + "?ReturnUrl=" + Server.UrlEncode(Request.RawUrl), true); } else if (CurrentUser == null) { // Kill the OAuth session authentication.SignOut(DefaultAuthenticationTypes.ApplicationCookie); authentication.Challenge(DefaultAuthenticationTypes.ApplicationCookie); Response.Redirect(OAuthSettings["OAuthLoginPath"] + "?ReturnUrl=" + Server.UrlEncode(Request.RawUrl), true); } else { OAuthContext context = new OAuthContext(); ClientService clientService = new ClientService(context); Client OAuthClient = clientService.GetByApiKey(PageParameter("client_id").AsGuid()); if (OAuthClient != null) { ClientScopeService clientScopeService = new ClientScopeService(context); userName = identity.Name; AuthorizationService authorizationService = new AuthorizationService(context); authorizedScopes = authorizationService.Queryable().Where(a => a.Client.Id == OAuthClient.Id && a.UserLogin.UserName == identity.Name && a.Active == true).Select(a => a.Scope.Identifier).ToArray <string>(); if (!clientScopeService.Queryable().Where(cs => cs.ClientId == OAuthClient.Id && cs.Active == true).Any() || (authorizedScopes != null && scopes.Where(s => !authorizedScopes.Select(a => a.ToLower()).Contains(s.ToLower())).Count() == 0)) { scopesApproved = true; } if (scopesApproved) { identity = new ClaimsIdentity(identity.Claims, "Bearer", identity.NameClaimType, identity.RoleClaimType); //only allow claims that have been requested and the client has been authorized for foreach (var scope in scopes.Where(s => clientScopeService.Queryable().Where(cs => cs.ClientId == OAuthClient.Id && cs.Active == true).Select(cs => cs.Scope.Identifier.ToLower()).Contains(s.ToLower()))) { identity.AddClaim(new Claim("urn:oauth:scope", scope)); } authentication.SignIn(identity); } else { rptScopes.DataSource = clientScopeService.Queryable().Where(cs => cs.ClientId == OAuthClient.Id && cs.Active == true).Select(s => s.Scope).ToList(); rptScopes.DataBind(); } lClientName.Text = OAuthClient.ClientName; lClientName2.Text = OAuthClient.ClientName; lUsername.Text = CurrentUser.Person.FullName + " (" + userName + ")"; hlLogout.NavigateUrl = Request.RawUrl + "&OAuthLogout=true"; } else { throw new Exception("Invalid Client ID for OAuth authentication."); } } }
private System.Threading.Tasks.Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context) { if (!string.IsNullOrEmpty(context.UserName) && !string.IsNullOrEmpty(context.Password)) { var rockContext = new RockContext(); var userLoginService = new UserLoginService(rockContext); //Older Avalanche Clients use __PHONENUMBER__+1 prefix vs the newer SMS_ prefix //This makes sure we are using the new ROCK external sms authentication var userName = context.UserName.Replace("__PHONENUMBER__+1", "SMS_"); //SMS login does not use the phone number as the username. //Instead we need to change it to use the person's id. if (userName.StartsWith("SMS_")) { string error; var smsAuthentication = new SMSAuthentication(); var person = smsAuthentication.GetNumberOwner(userName.Split('_').Last(), rockContext, out error); if (person != null) { userName = string.Format("SMS_{0}", person.Id); } //If we cannot find a person, do nothing and just pass through the existing username } var userLogin = userLoginService.GetByUserName(userName); if (userLogin != null && userLogin.EntityType != null) { var component = AuthenticationContainer.GetComponent(userLogin.EntityType.Name); if (component != null && component.IsActive && (!component.RequiresRemoteAuthentication || component.TypeName == "Rock.Security.ExternalAuthentication.SMSAuthentication")) { if (component.Authenticate(userLogin, context.Password)) { if ((userLogin.IsConfirmed ?? true) && !(userLogin.IsLockedOut ?? false)) { OAuthContext oAuthContext = new OAuthContext(); ClientScopeService clientScopeService = new ClientScopeService(oAuthContext); AuthorizationService authorizationService = new AuthorizationService(oAuthContext); ClientService clientService = new ClientService(oAuthContext); var scopes = (context.Scope.FirstOrDefault() ?? "").Split(','); bool scopesApproved = false; Client OAuthClient = clientService.GetByApiKey(context.ClientId.AsGuid()); string[] authorizedScopes = authorizationService.Queryable().Where(a => a.Client.Id == OAuthClient.Id && a.UserLogin.UserName == userName && a.Active == true).Select(a => a.Scope.Identifier).ToArray <string>(); if (!clientScopeService.Queryable().Where(cs => cs.ClientId == OAuthClient.Id && cs.Active == true).Any() || (authorizedScopes != null && scopes.Where(s => !authorizedScopes.Select(a => a.ToLower()).Contains(s.ToLower())).Count() == 0)) { scopesApproved = true; } if (scopesApproved) { var identity = new ClaimsIdentity(new GenericIdentity(userName, OAuthDefaults.AuthenticationType)); //only allow claims that have been requested and the client has been authorized for foreach (var scope in scopes.Where(s => clientScopeService.Queryable().Where(cs => cs.ClientId == OAuthClient.Id && cs.Active == true).Select(cs => cs.Scope.Identifier.ToLower()).Contains(s.ToLower()))) { identity.AddClaim(new Claim("urn:oauth:scope", scope)); } UserLoginService.UpdateLastLogin(userName); context.Validated(identity); return(System.Threading.Tasks.Task.FromResult(0)); } else { context.Rejected(); context.SetError("Authentication Error", "All scopes are not authorized for this user."); } } if (!userLogin.IsConfirmed ?? true) { context.Rejected(); context.SetError("Authentication Error", "Account email is unconfirmed."); } if (userLogin.IsLockedOut ?? false) { context.Rejected(); context.SetError("Authentication Error", "Account is locked."); } } else { context.Rejected(); context.SetError("Authentication Error", "Invalid Username/Password."); } } else { context.Rejected(); context.SetError("Authentication Error", "Invalid Authentication Configuration."); } } else { context.Rejected(); context.SetError("Authentication Error", "Invalid Username/Password."); } } else { context.Rejected(); context.SetError("Authentication Error", "Invalid Username/Password."); } return(System.Threading.Tasks.Task.FromResult(0)); }