/// <summary>
/// OWIN startup for the JWT-bearer test pipeline. The access token arrives wrapped in a PoP token;
/// <see cref="DefaultPopTokenProvider.GetAccessTokenFromPopTokenAsync"/> unwraps it before the JWT
/// middleware validates issuer, audience and signature. A terminal handler then answers 200 for an
/// authenticated principal and 401 for anything else.
/// </summary>
/// <param name="app">The OWIN application builder being configured.</param>
private void JwtBearerTokenAuthenticationPipeline_OnStartup(IAppBuilder app)
{
    // Replaces the default "Authorization: Bearer ..." extraction with the inner token of the PoP token.
    var popTokenProvider = new OAuthBearerAuthenticationProvider
    {
        OnRequestToken = async ctx =>
        {
            ctx.Token = await DefaultPopTokenProvider.GetAccessTokenFromPopTokenAsync(ctx.OwinContext.Environment);
        }
    };

    var jwtOptions = new JwtBearerAuthenticationOptions
    {
        // Test-fixture values. A real API pins the audience to its own identifier and the issuer name /
        // certificate to the trusted token service; anything else lets tokens minted for another API through.
        AllowedAudiences = new[] { "audience" },
        IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
        {
            new X509CertificateSecurityTokenProvider("issuer", SigningCertificate.Cert)
        },
        Provider = popTokenProvider
    };
    app.UseJwtBearerAuthentication(jwtOptions);

    // Terminal handler: status code only, no body.
    app.Run(ctx =>
    {
        var user = ctx.Authentication.User;
        var authenticated = user != null
            && user.Identity != null
            && user.Identity.IsAuthenticated;

        ctx.Response.StatusCode = authenticated ? 200 : 401;
        return Task.FromResult(0);
    });
}
/// <summary>
/// OWIN startup for the sample API: IdentityServer bearer-token authentication (token validation via the
/// introspection endpoint) with the access token taken from a PoP token, followed by HTTP signature
/// validation of the request against the PoP key, then Web API.
/// </summary>
/// <param name="app">The OWIN application builder being configured.</param>
public void Configuration(IAppBuilder app)
{
    // Keep JWT claim type names as issued (e.g. "sub") instead of mapping them to the long ClaimTypes URIs.
    JwtSecurityTokenHandler.InboundClaimTypeMap.Clear();

    // Pulls the access token out of the PoP token so the bearer middleware has something to introspect.
    var popTokenProvider = new OAuthBearerAuthenticationProvider
    {
        OnRequestToken = async ctx =>
        {
            ctx.Token = await DefaultPopTokenProvider.GetAccessTokenFromPopTokenAsync(ctx.OwinContext.Environment);
        }
    };

    var authOptions = new IdentityServerBearerTokenAuthenticationOptions
    {
        // Must stay "PoP": the HttpSignatureValidation middleware registered below looks up the
        // authentication middleware by this name.
        AuthenticationType = "PoP",
        Authority = "https://localhost:44333/core",
        RequiredScopes = new[] { "write" },

        // Client credentials this API presents to the introspection endpoint.
        // Sample only: a literal secret in source is not acceptable outside a demo; load it from
        // configuration or a secret store and keep it out of version control.
        ClientId = "write",
        ClientSecret = "secret",

        TokenProvider = popTokenProvider
    };
    app.UseIdentityServerBearerTokenAuthentication(authOptions);

    // Validates the request signature against the PoP token secret. Registered after the token
    // middleware it depends on (it locates that middleware by the "PoP" authentication type above).
    app.UseHttpSignatureValidation();

    app.UseWebApi(WebApiConfig.Register());
}
/// <summary>
/// A PoP token carried in the Authorization header with the "PoP" scheme is returned
/// with the scheme prefix stripped.
/// </summary>
public async Task GetPopTokenAsync_should_find_token_in_authorization_header()
{
    var owin = new OwinContext();
    owin.Request.Headers.Add("Authorization", new[] { "PoP token" });

    var popToken = await DefaultPopTokenProvider.GetPopTokenAsync(owin.Environment);

    popToken.Should().Be("token");
}
/// <summary>
/// A plain GET with no Authorization header, no query string and no body yields no PoP token
/// (null, not an empty string or an exception).
/// </summary>
public async Task when_no_params_GetPopTokenAsync_should_return_null()
{
    var owin = new OwinContext();
    owin.Request.Method = "GET";
    owin.Request.Path = new PathString("/hello");

    var popToken = await DefaultPopTokenProvider.GetPopTokenAsync(owin.Environment);

    popToken.Should().BeNull();
}
/// <summary>
/// A PoP token whose payload carries no access-token claim (the "at" claim named in the test) yields
/// no access token. Only claim extraction is exercised here; the token is an unsigned (alg=none) JWT
/// with an empty payload, so this says nothing about signature verification.
/// </summary>
public void pop_token_missing_at_passed_to_GetAccessTokenFromPopToken_should_return_no_access_token()
{
    var popToken = JWT.Encode(new { }, null, JwsAlgorithm.none);

    var accessToken = DefaultPopTokenProvider.GetAccessTokenFromPopToken(popToken);

    accessToken.Should().BeNull();
}
/// <summary>
/// The "pop_access_token" query parameter is picked up regardless of its position among other parameters.
/// </summary>
public async Task GetPopTokenAsync_should_find_token_in_query_string()
{
    var owin = new OwinContext();
    owin.Request.Path = new PathString("/hello");
    // Token deliberately placed between unrelated parameters: the lookup is by name, not position.
    owin.Request.QueryString = new QueryString("x=1&pop_access_token=token&y=2");

    var popToken = await DefaultPopTokenProvider.GetPopTokenAsync(owin.Environment);

    popToken.Should().Be("token");
}
/// <summary>
/// The "pop_access_token" field of a form-encoded POST body is picked up, regardless of its
/// position among other fields.
/// </summary>
public async Task GetPopTokenAsync_should_find_token_in_POST_body()
{
    var owin = new OwinContext();
    owin.Request.Method = "POST";
    owin.Request.Path = new PathString("/hello");
    // The provider only reads form bodies; the content type is what identifies the body as a form.
    owin.Request.ContentType = "application/x-www-form-urlencoded";

    var formBytes = Encoding.UTF8.GetBytes("foo=bar&pop_access_token=token&baz=quux");
    using (var body = new MemoryStream(formBytes))
    {
        owin.Request.Body = body;

        var popToken = await DefaultPopTokenProvider.GetPopTokenAsync(owin.Environment);

        popToken.Should().Be("token");
    }
}
/// <summary>
/// When a request carries a PoP token in the Authorization header, the query string and the form body
/// at once, the header value wins.
/// </summary>
/// <remarks>
/// NOTE(review): RFC 6750 §2 forbids clients from transmitting a token by more than one method in a
/// single request. The provider under test resolves the conflict by precedence rather than rejecting
/// the request; confirm that is the intended policy, since a resource server that silently prefers
/// one location can be steered by an attacker who controls only the lower-precedence one.
/// </remarks>
public async Task when_multiple_tokens_sent_GetPopTokenAsync_should_find_authorization_header_first()
{
    var owin = new OwinContext();
    owin.Request.Method = "POST";
    owin.Request.Path = new PathString("/hello");
    owin.Request.Headers.Add("Authorization", new[] { "PoP token1" });
    owin.Request.QueryString = new QueryString("x=1&pop_access_token=token3&y=2");
    owin.Request.ContentType = "application/x-www-form-urlencoded";

    // Three distinct values so the assertion can tell which location was read.
    var formBytes = Encoding.UTF8.GetBytes("foo=bar&pop_access_token=token2&baz=quux");
    using (var body = new MemoryStream(formBytes))
    {
        owin.Request.Body = body;

        var popToken = await DefaultPopTokenProvider.GetPopTokenAsync(owin.Environment);

        popToken.Should().Be("token1");
    }
}
/// <summary>
/// Configures the Web API test pipeline against IdentityServer. Both the backchannel and the
/// introspection calls are routed through <paramref name="idSvrBackchannel"/> (presumably an
/// in-memory test host rather than the network — confirm against the fixture).
/// </summary>
/// <param name="idSvrBackchannel">Handler used for all HTTP traffic to IdentityServer.</param>
public WebApiPipeline(HttpMessageHandler idSvrBackchannel)
{
    AuthenticationOptions.BackchannelHttpHandler = idSvrBackchannel;
    AuthenticationOptions.IntrospectionHttpHandler = idSvrBackchannel;

    AuthenticationOptions.AuthenticationType = "PoP";
    AuthenticationOptions.Authority = IdentityServerPipeline.Authority;
    AuthenticationOptions.RequiredScopes = new[] { "api1" };

    // Credentials this API presents to the introspection endpoint. Test-fixture values only;
    // never carry a literal client secret like this into non-test code.
    AuthenticationOptions.ClientId = "api1";
    AuthenticationOptions.ClientSecret = "secret";

    AuthenticationOptions.TokenProvider = new OAuthBearerAuthenticationProvider
    {
        OnRequestToken = async ctx =>
        {
            // AuthenticationType is read per request, so a test that changes it after construction
            // leaves ctx.Token untouched here (presumably letting the middleware fall back to its
            // default token extraction — confirm).
            var popMode = AuthenticationOptions.AuthenticationType == "PoP";
            if (!popMode)
            {
                return;
            }

            ctx.Token = await DefaultPopTokenProvider.GetAccessTokenFromPopTokenAsync(ctx.OwinContext.Environment);
        }
    };

    OnConfiguration += WebApiPipeline_OnConfiguration;
}
/// <summary>
/// Null, empty and whitespace-only PoP tokens all yield no access token rather than throwing.
/// </summary>
public void empty_pop_token_passed_to_GetAccessTokenFromPopToken_should_return_no_access_token()
{
    var blankTokens = new[] { null, "", " " };

    foreach (var blank in blankTokens)
    {
        DefaultPopTokenProvider.GetAccessTokenFromPopToken(blank).Should().BeNull();
    }
}