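/// <summary>
/// Verifies the request's signed bearer token before handing the request to the inner handler.
/// The token must be a signature, by the client's shared secret, over the canonical
/// representation of the request (nonce, client id, method, Content-Type, Accept,
/// Content-MD5, Date, URI). Any missing header, stale/far-future Date, unknown client,
/// malformed token or failed verification answers 401 with a <c>WWW-Authenticate: Bearer</c> challenge.
/// </summary>
/// <param name="request">The incoming request; its headers carry the client id, nonce, Date and Authorization values.</param>
/// <param name="cancellationToken">Propagated to the inner handler.</param>
/// <returns>The inner handler's response when the signature verifies; otherwise a 401 response.</returns>
protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
{
    var headers = request.Headers;
    var client = headers.Contains(Headers.XClient) ? headers.GetValues(Headers.XClient).FirstOrDefault() : null;
    var nonce = headers.Contains(Headers.XNonce) ? headers.GetValues(Headers.XNonce).FirstOrDefault() : null;
    var scheme = headers.Authorization?.Scheme;
    var token = headers.Authorization?.Parameter;
    var date = headers.Date ?? DateTimeOffset.MinValue;

    // Duration() makes the freshness window symmetric: a one-sided "UtcNow - date <= skew"
    // check accepts a request dated arbitrarily far in the future.
    // NOTE(review): the nonce is only signed here, not recorded; replay protection inside
    // the skew window is presumably handled elsewhere — confirm.
    if (client != null
        && nonce != null
        && scheme == Schemas.Bearer
        && token != null
        && (time.UtcNow - date).Duration() <= clockSkew)
    {
        // Content is null for bodiless requests (e.g. GET), so the content headers must be
        // reached through ?. instead of dereferenced unconditionally.
        var contentHeaders = request.Content?.Headers;
        var builder = new CannonicalRepresentationBuilder();
        var representation = builder.BuildRepresentation(
            nonce,
            client,
            request.Method.Method,
            contentHeaders?.ContentType?.ToString(),
            headers.Accept.Select(x => x.ToString()).ToArray(),
            contentHeaders?.ContentMD5,
            date,
            request.RequestUri);

        // A token that is not valid base64 is an authentication failure, not a server error.
        byte[] signature = null;
        try
        {
            signature = Convert.FromBase64String(token);
        }
        catch (FormatException)
        {
            signature = null;
        }

        SecureString secret = signature == null ? null : secretRepository.GetSecret(client);
        if (secret != null)
        {
            var isTokenValid = signingAlgorithm.Verify(secret, Encoding.UTF8.GetBytes(representation), signature);
            if (isTokenValid)
            {
                return await base.SendAsync(request, cancellationToken);
            }
        }
    }

    return new HttpResponseMessage(HttpStatusCode.Unauthorized)
    {
        Headers = { { Headers.WWWAuthenticate, Schemas.Bearer } }
    };
}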
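/// <summary>
/// Checks an OWIN request's bearer token against the canonical representation of the request
/// signed with the client's shared secret. This is the raw-header counterpart of the
/// message-handler path, so the Authorization and Date values are parsed here by hand.
/// </summary>
/// <param name="req">The incoming OWIN request.</param>
/// <param name="algorithm">Verifies the signature over the canonical representation.</param>
/// <param name="secretRepository">Resolves the shared secret of the client named in the request.</param>
/// <param name="time">Clock source; the request Date must lie within <paramref name="clockSkew"/> of its UtcNow.</param>
/// <param name="clockSkew">Largest tolerated difference, in either direction, between the request Date and the server clock.</param>
/// <returns>true when every required header is present, well-formed and the signature verifies; false otherwise.</returns>
internal static bool Validate(IOwinRequest req, ISigningAlgorithm algorithm, ISecretRepository secretRepository, ITime time, TimeSpan clockSkew)
{
    var h = req.Headers;
    var client = GetClient(req);
    var nonce = GetNonce(req);

    // "Bearer <token>": exactly two space-separated parts; anything else yields no scheme/token.
    var auth = h.Get(Headers.Authorization)?.Split(' ');
    var scheme = auth?.Length == 2 ? auth[0] : null;
    var token = auth?.Length == 2 ? auth[1] : null;

    // The HTTP Date header is RFC 1123 ("Tue, 15 Nov 1994 08:12:31 GMT"). Parse it
    // culture-invariantly so English day/month names are not read under the server's
    // current culture, which is what the parameterless TryParse would do.
    DateTimeOffset date;
    if (!DateTimeOffset.TryParse(
            h.Get(Headers.Date),
            System.Globalization.CultureInfo.InvariantCulture,
            System.Globalization.DateTimeStyles.None,
            out date))
    {
        date = DateTimeOffset.MinValue;
    }

    // Duration() makes the freshness window symmetric: a one-sided "UtcNow - date <= skew"
    // check accepts a request dated arbitrarily far in the future.
    if (client == null
        || nonce == null
        || scheme != Schemas.Bearer
        || token == null
        || (time.UtcNow - date).Duration() > clockSkew)
    {
        return false;
    }

    // Malformed base64 in Content-MD5 or in the token is an authentication failure,
    // not an exception to surface to the caller.
    var contentMd5Header = h.Get(Headers.ContentMD5);
    byte[] contentMd5;
    byte[] signature;
    try
    {
        contentMd5 = contentMd5Header == null ? null : Convert.FromBase64String(contentMd5Header);
        signature = Convert.FromBase64String(token);
    }
    catch (FormatException)
    {
        return false;
    }

    var builder = new CannonicalRepresentationBuilder();
    var content = builder.BuildRepresentation(
        nonce,
        client,
        req.Method,
        req.ContentType,
        // No Accept header gives no entries, matching what the message-handler path produces.
        req.Accept?.Split(',') ?? new string[0],
        contentMd5,
        date,
        req.Uri);

    SecureString secret = secretRepository.GetSecret(client);
    if (secret == null)
    {
        return false;
    }

    return algorithm.Verify(secret, Encoding.UTF8.GetBytes(content), signature);
}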