public async Task <IActionResult> Post(CancellationToken token) { var clientCertificate = await Request.HttpContext.Connection.GetClientCertificateAsync(); var claimName = User.Claims.FirstOrDefault(c => c.Type == ClaimTypes.NameIdentifier); var userSubject = claimName == null ? string.Empty : claimName.Value; var jObjHeader = Request.Headers.ToJObject(); var jObjBody = Request.Form.ToJObject(); var context = new HandlerContext(new HandlerContextRequest(Request.GetAbsoluteUriWithVirtualPath(), userSubject, jObjBody, jObjHeader, null, clientCertificate)); return(await _tokenRequestHandler.Handle(context, token)); }
public async Task <IActionResult> Post(CancellationToken token) { var clientCertificate = await Request.HttpContext.Connection.GetClientCertificateAsync(); var claimName = User.Claims.FirstOrDefault(c => c.Type == ClaimTypes.NameIdentifier); var userSubject = claimName == null ? string.Empty : claimName.Value; var jObjHeader = Request.Headers.ToJObject(); var jObjBody = Request.Form.ToJObject(); var context = new HandlerContext(new HandlerContextRequest(Request.GetAbsoluteUriWithVirtualPath(), userSubject, jObjBody, jObjHeader, Request.Cookies, clientCertificate)); var result = await _tokenRequestHandler.Handle(context, token); // rfc6749 : the authorization server must include the HTTP "Cache-Control" response header field with a value of "no-store" // in any response containing tokens, credentials, or sensitive information. Response.SetNoCache(); return(result); }
public async Task <IActionResult> Post() { var claimName = User.Claims.FirstOrDefault(c => c.Type == ClaimTypes.NameIdentifier); var claimAuthTime = User.Claims.FirstOrDefault(c => c.Type == ClaimTypes.AuthenticationInstant); var userSubject = claimName == null ? string.Empty : claimName.Value; DateTime?authTime = null; DateTime auth; if (claimAuthTime != null && !string.IsNullOrWhiteSpace(claimAuthTime.Value) && DateTime.TryParse(claimAuthTime.Value, out auth)) { authTime = auth; } var jObjHeader = Request.Headers.ToJObject(); var jObjBody = Request.Form.ToJObject(); var context = new HandlerContext(new HandlerContextRequest(Request.GetAbsoluteUriWithVirtualPath(), userSubject, authTime, jObjBody, jObjHeader)); return(await _tokenRequestHandler.Handle(context)); }
public IHttpActionResult Post([FromBody] TokenRequest tokenRequest) { IHttpActionResult actionResult; var httpRequest = ActionContext.Request; // Only handle the "client_credentials" grant type if (!RequestIsRequiredGrantType(tokenRequest)) { return(new AuthenticationError(httpRequest, new TokenError(TokenErrorType.UnsupportedGrantType))); } // If there is Authorization in the header if (httpRequest.Headers.Authorization != null) { // Only Basic authorization is supported if (!httpRequest.Headers.Authorization.Scheme.EqualsIgnoreCase("Basic")) { return(new AuthenticationUnauthorized(httpRequest)); } // If there is an Authorization header, the authorization parameter is required. if (!HasCredentialsInHeader(httpRequest)) { return(new AuthenticationError(httpRequest, new TokenError(TokenErrorType.InvalidRequest))); } // Go and try to retrieve the ID and Secret from the header var headerTokenRequest = GetIdSecretFromHeader(httpRequest, tokenRequest); // If we failed to get the credentials from the header, the request was invalid. if (headerTokenRequest == null) { return(new AuthenticationError(httpRequest, new TokenError(TokenErrorType.InvalidRequest))); } // If body contains a value for Client_id, verify it matches Client_id retrieved from authorization header if (!string.IsNullOrEmpty(tokenRequest.Client_id) && tokenRequest.Client_id != headerTokenRequest.Client_id) { return(new AuthenticationError(httpRequest, new TokenError(TokenErrorType.InvalidRequest))); } // If body contains a value for Client_secret, verify it matches Client_secret retrieved from authorization header if (!string.IsNullOrEmpty(tokenRequest.Client_secret) && tokenRequest.Client_secret != headerTokenRequest.Client_secret) { return(new AuthenticationError(httpRequest, new TokenError(TokenErrorType.InvalidRequest))); } // If a valid token request retrieved from header, override body token request values. tokenRequest.Client_id = headerTokenRequest.Client_id; tokenRequest.Client_secret = headerTokenRequest.Client_secret; } // Verify client_id and client_secret are present if (!IsIdAndSecretPresent(tokenRequest)) { return(new AuthenticationError(httpRequest, new TokenError(TokenErrorType.InvalidClient))); } // Handle token request _requestHandler.Handle(ActionContext.Request, tokenRequest, out actionResult); return(actionResult); }