Exemple #1
0
        /// <summary>
        /// Given an <see cref="ResourceOwnerTokenRequest" />, it will do the authentication on the provider and return an <see cref="AccessTokenResponse"./>
        /// </summary>
        /// <param name="request">The authentication request details containing information regarding the username, password etc.</param>
        /// <returns>An <see cref="AccessTokenResponse" /> with the response.</returns>
        /// <remarks>
        /// The grant_type parameter required by the /oauth/token endpoint will automatically be inferred from the <paramref name="request"/> parameter. If no Realm was specified,
        /// then the grant_type will be set to "password". If a Realm was specified, then the grant_type will be set to "http://auth0.com/oauth/grant-type/password-realm"
        /// </remarks>
        public Task <AccessTokenResponse> GetTokenAsync(ResourceOwnerTokenRequest request)
        {
            var parameters = new Dictionary <string, object>
            {
                { "client_id", request.ClientId },
                { "username", request.Username },
                { "password", request.Password },
                { "scope", request.Scope }
            };

            if (!string.IsNullOrEmpty(request.ClientSecret))
            {
                parameters.Add("client_secret", request.ClientSecret);
            }

            if (!string.IsNullOrEmpty(request.Audience))
            {
                parameters.Add("audience", request.Audience);
            }

            if (string.IsNullOrEmpty(request.Realm))
            {
                parameters.Add("grant_type", "password");
            }
            else
            {
                parameters.Add("grant_type", "http://auth0.com/oauth/grant-type/password-realm");
                parameters.Add("realm", request.Realm);
            }

            return(Connection.PostAsync <AccessTokenResponse>("oauth/token", null, parameters, null, null, null, null));
        }
Exemple #2
0
        /// <inheritdoc/>
        public async Task <AccessTokenResponse> GetTokenAsync(ResourceOwnerTokenRequest request)
        {
            if (request == null)
            {
                throw new ArgumentNullException(nameof(request));
            }

            var body = new Dictionary <string, string> {
                { "client_id", request.ClientId },
                { "username", request.Username },
                { "password", request.Password },
                { "scope", request.Scope }
            };

            body.AddIfNotEmpty("client_secret", request.ClientSecret);
            body.AddIfNotEmpty("audience", request.Audience);
            body.AddIfNotEmpty("realm", request.Realm);
            body.Add("grant_type", String.IsNullOrEmpty(request.Realm) ? "password" : "http://auth0.com/oauth/grant-type/password-realm");

            var headers = String.IsNullOrEmpty(request.ForwardedForIp) ? null
                : new Dictionary <string, string> {
                { "auth0-forwarded-for", request.ForwardedForIp }
            };

            var response = await connection.SendAsync <AccessTokenResponse>(
                HttpMethod.Post,
                tokenUri,
                body,
                headers
                ).ConfigureAwait(false);

            await AssertIdTokenValid(response.IdToken, request.ClientId, request.SigningAlgorithm, request.ClientSecret).ConfigureAwait(false);

            return(response);
        }
Exemple #3
0
        public async Task <TokenMintingResponse> MintResourceOwnerTokenAsync(ResourceOwnerTokenRequest resourceOwnerTokenRequest)
        {
            var extensionGrantRequest = ToArbitraryResourceOwnerRequest(resourceOwnerTokenRequest);
            var result = await _tokenEndpointHandlerExtra.ProcessRawAsync(extensionGrantRequest);

            return(ToTokenMintingResponse(result));
        }
Exemple #4
0
 Dictionary <string, string> MakeParamaters(ResourceOwnerTokenRequest resourceOwnerTokenRequest)
 {
     return(new Dictionary <string, string>()
     {
         {
             OidcConstants.TokenRequest.Scope, resourceOwnerTokenRequest.Scope
         },
         {
             "arbitrary_claims",
             JsonConvert.SerializeObject(resourceOwnerTokenRequest.ArbitraryClaims)
         },
         {
             "subject", resourceOwnerTokenRequest.Subject
         },
         { "access_token_lifetime", $"{resourceOwnerTokenRequest.AccessTokenLifetime}" }
     });
 }
Exemple #5
0
        public async Task <TokenMintingResponse> MintResourceOwnerTokenAsync(ResourceOwnerTokenRequest resourceOwnerTokenRequest)
        {
            Dictionary <string, string> paramaters = MakeParamaters(resourceOwnerTokenRequest);
            var client            = new HttpClient();
            var discoveryResponse = await _discoveryContainer.DiscoveryCache.GetAsync();

            var response = await client.RequestTokenAsync(new TokenRequest
            {
                Address      = discoveryResponse.TokenEndpoint,
                GrantType    = "arbitrary_resource_owner",
                ClientId     = _clientId,
                ClientSecret = _clientSecret,
                Parameters   = paramaters
            });


            return(ToTokenMintingResponse(response));
        }
Exemple #6
0
        /// <summary>
        /// Given an <see cref="ResourceOwnerTokenRequest" />, it will do the authentication on the provider and return an <see cref="AccessTokenResponse"/>.
        /// </summary>
        /// <param name="request">The authentication request details containing information regarding the username, password etc.</param>
        /// <returns>An <see cref="AccessTokenResponse" /> with the response.</returns>
        /// <remarks>
        /// The grant_type parameter required by the /oauth/token endpoint will automatically be inferred from the <paramref name="request"/> parameter. If no Realm was specified,
        /// then the grant_type will be set to "password". If a Realm was specified, then the grant_type will be set to "http://auth0.com/oauth/grant-type/password-realm"
        /// </remarks>
        public async Task <AccessTokenResponse> GetTokenAsync(ResourceOwnerTokenRequest request)
        {
            var parameters = new Dictionary <string, object>
            {
                { "client_id", request.ClientId },
                { "username", request.Username },
                { "password", request.Password },
                { "scope", request.Scope }
            };

            if (!string.IsNullOrEmpty(request.ClientSecret))
            {
                parameters.Add("client_secret", request.ClientSecret);
            }

            if (!string.IsNullOrEmpty(request.Audience))
            {
                parameters.Add("audience", request.Audience);
            }

            if (string.IsNullOrEmpty(request.Realm))
            {
                parameters.Add("grant_type", "password");
            }
            else
            {
                parameters.Add("grant_type", "http://auth0.com/oauth/grant-type/password-realm");
                parameters.Add("realm", request.Realm);
            }

            var headers = new Dictionary <string, object>();

            if (!string.IsNullOrEmpty(request.ForwardedForIp))
            {
                headers.Add("auth0-forwarded-for", request.ForwardedForIp);
            }

            var response = await Connection.PostAsync <AccessTokenResponse>("oauth/token", null, parameters, null, null, headers, null).ConfigureAwait(false);

            IdentityTokenValidator validator = new IdentityTokenValidator();
            await validator.ValidateAsync(response.IdToken, _baseUri.AbsoluteUri, request.ClientId);

            return(response);
        }
Exemple #7
0
        internal ArbitraryResourceOwnerRequest ToArbitraryResourceOwnerRequest(ResourceOwnerTokenRequest resourceOwnerTokenRequest)
        {
            Guard.ArgumentNotNull(nameof(resourceOwnerTokenRequest), resourceOwnerTokenRequest);
            var valid = !string.IsNullOrWhiteSpace(_clientId) ||
                        !string.IsNullOrWhiteSpace(resourceOwnerTokenRequest.ClientId);

            Guard.OperationValid(valid, "all clientId(s) are null!");

            var scopesList            = resourceOwnerTokenRequest.Scope.Split(' ').ToList();
            var extensionGrantRequest = new ArbitraryResourceOwnerRequest()
            {
                ClientId            = string.IsNullOrEmpty(resourceOwnerTokenRequest.ClientId) ? _clientId : resourceOwnerTokenRequest.ClientId,
                Scopes              = scopesList,
                Subject             = resourceOwnerTokenRequest.Subject,
                ArbitraryClaims     = resourceOwnerTokenRequest.ArbitraryClaims,
                AccessTokenLifetime = resourceOwnerTokenRequest.AccessTokenLifetime.ToString()
            };

            return(extensionGrantRequest);
        }
Exemple #8
0
 private string _getKey(ResourceOwnerTokenRequest r)
 {
     return($"ResourceOwnerTokenRequest{r.ClientId}{r.Username}{r.Realm}{r.Audience}{r.Scope}");
 }
Exemple #9
0
 public Task <AccessTokenResponse> GetTokenAsync(ResourceOwnerTokenRequest request)
 {
     return(_getToken(request));
 }
Exemple #10
0
        private async void LoginUser(ANWI.Messaging.LoginRequest cred)
        {
            // Authenticate the user with Auth0
            try {
                // Check version
                if (minimumVersion.CompareTo(cred.clientVer) > 0)
                {
                    logger.Info(
                        $"User {cred.username} has invalid version. " +
                        $"Client: {cred.clientVer} Minimum: {minimumVersion}");
                    DenyLogin(ANWI.Messaging.LoginResponse.Code.FAILED_VERSION);
                    return;
                }

                ResourceOwnerTokenRequest req
                    = new ResourceOwnerTokenRequest()
                    {
                    ClientId     = Configuration.auth0Settings.client,
                    ClientSecret = Configuration.auth0Settings.secret,
                    Realm        = Configuration.auth0Settings.connection,
                    Username     = cred.username,
                    Password     = cred.password
                    };


                AccessTokenResponse token = null;
                try {
                    token = await auth0Client.GetTokenAsync(req);
                } catch (Auth0.Core.Exceptions.ApiException e) {
                    logger.Error(
                        $"Failed to log in user {cred.username}: {e.Message}");
                    DenyLogin(
                        ANWI.Messaging.LoginResponse.Code.FAILED_CREDENTIALS);
                    return;
                }

                UserInfo user
                    = await auth0Client.GetUserInfoAsync(token.AccessToken);

                logger.Info("Successfully authenticated user.  Token: " +
                            token.AccessToken);

                ANWI.AuthenticatedAccount account = new AuthenticatedAccount();
                account.authToken = token.AccessToken;
                account.auth0_id  = user.UserId;
                account.nickname  = user.NickName;

                // Get the main user profile
                Datamodel.User dbUser = null;
                if (!Datamodel.User.FetchByAuth0(ref dbUser, account.auth0_id))
                {
                    logger.Info("Profile not found for user " +
                                account.auth0_id + ". It will be created.");

                    // Create a basic profile
                    if (!CreateDatabaseUser(user.NickName, user.UserId))
                    {
                        DenyLogin(ANWI.Messaging.LoginResponse.
                                  Code.FAILED_SERVER_ERROR);
                        return;
                    }
                }

                account.profile = Profile.FetchByAuth0(account.auth0_id);

                ANWI.Messaging.Message resp = new ANWI.Messaging.Message(
                    0,
                    new ANWI.Messaging.LoginResponse(
                        ANWI.Messaging.LoginResponse.Code.OK,
                        account)
                    );

                SendMessage(resp);
            } catch (System.Net.Http.HttpRequestException e) {
                logger.Info("HTTP error when connecting to Auth0:\n"
                            + e);
                DenyLogin(
                    ANWI.Messaging.LoginResponse.Code.FAILED_SERVER_ERROR);
                return;
            }
        }
Exemple #11
0
        public async Task <List <TokenExchangeResponse> > ProcessExchangeAsync(TokenExchangeRequest tokenExchangeRequest)
        {
            if (tokenExchangeRequest.Extras == null || tokenExchangeRequest.Extras.Count == 0)
            {
                throw new Exception($"{Name}: We require that extras be populated!");
            }

            List <ValidatedToken> validatedIdentityTokens = new List <ValidatedToken>();

            foreach (var item in tokenExchangeRequest.Tokens)
            {
                var prince = await _tokenValidator.ValidateTokenAsync(new TokenDescriptor
                {
                    TokenScheme = item.TokenScheme,
                    Token       = item.Token
                });

                var sub = prince.GetSubjectFromPincipal();
                if (string.IsNullOrEmpty(sub))
                {
                    _summaryLogger.Add("subject", "A subject was not found in the ClaimsPrincipal object!");
                    throw new Exception("A subject was not found in the ClaimsPrincipal object!");
                }
                validatedIdentityTokens.Add(new ValidatedToken
                {
                    Token       = item.Token,
                    TokenScheme = item.TokenScheme,
                    Principal   = prince
                });
            }

            // for this demo, lets assume all the extras are roles.
            var roles = tokenExchangeRequest.Extras;

            roles.Add("user");


            ResourceOwnerTokenRequest resourceOwnerTokenRequest = new ResourceOwnerTokenRequest()
            {
                AccessTokenLifetime = 3600,
                ArbitraryClaims     = new Dictionary <string, List <string> >()
                {
                    { "role", roles }
                },
                Scope    = "offline_access graphQLPlay",
                Subject  = validatedIdentityTokens[0].Principal.GetSubjectFromPincipal(),
                ClientId = "arbitrary-resource-owner-client"
            };
            var response = await _tokenMintingService.MintResourceOwnerTokenAsync(resourceOwnerTokenRequest);

            if (response.IsError)
            {
                throw new Exception(response.Error);
            }

            var tokenExchangeResponse = new TokenExchangeResponse()
            {
                accessToken = new AccessTokenResponse()
                {
                    access_token  = response.AccessToken,
                    refresh_token = response.RefreshToken,
                    expires_in    = response.ExpiresIn,
                    token_type    = response.TokenType,
                    authority     =
                        $"{_httpContextAssessor.HttpContext.Request.Scheme}://{_httpContextAssessor.HttpContext.Request.Host}",
                    HttpHeaders = new List <HttpHeader>
                    {
                        new HttpHeader()
                        {
                            Name = "x-authScheme", Value = response.Scheme
                        }
                    }
                }
            };

            return(new List <TokenExchangeResponse> {
                tokenExchangeResponse
            });
        }
Exemple #12
0
        public async Task <List <TokenExchangeResponse> > ProcessExchangeAsync(
            TokenExchangeRequest tokenExchangeRequest,
            Dictionary <string, List <KeyValuePair <string, string> > > mapOpaqueKeyValuePairs)
        {
            var access_token = await GetTokenAsync();

            if (string.IsNullOrEmpty(access_token))
            {
                throw new Exception("Unable to fetch client_credentials access_token");
            }

            var headers = new List <HttpHeader>(_externalExchangeRecord.oAuth2_client_credentials.AdditionalHeaders)
            {
                new HttpHeader()
                {
                    Name = "Authorization", Value = $"Bearer {access_token}"
                },
                new HttpHeader()
                {
                    Name = "Accept", Value = $"application/json"
                }
            };
            var passThrough = _externalExchangeRecord.MintType == "passThroughHandler";
            var externalUrl = passThrough ? _externalExchangeRecord.PassThroughHandler.Url : _externalExchangeRecord.ExternalFinalExchangeHandler.Url;

            (string content, HttpStatusCode statusCode)responseBag;
            using (var httpClient = _defaultHttpClientFactory.HttpClient)
            {
                responseBag = await Utils.EfficientApiCalls.HttpClientHelpers.PostStreamAsync(
                    _defaultHttpClientFactory.HttpClient,
                    externalUrl,
                    headers,
                    new TokenExchangeRequestPackage(tokenExchangeRequest)
                {
                    MapOpaqueKeyValuePairs = mapOpaqueKeyValuePairs
                },
                    CancellationToken.None);
            }

            if (responseBag.statusCode == HttpStatusCode.OK)
            {
                if (passThrough)
                {
                    var passThroughResult = JsonConvert.DeserializeObject <List <TokenExchangeResponse> >(responseBag.content);
                    return(passThroughResult);
                }
                else
                {
                    var tokenExchangeResponses        = new List <TokenExchangeResponse>();
                    var externalExchangeTokenRequests = JsonConvert.DeserializeObject <List <ExternalExchangeTokenResponse> >(responseBag.content);

                    foreach (var externalExchangeResourceOwnerTokenRequest in externalExchangeTokenRequests)
                    {
                        if (externalExchangeResourceOwnerTokenRequest.CustomTokenResponse != null)
                        {
                            var tokenExchangeResponse = new TokenExchangeResponse()
                            {
                                customToken = externalExchangeResourceOwnerTokenRequest.CustomTokenResponse
                            };
                            tokenExchangeResponses.Add(tokenExchangeResponse);
                        }
                        if (externalExchangeResourceOwnerTokenRequest.ArbitraryIdentityTokenRequest != null)
                        {
                            var arbitraryIdentityTokenRequest = externalExchangeResourceOwnerTokenRequest
                                                                .ArbitraryIdentityTokenRequest;
                            IdentityTokenRequest tokenRequest = new IdentityTokenRequest()
                            {
                                IdentityTokenLifetime = arbitraryIdentityTokenRequest.IdentityTokenLifetime,
                                ArbitraryClaims       = arbitraryIdentityTokenRequest.ArbitraryClaims,
                                Scope    = arbitraryIdentityTokenRequest.Scope,
                                Subject  = arbitraryIdentityTokenRequest.Subject,
                                ClientId = _externalExchangeRecord.ExternalFinalExchangeHandler.ClientId // configured value
                            };

                            var response =
                                await _tokenMintingService.MintIdentityTokenAsync(tokenRequest);

                            if (response.IsError)
                            {
                                throw new Exception(response.Error);
                            }
                            var tokenExchangeResponse = new TokenExchangeResponse()
                            {
                                IdentityToken = new IdentityTokenResponse()
                                {
                                    hint       = arbitraryIdentityTokenRequest.Hint,
                                    id_token   = response.IdentityToken,
                                    expires_in = response.ExpiresIn,
                                    authority  =
                                        $"{_httpContextAssessor.HttpContext.Request.Scheme}://{_httpContextAssessor.HttpContext.Request.Host}",
                                    HttpHeaders = arbitraryIdentityTokenRequest.HttpHeaders
                                }
                            };
                            tokenExchangeResponses.Add(tokenExchangeResponse);
                        }

                        if (externalExchangeResourceOwnerTokenRequest.ArbitraryResourceOwnerTokenRequest != null)
                        {
                            var arbitraryResourceOwnerTokenRequest = externalExchangeResourceOwnerTokenRequest
                                                                     .ArbitraryResourceOwnerTokenRequest;
                            ResourceOwnerTokenRequest resourceOwnerTokenRequest = new ResourceOwnerTokenRequest()
                            {
                                AccessTokenLifetime = arbitraryResourceOwnerTokenRequest.AccessTokenLifetime,
                                ArbitraryClaims     = arbitraryResourceOwnerTokenRequest.ArbitraryClaims,
                                Scope    = arbitraryResourceOwnerTokenRequest.Scope,
                                Subject  = arbitraryResourceOwnerTokenRequest.Subject,
                                ClientId = _externalExchangeRecord.ExternalFinalExchangeHandler.ClientId // configured value
                            };

                            var response =
                                await _tokenMintingService.MintResourceOwnerTokenAsync(resourceOwnerTokenRequest);

                            if (response.IsError)
                            {
                                throw new Exception(response.Error);
                            }

                            var tokenExchangeResponse = new TokenExchangeResponse()
                            {
                                accessToken = new AccessTokenResponse()
                                {
                                    hint          = arbitraryResourceOwnerTokenRequest.Hint,
                                    access_token  = response.AccessToken,
                                    refresh_token = response.RefreshToken,
                                    expires_in    = response.ExpiresIn,
                                    token_type    = response.TokenType,
                                    authority     =
                                        $"{_httpContextAssessor.HttpContext.Request.Scheme}://{_httpContextAssessor.HttpContext.Request.Host}",
                                    HttpHeaders = arbitraryResourceOwnerTokenRequest.HttpHeaders
                                }
                            };
                            tokenExchangeResponses.Add(tokenExchangeResponse);
                        }
                    }
                    return(tokenExchangeResponses);
                }
            }

            return(null);
        }
Exemple #13
0
 public Task <AccessTokenResponse> GetTokenAsync(ResourceOwnerTokenRequest request, CancellationToken cancellationToken = default)
 {
     return(_getToken(request, cancellationToken));
 }