private static TokenManager GetTokenManager() { var options = CreateOptions(); var claimsManager = CreateClaimsManager(options); var factory = new LoggerFactory(); var protector = new EphemeralDataProtectionProvider(factory).CreateProtector("test"); var codeSerializer = new TokenDataSerializer <AuthorizationCode>(options, ArrayPool <char> .Shared); var codeDataFormat = new SecureDataFormat <AuthorizationCode>(codeSerializer, protector); var refreshTokenSerializer = new TokenDataSerializer <RefreshToken>(options, ArrayPool <char> .Shared); var refreshTokenDataFormat = new SecureDataFormat <RefreshToken>(refreshTokenSerializer, protector); var timeStampManager = new TimeStampManager(); var credentialsPolicy = GetCredentialsPolicy(options, timeStampManager); var codeIssuer = new AuthorizationCodeIssuer(claimsManager, codeDataFormat, new ProtocolErrorProvider()); var accessTokenIssuer = new JwtAccessTokenIssuer(claimsManager, credentialsPolicy, new JwtSecurityTokenHandler(), options); var idTokenIssuer = new JwtIdTokenIssuer(claimsManager, credentialsPolicy, new JwtSecurityTokenHandler(), options); var refreshTokenIssuer = new RefreshTokenIssuer(claimsManager, refreshTokenDataFormat); return(new TokenManager( codeIssuer, accessTokenIssuer, idTokenIssuer, refreshTokenIssuer, new ProtocolErrorProvider())); }
public DiscourseAuthenticationOptions() { CallbackPath = "/auth-discourse"; _nonceCookieBuilder = new DiscourseNonceCookieBuilder(this) { Name = ".CitizenFX.Discourse.Nonce.", HttpOnly = true, SameSite = SameSiteMode.None, SecurePolicy = CookieSecurePolicy.SameAsRequest, IsEssential = true, }; DataProtectionProvider = Microsoft.AspNetCore.DataProtection.DataProtectionProvider.Create("FXServer"); var dataProtector = DataProtectionProvider.CreateProtector( typeof(DiscourseAuthenticationHandler).FullName, typeof(string).FullName, "DAO", "v1"); StringDataFormat = new SecureDataFormat <string>(new StringSerializer(), dataProtector); StateDataFormat = new PropertiesDataFormat(dataProtector); }
public void Configuration(IAppBuilder app) { var container = new Container(); container.Options.DefaultScopedLifestyle = new AsyncScopedLifestyle(); container.RegisterWebApiControllers(GlobalConfiguration.Configuration); var sdt = new SecureDataFormat <AuthenticationTicket>( new TicketSerializer(), new DpapiDataProtectionProvider().Create("ASP.NET Identity"), TextEncodings.Base64 ); container.Options.AllowOverridingRegistrations = true; container.Register <AccountController>(() => new AccountController(sdt), Lifestyle.Scoped); container.Options.AllowOverridingRegistrations = false; Services.Startup.RegisterComponents(container); // This is an extension method from the integration package. container.Verify(); app.Use(async(context, next) => { using (container.BeginExecutionContextScope()) { await next(); } }); GlobalConfiguration.Configuration.DependencyResolver = new SimpleInjectorWebApiDependencyResolver(container); ConfigureAuth(app); }
public void OwinDataHandler(SecureDataFormat <AuthenticationProperties> secure) { AuthenticationProperties props = new AuthenticationProperties(); string secured = secure.Protect(props); AuthenticationProperties unsecured = secure.Unprotect(secured); byte[] decoded = new byte[10]; }
public void ProtectDataRoundTrips() { var provider = ServiceProvider.GetRequiredService <IDataProtectionProvider>(); var prototector = provider.CreateProtector("test"); var secureDataFormat = new SecureDataFormat <string>(new StringSerializer(), prototector); string input = "abcdefghijklmnopqrstuvwxyz0123456789"; var protectedData = secureDataFormat.Protect(input); var result = secureDataFormat.Unprotect(protectedData); Assert.Equal(input, result); }
public void OwinDataHandler(ITextEncoder encoder, SecureDataFormat <AuthenticationProperties> secure) { AuthenticationProperties props = new AuthenticationProperties(); string secured = secure.Protect(props); AuthenticationProperties unsecured = secure.Unprotect(secured); byte[] decoded = new byte[10]; string encoded = encoder.Encode(decoded); decoded = encoder.Decode(encoded); }
public void UnprotectWithDifferentPurposeFails() { var provider = ServiceProvider.GetRequiredService <IDataProtectionProvider>(); var prototector = provider.CreateProtector("test"); var secureDataFormat = new SecureDataFormat <string>(new StringSerializer(), prototector); string input = "abcdefghijklmnopqrstuvwxyz0123456789"; string purpose = "purpose1"; var protectedData = secureDataFormat.Protect(input, purpose); var result = secureDataFormat.Unprotect(protectedData); // Null other purpose Assert.Null(result); result = secureDataFormat.Unprotect(protectedData, "purpose2"); Assert.Null(result); }
public async Task JwtRefreshTokenIssuer_ExchangeRefreshTokenAsync_ReadTheRefreshTokenCorrectly() { // Arrange var options = GetOptions(); var protector = new EphemeralDataProtectionProvider(new LoggerFactory()).CreateProtector("test"); var refreshTokenSerializer = new TokenDataSerializer <RefreshToken>(options, ArrayPool <char> .Shared); var dataFormat = new SecureDataFormat <RefreshToken>(refreshTokenSerializer, protector); var expectedDateTime = new DateTimeOffset(2000, 01, 01, 0, 0, 0, TimeSpan.FromHours(1)); var now = DateTimeOffset.UtcNow; var expires = new DateTimeOffset(now.Year, now.Month, now.Day, now.Hour, now.Minute, now.Second, TimeSpan.Zero); var timeManager = GetTimeManager(expectedDateTime, expires, expectedDateTime); var issuer = new RefreshTokenIssuer(GetClaimsManager(timeManager), dataFormat); var context = GetTokenGenerationContext( new ClaimsPrincipal(new ClaimsIdentity(new[] { new Claim(ClaimTypes.NameIdentifier, "user") })), new ClaimsPrincipal(new ClaimsIdentity(new[] { new Claim(IdentityServiceClaimTypes.ClientId, "clientId") }))); context.InitializeForToken(TokenTypes.RefreshToken); await issuer.IssueRefreshTokenAsync(context); var message = new OpenIdConnectMessage(); message.ClientId = "clientId"; message.RefreshToken = context.RefreshToken.SerializedValue; // Act var grant = await issuer.ExchangeRefreshTokenAsync(message); // Assert Assert.NotNull(grant); Assert.NotNull(grant.Token); var refreshToken = Assert.IsType <RefreshToken>(grant.Token); Assert.Equal("clientId", refreshToken.ClientId); Assert.Equal("user", refreshToken.UserId); Assert.Equal(expectedDateTime, refreshToken.IssuedAt); Assert.Equal(expires, refreshToken.Expires); Assert.Equal(expectedDateTime, refreshToken.NotBefore); Assert.Equal(new[] { "openid profile" }, refreshToken.Scopes.ToArray()); }
public static void Initialize(IAppBuilder app) { var container = new Container(); container.Options.DefaultScopedLifestyle = new WebApiRequestLifestyle(); container.RegisterWebApiControllers(GlobalConfiguration.Configuration); container.Options.AllowOverridingRegistrations = true; //container.Register<IAuthenticationManager>(() => AdvancedExtensions.IsVerifying(container) ? new OwinContext(new Dictionary<string, object>()).Authentication : HttpContext.Current.GetOwinContext().Authentication); ApplicationUserManager um = new ApplicationUserManager(new UserStore <ApplicationUser>(new ApplicationDbContext("DefaultConnection"))); //ApplicationSignInManager sm = new ApplicationSignInManager(um, container.GetInstance<IAuthenticationManager>()); SecureDataFormat <AuthenticationTicket> sdt = new SecureDataFormat <AuthenticationTicket>( new TicketSerializer(), new DpapiDataProtectionProvider().Create("ASP.NET Identity"), TextEncodings.Base64); container.Register <AccountController>(() => new AccountController(um, sdt), Lifestyle.Scoped); //container.Register<ApplicationSignInManager>(() => new ApplicationSignInManager(um, container.GetInstance<IAuthenticationManager>()), Lifestyle.Scoped); //container.Register<LoginController>(() => new LoginController(um, sm), Lifestyle.Scoped); container.Options.AllowOverridingRegistrations = false; container.RegisterWebApiRequest <ApplicationDbContext>(() => new ApplicationDbContext("DefaultConnection")); container.Register(typeof(IRepository <>), typeof(GenericRepository <>), Lifestyle.Scoped); container.Verify(); app.Use(async(context, next) => { using (container.BeginExecutionContextScope()) { await next(); } }); GlobalConfiguration.Configuration.DependencyResolver = new SimpleInjectorWebApiDependencyResolver(container); }
public async Task CanFetchUserDetails() { var verifyCredentialsEndpoint = "https://api.twitter.com/1.1/account/verify_credentials.json"; var finalVerifyCredentialsEndpoint = string.Empty; var finalAuthorizationParameter = string.Empty; var stateFormat = new SecureDataFormat <RequestToken>(new RequestTokenSerializer(), new EphemeralDataProtectionProvider(NullLoggerFactory.Instance).CreateProtector("TwitterTest")); using var host = await CreateHost((options) => { options.ConsumerKey = "Test App Id"; options.ConsumerSecret = "PLACEHOLDER"; options.RetrieveUserDetails = true; options.StateDataFormat = stateFormat; options.BackchannelHttpHandler = new TestHttpMessageHandler { Sender = req => { if (req.RequestUri.GetComponents(UriComponents.SchemeAndServer | UriComponents.Path, UriFormat.UriEscaped) == "https://api.twitter.com/oauth/access_token") { var res = new HttpResponseMessage(HttpStatusCode.OK); var content = new Dictionary <string, string>() { ["oauth_token"] = "Test Access Token", ["oauth_token_secret"] = "PLACEHOLDER", ["user_id"] = "123456", ["screen_name"] = "@dotnet" }; res.Content = new FormUrlEncodedContent(content); return(res); } if (req.RequestUri.GetComponents(UriComponents.SchemeAndServer | UriComponents.Path, UriFormat.UriEscaped) == new Uri(verifyCredentialsEndpoint).GetComponents(UriComponents.SchemeAndServer | UriComponents.Path, UriFormat.UriEscaped)) { finalVerifyCredentialsEndpoint = req.RequestUri.ToString(); finalAuthorizationParameter = req.Headers.Authorization.Parameter; var res = new HttpResponseMessage(HttpStatusCode.OK); var graphResponse = "{ \"email\": \"Test email\" }"; res.Content = new StringContent(graphResponse, Encoding.UTF8); return(res); } return(null); } }; }); var token = new RequestToken() { Token = "TestToken", TokenSecret = "PLACEHOLDER", Properties = new() }; var correlationKey = ".xsrf"; var correlationValue = "TestCorrelationId"; token.Properties.Items.Add(correlationKey, correlationValue); token.Properties.RedirectUri = "/me"; var state = stateFormat.Protect(token); using var server = host.GetTestServer(); var transaction = await server.SendAsync( "https://example.com/signin-twitter?oauth_token=TestToken&oauth_verifier=TestVerifier", $".AspNetCore.Correlation.{correlationValue}=N;__TwitterState={UrlEncoder.Default.Encode(state)}"); Assert.Equal(HttpStatusCode.Redirect, transaction.Response.StatusCode); Assert.Equal("/me", transaction.Response.Headers.GetValues("Location").First()); Assert.Equal(1, finalVerifyCredentialsEndpoint.Count(c => c == '?')); Assert.Contains("include_email=true", finalVerifyCredentialsEndpoint); Assert.Contains("oauth_consumer_key=", finalAuthorizationParameter); Assert.Contains("oauth_nonce=", finalAuthorizationParameter); Assert.Contains("oauth_signature=", finalAuthorizationParameter); Assert.Contains("oauth_signature_method=", finalAuthorizationParameter); Assert.Contains("oauth_timestamp=", finalAuthorizationParameter); Assert.Contains("oauth_token=", finalAuthorizationParameter); Assert.Contains("oauth_version=", finalAuthorizationParameter); var authCookie = transaction.AuthenticationCookieValue; transaction = await server.SendAsync("https://example.com/me", authCookie); Assert.Equal(HttpStatusCode.OK, transaction.Response.StatusCode); var expectedIssuer = TwitterDefaults.AuthenticationScheme; Assert.Equal("@dotnet", transaction.FindClaimValue(ClaimTypes.Name, expectedIssuer)); Assert.Equal("123456", transaction.FindClaimValue(ClaimTypes.NameIdentifier, expectedIssuer)); Assert.Equal("123456", transaction.FindClaimValue("urn:twitter:userid", expectedIssuer)); Assert.Equal("@dotnet", transaction.FindClaimValue("urn:twitter:screenname", expectedIssuer)); Assert.Equal("Test email", transaction.FindClaimValue(ClaimTypes.Email, expectedIssuer)); }
public async Task CanSignIn() { var stateFormat = new SecureDataFormat <RequestToken>(new RequestTokenSerializer(), new EphemeralDataProtectionProvider(NullLoggerFactory.Instance).CreateProtector("TwitterTest")); using var host = await CreateHost((options) => { options.ConsumerKey = "Test App Id"; options.ConsumerSecret = "PLACEHOLDER"; options.SaveTokens = true; options.StateDataFormat = stateFormat; options.BackchannelHttpHandler = new TestHttpMessageHandler { Sender = req => { if (req.RequestUri.GetComponents(UriComponents.SchemeAndServer | UriComponents.Path, UriFormat.UriEscaped) == "https://api.twitter.com/oauth/access_token") { var res = new HttpResponseMessage(HttpStatusCode.OK); var content = new Dictionary <string, string>() { ["oauth_token"] = "Test Access Token", ["oauth_token_secret"] = "PLACEHOLDER", ["user_id"] = "123456", ["screen_name"] = "@dotnet" }; res.Content = new FormUrlEncodedContent(content); return(res); } return(null); } }; }); var token = new RequestToken() { Token = "TestToken", TokenSecret = "PLACEHOLDER", Properties = new() }; var correlationKey = ".xsrf"; var correlationValue = "TestCorrelationId"; token.Properties.Items.Add(correlationKey, correlationValue); token.Properties.RedirectUri = "/me"; var state = stateFormat.Protect(token); using var server = host.GetTestServer(); var transaction = await server.SendAsync( "https://example.com/signin-twitter?oauth_token=TestToken&oauth_verifier=TestVerifier", $".AspNetCore.Correlation.{correlationValue}=N;__TwitterState={UrlEncoder.Default.Encode(state)}"); Assert.Equal(HttpStatusCode.Redirect, transaction.Response.StatusCode); Assert.Equal("/me", transaction.Response.Headers.GetValues("Location").First()); var authCookie = transaction.AuthenticationCookieValue; transaction = await server.SendAsync("https://example.com/me", authCookie); Assert.Equal(HttpStatusCode.OK, transaction.Response.StatusCode); var expectedIssuer = TwitterDefaults.AuthenticationScheme; Assert.Equal("@dotnet", transaction.FindClaimValue(ClaimTypes.Name, expectedIssuer)); Assert.Equal("123456", transaction.FindClaimValue(ClaimTypes.NameIdentifier, expectedIssuer)); Assert.Equal("123456", transaction.FindClaimValue("urn:twitter:userid", expectedIssuer)); Assert.Equal("@dotnet", transaction.FindClaimValue("urn:twitter:screenname", expectedIssuer)); transaction = await server.SendAsync("https://example.com/tokens", authCookie); Assert.Equal(HttpStatusCode.OK, transaction.Response.StatusCode); Assert.Equal("Test Access Token", transaction.FindTokenValue("access_token")); Assert.Equal("PLACEHOLDER", transaction.FindTokenValue("access_token_secret")); }