/// <summary>
///
/// </summary>
/// <param name="eventEndpoint"></param>
public AuditTrailClient(string eventEndpoint, string scope, TokenClientOptions tokenClientOptions)
{
if (eventEndpoint is null)
{
throw new ArgumentNullException(nameof(eventEndpoint));
}
if (scope is null)
{
throw new ArgumentNullException(nameof(scope));
}
if (tokenClientOptions is null)
{
throw new ArgumentNullException(nameof(tokenClientOptions));
}
_httpClient = new HttpClient();
_sink = new NullSink();
_logger = new ConsoleLogger <AuditTrailClient>();
_writer = new JwtWriter();
_store = new NullStore();
_options = new AuditTrailClientOptions
{
DeliveryEndpoint = eventEndpoint,
AccessTokenScope = scope,
TokenClientOptions = tokenClientOptions
};
_accessTokenAcquirer = new DefaultAccessTokenAcquirer(
new ConsoleLogger <DefaultAccessTokenAcquirer>(),
new TokenClient(new HttpClient(), tokenClientOptions),
Options.Create(_options));
}
/// <summary>
/// Constructs a JwtAssertionTokenClient with specified options
/// </summary>
/// <param name="options">Token client options</param>
public JwtAssertionTokenClient(TokenClientOptions options)
{
ValidateOptions(options);
_cache = options.Cache ?? DefaultTokenCache.Value;
_internalClient = new PrivateKeyJwtClientCredentialsTokenClient(options);
_partialCacheKey = string.Join("|", options.TokenEndpointUrl, options.ClientId, options.Certificate.Thumbprint);
}
public JwtAssertionFactory(TokenClientOptions options)
{
_audience = options.Audience ?? options.TokenEndpointUrl;
_clientId = options.ClientId;
_certificate = options.Certificate;
_embedCertificate = options.EmbedCertificate;
}
public async Task <string> GetRefreshAccessToken()
{
var discoClient = await client.GetDiscoveryDocumentAsync(Configuration["AuthServer:AuthBaseUrl"]);
var tokenClientOptions = new TokenClientOptions
{
Address = Configuration["AuthServer:AuthBaseUrl"],
AuthorizationHeaderStyle = BasicAuthenticationHeaderStyle.Rfc6749,
ClientId = Configuration["AuthServer:ClientId"],
ClientSecret = Configuration["AuthServer:ClientSecret"]
};
var tokenClient = new TokenClient(client, tokenClientOptions);
var refreshToken = await _httpContextAccessor.HttpContext.GetTokenAsync(OpenIdConnectParameterNames.RefreshToken);
var tokenResponse = await tokenClient.RequestRefreshTokenAsync(refreshToken);
if (!tokenResponse.IsError)
{
var auth = await _httpContextAccessor.HttpContext.AuthenticateAsync(CookieAuthenticationDefaults.AuthenticationScheme);
auth.Properties.UpdateTokenValue(OpenIdConnectParameterNames.AccessToken, tokenResponse.AccessToken);
auth.Properties.UpdateTokenValue(OpenIdConnectParameterNames.RefreshToken, tokenResponse.RefreshToken);
var expieresAt = DateTime.UtcNow + TimeSpan.FromSeconds(tokenResponse.ExpiresIn);
auth.Properties.UpdateTokenValue("expieres_at", expieresAt.ToString("o", CultureInfo.InvariantCulture));
await _httpContextAccessor.HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, auth.Principal, auth.Properties);
return(tokenResponse.AccessToken);
}
//return await GetAccessToken();
throw tokenResponse.Exception;
}
public string Login()//string Login, string Password)
{
var ru = new RequestUrl("https://localhost:6001/connect/authorize");
var payload = new
{
token = "mmm"
};
TokenClientOptions tco = new TokenClientOptions();
// create token client
//var client = new TokenClient(tco);
// send custom grant to token endpoint, return response
//return await client.RequestCustomGrantAsync("delegation", "api2", payload);
var client = new HttpClient();
var s = new TokenJson
{
Token = "123"
};
var d = System.Text.Json.Serialization.JsonSerializer.ToString(s);
HttpContent con = new StringContent(d);
con.Headers.ContentType = MediaTypeHeaderValue.Parse("application/json");
var dupa = new Dictionary <string, string>();
dupa.Add("Token", "123");
var response = client.RequestTokenAsync(new TokenRequest
{
Address = "https://localhost:6001/connect/token",
ClientId = "userid",
ClientSecret = "apisecret",
GrantType = "userid",
Parameters = dupa
}).Result;
//var response = client.RequestPasswordTokenAsync(new PasswordTokenRequest
//{
// Address = "https://localhost:6001/connect/token",
// ClientId = "ApiClient",
// ClientSecret = "apisecret",
// Scope = "profile",
// UserName = "******",
// Password = "******"
//}).Result;
if (response.IsError)
{
}
return(response.AccessToken);
}
public RealAuthorizationServerTest()
{
var options = new TokenClientOptions()
{
TokenEndpointUrl = "https://localhost:44300/connect/token",
ClientId = "test_client",
Certificate = TestCertificate.Load()
};
_tokenClient = new JwtAssertionTokenClient(options);
}
public void CreateClient_TokenClientOptionsPropertiesMayBeNull_ThrowsArgumentException()
{
var tokenClientOptions = new TokenClientOptions();
var exception = Assert.Throws <ArgumentException>(() => _tokenManagerFixture.GetTokenClientFactory().CreateClient(tokenClientOptions));
Assert.Equal("'AuthorityUrl' must not be null, empty or whitespace. (Parameter 'AuthorityUrl')", exception.Message);
tokenClientOptions.AuthorityUrl = "localhost";
exception = Assert.Throws <ArgumentException>(() => _tokenManagerFixture.GetTokenClientFactory().CreateClient(tokenClientOptions));
Assert.Equal("'ClientId' must not be null, empty or whitespace. (Parameter 'ClientId')", exception.Message);
}
// ReSharper disable once InconsistentNaming
private async Task <string> ObtainSTSAccessToken()
{
var httpClient = new HttpClient();
var discovery = await httpClient.GetDiscoveryDocumentAsync(TestConfig.STSAuthority);
var options = new TokenClientOptions
{
Address = discovery.TokenEndpoint,
ClientId = TestConfig.STSClientId,
ClientSecret = TestConfig.STSClientSecret,
};
var client = new TokenClient(httpClient, options);
var tokenResponse = await client.RequestClientCredentialsTokenAsync(TestConfig.STSScope);
return(tokenResponse.AccessToken);
}
public static async Task Main(string[] args)
{
var httpClient = new HttpClient();
var options = new TokenClientOptions
{
Address = "http://localhost:5000/connect/token",
ClientId = "ro.client",
ClientSecret = "secret"
};
var tokenClient = new TokenClient(httpClient, options);
var tokenResponse = await tokenClient.RequestClientCredentialsTokenAsync("api1");
Console.WriteLine("Error : {0}", tokenResponse.Error);
Console.WriteLine("Token : {0}", tokenResponse.AccessToken);
Console.Read();
}
static void Main(string[] args)
{
var options = new TokenClientOptions();
options.AudienceUri = new Uri("http://localhost");
options.StoreName = StoreName.Root;
options.StoreLocation = StoreLocation.LocalMachine;
options.CertificateDnsIdentity = "SecureTokenServiceTest";
options.SubjectDistinguishedName = "CN=SecureTokenServiceTest";
options.TokenServiceUri = new Uri("http://localhost:6690/STS");
var unityContainer = new UnityContainer();
unityContainer.RegisterType <TrustedIssuerNameRegistry>();
unityContainer.RegisterInstance(typeof(ITokenClientOptions), options);
unityContainer.RegisterType <TokenClient>();
Console.WriteLine("Login test");
try
{
Console.WriteLine("Valid test");
var client = unityContainer.Resolve <TokenClient>();
client.SignIn("Dessel Bane", "pass");
foreach (Claim claimsPrincipalClaim in client.SessionToken.ClaimsPrincipal.Claims)
{
Console.WriteLine($"Claim type: {claimsPrincipalClaim.Type}, Claim Value: {claimsPrincipalClaim.Value}");
}
client.SignOut();
client.SignIn("Dessel Bane", "pas123s");
Console.WriteLine(client?.SessionToken?.ClaimsPrincipal?.Identity?.Name ?? "Not Authenticated");
}
catch (Exception e)
{
Console.WriteLine(e);
}
Console.WriteLine("Press any key to exit");
Console.ReadKey();
}
/// <inheritdoc />
public ITokenClient CreateClient([NotNull] TokenClientOptions tokenClientOptions)
{
if (tokenClientOptions == null)
{
throw new ArgumentNullException(nameof(tokenClientOptions));
}
if (string.IsNullOrWhiteSpace(tokenClientOptions.AuthorityUrl))
{
throw new ArgumentException($"'{nameof(tokenClientOptions.AuthorityUrl)}' must not be null, empty or whitespace.", nameof(tokenClientOptions.AuthorityUrl));
}
if (string.IsNullOrWhiteSpace(tokenClientOptions.ClientId))
{
throw new ArgumentException($"'{nameof(tokenClientOptions.ClientId)}' must not be null, empty or whitespace.", nameof(tokenClientOptions.ClientId));
}
return(new TokenClient(_httpClientFactory.CreateClient(),
_loggerFactory.CreateLogger <TokenClient>(),
tokenClientOptions, _dateTimeProvider));
}
/// <inheritdoc/>
public async Task <TokenResponse> RequestClientAccessToken(string clientName = AccessTokenManagementDefaults.DefaultTokenClientName)
{
TokenClientOptions tokenClientOptions;
// if a named client configuration was passed in, try to load it
if (string.Equals(clientName, AccessTokenManagementDefaults.DefaultTokenClientName))
{
// if only one client configuration exists, load that
if (_accessTokenManagementOptions.Client.Clients.Count == 1)
{
tokenClientOptions = _accessTokenManagementOptions.Client.Clients.First().Value;
}
// otherwise fall back to the scheme configuration
else
{
var(options, configuration) = await GetOpenIdConnectSettingsAsync(_accessTokenManagementOptions.User.Scheme);
tokenClientOptions = new TokenClientOptions
{
Address = configuration.TokenEndpoint,
ClientId = options.ClientId,
ClientSecret = options.ClientSecret
};
}
}
else
{
if (!_accessTokenManagementOptions.Client.Clients.TryGetValue(clientName, out tokenClientOptions))
{
throw new InvalidOperationException($"No access token client configuration found for client: {clientName}");
}
}
return(await _httpClient.RequestClientCredentialsTokenAsync(new ClientCredentialsTokenRequest
{
Address = tokenClientOptions.Address,
ClientId = tokenClientOptions.ClientId,
ClientSecret = tokenClientOptions.ClientSecret
}));
}
protected override async Task <HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
{
// Set the client details and the idsvc token endpoint address
TokenClientOptions tokenOptions = new TokenClientOptions
{
ClientId = "rshp.gateway",
ClientSecret = "secret", // DEV: for development purposes. Use proper secret in prod.
Address = "http://identity.svc/connect/token"
};
var client = new TokenClient(new HttpClient(), tokenOptions);
// Get currently attached token (reference) from downstream-bound request
var accessToken = request.Headers.Authorization.Parameter;
_logger.LogDebug("Exchanging reference token to JWT - reference token: {0} ", accessToken);
// Set desired scope and attach current reference token
var opt = new Dictionary <string, string>
{
{ "scope", "bm acc" },
{ "reference_token", accessToken }
};
// Send request for token using custom grant type
var tokenResponse = await client.RequestTokenAsync("exchange_reference_token", opt);
_logger.LogDebug("Token exchange result: {0}", tokenResponse?.AccessToken);
// Modify request with new JWT token if it returned successfully
if (!tokenResponse.IsError)
{
request.SetBearerToken(tokenResponse.AccessToken);
}
else
{
_logger.LogError("RequestTokenAsync() Failed! {0}, {1} \t Exception: {2}", tokenResponse.Error, tokenResponse.ErrorDescription, tokenResponse.Exception.ToString());
}
_logger.LogDebug("Final token result: {0}", request.Headers.Authorization.Parameter);
return(await base.SendAsync(request, cancellationToken));
}
public async Task Local_custom_parameters_should_not_interfere_with_global()
{
var globalOptions = new TokenClientOptions {
Parameters = { { "global", "value" } }
};
var tokenClient = new TokenClient(_client, globalOptions);
var localParameters = new Dictionary <string, string>
{
{ "client_id", "custom" },
{ "client_secret", "custom" },
{ "custom", "custom" }
};
_ = await tokenClient.RequestTokenAsync(grantType : "test", parameters : localParameters);
globalOptions.Parameters.Should().HaveCount(1);
globalOptions.Parameters.TryGetValue("global", out var globalValue);
globalValue.Should().Be("value");
}
public async Task Local_custom_parameters_should_not_interfere_with_global()
{
var globalOptions = new TokenClientOptions {
Parameters = { { "global", "value" } }
};
var tokenClient = new TokenClient(_client, globalOptions);
var localParameters = new Parameters
{
{ "client_id", "custom" },
{ "client_secret", "custom" },
{ "custom", "custom" }
};
_ = await tokenClient.RequestTokenAsync(grantType : "test", parameters : localParameters);
globalOptions.Parameters.Should().HaveCount(1);
var globalValue = globalOptions.Parameters.FirstOrDefault(p => p.Key == "global").Value;
globalValue.Should().Be("value");
}
/// <summary>
/// Get access token.
/// </summary>
/// <param name="baseUrl">the base url</param>
/// <param name="userName">the username</param>
/// <param name="password">the password</param>
public static async Task <string> GetAccessToken(string baseUrl, string userName, string password)
{
//TODO replace all hardcoded strings
var tokenOptions = new TokenClientOptions
{
Address = baseUrl + TokenEndPoint,
ClientId = "chat_console_client",
ClientSecret = "superdupersecret"
};
var handler = new HttpClientHandler
{
ServerCertificateCustomValidationCallback = (message, xCertificate2, chain, errors) => true
};
// Get a token.
var tokenClient = new TokenClient(new HttpMessageInvoker(handler), tokenOptions);
var tokenResponse = await tokenClient.RequestPasswordTokenAsync(userName, password, "shortlivedchat");
if (!tokenResponse.IsError)
{
return(tokenResponse.AccessToken);
}
Console.WriteLine(tokenResponse.Error);
return(null);
}
private void ValidateOptions(TokenClientOptions options)
{
if (options == null)
{
throw new ArgumentException("Options cannot be null", nameof(options));
}
if (string.IsNullOrWhiteSpace(options.TokenEndpointUrl))
{
throw new ArgumentException("TokenEndpointUrl must be set", nameof(options.TokenEndpointUrl));
}
if (string.IsNullOrWhiteSpace(options.ClientId))
{
throw new ArgumentException("ClientId must be set", nameof(options.ClientId));
}
if (options.Certificate == null)
{
throw new ArgumentException("Certificate must be set", nameof(options.Certificate));
}
ValidateCertificate(options.Certificate);
}
/// <summary>
/// Initializes a new instance of the <see cref="TokenClient"/> class.
/// </summary>
/// <param name="client">The client func.</param>
/// <param name="options">The options.</param>
/// <exception cref="ArgumentNullException">client</exception>
public TokenClient(Func <HttpMessageInvoker> client, TokenClientOptions options)
{
_client = client ?? throw new ArgumentNullException(nameof(client));
_options = options ?? throw new ArgumentNullException(nameof(options));
}
/// <summary>
/// Initializes a new instance of the <see cref="TokenClient"/> class.
/// </summary>
/// <param name="client">The client.</param>
/// <param name="options">The options.</param>
/// <exception cref="ArgumentNullException">client</exception>
public TokenClient(HttpMessageInvoker client, TokenClientOptions options)
: this(() => client, options)
{
}
public PrivateKeyJwtClientCredentialsTokenClient(TokenClientOptions options)
{
_jwtAssertionFactory = new JwtAssertionFactory(options);
_tokenEndpointUrl = options.TokenEndpointUrl;
_clientId = options.ClientId;
}
/// <summary>
/// Refreshes the Api tokens for the given ApplicationUser
/// </summary>
/// <param name="user"></param>
/// <param name="signInUser"></param>
/// <returns></returns>
public async Task <bool> RefreshTokens(ApplicationUser user, bool signInUser = false)
{
var lichessAuthNSection = _configuration.GetSection("Authentication:Lichess");
HttpMessageHandler _handler = new HttpClientHandler();
HttpClient _client = new HttpClient(_handler)
{
BaseAddress = new Uri(AspNet.Security.OAuth.Lichess.LichessAuthenticationDefaults.TokenEndpoint)
};
TokenClientOptions options = new TokenClientOptions
{
ClientId = lichessAuthNSection["ClientID"],
ClientSecret = lichessAuthNSection["ClientSecret"]
};
var tokenClient = new TokenClient(_client, options);
var rt = user.RefreshToken;
var tokenResult = await tokenClient.RequestRefreshTokenAsync(rt);
if (!tokenResult.IsError)
{
var newAccessToken = tokenResult.AccessToken;
var newRefreshToken = tokenResult.RefreshToken;
var expiresAt = DateTime.UtcNow + TimeSpan.FromSeconds(tokenResult.ExpiresIn);
if (signInUser)
{
var tokens = new List <AuthenticationToken>
{
new AuthenticationToken
{
Name = OpenIdConnectParameterNames.AccessToken, Value = newAccessToken
},
new AuthenticationToken
{
Name = OpenIdConnectParameterNames.RefreshToken, Value = newRefreshToken
},
new AuthenticationToken
{
Name = "expires_at", Value = expiresAt.ToString("o", CultureInfo.InvariantCulture)
}
};
var props = new AuthenticationProperties();
props.StoreTokens(tokens);
props.IsPersistent = true;
await _signInManager.SignInAsync(user, props);
}
user.AccessToken = newAccessToken;
user.RefreshToken = newRefreshToken;
user.ExpiresAt = expiresAt;
await _userManager.UpdateAsync(user);
return(true);
}
return(false);
}
public void Configure(ExternalExchangeRecord externalExchangeRecord)
{
_externalExchangeRecord = externalExchangeRecord;
_settings = _optionsSnapshot.Get(_externalExchangeRecord.ExchangeName);
_cacheKey = $"{_externalExchangeRecord.ExchangeName}_{_cacheKey}";
}
public TokenClient(TokenClientOptions options)
{
_log = Log.ForContext <TokenClient>();
BaseAddress = new Uri(options.TokenUrl);
}
