protected virtual void EnsureClientExists(TokenRequestMessage message)
{
var clientId = message.Parameters[OAuthConstants.ClientId];
if (!this.ClientStore.ClientExists(clientId))
{
throw new OAuthException(OAuthErrorCodes.InvalidClient, string.Format("The client_id '{0}' is not registered", clientId));
}
}
public override bool CanValidateMessage(TokenRequestMessage message)
{
if (message.Type == RequestGrantType.Assertion)
{
return(true);
}
return(false);
}
private string CreateAccessToken(TokenRequestMessage message, NameValueCollection additionalInfo)
{
var scope = message.Parameters["scope"];
var validity = TimeSpan.FromSeconds(this.serviceConfig.SimpleWebTokenHandlerConfiguration.Issuer.TokenExpirationInSeconds);
var swt = CreateSimpleWebToken(this.serviceConfig.SimpleWebTokenHandlerConfiguration.Issuer.IssuerIdentifier, scope, validity, additionalInfo);
var accessToken = SerializeToken(swt, this.serviceConfig.SecurityTokenHandlers);
return(accessToken);
}
public TokenResponseMessage CreateResponse(TokenRequestMessage message, NameValueCollection additionalInfo)
{
TokenResponseMessage response = new TokenResponseMessage();
response.AccessToken = this.CreateAccessToken(message, additionalInfo);
response.RefreshToken = this.CreateRefreshToken();
response.AccessTokenExpiresIn = TimeSpan.FromSeconds(this.serviceConfig.SimpleWebTokenHandlerConfiguration.Issuer.TokenExpirationInSeconds);
return(response);
}
public NameValueCollection Validate(TokenRequestMessage message)
{
if (message == null)
{
throw new ArgumentNullException("message");
}
foreach (OAuthMessageHandler handler in this)
{
if (handler.CanValidateMessage(message))
{
return(handler.Validate(message));
}
}
return(null);
}
public override NameValueCollection Validate(TokenRequestMessage message)
{
string clientId = message.Parameters[OAuthConstants.ClientId];
string clientSecret = message.Parameters[OAuthConstants.ClientSecret];
if (string.IsNullOrEmpty(clientId) || string.IsNullOrEmpty(clientSecret))
{
throw new InvalidOperationException("client_id and client_secret must be present for this profile");
}
bool valid = this.ClientStore.ValidateClient(clientId, clientSecret);
if (!valid)
{
throw new InvalidOperationException("client_id is not registered or client_secret is invalid");
}
message.Parameters.Remove(OAuthConstants.ClientSecret);
return(message.Parameters);
}
public virtual TokenRequestMessage ReadMessage(StreamReader reader)
{
NameValueCollection requestParameters;
string requestString;
requestString = reader.ReadToEnd();
reader.Close();
requestParameters = HttpUtility.ParseQueryString(requestString);
var message = new TokenRequestMessage();
foreach (string key in requestParameters.AllKeys)
{
if (key == OAuthConstants.GrantType)
{
message.Type = requestParameters[key];
requestParameters.Remove(key);
}
message.Parameters = requestParameters;
}
return(message);
}
public override NameValueCollection Validate(TokenRequestMessage message)
{
if (!this.CanValidateMessage(message))
{
throw new OAuthException(OAuthErrorCodes.UnsupportedGrantType, "This handler cannot validate this message.");
}
if (!message.Parameters[OAuthConstants.AssertionType].Equals("saml", StringComparison.OrdinalIgnoreCase))
{
throw new OAuthException(OAuthErrorCodes.InvalidRequest, string.Format("Assertion format '{0}' not supported. Only Saml Supported", message.Parameters[OAuthConstants.AssertionType]));
}
string assertion = message.Parameters[OAuthConstants.Assertion];
if (assertion == null)
{
throw new OAuthException(OAuthErrorCodes.InvalidRequest, "Parameter 'assertion' is mandatory");
}
this.EnsureClientExists(message);
SecurityToken token = null;
SecurityToken xtoken = null;
using (var stringReader = new StringReader(assertion))
{
var reader = XmlReader.Create(stringReader);
if (!ServiceConfiguration.SecurityTokenHandlers.CanReadToken(reader))
{
throw new OAuthException(OAuthErrorCodes.UnsupportedGrantType, "No Token handler defined can read this assertion");
}
// TODO: this should be changed to be in config
// CHANGE: matias: read decryption cert from servicecertificate instead of hardcoding localhost
using (var xprovider = new X509SecurityTokenProvider(ServiceConfiguration.ServiceCertificate))
{
xtoken = xprovider.GetToken(new TimeSpan(10, 1, 1));
}
var outOfBandTokens = new Collection <SecurityToken>();
outOfBandTokens.Add(xtoken);
// CHANGED: matias, don't validate certificate (should be read from service config)
ServiceConfiguration.CertificateValidator = X509CertificateValidator.None;
// encryptedtoken handler is 6 . Add the X509TOken which has the key to decrypt this token
ServiceConfiguration.SecurityTokenHandlers[6].Configuration.ServiceTokenResolver =
SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new ReadOnlyCollection <SecurityToken>(outOfBandTokens), false);
token = ServiceConfiguration.SecurityTokenHandlers.ReadToken(reader);
}
ClaimsIdentityCollection cc;
try
{
cc = ServiceConfiguration.SecurityTokenHandlers.ValidateToken(token);
}
catch (SecurityTokenException ex)
{
throw new OAuthException(OAuthErrorCodes.InvalidGrant, ex.Message, ex);
}
// CHANGE: matias: add CAM in order to be able to tranform claims
IClaimsPrincipal principal = new ClaimsPrincipal(cc);
if (ServiceConfiguration.ClaimsAuthenticationManager != null)
{
principal = ServiceConfiguration.ClaimsAuthenticationManager.Authenticate("replace", principal);
}
var collection = new NameValueCollection();
foreach (Claim claim in cc[0].Claims)
{
collection.Add(claim.ClaimType, claim.Value);
}
return(collection);
}
public abstract NameValueCollection Validate(TokenRequestMessage message);
public virtual bool CanValidateMessage(TokenRequestMessage message)
{
return(false);
}
