public Core.Common.Models.Client AuthenticateClient(AuthenticateInstruction instruction, Core.Common.Models.Client client)
        {
            if (instruction == null)
            {
                throw new ArgumentNullException(nameof(instruction));
            }

            if (client == null)
            {
                throw new ArgumentNullException(nameof(client));
            }

            if (instruction.Certificate == null || client.Secrets == null)
            {
                return(null);
            }

            var thumbPrint = client.Secrets.FirstOrDefault(s => s.Type == ClientSecretTypes.X509Thumbprint);
            var name       = client.Secrets.FirstOrDefault(s => s.Type == ClientSecretTypes.X509Name);

            if (thumbPrint == null || name == null)
            {
                return(null);
            }

            var certificate      = instruction.Certificate;
            var isSameThumbPrint = thumbPrint == null || thumbPrint != null && thumbPrint.Value == certificate.Thumbprint;
            var isSameName       = name == null || name != null && name.Value == certificate.SubjectName.Name;

            return(isSameName && isSameThumbPrint ? client : null);
        }
Exemple #2
0
        /// <summary>
        /// Try to get the client id.
        /// </summary>
        /// <param name="instruction"></param>
        /// <returns></returns>
        public string GetClientId(AuthenticateInstruction instruction)
        {
            if (instruction.ClientAssertionType != Dtos.Constants.ClientAssertionTypes.JwtBearer || string.IsNullOrWhiteSpace(instruction.ClientAssertion))
            {
                return(string.Empty);
            }

            var clientAssertion = instruction.ClientAssertion;
            var isJweToken      = _jwtParser.IsJweToken(clientAssertion);
            var isJwsToken      = _jwtParser.IsJwsToken(clientAssertion);

            if (isJweToken && isJwsToken)
            {
                return(string.Empty);
            }

            // It's a JWE token then return the client_id from the HTTP body
            if (isJweToken)
            {
                return(instruction.ClientIdFromHttpRequestBody);
            }

            // It's a JWS token then return the client_id from the token.
            var payload = _jwsParser.GetPayload(clientAssertion);

            if (payload == null)
            {
                return(string.Empty);
            }

            return(payload.Issuer);
        }
        public string GetClientId(AuthenticateInstruction instruction)
        {
            if (instruction == null)
            {
                throw new ArgumentNullException("the instruction cannot be null");
            }

            return(instruction.ClientIdFromAuthorizationHeader);
        }
        public string GetClientId(AuthenticateInstruction instruction)
        {
            if (instruction == null)
            {
                throw new ArgumentNullException("the instruction parameter cannot be null");
            }

            return(instruction.ClientIdFromHttpRequestBody);
        }
Exemple #5
0
        public AuthenticateInstruction GetAuthenticateInstruction(AuthenticationHeaderValue authenticationHeaderValue)
        {
            var result = new AuthenticateInstruction();

            if (authenticationHeaderValue != null &&
                !string.IsNullOrWhiteSpace(authenticationHeaderValue.Parameter))
            {
                var parameters = GetParameters(authenticationHeaderValue.Parameter);
                if (parameters != null && parameters.Count() == 2)
                {
                    result.ClientIdFromAuthorizationHeader     = parameters[0];
                    result.ClientSecretFromAuthorizationHeader = parameters[1];
                }
            }

            return(result);
        }
        /// <summary>
        /// Try to get the client id from the HTTP body or HTTP header.
        /// </summary>
        /// <param name="instruction">Authentication instruction</param>
        /// <returns>Client id</returns>
        private string TryGettingClientId(AuthenticateInstruction instruction)
        {
            var clientId = _clientAssertionAuthentication.GetClientId(instruction);

            if (!string.IsNullOrWhiteSpace(clientId))
            {
                return(clientId);
            }

            clientId = _clientSecretBasicAuthentication.GetClientId(instruction);
            if (!string.IsNullOrWhiteSpace(clientId))
            {
                return(clientId);
            }

            return(_clientSecretPostAuthentication.GetClientId(instruction));
        }
        public Client AuthenticateClient(AuthenticateInstruction instruction, Client client)
        {
            if (client == null || instruction == null)
            {
                throw new ArgumentNullException("the client or instruction cannot be null");
            }

            if (client.Secrets == null)
            {
                return(null);
            }

            var clientSecret = client.Secrets.FirstOrDefault(s => s.Type == ClientSecretTypes.SharedSecret);

            if (clientSecret == null)
            {
                return(null);
            }

            var sameSecret = string.Compare(clientSecret.Value, _clientPasswordService.Encrypt(instruction.ClientSecretFromAuthorizationHeader), StringComparison.CurrentCultureIgnoreCase) == 0;

            return(sameSecret ? client : null);
        }
        public Core.Common.Models.Client AuthenticateClient(AuthenticateInstruction instruction, Core.Common.Models.Client client)
        {
            if (instruction == null || client == null)
            {
                throw new ArgumentNullException("the instruction or client parameter cannot be null");
            }

            if (client.Secrets == null)
            {
                return(null);
            }

            var clientSecret = client.Secrets.FirstOrDefault(s => s.Type == ClientSecretTypes.SharedSecret);

            if (clientSecret == null)
            {
                return(null);
            }

            var sameSecret = string.Compare(clientSecret.Value, _clientPasswordService.Encrypt(instruction.ClientSecretFromHttpRequestBody), StringComparison.CurrentCultureIgnoreCase) == 0;

            return(sameSecret ? client : null);
        }
Exemple #9
0
        public async Task <AuthenticationResult> AuthenticateClientWithPrivateKeyJwtAsync(AuthenticateInstruction instruction, string expectedIssuer)
        {
            if (instruction == null)
            {
                throw new ArgumentNullException("instruction");
            }

            var clientAssertion = instruction.ClientAssertion;
            var isJwsToken      = _jwtParser.IsJwsToken(clientAssertion);

            if (!isJwsToken)
            {
                return(new AuthenticationResult(null, ErrorDescriptions.TheClientAssertionIsNotAJwsToken));
            }

            var jws        = instruction.ClientAssertion;
            var jwsPayload = _jwsParser.GetPayload(jws);

            if (jwsPayload == null)
            {
                return(new AuthenticationResult(null, ErrorDescriptions.TheJwsPayloadCannotBeExtracted));
            }

            var clientId = jwsPayload.Issuer;
            var payload  = await _jwtParser.UnSignAsync(jws, clientId);

            if (payload == null)
            {
                return(new AuthenticationResult(null, ErrorDescriptions.TheSignatureIsNotCorrect));
            }

            return(await ValidateJwsPayLoad(payload, expectedIssuer));
        }
Exemple #10
0
        public async Task <AuthenticationResult> AuthenticateClientWithClientSecretJwtAsync(AuthenticateInstruction instruction, string clientSecret, string expectedIssuer)
        {
            if (instruction == null)
            {
                throw new ArgumentNullException(nameof(instruction));
            }

            var clientAssertion = instruction.ClientAssertion;
            var isJweToken      = _jwtParser.IsJweToken(clientAssertion);

            if (!isJweToken)
            {
                return(new AuthenticationResult(null, ErrorDescriptions.TheClientAssertionIsNotAJweToken));
            }

            var jwe      = instruction.ClientAssertion;
            var clientId = instruction.ClientIdFromHttpRequestBody;
            var jws      = await _jwtParser.DecryptWithPasswordAsync(jwe, clientId, clientSecret);

            if (string.IsNullOrWhiteSpace(jws))
            {
                return(new AuthenticationResult(null, ErrorDescriptions.TheJweTokenCannotBeDecrypted));
            }

            var isJwsToken = _jwtParser.IsJwsToken(jws);

            if (!isJwsToken)
            {
                return(new AuthenticationResult(null, ErrorDescriptions.TheClientAssertionIsNotAJwsToken));
            }

            var jwsPayload = await _jwtParser.UnSignAsync(jws, clientId);

            if (jwsPayload == null)
            {
                return(new AuthenticationResult(null, ErrorDescriptions.TheJwsPayloadCannotBeExtracted));
            }

            return(await ValidateJwsPayLoad(jwsPayload, expectedIssuer));
        }
        public async Task <AuthenticationResult> AuthenticateAsync(AuthenticateInstruction instruction, string issuerName, bool isAuthorizationCodeGrantType = false)
        {
            if (instruction == null)
            {
                throw new ArgumentNullException(nameof(instruction));
            }

            Client client = null;
            // First we try to fetch the client_id
            // The different client authentication mechanisms are described here : http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
            var clientId = TryGettingClientId(instruction);

            if (!string.IsNullOrWhiteSpace(clientId))
            {
                client = await _clientRepository.GetClientByIdAsync(clientId).ConfigureAwait(false);
            }

            if (client == null)
            {
                return(new AuthenticationResult(null, ErrorDescriptions.TheClientDoesntExist));
            }

            if (isAuthorizationCodeGrantType && client.RequirePkce)
            {
                return(new AuthenticationResult(client, string.Empty));
            }

            var tokenEndPointAuthMethod = client.TokenEndPointAuthMethod;
            var authenticationType      = Enum.GetName(typeof(TokenEndPointAuthenticationMethods), tokenEndPointAuthMethod);

            _oauthEventSource.StartToAuthenticateTheClient(client.ClientId,
                                                           authenticationType);
            var errorMessage = string.Empty;

            switch (tokenEndPointAuthMethod)
            {
            case TokenEndPointAuthenticationMethods.client_secret_basic:
                client = _clientSecretBasicAuthentication.AuthenticateClient(instruction, client);
                if (client == null)
                {
                    errorMessage = ErrorDescriptions.TheClientCannotBeAuthenticatedWithSecretBasic;
                }
                break;

            case TokenEndPointAuthenticationMethods.client_secret_post:
                client = _clientSecretPostAuthentication.AuthenticateClient(instruction, client);
                if (client == null)
                {
                    errorMessage = ErrorDescriptions.TheClientCannotBeAuthenticatedWithSecretPost;
                }
                break;

            case TokenEndPointAuthenticationMethods.client_secret_jwt:
                if (client.Secrets == null || !client.Secrets.Any(s => s.Type == ClientSecretTypes.SharedSecret))
                {
                    errorMessage = string.Format(ErrorDescriptions.TheClientDoesntContainASharedSecret, client.ClientId);
                    break;
                }
                return(await _clientAssertionAuthentication.AuthenticateClientWithClientSecretJwtAsync(instruction, client.Secrets.First(s => s.Type == ClientSecretTypes.SharedSecret).Value, issuerName).ConfigureAwait(false));

            case TokenEndPointAuthenticationMethods.private_key_jwt:
                return(await _clientAssertionAuthentication.AuthenticateClientWithPrivateKeyJwtAsync(instruction, issuerName).ConfigureAwait(false));

            case TokenEndPointAuthenticationMethods.tls_client_auth:
                client = _clientTlsAuthentication.AuthenticateClient(instruction, client);
                if (client == null)
                {
                    errorMessage = ErrorDescriptions.TheClientCannotBeAuthenticatedWithTls;
                }
                break;
            }

            if (client != null)
            {
                _oauthEventSource.FinishToAuthenticateTheClient(client.ClientId, authenticationType);
            }

            return(new AuthenticationResult(client, errorMessage));
        }