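/// <summary>
        /// Handles the sign-in response posted back to this endpoint: extracts the
        /// <c>wresult</c> form value, parses it as a WS-Trust (Feb 2005) token response,
        /// validates the Simple Web Token it carries against <c>_acsRealm</c>, requests an
        /// authorization code for the identity named in the token, and redirects to
        /// <c>/auth/broker/end</c> with that code in the <c>acsToken</c> query parameter.
        /// </summary>
        /// <returns>
        /// Always <c>null</c>; the redirect is written directly to the response, which is then ended.
        /// </returns>
        /// <exception cref="InvalidOperationException">
        /// The posted response has no <c>wresult</c> value, carries no token, carries a token
        /// that is not a <c>SimpleWebToken</c>, or the token has no name-identifier claim.
        /// </exception>
        public ActionResult Callback()
        {
            // The request body is supplied by the caller and must be treated as untrusted
            // until the token inside it has been validated.
            string input;
            using (var reader = new StreamReader(Request.InputStream))
            {
                input = reader.ReadToEnd();
            }

            // NOTE(review): locationBase is taken from the incoming request URL and is later
            // used as the redirect target; confirm the host is constrained by the site
            // bindings or an allow-list rather than by whatever the client sent.
            string locationBase = string.Format("{0}/auth/broker/end",
                                                Request.Url.GetComponents(UriComponents.SchemeAndServer,
                                                                          UriFormat.Unescaped));

            // The form-encoded body is appended to a URI only so that it can be parsed as a query string.
            var inputInQueryStringUri = new Uri(locationBase + "?" + input);
            NameValueCollection tokenValues = inputInQueryStringUri.ParseQueryString();
            string tokenData = tokenValues["wresult"];
            if (string.IsNullOrEmpty(tokenData))
            {
                // Fail closed with a clear reason instead of an ArgumentNullException from StringReader.
                throw new InvalidOperationException("The sign-in response does not contain a wresult value.");
            }

            //Validate SWT token
            var tokenSerializer = new WSTrustFeb2005ResponseSerializer();
            RequestSecurityTokenResponse requestSecurityTokenResponse;
            using (var xmlReader = new XmlTextReader(new StringReader(tokenData)))
            {
                // The XML comes straight from the request body: refuse DTDs and never resolve
                // external entities, so the parser cannot be used to read local files or make
                // outbound requests (XXE) or to expand entities without bound.
                xmlReader.DtdProcessing = DtdProcessing.Prohibit;
                xmlReader.XmlResolver = null;

                requestSecurityTokenResponse = tokenSerializer.ReadXml(xmlReader,
                                                                       new WSTrustSerializationContext());
            }

            if (requestSecurityTokenResponse == null ||
                requestSecurityTokenResponse.RequestedSecurityToken == null ||
                requestSecurityTokenResponse.RequestedSecurityToken.SecurityTokenXml == null)
            {
                throw new InvalidOperationException("The sign-in response does not contain a security token.");
            }

            var simpleWebTokenHandler = new SimpleWebTokenHandler("https://" + _registrationService.ServiceNamespace + ".accesscontrol.windows.net/", _swtSigningKey);
            var securityToken = simpleWebTokenHandler.ReadToken(requestSecurityTokenResponse.RequestedSecurityToken.SecurityTokenXml.InnerText) as SimpleWebToken;
            if (securityToken == null)
            {
                // The 'as' cast yields null for any other token type; reject it before validation.
                throw new InvalidOperationException("The security token in the sign-in response is not a Simple Web Token.");
            }

            // NOTE(review): the return value is not inspected, so this relies on ValidateToken
            // throwing when the signature, issuer, audience or expiry check fails - confirm.
            simpleWebTokenHandler.ValidateToken(securityToken, _acsRealm);

            //Create delegation in ACS
            var authServerIdentifier = securityToken.Claims.FirstOrDefault(c => c.ClaimType == ClaimTypes.NameIdentifier);
            if (authServerIdentifier == null)
            {
                // Without a name identifier there is no identity to delegate for.
                throw new InvalidOperationException("The security token does not contain a name identifier claim.");
            }

            var authServerIdentity = new AuthorizationServerIdentity
                                         {
                                             NameIdentifier = authServerIdentifier.Value,
                                             IdentityProvider = authServerIdentifier.Issuer
                                         };

            //todo: Check if we can add some claims (role claims) to the scope
            string code = _registrationService.GetAuthorizationCode(_clientId, authServerIdentity, "scope");

            //todo: use OAuth parameter names in the return URL
            //return the token
            // NOTE(review): code is placed in the query string as returned; confirm that
            // GetAuthorizationCode yields a URL-safe value, otherwise escape it here.
            string location = string.Format("{0}?acsToken={1}", locationBase, code);

            Response.StatusCode = (int)HttpStatusCode.Redirect;
            Response.Headers.Add("Location", location);
            Response.End();

            return null;
        }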
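        /// <summary>
        /// Reads the incoming access token, validates it against the configured issuer,
        /// signing key and realm, runs the resulting principal through the authentication
        /// pipeline and, only if every step succeeds, installs it as the current principal.
        /// </summary>
        /// <param name="accessToken">The incoming access token.</param>
        /// <param name="error">
        /// Set to an error response whenever the method returns <c>false</c>; <c>null</c> on success.
        /// </param>
        /// <returns>
        /// <c>true</c> only when the token validated, every pipeline step completed and the
        /// principal was assigned; <c>false</c> otherwise.
        /// </returns>
        protected bool ReadAndValidateToken(string accessToken, out ResourceAccessErrorResponse error)
        {
            bool tokenValid = false;
            error = null;

            try
            {
                var handler = new SimpleWebTokenHandler(_issuer, _tokenSigningKey);

                // read the token
                SecurityToken token = handler.ReadToken(accessToken);

                // validate the token
                ClaimsIdentityCollection claimsIdentityCollection = handler.ValidateToken(token, _realm);

                // create a claims Principal from the token
                var claimsPrincipal = ClaimsPrincipal.CreateFromIdentities(claimsIdentityCollection);
                if (claimsPrincipal != null)
                {
                    // push it through the pipeline
                    foreach (var step in authenticationPipeline)
                    {
                        claimsPrincipal = step.Authenticate(token, claimsPrincipal);
                    }

                    // assign to threads
                    if (HttpContext.Current != null)
                    {
                        HttpContext.Current.User = claimsPrincipal;
                    }
                    Thread.CurrentPrincipal = claimsPrincipal;

                    // Report success only after the whole pipeline has run. Setting the flag
                    // earlier meant a pipeline step that threw still produced a 'true' result
                    // alongside a populated error, which a caller checking only the return
                    // value would treat as an authenticated request.
                    tokenValid = true;
                }
                else
                {
                    // Keep the contract that a 'false' result always comes with an error.
                    error = new ResourceAccessErrorResponse(_realm, "SWT401", "Token validation failed");
                }
            }
            catch (InvalidTokenReceivedException ex)
            {
                error = new ResourceAccessErrorResponse(_realm, ex.ErrorCode, ex.ErrorDescription);
            }
            catch (ExpiredTokenReceivedException ex)
            {
                error = new ResourceAccessErrorResponse(_realm, ex.ErrorCode, ex.ErrorDescription);
            }
            catch (Exception)
            {
                // Any other failure is reported with a generic code and message so that
                // internal exception details are not returned to the caller.
                error = new ResourceAccessErrorResponse(_realm, "SWT401", "Token validation failed");
            }

            return tokenValid;
        }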