public async Task <AccessTokenResponseDto> GetAccessTokenAsync(AccessTokenRequestDto requestDto)
{
// discover endpoints from metadata
var client = new HttpClient();
var disco = await client.GetDiscoveryDocumentAsync(_configuration["AuthServer:Authority"]);
if (disco.IsError)
{
throw new System.Exception("Error");
}
// request token
var tokenResponse = await client.RequestPasswordTokenAsync(new PasswordTokenRequest
{
Address = disco.TokenEndpoint,
ClientId = _configuration["AuthServer:AppClientId"],
ClientSecret = _configuration["AuthServer:AppClientSecret"],
UserName = requestDto.UserNameOrEmailAddress,
Password = requestDto.Password,
Scope = _configuration["AuthServer:Scope"]
});
if (tokenResponse.IsError)
{
throw new System.Exception("Error");
}
return(new AccessTokenResponseDto()
{
AccessToken = tokenResponse.AccessToken,
ExpiresIn = tokenResponse.ExpiresIn,
RefreshToken = tokenResponse.RefreshToken,
TokenType = tokenResponse.TokenType
});
}
public async Task <bool> IsRequestValid(AccessTokenRequestDto request, Func <AccessTokenRequestDto, string> signatureCreator = null)
{
signatureCreator = signatureCreator ?? (accessTokenReq =>
{
var baseString = System.Text.Encoding.UTF8.GetBytes($"{request.OAuthAccessTokenBase64String}:{request.Nonce}:{request.EndUserMobileIdentifier}");
return(Convert.ToBase64String(baseString));
});
var publicKey = await _publicKeyRepo.GetPublicKey(request.EndUserMobileIdentifier, request.DeviceType.ToString());
if (string.IsNullOrWhiteSpace(publicKey))
{
return(false);
}
var rsaCrypto = new RSACryptoServiceProvider(Constants.Crypto.KeySizes);
var rsaParam = rsaCrypto.ExportParameters(false);
rsaCrypto.PublicKeyFromXmlString(publicKey);
/*rsaParam.Modulus = Convert.FromBase64String(publicKey.Replace("-----BEGIN PUBLIC KEY-----", "").Replace("-----END PUBLIC KEY-----", ""));
* rsaCrypto.ImportParameters(rsaParam);*/
var dataToVerify = signatureCreator(request);
return(rsaCrypto.VerifyData(Convert.FromBase64String(dataToVerify), SHA1.Create(), Convert.FromBase64String(request.Signature)));
}
public async Task <GateKeeperAccessTokenDto> Create(AccessTokenRequestDto requestDto)
{
var signature = String.Empty;
if (!await _requestValidator.IsRequestValid(requestDto))
{
throw new ArgumentException("Invalid request");
}
//Verify nonce
if (await _nonceRepo.Any(requestDto.Nonce))
{
throw new ArgumentException("Invalid request");
}
//Create digitally signed gatekeeper access token
var privateKey = (await _gateKeeperKeyRepo.GetPrivateAndPublicKey(Constants.GateKeeper.GateKeeperId, Constants.GateKeeper.EphemeralVersion)).Item1;
var rsa = new RSACryptoServiceProvider(Constants.Crypto.KeySizes);
rsa.FromXmlString(privateKey);
byte[] baseString = System.Text.Encoding.UTF8.GetBytes($"{requestDto.OAuthAccessTokenBase64String}:{true}");
signature = Convert.ToBase64String(rsa.SignData(baseString, SHA1.Create()));
TrackNonce(requestDto);
return(new GateKeeperAccessTokenDto
{
OAuthAccessToken = requestDto.OAuthAccessTokenBase64String,
Verified = true,
Signature = signature
});
}
public bool IsRequestValid(AccessTokenRequestDto request, RSACryptoServiceProvider rsa, Func <AccessTokenRequestDto, string> signatureCreator = null)
{
signatureCreator = signatureCreator ?? (accessTokenReq =>
{
var baseString = System.Text.Encoding.UTF8.GetBytes($"{request.OAuthAccessTokenBase64String}:{request.Nonce}:{request.EndUserMobileIdentifier}");
return(Convert.ToBase64String(baseString));
});
var dataToVerify = signatureCreator(request);
var result = rsa.VerifyData(Convert.FromBase64String(dataToVerify), "SHA1", Convert.FromBase64String(request.Signature));
return(result);
}
public async Task Post([FromBody] AccessTokenRequestDto requestDto)
{
if (String.IsNullOrWhiteSpace(requestDto.EndUserMobileIdentifier) ||
String.IsNullOrWhiteSpace(requestDto.OAuthAccessTokenBase64String) ||
String.IsNullOrWhiteSpace(requestDto.Nonce) ||
String.IsNullOrWhiteSpace(requestDto.Signature))
{
throw new ArgumentException("Invalid request");
}
var result = await _accessTokenAgg.CreateParallel(requestDto);
}
private Task TrackNonce(AccessTokenRequestDto requestDto)
{
return(_nonceRepo.Save(new NonceDto
{
Nonce = requestDto.Nonce,
OAuthAccessTokenBase64String = requestDto.OAuthAccessTokenBase64String,
Signature = requestDto.Signature
}).ContinueWith(task =>
{
if (task.IsCanceled || task.IsFaulted)
{
var ex = task.Exception;
}
}));
}
public void Given_A_Valid_OAuth_AccessToken_Signed_Then_Validate_Return_True()
{
//arrange
var rsa = CreateAndPublishKey();
var request = new AccessTokenRequestDto();
request.OAuthAccessTokenBase64String = Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes("First-AccessToken"));
request.DeviceType = DeviceType.AndroidPhone;
request.EndUserMobileIdentifier = "yusbel_gmail_Android_TD_Spend";
request.Nonce = "garcia.diaz";
byte[] baseString = System.Text.Encoding.UTF8.GetBytes($"{request.OAuthAccessTokenBase64String}:{request.Nonce}:{request.EndUserMobileIdentifier}");
request.Signature = Convert.ToBase64String(rsa.SignData(baseString, SHA1.Create()));
//act
DeviceRequestValidator validator = new DeviceRequestValidator(new PublicKeyRepo());
var result = validator.IsRequestValid(request).Result;
AccessTokenAggregateRoot aggregateRoot = new AccessTokenAggregateRoot(validator, new GateKeeperKeyRepo(), new NonceRepo(), new Logger());
var created = aggregateRoot.Create(request).Result;
//assert
Microsoft.VisualStudio.TestTools.UnitTesting.Assert.IsTrue(result);
}
public ActionResult <AccessTokenResponseDto> CreateLifetimeToken([FromBody] AccessTokenRequestDto request)
{
var user = _userRetriever.RetrieveUser();
return(Ok(_storage.CreateLifetimeToken(request.FriendlyName, user.Id)));
}
