Esempio n. 1
0
        /// <summary>
        /// Gets the authentication client.
        /// </summary>
        /// <returns></returns>
        private AuthClient GetAuthClient()
        {
            if (_authClient == null)
            {
                var rockContext       = new RockContext();
                var authClientService = new AuthClientService(rockContext);
                var authClientId      = PageParameter(PageParamKey.ClientId);
                _authClient = authClientService.GetByClientId(authClientId);
            }

            return(_authClient);
        }
Esempio n. 2
0
        private void AcceptAuthorization()
        {
            var owinContext = Context.GetOwinContext();
            var request     = owinContext.GetOpenIdConnectRequest();

            // TODO: only allow valid scopes.
            var requestedScopes = request.GetScopes();
            var authClientId    = PageParameter(PageParamKey.ClientId);
            IDictionary <string, string> clientAllowedClaims = null;

            AuthClient           authClient          = null;
            IEnumerable <string> clientAllowedScopes = null;

            using (var rockContext = new RockContext())
            {
                var authClientService = new AuthClientService(rockContext);
                authClient          = authClientService.GetByClientId(authClientId);
                clientAllowedScopes = RockIdentityHelper.NarrowRequestedScopesToApprovedScopes(rockContext, authClientId, requestedScopes);
                clientAllowedClaims = RockIdentityHelper.GetAllowedClientClaims(rockContext, authClientId, clientAllowedScopes);
            }

            if (authClient == null || clientAllowedScopes == null || clientAllowedClaims == null)
            {
                // TODO: Error
                return;
            }

            // Create a new ClaimsIdentity containing the claims that
            // will be used to create an id_token, a token or a code.
            var identity = RockIdentityHelper.GetRockClaimsIdentity(CurrentUser, clientAllowedClaims, authClientId);

            // Create a new authentication ticket holding the user identity.
            var ticket = new AuthenticationTicket(identity, new AuthenticationProperties());

            // We should set the scopes to the requested valid scopes.
            ticket.SetScopes(requestedScopes);

            // Set the resource servers the access token should be issued for.
            ticket.SetResources("resource_server");

            // Returning a SignInResult will ask ASOS to serialize the specified identity
            // to build appropriate tokens. You should always make sure the identities
            // you return contain the OpenIdConnectConstants.Claims.Subject claim. In this sample,
            // the identity always contains the name identifier returned by the external provider.

            owinContext.Authentication.SignIn(ticket.Properties, identity);
        }
Esempio n. 3
0
        /// <summary>
        /// Calls when a process requests authorization.
        /// </summary>
        /// <param name="actionContext">The action context, which encapsulates information for using <see cref="T:System.Web.Http.Filters.AuthorizationFilterAttribute" />.</param>
        public override void OnAuthorization(HttpActionContext actionContext)
        {
            // See if user is logged in
            var principal = System.Threading.Thread.CurrentPrincipal;

            if (principal != null && principal.Identity != null && !string.IsNullOrWhiteSpace(principal.Identity.Name))
            {
                actionContext.Request.SetUserPrincipal(principal);
                return;
            }

            // If check if ASOS authentication occurred.
            principal = actionContext.RequestContext.Principal;
            if (principal != null && principal.Identity != null)
            {
                var claimIdentity = principal.Identity as ClaimsIdentity;
                if (claimIdentity != null)
                {
                    var clientId = claimIdentity.Claims.FirstOrDefault(c => c.Type == Claims.ClientId)?.Value;
                    if (clientId.IsNotNullOrWhiteSpace())
                    {
                        using (var rockContext = new RockContext())
                        {
                            var authClientService = new AuthClientService(rockContext);
                            var authClient        = authClientService.GetByClientId(clientId);
                            if (authClient.AllowUserApiAccess)
                            {
                                var userName = claimIdentity.Claims.FirstOrDefault(c => c.Type == Claims.Username)?.Value;

                                if (userName.IsNotNullOrWhiteSpace() && clientId.IsNotNullOrWhiteSpace())
                                {
                                    UserLogin userLogin = null;

                                    var userLoginService = new UserLoginService(rockContext);
                                    userLogin = userLoginService.GetByUserName(userName);

                                    if (userLogin != null)
                                    {
                                        var identity = new GenericIdentity(userLogin.UserName);
                                        principal = new GenericPrincipal(identity, null);
                                        actionContext.Request.SetUserPrincipal(principal);
                                        return;
                                    }
                                }
                            }
                        }
                    }
                }
            }

            // If not, see if there's a valid Rock APIKey token
            TryRetrieveHeader(actionContext, HeaderTokens.AuthorizationToken, out var authToken);

            if (string.IsNullOrWhiteSpace(authToken))
            {
                string queryString = actionContext.Request.RequestUri.Query;
                authToken = System.Web.HttpUtility.ParseQueryString(queryString).Get("apikey");
            }

            if (!string.IsNullOrWhiteSpace(authToken))
            {
                var userLoginService = new UserLoginService(new Rock.Data.RockContext());
                var userLogin        = userLoginService.Queryable().Where(u => u.ApiKey == authToken).FirstOrDefault();
                if (userLogin != null)
                {
                    var identity = new GenericIdentity(userLogin.UserName);
                    principal = new GenericPrincipal(identity, null);
                    actionContext.Request.SetUserPrincipal(principal);
                    return;
                }
            }

            // If still not successful, check for a JSON Web Token
            if (TryRetrieveHeader(actionContext, HeaderTokens.JWT, out var jwtString))
            {
                // If the JSON Web Token is in the header, we can determine the User from that
                var userLogin = JwtHelper.GetUserLoginByJSONWebToken(new RockContext(), jwtString);
                if (userLogin != null)
                {
                    var identity = new GenericIdentity(userLogin.UserName);
                    principal = new GenericPrincipal(identity, null);
                    actionContext.Request.SetUserPrincipal(principal);
                    return;
                }

                // Just in rare case the GetPersonFromJWTPersonSearchKey feature is being used, see if person can be determined this way
                var person = JwtHelper.GetPersonFromJWTPersonSearchKey(jwtString);

                if (person != null)
                {
                    actionContext.Request.Properties.Add("Person", person);
                    return;
                }
            }
        }
Esempio n. 4
0
        /// <summary>
        /// Calls when a process requests authorization.
        /// </summary>
        /// <param name="actionContext">The action context, which encapsulates information for using <see cref="T:System.Web.Http.Filters.AuthorizationFilterAttribute" />.</param>
        public override void OnAuthorization(HttpActionContext actionContext)
        {
            // See if user is logged in
            var principal = System.Threading.Thread.CurrentPrincipal;

            if (principal != null && principal.Identity != null && !string.IsNullOrWhiteSpace(principal.Identity.Name))
            {
                actionContext.Request.SetUserPrincipal(principal);
                return;
            }

            // If check if ASOS authentication occurred.
            principal = actionContext.RequestContext.Principal;
            if (principal != null && principal.Identity != null)
            {
                var claimIdentity = principal.Identity as ClaimsIdentity;
                if (claimIdentity != null)
                {
                    var clientId = claimIdentity.Claims.FirstOrDefault(c => c.Type == Claims.ClientId)?.Value;
                    if (clientId.IsNotNullOrWhiteSpace())
                    {
                        using (var rockContext = new RockContext())
                        {
                            var authClientService = new AuthClientService(rockContext);
                            var authClient        = authClientService.GetByClientId(clientId);
                            if (authClient.AllowUserApiAccess)
                            {
                                var userName = claimIdentity.Claims.FirstOrDefault(c => c.Type == Claims.Username)?.Value;

                                if (userName.IsNotNullOrWhiteSpace() && clientId.IsNotNullOrWhiteSpace())
                                {
                                    UserLogin userLogin = null;

                                    var userLoginService = new UserLoginService(rockContext);
                                    userLogin = userLoginService.GetByUserName(userName);

                                    if (userLogin != null)
                                    {
                                        var identity = new GenericIdentity(userLogin.UserName);
                                        principal = new GenericPrincipal(identity, null);
                                        actionContext.Request.SetUserPrincipal(principal);
                                        return;
                                    }
                                }
                            }
                        }
                    }
                }
            }

            // If not, see if there's a valid token
            TryRetrieveHeader(actionContext, HeaderTokens.AuthorizationToken, out var authToken);

            if (string.IsNullOrWhiteSpace(authToken))
            {
                string queryString = actionContext.Request.RequestUri.Query;
                authToken = System.Web.HttpUtility.ParseQueryString(queryString).Get("apikey");
            }

            if (!string.IsNullOrWhiteSpace(authToken))
            {
                var userLoginService = new UserLoginService(new Rock.Data.RockContext());
                var userLogin        = userLoginService.Queryable().Where(u => u.ApiKey == authToken).FirstOrDefault();
                if (userLogin != null)
                {
                    var identity = new GenericIdentity(userLogin.UserName);
                    principal = new GenericPrincipal(identity, null);
                    actionContext.Request.SetUserPrincipal(principal);
                    return;
                }
            }

            // If still not successful, check for a JSON Web Token
            if (TryRetrieveHeader(actionContext, HeaderTokens.JWT, out var jwtString))
            {
                Person person = null;

                // We need to wait for the JwtHelper.GetPerson method rather than using the await keyword. The await keyword
                // forces this entire method to be async causing the Secured attribute to process before everything
                // is finished here
                Task.Run(async() =>
                {
                    person = await JwtHelper.GetPerson(jwtString);
                }).Wait();

                if (person != null)
                {
                    actionContext.Request.Properties.Add("Person", person);
                    return;
                }
            }
        }