public static AuthenticationTicket Read(BinaryReader reader) { if (reader.ReadInt32() != FormatVersion) { return(null); } string authenticationType = reader.ReadString(); string nameClaimType = reader.ReadString(); string roleClaimType = reader.ReadString(); int count = reader.ReadInt32(); var claims = new Claim[count]; for (int index = 0; index != count; ++index) { string type = reader.ReadString(); string value = reader.ReadString(); string valueType = reader.ReadString(); string issuer = reader.ReadString(); claims[index] = new Claim(type, value, valueType, issuer); } var identity = new ClaimsIdentity(claims, authenticationType, nameClaimType, roleClaimType); AuthenticationExtra extra = ExtraSerializer.Read(reader); return(new AuthenticationTicket(identity, extra)); }
public FormsResponseSignInContext(IDictionary <string, object> environment, string authenticationType, ClaimsIdentity identity, AuthenticationExtra extra) { Environment = environment; AuthenticationType = authenticationType; Identity = identity; Extra = extra; }
public FormsResponseSignInContext(IDictionary<string, object> environment, string authenticationType, ClaimsIdentity identity, IDictionary<string, string> extra) { Environment = environment; AuthenticationType = authenticationType; Identity = identity; Extra = new AuthenticationExtra(extra); }
public Task Invoke(IDictionary <string, object> env) { var request = new OwinRequest(env); var response = new OwinResponse(env); // The forms auth module has a bug where it null refs on a null Extra var headers = request.Get <IDictionary <string, string[]> >(Owin.Types.OwinConstants.RequestHeaders); var cookies = request.GetCookies(); string cookieValue; if (cookies != null && cookies.TryGetValue("jabbr.id", out cookieValue)) { AuthenticationTicket ticket = _ticketHandler.Unprotect(cookieValue); if (ticket != null && ticket.Extra == null) { var extra = new AuthenticationExtra(); extra.IsPersistent = true; extra.IssuedUtc = DateTime.UtcNow; extra.ExpiresUtc = DateTime.UtcNow.AddDays(30); var newTicket = new AuthenticationTicket(ticket.Identity, extra); var cookieBuilder = new StringBuilder(); foreach (var cookie in cookies) { string value = cookie.Value; if (cookie.Key == "jabbr.id") { // Create a new ticket preserving the identity of the user // so they don't get logged out value = _ticketHandler.Protect(newTicket); response.AddCookie("jabbr.id", value, new CookieOptions { Expires = extra.ExpiresUtc.Value.UtcDateTime, HttpOnly = true }); } if (cookieBuilder.Length > 0) { cookieBuilder.Append(";"); } cookieBuilder.Append(cookie.Key) .Append("=") .Append(Uri.EscapeDataString(value)); } headers["Cookie"] = new[] { cookieBuilder.ToString() }; } } return(_next(env)); }
private static ExternalAccessToken Deserialize(AuthenticationExtra extra) { return(new ExternalAccessToken { LoginProvider = extra.Properties[LoginProvider], ProviderKey = extra.Properties[ProviderKey], DisplayName = extra.Properties[DisplayName], Expires = DateTime.ParseExact(extra.Properties[Expires], "u", CultureInfo.InvariantCulture) }); }
/// <summary></summary> /// <param name="context"></param> /// <param name="user"></param> /// <param name="extra"></param> public static void SignIn(this HttpContext context, ClaimsPrincipal user, AuthenticationExtra extra) { if (context == null) { throw new ArgumentNullException("context"); } OwinResponse response = GetOwinResponse(context); response.Grant(user, extra); }
public Task Invoke(IDictionary <string, object> env) { var request = new OwinRequest(env); var response = new OwinResponse(env); string cookieValue = request.Cookies["jabbr.id"]; if (!String.IsNullOrEmpty(cookieValue)) { AuthenticationTicket ticket = _ticketHandler.Unprotect(cookieValue); if (ticket != null && ticket.Extra == null) { var extra = new AuthenticationExtra(); extra.IsPersistent = true; extra.IssuedUtc = DateTime.UtcNow; extra.ExpiresUtc = DateTime.UtcNow.AddDays(30); var newTicket = new AuthenticationTicket(ticket.Identity, extra); var cookieBuilder = new StringBuilder(); foreach (var cookie in request.Cookies) { string value = cookie.Value; if (cookie.Key == "jabbr.id") { // Create a new ticket preserving the identity of the user // so they don't get logged out value = _ticketHandler.Protect(newTicket); response.Cookies.Append("jabbr.id", value, new CookieOptions { Expires = extra.ExpiresUtc.Value.UtcDateTime, HttpOnly = true }); } if (cookieBuilder.Length > 0) { cookieBuilder.Append(";"); } cookieBuilder.Append(cookie.Key) .Append("=") .Append(Uri.EscapeDataString(value)); } request.Headers["Cookie"] = cookieBuilder.ToString(); } } return(_next(env)); }
public GoogleAuthenticatedContext( IDictionary <string, object> environment, ClaimsIdentity identity, AuthenticationExtra extra, XElement responseMessage, IDictionary <string, string> attributeExchangeProperties) : base(environment) { Identity = identity; Extra = extra; ResponseMessage = responseMessage; AttributeExchangeProperties = attributeExchangeProperties; }
public GoogleAuthenticatedContext( IDictionary<string, object> environment, ClaimsIdentity identity, AuthenticationExtra extra, XElement responseMessage, IDictionary<string, string> attributeExchangeProperties) : base(environment) { Identity = identity; Extra = extra; ResponseMessage = responseMessage; AttributeExchangeProperties = attributeExchangeProperties; }
private static AuthenticationExtra Serialize(ExternalAccessToken token) { AuthenticationExtra extra = new AuthenticationExtra(); if (token == null) { return(extra); } extra.Properties[LoginProvider] = token.LoginProvider ?? String.Empty; extra.Properties[ProviderKey] = token.ProviderKey ?? String.Empty; extra.Properties[DisplayName] = token.DisplayName ?? String.Empty; extra.Properties[Expires] = token.Expires.ToString("u", CultureInfo.InvariantCulture); return(extra); }
public ExternalAccessToken Unprotect(string protectedText) { AuthenticationTicket ticket = InnerHandler.Unprotect(protectedText); if (ticket == null) { return(null); } AuthenticationExtra extra = ticket.Extra; if (extra == null) { return(null); } return(Deserialize(extra)); }
protected override async Task ApplyResponseChallenge() { _logger.WriteVerbose("ApplyResponseChallenge"); if (Response.StatusCode != 401) { return; } AuthenticationResponseChallenge challenge = Helper.LookupChallenge(Options.AuthenticationType, Options.AuthenticationMode); if (challenge != null) { string requestPrefix = Request.Scheme + "://" + Request.Host; string currentQueryString = Request.QueryString; string currentUri = string.IsNullOrEmpty(currentQueryString) ? requestPrefix + Request.PathBase + Request.Path : requestPrefix + Request.PathBase + Request.Path + "?" + currentQueryString; string redirectUri = requestPrefix + Request.PathBase + Options.ReturnEndpointPath; AuthenticationExtra extra = challenge.Extra; if (string.IsNullOrEmpty(extra.RedirectUrl)) { extra.RedirectUrl = currentUri; } // OAuth2 10.12 CSRF GenerateCorrelationId(extra); string state = Options.StateDataHandler.Protect(extra); string authorizationEndpoint = "https://www.facebook.com/dialog/oauth" + "?response_type=code" + "&client_id=" + Uri.EscapeDataString(Options.AppId ?? string.Empty) + "&redirect_uri=" + Uri.EscapeDataString(redirectUri) + "&scope=" + Uri.EscapeDataString(Options.Scope ?? string.Empty) + "&state=" + Uri.EscapeDataString(state); Response.Redirect(authorizationEndpoint); } }
protected void GenerateCorrelationId(AuthenticationExtra extra) { var correlationKey = Constants.CorrelationPrefix + BaseOptions.AuthenticationType; var nonceBytes = new byte[32]; Random.GetBytes(nonceBytes); var correlationId = TextEncodings.Base64Url.Encode(nonceBytes); var cookieOptions = new CookieOptions { HttpOnly = true, Secure = Request.IsSecure }; extra.Properties[correlationKey] = correlationId; Response.AddCookie(correlationKey, correlationId, cookieOptions); }
public AuthenticationTicket Unprotect(string protectedText) { var expectedIssuer = MetadataResolver.GetIssuer(Tenant); var validSigningTokens = MetadataResolver.GetSigningTokens(Tenant); var tokenHandler = new JwtSecurityTokenHandler() { CertificateValidator = X509CertificateValidator.None }; var validationParameters = new TokenValidationParameters { AllowedAudience = Audience, ValidIssuer = expectedIssuer, SigningTokens = validSigningTokens }; ClaimsPrincipal claimsPrincipal = tokenHandler.ValidateToken(protectedText, validationParameters); var claimsIdentity = (ClaimsIdentity)claimsPrincipal.Identity; var authenticationExtra = new AuthenticationExtra(new Dictionary <string, string>()); if (claimsIdentity.Claims.Any(c => c.Type == "exp")) { var expiryClaim = (from c in claimsIdentity.Claims where c.Type == "exp" select c.Value).Single(); authenticationExtra.ExpiresUtc = _epoch.AddSeconds(Convert.ToInt64(expiryClaim)); } if (claimsIdentity.Claims.Any(c => c.Type == "iat")) { var issued = (from c in claimsIdentity.Claims where c.Type == "iat" select c.Value).Single(); authenticationExtra.IssuedUtc = _epoch.AddSeconds(Convert.ToInt64(issued)); } return(new AuthenticationTicket(claimsIdentity, authenticationExtra)); }
/// <summary></summary> /// <param name="context"></param> /// <param name="authenticationType"> </param> /// <param name="claims"></param> /// <param name="nameClaimType"></param> /// <param name="roleClaimType"></param> /// <param name="isPersistent"></param> /// <exception cref="ArgumentNullException"></exception> public static void SignIn(this HttpContextBase context, string authenticationType, IEnumerable <Claim> claims, string nameClaimType, string roleClaimType, bool isPersistent) { if (authenticationType == null) { throw new ArgumentNullException("authenticationType"); } if (claims == null) { throw new ArgumentNullException("claims"); } if (nameClaimType == null) { throw new ArgumentNullException("nameClaimType"); } if (roleClaimType == null) { throw new ArgumentNullException("roleClaimType"); } var extra = new AuthenticationExtra { IsPersistent = isPersistent }; context.SignIn(new ClaimsPrincipal(new ClaimsIdentity(claims, authenticationType, nameClaimType, roleClaimType)), extra); }
protected bool ValidateCorrelationId(AuthenticationExtra extra, ILogger logger) { var correlationKey = Constants.CorrelationPrefix + BaseOptions.AuthenticationType; string correlationCookie; if (!Request.GetCookies().TryGetValue( correlationKey, out correlationCookie)) { logger.WriteWarning(string.Format("{0} cookie not found", correlationKey)); return(false); } Response.DeleteCookie(correlationKey); string correlationExtra; if (!extra.Properties.TryGetValue( correlationKey, out correlationExtra)) { logger.WriteWarning(string.Format("{0} state property not found", correlationKey)); return(false); } extra.Properties.Remove(correlationKey); if (!string.Equals(correlationCookie, correlationExtra, StringComparison.Ordinal)) { logger.WriteWarning(string.Format("{0} correlation cookie and state property mismatch", correlationKey)); return(false); } return(true); }
public void Grant(ClaimsIdentity identity, AuthenticationExtra extra) { AuthenticationResponseGrant = new AuthenticationResponseGrant(identity, extra); }
private async Task <RequestToken> ObtainRequestToken(string consumerKey, string consumerSecret, string callBackUri, AuthenticationExtra extra) { _logger.WriteVerbose("ObtainRequestToken"); var obtainRequestTokenRequest = CreateTwitterWebRequest(RequestTokenEndpoint); var nonce = Guid.NewGuid().ToString("N"); var authorizationParts = new SortedDictionary <string, string> { { "oauth_callback", callBackUri }, { "oauth_consumer_key", consumerKey }, { "oauth_nonce", nonce }, { "oauth_signature_method", "HMAC-SHA1" }, { "oauth_timestamp", GenerateTimeStamp() }, { "oauth_version", "1.0" } }; var parameterBuilder = new StringBuilder(); foreach (var authorizationKey in authorizationParts) { parameterBuilder.AppendFormat("{0}={1}&", Uri.EscapeDataString(authorizationKey.Key), Uri.EscapeDataString(authorizationKey.Value)); } parameterBuilder.Length--; var parameterString = parameterBuilder.ToString(); var canonicalizedRequestBuilder = new StringBuilder(); canonicalizedRequestBuilder.Append(obtainRequestTokenRequest.Method); canonicalizedRequestBuilder.Append("&"); canonicalizedRequestBuilder.Append(Uri.EscapeDataString(obtainRequestTokenRequest.RequestUri.ToString())); canonicalizedRequestBuilder.Append("&"); canonicalizedRequestBuilder.Append(Uri.EscapeDataString(parameterString)); var signature = ComputeSignature(consumerSecret, null, canonicalizedRequestBuilder.ToString()); authorizationParts.Add("oauth_signature", signature); var authorizationHeaderBuilder = new StringBuilder(); authorizationHeaderBuilder.Append("OAuth "); foreach (var authorizationPart in authorizationParts) { authorizationHeaderBuilder.AppendFormat( "{0}=\"{1}\", ", authorizationPart.Key, Uri.EscapeDataString(authorizationPart.Value)); } authorizationHeaderBuilder.Length = authorizationHeaderBuilder.Length - 2; obtainRequestTokenRequest.Headers.Add("Authorization", authorizationHeaderBuilder.ToString()); // TODO : Error handling var obtainRequestTokenResponse = await obtainRequestTokenRequest.GetResponseAsync() as HttpWebResponse; using (var reader = new StreamReader(obtainRequestTokenResponse.GetResponseStream())) { string responseText = await reader.ReadToEndAsync(); responseText = responseText.Replace('+', ' '); var responseParameters = responseText.Split('&').Select(responseParameter => responseParameter.Split('=')).ToDictionary(brokenParameter => brokenParameter[0], brokenParameter => brokenParameter[1]); if (responseParameters.ContainsKey("oauth_callback_confirmed") || string.Equals(responseParameters["oauth_callback_confirmed"], "true", StringComparison.InvariantCulture)) { return(new RequestToken { Token = Uri.UnescapeDataString(responseParameters["oauth_token"]), TokenSecret = Uri.UnescapeDataString(responseParameters["oauth_token_secret"]), CallbackConfirmed = true, Extra = extra }); } } return(new RequestToken()); }
protected override async Task <AuthenticationTicket> AuthenticateCore() { _logger.WriteVerbose("AuthenticateCore"); AuthenticationExtra extra = null; try { IDictionary <string, string[]> query = Request.GetQuery(); var protectedRequestToken = Request.GetCookies()[StateCookie]; var requestToken = _tokenProtectionHandler.Unprotect(protectedRequestToken); if (requestToken == null) { _logger.WriteWarning("Invalid state", null); return(null); } extra = requestToken.Extra; if (!query.ContainsKey("oauth_token")) { _logger.WriteWarning("Missing oauth_token", null); return(new AuthenticationTicket(null, extra)); } if (!query.ContainsKey("oauth_verifier")) { _logger.WriteWarning("Missing oauth_verifier", null); return(new AuthenticationTicket(null, extra)); } var returnedToken = query["oauth_token"].FirstOrDefault(); string oauthVerifier = query["oauth_verifier"].FirstOrDefault(); if (returnedToken != requestToken.Token) { _logger.WriteWarning("Unmatched token", null); return(new AuthenticationTicket(null, extra)); } if (string.IsNullOrWhiteSpace(oauthVerifier)) { _logger.WriteWarning("Blank oauth_verifier", null); return(new AuthenticationTicket(null, extra)); } var accessToken = await ObtainAccessToken(Options.ConsumerKey, Options.ConsumerSecret, requestToken, oauthVerifier); var context = new TwitterAuthenticatedContext(Request.Environment, accessToken.UserId, accessToken.ScreenName); context.Identity = new ClaimsIdentity( new[] { new Claim(ClaimTypes.NameIdentifier, accessToken.UserId, "http://www.w3.org/2001/XMLSchema#string", Options.AuthenticationType), new Claim(ClaimTypes.Name, accessToken.ScreenName, "http://www.w3.org/2001/XMLSchema#string", Options.AuthenticationType), new Claim("urn:twitter:userid", accessToken.UserId, "http://www.w3.org/2001/XMLSchema#string", Options.AuthenticationType), new Claim("urn:twitter:screenname", accessToken.ScreenName, "http://www.w3.org/2001/XMLSchema#string", Options.AuthenticationType), }, Options.AuthenticationType, ClaimsIdentity.DefaultNameClaimType, ClaimsIdentity.DefaultRoleClaimType); context.Extra = requestToken.Extra; Response.DeleteCookie(StateCookie); await Options.Provider.Authenticated(context); return(new AuthenticationTicket(context.Identity, context.Extra)); } catch (Exception ex) { _logger.WriteError("Authentication failed", ex); return(new AuthenticationTicket(null, extra)); } }
protected override async Task <AuthenticationTicket> AuthenticateCore() { _logger.WriteVerbose("AuthenticateCore"); AuthenticationExtra extra = null; try { string code = null; string state = null; IDictionary <string, string[]> query = Request.GetQuery(); string[] values; if (query.TryGetValue("code", out values) && values != null && values.Length == 1) { code = values[0]; } if (query.TryGetValue("state", out values) && values != null && values.Length == 1) { state = values[0]; } extra = Options.StateDataHandler.Unprotect(state); if (extra == null) { return(null); } // OAuth2 10.12 CSRF if (!ValidateCorrelationId(extra, _logger)) { return(new AuthenticationTicket(null, extra)); } var tokenRequestParameters = string.Format( CultureInfo.InvariantCulture, "client_id={0}&redirect_uri={1}&client_secret={2}&code={3}&grant_type=authorization_code", Uri.EscapeDataString(Options.ClientId), Uri.EscapeDataString(GenerateRedirectUri()), Uri.EscapeDataString(Options.ClientSecret), code); WebRequest tokenRequest = WebRequest.Create(TokenEndpoint); tokenRequest.Method = "POST"; tokenRequest.ContentType = "application/x-www-form-urlencoded"; tokenRequest.ContentLength = tokenRequestParameters.Length; tokenRequest.Timeout = Options.BackChannelRequestTimeOut; using (var bodyStream = new StreamWriter(tokenRequest.GetRequestStream())) { bodyStream.Write(tokenRequestParameters); } WebResponse tokenResponse = await tokenRequest.GetResponseAsync(); string accessToken = null; using (var reader = new StreamReader(tokenResponse.GetResponseStream())) { string oauthTokenResponse = await reader.ReadToEndAsync(); JObject oauth2Token = JObject.Parse(oauthTokenResponse); accessToken = oauth2Token["access_token"].Value <string>(); } if (string.IsNullOrWhiteSpace(accessToken)) { _logger.WriteWarning("Access token was not found"); return(new AuthenticationTicket(null, extra)); } JObject accountInformation; var accountInformationRequest = WebRequest.Create(GraphApiEndpoint + "?access_token=" + Uri.EscapeDataString(accessToken)); accountInformationRequest.Timeout = Options.BackChannelRequestTimeOut; var accountInformationResponse = await accountInformationRequest.GetResponseAsync(); using (var reader = new StreamReader(accountInformationResponse.GetResponseStream())) { accountInformation = JObject.Parse(await reader.ReadToEndAsync()); } var context = new MicrosoftAccountAuthenticatedContext(Request.Environment, accountInformation, accessToken); context.Identity = new ClaimsIdentity( new[] { new Claim(ClaimTypes.NameIdentifier, context.Id, "http://www.w3.org/2001/XMLSchema#string", Options.AuthenticationType), new Claim(ClaimTypes.Name, context.Name, "http://www.w3.org/2001/XMLSchema#string", Options.AuthenticationType), new Claim("urn:microsoftaccount:id", context.Id, "http://www.w3.org/2001/XMLSchema#string", Options.AuthenticationType), new Claim("urn:microsoftaccount:name", context.Name, "http://www.w3.org/2001/XMLSchema#string", Options.AuthenticationType), }, Options.AuthenticationType, ClaimsIdentity.DefaultNameClaimType, ClaimsIdentity.DefaultRoleClaimType); if (!string.IsNullOrWhiteSpace(context.Email)) { context.Identity.AddClaim(new Claim(ClaimTypes.Email, context.Email, "http://www.w3.org/2001/XMLSchema#string", Options.AuthenticationType)); } await Options.Provider.Authenticated(context); context.Extra = extra; return(new AuthenticationTicket(context.Identity, context.Extra)); } catch (Exception ex) { _logger.WriteWarning("Authentication failed", ex); return(new AuthenticationTicket(null, extra)); } }
protected override async Task <AuthenticationTicket> AuthenticateCore() { _logger.WriteVerbose("AuthenticateCore"); AuthenticationExtra extra = null; try { string code = null; string state = null; IDictionary <string, string[]> query = Request.GetQuery(); string[] values; if (query.TryGetValue("code", out values) && values != null && values.Length == 1) { code = values[0]; } if (query.TryGetValue("state", out values) && values != null && values.Length == 1) { state = values[0]; } extra = Options.StateDataHandler.Unprotect(state); if (extra == null) { return(null); } // OAuth2 10.12 CSRF if (!ValidateCorrelationId(extra, _logger)) { return(new AuthenticationTicket(null, extra)); } string tokenEndpoint = "https://graph.facebook.com/oauth/access_token"; string requestPrefix = Request.Scheme + "://" + Request.Host; string redirectUri = requestPrefix + Request.PathBase + Options.ReturnEndpointPath; string tokenRequest = "grant_type=authorization_code" + "&code=" + Uri.EscapeDataString(code) + "&redirect_uri=" + Uri.EscapeDataString(redirectUri) + "&client_id=" + Uri.EscapeDataString(Options.AppId) + "&client_secret=" + Uri.EscapeDataString(Options.AppSecret); WebRequest webRequest = WebRequest.Create(tokenEndpoint + "?" + tokenRequest); WebResponse webResponse = await webRequest.GetResponseAsync(); NameValueCollection form; using (var reader = new StreamReader(webResponse.GetResponseStream())) { string text = await reader.ReadToEndAsync(); form = WebHelpers.ParseNameValueCollection(text); } string accessToken = form["access_token"]; string expires = form["expires"]; string graphApiEndpoint = "https://graph.facebook.com/me"; webRequest = WebRequest.Create(graphApiEndpoint + "?access_token=" + Uri.EscapeDataString(accessToken)); webResponse = await webRequest.GetResponseAsync(); JObject user; using (var reader = new StreamReader(webResponse.GetResponseStream())) { user = JObject.Parse(await reader.ReadToEndAsync()); } var context = new FacebookAuthenticatedContext(Request.Environment, user, accessToken); context.Identity = new ClaimsIdentity( Options.AuthenticationType, ClaimsIdentity.DefaultNameClaimType, ClaimsIdentity.DefaultRoleClaimType); if (!string.IsNullOrEmpty(context.Id)) { context.Identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, context.Id, XmlSchemaString, Options.AuthenticationType)); } if (!string.IsNullOrEmpty(context.Username)) { context.Identity.AddClaim(new Claim(ClaimsIdentity.DefaultNameClaimType, context.Username, XmlSchemaString, Options.AuthenticationType)); } if (!string.IsNullOrEmpty(context.Email)) { context.Identity.AddClaim(new Claim(ClaimTypes.Email, context.Email, XmlSchemaString, Options.AuthenticationType)); } if (!string.IsNullOrEmpty(context.Name)) { context.Identity.AddClaim(new Claim("urn:facebook:name", context.Name, XmlSchemaString, Options.AuthenticationType)); } if (!string.IsNullOrEmpty(context.Link)) { context.Identity.AddClaim(new Claim("urn:facebook:link", context.Link, XmlSchemaString, Options.AuthenticationType)); } context.Extra = extra; await Options.Provider.Authenticated(context); return(new AuthenticationTicket(context.Identity, context.Extra)); } catch (Exception ex) { _logger.WriteError(ex.Message); } return(new AuthenticationTicket(null, extra)); }
public void Issue(ClaimsIdentity identity, AuthenticationExtra extra) { Identity = identity; Extra = extra; TokenIssued = true; }
protected override async Task <AuthenticationTicket> AuthenticateCore() { _logger.WriteVerbose("AuthenticateCore"); AuthenticationExtra extra = null; try { IDictionary <string, string[]> query = Request.GetQuery(); extra = UnpackStateParameter(query); if (extra == null) { _logger.WriteWarning("Invalid return state", null); return(null); } // Anti-CSRF if (!ValidateCorrelationId(extra, _logger)) { return(new AuthenticationTicket(null, extra)); } var message = await ParseRequestMessage(query); bool messageValidated = false; Property mode; if (!message.Properties.TryGetValue("mode.http://specs.openid.net/auth/2.0", out mode)) { _logger.WriteWarning("Missing mode parameter", null); return(new AuthenticationTicket(null, extra)); } if (string.Equals("cancel", mode.Value, StringComparison.Ordinal)) { _logger.WriteWarning("User cancelled signin request", null); return(new AuthenticationTicket(null, extra)); } if (string.Equals("id_res", mode.Value, StringComparison.Ordinal)) { mode.Value = "check_authentication"; WebRequest verifyRequest = WebRequest.Create("https://www.google.com/accounts/o8/ud"); verifyRequest.Method = "POST"; verifyRequest.ContentType = "application/x-www-form-urlencoded"; using (var writer = new StreamWriter(await verifyRequest.GetRequestStreamAsync())) { string body = message.ToFormUrlEncoded(); await writer.WriteAsync(body); } WebResponse verifyResponse = await verifyRequest.GetResponseAsync(); using (var reader = new StreamReader(verifyResponse.GetResponseStream())) { var verifyBody = new Dictionary <string, string[]>(); string body = await reader.ReadToEndAsync(); foreach (var line in body.Split(new[] { '\n' }, StringSplitOptions.RemoveEmptyEntries)) { int delimiter = line.IndexOf(':'); if (delimiter != -1) { verifyBody.Add("openid." + line.Substring(0, delimiter), new[] { line.Substring(delimiter + 1) }); } } var verifyMessage = new Message(verifyBody, strict: false); Property isValid; if (verifyMessage.Properties.TryGetValue("is_valid.http://specs.openid.net/auth/2.0", out isValid)) { if (string.Equals("true", isValid.Value, StringComparison.Ordinal)) { messageValidated = true; } else { messageValidated = false; } } } } // http://openid.net/specs/openid-authentication-2_0.html#verify_return_to // To verify that the "openid.return_to" URL matches the URL that is processing this assertion: // * The URL scheme, authority, and path MUST be the same between the two URLs. // * Any query parameters that are present in the "openid.return_to" URL MUST also // be present with the same values in the URL of the HTTP request the RP received. if (messageValidated) { // locate the required return_to parameter string actualReturnTo; if (!message.TryGetValue("return_to.http://specs.openid.net/auth/2.0", out actualReturnTo)) { _logger.WriteWarning("openid.return_to parameter missing at return address"); messageValidated = false; } else { // create the expected return_to parameter based on the URL that is processing // the assertion, plus exactly and only the the query string parameter (state) // that this RP must have received string expectedReturnTo = BuildReturnTo(GetStateParameter(query)); if (!string.Equals(actualReturnTo, expectedReturnTo, StringComparison.Ordinal)) { _logger.WriteWarning("openid.return_to parameter not equal to expected value based on return address"); messageValidated = false; } } } if (messageValidated) { IDictionary <string, string> attributeExchangeProperties = new Dictionary <string, string>(); foreach (var typeProperty in message.Properties.Values) { if (typeProperty.Namespace == "http://openid.net/srv/ax/1.0" && typeProperty.Name.StartsWith("type.")) { string qname = "value." + typeProperty.Name.Substring("type.".Length) + "http://openid.net/srv/ax/1.0"; Property valueProperty; if (message.Properties.TryGetValue(qname, out valueProperty)) { attributeExchangeProperties.Add(typeProperty.Value, valueProperty.Value); } } } var responseNamespaces = new object[] { new XAttribute(XNamespace.Xmlns + "openid", "http://specs.openid.net/auth/2.0"), new XAttribute(XNamespace.Xmlns + "openid.ax", "http://openid.net/srv/ax/1.0") }; IEnumerable <object> responseProperties = message.Properties .Where(p => p.Value.Namespace != null) .Select(p => (object)new XElement(XName.Get(p.Value.Name.Substring(0, p.Value.Name.Length - 1), p.Value.Namespace), p.Value.Value)); var responseMessage = new XElement("response", responseNamespaces.Concat(responseProperties).ToArray()); var identity = new ClaimsIdentity(Options.AuthenticationType); XElement claimedId = responseMessage.Element(XName.Get("claimed_id", "http://specs.openid.net/auth/2.0")); if (claimedId != null) { identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, claimedId.Value, "http://www.w3.org/2001/XMLSchema#string", Options.AuthenticationType)); } string firstValue; if (attributeExchangeProperties.TryGetValue("http://axschema.org/namePerson/first", out firstValue)) { identity.AddClaim(new Claim(ClaimTypes.GivenName, firstValue, "http://www.w3.org/2001/XMLSchema#string", Options.AuthenticationType)); } string lastValue; if (attributeExchangeProperties.TryGetValue("http://axschema.org/namePerson/last", out lastValue)) { identity.AddClaim(new Claim(ClaimTypes.Surname, lastValue, "http://www.w3.org/2001/XMLSchema#string", Options.AuthenticationType)); } string nameValue; if (attributeExchangeProperties.TryGetValue("http://axschema.org/namePerson", out nameValue)) { identity.AddClaim(new Claim(ClaimTypes.Name, nameValue, "http://www.w3.org/2001/XMLSchema#string", Options.AuthenticationType)); } else if (!string.IsNullOrEmpty(firstValue) && !string.IsNullOrEmpty(lastValue)) { identity.AddClaim(new Claim(ClaimTypes.Name, firstValue + " " + lastValue, "http://www.w3.org/2001/XMLSchema#string", Options.AuthenticationType)); } else if (!string.IsNullOrEmpty(firstValue)) { identity.AddClaim(new Claim(ClaimTypes.Name, firstValue, "http://www.w3.org/2001/XMLSchema#string", Options.AuthenticationType)); } else if (!string.IsNullOrEmpty(lastValue)) { identity.AddClaim(new Claim(ClaimTypes.Name, lastValue, "http://www.w3.org/2001/XMLSchema#string", Options.AuthenticationType)); } string emailValue; if (attributeExchangeProperties.TryGetValue("http://axschema.org/contact/email", out emailValue)) { identity.AddClaim(new Claim(ClaimTypes.Email, emailValue, "http://www.w3.org/2001/XMLSchema#string", Options.AuthenticationType)); } var context = new GoogleAuthenticatedContext( Request.Environment, identity, extra, responseMessage, attributeExchangeProperties); await Options.Provider.Authenticated(context); return(new AuthenticationTicket(context.Identity, context.Extra)); } return(new AuthenticationTicket(null, extra)); } catch (Exception ex) { _logger.WriteError("Authentication failed", ex); return(new AuthenticationTicket(null, extra)); } }
/// <summary></summary> /// <param name="context"></param> /// <param name="authenticationTypes"></param> /// <param name="extra"></param> public static void Challenge(this HttpContextBase context, string[] authenticationTypes, AuthenticationExtra extra) { if (context == null) { throw new ArgumentNullException("context"); } if (extra == null) { throw new ArgumentNullException("extra"); } OwinResponse response = GetOwinResponse(context); response.Challenge(authenticationTypes, extra); }
protected override async Task <AuthenticationTicket> AuthenticateCore() { Logger.WriteVerbose("AuthenticateCore"); AuthenticationExtra extra = null; try { var query = this.Request.GetQuery(); string[] lookup; string code = null; string state = null; if (query.TryGetValue("code", out lookup) && lookup != null && lookup.Length == 1) { code = lookup[0]; } if (code == null) { return(null); } if (query.TryGetValue("state", out lookup) && lookup != null && lookup.Length == 1) { state = lookup[0]; } extra = Options.StateDataHandler.Unprotect(state); if (extra == null) { return(null); } if (ValidateCorrelationId(extra, Logger)) { var accessToken = await GetAccessToken(code); if (accessToken != null) { var userInfo = await GetUserInfo(accessToken); var authenticatedContext = new OAuth2AuthenticatedContext( accessToken, userInfo.UserId, userInfo.UserName, Request.Environment) { Identity = new ClaimsIdentity( Options.AuthenticationType, "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), Extra = extra }; if (!string.IsNullOrWhiteSpace(authenticatedContext.UserId)) { authenticatedContext.Identity.AddClaim( new Claim( "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", authenticatedContext.UserId, "http://www.w3.org/2001/XMLSchema#string", Options.AuthenticationType)); } if (!string.IsNullOrWhiteSpace(authenticatedContext.UserName)) { authenticatedContext.Identity.AddClaim( new Claim( "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", authenticatedContext.UserName, "http://www.w3.org/2001/XMLSchema#string", Options.AuthenticationType)); } await Options.Provider.Authenticated(authenticatedContext); return(new AuthenticationTicket( authenticatedContext.Identity, authenticatedContext.Extra)); } } } catch (Exception e) { Logger.WriteError(e.Message); } return(new AuthenticationTicket(null, extra)); }
public static void SignIn(this IAuthenticationManager authenticationManager, ClaimsIdentity identity) { var extra = new AuthenticationExtra(); authenticationManager.SignIn(extra, identity); }
public void Grant(ClaimsPrincipal principal, AuthenticationExtra extra) { AuthenticationResponseGrant = new AuthenticationResponseGrant(principal, extra); }
protected bool ValidateCorrelationId(AuthenticationExtra extra, ILogger logger) { var correlationKey = Constants.CorrelationPrefix + BaseOptions.AuthenticationType; string correlationCookie; if (!Request.GetCookies().TryGetValue( correlationKey, out correlationCookie)) { logger.WriteWarning(string.Format("{0} cookie not found", correlationKey)); return false; } Response.DeleteCookie(correlationKey); string correlationExtra; if (!extra.Properties.TryGetValue( correlationKey, out correlationExtra)) { logger.WriteWarning(string.Format("{0} state property not found", correlationKey)); return false; } extra.Properties.Remove(correlationKey); if (!string.Equals(correlationCookie, correlationExtra, StringComparison.Ordinal)) { logger.WriteWarning(string.Format("{0} correlation cookie and state property mismatch", correlationKey)); return false; } return true; }
public void Challenge(string[] authenticationTypes, AuthenticationExtra extra) { StatusCode = 401; AuthenticationResponseChallenge = new AuthenticationResponseChallenge(authenticationTypes, extra); }