public async Task <Option <GrantedToken> > GetTokenByTicketId(
GetTokenViaTicketIdParameter parameter,
AuthenticationHeaderValue?authenticationHeaderValue,
X509Certificate2?certificate,
string issuerName,
CancellationToken cancellationToken)
{
if (string.IsNullOrWhiteSpace(parameter.Ticket))
{
_logger.LogError("Ticket is null or empty");
return(new ErrorDetails
{
Status = HttpStatusCode.BadRequest,
Title = ErrorCodes.InvalidRequest,
Detail = string.Format(Strings.MissingParameter, UmaConstants.RptClaims.Ticket)
});
}
var instruction = authenticationHeaderValue.GetAuthenticateInstruction(parameter, certificate);
var authResult = await _authenticateClient.Authenticate(instruction, issuerName, cancellationToken)
.ConfigureAwait(false);
var client = authResult.Client;
if (client == null)
{
_logger.LogError("Client not found.");
return(new ErrorDetails
{
Status = HttpStatusCode.BadRequest,
Title = ErrorCodes.InvalidClient,
Detail = authResult.ErrorMessage !
});
private AuthenticateInstruction CreateAuthenticateInstruction(GetTokenViaTicketIdParameter authorizationCodeGrantTypeParameter, AuthenticationHeaderValue authenticationHeaderValue)
{
var result = _authenticateInstructionGenerator.GetAuthenticateInstruction(authenticationHeaderValue);
result.ClientAssertion = authorizationCodeGrantTypeParameter.ClientAssertion;
result.ClientAssertionType = authorizationCodeGrantTypeParameter.ClientAssertionType;
result.ClientIdFromHttpRequestBody = authorizationCodeGrantTypeParameter.ClientId;
result.ClientSecretFromHttpRequestBody = authorizationCodeGrantTypeParameter.ClientSecret;
return(result);
}
public Task <GetTokenByTicketIdResponse> GetTokenByTicketId(GetTokenViaTicketIdParameter parameter, string openidProvider, string issuerName)
{
return(_getTokenByTicketIdAction.Execute(parameter, openidProvider, issuerName));
}
public Task <GrantedToken> GetTokenByTicketId(GetTokenViaTicketIdParameter parameter, AuthenticationHeaderValue authenticationHeaderValue)
{
return(_getTokenByTicketIdAction.Execute(parameter, authenticationHeaderValue));
}
public async Task <GrantedToken> Execute(GetTokenViaTicketIdParameter parameter, AuthenticationHeaderValue authenticationHeaderValue, X509Certificate2 certificate, string issuerName)
{
// 1. Check parameters.
if (parameter == null)
{
throw new ArgumentNullException(nameof(parameter));
}
if (string.IsNullOrWhiteSpace(parameter.Ticket))
{
throw new BaseUmaException(ErrorCodes.InvalidRequestCode, string.Format(ErrorDescriptions.TheParameterNeedsToBeSpecified, PostAuthorizationNames.TicketId));
}
if (string.IsNullOrWhiteSpace(parameter.Ticket))
{
throw new ArgumentNullException(nameof(parameter.Ticket));
}
// 2. Try to authenticate the client.
var instruction = CreateAuthenticateInstruction(parameter, authenticationHeaderValue, certificate);
var authResult = await _authenticateClient.AuthenticateAsync(instruction, issuerName);
var client = authResult.Client;
if (client == null)
{
throw new BaseUmaException(ErrorCodes.InvalidClient, authResult.ErrorMessage);
}
if (client.GrantTypes == null || !client.GrantTypes.Contains(GrantType.uma_ticket))
{
throw new BaseUmaException(ErrorCodes.InvalidGrant, string.Format(ErrorDescriptions.TheClientDoesntSupportTheGrantType, client.ClientId, GrantType.uma_ticket));
}
// 3. Retrieve the ticket.
var json = JsonConvert.SerializeObject(parameter);
_umaServerEventSource.StartGettingAuthorization(json);
var ticket = await _ticketStore.GetAsync(parameter.Ticket);
if (ticket == null)
{
throw new BaseUmaException(ErrorCodes.InvalidTicket, string.Format(ErrorDescriptions.TheTicketDoesntExist, parameter.Ticket));
}
// 4. Check the ticket.
if (ticket.ExpirationDateTime < DateTime.UtcNow)
{
throw new BaseUmaException(ErrorCodes.ExpiredTicket, ErrorDescriptions.TheTicketIsExpired);
}
_umaServerEventSource.CheckAuthorizationPolicy(json);
var claimTokenParameter = new ClaimTokenParameter
{
Token = parameter.ClaimToken,
Format = parameter.ClaimTokenFormat
};
// 4. Check the authorization.
var authorizationResult = await _authorizationPolicyValidator.IsAuthorized(ticket, client.ClientId, claimTokenParameter);
if (authorizationResult.Type != AuthorizationPolicyResultEnum.Authorized)
{
_umaServerEventSource.RequestIsNotAuthorized(json);
throw new BaseUmaException(ErrorCodes.InvalidGrant, ErrorDescriptions.TheAuthorizationPolicyIsNotSatisfied);
}
// 5. Generate a granted token.
var grantedToken = await GenerateTokenAsync(client, ticket.Lines, "openid", issuerName);
await _tokenStore.AddToken(grantedToken);
await _ticketStore.RemoveAsync(ticket.Id);
return(grantedToken);
}
public async Task <GetTokenByTicketIdResponse> Execute(GetTokenViaTicketIdParameter parameter, string openidProvider, string issuerName)
{
// 1. Check parameters.
if (parameter == null)
{
throw new ArgumentNullException(nameof(parameter));
}
if (string.IsNullOrWhiteSpace(parameter.Ticket))
{
throw new BaseUmaException(ErrorCodes.InvalidRequestCode, string.Format(ErrorDescriptions.TheParameterNeedsToBeSpecified, PostAuthorizationNames.TicketId));
}
if (string.IsNullOrWhiteSpace(parameter.Ticket))
{
throw new ArgumentNullException(nameof(parameter.Ticket));
}
if (string.IsNullOrWhiteSpace(openidProvider))
{
throw new ArgumentNullException(nameof(openidProvider));
}
// 2. Retrieve the ticket.
var json = JsonConvert.SerializeObject(parameter);
_umaServerEventSource.StartGettingAuthorization(json);
var ticket = await _ticketStore.GetAsync(parameter.Ticket).ConfigureAwait(false);
if (ticket == null)
{
throw new BaseUmaException(ErrorCodes.InvalidTicket, string.Format(ErrorDescriptions.TheTicketDoesntExist, parameter.Ticket));
}
// 3. Check the ticket.
if (ticket.ExpirationDateTime < DateTime.UtcNow)
{
throw new BaseUmaException(ErrorCodes.ExpiredTicket, ErrorDescriptions.TheTicketIsExpired);
}
_umaServerEventSource.CheckAuthorizationPolicy(json);
var claimTokenParameter = new ClaimTokenParameter
{
Token = parameter.ClaimToken,
Format = parameter.ClaimTokenFormat
};
// 4. Check the authorization.
var authorizationResult = await _authorizationPolicyValidator.IsAuthorized(openidProvider, ticket, claimTokenParameter).ConfigureAwait(false);
if (!authorizationResult.IsValid)
{
_umaServerEventSource.RequestIsNotAuthorized(json);
return(new GetTokenByTicketIdResponse
{
IsValid = false,
ResourceValidationResult = authorizationResult
});
}
// 5. Generate a granted token.
var grantedToken = await GenerateTokenAsync(ticket.Audiences, ticket.Lines, "openid", issuerName).ConfigureAwait(false);
await _tokenStore.AddToken(grantedToken);
await _ticketStore.RemoveAsync(ticket.Id);
return(new GetTokenByTicketIdResponse
{
IsValid = true,
GrantedToken = grantedToken
});
}
public Task <GrantedToken> GetTokenByTicketId(GetTokenViaTicketIdParameter parameter, AuthenticationHeaderValue authenticationHeaderValue, X509Certificate2 certificate, string issuerName)
{
return(_getTokenByTicketIdAction.Execute(parameter, authenticationHeaderValue, certificate, issuerName));
}
