/// <summary>
/// Gets the OAuth authorization request included with an OpenID authentication
/// request, if there is one.
/// </summary>
/// <param name="openIdRequest">The OpenID authentication request.</param>
/// <returns>
/// The scope of access the relying party is requesting, or null if no OAuth request
/// is present.
/// </returns>
/// <remarks>
/// <para>Call this method rather than simply extracting the OAuth extension
/// out from the authentication request directly to ensure that the additional
/// security measures that are required are taken.</para>
/// </remarks>
public AuthorizationRequest ReadAuthorizationRequest(IHostProcessedRequest openIdRequest)
{
Requires.NotNull(openIdRequest, "openIdRequest");
RequiresEx.ValidState(this.TokenManager is ICombinedOpenIdProviderTokenManager);
var openidTokenManager = this.TokenManager as ICombinedOpenIdProviderTokenManager;
ErrorUtilities.VerifyOperation(openidTokenManager != null, OAuthStrings.OpenIdOAuthExtensionRequiresSpecialTokenManagerInterface, typeof(IOpenIdOAuthTokenManager).FullName);
var authzRequest = openIdRequest.GetExtension <AuthorizationRequest>();
if (authzRequest == null)
{
return(null);
}
// OpenID+OAuth spec section 9:
// The Combined Provider SHOULD verify that the consumer key passed in the
// request is authorized to be used for the realm passed in the request.
string expectedConsumerKey = openidTokenManager.GetConsumerKey(openIdRequest.Realm);
ErrorUtilities.VerifyProtocol(
string.Equals(expectedConsumerKey, authzRequest.Consumer, StringComparison.Ordinal),
OAuthStrings.OpenIdOAuthRealmConsumerKeyDoNotMatch);
return(authzRequest);
}
public void SignIn(UserModel user, bool createPersistentCookie)
{
RedisHelper.SetLoginSession(user.UserName + ":session",
Util.GetRootedUri("").ToString(), HttpContext.Current.Session.SessionID);
IHostProcessedRequest RpRequest = ProviderEndpoint.PendingRequest;
//如果从其他站点登录
if (RpRequest != null)
{
string url = Util.GetRequestHost(RpRequest.Realm);
string rpSession = Util.GetRpStoreExtension(url);
if (!string.IsNullOrEmpty(rpSession))
{
// 此处原是接受 RP 发来的SessionId,后发现SessionID会发生变化,和OP的一样
RedisHelper.SetLoginSession(user.UserName + ":session", url, rpSession);
}
}
RedisHelper.SetUserInfo(user.UserName + ":master", user);
if (!createPersistentCookie)
{
int span = (int)TimeSpan.FromMinutes(10).TotalSeconds;
RedisHelper.SetExpire(user.UserName + ":master", span);
RedisHelper.SetExpire(user.UserName + ":session", span);
}
OpenIDPrincipal identity = new OpenIDPrincipal(new OpenIDIdentity(user));
HttpContext.Current.Session["customidentity"] = identity;
HttpContext.Current.User = identity;
}
public void AttachAuthorizationResponse(IHostProcessedRequest openIdAuthenticationRequest, string scope)
{
Requires.NotNull(openIdAuthenticationRequest, "openIdAuthenticationRequest");
RequiresEx.ValidState(this.TokenManager is ICombinedOpenIdProviderTokenManager);
var openidTokenManager = this.TokenManager as ICombinedOpenIdProviderTokenManager;
IOpenIdMessageExtension response;
if (scope != null)
{
// Generate an authorized request token to return to the relying party.
string consumerKey = openidTokenManager.GetConsumerKey(openIdAuthenticationRequest.Realm);
var approvedResponse = new AuthorizationApprovedResponse {
RequestToken = this.TokenGenerator.GenerateRequestToken(consumerKey),
Scope = scope,
};
openidTokenManager.StoreOpenIdAuthorizedRequestToken(consumerKey, approvedResponse);
response = approvedResponse;
}
else
{
response = new AuthorizationDeclinedResponse();
}
openIdAuthenticationRequest.AddResponseExtension(response);
}
public void AttachAuthorizationResponse(IHostProcessedRequest openIdAuthenticationRequest, string consumerKey, string scope)
{
Requires.NotNull(openIdAuthenticationRequest, "openIdAuthenticationRequest");
Requires.That((consumerKey == null) == (scope == null), null, "consumerKey and scope must either be both provided or both omitted.");
RequiresEx.ValidState(this.TokenManager is ICombinedOpenIdProviderTokenManager);
var openidTokenManager = (ICombinedOpenIdProviderTokenManager)this.TokenManager;
ErrorUtilities.VerifyArgument(consumerKey == null || consumerKey == openidTokenManager.GetConsumerKey(openIdAuthenticationRequest.Realm), OAuthStrings.OpenIdOAuthRealmConsumerKeyDoNotMatch);
this.AttachAuthorizationResponse(openIdAuthenticationRequest, scope);
}
public void AttachAuthorizationResponse(IHostProcessedRequest openIdAuthenticationRequest, string consumerKey, string scope)
{
Contract.Requires <ArgumentNullException>(openIdAuthenticationRequest != null);
Contract.Requires <ArgumentException>((consumerKey == null) == (scope == null));
Contract.Requires <InvalidOperationException>(this.TokenManager is ICombinedOpenIdProviderTokenManager);
var openidTokenManager = (ICombinedOpenIdProviderTokenManager)this.TokenManager;
ErrorUtilities.VerifyArgument(consumerKey == null || consumerKey == openidTokenManager.GetConsumerKey(openIdAuthenticationRequest.Realm), "The consumer key and the realm did not match according to the token manager.");
this.AttachAuthorizationResponse(openIdAuthenticationRequest, scope);
}
private void BuildResponse(IHostProcessedRequest pendingRequest)
{
// Look for a Simple Registration request. When the AXFetchAsSregTransform behavior is turned on
// in the web.config file as it is in this sample, AX requests will come in as SReg requests.
var claimsRequest = pendingRequest.GetExtension <ClaimsRequest>();
if (claimsRequest != null)
{
var claimsResponse = claimsRequest.CreateResponse();
// This simple respond to a request check may be enhanced to only respond to an individual attribute
// request if the user consents to it explicitly, in which case this response extension creation can take
// place in the confirmation page action rather than here.
if (claimsRequest.Email != DemandLevel.NoRequest)
{
claimsResponse.Email = this.User.Identity.Name + "@dotnetopenauth.net";
}
pendingRequest.AddResponseExtension(claimsResponse);
}
// Look for PAPE requests.
var papeRequest = pendingRequest.GetExtension <PolicyRequest>();
if (papeRequest == null)
{
return;
}
var papeResponse = new PolicyResponse();
if (papeRequest.MaximumAuthenticationAge.HasValue)
{
papeResponse.AuthenticationTimeUtc = this.FormsAuth.SignedInTimestampUtc;
}
pendingRequest.AddResponseExtension(papeResponse);
}
/// <summary>
/// Determines whether the currently logged in user has authorized auto login to the requesting relying party.
/// </summary>
/// <param name="request">The incoming request.</param>
/// <returns>
/// <c>true</c> if it is safe to respond affirmatively to this request and all extensions
/// without further user confirmation; otherwise, <c>false</c>.
/// </returns>
private bool HasUserAuthorizedAutoLogin(IHostProcessedRequest request)
{
// TODO: host should implement this method meaningfully, consulting their user database.
// Make sure the user likes the RP
if (true /*User.UserLikesRP(request.Realm))*/)
{
// And make sure the RP is only asking for information about the user that the user has granted before.
if (true /*User.HasGrantedExtensions(request)*/)
{
// For now for the purposes of the sample, we'll disallow auto-logins when an sreg request is present.
if (request.GetExtension <ClaimsRequest>() != null)
{
return(false);
}
return(true);
}
}
// If we aren't sure the user likes this site and is willing to disclose the requested info, return false
// so the user has the opportunity to explicity choose whether to share his/her info.
return(false);
}
/// <summary>
/// Determines whether the currently logged in user has authorized auto login to the requesting relying party.
/// </summary>
/// <param name="request">The incoming request.</param>
/// <returns>
/// <c>true</c> if it is safe to respond affirmatively to this request and all extensions
/// without further user confirmation; otherwise, <c>false</c>.
/// </returns>
private bool HasUserAuthorizedAutoLogin(IHostProcessedRequest request)
{
// TODO: host should implement this method meaningfully, consulting their user database.
// Make sure the user likes the RP
if (true/*User.UserLikesRP(request.Realm))*/)
{
// And make sure the RP is only asking for information about the user that the user has granted before.
if (true/*User.HasGrantedExtensions(request)*/)
{
// For now for the purposes of the sample, we'll disallow auto-logins when an sreg request is present.
if (request.GetExtension<ClaimsRequest>() != null)
{
return false;
}
return true;
}
}
// If we aren't sure the user likes this site and is willing to disclose the requested info, return false
// so the user has the opportunity to explicity choose whether to share his/her info.
return false;
}
/// <summary>
/// Gets the OAuth authorization request included with an OpenID authentication
/// request, if there is one.
/// </summary>
/// <param name="openIdRequest">The OpenID authentication request.</param>
/// <returns>
/// The scope of access the relying party is requesting, or null if no OAuth request
/// is present.
/// </returns>
/// <remarks>
/// <para>Call this method rather than simply extracting the OAuth extension
/// out from the authentication request directly to ensure that the additional
/// security measures that are required are taken.</para>
/// </remarks>
public AuthorizationRequest ReadAuthorizationRequest(IHostProcessedRequest openIdRequest) {
Requires.NotNull(openIdRequest, "openIdRequest");
RequiresEx.ValidState(this.TokenManager is ICombinedOpenIdProviderTokenManager);
var openidTokenManager = this.TokenManager as ICombinedOpenIdProviderTokenManager;
ErrorUtilities.VerifyOperation(openidTokenManager != null, OAuthStrings.OpenIdOAuthExtensionRequiresSpecialTokenManagerInterface, typeof(IOpenIdOAuthTokenManager).FullName);
var authzRequest = openIdRequest.GetExtension<AuthorizationRequest>();
if (authzRequest == null) {
return null;
}
// OpenID+OAuth spec section 9:
// The Combined Provider SHOULD verify that the consumer key passed in the
// request is authorized to be used for the realm passed in the request.
string expectedConsumerKey = openidTokenManager.GetConsumerKey(openIdRequest.Realm);
ErrorUtilities.VerifyProtocol(
string.Equals(expectedConsumerKey, authzRequest.Consumer, StringComparison.Ordinal),
OAuthStrings.OpenIdOAuthRealmConsumerKeyDoNotMatch);
return authzRequest;
}
public void AttachAuthorizationResponse(IHostProcessedRequest openIdAuthenticationRequest, string scope) {
Requires.NotNull(openIdAuthenticationRequest, "openIdAuthenticationRequest");
RequiresEx.ValidState(this.TokenManager is ICombinedOpenIdProviderTokenManager);
var openidTokenManager = this.TokenManager as ICombinedOpenIdProviderTokenManager;
IOpenIdMessageExtension response;
if (scope != null) {
// Generate an authorized request token to return to the relying party.
string consumerKey = openidTokenManager.GetConsumerKey(openIdAuthenticationRequest.Realm);
var approvedResponse = new AuthorizationApprovedResponse {
RequestToken = this.TokenGenerator.GenerateRequestToken(consumerKey),
Scope = scope,
};
openidTokenManager.StoreOpenIdAuthorizedRequestToken(consumerKey, approvedResponse);
response = approvedResponse;
} else {
response = new AuthorizationDeclinedResponse();
}
openIdAuthenticationRequest.AddResponseExtension(response);
}
public void AttachAuthorizationResponse(IHostProcessedRequest openIdAuthenticationRequest, string consumerKey, string scope) {
Requires.NotNull(openIdAuthenticationRequest, "openIdAuthenticationRequest");
Requires.That((consumerKey == null) == (scope == null), null, "consumerKey and scope must either be both provided or both omitted.");
RequiresEx.ValidState(this.TokenManager is ICombinedOpenIdProviderTokenManager);
var openidTokenManager = (ICombinedOpenIdProviderTokenManager)this.TokenManager;
ErrorUtilities.VerifyArgument(consumerKey == null || consumerKey == openidTokenManager.GetConsumerKey(openIdAuthenticationRequest.Realm), OAuthStrings.OpenIdOAuthRealmConsumerKeyDoNotMatch);
this.AttachAuthorizationResponse(openIdAuthenticationRequest, scope);
}
public void AttachAuthorizationResponse(IHostProcessedRequest openIdAuthenticationRequest, string consumerKey, string scope) {
Contract.Requires<ArgumentNullException>(openIdAuthenticationRequest != null);
Contract.Requires<ArgumentException>((consumerKey == null) == (scope == null));
Contract.Requires<InvalidOperationException>(this.TokenManager is ICombinedOpenIdProviderTokenManager);
var openidTokenManager = (ICombinedOpenIdProviderTokenManager)this.TokenManager;
ErrorUtilities.VerifyArgument(consumerKey == null || consumerKey == openidTokenManager.GetConsumerKey(openIdAuthenticationRequest.Realm), "The consumer key and the realm did not match according to the token manager.");
this.AttachAuthorizationResponse(openIdAuthenticationRequest, scope);
}
public void AttachAuthorizationResponse(IHostProcessedRequest openIdAuthenticationRequest, string consumerKey, string scope) {
Contract.Requires<ArgumentNullException>(openIdAuthenticationRequest != null);
Contract.Requires<ArgumentException>((consumerKey == null) == (scope == null));
Contract.Requires<InvalidOperationException>(this.TokenManager is ICombinedOpenIdProviderTokenManager);
var openidTokenManager = (ICombinedOpenIdProviderTokenManager)this.TokenManager;
ErrorUtilities.VerifyArgument(consumerKey == null || consumerKey == openidTokenManager.GetConsumerKey(openIdAuthenticationRequest.Realm), OAuthStrings.OpenIdOAuthRealmConsumerKeyDoNotMatch);
this.AttachAuthorizationResponse(openIdAuthenticationRequest, scope);
}
public void AttachAuthorizationResponse(IHostProcessedRequest openIdAuthenticationRequest, string scope)
{
Contract.Requires(openIdAuthenticationRequest != null);
Contract.Requires(this.TokenManager is IOpenIdOAuthTokenManager);
ErrorUtilities.VerifyArgumentNotNull(openIdAuthenticationRequest, "openIdAuthenticationRequest");
var openidTokenManager = this.TokenManager as ICombinedOpenIdProviderTokenManager;
ErrorUtilities.VerifyOperation(openidTokenManager != null, OAuthStrings.OpenIdOAuthExtensionRequiresSpecialTokenManagerInterface, typeof(ICombinedOpenIdProviderTokenManager).FullName);
IOpenIdMessageExtension response;
if (scope != null) {
// Generate an authorized request token to return to the relying party.
string consumerKey = openidTokenManager.GetConsumerKey(openIdAuthenticationRequest.Realm);
var approvedResponse = new AuthorizationApprovedResponse {
RequestToken = this.TokenGenerator.GenerateRequestToken(consumerKey),
Scope = scope,
};
openidTokenManager.StoreOpenIdAuthorizedRequestToken(consumerKey, approvedResponse);
response = approvedResponse;
} else {
response = new AuthorizationDeclinedResponse();
}
openIdAuthenticationRequest.AddResponseExtension(response);
}
public void AttachAuthorizationResponse(IHostProcessedRequest openIdAuthenticationRequest, string consumerKey, string scope)
{
Contract.Requires(openIdAuthenticationRequest != null);
Contract.Requires((consumerKey == null) == (scope == null));
Contract.Requires(this.TokenManager is IOpenIdOAuthTokenManager);
ErrorUtilities.VerifyArgumentNotNull(openIdAuthenticationRequest, "openIdAuthenticationRequest");
var openidTokenManager = this.TokenManager as ICombinedOpenIdProviderTokenManager;
ErrorUtilities.VerifyOperation(openidTokenManager != null, OAuthStrings.OpenIdOAuthExtensionRequiresSpecialTokenManagerInterface, typeof(IOpenIdOAuthTokenManager).FullName);
ErrorUtilities.VerifyArgument(consumerKey == null || consumerKey == openidTokenManager.GetConsumerKey(openIdAuthenticationRequest.Realm), "The consumer key and the realm did not match according to the token manager.");
this.AttachAuthorizationResponse(openIdAuthenticationRequest, scope);
}
