/// <summary> /// Try to get the client id. /// </summary> /// <param name="instruction"></param> /// <returns></returns> public string GetClientId(AuthenticateInstruction instruction) { if (instruction.ClientAssertionType != Dtos.Constants.ClientAssertionTypes.JwtBearer || string.IsNullOrWhiteSpace(instruction.ClientAssertion)) { return(string.Empty); } var clientAssertion = instruction.ClientAssertion; var isJweToken = _jwtParser.IsJweToken(clientAssertion); var isJwsToken = _jwtParser.IsJwsToken(clientAssertion); if (isJweToken && isJwsToken) { return(string.Empty); } // It's a JWE token then return the client_id from the HTTP body if (isJweToken) { return(instruction.ClientIdFromHttpRequestBody); } // It's a JWS token then return the client_id from the token. var payload = _jwsParser.GetPayload(clientAssertion); if (payload == null) { return(string.Empty); } return(payload.Issuer); }
public string GetClientIdFromClientAssertion(AuthenticateInstruction instruction) { if (instruction.ClientAssertionType != "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" || string.IsNullOrWhiteSpace(instruction.ClientAssertion)) { return(string.Empty); } var clientAssertion = instruction.ClientAssertion; var isJweToken = _jwtParser.IsJweToken(clientAssertion); var isJwsToken = _jwtParser.IsJwsToken(clientAssertion); if (isJweToken && isJwsToken) { return(string.Empty); } if (isJweToken) { return(instruction.ClientIdFromHttpRequestBody); } var payload = _jwsGenerator.ExtractPayload(clientAssertion); if (payload == null) { return(string.Empty); } return(payload.GetClaimValue("iss")); }
private JwsPayload ExtractOPENIDTokenPayload() { var token = ExtractAuthorizationValue(); if (string.IsNullOrWhiteSpace(token)) { return(null); } var isJwsToken = _jwtParser.IsJwsToken(token); if (!isJwsToken) { return(null); } return(_jwtParser.Unsign(token, _umaHostOptions.OpenIdJsonWebKeySignature)); }
public async Task <bool> Handle(AuthenticateInstruction authenticateInstruction, OAuthClient client, string expectedIssuer) { if (authenticateInstruction == null) { throw new ArgumentNullException(nameof(authenticateInstruction)); } if (client == null) { throw new ArgumentNullException(nameof(client)); } if (client.Secrets == null) { throw new ArgumentNullException(nameof(client.Secrets)); } var clientSecret = client.Secrets.FirstOrDefault(s => s.Type == ClientSecretTypes.SharedSecret); if (clientSecret == null) { throw new OAuthException(ErrorCodes.INVALID_CLIENT_AUTH, ErrorMessages.NO_CLIENT_SECRET); } var clientAssertion = authenticateInstruction.ClientAssertion; var isJweToken = _jwtParser.IsJweToken(clientAssertion); if (!isJweToken) { throw new OAuthException(ErrorCodes.INVALID_CLIENT_AUTH, ErrorMessages.BAD_CLIENT_ASSERTION_FORMAT); } var clientId = authenticateInstruction.ClientIdFromHttpRequestBody; var jws = await _jwtParser.Decrypt(clientAssertion, clientId, clientSecret.Value).ConfigureAwait(false); if (string.IsNullOrWhiteSpace(jws)) { throw new OAuthException(ErrorCodes.INVALID_CLIENT_AUTH, ErrorMessages.BAD_CLIENT_ASSERTION_DECRYPTION); } var isJwsToken = _jwtParser.IsJwsToken(jws); if (!isJwsToken) { throw new OAuthException(ErrorCodes.INVALID_CLIENT_AUTH, ErrorMessages.BAD_CLIENT_ASSERTION_FORMAT); } var payload = await _jwtParser.Unsign(clientAssertion, clientId).ConfigureAwait(false); if (payload == null) { throw new OAuthException(ErrorCodes.INVALID_CLIENT_AUTH, ErrorMessages.BAD_CLIENT_ASSERTION_SIGNATURE); } return(ValidateJwsPayLoad(payload, expectedIssuer)); }
public async Task <bool> Handle(AuthenticateInstruction authenticateInstruction, BaseClient client, string expectedIssuer, CancellationToken cancellationToken, string errorCode = ErrorCodes.INVALID_CLIENT) { if (authenticateInstruction == null) { throw new ArgumentNullException(nameof(authenticateInstruction)); } if (client == null) { throw new ArgumentNullException(nameof(client)); } if (string.IsNullOrWhiteSpace(client.ClientSecret)) { throw new OAuthException(errorCode, ErrorMessages.NO_CLIENT_SECRET); } var clientAssertion = authenticateInstruction.ClientAssertion; var isJweToken = _jwtParser.IsJweToken(clientAssertion); if (!isJweToken) { throw new OAuthException(errorCode, ErrorMessages.BAD_CLIENT_ASSERTION_FORMAT); } var clientId = authenticateInstruction.ClientIdFromHttpRequestBody; var jws = await _jwtParser.Decrypt(clientAssertion, clientId, client.ClientSecret, cancellationToken); if (string.IsNullOrWhiteSpace(jws)) { throw new OAuthException(errorCode, ErrorMessages.BAD_CLIENT_ASSERTION_DECRYPTION); } var isJwsToken = _jwtParser.IsJwsToken(jws); if (!isJwsToken) { throw new OAuthException(errorCode, ErrorMessages.BAD_CLIENT_ASSERTION_FORMAT); } JwsPayload payload = await _jwtParser.Unsign(clientAssertion, clientId, cancellationToken, errorCode); if (payload == null) { throw new OAuthException(errorCode, ErrorMessages.BAD_CLIENT_ASSERTION_SIGNATURE); } return(ValidateJwsPayLoad(payload, expectedIssuer, errorCode)); }
public async Task <bool> Handle(AuthenticateInstruction authenticateInstruction, BaseClient client, string expectedIssuer, CancellationToken cancellationToken, string errorCode = ErrorCodes.INVALID_CLIENT) { if (authenticateInstruction == null) { throw new ArgumentNullException(nameof(authenticateInstruction)); } if (client == null) { throw new ArgumentNullException(nameof(client)); } var clientAssertion = authenticateInstruction.ClientAssertion; var isJwsToken = _jwtParser.IsJwsToken(clientAssertion); if (!isJwsToken) { throw new OAuthException(errorCode, ErrorMessages.BAD_CLIENT_ASSERTION_FORMAT); } var jwsPayload = _jwsGenerator.ExtractPayload(clientAssertion); if (jwsPayload == null) { throw new OAuthException(errorCode, ErrorMessages.BAD_CLIENT_ASSERTION_FORMAT); } var clientId = jwsPayload.GetIssuer(); JwsPayload payload; try { payload = await _jwtParser.Unsign(clientAssertion, clientId, cancellationToken, errorCode); } catch (JwtException ex) { throw new OAuthException(errorCode, ex.Message); } if (payload == null) { throw new OAuthException(errorCode, ErrorMessages.BAD_CLIENT_ASSERTION_SIGNATURE); } return(ValidateJwsPayLoad(payload, expectedIssuer, errorCode)); }
private async Task <JwsPayload> Extract(string accessToken) { var isJwe = _jwtParser.IsJweToken(accessToken); var isJws = _jwtParser.IsJwsToken(accessToken); if (!isJwe && !isJws) { return(null); } var jws = accessToken; if (isJwe) { jws = await _jwtParser.Decrypt(accessToken); } return(await _jwtParser.Unsign(jws)); }
protected async Task <JwsPayload> ExtractHint(string tokenHint, CancellationToken cancellationToken) { if (!_jwtParser.IsJwsToken(tokenHint) && !_jwtParser.IsJweToken(tokenHint)) { throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_IDTOKENHINT); } if (_jwtParser.IsJweToken(tokenHint)) { tokenHint = await _jwtParser.Decrypt(tokenHint, cancellationToken); if (string.IsNullOrWhiteSpace(tokenHint)) { throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_IDTOKENHINT); } } return(await _jwtParser.Unsign(tokenHint, cancellationToken)); }
public virtual async Task <RequestObjectValidatorResult> Validate(string request, BaseClient oauthClient, CancellationToken cancellationToken, string errorCode = ErrorCodes.INVALID_REQUEST_OBJECT) { if (!_jwtParser.IsJwsToken(request) && !_jwtParser.IsJweToken(request)) { throw new OAuthException(errorCode, ErrorMessages.INVALID_REQUEST_PARAMETER); } var jws = request; if (_jwtParser.IsJweToken(request)) { jws = await _jwtParser.Decrypt(jws, cancellationToken); if (string.IsNullOrWhiteSpace(jws)) { throw new OAuthException(errorCode, ErrorMessages.INVALID_JWE_REQUEST_PARAMETER); } } JwsHeader header = null; try { header = _jwtParser.ExtractJwsHeader(jws); } catch (InvalidOperationException) { throw new OAuthException(errorCode, ErrorMessages.INVALID_JWS_REQUEST_PARAMETER); } JwsPayload jwsPayload; try { jwsPayload = await _jwtParser.Unsign(jws, oauthClient, errorCode); } catch (JwtException ex) { throw new OAuthException(errorCode, ex.Message); } return(new RequestObjectValidatorResult(jwsPayload, header)); }
public Task <ClaimTokenFormatFetcherResult> Fetch(HandlerContext context) { var claimToken = context.Request.RequestData.GetClaimToken(); if (!_jwtParser.IsJwsToken(claimToken)) { throw new OAuthException(ErrorCodes.INVALID_REQUEST, UMAErrorMessages.BAD_CLAIM_TOKEN); } var payload = _jwtParser.Unsign(claimToken, _umaHostOptions.OpenIdJsonWebKeySignature); if (payload == null) { return(null); } var sub = payload.First(c => c.Key == GetSubjectName()); return(Task.FromResult(new ClaimTokenFormatFetcherResult(sub.Value.ToString(), payload))); }
public async Task <bool> Handle(AuthenticateInstruction authenticateInstruction, OAuthClient client, string expectedIssuer) { if (authenticateInstruction == null) { throw new ArgumentNullException(nameof(authenticateInstruction)); } if (client == null) { throw new ArgumentNullException(nameof(client)); } var clientAssertion = authenticateInstruction.ClientAssertion; var isJwsToken = _jwtParser.IsJwsToken(clientAssertion); if (!isJwsToken) { throw new OAuthException(ErrorCodes.INVALID_CLIENT_AUTH, ErrorMessages.BAD_CLIENT_ASSERTION_FORMAT); } var jwsPayload = _jwsGenerator.ExtractPayload(clientAssertion); if (jwsPayload == null) { throw new OAuthException(ErrorCodes.INVALID_CLIENT_AUTH, ErrorMessages.BAD_CLIENT_ASSERTION_FORMAT); } var clientId = jwsPayload.GetIssuer(); var payload = await _jwtParser.Unsign(clientAssertion, clientId).ConfigureAwait(false); if (payload == null) { throw new OAuthException(ErrorCodes.INVALID_CLIENT_AUTH, ErrorMessages.BAD_CLIENT_ASSERTION_SIGNATURE); } return(ValidateJwsPayLoad(payload, "")); }
protected async Task <bool> CheckRequest(HandlerContext context, string request) { var openidClient = (OpenIdClient)context.Client; if (!_jwtParser.IsJwsToken(request) && !_jwtParser.IsJweToken(request)) { throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_REQUEST_PARAMETER); } var jws = request; if (_jwtParser.IsJweToken(request)) { jws = await _jwtParser.Decrypt(jws); if (string.IsNullOrWhiteSpace(jws)) { throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_JWE_REQUEST_PARAMETER); } } JwsHeader header = null; try { header = _jwtParser.ExtractJwsHeader(jws); } catch (InvalidOperationException) { throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_JWS_REQUEST_PARAMETER); } if ( (!string.IsNullOrWhiteSpace(openidClient.RequestObjectSigningAlg) && header.Alg != openidClient.RequestObjectSigningAlg) || (string.IsNullOrWhiteSpace(openidClient.RequestObjectSigningAlg) && header.Alg != NoneSignHandler.ALG_NAME) ) { throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_SIGNATURE_ALG); } var jwsPayload = await _jwtParser.Unsign(jws, context.Client); if (jwsPayload == null) { throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_JWS_REQUEST_PARAMETER); } if (!jwsPayload.ContainsKey(OAuth.DTOs.AuthorizationRequestParameters.ResponseType)) { throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.MISSING_RESPONSE_TYPE_CLAIM); } if (!jwsPayload.ContainsKey(OAuth.DTOs.AuthorizationRequestParameters.ClientId)) { throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.MISSING_CLIENT_ID_CLAIM); } if (!jwsPayload[OAuth.DTOs.AuthorizationRequestParameters.ResponseType].ToString().Split(' ').OrderBy(s => s).SequenceEqual(context.Request.Data.GetResponseTypesFromAuthorizationRequest())) { throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_RESPONSE_TYPE_CLAIM); } if (jwsPayload[OAuth.DTOs.AuthorizationRequestParameters.ClientId].ToString() != context.Client.ClientId) { throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_CLIENT_ID_CLAIM); } context.Request.SetData(JObject.FromObject(jwsPayload)); return(true); }
private async Task ProcessIdTokenHint( ActionResult actionResult, AuthorizationParameter authorizationParameter, ICollection <PromptParameter> prompts, ClaimsPrincipal claimsPrincipal, string issuerName) { if (!string.IsNullOrWhiteSpace(authorizationParameter.IdTokenHint) && prompts.Contains(PromptParameter.none) && actionResult.Type == TypeActionResult.RedirectToCallBackUrl) { var token = authorizationParameter.IdTokenHint; if (!_jwtParser.IsJweToken(token) && !_jwtParser.IsJwsToken(token)) { throw new IdentityServerExceptionWithState( ErrorCodes.InvalidRequestCode, ErrorDescriptions.TheIdTokenHintParameterIsNotAValidToken, authorizationParameter.State); } string jwsToken; if (_jwtParser.IsJweToken(token)) { jwsToken = await _jwtParser.DecryptAsync(token); if (string.IsNullOrWhiteSpace(jwsToken)) { throw new IdentityServerExceptionWithState( ErrorCodes.InvalidRequestCode, ErrorDescriptions.TheIdTokenHintParameterCannotBeDecrypted, authorizationParameter.State); } } else { jwsToken = token; } var jwsPayload = await _jwtParser.UnSignAsync(jwsToken); if (jwsPayload == null) { throw new IdentityServerExceptionWithState( ErrorCodes.InvalidRequestCode, ErrorDescriptions.TheSignatureOfIdTokenHintParameterCannotBeChecked, authorizationParameter.State); } if (jwsPayload.Audiences == null || !jwsPayload.Audiences.Any() || !jwsPayload.Audiences.Contains(issuerName)) { throw new IdentityServerExceptionWithState( ErrorCodes.InvalidRequestCode, ErrorDescriptions.TheIdentityTokenDoesntContainSimpleIdentityServerAsAudience, authorizationParameter.State); } var currentSubject = string.Empty; var expectedSubject = jwsPayload.GetClaimValue(Jwt.Constants.StandardResourceOwnerClaimNames.Subject); if (claimsPrincipal != null && claimsPrincipal.IsAuthenticated()) { currentSubject = claimsPrincipal.GetSubject(); } if (currentSubject != expectedSubject) { throw new IdentityServerExceptionWithState( ErrorCodes.InvalidRequestCode, ErrorDescriptions.TheCurrentAuthenticatedUserDoesntMatchWithTheIdentityToken, authorizationParameter.State); } } }
private async Task ExtractSoftwareStatement(JObject jObj) { var softwareStatement = jObj.GetSoftwareStatement(); if (string.IsNullOrWhiteSpace(softwareStatement)) { return; } if (!_jwtParser.IsJwsToken(softwareStatement)) { throw new OAuthException(ErrorCodes.INVALID_SOFTWARE_STATEMENT, ErrorMessages.BAD_JWS_SOFTWARE_STATEMENT); } SimpleIdServer.Jwt.Jws.JwsPayload jwsPayload; SimpleIdServer.Jwt.Jws.JwsHeader header; try { jwsPayload = _jwtParser.ExtractJwsPayload(softwareStatement); header = _jwtParser.ExtractJwsHeader(softwareStatement); if (jwsPayload == null) { throw new OAuthException(ErrorCodes.INVALID_SOFTWARE_STATEMENT, ErrorMessages.BAD_JWS_SOFTWARE_STATEMENT); } } catch { throw new OAuthException(ErrorCodes.INVALID_SOFTWARE_STATEMENT, ErrorMessages.BAD_JWS_SOFTWARE_STATEMENT); } var issuer = jwsPayload.GetIssuer(); var trustedParty = OauthHostOptions.SoftwareStatementTrustedParties.FirstOrDefault(s => s.Iss == issuer); if (trustedParty == null) { throw new OAuthException(ErrorCodes.INVALID_SOFTWARE_STATEMENT, ErrorMessages.BAD_ISSUER_SOFTWARE_STATEMENT); } using (var httpClient = _httpClientFactory.GetHttpClient()) { var json = await httpClient.GetStringAsync(trustedParty.JwksUrl); var keysJson = JObject.Parse(json)["keys"].ToString(); var jsonWebKeys = JsonConvert.DeserializeObject <JArray>(keysJson).Select(k => SimpleIdServer.Jwt.JsonWebKey.Deserialize(k.ToString())); var jsonWebKey = jsonWebKeys.FirstOrDefault(j => j.Kid == header.Kid); jwsPayload = _jwtParser.Unsign(softwareStatement, jsonWebKey); if (jwsPayload == null) { throw new OAuthException(ErrorCodes.INVALID_SOFTWARE_STATEMENT, ErrorMessages.BAD_SOFTWARE_STATEMENT_SIGNATURE); } foreach (var kvp in jwsPayload) { if (jObj.ContainsKey(kvp.Key)) { jObj.Remove(kvp.Key); } jObj.Add(kvp.Key, JToken.FromObject(kvp.Value)); } } }