/// <summary>
/// Serializes this <see cref="Token"/> instance as a string that can be
/// included as part of a return_to variable in a querystring.
/// This string is cryptographically signed to protect against tampering.
/// </summary>
public string Serialize(INonceStore store) {
using (MemoryStream dataStream = new MemoryStream()) {
if (!persistSignature(store)) {
Debug.Assert(!persistNonce(Endpoint, store), "Without a signature, a nonce is meaningless.");
dataStream.WriteByte(0); // there will be NO signature.
StreamWriter writer = new StreamWriter(dataStream);
Endpoint.Serialize(writer);
writer.Flush();
return Convert.ToBase64String(dataStream.ToArray());
} else {
using (HashAlgorithm shaHash = createHashAlgorithm(store))
using (CryptoStream shaStream = new CryptoStream(dataStream, shaHash, CryptoStreamMode.Write)) {
StreamWriter writer = new StreamWriter(shaStream);
Endpoint.Serialize(writer);
if (persistNonce(Endpoint, store))
writer.WriteLine(Nonce.Code);
writer.Flush();
shaStream.Flush();
shaStream.FlushFinalBlock();
byte[] hash = shaHash.Hash;
byte[] data = new byte[1 + hash.Length + dataStream.Length];
data[0] = 1; // there is a signature
Buffer.BlockCopy(hash, 0, data, 1, hash.Length);
Buffer.BlockCopy(dataStream.ToArray(), 0, data, 1 + hash.Length, (int)dataStream.Length);
return Convert.ToBase64String(data);
}
}
}
}
private OpenIdRelyingParty(ICryptoKeyStore cryptoKeyStore, INonceStore nonceStore, IHostFactories hostFactories)
{
// If we are a smart-mode RP (supporting associations), then we MUST also be
// capable of storing nonces to prevent replay attacks.
// If we're a dumb-mode RP, then 2.0 OPs are responsible for preventing replays.
Requires.That(cryptoKeyStore == null || nonceStore != null, null, OpenIdStrings.AssociationStoreRequiresNonceStore);
this.securitySettings = OpenIdElement.Configuration.RelyingParty.SecuritySettings.CreateSecuritySettings();
this.behaviors.CollectionChanged += this.OnBehaviorsChanged;
foreach (var behavior in OpenIdElement.Configuration.RelyingParty.Behaviors.CreateInstances(false, null))
{
this.behaviors.Add(behavior);
}
// Without a nonce store, we must rely on the Provider to protect against
// replay attacks. But only 2.0+ Providers can be expected to provide
// replay protection.
if (nonceStore == null &&
this.SecuritySettings.ProtectDownlevelReplayAttacks &&
this.SecuritySettings.MinimumRequiredOpenIdVersion < ProtocolVersion.V20)
{
Logger.OpenId.Warn("Raising minimum OpenID version requirement for Providers to 2.0 to protect this stateless RP from replay attacks.");
this.SecuritySettings.MinimumRequiredOpenIdVersion = ProtocolVersion.V20;
}
this.channel = new OpenIdRelyingPartyChannel(cryptoKeyStore, nonceStore, this.SecuritySettings, hostFactories);
var associationStore = cryptoKeyStore != null ? new CryptoKeyStoreAsRelyingPartyAssociationStore(cryptoKeyStore) : null;
this.AssociationManager = new AssociationManager(this.Channel, associationStore, this.SecuritySettings);
this.discoveryServices = new IdentifierDiscoveryServices(this);
Reporting.RecordFeatureAndDependencyUse(this, cryptoKeyStore, nonceStore);
}
/// <summary>
/// Initializes a new instance of the <see cref="OpenIdChannel"/> class
/// for use by a Relying Party.
/// </summary>
/// <param name="associationStore">The association store to use.</param>
/// <param name="nonceStore">The nonce store to use.</param>
/// <param name="messageTypeProvider">An object that knows how to distinguish the various OpenID message types for deserialization purposes.</param>
/// <param name="securitySettings">The security settings to apply.</param>
/// <param name="nonVerifying">A value indicating whether the channel is set up with no functional security binding elements.</param>
private OpenIdChannel(IAssociationStore <Uri> associationStore, INonceStore nonceStore, IMessageFactory messageTypeProvider, RelyingPartySecuritySettings securitySettings, bool nonVerifying) :
this(messageTypeProvider, InitializeBindingElements(associationStore, nonceStore, securitySettings, nonVerifying))
{
Contract.Requires <ArgumentNullException>(messageTypeProvider != null);
Contract.Requires <ArgumentNullException>(securitySettings != null);
Contract.Requires <ArgumentException>(!nonVerifying || securitySettings is RelyingPartySecuritySettings);
}
/// <summary>
/// Records the feature and dependency use.
/// </summary>
/// <param name="value">The consumer or service provider.</param>
/// <param name="service">The service.</param>
/// <param name="tokenManager">The token manager.</param>
/// <param name="nonceStore">The nonce store.</param>
internal static void RecordFeatureAndDependencyUse(object value, ServiceProviderHostDescription service, ITokenManager tokenManager, INonceStore nonceStore) {
Requires.NotNull(value, "value");
Requires.NotNull(service, "service");
Requires.NotNull(tokenManager, "tokenManager");
// In release builds, just quietly return.
if (value == null || service == null || tokenManager == null) {
return;
}
if (Reporting.Enabled && Reporting.Configuration.IncludeFeatureUsage) {
StringBuilder builder = new StringBuilder();
builder.Append(value.GetType().Name);
builder.Append(" ");
builder.Append(tokenManager.GetType().Name);
if (nonceStore != null) {
builder.Append(" ");
builder.Append(nonceStore.GetType().Name);
}
builder.Append(" ");
builder.Append(service.UserAuthorizationEndpoint != null ? service.UserAuthorizationEndpoint.Location.AbsoluteUri : string.Empty);
Reporting.ObservedFeatures.Add(builder.ToString());
Reporting.Touch();
}
}
/// <summary>
/// Initializes a new instance of the <see cref="OAuthChannel"/> class.
/// </summary>
/// <param name="signingBindingElement">The binding element to use for signing.</param>
/// <param name="store">The web application store to use for nonces.</param>
/// <param name="tokenManager">The token manager instance to use.</param>
internal OAuthChannel(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store, IServiceProviderTokenManager tokenManager)
: this(
signingBindingElement,
store,
tokenManager,
new OAuthServiceProviderMessageFactory(tokenManager)) {
}
/// <summary>
/// Initializes a new instance of the <see cref="StandardReplayProtectionBindingElement"/> class.
/// </summary>
/// <param name="nonceStore">The store where nonces will be persisted and checked.</param>
/// <param name="allowEmptyNonces">A value indicating whether zero-length nonces will be allowed.</param>
internal StandardReplayProtectionBindingElement(INonceStore nonceStore, bool allowEmptyNonces)
{
ErrorUtilities.VerifyArgumentNotNull(nonceStore, "nonceStore");
this.nonceStore = nonceStore;
this.AllowZeroLengthNonce = allowEmptyNonces;
}
/// <summary>
/// Initializes a new instance of the <see cref="OAuthChannel"/> class.
/// </summary>
/// <param name="signingBindingElement">The binding element to use for signing.</param>
/// <param name="store">The web application store to use for nonces.</param>
/// <param name="tokenManager">The token manager instance to use.</param>
/// <param name="isConsumer">A value indicating whether this channel is being constructed for a Consumer (as opposed to a Service Provider).</param>
internal OAuthChannel(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store, ITokenManager tokenManager, bool isConsumer)
: this(signingBindingElement,
store,
tokenManager,
isConsumer ? (IMessageFactory)new OAuthConsumerMessageFactory() : new OAuthServiceProviderMessageFactory(tokenManager))
{
}
/// <summary>
/// Initializes a new instance of the <see cref="StandardReplayProtectionBindingElement"/> class.
/// </summary>
/// <param name="nonceStore">The store where nonces will be persisted and checked.</param>
/// <param name="allowEmptyNonces">A value indicating whether zero-length nonces will be allowed.</param>
internal StandardReplayProtectionBindingElement(INonceStore nonceStore, bool allowEmptyNonces)
{
Requires.NotNull(nonceStore, "nonceStore");
this.nonceStore = nonceStore;
this.AllowZeroLengthNonce = allowEmptyNonces;
}
public AuthorizationServerHost(ICryptoKeyStore cryptoKeyStore, INonceStore nonceStore, IClientRepository clientRepository, IUserRepository userRepository)
{
_cryptoKeyStore = cryptoKeyStore;
_nonceStore = nonceStore;
_clientRepository = clientRepository;
_userRepository = userRepository;
}
/// <summary>
/// Records the feature and dependency use.
/// </summary>
/// <param name="value">The consumer or service provider.</param>
/// <param name="service">The service.</param>
/// <param name="tokenManager">The token manager.</param>
/// <param name="nonceStore">The nonce store.</param>
internal static void RecordFeatureAndDependencyUse(object value, ServiceProviderDescription service, ITokenManager tokenManager, INonceStore nonceStore) {
Contract.Requires(value != null);
Contract.Requires(service != null);
Contract.Requires(tokenManager != null);
// In release builds, just quietly return.
if (value == null || service == null || tokenManager == null) {
return;
}
if (Reporting.Enabled && Reporting.Configuration.IncludeFeatureUsage) {
StringBuilder builder = new StringBuilder();
builder.Append(value.GetType().Name);
builder.Append(" ");
builder.Append(tokenManager.GetType().Name);
if (nonceStore != null) {
builder.Append(" ");
builder.Append(nonceStore.GetType().Name);
}
builder.Append(" ");
builder.Append(service.Version);
builder.Append(" ");
builder.Append(service.UserAuthorizationEndpoint);
Reporting.ObservedFeatures.Add(builder.ToString());
Reporting.Touch();
}
}
/// <summary>
/// Initializes a new instance of the <see cref="StandardReplayProtectionBindingElement"/> class.
/// </summary>
/// <param name="nonceStore">The store where nonces will be persisted and checked.</param>
/// <param name="allowEmptyNonces">A value indicating whether zero-length nonces will be allowed.</param>
internal StandardReplayProtectionBindingElement(INonceStore nonceStore, bool allowEmptyNonces)
{
ErrorUtilities.VerifyArgumentNotNull(nonceStore, "nonceStore");
this.nonceStore = nonceStore;
this.AllowZeroLengthNonce = allowEmptyNonces;
}
/// <summary>
/// Initializes a new instance of the <see cref="OpenIdRelyingPartyChannel"/> class.
/// </summary>
/// <param name="cryptoKeyStore">The association store to use.</param>
/// <param name="nonceStore">The nonce store to use.</param>
/// <param name="messageTypeProvider">An object that knows how to distinguish the various OpenID message types for deserialization purposes.</param>
/// <param name="securitySettings">The security settings to apply.</param>
/// <param name="nonVerifying">A value indicating whether the channel is set up with no functional security binding elements.</param>
private OpenIdRelyingPartyChannel(ICryptoKeyStore cryptoKeyStore, INonceStore nonceStore, IMessageFactory messageTypeProvider, RelyingPartySecuritySettings securitySettings, bool nonVerifying) :
base(messageTypeProvider, InitializeBindingElements(cryptoKeyStore, nonceStore, securitySettings, nonVerifying))
{
Requires.NotNull(messageTypeProvider, "messageTypeProvider");
Requires.NotNull(securitySettings, "securitySettings");
Requires.True(!nonVerifying || securitySettings is RelyingPartySecuritySettings);
}
public override void SetUp() {
base.SetUp();
this.signingElement = new RsaSha1ServiceProviderSigningBindingElement(new InMemoryTokenManager());
this.nonceStore = new MemoryNonceStore(StandardExpirationBindingElement.MaximumMessageAge);
this.channel = new OAuthServiceProviderChannel(this.signingElement, this.nonceStore, new InMemoryTokenManager(), this.serviceProviderSecuritySettings, new TestMessageFactory(), this.HostFactories);
}
/// <summary>
/// Initializes a new instance of the <see cref="StandardReplayProtectionBindingElement"/> class.
/// </summary>
/// <param name="nonceStore">The store where nonces will be persisted and checked.</param>
/// <param name="allowEmptyNonces">A value indicating whether zero-length nonces will be allowed.</param>
internal StandardReplayProtectionBindingElement(INonceStore nonceStore, bool allowEmptyNonces)
{
Contract.Requires <ArgumentNullException>(nonceStore != null);
this.nonceStore = nonceStore;
this.AllowZeroLengthNonce = allowEmptyNonces;
}
/// <summary>
/// Initializes a new instance of the <see cref="ReturnToNonceBindingElement"/> class.
/// </summary>
/// <param name="nonceStore">The nonce store to use.</param>
/// <param name="securitySettings">The security settings of the RP.</param>
internal ReturnToNonceBindingElement(INonceStore nonceStore, RelyingPartySecuritySettings securitySettings) {
Contract.Requires<ArgumentNullException>(nonceStore != null);
Contract.Requires<ArgumentNullException>(securitySettings != null);
this.nonceStore = nonceStore;
this.securitySettings = securitySettings;
}
public DefaultRequestValidationService(IAccountService accountService, INonceStore nonceStore,
ILogger <DefaultRequestValidationService> logger)
{
_accountService = accountService;
_nonceStore = nonceStore;
_logger = logger;
}
/// <summary>
/// Initializes a new instance of the <see cref="OpenIdProviderChannel"/> class.
/// </summary>
/// <param name="cryptoKeyStore">The association store to use.</param>
/// <param name="nonceStore">The nonce store to use.</param>
/// <param name="messageTypeProvider">An object that knows how to distinguish the various OpenID message types for deserialization purposes.</param>
/// <param name="securitySettings">The security settings.</param>
private OpenIdProviderChannel(IProviderAssociationStore cryptoKeyStore, INonceStore nonceStore, IMessageFactory messageTypeProvider, ProviderSecuritySettings securitySettings)
: base(messageTypeProvider, InitializeBindingElements(cryptoKeyStore, nonceStore, securitySettings))
{
Requires.NotNull(cryptoKeyStore, "cryptoKeyStore");
Requires.NotNull(messageTypeProvider, "messageTypeProvider");
Requires.NotNull(securitySettings, "securitySettings");
}
/// <summary>
/// Initializes a new instance of the <see cref="ReturnToNonceBindingElement"/> class.
/// </summary>
/// <param name="nonceStore">The nonce store to use.</param>
/// <param name="securitySettings">The security settings of the RP.</param>
internal ReturnToNonceBindingElement(INonceStore nonceStore, RelyingPartySecuritySettings securitySettings) {
Requires.NotNull(nonceStore, "nonceStore");
Requires.NotNull(securitySettings, "securitySettings");
this.nonceStore = nonceStore;
this.securitySettings = securitySettings;
}
public override void SetUp()
{
base.SetUp();
this.signingElement = new RsaSha1ServiceProviderSigningBindingElement(new InMemoryTokenManager());
this.nonceStore = new MemoryNonceStore(StandardExpirationBindingElement.MaximumMessageAge);
this.channel = new OAuthServiceProviderChannel(this.signingElement, this.nonceStore, new InMemoryTokenManager(), this.serviceProviderSecuritySettings, new TestMessageFactory(), this.HostFactories);
}
/// <summary>
/// Nonce store inspector
/// </summary>
/// <param name="nonceStore">The nonce store.</param>
public NonceStoreInspector(INonceStore nonceStore)
{
if (nonceStore == null)
{
throw new ArgumentNullException("nonceStore");
}
_nonceStore = nonceStore;
}
/// <summary>
/// Initializes a new instance of the <see cref="DataBagFormatterBase<T>"/> class.
/// </summary>
/// <param name="signed">A value indicating whether the data in this instance will be protected against tampering.</param>
/// <param name="encrypted">A value indicating whether the data in this instance will be protected against eavesdropping.</param>
/// <param name="compressed">A value indicating whether the data in this instance will be GZip'd.</param>
/// <param name="maximumAge">The maximum age of a token that can be decoded; useful only when <paramref name="decodeOnceOnly"/> is <c>true</c>.</param>
/// <param name="decodeOnceOnly">The nonce store to use to ensure that this instance is only decoded once.</param>
private DataBagFormatterBase(bool signed = false, bool encrypted = false, bool compressed = false, TimeSpan?maximumAge = null, INonceStore decodeOnceOnly = null)
{
this.signed = signed;
this.maximumAge = maximumAge;
this.decodeOnceOnly = decodeOnceOnly;
this.encrypted = encrypted;
this.compressed = compressed;
}
/// <summary>
/// Initializes a new instance of the <see cref="ReturnToNonceBindingElement"/> class.
/// </summary>
/// <param name="nonceStore">The nonce store to use.</param>
/// <param name="securitySettings">The security settings of the RP.</param>
internal ReturnToNonceBindingElement(INonceStore nonceStore, RelyingPartySecuritySettings securitySettings)
{
Requires.NotNull(nonceStore, "nonceStore");
Requires.NotNull(securitySettings, "securitySettings");
this.nonceStore = nonceStore;
this.securitySettings = securitySettings;
}
/// <summary>
/// Initializes a new instance of the <see cref="ReturnToNonceBindingElement"/> class.
/// </summary>
/// <param name="nonceStore">The nonce store to use.</param>
/// <param name="securitySettings">The security settings of the RP.</param>
internal ReturnToNonceBindingElement(INonceStore nonceStore, RelyingPartySecuritySettings securitySettings)
{
Contract.Requires <ArgumentNullException>(nonceStore != null);
Contract.Requires <ArgumentNullException>(securitySettings != null);
this.nonceStore = nonceStore;
this.securitySettings = securitySettings;
}
/// <summary>
/// Initializes a new instance of the <see cref="WsseRequestInterceptor"/> class.
/// </summary>
/// <param name="provider">The provider.</param>
/// <param name="realm">The realm.</param>
/// <param name="timestampRangevalidator">The timestamp rangevalidator.</param>
/// <param name="nonceStore">The nonce store.</param>
public WsseRequestInterceptor(IPasswordProvider provider, string realm, ITimestampRangeValidator timestampRangevalidator, INonceStore nonceStore)
: base(false)
{
TimestampRangeValidator = timestampRangevalidator;
NonceStore = nonceStore;
Provider = provider;
Realm = realm;
}
public override void SetUp() {
base.SetUp();
this.webRequestHandler = new TestWebRequestHandler();
this.signingElement = new RsaSha1SigningBindingElement(new InMemoryTokenManager());
this.nonceStore = new NonceMemoryStore(StandardExpirationBindingElement.MaximumMessageAge);
this.channel = new OAuthChannel(this.signingElement, this.nonceStore, new InMemoryTokenManager(), new TestMessageFactory());
this.channel.WebRequestHandler = this.webRequestHandler;
}
/// <summary>
/// Initializes a new instance of the <see cref="OAuthChannel"/> class.
/// </summary>
/// <param name="signingBindingElement">The binding element to use for signing.</param>
/// <param name="store">The web application store to use for nonces.</param>
/// <param name="tokenManager">The ITokenManager instance to use.</param>
/// <param name="messageTypeProvider">
/// An injected message type provider instance.
/// Except for mock testing, this should always be one of
/// <see cref="OAuthConsumerMessageFactory"/> or <see cref="OAuthServiceProviderMessageFactory"/>.
/// </param>
internal OAuthChannel(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store, ITokenManager tokenManager, IMessageFactory messageTypeProvider)
: base(messageTypeProvider, InitializeBindingElements(signingBindingElement, store, tokenManager)) {
Contract.Requires<ArgumentNullException>(tokenManager != null);
Contract.Requires<ArgumentNullException>(signingBindingElement != null);
Contract.Requires<ArgumentException>(signingBindingElement.SignatureCallback == null, OAuthStrings.SigningElementAlreadyAssociatedWithChannel);
this.TokenManager = tokenManager;
signingBindingElement.SignatureCallback = this.SignatureCallback;
}
public LockingNonceStore(INonceStore decorated, ILockFactory lockFactory)
{
if (lockFactory == null)
{
throw new ArgumentNullException(nameof(lockFactory));
}
_decorated = decorated ?? throw new ArgumentNullException(nameof(decorated));
_lock = lockFactory.CreateLock();
}
public override void SetUp() {
base.SetUp();
this.webRequestHandler = new TestWebRequestHandler();
this.signingElement = new RsaSha1SigningBindingElement(new InMemoryTokenManager());
this.nonceStore = new NonceMemoryStore(StandardExpirationBindingElement.MaximumMessageAge);
this.channel = new OAuthChannel(this.signingElement, this.nonceStore, new InMemoryTokenManager(), this.serviceProviderSecuritySettings, new TestMessageFactory());
this.channel.WebRequestHandler = this.webRequestHandler;
}
public OAuthHandlerBase(CredentialsVerifier auth)
{
Authenticator = auth;
ConsumerStore = new RainyConsumerStore ();
NonceStore = new TestNonceStore ();
// initialize those classes that are not persisted
// TODO request tokens should be persisted in the future
RequestTokens = new SimpleTokenRepository<RequestToken> ();
}
public override void SetUp() {
base.SetUp();
this.protocol = Protocol.Default;
this.nonceStore = new NonceMemoryStore(TimeSpan.FromHours(3));
this.nonceElement = new StandardReplayProtectionBindingElement(this.nonceStore);
this.nonceElement.Channel = new Mocks.TestChannel();
this.message = new TestReplayProtectedMessage();
this.message.UtcCreationDate = DateTime.UtcNow;
}
/// <summary>
/// Initializes a new instance of the <see cref="OAuthChannel"/> class.
/// </summary>
/// <param name="signingBindingElement">The binding element to use for signing.</param>
/// <param name="store">The web application store to use for nonces.</param>
/// <param name="tokenManager">The ITokenManager instance to use.</param>
/// <param name="messageTypeProvider">
/// An injected message type provider instance.
/// Except for mock testing, this should always be one of
/// <see cref="OAuthConsumerMessageFactory"/> or <see cref="OAuthServiceProviderMessageFactory"/>.
/// </param>
internal OAuthChannel(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store, ITokenManager tokenManager, IMessageFactory messageTypeProvider)
: base(messageTypeProvider, InitializeBindingElements(signingBindingElement, store, tokenManager))
{
ErrorUtilities.VerifyArgumentNotNull(tokenManager, "tokenManager");
this.TokenManager = tokenManager;
ErrorUtilities.VerifyArgumentNamed(signingBindingElement.SignatureCallback == null, "signingBindingElement", OAuthStrings.SigningElementAlreadyAssociatedWithChannel);
signingBindingElement.SignatureCallback = this.SignatureCallback;
}
public OAuthHandlerBase(CredentialsVerifier auth)
{
Authenticator = auth;
ConsumerStore = new RainyConsumerStore();
NonceStore = new TestNonceStore();
// initialize those classes that are not persisted
// TODO request tokens should be persisted in the future
RequestTokens = new SimpleTokenRepository <RequestToken> ();
}
/// <summary>
/// OAuth authorization service provider.
/// </summary>
/// <param name="tokenStore">The token store</param>
/// <param name="consumerStore">The consumer store</param>
/// <param name="nonceStore">The nonce store.</param>
public OAuthAuthorizationServer(ITokenStore tokenStore, IConsumerStore consumerStore, INonceStore nonceStore)
{
_cryptoKeyStoreTranslate = new CryptoKeyStoreTranslate(tokenStore, consumerStore, nonceStore);
_tokenStore = tokenStore;
_consumerStore = consumerStore;
_nonceStore = nonceStore;
// Create a new instance of the absent parameter list.
ParametersAbsent = new List <string>();
}
public override void SetUp() {
base.SetUp();
this.webRequestHandler = new TestWebRequestHandler();
this.signingElement = new RsaSha1SigningBindingElement(new InMemoryTokenManager());
this.nonceStore = new NonceMemoryStore(StandardExpirationBindingElement.MaximumMessageAge);
this.channel = new OAuthChannel(this.signingElement, this.nonceStore, new InMemoryTokenManager(), new TestMessageFactory());
this.accessor = OAuthChannel_Accessor.AttachShadow(this.channel);
this.channel.WebRequestHandler = this.webRequestHandler;
}
internal OAuthServiceProviderChannel(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store, IServiceProviderTokenManager tokenManager, ServiceProviderSecuritySettings securitySettings, IMessageFactory messageTypeProvider = null)
: base(
signingBindingElement,
tokenManager,
securitySettings,
messageTypeProvider ?? new OAuthServiceProviderMessageFactory(tokenManager),
InitializeBindingElements(signingBindingElement, store, tokenManager, securitySettings)) {
Requires.NotNull(tokenManager, "tokenManager");
Requires.NotNull(securitySettings, "securitySettings");
Requires.NotNull(signingBindingElement, "signingBindingElement");
}
/// <summary>
/// Initializes the binding elements for the OAuth channel.
/// </summary>
/// <param name="signingBindingElement">The signing binding element.</param>
/// <param name="store">The nonce store.</param>
/// <param name="tokenManager">The token manager.</param>
/// <param name="securitySettings">The security settings.</param>
/// <returns>
/// An array of binding elements used to initialize the channel.
/// </returns>
private static IChannelBindingElement[] InitializeBindingElements(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store, ITokenManager tokenManager, SecuritySettings securitySettings) {
Requires.NotNull(securitySettings, "securitySettings");
var bindingElements = OAuthChannel.InitializeBindingElements(signingBindingElement, store);
var spTokenManager = tokenManager as IServiceProviderTokenManager;
var serviceProviderSecuritySettings = securitySettings as ServiceProviderSecuritySettings;
bindingElements.Insert(0, new TokenHandlingBindingElement(spTokenManager, serviceProviderSecuritySettings));
return bindingElements.ToArray();
}
protected OAuthChannel(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store, ITokenManager tokenManager, SecuritySettings securitySettings, IMessageFactory messageTypeProvider, IChannelBindingElement[] bindingElements)
: base(messageTypeProvider, bindingElements) {
Requires.NotNull(tokenManager, "tokenManager");
Requires.NotNull(securitySettings, "securitySettings");
Requires.NotNull(signingBindingElement, "signingBindingElement");
Requires.True(signingBindingElement.SignatureCallback == null, "signingBindingElement", OAuthStrings.SigningElementAlreadyAssociatedWithChannel);
Requires.NotNull(bindingElements, "bindingElements");
this.TokenManager = tokenManager;
signingBindingElement.SignatureCallback = this.SignatureCallback;
}
public override void SetUp()
{
base.SetUp();
this.protocol = Protocol.Default;
this.nonceStore = new NonceMemoryStore(TimeSpan.FromHours(3));
this.nonceElement = new StandardReplayProtectionBindingElement(this.nonceStore);
this.nonceElement.Channel = new Mocks.TestChannel();
this.message = new TestReplayProtectedMessage();
this.message.UtcCreationDate = DateTime.UtcNow;
}
/// <summary>
/// Initializes a new instance of the <see cref="DataBagFormatterBase<T>"/> class.
/// </summary>
/// <param name="signed">A value indicating whether the data in this instance will be protected against tampering.</param>
/// <param name="encrypted">A value indicating whether the data in this instance will be protected against eavesdropping.</param>
/// <param name="compressed">A value indicating whether the data in this instance will be GZip'd.</param>
/// <param name="maximumAge">The maximum age of a token that can be decoded; useful only when <paramref name="decodeOnceOnly"/> is <c>true</c>.</param>
/// <param name="decodeOnceOnly">The nonce store to use to ensure that this instance is only decoded once.</param>
private DataBagFormatterBase(bool signed = false, bool encrypted = false, bool compressed = false, TimeSpan?maximumAge = null, INonceStore decodeOnceOnly = null)
{
Requires.True(signed || decodeOnceOnly == null, null);
Requires.True(maximumAge.HasValue || decodeOnceOnly == null, null);
this.signed = signed;
this.maximumAge = maximumAge;
this.decodeOnceOnly = decodeOnceOnly;
this.encrypted = encrypted;
this.compressed = compressed;
}
/// <summary>
/// OAuth resource provider.
/// </summary>
/// <param name="tokenStore">The token store</param>
/// <param name="consumerStore">The consumer store</param>
/// <param name="nonceStore">The nonce store.</param>
public AuthResource(ITokenStore tokenStore, IConsumerStore consumerStore, INonceStore nonceStore)
{
_tokenStore = tokenStore;
_consumerStore = consumerStore;
_nonceStore = nonceStore;
ValidateEx();
// Create the resource provider.
_resourceServer = new ResourceServer();
}
IIdSiteSyncCallbackHandler IIdSiteSyncCallbackHandler.SetNonceStore(INonceStore nonceStore)
{
if (nonceStore == null)
{
throw new ArgumentNullException(nameof(nonceStore));
}
this.nonceStore = nonceStore;
return(this);
}
IIdSiteSyncCallbackHandler IIdSiteSyncCallbackHandler.SetNonceStore(INonceStore nonceStore)
{
if (nonceStore == null)
{
throw new ArgumentNullException(nameof(nonceStore));
}
this.nonceStore = nonceStore;
return this;
}
/// <summary>
/// OAuth provider.
/// </summary>
/// <param name="tokenStore">The token store</param>
/// <param name="consumerStore">The consumer store</param>
/// <param name="nonceStore">The nonce store.</param>
/// <param name="inspectors">The collection of validation inspectors.</param>
public AuthProvider(ITokenStore tokenStore, IConsumerStore consumerStore, INonceStore nonceStore, params IContextInspector[] inspectors)
{
_tokenStore = tokenStore;
_consumerStore = consumerStore;
_nonceStore = nonceStore;
ValidateEx();
// Create a new OAuth provider.
_oAuthProvider = new OAuthProvider(tokenStore, inspectors);
}
internal OAuthConsumerChannel(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store, IConsumerTokenManager tokenManager, ConsumerSecuritySettings securitySettings, IMessageFactory messageFactory = null)
: base(
signingBindingElement,
tokenManager,
securitySettings,
messageFactory ?? new OAuthConsumerMessageFactory(),
InitializeBindingElements(signingBindingElement, store)) {
Requires.NotNull(tokenManager, "tokenManager");
Requires.NotNull(securitySettings, "securitySettings");
Requires.NotNull(signingBindingElement, "signingBindingElement");
}
/// <summary>
/// Initializes a new instance of the <see cref="DataBagFormatterBase<T>"/> class.
/// </summary>
/// <param name="signed">A value indicating whether the data in this instance will be protected against tampering.</param>
/// <param name="encrypted">A value indicating whether the data in this instance will be protected against eavesdropping.</param>
/// <param name="compressed">A value indicating whether the data in this instance will be GZip'd.</param>
/// <param name="maximumAge">The maximum age of a token that can be decoded; useful only when <paramref name="decodeOnceOnly"/> is <c>true</c>.</param>
/// <param name="decodeOnceOnly">The nonce store to use to ensure that this instance is only decoded once.</param>
private DataBagFormatterBase(bool signed = false, bool encrypted = false, bool compressed = false, TimeSpan?maximumAge = null, INonceStore decodeOnceOnly = null)
{
Requires.That(signed || decodeOnceOnly == null, "decodeOnceOnly", "Nonce only valid with signing.");
Requires.That(maximumAge.HasValue || decodeOnceOnly == null, "decodeOnceOnly", "Nonce requires a maximum message age.");
this.signed = signed;
this.maximumAge = maximumAge;
this.decodeOnceOnly = decodeOnceOnly;
this.encrypted = encrypted;
this.compressed = compressed;
}
internal OAuthChannel(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store, IServiceProviderTokenManager tokenManager, ServiceProviderSecuritySettings securitySettings)
: this(
signingBindingElement,
store,
tokenManager,
securitySettings,
new OAuthServiceProviderMessageFactory(tokenManager)) {
Contract.Requires<ArgumentNullException>(tokenManager != null);
Contract.Requires<ArgumentNullException>(securitySettings != null);
Contract.Requires<ArgumentNullException>(signingBindingElement != null);
Contract.Requires<ArgumentException>(signingBindingElement.SignatureCallback == null, OAuthStrings.SigningElementAlreadyAssociatedWithChannel);
}
/// <summary>
/// Initializes a new instance of the <see cref="OAuthChannel"/> class.
/// </summary>
/// <param name="signingBindingElement">The binding element to use for signing.</param>
/// <param name="store">The web application store to use for nonces.</param>
/// <param name="tokenManager">The ITokenManager instance to use.</param>
/// <param name="messageTypeProvider">
/// An injected message type provider instance.
/// Except for mock testing, this should always be one of
/// <see cref="OAuthConsumerMessageFactory"/> or <see cref="OAuthServiceProviderMessageFactory"/>.
/// </param>
/// <remarks>
/// This overload for testing purposes only.
/// </remarks>
internal OAuthChannel(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store, ITokenManager tokenManager, IMessageFactory messageTypeProvider)
: base(messageTypeProvider, new OAuthHttpMethodBindingElement(), signingBindingElement, new StandardExpirationBindingElement(), new StandardReplayProtectionBindingElement(store))
{
if (tokenManager == null) {
throw new ArgumentNullException("tokenManager");
}
this.TokenManager = tokenManager;
ErrorUtilities.VerifyArgumentNamed(signingBindingElement.SignatureCallback == null, "signingBindingElement", OAuthStrings.SigningElementAlreadyAssociatedWithChannel);
signingBindingElement.SignatureCallback = this.SignatureCallback;
}
/// <summary>
/// Initializes a new instance of the <see cref="OpenIdProvider"/> class.
/// </summary>
/// <param name="associationStore">The association store to use. Cannot be null.</param>
/// <param name="nonceStore">The nonce store to use. Cannot be null.</param>
private OpenIdProvider(IAssociationStore<AssociationRelyingPartyType> associationStore, INonceStore nonceStore)
{
Contract.Requires(associationStore != null);
Contract.Requires(nonceStore != null);
Contract.Ensures(this.AssociationStore == associationStore);
Contract.Ensures(this.SecuritySettings != null);
Contract.Ensures(this.Channel != null);
ErrorUtilities.VerifyArgumentNotNull(associationStore, "associationStore");
ErrorUtilities.VerifyArgumentNotNull(nonceStore, "nonceStore");
this.AssociationStore = associationStore;
this.SecuritySettings = DotNetOpenAuthSection.Configuration.OpenId.Provider.SecuritySettings.CreateSecuritySettings();
this.Channel = new OpenIdChannel(this.AssociationStore, nonceStore, this.SecuritySettings);
}
/// <summary>
/// OAuth provider.
/// </summary>
/// <param name="tokenStore">The token store</param>
/// <param name="consumerStore">The consumer store</param>
/// <param name="nonceStore">The nonce store.</param>
public AuthResource(ITokenStore tokenStore, IConsumerStore consumerStore, INonceStore nonceStore)
{
_tokenStore = tokenStore;
_consumerStore = consumerStore;
_nonceStore = nonceStore;
ValidateEx();
// Create a new OAuth provider.
_oAuthProvider = new OAuthProvider(tokenStore,
new SignatureValidationInspector(consumerStore),
new NonceStoreInspector(nonceStore),
new TimestampRangeInspector(new TimeSpan(1, 0, 0)),
new ConsumerValidationInspector(consumerStore));
}
public SecretController(
IJwtTokenService tokenService,
INonceStore nonceStore,
IDeviceAttestation deviceAttestation,
IConfiguration configuration
)
{
m_tokenService = tokenService;
m_nonceStore = nonceStore;
m_attestationService = deviceAttestation;
m_configuration = configuration;
attestSecret = configuration.GetValue <string>("JwtSettings:Secret");
jwtSecret = configuration.GetValue <string>("JwtSettings:Secret");
JwtAudience = configuration.GetValue <string>("JwtSettings:Audience");
JwtIssuer = configuration.GetValue <string>("JwtSettings:Issuer");
}
/// <summary>
/// OAuth provider.
/// </summary>
/// <param name="tokenStore">The token store</param>
/// <param name="consumerStore">The consumer store</param>
/// <param name="nonceStore">The nonce store.</param>
public AuthProvider(ITokenStore tokenStore, IConsumerStore consumerStore, INonceStore nonceStore)
{
_tokenStore = tokenStore;
_consumerStore = consumerStore;
_nonceStore = nonceStore;
ValidateEx();
// Create a new OAuth provider.
_oAuthProvider = new OAuthProvider(tokenStore,
new SignatureValidationInspector(consumerStore),
new NonceStoreInspector(nonceStore),
new TimestampRangeInspector(new TimeSpan(1, 0, 0)),
new ConsumerValidationInspector(consumerStore),
new XAuthValidationInspector(ValidateXAuthMode, AuthenticateXAuthUsernameAndPassword));
}
/// <summary>
/// Initializes a new instance of the <see cref="OpenIdProvider"/> class.
/// </summary>
/// <param name="nonceStore">The nonce store to use. Cannot be null.</param>
/// <param name="cryptoKeyStore">The crypto key store. Cannot be null.</param>
private OpenIdProvider(INonceStore nonceStore, ICryptoKeyStore cryptoKeyStore) {
Requires.NotNull(nonceStore, "nonceStore");
Requires.NotNull(cryptoKeyStore, "cryptoKeyStore");
this.SecuritySettings = OpenIdElement.Configuration.Provider.SecuritySettings.CreateSecuritySettings();
this.behaviors.CollectionChanged += this.OnBehaviorsChanged;
foreach (var behavior in OpenIdElement.Configuration.Provider.Behaviors.CreateInstances(false)) {
this.behaviors.Add(behavior);
}
this.AssociationStore = new SwitchingAssociationStore(cryptoKeyStore, this.SecuritySettings);
this.Channel = new OpenIdProviderChannel(this.AssociationStore, nonceStore, this.SecuritySettings);
this.CryptoKeyStore = cryptoKeyStore;
this.discoveryServices = new IdentifierDiscoveryServices(this);
Reporting.RecordFeatureAndDependencyUse(this, nonceStore);
}
public DefaultIdSiteSyncCallbackHandler(IInternalDataStore internalDataStore, IHttpRequest httpRequest)
{
if (internalDataStore == null)
{
throw new ArgumentNullException(nameof(internalDataStore));
}
if (httpRequest == null)
{
throw new ArgumentNullException(nameof(httpRequest));
}
this.internalDataStore = internalDataStore;
this.jwtResponse = HandlerShared.GetJwtResponse(httpRequest);
this.nonceStore = new DefaultNonceStore(internalDataStore.CacheResolver);
this.syncNonceStore = this.nonceStore as ISynchronousNonceStore;
}
/// <summary>
/// Initializes a new instance of the <see cref="OpenIdProvider"/> class.
/// </summary>
/// <param name="associationStore">The association store to use. Cannot be null.</param>
/// <param name="nonceStore">The nonce store to use. Cannot be null.</param>
private OpenIdProvider(IAssociationStore<AssociationRelyingPartyType> associationStore, INonceStore nonceStore) {
Contract.Requires<ArgumentNullException>(associationStore != null);
Contract.Requires<ArgumentNullException>(nonceStore != null);
Contract.Ensures(this.AssociationStore == associationStore);
Contract.Ensures(this.SecuritySettings != null);
Contract.Ensures(this.Channel != null);
this.AssociationStore = associationStore;
this.SecuritySettings = DotNetOpenAuthSection.Configuration.OpenId.Provider.SecuritySettings.CreateSecuritySettings();
this.behaviors.CollectionChanged += this.OnBehaviorsChanged;
foreach (var behavior in DotNetOpenAuthSection.Configuration.OpenId.Provider.Behaviors.CreateInstances(false)) {
this.behaviors.Add(behavior);
}
this.Channel = new OpenIdChannel(this.AssociationStore, nonceStore, this.SecuritySettings);
Reporting.RecordFeatureAndDependencyUse(this, associationStore, nonceStore);
}
/// <summary>
/// OAuth provider.
/// </summary>
/// <param name="tokenStore">The token store</param>
/// <param name="consumerStore">The consumer store</param>
/// <param name="nonceStore">The nonce store.</param>
public AuthProvider(ITokenStore tokenStore, IConsumerStore consumerStore, INonceStore nonceStore)
{
_tokenStore = tokenStore;
_consumerStore = consumerStore;
_nonceStore = nonceStore;
ValidateEx();
// Create a new client authenticator
List <ClientAuthenticationModule> clientAuth = new List <ClientAuthenticationModule>()
{
new ClientAuthentication(tokenStore, consumerStore, nonceStore)
};
// Create the OAuth servers.
_oAuthAuthorizationServer = new OAuthAuthorizationServer(tokenStore, consumerStore, nonceStore);
_authorizationServer = new AuthorizationServer(_oAuthAuthorizationServer, clientAuth);
}
public DefaultIdSiteSyncCallbackHandler(IInternalDataStore internalDataStore, IHttpRequest httpRequest)
{
if (internalDataStore == null)
{
throw new ArgumentNullException(nameof(internalDataStore));
}
if (httpRequest == null)
{
throw new ArgumentNullException(nameof(httpRequest));
}
this.internalDataStore = internalDataStore;
this.jwtResponse = HandlerShared.GetJwtResponse(httpRequest);
this.nonceStore = new DefaultNonceStore(internalDataStore.CacheResolver);
this.syncNonceStore = this.nonceStore as ISynchronousNonceStore;
}
/// <summary>
/// Initializes the binding elements.
/// </summary>
/// <param name="cryptoKeyStore">The OpenID Provider's crypto key store.</param>
/// <param name="nonceStore">The nonce store to use.</param>
/// <param name="securitySettings">The security settings to apply. Must be an instance of either RelyingPartySecuritySettings or ProviderSecuritySettings.</param>
/// <returns>
/// An array of binding elements which may be used to construct the channel.
/// </returns>
private static IChannelBindingElement[] InitializeBindingElements(IProviderAssociationStore cryptoKeyStore, INonceStore nonceStore, ProviderSecuritySettings securitySettings) {
Requires.NotNull(cryptoKeyStore, "cryptoKeyStore");
Requires.NotNull(securitySettings, "securitySettings");
Requires.NotNull(nonceStore, "nonceStore");
SigningBindingElement signingElement;
signingElement = new ProviderSigningBindingElement(cryptoKeyStore, securitySettings);
var extensionFactory = OpenIdExtensionFactoryAggregator.LoadFromConfiguration();
List<IChannelBindingElement> elements = new List<IChannelBindingElement>(8);
elements.Add(new ExtensionsBindingElement(extensionFactory, securitySettings, true));
elements.Add(new StandardReplayProtectionBindingElement(nonceStore, true));
elements.Add(new StandardExpirationBindingElement());
elements.Add(signingElement);
return elements.ToArray();
}
/// <summary>
/// Deserializes a token returned to us from the provider and verifies its integrity.
/// </summary>
/// <remarks>
/// As part of deserialization, the signature is verified to check
/// for tampering, and the nonce (if included by the RP) is also checked.
/// If no signature is present (due to stateless mode), the endpoint is verified
/// by discovery (slow but secure).
/// </remarks>
public static Token Deserialize(string token, INonceStore store)
{
byte[] tok = Convert.FromBase64String(token);
if (tok.Length < 1) throw new OpenIdException(Strings.InvalidSignature);
bool signaturePresent = tok[0] == 1;
bool signatureVerified = false;
MemoryStream dataStream;
if (signaturePresent) {
if (persistSignature(store)) {
// Verify the signature to guarantee that our state hasn't been
// tampered with in transit or on the provider.
HashAlgorithm hmac = createHashAlgorithm(store);
int signatureLength = hmac.HashSize / 8;
dataStream = new MemoryStream(tok, 1 + signatureLength, tok.Length - 1 - signatureLength);
byte[] newSig = hmac.ComputeHash(dataStream);
dataStream.Position = 0;
if (tok.Length - 1 < newSig.Length)
throw new OpenIdException(Strings.InvalidSignature);
for (int i = 0; i < newSig.Length; i++)
if (tok[i + 1] != newSig[i])
throw new OpenIdException(Strings.InvalidSignature);
signatureVerified = true;
} else {
// Oops, we have no application state, so we have no way of validating the signature.
throw new OpenIdException(Strings.InconsistentAppState);
}
} else {
dataStream = new MemoryStream(tok, 1, tok.Length - 1);
}
StreamReader reader = new StreamReader(dataStream);
ServiceEndpoint endpoint = ServiceEndpoint.Deserialize(reader);
Nonce nonce = null;
if (signatureVerified && persistNonce(endpoint, store)) {
nonce = new Nonce(reader.ReadLine(), false);
nonce.Consume(store);
}
if (!signatureVerified) {
verifyEndpointByDiscovery(endpoint);
}
return new Token(nonce, endpoint);
}
/// <summary>
/// Initializes a new instance of the <see cref="OpenIdProvider" /> class.
/// </summary>
/// <param name="nonceStore">The nonce store to use. Cannot be null.</param>
/// <param name="cryptoKeyStore">The crypto key store. Cannot be null.</param>
/// <param name="hostFactories">The host factories.</param>
private OpenIdProvider(INonceStore nonceStore, ICryptoKeyStore cryptoKeyStore, IHostFactories hostFactories)
{
Requires.NotNull(nonceStore, "nonceStore");
Requires.NotNull(cryptoKeyStore, "cryptoKeyStore");
this.SecuritySettings = OpenIdElement.Configuration.Provider.SecuritySettings.CreateSecuritySettings();
this.behaviors.CollectionChanged += this.OnBehaviorsChanged;
foreach (var behavior in OpenIdElement.Configuration.Provider.Behaviors.CreateInstances(false, null))
{
this.behaviors.Add(behavior);
}
this.AssociationStore = new SwitchingAssociationStore(cryptoKeyStore, this.SecuritySettings);
this.Channel = new OpenIdProviderChannel(this.AssociationStore, nonceStore, this.SecuritySettings, hostFactories);
this.CryptoKeyStore = cryptoKeyStore;
this.discoveryServices = new IdentifierDiscoveryServices(this);
Reporting.RecordFeatureAndDependencyUse(this, nonceStore);
}
/// <summary>
/// Initializes a new instance of the <see cref="OpenIdRelyingParty"/> class.
/// </summary>
/// <param name="associationStore">The association store. If null, the relying party will always operate in "dumb mode".</param>
/// <param name="nonceStore">The nonce store to use. If null, the relying party will always operate in "dumb mode".</param>
private OpenIdRelyingParty(IAssociationStore <Uri> associationStore, INonceStore nonceStore)
{
// If we are a smart-mode RP (supporting associations), then we MUST also be
// capable of storing nonces to prevent replay attacks.
// If we're a dumb-mode RP, then 2.0 OPs are responsible for preventing replays.
ErrorUtilities.VerifyArgument(associationStore == null || nonceStore != null, OpenIdStrings.AssociationStoreRequiresNonceStore);
this.securitySettings = DotNetOpenAuthSection.Configuration.OpenId.RelyingParty.SecuritySettings.CreateSecuritySettings();
// Without a nonce store, we must rely on the Provider to protect against
// replay attacks. But only 2.0+ Providers can be expected to provide
// replay protection.
if (nonceStore == null)
{
this.SecuritySettings.MinimumRequiredOpenIdVersion = ProtocolVersion.V20;
}
this.channel = new OpenIdChannel(associationStore, nonceStore, this.SecuritySettings);
this.AssociationManager = new AssociationManager(this.Channel, associationStore, this.SecuritySettings);
}
