public static string EncodeJWT(JWTSecurityToken jwt) { // Create JWT handler // This object is used to write/sign/decode/validate JWTs JWTSecurityTokenHandler jwtHandler = new JWTSecurityTokenHandler(); // Serialize the JWT // This is how our JWT looks on the wire: <Base64UrlEncoded header>.<Base64UrlEncoded body>.<signature> string jwtOnTheWire = jwtHandler.WriteToken(jwt); return jwtOnTheWire; }
public static void ValidateToken(OpenIdConnectToken token, OpenIdConnectTokenValidationParameters validationParams) { JWTSecurityToken securityToken = new JWTSecurityToken(token.IdToken); if (validationParams.ValidateIssuer) { if (securityToken.Issuer != validationParams.ValidIssuer) { throw new ApplicationException("The audience is not valid"); } } if (validationParams.ValidateNotBefore) { if (securityToken.ValidFrom > DateTime.UtcNow) { throw new ApplicationException("The token is not currently valid"); } } if (validationParams.ValidateExpiration) { DateTime currentTime = DateTime.UtcNow; if ((securityToken.ValidTo.ToUniversalTime() <= currentTime) || (currentTime> securityToken.ValidFrom.ToUniversalTime().Add(new TimeSpan(0,0,token.ExpiresIn)))) { throw new ApplicationException("The token is not valid anymore"); } } }
public void TestSessionToken() { var tokenString = _client.CreateUserSessionToken("user"); var tok = new JWTSecurityToken(tokenString); object actualUserID; Assert.True(tok.Payload.TryGetValue("user_id", out actualUserID)); Assert.AreEqual("user", (string)actualUserID); var extra = new Dictionary <string, object>() { { "client", "dotnet" }, { "testing", true } }; tokenString = _client.CreateUserSessionToken("user2", extra); tok = new JWTSecurityToken(tokenString); object data; Assert.True(tok.Payload.TryGetValue("user_id", out data)); Assert.AreEqual("user2", (string)data); Assert.True(tok.Payload.TryGetValue("client", out data)); Assert.AreEqual("dotnet", (string)data); Assert.True(tok.Payload.TryGetValue("testing", out data)); Assert.AreEqual(true, (bool)data); Assert.False(tok.Payload.ContainsKey("missing")); }
public ActionResult Register() { if (Request.IsAuthenticated) { using (var client = new HttpClient()) { BootstrapContext bc = ClaimsPrincipal.Current.Identities.First().BootstrapContext as BootstrapContext; JWTSecurityToken jwt = bc.SecurityToken as JWTSecurityToken; string rawToken = jwt.RawData; string api = ConfigurationManager.AppSettings["fa:APIEndPoint"]; client.DefaultRequestHeaders.TryAddWithoutValidation("Authorization", "Bearer " + rawToken); var productDetailUrl = new Uri(api + "customer/5"); var model = client .GetAsync(productDetailUrl) .Result .Content.ReadAsAsync <Customer>().Result; //ViewBag.role = model.Email; return(View()); } } else { ViewBag.MetaDataScript = ConfigurationManager.AppSettings["fa:LoginProviders"]; return(View("~/Views/Account/Login.cshtml")); } }
public HttpResponseMessage SignInCallBack(string callback) { diagnostics.WriteInformationTrace(TraceEventId.InboundParameters, "Client callback uri:{0}", callback); ClaimsPrincipal principal = this.User as ClaimsPrincipal; BootstrapContext context = principal.Identities.First().BootstrapContext as BootstrapContext; JWTSecurityToken jwtToken = context.SecurityToken as JWTSecurityToken; UriBuilder builder = new UriBuilder(new Uri(callback)); TimeSpan span = jwtToken.ValidTo.Subtract(jwtToken.ValidFrom); double seconds = span.TotalSeconds; string queryparam = string.Format("{0}={1}&{2}={3}", Constants.JWTCOOKIETOKEN_PARAM, HttpUtility.UrlEncode(jwtToken.RawData), Constants.JWTCOOKIETOKEN_VALIDTO_PARAM, HttpUtility.UrlEncode(seconds.ToString())); builder.Query = queryparam; var response = Request.CreateResponse(HttpStatusCode.Moved); response.Headers.Location = builder.Uri; diagnostics.WriteVerboseTrace(TraceEventId.OutboundParameters, "Redirect Uri post authentication process:{0}", response.Headers.Location); return(response); }
public static string EncodeJWT(JWTSecurityToken jwt) { // Create JWT handler // This object is used to write/sign/decode/validate JWTs JWTSecurityTokenHandler jwtHandler = new JWTSecurityTokenHandler(); // Serialize the JWT // This is how our JWT looks on the wire: <Base64UrlEncoded header>.<Base64UrlEncoded body>.<signature> string jwtOnTheWire = jwtHandler.WriteToken(jwt); return(jwtOnTheWire); }
public static JWTSecurityToken GenerateJwtToken(string issuer, string subject, string audience, DateTime expires) { DateTime issuedAt = DateTime.UtcNow; // Create a simple JWT claim set IList<Claim> claims = new List<Claim>() { new Claim("sub", subject), new Claim("iat", ToUnixTime(issuedAt).ToString()) }; // Create a JWT with signing credentials and lifetime of 12 hours JWTSecurityToken jwt = new JWTSecurityToken(issuer, audience, claims, null, issuedAt, expires); return jwt; }
public ActionResult Token(OpenIdConnectTokenRequest tokenRequest) { if (MvcApplication.codesGenerated.ContainsKey(tokenRequest.code) && (tokenRequest.grant_type == "authorization_code")) { if (!MvcApplication.codesGenerated[tokenRequest.code]) { //you used it, now you flag it MvcApplication.codesGenerated[tokenRequest.code] = true; string issuer = Config.SERVER_ADDRESS; string audience = MvcApplication.registeredAuthorizations.SingleOrDefault(x => x.Code == tokenRequest.code).ClientIdentifier; //By decision, the signature will not be included //byte[] signature = AlhambraJwtTokenManager.GenerateSymmetricKeyForHmacSha256(); string subject = User.Identity.Name; DateTime issuedAt = DateTime.UtcNow; DateTime expires = DateTime.UtcNow.AddMinutes(2); JWTSecurityToken jwt = AlhambraJwtTokenManager.GenerateJwtToken(issuer, subject, audience, expires); string jwtReadyToBeSent = AlhambraJwtTokenManager.EncodeJWT(jwt); OpenIdConnectToken token = new OpenIdConnectToken(); Guid newAccessToken = Guid.NewGuid(); Guid newRefreshToken = Guid.NewGuid(); MvcApplication.tokensGenerated.Add(newAccessToken, newRefreshToken); token.access_token = newAccessToken.ToString(); token.expires_in = "120"; token.refresh_token = newRefreshToken.ToString(); token.id_token = jwtReadyToBeSent; token.token_type = "Bearer"; string result = JsonConvert.SerializeObject(token); return(Content(result, "application/json")); } else { throw new HttpException((int)HttpStatusCode.Unauthorized, "This code has already been used"); } } else { throw new HttpException((int)HttpStatusCode.BadRequest, "The request is not valid"); } }
public static string DecodeJWT(JWTSecurityToken jwt) { // Create JWT handler // This object is used to write/sign/decode/validate JWTs JWTSecurityTokenHandler jwtHandler = new JWTSecurityTokenHandler(); // Serialize the JWT // This is how our JWT looks on the wire: <Base64UrlEncoded header>.<Base64UrlEncoded body>.<signature> string jwtOnTheWire = jwtHandler.WriteToken(jwt); // Parse JWT from the Base64UrlEncoded wire form (<Base64UrlEncoded header>.<Base64UrlEncoded body>.<signature>) JWTSecurityToken parsedJwt = jwtHandler.ReadToken(jwtOnTheWire) as JWTSecurityToken; return parsedJwt.ToString(); }
public static string DecodeJWT(JWTSecurityToken jwt) { // Create JWT handler // This object is used to write/sign/decode/validate JWTs JWTSecurityTokenHandler jwtHandler = new JWTSecurityTokenHandler(); // Serialize the JWT // This is how our JWT looks on the wire: <Base64UrlEncoded header>.<Base64UrlEncoded body>.<signature> string jwtOnTheWire = jwtHandler.WriteToken(jwt); // Parse JWT from the Base64UrlEncoded wire form (<Base64UrlEncoded header>.<Base64UrlEncoded body>.<signature>) JWTSecurityToken parsedJwt = jwtHandler.ReadToken(jwtOnTheWire) as JWTSecurityToken; return(parsedJwt.ToString()); }
/// <summary> /// Auth Controller /// </summary> public AuthController ( IOptions <JWTSecurityToken> jwtSettings, UserManager <ApplicationUser> userManager, SignInManager <ApplicationUser> signInManager, IConfiguration configuration, IEmailService emailService ) { _jwtSettings = jwtSettings.Value; _userManager = userManager; _signInManager = signInManager; _configuration = configuration; _emailService = emailService; }
public override ClaimsPrincipal ValidateToken(JWTSecurityToken jwt, TokenValidationParameters validationParameters) { Check.IsNotNull(jwt, "jwt"); Check.IsNotNull(validationParameters, "validationParameters"); diagnostics.WriteInformationTrace(TraceEventId.InboundParameters, "JWT token details from ACS: {0}, {1}, {2}, {3}", jwt.Issuer, jwt.ValidFrom, jwt.ValidTo, jwt.RawData); string audienceUrl; if (this.Configuration != null) { audienceUrl = this.Configuration.AudienceRestriction.AllowedAudienceUris[0].ToString(); } else { audienceUrl = validationParameters.AllowedAudience; } // set up valid issuers if ((validationParameters.ValidIssuer == null) && (validationParameters.ValidIssuers == null || !validationParameters.ValidIssuers.Any())) { List <string> issuers = new List <string>(); issuers.AddRange(ConfigurationManager.AppSettings["Issuers"].Split(new[] { ',' })); validationParameters.ValidIssuers = issuers; } // setup signing token. if (validationParameters.SigningToken == null) { var resolver = (NamedKeyIssuerTokenResolver)this.Configuration.IssuerTokenResolver; if (resolver.SecurityKeys != null) { List <SecurityKey> skeys; if (resolver.SecurityKeys.TryGetValue(audienceUrl, out skeys)) { var tok = new NamedKeySecurityToken(audienceUrl, skeys); validationParameters.SigningToken = tok; } } } diagnostics.WriteInformationTrace(TraceEventId.Flow, "Successfully validated JWT token from ACS"); return(base.ValidateToken(jwt, validationParameters)); }
public static JWTSecurityToken GenerateJwtToken(string issuer, string subject, string audience, DateTime expires) { DateTime issuedAt = DateTime.UtcNow; // Create a simple JWT claim set IList <Claim> claims = new List <Claim>() { new Claim("sub", subject), new Claim("iat", ToUnixTime(issuedAt).ToString()) }; // Create a JWT with signing credentials and lifetime of 12 hours JWTSecurityToken jwt = new JWTSecurityToken(issuer, audience, claims, null, issuedAt, expires); return(jwt); }
public override ClaimsPrincipal ValidateToken(JWTSecurityToken jwt, TokenValidationParameters validationParameters) { Check.IsNotNull(jwt, "jwt"); Check.IsNotNull(validationParameters, "validationParameters"); diagnostics.WriteInformationTrace(TraceEventId.InboundParameters, "JWT token details from ACS: {0}, {1}, {2}, {3}", jwt.Issuer, jwt.ValidFrom, jwt.ValidTo, jwt.RawData); string audienceUrl; if (this.Configuration != null) { audienceUrl = this.Configuration.AudienceRestriction.AllowedAudienceUris[0].ToString(); } else { audienceUrl = validationParameters.AllowedAudience; } // set up valid issuers if ((validationParameters.ValidIssuer == null) && (validationParameters.ValidIssuers == null || !validationParameters.ValidIssuers.Any())) { List<string> issuers = new List<string>(); issuers.AddRange(ConfigurationManager.AppSettings["Issuers"].Split(new[] { ',' })); validationParameters.ValidIssuers = issuers; } // setup signing token. if (validationParameters.SigningToken == null) { var resolver = (NamedKeyIssuerTokenResolver)this.Configuration.IssuerTokenResolver; if (resolver.SecurityKeys != null) { List<SecurityKey> skeys; if (resolver.SecurityKeys.TryGetValue(audienceUrl, out skeys)) { var tok = new NamedKeySecurityToken(audienceUrl, skeys); validationParameters.SigningToken = tok; } } } diagnostics.WriteInformationTrace(TraceEventId.Flow, "Successfully validated JWT token from ACS"); return base.ValidateToken(jwt, validationParameters); }
public override ClaimsPrincipal ValidateToken(JWTSecurityToken jwt, TokenValidationParameters validationParameters) { if ((validationParameters.ValidIssuer == null) && (validationParameters.ValidIssuers == null || !validationParameters.ValidIssuers.Any())) { //validationParameters.ValidIssuers = new List<string>(((ValidatingIssuerNameRegistry)Configuration.IssuerNameRegistry).IssuingAuthorities.First().Issuers); validationParameters.ValidIssuers = new List <string> { ((ConfigurationBasedIssuerNameRegistry)Configuration.IssuerNameRegistry).ConfiguredTrustedIssuers.First().Value }; } if (validationParameters.SigningToken == null) { validationParameters.SigningToken = new X509SecurityToken(new X509Certificate2( GetSigningCertificate(ConfigurationManager.AppSettings["ida:FederationMetadataLocation"]))); } return(base.ValidateToken(jwt, validationParameters)); }
/// <summary> /// Returns the OpenID token already serialized to be sent to the client /// </summary> /// <param name="tokenRequest"></param> /// <returns></returns> public static OpenIdConnectTokenRequestResponse GenerateOpenIdConnectToken(string issuer, string audience, string subject, string code, string scopes, int expiresIn=0) { if (string.IsNullOrEmpty(issuer) || string.IsNullOrEmpty(audience) || string.IsNullOrEmpty(subject) || string.IsNullOrEmpty(code) || string.IsNullOrEmpty(scopes) || expiresIn<0) { throw new ApplicationException("The parameters provided are not valid"); } DateTime issuedAt = DateTime.UtcNow; DateTime expires = DateTime.UtcNow.AddMinutes(2); JWTSecurityTokenHandler jwtHandler = new JWTSecurityTokenHandler(); // Create a simple JWT claim set IList<Claim> claims = new List<Claim>() { new Claim("sub", subject), new Claim("iat", ToUnixTime(issuedAt).ToString()) }; JWTSecurityToken jwt = new JWTSecurityToken(issuer, audience, claims, null, issuedAt, expires); OpenIdConnectTokenRequestResponse tokenResponse = new OpenIdConnectTokenRequestResponse(); string newAccessToken = GenerateOpenIdConnectToken(); string newRefreshToken = GenerateOpenIdConnectToken(); string jwtReadyToBeSent = jwtHandler.WriteToken(jwt); tokenResponse.access_token = newAccessToken; tokenResponse.expires_in = expiresIn.ToString(); if (scopes.Contains("offline_access")) { tokenResponse.refresh_token = newRefreshToken.ToString(); } else { tokenResponse.refresh_token = null; } tokenResponse.id_token = jwtReadyToBeSent; tokenResponse.token_type = "Bearer"; //string serializedResponse = JsonConvert.SerializeObject(tokenResponse); return tokenResponse; }
public JsonResult AddCustomer(Customer customer) { using (var client = new HttpClient()) { BootstrapContext bc = ClaimsPrincipal.Current.Identities.First().BootstrapContext as BootstrapContext; JWTSecurityToken jwt = bc.SecurityToken as JWTSecurityToken; string rawToken = jwt.RawData; client.DefaultRequestHeaders.TryAddWithoutValidation("Authorization", "Bearer " + rawToken); string api = ConfigurationManager.AppSettings["fa:APIEndPoint"]; var productDetailUrl = api + "customer"; var response = client.PostAsJsonAsync(productDetailUrl, customer).Result; string message = response.IsSuccessStatusCode ? "OK": "Failed"; return(Json(new { message })); } }
public static bool IsTokenValid(JWTSecurityToken jwt, string audience, string issuer, byte[] signature) { bool result = false; // Create token validation parameters for the signed JWT // This object will be used to verify the cryptographic signature of the received JWT TokenValidationParameters validationParams = new TokenValidationParameters() { AllowedAudience = audience, ValidIssuer = issuer, ValidateExpiration = true, ValidateNotBefore = false, ValidateIssuer = true, ValidateSignature = true, //SigningToken = null SigningToken = new BinarySecretSecurityToken(signature) }; // Create JWT handler // This object is used to write/sign/decode/validate JWTs JWTSecurityTokenHandler jwtHandler = new JWTSecurityTokenHandler(); // Serialize the JWT // This is how our JWT looks on the wire: <Base64UrlEncoded header>.<Base64UrlEncoded body>.<signature> string jwtOnTheWire = jwtHandler.WriteToken(jwt); try { // Validate the token signature (we provide the shared symmetric key in `validationParams`) // This will throw if the signature does not validate // jwtHandler.ValidateToken(jwtOnTheWire, validationParams); jwtHandler.ValidateToken(jwt, validationParams); result = true; } catch { result = false; } return(result); }
public ActionResult About() { BootstrapContext bc = ClaimsPrincipal.Current.Identities.First().BootstrapContext as BootstrapContext; JWTSecurityToken jwt = bc.SecurityToken as JWTSecurityToken; string rawToken = jwt.RawData; string api = ConfigurationManager.AppSettings["fa:APIEndPoint"]; HttpWebRequest request = WebRequest.Create(api + "values/1") as HttpWebRequest; request.Method = "POST"; request.Headers["Authorization"] = "Bearer " + rawToken; //request.ContentType = "application/json"; string postData = "=Short test..."; byte[] byteArray = Encoding.UTF8.GetBytes(postData); request.ContentType = "application/x-www-form-urlencoded"; request.ContentLength = byteArray.Length; Stream dataStream = request.GetRequestStream(); dataStream.Write(byteArray, 0, byteArray.Length); dataStream.Close(); string responseTxt = String.Empty; using (HttpWebResponse response = request.GetResponse() as HttpWebResponse) { if (response.StatusCode == HttpStatusCode.NoContent) { return(RedirectToAction("Register", "Account")); } var reader = new StreamReader(response.GetResponseStream()); responseTxt = reader.ReadToEnd(); response.Close(); } ViewBag.Message = api + " : " + responseTxt; return(View()); }
public static JWTSecurityToken GenerateJwtToken(string issuer, string subject, string audience, DateTime expires, byte[] signature) { DateTime issuedAt = DateTime.UtcNow; // Create signing credentials for the signed JWT. // This object is used to cryptographically sign the JWT by the issuer. SigningCredentials signingCredentials = new SigningCredentials( new InMemorySymmetricSecurityKey(signature), "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256", "http://www.w3.org/2001/04/xmlenc#sha256"); // Create a simple JWT claim set IList<Claim> claims = new List<Claim>() { new Claim("sub", subject), new Claim("iat", ToUnixTime(issuedAt).ToString()) }; // Create a JWT with signing credentials and lifetime of 12 hours JWTSecurityToken jwt = new JWTSecurityToken(issuer, audience, claims, signingCredentials, issuedAt, expires); return jwt; }
public static JWTSecurityToken GenerateJwtToken(string issuer, string subject, string audience, DateTime expires, byte[] signature) { DateTime issuedAt = DateTime.UtcNow; // Create signing credentials for the signed JWT. // This object is used to cryptographically sign the JWT by the issuer. SigningCredentials signingCredentials = new SigningCredentials( new InMemorySymmetricSecurityKey(signature), "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256", "http://www.w3.org/2001/04/xmlenc#sha256"); // Create a simple JWT claim set IList <Claim> claims = new List <Claim>() { new Claim("sub", subject), new Claim("iat", ToUnixTime(issuedAt).ToString()) }; // Create a JWT with signing credentials and lifetime of 12 hours JWTSecurityToken jwt = new JWTSecurityToken(issuer, audience, claims, signingCredentials, issuedAt, expires); return(jwt); }
// [Authorize] public ActionResult AlhambraCallback(AlhambraCallbackInput input) { //System.Web.HttpContext.Current.Application["Authorization"] = (AuthorizationState) client.ProcessUserAuthorization(this.Request); //AuthorizationState auth = (AuthorizationState)client.ProcessUserAuthorization(this.Request); // System.Web.HttpContext.Current.Application["Authorization"] = auth; // CurrentAuthorizationState = auth; //string code = Request.QueryString["code"]; //System.Web.HttpContext.Current.Application.Add("Code",Request.QueryString["code"]); //string accessToken = Request.QueryString["access_token"]; //authorizationState = client.ProcessUserAuthorization(this.Request); var tokenInfoUrl = Config.SERVER_ADDRESS + "/OAuth2/Token"; var httpClient = new HttpClient(); string decodedNetworkCredentials = string.Format("{0}:{1}", ConfigurationManager.AppSettings["alhambraIdentifier"], ConfigurationManager.AppSettings["alhambraSecret"]); string encodedNetworkCredentials = Convert.ToBase64String(Encoding.ASCII.GetBytes(decodedNetworkCredentials)); httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic", encodedNetworkCredentials); Dictionary<string, string> formVals = new Dictionary<string, string>(); formVals.Add("grant_type", "authorization_code"); formVals.Add("code", input.code); formVals.Add("redirect_uri", Config.CLIENT_ADDRESS + "/OpenIdConnect/AlhambraCallback"); HttpRequestMessage postRequest = new HttpRequestMessage(HttpMethod.Post, tokenInfoUrl); postRequest.Content = new FormUrlEncodedContent(formVals); HttpResponseMessage postResponse = httpClient.SendAsync(postRequest).Result; //in the form of an actionresult instead of a function //because the httpclient provides the authorization header //by the time it performs the request //string tokenInfo = httpClient.GetAsync(tokenInfoUrl).Result.Content.ReadAsStringAsync().Result; // System.Web.HttpContext.Current.Application["Token"]= tokenInfo; //var tv = new AlhambraTokenValidator(); //tv.ValidateToken(tokenInfo, "NATURE"); // string userInfoUrl = CLIENT_ADDRESS + "/UserInfo"; // OAuth2Graph userInfo = httpClient.GetAsync(userInfoUrl).Result.Content.ReadAsAsync<OAuth2Graph>().Result; // string userInfo = httpClient.GetAsync(userInfoUrl).Result.Content.ReadAsStringAsync().Result; // OAuth2Graph userinfo = client.GetUserInfo(auth.AccessToken); //string result = JsonConvert.SerializeObject(userinfo); OpenIdConnectToken result = postResponse.Content.ReadAsAsync<OpenIdConnectToken>().Result; JWTSecurityToken token = new JWTSecurityToken(result.id_token); string jwtDecoded = AlhambraJwtTokenManager.DecodeJWT(token); return Content("access_token: " + result.access_token + "<br/>refresh_token: " + result.refresh_token + "<br/>expires_in: " + result.expires_in + "<br/>id_token: " + result.id_token + "<br/>issuer: " + token.Issuer + "<br/>Audience: " + token.Audience + "<br/>Valid From: " + token.ValidFrom.ToString("yyyy-MM-ddThh:mm:ssZ") + "<br/>Valid To: " + token.ValidTo.ToString("yyyy-MM-ddThh:mm:ssZ")); }
protected override string NameIdentifierClaimType(JWTSecurityToken jwt) { return(ClaimTypes.GivenName); }
public static bool IsTokenValid(JWTSecurityToken jwt, string audience, string issuer, byte[] signature) { bool result = false; // Create token validation parameters for the signed JWT // This object will be used to verify the cryptographic signature of the received JWT TokenValidationParameters validationParams = new TokenValidationParameters() { AllowedAudience = audience, ValidIssuer = issuer, ValidateExpiration = true, ValidateNotBefore = false, ValidateIssuer = true, ValidateSignature = true, //SigningToken = null SigningToken = new BinarySecretSecurityToken(signature) }; // Create JWT handler // This object is used to write/sign/decode/validate JWTs JWTSecurityTokenHandler jwtHandler = new JWTSecurityTokenHandler(); // Serialize the JWT // This is how our JWT looks on the wire: <Base64UrlEncoded header>.<Base64UrlEncoded body>.<signature> string jwtOnTheWire = jwtHandler.WriteToken(jwt); try { // Validate the token signature (we provide the shared symmetric key in `validationParams`) // This will throw if the signature does not validate // jwtHandler.ValidateToken(jwtOnTheWire, validationParams); jwtHandler.ValidateToken(jwt, validationParams); result = true; } catch { result = false; } return result; }
/// <summary> /// Processes the request based on the path. /// </summary> /// <param name="context">Contains the request and response.</param> public void ProcessRequest(HttpContext context) { // Get the code from the request POST body. string accessToken = context.Request.Params["access_token"]; string idToken = context.Request.Params["id_token"]; // Validate the ID token if (idToken != null) { JWTSecurityToken token = new JWTSecurityToken(idToken); JWTSecurityTokenHandler jwt = new JWTSecurityTokenHandler(); // Configure validation Byte[][] certBytes = getCertBytes(); for (int i = 0; i < certBytes.Length; i++) { X509Certificate2 certificate = new X509Certificate2(certBytes[i]); X509SecurityToken certToken = new X509SecurityToken(certificate); // Set up token validation TokenValidationParameters tvp = new TokenValidationParameters(); tvp.AllowedAudience = CLIENT_ID; tvp.SigningToken = certToken; tvp.ValidIssuer = "accounts.google.com"; // Enable / disable tests tvp.ValidateNotBefore = false; tvp.ValidateExpiration = true; tvp.ValidateSignature = true; tvp.ValidateIssuer = true; // Account for clock skew. Look at current time when getting the message // "The token is expired" in try/catch block. // This is relative to GMT, for example, GMT-8 is: tvp.ClockSkewInSeconds = 3600 * 13; try { // Validate using the provider ClaimsPrincipal cp = jwt.ValidateToken(token, tvp); if (cp != null) { its.valid = true; its.message = "Valid ID Token."; } } catch (Exception e) { // Multiple certificates are tested. if (its.valid != true) { its.message = "Invalid ID Token."; } if (e.Message.IndexOf("The token is expired") > 0) { // TODO: Check current time in the exception for clock skew. } } } // Get the Google+ id for this user from the "sub" claim. Claim[] claims = token.Claims.ToArray<Claim>(); for (int i = 0; i < claims.Length; i++) { if (claims[i].Type.Equals("sub")) { its.gplus_id = claims[i].Value; } } } // Use Tokeninfo to validate the user and the client. var tokeninfo_request = new Oauth2Service().Tokeninfo(); tokeninfo_request.Access_token = accessToken; // Use Google as a trusted provider to validate the token. // Invalid values, including expired tokens, return 400 Tokeninfo tokeninfo = null; try { tokeninfo = tokeninfo_request.Fetch(); if (tokeninfo.Issued_to != CLIENT_ID){ ats.message = "Access Token not meant for this app."; }else{ ats.valid = true; ats.message = "Valid Access Token."; ats.gplus_id = tokeninfo.User_id; } } catch (Exception stve) { ats.message = "Invalid Access Token."; } // Use the wrapper to return JSON token_status_wrapper tsr = new token_status_wrapper(); tsr.id_token_status = its; tsr.access_token_status = ats; context.Response.StatusCode = 200; context.Response.ContentType = "text/json"; context.Response.Write(JsonConvert.SerializeObject(tsr)); }
// [Authorize] public ActionResult AlhambraCallback(AlhambraCallbackInput input) { //System.Web.HttpContext.Current.Application["Authorization"] = (AuthorizationState) client.ProcessUserAuthorization(this.Request); //AuthorizationState auth = (AuthorizationState)client.ProcessUserAuthorization(this.Request); // System.Web.HttpContext.Current.Application["Authorization"] = auth; // CurrentAuthorizationState = auth; //string code = Request.QueryString["code"]; //System.Web.HttpContext.Current.Application.Add("Code",Request.QueryString["code"]); //string accessToken = Request.QueryString["access_token"]; //authorizationState = client.ProcessUserAuthorization(this.Request); var tokenInfoUrl = Config.SERVER_ADDRESS + "/OAuth2/Token"; var httpClient = new HttpClient(); string decodedNetworkCredentials = string.Format("{0}:{1}", ConfigurationManager.AppSettings["alhambraIdentifier"], ConfigurationManager.AppSettings["alhambraSecret"]); string encodedNetworkCredentials = Convert.ToBase64String(Encoding.ASCII.GetBytes(decodedNetworkCredentials)); httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic", encodedNetworkCredentials); Dictionary <string, string> formVals = new Dictionary <string, string>(); formVals.Add("grant_type", "authorization_code"); formVals.Add("code", input.code); formVals.Add("redirect_uri", Config.CLIENT_ADDRESS + "/OpenIdConnect/AlhambraCallback"); HttpRequestMessage postRequest = new HttpRequestMessage(HttpMethod.Post, tokenInfoUrl); postRequest.Content = new FormUrlEncodedContent(formVals); HttpResponseMessage postResponse = httpClient.SendAsync(postRequest).Result; //in the form of an actionresult instead of a function //because the httpclient provides the authorization header //by the time it performs the request //string tokenInfo = httpClient.GetAsync(tokenInfoUrl).Result.Content.ReadAsStringAsync().Result; // System.Web.HttpContext.Current.Application["Token"]= tokenInfo; //var tv = new AlhambraTokenValidator(); //tv.ValidateToken(tokenInfo, "NATURE"); // string userInfoUrl = CLIENT_ADDRESS + "/UserInfo"; // OAuth2Graph userInfo = httpClient.GetAsync(userInfoUrl).Result.Content.ReadAsAsync<OAuth2Graph>().Result; // string userInfo = httpClient.GetAsync(userInfoUrl).Result.Content.ReadAsStringAsync().Result; // OAuth2Graph userinfo = client.GetUserInfo(auth.AccessToken); //string result = JsonConvert.SerializeObject(userinfo); OpenIdConnectToken result = postResponse.Content.ReadAsAsync <OpenIdConnectToken>().Result; JWTSecurityToken token = new JWTSecurityToken(result.id_token); string jwtDecoded = AlhambraJwtTokenManager.DecodeJWT(token); return(Content("access_token: " + result.access_token + "<br/>refresh_token: " + result.refresh_token + "<br/>expires_in: " + result.expires_in + "<br/>id_token: " + result.id_token + "<br/>issuer: " + token.Issuer + "<br/>Audience: " + token.Audience + "<br/>Valid From: " + token.ValidFrom.ToString("yyyy-MM-ddThh:mm:ssZ") + "<br/>Valid To: " + token.ValidTo.ToString("yyyy-MM-ddThh:mm:ssZ"))); }
/// <summary> /// Processes the request based on the path. /// </summary> /// <param name="context">Contains the request and response.</param> public async Task <WebApplication.Api.Controllers.AccountController.GoogleUserViewModel> VerifyGoogleAccessToken(string accessToken, string idToken) { // Validate the ID token if (idToken != null) { JWTSecurityToken token = new JWTSecurityToken(idToken); JWTSecurityTokenHandler jwt = new JWTSecurityTokenHandler(); // Configure validation Byte[][] certBytes = getCertBytes(); for (int i = 0; i < certBytes.Length; i++) { X509Certificate2 certificate = new X509Certificate2(certBytes[i]); X509SecurityToken certToken = new X509SecurityToken(certificate); // Set up token validation TokenValidationParameters tvp = new TokenValidationParameters(); tvp.AllowedAudience = CLIENT_ID; tvp.SigningToken = certToken; tvp.ValidIssuer = "accounts.google.com"; // Enable / disable tests tvp.ValidateNotBefore = false; tvp.ValidateExpiration = true; tvp.ValidateSignature = true; tvp.ValidateIssuer = true; // Account for clock skew. Look at current time when getting the message // "The token is expired" in try/catch block. // This is relative to GMT, for example, GMT-8 is: tvp.ClockSkewInSeconds = 3600 * 13; try { // Validate using the provider ClaimsPrincipal cp = jwt.ValidateToken(token, tvp); if (cp != null) { its.valid = true; its.message = "Valid ID Token."; its.aud = cp.FindFirst("aud").Value; its.azp = cp.FindFirst("azp").Value; its.email = cp.FindFirst("email").Value; its.sub = cp.FindFirst("sub").Value; } } catch (Exception e) { // Multiple certificates are tested. if (its.valid != true) { its.message = "Invalid ID Token."; } if (e.Message.IndexOf("The token is expired") > 0) { // TODO: Check current time in the exception for clock skew. } } } // Get the Google+ id for this user from the "gplus_id" claim. Claim[] claims = token.Claims.ToArray <Claim>(); for (int i = 0; i < claims.Length; i++) { if (claims[i].Type.Equals("gplus_id")) { its.gplus_id = claims[i].Value; } } } // Use the wrapper to return JSON token_status_wrapper tsr = new token_status_wrapper(); tsr.id_token_status = its; tsr.access_token_status = ats; if (its.valid) { WebApplication.Api.Controllers.AccountController.GoogleUserViewModel fbUser = new Api.Controllers.AccountController.GoogleUserViewModel(); fbUser.Email = its.email; fbUser.aud = its.aud; fbUser.azp = its.azp; fbUser.gplus_id = its.gplus_id; fbUser.sub = its.sub; return(fbUser); } return(null); }