public static string EncodeJWT(JWTSecurityToken jwt)
{
// Create JWT handler
// This object is used to write/sign/decode/validate JWTs
JWTSecurityTokenHandler jwtHandler = new JWTSecurityTokenHandler();
// Serialize the JWT
// This is how our JWT looks on the wire: <Base64UrlEncoded header>.<Base64UrlEncoded body>.<signature>
string jwtOnTheWire = jwtHandler.WriteToken(jwt);
return jwtOnTheWire;
}
public static void ValidateToken(OpenIdConnectToken token, OpenIdConnectTokenValidationParameters validationParams)
{
JWTSecurityToken securityToken = new JWTSecurityToken(token.IdToken);
if (validationParams.ValidateIssuer)
{
if (securityToken.Issuer != validationParams.ValidIssuer)
{
throw new ApplicationException("The audience is not valid");
}
}
if (validationParams.ValidateNotBefore)
{
if (securityToken.ValidFrom > DateTime.UtcNow)
{
throw new ApplicationException("The token is not currently valid");
}
}
if (validationParams.ValidateExpiration)
{
DateTime currentTime = DateTime.UtcNow;
if ((securityToken.ValidTo.ToUniversalTime() <= currentTime) || (currentTime> securityToken.ValidFrom.ToUniversalTime().Add(new TimeSpan(0,0,token.ExpiresIn))))
{
throw new ApplicationException("The token is not valid anymore");
}
}
}
public void TestSessionToken()
{
var tokenString = _client.CreateUserSessionToken("user");
var tok = new JWTSecurityToken(tokenString);
object actualUserID;
Assert.True(tok.Payload.TryGetValue("user_id", out actualUserID));
Assert.AreEqual("user", (string)actualUserID);
var extra = new Dictionary <string, object>()
{
{ "client", "dotnet" },
{ "testing", true }
};
tokenString = _client.CreateUserSessionToken("user2", extra);
tok = new JWTSecurityToken(tokenString);
object data;
Assert.True(tok.Payload.TryGetValue("user_id", out data));
Assert.AreEqual("user2", (string)data);
Assert.True(tok.Payload.TryGetValue("client", out data));
Assert.AreEqual("dotnet", (string)data);
Assert.True(tok.Payload.TryGetValue("testing", out data));
Assert.AreEqual(true, (bool)data);
Assert.False(tok.Payload.ContainsKey("missing"));
}
public ActionResult Register()
{
if (Request.IsAuthenticated)
{
using (var client = new HttpClient())
{
BootstrapContext bc = ClaimsPrincipal.Current.Identities.First().BootstrapContext as BootstrapContext;
JWTSecurityToken jwt = bc.SecurityToken as JWTSecurityToken;
string rawToken = jwt.RawData;
string api = ConfigurationManager.AppSettings["fa:APIEndPoint"];
client.DefaultRequestHeaders.TryAddWithoutValidation("Authorization", "Bearer " + rawToken);
var productDetailUrl = new Uri(api + "customer/5");
var model = client
.GetAsync(productDetailUrl)
.Result
.Content.ReadAsAsync <Customer>().Result;
//ViewBag.role = model.Email;
return(View());
}
}
else
{
ViewBag.MetaDataScript = ConfigurationManager.AppSettings["fa:LoginProviders"];
return(View("~/Views/Account/Login.cshtml"));
}
}
public HttpResponseMessage SignInCallBack(string callback)
{
diagnostics.WriteInformationTrace(TraceEventId.InboundParameters,
"Client callback uri:{0}", callback);
ClaimsPrincipal principal = this.User as ClaimsPrincipal;
BootstrapContext context = principal.Identities.First().BootstrapContext as BootstrapContext;
JWTSecurityToken jwtToken = context.SecurityToken as JWTSecurityToken;
UriBuilder builder = new UriBuilder(new Uri(callback));
TimeSpan span = jwtToken.ValidTo.Subtract(jwtToken.ValidFrom);
double seconds = span.TotalSeconds;
string queryparam = string.Format("{0}={1}&{2}={3}", Constants.JWTCOOKIETOKEN_PARAM, HttpUtility.UrlEncode(jwtToken.RawData), Constants.JWTCOOKIETOKEN_VALIDTO_PARAM, HttpUtility.UrlEncode(seconds.ToString()));
builder.Query = queryparam;
var response = Request.CreateResponse(HttpStatusCode.Moved);
response.Headers.Location = builder.Uri;
diagnostics.WriteVerboseTrace(TraceEventId.OutboundParameters,
"Redirect Uri post authentication process:{0}",
response.Headers.Location);
return(response);
}
public static string EncodeJWT(JWTSecurityToken jwt)
{
// Create JWT handler
// This object is used to write/sign/decode/validate JWTs
JWTSecurityTokenHandler jwtHandler = new JWTSecurityTokenHandler();
// Serialize the JWT
// This is how our JWT looks on the wire: <Base64UrlEncoded header>.<Base64UrlEncoded body>.<signature>
string jwtOnTheWire = jwtHandler.WriteToken(jwt);
return(jwtOnTheWire);
}
public static JWTSecurityToken GenerateJwtToken(string issuer, string subject, string audience, DateTime expires)
{
DateTime issuedAt = DateTime.UtcNow;
// Create a simple JWT claim set
IList<Claim> claims = new List<Claim>() {
new Claim("sub", subject),
new Claim("iat", ToUnixTime(issuedAt).ToString()) };
// Create a JWT with signing credentials and lifetime of 12 hours
JWTSecurityToken jwt = new JWTSecurityToken(issuer, audience, claims, null, issuedAt, expires);
return jwt;
}
public ActionResult Token(OpenIdConnectTokenRequest tokenRequest)
{
if (MvcApplication.codesGenerated.ContainsKey(tokenRequest.code) && (tokenRequest.grant_type == "authorization_code"))
{
if (!MvcApplication.codesGenerated[tokenRequest.code])
{
//you used it, now you flag it
MvcApplication.codesGenerated[tokenRequest.code] = true;
string issuer = Config.SERVER_ADDRESS;
string audience = MvcApplication.registeredAuthorizations.SingleOrDefault(x => x.Code == tokenRequest.code).ClientIdentifier;
//By decision, the signature will not be included
//byte[] signature = AlhambraJwtTokenManager.GenerateSymmetricKeyForHmacSha256();
string subject = User.Identity.Name;
DateTime issuedAt = DateTime.UtcNow;
DateTime expires = DateTime.UtcNow.AddMinutes(2);
JWTSecurityToken jwt = AlhambraJwtTokenManager.GenerateJwtToken(issuer, subject, audience, expires);
string jwtReadyToBeSent = AlhambraJwtTokenManager.EncodeJWT(jwt);
OpenIdConnectToken token = new OpenIdConnectToken();
Guid newAccessToken = Guid.NewGuid();
Guid newRefreshToken = Guid.NewGuid();
MvcApplication.tokensGenerated.Add(newAccessToken, newRefreshToken);
token.access_token = newAccessToken.ToString();
token.expires_in = "120";
token.refresh_token = newRefreshToken.ToString();
token.id_token = jwtReadyToBeSent;
token.token_type = "Bearer";
string result = JsonConvert.SerializeObject(token);
return(Content(result, "application/json"));
}
else
{
throw new HttpException((int)HttpStatusCode.Unauthorized, "This code has already been used");
}
}
else
{
throw new HttpException((int)HttpStatusCode.BadRequest, "The request is not valid");
}
}
public static string DecodeJWT(JWTSecurityToken jwt)
{
// Create JWT handler
// This object is used to write/sign/decode/validate JWTs
JWTSecurityTokenHandler jwtHandler = new JWTSecurityTokenHandler();
// Serialize the JWT
// This is how our JWT looks on the wire: <Base64UrlEncoded header>.<Base64UrlEncoded body>.<signature>
string jwtOnTheWire = jwtHandler.WriteToken(jwt);
// Parse JWT from the Base64UrlEncoded wire form (<Base64UrlEncoded header>.<Base64UrlEncoded body>.<signature>)
JWTSecurityToken parsedJwt = jwtHandler.ReadToken(jwtOnTheWire) as JWTSecurityToken;
return parsedJwt.ToString();
}
public static string DecodeJWT(JWTSecurityToken jwt)
{
// Create JWT handler
// This object is used to write/sign/decode/validate JWTs
JWTSecurityTokenHandler jwtHandler = new JWTSecurityTokenHandler();
// Serialize the JWT
// This is how our JWT looks on the wire: <Base64UrlEncoded header>.<Base64UrlEncoded body>.<signature>
string jwtOnTheWire = jwtHandler.WriteToken(jwt);
// Parse JWT from the Base64UrlEncoded wire form (<Base64UrlEncoded header>.<Base64UrlEncoded body>.<signature>)
JWTSecurityToken parsedJwt = jwtHandler.ReadToken(jwtOnTheWire) as JWTSecurityToken;
return(parsedJwt.ToString());
}
/// <summary>
/// Auth Controller
/// </summary>
public AuthController
(
IOptions <JWTSecurityToken> jwtSettings,
UserManager <ApplicationUser> userManager,
SignInManager <ApplicationUser> signInManager,
IConfiguration configuration,
IEmailService emailService
)
{
_jwtSettings = jwtSettings.Value;
_userManager = userManager;
_signInManager = signInManager;
_configuration = configuration;
_emailService = emailService;
}
public override ClaimsPrincipal ValidateToken(JWTSecurityToken jwt, TokenValidationParameters validationParameters)
{
Check.IsNotNull(jwt, "jwt");
Check.IsNotNull(validationParameters, "validationParameters");
diagnostics.WriteInformationTrace(TraceEventId.InboundParameters,
"JWT token details from ACS: {0}, {1}, {2}, {3}",
jwt.Issuer, jwt.ValidFrom, jwt.ValidTo, jwt.RawData);
string audienceUrl;
if (this.Configuration != null)
{
audienceUrl = this.Configuration.AudienceRestriction.AllowedAudienceUris[0].ToString();
}
else
{
audienceUrl = validationParameters.AllowedAudience;
}
// set up valid issuers
if ((validationParameters.ValidIssuer == null) &&
(validationParameters.ValidIssuers == null || !validationParameters.ValidIssuers.Any()))
{
List <string> issuers = new List <string>();
issuers.AddRange(ConfigurationManager.AppSettings["Issuers"].Split(new[] { ',' }));
validationParameters.ValidIssuers = issuers;
}
// setup signing token.
if (validationParameters.SigningToken == null)
{
var resolver = (NamedKeyIssuerTokenResolver)this.Configuration.IssuerTokenResolver;
if (resolver.SecurityKeys != null)
{
List <SecurityKey> skeys;
if (resolver.SecurityKeys.TryGetValue(audienceUrl, out skeys))
{
var tok = new NamedKeySecurityToken(audienceUrl, skeys);
validationParameters.SigningToken = tok;
}
}
}
diagnostics.WriteInformationTrace(TraceEventId.Flow, "Successfully validated JWT token from ACS");
return(base.ValidateToken(jwt, validationParameters));
}
public static JWTSecurityToken GenerateJwtToken(string issuer, string subject, string audience, DateTime expires)
{
DateTime issuedAt = DateTime.UtcNow;
// Create a simple JWT claim set
IList <Claim> claims = new List <Claim>()
{
new Claim("sub", subject),
new Claim("iat", ToUnixTime(issuedAt).ToString())
};
// Create a JWT with signing credentials and lifetime of 12 hours
JWTSecurityToken jwt = new JWTSecurityToken(issuer, audience, claims, null, issuedAt, expires);
return(jwt);
}
public override ClaimsPrincipal ValidateToken(JWTSecurityToken jwt, TokenValidationParameters validationParameters)
{
Check.IsNotNull(jwt, "jwt");
Check.IsNotNull(validationParameters, "validationParameters");
diagnostics.WriteInformationTrace(TraceEventId.InboundParameters,
"JWT token details from ACS: {0}, {1}, {2}, {3}",
jwt.Issuer, jwt.ValidFrom, jwt.ValidTo, jwt.RawData);
string audienceUrl;
if (this.Configuration != null)
{
audienceUrl = this.Configuration.AudienceRestriction.AllowedAudienceUris[0].ToString();
}
else
{
audienceUrl = validationParameters.AllowedAudience;
}
// set up valid issuers
if ((validationParameters.ValidIssuer == null) &&
(validationParameters.ValidIssuers == null || !validationParameters.ValidIssuers.Any()))
{
List<string> issuers = new List<string>();
issuers.AddRange(ConfigurationManager.AppSettings["Issuers"].Split(new[] { ',' }));
validationParameters.ValidIssuers = issuers;
}
// setup signing token.
if (validationParameters.SigningToken == null)
{
var resolver = (NamedKeyIssuerTokenResolver)this.Configuration.IssuerTokenResolver;
if (resolver.SecurityKeys != null)
{
List<SecurityKey> skeys;
if (resolver.SecurityKeys.TryGetValue(audienceUrl, out skeys))
{
var tok = new NamedKeySecurityToken(audienceUrl, skeys);
validationParameters.SigningToken = tok;
}
}
}
diagnostics.WriteInformationTrace(TraceEventId.Flow, "Successfully validated JWT token from ACS");
return base.ValidateToken(jwt, validationParameters);
}
public override ClaimsPrincipal ValidateToken(JWTSecurityToken jwt, TokenValidationParameters validationParameters)
{
if ((validationParameters.ValidIssuer == null) && (validationParameters.ValidIssuers == null || !validationParameters.ValidIssuers.Any()))
{
//validationParameters.ValidIssuers = new List<string>(((ValidatingIssuerNameRegistry)Configuration.IssuerNameRegistry).IssuingAuthorities.First().Issuers);
validationParameters.ValidIssuers = new List <string> {
((ConfigurationBasedIssuerNameRegistry)Configuration.IssuerNameRegistry).ConfiguredTrustedIssuers.First().Value
};
}
if (validationParameters.SigningToken == null)
{
validationParameters.SigningToken = new X509SecurityToken(new X509Certificate2(
GetSigningCertificate(ConfigurationManager.AppSettings["ida:FederationMetadataLocation"])));
}
return(base.ValidateToken(jwt, validationParameters));
}
/// <summary>
/// Returns the OpenID token already serialized to be sent to the client
/// </summary>
/// <param name="tokenRequest"></param>
/// <returns></returns>
public static OpenIdConnectTokenRequestResponse GenerateOpenIdConnectToken(string issuer, string audience, string subject, string code, string scopes, int expiresIn=0)
{
if (string.IsNullOrEmpty(issuer) || string.IsNullOrEmpty(audience) || string.IsNullOrEmpty(subject) || string.IsNullOrEmpty(code) || string.IsNullOrEmpty(scopes) || expiresIn<0)
{
throw new ApplicationException("The parameters provided are not valid");
}
DateTime issuedAt = DateTime.UtcNow;
DateTime expires = DateTime.UtcNow.AddMinutes(2);
JWTSecurityTokenHandler jwtHandler = new JWTSecurityTokenHandler();
// Create a simple JWT claim set
IList<Claim> claims = new List<Claim>() {
new Claim("sub", subject),
new Claim("iat", ToUnixTime(issuedAt).ToString()) };
JWTSecurityToken jwt = new JWTSecurityToken(issuer, audience, claims, null, issuedAt, expires);
OpenIdConnectTokenRequestResponse tokenResponse = new OpenIdConnectTokenRequestResponse();
string newAccessToken = GenerateOpenIdConnectToken();
string newRefreshToken = GenerateOpenIdConnectToken();
string jwtReadyToBeSent = jwtHandler.WriteToken(jwt);
tokenResponse.access_token = newAccessToken;
tokenResponse.expires_in = expiresIn.ToString();
if (scopes.Contains("offline_access"))
{
tokenResponse.refresh_token = newRefreshToken.ToString();
}
else
{
tokenResponse.refresh_token = null;
}
tokenResponse.id_token = jwtReadyToBeSent;
tokenResponse.token_type = "Bearer";
//string serializedResponse = JsonConvert.SerializeObject(tokenResponse);
return tokenResponse;
}
public JsonResult AddCustomer(Customer customer)
{
using (var client = new HttpClient())
{
BootstrapContext bc = ClaimsPrincipal.Current.Identities.First().BootstrapContext as BootstrapContext;
JWTSecurityToken jwt = bc.SecurityToken as JWTSecurityToken;
string rawToken = jwt.RawData;
client.DefaultRequestHeaders.TryAddWithoutValidation("Authorization", "Bearer " + rawToken);
string api = ConfigurationManager.AppSettings["fa:APIEndPoint"];
var productDetailUrl = api + "customer";
var response = client.PostAsJsonAsync(productDetailUrl, customer).Result;
string message = response.IsSuccessStatusCode ? "OK": "Failed";
return(Json(new { message }));
}
}
public static bool IsTokenValid(JWTSecurityToken jwt, string audience, string issuer, byte[] signature)
{
bool result = false;
// Create token validation parameters for the signed JWT
// This object will be used to verify the cryptographic signature of the received JWT
TokenValidationParameters validationParams =
new TokenValidationParameters()
{
AllowedAudience = audience,
ValidIssuer = issuer,
ValidateExpiration = true,
ValidateNotBefore = false,
ValidateIssuer = true,
ValidateSignature = true,
//SigningToken = null
SigningToken = new BinarySecretSecurityToken(signature)
};
// Create JWT handler
// This object is used to write/sign/decode/validate JWTs
JWTSecurityTokenHandler jwtHandler = new JWTSecurityTokenHandler();
// Serialize the JWT
// This is how our JWT looks on the wire: <Base64UrlEncoded header>.<Base64UrlEncoded body>.<signature>
string jwtOnTheWire = jwtHandler.WriteToken(jwt);
try
{
// Validate the token signature (we provide the shared symmetric key in `validationParams`)
// This will throw if the signature does not validate
// jwtHandler.ValidateToken(jwtOnTheWire, validationParams);
jwtHandler.ValidateToken(jwt, validationParams);
result = true;
}
catch
{
result = false;
}
return(result);
}
public ActionResult About()
{
BootstrapContext bc = ClaimsPrincipal.Current.Identities.First().BootstrapContext as BootstrapContext;
JWTSecurityToken jwt = bc.SecurityToken as JWTSecurityToken;
string rawToken = jwt.RawData;
string api = ConfigurationManager.AppSettings["fa:APIEndPoint"];
HttpWebRequest request = WebRequest.Create(api + "values/1") as HttpWebRequest;
request.Method = "POST";
request.Headers["Authorization"] = "Bearer " + rawToken;
//request.ContentType = "application/json";
string postData = "=Short test...";
byte[] byteArray = Encoding.UTF8.GetBytes(postData);
request.ContentType = "application/x-www-form-urlencoded";
request.ContentLength = byteArray.Length;
Stream dataStream = request.GetRequestStream();
dataStream.Write(byteArray, 0, byteArray.Length);
dataStream.Close();
string responseTxt = String.Empty;
using (HttpWebResponse response = request.GetResponse() as HttpWebResponse)
{
if (response.StatusCode == HttpStatusCode.NoContent)
{
return(RedirectToAction("Register", "Account"));
}
var reader = new StreamReader(response.GetResponseStream());
responseTxt = reader.ReadToEnd();
response.Close();
}
ViewBag.Message = api + " : " + responseTxt;
return(View());
}
public static JWTSecurityToken GenerateJwtToken(string issuer, string subject, string audience, DateTime expires, byte[] signature)
{
DateTime issuedAt = DateTime.UtcNow;
// Create signing credentials for the signed JWT.
// This object is used to cryptographically sign the JWT by the issuer.
SigningCredentials signingCredentials = new SigningCredentials(
new InMemorySymmetricSecurityKey(signature),
"http://www.w3.org/2001/04/xmldsig-more#hmac-sha256",
"http://www.w3.org/2001/04/xmlenc#sha256");
// Create a simple JWT claim set
IList<Claim> claims = new List<Claim>() {
new Claim("sub", subject),
new Claim("iat", ToUnixTime(issuedAt).ToString()) };
// Create a JWT with signing credentials and lifetime of 12 hours
JWTSecurityToken jwt = new JWTSecurityToken(issuer, audience, claims, signingCredentials, issuedAt, expires);
return jwt;
}
public static JWTSecurityToken GenerateJwtToken(string issuer, string subject, string audience, DateTime expires, byte[] signature)
{
DateTime issuedAt = DateTime.UtcNow;
// Create signing credentials for the signed JWT.
// This object is used to cryptographically sign the JWT by the issuer.
SigningCredentials signingCredentials = new SigningCredentials(
new InMemorySymmetricSecurityKey(signature),
"http://www.w3.org/2001/04/xmldsig-more#hmac-sha256",
"http://www.w3.org/2001/04/xmlenc#sha256");
// Create a simple JWT claim set
IList <Claim> claims = new List <Claim>()
{
new Claim("sub", subject),
new Claim("iat", ToUnixTime(issuedAt).ToString())
};
// Create a JWT with signing credentials and lifetime of 12 hours
JWTSecurityToken jwt = new JWTSecurityToken(issuer, audience, claims, signingCredentials, issuedAt, expires);
return(jwt);
}
// [Authorize]
public ActionResult AlhambraCallback(AlhambraCallbackInput input)
{
//System.Web.HttpContext.Current.Application["Authorization"] = (AuthorizationState) client.ProcessUserAuthorization(this.Request);
//AuthorizationState auth = (AuthorizationState)client.ProcessUserAuthorization(this.Request);
// System.Web.HttpContext.Current.Application["Authorization"] = auth;
// CurrentAuthorizationState = auth;
//string code = Request.QueryString["code"];
//System.Web.HttpContext.Current.Application.Add("Code",Request.QueryString["code"]);
//string accessToken = Request.QueryString["access_token"];
//authorizationState = client.ProcessUserAuthorization(this.Request);
var tokenInfoUrl = Config.SERVER_ADDRESS + "/OAuth2/Token";
var httpClient = new HttpClient();
string decodedNetworkCredentials = string.Format("{0}:{1}", ConfigurationManager.AppSettings["alhambraIdentifier"], ConfigurationManager.AppSettings["alhambraSecret"]);
string encodedNetworkCredentials = Convert.ToBase64String(Encoding.ASCII.GetBytes(decodedNetworkCredentials));
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic", encodedNetworkCredentials);
Dictionary<string, string> formVals = new Dictionary<string, string>();
formVals.Add("grant_type", "authorization_code");
formVals.Add("code", input.code);
formVals.Add("redirect_uri", Config.CLIENT_ADDRESS + "/OpenIdConnect/AlhambraCallback");
HttpRequestMessage postRequest = new HttpRequestMessage(HttpMethod.Post, tokenInfoUrl);
postRequest.Content = new FormUrlEncodedContent(formVals);
HttpResponseMessage postResponse = httpClient.SendAsync(postRequest).Result;
//in the form of an actionresult instead of a function
//because the httpclient provides the authorization header
//by the time it performs the request
//string tokenInfo = httpClient.GetAsync(tokenInfoUrl).Result.Content.ReadAsStringAsync().Result;
// System.Web.HttpContext.Current.Application["Token"]= tokenInfo;
//var tv = new AlhambraTokenValidator();
//tv.ValidateToken(tokenInfo, "NATURE");
// string userInfoUrl = CLIENT_ADDRESS + "/UserInfo";
// OAuth2Graph userInfo = httpClient.GetAsync(userInfoUrl).Result.Content.ReadAsAsync<OAuth2Graph>().Result;
// string userInfo = httpClient.GetAsync(userInfoUrl).Result.Content.ReadAsStringAsync().Result;
// OAuth2Graph userinfo = client.GetUserInfo(auth.AccessToken);
//string result = JsonConvert.SerializeObject(userinfo);
OpenIdConnectToken result = postResponse.Content.ReadAsAsync<OpenIdConnectToken>().Result;
JWTSecurityToken token = new JWTSecurityToken(result.id_token);
string jwtDecoded = AlhambraJwtTokenManager.DecodeJWT(token);
return Content("access_token: " + result.access_token +
"<br/>refresh_token: " + result.refresh_token +
"<br/>expires_in: " + result.expires_in +
"<br/>id_token: " + result.id_token +
"<br/>issuer: " + token.Issuer +
"<br/>Audience: " + token.Audience +
"<br/>Valid From: " + token.ValidFrom.ToString("yyyy-MM-ddThh:mm:ssZ") +
"<br/>Valid To: " + token.ValidTo.ToString("yyyy-MM-ddThh:mm:ssZ"));
}
protected override string NameIdentifierClaimType(JWTSecurityToken jwt)
{
return(ClaimTypes.GivenName);
}
public static bool IsTokenValid(JWTSecurityToken jwt, string audience, string issuer, byte[] signature)
{
bool result = false;
// Create token validation parameters for the signed JWT
// This object will be used to verify the cryptographic signature of the received JWT
TokenValidationParameters validationParams =
new TokenValidationParameters()
{
AllowedAudience = audience,
ValidIssuer = issuer,
ValidateExpiration = true,
ValidateNotBefore = false,
ValidateIssuer = true,
ValidateSignature = true,
//SigningToken = null
SigningToken = new BinarySecretSecurityToken(signature)
};
// Create JWT handler
// This object is used to write/sign/decode/validate JWTs
JWTSecurityTokenHandler jwtHandler = new JWTSecurityTokenHandler();
// Serialize the JWT
// This is how our JWT looks on the wire: <Base64UrlEncoded header>.<Base64UrlEncoded body>.<signature>
string jwtOnTheWire = jwtHandler.WriteToken(jwt);
try
{
// Validate the token signature (we provide the shared symmetric key in `validationParams`)
// This will throw if the signature does not validate
// jwtHandler.ValidateToken(jwtOnTheWire, validationParams);
jwtHandler.ValidateToken(jwt, validationParams);
result = true;
}
catch
{
result = false;
}
return result;
}
/// <summary>
/// Processes the request based on the path.
/// </summary>
/// <param name="context">Contains the request and response.</param>
public void ProcessRequest(HttpContext context)
{
// Get the code from the request POST body.
string accessToken = context.Request.Params["access_token"];
string idToken = context.Request.Params["id_token"];
// Validate the ID token
if (idToken != null)
{
JWTSecurityToken token = new JWTSecurityToken(idToken);
JWTSecurityTokenHandler jwt = new JWTSecurityTokenHandler();
// Configure validation
Byte[][] certBytes = getCertBytes();
for (int i = 0; i < certBytes.Length; i++)
{
X509Certificate2 certificate = new X509Certificate2(certBytes[i]);
X509SecurityToken certToken = new X509SecurityToken(certificate);
// Set up token validation
TokenValidationParameters tvp = new TokenValidationParameters();
tvp.AllowedAudience = CLIENT_ID;
tvp.SigningToken = certToken;
tvp.ValidIssuer = "accounts.google.com";
// Enable / disable tests
tvp.ValidateNotBefore = false;
tvp.ValidateExpiration = true;
tvp.ValidateSignature = true;
tvp.ValidateIssuer = true;
// Account for clock skew. Look at current time when getting the message
// "The token is expired" in try/catch block.
// This is relative to GMT, for example, GMT-8 is:
tvp.ClockSkewInSeconds = 3600 * 13;
try
{
// Validate using the provider
ClaimsPrincipal cp = jwt.ValidateToken(token, tvp);
if (cp != null)
{
its.valid = true;
its.message = "Valid ID Token.";
}
}
catch (Exception e)
{
// Multiple certificates are tested.
if (its.valid != true)
{
its.message = "Invalid ID Token.";
}
if (e.Message.IndexOf("The token is expired") > 0)
{
// TODO: Check current time in the exception for clock skew.
}
}
}
// Get the Google+ id for this user from the "sub" claim.
Claim[] claims = token.Claims.ToArray<Claim>();
for (int i = 0; i < claims.Length; i++)
{
if (claims[i].Type.Equals("sub"))
{
its.gplus_id = claims[i].Value;
}
}
}
// Use Tokeninfo to validate the user and the client.
var tokeninfo_request = new Oauth2Service().Tokeninfo();
tokeninfo_request.Access_token = accessToken;
// Use Google as a trusted provider to validate the token.
// Invalid values, including expired tokens, return 400
Tokeninfo tokeninfo = null;
try
{
tokeninfo = tokeninfo_request.Fetch();
if (tokeninfo.Issued_to != CLIENT_ID){
ats.message = "Access Token not meant for this app.";
}else{
ats.valid = true;
ats.message = "Valid Access Token.";
ats.gplus_id = tokeninfo.User_id;
}
}
catch (Exception stve)
{
ats.message = "Invalid Access Token.";
}
// Use the wrapper to return JSON
token_status_wrapper tsr = new token_status_wrapper();
tsr.id_token_status = its;
tsr.access_token_status = ats;
context.Response.StatusCode = 200;
context.Response.ContentType = "text/json";
context.Response.Write(JsonConvert.SerializeObject(tsr));
}
// [Authorize]
public ActionResult AlhambraCallback(AlhambraCallbackInput input)
{
//System.Web.HttpContext.Current.Application["Authorization"] = (AuthorizationState) client.ProcessUserAuthorization(this.Request);
//AuthorizationState auth = (AuthorizationState)client.ProcessUserAuthorization(this.Request);
// System.Web.HttpContext.Current.Application["Authorization"] = auth;
// CurrentAuthorizationState = auth;
//string code = Request.QueryString["code"];
//System.Web.HttpContext.Current.Application.Add("Code",Request.QueryString["code"]);
//string accessToken = Request.QueryString["access_token"];
//authorizationState = client.ProcessUserAuthorization(this.Request);
var tokenInfoUrl = Config.SERVER_ADDRESS + "/OAuth2/Token";
var httpClient = new HttpClient();
string decodedNetworkCredentials = string.Format("{0}:{1}", ConfigurationManager.AppSettings["alhambraIdentifier"], ConfigurationManager.AppSettings["alhambraSecret"]);
string encodedNetworkCredentials = Convert.ToBase64String(Encoding.ASCII.GetBytes(decodedNetworkCredentials));
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic", encodedNetworkCredentials);
Dictionary <string, string> formVals = new Dictionary <string, string>();
formVals.Add("grant_type", "authorization_code");
formVals.Add("code", input.code);
formVals.Add("redirect_uri", Config.CLIENT_ADDRESS + "/OpenIdConnect/AlhambraCallback");
HttpRequestMessage postRequest = new HttpRequestMessage(HttpMethod.Post, tokenInfoUrl);
postRequest.Content = new FormUrlEncodedContent(formVals);
HttpResponseMessage postResponse = httpClient.SendAsync(postRequest).Result;
//in the form of an actionresult instead of a function
//because the httpclient provides the authorization header
//by the time it performs the request
//string tokenInfo = httpClient.GetAsync(tokenInfoUrl).Result.Content.ReadAsStringAsync().Result;
// System.Web.HttpContext.Current.Application["Token"]= tokenInfo;
//var tv = new AlhambraTokenValidator();
//tv.ValidateToken(tokenInfo, "NATURE");
// string userInfoUrl = CLIENT_ADDRESS + "/UserInfo";
// OAuth2Graph userInfo = httpClient.GetAsync(userInfoUrl).Result.Content.ReadAsAsync<OAuth2Graph>().Result;
// string userInfo = httpClient.GetAsync(userInfoUrl).Result.Content.ReadAsStringAsync().Result;
// OAuth2Graph userinfo = client.GetUserInfo(auth.AccessToken);
//string result = JsonConvert.SerializeObject(userinfo);
OpenIdConnectToken result = postResponse.Content.ReadAsAsync <OpenIdConnectToken>().Result;
JWTSecurityToken token = new JWTSecurityToken(result.id_token);
string jwtDecoded = AlhambraJwtTokenManager.DecodeJWT(token);
return(Content("access_token: " + result.access_token +
"<br/>refresh_token: " + result.refresh_token +
"<br/>expires_in: " + result.expires_in +
"<br/>id_token: " + result.id_token +
"<br/>issuer: " + token.Issuer +
"<br/>Audience: " + token.Audience +
"<br/>Valid From: " + token.ValidFrom.ToString("yyyy-MM-ddThh:mm:ssZ") +
"<br/>Valid To: " + token.ValidTo.ToString("yyyy-MM-ddThh:mm:ssZ")));
}
/// <summary>
/// Processes the request based on the path.
/// </summary>
/// <param name="context">Contains the request and response.</param>
public async Task <WebApplication.Api.Controllers.AccountController.GoogleUserViewModel> VerifyGoogleAccessToken(string accessToken, string idToken)
{
// Validate the ID token
if (idToken != null)
{
JWTSecurityToken token = new JWTSecurityToken(idToken);
JWTSecurityTokenHandler jwt = new JWTSecurityTokenHandler();
// Configure validation
Byte[][] certBytes = getCertBytes();
for (int i = 0; i < certBytes.Length; i++)
{
X509Certificate2 certificate = new X509Certificate2(certBytes[i]);
X509SecurityToken certToken = new X509SecurityToken(certificate);
// Set up token validation
TokenValidationParameters tvp = new TokenValidationParameters();
tvp.AllowedAudience = CLIENT_ID;
tvp.SigningToken = certToken;
tvp.ValidIssuer = "accounts.google.com";
// Enable / disable tests
tvp.ValidateNotBefore = false;
tvp.ValidateExpiration = true;
tvp.ValidateSignature = true;
tvp.ValidateIssuer = true;
// Account for clock skew. Look at current time when getting the message
// "The token is expired" in try/catch block.
// This is relative to GMT, for example, GMT-8 is:
tvp.ClockSkewInSeconds = 3600 * 13;
try
{
// Validate using the provider
ClaimsPrincipal cp = jwt.ValidateToken(token, tvp);
if (cp != null)
{
its.valid = true;
its.message = "Valid ID Token.";
its.aud = cp.FindFirst("aud").Value;
its.azp = cp.FindFirst("azp").Value;
its.email = cp.FindFirst("email").Value;
its.sub = cp.FindFirst("sub").Value;
}
}
catch (Exception e)
{
// Multiple certificates are tested.
if (its.valid != true)
{
its.message = "Invalid ID Token.";
}
if (e.Message.IndexOf("The token is expired") > 0)
{
// TODO: Check current time in the exception for clock skew.
}
}
}
// Get the Google+ id for this user from the "gplus_id" claim.
Claim[] claims = token.Claims.ToArray <Claim>();
for (int i = 0; i < claims.Length; i++)
{
if (claims[i].Type.Equals("gplus_id"))
{
its.gplus_id = claims[i].Value;
}
}
}
// Use the wrapper to return JSON
token_status_wrapper tsr = new token_status_wrapper();
tsr.id_token_status = its;
tsr.access_token_status = ats;
if (its.valid)
{
WebApplication.Api.Controllers.AccountController.GoogleUserViewModel fbUser = new Api.Controllers.AccountController.GoogleUserViewModel();
fbUser.Email = its.email;
fbUser.aud = its.aud;
fbUser.azp = its.azp;
fbUser.gplus_id = its.gplus_id;
fbUser.sub = its.sub;
return(fbUser);
}
return(null);
}
