public override Task ValidateIdentity(OAuthValidateIdentityContext context)
{
var ipToken = context.Ticket.Properties.Dictionary["UserIp"];
var ipRequest = context.Request.RemoteIpAddress;
if (!ipToken.Equals(ipRequest))
{
context.Rejected();
context.SetError("MENSAJE_ERROR_TOKEN_IP_INVALIDA");
return(Task.FromResult <object>(null));
}
if (context.Request.Headers.ContainsKey("Authorization"))
{
var tokenRequest = context.Request.Headers["Authorization"].Replace("Bearer ", "").Trim();
var strIdUsuario = context.Ticket.Properties.Dictionary["IdUsuario"];
//var tokenTaskHelper = TokenTaskHelper.GetInstance();
var tokenUsuario = TokenTaskHelper.GetToken(strIdUsuario);
if (tokenUsuario == null || !tokenUsuario.Equals(tokenRequest))
{
var login = new LoginController();
var idUsuario = Int64.Parse(strIdUsuario);
var tokenAux = login.GetTokenUsuario(idUsuario);
tokenUsuario = TokenTaskHelper.SetToken(strIdUsuario, tokenAux);
}
if (!tokenUsuario.Equals(tokenRequest))
{
context.Rejected();
context.SetError("MENSAJE_ERROR_TOKEN_USUAIRO_INCONSISTENTE");
return(Task.FromResult <object>(null));
}
}
return(base.ValidateIdentity(context));
}
public override Task ValidateIdentity(OAuthValidateIdentityContext context)
{
if (context == null)
{
throw new ArgumentNullException("context");
}
if (context.Ticket.Identity.Claims.Count() == 0)
{
context.Rejected();
}
else if (context.Ticket.Identity.Claims.All(c => c.Issuer == ClaimsIdentity.DefaultIssuer))
{
context.Rejected();
}
return(Task.FromResult <object>(null));
}
public Task ValidateIdentity(OAuthValidateIdentityContext context)
{
System.Security.Claims.Claim claim = context.Ticket.Identity.Claims.Where(x => x.Type == "userGetwayIP" && x.Value.ToString() == HttpContext.Current.Request.UserHostAddress.ToString()).FirstOrDefault();
if (claim == null)
{
context.SetError("Inform that you are a good boy :) don't try this step again");
context.Rejected();
context.Response.StatusCode = 400;
}
else if (checkInjection(context))
{
context.SetError("Not acceptable input");
context.Rejected();
context.Response.StatusCode = 406;
}
return(Task.FromResult <object>(null));
}
public Task ValidateIdentity(OAuthValidateIdentityContext context)
{
if (!string.IsNullOrEmpty(token))
{
var tokenHandler = new JwtSecurityTokenHandler();
var validationParameters = new TokenValidationParameters()
{
ValidAudience = "all",
IssuerSigningToken = new BinarySecretSecurityToken(Convert.FromBase64String("KJiuweUH2234KJBJbkjk234234fgdfc56566")),
ValidIssuer = "http://vcdbpoc-staging.azurewebsites.net"
};
try
{
SecurityToken securityToken;
var claimsPrinciple = tokenHandler.ValidateToken(token, validationParameters, out securityToken);
context.Validated(new ClaimsIdentity(claimsPrinciple.Claims, OAuthDefaults.AuthenticationType));
return(Task.FromResult(0));
}
catch (Exception ex)
{
context.Rejected();
return(Task.FromResult(0));
}
//var notPadded = token.Split('.')[1];
//var padded = notPadded.PadRight(notPadded.Length + (4 - notPadded.Length % 4) % 4, '=');
//var urlUnescaped = padded.Replace('-', '+').Replace('_', '/');
//var claimsPart = Convert.FromBase64String(urlUnescaped);
//var obj = JObject.Parse(Encoding.UTF8.GetString(claimsPart, 0, claimsPart.Length));
//// simple, not handling specific types, arrays, etc.
//foreach (var prop in obj.Properties().AsJEnumerable())
//{
// if (!context.Ticket.Identity.HasClaim(prop.Name, prop.Value.Value<string>()))
// {
// context.Ticket.Identity.AddClaim(new Claim(prop.Name, prop.Value.Value<string>()));
// }
//}
}
context.Rejected();
return(Task.FromResult(0));
}
public async Task ValidateIdentity(OAuthValidateIdentityContext context)
{
if (context == null)
{
throw new ArgumentNullException("context");
}
if (context.Ticket.Identity.Claims.Count() == 0)
{
context.Rejected();
}
else if (context.Ticket.Identity.Claims.All(c => c.Issuer == ClaimsIdentity.DefaultIssuer))
{
context.Rejected();
}
else
{
var accessToken = context.Ticket.Identity.FindFirst(Security.ClaimTypes.AccessToken);
if (accessToken != null && !string.IsNullOrEmpty(accessToken.Value))
{
try
{
var response = await "https://www.googleapis.com/oauth2/v3/tokeninfo"
.SetQueryParam("access_token", accessToken.Value)
.GetAsync();
if (!response.IsSuccessStatusCode)
{
context.Rejected();
}
else
{
context.Validated();
}
}
catch (FlurlHttpException ex)
{
context.Rejected();
}
}
else
{
context.Rejected();
}
}
}
public override Task ValidateIdentity(OAuthValidateIdentityContext context)
{
var claims = context.Ticket.Identity.Claims;
if (claims.Count() == 0 || claims.Any(claim => claim.Issuer != "Facebook" && claim.Issuer != "Twitter" && claim.Issuer != "LOCAL_AUTHORITY"))
{
context.Rejected();
}
return(Task.FromResult <object>(null));
}
// This validates the identity based on the issuer of the claim.
// The issuer is set in the API endpoint that logs the user in
public override Task ValidateIdentity(OAuthValidateIdentityContext context)
{
IEnumerable <Claim> claims = context.Ticket.Identity.Claims;
if (null == claims || 0 == claims.Count() || claims.Any(claim => claim.Issuer.ToString() != "Facebook" && claim.Issuer.ToString() != "Google" && claim.Issuer.ToString() != "LOCAL_AUTHORITY"))
{
context.Rejected();
}
return(Task.FromResult <object>(null));
}
public override Task ValidateIdentity(OAuthValidateIdentityContext context)
{
var identity = context.Ticket?.Identity;
var masterIdClaim = identity?.Claims.FirstOrDefault(x => x.Type == "masterId");
if (masterIdClaim == null)
{
context.Rejected();
}
else
{
var storedIdentity = this.principalStorage[masterIdClaim.Value];
if (storedIdentity == null)
{
context.Rejected();
}
}
return(base.ValidateIdentity(context));
}
// This validates the identity based on the issuer of the claim.
// The issuer is set in the API endpoint that logs the user in
public override Task ValidateIdentity(OAuthValidateIdentityContext context)
{
IEnumerable <Claim> claims = context.Ticket.Identity.Claims;
if (!claims.Any() || claims.Any(claim => claim.Type != "GoogleAccessToken")) // modify claim name
{
context.Rejected();
}
return(Task.FromResult <object>(null));
}
// This validates the identity based on the issuer of the claim.
// The issuer is set in the API endpoint that logs the user in
public override Task ValidateIdentity(OAuthValidateIdentityContext context)
{
var claims = context.Ticket.Identity.Claims;
var enumerable = claims as Claim[] ?? claims.ToArray();
if (!enumerable.Any() || enumerable.Any(claim => claim.Issuer != "Facebook" && claim.Issuer != "LOCAL_AUTHORITY"))
{
context.Rejected();
}
return(Task.FromResult <object>(null));
}
public override Task ValidateIdentity(OAuthValidateIdentityContext context)
{
var identity = context.Ticket?.Identity;
var userIdClaim = identity?.Claims.FirstOrDefault(x => x.Type == ClaimTypes.NameIdentifier);
if (userIdClaim == null)
{
context.Rejected();
}
return(base.ValidateIdentity(context));
}
public override System.Threading.Tasks.Task ValidateIdentity(OAuthValidateIdentityContext context)
{
if (context == null)
{
throw new ArgumentNullException("context");
}
if (context.Ticket.Identity.Claims.Any(c => c.Issuer != ClaimsIdentity.DefaultIssuer))
{
context.Rejected();
}
return(Task.FromResult <object>(null));
}
public override Task ValidateIdentity(OAuthValidateIdentityContext context)
{
var claims = context.Ticket.Identity.Claims;
var enumerable = claims as IList <Claim> ?? claims.ToList();
if (!enumerable.Any() || enumerable.Any(claim => claim.Issuer != ClaimsIdentity.DefaultIssuer))
{
context.Rejected();
}
return(Task.FromResult <object>(null));
}
public override Task ValidateIdentity(OAuthValidateIdentityContext context)
{
if (context.Ticket.Properties.ExpiresUtc < DateTime.UtcNow)
{
context.SetError("invalid_grant", "Access Token has expired.");
context.Rejected();
return(ThreadingExtensions.NoResult);
}
var userId = context.Ticket.Identity.GetUserGuid();
var issuedGuid = context.Ticket.Properties
.GetIssuedGuid();
if (!_authKeyRepository.ValidateAuthKey(userId, issuedGuid))
{
context.SetError("invalid_token", "Access Token has not been properly set or has been invalidated.");
context.Rejected();
return(ThreadingExtensions.NoResult);
}
context.Validated();
return(ThreadingExtensions.NoResult);
}
public Task ValidateIdentity(OAuthValidateIdentityContext context)
{
// if token valid
var userGuid = context.Ticket.Identity.Claims.Where(c => c.Type == "UserGuid").First().Value;
if (!memCache.Contains(userGuid, null))
{
context.Rejected(); // if i want to reject the token
return(null);
}
return(Task.FromResult <object>(null));
}
public override Task ValidateIdentity(OAuthValidateIdentityContext context)
{
ClaimsIdentity claimIdentity = context.Ticket.Identity;
var claims = claimIdentity.Claims;
var userManager = context.OwinContext.GetUserManager <ApplicationUserManager>();
var user = userManager.FindByName(claimIdentity.Name);
var sts = userManager.GetSecurityStamp(user.Id);
var owin = HttpContext.Current.GetOwinContext();
var stsid = claims.Where(c => c.Type == "sts:id").Select(c => c.Value).SingleOrDefault();
var stsdata = claims.Where(c => c.Type == "sts:ds").Select(c => c.Value).SingleOrDefault();
if (string.IsNullOrEmpty(sts) || string.IsNullOrEmpty(stsid) || string.IsNullOrEmpty(stsdata))
{
context.Rejected();
}
else if (stsdata != CryptographService.CreateMacCode(sts, stsid))
{
context.Rejected();
}
return(base.ValidateIdentity(context));
}
// This validates the identity based on the issuer of the claim.
// The issuer is set in the API endpoint that logs the user in
public override Task ValidateIdentity(OAuthValidateIdentityContext context)
{
UserManager <ApplicationUser> userManager = context.OwinContext.GetUserManager <ApplicationUserManager>();
var user = userManager.FindById(context.Ticket.Identity.GetUserId());
var claims = context.Ticket.Identity.Claims;
if (user == null || (claims.FirstOrDefault(claim => claim.Type == "AspNet.Identity.SecurityStamp") == null || claims.Any(claim => claim.Type == "AspNet.Identity.SecurityStamp" && !claim.Value.Equals(user.SecurityStamp))))
{
// Client could not be validated.
context.SetError("invalid_token", "Client token is invalid.");
context.Rejected();
}
return(Task.FromResult <object>(null));
//return Simple.FromResult(0);
}
public override Task ValidateIdentity(OAuthValidateIdentityContext context)
{
if (context == null)
{
throw new ArgumentNullException("context");
}
// code to invalidate multiple login by comparing security stamp claim and its current value in DB
//var path = HttpContext.Current.Server.MapPath(string.Format("~/{0}", "Log.txt"));
//File.AppendAllText(path, Environment.NewLine);
//File.AppendAllText(path, "Requested fro ValidateIdentity at : " + DateTime.Now);
//var securityStampClaim = context.Ticket.Identity.Claims.FirstOrDefault(x => x.Type == Constants.DefaultSecurityStampClaimType);
//var userIdClaim = context.Ticket.Identity.Claims.FirstOrDefault(x => x.Type == ClaimTypes.NameIdentifier);
//if (securityStampClaim == null || userIdClaim == null)
//{
// context.Rejected();
//}
//using (var manager = new IdentityManager<TUser>())
//{
// var user = manager.ApplicationUserManager.Users.FirstOrDefault(x => x.Id == new Guid(userIdClaim.Value));
// if (!string.Equals(user.SecurityStamp, securityStampClaim.Value, StringComparison.CurrentCultureIgnoreCase))
// {
// context.Rejected();
// //context.SetError("Multiple login is not allowed.");
// File.AppendAllText(path, "Request rejected ........");
// File.AppendAllText(path, Environment.NewLine);
// }
//}
if (context.Ticket.Identity.Claims.Any(c => c.Issuer != ClaimsIdentity.DefaultIssuer))
{
context.Rejected();
}
return(Task.FromResult <object>(null));
}
public override Task ValidateIdentity(OAuthValidateIdentityContext context)
{
bool validated = false;
base.ValidateIdentity(context);
ApplicationDbContext dbContext = context.OwinContext.Get <ApplicationDbContext>();
ApplicationUserManager userManager = context.OwinContext.GetUserManager <ApplicationUserManager>();
if (context.Ticket != null && context.Ticket.Identity != null)
{
if (context.Ticket.Identity.Claims.SingleOrDefault(c => c.Type == OAuthClientCredentialsGrantKey) != null)
{
Guid clientId = new Guid(context.Ticket.Identity.Name);
if (dbContext.OAuthClients.SingleOrDefault(oac => oac.ClientId == clientId && oac.Enabled == true) != null)
{
validated = true;
context.Validated();
}
}
else
{
Claim oauthSessionId = context.Ticket.Identity.Claims.SingleOrDefault(c => c.Type == OAuthSessionClaimKey);
if (oauthSessionId != null)
{
OAuthSession oauthSession = dbContext.OAuthSessions.SingleOrDefault(oas => oas.Id.ToString() == oauthSessionId.Value);
if (oauthSession != null)
{
validated = true;
context.Validated();
}
}
}
}
if (!validated)
{
context.SetError("Invalid Token", "The Access Token is invalid.");
context.Rejected();
}
return(Task.FromResult <object>(null));
}
public Task ValidateIdentity(OAuthValidateIdentityContext context)
{
context.Rejected();
Guid userSessionToken;
if (JwtHelper.TryGetUserSessionToken(context.Ticket.Identity, out userSessionToken))
{
using (var container = UnityConfig.GetContainer().CreateChildContainer())
{
var userSessionBusinessLogic = (IUserSessionBusinessLogic)container.Resolve(typeof(IUserSessionBusinessLogic));
var isValid = userSessionBusinessLogic.GetIsUserSessionValid(userSessionToken);
if (isValid)
{
context.Validated();
}
}
}
return(Task.CompletedTask);
}
public override async Task ValidateIdentity(OAuthValidateIdentityContext context)
{
var owinContext = context.OwinContext;
var ticket = context.Ticket;
var identity = ticket?.Identity;
if (identity == null || owinContext == null)
{
context.Rejected();
return;
}
var claimClientId = identity.FindFirst(IntersectClaimTypes.ClientId);
if (!Guid.TryParse(claimClientId?.Value, out var clientId))
{
context.SetError("invalid_token_client");
return;
}
var claimUserId = identity.FindFirst(IntersectClaimTypes.UserId);
if (!Guid.TryParse(claimUserId?.Value, out var userId))
{
context.SetError("invalid_token_user");
return;
}
var claimTicketId = identity.FindFirst(IntersectClaimTypes.TicketId);
if (!Guid.TryParse(claimTicketId?.Value, out var ticketId))
{
context.SetError("invalid_ticket_id");
return;
}
var refreshToken = RefreshToken.FindForTicket(ticketId);
if (refreshToken == null)
{
context.Rejected();
return;
}
if (ticket.Properties?.ExpiresUtc < DateTime.UtcNow)
{
context.SetError("access_token_expired");
return;
}
if (refreshToken.ClientId != clientId || refreshToken.UserId != userId)
{
RefreshToken.Remove(refreshToken.Id, true);
context.Rejected();
return;
}
owinContext.Set("refresh_token", refreshToken);
context.Validated();
}
public override async Task ValidateIdentity(OAuthValidateIdentityContext context)
{
try
{
await base.ValidateIdentity(context);
// token validate, only one valid token, diffrent jti to diffrent ticket
// one time one valid token
#region Claims vlidate
var nameClaim = context.Ticket.Identity.Claims.FirstOrDefault(x => x.Type == ClaimTypes.NameIdentifier);
if (nameClaim == null)
{
_log.Error("subject is not in ticket");
context.SetError("subject is not in ticket");
context.OwinContext.Set("error", "subject is not in ticket.");
context.Rejected();
return;
}
var projectClaim = context.Ticket.Identity.Claims.FirstOrDefault(x => x.Type == "iss");
if (projectClaim == null)
{
_log.Error("iss is not in ticket");
context.SetError("iss is not in ticket");
context.OwinContext.Set("error", "iss is not in ticket.");
context.Rejected();
return;
}
var audClaim = context.Ticket.Identity.Claims.FirstOrDefault(x => x.Type == "aud");
if (audClaim == null)
{
_log.Error("client_id is not in ticket");
context.SetError("client_id is not in ticket");
context.OwinContext.Set("error", "client_id is not in ticket.");
context.Rejected();
return;
}
var jtiClaim = context.Ticket.Identity.Claims.FirstOrDefault(x => x.Type == "jti");
if (jtiClaim == null)
{
_log.Error("jti is not in ticket");
context.SetError("jti is not in ticket");
context.OwinContext.Set("error", "jti is not in ticket.");
context.Rejected();
return;
}
#endregion
var projectId = projectClaim.Value;
var registerUser = nameClaim.Value;
var clientId = audClaim.Value;
var jti = jtiClaim.Value;
if (string.IsNullOrEmpty(clientId))
{
_log.Error("client_id is null");
context.SetError("client_id is null");
context.OwinContext.Set("error", "client_id is null.");
context.Rejected();
return;
}
//var refreshTokens = await Task.Run(() => _authServices.GetAllRefreshTokens(clientId));
//if (refreshTokens == null || refreshTokens.Count == 0)
//{
// _log.Error("ticket is missing");
// context.SetError("ticket is missing");
// context.OwinContext.Set("error", "ticket is missing.");
// context.Rejected();
// return;
//}
//if (!refreshTokens.Any(x => (x.ProjectId == projectId && x.Subject == registerUser)))
//{
// _log.Error("ticket is not valid");
// context.SetError("ticket is not valid");
// context.OwinContext.Set("error", "ticket is not valid.");
// context.Rejected();
// return;
//}
//var rft = refreshTokens.First(x => (x.ProjectId == projectId && x.Subject == registerUser));
// validate ticket jti&server jti
//var serverJti = rft.TokenId;
//if (!serverJti.Equals(jti))
//{
// _log.Error("jti is not valid");
// context.SetError("jti is not valid");
// context.OwinContext.Set("error", "Token已更新,请使用最新的Token。");
// context.Rejected();
// return;
//}
#region IP validate
var ip = context.Request.RemoteIpAddress;
_log.Info($"request ip({ip}) is validating...");
// find allowed ips & validate ip
//var client = _authServices.FindClient(clientId);
//if (client != null)
//{
// if (!projectId.Equals(client.ProjectId))
// {
// _log.Error("client's projectId is not valid.");
// context.SetError("client's projectId is not valid.");
// context.OwinContext.Set("error", "client's projectId is not valid.");
// return;
// }
// var allowedIPs = client.AllowedIPs;
// if (string.IsNullOrEmpty(allowedIPs))
// {
// _log.Error($"IP({ip}) is not allowed in this client.");
// context.SetError($"IP({ip}) is not allowed in this client.");
// context.OwinContext.Set("error", $"IP({ip}) is not allowed in this client.");
// return;
// }
// if (allowedIPs != "*")
// {
// var detailIPs = allowedIPs.Split(';');
// if (detailIPs.All(x => x != ip))
// {
// _log.Error($"IP({ip}) is not allowed in this client.");
// context.OwinContext.Set("error", $"IP({ip}) is not allowed in this client.");
// context.Rejected();
// }
// }
//}
#endregion
}
catch (Exception ex)
{
_log.Error(ex.Message);
_log.Error(ex.StackTrace);
context.Rejected();
}
}
public override Task ValidateIdentity(OAuthValidateIdentityContext context)
{
var authorizationBearerToken = context.Request.Headers["Authorization"];
if (string.IsNullOrWhiteSpace(authorizationBearerToken))
{
context.Rejected();
return(Task.FromResult(false));
}
else
{
var authorizationBearerTokenParts = authorizationBearerToken
.Split(' ');
var accessToken = authorizationBearerTokenParts
.LastOrDefault();
var claims = new List <Claim>();
StuntmanUser user = null;
if (authorizationBearerTokenParts.Count() != 2 ||
string.IsNullOrWhiteSpace(accessToken))
{
context.Response.StatusCode = 400;
context.Response.ReasonPhrase = "Authorization header is not in correct format.";
context.Rejected();
return(Task.FromResult(false));
}
else
{
user = options.Users
.Where(x => x.AccessToken == accessToken)
.FirstOrDefault();
if (user == null)
{
if (!options.AllowBearerTokenPassthrough)
{
context.Response.StatusCode = 403;
context.Response.ReasonPhrase =
$"options provided does not include the requested '{accessToken}' user.";
context.Rejected();
}
return(Task.FromResult(false));
}
else
{
claims.Add(new Claim("access_token", accessToken));
}
}
claims.Add(new Claim(ClaimTypes.Name, user.Name));
claims.AddRange(user.Claims);
var identity = new ClaimsIdentity(claims, Constants.StuntmanAuthenticationType, user.NameClaimType, user.RoleClaimType);
context.Validated(identity);
var authManager = context.OwinContext.Authentication;
authManager.SignIn(identity);
if (options.AfterBearerValidateIdentity != null)
{
options.AfterBearerValidateIdentity(context);
}
return(Task.FromResult(true));
}
}
