public string CreateToken(SecurityTokenRequest request) { var tokenHandler = new JwtSecurityTokenHandler(); var identity = CreateIdentity(request); var symmetricKey = Options.Security.SecretKey; var tokenDescriptor = new SecurityTokenDescriptor { Subject = identity, Issuer = Options.Security.Issuer, IssuedAt = DateTime.UtcNow, NotBefore = DateTime.UtcNow, Expires = DateTime.UtcNow.AddSeconds(request.Duration ?? Options.Security.Duration), // Create Signing Credentials // Param 1 : signing key // Param 2 : signature algorithm // Param 3 : digest algorithm SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(Encoding.ASCII.GetBytes(symmetricKey)), Options.Security.Algorithm) }; var token = tokenHandler.CreateToken(tokenDescriptor); return(tokenHandler.WriteToken(token)); }
public ClaimsPrincipal CreateSystemPrincipal(Guid siteId) { var request = new SecurityTokenRequest { Name = "system", SiteId = siteId }; var identity = CreateIdentity(request); return(new ClaimsPrincipal(identity)); }
private ClaimsIdentity CreateIdentity(SecurityTokenRequest request) { var claims = new List <Claim>(); if (!string.IsNullOrEmpty(request.Name)) { claims.Add(new Claim(ClaimTypes.Name, request.Name, ClaimValueTypes.String)); } if (request.Id != null) { claims.Add(new Claim("userId", request.Id.ToString(), ClaimValueTypes.String)); } if (request.PersonId != null) { claims.Add(new Claim("personId", request.PersonId.ToString(), ClaimValueTypes.String)); } if (request.SiteId != null) { claims.Add(new Claim("siteId", request.SiteId.ToString(), ClaimValueTypes.String)); } if (request.SuperUser) { claims.Add(new Claim("superUser", request.SuperUser.ToString(), ClaimValueTypes.Boolean)); } if (request.Roles != null) { foreach (var role in request.Roles) { claims.Add(new Claim("roleId", role.ToString(), ClaimValueTypes.String)); } } return(new ClaimsIdentity(claims, "PIPware")); }
public async Task <ClaimsPrincipal> CreatePrincipalAsync(Guid userId) { var user = await DataContext.Users .Include(x => x.Person) .FirstOrDefaultAsync(x => x.Id == userId); if (user == null) { return(null); } var request = new SecurityTokenRequest { Id = user.Id, Name = user.Person.Name, PersonId = user.PersonId, //Roles = user.Person. }; var identity = CreateIdentity(request); return(new ClaimsPrincipal(identity)); }
public async Task <AuthenticateResponse> AuthenticateAsync(AuthenticateRequest request) { var criteria = new UserCriteria { UserName = request.Email, Deleted = false }; var user = await DataContext.Users.Query(criteria) .Include(x => x.Person) .FirstOrDefaultAsync(); // User does not exist if (user == null) { await CreateLoginHistory(null, request.Email, request.DomainName, request.SuperUser, LoginResults.InvalidUserName); throw new AuthenticateException { UserName = request.Email, Reason = AuthenticateFailureReason.InvalidCredentials }; } // User is flagged as a system account if (user.Flags.HasFlag(UserFlags.SystemAccount)) { await CreateLoginHistory(user.Id, request.Email, request.DomainName, request.SuperUser, LoginResults.SystemAccount); throw new AuthenticateException { UserName = request.Email, Reason = AuthenticateFailureReason.SystemAccount }; } // User is flagged as disabled if (user.Flags.HasFlag(UserFlags.Disabled)) { await CreateLoginHistory(user.Id, request.Email, request.DomainName, request.SuperUser, LoginResults.Disabled); throw new AuthenticateException { UserName = request.Email, Reason = AuthenticateFailureReason.Disabled }; } if (user.Password == null || user.PasswordSalt == null) { await CreateLoginHistory(user.Id, request.Email, request.DomainName, request.SuperUser, LoginResults.PasswordNotSet); throw new AuthenticateException { UserName = request.Email, Reason = AuthenticateFailureReason.InvalidCredentials }; } var hasPasswordBug = user.Flags.HasFlag(UserFlags.PasswordBug); if (request.Password == null) { request.Password = ""; } var checkPassword = PasswordHelper.EncryptPassword(request.Password, user.PasswordSalt, hasPasswordBug); if (user.Password != checkPassword) { await CreateLoginHistory(user.Id, request.Email, request.DomainName, request.SuperUser, LoginResults.InvalidPassword); await ProcessFailedLoginAttemptAsync(user); throw new AuthenticateException { UserName = request.Email, Reason = AuthenticateFailureReason.InvalidCredentials }; } // Check if the account is locked out if (user.Flags.HasFlag(UserFlags.Locked)) { await CreateLoginHistory(user.Id, request.Email, request.DomainName, request.SuperUser, LoginResults.LockedOut); var locked = CheckLockoutDurationAsync(user); if (locked) { throw new AuthenticateException { UserName = user.UserName, Reason = AuthenticateFailureReason.LockedOut }; } } // Set values for successful authentication user.LastLoginDate = DateTime.UtcNow; user.FailedPasswordCount = 0; user.Flags &= ~UserFlags.Locked; user.LockoutDate = null; await DataContext.SaveChangesAsync(); // Get the person roles var roles = await DataContext.PersonRoles .AsNoTracking() .Where(x => x.PersonId == user.PersonId && !x.Deleted && !x.Role.Deleted) .Select(x => x.Role) .ToArrayAsync(); var tokenRequest = new SecurityTokenRequest { Id = user.Id, PersonId = user.PersonId, Name = user.UserName, SuperUser = request.SuperUser, Roles = roles.Select(r => r.Id).Distinct().ToArray() }; var token = SecurityProvider.CreateToken(tokenRequest); // Get the list of permissions IEnumerable <string> permissions = new List <string>(); foreach (var role in roles) { var rolePermissions = JsonConvert.DeserializeObject <string[]>(role.Permissions); permissions = permissions.Union(rolePermissions); } // Convert roles to string array var roleValues = roles.Select(x => x.Id.ToString()).ToArray(); return(new AuthenticateResponse { UserId = user.Id, PersonId = user.PersonId, Name = user.UserName, DisplayName = user.Person?.Name, PersonPositionName = "", Token = token, Roles = roleValues, Permissions = permissions.ToArray(), }); }