/// <summary>
/// Get and validate claims for the system user from the SuperID web service
/// </summary>
/// <param name="userToken">System user token, not yet signed</param>
/// <param name="contextIdentifier">Context identifier of the customer</param>
/// <returns>Token with claims</returns>
private static SuperIdToken GetSystemUserToken(string userToken, string contextIdentifier)
{
var systemToken = new SystemToken(userToken);
// Get certificate
var certificatePath = CertificatePath;
// sign the system user token
var signedSystemToken = systemToken.Sign(privateKey: File.ReadAllText(certificatePath));
// Call the web service to exchange signed system user token with claims for the system user
var federationGateway = ConfigurationManager.AppSettings["SoFederationGateway"];
var returnedToken = systemToken.AuthenticateWithSignedSystemToken(federationGateway, signedSystemToken,
ConfigFile.Services.ApplicationToken, contextIdentifier, TokenType.Saml);
// Validate and return SuperId token for the system user
var tokenHandler = new SuperIdTokenHandler();
tokenHandler.IssuerTokenResolver =
new SuperOffice.SuperID.Client.Tokens.CertificateFileCertificateStoreTokenResolver(
System.Web.HttpContext.Current.Server.MapPath("~/App_Data")
);
tokenHandler.CertificateValidator = System.IdentityModel.Selectors.X509CertificateValidator.None;
return(tokenHandler.ValidateToken(returnedToken, TokenType.Saml));
}
private static SuperIdToken GetSystemUserToken(string systemTokenString, string contextIdentifier)
{
// Grab hold of the system user token
var systemToken = new SystemToken(systemTokenString);
// Get certificate
var certificatePath = ConfigManager.ApplicationKeyFile;
if (!Path.IsPathRooted(certificatePath))
{
certificatePath = Path.Combine(HostingEnvironment.MapPath(@"~"), certificatePath);
}
// sign the system user token
var signedSystemToken = systemToken.Sign(privateKey: File.ReadAllText(certificatePath));
// Call the web service to exchange signed system user token with claims for the system user
var federationGateway = ConfigManager.SoFederationGateway;
var returnedToken = systemToken.AuthenticateWithSignedSystemToken(federationGateway, signedSystemToken,
ConfigFile.Services.ApplicationToken, contextIdentifier, TokenType.Jwt);
// Validate SuperId token for the system user
var systemUserTokenHandler = new SuperIdTokenHandler();
var systemUserToken = systemUserTokenHandler.ValidateToken(returnedToken, TokenType.Jwt);
return(systemUserToken);
}
public static SuperIdToken GetSystemUserToken(string userToken, string contextIdentifier,
string privateKey, string federationGateway, string applicationToken, string certificateString)
{
var tokenType = SuperOffice.SuperID.Contracts.SystemUser.V1.TokenType.Jwt;
var systemToken = new SystemToken(userToken);
// Get certificate
// sign the system user ticket
var signedSystemToken = systemToken.Sign(privateKey);
// Call the web service to exchange signed system user ticket with claims for the system user
var returnedToken = systemToken.AuthenticateWithSignedSystemToken(federationGateway, signedSystemToken,
applicationToken, contextIdentifier, tokenType);
if (returnedToken != null)
{
// Validate and return SuperId ticket for the system user
var tokenHandler = new SuperIdTokenHandler();
var certificateResolverPath = AppDomain.CurrentDomain.BaseDirectory + "Certificates";
if (tokenType == SuperOffice.SuperID.Contracts.SystemUser.V1.TokenType.Saml)
{
tokenHandler.CertificateValidator = System.IdentityModel.Selectors.X509CertificateValidator.None;
tokenHandler.IssuerTokenResolver = new CertificateFileCertificateStoreTokenResolver(certificateResolverPath);
}
else
{
// byte[] bytes = System.Convert.FromBase64String(certificateString);
byte[] bytes = Encoding.ASCII.GetBytes(certificateString);
tokenHandler.JwtIssuerSigningCertificate =
new System.Security.Cryptography.X509Certificates.X509Certificate2(bytes);
}
tokenHandler.ValidateAudience = false;
SuperIdToken superToken = null;
try
{
superToken = tokenHandler.ValidateToken(returnedToken, tokenType);
}
catch (Exception e)
{
Console.WriteLine(e);
}
return(superToken);
}
return(null);
}
public static SuperIdToken ValidateToken(string token)
{
var path = System.Web.Hosting.HostingEnvironment.MapPath("~/App_Data/") + "SOD_SuperOfficeFederatedLogin.crt";
var tokenHandler = new SuperIdTokenHandler();
tokenHandler.JwtIssuerSigningCertificate = new X509Certificate2(path);
tokenHandler.CertificateValidator = X509CertificateValidator.ChainTrust;
tokenHandler.ValidIssuer = "https://sod.superoffice.com";
return(tokenHandler.ValidateToken(token, TokenType.Jwt));
}
public static SuperIdToken ValidateToken(HttpServerUtilityBase server, string token)
{
var path = server.MapPath("~/App_Data/") + "SOD_SuperOfficeFederatedLogin.crt";
var tokenHandler = new SuperIdTokenHandler();
tokenHandler.JwtIssuerSigningCertificate = new X509Certificate2(path);
tokenHandler.CertificateValidator = X509CertificateValidator.ChainTrust;
tokenHandler.ValidIssuer = "https://sod.superoffice.com";
return(tokenHandler.ValidateToken(token, TokenType.Jwt));
}
private void btLogin_Click(object sender, EventArgs e)
{
btDoStuff.Enabled = false;
_netServerUrl.Text = string.Empty;
_claims.Items.Clear();
SuperOffice.Configuration.ConfigFile.Services.ApplicationToken = _applicationToken.Text;
var login = new LoginHelper();
var uri = new UriBuilder(_environmentLogin.Text).Uri;
var response = login.TryFederatedLogin(uri, new AuthenticationRequest()
{
ApplicationId = _applicationId.Text,
ApplicationTitle = "Testing win-forms login in demo app",
CustomerContext = string.Empty, // don't cara about which customer in this context
});
if (response.IsSuccessful)
{
var saml = GetClaim(response, "saml");
//var jwt = GetClaim(response, "jwt");
// Validate and parse saml with user authentication
var userTokenHandler = new SuperIdTokenHandler();
_userToken = userTokenHandler.ValidateToken(saml, SuperOffice.SuperID.Contracts.SystemUser.V1.TokenType.Saml);
foreach (var claim in _userToken.Claims)
{
var lvi = new ListViewItem(claim.ClaimType);
lvi.SubItems.Add(claim.Resource as string);
_claims.Items.Add(lvi);
}
_netServerUrl.Text = _userToken.NetserverUrl;
ConfigFile.WebServices.RemoteBaseURL = _userToken.NetserverUrl;
try
{
_session = SoSession.Authenticate(new SoCredentials()
{
Ticket = _userToken.Ticket
});
}
catch (Exception)
{
}
}
btDoStuff.Enabled = _session != null;
}
/// <summary>
/// Used by Online
/// </summary>
/// <param name="token">Saml or JWT token</param>
public static bool TryLogin(string token, string tokenType, OidcModel oidcModel, out string errorReason)
{
errorReason = String.Empty;
var tokenHandler = new SuperIdTokenHandler();
tokenHandler.ValidIssuer = oidcModel == null ? "SuperOffice AS" : "https://sod.superoffice.com"; // required for OIDC vs. Old Federated Auth...
var useAppData = Convert.ToBoolean(ConfigurationManager.AppSettings["CertificatesInAppDataFolder"]);
var typedTokenType = (SuperOffice.SuperID.Contracts.SystemUser.V1.TokenType)
Enum.Parse(typeof(SuperOffice.SuperID.Contracts.SystemUser.V1.TokenType), tokenType);
if (useAppData && typedTokenType == SuperOffice.SuperID.Contracts.SystemUser.V1.TokenType.Saml)
{
tokenHandler.IssuerTokenResolver =
new CertificateFileCertificateStoreTokenResolver(
HttpContext.Current.Server.MapPath("~/App_Data"));
tokenHandler.CertificateValidator = X509CertificateValidator.None;
}
else if (useAppData && typedTokenType == SuperOffice.SuperID.Contracts.SystemUser.V1.TokenType.Jwt)
{
tokenHandler.JwtIssuerSigningCertificate =
new System.Security.Cryptography.X509Certificates.X509Certificate2(
HttpContext.Current.Server.MapPath("~/App_Data/") + "SuperOfficeFederatedLogin.crt");
}
else
{
tokenHandler.CertificateValidator = X509CertificateValidator.PeerTrust;
}
tokenHandler.ValidateAudience = false;
var superIdClaims = tokenHandler.ValidateToken(token, typedTokenType);
var context = new SuperOfficeContext
{
Ticket = superIdClaims.Ticket,
Email = superIdClaims.Email,
ContextIdentifier = superIdClaims.ContextIdentifier,
NetServerUrl = superIdClaims.NetserverUrl,
SystemToken = superIdClaims.SystemToken,
CustomerKey = String.Empty,
IsOnSiteCustomer = false,
AccessToken = oidcModel?.AccessToken,
IdToken = oidcModel?.IdToken,
RefreshToken = oidcModel?.RefreshToken
};
return(TryLogin(context, out errorReason));
}
/// <summary>
/// Get and validate claims for the system user from the SuperID web service
/// </summary>
/// <param name="userToken">System user token, not yet signed</param>
/// <param name="contextIdentifier">Context identifier of the customer</param>
/// <returns>Token with claims</returns>
private static SuperIdToken GetSystemUserToken(string userToken, string contextIdentifier)
{
var tokenType = SuperOffice.SuperID.Contracts.SystemUser.V1.TokenType.Jwt;
var systemToken = new SystemToken(userToken);
// Get certificate
var certificatePath = ConfigurationManager.AppSettings["SystemTokenCertificatePath"];
// sign the system user token
var signedSystemToken = systemToken.Sign(File.ReadAllText(certificatePath));
// Call the web service to exchange signed system user token with claims for the system user
var federationGateway = ConfigurationManager.AppSettings["SoFederationGateway"];
var returnedToken = systemToken.AuthenticateWithSignedSystemToken(federationGateway, signedSystemToken,
ConfigFile.Services.ApplicationToken, contextIdentifier, tokenType);
if (returnedToken != null)
{
// Validate and return SuperId token for the system user
var tokenHandler = new SuperIdTokenHandler();
var certificateResolverPath = AppDomain.CurrentDomain.BaseDirectory + "Certificates";
if (tokenType == SuperID.Contracts.SystemUser.V1.TokenType.Saml)
{
tokenHandler.CertificateValidator = System.IdentityModel.Selectors.X509CertificateValidator.None;
tokenHandler.IssuerTokenResolver = new SuperOffice.SuperID.Client.Tokens.CertificateFileCertificateStoreTokenResolver(certificateResolverPath);
}
else
{
tokenHandler.JwtIssuerSigningCertificate =
new System.Security.Cryptography.X509Certificates.X509Certificate2(
certificateResolverPath + "\\SODSuperOfficeFederatedLogin.crt");
}
tokenHandler.ValidateAudience = false;
return(tokenHandler.ValidateToken(returnedToken, tokenType));
}
return(null);
}
/// <summary>
///
/// </summary>
/// <param name="token">Saml or JWT token</param>
public static bool TryLogin(string token, string tokenType)
{
var tokenHandler = new SuperIdTokenHandler();
var typedTokenType = (SuperOffice.SuperID.Contracts.SystemUser.V1.TokenType)
Enum.Parse(typeof(SuperOffice.SuperID.Contracts.SystemUser.V1.TokenType), tokenType);
var certificatePath = ConfigManager.SuperOfficeFederatedLogin;
if (!String.IsNullOrWhiteSpace(certificatePath))
{
if (!Path.IsPathRooted(certificatePath))
{
certificatePath = Path.Combine(HostingEnvironment.MapPath(@"~"), certificatePath);
}
tokenHandler.JwtIssuerSigningCertificate =
new System.Security.Cryptography.X509Certificates.X509Certificate2(certificatePath);
}
else
{
tokenHandler.CertificateValidator = X509CertificateValidator.PeerTrust;
}
//tokenHandler.ValidateAudience = false;
var superIdClaims = tokenHandler.ValidateToken(token, typedTokenType);
var context = new SuperOfficeContext
{
Ticket = superIdClaims.Ticket,
Email = superIdClaims.Email,
ContextIdentifier = superIdClaims.ContextIdentifier,
NetServerUrl = superIdClaims.NetserverUrl,
SystemToken = superIdClaims.SystemToken,
};
Context = context;
// Use forms authentication - this is optional
var soFormsTicket = new FormsAuthenticationTicket(superIdClaims.Email, false, 3600);
var soFormsTicketEncrypted = FormsAuthentication.Encrypt(soFormsTicket);
var httpContext = HttpContext.Current;
httpContext.Session[ConfigManager.SoAuthCookie] = soFormsTicketEncrypted;
httpContext.Response.Cookies.Add(new HttpCookie(ConfigManager.SoAuthCookie, soFormsTicketEncrypted));
try
{
// If request is not authenticated, and a controller with the
// SuperOfficeAuthorize attribute is accessed, the called controller
// will continue to send the user to SuperID. If already authenticated there
// this user will always return here and be stuck in an endless loop.
// Therefore, it is important to authenticate with NetServer, and allow the
// context provider to store the current session. Thus, the SuperOfficeAuthorize
// attibute will be able to locate the session and proceed unimpeded
//Authenticate with NetServer using web services if necessary.
SoSession session = SoSession.Authenticate(new SoCredentials()
{
Ticket = context.Ticket
});
var principal = SoContext.CurrentPrincipal;
var contact = new ContactAgent().GetContact(principal.ContactId);
context.Company = contact.FullName;
context.Name = principal.FullName;
context.Username = principal.Associate;
context.AssociateId = principal.AssociateId;
return(true);
}
catch (Exception ex)
{
SuperOfficeAuthHelper.Logout();
return(false);
}
}
