public async Task ReceiveAsync(AuthenticationTokenReceiveContext context) { try { var hashedTokenId = HashHelper.GetHash(context.Token); using (AuthRepository authService = new AuthRepository()) { var refreshToken = authService.FindRefreshToken(hashedTokenId); if (refreshToken != null) { //Get protectedTicket from refreshToken class context.DeserializeTicket(refreshToken.ProtectedTicket); //remove token from db var result = authService.RemoveRefreshToken(hashedTokenId); } } } catch (Exception ex) { Logger.Error("Error receiving token: " + ex.InnerException); } }
/// <summary> /// Called to validate that the origin of the request is a registered "client_id", and that the correct credentials for that client are /// present on the request. If the web application accepts Basic authentication credentials, /// context.TryGetBasicCredentials(out clientId, out clientSecret) may be called to acquire those values if present in the request header. If the web /// application accepts "client_id" and "client_secret" as form encoded POST parameters, /// context.TryGetFormCredentials(out clientId, out clientSecret) may be called to acquire those values if present in the request body. /// If context.Validated is not called the request will not proceed further. /// </summary> /// <param name="context">The context of the event carries information in and results out.</param> /// <returns> /// Task to enable asynchronous execution /// </returns> public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context) { string clientId = string.Empty; string clientSecret = string.Empty; AuthorizedClient authorizedClient = null; if (!context.TryGetBasicCredentials(out clientId, out clientSecret)) { context.TryGetFormCredentials(out clientId, out clientSecret); } if (context.ClientId == null) { context.SetError("invalid_clientId", "ClientId should be sent."); return Task.FromResult<object>(null); } using (var repo = new AuthRepository()) authorizedClient = repo.FindAuthorizedClient(context.ClientId); if (authorizedClient == null) { context.SetError("invalid_clientId", string.Format("Client '{0}' is not registered in the system.", context.ClientId)); return Task.FromResult<object>(null); } if (authorizedClient.ApplicationType == ApplicationTypes.NativeConfidential) { if (string.IsNullOrWhiteSpace(clientSecret)) { context.SetError("invalid_clientId", "Client secret should be sent."); return Task.FromResult<object>(null); } else { if (authorizedClient.Secret != HashHelper.GetHash(clientSecret)) { context.SetError("invalid_clientId", "Client secret is invalid."); return Task.FromResult<object>(null); } } } if (!authorizedClient.Active) { context.SetError("invalid_clientId", "Client is inactive."); return Task.FromResult<object>(null); } context.OwinContext.Set<string>("as:clientAllowedOrigin", authorizedClient.AllowedOrigin); context.OwinContext.Set<string>("as:clientRefreshTokenLifeTime", authorizedClient.RefreshTokenLifeTime.ToString()); context.Validated(); return Task.FromResult<object>(null); }
public async Task CreateAsync(AuthenticationTokenCreateContext context) { try { var clientid = context.Ticket.Properties.Dictionary["as:client_id"]; if (string.IsNullOrEmpty(clientid)) { return; } var refreshTokenId = Guid.NewGuid().ToString("n"); var refreshTokenLifeTime = context.OwinContext.Get<string>("as:clientRefreshTokenLifeTime"); var token = new RefreshToken() { Id = HashHelper.GetHash(refreshTokenId), ClientId = clientid, Subject = context.Ticket.Identity.Name, IssuedUtc = DateTime.UtcNow, ExpiresUtc = DateTime.UtcNow.AddMinutes(Convert.ToDouble(refreshTokenLifeTime)) }; context.Ticket.Properties.IssuedUtc = token.IssuedUtc; context.Ticket.Properties.ExpiresUtc = token.ExpiresUtc; token.ProtectedTicket = context.SerializeTicket(); bool result; using (AuthRepository authService = new AuthRepository()) { result = authService.AddRefreshToken(token); } if (result) { context.SetToken(refreshTokenId); } } catch (Exception ex) { Logger.Error("Error creating token: " + ex.InnerException); } }
public RefreshTokensController() { // _authRepository = authRepository; _repo = new AuthRepository(); }
public AccountService(AuthRepository authRepository) { _authRepository = authRepository; }
/// <summary> /// Called when a request to the Token endpoint arrives with a "grant_type" of "password". This occurs when the user has provided name and password /// credentials directly into the client application's user interface, and the client application is using those to acquire an "access_token" and /// optional "refresh_token". If the web application supports the /// resource owner credentials grant type it must validate the context.Username and context.Password as appropriate. To issue an /// access token the context.Validated must be called with a new ticket containing the claims about the resource owner which should be associated /// with the access token. The application should take appropriate measures to ensure that the endpoint isn’t abused by malicious callers. /// The default behavior is to reject this grant type. /// See also http://tools.ietf.org/html/rfc6749#section-4.3.2 /// </summary> /// <param name="context">The context of the event carries information in and results out.</param> /// <returns> /// Task to enable asynchronous execution /// </returns> public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context) { var identity = new ClaimsIdentity(context.Options.AuthenticationType); AppUser user = new AppUser(); using (AuthRepository repo = new AuthRepository()) { user = repo.FindUser(context.UserName, context.Password); if (user == null) { context.SetError("invalid_grant", "The user name or password is incorrect."); return; } user.UserRoles = repo.GetUserRoles(user.Id); if (user.Enabled == false) { context.SetError("invalid_grant", "The account is disabled."); return; } } identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName)); identity.AddClaim(new Claim("sub", context.UserName)); foreach (string role in user.UserRoles) { identity.AddClaim(new Claim(ClaimTypes.Role, role)); } var props = new AuthenticationProperties(new Dictionary<string, string> { { "as:client_id", context.ClientId ?? string.Empty }, { "displayName", user.Firstname + ' ' + user.Lastname }, { "userName", user.UserName }, { "userRoles", string.Join(",",identity.Claims.Where(c=> c.Type == ClaimTypes.Role).Select(c => c.Value).ToArray()) } }); var ticket = new AuthenticationTicket(identity, props); context.Validated(ticket); }