public async Task CreateAsync(AuthenticationTokenCreateContext context) {
var clientIdValue = context.Ticket.Properties.Dictionary["as:client_id"];
if (string.IsNullOrWhiteSpace(clientIdValue)) {
return;
}
int clientId = 0;
if (!int.TryParse(clientIdValue, out clientId)) {
return;
}
var token = Guid.NewGuid().ToString("n");
var refreshTokenLifeTime = context.OwinContext.Get<string>("as:clientRefreshTokenLifeTime");
var issuedUtc = DateTime.UtcNow;
var expiresUtc = DateTime.UtcNow.AddMinutes(Convert.ToDouble(refreshTokenLifeTime));
context.Ticket.Properties.IssuedUtc = issuedUtc;
context.Ticket.Properties.ExpiresUtc = expiresUtc;
var client = new AuthenticationClient();
var result = await client.SaveRefreshToken(new SaveRefreshTokenRequest {
HashedToken = PasswordHelper.HashToken(token),
ClientId = clientId,
Username = context.Ticket.Properties.Dictionary["userName"],
IssuedUtc = DateTime.UtcNow,
ExpiresUtc = DateTime.UtcNow.AddMinutes(Convert.ToDouble(refreshTokenLifeTime)),
ProtectedTicket = context.SerializeTicket()
});
if (result.IsSuccess) {
context.SetToken(token);
}
}
public async Task ReceiveAsync(AuthenticationTokenReceiveContext context) {
var allowedOrigin = context.OwinContext.Get<string>("as:clientAllowedOrigin");
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { allowedOrigin });
string hashedToken = PasswordHelper.HashToken(context.Token);
var authenticationClient = new AuthenticationClient();
var response = await authenticationClient.GetRefreshToken(new GetRefreshTokenRequest { HashedToken = hashedToken });
if (response.RefreshToken != null) {
context.DeserializeTicket(response.RefreshToken.ProtectedTicket);
await authenticationClient.DeleteRefreshToken(new DeleteRefreshTokenRequest { HashedToken = hashedToken });
}
}
public override async Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context) {
string clientIdValue = string.Empty;
string clientSecret = string.Empty;
int clientId = 0;
if (!context.TryGetBasicCredentials(out clientIdValue, out clientSecret)) {
context.TryGetFormCredentials(out clientIdValue, out clientSecret);
}
if (string.IsNullOrWhiteSpace(clientIdValue)) {
context.SetError("invalid_clientId", "Client id should be sent");
return;
}
if (!int.TryParse(clientIdValue, out clientId)) {
context.SetError("invalid_clientId", "Client id is invalid");
return;
}
var authenticationClient = new AuthenticationClient();
var client = await authenticationClient.GetClient(new GetClientRequest { ClientId = clientId });
if (client == null || !client.IsSuccess || client.Client == null) {
context.SetError("invalid_clientId", string.Format("Client '{0}' is not registered in the system", clientId));
return;
}
if (client.Client.ApplicationType == ApplicationType.NativeConfidential) {
if (string.IsNullOrWhiteSpace(clientSecret)) {
context.SetError("invalid_clientId", "Client secret should be sent");
return;
} else if (!PasswordHelper.VerifyPassword(clientSecret, client.Client.Secret)) {
context.SetError("invalid_clientId", "Client secret is invalid");
return;
}
if (!client.Client.Active) {
context.SetError("invalid_cliendId", "Client is inactive");
return;
}
}
context.OwinContext.Set<string>("as:clientAllowedOrigin", client.Client.AllowedOrigin);
context.OwinContext.Set<string>("as:clientRefreshTokenLifeTime", client.Client.RefreshTokenLifeTime.ToString());
context.Validated();
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context) {
var allowedOrigin = context.OwinContext.Get<string>("as:clientAllowedOrigin");
if (string.IsNullOrWhiteSpace(allowedOrigin)) {
allowedOrigin = "*";
}
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { allowedOrigin });
var authenticationClient = new AuthenticationClient();
var response = await authenticationClient.Authenticate(new AuthenticateRequest { Username = context.UserName });
var authenticated = response.IsSuccess && response.AuthenticatedUser != null && PasswordHelper.VerifyPassword(context.Password, response.AuthenticatedUser.HashedPassword);
if (!authenticated) {
context.SetError("invalid_grant", "The email or password is incorrect");
return;
}
var claims = new[] {
new Claim("sub", context.UserName),
new Claim("role", response.AuthenticatedUser.RoleName),
new Claim("user_id", response.AuthenticatedUser.Id.ToString())
};
var identity = new ClaimsIdentity(claims, context.Options.AuthenticationType);
if (response.AuthenticatedUser.RoleName == "user") {
context.SetError("invalid_grant", "The user does not have permissions for this service");
return;
}
var props = new AuthenticationProperties(new Dictionary<string, string> {
{ "as:client_id", context.ClientId == null ? string.Empty : context.ClientId },
{ "userName", context.UserName },
{ "role", response.AuthenticatedUser.RoleName },
{ "photo", response.AuthenticatedUser.Photo }
});
var ticket = new AuthenticationTicket(identity, props);
context.Validated(ticket);
}
