public void GetAccessTokenWithTotallyFakeToken() {
var resourceServer = new ResourceServer(new StandardAccessTokenAnalyzer(AsymmetricKey, null));
var requestHeaders = new NameValueCollection {
{ "Authorization", "Bearer foobar" },
};
var request = new HttpRequestInfo("GET", new Uri("http://localhost/resource"), headers: requestHeaders);
Assert.That(() => resourceServer.GetAccessToken(request), Throws.InstanceOf<ProtocolException>());
}
public void GetAccessTokenWithCorruptedToken() {
var accessToken = this.ObtainValidAccessToken();
var resourceServer = new ResourceServer(new StandardAccessTokenAnalyzer(AsymmetricKey, null));
var requestHeaders = new NameValueCollection {
{ "Authorization", "Bearer " + accessToken.Substring(0, accessToken.Length - 1) + "zzz" },
};
var request = new HttpRequestInfo("GET", new Uri("http://localhost/resource"), headers: requestHeaders);
Assert.That(() => resourceServer.GetAccessToken(request), Throws.InstanceOf<ProtocolException>());
}
public void GetAccessTokenWithValidToken() {
var accessToken = this.ObtainValidAccessToken();
var resourceServer = new ResourceServer(new StandardAccessTokenAnalyzer(AsymmetricKey, null));
var requestHeaders = new NameValueCollection {
{ "Authorization", "Bearer " + accessToken },
};
var request = new HttpRequestInfo("GET", new Uri("http://localhost/resource"), headers: requestHeaders);
var resourceServerDecodedToken = resourceServer.GetAccessToken(request);
Assert.That(resourceServerDecodedToken, Is.Not.Null);
}
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
bool isAuthorized = false;
try
{
HttpRequestBase request = httpContext.Request;
if (!string.IsNullOrEmpty(request.Headers["Authorization"]))
{
if (request.Headers["Authorization"].StartsWith("Bearer "))
{
RSACryptoServiceProvider authorizationServerSigningPublicKey = AuthorizationServerHost.CreateRsaCryptoServiceProvider(AuthorizationServerHost.AuthorizationServerSigningPublicKey);
RSACryptoServiceProvider resourceServerEncryptionPrivateKey = AuthorizationServerHost.CreateRsaCryptoServiceProvider(AuthorizationServerHost.ResourceServerEncryptionPrivateKey);
StandardAccessTokenAnalyzer tokenAnalyzer = new StandardAccessTokenAnalyzer(authorizationServerSigningPublicKey, resourceServerEncryptionPrivateKey);
ResourceServer resourceServer = new ResourceServer(tokenAnalyzer);
IPrincipal principal = resourceServer.GetPrincipal(request);
if (principal.Identity.IsAuthenticated)
{
HttpContext.Current.User = principal;
Thread.CurrentPrincipal = principal;
isAuthorized = true;
}
var _token = resourceServer.GetAccessToken(request);
if (this.RequiredScopes.Any())
{
var token = resourceServer.GetAccessToken(request, this.RequiredScopes);
}
}
}
}
catch
{
isAuthorized = false;
}
return isAuthorized;
}
