protected virtual void EnsureClientExists(TokenRequestMessage message) { var clientId = message.Parameters[OAuthConstants.ClientId]; if (!this.ClientStore.ClientExists(clientId)) { throw new OAuthException(OAuthErrorCodes.InvalidClient, string.Format("The client_id '{0}' is not registered", clientId)); } }
public override bool CanValidateMessage(TokenRequestMessage message) { if (message.Type == RequestGrantType.Assertion) { return(true); } return(false); }
private string CreateAccessToken(TokenRequestMessage message, NameValueCollection additionalInfo) { var scope = message.Parameters["scope"]; var validity = TimeSpan.FromSeconds(this.serviceConfig.SimpleWebTokenHandlerConfiguration.Issuer.TokenExpirationInSeconds); var swt = CreateSimpleWebToken(this.serviceConfig.SimpleWebTokenHandlerConfiguration.Issuer.IssuerIdentifier, scope, validity, additionalInfo); var accessToken = SerializeToken(swt, this.serviceConfig.SecurityTokenHandlers); return(accessToken); }
public TokenResponseMessage CreateResponse(TokenRequestMessage message, NameValueCollection additionalInfo) { TokenResponseMessage response = new TokenResponseMessage(); response.AccessToken = this.CreateAccessToken(message, additionalInfo); response.RefreshToken = this.CreateRefreshToken(); response.AccessTokenExpiresIn = TimeSpan.FromSeconds(this.serviceConfig.SimpleWebTokenHandlerConfiguration.Issuer.TokenExpirationInSeconds); return(response); }
public NameValueCollection Validate(TokenRequestMessage message) { if (message == null) { throw new ArgumentNullException("message"); } foreach (OAuthMessageHandler handler in this) { if (handler.CanValidateMessage(message)) { return(handler.Validate(message)); } } return(null); }
public override NameValueCollection Validate(TokenRequestMessage message) { string clientId = message.Parameters[OAuthConstants.ClientId]; string clientSecret = message.Parameters[OAuthConstants.ClientSecret]; if (string.IsNullOrEmpty(clientId) || string.IsNullOrEmpty(clientSecret)) { throw new InvalidOperationException("client_id and client_secret must be present for this profile"); } bool valid = this.ClientStore.ValidateClient(clientId, clientSecret); if (!valid) { throw new InvalidOperationException("client_id is not registered or client_secret is invalid"); } message.Parameters.Remove(OAuthConstants.ClientSecret); return(message.Parameters); }
public virtual TokenRequestMessage ReadMessage(StreamReader reader) { NameValueCollection requestParameters; string requestString; requestString = reader.ReadToEnd(); reader.Close(); requestParameters = HttpUtility.ParseQueryString(requestString); var message = new TokenRequestMessage(); foreach (string key in requestParameters.AllKeys) { if (key == OAuthConstants.GrantType) { message.Type = requestParameters[key]; requestParameters.Remove(key); } message.Parameters = requestParameters; } return(message); }
public override NameValueCollection Validate(TokenRequestMessage message) { if (!this.CanValidateMessage(message)) { throw new OAuthException(OAuthErrorCodes.UnsupportedGrantType, "This handler cannot validate this message."); } if (!message.Parameters[OAuthConstants.AssertionType].Equals("saml", StringComparison.OrdinalIgnoreCase)) { throw new OAuthException(OAuthErrorCodes.InvalidRequest, string.Format("Assertion format '{0}' not supported. Only Saml Supported", message.Parameters[OAuthConstants.AssertionType])); } string assertion = message.Parameters[OAuthConstants.Assertion]; if (assertion == null) { throw new OAuthException(OAuthErrorCodes.InvalidRequest, "Parameter 'assertion' is mandatory"); } this.EnsureClientExists(message); SecurityToken token = null; SecurityToken xtoken = null; using (var stringReader = new StringReader(assertion)) { var reader = XmlReader.Create(stringReader); if (!ServiceConfiguration.SecurityTokenHandlers.CanReadToken(reader)) { throw new OAuthException(OAuthErrorCodes.UnsupportedGrantType, "No Token handler defined can read this assertion"); } // TODO: this should be changed to be in config // CHANGE: matias: read decryption cert from servicecertificate instead of hardcoding localhost using (var xprovider = new X509SecurityTokenProvider(ServiceConfiguration.ServiceCertificate)) { xtoken = xprovider.GetToken(new TimeSpan(10, 1, 1)); } var outOfBandTokens = new Collection <SecurityToken>(); outOfBandTokens.Add(xtoken); // CHANGED: matias, don't validate certificate (should be read from service config) ServiceConfiguration.CertificateValidator = X509CertificateValidator.None; // encryptedtoken handler is 6 . Add the X509TOken which has the key to decrypt this token ServiceConfiguration.SecurityTokenHandlers[6].Configuration.ServiceTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new ReadOnlyCollection <SecurityToken>(outOfBandTokens), false); token = ServiceConfiguration.SecurityTokenHandlers.ReadToken(reader); } ClaimsIdentityCollection cc; try { cc = ServiceConfiguration.SecurityTokenHandlers.ValidateToken(token); } catch (SecurityTokenException ex) { throw new OAuthException(OAuthErrorCodes.InvalidGrant, ex.Message, ex); } // CHANGE: matias: add CAM in order to be able to tranform claims IClaimsPrincipal principal = new ClaimsPrincipal(cc); if (ServiceConfiguration.ClaimsAuthenticationManager != null) { principal = ServiceConfiguration.ClaimsAuthenticationManager.Authenticate("replace", principal); } var collection = new NameValueCollection(); foreach (Claim claim in cc[0].Claims) { collection.Add(claim.ClaimType, claim.Value); } return(collection); }
public abstract NameValueCollection Validate(TokenRequestMessage message);
public virtual bool CanValidateMessage(TokenRequestMessage message) { return(false); }