/// <summary>
/// Try to get the client id from the HTTP body or HTTP header.
/// </summary>
/// <param name="instruction">Authentication instruction</param>
/// <returns>Client id</returns>
private static string?TryGettingClientId(AuthenticateInstruction instruction)
{
var clientId = ClientAssertionAuthentication.GetClientId(instruction);
if (!string.IsNullOrWhiteSpace(clientId))
{
return(clientId);
}
clientId = instruction.ClientIdFromAuthorizationHeader;
return(!string.IsNullOrWhiteSpace(clientId)
? clientId
: instruction.ClientIdFromHttpRequestBody);
}
public static Client?AuthenticateClient(AuthenticateInstruction instruction, Client client)
{
var clientSecret = client.Secrets?.FirstOrDefault(s => s.Type == ClientSecretTypes.SharedSecret);
if (clientSecret == null)
{
return(null);
}
var sameSecret = string.Compare(clientSecret.Value,
instruction.ClientSecretFromHttpRequestBody,
StringComparison.CurrentCultureIgnoreCase) == 0;
return(sameSecret ? client : null);
}
private static Client?AuthenticateTlsClient(AuthenticateInstruction instruction, Client client)
{
var thumbPrint = client.Secrets.FirstOrDefault(s => s.Type == ClientSecretTypes.X509Thumbprint);
var name = client.Secrets.FirstOrDefault(s => s.Type == ClientSecretTypes.X509Name);
if (thumbPrint == null || name == null || instruction.Certificate == null)
{
return(null);
}
var certificate = instruction.Certificate;
var isSameThumbPrint = thumbPrint.Value == certificate.Thumbprint;
var isSameName = name.Value == certificate.SubjectName.Name;
return(isSameName && isSameThumbPrint ? client : null);
}
public static Client?AuthenticateClient(this AuthenticateInstruction instruction, Client client)
{
var clientSecrets = client.Secrets?.Where(s => s.Type == ClientSecretTypes.SharedSecret).ToArray();
if (clientSecrets == null || clientSecrets.Length == 0)
{
return(null);
}
var sameSecret = clientSecrets.Any(
clientSecret => string.Equals(
clientSecret.Value,
instruction.ClientSecretFromAuthorizationHeader,
StringComparison.CurrentCulture));
return(sameSecret ? client : null);
}
/// <summary>
/// Authenticates the specified instruction.
/// </summary>
/// <param name="instruction">The instruction.</param>
/// <param name="issuerName">Name of the issuer.</param>
/// <param name="cancellationToken">The cancellation token.</param>
/// <returns></returns>
/// <exception cref="ArgumentNullException">instruction</exception>
public async Task <AuthenticationResult> Authenticate(
AuthenticateInstruction instruction,
string issuerName,
CancellationToken cancellationToken)
{
Client?client = null;
// First we try to fetch the client_id
// The different client authentication mechanisms are described here : http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
var clientId = TryGettingClientId(instruction);
if (!string.IsNullOrWhiteSpace(clientId))
{
client = await _clientRepository.GetById(clientId, cancellationToken).ConfigureAwait(false);
}
if (client == null)
{
return(new AuthenticationResult(null, SharedStrings.TheClientDoesntExist));
}
var errorMessage = string.Empty;
switch (client.TokenEndPointAuthMethod)
{
case TokenEndPointAuthenticationMethods.ClientSecretBasic:
client = instruction.AuthenticateClient(client);
if (client == null)
{
errorMessage = Strings.TheClientCannotBeAuthenticatedWithSecretBasic;
}
break;
case TokenEndPointAuthenticationMethods.ClientSecretPost:
client = ClientSecretPostAuthentication.AuthenticateClient(instruction, client);
if (client == null)
{
errorMessage = Strings.TheClientCannotBeAuthenticatedWithSecretPost;
}
break;
case TokenEndPointAuthenticationMethods.ClientSecretJwt:
if (client.Secrets.All(s => s.Type != ClientSecretTypes.SharedSecret))
{
errorMessage = string.Format(
Strings.TheClientDoesntContainASharedSecret,
client.ClientId);
break;
}
return(await _clientAssertionAuthentication.AuthenticateClientWithClientSecretJwt(instruction, cancellationToken)
.ConfigureAwait(false));
case TokenEndPointAuthenticationMethods.PrivateKeyJwt:
return(await _clientAssertionAuthentication
.AuthenticateClientWithPrivateKeyJwt(instruction, issuerName, cancellationToken)
.ConfigureAwait(false));
case TokenEndPointAuthenticationMethods.TlsClientAuth:
client = AuthenticateTlsClient(instruction, client);
if (client == null)
{
errorMessage = Strings.TheClientCannotBeAuthenticatedWithTls;
}
break;
}
return(new AuthenticationResult(client, errorMessage));
}