public ActionResult Callback() { string input; using (var reader = new StreamReader(Request.InputStream)) { input = reader.ReadToEnd(); } string locationBase = string.Format("{0}/auth/broker/end", Request.Url.GetComponents(UriComponents.SchemeAndServer, UriFormat.Unescaped)); var inputInQueryStringUri = new Uri(locationBase + "?" + input); NameValueCollection tokenValues = inputInQueryStringUri.ParseQueryString(); string tokenData = tokenValues["wresult"]; //Validate SWT token var tokenSerializer = new WSTrustFeb2005ResponseSerializer(); RequestSecurityTokenResponse requestSecrityTokenResponse = tokenSerializer.ReadXml(new XmlTextReader(new StringReader(tokenData)), new WSTrustSerializationContext()); var simpleWebTokenHandler = new SimpleWebTokenHandler("https://" + _registrationService.ServiceNamespace + ".accesscontrol.windows.net/", _swtSigningKey); var securityToken = simpleWebTokenHandler.ReadToken(requestSecrityTokenResponse.RequestedSecurityToken.SecurityTokenXml.InnerText) as SimpleWebToken; simpleWebTokenHandler.ValidateToken(securityToken, _acsRealm); //Create delegation in ACS var authServerIdentifier = securityToken.Claims.FirstOrDefault(c => c.ClaimType == ClaimTypes.NameIdentifier); var authServerIdentity = new AuthorizationServerIdentity { NameIdentifier = authServerIdentifier.Value, IdentityProvider = authServerIdentifier.Issuer }; //todo: Check if we can add some claims (role claims) to the scope string code = _registrationService.GetAuthorizationCode(_clientId, authServerIdentity, "scope"); //todo: use OAuth parameter names in the return URL //return the token string location = string.Format("{0}?acsToken={1}", locationBase, code); Response.StatusCode = (int)HttpStatusCode.Redirect; Response.Headers.Add("Location", location); Response.End(); return null; }
/// <summary> /// This method parses the incoming token and validates it. /// </summary> /// <param name="accessToken">The incoming access token.</param> /// <param name="error">This out paramter is set if any error occurs.</param> /// <returns>True on success, False on error.</returns> protected bool ReadAndValidateToken(string accessToken, out ResourceAccessErrorResponse error) { bool tokenValid = false; error = null; SecurityToken token = null; ClaimsIdentityCollection claimsIdentityCollection = null; try { var handler = new SimpleWebTokenHandler(_issuer, _tokenSigningKey); // read the token token = handler.ReadToken(accessToken); // validate the token claimsIdentityCollection = handler.ValidateToken(token, _realm); // create a claims Principal from the token var claimsPrincipal = ClaimsPrincipal.CreateFromIdentities(claimsIdentityCollection); if (claimsPrincipal != null) { tokenValid = true; // push it through the pipeline foreach (var step in authenticationPipeline) { claimsPrincipal = step.Authenticate(token, claimsPrincipal); } // assign to threads if (HttpContext.Current != null) { HttpContext.Current.User = claimsPrincipal; } Thread.CurrentPrincipal = claimsPrincipal; } } catch (InvalidTokenReceivedException ex) { error = new ResourceAccessErrorResponse(_realm, ex.ErrorCode, ex.ErrorDescription); } catch (ExpiredTokenReceivedException ex) { error = new ResourceAccessErrorResponse(_realm, ex.ErrorCode, ex.ErrorDescription); } catch (Exception) { error = new ResourceAccessErrorResponse(_realm, "SWT401", "Token validation failed"); } return tokenValid; }