public string GenerateAccessToken(AccessTokenPayload tokenPayload) { var sign = HashSignatureProvider.CreateHS256(secret); var jwt = new JsonWebToken <AccessTokenPayload>(tokenPayload, sign); var str = jwt.ToEncodedString(); return(str); }
private static (byte[], string) CreateToken(AccessTokenPayload payload, string prefix = "") { var salt = SecurityUtils.GenerateRandomSalt(32); var infoBytes = Encoding.Default.GetBytes(JsonConvert.SerializeObject(payload, _serializerSettings)); var infoStringSignature = SecurityUtils.HashStringHex(infoBytes, salt); return(salt, prefix + Convert.ToHexString(infoBytes) + "." + infoStringSignature); }
public async Task PostRenewCertificateTest() { try { AccessTokenPayload accessTokenPayload = new AccessTokenPayload { keyVaultAccessToken = string.Empty }; List <CertificateResponse> certificateResponses = await _certificateService .PostCertificateRenewalAsync(false); Assert.AreEqual(0, certificateResponses.Count); } catch (Exception ex) { string err = ex.Message; Assert.Fail(); } }
public IActionResult Login([FromBody] LoginInputData loginInputData) { _logger.Info("Login endpoint...", new { loginInputData }); if (loginInputData != null && loginInputData.IsValid()) { var foundUser = _userRepository.GetUser(null, loginInputData.EMailAddress); if (foundUser != null) { if (foundUser.Password == loginInputData.Password) { var tokenPayload = new AccessTokenPayload(foundUser); var at = _accessTokenHelper.GenerateAccessToken(tokenPayload); var loginResult = new { tokenPayload.UserId, DepartmendId = tokenPayload.DepartmentId, tokenPayload.LastName, tokenPayload.FirstName, tokenPayload.ExpirationDate, tokenPayload.IsManager, tokenPayload.IsAdmin, AccessToken = at }; _logger.Info("Login endpoint successful!", new { tokenPayload }); return(Ok(loginResult)); } return(Unauthorized()); } return(Unauthorized()); } return(BadRequest()); }
public LoginResult SetupConfig(SetupData data) { const string cmd = "[spInitialize]"; var param = new DynamicParameters(new { initUserFirstName = data.FirstName, initUserLastName = data.LastName, initUserMail = data.MailAddress ?? $"{data.FirstName}.{data.LastName}@example.com", initUserPassword = data.Password, initDepartmentName = data.DepartmentName, defaultDayCount = data.DefaultDayCount ?? 28 }); param.Add("@isCreated", direction: ParameterDirection.ReturnValue); using (var con = _dbHelper.GetConnection()) { var initialUser = con.QueryFirstOrDefault <User>(cmd, param, commandType: CommandType.StoredProcedure); if (param.Get <int?>("@isCreated") != 1) { return(null); } var tokenPayload = new AccessTokenPayload(initialUser); var at = _accessTokenHelper.GenerateAccessToken(tokenPayload); return(new LoginResult() { UserId = tokenPayload.UserId, DepartmentId = tokenPayload.DepartmentId, LastName = tokenPayload.LastName, FirstName = tokenPayload.FirstName, ExpirationDate = tokenPayload.ExpirationDate, IsManager = tokenPayload.IsManager, IsAdmin = tokenPayload.IsAdmin, AccessToken = at }); } }
/// <summary> /// Add default Blazor.Auth0 authentication. /// </summary> /// <param name="services">The <see cref="IServiceCollection"/> instance.</param> public static void AddDefaultBlazorAuth0Authentication(this IServiceCollection services) { // TODO: This method is too convulted, it should be separeted into smaller pieces if (services is null) { throw new ArgumentNullException(nameof(services)); } ClientOptions clientOptions = services.BuildServiceProvider().GetRequiredService <ClientOptions>(); Utils.ValidateObject(clientOptions); services.Configure <CookiePolicyOptions>(options => { // This lambda determines whether user consent for non-essential cookies is needed for a given request. options.CheckConsentNeeded = context => true; options.MinimumSameSitePolicy = SameSiteMode.None; }); services.AddAuthentication(options => { options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme; }) .AddCookie(options => { options.ExpireTimeSpan = TimeSpan.FromMinutes(60); options.SlidingExpiration = clientOptions.SlidingExpiration; }) .AddBlazorAuth0() .AddOpenIdConnect(clientOptions.ClaimsIssuer, options => { // Set the authority to your Auth0 domain options.Authority = $"https://{clientOptions.Domain}"; options.RequireHttpsMetadata = false; // Configure the Auth0 Client ID and Client Secret options.ClientId = clientOptions.ClientId; options.ClientSecret = clientOptions.ClientSecret; options.ResponseType = CommonAuthentication.ParseResponseType(clientOptions.ResponseType); string[] scopes = clientOptions.Scope.Trim().ToLowerInvariant().Split(","); options.Scope.Clear(); foreach (string scope in scopes) { options.Scope.Add(scope); } if (clientOptions.ResponseType == Models.Enumerations.ResponseTypes.Code && !string.IsNullOrEmpty(clientOptions.ClientSecret)) { options.Scope.Add("offline_access"); } options.ClaimActions.MapAllExcept("iss", "nbf", "exp", "aud", "nonce", "iat", "c_hash"); options.GetClaimsFromUserInfoEndpoint = true; options.SaveTokens = true; options.CallbackPath = new PathString(clientOptions.CallbackPath); options.RemoteSignOutPath = new PathString(clientOptions.RemoteSignOutPath); options.SignedOutRedirectUri = clientOptions.RedirectUri; options.ClaimsIssuer = clientOptions.ClaimsIssuer; options.UseTokenLifetime = !clientOptions.SlidingExpiration; options.TokenValidationParameters = new TokenValidationParameters { NameClaimType = "name", RoleClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", RequireSignedTokens = true, RequireExpirationTime = true, ValidateTokenReplay = true, ValidIssuers = new string[] { options.Authority, }, ValidateLifetime = true, ValidateIssuerSigningKey = true, }; if (!string.IsNullOrEmpty(clientOptions.Audience)) { options.TokenValidationParameters.ValidAudiences = new string[] { clientOptions.Audience, $"{options.Authority}/userinfo", }; } options.Events = new OpenIdConnectEvents { OnRedirectToIdentityProvider = context => { if (!string.IsNullOrEmpty(clientOptions.Audience)) { context.ProtocolMessage.SetParameter("audience", clientOptions.Audience); HttpRequest request = context.Request; var errorUri = request.Scheme + "://" + request.Host + request.PathBase; context.ProtocolMessage.SetParameter("error_uri", errorUri); } return(Task.FromResult(0)); }, OnRemoteSignOut = (context) => { Authentication.ClearAspNetCookies(context.HttpContext); string redirectUri = context.Request.Query .Where(x => x.Key.ToLowerInvariant() == "redirect_uri") .Select(x => x.Value) .FirstOrDefault(); if (string.IsNullOrEmpty(redirectUri)) { HttpRequest request = context.Request; redirectUri = request.Scheme + "://" + request.Host + request.PathBase; } string logoutUri = CommonAuthentication.BuildLogoutUrl(clientOptions.Domain, clientOptions.ClientId, redirectUri); context.Response.Redirect(logoutUri); context.HandleResponse(); return(Task.CompletedTask); }, // handle the logout redirection OnRedirectToIdentityProviderForSignOut = (context) => { string logoutUri = CommonAuthentication.BuildLogoutUrl(clientOptions.Domain, clientOptions.ClientId); string postLogoutUri = context.Properties.RedirectUri; if (!string.IsNullOrEmpty(postLogoutUri)) { if (postLogoutUri.StartsWith("/")) { // transform to absolute HttpRequest request = context.Request; postLogoutUri = request.Scheme + "://" + request.Host + request.PathBase + postLogoutUri; } logoutUri += $"&returnTo={Uri.EscapeDataString(postLogoutUri)}"; } context.Response.Redirect(logoutUri); context.HandleResponse(); return(Task.CompletedTask); }, OnTokenValidated = (u) => { if (!string.IsNullOrEmpty(clientOptions.Audience)) { string accessToken = u.TokenEndpointResponse.AccessToken; AccessTokenPayload parsedAccessToken = !string.IsNullOrEmpty(accessToken) ? CommonAuthentication.DecodeTokenPayload <AccessTokenPayload>(accessToken) : default; List <string> permissions = parsedAccessToken?.Permissions ?? new List <string>(); if (permissions.Any()) { string name = u.Principal.Claims.Where(x => x.Type == "name").FirstOrDefault()?.Value; name ??= u.Principal.Claims.Where(x => x.Type == ClaimTypes.GivenName).FirstOrDefault()?.Value; name ??= u.Principal.Claims.Where(x => x.Type == ClaimTypes.Name).FirstOrDefault()?.Value; name ??= u.Principal.Claims.Where(x => x.Type == "nickname").FirstOrDefault()?.Value; name ??= u.Principal.Claims.Where(x => x.Type == ClaimTypes.Email).FirstOrDefault()?.Value; GenericIdentity identity = new GenericIdentity(name, "JWT"); identity.AddClaims(u.Principal.Claims); identity.AddClaims(permissions.Select(permission => new Claim("permissions", permission, "permissions"))); identity.AddClaim(new Claim("exp", parsedAccessToken.Exp.ToString(), ClaimValueTypes.Integer64)); ClaimsPrincipal user = new ClaimsPrincipal(identity); u.Principal = user; } } return(Task.CompletedTask); }, OnAccessDenied = (u) => { return(Task.CompletedTask); }, OnAuthenticationFailed = (u) => { return(Task.CompletedTask); }, OnRemoteFailure = (context) => { context.Response.Redirect("/"); context.HandleResponse(); return(Task.CompletedTask); }, }; });