public string GenerateAccessToken(AccessTokenPayload tokenPayload)
{
var sign = HashSignatureProvider.CreateHS256(secret);
var jwt = new JsonWebToken <AccessTokenPayload>(tokenPayload, sign);
var str = jwt.ToEncodedString();
return(str);
}
private static (byte[], string) CreateToken(AccessTokenPayload payload, string prefix = "")
{
var salt = SecurityUtils.GenerateRandomSalt(32);
var infoBytes = Encoding.Default.GetBytes(JsonConvert.SerializeObject(payload, _serializerSettings));
var infoStringSignature = SecurityUtils.HashStringHex(infoBytes, salt);
return(salt, prefix + Convert.ToHexString(infoBytes) + "." + infoStringSignature);
}
public async Task PostRenewCertificateTest()
{
try
{
AccessTokenPayload accessTokenPayload = new AccessTokenPayload
{
keyVaultAccessToken = string.Empty
};
List <CertificateResponse> certificateResponses = await _certificateService
.PostCertificateRenewalAsync(false);
Assert.AreEqual(0, certificateResponses.Count);
}
catch (Exception ex)
{
string err = ex.Message;
Assert.Fail();
}
}
public IActionResult Login([FromBody] LoginInputData loginInputData)
{
_logger.Info("Login endpoint...", new { loginInputData });
if (loginInputData != null && loginInputData.IsValid())
{
var foundUser = _userRepository.GetUser(null, loginInputData.EMailAddress);
if (foundUser != null)
{
if (foundUser.Password == loginInputData.Password)
{
var tokenPayload = new AccessTokenPayload(foundUser);
var at = _accessTokenHelper.GenerateAccessToken(tokenPayload);
var loginResult = new
{
tokenPayload.UserId,
DepartmendId = tokenPayload.DepartmentId,
tokenPayload.LastName,
tokenPayload.FirstName,
tokenPayload.ExpirationDate,
tokenPayload.IsManager,
tokenPayload.IsAdmin,
AccessToken = at
};
_logger.Info("Login endpoint successful!", new { tokenPayload });
return(Ok(loginResult));
}
return(Unauthorized());
}
return(Unauthorized());
}
return(BadRequest());
}
public LoginResult SetupConfig(SetupData data)
{
const string cmd = "[spInitialize]";
var param = new DynamicParameters(new
{
initUserFirstName = data.FirstName,
initUserLastName = data.LastName,
initUserMail = data.MailAddress ?? $"{data.FirstName}.{data.LastName}@example.com",
initUserPassword = data.Password,
initDepartmentName = data.DepartmentName,
defaultDayCount = data.DefaultDayCount ?? 28
});
param.Add("@isCreated", direction: ParameterDirection.ReturnValue);
using (var con = _dbHelper.GetConnection())
{
var initialUser = con.QueryFirstOrDefault <User>(cmd, param, commandType: CommandType.StoredProcedure);
if (param.Get <int?>("@isCreated") != 1)
{
return(null);
}
var tokenPayload = new AccessTokenPayload(initialUser);
var at = _accessTokenHelper.GenerateAccessToken(tokenPayload);
return(new LoginResult()
{
UserId = tokenPayload.UserId,
DepartmentId = tokenPayload.DepartmentId,
LastName = tokenPayload.LastName,
FirstName = tokenPayload.FirstName,
ExpirationDate = tokenPayload.ExpirationDate,
IsManager = tokenPayload.IsManager,
IsAdmin = tokenPayload.IsAdmin,
AccessToken = at
});
}
}
/// <summary>
/// Add default Blazor.Auth0 authentication.
/// </summary>
/// <param name="services">The <see cref="IServiceCollection"/> instance.</param>
public static void AddDefaultBlazorAuth0Authentication(this IServiceCollection services)
{
// TODO: This method is too convulted, it should be separeted into smaller pieces
if (services is null)
{
throw new ArgumentNullException(nameof(services));
}
ClientOptions clientOptions = services.BuildServiceProvider().GetRequiredService <ClientOptions>();
Utils.ValidateObject(clientOptions);
services.Configure <CookiePolicyOptions>(options =>
{
// This lambda determines whether user consent for non-essential cookies is needed for a given request.
options.CheckConsentNeeded = context => true;
options.MinimumSameSitePolicy = SameSiteMode.None;
});
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddCookie(options =>
{
options.ExpireTimeSpan = TimeSpan.FromMinutes(60);
options.SlidingExpiration = clientOptions.SlidingExpiration;
})
.AddBlazorAuth0()
.AddOpenIdConnect(clientOptions.ClaimsIssuer, options =>
{
// Set the authority to your Auth0 domain
options.Authority = $"https://{clientOptions.Domain}";
options.RequireHttpsMetadata = false;
// Configure the Auth0 Client ID and Client Secret
options.ClientId = clientOptions.ClientId;
options.ClientSecret = clientOptions.ClientSecret;
options.ResponseType = CommonAuthentication.ParseResponseType(clientOptions.ResponseType);
string[] scopes = clientOptions.Scope.Trim().ToLowerInvariant().Split(",");
options.Scope.Clear();
foreach (string scope in scopes)
{
options.Scope.Add(scope);
}
if (clientOptions.ResponseType == Models.Enumerations.ResponseTypes.Code && !string.IsNullOrEmpty(clientOptions.ClientSecret))
{
options.Scope.Add("offline_access");
}
options.ClaimActions.MapAllExcept("iss", "nbf", "exp", "aud", "nonce", "iat", "c_hash");
options.GetClaimsFromUserInfoEndpoint = true;
options.SaveTokens = true;
options.CallbackPath = new PathString(clientOptions.CallbackPath);
options.RemoteSignOutPath = new PathString(clientOptions.RemoteSignOutPath);
options.SignedOutRedirectUri = clientOptions.RedirectUri;
options.ClaimsIssuer = clientOptions.ClaimsIssuer;
options.UseTokenLifetime = !clientOptions.SlidingExpiration;
options.TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name",
RoleClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
RequireSignedTokens = true,
RequireExpirationTime = true,
ValidateTokenReplay = true,
ValidIssuers = new string[]
{
options.Authority,
},
ValidateLifetime = true,
ValidateIssuerSigningKey = true,
};
if (!string.IsNullOrEmpty(clientOptions.Audience))
{
options.TokenValidationParameters.ValidAudiences = new string[] {
clientOptions.Audience,
$"{options.Authority}/userinfo",
};
}
options.Events = new OpenIdConnectEvents
{
OnRedirectToIdentityProvider = context =>
{
if (!string.IsNullOrEmpty(clientOptions.Audience))
{
context.ProtocolMessage.SetParameter("audience", clientOptions.Audience);
HttpRequest request = context.Request;
var errorUri = request.Scheme + "://" + request.Host + request.PathBase;
context.ProtocolMessage.SetParameter("error_uri", errorUri);
}
return(Task.FromResult(0));
},
OnRemoteSignOut = (context) =>
{
Authentication.ClearAspNetCookies(context.HttpContext);
string redirectUri = context.Request.Query
.Where(x => x.Key.ToLowerInvariant() == "redirect_uri")
.Select(x => x.Value)
.FirstOrDefault();
if (string.IsNullOrEmpty(redirectUri))
{
HttpRequest request = context.Request;
redirectUri = request.Scheme + "://" + request.Host + request.PathBase;
}
string logoutUri = CommonAuthentication.BuildLogoutUrl(clientOptions.Domain, clientOptions.ClientId, redirectUri);
context.Response.Redirect(logoutUri);
context.HandleResponse();
return(Task.CompletedTask);
},
// handle the logout redirection
OnRedirectToIdentityProviderForSignOut = (context) =>
{
string logoutUri = CommonAuthentication.BuildLogoutUrl(clientOptions.Domain, clientOptions.ClientId);
string postLogoutUri = context.Properties.RedirectUri;
if (!string.IsNullOrEmpty(postLogoutUri))
{
if (postLogoutUri.StartsWith("/"))
{
// transform to absolute
HttpRequest request = context.Request;
postLogoutUri = request.Scheme + "://" + request.Host + request.PathBase + postLogoutUri;
}
logoutUri += $"&returnTo={Uri.EscapeDataString(postLogoutUri)}";
}
context.Response.Redirect(logoutUri);
context.HandleResponse();
return(Task.CompletedTask);
},
OnTokenValidated = (u) =>
{
if (!string.IsNullOrEmpty(clientOptions.Audience))
{
string accessToken = u.TokenEndpointResponse.AccessToken;
AccessTokenPayload parsedAccessToken = !string.IsNullOrEmpty(accessToken) ? CommonAuthentication.DecodeTokenPayload <AccessTokenPayload>(accessToken) : default;
List <string> permissions = parsedAccessToken?.Permissions ?? new List <string>();
if (permissions.Any())
{
string name = u.Principal.Claims.Where(x => x.Type == "name").FirstOrDefault()?.Value;
name ??= u.Principal.Claims.Where(x => x.Type == ClaimTypes.GivenName).FirstOrDefault()?.Value;
name ??= u.Principal.Claims.Where(x => x.Type == ClaimTypes.Name).FirstOrDefault()?.Value;
name ??= u.Principal.Claims.Where(x => x.Type == "nickname").FirstOrDefault()?.Value;
name ??= u.Principal.Claims.Where(x => x.Type == ClaimTypes.Email).FirstOrDefault()?.Value;
GenericIdentity identity = new GenericIdentity(name, "JWT");
identity.AddClaims(u.Principal.Claims);
identity.AddClaims(permissions.Select(permission => new Claim("permissions", permission, "permissions")));
identity.AddClaim(new Claim("exp", parsedAccessToken.Exp.ToString(), ClaimValueTypes.Integer64));
ClaimsPrincipal user = new ClaimsPrincipal(identity);
u.Principal = user;
}
}
return(Task.CompletedTask);
},
OnAccessDenied = (u) =>
{
return(Task.CompletedTask);
},
OnAuthenticationFailed = (u) =>
{
return(Task.CompletedTask);
},
OnRemoteFailure = (context) =>
{
context.Response.Redirect("/");
context.HandleResponse();
return(Task.CompletedTask);
},
};
});
