public static string GetJwtToken(this IRequest req) { var jwtAuthProvider = AuthenticateService.GetJwtAuthProvider(); if (jwtAuthProvider != null) { if (jwtAuthProvider.AllowInFormData) { var jwt = req.FormData[Keywords.TokenCookie]; if (!string.IsNullOrEmpty(jwt)) { return(jwt); } } if (jwtAuthProvider.AllowInQueryString) { var jwt = req.QueryString[Keywords.TokenCookie]; if (!string.IsNullOrEmpty(jwt)) { return(jwt); } } } return(req.GetBearerToken() ?? req.GetCookieValue(Keywords.TokenCookie)); }
public object Any(GetJsonWebKeySet request) { var jwtProvider = AuthenticateService.GetJwtAuthProvider(); if (!JwtAuthProviderReader.RsaSignAlgorithms.ContainsKey(jwtProvider.HashAlgorithm)) { return(HttpError.MethodNotAllowed("Non RSA algorithms are not supported")); } var keys = new List <JsonWebKey>(); var publicKey = jwtProvider.GetPublicKey(Request); var alg = jwtProvider.HashAlgorithm; var fallbackKeys = jwtProvider.GetFallbackPublicKeys(Request); if (publicKey != null) { keys.Add(CreateJWKey(publicKey.Value, alg, jwtProvider.GetKeyId(Request))); } keys.AddRange(fallbackKeys.Select(key => CreateJWKey(key, alg))); return(new JsonWebKeySetResponse { Keys = keys }); }
public void Requires_full_Signature_to_Authenticate() { var client = GetClientWithBasicAuthCredentials(); var authResponse = client.Post(new Authenticate()); Assert.That(authResponse.BearerToken, Is.Not.Null); var jwtProvider = (JwtAuthProvider)AuthenticateService.GetJwtAuthProvider(); // Ensure minimum signature example // jwtProvider.ValidateToken = (js,req) => // req.GetJwtToken().LastRightPart('.').FromBase64UrlSafe().Length >= 32; var req = new BasicHttpRequest { Headers = { [HttpHeaders.Authorization] = "Bearer " + authResponse.BearerToken } }; Assert.That(jwtProvider.IsJwtValid(req)); var startSigPos = authResponse.BearerToken.LastIndexOf('.') + 1; for (var i = startSigPos; i < authResponse.BearerToken.Length; i++) { req.Headers[HttpHeaders.Authorization] = "Bearer " + authResponse.BearerToken.Substring(0, i); Assert.That(jwtProvider.IsJwtValid(req), Is.False); } }
public object Any(GetOpenIdDiscoveryDocument request) { var jwtProvider = AuthenticateService.GetJwtAuthProvider(); return(new OpenIdDiscoveryDocument { JwksUri = new GetJsonWebKeySet().ToAbsoluteUri(Request), Issuer = jwtProvider.Issuer }); }
public void Does_not_validate_invalid_token() { var expiredJwt = CreateExpiredToken(); var jwtProvider = AuthenticateService.GetJwtAuthProvider(); Assert.That(jwtProvider.IsJwtValid(expiredJwt), Is.False); Assert.That(jwtProvider.GetValidJwtPayload(expiredJwt), Is.Null); }
public void Register(IAppHost appHost) { JwtAuthProvider = AuthenticateService.GetJwtAuthProvider(); if (JwtAuthProvider is JwtAuthProvider) { appHost.RegisterService(typeof(JwksService)); } else if (JwtAuthProvider != null) { var keySet = RetrieveKeySet(); LoadKeySet(keySet); } }
public void Can_validate_valid_token() { var authClient = GetClient(); var jwt = authClient.Send(new Authenticate { provider = "credentials", UserName = Username, Password = Password, }).BearerToken; var jwtProvider = AuthenticateService.GetJwtAuthProvider(); Assert.That(jwtProvider.IsJwtValid(jwt)); var jwtPayload = jwtProvider.GetValidJwtPayload(jwt); Assert.That(jwtPayload, Is.Not.Null); Assert.That(jwtPayload["preferred_username"], Is.EqualTo(Username)); }
public override void Execute(IRequest request, IResponse response, object requestDto) { var jwtProvider = AuthenticateService.GetJwtAuthProvider(); var userSession = request.GetSession(); string jwt = request.GetJwtToken(); if (jwt == null) { response.ReturnAuthRequired(); return; } var payload = jwtProvider.GetValidJwtPayload(jwt); // !! make the user_auth key dynamic at some point // Will likely require putting the actual behavior of this attribute into an action filter. See here: https://cuttingedge.it/blogs/steven/pivot/entry.php?id=98 var user_authorization = payload.FirstOrDefault(k => k.Key == "urn://user_authorization"); if (!user_authorization.Equals(default(KeyValuePair <string, string>))) { var authorization = user_authorization.Value.FromJson <UserAuthorization>(); authorization.Scopes = payload.Get("scope").Split(' '); if (authorization.Roles == null && authorization.Permissions == null) { response.ReturnAuthRequired(); } if (authorization.Permissions.Length > 0) { if (userSession.Permissions == null) { userSession.Permissions = new List <string>(authorization.Permissions); } else { userSession.Permissions.AddRange(authorization.Permissions); } } if (authorization.Roles.Length > 0) { if (userSession.Roles == null) { userSession.Roles = new List <string>(authorization.Roles); } else { userSession.Roles.AddRange(authorization.Roles); } } } var perms = payload.Get("scope").Split(' '); var claims = perms; if (claims == null) { response.ReturnAuthRequired(); return; } request.SaveSession(userSession); return; }