public async Task <Uri> ExecuteAsync( AcquireTokenCommonParameters commonParameters, GetAuthorizationRequestUrlParameters authorizationRequestUrlParameters, CancellationToken cancellationToken) // TODO: propagate cancellation token { var requestContext = CreateRequestContextAndLogVersionInfo(commonParameters.CorrelationId); var requestParameters = _confidentialClientApplication.CreateRequestParameters( commonParameters, requestContext, _confidentialClientApplication.UserTokenCacheInternal); requestParameters.Account = authorizationRequestUrlParameters.Account; requestParameters.LoginHint = authorizationRequestUrlParameters.LoginHint; if (!string.IsNullOrWhiteSpace(authorizationRequestUrlParameters.RedirectUri)) { requestParameters.RedirectUri = new Uri(authorizationRequestUrlParameters.RedirectUri); } await AuthorityEndpoints.UpdateAuthorityEndpointsAsync(requestParameters).ConfigureAwait(false); var handler = new AuthCodeRequestComponent( requestParameters, authorizationRequestUrlParameters.ToInteractiveParameters()); return(handler.GetAuthorizationUriWithoutPkce()); }
public static Dictionary <string, string> CreateClientCredentialBodyParameters( ICoreLogger logger, ICryptographyManager cryptographyManager, ClientCredentialWrapper clientCredential, string clientId, AuthorityEndpoints endpoints, bool sendX5C) { Dictionary <string, string> parameters = new Dictionary <string, string>(); if (clientCredential != null) { if (clientCredential.AuthenticationType == ConfidentialClientAuthenticationType.ClientSecret) { parameters[OAuth2Parameter.ClientSecret] = clientCredential.Secret; } else { if ((clientCredential.CachedAssertion == null || clientCredential.ValidTo != 0) && clientCredential.AuthenticationType != ConfidentialClientAuthenticationType.SignedClientAssertion) { if (!ValidateClientAssertion(clientCredential, endpoints.SelfSignedJwtAudience, sendX5C)) { logger.Info(LogMessages.ClientAssertionDoesNotExistOrNearExpiry); JsonWebToken jwtToken; if (clientCredential.AuthenticationType == ConfidentialClientAuthenticationType.ClientCertificateWithClaims) { jwtToken = new JsonWebToken(cryptographyManager, clientId, endpoints.SelfSignedJwtAudience, clientCredential.ClaimsToSign, clientCredential.AppendDefaultClaims); } else { jwtToken = new JsonWebToken(cryptographyManager, clientId, endpoints.SelfSignedJwtAudience); } clientCredential.CachedAssertion = jwtToken.Sign(clientCredential, sendX5C); clientCredential.ValidTo = jwtToken.ValidTo; clientCredential.ContainsX5C = sendX5C; clientCredential.Audience = endpoints.SelfSignedJwtAudience; } else { logger.Info(LogMessages.ReusingTheUnexpiredClientAssertion); } } parameters[OAuth2Parameter.ClientAssertionType] = OAuth2AssertionType.JwtBearer; if (clientCredential.AuthenticationType == ConfidentialClientAuthenticationType.SignedClientAssertion) { parameters[OAuth2Parameter.ClientAssertion] = clientCredential.SignedAssertion; } else { parameters[OAuth2Parameter.ClientAssertion] = clientCredential.CachedAssertion; } } } return(parameters); }
private async Task <MsalTokenResponse> RefreshAccessTokenAsync(MsalRefreshTokenCacheItem msalRefreshTokenItem, CancellationToken cancellationToken) { AuthenticationRequestParameters.RequestContext.Logger.Verbose("Refreshing access token..."); await AuthorityEndpoints.UpdateAuthorityEndpointsAsync(AuthenticationRequestParameters) .ConfigureAwait(false); var msalTokenResponse = await _silentRequest.SendTokenRequestAsync(GetBodyParameters(msalRefreshTokenItem.Secret), cancellationToken) .ConfigureAwait(false); if (msalTokenResponse.RefreshToken == null) { msalTokenResponse.RefreshToken = msalRefreshTokenItem.Secret; AuthenticationRequestParameters.RequestContext.Logger.Info( "Refresh token was missing from the token refresh response, so the refresh token in the request is returned instead"); } return(msalTokenResponse); }
public static Dictionary <string, string> CreateClientCredentialBodyParameters( ICoreLogger logger, ICryptographyManager cryptographyManager, ClientCredentialWrapper clientCredential, string clientId, AuthorityEndpoints endpoints, bool sendX5C) { Dictionary <string, string> parameters = new Dictionary <string, string>(); if (clientCredential != null) { if (!string.IsNullOrEmpty(clientCredential.Secret)) { parameters[OAuth2Parameter.ClientSecret] = clientCredential.Secret; } else { if (clientCredential.Assertion == null || clientCredential.ValidTo != 0) { if (!ValidateClientAssertion(clientCredential, endpoints, sendX5C)) { logger.Info("Client Assertion does not exist or near expiry."); var jwtToken = new JsonWebToken(cryptographyManager, clientId, endpoints?.SelfSignedJwtAudience); clientCredential.Assertion = jwtToken.Sign(clientCredential.Certificate, sendX5C); clientCredential.ValidTo = jwtToken.Payload.ValidTo; clientCredential.ContainsX5C = sendX5C; clientCredential.Audience = endpoints?.SelfSignedJwtAudience; } else { logger.Info("Reusing the unexpired Client Assertion..."); } } parameters[OAuth2Parameter.ClientAssertionType] = OAuth2AssertionType.JwtBearer; parameters[OAuth2Parameter.ClientAssertion] = clientCredential.Assertion; } } return(parameters); }
protected async Task ResolveAuthorityEndpointsAsync() { await AuthorityEndpoints.UpdateAuthorityEndpointsAsync(AuthenticationRequestParameters) .ConfigureAwait(false); }
/// <summary> /// Determines whether or not the cached client assertion can be used again for the next authentication request by /// checking it's /// values against incoming request parameters. /// </summary> /// <returns>Returns true if the previously cached client assertion is valid</returns> public static bool ValidateClientAssertion(ClientCredentialWrapper clientCredential, AuthorityEndpoints endpoints, bool sendX5C) { if (clientCredential == null) { throw new ArgumentNullException(nameof(clientCredential)); } else if (string.IsNullOrWhiteSpace(clientCredential.Assertion)) { return(false); } //Check if all current client assertion values match incoming parameters and expiration time //The clientCredential object contains the previously used values in the cached client assertion string bool expired = clientCredential.ValidTo <= JsonWebToken.ConvertToTimeT( DateTime.UtcNow + TimeSpan.FromMinutes(Constants.ExpirationMarginInMinutes)); bool parametersMatch = clientCredential.Audience == endpoints?.SelfSignedJwtAudience && clientCredential.ContainsX5C == sendX5C; return(!expired && parametersMatch); }