public async Task CreateAsync(AuthenticationTokenCreateContext context)
{
var clientId = context.Ticket.Properties.Dictionary["as:client_id"];
if (string.IsNullOrWhiteSpace(clientId))
{
return;
}
var refreshTokenId = Guid.NewGuid().ToString("N");
var refreshTokenLifetime = context.OwinContext.Get <string>("as:clientRefreshTokenLifetime");
var token = new RefreshToken
{
Id = AuthorizationHelpers.GetHash(refreshTokenId),
ClientApplicationId = clientId,
Subject = context.Ticket.Identity.Name,
IssuedAt = DateTime.UtcNow,
ExpiresAt = DateTime.UtcNow.AddMinutes(Convert.ToDouble(refreshTokenLifetime))
};
context.Ticket.Properties.IssuedUtc = token.IssuedAt;
context.Ticket.Properties.ExpiresUtc = token.ExpiresAt;
token.ProtectedTicket = context.SerializeTicket();
if (await _userRepository.TryAddRefreshTokenAsync(token))
{
context.SetToken(refreshTokenId);
}
}
public async Task <bool> TryCreateClientAsync(ClientApplication clientApplication)
{
var existingClient = await _context.ClientApplications.FindAsync(clientApplication.Id);
if (existingClient != null)
{
return(false);
}
clientApplication.Secret = AuthorizationHelpers.GetHash(clientApplication.Secret ?? string.Empty);
_context.ClientApplications.Add(clientApplication);
return(await _context.SaveChangesAsync() > 0);
}
public override async Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
{
string clientId, clientSecret;
if (!context.TryGetBasicCredentials(out clientId, out clientSecret))
{
context.TryGetFormCredentials(out clientId, out clientSecret);
}
if (clientId == null)
{
context.SetError("client_id_not_found", "ClientID should be sent.");
return;
}
var clientApplication = await _userRepository.FindClientAsync(clientId);
if (clientApplication == null)
{
context.SetError("invalid_client_id", string.Format("Client '{0}' is not registered in the system.", clientId));
return;
}
// Only native apps are supposed to contain a secret
// Javascript apps cannot store the secret safely anyway
if (clientApplication.ApplicationType == ApplicationType.NativeConfidential)
{
if (string.IsNullOrWhiteSpace(clientSecret))
{
context.SetError("client_secret_not_found", "Client secret should be sent.");
return;
}
if (clientApplication.Secret != AuthorizationHelpers.GetHash(clientSecret))
{
context.SetError("invalid_client_secret", "Client secret is invalid");
return;
}
}
if (!clientApplication.IsActive)
{
context.SetError("client_inactive", "Client is inactive");
return;
}
context.OwinContext.Set("as:clientAllowedOrigin", clientApplication.AllowedOrigin);
context.OwinContext.Set("as:clientRefreshTokenLifetime", clientApplication.RefreshTokenLifeTime.ToString());
context.Validated();
}
public async Task ReceiveAsync(AuthenticationTokenReceiveContext context)
{
var allowedOrigin = context.OwinContext.Get <string>("as:clientAllowedOrigin");
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { allowedOrigin });
var hashedTokenId = AuthorizationHelpers.GetHash(context.Token);
var refreshToken = await _userRepository.FindRefreshTokenAsync(hashedTokenId);
if (refreshToken != null)
{
context.DeserializeTicket(refreshToken.ProtectedTicket);
await _userRepository.TryRemoveRefreshTokenAsync(hashedTokenId);
}
}