protected DataModels.Approval Approve(DataModels.Client Client, DataModels.ResourceOwner Owner, string Scope)
{
DataModels.Approval approval = ApprovalModel.GetApproval(Client, Owner);
if (approval == null || TokenHelper.MissingScopesArray(Scope, approval.scope).Length != 0)
{
string apprUrl = Request.GetApplicationUrl();
if (!apprUrl.EndsWith("/"))
{
apprUrl += '/';
}
UriBuilder bldr = new UriBuilder(apprUrl);
bldr.Path += "approval";
string query = "client_id=" + Client.id + "&redirect=" + Request.AbsoluteUri.UrlEncode();
if (Scope != null)
{
query += "&scope=" + Scope.UrlEncode();
}
bldr.Query = query;
Response.AddHeader("Location", bldr.ToString());
Response.StatusCode = (int)System.Net.HttpStatusCode.Redirect;
return(null);
}
return(approval);
}
protected void HandleRefreshTokenGrant(ITokenRequest TokenRequest, DataModels.Client Client)
{
if (Client.type == DataModels.ClientTypes.user_agent_based_application || string.IsNullOrWhiteSpace(Client.secret))
{
throw new DataModels.TokenRequestError(DataModels.ErrorCodes.unauthorized_client, "Only secure clients are supported for refreshing tokens");
}
string redirectURI = GetRedirectURI(TokenRequest, Client);
if (string.IsNullOrWhiteSpace(redirectURI))
{
throw new DataModels.TokenRequestError(DataModels.ErrorCodes.invalid_request, "No Redirect URI provided and no Registered Redirect URI available");
}
DataModels.TokenResponse res = RefreshTokenGrantHandler.Exchange <DataModels.TokenResponse>(TokenRequest.refresh_token, Client.id);
if (res == null)
{
throw new DataModels.TokenRequestError(DataModels.ErrorCodes.server_error, "Unknown Error refreshing token");
}
res.state = TokenRequest.state;
UriBuilder bldr = new UriBuilder(redirectURI);
bldr.Query = res.ToURIString();
Response.StatusCode = (int)System.Net.HttpStatusCode.Redirect;
Response.AddHeader("Location", bldr.ToString());
}
protected void HandleCodeExchange(ITokenRequest TokenRequest, DataModels.Client Client)
{
DataModels.TokenResponse res = CodeGrantHanldler.Exchange <DataModels.TokenResponse>(TokenRequest, Client);
if (res == null)
{
throw new DataModels.TokenRequestError(DataModels.ErrorCodes.server_error, "Unknown error exchanging code");
}
res.state = TokenRequest.state;
string uri = GetRedirectURI(TokenRequest, Client);
if (string.IsNullOrWhiteSpace(uri))
{
throw new DataModels.TokenRequestError(DataModels.ErrorCodes.invalid_request, "No Redirect URI provided and no Registered Redirect URI available");
}
UriBuilder bldr = new UriBuilder(uri);
bldr.Query = res.ToURIString();
Response.StatusCode = (int)System.Net.HttpStatusCode.Redirect;
Response.AddHeader("Location", bldr.ToString());
return;
}
public Approval GetApprovalByRefreshToken(DataModels.Client Client, string RefreshToken)
{
if (Client == null)
{
throw new ArgumentNullException("Client");
}
return(GetApprovalByRefreshToken(Client.id, RefreshToken));
}
public object Get(ApprovalRequest ApprovalRequest)
{
Uri redirectURI = null;
Uri current = new Uri(Request.AbsoluteUri);
ApprovalData data = new ApprovalData();
if (!Uri.TryCreate(ApprovalRequest.redirect, UriKind.RelativeOrAbsolute, out redirectURI) || (redirectURI.IsAbsoluteUri && redirectURI.Host != current.Host))
{
throw TokenErrorUtility.CreateError(DataModels.ErrorCodes.invalid_request, "Invalid Redirect URI", data);
}
data.Redirect = ApprovalRequest.redirect;
DataModels.ResourceOwner user = Session.Get <DataModels.ResourceOwner>("AuthResourceOwner");
if (user == null)
{
UriBuilder bldr = new UriBuilder(Request.GetApplicationUrl());
bldr.Path += "/auth/login";
bldr.Query = "redirect=" + Request.AbsoluteUri.UrlEncode();
return(new HttpResult(data)
{
Headers = { { "Location", bldr.ToString() } },
StatusCode = System.Net.HttpStatusCode.Redirect,
});
}
data.User = user;
DataModels.Client client = ClientModel.GetClientByID(ApprovalRequest.client_id);
if (client == null)
{
throw TokenErrorUtility.CreateError(DataModels.ErrorCodes.invalid_request, "Invalid Client ID", data);
}
if (!string.IsNullOrWhiteSpace(client.owned_by))
{
data.Owner = ResourceOwnerModel.GetByID(client.owned_by);
}
data.Client = client;
string[] scopes = ApprovalRequest.scope == null ? new string[] {} : ApprovalRequest.scope.Split(new char[] { ' ', ';', ',' }, StringSplitOptions.RemoveEmptyEntries);
List <DataModels.Scope> scopeDetails = ScopeModel.GetScopeDetails(scopes).ToList();
if (scopeDetails.Count != scopes.Length)
{
throw TokenErrorUtility.CreateError(DataModels.ErrorCodes.invalid_scope, "Invalid Scope(s) requested", data);
}
data.RequestedScopes = scopeDetails;
return((IApprovalData)data);
}
protected void HandleCodeGrant(ITokenRequest TokenRequest, DataModels.Client Client)
{
if (Client.type == DataModels.ClientTypes.user_agent_based_application || string.IsNullOrWhiteSpace(Client.secret))
{
throw new DataModels.TokenRequestError(DataModels.ErrorCodes.unauthorized_client, "Only secure clients are supported for code grants");
}
DataModels.ResourceOwner owner = Authenticate();
if (owner == null)
{
return;
}
DataModels.Approval approval = Approve(Client, owner, TokenRequest.scope);
if (approval == null)
{
return;
}
DataModel.AuthorizationCode code = CodeGrantHanldler.Authorize(TokenRequest, approval, Client, owner);
if (code == null)
{
throw new DataModels.TokenRequestError(DataModels.ErrorCodes.server_error, "Unknown server error");
}
string redirect = GetRedirectURI(TokenRequest, Client);
UriBuilder bldr = new UriBuilder(redirect);
string queryParms = "code=" + code.authorization_code;
if (!string.IsNullOrWhiteSpace(code.scope))
{
queryParms += "&scope=" + code.scope.UrlEncode();
}
if (TokenRequest.state != null)
{
queryParms += "&state=" + TokenRequest.state.UrlEncode();
}
bldr.Query = queryParms;
Response.StatusCode = (int)System.Net.HttpStatusCode.Redirect;
Response.AddHeader("Location", bldr.ToString());
return;
}
protected void HandleTokenGrant(ITokenRequest TokenRequest, DataModels.Client Client)
{
DataModels.ResourceOwner owner = Authenticate();
if (owner == null)
{
return;
}
DataModels.Approval approval = Approve(Client, owner, TokenRequest.scope);
if (approval == null)
{
return;
}
DataModels.TokenResponse token = TokenGrantHandler.Authorize <DataModels.TokenResponse>(Client, owner, approval.scope);
token.state = TokenRequest.state.UrlEncode();
string toRedirect = GetRedirectURI(TokenRequest, Client);
if (toRedirect == null)
{
throw new DataModels.TokenRequestError(DataModels.ErrorCodes.invalid_request, "No Registerd Redirect URI");
}
UriBuilder bldr = new UriBuilder(toRedirect);
if (Client.type == DataModels.ClientTypes.web_application)
{
bldr.Query += token.ToURIString();
}
else
{
if (!string.IsNullOrWhiteSpace(bldr.Fragment))
{
bldr.Fragment = bldr.Fragment.SafeSubstring(1, bldr.Fragment.Length - 1) + '?' + token.ToURIString();
}
else
{
bldr.Fragment = token.ToURIString();
}
}
Response.StatusCode = (int)System.Net.HttpStatusCode.Redirect;
Response.AddHeader("Location", bldr.ToString());
return;
}
protected string GetRedirectURI(ITokenRequest request, DataModels.Client Client)
{
Uri clientURI = null;
Uri.TryCreate(Client.redirect_uri, UriKind.RelativeOrAbsolute, out clientURI);
if (request.redirect_uri != null && request.redirect_uri.IsAbsoluteUri)
{
return(request.redirect_uri.ToString());
}
if (clientURI != null && clientURI.IsAbsoluteUri)
{
return(clientURI.ToString());
}
return(null);
}
public T Exchange <T>(DataModels.ITokenRequest Request, DataModels.Client Client)
where T : DataModels.Token, new()
{
Server.DataModel.AuthorizationCode code = AuthorizationCodeModel.GetAuthorizationCode(Request.code, Client.id, Request.redirect_uri != null ? Request.redirect_uri.ToString() : null);
if (code == null)
{
throw new DataModels.TokenRequestError(DataModels.ErrorCodes.invalid_request, "Invalid token");
}
DataModels.Approval Approval = ApprovalModel.GetApproval(Client.id, code.resource_owner_id);
if (!AuthorizationCodeModel.DeleteAuthorizationCode(code.authorization_code, code.client_id, code.redirect_uri))
{
throw new DataModels.TokenRequestError(DataModels.ErrorCodes.access_denied, "Code already used");
}
return(TokenModel.InsertToken <T>(
Extension.TokenHelper.CreateAccessToken(), DataModels.TokenTypes.bearer, 3600, DateTime.Now.GetTotalSeconds(), Client.id, Approval.scope, Approval.resource_owner_id, Approval.refresh_token));
}
public Server.DataModel.AuthorizationCode InsertAuthorizationCode(string AuthorizationCode, DataModels.Client Client, DataModels.ResourceOwner ResourceOwner, long IssueTime, string Scope = "", string RedirectURI = null)
{
return(InsertAuthorizationCode(AuthorizationCode, Client.id, ResourceOwner.id, IssueTime, Scope, RedirectURI));
}
public Server.DataModel.AuthorizationCode InsertAuthorizationCode(string AuthorizationCode, DataModels.Client Client, DataModels.ResourceOwner ResourceOwner, long IssueTime, List <DataModels.Scope> Scope, Uri RedirectURI)
{
return(InsertAuthorizationCode(AuthorizationCode, Client, ResourceOwner, IssueTime, Scope, (RedirectURI != null) ? RedirectURI.ToString() : null));
}
public Server.DataModel.AuthorizationCode InsertAuthorizationCode(string AuthorizationCode, DataModels.Client Client, DataModels.ResourceOwner ResourceOwner, long IssueTime, List <DataModels.Scope> Scope, string RedirectURI)
{
string scope = "";
if (Scope != null)
{
foreach (DataModels.Scope scopeDesc in Scope)
{
scope += scopeDesc.scope_name + " ";
}
scope = scope.Trim();
}
return(InsertAuthorizationCode(AuthorizationCode, Client, ResourceOwner, IssueTime, scope, RedirectURI));
}
public Server.DataModel.AuthorizationCode Authorize(DataModels.ITokenRequest Request, DataModels.Approval Approval, DataModels.Client Client, DataModels.ResourceOwner Owner)
{
Server.DataModel.AuthorizationCode code = AuthorizationCodeModel.InsertAuthorizationCode(
Extension.TokenHelper.CreateAccessToken(), Client, Owner, DateTime.Now.GetTotalSeconds(), Approval.scope, Request.redirect_uri);
if (code == null)
{
throw new DataModels.TokenRequestError(DataModels.ErrorCodes.server_error, "Error storing access code");
}
if (string.IsNullOrWhiteSpace(Approval.refresh_token))
{
Approval.refresh_token = Extension.TokenHelper.CreateAccessToken();
if (!ApprovalModel.AddOrUpdateApproval(Approval))
{
AuthorizationCodeModel.DeleteAuthorizationCode(code.authorization_code, code.client_id, code.redirect_uri);
throw new DataModels.TokenRequestError(DataModels.ErrorCodes.server_error, "Error updating approval");
}
}
return(code);
}
public T InsertToken <T>(string AccessToken, DataModels.TokenTypes TokenType, long ExpiresIn, long IssuedTime, DataModels.Client Client, string Scope = "", DataModels.ResourceOwner ResourceOwner = null, string RefreshToken = null)
where T : DataModels.Token, new()
{
return(InsertToken <T>(AccessToken, TokenType, ExpiresIn, IssuedTime, Client.id, Scope, ResourceOwner.id, RefreshToken));
}
public object Post(ApprovalResponse ApprovalResponse)
{
ApprovalData data = new ApprovalData();
data.User = Session.Get <DataModels.ResourceOwner>("AuthResourceOwner");
Request.Items.Add("Model", data);
data.Redirect = ApprovalResponse.redirect;
Uri referrerURI = Request.GetReferrerURI();
Uri current = new Uri(Request.AbsoluteUri);
//CRSF protection
if (!referrerURI.SchemeHostPathMatch(current))
{
throw TokenErrorUtility.CreateError(DataModels.ErrorCodes.invalid_request, "Invalid Request", ApprovalResponse);
}
Uri redirectURI = null;
if (!Uri.TryCreate(ApprovalResponse.redirect, UriKind.RelativeOrAbsolute, out redirectURI) ||
(redirectURI.IsAbsoluteUri && redirectURI.Host != current.Host))
{
throw TokenErrorUtility.CreateError(DataModels.ErrorCodes.invalid_request, "Invalid Redirect URI", data);
}
data.Redirect = redirectURI.ToString();
DataModels.ResourceOwner owner = Session.Get <DataModels.ResourceOwner>("AuthResourceOwner");
if (owner == null)
{
throw TokenErrorUtility.CreateError(DataModels.ErrorCodes.access_denied, "Not Authenticated", data);
}
data.Owner = owner;
DataModels.Client client = ClientModel.GetClientByID(ApprovalResponse.client_id);
if (client == null)
{
throw TokenErrorUtility.CreateError(DataModels.ErrorCodes.invalid_request, "Invalid Client ID", data);
}
data.Client = client;
List <DataModels.Scope> scopes = ScopeModel.GetScopeDetails(ApprovalResponse.approved_scopes).ToList();
string scope = "";
if (scopes != null)
{
scopes.ForEach((cur) => scope += cur.scope_name + " ");
}
data.RequestedScopes = scopes;
DataModels.Approval approval = new DataModels.Approval()
{
client_id = client.id,
resource_owner_id = owner.id,
type = DataModels.ApprovalTypes.user_granted,
scope = scope,
};
if (!ApprovalModel.AddOrUpdateApproval(approval))
{
throw TokenErrorUtility.CreateError(DataModels.ErrorCodes.server_error, "Error storing approval", data);
}
return(new HttpResult(data)
{
StatusCode = System.Net.HttpStatusCode.Redirect,
Location = ApprovalResponse.redirect
});
}
public T InsertToken <T>(string AccessToken, DataModels.TokenTypes TokenType, long ExpiresIn, long IssuedTime, DataModels.Client Client, IEnumerable <DataModels.Scope> Scope, DataModels.ResourceOwner ResourceOwner = null, string RefreshToken = null)
where T : DataModels.Token, new()
{
string scope = "";
if (Scope != null)
{
foreach (DataModels.Scope scopeDetails in Scope)
{
scope += scopeDetails.scope_name + " ";
}
scope = scope.Trim();
}
return(InsertToken <T>(AccessToken, TokenType, ExpiresIn, IssuedTime, Client.id, scope, ResourceOwner.id, RefreshToken));
}
protected DataModels.TokenResponse HandleClientCredentialsGrant(ITokenRequest Request, DataModels.Client Client)
{
DataModels.TokenResponse res = ClientGrantHanlder.Authorize <DataModels.TokenResponse>(Request, Client);
res.state = Request.state;
Response.StatusCode = (int)System.Net.HttpStatusCode.Created;
return(res);
}
