public async Task <Option <GrantedToken> > GetTokenByTicketId( GetTokenViaTicketIdParameter parameter, AuthenticationHeaderValue?authenticationHeaderValue, X509Certificate2?certificate, string issuerName, CancellationToken cancellationToken) { if (string.IsNullOrWhiteSpace(parameter.Ticket)) { _logger.LogError("Ticket is null or empty"); return(new ErrorDetails { Status = HttpStatusCode.BadRequest, Title = ErrorCodes.InvalidRequest, Detail = string.Format(Strings.MissingParameter, UmaConstants.RptClaims.Ticket) }); } var instruction = authenticationHeaderValue.GetAuthenticateInstruction(parameter, certificate); var authResult = await _authenticateClient.Authenticate(instruction, issuerName, cancellationToken) .ConfigureAwait(false); var client = authResult.Client; if (client == null) { _logger.LogError("Client not found."); return(new ErrorDetails { Status = HttpStatusCode.BadRequest, Title = ErrorCodes.InvalidClient, Detail = authResult.ErrorMessage ! });
/// <summary>
/// Builds the instruction handed to the client authenticator: the part derived from the
/// HTTP Authorization header, plus the client credentials carried in the request body.
/// </summary>
/// <param name="authorizationCodeGrantTypeParameter">Request body values (client id, client secret, client assertion and its type).</param>
/// <param name="authenticationHeaderValue">The HTTP Authorization header of the request.</param>
/// <returns>The populated <see cref="AuthenticateInstruction"/>.</returns>
private AuthenticateInstruction CreateAuthenticateInstruction(GetTokenViaTicketIdParameter authorizationCodeGrantTypeParameter, AuthenticationHeaderValue authenticationHeaderValue)
{
    // Header-derived part first; body-supplied credentials are copied onto the same instruction.
    var instruction = _authenticateInstructionGenerator.GetAuthenticateInstruction(authenticationHeaderValue);

    instruction.ClientAssertion = authorizationCodeGrantTypeParameter.ClientAssertion;
    instruction.ClientAssertionType = authorizationCodeGrantTypeParameter.ClientAssertionType;
    instruction.ClientIdFromHttpRequestBody = authorizationCodeGrantTypeParameter.ClientId;
    instruction.ClientSecretFromHttpRequestBody = authorizationCodeGrantTypeParameter.ClientSecret;

    return instruction;
}
/// <summary>
/// Delegates ticket redemption to the configured action.
/// </summary>
/// <param name="parameter">Request carrying the ticket id and optional claim token.</param>
/// <param name="openidProvider">OpenID provider passed through to the action.</param>
/// <param name="issuerName">Issuer name passed through to the action.</param>
/// <returns>The action's response.</returns>
public Task<GetTokenByTicketIdResponse> GetTokenByTicketId(GetTokenViaTicketIdParameter parameter, string openidProvider, string issuerName)
    => _getTokenByTicketIdAction.Execute(parameter, openidProvider, issuerName);
/// <summary>
/// Delegates ticket redemption to the configured action.
/// </summary>
/// <param name="parameter">Request carrying the ticket id and optional claim token.</param>
/// <param name="authenticationHeaderValue">HTTP Authorization header forwarded to the action.</param>
/// <returns>The granted token produced by the action.</returns>
public Task<GrantedToken> GetTokenByTicketId(GetTokenViaTicketIdParameter parameter, AuthenticationHeaderValue authenticationHeaderValue)
    => _getTokenByTicketIdAction.Execute(parameter, authenticationHeaderValue);
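/// <summary>
/// Redeems a UMA permission ticket for a granted token: authenticates the requesting client,
/// loads and validates the ticket, evaluates the authorization policy and, on success,
/// persists a new token and removes the ticket.
/// </summary>
/// <param name="parameter">Request carrying the ticket id and optional claim token.</param>
/// <param name="authenticationHeaderValue">HTTP Authorization header used to authenticate the client.</param>
/// <param name="certificate">Client certificate forwarded into the authenticate instruction.</param>
/// <param name="issuerName">Issuer name passed to client authentication and token generation.</param>
/// <returns>The granted token.</returns>
/// <exception cref="ArgumentNullException"><paramref name="parameter"/> is null.</exception>
/// <exception cref="BaseUmaException">
/// The ticket id is missing, the client cannot be authenticated or does not allow the
/// <c>uma_ticket</c> grant, the ticket is unknown or expired, or the authorization policy is not satisfied.
/// </exception>
public async Task<GrantedToken> Execute(
    GetTokenViaTicketIdParameter parameter,
    AuthenticationHeaderValue authenticationHeaderValue,
    X509Certificate2 certificate,
    string issuerName)
{
    // 1. Check parameters.
    if (parameter == null)
    {
        throw new ArgumentNullException(nameof(parameter));
    }

    // A missing ticket id is a protocol error reported to the caller as a BaseUmaException.
    // (A second IsNullOrWhiteSpace check that threw ArgumentNullException was unreachable and is gone.)
    if (string.IsNullOrWhiteSpace(parameter.Ticket))
    {
        throw new BaseUmaException(
            ErrorCodes.InvalidRequestCode,
            string.Format(ErrorDescriptions.TheParameterNeedsToBeSpecified, PostAuthorizationNames.TicketId));
    }

    // 2. Authenticate the client. This happens before the ticket store is consulted.
    var instruction = CreateAuthenticateInstruction(parameter, authenticationHeaderValue, certificate);
    var authResult = await _authenticateClient.AuthenticateAsync(instruction, issuerName).ConfigureAwait(false);
    var client = authResult.Client;
    if (client == null)
    {
        throw new BaseUmaException(ErrorCodes.InvalidClient, authResult.ErrorMessage);
    }

    if (client.GrantTypes == null || !client.GrantTypes.Contains(GrantType.uma_ticket))
    {
        throw new BaseUmaException(
            ErrorCodes.InvalidGrant,
            string.Format(ErrorDescriptions.TheClientDoesntSupportTheGrantType, client.ClientId, GrantType.uma_ticket));
    }

    // 3. Retrieve the ticket.
    // NOTE(review): the whole request object (which carries ClientSecret, ClientAssertion and
    // ClaimToken) is serialized and handed to the event source; confirm the event source does not
    // persist it verbatim, otherwise client credentials end up in trace/log output.
    var json = JsonConvert.SerializeObject(parameter);
    _umaServerEventSource.StartGettingAuthorization(json);
    var ticket = await _ticketStore.GetAsync(parameter.Ticket).ConfigureAwait(false);
    if (ticket == null)
    {
        throw new BaseUmaException(
            ErrorCodes.InvalidTicket,
            string.Format(ErrorDescriptions.TheTicketDoesntExist, parameter.Ticket));
    }

    // 4. Check the ticket has not expired.
    if (ticket.ExpirationDateTime < DateTime.UtcNow)
    {
        throw new BaseUmaException(ErrorCodes.ExpiredTicket, ErrorDescriptions.TheTicketIsExpired);
    }

    // 5. Check the authorization policy.
    _umaServerEventSource.CheckAuthorizationPolicy(json);
    var claimTokenParameter = new ClaimTokenParameter
    {
        Token = parameter.ClaimToken,
        Format = parameter.ClaimTokenFormat
    };
    var authorizationResult = await _authorizationPolicyValidator
        .IsAuthorized(ticket, client.ClientId, claimTokenParameter)
        .ConfigureAwait(false);
    if (authorizationResult.Type != AuthorizationPolicyResultEnum.Authorized)
    {
        _umaServerEventSource.RequestIsNotAuthorized(json);
        throw new BaseUmaException(ErrorCodes.InvalidGrant, ErrorDescriptions.TheAuthorizationPolicyIsNotSatisfied);
    }

    // 6. Generate a granted token and consume the ticket.
    // NOTE(review): the ticket is removed only after the token has been stored, and nothing here
    // serializes concurrent redemptions of the same ticket id; single-use enforcement therefore
    // depends on the ticket store's semantics — confirm.
    var grantedToken = await GenerateTokenAsync(client, ticket.Lines, "openid", issuerName).ConfigureAwait(false);
    await _tokenStore.AddToken(grantedToken).ConfigureAwait(false);
    await _ticketStore.RemoveAsync(ticket.Id).ConfigureAwait(false);
    return grantedToken;
}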
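/// <summary>
/// Redeems a UMA permission ticket against an OpenID provider: loads and validates the ticket,
/// evaluates the authorization policy and, on success, persists a new token and removes the ticket.
/// Unlike the client-authenticated overload, a failed policy check is returned as an invalid
/// response rather than thrown.
/// </summary>
/// <param name="parameter">Request carrying the ticket id and optional claim token.</param>
/// <param name="openidProvider">OpenID provider handed to the authorization policy validator.</param>
/// <param name="issuerName">Issuer name passed to token generation.</param>
/// <returns>
/// A response with <c>IsValid</c> set and either the granted token or the failed resource validation result.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="parameter"/> is null or <paramref name="openidProvider"/> is blank.</exception>
/// <exception cref="BaseUmaException">The ticket id is missing, or the ticket is unknown or expired.</exception>
public async Task<GetTokenByTicketIdResponse> Execute(
    GetTokenViaTicketIdParameter parameter,
    string openidProvider,
    string issuerName)
{
    // 1. Check parameters.
    if (parameter == null)
    {
        throw new ArgumentNullException(nameof(parameter));
    }

    // A missing ticket id is a protocol error reported to the caller as a BaseUmaException.
    // (A second IsNullOrWhiteSpace check that threw ArgumentNullException was unreachable and is gone.)
    if (string.IsNullOrWhiteSpace(parameter.Ticket))
    {
        throw new BaseUmaException(
            ErrorCodes.InvalidRequestCode,
            string.Format(ErrorDescriptions.TheParameterNeedsToBeSpecified, PostAuthorizationNames.TicketId));
    }

    if (string.IsNullOrWhiteSpace(openidProvider))
    {
        throw new ArgumentNullException(nameof(openidProvider));
    }

    // 2. Retrieve the ticket.
    // NOTE(review): the whole request object (which carries the ClaimToken and any client
    // credentials) is serialized and handed to the event source; confirm the event source does
    // not persist it verbatim, otherwise those values end up in trace/log output.
    var json = JsonConvert.SerializeObject(parameter);
    _umaServerEventSource.StartGettingAuthorization(json);
    var ticket = await _ticketStore.GetAsync(parameter.Ticket).ConfigureAwait(false);
    if (ticket == null)
    {
        throw new BaseUmaException(
            ErrorCodes.InvalidTicket,
            string.Format(ErrorDescriptions.TheTicketDoesntExist, parameter.Ticket));
    }

    // 3. Check the ticket has not expired.
    if (ticket.ExpirationDateTime < DateTime.UtcNow)
    {
        throw new BaseUmaException(ErrorCodes.ExpiredTicket, ErrorDescriptions.TheTicketIsExpired);
    }

    // 4. Check the authorization policy.
    _umaServerEventSource.CheckAuthorizationPolicy(json);
    var claimTokenParameter = new ClaimTokenParameter
    {
        Token = parameter.ClaimToken,
        Format = parameter.ClaimTokenFormat
    };
    var authorizationResult = await _authorizationPolicyValidator
        .IsAuthorized(openidProvider, ticket, claimTokenParameter)
        .ConfigureAwait(false);
    if (!authorizationResult.IsValid)
    {
        _umaServerEventSource.RequestIsNotAuthorized(json);
        return new GetTokenByTicketIdResponse
        {
            IsValid = false,
            ResourceValidationResult = authorizationResult
        };
    }

    // 5. Generate a granted token and consume the ticket.
    // NOTE(review): the ticket is removed only after the token has been stored, and nothing here
    // serializes concurrent redemptions of the same ticket id; single-use enforcement therefore
    // depends on the ticket store's semantics — confirm.
    var grantedToken = await GenerateTokenAsync(ticket.Audiences, ticket.Lines, "openid", issuerName).ConfigureAwait(false);
    await _tokenStore.AddToken(grantedToken).ConfigureAwait(false);
    await _ticketStore.RemoveAsync(ticket.Id).ConfigureAwait(false);
    return new GetTokenByTicketIdResponse
    {
        IsValid = true,
        GrantedToken = grantedToken
    };
}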
/// <summary>
/// Delegates client-authenticated ticket redemption to the configured action.
/// </summary>
/// <param name="parameter">Request carrying the ticket id and optional claim token.</param>
/// <param name="authenticationHeaderValue">HTTP Authorization header forwarded to the action.</param>
/// <param name="certificate">Client certificate forwarded to the action.</param>
/// <param name="issuerName">Issuer name forwarded to the action.</param>
/// <returns>The granted token produced by the action.</returns>
public Task<GrantedToken> GetTokenByTicketId(GetTokenViaTicketIdParameter parameter, AuthenticationHeaderValue authenticationHeaderValue, X509Certificate2 certificate, string issuerName)
    => _getTokenByTicketIdAction.Execute(parameter, authenticationHeaderValue, certificate, issuerName);