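/// <summary>
/// Completes an authorize request for the signed-in user. An explicit deny is turned into an
/// <c>access_denied</c> redirect; otherwise the user's permission to act as the requested actor is
/// checked, a signed JWT is issued, and the caller is redirected back to <c>model.RedirectUri</c>
/// carrying either a bearer token (<c>response_type=token</c>) or a data-protected authorization
/// code (<c>response_type=code</c>).
/// </summary>
/// <param name="model">Request-bound authorize parameters; treated as untrusted input.</param>
/// <returns>
/// The redirect built by <c>_buildRedir</c>, the <c>ChooseActorOAuth</c> view when the model is
/// invalid or the user has no permission for the actor, or HTTP 400 for an unsupported
/// <c>response_type</c>.
/// </returns>
public async Task<IActionResult> VerifyAuthorize(OAuthActorModel model)
{
    // state is echoed back verbatim in every redirect; escape it once so a crafted value cannot
    // introduce extra query/fragment parameters (the deny path previously sent it unescaped).
    var state = Uri.EscapeDataString(model.State ?? "");

    if (!string.IsNullOrWhiteSpace(model.Deny))
    {
        return _buildRedir(model.RedirectUri, model.ResponseType, $"error=access_denied&state={state}");
    }

    // NOTE(review): model.RedirectUri is used as supplied by the request; no comparison against a
    // client-registered redirect URI is visible in this method — confirm it happens in model
    // validation or inside _buildRedir, and that _buildRedir issues a temporary (302) redirect.
    var userId = User.FindFirstValue(ClaimTypes.NameIdentifier);
    var actor = await _entityStore.GetEntity(model.ActorID, false);

    // Parameterised lookup (@UserId/@ActorId are bound, not concatenated). An actor the store
    // cannot find is treated as "no access" rather than dereferencing a null entity.
    // NOTE(review): this matches on the numeric DbId whereas DoChooseActorOAuth matches on the
    // string ActorID — confirm both refer to the same UserActorPermissions column.
    var hasAccess = actor != null
        && await _connection.ExecuteScalarAsync<bool>(
            "select exists(select 1 from \"UserActorPermissions\" where \"UserId\" = @UserId and \"ActorId\" = @ActorId)",
            new { UserId = userId, ActorId = actor.DbId });

    model.Actor = actor;
    if (!hasAccess || !ModelState.IsValid)
    {
        return View("ChooseActorOAuth", model);
    }

    // The client may ask for a shorter lifetime than the configured maximum, never a longer one.
    // A non-positive request would produce a token that is already expired on issue, so it also
    // falls back to the configured lifetime.
    var exp = TimeSpan.FromSeconds(model.Expiry);
    if (exp <= TimeSpan.Zero || exp > _tokenSettings.ExpiryTime)
    {
        exp = _tokenSettings.ExpiryTime;
    }

    // Read the clock once so nbf and exp are derived from the same instant.
    var now = DateTime.UtcNow;
    var claims = new[]
    {
        new Claim(JwtRegisteredClaimNames.Sub, userId),
        new Claim(JwtTokenSettings.ActorClaim, model.ActorID),
    };
    var jwt = new JwtSecurityToken(
        issuer: _tokenSettings.Issuer,
        audience: _tokenSettings.Audience,
        claims: claims,
        notBefore: now,
        expires: now.Add(exp),
        signingCredentials: _tokenSettings.Credentials);
    var encodedJwt = new JwtSecurityTokenHandler().WriteToken(jwt);

    switch (model.ResponseType)
    {
        case "token":
            // Implicit flow: the bearer token itself travels in the redirect.
            return _buildRedir(model.RedirectUri, model.ResponseType,
                $"access_token={encodedJwt}&token_type=bearer&expires_in={(int)exp.TotalSeconds}&state={state}");

        case "code":
        {
            // The code is the JWT wrapped by the data protector, so only this application can
            // unwrap it at the token endpoint. NOTE(review): nothing in this method makes the code
            // single-use or shorter-lived than the token it wraps — confirm at the token endpoint.
            var code = _dataProtector.Protect(encodedJwt);
            return _buildRedir(model.RedirectUri, model.ResponseType,
                $"code={Uri.EscapeDataString(code)}&state={state}");
        }

        default:
            // An unknown response_type is a client error, not a server fault (was 500).
            return StatusCode(400);
    }
}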
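/// <summary>
/// Handles the actor-chooser form of an authorize request. Verifies through the EF context that the
/// signed-in user may act as <c>model.ActorID</c>, honours an explicit deny, then issues a signed JWT
/// and redirects back to <c>model.RedirectUri</c> as a bearer token (<c>response_type=token</c>) or
/// a data-protected authorization code (<c>response_type=code</c>).
/// </summary>
/// <param name="model">Request-bound authorize parameters; treated as untrusted input.</param>
/// <returns>
/// A temporary redirect carrying the result, the <c>ChooseActorOAuth</c> view when the model is
/// invalid or the user has no permission for the actor, or HTTP 400 for an unsupported
/// <c>response_type</c>.
/// </returns>
public async Task<IActionResult> DoChooseActorOAuth(OAuthActorModel model)
{
    var userId = User.FindFirstValue(ClaimTypes.NameIdentifier);
    var actor = await _entityStore.GetEntity(model.ActorID, false);
    var hasAccess = await _context.UserActorPermissions.AnyAsync(a => a.UserId == userId && a.ActorId == model.ActorID);

    // NOTE(review): model.RedirectUri is used as supplied by the request; no comparison against a
    // client-registered redirect URI is visible in this method — confirm it is validated elsewhere.
    model.Actor = actor;
    if (!hasAccess || !ModelState.IsValid)
    {
        return View("ChooseActorOAuth", model);
    }

    // The client may ask for a shorter lifetime than the configured maximum, never a longer one.
    // A non-positive request would produce a token that is already expired on issue, so it also
    // falls back to the configured lifetime.
    var exp = TimeSpan.FromSeconds(model.Expiry);
    if (exp <= TimeSpan.Zero || exp > _tokenSettings.ExpiryTime)
    {
        exp = _tokenSettings.ExpiryTime;
    }

    // state is echoed back in every redirect; escape it once. EscapeDataString rejects null, so a
    // request without state previously failed with ArgumentNullException.
    var state = Uri.EscapeDataString(model.State ?? "");

    // Implicit-flow results are placed in the fragment, appended with '&' if the client URI already
    // has one; everything else goes in the query string via _appendToUri. A temporary (302)
    // redirect is used deliberately: a 301 is cacheable by browsers and proxies, so a cached
    // response would replay the token or code on a later visit to the same authorize URL.
    IActionResult RedirectWith(string payload)
    {
        if (model.ResponseType == "token")
        {
            var separator = model.RedirectUri.Contains("#") ? "&" : "#";
            return Redirect(model.RedirectUri + separator + payload);
        }

        return Redirect(_appendToUri(model.RedirectUri, payload));
    }

    // NOTE(review): deny is evaluated after the permission check (kept as in the original), unlike
    // VerifyAuthorize which honours it first; a user without access therefore sees the chooser
    // rather than an access_denied redirect.
    if (!string.IsNullOrWhiteSpace(model.Deny))
    {
        return RedirectWith($"error=access_denied&state={state}");
    }

    // Read the clock once so nbf and exp are derived from the same instant.
    var now = DateTime.UtcNow;
    var claims = new[]
    {
        new Claim(JwtRegisteredClaimNames.Sub, userId),
        new Claim(JwtTokenSettings.ActorClaim, model.ActorID),
    };
    var jwt = new JwtSecurityToken(
        issuer: _tokenSettings.Issuer,
        audience: _tokenSettings.Audience,
        claims: claims,
        notBefore: now,
        expires: now.Add(exp),
        signingCredentials: _tokenSettings.Credentials);
    var encodedJwt = new JwtSecurityTokenHandler().WriteToken(jwt);

    switch (model.ResponseType)
    {
        case "token":
            // Implicit flow: the bearer token itself travels in the redirect fragment.
            return RedirectWith(
                $"access_token={encodedJwt}&token_type=bearer&expires_in={(int)exp.TotalSeconds}&state={state}");

        case "code":
        {
            // The code is the JWT wrapped by the data protector, so only this application can
            // unwrap it at the token endpoint. NOTE(review): nothing in this method makes the code
            // single-use or shorter-lived than the token it wraps — confirm at the token endpoint.
            var code = _dataProtector.Protect(encodedJwt);
            return RedirectWith($"code={Uri.EscapeDataString(code)}&state={state}");
        }

        default:
            // An unknown response_type is a client error, not a server fault (was 500).
            return StatusCode(400);
    }
}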