コード例 #1
0
        public ActionResult Route()
        {
            string       userName       = Request["userName"];
            string       passWord       = Request["passWord"];
            string       authnlogin_but = Request["authnlogin_but"];
            string       oidclogin_but  = Request["oidclogin_but"];
            string       oidc_but       = Request["oidc_but"];
            string       location       = Request["location"];
            string       myStatus       = null;
            string       myStateToken;
            string       mySessionToken;
            string       myRelayState = null;
            string       myOktaId     = null;
            AuthResponse userAuthClientRsp;

            // set relayState
            //string relayState = Request["relayState"];
            //if (string.IsNullOrEmpty(relayState) && Request.QueryString["RelayState"] != null)
            //{
            //    relayState = Request.QueryString["RelayState"];
            //}
            //else if (string.IsNullOrEmpty(relayState) && TempData["relayState"] != null)
            //{
            //    relayState = (string)TempData["relayState"];
            //}
            //TempData["relayState"] = relayState;

            if (authnlogin_but == "Authn Sign In")
            {
                OktaClient oktaClient = new OktaClient(MvcApplication.apiToken, MvcApplication.apiUrl);
                try
                {
                    var usersClient = oktaClient.GetUsersClient();
                    var authClient  = oktaClient.GetAuthClient();
                    userAuthClientRsp = authClient.Authenticate(username: userName, password: passWord, relayState: myRelayState);
                    logger.Debug("thisAuth status " + userAuthClientRsp.Status);
                    myStatus       = userAuthClientRsp.Status;
                    myStateToken   = userAuthClientRsp.StateToken;
                    mySessionToken = userAuthClientRsp.SessionToken;
                    if (userAuthClientRsp.Embedded.User != null)
                    {
                        myOktaId = userAuthClientRsp.Embedded.User.Id;
                    }
                }
                catch (OktaException ex)
                {
                    if (ex.ErrorCode == "E0000004")
                    {
                        logger.Debug("Invalid Credentials for User: "******"errMessage"] = "Invalid Credentials for User: "******"E0000085")
                    {
                        logger.Debug("Access Denied by Polciy for User: "******"errMessage"] = "Access Denied by Polciy for User: "******"errMessage"] = appSettings["aicpa.DeniedNoteText"];
                    }
                    else
                    {
                        logger.Error(userName + " = " + ex.ErrorCode + ":" + ex.ErrorSummary);
                        // generic failure
                        TempData["errMessage"] = "Sign in process failed!";
                    }
                    TempData["userName"] = userName;
                    return(RedirectToAction("Login"));
                }

                switch (myStatus)
                {
                case "PASSWORD_WARN":      //password about to expire
                    logger.Debug("PASSWORD_WARN ");
                    //no action required
                    break;

                case "PASSWORD_EXPIRED":      //password has expired
                    logger.Debug("PASSWORD_EXPIRED ");
                    break;

                case "RECOVERY":      //user has requested a recovery token
                    logger.Debug("RECOVERY ");
                    //find which recovery mode sms, email is being used
                    //POST to next link
                    break;

                case "RECOVERY_CHALLENGE":      //user must verify factor specific recovery challenge
                    logger.Debug("RECOVERY_CHALLENGE ");
                    //verify the recovery factor
                    //POST to verify link
                    break;

                case "PASSWORD_RESET":         //user satified recovery and must now set password
                    logger.Debug("PASSWORD_RESET ");

                    //reset users password
                    //POST to next link
                    break;

                case "LOCKED_OUT":      //user account is locked, unlock required
                    logger.Debug("LOCKED_OUT ");
                    break;

                case "MFA_ENROLL":       //user must select and enroll an available factor
                    logger.Debug("MFA_ENROLL ");
                    break;

                case "MFA_ENROLL_ACTIVATE":       //user must activate the factor to complete enrollment
                    logger.Debug("MFA_ENROLL_ACTIVATE ");
                    //user must activate the factor
                    //POST to next link
                    break;

                case "MFA_REQUIRED":        //user must provide second factor with previously enrolled factor
                    logger.Debug("MFA_REQUIRED ");
                    break;

                case "MFA_CHALLENGE":          //use must verify factor specifc challenge
                    logger.Debug("MFA_CHALLENGE ");
                    break;

                case "SUCCESS":          //authentication is complete
                    logger.Debug("SUCCESS");
                    TempData["errMessage"] = "Authn Login Successful ";
                    TempData["oktaOrg"]    = MvcApplication.apiUrl;
                    //TempData["token"] = MvcApplication.apiToken;
                    string landingPage = null;
                    landingPage = location + "/AltLanding/UnprotectedLanding";
                    //if (string.IsNullOrEmpty(relayState))
                    //{
                    //    landingPage = location + "/AltLanding/UnprotectedLanding";
                    //}
                    //else
                    //{
                    //    landingPage = relayState;
                    //}


                    //option 1
                    //string redirectUrl = oktaSessionMgmt.SetSessionCookie(mySessionToken,landingPage);
                    //return Redirect(redirectUrl);

                    //option 2 - build redirectURL
                    //System.Text.StringBuilder redirectUrl = new System.Text.StringBuilder();
                    //string destLink = location + "/AltLanding/UnprotectedLanding";
                    //redirectUrl.Append(MvcApplication.apiUrl);
                    ////redirectUrl.Append("/login/sessionCookieRedirect?token=" + mySessionToken);
                    //redirectUrl.Append("/login/sessionCookieRedirect?checkAccountSetupComplete=true&token=" + mySessionToken);
                    //string encodedURL = HttpUtility.UrlEncode(destLink);
                    //redirectUrl.Append("&redirectUrl=" + encodedURL);
                    //return Redirect(redirectUrl.ToString());

                    //option 3 get session first, then set cookie
                    Session oktaSession = new Okta.Core.Models.Session();
                    oktaSession = oktaSessionMgmt.CreateSession(mySessionToken);
                    string cookieToken = oktaSession.CookieToken;
                    logger.Debug("session Id " + oktaSession.Id + " for User " + userName);
                    string redirectUrl = oktaSessionMgmt.SetSessionCookie(cookieToken, landingPage);
                    return(Redirect(redirectUrl));


                // break;
                default:
                    logger.Debug("Status: " + myStatus);
                    TempData["errMessage"] = "Status: " + myStatus;
                    break;
                }//end of switch
            }


            if (oidc_but == "Initiate Auth OIDC")
            {
                //version using Custom Authorization Server
                logger.Debug("Initiate OIDC Auth Code without Session");
                Random random    = new Random();
                string stateCode = random.Next(99999, 1000000).ToString();
                string oauthUrl  = appSettings["oidc.AuthServer"] + "/v1/authorize?response_type=code&response_mode=query&client_id=" + appSettings["oidc.spintweb.clientId"] + "&scope=" + appSettings["oidc.scopes"] + "&state=" + stateCode + "&nonce=CWBb0zHdZ92WqBLkyIuExu&redirect_uri=" + appSettings["oidc.spintweb.RedirectUri"];
                return(Redirect(oauthUrl));
            }

            if (oidc_but == "Initiate Implicit OIDC")
            {
                //version using Custom  Authorization Server
                logger.Debug("Initiate OIDC Implicit without Session");
                Random random    = new Random();
                string stateCode = random.Next(99999, 1000000).ToString();
                //string stateCode = "myStateInfo";
                string oauthUrl = appSettings["oidc.AuthServer"] + "/v1/authorize?response_type=id_token token&response_mode=form_post&client_id=" + appSettings["oidc.spintnative.clientId"] + "&scope=" + appSettings["oidc.scopes"] + "&state=" + stateCode + "&nonce=CWBb0zHdZ92WqBLkyIuExu&redirect_uri=" + appSettings["oidc.spintnative.RedirectUri"];
                //string oauthUrl = appSettings["oidc.AuthServer"] + "/v1/authorize?response_type=id_token token&response_mode=form_post&client_id=6788997876556&scope=" + appSettings["oidc.scopes"] + "&state=" + stateCode + "&nonce=CWBb0zHdZ92WqBLkyIuExu&redirect_uri=" + appSettings["oidc.spintnative.RedirectUri"];
                return(Redirect(oauthUrl));
            }



            if (oidc_but == "Initiate ResourceOwner OIDC")
            {
                string error                = null;
                string error_description    = null;
                string token_type           = null;
                string scope                = null;
                string id_token_status      = null;
                string idToken              = null;
                string access_token_status  = null;
                string accessToken          = null;
                string refresh_token_status = null;
                string refreshToken         = null;
                string jsonPayload          = null;


                IRestResponse <TokenRequestResponse> response = null;
                OidcIdTokenMin  oidcIdToken     = new OidcIdTokenMin();
                OidcAccessToken oidcAccessToken = new OidcAccessToken();
                string          basicAuth       = appSettings["oidc.spintnative.clientId"] + ":" + appSettings["oidc.spintnative.clientSecret"];

                var    bytesBasicAuth   = System.Text.Encoding.UTF8.GetBytes(basicAuth);
                string encodedBasicAuth = System.Convert.ToBase64String(bytesBasicAuth);

                try
                {
                    var client = new RestClient(appSettings["oidc.AuthServer"] + "/v1/token");
                    //var client = new RestClient(MvcApplication.apiUrl + "/oauth2/aus90h4gyj2Hc8QOy0h7/v1/token");
                    var request = new RestRequest(Method.POST);
                    request.AddHeader("Accept", "application/json");
                    request.AddHeader("Content-Type", "application/x-www-form-urlencoded");
                    request.AddHeader("Authorization", " Basic " + encodedBasicAuth);
                    request.AddQueryParameter("grant_type", "password");
                    request.AddQueryParameter("username", userName);
                    request.AddQueryParameter("password", passWord);
                    request.AddQueryParameter("scope", appSettings["oidc.scopes"]);
                    request.AddQueryParameter("redirect_uri", appSettings["oidc.spintnative.RedirectUri"]);
                    response          = client.Execute <TokenRequestResponse>(request);
                    error             = response.Data.error;
                    error_description = response.Data.error_description;
                    token_type        = response.Data.token_type;
                    scope             = response.Data.scope;

                    if (response.Data.id_token != null)
                    {
                        idToken             = response.Data.id_token;
                        id_token_status     = "id_token present";
                        TempData["idToken"] = response.Data.id_token;
                        string clientId = appSettings["oidc.spintnative.clientId"];
                        string issuer   = appSettings["oidc.Issuer"];
                        string audience = appSettings["oidc.spintnative.clientId"];
                        jsonPayload = oktaOidcHelper.DecodeAndValidateIdToken(idToken, clientId, issuer, audience);
                        if (jsonPayload.Contains("Failure"))
                        {
                            TempData["errMessage"] = "Invalid ID Token!";
                        }
                        else
                        {
                            // TempData["errMessage"] = jsonPayload;
                            System.IdentityModel.Tokens.JwtSecurityToken tokenReceived = new System.IdentityModel.Tokens.JwtSecurityToken(idToken);
                            oidcIdToken = Newtonsoft.Json.JsonConvert.DeserializeObject <OidcIdTokenMin>(jsonPayload);
                        }
                    }
                    else
                    {
                        id_token_status = "id_token NOT present";
                    }

                    if (response.Data.access_token != null)
                    {
                        accessToken             = response.Data.access_token;
                        access_token_status     = "access_token present";
                        TempData["accessToken"] = response.Data.access_token;
                        System.IdentityModel.Tokens.JwtSecurityToken tokenReceived2 = new System.IdentityModel.Tokens.JwtSecurityToken(accessToken);
                    }
                    else
                    {
                        access_token_status = "access_token NOT present";
                    }

                    if (response.Data.refresh_token != null)
                    {
                        refreshToken         = response.Data.refresh_token;
                        refresh_token_status = "refresh_token present";
                    }
                    else
                    {
                        refresh_token_status = "refresh_token NOT present";
                    }
                }
                catch (Exception ex)
                {
                    logger.Error(ex.ToString());
                }
                if (accessToken != null || idToken != null)
                {
                    TempData["errMessage"] = "OIDC_Get Oauth Resource Owner SUCCESS token_type = " + token_type + " scope = " + scope + " : " + id_token_status + " : " + access_token_status + " oktaId = " + oidcIdToken.sub;
                    TempData["oktaOrg"]    = MvcApplication.apiUrl;
                    //TempData["token"] = MvcApplication.apiToken;

                    return(View("../AltLanding/ResOwnerLanding", oidcIdToken));
                }
                else
                {
                    TempData["errMessage"] = "OIDC_Get Oauth Resource Owner error " + error_description;
                    TempData["oktaOrg"]    = MvcApplication.apiUrl;
                    //TempData["token"] = MvcApplication.apiToken;
                    return(View("../AltLanding/UnprotectedLanding"));
                }
            }// end handle resource owner workflow



            if (oidc_but == "Client Credential Flow")
            {
                //this is available with Custom Authorization Server
                logger.Debug("Client Credential Flow");
                string error               = null;
                string error_description   = null;
                string token_type          = null;
                string scope               = null;
                string access_token_status = null;
                string accessToken         = null;
                string id_token_status     = null;
                string idToken             = null;
                System.IdentityModel.Tokens.JwtSecurityToken tokenReceived2 = null;
                System.IdentityModel.Tokens.JwtSecurityToken tokenReceived3 = null;
                string expires = null;
                IRestResponse <TokenRequestResponse> response = null;
                OidcIdToken     oidcIdToken     = new OidcIdToken();
                OidcAccessToken oidcAccessToken = new OidcAccessToken();
                string          basicAuth       = appSettings["oidc.clientcredservice.clientId"] + ":" + appSettings["oidc.clientcredservice.clientSecret"];

                var    bytesBasicAuth   = System.Text.Encoding.UTF8.GetBytes(basicAuth);
                string encodedBasicAuth = System.Convert.ToBase64String(bytesBasicAuth);


                var client  = new RestClient(appSettings["oidc.AuthServer"] + "/v1/token");
                var request = new RestRequest(Method.POST);
                // request.AddHeader("cache-control", "no-cache");
                request.AddHeader("Accept", "application/json");
                request.AddHeader("Content-Type", "application/x-www-form-urlencoded");
                request.AddHeader("Authorization", " Basic " + encodedBasicAuth);
                request.AddQueryParameter("grant_type", "client_credentials");
                request.AddQueryParameter("scope", "clientCred_scope");
                response = client.Execute <TokenRequestResponse>(request);
                //error = response.Data.error;
                //error_description = response.Data.error_description;
                token_type = response.Data.token_type;
                scope      = response.Data.scope;
                expires    = response.Data.expires_in;

                if (response.Data.access_token != null)
                {
                    accessToken             = response.Data.access_token;
                    access_token_status     = "access_token present";
                    TempData["accessToken"] = response.Data.access_token;
                    tokenReceived2          = new System.IdentityModel.Tokens.JwtSecurityToken(accessToken);
                }
                else
                {
                    access_token_status = "access_token NOT present";
                }

                if (response.Data.id_token != null)
                {
                    idToken             = response.Data.id_token;
                    id_token_status     = "id_token present";
                    TempData["idToken"] = response.Data.id_token;
                    tokenReceived3      = new System.IdentityModel.Tokens.JwtSecurityToken(idToken);
                }
                else
                {
                    id_token_status = "id_token NOT present";
                }

                if (accessToken != null)
                {
                    TempData["errMessage"] = "Oauth Client Credentials SUCCESS token_type = " + token_type + " expires " + expires + " scope = " + scope + "  : " + access_token_status;
                    TempData["oktaOrg"]    = MvcApplication.apiUrl;
                    //TempData["token"] = MvcApplication.apiToken;
                    //GetInfoResponse getInfoResponse = new GetInfoResponse();
                    return(View("../AltLanding/ClientCredLanding"));
                }
                else
                {
                    TempData["errMessage"] = "Oauth Client Credentials Error token_type = " + token_type + " expires " + expires + " scope = " + scope + "  : " + access_token_status;
                    TempData["oktaOrg"]    = MvcApplication.apiUrl;
                    //TempData["token"] = MvcApplication.apiToken;
                    return(View("../AltLanding/UnprotectedLanding"));
                }
            }



            TempData["userName"] = userName;
            TempData["passWord"] = passWord;
            //return View("Login");
            return(RedirectToAction("UnprotectedLanding", "AltLanding"));
        }
コード例 #2
0
        public ActionResult ValidationEndpoint(string code, string state)
        {
            //use this for auth code workflow
            logger.Debug("Get OIDC for auth code workflow");


            logger.Debug(" code = " + code + " state " + state);

            string error                = null;
            string error_description    = null;
            string token_type           = null;
            string scope                = null;
            string id_token_status      = null;
            string idToken              = null;
            string access_token_status  = null;
            string accessToken          = null;
            string refresh_token_status = null;
            string refreshToken         = null;

            System.Security.Claims.ClaimsPrincipal jsonPayload = null;
            IRestResponse <TokenRequestResponse>   response    = null;
            OidcIdToken     oidcIdToken     = new OidcIdToken();
            OidcAccessToken oidcAccessToken = new OidcAccessToken();
            string          basicAuth       = appSettings["oidc.spintweb.clientId"] + ":" + appSettings["oidc.spintweb.clientSecret"];

            var    bytesBasicAuth   = System.Text.Encoding.UTF8.GetBytes(basicAuth);
            string encodedBasicAuth = System.Convert.ToBase64String(bytesBasicAuth);


            try
            {
                //var client = new RestClient(MvcApplication.apiUrl + "/oauth2/v1/token");
                var client  = new RestClient(appSettings["oidc.authServer"] + "/v1/token");
                var request = new RestRequest(Method.POST);
                request.AddHeader("Accept", "application/json");
                request.AddHeader("Content-Type", "application/x-www-form-urlencoded");
                request.AddHeader("Authorization", " Basic " + encodedBasicAuth);
                request.AddQueryParameter("grant_type", "authorization_code");
                request.AddQueryParameter("code", code);
                request.AddQueryParameter("redirect_uri", appSettings["oidc.spintweb.RedirectUri"]);
                response = client.Execute <TokenRequestResponse>(request);
                if (response.Data != null)
                {
                    error             = response.Data.error;
                    error_description = response.Data.error_description;
                    token_type        = response.Data.token_type;
                    scope             = response.Data.scope;
                }

                if (response.Data.id_token != null)
                {
                    id_token_status = "id_token present";
                    idToken         = response.Data.id_token;

                    string issuer   = appSettings["oidc.issuer"];
                    string audience = appSettings["oidc.spintweb.clientId"];
                    //jsonPayload = oktaOidcHelper.DecodeAndValidateIdToken(idToken, clientId, issuer, audience);
                    jsonPayload = oktaOidcHelper.ValidateIdToken(idToken, issuer, audience);
                    if (jsonPayload.Identity.IsAuthenticated)
                    {
                        TempData["errMessage"] = jsonPayload.ToString();
                        //System.IdentityModel.Tokens.Jwt.JwtSecurityToken tokenReceived = new System.IdentityModel.Tokens.Jwt.JwtSecurityToken(idToken);
                        //oidcIdToken = Newtonsoft.Json.JsonConvert.DeserializeObject<OidcIdToken>(idToken);
                    }
                    else
                    {
                        TempData["errMessage"] = "Invalid ID Token!";
                    }
                    TempData["idToken"] = idToken;
                }
                else
                {
                    id_token_status = "id_token NOT present";
                }

                if (response.Data.access_token != null)
                {
                    accessToken             = response.Data.access_token;
                    access_token_status     = "access_token present";
                    TempData["accessToken"] = response.Data.access_token;
                }
                else
                {
                    access_token_status = "access_token NOT present";
                }

                if (response.Data.refresh_token != null)
                {
                    refreshToken             = response.Data.refresh_token;
                    refresh_token_status     = "refresh_token present";
                    TempData["refreshToken"] = response.Data.refresh_token;
                }
                else
                {
                    refresh_token_status = "refresh_token NOT present";
                }
            }
            catch (Exception ex)
            {
                logger.Error(ex.ToString());
            }

            if (error != null)
            {
                TempData["errMessage"] = "Error " + error_description;
                TempData["oktaOrg"]    = apiUrl;
                return(RedirectToAction("UnprotectedLanding", "AltLanding"));
            }
            else
            {
                TempData["errMessage"] = "SUCCESS token_type = " + token_type + " scope = " + scope + " : " + id_token_status + " : " + access_token_status + " oktaId = " + oidcIdToken.sub;
                TempData["oktaOrg"]    = apiUrl;
                return(RedirectToAction("AuthCodeLanding", "AltLanding"));
            }
        }
コード例 #3
0
        public ActionResult Endpoint_AuthCode(string code, string state)
        {
            //use this for auth code workflow
            logger.Debug("Get OIDC Endpoint_AuthCode");

            logger.Debug(" code = " + code + " state " + state);

            string error                = null;
            string error_description    = null;
            string token_type           = null;
            string scope                = null;
            string id_token_status      = null;
            string idToken              = null;
            string access_token_status  = null;
            string accessToken          = null;
            string refresh_token_status = null;
            string refreshToken         = null;

            System.Security.Claims.ClaimsPrincipal newIdentity = null;
            IRestResponse <TokenRequestResponse>   response    = null;

            OidcAccessToken oidcAccessToken = new OidcAccessToken();
            string          basicAuth       = appSettings["oidc.spintweb.clientId"] + ":" + appSettings["oidc.spintweb.clientSecret"];

            var    bytesBasicAuth   = System.Text.Encoding.UTF8.GetBytes(basicAuth);
            string encodedBasicAuth = System.Convert.ToBase64String(bytesBasicAuth);


            try
            {
                var client  = new RestClient(primaryOrgUrl + "/oauth2/v1/token");
                var request = new RestRequest(Method.POST);
                request.AddHeader("Accept", "application/json");
                request.AddHeader("Content-Type", "application/x-www-form-urlencoded");
                request.AddHeader("Authorization", " Basic " + encodedBasicAuth);
                request.AddQueryParameter("grant_type", "authorization_code");
                request.AddQueryParameter("code", code);
                request.AddQueryParameter("redirect_uri", appSettings["oidc.spintweb.RedirectUri_AuthCode"]);
                response = client.Execute <TokenRequestResponse>(request);
                if (response.Data.error != null)
                {
                    error             = response.Data.error;
                    error_description = response.Data.error_description;
                }

                token_type = response.Data.token_type;
                scope      = response.Data.scope;

                if (response.Data.id_token != null)
                {
                    id_token_status = "id_token present";
                    idToken         = response.Data.id_token;
                    string issuer   = appSettings["oidc.issuer"];
                    string audience = appSettings["oidc.spintweb.clientId"];
                    newIdentity = oktaOidcHelper.ValidateIdToken(idToken, issuer, audience);
                    if (newIdentity.Identity.IsAuthenticated)
                    {
                        TempData["errMessage"] = "ID Token Valid!";
                    }
                    else
                    {
                        TempData["errMessage"] = "Invalid ID Token!";
                    }
                    TempData["idToken"] = idToken;
                }
                else
                {
                    id_token_status = "id_token NOT present";
                }

                if (response.Data.access_token != null)
                {
                    accessToken         = response.Data.access_token;
                    access_token_status = "access_token present";
                }
                else
                {
                    access_token_status = "access_token NOT present";
                }

                if (response.Data.refresh_token != null)
                {
                    refreshToken         = response.Data.refresh_token;
                    refresh_token_status = "refresh_token present";
                }
                else
                {
                    refresh_token_status = "refresh_token NOT present";
                }
            }
            catch (Exception ex)
            {
                logger.Error(ex.ToString());
            }

            if (error != null)
            {
                TempData["oktaOrg"] = primaryOrgUrl;
                return(RedirectToAction("UnprotectedLanding", "AltLanding"));
            }
            else
            {
                TempData["oktaOrg"] = primaryOrgUrl;
                return(RedirectToAction("AuthCodeLanding", "AltLanding"));
            }
        }
コード例 #4
0
        public ActionResult Endpoint_Web(string code, string state)
        {
            //use this for auth code workflow
            logger.Debug("Get OIDC Endpoint_Web");
            // set parameters
            string relayState = Request["relayState"];

            if (string.IsNullOrEmpty(relayState) && Request.QueryString["RelayState"] != null)
            {
                relayState = Request.QueryString["RelayState"];
            }
            else if (string.IsNullOrEmpty(relayState) && Request.QueryString["fromURI"] != null)
            {
                relayState = Request.QueryString["fromURI"];
            }
            else if (string.IsNullOrEmpty(relayState) && TempData["relayState"] != null)
            {
                relayState = (string)TempData["relayState"];
            }
            TempData["relayState"] = relayState;

            logger.Debug(" code = " + code + " state " + state);

            string error                = null;
            string error_description    = null;
            string token_type           = null;
            string scope                = null;
            string id_token_status      = null;
            string idToken              = null;
            string access_token_status  = null;
            string accessToken          = null;
            string refresh_token_status = null;
            string refreshToken         = null;
            string jsonPayload          = null;
            IRestResponse <TokenRequestResponse> response = null;
            OidcIdToken     oidcIdToken     = new OidcIdToken();
            OidcAccessToken oidcAccessToken = new OidcAccessToken();
            string          basicAuth       = appSettings["oidc.spintweb.clientId"] + ":" + appSettings["oidc.spintweb.clientSecret"];

            var    bytesBasicAuth   = System.Text.Encoding.UTF8.GetBytes(basicAuth);
            string encodedBasicAuth = System.Convert.ToBase64String(bytesBasicAuth);


            try
            {
                //var client = new RestClient(MvcApplication.apiUrl + "/oauth2/v1/token");
                var client  = new RestClient(appSettings["oidc.AuthServer"] + "/v1/token");
                var request = new RestRequest(Method.POST);
                request.AddHeader("Accept", "application/json");
                request.AddHeader("Content-Type", "application/x-www-form-urlencoded");
                request.AddHeader("Authorization", " Basic " + encodedBasicAuth);
                request.AddQueryParameter("grant_type", "authorization_code");
                request.AddQueryParameter("code", code);
                request.AddQueryParameter("redirect_uri", appSettings["oidc.spintweb.RedirectUri"]);
                response          = client.Execute <TokenRequestResponse>(request);
                error             = response.Data.error;
                error_description = response.Data.error_description;
                token_type        = response.Data.token_type;
                scope             = response.Data.scope;

                if (response.Data.id_token != null)
                {
                    id_token_status     = "id_token present";
                    idToken             = response.Data.id_token;
                    TempData["idToken"] = idToken;
                    string clientId = appSettings["oidc.spintweb.clientId"];
                    string issuer   = appSettings["oidc.Issuer"];
                    string audience = appSettings["oidc.spintweb.clientId"];
                    jsonPayload = oktaOidcHelper.DecodeAndValidateIdToken(idToken, clientId, issuer, audience);
                    if (jsonPayload.Contains("Failure"))
                    {
                        TempData["errMessage"] = "Invalid ID Token!";
                    }
                    else
                    {
                        // TempData["errMessage"] = jsonPayload;
                        System.IdentityModel.Tokens.JwtSecurityToken tokenReceived = new System.IdentityModel.Tokens.JwtSecurityToken(idToken);
                        oidcIdToken = Newtonsoft.Json.JsonConvert.DeserializeObject <OidcIdToken>(jsonPayload);
                    }
                }
                else
                {
                    id_token_status = "id_token NOT present";
                }

                if (response.Data.access_token != null)
                {
                    accessToken             = response.Data.access_token;
                    access_token_status     = "access_token present";
                    TempData["accessToken"] = response.Data.access_token;
                    string clientId = appSettings["oidc.spintweb.clientId"];
                    string issuer   = appSettings["oidc.Issuer"];
                    //audience if different when custom Authorization Server
                    string audience = null;
                    if (appSettings["oidc.chooseAuthServer"] == "default")
                    {
                        audience = appSettings["oidc.Issuer"];
                    }
                    else
                    {
                        audience = appSettings["oidc.customAuthServer.RedirectUri"];
                    }
                    jsonPayload = oktaOidcHelper.DecodeAndValidateIdToken(accessToken, clientId, issuer, audience);

                    System.IdentityModel.Tokens.JwtSecurityToken tokenReceived2 = new System.IdentityModel.Tokens.JwtSecurityToken(accessToken);
                }
                else
                {
                    access_token_status = "access_token NOT present";
                }

                if (response.Data.refresh_token != null)
                {
                    refreshToken             = response.Data.refresh_token;
                    refresh_token_status     = "refresh_token present";
                    TempData["refreshToken"] = response.Data.refresh_token;
                }
                else
                {
                    refresh_token_status = "refresh_token NOT present";
                }
            }
            catch (Exception ex)
            {
                logger.Error(ex.ToString());
            }

            if (error != null)
            {
                TempData["errMessage"] = "OIDC_Get Oauth Endpoint_Web error " + error_description;
                TempData["oktaOrg"]    = MvcApplication.apiUrl;
                //TempData["token"] = MvcApplication.apiToken;
                return(RedirectToAction("UnprotectedLanding", "AltLanding"));
            }
            else
            {
                TempData["errMessage"] = "OIDC_Get Oauth Endpoint_Web SUCCESS token_type = " + token_type + " scope = " + scope + " : " + id_token_status + " : " + access_token_status + " oktaId = " + oidcIdToken.sub;
                TempData["oktaOrg"]    = MvcApplication.apiUrl;
                //TempData["token"] = MvcApplication.apiToken;
                return(RedirectToAction("AuthCodeLanding", "AltLanding"));
            }
        }
コード例 #5
0
        public ActionResult ClientCredRoute()
        {
            string location = Request["location"];
            // set relayState
            string relayState = Request["relayState"];

            TempData["relayState"] = relayState;

            //this is available with Custom Authorization Server
            logger.Debug("Client Credential Flow");
            string error               = null;
            string error_description   = null;
            string token_type          = null;
            string scope               = null;
            string access_token_status = null;
            string accessToken         = null;
            string expires             = null;
            IRestResponse <TokenRequestResponse> response = null;
            OidcIdToken     oidcIdToken      = new OidcIdToken();
            OidcAccessToken oidcAccessToken  = new OidcAccessToken();
            string          basicAuth        = appSettings["oidc.clientcredservice.clientId"] + ":" + appSettings["oidc.clientcredservice.clientSecret"];
            var             bytesBasicAuth   = System.Text.Encoding.UTF8.GetBytes(basicAuth);
            string          encodedBasicAuth = System.Convert.ToBase64String(bytesBasicAuth);

            var client  = new RestClient(appSettings["oidc.authServer"] + "/v1/token");
            var request = new RestRequest(Method.POST);

            request.AddHeader("Accept", "application/json");
            request.AddHeader("Content-Type", "application/x-www-form-urlencoded");
            request.AddHeader("Authorization", " Basic " + encodedBasicAuth);
            request.AddQueryParameter("grant_type", "client_credentials");
            request.AddQueryParameter("scope", appSettings["oidc.clientcredservice.scopes"]);
            //for inline hooks
            request.AddQueryParameter("extra_param", "F0384685-userInfo-2058AC5655A7");

            response = client.Execute <TokenRequestResponse>(request);
            if (response.Data != null)
            {
                error             = response.Data.error;
                error_description = response.Data.error_description;
                token_type        = response.Data.token_type;
                scope             = response.Data.scope;
                expires           = response.Data.expires_in;
            }

            if (response.Data.access_token != null)
            {
                accessToken             = response.Data.access_token;
                access_token_status     = "access_token present";
                TempData["accessToken"] = response.Data.access_token;
            }
            else
            {
                access_token_status = "access_token NOT present";
            }

            if (accessToken != null)
            {
                TempData["errMessage"] = "Oauth Client Credentials SUCCESS token_type = " + token_type + " expires " + expires + " scope = " + scope + "  : " + access_token_status;
                TempData["oktaOrg"]    = apiUrl;

                return(View("../AltLanding/ClientCredLanding"));
            }
            else
            {
                TempData["errMessage"] = "Oauth Client Credentials Error token_type = " + token_type + " expires " + expires + " scope = " + scope + "  : " + access_token_status;
                TempData["oktaOrg"]    = apiUrl;
                return(View("../AltLanding/UnprotectedLanding"));
            }
        }
コード例 #6
0
        public ActionResult ResourceOwnerRoute()
        {
            string userName = Request["userName"];
            string passWord = Request["passWord"];
            //string authnlogin_but = Request["authnlogin_but"];
            //string oidclogin_but = Request["oidclogin_but"];
            //string oidc_but = Request["oidc_but"];
            string location = Request["location"];
            // set relayState
            string relayState = Request["relayState"];

            TempData["relayState"] = relayState;

            string error                = null;
            string error_description    = null;
            string token_type           = null;
            string scope                = null;
            string id_token_status      = null;
            string idToken              = null;
            string access_token_status  = null;
            string accessToken          = null;
            string refresh_token_status = null;
            string refreshToken         = null;

            System.Security.Claims.ClaimsPrincipal jsonPayload = null;


            IRestResponse <TokenRequestResponse> response = null;
            OidcIdTokenMin  oidcIdToken     = new OidcIdTokenMin();
            OidcAccessToken oidcAccessToken = new OidcAccessToken();
            string          basicAuth       = appSettings["oidc.spintnative.clientId"] + ":" + appSettings["oidc.spintnative.clientSecret"];

            var    bytesBasicAuth   = System.Text.Encoding.UTF8.GetBytes(basicAuth);
            string encodedBasicAuth = System.Convert.ToBase64String(bytesBasicAuth);

            try
            {
                var client  = new RestClient(appSettings["oidc.authServer"] + "/v1/token");
                var request = new RestRequest(Method.POST);
                request.AddHeader("Accept", "application/json");
                request.AddHeader("Content-Type", "application/x-www-form-urlencoded");
                request.AddHeader("Authorization", " Basic " + encodedBasicAuth);
                request.AddQueryParameter("grant_type", "password");
                request.AddQueryParameter("username", userName);
                request.AddQueryParameter("password", passWord);
                request.AddQueryParameter("scope", appSettings["oidc.scopes"]);
                response = client.Execute <TokenRequestResponse>(request);
                if (response.Data != null)
                {
                    error             = response.Data.error;
                    error_description = response.Data.error_description;
                    token_type        = response.Data.token_type;
                    scope             = response.Data.scope;
                }

                if (response.Data.id_token != null)
                {
                    idToken             = response.Data.id_token;
                    id_token_status     = "id_token present";
                    TempData["idToken"] = response.Data.id_token;
                    string issuer   = appSettings["oidc.issuer"];
                    string audience = appSettings["oidc.spintnative.clientId"];
                    //jsonPayload = oktaOidcHelper.DecodeAndValidateIdToken(idToken, clientId, issuer, audience);
                    jsonPayload = oktaOidcHelper.ValidateIdToken(idToken, issuer, audience);
                    if (jsonPayload.Identity.IsAuthenticated)
                    {
                        TempData["errMessage"] = jsonPayload.ToString();
                        //System.IdentityModel.Tokens.Jwt.JwtSecurityToken tokenReceived = new System.IdentityModel.Tokens.Jwt.JwtSecurityToken(idToken);
                        //oidcIdToken = Newtonsoft.Json.JsonConvert.DeserializeObject<OidcIdToken>(tokenReceived.ToString());
                    }
                    else
                    {
                        TempData["errMessage"] = "Invalid ID Token!";
                    }
                    TempData["idToken"] = idToken;
                }
                else
                {
                    id_token_status = "id_token NOT present";
                }

                if (response.Data.access_token != null)
                {
                    accessToken             = response.Data.access_token;
                    access_token_status     = "access_token present";
                    TempData["accessToken"] = response.Data.access_token;
                    //System.IdentityModel.Tokens.JwtSecurityToken tokenReceived2 = new System.IdentityModel.Tokens.JwtSecurityToken(accessToken);
                }
                else
                {
                    access_token_status = "access_token NOT present";
                }

                if (response.Data.refresh_token != null)
                {
                    refreshToken         = response.Data.refresh_token;
                    refresh_token_status = "refresh_token present";
                }
                else
                {
                    refresh_token_status = "refresh_token NOT present";
                }
            }
            catch (Exception ex)
            {
                logger.Error(ex.ToString());
            }
            if (accessToken != null || idToken != null)
            {
                TempData["errMessage"] = "OIDC_Get Oauth Resource Owner SUCCESS token_type = " + token_type + " scope = " + scope + " : " + id_token_status + " : " + access_token_status + " oktaId = " + oidcIdToken.sub;
                TempData["oktaOrg"]    = apiUrl;


                return(View("../AltLanding/ResOwnerLanding", oidcIdToken));
            }
            else
            {
                TempData["errMessage"] = "OIDC_Get Oauth Resource Owner error " + error_description;
                TempData["oktaOrg"]    = apiUrl;
                return(View("../AltLanding/UnprotectedLanding"));
            }
        }//end resource owner workflow
コード例 #7
0
        public ActionResult Endpoint_PKCE(string code, string state)
        {
            //use this for auth code with PKCE workflow
            logger.Debug("Get OIDC Endpoint_Code");

            logger.Debug(" code = " + code + " state " + state);

            string error                = null;
            string error_description    = null;
            string token_type           = null;
            string scope                = null;
            string id_token_status      = null;
            string idToken              = null;
            string access_token_status  = null;
            string accessToken          = null;
            string refresh_token_status = null;
            string refreshToken         = null;

            System.Security.Claims.ClaimsPrincipal jsonPayload = null;
            IRestResponse <TokenRequestResponse>   response    = null;

            OidcAccessToken oidcAccessToken = new OidcAccessToken();
            string          codeVerifier    = cacheService.GetPasscode("myKey");

            try
            {
                var client  = new RestClient(appSettings["oidc.authServer"] + "/oauth2/v1/token");
                var request = new RestRequest(Method.POST);
                request.AddHeader("Accept", "application/json");
                request.AddHeader("Content-Type", "application/x-www-form-urlencoded");
                request.AddQueryParameter("grant_type", "authorization_code");
                request.AddQueryParameter("code", code);
                request.AddQueryParameter("code_verifier", codeVerifier);
                request.AddQueryParameter("redirect_uri", appSettings["oidc.spintnative.RedirectUri_PKCE"]);
                request.AddQueryParameter("client_id", appSettings["oidc.spintnative.clientId"]);
                response          = client.Execute <TokenRequestResponse>(request);
                error             = response.Data.error;
                error_description = response.Data.error_description;
                token_type        = response.Data.token_type;
                scope             = response.Data.scope;

                if (response.Data.id_token != null)
                {
                    id_token_status = "id_token present";
                    idToken         = response.Data.id_token;
                    string issuer   = appSettings["oidc.issuer"];
                    string audience = appSettings["oidc.spintweb.clientId"];
                    jsonPayload = oktaOidcHelper.ValidateIdToken(idToken, issuer, audience);
                    if (jsonPayload.Identity.IsAuthenticated)
                    {
                        TempData["errMessage"] = jsonPayload.ToString();
                    }
                    else
                    {
                        TempData["errMessage"] = "Invalid ID Token!";
                    }
                    TempData["idToken"] = idToken;
                }
                else
                {
                    id_token_status = "id_token NOT present";
                }

                if (response.Data.access_token != null)
                {
                    accessToken             = response.Data.access_token;
                    access_token_status     = "access_token present";
                    TempData["accessToken"] = accessToken;
                }
                else
                {
                    access_token_status = "access_token NOT present";
                }

                if (response.Data.refresh_token != null)
                {
                    refreshToken             = response.Data.refresh_token;
                    refresh_token_status     = "refresh_token present";
                    TempData["refreshToken"] = refreshToken;
                }
                else
                {
                    refresh_token_status = "refresh_token NOT present";
                }
            }
            catch (Exception ex)
            {
                logger.Error(ex.ToString());
            }

            if (error != null)
            {
                TempData["errMessage"] = "OIDC_Get Oauth Endpoint_Web error " + error_description;
                TempData["oktaOrg"]    = apiUrl;
                return(RedirectToAction("UnprotectedLanding", "AltLanding"));
            }
            else
            {
                TempData["errMessage"] = "OIDC_Get Oauth Endpoint_Web SUCCESS = " + id_token_status + " : " + access_token_status;
                TempData["oktaOrg"]    = apiUrl;
                return(RedirectToAction("AuthCodeLanding", "AltLanding"));
            }
        }