public SimpleWebToken ValidateToken(string token) { if (token == null) throw new HttpException(401, "SWT not found"); var swt = new SimpleWebToken(token); var securityKey = Convert.FromBase64String(this.SharedKeyBase64); if (securityKey == null) throw new HttpException(401, "Missing shared key"); if (!IsHMACValid(swt.RawToken, securityKey)) throw new HttpException(401, "Invalid signature"); if (swt.IsExpired) throw new HttpException(401, "Token expired"); if (this.AllowedAudiences != null && this.AllowedAudiences.Count > 0) { var swtAudienceUri = default(Uri); if (!Uri.TryCreate(swt.Audience, UriKind.RelativeOrAbsolute, out swtAudienceUri)) throw new HttpException(401, "Invalid audience"); if (!this.AllowedAudiences.Any(uri => uri == swtAudienceUri)) throw new HttpException(401, "Audience not found"); } if (!string.IsNullOrEmpty(this.AllowedIssuer)) { if (!this.AllowedIssuer.Equals(swt.Issuer, StringComparison.Ordinal)) throw new HttpException(401, "Invalid issuer"); } return swt; }
public static IPrincipalInitializer GetInitializerFromToken(SimpleWebToken token) { IPrincipalInitializer initializer = null; var identityProviderClaim = token.Claims[IdentityProviderClaimType]; if(!String.IsNullOrEmpty(identityProviderClaim)) { switch (identityProviderClaim) { case MSFTFederation: initializer = new MicrosoftADFSPrincipalInitializer(); break; default: initializer = new PrincipalInitializer(); break; // if all else fails, return the default PrincipalInitializer } } return initializer; }
protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) { if (String.IsNullOrEmpty(_sharedKeyBase64)) throw new ApplicationException("You need to pass in your shared symmetric token signing key."); // Validate the existence of the Authorization header string authHeader = String.Empty; try { authHeader = request.Headers.GetValues("Authorization").First(); } catch (InvalidOperationException) { throw new HttpException(400, "Missing Authorization header"); } // Validate the Authorization header string header = "OAuth "; string token = string.Empty; if (string.CompareOrdinal(authHeader, 0, header, 0, header.Length) == 0) { token = authHeader.Remove(0, header.Length); } else { throw new HttpException(401, "The authorization header was invalid"); } // Validate the token var validator = new SimpleWebTokenValidator { SharedKeyBase64 = _sharedKeyBase64 }; // Validate the token, throws HttpResponseExceptions if validation fails var swt = validator.ValidateToken(token); var swtToken = new SimpleWebToken(token); // Determine the identity provider and use a principal initializer accordingly IPrincipalInitializer principalInitalizer = PrincipalInitializerFactory.GetInitializerFromToken(swtToken); principalInitalizer.InitializeCurrentPrincipalFromToken(swtToken); return base.SendAsync(request, cancellationToken); }
public virtual void InitializeCurrentPrincipalFromToken(SimpleWebToken swtToken) { ClaimsIdentity identity = new ClaimsIdentity("Federation"); foreach (var pair in swtToken.Claims) { if (!IsReservedKeyName(pair.Key) && !string.IsNullOrEmpty(pair.Value)) { identity.AddClaim(new Claim(pair.Key, pair.Value, ClaimValueTypes.String, swtToken.Issuer)); if (pair.Key == AcsNameClaimType) { // add a default name claim from the Name identifier claim. identity.AddClaim(new Claim(DefaultNameClaimType, pair.Value, ClaimValueTypes.String, swtToken.Issuer)); } } } var principal = new ClaimsPrincipal(new List<ClaimsIdentity> { identity }); Thread.CurrentPrincipal = principal; }
public override void InitializeCurrentPrincipalFromToken(SimpleWebToken swtToken) { ClaimsIdentity identity = new ClaimsIdentity("Federation"); string firstName = String.Empty; string lastName = String.Empty; foreach (var pair in swtToken.Claims) { if (!IsReservedKeyName(pair.Key) && !string.IsNullOrEmpty(pair.Value)) { // Add the claim identity.AddClaim(new Claim(pair.Key, pair.Value, ClaimValueTypes.Email, swtToken.Issuer)); // The email address is unique, set it as the "Name" identitifier accessible at User.Identity.Name if (pair.Key == EmailAddressClaimType) identity.AddClaim(new Claim(DefaultNameClaimType, pair.Value, ClaimValueTypes.String, swtToken.Issuer)); } } var principal = new ClaimsPrincipal(identity); Thread.CurrentPrincipal = principal; }