public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
//Cors
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
//Validate the User
using (var authRepository = new AuthorizationRepository())
{
var user = await authRepository.FindUser(context.UserName, context.Password);
if (user == null)
{
context.SetError("invalid_grant", "The username or password is incorrect");
return;
}
else
{
var token = new ClaimsIdentity(context.Options.AuthenticationType);
token.AddClaim(new Claim("sub", context.UserName));
token.AddClaim(new Claim("role", "user"));
context.Validated(token);
}
}
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
// Try get the useraccount by provided username
var userAccount = _uow.UserAccountRepository.Get(context.UserName);
// If the useraccount was not found, reject the token request
if (userAccount == null)
{
context.Rejected();
return;
}
// If password is invalid, reject the token request
if (!PasswordHelper.Verify(userAccount.Password, userAccount.Salt, context.Password))
{
context.Rejected();
return;
}
// Create identity which will be included in the token
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
// All claims added here will be written to the token. Thus claims should
// be added with moderation
identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
identity.AddClaim(new Claim(ClaimTypes.Role, "administrator"));
// Validate the reqeust and return a token
context.Validated(identity);
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
using (AuthRepository _repo = new AuthRepository())
{
IdentityUser user = await _repo.FindUser(context.UserName, context.Password);
if (user == null)
{
context.SetError("invalid_grant", "The user name or password is incorrect.");
return;
}
}
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
identity.AddClaim(new Claim(ClaimTypes.Role, "user"));
identity.AddClaim(new Claim("sub", context.UserName));
var props = new AuthenticationProperties(new Dictionary<string, string>
{
{
"as:client_id", context.ClientId ?? string.Empty
},
{
"userName", context.UserName
}
});
var ticket = new AuthenticationTicket(identity, props);
context.Validated(ticket);
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
var user = userRepository.Get(w => w.UserName == context.UserName && w.Password == context.Password);
//var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();
//ApplicationUser user = await userManager.FindAsync(context.UserName, context.Password);
if (user == null)
{
context.SetError("invalid_grant", "The user name or password is incorrect.");
return;
}
ClaimsIdentity oAuthIdentity = new ClaimsIdentity(context.Options.AuthenticationType);
ClaimsIdentity cookiesIdentity = new ClaimsIdentity(context.Options.AuthenticationType);
oAuthIdentity.AddClaim(new Claim(ClaimTypes.Name, user.UserName));
if (user.Roles.Count() > 0)
{
oAuthIdentity.AddClaim(new Claim(ClaimTypes.Role, user.Roles.FirstOrDefault().Name));
}
//ClaimsIdentity oAuthIdentity = await user.GenerateUserIdentityAsync(userManager,
// OAuthDefaults.AuthenticationType);
//ClaimsIdentity cookiesIdentity = await user.GenerateUserIdentityAsync(userManager,
// CookieAuthenticationDefaults.AuthenticationType);
AuthenticationProperties properties = CreateProperties(user.UserName);
AuthenticationTicket ticket = new AuthenticationTicket(oAuthIdentity, properties);
context.Validated(ticket);
context.Request.Context.Authentication.SignIn(cookiesIdentity);
}
public bool Validate(string userName, string password, out ClaimsIdentity oAuthIdentity, out ClaimsIdentity cookiesIdentity)
{
using (var ctx = new PrincipalContext(ContextType.Domain, DomainName))
{
bool isValid = ctx.ValidateCredentials(userName, password);
if (isValid)
{
oAuthIdentity = new ClaimsIdentity(Startup.OAuthBearerOptions.AuthenticationType);
cookiesIdentity = new ClaimsIdentity(CookieAuthenticationDefaults.AuthenticationType);
var groups=GetUserGroups(userName);
oAuthIdentity.AddClaim(new Claim(ClaimTypes.Name, userName));
cookiesIdentity.AddClaim(new Claim(ClaimTypes.Name, userName));
if (groups.Contains("BD"))
{
oAuthIdentity.AddClaim(new Claim(ClaimTypes.Role, "BD"));
cookiesIdentity.AddClaim(new Claim(ClaimTypes.Role, "BD"));
}
else
{
oAuthIdentity.AddClaim(new Claim(ClaimTypes.Role, string.Join(",", groups)));
cookiesIdentity.AddClaim(new Claim(ClaimTypes.Role, string.Join(",", groups)));
}
}
else
{
oAuthIdentity = null;
cookiesIdentity = null;
}
return isValid;
}
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
try
{
var user = _service.Authenticate(context.UserName, context.Password);
if (user == null)
{
context.SetError("invalid_grant", "E-mail ou senha inválidos.");
return;
}
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
identity.AddClaim(new Claim(ClaimTypes.Name, user.Email));
identity.AddClaim(new Claim(ClaimTypes.GivenName, user.Name));
GenericPrincipal principal = new GenericPrincipal(identity, null);
Thread.CurrentPrincipal = principal;
context.Validated(identity);
}
catch (Exception)
{
context.SetError("invalid_grant", "E-mail ou senha inválidos.");
}
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
string userId;
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
using (AuctionDbRepository repo = new AuctionDbRepository())
{
IdentityUser user = await repo.FindUser(context.UserName, context.Password);
if (user == null)
{
context.SetError("invalid_grant", "The user name or password is incorrect.");
return;
}
userId = user.Id;
}
//Use this in test propose
//using (UserManager<ApplicationUser> manager = new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(new AuctionDb())))
//{
// var ident = manager.Find(context.UserName, context.Password);
// var userIdentity = await manager.CreateIdentityAsync(ident, "Bearer");
// context.Validated(userIdentity);
//}
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
identity.AddClaim(new Claim("userIdString", userId));
identity.AddClaim(new Claim("sub", context.UserName));
identity.AddClaim(new Claim("role", "user"));
context.Validated(identity);
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
try
{
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
Usuario user = _usuarioAppService.Get(el => el.Login == context.UserName && el.Senha == context.Password);
if (user == null)
{
context.SetError("invalid_grant", "Usuário ou Senha inválidos.");
return;
}
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
identity.AddClaim(new Claim(ClaimTypes.Name, user.NomeUsuario));
var roles = new List<string>();
roles.Add("User");
foreach (var item in roles)
identity.AddClaim(new Claim(ClaimTypes.Role, item));
GenericPrincipal principal = new GenericPrincipal(identity, roles.ToArray());
Thread.CurrentPrincipal = principal;
context.Validated(identity);
}
catch (Exception ex)
{
context.SetError("invalid_grant", ex.Message);
return;
}
}
/// <summary>
/// Called when a request to the Token endpoint arrives with a "grant_type" of "password". This occurs when the user has provided name and password
/// credentials directly into the client application's user interface, and the client application is using those to acquire an "access_token" and
/// optional "refresh_token". If the web application supports the
/// resource owner credentials grant type it must validate the context.Username and context.Password as appropriate. To issue an
/// access token the context.Validated must be called with a new ticket containing the claims about the resource owner which should be associated
/// with the access token. The application should take appropriate measures to ensure that the endpoint isn’t abused by malicious callers.
/// The default behavior is to reject this grant type.
/// See also http://tools.ietf.org/html/rfc6749#section-4.3.2
/// </summary>
/// <param name="context">The context of the event carries information in and results out.</param>
/// <returns>
/// Task to enable asynchronous execution
/// </returns>
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] {"*"});
string actorType;
using (var repo = new AuthorisationRepository())
{
var user = await repo.FindUser(context.UserName, context.Password); //actual authentication here
if (user == null)
{
context.SetError("invalid_grant", "The user name or password is incorrect.");
return;
}
actorType = user.Claims.First(x => x.ClaimType == ClaimTypes.Actor).ClaimValue;
context.OwinContext.Set("user_type", actorType);
//determine if it's a buyer or a seller
}
//useful info to include in the token here
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
identity.AddClaim(new Claim("sub", context.UserName));
identity.AddClaim(new Claim("role", "user"));
identity.AddClaim(new Claim("actor", actorType));
context.Validated(identity);
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
// SharePoint...
using (ClientContext ctx = new ClientContext(Constants.SPURL))
{
ctx.Credentials = new NetworkCredential(context.UserName, context.Password);
var u = ctx.Web.CurrentUser;
ctx.Load(u, _ => _.Title);
try
{
ctx.ExecuteQuery();
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
identity.AddClaim(new Claim("user", u.Title));
identity.AddClaim(new Claim("login", EncryptionHelper.Encrypt(context.UserName)));
identity.AddClaim(new Claim("pw", EncryptionHelper.Encrypt(context.Password)));
context.Validated(identity);
}
catch (Exception ex)
{
context.SetError("invalid_grant", "Invalid UserName or Password");
}
}
}
public TokenBuilder(string userId, string username, string role)
{
this.Identity = new ClaimsIdentity(OAuthDefaults.AuthenticationType);
Identity.AddClaim(new Claim(ClaimTypes.Name, username));
Identity.AddClaim(new Claim("role", role));
Identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, userId));
}
/// <summary>
/// Called when a request to the Token endpoint arrives with a "grant_type" of "password".
/// This occurs when the user has provided name and password credentials directly into the
/// client application's user interface, and the client application is using those to acquire an
/// "access_token" and optional "refresh_token". If the web application supports the resource owner
/// credentials grant type it must validate the context.Username and context.Password as appropriate.
/// To issue an access token the context.Validated must be called with a new ticket containing the
/// claims about the resource owner which should be associated with the access token.
/// The application should take appropriate measures to ensure that the endpoint isn’t abused by malicious callers.
/// The default behavior is to reject this grant type. See also http://tools.ietf.org/html/rfc6749#section-4.3.2
/// </summary>
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Headers", new[] { "Content-Type" });
if (context.UserName == "Pussy" && context.Password == "Cat")
{
// create identity
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
identity.AddClaim(new Claim("sub", "test"));
identity.AddClaim(new Claim("role", "user"));
identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
// create metadata to pass on to refresh token provider
var props = new AuthenticationProperties(new Dictionary<string, string>
{
{ "as:client_id", context.ClientId }
});
var ticket = new AuthenticationTicket(identity, props);
context.Validated(ticket);
//context.Validated(identity);
return;
}
context.Rejected();
}
public void DefaultUniqueClaimTypes_NotPresent_SerializesAllClaimTypes()
{
var identity = new ClaimsIdentity();
identity.AddClaim(new Claim(ClaimTypes.Email, "*****@*****.**"));
identity.AddClaim(new Claim(ClaimTypes.GivenName, "some"));
identity.AddClaim(new Claim(ClaimTypes.Surname, "one"));
#if DNX451
// CoreCLR doesn't support an 'empty' name
identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, string.Empty));
#endif
// Arrange
var claimsIdentity = (ClaimsIdentity)identity;
// Act
var identiferParameters = DefaultClaimUidExtractor.GetUniqueIdentifierParameters(claimsIdentity)
.ToArray();
var claims = claimsIdentity.Claims.ToList();
claims.Sort((a, b) => string.Compare(a.Type, b.Type, StringComparison.Ordinal));
// Assert
int index = 0;
foreach (var claim in claims)
{
Assert.Equal(identiferParameters[index++], claim.Type);
Assert.Equal(identiferParameters[index++], claim.Value);
}
}
public override Task HandleTokenRequest(HandleTokenRequestContext context) {
// Only handle grant_type=password token requests and let the
// OpenID Connect server middleware handle the other grant types.
if (context.Request.IsPasswordGrantType()) {
var user = new { Id = "users-123", UserName = "******", Password = "******" };
if (!string.Equals(context.Request.Username, user.UserName, StringComparison.Ordinal) ||
!string.Equals(context.Request.Password, user.Password, StringComparison.Ordinal)) {
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "Invalid username or password.");
return Task.FromResult(0);
}
var identity = new ClaimsIdentity(context.Options.AuthenticationScheme);
identity.AddClaim(ClaimTypes.NameIdentifier, user.Id,
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
identity.AddClaim(ClaimTypes.Name, user.UserName,
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
context.Validate(new ClaimsPrincipal(identity));
}
return Task.FromResult(0);
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
try
{ //context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
using (AuthService _repo = new AuthService())
{
var user = await _repo.FindUser(context.UserName, context.Password);
if (user == null)
{
context.SetError("invalid_grant", "The user name or password is incorrect.");
return;
}
}
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
identity.AddClaim(new Claim("sub", context.UserName));
identity.AddClaim(new Claim("role", "user"));
context.Validated(identity);
}
catch (Exception exp)
{}
}
public async Task <IActionResult> VerifyLoginToken([FromBody] VerifyLoginTokenModel model)
{
var result = await _db.VerifyLoginToken(model.TokenID, model.Token);
if (result.Success)
{
var identity = new System.Security.Claims.ClaimsIdentity("LoginToken");
identity.AddClaim(new Claim(ClaimTypes.Name, result.PersonID));
identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, result.PersonID));
identity.AddClaim(new Claim(ClaimTypes.Email, result.EmailAddress));
var principal = new System.Security.Claims.ClaimsPrincipal(identity);
await this.HttpContext.Authentication.SignInAsync(Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationDefaults.AuthenticationScheme, principal, new Microsoft.AspNetCore.Http.Authentication.AuthenticationProperties()
{
IsPersistent = false,
AllowRefresh = true,
IssuedUtc = DateTimeOffset.Now,
ExpiresUtc = DateTimeOffset.Now.AddMinutes(90)
});
return(this.Ok(new
{
PersonID = result.PersonID,
EmailAddress = result.EmailAddress
}));
}
return(this.BadRequest());
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
// Allow CORS on the token middleware provider
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
//TODO
// Usually this would be done via dependency injection
// But I haven't got it to work with the OWIN startup class yet
AppDBContext _ctx = new AppDBContext();
UserRepository _repo = new UserRepository(_ctx);
IdentityUser user = await _repo.FindUser(context.UserName, context.Password);
if (user == null)
{
context.SetError("invalid_grant", "The user name or password is incorrect.");
return;
}
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
identity.AddClaim(new Claim("sub", context.UserName));
identity.AddClaim(new Claim("role", "user"));
context.Validated(identity);
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
//allow CORS specfically for OAuth and Authenticate
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
//Find User Base on Username and Password in Auth Repository
using (var authorizationRepository = new AuthorizationRepository())
{
var user = await authorizationRepository.FindUser(context.UserName, context.Password);
//throw error if no user found
if (user == null )
{
context.SetError("invalid_grant", "username or password is incorrect");
}
else
{
// creat a token and add some claims
var token = new ClaimsIdentity(context.Options.AuthenticationType);
token.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
token.AddClaim(new Claim(ClaimTypes.Role, "user"));
context.Validated(token);
}
}
}
public override async System.Threading.Tasks.Task GrantCustomExtension(OAuthGrantCustomExtensionContext context)
{
if(context.GrantType.ToLower() == "facebook")
{
var fbClient = new FacebookClient(context.Parameters.Get("accesstoken"));
dynamic mainDataResponse = await fbClient.GetTaskAsync("me", new { fields = "first_name, last_name, picture" });
dynamic friendListResponse = await fbClient.GetTaskAsync("me/friends");
var friendsResult = (IDictionary<string, object>)friendListResponse;
var friendsData = (IEnumerable<object>)friendsResult["data"];
var friendsIdList = new List<string>();
foreach (var item in friendsData)
{
var friend = (IDictionary<string, object>)item;
friendsIdList.Add((string)friend["id"]);
}
User user = await CreateOrUpdateUser(mainDataResponse.id, mainDataResponse.first_name, mainDataResponse.last_name, mainDataResponse.picture.data.url, friendsIdList);
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
identity.AddClaim(new Claim(_fbIdKey, mainDataResponse.id));
identity.AddClaim(new Claim(_idKey, user.Id.ToString()));
await base.GrantCustomExtension(context);
context.Validated(identity);
}
return;
}
public ClaimsIdentity ProcessClientCertificate(X509Certificate2 cert, string ipAddress)
{
using (var per = PersistenceFactory())
{
var hash = cert.GetCertHash();
var client = per.ClientGetByCertificateHash(hash);
// not found? add to pending certificates list
if (client == null)
{
TraceSource.TraceInformation("Pending certificate:\n{0} ({1})", ByteArrayHelper.ByteArrayToString(hash), ipAddress);
per.PendingCertificateAddOrUpdate(hash, ipAddress);
per.Save();
}
// build identity
var identity = new ClaimsIdentity("ClientAuthentication");
identity.AddClaim(new Claim(CertificateHashClaimType, ByteArrayHelper.ByteArrayToString(hash), ClaimValueTypes.HexBinary, ClaimIssuer));
identity.AddClaim(new Claim(IsKnownClaimType, client == null ? "false" : "true", ClaimValueTypes.Boolean, ClaimIssuer)); // known client?
// add details only if authenticated
if (client != null)
{
identity.AddClaim(new Claim(identity.NameClaimType, client.Name, ClaimValueTypes.String, ClaimIssuer)); // nick name
identity.AddClaim(new Claim(ClientIdClaimType, client.Id.ToString(), ClaimValueTypes.Integer, ClaimIssuer)); // ID
identity.AddClaims(client.ClientGroups.Select(group => new Claim(identity.RoleClaimType, group.Id.ToString(), ClaimValueTypes.Integer, ClaimIssuer))); // assigned groups
identity.AddClaims(client.ClientGroups.Select(group => new Claim(RoleNameClaimType, group.Name, ClaimValueTypes.String, ClaimIssuer))); // assigned groups (names - informative)
}
return identity;
}
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
using (var projectContext = new ProjectContext())
{
using (var unitOfWork = new UnitOfWork(projectContext))
{
IdentityUser user = await unitOfWork.Users.FindUser(context.UserName, context.Password);
if (user == null)
{
context.SetError("invalid_grant", "The user name or password is incorrect.");
return;
}
}
}
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
identity.AddClaim(new Claim("sub", context.UserName));
identity.AddClaim(new Claim("role", "user"));
context.Validated(identity);
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] {"*"});
var identity = new ClaimsIdentity(DefaultAuthenticationTypes.ApplicationCookie);
var userManager = Startup.UserManagerFactory();
var user = await userManager.FindAsync(context.UserName, context.Password);
if (user == null)
{
context.SetError("invalid_grant", "The user name or password is incorrect.");
return;
}
identity.AddClaim(new Claim("id", user.StaffId.ToString()));
identity.AddClaim(new Claim(ClaimTypes.Name, user.UserName));
var listOfRoles = await userManager.GetRolesAsync(user.Id);
if (listOfRoles.Contains("admin"))
{
identity.AddClaim(new Claim("role", "admin"));
}
else
{
identity.AddClaim(new Claim("role", "user"));
}
context.Validated(identity);
var ctx = HttpContext.Current.GetOwinContext();
var authManager = ctx.Authentication;
authManager.SignIn(identity);
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] {"*"});
try
{
using (var userManager = new UserManager<User>(new UserStore<User>(new ElearningDbContext())))
{
var user = await userManager.FindAsync(context.UserName, context.Password);
if (user == null)
{
context.SetError("invaild_grant", "The user name or password is incorrect");
return;
}
}
}
catch (Exception ex)
{
var a = ex;
throw;
}
var identity = new ClaimsIdentity("JWT");
identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
identity.AddClaim(new Claim("sub", context.UserName));
identity.AddClaim(new Claim(ClaimTypes.Role, "user"));
var properties = new AuthenticationProperties(new Dictionary<string, string>
{
{
"audience", context.ClientId ?? string.Empty
}
});
var ticket = new AuthenticationTicket(identity, properties);
context.Validated(ticket);
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
List<string> roles = new List<string>();
IdentityUser user = new IdentityUser();
using (AuthRepository _repo = new AuthRepository())
{
user = await _repo.FindUser(context.UserName, context.Password);
if (user == null)
{
context.SetError("invalid_grant", "Потребителското име или паролата не са верни.");
return;
}
else
{
roles = await _repo.GetRolesForUser(user.Id);
}
}
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
identity.AddClaim(new Claim("sub", context.UserName));
foreach (var item in roles)
{
identity.AddClaim(new Claim(ClaimTypes.Role, item));
}
context.Validated(identity);
context.Response.Headers.Add("UserRoles", roles.ToArray());
}
public override async Task Invoke(IOwinContext context)
{
if (context.Request.Method == "POST" && context.Request.Path.Value.ToLower().EndsWith("/account/login"))
{
var form = await context.Request.ReadFormAsync();
var userName = form["username"];
var password = form["password"];
if (!string.IsNullOrWhiteSpace(userName))
{
var identity = new ClaimsIdentity(CookieAuthenticationDefaults.AuthenticationType);
identity.AddClaim(new Claim(ClaimTypes.Name, userName));
if (userName == "admin")
identity.AddClaim(new Claim(ClaimTypes.Role, "admin"));
context.Authentication.SignIn(identity);
context.Response.StatusCode = 200;
context.Response.ReasonPhrase = "Authorized";
}
else
{
context.Authentication.SignOut();
context.Response.StatusCode = 401;
context.Response.ReasonPhrase = "Unauthorized";
}
return;
}
await Next.Invoke(context);
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
using (AuthRepository _repo = new AuthRepository())
{
IdentityUser user = await _repo.FindUser(context.UserName, context.Password);
if (user == null)
{
context.SetError("invalid_grant", "The user name or password is incorrect.");
return;
}
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
identity.AddClaim(new Claim(ClaimTypes.Name, user.UserName));
var roles = await _repo.FindUserRoles(user.Id);
foreach (var r in roles)
{
identity.AddClaim(new Claim(ClaimTypes.Role, r));
}
//identity.AddClaim(new Claim("sub", context.UserName));
context.Validated(identity);
}
}
private ClaimsIdentity BuildIdentity(CasAuthenticationOptions options, string username, XElement successNode)
{
var identity = new ClaimsIdentity(options.AuthenticationType, options.NameClaimType, ClaimTypes.Role);
identity.AddClaim(new Claim(ClaimTypes.Name, username, "http://www.w3.org/2001/XMLSchema#string", options.AuthenticationType));
var attributesNode = successNode.Element(_ns + "attributes");
if (attributesNode != null)
{
foreach (var element in attributesNode.Elements())
{
identity.AddClaim(new Claim(element.Name.LocalName, element.Value));
}
}
string identityValue = username;
if (options.NameIdentifierAttribute != null && attributesNode != null)
{
var identityAttribute = attributesNode.Elements().FirstOrDefault(x => x.Name.LocalName == options.NameIdentifierAttribute);
if (identityAttribute == null)
throw new ApplicationException(string.Format("Identity attribute [{0}] not found for user: {1}", options.NameIdentifierAttribute, username));
identityValue = identityAttribute.Value;
}
identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, identityValue, "http://www.w3.org/2001/XMLSchema#string", options.AuthenticationType));
return identity;
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
//context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
IdentityUser user;
using (var _repo = new AuthRepository())
{
user = await _repo.FindUser(context.UserName, context.Password);
if (user == null)
{
context.SetError("invalid_grant", "The user name or password is incorrect.");
return;
}
}
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
identity.AddClaim(new Claim("sub", context.UserName));
identity.AddClaim(new Claim("userId", user.Id));
if (user.Id == "c417fc8e-5bae-410f-b2ee-463afe2fdeaa")
identity.AddClaim(new Claim(ClaimTypes.Role, "Admin"));
var props = new AuthenticationProperties(new Dictionary<string, string>
{
{
"userId", user.Id
}
});
var ticket = new AuthenticationTicket(identity, props);
context.Validated(ticket);
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
var allowedOrigin = context.OwinContext.Get<string>("as:clientAllowedOrigin") ?? "*";
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { allowedOrigin });
var user = await _userRepository.FindUserAsync(context.UserName, context.Password);
if (user == null)
{
context.SetError("invalid_grant", "The username or password is incorrect.");
return;
}
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
identity.AddClaim(new Claim("sub", context.UserName));
identity.AddClaim(new Claim("role", "user"));
var authenticationProperties = new AuthenticationProperties(new Dictionary<string, string>
{
{ "as:client_id", context.ClientId ?? string.Empty },
{ "username", context.UserName }
});
var ticket = new AuthenticationTicket(identity, authenticationProperties);
context.Validated(ticket);
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
var allowedOrigin = "*";
ApplicationUser appUser = null;
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { allowedOrigin });
using (AuthRepository _repo = new AuthRepository())
{
appUser = await _repo.FindUser(context.UserName, context.Password);
if (appUser == null)
{
context.SetError("invalid_grant", "The user name or password is incorrect.");
return;
}
}
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
identity.AddClaim(new Claim(ClaimTypes.Role, "User"));
identity.AddClaim(new Claim("PSK", appUser.PSK));
var props = new AuthenticationProperties(new Dictionary<string, string>
{
{
"userName", context.UserName
}
});
var ticket = new AuthenticationTicket(identity, props);
context.Validated(ticket);
}
public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
// Dummy check here, you need to do your DB checks against membership system http://bit.ly/SPAAuthCode
if (context.UserName != context.Password)
{
context.SetError("invalid_grant", "The user name or password is incorrect");
//return;
return Task.FromResult<object>(null);
}
var identity = new ClaimsIdentity("JWT");
identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
identity.AddClaim(new Claim("sub", context.UserName));
identity.AddClaim(new Claim(ClaimTypes.Role, "Manager"));
identity.AddClaim(new Claim(ClaimTypes.Role, "Supervisor"));
var props =
new AuthenticationProperties(
new Dictionary<string, string>
{
{
"audience",
context.ClientId ?? string.Empty
}
});
var ticket = new AuthenticationTicket(identity, props);
context.Validated(ticket);
return Task.FromResult<object>(null);
}
private static System.Security.Claims.ClaimsIdentity SetClaimsIdentity(OAuthGrantResourceOwnerCredentialsContext context, IdentityUser user)
{
var identity = new System.Security.Claims.ClaimsIdentity();
identity.AddClaim(new System.Security.Claims.Claim(System.Security.Claims.ClaimTypes.Name, context.UserName));
identity.AddClaim(new System.Security.Claims.Claim("sub", context.UserName));
var userRoles = context.OwinContext.Get <BookUserManager>().GetRoles(user.Id);
foreach (var role in userRoles)
{
identity.AddClaim(new System.Security.Claims.Claim(System.Security.Claims.ClaimTypes.Role, role));
}
return(identity);
}
public async Task <IActionResult> PcoLoginCallback(string code)
{
var redirectUrl = this.Url.Action("PcoLoginCallback", "Home", null, "https");
var client = new System.Net.Http.HttpClient();
var tokenRequest = new
{
grant_type = "authorization_code",
code = code,
client_id = _pcoApp.ClientID,
client_secret = _pcoApp.ClientSecret,
redirect_uri = redirectUrl
};
var tokenRequestJson = Newtonsoft.Json.JsonConvert.SerializeObject(tokenRequest);
var callbackResponse = await client.PostAsync(_pcoAuthOptions.AuthTokenUrl, new StringContent(tokenRequestJson, System.Text.Encoding.UTF8, "application/json"));
var token = await callbackResponse.Content.ReadJsonAsync <PcoAuthTokenResponse>();
var pcoClient = new PcoApiClient.PcoApiClient(client, new PcoApiOptions()
{
AuthenticationMethod = "Bearer",
Password = token.AccessToken
});
var myInfo = await pcoClient.Get <PcoPeoplePerson>("people/v2/me");
var ident = new System.Security.Claims.ClaimsIdentity("PCO");
ident.AddClaim(new Claim(ClaimTypes.NameIdentifier, myInfo.Data.ID));
ident.AddClaim(new Claim(ClaimTypes.Name, myInfo.Data.Attributes.Name));
ident.AddClaim(new Claim(ClaimsExtensions.OrganizationID, myInfo.Meta.Parent.ID.ToString()));
ident.AddClaim(new Claim(ClaimsExtensions.AccessToken, token.AccessToken));
ident.AddClaim(new Claim(ClaimsExtensions.RefreshToken, token.RefreshToken));
var principal = new System.Security.Claims.ClaimsPrincipal(ident);
await this.HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, principal, new AuthenticationProperties()
{
ExpiresUtc = DateTimeOffset.UtcNow.AddHours(1),
AllowRefresh = true,
IsPersistent = true
});
return(RedirectToAction("Index"));
}
public async Task SignIn(User user)
{
var identity = new System.Security.Claims.ClaimsIdentity(CookieAuthenticationDefaults.AuthenticationScheme);
identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.UserID.ToString()));
identity.AddClaim(new Claim(ClaimTypes.Name, user.FirstName));
identity.AddClaim(new Claim(ClaimTypes.Email, user.Email));
identity.AddClaim(new Claim(ClaimTypes.Role, user.Role.ToString()));
var principal = new ClaimsPrincipal(identity);
var authProperties = new AuthenticationProperties
{
AllowRefresh = true,
ExpiresUtc = DateTimeOffset.UtcNow.AddMinutes(60),
IsPersistent = true,
IssuedUtc = DateTimeOffset.UtcNow
};
await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, principal, authProperties);
//WebUser.SetUser(user);
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
var identity = new System.Security.Claims.ClaimsIdentity(context.Options.AuthenticationType);
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
using (var db = new TestModel())
{
if (db != null)
{
IQueryable <USER_MASTER> rtn = from temp in db.USER_MASTER select temp;
var user = rtn.ToList();
//var empl = db.Employees.ToList();
//var user = db.USER_MASTER;
if (user != null)
{
if (!string.IsNullOrEmpty(user.Where(u => u.Email == context.UserName && u.Password == context.Password).FirstOrDefault().Email))
{
identity.AddClaim(new Claim("Age", "16"));
var props = new AuthenticationProperties(new Dictionary <string, string>
{
{
"userdisplayname", context.UserName
},
{
"role", "admin"
}
});
var ticket = new AuthenticationTicket(identity, props);
context.Validated(ticket);
}
else
{
context.SetError("invalid_grant", "Provided username and password is incorrect");
context.Rejected();
}
}
}
else
{
context.SetError("invalid_grant", "Provided username and password is incorrect");
context.Rejected();
}
return;
}
}
/// <summary>
/// This static method is setup as a delegate in Startup.Auth and will be called each time a userIdentity is created
/// </summary>
/// <param name="userIdentity">the ClaimsIdentity created from CRM</param>
/// <param name="manager">the user manager used to add claims in the CRM storage</param>
public static async Task AddCustomUserClaims(System.Security.Claims.ClaimsIdentity userIdentity, UserManager <CrmIdentityUser <string>, string> manager)
{
// Here you can add your custom claims to the userIdentity
// Below is an example of how to add a custom claim:
// Check if the customClaim has been retrieved from CRM storage
if (!userIdentity.HasClaim("MyClaimType", "MyClaimValue"))
{
// Add the claim to the CRM Claim storage
System.Security.Claims.Claim customClaim = new Claim("MyClaimType", "MyClaimValue");
IdentityResult result = await manager.AddClaimAsync(userIdentity.GetUserId(), customClaim);
// If all goes well, add the claim to the userIdentity. Next time the user logs in
if (result.Succeeded)
{
userIdentity.AddClaim(customClaim);
}
else
{
// Handle the error
}
}
}
public JsonResult Escoger(int AgenciaId)
{
try {
var authenticationManager = HttpContext.GetOwinContext().Authentication;
var identity = new System.Security.Claims.ClaimsIdentity(User.Identity);
var Claim = identity.FindFirst(Lib.DataFilters.MustHaveAgencyParam);
if (Claim != null)
{
identity.RemoveClaim(identity.FindFirst(Lib.DataFilters.MustHaveAgencyParam));
}
identity.AddClaim(new System.Security.Claims.Claim(Lib.DataFilters.MustHaveAgencyParam, AgenciaId.ToString()));
authenticationManager.AuthenticationResponseGrant =
new AuthenticationResponseGrant(
new ClaimsPrincipal(identity),
new AuthenticationProperties {
IsPersistent = true
}
);
return(Json(new { success = true }));
} catch (Exception ex) {
return(Json(new { success = false, errors = ex.Message }));
}
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
app.UseBrowserLink();
}
else
{
app.UseExceptionHandler("/Error");
}
app.Map("/login", builder => builder.Use(next =>
{
return(async(context) =>
{
var claimIdentity = new System.Security.Claims.ClaimsIdentity("Custom");
claimIdentity.AddClaim(new System.Security.Claims.Claim(ClaimTypes.Name, "jim"));
await context.SignInAsync("myScheme", new ClaimsPrincipal(claimIdentity));
});
}));
// 退出
app.Map("/logout", builder => builder.Use(next =>
{
return(async(context) =>
{
await context.SignOutAsync("myScheme");
});
}));
// 认证
app.Use(next =>
{
return(async(context) =>
{
var result = await context.AuthenticateAsync("myScheme");
if (result?.Principal != null)
{
context.User = result.Principal;
}
await next(context);
});
});
// 授权
app.Use(async(context, next) =>
{
var user = context.User;
if (user?.Identity?.IsAuthenticated ?? false)
{
if (user.Identity.Name != "jim")
{
await context.ForbidAsync("myScheme");
}
else
{
await next();
}
}
else
{
await context.ChallengeAsync("myScheme");
}
});
// 访问受保护资源
app.Map("/resource", builder => builder.Run(async(context) => await context.Response.WriteAsync("Hello, ASP.NET Core!")));
app.UseStaticFiles();
app.UseMvc(routes =>
{
routes.MapRoute(
name: "default",
template: "{controller}/{action=Index}/{id?}");
});
}
// For more information on configuring authentication, please visit http://go.microsoft.com/fwlink/?LinkId=301864
public void ConfigureAuth(IAppBuilder app)
{
// Enable the application to use a cookie to store information for the signed in user
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login")
});
// Use a cookie to temporarily store information about a user logging in with a third party login provider
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
// Uncomment the following lines to enable logging in with third party login providers
//app.UseMicrosoftAccountAuthentication(
// clientId: "",
// clientSecret: "");
//app.UseTwitterAuthentication(
// consumerKey: "",
// consumerSecret: "");
//app.UseFacebookAuthentication(
// appId: "",
// appSecret: "");
#region ServerOAuth
app.UseOAuthBearerAuthentication(new Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationOptions
()
{
AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active,
AuthenticationType = "Emad",
Realm = "EHM" //anything
});
var options = new Microsoft.Owin.Security.OAuth.OAuthAuthorizationServerOptions();
options.TokenEndpointPath = new PathString("/account/token");
options.AuthorizeEndpointPath = new PathString("/account/auth");
options.AllowInsecureHttp = true; //Don't do that!! always be on secure scheme, this is set to "true" for demo purposes
var provider = new OAuthAuthorizationServerProvider();
provider.OnValidateClientRedirectUri = (context) =>
{
return(Task.Run(() =>
{
//Caution: this is not to validate that the uri is valid syntax wise, this is to validate it business wise. If this uri is not
//valid syntax wise this entry will not be hit in the first place, and your authentication process will not work!
context.Validated();
}));
};
provider.OnValidateAuthorizeRequest = (context) =>
{
return(Task.Run(() =>
{
//Authorization validation here
//Somewhere in the request you should create the identity and sign in with it, I put it here, it could be a page on your app?
context.OwinContext.Authentication.SignIn(new System.Security.Claims.ClaimsIdentity("Bearer"));
context.Validated();
}));
};
provider.OnAuthorizeEndpoint = (context) =>
{
return(Task.Run(() =>
{
//This is the last chance to alter the request, you can either end it here using RequestCompleted and start resonding,
//or you can let it go through to the subsequent middleware,
//except that you have to make sure the response returns a 200, otherwise the whole thing will not work
context.RequestCompleted();
var str = context.Options.AccessTokenFormat;
}));
};
provider.OnValidateClientAuthentication = (context) =>
{
return(Task.Run(() =>
{
//Client validation here
context.Validated();
}));
};
options.Provider = provider;
AuthenticationTokenProvider authTokenProvider = new AuthenticationTokenProvider();
authTokenProvider.OnCreate = (context) =>
{
//create a dummy token
context.SetToken("MyTokenblablabla");
};
//This is called when a client is requesting with Authorization header and passing the token, like this "Authorization: Bearer jdksjkld"
authTokenProvider.OnReceive = (context) =>
{
//create dummy identity regardless of the validty of the token :)
var claimsIdentity = new System.Security.Claims.ClaimsIdentity("Bearer");
claimsIdentity.AddClaim(new Claim("something", "Ahmad")); //This claim type "something" is used for protection from anti-forgery...
//Check the Global.asax for "AntiForgeryConfig.UniqueClaimTypeIdentifier = "something";"
//you can avoid setting this, but you have to use the default claims type. check http://bartwullems.blogspot.com.au/2013/09/aspnet-mvc-4-error-when-using-anti.html
context.SetTicket(new Microsoft.Owin.Security.AuthenticationTicket(claimsIdentity,
new Microsoft.Owin.Security.AuthenticationProperties
{
ExpiresUtc = new System.DateTimeOffset(2015, 3, 1, 1, 1, 1, new System.TimeSpan()),
}
));
};
options.AuthorizationCodeProvider = authTokenProvider;
options.RefreshTokenProvider = authTokenProvider;
options.AccessTokenProvider = authTokenProvider;
app.UseOAuthBearerTokens(options);
#endregion
//app.UseGoogleAuthentication();
}
public static void ReplaceClaim(this ClaimsIdentity identity, string type, string value)
{
identity.TryRemoveClaim(identity.Claims.FirstOrDefault(c => c.Type == type));
identity.AddClaim(new Claim(type, value));
}
public static void MakeAttendee(this ClaimsIdentity identity) => identity.AddClaim(new Claim(AuthConstants.IsAttendee, AuthConstants.TrueValue));
