|
public AddClaims ( IEnumerable |
||
| claims | IEnumerable |
Enumeration of claims to add. |
| return | void | |
public ClaimsIdentity ProcessClientCertificate(X509Certificate2 cert, string ipAddress)
{
using (var per = PersistenceFactory())
{
var hash = cert.GetCertHash();
var client = per.ClientGetByCertificateHash(hash);
// not found? add to pending certificates list
if (client == null)
{
TraceSource.TraceInformation("Pending certificate:\n{0} ({1})", ByteArrayHelper.ByteArrayToString(hash), ipAddress);
per.PendingCertificateAddOrUpdate(hash, ipAddress);
per.Save();
}
// build identity
var identity = new ClaimsIdentity("ClientAuthentication");
identity.AddClaim(new Claim(CertificateHashClaimType, ByteArrayHelper.ByteArrayToString(hash), ClaimValueTypes.HexBinary, ClaimIssuer));
identity.AddClaim(new Claim(IsKnownClaimType, client == null ? "false" : "true", ClaimValueTypes.Boolean, ClaimIssuer)); // known client?
// add details only if authenticated
if (client != null)
{
identity.AddClaim(new Claim(identity.NameClaimType, client.Name, ClaimValueTypes.String, ClaimIssuer)); // nick name
identity.AddClaim(new Claim(ClientIdClaimType, client.Id.ToString(), ClaimValueTypes.Integer, ClaimIssuer)); // ID
identity.AddClaims(client.ClientGroups.Select(group => new Claim(identity.RoleClaimType, group.Id.ToString(), ClaimValueTypes.Integer, ClaimIssuer))); // assigned groups
identity.AddClaims(client.ClientGroups.Select(group => new Claim(RoleNameClaimType, group.Name, ClaimValueTypes.String, ClaimIssuer))); // assigned groups (names - informative)
}
return identity;
}
}
public void ConfigureOAuth(IAppBuilder app)
{
app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions()
{
AllowInsecureHttp = true,
TokenEndpointPath = new PathString("/token"),
AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30),
Provider = new OAuthAuthorizationServerProvider
{
OnValidateClientAuthentication = async c=>c.Validated(),
OnGrantResourceOwnerCredentials = async c =>
{
using (var repo = new AuthRepository())
{
var user = await repo.FindUser(c.UserName, c.Password);
if (user == null)
{
c.Rejected();
throw new ApiException("User not existed or wrong password.");
}
}
var identity = new ClaimsIdentity(c.Options.AuthenticationType);
identity.AddClaims(new[] {new Claim(ClaimTypes.Name, c.UserName), new Claim(ClaimTypes.Role, "user")});
if (string.Equals(c.UserName, AppConfig.Manager, StringComparison.InvariantCultureIgnoreCase))
identity.AddClaims(new[] {new Claim(ClaimTypes.Name, c.UserName), new Claim(ClaimTypes.Role, "manager")});
c.Validated(identity);
}
},
});
}
public Task<ClaimsIdentity> CreateIdentityAsync(User user, string authenticationType, ClaimsIdentity externalIdentity)
{
var identity = new ClaimsIdentity(authenticationType, ClaimTypes.Name, ClaimTypes.Role);
identity.AddClaims(externalIdentity.Claims);
identity.AddClaim(new Claim(ClaimTypes.Name, user.Name, ClaimValueTypes.String));
identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.Id.ToString(), ClaimValueTypes.String));
if (user.IsAdmin)
{
identity.AddClaim(new Claim(ClaimTypes.Role, "admin", ClaimValueTypes.String));
}
if (externalIdentity.HasClaim(claim => claim.Type == "urn:reddit:moderator_of"))
{
identity.AddClaim(new Claim(ClaimTypes.Role, "moderator", ClaimValueTypes.String));
}
if (user.IsBanned)
{
identity.AddClaim(new Claim(ClaimTypes.Role, "banned", ClaimValueTypes.String));
}
return Task.FromResult(identity);
}
//http://blog.asteropesystems.com/securing-web-api-requests-with-json-web-tokens/
public string GetToken(string username, List<ActivityClaim> activityClaims)
{
var tokenHandler = new JwtSecurityTokenHandler();
var now = DateTime.UtcNow;
var claims = new ClaimsIdentity(new[]
{
new Claim( ClaimTypes.UserData, "IsValid", ClaimValueTypes.String ),
new Claim( ClaimTypes.Name, username, ClaimValueTypes.String )
});
claims.AddClaims(activityClaims.Select(c => new Claim(ClaimTypes.UserData, c.ToString(), ClaimValueTypes.String)));
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = claims,
TokenIssuerName = "self",
AppliesToAddress = "https://api.knowthyshelf.com",
Lifetime = new Lifetime(now, now.AddYears(10)),
SigningCredentials = new SigningCredentials(new InMemorySymmetricSecurityKey(TOKEN_SECURITY_KEY),
"http://www.w3.org/2001/04/xmldsig-more#hmac-sha256",
"http://www.w3.org/2001/04/xmlenc#sha256"),
};
var token = tokenHandler.CreateToken(tokenDescriptor);
var tokenString = tokenHandler.WriteToken(token);
return tokenString;
}
/// <summary>
/// Initializes a new instance of the <see cref="CustomGrantValidationResult"/> class.
/// </summary>
/// <param name="subject">The subject claim used to uniquely identifier the user.</param>
/// <param name="authenticationMethod">The authentication method which describes the custom grant type.</param>
/// <param name="claims">Additional claims that will be maintained in the principal.</param>
/// <param name="identityProvider">The identity provider.</param>
public CustomGrantValidationResult(
string subject,
string authenticationMethod,
IEnumerable<Claim> claims = null,
string identityProvider = Constants.BuiltInIdentityProvider)
{
var resultClaims = new List<Claim>
{
new Claim(Constants.ClaimTypes.Subject, subject),
new Claim(Constants.ClaimTypes.AuthenticationMethod, authenticationMethod),
new Claim(Constants.ClaimTypes.IdentityProvider, identityProvider),
new Claim(Constants.ClaimTypes.AuthenticationTime, DateTimeOffsetHelper.UtcNow.ToEpochTime().ToString(), ClaimValueTypes.Integer)
};
if (claims != null && claims.Any())
{
resultClaims.AddRange(claims.Where(x => !Constants.OidcProtocolClaimTypes.Contains(x.Type)));
}
var id = new ClaimsIdentity(authenticationMethod);
id.AddClaims(resultClaims.Distinct(new ClaimComparer()));
Principal = new ClaimsPrincipal(id);
IsError = false;
}
protected override ClaimsIdentity GetOutputClaimsIdentity(ClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
{
if (null == principal)
{
throw new ArgumentNullException("principal");
}
var outputIdentity = new ClaimsIdentity();
IEnumerable<Claim> outputClaims;
if (this.scopeModel.UseClaimsPolicyEngine)
{
IClaimsPolicyEvaluator evaluator = new ClaimsPolicyEvaluator(PolicyStoreFactory.Instance);
outputClaims = evaluator.Evaluate(new Uri(scope.AppliesToAddress), ((ClaimsIdentity)principal.Identity).Claims);
}
else
{
outputClaims = ((ClaimsIdentity)principal.Identity).Claims;
}
outputIdentity.AddClaims(outputClaims);
if (outputIdentity.Name == null && outputIdentity.Claims.SingleOrDefault(c => c.Type == ClaimTypes.NameIdentifier) != null)
outputIdentity.AddClaim(new Claim(ClaimTypes.Name, outputIdentity.Claims.SingleOrDefault(c => c.Type == ClaimTypes.NameIdentifier).Value));
var isPersistent =
((ClaimsIdentity)principal.Identity).Claims.SingleOrDefault(c => c.Type == ClaimTypes.IsPersistent);
if (isPersistent != null)
{
outputIdentity.AddClaim(new Claim(ClaimTypes.IsPersistent, isPersistent.Value));
}
return outputIdentity;
}
public async Task<IActionResult> Unauthorized(string returnUrl = null)
{
const string Issuer = "https://contoso.com";
List<Claim> claims = new List<Claim>();
claims.Add(new Claim(ClaimTypes.Name, "barry", ClaimValueTypes.String, Issuer));
claims.Add(new Claim(ClaimTypes.Role, "Administrator", ClaimValueTypes.String, Issuer));
claims.Add(new Claim("EmployeeId", "123", ClaimValueTypes.String, Issuer));
claims.Add(new Claim(ClaimTypes.DateOfBirth, "1970-06-08", ClaimValueTypes.Date));
claims.Add(new Claim("BadgeNumber", "123456", ClaimValueTypes.String, Issuer));
//claims.Add(new Claim("TemporaryBadgeExpiry", DateTime.Now.AddDays(1).ToString(), ClaimValueTypes.String, Issuer));
//claims.Add(new Claim("TemporaryBadgeExpiry", DateTime.Now.AddDays(-1).ToString(), ClaimValueTypes.String, Issuer));
var userIdentity = new ClaimsIdentity("SuperSecureLogin");
userIdentity.AddClaims(claims);
var userPrincipal = new ClaimsPrincipal(userIdentity);
await HttpContext.Authentication.SignInAsync("Cookie", userPrincipal,
new AuthenticationProperties
{
ExpiresUtc = DateTime.UtcNow.AddMinutes(20),
IsPersistent = false,
AllowRefresh = false
});
return RedirectToLocal(returnUrl);
}
public async Task<ActionResult> Index(string code)
{
var ctx = Request.GetOwinContext();
var user = await ctx.Environment.GetIdentityServerPartialLoginAsync();
if (user == null)
{
return View("Error");
}
var id = user.FindFirst("sub").Value;
if (!(await this.userMgr.VerifyTwoFactorTokenAsync(id, "sms", code)))
{
ViewData["message"] = "Incorrect code";
return View("Index");
}
var resumeUrl = user.FindFirst(Constants.ClaimTypes.PartialLoginReturnUrl).Value;
var newUser = new ClaimsIdentity(user.AuthenticationType);
var claims = user.Claims.Where(c => c.Type != "amr").ToList();
claims.Add(new Claim("amr", "2fa"));
newUser.AddClaims(claims);
Request.GetOwinContext().Authentication.SignIn(newUser);
return Redirect(resumeUrl);
}
private Task<ClaimsPrincipal> TransformClaims(ClaimsPrincipal incoming)
{
if (!incoming.Identity.IsAuthenticated)
{
return Task.FromResult<ClaimsPrincipal>(incoming);
}
// parse incoming claims - create new principal with app claims
var claims = new List<Claim>
{
new Claim(ClaimTypes.Role, "foo"),
new Claim(ClaimTypes.Role, "bar")
};
var nameId = incoming.FindFirst(ClaimTypes.NameIdentifier);
if (nameId != null)
{
claims.Add(nameId);
}
var thumbprint = incoming.FindFirst(ClaimTypes.Thumbprint);
if (thumbprint != null)
{
claims.Add(thumbprint);
}
var id = new ClaimsIdentity("Application");
id.AddClaims(claims);
return Task.FromResult<ClaimsPrincipal>(new ClaimsPrincipal(id));
}
private static ClaimsIdentity GetClaimsIdentity()
{
var claimsIdentity = new ClaimsIdentity(AuthenticationTypes.Password);
claimsIdentity.AddClaims(GetClaims());
return claimsIdentity;
}
public void Configuration(IAppBuilder app) {
AntiForgeryConfig.UniqueClaimTypeIdentifier = Constants.ClaimTypes.Subject;
JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();
app.Map("/identity", idsrvApp => {
idsrvApp.UseIdentityServer(new IdentityServerOptions {
SiteName = "Embedded IdentityServer",
SigningCertificate = LoadCertificate(),
Factory = InMemoryFactory.Create(
users: Users.Get(),
clients: Clients.Get(),
scopes: Scopes.Get())
});
});
app.UseCookieAuthentication(new CookieAuthenticationOptions {
AuthenticationType = "Cookies"
});
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions {
Authority = "https://localhost:44301/identity",
ClientId = "mvc",
Scope = "openid profile roles",
RedirectUri = "https://localhost:44301/",
ResponseType = "id_token",
SignInAsAuthenticationType = "Cookies",
UseTokenLifetime = false,
Notifications = new OpenIdConnectAuthenticationNotifications {
SecurityTokenValidated = async n => {
var id = n.AuthenticationTicket.Identity;
// we want to keep first name, last name, subject and roles
var givenName = id.FindFirst(Constants.ClaimTypes.GivenName);
var familyName = id.FindFirst(Constants.ClaimTypes.FamilyName);
var sub = id.FindFirst(Constants.ClaimTypes.Subject);
var roles = id.FindAll(Constants.ClaimTypes.Role);
// create new identity and set name and role claim type
var nid = new ClaimsIdentity(
id.AuthenticationType,
Constants.ClaimTypes.GivenName,
Constants.ClaimTypes.Role);
nid.AddClaim(givenName);
nid.AddClaim(familyName);
nid.AddClaim(sub);
nid.AddClaims(roles);
// add some other app specific claim
nid.AddClaim(new Claim("app_specific", "some data"));
n.AuthenticationTicket = new AuthenticationTicket(
nid,
n.AuthenticationTicket.Properties);
}
}
});
}
/// <summary>
/// Returns a ClaimsIdentity instance given a userId
/// </summary>
/// <param name="userId">The user's id</param>
/// <returns></returns>
public ClaimsIdentity FindByUserId(string userId)
{
ClaimsIdentity claimsIdentity = new ClaimsIdentity();
string commandText = "Select * from userclaims where UserId = @UserId";
Dictionary<string, object> parameters = new Dictionary<string, object>() { { "@UserId", userId } };
var claims = _database.ExecuteReader(commandText, parameters, this.ReadClaim);
claimsIdentity.AddClaims(claims);
return claimsIdentity;
}
/// <summary>
/// 当客户端Id与客户端密钥验证通过后,生成在线票据令牌
/// </summary>
/// <param name="context"></param>
/// <returns></returns>
public override Task GrantClientCredentials(OAuthGrantClientCredentialsContext context)
{
ClaimsIdentity identity = new ClaimsIdentity(context.Options.AuthenticationType);
identity.AddClaim(new Claim(ClaimTypes.Name, context.ClientId));
identity.AddClaims(context.Scope.Select(m => new Claim("urn:oauth:scope", m)));
AuthenticationProperties properties = new AuthenticationProperties(
new Dictionary<string, string>() { { "as:client_id", context.ClientId } });
AuthenticationTicket ticket = new AuthenticationTicket(identity, properties);
context.Validated(ticket);
return Task.FromResult(0);
}
public ClaimsIdentity FindClaimsByUserId(string userId)
{
var result = _database.QuerySql(
"SELECT * FROM AspNetUserClaims WHERE UserId = @userId",
new { userId });
var claims = new ClaimsIdentity();
claims.AddClaims(
result.Select(x => new Claim(x["ClaimType"].ToString(), x["ClaimValue"].ToString()))
.ToList());
return claims;
}
protected override ClaimsIdentity GetOutputClaimsIdentity( ClaimsPrincipal principal, RequestSecurityToken request, Scope scope )
{
ClaimsIdentity outgoingIdentity = new ClaimsIdentity();
outgoingIdentity.AddClaims(principal.Claims);
List<Role> roles = (List<Role>)HttpContext.Current.Session["User_Roles_" + principal.Identity.Name];
RBACHelper rbacHelper = new RBACHelper();
Permission[] permissions = rbacHelper.GetUserPermissions(Factory.Session(Factory.User(principal.Identity.Name), roles.ToArray()));
outgoingIdentity.AddClaim(new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/permissions", Serialize(permissions)));
return outgoingIdentity;
}
public ClaimsPrincipal ValidateUser(string token)
{
try
{
//Claims don't deserialize :(
//var jwttoken = JsonWebToken.DecodeToObject<JwtToken>(token, configProvider.GetAppSetting("securekey"));
var decodedtoken = JsonWebToken.DecodeToObject(token, _configProvider.GetAppSetting("securekey")) as Dictionary<string, object>;
if (decodedtoken == null)
return null;
var jwttoken = new JwtToken()
{
Audience = (string)decodedtoken["Audience"],
Issuer = (string)decodedtoken["Issuer"],
Expiry = DateTime.Parse(decodedtoken["Expiry"].ToString()),
};
if (decodedtoken.ContainsKey("Claims"))
{
var claims = new List<Claim>();
for (int i = 0; i < ((ArrayList)decodedtoken["Claims"]).Count; i++)
{
var type = ((Dictionary<string, object>)((ArrayList)decodedtoken["Claims"])[i])["Type"].ToString();
var value = ((Dictionary<string, object>)((ArrayList)decodedtoken["Claims"])[i])["Value"].ToString();
claims.Add(new Claim(type, value));
}
jwttoken.Claims = claims;
}
if (jwttoken.Expiry < DateTime.UtcNow)
{
return null;
}
//TODO Tidy on 3.8 Mono release
var claimsPrincipal = new ClaimsPrincipal();
var claimsIdentity = new ClaimsIdentity("Token");
claimsIdentity.AddClaims(jwttoken.Claims);
claimsPrincipal.AddIdentity(claimsIdentity);
return claimsPrincipal;
}
catch (Exception)
{
return null;
}
}
private ClaimsPrincipal GetClaimsPrincipal(TicketEntity signUpTicket)
{
ClaimsIdentity userIdentity = new ClaimsIdentity("SuperSecureLogin");
List<Claim> claims = new List<Claim>
{
new Claim(ClaimTypes.Country, signUpTicket.Culture, ApplicationSettings.Name),
new Claim(ClaimTypes.Name, signUpTicket.Name, ClaimValueTypes.String, ApplicationSettings.Name),
new Claim(ClaimTypes.NameIdentifier, signUpTicket.Key.ToString(), ClaimValueTypes.String, ApplicationSettings.Name)
};
userIdentity.AddClaims(claims);
return new ClaimsPrincipal(userIdentity);
}
// For more information on configuring authentication, please visit http://go.microsoft.com/fwlink/?LinkId=301864
public void ConfigureAuth(IAppBuilder app)
{
OpenIdConnectAuthenticationOptions options = new OpenIdConnectAuthenticationOptions
{
// These are standard OpenID Connect parameters, with values pulled from web.config
ClientId = clientId,
RedirectUri = redirectUri,
PostLogoutRedirectUri = redirectUri,
SignInAsAuthenticationType = "Cookies",
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = AuthenticationFailed,
RedirectToIdentityProvider = OnRedirectToIdentityProvider,
SecurityTokenValidated = message =>
{
IdToken = message.ProtocolMessage.IdToken;
var newJwt = new JwtSecurityTokenHandler().ReadToken(IdToken) as JwtSecurityToken;
ClaimsIdentity claimsIdentity = new ClaimsIdentity();
claimsIdentity.AddClaims(newJwt.Claims);
message.OwinContext.Response.Context.Authentication.AuthenticationResponseGrant = new AuthenticationResponseGrant(claimsIdentity, new AuthenticationProperties());
message.OwinContext.Response.Context.Authentication.User = new ClaimsPrincipal(claimsIdentity);
// message.AuthenticationTicket = new AuthenticationTicket(claimsIdentity, new AuthenticationProperties() {RedirectUri = "/Home/Claims/"});
return Task.FromResult(newJwt);
}
},
Scope = "openid profile address",
ResponseType = "id_token",
// The PolicyConfigurationManager takes care of getting the correct Azure AD authentication
// endpoints from the OpenID Connect metadata endpoint. It is included in the PolicyAuthHelpers folder.
// The first parameter is the metadata URL of your B2C directory
// The second parameter is an array of the policies that your app will use.
ConfigurationManager = new PolicyConfigurationManager(
String.Format(CultureInfo.InvariantCulture, aadInstance, tenant, "/v2.0", OIDCMetadataSuffix),
new string[] { SignUpPolicyId, SignInPolicyId, ProfilePolicyId }),
// This piece is optional - it is used for displaying the user's name in the navigation bar.
TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name",
},
};
app.UseOpenIdConnectAuthentication(options);
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions() {AuthenticationType = "Cookie"});
}
private ClaimsPrincipal CreateUser()
{
var claims = new List<Claim>
{
new Claim(ClaimTypes.Role, "gee"),
new Claim(ClaimTypes.Surname, "foo_surname"),
new Claim(ClaimTypes.Name, "foo"),
new Claim(ClaimTypes.HomePhone, "foo_phone"),
new Claim(ClaimTypes.Role, "gee_2")
};
var id = new ClaimsIdentity("Application", "claimTypeHere", "admin");
id.AddClaims(claims);
return new ClaimsPrincipal(id);
}
public ActionResult Login(LoginModel model)
{
if(model.Username.Equals("wahid", StringComparison.OrdinalIgnoreCase) &&
model.Password.Equals("password", StringComparison.OrdinalIgnoreCase))
{
var identity = new ClaimsIdentity("ApplicationCookie");
identity.AddClaims(new List<Claim>
{
new Claim(ClaimTypes.NameIdentifier, model.Username),
new Claim(ClaimTypes.Name, model.Username)
});
HttpContext.GetOwinContext().Authentication.SignIn(identity);
}
return View(model);
}
public async Task<GetUserInfoResponse> GetUserInfo(ClaimsIdentity claimsIdentity)
{
bool isAzureActiveDirectoryUser = false;
var hasIssClaim = claimsIdentity.FindFirst("iss");
if (hasIssClaim != null)
{
if (hasIssClaim.Value.Contains("sts.windows.net"))
{
isAzureActiveDirectoryUser = true;
}
}
var userName = claimsIdentity.GetUserName();
var userInfo = await _databaseRepository.GetUserInfo(userName);
// if the user is unknown, we store it in our own database.
if (userInfo == null && isAzureActiveDirectoryUser)
{
var firstName = claimsIdentity.Claims.Where(x => x.Type == System.IdentityModel.Claims.ClaimTypes.GivenName).Select(x => x.Value).FirstOrDefault();
var lastName = claimsIdentity.Claims.Where(x => x.Type == System.IdentityModel.Claims.ClaimTypes.Surname).Select(x => x.Value).FirstOrDefault();
var user = await _userService.Create(userName, userName, firstName, lastName);
await _databaseRepository.AddToUserList(user.Id, user.UserName, user.FirstName, user.LastName);
userInfo = await _databaseRepository.GetUserInfo(userName);
}
var roleClaims = new List<Claim>();
foreach (var userRole in userInfo.Roles)
{
roleClaims.Add(new Claim(ClaimTypes.Role, userRole));
}
var localClaimsIdentity = new ClaimsIdentity(
new List<Claim>
{
new Claim(ClaimTypes.Name, userInfo.UserName),
new Claim(ClaimTypes.GivenName, userInfo.Profile.FirstName),
new Claim(ClaimTypes.Surname, userInfo.Profile.LastName),
new Claim(ClaimTypes.NameIdentifier, userInfo.Id.ToString())
});
localClaimsIdentity.AddClaims(roleClaims);
var token = localClaimsIdentity.GenerateToken(_configurationService.LocalAuthentication.AudienceId, _configurationService.LocalAuthentication.AudienceSecret, _configurationService.LocalAuthentication.Issuer, DateTime.UtcNow.AddHours(-1), DateTime.UtcNow.AddDays(10));
userInfo.UserToken = token;
return userInfo;
}
public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
if (context.UserName == "admin" && context.Password == "p@ssw0rd")
{
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
identity.AddClaims(new[]
{
new Claim(ClaimTypes.GivenName, context.UserName)
});
context.Validated(identity);
}
else
{
context.Rejected();
}
return Task.FromResult(0);
}
public void Security_X509CertificateTokenVerificationFact()
{
var issuer = "http://katanatesting.com/";
var sentIdentity = new ClaimsIdentity("CustomJwt", "MyNameClaimType", "MyRoleClaimType");
sentIdentity.AddClaims(new Claim[] { new Claim("MyNameClaimType", "TestUser"), new Claim("MyRoleClaimType", "Administrator") });
for (int i = 0; i < 5; i++)
{
sentIdentity.AddClaim(new Claim("ClaimId" + i.ToString(), i.ToString()));
}
var authProperties = new AuthenticationProperties();
var sentTicket = new AuthenticationTicket(sentIdentity, authProperties);
var signingCertificate = GetACertificateWithPrivateKey();
var signingCredentials = new X509SigningCredentials(signingCertificate);
var tokenValidationParameters = new TokenValidationParameters() { ValidAudience = issuer, SaveSigninToken = true, AuthenticationType = sentIdentity.AuthenticationType };
var formatter = new JwtFormat(tokenValidationParameters, new X509CertificateSecurityTokenProvider(issuer, signingCertificate));
formatter.TokenHandler = new JwtSecurityTokenHandler();
var protectedtext = SecurityUtils.CreateJwtToken(sentTicket, issuer, signingCredentials);
//Receive part
var receivedTicket = formatter.Unprotect(protectedtext);
var receivedClaims = receivedTicket.Identity.Claims;
Assert.Equal<string>("CustomJwt", receivedTicket.Identity.AuthenticationType);
Assert.Equal<string>(ClaimsIdentity.DefaultNameClaimType, receivedTicket.Identity.NameClaimType);
Assert.Equal<string>(ClaimsIdentity.DefaultRoleClaimType, receivedTicket.Identity.RoleClaimType);
Assert.NotNull(receivedTicket.Identity.BootstrapContext);
Assert.NotNull(((BootstrapContext)receivedTicket.Identity.BootstrapContext).Token);
Assert.Equal<string>(issuer, receivedClaims.Where<Claim>(claim => claim.Type == "iss").FirstOrDefault().Value);
Assert.Equal<string>(issuer, receivedClaims.Where<Claim>(claim => claim.Type == "aud").FirstOrDefault().Value);
Assert.NotEmpty(receivedClaims.Where<Claim>(claim => claim.Type == "exp").FirstOrDefault().Value);
for (int i = 0; i < 5; i++)
{
sentIdentity.AddClaim(new Claim("ClaimId" + i.ToString(), i.ToString()));
Assert.Equal<string>(i.ToString(), receivedClaims.Where<Claim>(claim => claim.Type == "ClaimId" + i.ToString()).FirstOrDefault().Value);
}
Assert.Equal<string>("TestUser", receivedClaims.Where<Claim>(claim => claim.Type == ClaimsIdentity.DefaultNameClaimType).FirstOrDefault().Value);
Assert.Equal<string>("Administrator", receivedClaims.Where<Claim>(claim => claim.Type == ClaimsIdentity.DefaultRoleClaimType).FirstOrDefault().Value);
Assert.NotEmpty(receivedClaims.Where<Claim>(claim => claim.Type == "iat").FirstOrDefault().Value);
Assert.NotEmpty(receivedClaims.Where<Claim>(claim => claim.Type == "jti").FirstOrDefault().Value);
}
private async Task<ClaimsPrincipal> Transformation(ClaimsPrincipal incoming)
{
if (!incoming.Identity.IsAuthenticated)
{
return incoming;
}
var name = incoming.Identity.Name;
// got to datastore and check adn valdiate
var claims = new List<Claim> {
new Claim(ClaimTypes.NameIdentifier,name),
new Claim(ClaimTypes.Role,"test"),
new Claim(ClaimTypes.Email,"*****@*****.**")
};
var id = new ClaimsIdentity("Windows");
id.AddClaims(claims);
return new ClaimsPrincipal(id);
}
public static void SignIn(AuthenticationManager authenticationManager, User user)
{
var claims = new List<Claim>
{
new Claim(ClaimTypes.Email, user.EMail, ClaimValueTypes.String, Issuer),
new Claim(ClaimTypes.UserData, user.Id.ToString(), ClaimValueTypes.Integer32, Issuer)
};
var userIdentity = new ClaimsIdentity("Email");
userIdentity.AddClaims(claims);
var userPrincipal = new ClaimsPrincipal(userIdentity);
authenticationManager.SignInAsync(AuthenticationSchema, userPrincipal,
new AuthenticationProperties
{
ExpiresUtc = DateTime.UtcNow.AddMinutes(20),
IsPersistent = false,
AllowRefresh = true
}).Wait();
}
public async Task<IActionResult> Unauthorized(string returnUrl = null)
{
const string Issuer = "https://contoso.com";
List<Claim> claims = new List<Claim>();
claims.Add(new Claim(ClaimTypes.Name, "barry", ClaimValueTypes.String, Issuer));
var userIdentity = new ClaimsIdentity("SuperSecureLogin");
userIdentity.AddClaims(claims);
var userPrincipal = new ClaimsPrincipal(userIdentity);
await HttpContext.Authentication.SignInAsync("Cookie", userPrincipal,
new AuthenticationProperties
{
ExpiresUtc = DateTime.UtcNow.AddMinutes(20),
IsPersistent = false,
AllowRefresh = false
});
return RedirectToLocal(returnUrl);
}
public static string CreateJwtToken(AuthenticationTicket data, string issuer, SigningCredentials signingCredentials)
{
string audience = issuer;
// As JWT doesn't have a mechanism of passing metadata about what claim should be the name/subject the JWT handler
// users the default Name claim type. If the identity has another claim type as the name type we need to
// switch it to the DefaultNameClaimType.
var identity = new ClaimsIdentity(data.Identity);
if (identity.NameClaimType != ClaimsIdentity.DefaultNameClaimType && !string.IsNullOrWhiteSpace(identity.Name))
{
identity.AddClaim(new Claim(ClaimsIdentity.DefaultNameClaimType, identity.Name));
identity.RemoveClaim(identity.Claims.First(c => c.Type == identity.NameClaimType));
}
// And now do the same for roles.
List<Claim> roleClaims = identity.Claims.Where(c => c.Type == identity.RoleClaimType).ToList();
if (identity.RoleClaimType != ClaimsIdentity.DefaultRoleClaimType && roleClaims.Any())
{
foreach (var roleClaim in roleClaims)
{
identity.RemoveClaim(roleClaim);
identity.AddClaim(new Claim(ClaimsIdentity.DefaultRoleClaimType, roleClaim.Value, roleClaim.ValueType, roleClaim.Issuer, roleClaim.OriginalIssuer));
}
}
identity.AddClaims(new[]
{
new Claim("iat", GetEpocTimeStamp()),
new Claim("jti", Guid.NewGuid().ToString("N"))
});
Lifetime lifetime = new Lifetime(null, null);
if (data.Properties.IssuedUtc != null || data.Properties.ExpiresUtc != null)
{
lifetime = new Lifetime(data.Properties.IssuedUtc != null ? (DateTime?)((DateTimeOffset)data.Properties.IssuedUtc).UtcDateTime : null, data.Properties.ExpiresUtc != null ? (DateTime?)((DateTimeOffset)data.Properties.ExpiresUtc).UtcDateTime : null);
}
var handler = new JwtSecurityTokenHandler();
return handler.CreateToken(issuer, audience, identity, lifetime.Created, lifetime.Expires, signingCredentials).RawData;
}
public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
// 認証ロジックを書く
if (context.UserName == "admin" && context.Password == "p@ssw0rd")
{
// context.Options.AuthenticationTypeを使ってClaimsIdentityを作る
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
// 必要なClaimを追加しておく。
identity.AddClaims(new[]
{
new Claim(ClaimTypes.GivenName, context.UserName),
new Claim(ClaimTypes.Role, "User"),
new Claim(ClaimTypes.Role, "Admin")
});
context.Validated(identity);
}
else
{
context.Rejected();
}
return Task.FromResult(0);
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
IEnumerable<ClaimModel> claims = GetClaimModels(context);
if (claims == null) return;
string clientId = context.ClientId ?? context.OwinContext.Get<string>("as:client_id");
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
identity.AddClaims(claims.Select(c => new Claim(c.ClaimType, c.ClaimValue)));
identity.AddClaim(new Claim("ClientId", clientId));
identity.AddClaim(new Claim("RefreshToken", Guid.NewGuid().ToString()));
var props = new AuthenticationProperties(new Dictionary<string, string>
{
{"as:client_id", clientId},
{"as:type", context.OwinContext.Get<string>("as:type")}
});
var ticket = new AuthenticationTicket(identity, props);
if (context.OwinContext.Get<string>("as:type") == string.Empty)
{
var createUserDevice = new CreateUserDevice()
{
ClientId = clientId,
UserId = Convert.ToInt32(identity.Claims.Where(c => c.Type == "UserId")
.Select(c => c.Value)
.FirstOrDefault())
};
this.commandBus.Send(createUserDevice);
}
context.Validated(ticket);
}
public ClaimsPrincipal Get(string userName)
{
var user = (_users.FirstOrDefault(u => u.UserName.ToUpperInvariant() == userName.ToUpperInvariant()));
if (user == null)
{
return null;
}
List<Claim> claims = new List<Claim>();
claims.Add(new Claim(ClaimTypes.Name, userName, ClaimValueTypes.String, Constants.Issuer));
claims.Add(new Claim(Constants.CompanyClaimType, user.Company, ClaimValueTypes.String, Constants.Issuer));
if (!string.IsNullOrWhiteSpace(user.Role))
{
claims.Add(new Claim(ClaimTypes.Role, user.Role, ClaimValueTypes.String, Constants.Issuer));
}
var userIdentity = new ClaimsIdentity("AuthorizationLab");
userIdentity.AddClaims(claims);
var userPrincipal = new ClaimsPrincipal(userIdentity);
return userPrincipal;
}
ClaimsPrincipal ISecurityTokenValidator.ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
{
JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();
//try
//{
//Default
//tokenHandler.ValidateToken(securityToken, validationParameters, out validatedToken);
//validatedToken = new JwtSecurityToken("jwtEncodedString");
// var clienturl = "";
// clienturl = Request.Headers["myOrigin"];
// //read key from db
// var customerdata = (from ev in _objdb.TbGeCustomer
// where ev.Url == clienturl.ToString()
// select ev).ToList();
// key = customerdata[0].EncryptKey;
//Custom Check For AuthToken
// string tokenData = GlobalESS.Globalfunction.DecryptToken(securityToken, true, this.key);
// GlobalESS.TokenData _tokenData = GlobalESS.Globalfunction.GetTokenDataNotUseJWT(tokenData);
// double expireTime = this.expiretimespan;
// DateTime issueDate = _tokenData.TicketExpireDate.AddMinutes(-expireTime);
// DateTime NowDate = System.DateTime.UtcNow;
// if (issueDate > NowDate || _tokenData.TicketExpireDate < NowDate)
// {
// throw new ArgumentException("Token Expire");
// }
// }
// catch (Exception ex)
// {
// System.Console.WriteLine(ex.Message);
// //throw;
// }
ClaimsPrincipal principal = null;
// SecurityToken validToken = null;
validatedToken = null;
System.Collections.Generic.List <System.Security.Claims.Claim> ls =
new System.Collections.Generic.List <System.Security.Claims.Claim>();
ls.Add(
new System.Security.Claims.Claim(
System.Security.Claims.ClaimTypes.Name, "Globalwave"
, System.Security.Claims.ClaimValueTypes.String
)
);
//
System.Security.Claims.ClaimsIdentity id = new System.Security.Claims.ClaimsIdentity("authenticationType");
id.AddClaims(ls);
principal = new System.Security.Claims.ClaimsPrincipal(id);
return(principal);
throw new NotImplementedException();
}
