/// <summary>
/// Returns the string representation of the bewit, which is a base64 URL encoded string of format
/// id\exp\mac\ext, where id is the user identifier, exp is the UNIX time until which bewit is
/// valid, mac is the HMAC of the bewit to protect integrity, and ext is the application specific data.
/// </summary>
public string ToBewitString()
{
if (request.Method != HttpMethod.Get) // Not supporting HEAD
throw new InvalidOperationException("Bewit not allowed for methods other than GET");
ulong now = utcNow.ToUnixTime() + Convert.ToUInt64(this.localOffset);
var artifacts = new ArtifactsContainer()
{
Id = credential.Id,
Timestamp = now + (ulong)lifeSeconds,
Nonce = String.Empty,
ApplicationSpecificData = this.applicationSpecificData ?? String.Empty
};
var normalizedRequest = new NormalizedRequest(request, artifacts) { IsBewit = true };
var crypto = new Cryptographer(normalizedRequest, artifacts, credential);
// Sign the request
crypto.Sign(); // Bewit is for GET and GET must have no request body
// bewit: id\exp\mac\ext
string bewit = String.Format(@"{0}\{1}\{2}\{3}",
credential.Id,
artifacts.Timestamp,
artifacts.Mac.ToBase64String(),
artifacts.ApplicationSpecificData);
return bewit.ToBytesFromUtf8().ToBase64UrlString();
}
/// <summary>
/// Returns the string representation of the bewit, which is a base64 URL encoded string of format
/// id\exp\mac\ext, where id is the user identifier, exp is the UNIX time until which bewit is
/// valid, mac is the HMAC of the bewit to protect integrity, and ext is the application specific data.
/// </summary>
public string ToBewitString()
{
if (request.Method != HttpMethod.Get) // Not supporting HEAD
{
throw new InvalidOperationException("Bewit not allowed for methods other than GET");
}
ulong now = utcNow.ToUnixTime() + Convert.ToUInt64(this.localOffset);
var artifacts = new ArtifactsContainer()
{
Id = credential.Id,
Timestamp = now + (ulong)lifeSeconds,
Nonce = String.Empty,
ApplicationSpecificData = this.applicationSpecificData ?? String.Empty
};
var normalizedRequest = new NormalizedRequest(request, artifacts)
{
IsBewit = true
};
var crypto = new Cryptographer(normalizedRequest, artifacts, credential);
// Sign the request
crypto.Sign(); // Bewit is for GET and GET must have no request body
// bewit: id\exp\mac\ext
string bewit = String.Format(@"{0}\{1}\{2}\{3}",
credential.Id,
artifacts.Timestamp,
artifacts.Mac.ToBase64String(),
artifacts.ApplicationSpecificData);
return(bewit.ToBytesFromUtf8().ToBase64UrlString());
}
/// <summary>
/// Returns the name of the response header (WWW-Authenticate or Server-Authorization) and the corresponding
/// value, respectively for an unauthorized and a successful request.
/// </summary>
public async Task <Tuple <string, string> > CreateServerAuthorizationAsync(IResponseMessage response)
{
if (response.StatusCode == HttpStatusCode.Unauthorized)
{
string challenge = String.Format(" {0}", request.ChallengeParameter ?? String.Empty);
string headerValue = HawkConstants.Scheme + challenge.TrimEnd(' ');
return(new Tuple <string, string>(HawkConstants.WwwAuthenticateHeaderName, headerValue));
}
else
{
// No Server-Authorization header for the following:
// (1) There is no result or failed authentication.
// (2) The credential is a bewit.
// (3) The server is configured to not send the header.
bool createHeader = this.result != null &&
this.result.IsAuthentic &&
(!this.isBewitRequest) &&
options.EnableServerAuthorization;
if (createHeader)
{
if (options.NormalizationCallback != null)
{
this.result.Artifacts.ApplicationSpecificData = options.NormalizationCallback(response);
}
// Sign the response
var normalizedRequest = new NormalizedRequest(request, this.result.Artifacts)
{
IsServerAuthorization = true
};
var crypto = new Cryptographer(normalizedRequest, this.result.Artifacts, this.result.Credential);
// Response body is needed only if payload hash must be included in the response MAC.
string body = null;
if (options.ResponsePayloadHashabilityCallback != null &&
options.ResponsePayloadHashabilityCallback(this.request))
{
body = await response.ReadBodyAsStringAsync();
}
crypto.Sign(body, response.ContentType);
string authorization = this.result.Artifacts.ToServerAuthorizationHeaderParameter();
if (!String.IsNullOrWhiteSpace(authorization))
{
return(new Tuple <string, string>(HawkConstants.ServerAuthorizationHeaderName,
String.Format("{0} {1}", HawkConstants.Scheme, authorization)));
}
}
}
return(null);
}
/// <summary>
/// Returns the name of the response header (WWW-Authenticate or Server-Authorization) and the corresponding
/// value, respectively for an unauthorized and a successful request.
/// </summary>
public async Task<Tuple<string, string>> CreateServerAuthorizationAsync(IResponseMessage response)
{
if (response.StatusCode == HttpStatusCode.Unauthorized)
{
string challenge = String.Format(" {0}", request.ChallengeParameter ?? String.Empty);
string headerValue = HawkConstants.Scheme + challenge.TrimEnd(' ');
return new Tuple<string, string>(HawkConstants.WwwAuthenticateHeaderName, headerValue);
}
else
{
// No Server-Authorization header for the following:
// (1) There is no result or failed authentication.
// (2) The credential is a bewit.
// (3) The server is configured to not send the header.
bool createHeader = this.result != null
&& this.result.IsAuthentic
&& (!this.isBewitRequest)
&& options.EnableServerAuthorization;
if (createHeader)
{
if (options.NormalizationCallback != null)
this.result.Artifacts.ApplicationSpecificData = options.NormalizationCallback(response);
// Sign the response
var normalizedRequest = new NormalizedRequest(request, this.result.Artifacts);
var crypto = new Cryptographer(normalizedRequest, this.result.Artifacts, this.result.Credential);
// Response body is needed only if payload hash must be included in the response MAC.
string body = null;
if (options.ResponsePayloadHashabilityCallback != null &&
options.ResponsePayloadHashabilityCallback(this.request))
{
body = await response.ReadBodyAsStringAsync();
}
crypto.Sign(body, response.ContentType);
string authorization = this.result.Artifacts.ToServerAuthorizationHeaderParameter();
if (!String.IsNullOrWhiteSpace(authorization))
{
return new Tuple<string, string>(HawkConstants.ServerAuthorizationHeaderName,
String.Format("{0} {1}", HawkConstants.Scheme, authorization));
}
}
}
return null;
}
/// <summary>
/// Creates the HTTP Authorization header in hawk scheme.
/// </summary>
internal async Task CreateClientAuthorizationInternalAsync(IRequestMessage request, DateTime utcNow)
{
var credential = options.CredentialsCallback();
this.artifacts = new ArtifactsContainer()
{
Id = credential.Id,
Timestamp = utcNow.AddSeconds(HawkClient.CompensatorySeconds).ToUnixTime(),
Nonce = NonceGenerator.Generate()
};
if (options.NormalizationCallback != null)
this.artifacts.ApplicationSpecificData = options.NormalizationCallback(request);
var normalizedRequest = new NormalizedRequest(request, this.artifacts);
this.crypto = new Cryptographer(normalizedRequest, this.artifacts, credential);
// Sign the request
bool includePayloadHash = options.RequestPayloadHashabilityCallback != null &&
options.RequestPayloadHashabilityCallback(request);
string payload = includePayloadHash ? await request.ReadBodyAsStringAsync() : null;
crypto.Sign(payload, request.ContentType);
request.Authorization = new AuthenticationHeaderValue(HawkConstants.Scheme,
this.artifacts.ToAuthorizationHeaderParameter());
}