public bool CanBeAutoApproved(EndUserAuthorizationRequest authorizationRequest) { if (authorizationRequest == null) { throw new ArgumentNullException("authorizationRequest"); } // NEVER issue an auto-approval to a client that would end up getting an access token immediately // (without a client secret), as that would allow arbitrary clients to masquarade as an approved client // and obtain unauthorized access to user data. if (authorizationRequest.ResponseType == EndUserAuthorizationResponseType.AuthorizationCode) { // Never issue auto-approval if the client secret is blank, since that too makes it easy to spoof // a client's identity and obtain unauthorized access. var db = new OAuthEntities(); var requestingClient = db.oauth_client.First(c => c.ClientIdentifier == authorizationRequest.ClientIdentifier); if (!string.IsNullOrEmpty(requestingClient.ClientSecret)) { return this.IsAuthorizationValid( authorizationRequest.Scope, authorizationRequest.ClientIdentifier, DateTime.UtcNow, "zhangsan" //HttpContext.Current.User.Identity.Name ); } } // Default to not auto-approving. return false; }
public ActionResult Authorize() { var pendingRequest = this.authorizationServer.ReadAuthorizationRequest(); if (pendingRequest == null) { throw new HttpException((int)HttpStatusCode.BadRequest, "Missing authorization request."); } var db = new OAuthEntities(); var requestingClient = db.oauth_client.First(c => c.ClientIdentifier == pendingRequest.ClientIdentifier); // Consider auto-approving if safe to do so. if (((OAuth2AuthorizationServer)this.authorizationServer.AuthorizationServerServices).CanBeAutoApproved(pendingRequest)) { var approval = this.authorizationServer.PrepareApproveAuthorizationRequest(pendingRequest, HttpContext.User.Identity.Name); return this.authorizationServer.Channel.PrepareResponse(approval).AsActionResult(); } var model = new AccountAuthorizeModel { ClientApp = requestingClient.Name, Scope = pendingRequest.Scope, AuthorizationRequest = pendingRequest, }; return View(model); }
public void RemoveKey(string bucket, string handle) { var db = new OAuthEntities(); var match = db.oauth_symmetriccryptokey.FirstOrDefault(k => k.Bucket == bucket && k.Handle == handle); if (match != null) { db.oauth_symmetriccryptokey.DeleteObject(match); } }
public CryptoKey GetKey(string bucket, string handle) { //var db = new OAuthEntities(); //var _db = db.symmetriccryptokeys.Where(k => k.Bucket == bucket && k.Handle == handle).ToList(); //// Perform a case senstive match //var matches = from key in _db // where string.Equals(key.Bucket, bucket, StringComparison.Ordinal) && // string.Equals(key.Handle, handle, StringComparison.Ordinal) // select new CryptoKey(key.Secret, key.ExpiresUtc.AsUtc()); //return matches.FirstOrDefault(); var db = new OAuthEntities(); var cryptoKey = db.oauth_symmetriccryptokey.Where(c => c.Bucket == bucket && c.Handle == handle).OrderByDescending(c => c.ExpiresUtc).FirstOrDefault(); return new CryptoKey(cryptoKey.Secret, cryptoKey.ExpiresUtc.AsUtc()); }
public ActionResult AuthorizeResponse(bool isApproved) { var pendingRequest = this.authorizationServer.ReadAuthorizationRequest(); if (pendingRequest == null) { throw new HttpException((int)HttpStatusCode.BadRequest, "Missing authorization request."); } IDirectedProtocolMessage response; if (isApproved) { // The authorization we file in our database lasts until the user explicitly revokes it. // You can cause the authorization to expire by setting the ExpirationDateUTC // property in the below created ClientAuthorization. var db = new OAuthEntities(); var client = db.oauth_client.First(c => c.ClientIdentifier == pendingRequest.ClientIdentifier); var username = "******";//HttpContext.User.Identity.Name; var user = db.sys_user.FirstOrDefault(c => c.Username == username); db.oauth_clientauthorization.AddObject(new oauth_clientauthorization { UserId = user.ID, ClientId = client.ClientId, CreatedOnUtc = DateTime.UtcNow, Scope = OAuthUtilities.JoinScopes(pendingRequest.Scope), ExpirationDateUtc = DateTime.UtcNow.AddMinutes(1) }); db.SaveChanges(); // submit now so that this new row can be retrieved later in this same HTTP request // In this simple sample, the user either agrees to the entire scope requested by the client or none of it. // But in a real app, you could grant a reduced scope of access to the client by passing a scope parameter to this method. response = this.authorizationServer.PrepareApproveAuthorizationRequest(pendingRequest, username); } else { response = this.authorizationServer.PrepareRejectAuthorizationRequest(pendingRequest); } var a = this.authorizationServer.Channel.PrepareResponse(response); return a.AsActionResult(); }
public IEnumerable<KeyValuePair<string, CryptoKey>> GetKeys(string bucket) { var db = new OAuthEntities(); //return from key in db.symmetriccryptokeys // where key.Bucket == bucket // orderby key.ExpiresUtc descending // select new KeyValuePair<string, CryptoKey>(key.Handle, new CryptoKey(key.Secret, key.ExpiresUtc.AsUtc())); //var db = new OAuthEntities(); //var cryptoKey = db.symmetriccryptokeys.Where(c => c.Bucket == bucket).OrderByDescending(c => c.ExpiresUtc); //return cryptoKey.Select(c => new KeyValuePair<string, CryptoKey>(c.Handle, new CryptoKey(c.Secret, c.ExpiresUtc.AsUtc()))); var matches = from key in db.oauth_symmetriccryptokey where key.Bucket == bucket orderby key.ExpiresUtc descending select key; List<KeyValuePair<string, CryptoKey>> en = new List<KeyValuePair<string, CryptoKey>>(); foreach (var key in matches) en.Add(new KeyValuePair<string, CryptoKey>(key.Handle, new CryptoKey(key.Secret, key.ExpiresUtc.AsUtc()))); return en.AsEnumerable<KeyValuePair<string, CryptoKey>>(); }
public void StoreKey(string bucket, string handle, CryptoKey key) { var keyRow = new oauth_symmetriccryptokey() { Bucket = bucket, Handle = handle, Secret = key.Key, ExpiresUtc = key.ExpiresUtc, }; var db = new OAuthEntities(); db.oauth_symmetriccryptokey.AddObject(keyRow); db.SaveChanges(); }
/// <summary> /// Stores a given nonce and timestamp. /// </summary> /// <param name="context">The context, or namespace, within which the /// <paramref name="nonce"/> must be unique. /// The context SHOULD be treated as case-sensitive. /// The value will never be <c>null</c> but may be the empty string.</param> /// <param name="nonce">A series of random characters.</param> /// <param name="timestampUtc">The UTC timestamp that together with the nonce string make it unique /// within the given <paramref name="context"/>. /// The timestamp may also be used by the data store to clear out old nonces.</param> /// <returns> /// True if the context+nonce+timestamp (combination) was not previously in the database. /// False if the nonce was stored previously with the same timestamp and context. /// </returns> /// <remarks> /// The nonce must be stored for no less than the maximum time window a message may /// be processed within before being discarded as an expired message. /// This maximum message age can be looked up via the /// <see cref="DotNetOpenAuth.Configuration.MessagingElement.MaximumMessageLifetime"/> /// property, accessible via the <see cref="Configuration"/> /// property. /// </remarks> public bool StoreNonce(string context, string nonce, DateTime timestampUtc) { var db = new OAuthEntities(); db.oauth_nonce.AddObject(new oauth_nonce() { Context = context, Code = nonce, Timestamp = timestampUtc }); try { db.SaveChanges(); return true; } catch (SqlException) { return false; } }
private bool IsAuthorizationValid(HashSet<string> requestedScopes, string clientIdentifier, DateTime issuedUtc, string username) { // If db precision exceeds token time precision (which is common), the following query would // often disregard a token that is minted immediately after the authorization record is stored in the db. // To compensate for this, we'll increase the timestamp on the token's issue date by 1 second. issuedUtc += TimeSpan.FromSeconds(1); var db = new OAuthEntities(); var now = DateTime.UtcNow; var client = db.oauth_client.FirstOrDefault(c => c.ClientIdentifier == clientIdentifier); if (!string.IsNullOrEmpty(username)) { var user = db.sys_user.FirstOrDefault(c => c.Username == username); //if (user != null) //部署到IIS下可用 //HttpContext.Current.Response.Headers.Add("userid", user.ID.ToString()); } //如果是内部客户端,直接返回 if (client != null && client.ClientType == (int)ClientType.Public) return true; var grantedScopeStrings = db.sys_user.Join(db.oauth_clientauthorization, c => c.ID, a => a.UserId, (u, ca) => new { u, ca }) .Join(db.oauth_client, c => c.ca.ClientId, c => c.ClientId, (uca, c) => new { uca.u, uca.ca, c, }) .Where( c => c.c.ClientIdentifier == clientIdentifier && c.ca.CreatedOnUtc <= issuedUtc && (c.ca.ExpirationDateUtc == null || c.ca.ExpirationDateUtc >= now) && c.u.Username == username).Select(c => c.ca.Scope); if (!grantedScopeStrings.Any()) { // No granted authorizations prior to the issuance of this token, so it must have been revoked. // Even if later authorizations restore this client's ability to call in, we can't allow // access tokens issued before the re-authorization because the revoked authorization should // effectively and permanently revoke all access and refresh tokens. return false; } var grantedScopes = new HashSet<string>(OAuthUtilities.ScopeStringComparer); foreach (string scope in grantedScopeStrings) { grantedScopes.UnionWith(OAuthUtilities.SplitScopes(scope)); } return requestedScopes.IsSubsetOf(grantedScopes); }
public IClientDescription GetClient(string clientIdentifier) { var db = new OAuthEntities(); var consumerRow = db.oauth_client.SingleOrDefault( consumerCandidate => consumerCandidate.ClientIdentifier == clientIdentifier); if (consumerRow == null) { throw new ArgumentOutOfRangeException("clientIdentifier"); } return consumerRow; }
/// <summary> /// password授权 /// </summary> /// <param name="userName"></param> /// <param name="password"></param> /// <param name="accessRequest"></param> /// <returns></returns> public AutomatedUserAuthorizationCheckResponse CheckAuthorizeResourceOwnerCredentialGrant(string userName, string password, IAccessTokenRequest accessRequest) { var db = new OAuthEntities(); var md5PWD = password.ToMd5(); var user = db.sys_user.FirstOrDefault(u => u.Username == userName && u.Password == md5PWD); if (user == null) { return new AutomatedUserAuthorizationCheckResponse(accessRequest, false, userName); } //返回userid,部署到IIS下可用 //HttpContext.Current.Response.Headers.Add("userid", user.ID.ToString()); var client = db.oauth_client.FirstOrDefault(c => c.ClientIdentifier == accessRequest.ClientIdentifier); //如果是内部客户端,直接返回 if (client != null && client.ClientType == (int)ClientType.Public) return new AutomatedUserAuthorizationCheckResponse(accessRequest, true, userName); var userAuthorizationForClient = user.oauth_clientauthorization.FirstOrDefault(a => a.oauth_client.ClientIdentifier == accessRequest.ClientIdentifier && (a.ExpirationDateUtc == null || a.ExpirationDateUtc >= DateTime.UtcNow)); if (userAuthorizationForClient == null) { return new AutomatedUserAuthorizationCheckResponse(accessRequest, false, userName); } var isApproved = RequestedScopeIsValid(accessRequest.Scope, OAuthUtilities.SplitScopes(userAuthorizationForClient.Scope)); return new AutomatedUserAuthorizationCheckResponse(accessRequest, isApproved, userName); }