public static string GetJwtToken(this IRequest req)
{
var jwtAuthProvider = AuthenticateService.GetJwtAuthProvider();
if (jwtAuthProvider != null)
{
if (jwtAuthProvider.AllowInFormData)
{
var jwt = req.FormData[Keywords.TokenCookie];
if (!string.IsNullOrEmpty(jwt))
{
return(jwt);
}
}
if (jwtAuthProvider.AllowInQueryString)
{
var jwt = req.QueryString[Keywords.TokenCookie];
if (!string.IsNullOrEmpty(jwt))
{
return(jwt);
}
}
}
return(req.GetBearerToken() ??
req.GetCookieValue(Keywords.TokenCookie));
}
public object Any(GetJsonWebKeySet request)
{
var jwtProvider = AuthenticateService.GetJwtAuthProvider();
if (!JwtAuthProviderReader.RsaSignAlgorithms.ContainsKey(jwtProvider.HashAlgorithm))
{
return(HttpError.MethodNotAllowed("Non RSA algorithms are not supported"));
}
var keys = new List <JsonWebKey>();
var publicKey = jwtProvider.GetPublicKey(Request);
var alg = jwtProvider.HashAlgorithm;
var fallbackKeys = jwtProvider.GetFallbackPublicKeys(Request);
if (publicKey != null)
{
keys.Add(CreateJWKey(publicKey.Value, alg, jwtProvider.GetKeyId(Request)));
}
keys.AddRange(fallbackKeys.Select(key => CreateJWKey(key, alg)));
return(new JsonWebKeySetResponse {
Keys = keys
});
}
public void Requires_full_Signature_to_Authenticate()
{
var client = GetClientWithBasicAuthCredentials();
var authResponse = client.Post(new Authenticate());
Assert.That(authResponse.BearerToken, Is.Not.Null);
var jwtProvider = (JwtAuthProvider)AuthenticateService.GetJwtAuthProvider();
// Ensure minimum signature example
// jwtProvider.ValidateToken = (js,req) =>
// req.GetJwtToken().LastRightPart('.').FromBase64UrlSafe().Length >= 32;
var req = new BasicHttpRequest {
Headers = { [HttpHeaders.Authorization] = "Bearer " + authResponse.BearerToken }
};
Assert.That(jwtProvider.IsJwtValid(req));
var startSigPos = authResponse.BearerToken.LastIndexOf('.') + 1;
for (var i = startSigPos; i < authResponse.BearerToken.Length; i++)
{
req.Headers[HttpHeaders.Authorization] = "Bearer " + authResponse.BearerToken.Substring(0, i);
Assert.That(jwtProvider.IsJwtValid(req), Is.False);
}
}
public object Any(GetOpenIdDiscoveryDocument request)
{
var jwtProvider = AuthenticateService.GetJwtAuthProvider();
return(new OpenIdDiscoveryDocument {
JwksUri = new GetJsonWebKeySet().ToAbsoluteUri(Request),
Issuer = jwtProvider.Issuer
});
}
public void Does_not_validate_invalid_token()
{
var expiredJwt = CreateExpiredToken();
var jwtProvider = AuthenticateService.GetJwtAuthProvider();
Assert.That(jwtProvider.IsJwtValid(expiredJwt), Is.False);
Assert.That(jwtProvider.GetValidJwtPayload(expiredJwt), Is.Null);
}
public void Register(IAppHost appHost)
{
JwtAuthProvider = AuthenticateService.GetJwtAuthProvider();
if (JwtAuthProvider is JwtAuthProvider)
{
appHost.RegisterService(typeof(JwksService));
}
else if (JwtAuthProvider != null)
{
var keySet = RetrieveKeySet();
LoadKeySet(keySet);
}
}
public void Can_validate_valid_token()
{
var authClient = GetClient();
var jwt = authClient.Send(new Authenticate
{
provider = "credentials",
UserName = Username,
Password = Password,
}).BearerToken;
var jwtProvider = AuthenticateService.GetJwtAuthProvider();
Assert.That(jwtProvider.IsJwtValid(jwt));
var jwtPayload = jwtProvider.GetValidJwtPayload(jwt);
Assert.That(jwtPayload, Is.Not.Null);
Assert.That(jwtPayload["preferred_username"], Is.EqualTo(Username));
}
public override void Execute(IRequest request, IResponse response, object requestDto)
{
var jwtProvider = AuthenticateService.GetJwtAuthProvider();
var userSession = request.GetSession();
string jwt = request.GetJwtToken();
if (jwt == null)
{
response.ReturnAuthRequired();
return;
}
var payload = jwtProvider.GetValidJwtPayload(jwt);
// !! make the user_auth key dynamic at some point
// Will likely require putting the actual behavior of this attribute into an action filter. See here: https://cuttingedge.it/blogs/steven/pivot/entry.php?id=98
var user_authorization = payload.FirstOrDefault(k => k.Key == "urn://user_authorization");
if (!user_authorization.Equals(default(KeyValuePair <string, string>)))
{
var authorization = user_authorization.Value.FromJson <UserAuthorization>();
authorization.Scopes = payload.Get("scope").Split(' ');
if (authorization.Roles == null && authorization.Permissions == null)
{
response.ReturnAuthRequired();
}
if (authorization.Permissions.Length > 0)
{
if (userSession.Permissions == null)
{
userSession.Permissions = new List <string>(authorization.Permissions);
}
else
{
userSession.Permissions.AddRange(authorization.Permissions);
}
}
if (authorization.Roles.Length > 0)
{
if (userSession.Roles == null)
{
userSession.Roles = new List <string>(authorization.Roles);
}
else
{
userSession.Roles.AddRange(authorization.Roles);
}
}
}
var perms = payload.Get("scope").Split(' ');
var claims = perms;
if (claims == null)
{
response.ReturnAuthRequired();
return;
}
request.SaveSession(userSession);
return;
}
