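/// <summary>
/// Builds the <see cref="TokenRequestContext"/> for a "Bearer" challenge from the "resource"
/// parameter (preferred, suffixed with "/.default") or, failing that, the "scope" parameter.
/// The resolved scope is cached per request authority so a later challenge that carries
/// neither parameter can reuse it.
/// </summary>
/// <param name="message">The message whose <c>Response</c> carries the challenge and whose <c>Request</c> supplies the authority and client request id.</param>
/// <param name="context">On success, the context built from the resolved scopes; <c>default</c> on failure.</param>
/// <returns>
/// <c>true</c> when a scope was taken from the challenge or found in the cache;
/// <c>false</c> when the challenge has no scope and nothing is cached for the authority.
/// </returns>
protected override bool TryGetTokenRequestContextFromChallenge(HttpMessage message, out TokenRequestContext context)
{
    // An out parameter must be definitely assigned on every return path, including the early exit below.
    context = default;

    string authority = GetRequestAuthority(message.Request);

    // "resource" is an AAD resource identifier; "/.default" turns it into a v2.0 scope.
    string scope = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "resource");
    if (scope != null)
    {
        scope += "/.default";
    }
    else
    {
        scope = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "scope");
    }

    if (scope is null)
    {
        // No scope in the challenge: fall back to what was cached for this authority.
        // The condition is negated on purpose — a cache miss leaves _scope null (TryGetValue
        // resets its out argument), so continuing would dereference it below; a hit populates
        // _scope and we can proceed.
        if (!_scopeCache.TryGetValue(authority, out _scope))
        {
            return false;
        }
    }
    else
    {
        // NOTE(review): the scope is taken from the server-supplied challenge and is not compared
        // with the request authority here — confirm that such a check happens elsewhere in the
        // policy, otherwise a challenge may name a resource unrelated to the endpoint being called.
        _scope = new AuthorityScope(authority, new string[] { scope });
        _scopeCache[authority] = _scope;
    }

    context = new TokenRequestContext(_scope.Scopes, message.Request.ClientRequestId);
    return true;
}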
/// <summary>
/// Handles an ACR "Bearer" challenge: exchanges the AAD access token for an ACR refresh token,
/// exchanges that for an ACR access token, and places the ACR access token in the
/// Authorization header of the request.
/// </summary>
/// <param name="message">The message whose <c>Response</c> carries the challenge; its <c>Request</c> is authorized in place.</param>
/// <param name="async">Whether the token exchanges are awaited or completed synchronously.</param>
/// <returns>Always <c>true</c> once the header has been set.</returns>
protected override async ValueTask<bool> AuthenticateRequestOnChallengeAsync(HttpMessage message, bool async)
{
    // Step 2: the challenge names the registry ("service") and the requested repository scope ("scope").
    // Neither value is null-checked here; they are handed straight to the exchange helpers.
    string service = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "service");
    string repositoryScope = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "scope");

    // Step 3: AAD access token -> ACR refresh token.
    string acrRefreshToken = async
        ? await ExchangeAadAccessTokenForAcrRefreshTokenAsync(message, service, true).ConfigureAwait(false)
        : ExchangeAadAccessTokenForAcrRefreshTokenAsync(message, service, false).EnsureCompleted();

    // Step 4: ACR refresh token -> ACR access token.
    string acrAccessToken = async
        ? await ExchangeAcrRefreshTokenForAcrAccessTokenAsync(acrRefreshToken, service, repositoryScope, true, message.CancellationToken).ConfigureAwait(false)
        : ExchangeAcrRefreshTokenForAcrAccessTokenAsync(acrRefreshToken, service, repositoryScope, false, message.CancellationToken).EnsureCompleted();

    // Step 5: SetAuthorizationHeader is deliberately bypassed — it would attach an AAD token,
    // whereas from this point the request must carry the ACR access token.
    message.Request.Headers.SetValue(HttpHeader.Names.Authorization, $"Bearer {acrAccessToken}");
    return true;
}
/// <summary>
/// Handles a "Bearer" challenge by taking the tenant from the challenge's "authorization_uri",
/// optionally replacing the scopes with the challenge's "resource_id" (suffixed with
/// <c>Constants.DefaultScope</c>), and then authenticating and re-authorizing the request.
/// </summary>
/// <param name="message">The message whose <c>Response</c> carries the challenge; its <c>Request</c> is authorized in place.</param>
/// <param name="async">Whether the authentication call is awaited or run synchronously.</param>
/// <returns><c>true</c> when the request was re-authorized; <c>default</c> (<c>false</c>) if any step threw.</returns>
private async ValueTask <bool> AuthorizeRequestOnChallengeInternalAsync(HttpMessage message, bool async)
{
    try
    {
        var authUri = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "authorization_uri");
        // tenantId should be the guid as seen in this example: https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
        // NOTE(review): the tenant used for the token request is dictated by the server-supplied
        // challenge; nothing here checks that the host of authUri is an expected login authority.
        // A missing "authorization_uri" makes the Uri constructor throw, which the catch below hides.
        tenantId = new Uri(authUri).Segments[1].Trim('/');
        string scope = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "resource_id");
        if (scope != null)
        {
            // Only a challenge that names a resource overrides the configured scopes.
            scope += Constants.DefaultScope;
            _scopes = new string[] { scope };
        }
        TokenRequestContext context = new TokenRequestContext(_scopes, message.Request.ClientRequestId, tenantId: tenantId);
        if (async)
        {
            await AuthenticateAndAuthorizeRequestAsync(message, context).ConfigureAwait(false);
        }
        else
        {
            AuthenticateAndAuthorizeRequest(message, context);
        }
        return(true);
    }
    catch
    {
        // NOTE(review): this swallows every exception (malformed challenge, credential failure,
        // cancellation) and reports a plain "not handled" — the cause is lost to the caller and
        // to any logging. Consider narrowing the catch or recording the exception before returning.
        return(default);
/// <summary>
/// Handles a "Bearer" challenge that carries a base64url-encoded "claims" parameter by
/// re-authenticating the request with the decoded claims challenge.
/// </summary>
/// <param name="message">The message whose <c>Response</c> carries the challenge and whose <c>Request</c> is authorized in place.</param>
/// <returns><c>true</c> when a claims challenge was present and the request was re-authorized; <c>false</c> when the challenge has no "claims" parameter.</returns>
protected override bool AuthorizeRequestOnChallenge(HttpMessage message)
{
    var encodedClaims = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "claims");
    if (encodedClaims is null)
    {
        // No claims parameter: this policy has nothing to retry with.
        return false;
    }

    // The decoded claims challenge is forwarded to the credential along with the configured scopes.
    var context = new TokenRequestContext(
        _scopes,
        message.Request.ClientRequestId,
        Base64Url.DecodeString(encodedClaims));
    AuthenticateAndAuthorizeRequest(message, context);
    return true;
}
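/// <summary>
/// Handles a "Bearer" challenge that carries a base64url-encoded "claims" parameter by
/// requesting a token that satisfies the decoded claims challenge and setting the
/// Authorization header.
/// </summary>
/// <param name="message">The message whose <c>Response</c> carries the challenge and whose <c>Request</c> is authorized in place.</param>
/// <param name="async">Whether the header is set through the awaited or the synchronous path.</param>
/// <returns><c>true</c> when a claims challenge was present and the header was set; <c>false</c> when the challenge has no "claims" parameter.</returns>
protected override async ValueTask<bool> AuthenticateRequestOnChallengeAsync(HttpMessage message, bool async)
{
    var challenge = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "claims");
    if (challenge is null)
    {
        return false;
    }

    // The parameter is already a string, so no ToString() round-trip is needed before decoding.
    string claimsChallenge = Base64Url.DecodeString(challenge);
    var context = new TokenRequestContext(Scopes, message.Request.ClientRequestId, claimsChallenge);

    // Library code: do not resume on the caller's synchronization context; the other
    // challenge policies in this listing already use ConfigureAwait(false) on their awaits.
    await SetAuthorizationHeader(message, context, async).ConfigureAwait(false);
    return true;
}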
/// <summary>
/// Builds a <see cref="TokenRequestContext"/> for a "Bearer" challenge that carries a
/// base64url-encoded "claims" parameter.
/// </summary>
/// <param name="message">The message whose <c>Response</c> carries the challenge and whose <c>Request</c> supplies the client request id.</param>
/// <param name="context">On success, a context over <c>Scopes</c> with the decoded claims challenge; <c>default</c> otherwise.</param>
/// <returns><c>true</c> when a "claims" parameter was present; <c>false</c> otherwise.</returns>
protected override bool TryGetTokenRequestContextFromChallenge(HttpMessage message, out TokenRequestContext context)
{
    var encodedClaims = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "claims");
    if (encodedClaims is null)
    {
        context = default;
        return false;
    }

    // Decode the claims challenge and hand it to the credential together with the configured scopes.
    string claimsChallenge = Base64Url.DecodeString(encodedClaims);
    context = new TokenRequestContext(Scopes, message.Request.ClientRequestId, claimsChallenge);
    return true;
}
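/// <summary>
/// Core of the challenge handling: restores a request body stashed under
/// <c>KeyVaultStashedContentKey</c>, resolves the scope from the "resource" parameter
/// (suffixed with "/.default"), the "scope" parameter, or the per-authority cache, and then
/// authenticates and re-authorizes the request.
/// </summary>
/// <param name="message">The message whose <c>Response</c> carries the challenge; its <c>Request</c> is authorized in place.</param>
/// <param name="async">Whether the authentication call is awaited or run synchronously.</param>
/// <returns>
/// <c>true</c> when the request was re-authorized;
/// <c>false</c> when the challenge has no scope and nothing is cached for the authority.
/// </returns>
private async ValueTask<bool> AuthorizeRequestOnChallengeAsyncInternal(HttpMessage message, bool async)
{
    // Put back the body that was set aside before the challenge (presumably by the caller that
    // stashed it under KeyVaultStashedContentKey — see that code) so the authenticated retry carries it.
    // NOTE(review): a stashed value that is not a RequestContent is silently turned into null by `as`.
    if (message.Request.Content == null && message.TryGetProperty(KeyVaultStashedContentKey, out var content))
    {
        message.Request.Content = content as RequestContent;
    }

    string authority = GetRequestAuthority(message.Request);

    // "resource" is an AAD resource identifier; "/.default" turns it into a v2.0 scope.
    string scope = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "resource");
    if (scope != null)
    {
        scope += "/.default";
    }
    else
    {
        scope = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "scope");
    }

    if (scope is null)
    {
        // No scope in the challenge: fall back to what was cached for this authority.
        // The condition is negated on purpose — a cache miss leaves _scope null (TryGetValue
        // resets its out argument), so continuing would dereference it below; a hit populates
        // _scope and we can proceed.
        if (!_scopeCache.TryGetValue(authority, out _scope))
        {
            return false;
        }
    }
    else
    {
        // NOTE(review): the scope is taken from the server-supplied challenge and is not compared
        // with the request authority here — confirm that such a check happens elsewhere in the
        // policy, otherwise a challenge may name a resource unrelated to the endpoint being called.
        _scope = new AuthorityScope(authority, new string[] { scope });
        _scopeCache[authority] = _scope;
    }

    var context = new TokenRequestContext(_scope.Scopes, message.Request.ClientRequestId);
    if (async)
    {
        await AuthenticateAndAuthorizeRequestAsync(message, context).ConfigureAwait(false);
    }
    else
    {
        AuthenticateAndAuthorizeRequest(message, context);
    }
    return true;
}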