public void Initiazlize() { CfCacheIndex.Initialize(); CfPerfCache.Initialize(); var cIdentity = new ClaimsIdentity(new List<Claim>() { new Claim("http://climbfind.com/claims/userid",jsk.ToString()) }); var ids = new ClaimsIdentityCollection(new List<ClaimsIdentity>() { cIdentity }); CfIdentity.Inject(new ClaimsPrincipal(ids)); }
IClaimsPrincipal AuthenticateSecurityToken(string endpoint, SecurityToken token) { ClaimsIdentityCollection claims = _handlers.ValidateToken(token); IClaimsPrincipal principal = ClaimsPrincipal.CreateFromIdentities(claims); return(CustomSecurityTokenServiceConfiguration.Current.ClaimsAuthenticationManager.Authenticate(endpoint, principal)); }
public override ClaimsIdentityCollection ValidateToken(SecurityToken token) { ClaimsIdentityCollection idColl = new ClaimsIdentityCollection(); IClaimsIdentity id = new ClaimsIdentity((token as MyCustomToken).Claims); idColl.Add(id); return(idColl); }
private ClaimsIdentityCollection ValidateTokenCore(System.IdentityModel.Tokens.SecurityToken token, bool isActorToken) { JsonWebSecurityToken jsonWebSecurityToken = token as JsonWebSecurityToken; if (jsonWebSecurityToken == null) { return(base.ValidateToken(token)); } if (base.Configuration == null) { throw new System.InvalidOperationException("No configuration."); } if (base.Configuration.IssuerNameRegistry == null) { throw new System.InvalidOperationException("No issuername registry configured."); } this.ValidateLifetime(jsonWebSecurityToken); this.ValidateAudience(jsonWebSecurityToken); System.IdentityModel.Tokens.X509SecurityToken x509SecurityToken = jsonWebSecurityToken.IssuerToken as System.IdentityModel.Tokens.X509SecurityToken; if (x509SecurityToken != null) { base.Configuration.CertificateValidator.Validate(x509SecurityToken.Certificate); } ClaimsIdentityCollection claimsIdentityCollection = new ClaimsIdentityCollection(); ClaimsIdentity claimsIdentity = new ClaimsIdentity("Federation"); if (!isActorToken && jsonWebSecurityToken.ActorToken != null) { ValidateActorTokenForAppOnly(jsonWebSecurityToken.ActorToken); ClaimsIdentityCollection claimsIdentityCollection2 = this.ValidateActorToken(jsonWebSecurityToken.ActorToken); if (claimsIdentityCollection2.Count > 1) { throw new System.IdentityModel.Tokens.SecurityTokenException("Invalid JWT token. Actor has multiple identities."); } claimsIdentity.Actor = claimsIdentityCollection2[0]; } string issuerName = this.GetIssuerName(jsonWebSecurityToken); foreach (JsonWebTokenClaim current in jsonWebSecurityToken.Claims) { if (claimsIdentity.Actor == null || !System.StringComparer.Ordinal.Equals("actortoken", current.ClaimType)) { string text = current.Value; if (text == null) { text = "NULL"; } claimsIdentity.Claims.Add(new Claim(current.ClaimType, text, "http://www.w3.org/2001/XMLSchema#string", issuerName)); } } if (!isActorToken && base.Configuration.SaveBootstrapTokens) { claimsIdentity.BootstrapToken = token; } claimsIdentityCollection.Add(claimsIdentity); return(claimsIdentityCollection); }
/// <summary> /// Validate the token received and create a ClaimsPrincipal accordingly. /// </summary> IClaimsPrincipal AuthenticateSecurityToken(string endpoint, SecurityToken token) { ClaimsIdentityCollection claims = _serviceConfiguration.SecurityTokenHandlers.ValidateToken(token); IClaimsPrincipal principal = ClaimsPrincipal.CreateFromIdentities(claims); // // the ClaimsAuthenticationManager may be provided to adjust the claims received specifically for this RP // return(_serviceConfiguration.ClaimsAuthenticationManager.Authenticate(endpoint, principal)); }
/// <summary> /// This method parses the incoming token and validates it. /// </summary> /// <param name="accessToken">The incoming access token.</param> /// <param name="error">This out paramter is set if any error occurs.</param> /// <returns>True on success, False on error.</returns> protected bool ReadAndValidateToken(string accessToken, out ResourceAccessErrorResponse error) { bool tokenValid = false; error = null; SecurityToken token = null; ClaimsIdentityCollection claimsIdentityCollection = null; try { var handler = new SimpleWebTokenHandler(_issuer, _tokenSigningKey); // read the token token = handler.ReadToken(accessToken); // validate the token claimsIdentityCollection = handler.ValidateToken(token, _realm); // create a claims Principal from the token var claimsPrincipal = ClaimsPrincipal.CreateFromIdentities(claimsIdentityCollection); if (claimsPrincipal != null) { tokenValid = true; // push it through the pipeline foreach (var step in authenticationPipeline) { claimsPrincipal = step.Authenticate(token, claimsPrincipal); } // assign to threads if (HttpContext.Current != null) { HttpContext.Current.User = claimsPrincipal; } Thread.CurrentPrincipal = claimsPrincipal; } } catch (InvalidTokenReceivedException ex) { error = new ResourceAccessErrorResponse(_realm, ex.ErrorCode, ex.ErrorDescription); } catch (ExpiredTokenReceivedException ex) { error = new ResourceAccessErrorResponse(_realm, ex.ErrorCode, ex.ErrorDescription); } catch (Exception) { error = new ResourceAccessErrorResponse(_realm, "SWT401", "Token validation failed"); } return(tokenValid); }
/// <summary> /// Validates the token. /// </summary> /// <param name="token">The token.</param> /// <returns>Collection of identity claims</returns> public override ClaimsIdentityCollection ValidateToken(System.IdentityModel.Tokens.SecurityToken token) { UserNameSecurityToken userNameSecurityToken = token as UserNameSecurityToken; MembershipProvider provider = Membership.Provider; bool isValidated = provider.ValidateUser(userNameSecurityToken.UserName, userNameSecurityToken.Password); ClaimsIdentity claimsIdentity = new ClaimsIdentity(new Claim[] { new Claim(System.IdentityModel.Claims.ClaimTypes.Name, userNameSecurityToken.UserName) }); ClaimsIdentityCollection claimIdentityCollection = new ClaimsIdentityCollection(new IClaimsIdentity[] { claimsIdentity }); return(claimIdentityCollection); }
public override IClaimsIdentity ProcessSignInResponse(string realm, string originalUrl, HttpContextBase httpContext) { var token = FederatedAuthentication.WSFederationAuthenticationModule.GetSecurityToken(HttpContext.Current.Request); FederatedAuthentication.ServiceConfiguration.AudienceRestriction.AllowedAudienceUris.Add(this.MultiProtocolIssuer.Identifier); FederatedAuthentication.ServiceConfiguration.SecurityTokenHandlers.Configuration.CertificateValidator = X509CertificateValidator.None; FederatedAuthentication.ServiceConfiguration.SecurityTokenHandlers.Configuration.IssuerNameRegistry = new SimpleIssuerNameRegistry(this.signingKeyThumbprint); ClaimsIdentityCollection identities = FederatedAuthentication.ServiceConfiguration.SecurityTokenHandlers.ValidateToken(token); return(identities[0]); }
public void TestThatIssueAppendsClaimsToCallingClaimsPrincipal(string trustedUri, string identityCertificate, string mailAddress, int expectedAppendedClaims) { var fixture = new Fixture(); var identifyMock = MockRepository.GenerateMock <IIdentity>(); identifyMock.Expect(m => m.Name) .Return(fixture.Create <string>()) .Repeat.Any(); identifyMock.Expect(m => m.IsAuthenticated) .Return(true) .Repeat.Any(); var claimsIdentityMock = MockRepository.GenerateMock <IClaimsIdentity>(); var claimsCollection = new ClaimCollection(claimsIdentityMock) { new Claim(ClaimTypes.Email, mailAddress) }; claimsIdentityMock.Stub(m => m.Claims) .Return(claimsCollection) .Repeat.Any(); var claimsIdentityCollection = new ClaimsIdentityCollection(new List <IClaimsIdentity> { claimsIdentityMock }); var claimPrincipalMock = MockRepository.GenerateMock <IClaimsPrincipal>(); claimPrincipalMock.Stub(m => m.Identity) .Return(identifyMock) .Repeat.Any(); claimPrincipalMock.Stub(m => m.Identities) .Return(claimsIdentityCollection) .Repeat.Any(); var basicSecurityTokenService = new BasicSecurityTokenService(new BasicSecurityTokenServiceConfiguration()); Assert.That(basicSecurityTokenService, Is.Not.Null); var request = new RequestSecurityToken { AppliesTo = new EndpointAddress(new Uri(trustedUri), new X509CertificateEndpointIdentity(TestHelper.GetCertificate(identityCertificate)), new AddressHeaderCollection()) }; var response = basicSecurityTokenService.Issue(claimPrincipalMock, request); Assert.That(response, Is.Not.Null); Assert.That(claimsCollection.Count, Is.EqualTo(1 + expectedAppendedClaims)); }
public override IClaimsIdentity ProcessSignInResponse(string realm, string originalUrl, HttpContextBase httpContext) { string localAuthorityRealm = realmFormat .Replace("{tenantId}", tenantId) .Replace("{appPrincipalId}", appPrincipalId); var token = FederatedAuthentication.WSFederationAuthenticationModule.GetSecurityToken(HttpContext.Current.Request); FederatedAuthentication.ServiceConfiguration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(localAuthorityRealm)); FederatedAuthentication.ServiceConfiguration.SecurityTokenHandlers.Configuration.CertificateValidator = X509CertificateValidator.None; FederatedAuthentication.ServiceConfiguration.SecurityTokenHandlers.Configuration.IssuerNameRegistry = new SimpleIssuerNameRegistry(this.signingKeyThumbprint); ClaimsIdentityCollection identities = FederatedAuthentication.ServiceConfiguration.SecurityTokenHandlers.ValidateToken(token); return(identities[0]); }
public void Initiazlize() { CfCacheIndex.Initialize(); CfPerfCache.Initialize(); var cIdentity = new ClaimsIdentity(new List <Claim>() { new Claim("http://climbfind.com/claims/userid", jsk.ToString()) }); var ids = new ClaimsIdentityCollection(new List <ClaimsIdentity>() { cIdentity }); CfIdentity.Inject(new ClaimsPrincipal(ids)); }
protected override void EstablishContext() { claimsIdentity = mocks.Stub<IClaimsIdentity>(); suppliedClaims = GetDefaultClaims(IncludeLeaClaim(), IncludeLeaCodeClaim()); suppliedClaimsCollect = new ClaimCollection(claimsIdentity); suppliedClaimsCollect.AddRange(suppliedClaims); identityCollection = new ClaimsIdentityCollection(Enumerable.Repeat(claimsIdentity, 1)); Expect.Call(claimsIdentity.Claims).Return(suppliedClaimsCollect); principal = mocks.Stub<IClaimsPrincipal>(); Expect.Call(principal.Identity).Return(claimsIdentity); Expect.Call(principal.Identities).Return(identityCollection); }
/// <summary> /// This method parses the incoming token and validates it. /// </summary> /// <param name="accessToken">The incoming access token.</param> /// <param name="error">This out paramter is set if any error occurs.</param> /// <returns>True on success, False on error.</returns> protected bool ReadAndValidateToken(string accessToken, out ResourceAccessErrorResponse error) { bool tokenValid = false; error = null; SecurityToken token = null; ClaimsIdentityCollection claimsIdentityCollection = null; try { SimpleWebTokenHandler handler = new SimpleWebTokenHandler(); // read the token token = handler.ReadToken(accessToken); // validate the token claimsIdentityCollection = handler.ValidateToken(token); // create a claims Principal from the token IClaimsPrincipal authenticatedClaimsPrincipal = ServiceConfiguration.ClaimsAuthenticationManager.Authenticate( HttpContext.Current.Request.Url.AbsoluteUri, new ClaimsPrincipal(claimsIdentityCollection)); if (authenticatedClaimsPrincipal != null) { tokenValid = true; // Set the ClaimsPrincipal so that it is accessible to the application SetPrincipal(authenticatedClaimsPrincipal); } } catch (InvalidTokenReceivedException ex) { error = new ResourceAccessErrorResponse(realm, ex.ErrorCode, ex.ErrorDescription); } catch (ExpiredTokenReceivedException ex) { error = new ResourceAccessErrorResponse(realm, ex.ErrorCode, ex.ErrorDescription); } catch (Exception) { error = new ResourceAccessErrorResponse(realm, OAuthConstants.ErrorCode.InvalidToken, "Token validation failed"); } return(tokenValid); }
/// <summary> /// This methos validates the Simple Web Token. /// </summary> /// <param name="token">A simple web token.</param> /// <returns>A Claims Collection which contains all the claims from the token.</returns> public ClaimsIdentityCollection ValidateToken(SecurityToken token, string key) { SimpleWebToken realToken = token as SimpleWebToken; if (realToken == null) { throw new InvalidTokenReceivedException("The received token is of incorrect token type.Expected SimpleWebToken"); } if (realToken.AudienceUri != OAuthConfiguration.Configuration.ServiceSettings.Realm) { throw new InvalidTokenReceivedException("The Audience Uri of the incoming token is not expected. Expected AudienceUri is " + OAuthConfiguration.Configuration.ServiceSettings.Realm); } if (StringComparer.OrdinalIgnoreCase.Compare(realToken.Issuer, OAuthConfiguration.Configuration.StsSettings.IssuerUri.ToString()) != 0) { throw new InvalidTokenReceivedException("The Issuer of the token is not trusted. Trusted issuer is " + OAuthConfiguration.Configuration.StsSettings.IssuerUri); } if (!realToken.SignVerify(Convert.FromBase64String(key))) { throw new InvalidTokenReceivedException("Signature verification of the incoming token failed."); } if (DateTime.Compare(realToken.ValidTo, DateTime.UtcNow) <= 0) { throw new ExpiredTokenReceivedException("The incoming token has expired. Get a new access token from the Authorization Server."); } ClaimsIdentityCollection identities = new ClaimsIdentityCollection(); ClaimsIdentity identity = new ClaimsIdentity(); foreach (var claim in realToken.Claims) { identity.Claims.Add(claim); } identities.Add(identity); return(identities); }
/// <summary> /// Get Claims Principal from incoming response. /// </summary> /// <param name="rstr"></param> /// <returns></returns> private static IClaimsPrincipal GetClaimsIdentity(RequestSecurityTokenResponse rstr) { var rstrXml = rstr.RequestedSecurityToken.SecurityTokenXml; if (rstrXml.OwnerDocument != null) { var xnm = new XmlNamespaceManager(rstrXml.OwnerDocument.NameTable); xnm.AddNamespace(Microsoft.IdentityModel.Tokens.Saml2.Saml2Constants.Prefix, Microsoft.IdentityModel.Tokens.Saml2.Saml2Constants.Namespace); } XNamespace ast = "urn:oasis:names:tc:SAML:2.0:assertion"; var xElement = ToXElement(rstrXml); var xElement1 = xElement.Element(ast + "Assertion"); if (xElement1 != null) { var attributeStatement1 = xElement1.Element(ast + "AttributeStatement"); if (attributeStatement1 != null) { var attributes1 = attributeStatement1.Elements(ast + "Attribute"); IClaimsIdentity claimsIdentity1 = new ClaimsIdentity(); foreach (var element in attributes1) { var claimType = element.Attribute("NameFormat") + "/" + element.Attribute("Name"); var value = element.Value; var xAttribute = element.Attribute("Name"); if (xAttribute != null && xAttribute.Value == "urn:FirstName") { claimsIdentity1.Claims.Add(new Claim(ClaimTypes.Name, element.Value)); } claimsIdentity1.Claims.Add(new Claim(claimType, value)); } var claimsIdentitycol = new ClaimsIdentityCollection(new[] { claimsIdentity1 }); return(ClaimsPrincipal.CreateFromIdentities(claimsIdentitycol)); } } return(null); }
public override ClaimsIdentityCollection ValidateToken(SecurityToken token) { UserNameSecurityToken unToken = token as UserNameSecurityToken; if (unToken == null) { throw new ArgumentException("token"); } // replace with proper password validation! if (!(unToken.UserName == "demouser" && unToken.Password == "demouser")) { throw new SecurityTokenValidationException(); } ClaimsIdentity id = new ClaimsIdentity(new List<Claim> { new Claim(WSIdentityConstants.ClaimTypes.Name, unToken.UserName) }, "UserName"); var ids = new ClaimsIdentityCollection(); ids.Add(id); return ids; }
private ClaimDescriptionList ValidateToken(string authToken) { ClaimDescriptionList claimList = new ClaimDescriptionList(); ClaimsIdentityCollection claimsResult = this.dstsManager.ValidateToken(authToken); List <ClaimDescription> claims = new List <ClaimDescription>(); for (int i = 0; i < claimsResult.Count; i++) { IClaimsIdentity claimIdentity = claimsResult[i]; foreach (Claim claim in claimIdentity.Claims) { ClaimDescription claimDescription = new ClaimDescription( claim.ClaimType, claim.Issuer, claim.OriginalIssuer, claim.Subject.ToString(), claim.Value, claim.ValueType); claims.Add(claimDescription); } } claimList.AddClaims(claims); return(claimList); }
protected R22ClaimsPrincipal(ClaimsIdentityCollection identityCollection, JsonWebToken token, string encryptedToken) : base(identityCollection) { Token = token; EncryptedToken = encryptedToken; }
/// <summary> /// Issues security token. /// </summary> /// <param name="requestParameters"> /// The request containing all information required to issue security token /// according to OAuth v2 specification. /// </param> /// <returns>Issued token.</returns> private Stream Issue(string requestParameters) { // That is not real issuer. Big idea here is to accept // REST token request (OAuth has nothing in common with WSTrust) // perform necessary validations/transformations, call real // issuer and than make transformations again to form response. var parameters = HttpUtility.ParseQueryString(requestParameters); var grantType = GetParameterOrThrow(parameters, OAuthParameters.GrantType); // Creating security token depending on grant type. var securityToken = GetSecurityToken(parameters, grantType); var wifConfiguration = ((OAuthIssuerServiceHost)OperationContext.Current.Host).Configuration; ClaimsIdentityCollection identities = null; try { // WIF would do this automatically but in RESTful case we are on our own. identities = wifConfiguration.SecurityTokenHandlerCollectionManager[GetTokenUsage()].ValidateToken(securityToken); } catch (AudienceUriValidationFailedException) { throw new OAuthWebException(OAuthError.InvalidScope); } catch (SecurityTokenValidationException) { throw new OAuthWebException(OAuthError.InvalidGrant); } catch (Exception) { throw new OAuthWebException(HttpStatusCode.InternalServerError); } // Making things look like client called real issuer directly. RequestSecurityTokenResponse rstr = null; try { var rst = new RequestSecurityToken(RequestTypes.Issue) { TokenType = TokenTypeIdentifier, AppliesTo = ContainsKey(parameters, OAuthParameters.Scope) ? new EndpointAddress(parameters[OAuthParameters.Scope]) : null }; PrepareRequestSecurityToken(rst); var securityTokenService = wifConfiguration.CreateSecurityTokenService(); rstr = securityTokenService.Issue(new ClaimsPrincipal(identities), rst); } catch (InvalidRequestException) { throw new OAuthWebException(OAuthError.InvalidScope); } catch (Exception) { throw new OAuthWebException(OAuthError.InvalidClient, "Failed to issue security token"); } // Transforming issued token back to form that is expected by client. var token = GetResponse(rstr.RequestedSecurityToken.SecurityToken); if (token == null || !token.Validate()) { throw new OAuthWebException(HttpStatusCode.InternalServerError); } var tokenString = JsonConvert.SerializeObject(token); return(new MemoryStream(Encoding.ASCII.GetBytes(tokenString))); }
/// <summary> /// /// </summary> /// <param name="token"></param> /// <returns></returns> public override ClaimsIdentityCollection ValidateToken(SecurityToken token) { if (null == token) throw new ArgumentNullException("token"); SimpleWebToken webToken = token as SimpleWebToken; if (null == webToken) throw new SecurityTokenException("The token provided to ValidateToken must be a SimpleWebToken."); if (false == webToken.IsSignatureValid()) throw new SecurityTokenException("Signature is invalid."); if (webToken.ValidTo < DateTime.Now) throw new SecurityTokenException("Token is expired"); if (false == IsIssuerTrusted(webToken)) throw new SecurityTokenException("Issuer not trusted"); if (false == IsAudienceTrusted(webToken)) throw new SecurityTokenException("Invalid audience"); ClaimsIdentityCollection identities = new ClaimsIdentityCollection(); identities.Add(CreateClaims(webToken.Values)); return identities; }
private ClaimsIdentityCollection GetIdentitiesFromClaim(IClaimsPrincipal incomingPrincipal, string claimType, string claimValue) { ClaimsIdentityCollection ids = new ClaimsIdentityCollection(); foreach ( IClaimsIdentity identity in incomingPrincipal.Identities ) { foreach (Claim c in identity.Claims) { if (c.ClaimType == claimType && c.Value == claimValue) { ids.Add(identity); } } } return ids; }
/// <summary> /// This methos validates the Simple Web Token. /// </summary> /// <param name="token">A simple web token.</param> /// <returns>A Claims Collection which contains all the claims from the token.</returns> public ClaimsIdentityCollection ValidateToken(SecurityToken token, string key) { SimpleWebToken realToken = token as SimpleWebToken; if (realToken == null) { throw new InvalidTokenReceivedException("The received token is of incorrect token type.Expected SimpleWebToken"); } if (realToken.AudienceUri != OAuthConfiguration.Configuration.ServiceSettings.Realm) { throw new InvalidTokenReceivedException("The Audience Uri of the incoming token is not expected. Expected AudienceUri is " + OAuthConfiguration.Configuration.ServiceSettings.Realm); } if (StringComparer.OrdinalIgnoreCase.Compare(realToken.Issuer, OAuthConfiguration.Configuration.StsSettings.IssuerUri.ToString()) != 0) { throw new InvalidTokenReceivedException("The Issuer of the token is not trusted. Trusted issuer is " + OAuthConfiguration.Configuration.StsSettings.IssuerUri); } if (!realToken.SignVerify(Convert.FromBase64String(key))) { throw new InvalidTokenReceivedException("Signature verification of the incoming token failed."); } if (DateTime.Compare(realToken.ValidTo, DateTime.UtcNow) <= 0) { throw new ExpiredTokenReceivedException("The incoming token has expired. Get a new access token from the Authorization Server."); } ClaimsIdentityCollection identities = new ClaimsIdentityCollection(); ClaimsIdentity identity = new ClaimsIdentity(); foreach (var claim in realToken.Claims) { identity.Claims.Add(claim); } identities.Add(identity); return identities; }
public ActionResult Authenticate(string ReturnUrl) { if (Request.Form.Get(WSFederationConstants.Parameters.Result) != null) { var settings = this.SettingsService.Retrieve(); // Parse sign-in response SignInResponseMessage message = WSFederationMessage.CreateFromFormPost(System.Web.HttpContext.Current.Request) as SignInResponseMessage; XmlTextReader xmlReader = new XmlTextReader( new StringReader(message.Result)); XDocument xDoc = XDocument.Load(xmlReader); XNamespace xNs = "http://schemas.xmlsoap.org/ws/2005/02/trust"; var rst = xDoc.Descendants(xNs + "RequestedSecurityToken").FirstOrDefault(); if (rst == null) { throw new ApplicationException("No RequestedSecurityToken element was found in the returned XML token. Ensure an unencrypted SAML 2.0 token is issued."); } var rstDesc = rst.Descendants().FirstOrDefault(); if (rstDesc == null) { throw new ApplicationException("No valid RequestedSecurityToken element was found in the returned XML token. Ensure an unencrypted SAML 2.0 token is issued."); } var config = new SecurityTokenHandlerConfiguration(); config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(settings.AudienceUrl)); config.CertificateValidator = X509CertificateValidator.None; config.IssuerNameRegistry = new AccessControlServiceIssuerRegistry( settings.StsIssuerUrl, settings.X509CertificateThumbprint); var securityTokenHandlers = new SecurityTokenHandlerCollection(config); securityTokenHandlers.Add(new Saml11SecurityTokenHandler()); securityTokenHandlers.Add(new Saml2SecurityTokenHandler()); securityTokenHandlers.Add(new EncryptedSecurityTokenHandler()); var token = securityTokenHandlers.ReadToken(rstDesc.CreateReader()); ClaimsIdentityCollection claims = securityTokenHandlers.ValidateToken(token); IPrincipal principal = new ClaimsPrincipal(claims); // Map claims to local users string roleClaimValue = ""; string usernameClaimValue = ""; string emailClaimValue = ""; foreach (var claimsIdentity in claims) { foreach (var claim in claimsIdentity.Claims) { if (claim.ClaimType == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" && settings.TranslateClaimsToOrchardRoles) { roleClaimValue = claim.Value; } else if (claim.ClaimType == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" && settings.TranslateClaimsToOrchardUserProperties) { emailClaimValue = claim.Value; } else if (claim.ClaimType == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name") { usernameClaimValue = claim.Value; } else if (claim.ClaimType == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" && string.IsNullOrEmpty(usernameClaimValue)) { usernameClaimValue = claim.Value; } } } if (string.IsNullOrEmpty(usernameClaimValue)) { throw new SecurityException("Could not determine username from input claims. Ensure a \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\" or \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\" claim is issued by the STS."); } IUser user = MembershipService.GetUser(settings.FederatedUsernamePrefix + usernameClaimValue); if (user == null) { user = MembershipService.CreateUser(new CreateUserParams(settings.FederatedUsernamePrefix + usernameClaimValue, Guid.NewGuid().ToString(), emailClaimValue, Guid.NewGuid().ToString(), Guid.NewGuid().ToString(), true)); } AuthenticationService.SignIn(user, false); if (!string.IsNullOrEmpty(roleClaimValue)) { var role = RoleService.GetRoleByName(roleClaimValue); if (role != null) { UserRolesPartRecord currentRole = UserRolesRepository.Get(r => r.UserId == user.Id && r.Role == role); if (currentRole == null) { UserRolesRepository.Create(new UserRolesPartRecord { UserId = user.Id, Role = role }); } } } } return(new RedirectResult(ReturnUrl)); }
public CustomerClaimsPrincipal(ClaimsIdentityCollection identityCollection, JsonWebToken token, string encryptedToken) : base(identityCollection, token, encryptedToken) { }
/// <summary> /// Override this method to return the content of the issued token. The content is represented as a set of /// IClaimIdentity instances. Each instance corresponds to a single issued token. /// </summary> /// <param name="scope">The scope that was previously returned by GetScope</param> /// <param name="principal">The caller's principal</param> /// <param name="request">The incoming RST, actual token request</param> /// <returns>A collection of ClaimsIdentity that contain claims so that they can be sent back inside the issued token</returns> protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope) { IClaimsIdentity callerIdentity = principal.Identity as IClaimsIdentity; List <Claim> claims = new List <Claim>(); Claim nameValue = new Claim(ClaimTypes.Name, callerIdentity.Name); claims.Add(nameValue); // // Find the authentication method claim. // string authenticationMethod = GetAuthStrengthClaim(callerIdentity); // // If no authentication method claim was found, use the AuthenticationType that was set on the caller's identity. // if (String.IsNullOrEmpty(authenticationMethod)) { authenticationMethod = callerIdentity.AuthenticationType; } // // Add an authentication method claim if found. // if (!String.IsNullOrEmpty(authenticationMethod)) { // // Propagate the original authentication method claim. This may be used at the RP to verify authentication strength. // claims.Add(new Claim(ClaimTypes.AuthenticationMethod, authenticationMethod)); } // // Add an authentication instant claim. // claims.Add(new Claim(ClaimTypes.AuthenticationInstant, XmlConvert.ToString(DateTime.Now.ToUniversalTime(), "yyyy-MM-ddTHH:mm:ss.fffZ"))); // // We send back high assurance claims only when the authentication method is X509. // The authenticationMethod value dictates whether high assurance claims need to be sent or not. // if (authenticationMethod == AuthenticationMethods.X509) { // // Date of Birth claim // Claim dobClaim = new Claim(ClaimTypes.DateOfBirth, "Jan 01, 1980"); claims.Add(dobClaim); // // Resident zip code claim // Claim zipClaim = new Claim(ClaimTypes.PostalCode, "98052"); claims.Add(zipClaim); // // Phone number claim // Claim phoneClaim = new Claim(ClaimTypes.MobilePhone, "425-123-0000"); claims.Add(phoneClaim); } ClaimsIdentityCollection collection = new ClaimsIdentityCollection(); ClaimsIdentity outputIdentity = new ClaimsIdentity(claims); return(outputIdentity); }
/// <summary> /// Get Claims Principal from incoming response. /// </summary> /// <param name="rstr"></param> /// <returns></returns> private static IClaimsPrincipal GetClaimsIdentity(RequestSecurityTokenResponse rstr) { var rstrXml = rstr.RequestedSecurityToken.SecurityTokenXml; if (rstrXml.OwnerDocument != null) { var xnm = new XmlNamespaceManager(rstrXml.OwnerDocument.NameTable); xnm.AddNamespace(Microsoft.IdentityModel.Tokens.Saml2.Saml2Constants.Prefix, Microsoft.IdentityModel.Tokens.Saml2.Saml2Constants.Namespace); } XNamespace ast = "urn:oasis:names:tc:SAML:2.0:assertion"; var xElement = ToXElement(rstrXml); var xElement1 = xElement.Element(ast + "Assertion"); if (xElement1 != null) { var attributeStatement1 = xElement1.Element(ast + "AttributeStatement"); if (attributeStatement1 != null) { var attributes1 = attributeStatement1.Elements(ast + "Attribute"); IClaimsIdentity claimsIdentity1 = new ClaimsIdentity(); foreach (var element in attributes1) { var claimType = element.Attribute("NameFormat") + "/" + element.Attribute("Name"); var value = element.Value; var xAttribute = element.Attribute("Name"); if (xAttribute != null && xAttribute.Value == "urn:FirstName") claimsIdentity1.Claims.Add(new Claim(ClaimTypes.Name, element.Value)); claimsIdentity1.Claims.Add(new Claim(claimType, value)); } var claimsIdentitycol = new ClaimsIdentityCollection(new[] { claimsIdentity1 }); return ClaimsPrincipal.CreateFromIdentities(claimsIdentitycol); } } return null; }
public override ClaimsIdentityCollection ValidateToken(SecurityToken token) { CustomTextTraceSource ts = new CustomTextTraceSource("IdpSts.CustomUserNameSecurityTokenHandler.ValidateToken", "MyTraceSource", SourceLevels.Information); //StackTracer.TraceStack(ts); UserNameSecurityToken usernameToken = token as UserNameSecurityToken; if (usernameToken == null) { throw new ArgumentException("usernameToken", "The security token is not a valid username security token."); } // will throw if fails UsernameCredentialStore.AuthenticateUser(usernameToken.UserName, usernameToken.Password); ClaimsIdentityCollection identities = new ClaimsIdentityCollection(); IClaimsIdentity claimsIdentity = new ClaimsIdentity("CustomUserNameSecurityTokenHandler"); claimsIdentity.Claims.Add(new Claim(System.IdentityModel.Claims.ClaimTypes.Name, usernameToken.UserName)); identities.Add(claimsIdentity); return identities; }