private JwsPayload ExtractOPENIDTokenPayload()
{
var token = ExtractAuthorizationValue();
if (string.IsNullOrWhiteSpace(token))
{
return(null);
}
var isJwsToken = _jwtParser.IsJwsToken(token);
if (!isJwsToken)
{
return(null);
}
return(_jwtParser.Unsign(token, _umaHostOptions.OpenIdJsonWebKeySignature));
}
public async Task <bool> Handle(AuthenticateInstruction authenticateInstruction, OAuthClient client, string expectedIssuer)
{
if (authenticateInstruction == null)
{
throw new ArgumentNullException(nameof(authenticateInstruction));
}
if (client == null)
{
throw new ArgumentNullException(nameof(client));
}
if (client.Secrets == null)
{
throw new ArgumentNullException(nameof(client.Secrets));
}
var clientSecret = client.Secrets.FirstOrDefault(s => s.Type == ClientSecretTypes.SharedSecret);
if (clientSecret == null)
{
throw new OAuthException(ErrorCodes.INVALID_CLIENT_AUTH, ErrorMessages.NO_CLIENT_SECRET);
}
var clientAssertion = authenticateInstruction.ClientAssertion;
var isJweToken = _jwtParser.IsJweToken(clientAssertion);
if (!isJweToken)
{
throw new OAuthException(ErrorCodes.INVALID_CLIENT_AUTH, ErrorMessages.BAD_CLIENT_ASSERTION_FORMAT);
}
var clientId = authenticateInstruction.ClientIdFromHttpRequestBody;
var jws = await _jwtParser.Decrypt(clientAssertion, clientId, clientSecret.Value).ConfigureAwait(false);
if (string.IsNullOrWhiteSpace(jws))
{
throw new OAuthException(ErrorCodes.INVALID_CLIENT_AUTH, ErrorMessages.BAD_CLIENT_ASSERTION_DECRYPTION);
}
var isJwsToken = _jwtParser.IsJwsToken(jws);
if (!isJwsToken)
{
throw new OAuthException(ErrorCodes.INVALID_CLIENT_AUTH, ErrorMessages.BAD_CLIENT_ASSERTION_FORMAT);
}
var payload = await _jwtParser.Unsign(clientAssertion, clientId).ConfigureAwait(false);
if (payload == null)
{
throw new OAuthException(ErrorCodes.INVALID_CLIENT_AUTH, ErrorMessages.BAD_CLIENT_ASSERTION_SIGNATURE);
}
return(ValidateJwsPayLoad(payload, expectedIssuer));
}
public async Task <bool> Handle(AuthenticateInstruction authenticateInstruction, BaseClient client, string expectedIssuer, CancellationToken cancellationToken, string errorCode = ErrorCodes.INVALID_CLIENT)
{
if (authenticateInstruction == null)
{
throw new ArgumentNullException(nameof(authenticateInstruction));
}
if (client == null)
{
throw new ArgumentNullException(nameof(client));
}
if (string.IsNullOrWhiteSpace(client.ClientSecret))
{
throw new OAuthException(errorCode, ErrorMessages.NO_CLIENT_SECRET);
}
var clientAssertion = authenticateInstruction.ClientAssertion;
var isJweToken = _jwtParser.IsJweToken(clientAssertion);
if (!isJweToken)
{
throw new OAuthException(errorCode, ErrorMessages.BAD_CLIENT_ASSERTION_FORMAT);
}
var clientId = authenticateInstruction.ClientIdFromHttpRequestBody;
var jws = await _jwtParser.Decrypt(clientAssertion, clientId, client.ClientSecret, cancellationToken);
if (string.IsNullOrWhiteSpace(jws))
{
throw new OAuthException(errorCode, ErrorMessages.BAD_CLIENT_ASSERTION_DECRYPTION);
}
var isJwsToken = _jwtParser.IsJwsToken(jws);
if (!isJwsToken)
{
throw new OAuthException(errorCode, ErrorMessages.BAD_CLIENT_ASSERTION_FORMAT);
}
JwsPayload payload = await _jwtParser.Unsign(clientAssertion, clientId, cancellationToken, errorCode);
if (payload == null)
{
throw new OAuthException(errorCode, ErrorMessages.BAD_CLIENT_ASSERTION_SIGNATURE);
}
return(ValidateJwsPayLoad(payload, expectedIssuer, errorCode));
}
public async Task <bool> Handle(AuthenticateInstruction authenticateInstruction, BaseClient client, string expectedIssuer, CancellationToken cancellationToken, string errorCode = ErrorCodes.INVALID_CLIENT)
{
if (authenticateInstruction == null)
{
throw new ArgumentNullException(nameof(authenticateInstruction));
}
if (client == null)
{
throw new ArgumentNullException(nameof(client));
}
var clientAssertion = authenticateInstruction.ClientAssertion;
var isJwsToken = _jwtParser.IsJwsToken(clientAssertion);
if (!isJwsToken)
{
throw new OAuthException(errorCode, ErrorMessages.BAD_CLIENT_ASSERTION_FORMAT);
}
var jwsPayload = _jwsGenerator.ExtractPayload(clientAssertion);
if (jwsPayload == null)
{
throw new OAuthException(errorCode, ErrorMessages.BAD_CLIENT_ASSERTION_FORMAT);
}
var clientId = jwsPayload.GetIssuer();
JwsPayload payload;
try
{
payload = await _jwtParser.Unsign(clientAssertion, clientId, cancellationToken, errorCode);
}
catch (JwtException ex)
{
throw new OAuthException(errorCode, ex.Message);
}
if (payload == null)
{
throw new OAuthException(errorCode, ErrorMessages.BAD_CLIENT_ASSERTION_SIGNATURE);
}
return(ValidateJwsPayLoad(payload, expectedIssuer, errorCode));
}
private async Task <JwsPayload> Extract(string accessToken)
{
var isJwe = _jwtParser.IsJweToken(accessToken);
var isJws = _jwtParser.IsJwsToken(accessToken);
if (!isJwe && !isJws)
{
return(null);
}
var jws = accessToken;
if (isJwe)
{
jws = await _jwtParser.Decrypt(accessToken);
}
return(await _jwtParser.Unsign(jws));
}
protected async Task <JwsPayload> ExtractHint(string tokenHint, CancellationToken cancellationToken)
{
if (!_jwtParser.IsJwsToken(tokenHint) && !_jwtParser.IsJweToken(tokenHint))
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_IDTOKENHINT);
}
if (_jwtParser.IsJweToken(tokenHint))
{
tokenHint = await _jwtParser.Decrypt(tokenHint, cancellationToken);
if (string.IsNullOrWhiteSpace(tokenHint))
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_IDTOKENHINT);
}
}
return(await _jwtParser.Unsign(tokenHint, cancellationToken));
}
public virtual async Task <RequestObjectValidatorResult> Validate(string request, BaseClient oauthClient, CancellationToken cancellationToken, string errorCode = ErrorCodes.INVALID_REQUEST_OBJECT)
{
if (!_jwtParser.IsJwsToken(request) && !_jwtParser.IsJweToken(request))
{
throw new OAuthException(errorCode, ErrorMessages.INVALID_REQUEST_PARAMETER);
}
var jws = request;
if (_jwtParser.IsJweToken(request))
{
jws = await _jwtParser.Decrypt(jws, cancellationToken);
if (string.IsNullOrWhiteSpace(jws))
{
throw new OAuthException(errorCode, ErrorMessages.INVALID_JWE_REQUEST_PARAMETER);
}
}
JwsHeader header = null;
try
{
header = _jwtParser.ExtractJwsHeader(jws);
}
catch (InvalidOperationException)
{
throw new OAuthException(errorCode, ErrorMessages.INVALID_JWS_REQUEST_PARAMETER);
}
JwsPayload jwsPayload;
try
{
jwsPayload = await _jwtParser.Unsign(jws, oauthClient, errorCode);
}
catch (JwtException ex)
{
throw new OAuthException(errorCode, ex.Message);
}
return(new RequestObjectValidatorResult(jwsPayload, header));
}
public Task <ClaimTokenFormatFetcherResult> Fetch(HandlerContext context)
{
var claimToken = context.Request.RequestData.GetClaimToken();
if (!_jwtParser.IsJwsToken(claimToken))
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST, UMAErrorMessages.BAD_CLAIM_TOKEN);
}
var payload = _jwtParser.Unsign(claimToken, _umaHostOptions.OpenIdJsonWebKeySignature);
if (payload == null)
{
return(null);
}
var sub = payload.First(c => c.Key == GetSubjectName());
return(Task.FromResult(new ClaimTokenFormatFetcherResult(sub.Value.ToString(), payload)));
}
public async Task <bool> Handle(AuthenticateInstruction authenticateInstruction, OAuthClient client, string expectedIssuer)
{
if (authenticateInstruction == null)
{
throw new ArgumentNullException(nameof(authenticateInstruction));
}
if (client == null)
{
throw new ArgumentNullException(nameof(client));
}
var clientAssertion = authenticateInstruction.ClientAssertion;
var isJwsToken = _jwtParser.IsJwsToken(clientAssertion);
if (!isJwsToken)
{
throw new OAuthException(ErrorCodes.INVALID_CLIENT_AUTH, ErrorMessages.BAD_CLIENT_ASSERTION_FORMAT);
}
var jwsPayload = _jwsGenerator.ExtractPayload(clientAssertion);
if (jwsPayload == null)
{
throw new OAuthException(ErrorCodes.INVALID_CLIENT_AUTH, ErrorMessages.BAD_CLIENT_ASSERTION_FORMAT);
}
var clientId = jwsPayload.GetIssuer();
var payload = await _jwtParser.Unsign(clientAssertion, clientId).ConfigureAwait(false);
if (payload == null)
{
throw new OAuthException(ErrorCodes.INVALID_CLIENT_AUTH, ErrorMessages.BAD_CLIENT_ASSERTION_SIGNATURE);
}
return(ValidateJwsPayLoad(payload, ""));
}
protected async Task <bool> CheckRequest(HandlerContext context, string request)
{
var openidClient = (OpenIdClient)context.Client;
if (!_jwtParser.IsJwsToken(request) && !_jwtParser.IsJweToken(request))
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_REQUEST_PARAMETER);
}
var jws = request;
if (_jwtParser.IsJweToken(request))
{
jws = await _jwtParser.Decrypt(jws);
if (string.IsNullOrWhiteSpace(jws))
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_JWE_REQUEST_PARAMETER);
}
}
JwsHeader header = null;
try
{
header = _jwtParser.ExtractJwsHeader(jws);
}
catch (InvalidOperationException)
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_JWS_REQUEST_PARAMETER);
}
if (
(!string.IsNullOrWhiteSpace(openidClient.RequestObjectSigningAlg) && header.Alg != openidClient.RequestObjectSigningAlg) ||
(string.IsNullOrWhiteSpace(openidClient.RequestObjectSigningAlg) && header.Alg != NoneSignHandler.ALG_NAME)
)
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_SIGNATURE_ALG);
}
var jwsPayload = await _jwtParser.Unsign(jws, context.Client);
if (jwsPayload == null)
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_JWS_REQUEST_PARAMETER);
}
if (!jwsPayload.ContainsKey(OAuth.DTOs.AuthorizationRequestParameters.ResponseType))
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.MISSING_RESPONSE_TYPE_CLAIM);
}
if (!jwsPayload.ContainsKey(OAuth.DTOs.AuthorizationRequestParameters.ClientId))
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.MISSING_CLIENT_ID_CLAIM);
}
if (!jwsPayload[OAuth.DTOs.AuthorizationRequestParameters.ResponseType].ToString().Split(' ').OrderBy(s => s).SequenceEqual(context.Request.Data.GetResponseTypesFromAuthorizationRequest()))
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_RESPONSE_TYPE_CLAIM);
}
if (jwsPayload[OAuth.DTOs.AuthorizationRequestParameters.ClientId].ToString() != context.Client.ClientId)
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_CLIENT_ID_CLAIM);
}
context.Request.SetData(JObject.FromObject(jwsPayload));
return(true);
}
private async Task ExtractSoftwareStatement(JObject jObj)
{
var softwareStatement = jObj.GetSoftwareStatement();
if (string.IsNullOrWhiteSpace(softwareStatement))
{
return;
}
if (!_jwtParser.IsJwsToken(softwareStatement))
{
throw new OAuthException(ErrorCodes.INVALID_SOFTWARE_STATEMENT, ErrorMessages.BAD_JWS_SOFTWARE_STATEMENT);
}
SimpleIdServer.Jwt.Jws.JwsPayload jwsPayload;
SimpleIdServer.Jwt.Jws.JwsHeader header;
try
{
jwsPayload = _jwtParser.ExtractJwsPayload(softwareStatement);
header = _jwtParser.ExtractJwsHeader(softwareStatement);
if (jwsPayload == null)
{
throw new OAuthException(ErrorCodes.INVALID_SOFTWARE_STATEMENT, ErrorMessages.BAD_JWS_SOFTWARE_STATEMENT);
}
}
catch
{
throw new OAuthException(ErrorCodes.INVALID_SOFTWARE_STATEMENT, ErrorMessages.BAD_JWS_SOFTWARE_STATEMENT);
}
var issuer = jwsPayload.GetIssuer();
var trustedParty = OauthHostOptions.SoftwareStatementTrustedParties.FirstOrDefault(s => s.Iss == issuer);
if (trustedParty == null)
{
throw new OAuthException(ErrorCodes.INVALID_SOFTWARE_STATEMENT, ErrorMessages.BAD_ISSUER_SOFTWARE_STATEMENT);
}
using (var httpClient = _httpClientFactory.GetHttpClient())
{
var json = await httpClient.GetStringAsync(trustedParty.JwksUrl);
var keysJson = JObject.Parse(json)["keys"].ToString();
var jsonWebKeys = JsonConvert.DeserializeObject <JArray>(keysJson).Select(k => SimpleIdServer.Jwt.JsonWebKey.Deserialize(k.ToString()));
var jsonWebKey = jsonWebKeys.FirstOrDefault(j => j.Kid == header.Kid);
jwsPayload = _jwtParser.Unsign(softwareStatement, jsonWebKey);
if (jwsPayload == null)
{
throw new OAuthException(ErrorCodes.INVALID_SOFTWARE_STATEMENT, ErrorMessages.BAD_SOFTWARE_STATEMENT_SIGNATURE);
}
foreach (var kvp in jwsPayload)
{
if (jObj.ContainsKey(kvp.Key))
{
jObj.Remove(kvp.Key);
}
jObj.Add(kvp.Key, JToken.FromObject(kvp.Value));
}
}
}