예제 #1
 /// <summary>
 /// Assembles a compact JSON Web Token of the form
 /// <c>encoded-header.encoded-payload.signature</c>.
 /// </summary>
 /// <param name="jsonPayload">The claims JSON, encoded as supplied.</param>
 /// <param name="sign">
 /// The signer. Its <c>AlgorithmName</c> is written into the header's
 /// <c>alg</c> member and its <c>Sign</c> result becomes the third segment.
 /// </param>
 /// <returns>The three dot-separated token segments.</returns>
 /// <remarks>
 /// NOTE(review): <c>AlgorithmName</c> is placed into the header JSON without
 /// escaping, so it is assumed to be a fixed, JSON-safe identifier - confirm
 /// for every <c>ISigningAlgorithm</c> implementation.
 /// </remarks>
 public static string CreateJsonWebToken(string jsonPayload, ISigningAlgorithm sign)
 {
     // Header carries only the algorithm name and the fixed "JWT" type.
     string header = "{\"alg\":\"" + sign.AlgorithmName + "\",\"typ\":\"JWT\"}";

     string encodedHeader = Base64Utility.UTF8UrlEncode(header);
     string encodedPayload = Base64Utility.UTF8UrlEncode(jsonPayload);

     // The signature covers exactly "header.payload" in encoded form.
     string signingInput = encodedHeader + "." + encodedPayload;
     return signingInput + "." + sign.Sign(signingInput);
 }
예제 #2
 /// <summary>
 /// Creates a <see cref="GatewayController"/> from its two injected
 /// dependencies.
 /// </summary>
 /// <param name="indexerDatabaseContext">
 /// The database context, stored for later use.
 /// </param>
 /// <param name="signingAlgorithm">
 /// The signing algorithm, stored for later use.
 /// </param>
 /// <remarks>
 /// Refactor friendly - needs support for additional signing
 /// algorithms. Neither argument is null-checked here.
 /// </remarks>
 public GatewayController(IIndexerDatabaseContext indexerDatabaseContext, ISigningAlgorithm signingAlgorithm)
 {
     _signingAlgorithm = signingAlgorithm;
     _indexerDatabaseContext = indexerDatabaseContext;
 }
 /// <summary>
 /// Creates the HMAC authentication options, passing <c>Schemas.HMAC</c> to
 /// the base constructor.
 /// </summary>
 /// <param name="algorithm">Assigned to <c>Algorithm</c>.</param>
 /// <param name="secretRepository">Assigned to <c>SecretRepository</c>.</param>
 /// <param name="signInAsAuthenticationType">
 /// Assigned to <c>SignInAsAuthenticationType</c>; defaults to
 /// <c>Schemas.HMAC</c>.
 /// </param>
 public HmacAuthenticationOptions(
     ISigningAlgorithm algorithm,
     ISecretRepository secretRepository,
     string signInAsAuthenticationType = Schemas.HMAC)
     : base(Schemas.HMAC)
 {
     // Assignment order is kept in case any of these are property setters with side effects.
     this.Algorithm = algorithm;
     this.SecretRepository = secretRepository;
     this.SignInAsAuthenticationType = signInAsAuthenticationType;
 }
예제 #4
 /// <summary>
 /// Creates a <see cref="GatewayJWT"/> from its header, body and signer.
 /// </summary>
 /// <param name="header">Assigned to <c>Header</c>.</param>
 /// <param name="body">Assigned to <c>Body</c>.</param>
 /// <param name="algorithm">The signing algorithm, kept in a private member.</param>
 /// <remarks>
 /// Refactor friendly: move signing algorithm out, turn into
 /// JsonConverter. No argument is null-checked here.
 /// </remarks>
 public GatewayJWT(GatewayJWTHeader header, GatewayJWTBody body, ISigningAlgorithm algorithm)
 {
     Header = header;
     Body = body;
     _algorithm = algorithm;
 }
 /// <summary>
 /// Creates the HMAC authentication service from its four collaborators.
 /// </summary>
 /// <param name="appSecretProvider">Repository of application secrets.</param>
 /// <param name="algorithm">The signing algorithm.</param>
 /// <param name="dateValidator">Validator for the request date.</param>
 /// <param name="signatureContentResolver">Resolver for the content that is signed.</param>
 /// <remarks>All four are stored as given; none is null-checked here.</remarks>
 public HmacAuthenticationService(IAppSecretRepository appSecretProvider,
                                  ISigningAlgorithm algorithm,
                                  IHmacRequestDateValidator dateValidator,
                                  IHmacSignatureContentResolver signatureContentResolver)
 {
     this.appSecretProvider = appSecretProvider;
     this.algorithm = algorithm;
     this.dateValidator = dateValidator;
     this.signatureContentResolver = signatureContentResolver;
 }
예제 #6
 /// <summary>
 /// Creates the server-side HMAC handler.
 /// </summary>
 /// <param name="secretRepository">Repository of client secrets.</param>
 /// <param name="signingAlgorithm">The signing algorithm.</param>
 /// <param name="clockSkew">
 /// Optional clock skew; <c>Constants.DefaultClockSkew</c> is used when null.
 /// </param>
 /// <param name="time">
 /// Optional clock; <c>SystemTime.Instance</c> is used when null.
 /// </param>
 public HmacServerHandler(
     ISecretRepository secretRepository,
     ISigningAlgorithm signingAlgorithm,
     TimeSpan? clockSkew = null,
     ITime time = null)
 {
     this.secretRepository = secretRepository;
     this.signingAlgorithm = signingAlgorithm;

     // Fall back to the library defaults for anything the caller left out.
     this.clockSkew = clockSkew.HasValue ? clockSkew.Value : Constants.DefaultClockSkew;
     this.time = time != null ? time : SystemTime.Instance;
 }
예제 #7
 /// <summary>
 /// Creates the server-side HMAC handler on top of an inner message handler.
 /// </summary>
 /// <param name="innerHandler">Passed to the base constructor.</param>
 /// <param name="appSecretRepository">Repository of application secrets.</param>
 /// <param name="signingAlgorithm">The signing algorithm.</param>
 /// <param name="tolerance">
 /// Optional tolerance; <c>Constants.DefaultTolerance</c> is used when null.
 /// </param>
 /// <param name="time">
 /// Optional clock; <c>SystemTime.Instance</c> is used when null.
 /// </param>
 public HMACServerHandler(
     HttpMessageHandler innerHandler,
     IAppSecretRepository appSecretRepository,
     ISigningAlgorithm signingAlgorithm,
     TimeSpan? tolerance = null,
     ITime time = null)
     : base(innerHandler)
 {
     this.appSecretRepository = appSecretRepository;
     this.signingAlgorithm = signingAlgorithm;

     // Fall back to the library defaults for anything the caller left out.
     this.tolerance = tolerance.HasValue ? tolerance.Value : Constants.DefaultTolerance;
     this.time = time != null ? time : SystemTime.Instance;
 }
예제 #8
 /// <summary>
 /// Creates the server-side HMAC handler with an optional mixed
 /// authentication mode.
 /// </summary>
 /// <param name="appSecretRepository">Repository of application secrets.</param>
 /// <param name="signingAlgorithm">The signing algorithm.</param>
 /// <param name="mixedAuthMode">
 /// Stored as given (default <c>false</c>); its effect is not visible in
 /// this constructor.
 /// </param>
 /// <param name="tolerance">
 /// Optional tolerance; <c>Constants.DefaultTolerance</c> is used when null.
 /// </param>
 /// <param name="time">
 /// Optional clock; <c>SystemTime.Instance</c> is used when null.
 /// </param>
 public HmacServerHandler(
     IAppSecretRepository appSecretRepository,
     ISigningAlgorithm signingAlgorithm,
     bool mixedAuthMode = false,
     TimeSpan? tolerance = null,
     ITime time = null)
 {
     this.appSecretRepository = appSecretRepository;
     this.signingAlgorithm = signingAlgorithm;
     this.mixedAuthMode = mixedAuthMode;

     // Fall back to the library defaults for anything the caller left out.
     this.tolerance = tolerance.HasValue ? tolerance.Value : Constants.DefaultTolerance;
     this.time = time != null ? time : SystemTime.Instance;
 }
예제 #9
 /// <summary>
 /// Creates the client-side HMAC handler. Intended for registration in a
 /// service collection, so every collaborator is optional.
 /// </summary>
 /// <param name="appId">The application identifier.</param>
 /// <param name="secret">The application's secret, held as a <see cref="SecureString"/>.</param>
 /// <param name="signingAlgorithm">
 /// Optional; <c>HmacSigningAlgorithm.Default</c> is used when null.
 /// </param>
 /// <param name="nonceGenerator">
 /// Optional; <c>GuidNonceGenerator.Instance</c> is used when null.
 /// </param>
 /// <param name="time">
 /// Optional clock; <c>SystemTime.Instance</c> is used when null.
 /// </param>
 public HmacClientHandler(
     string appId,
     SecureString secret,
     ISigningAlgorithm signingAlgorithm = null,
     INonceGenerator nonceGenerator = null,
     ITime time = null)
 {
     this.appId = appId;
     this.secret = secret;

     // Fall back to the library defaults for anything the caller left out.
     this.signingAlgorithm = signingAlgorithm != null ? signingAlgorithm : HmacSigningAlgorithm.Default;
     this.nonceGenerator = nonceGenerator != null ? nonceGenerator : GuidNonceGenerator.Instance;
     this.time = time != null ? time : SystemTime.Instance;
 }
예제 #10
 /// <summary>
 /// Creates the client-side HMAC handler for a named client.
 /// </summary>
 /// <param name="client">The client identifier.</param>
 /// <param name="secret">The client's secret, held as a <see cref="SecureString"/>.</param>
 /// <param name="signingAlgorithm">The signing algorithm; stored as given, no default is applied.</param>
 /// <param name="nonceGenerator">
 /// Optional; <c>GuidNonceGenerator.Instance</c> is used when null.
 /// </param>
 /// <param name="time">
 /// Optional clock; <c>SystemTime.Instance</c> is used when null.
 /// </param>
 public HmacClientHandler(
     string client,
     SecureString secret,
     ISigningAlgorithm signingAlgorithm,
     INonceGenerator nonceGenerator = null,
     ITime time = null)
 {
     this.client = client;
     this.secret = secret;
     this.signingAlgorithm = signingAlgorithm;

     // Fall back to the library defaults for anything the caller left out.
     this.nonceGenerator = nonceGenerator != null ? nonceGenerator : GuidNonceGenerator.Instance;
     this.time = time != null ? time : SystemTime.Instance;
 }
예제 #11
 /// <summary>
 /// Creates the OWIN HMAC middleware in front of the next pipeline stage.
 /// </summary>
 /// <param name="next">Passed to the base constructor.</param>
 /// <param name="appSecretRepository">Repository of application secrets.</param>
 /// <param name="signingAlgorithm">The signing algorithm.</param>
 /// <param name="tolerance">
 /// Optional tolerance; <c>Constants.DefaultTolerance</c> is used when null.
 /// </param>
 /// <param name="time">
 /// Optional clock; <c>SystemTime.Instance</c> is used when null.
 /// </param>
 public HMACMiddleware(
     OwinMiddleware next,
     IAppSecretRepository appSecretRepository,
     ISigningAlgorithm signingAlgorithm,
     TimeSpan? tolerance = null,
     ITime time = null)
     : base(next)
 {
     this.appSecretRepository = appSecretRepository;
     this.signingAlgorithm = signingAlgorithm;

     // Fall back to the library defaults for anything the caller left out.
     this.tolerance = tolerance.HasValue ? tolerance.Value : Constants.DefaultTolerance;
     this.time = time != null ? time : SystemTime.Instance;
 }
예제 #12
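        /// <summary>
        /// Checks the bearer token of an incoming OWIN request against an HMAC
        /// computed from the request's canonical representation and the
        /// client's stored secret.
        /// </summary>
        /// <param name="req">The incoming request; all header values are untrusted input.</param>
        /// <param name="algorithm">Verifies the presented token against the canonical content.</param>
        /// <param name="secretRepository">Looks up the secret for the client identifier.</param>
        /// <param name="time">Clock used for the freshness check.</param>
        /// <param name="clockSkew">Largest accepted difference, in either direction, between the Date header and the clock.</param>
        /// <returns>
        /// <c>true</c> only when client, nonce, scheme, token and date are all
        /// acceptable, a secret exists for the client and the algorithm
        /// verifies the token; otherwise <c>false</c>.
        /// </returns>
        /// <remarks>
        /// The nonce is only required to be present and is then signed over;
        /// no uniqueness check is visible in this method, so replay rejection
        /// inside the skew window would have to happen elsewhere - confirm.
        /// The Content-MD5 header value is fed into the signed representation,
        /// but this method does not hash the body itself.
        /// </remarks>
        internal static bool Validate(IOwinRequest req, ISigningAlgorithm algorithm, ISecretRepository secretRepository, ITime time, TimeSpan clockSkew)
        {
            var h = req.Headers;

            var client = GetClient(req);
            var nonce  = GetNonce(req);

            var auth   = h.Get(Headers.Authorization)?.Split(' ');
            var scheme = auth?.Length == 2 ? auth[0] : null;
            var token  = auth?.Length == 2 ? auth[1] : null;

            // An absent or unparsable Date header becomes MinValue, which can
            // never fall inside the skew window.
            DateTimeOffset date;
            if (!DateTimeOffset.TryParse(h.Get(Headers.Date), out date))
            {
                date = DateTimeOffset.MinValue;
            }

            if (client == null || nonce == null || scheme != Schemas.Bearer || token == null)
            {
                return false;
            }

            // Compare the absolute difference: a one-sided "now - date <= skew"
            // test also accepts a Date arbitrarily far in the future, which
            // would keep a captured request valid until that moment.
            if ((time.UtcNow - date).Duration() > clockSkew)
            {
                return false;
            }

            // Both values come straight from request headers; malformed
            // base64 is an authentication failure, not an unhandled exception.
            var contentMd5 = h.Get(Headers.ContentMD5);
            byte[] contentMd5Bytes;
            byte[] tokenBytes;
            try
            {
                contentMd5Bytes = contentMd5 == null ? null : Convert.FromBase64String(contentMd5);
                tokenBytes      = Convert.FromBase64String(token);
            }
            catch (FormatException)
            {
                return false;
            }

            // NOTE(review): req.Accept is dereferenced unconditionally; a
            // request without an Accept header would throw here. Left as is
            // because the builder's handling of a null list is not visible.
            var builder = new CannonicalRepresentationBuilder();
            var content = builder.BuildRepresentation(
                nonce,
                client,
                req.Method,
                req.ContentType,
                req.Accept.Split(','),
                contentMd5Bytes,
                date,
                req.Uri);

            SecureString secret = secretRepository.GetSecret(client);
            if (secret == null)
            {
                return false;
            }

            return algorithm.Verify(secret, Encoding.UTF8.GetBytes(content), tokenBytes);
        }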
예제 #13
 /// <summary>
 /// Creates the client-side HMAC handler on top of an inner message handler.
 /// </summary>
 /// <param name="innerHandler">Passed to the base constructor.</param>
 /// <param name="appId">The application identifier.</param>
 /// <param name="secret">The application's secret, held as a <see cref="SecureString"/>.</param>
 /// <param name="signingAlgorithm">The signing algorithm; stored as given, no default is applied.</param>
 /// <param name="nonceGenerator">
 /// Optional; <c>GuidNonceGenerator.Instance</c> is used when null.
 /// </param>
 /// <param name="time">
 /// Optional clock; <c>SystemTime.Instance</c> is used when null.
 /// </param>
 public HmacClientHandler(HttpMessageHandler innerHandler,
                          string appId,
                          SecureString secret,
                          ISigningAlgorithm signingAlgorithm,
                          INonceGenerator nonceGenerator = null,
                          ITime time = null)
     : base(innerHandler)
 {
     this.appId = appId;
     this.secret = secret;
     this.signingAlgorithm = signingAlgorithm;

     // Fall back to the library defaults for anything the caller left out.
     this.nonceGenerator = nonceGenerator != null ? nonceGenerator : GuidNonceGenerator.Instance;
     this.time = time != null ? time : SystemTime.Instance;
 }
예제 #14
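        /// <summary>
        /// Checks the HMAC Authorization header of an incoming OWIN request by
        /// recomputing the signature over the request's canonical
        /// representation with the application's stored secret.
        /// </summary>
        /// <param name="req">The incoming request; all header values are untrusted input.</param>
        /// <param name="algorithm">Signs the canonical content with the secret.</param>
        /// <param name="appSecretRepository">Looks up the secret for the application identifier.</param>
        /// <param name="time">Clock used for the freshness check.</param>
        /// <param name="tolerance">Largest accepted difference, in either direction, between the Date header and the clock.</param>
        /// <returns>
        /// <c>true</c> only when the app id, scheme, value and date are
        /// acceptable, a secret exists and the recomputed signature equals the
        /// presented one; otherwise <c>false</c>.
        /// </returns>
        /// <remarks>
        /// The nonce is passed to the builder without a null or uniqueness
        /// check in this method; whether a missing nonce makes the builder
        /// return null is not visible here - confirm. The Content-MD5 header
        /// value is signed over, but this method does not hash the body itself.
        /// </remarks>
        internal static bool Validate(IOwinRequest req, ISigningAlgorithm algorithm, IAppSecretRepository appSecretRepository, ITime time, TimeSpan tolerance)
        {
            var h = req.Headers;

            var appId = GetAppId(req);
            var nonce = GetNonce(req);

            var auth       = h.Get(Headers.Authorization)?.Split(' ');
            var authSchema = auth?.Length == 2 ? auth[0] : null;
            var authValue  = auth?.Length == 2 ? auth[1] : null;

            // An absent or unparsable Date header becomes MinValue, which can
            // never fall inside the tolerance window.
            DateTimeOffset date;
            if (!DateTimeOffset.TryParse(h.Get(Headers.Date), out date))
            {
                date = DateTimeOffset.MinValue;
            }

            if (appId == null || authSchema != Schemas.HMAC || authValue == null)
            {
                return false;
            }

            // Compare the absolute difference: a one-sided "now - date <= tolerance"
            // test also accepts a Date arbitrarily far in the future, which
            // would keep a captured request valid until that moment.
            if ((time.UtcNow - date).Duration() > tolerance)
            {
                return false;
            }

            // The header is attacker-controlled; malformed base64 is an
            // authentication failure, not an unhandled exception.
            var contentMd5 = h.Get(Headers.ContentMD5);
            byte[] contentMd5Bytes;
            try
            {
                contentMd5Bytes = contentMd5 == null ? null : Convert.FromBase64String(contentMd5);
            }
            catch (FormatException)
            {
                return false;
            }

            var builder = new CannonicalRepresentationBuilder();
            var content = builder.BuildRepresentation(
                nonce,
                appId,
                req.Method,
                req.ContentType,
                req.Accept,
                contentMd5Bytes,
                date,
                req.Uri);
            if (content == null)
            {
                return false;
            }

            SecureString secret = appSecretRepository.GetSecret(appId);
            if (secret == null)
            {
                return false;
            }

            // A plain string == stops at the first differing character, so
            // response timing can reveal how much of a guessed signature is
            // correct. Use a comparison whose duration depends only on length.
            return SignaturesMatch(algorithm.Sign(secret, content), authValue);
        }

        /// <summary>
        /// Ordinal equality of two signature strings that always inspects
        /// every character of the shorter input instead of returning at the
        /// first mismatch.
        /// </summary>
        private static bool SignaturesMatch(string expected, string presented)
        {
            if (expected == null || presented == null)
            {
                return false;
            }

            // A length mismatch is folded into the accumulator rather than
            // returned early; only the length itself is observable.
            int difference = expected.Length ^ presented.Length;
            int shared = Math.Min(expected.Length, presented.Length);
            for (int i = 0; i < shared; i++)
            {
                difference |= expected[i] ^ presented[i];
            }

            return difference == 0;
        }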
예제 #15
 /// <summary>
 /// Creates the middleware options from an application-secret repository
 /// and a signing algorithm.
 /// </summary>
 /// <param name="appSecretRepository">Assigned to <c>AppSecretRepository</c>.</param>
 /// <param name="algorithm">Assigned to <c>Algorithm</c>.</param>
 public HmacMiddlewareOptions(
     IAppSecretRepository appSecretRepository,
     ISigningAlgorithm algorithm)
 {
     this.AppSecretRepository = appSecretRepository;
     this.Algorithm = algorithm;
 }
 /// <summary>
 /// Creates the middleware options from a secret repository and a signing
 /// algorithm.
 /// </summary>
 /// <param name="secretRepository">Assigned to <c>SecretRepository</c>.</param>
 /// <param name="algorithm">Assigned to <c>Algorithm</c>.</param>
 public HmacMiddlewareOptions(
     ISecretRepository secretRepository,
     ISigningAlgorithm algorithm)
 {
     this.SecretRepository = secretRepository;
     this.Algorithm = algorithm;
 }
예제 #17
 /// <summary>
 /// Creates the middleware settings from an application-secret repository
 /// and a signing algorithm.
 /// </summary>
 /// <param name="appSecretRepository">Assigned to <c>AppSecretRepository</c>.</param>
 /// <param name="signingAlgorithm">Assigned to <c>SigningAlgorithm</c>.</param>
 public HMACMiddlewareSettings(
     IAppSecretRepository appSecretRepository,
     ISigningAlgorithm signingAlgorithm)
 {
     this.AppSecretRepository = appSecretRepository;
     this.SigningAlgorithm = signingAlgorithm;
 }