protected async Task <HttpResponseMessage> CreateItemAsync <TValidator>(HttpRequestMessage httpRequestMessage) where TValidator : AbstractValidator <T>, new() { _ = httpRequestMessage ?? throw new ArgumentNullException(nameof(httpRequestMessage)); var claimsPrincipal = await tokenValidator.ValidateTokenAsync(httpRequestMessage.Headers.Authorization); if (claimsPrincipal == null) { return(new HttpResponseMessage(HttpStatusCode.Unauthorized)); } var jsonValidationResult = await jsonHttpContentValidator.ValidateJsonAsync <T, TValidator>(httpRequestMessage.Content); if (!jsonValidationResult.IsValid) { return(jsonValidationResult.Message); } var createdItem = await dataRepository.CreateItemAsync(jsonValidationResult.Item); var content = new StringContent(JsonSerializer.Serialize(createdItem), Encoding.UTF8, ContentTypes.Application.Json); return(new HttpResponseMessage(HttpStatusCode.Created) { Content = content }); }
public async Task <HttpResponseMessage> CreateCustomer([HttpTrigger(AuthorizationLevel.Anonymous, "post", Route = "customers")] HttpRequestMessage req, ILogger log) { _ = req ?? throw new ArgumentNullException(nameof(req)); log.LogInformation(CustomerDataResources.CreateCustomerStartLog); var claimsPrincipal = await tokenValidator.ValidateTokenAsync(req.Headers.Authorization); if (claimsPrincipal == null) { return(new HttpResponseMessage(HttpStatusCode.Unauthorized)); } var jsonValidationResult = await jsonHttpContentValidator.ValidateJsonAsync <Customer, CustomerValidator>(req.Content); if (!jsonValidationResult.IsValid) { return(jsonValidationResult.Message); } var customer = await customerRepository.CreateItemAsync(jsonValidationResult.Item); var content = new StringContent(JsonSerializer.Serialize(customer), Encoding.UTF8, ContentTypes.Application.Json); log.LogInformation(CustomerDataResources.CreateCustomerEndLog); return(new HttpResponseMessage(HttpStatusCode.Created) { Content = content }); }
public async Task <HttpResponseMessage> CreateConferenceCall([HttpTrigger(AuthorizationLevel.Anonymous, "post", Route = "calls")] HttpRequestMessage req, ILogger log) { _ = req ?? throw new ArgumentNullException(nameof(req)); var claimsPrincipal = await tokenValidator.ValidateTokenAsync(req.Headers.Authorization); if (claimsPrincipal == null) { return(new HttpResponseMessage(HttpStatusCode.Unauthorized)); } log.LogInformation("Creating call"); var contentStream = await req.Content.ReadAsStreamAsync(); var jsonResult = await jsonTextSerializer.DeserializeObjectAsync <User>(contentStream); var onlineMeeting = await microsoftGraphRepository.CreateOnlineMeetingAsync(req.Headers.Authorization); jsonResult.MeetingUrl = onlineMeeting.JoinWebUrl; var content = new StringContent(JsonSerializer.Serialize(jsonResult), Encoding.UTF8, "application/json"); log.LogInformation("Created call"); return(new HttpResponseMessage(HttpStatusCode.Created) { Content = content });; }
public Task <List <KeyValuePair <string, string> > > ProcessAsync(ref TokenExchangeRequest tokenExchangeRequest) { var header = new JwtHeader(); var handler = new JwtSecurityTokenHandler(); foreach (var tokenWithScheme in tokenExchangeRequest.Tokens) { var principal = _tokenValidator.ValidateTokenAsync(new TokenDescriptor { TokenScheme = tokenWithScheme.TokenScheme, Token = tokenWithScheme.Token }).GetAwaiter().GetResult(); var token = handler.ReadJwtToken(tokenWithScheme.Token); var unsignedSecurityToken = new JwtSecurityToken(header, token.Payload); tokenWithScheme.Token = handler.WriteToken(unsignedSecurityToken); } return(Task.FromResult(new List <KeyValuePair <string, string> >())); }
public async Task <HttpResponseMessage> CheckAccess([HttpTrigger(AuthorizationLevel.Anonymous, "post", Route = "checkAccess")] HttpRequestMessage req, ILogger log) { _ = req ?? throw new ArgumentNullException(nameof(req)); log.LogInformation(PolicyManagerResources.CheckAccessStartLog); var claimsPrincipal = await tokenValidator.ValidateTokenAsync(req.Headers.Authorization); if (claimsPrincipal == null) { return(new HttpResponseMessage(HttpStatusCode.Unauthorized)); } var jsonValidationResult = await jsonHttpContentValidator.ValidateJsonAsync <CheckAccessRequest, CheckAccessRequestValidator>(req.Content); if (!jsonValidationResult.IsValid) { return(jsonValidationResult.Message); } var groups = await microsoftGraphRepository.FetchMyGroupsAsync(req.Headers.Authorization); var initialState = new InitialState <Group>() { ClaimsPrincipal = claimsPrincipal, Identifier = jsonValidationResult.Item.RequestIdentifier, Groups = groups, }; var policyResults = await authorizationRepository.EvaluateAsync(req.Headers.Authorization, initialState); log.LogInformation(PolicyManagerResources.CheckAccessEndLog); var content = new StringContent(JsonSerializer.Serialize(policyResults), Encoding.UTF8, ContentTypes.Application.Json); return(new HttpResponseMessage(HttpStatusCode.OK) { Content = content }); }
public async Task <List <TokenExchangeResponse> > ProcessExchangeAsync(TokenExchangeRequest tokenExchangeRequest) { if (tokenExchangeRequest.Extras == null || tokenExchangeRequest.Extras.Count == 0) { throw new Exception($"{Name}: We require that extras be populated!"); } List <ValidatedToken> validatedIdentityTokens = new List <ValidatedToken>(); foreach (var item in tokenExchangeRequest.Tokens) { var prince = await _tokenValidator.ValidateTokenAsync(new TokenDescriptor { TokenScheme = item.TokenScheme, Token = item.Token }); var sub = prince.GetSubjectFromPincipal(); if (string.IsNullOrEmpty(sub)) { _summaryLogger.Add("subject", "A subject was not found in the ClaimsPrincipal object!"); throw new Exception("A subject was not found in the ClaimsPrincipal object!"); } validatedIdentityTokens.Add(new ValidatedToken { Token = item.Token, TokenScheme = item.TokenScheme, Principal = prince }); } // for this demo, lets assume all the extras are roles. var roles = tokenExchangeRequest.Extras; roles.Add("user"); ResourceOwnerTokenRequest resourceOwnerTokenRequest = new ResourceOwnerTokenRequest() { AccessTokenLifetime = 3600, ArbitraryClaims = new Dictionary <string, List <string> >() { { "role", roles } }, Scope = "offline_access graphQLPlay", Subject = validatedIdentityTokens[0].Principal.GetSubjectFromPincipal(), ClientId = "arbitrary-resource-owner-client" }; var response = await _tokenMintingService.MintResourceOwnerTokenAsync(resourceOwnerTokenRequest); if (response.IsError) { throw new Exception(response.Error); } var tokenExchangeResponse = new TokenExchangeResponse() { accessToken = new AccessTokenResponse() { access_token = response.AccessToken, refresh_token = response.RefreshToken, expires_in = response.ExpiresIn, token_type = response.TokenType, authority = $"{_httpContextAssessor.HttpContext.Request.Scheme}://{_httpContextAssessor.HttpContext.Request.Host}", HttpHeaders = new List <HttpHeader> { new HttpHeader() { Name = "x-authScheme", Value = response.Scheme } } } }; return(new List <TokenExchangeResponse> { tokenExchangeResponse }); }
public async Task IssueAsync(OioIdwsMatchEndpointContext context) { if (string.IsNullOrEmpty(context.Request.ContentType)) { SetInvalidRequest(context, "No content type was specified"); return; } var ct = new System.Net.Mime.ContentType(context.Request.ContentType); var validContentType = "application/x-www-form-urlencoded"; if (!ct.MediaType.Equals(validContentType, StringComparison.InvariantCultureIgnoreCase)) { SetInvalidRequest(context, $"Content type '{validContentType}' is required."); return; } var form = await context.Request.ReadFormAsync(); var tokenValueBase64 = form["saml-token"]; if (string.IsNullOrEmpty(tokenValueBase64)) { SetInvalidRequest(context, "saml-token was missing"); return; } string tokenValue; try { var bytes = Convert.FromBase64String(tokenValueBase64); using (var stream = new MemoryStream(bytes)) { using (var reader = new StreamReader(stream)) { tokenValue = await reader.ReadToEndAsync(); } } } catch (Exception) { SetInvalidRequest(context, "saml-token must be in base64"); return; } var clientCertificate = context.ClientCertificate(); _logger.WriteEntry(Log.StartingTokenValidation()); var samlTokenValidation = await _tokenValidator.ValidateTokenAsync(tokenValue, clientCertificate, context.Options); if (!samlTokenValidation.Success) { _logger.WriteEntry(Log.IssuingTokenDenied(samlTokenValidation.ErrorDescription, samlTokenValidation.ValidationException)); // Scheme is mandatory and Holder-Of-Key is currently the only supportede scheme at NemLog-in STS. Hence, we specify Holder-Of-Key. context.Response.SetAuthenticationFailed(AccessTokenType.HolderOfKey, AuthenticationErrorCodes.InvalidToken, samlTokenValidation.ErrorDescription); context.RequestCompleted(); return; } _logger.WriteEntry(Log.TokenValidationCompleted()); var expiresIn = context.Options.AccessTokenExpiration; int requestedExpiration; if (int.TryParse(form["should-expire-in"], out requestedExpiration)) { var tmp = TimeSpan.FromSeconds(requestedExpiration); if (tmp < expiresIn) { //if the client wants a lower expiration, that's ok. Never to increase it. expiresIn = tmp; } } var storedToken = new OioIdwsToken { CertificateThumbprint = samlTokenValidation.AccessTokenType == AccessTokenType.HolderOfKey ? clientCertificate?.Thumbprint?.ToLowerInvariant() : null, Type = samlTokenValidation.AccessTokenType, ExpiresUtc = context.Options.SystemClock.UtcNow + expiresIn, Claims = samlTokenValidation.ClaimsIdentity.Claims.Select(x => new OioIdwsClaim { Type = x.Type, Value = x.Value, Issuer = x.Issuer, ValueType = x.ValueType }).ToList(), }; var accessToken = await GenerateAccessTokenAsync(context, storedToken); await WriteAccessTokenAsync(context.Response, accessToken, samlTokenValidation.AccessTokenType, expiresIn); _logger.WriteEntry(Log.TokenIssuedWithExpiration(accessToken, expiresIn)); context.RequestCompleted(); }
public async Task <JsonResult> ValidateToken([FromBody] TokenValidationRequest request) { return(Json(await authenticator.ValidateTokenAsync(request.token))); }