private OAuthBearerAuthenticationProvider CreateOAuthBearerAuthenticationProvider() { var tokenProvider = new OAuthBearerAuthenticationProvider { OnRequestToken = context => { // get the request from the context. var request = context.Request; // if the header collection contains an X-ACCESS-TOKEN key. // this is a hack because I couldn't set the Authorization header from angularjs. if (request.Headers.ContainsKey("X-ACCESS-TOKEN")) { // set the token from the X-ACCESS-TOKEN header. context.Token = request.Headers["X-ACCESS-TOKEN"]; // exit out of the method. If this header is set no more token discovery is perfomed. return(Task.FromResult <object>(null)); } if (request.Headers.ContainsKey("Authorization")) { context.Token = request.Headers["Authorization"]; } else if (request.Cookies["access_token"] != null) { context.Token = request.Cookies["access_token"]; } else { var value = request.Query.Get("access_token"); if (!string.IsNullOrEmpty(value)) { context.Token = value; } } return(Task.FromResult <object>(null)); } }; return(tokenProvider); }
public async Task Token_From_QueryString() { var provider = new OAuthBearerAuthenticationProvider { OnRequestToken = c => { var qs = c.OwinContext.Request.Query; c.Token = qs.Get("access_token"); return(Task.FromResult(0)); } }; _options.TokenProvider = provider; var client = PipelineFactory.CreateHttpClient(_options); var token = TokenFactory.CreateTokenString(TokenFactory.CreateToken()); var result = await client.GetAsync("http://test?access_token=" + token); result.StatusCode.Should().Be(HttpStatusCode.OK); }
public async Task Valid_Token_With_ValidatingIdentity_Deny_Access() { var provider = new OAuthBearerAuthenticationProvider { OnValidateIdentity = c => { c.Rejected(); return(Task.FromResult(0)); } }; _options.TokenProvider = provider; var client = PipelineFactory.CreateHttpClient(_options); var token = TokenFactory.CreateTokenString(TokenFactory.CreateToken()); client.SetBearerToken(token); var result = await client.GetAsync("http://test"); result.StatusCode.Should().Be(HttpStatusCode.Unauthorized); }
public static IAppBuilder UseJsonWebToken(this IAppBuilder app, string issuer, string audience, X509Certificate2 signingKey, OAuthBearerAuthenticationProvider location = null) { if (app == null) { throw new ArgumentNullException("app"); } var options = new JwtBearerAuthenticationOptions { AllowedAudiences = new[] { audience }, IssuerSecurityTokenProviders = new[] { new X509CertificateSecurityTokenProvider( issuer, signingKey) } }; if (location != null) { options.Provider = location; } app.UseJwtBearerAuthentication(options); return(app); }
public static IAppBuilder UseJsonWebToken(this IAppBuilder app, string issuer, string audience, string signingKey, string type = null, OAuthBearerAuthenticationProvider location = null) { if (app == null) { throw new ArgumentNullException("app"); } var options = new JwtBearerAuthenticationOptions { AllowedAudiences = new[] { audience }, IssuerSecurityTokenProviders = new[] { new SymmetricKeyIssuerSecurityTokenProvider( issuer, signingKey) } }; if (!string.IsNullOrEmpty(type)) { options.AuthenticationType = type; } if (location != null) { options.Provider = location; } app.UseJwtBearerAuthentication(options); return(app); }
public static void ConfigureHmacBearerTokenAuthentication(this IAppBuilder appBuilder, string[] authenticatedPaths) { appBuilder.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions { Provider = new OAuthBearerAuthenticationProvider { //This is the first callback made when OWIN starts //to process the request, here we need to set the token //to null if we don't want it to be processed - basically //this is where we need to: // * check the current request URL to see if we should auth the request (only deploy end points) OnRequestToken = context => { var umbPath = GlobalSettings.UmbracoMvcArea; var applicationBasePath = (context.Request.PathBase.HasValue ? context.Request.PathBase.Value : string.Empty).EnsureEndsWith('/'); var requestPath = context.Request.Uri.CleanPathAndQuery(); //Only authenticated endpoints to be authenticated and these must have the projectid //and memberid headers in the request if (authenticatedPaths.Any(s => requestPath.StartsWith($"{applicationBasePath}{umbPath}/{s}", StringComparison.InvariantCultureIgnoreCase)) && EnsureHeaderValues(context, ProjectAuthConstants.ProjectIdHeader, ProjectAuthConstants.MemberIdHeader)) { return(Task.FromResult(0)); } context.Token = null; return(Task.FromResult(0)); } }, AccessTokenProvider = new AuthenticationTokenProvider { //Callback used to parse the token in the request, //if the token parses correctly then we should assign a ticket //to the request, this is the "User" that will get assigned to //the request with Claims. //If the token is invalid, then don't assign a ticket and OWIN //will take care of the rest (not authenticated) OnReceive = context => { var requestPath = context.Request.Uri.CleanPathAndQuery(); if (!TryGetHeaderValue(context, ProjectAuthConstants.ProjectIdHeader, out var projectId)) { throw new InvalidOperationException("No project Id found in request"); // this will never happen } if (!TryGetHeaderValue(context, ProjectAuthConstants.MemberIdHeader, out var memberId)) { throw new InvalidOperationException("No member Id found in request"); // this will never happen } var umbracoHelper = new Umbraco.Web.UmbracoHelper(Umbraco.Web.UmbracoContext.Current); var project = umbracoHelper.TypedContent(projectId); if (project.GetPropertyValue <int>("owner") != memberId) { throw new InvalidOperationException("The user does not have owner permissions of the package"); // we generate the key ourselves, so would only happen if people edited the key themselves } //Get the stored auth key for this project and member var tokenService = new ProjectAuthKeyService(ApplicationContext.Current.DatabaseContext); var authKeys = tokenService.GetAllAuthKeysForProject(projectId); var timestamp = new DateTime(); if (authKeys.Any(authKey => HMACAuthentication.ValidateToken(context.Token, requestPath, authKey, out timestamp))) { //If ok, create a ticket here with the Claims we need to check for in AuthZ var ticket = new AuthenticationTicket( new ClaimsIdentity( new List <Claim> { new Claim(ProjectAuthConstants.BearerTokenClaimType, ProjectAuthConstants.BearerTokenClaimValue), new Claim(ProjectAuthConstants.ProjectIdClaim, projectId.ToInvariantString()), new Claim(ProjectAuthConstants.MemberIdClaim, memberId.ToInvariantString()), }, //The authentication type = this is important, if not set //then the ticket's IsAuthenticated property will be false authenticationType: ProjectAuthConstants.BearerTokenAuthenticationType), new AuthenticationProperties { //Expires after 5 minutes in case there are some long running operations ExpiresUtc = timestamp.AddMinutes(5) }); context.SetTicket(ticket); } else { throw new InvalidOperationException("Token validation failed"); } } } });