        /// <summary>
        /// A state token signed with one API key secret must not validate against another:
        /// the parser reports it as invalid and exposes no <c>Path</c>.
        /// </summary>
        public void FailValidationForIncorrectSecret()
        {
            var client = CreateClient();

            // Sign with a secret that is not the one the test fixture's GetApiKey() supplies.
            var wrongKey = new ClientApiKeyConfiguration(id: "foo", secret: "notTheCorrectSecret987");
            var tokenBuilder = new StateTokenBuilder(client, wrongKey) { Path = "/hello" };
            var signedToken = tokenBuilder.ToString();

            // Parse with the fixture key; the signature check is expected to reject the token.
            var parsed = new StateTokenParser(client, GetApiKey(), signedToken, null);

            parsed.Valid.Should().BeFalse();
            parsed.Path.Should().BeNull();
        }
        /// <summary>
        /// Handles the callback request: reads the <c>jwtResponse</c> query parameter, verifies the JWT
        /// signature with the configured API key secret, requires the header claim <c>stt</c> to equal
        /// <c>assertion</c>, then validates the embedded <c>state</c> claim with <see cref="StateTokenParser"/>
        /// before delegating to <c>HandleCallbackAsync</c>.
        /// </summary>
        /// <param name="context">The OWIN environment for the current request.</param>
        /// <param name="client">The client used to load the application and to parse the JWT.</param>
        /// <param name="contentNegotiationResult">Negotiated content type; not consulted by this method.</param>
        /// <param name="cancellationToken">Propagated to the asynchronous SDK calls.</param>
        /// <returns>Whatever <c>HandleCallbackAsync</c> returns for the validated callback.</returns>
        /// <exception cref="ArgumentNullException">The <c>jwtResponse</c> query parameter is missing or empty.</exception>
        /// <exception cref="InvalidJwtException">The JWT fails parsing/signature validation, or is not typed as an assertion.</exception>
        /// <exception cref="InvalidOperationException">The state token is missing or fails validation.</exception>
        protected override async Task<bool> GetAsync(IOwinEnvironment context, IClient client, ContentNegotiationResult contentNegotiationResult,
                                                      CancellationToken cancellationToken)
        {
            var application = await client.GetApplicationAsync(_configuration.Application.Href, cancellationToken);

            var query = QueryStringParser.Parse(context.Request.QueryString, _logger);
            var stormpathToken = query.GetString("jwtResponse");

            if (string.IsNullOrEmpty(stormpathToken))
            {
                throw new ArgumentNullException(nameof(stormpathToken), "Token was null."); // TODO json response, for now
            }

            // TODO: Use StormpathAssertionAuthenticator at SDK level (when it's ready) to locally validate token

            try
            {
                // The signature is checked against the API key secret; failures surface as InvalidJwtException
                // and are logged in the catch block below.
                var assertionJwt = client.NewJwtParser()
                    .SetSigningKey(_configuration.Client.ApiKey.Secret, Encoding.UTF8)
                    .Parse(stormpathToken);

                // A token whose signature is valid but whose type header is missing or not "assertion"
                // is rejected, so other token kinds signed with the same key cannot be used here.
                object rawTokenType;
                assertionJwt.Header.TryGetValue("stt", out rawTokenType);
                var isAssertion = rawTokenType != null
                                  && rawTokenType.ToString().Equals("assertion", StringComparison.Ordinal);
                if (!isAssertion)
                {
                    throw new InvalidJwtException("The token is not of the correct type");
                }

                // The state token ties this callback back to the request that started the flow.
                // A missing claim is passed through as null, which the parser reports as invalid.
                string stateToken = assertionJwt.Body.ContainsClaim("state")
                    ? assertionJwt.Body.GetClaim("state").ToString()
                    : null;

                var stateTokenResult = new StateTokenParser(client, _configuration.Client.ApiKey, stateToken, _logger);
                if (!stateTokenResult.Valid)
                {
                    _logger.Warn("State token was invalid", nameof(StormpathCallbackRoute));
                    throw new InvalidOperationException("State token was invalid"); // TODO json response, for now
                }

                return await HandleCallbackAsync(context, client, application, assertionJwt, stateTokenResult.Path, cancellationToken);
            }
            catch (InvalidJwtException ije)
            {
                _logger.Error(ije, message: "JWT failed validation", source: nameof(StormpathCallbackRoute));
                throw; // TODO json response
            }
        }
        /// <summary>
        /// A token built and parsed with the same API key round-trips: it validates, carries the
        /// original <c>Path</c>, and exposes a non-empty <c>State</c> value.
        /// </summary>
        public void RoundtripTokenWithPath()
        {
            const string expectedPath = "/foo/bar/9";
            var client = CreateClient();

            var tokenBuilder = new StateTokenBuilder(client, GetApiKey()) { Path = expectedPath };
            var signedToken = tokenBuilder.ToString();

            var parsed = new StateTokenParser(client, GetApiKey(), signedToken, null);

            parsed.Valid.Should().BeTrue();
            parsed.Path.Should().Be(expectedPath);
            parsed.State.Should().NotBeNullOrEmpty();
        }