private ReadAuthorizationRequest ( System.Web.HttpRequestBase request = null ) : DotNetOpenAuth.OAuth2.Messages.EndUserAuthorizationRequest | ||
request | System.Web.HttpRequestBase | |
리턴 | DotNetOpenAuth.OAuth2.Messages.EndUserAuthorizationRequest |
public ActionResult Authorise() { using (var server = (new OAuth2AuthorizationServer(new X509Certificate2(_absolutePathToPfx, _certificatePassword), new X509Certificate2(_absolutePathToCertificate)))) { var authorizationServer = new AuthorizationServer(server); var pendingRequest = authorizationServer.ReadAuthorizationRequest(); if (pendingRequest == null) { throw new HttpException((int)HttpStatusCode.BadRequest, "Missing authorization request."); } var requestingClient = MvcApplication.DataContext.Clients.First(c => c.ClientIdentifier == pendingRequest.ClientIdentifier); // Consider auto-approving if safe to do so. if (((OAuth2AuthorizationServer)authorizationServer.AuthorizationServerServices).CanBeAutoApproved(pendingRequest)) { var approval = authorizationServer.PrepareApproveAuthorizationRequest(pendingRequest, HttpContext.User.Identity.Name); return authorizationServer.Channel.PrepareResponse(approval).AsActionResult(); } var model = new AccountAuthorizeModel { ClientApp = requestingClient.Name, Scope = pendingRequest.Scope, AuthorizationRequest = pendingRequest, }; return View(model); } }
public ActionResult Authorize() { // Have DotNetOpenAuth read the info we need out of the request EndUserAuthorizationRequest pendingRequest = _authorizationServer.ReadAuthorizationRequest(); if (pendingRequest == null) { throw new HttpException(Convert.ToInt32(HttpStatusCode.BadRequest), "Missing authorization request."); } // Make sure the client is one we recognize Client requestingClient = _clientRepository.GetById(pendingRequest.ClientIdentifier); if (requestingClient == null) { throw new HttpException(Convert.ToInt32(HttpStatusCode.BadRequest), "Invalid request"); } // Ensure client is allowed to use the requested scopes if (!pendingRequest.Scope.IsSubsetOf(requestingClient.SupportedScopes)) { throw new HttpException(Convert.ToInt32(HttpStatusCode.BadRequest), "Invalid request"); } // Consider auto-approving if safe, so user doesn't have to authorize repeatedly. // Leaving this step out for now // Show user the authorization page by which they can authorize this client to access their // data within the resource determined by the requested scopes var model = new AccountAuthorizeModel { Client = requestingClient, Scopes = requestingClient.Scopes.Where(x => pendingRequest.Scope.Contains(x.Identifier)).ToList(), AuthorizationRequest = pendingRequest }; return(View(model)); }
public ActionResult AuthoriseResponse(bool isApproved) { using (OAuth2AuthorizationServer server = (new OAuth2AuthorizationServer(new X509Certificate2(ConfigurationManager.AppSettings["AbsolutePathToPfx"], ConfigurationManager.AppSettings["CertificatePassword"]), new X509Certificate2(ConfigurationManager.AppSettings["AbsolutePathToCertificate"])))) { AuthorizationServer authorizationServer = new AuthorizationServer(server); var pendingRequest = authorizationServer.ReadAuthorizationRequest(); if (pendingRequest == null) { throw new HttpException((int)HttpStatusCode.BadRequest, "Missing authorization request."); } IDirectedProtocolMessage response; if (isApproved) { // The authorization we file in our database lasts until the user explicitly revokes it. // You can cause the authorization to expire by setting the ExpirationDateUTC // property in the below created ClientAuthorization. var client = MvcApplication.DataContext.Clients.First(c => c.ClientIdentifier == pendingRequest.ClientIdentifier); client.ClientAuthorizations.Add( new ClientAuthorization { Scope = OAuthUtilities.JoinScopes(pendingRequest.Scope), User = MvcApplication.DataContext.Users.FirstOrDefault(u => u.Username == System.Web.HttpContext.Current.User.Identity.Name), CreatedOnUtc = DateTime.UtcNow, }); MvcApplication.DataContext.SaveChanges(); // submit now so that this new row can be retrieved later in this same HTTP request // In this simple sample, the user either agrees to the entire scope requested by the client or none of it. // But in a real app, you could grant a reduced scope of access to the client by passing a scope parameter to this method. response = authorizationServer.PrepareApproveAuthorizationRequest(pendingRequest, User.Identity.Name); } else { response = authorizationServer.PrepareRejectAuthorizationRequest(pendingRequest); } return authorizationServer.Channel.PrepareResponse(response).AsActionResult(); } }
protected override bool AuthorizeCore(HttpContextBase httpContext) { // Figure out what resource the request is intending to access to see if the // user has already authenticated to with it EndUserAuthorizationRequest pendingRequest = _authorizationServer.ReadAuthorizationRequest(); if (pendingRequest == null) { throw new HttpException(Convert.ToInt32(HttpStatusCode.BadRequest), "Missing authorization request."); } try { _targetResource = _resourceRepository.FindWithSupportedScopes(pendingRequest.Scope); // Above will return null if no resource supports all of the requested scopes if (_targetResource == null) { throw new HttpException(Convert.ToInt32(HttpStatusCode.BadRequest), "Bad authorization request."); } } catch (Exception) { throw new HttpException(Convert.ToInt32(HttpStatusCode.BadRequest), "Bad authorization request."); } // User is considered authorized if in possession of token that originated from the resource's login page, // Name of token is determined by the resource configuration string tokenName = _targetResource.AuthenticationTokenName; string encryptedToken = httpContext.Request[tokenName]; //could be in cookie if previously logged in, or querystring if just logged in if (string.IsNullOrWhiteSpace(encryptedToken)) { // No token, so unauthorized return(false); } // Validate this thing came from us via shared secret with the resource's login page // The implementation here ideally could be generalized a bit better or standardized string encryptionKey = _targetResource.AuthenticationKey; string decryptedToken = EncodingUtility.Decode(encryptedToken, encryptionKey); string[] tokenContentParts = decryptedToken.Split(';'); string name = tokenContentParts[0]; DateTime loginDate = DateTime.Parse(tokenContentParts[1]); bool storeCookie = bool.Parse(tokenContentParts[2]); if ((DateTime.Now.Subtract(loginDate) > TimeSpan.FromDays(7))) { // Expired, remove cookie if present and flag user as unauthorized httpContext.Response.Cookies.Remove(tokenName); return(false); } // Things look good. // Set principal for the authorization server IIdentity identity = new GenericIdentity(name); httpContext.User = new GenericPrincipal(identity, null); // If desired, persist cookie so user doesn't have to authenticate with the resource over and over var cookie = new HttpCookie(tokenName, encryptedToken); if (storeCookie) { cookie.Expires = DateTime.Now.AddDays(7); // could parameterize lifetime } httpContext.Response.AppendCookie(cookie); return(true); }