[HttpHeader("x-frame-options", "SAMEORIGIN")] // mitigates clickjacking public async Task<ActionResult> Authorize() { var authServer = new AuthorizationServer(new AuthorizationServerHost()); var authRequest = await authServer.ReadAuthorizationRequestAsync(this.Request); this.ViewData["scope"] = authRequest.Scope; this.ViewData["request"] = this.Request.Url; return View(); }
public async Task ImplicitGrant() { var coordinatorClient = new UserAgentClient(AuthorizationServerDescription); coordinatorClient.ClientCredentialApplicator = null; // implicit grant clients don't need a secret. Handle(AuthorizationServerDescription.AuthorizationEndpoint).By( async (req, ct) => { var server = new AuthorizationServer(AuthorizationServerMock); var request = await server.ReadAuthorizationRequestAsync(req, ct); Assert.That(request, Is.Not.Null); IAccessTokenRequest accessTokenRequest = (EndUserAuthorizationImplicitRequest)request; Assert.That(accessTokenRequest.ClientAuthenticated, Is.False); var response = server.PrepareApproveAuthorizationRequest(request, ResourceOwnerUsername); return await server.Channel.PrepareResponseAsync(response, ct); }); { var client = new UserAgentClient(AuthorizationServerDescription, ClientId, ClientSecret, this.HostFactories); var authState = new AuthorizationState(TestScopes) { Callback = ClientCallback, }; var request = client.PrepareRequestUserAuthorization(authState, implicitResponseType: true); Assert.That(request.ResponseType, Is.EqualTo(EndUserAuthorizationResponseType.AccessToken)); var authRequestRedirect = await client.Channel.PrepareResponseAsync(request); Uri authRequestResponse; this.HostFactories.AllowAutoRedirects = false; using (var httpClient = this.HostFactories.CreateHttpClient()) { using (var httpResponse = await httpClient.GetAsync(authRequestRedirect.Headers.Location)) { authRequestResponse = httpResponse.Headers.Location; } } var incoming = await client.Channel.ReadFromRequestAsync(new HttpRequestMessage(HttpMethod.Get, authRequestResponse), CancellationToken.None); var result = await client.ProcessUserAuthorizationAsync(authState, incoming, CancellationToken.None); Assert.That(result.AccessToken, Is.Not.Null.And.Not.Empty); Assert.That(result.RefreshToken, Is.Null); } }
public async Task<ActionResult> Authorize(string username = null, string password = null) { if (username != null) { if (password != null) { var entities = new AzurenEntities(); User u; u = username.Contains("@") ? entities.Users.SingleOrDefault(m => m.Email == username) : entities.Users.SingleOrDefault(m => m.Username == username); if (u == null || StringHelper.CalcPassword(password, u.Salt) != u.Password) { return RedirectToAction("Authorize", new { redirect_uri = Request.Params["redirect_uri"], client_id = Request.Params["client_id"], scope = Request.Params["scope"], error = true }); } FormsAuthentication.SetAuthCookie(u.Username, true); System.Web.HttpContext.Current.User = new RolePrincipal(new MyIdentity(u.Username, "Forms", true)); } } if (!User.Identity.IsAuthenticated) { return Content("You must loggin first"); } var authServer = new AuthorizationServer(new AuthorizationServerHost()); var authRequest = await authServer.ReadAuthorizationRequestAsync(Request); var grantedResponse = authServer.PrepareApproveAuthorizationRequest( authRequest, this.User.Identity.Name, authRequest.Scope); IProtocolMessage responseMessage = grantedResponse; var response = await authServer.Channel.PrepareResponseAsync(responseMessage); return response.AsActionResult(); }
public async Task<ActionResult> Respond(string request, bool approval) { var authServer = new AuthorizationServer(new AuthorizationServerHost()); var authRequest = await authServer.ReadAuthorizationRequestAsync(new Uri(request)); IProtocolMessage responseMessage; if (approval) { var grantedResponse = authServer.PrepareApproveAuthorizationRequest( authRequest, this.User.Identity.Name, authRequest.Scope); responseMessage = grantedResponse; } else { var rejectionResponse = authServer.PrepareRejectAuthorizationRequest(authRequest); rejectionResponse.Error = Protocol.EndUserAuthorizationRequestErrorCodes.AccessDenied; responseMessage = rejectionResponse; } var response = await authServer.Channel.PrepareResponseAsync(responseMessage); return response.AsActionResult(); }
public async Task DecodeRefreshToken() { var refreshTokenSource = new TaskCompletionSource<string>(); Handle(AuthorizationServerDescription.AuthorizationEndpoint).By( async (req, ct) => { var server = new AuthorizationServer(AuthorizationServerMock); var request = await server.ReadAuthorizationRequestAsync(req, ct); Assert.That(request, Is.Not.Null); var response = server.PrepareApproveAuthorizationRequest(request, ResourceOwnerUsername); return await server.Channel.PrepareResponseAsync(response); }); Handle(AuthorizationServerDescription.TokenEndpoint).By( async (req, ct) => { var server = new AuthorizationServer(AuthorizationServerMock); var response = await server.HandleTokenRequestAsync(req, ct); var authorization = server.DecodeRefreshToken(refreshTokenSource.Task.Result); Assert.That(authorization, Is.Not.Null); Assert.That(authorization.User, Is.EqualTo(ResourceOwnerUsername)); return response; }); var client = new WebServerClient(AuthorizationServerDescription); try { var authState = new AuthorizationState(TestScopes) { Callback = ClientCallback, }; var authRedirectResponse = await client.PrepareRequestUserAuthorizationAsync(authState); this.HostFactories.CookieContainer.SetCookies(authRedirectResponse, ClientCallback); Uri authCompleteUri; using (var httpClient = this.HostFactories.CreateHttpClient()) { using (var response = await httpClient.GetAsync(authRedirectResponse.Headers.Location)) { response.EnsureSuccessStatusCode(); authCompleteUri = response.Headers.Location; } } var authCompleteRequest = new HttpRequestMessage(HttpMethod.Get, authCompleteUri); this.HostFactories.CookieContainer.ApplyCookies(authCompleteRequest); var result = await client.ProcessUserAuthorizationAsync(authCompleteRequest); Assert.That(result.AccessToken, Is.Not.Null.And.Not.Empty); Assert.That(result.RefreshToken, Is.Not.Null.And.Not.Empty); refreshTokenSource.SetResult(result.RefreshToken); } catch { refreshTokenSource.TrySetCanceled(); } }
public async Task AuthorizationCodeGrant() { Handle(AuthorizationServerDescription.AuthorizationEndpoint).By( async (req, ct) => { var server = new AuthorizationServer(AuthorizationServerMock); var request = await server.ReadAuthorizationRequestAsync(req, ct); Assert.That(request, Is.Not.Null); var response = server.PrepareApproveAuthorizationRequest(request, ResourceOwnerUsername); return await server.Channel.PrepareResponseAsync(response, ct); }); Handle(AuthorizationServerDescription.TokenEndpoint).By( async (req, ct) => { var server = new AuthorizationServer(AuthorizationServerMock); return await server.HandleTokenRequestAsync(req, ct); }); var client = new WebServerClient(AuthorizationServerDescription, ClientId, ClientSecret, this.HostFactories); var authState = new AuthorizationState(TestScopes) { Callback = ClientCallback, }; var authRequestRedirect = await client.PrepareRequestUserAuthorizationAsync(authState); this.HostFactories.CookieContainer.SetCookies(authRequestRedirect, ClientCallback); Uri authRequestResponse; this.HostFactories.AllowAutoRedirects = false; using (var httpClient = this.HostFactories.CreateHttpClient()) { using (var httpResponse = await httpClient.GetAsync(authRequestRedirect.Headers.Location)) { Assert.That(httpResponse.StatusCode, Is.EqualTo(HttpStatusCode.Redirect)); authRequestResponse = httpResponse.Headers.Location; } } var authorizationResponse = new HttpRequestMessage(HttpMethod.Get, authRequestResponse); this.HostFactories.CookieContainer.ApplyCookies(authorizationResponse); var result = await client.ProcessUserAuthorizationAsync(authorizationResponse, CancellationToken.None); Assert.That(result.AccessToken, Is.Not.Null.And.Not.Empty); Assert.That(result.RefreshToken, Is.Not.Null.And.Not.Empty); }