[HttpHeader("x-frame-options", "SAMEORIGIN")] // mitigates clickjacking
public async Task<ActionResult> Authorize() {
var authServer = new AuthorizationServer(new AuthorizationServerHost());
var authRequest = await authServer.ReadAuthorizationRequestAsync(this.Request);
this.ViewData["scope"] = authRequest.Scope;
this.ViewData["request"] = this.Request.Url;
return View();
}
public async Task ImplicitGrant() {
var coordinatorClient = new UserAgentClient(AuthorizationServerDescription);
coordinatorClient.ClientCredentialApplicator = null; // implicit grant clients don't need a secret.
Handle(AuthorizationServerDescription.AuthorizationEndpoint).By(
async (req, ct) => {
var server = new AuthorizationServer(AuthorizationServerMock);
var request = await server.ReadAuthorizationRequestAsync(req, ct);
Assert.That(request, Is.Not.Null);
IAccessTokenRequest accessTokenRequest = (EndUserAuthorizationImplicitRequest)request;
Assert.That(accessTokenRequest.ClientAuthenticated, Is.False);
var response = server.PrepareApproveAuthorizationRequest(request, ResourceOwnerUsername);
return await server.Channel.PrepareResponseAsync(response, ct);
});
{
var client = new UserAgentClient(AuthorizationServerDescription, ClientId, ClientSecret, this.HostFactories);
var authState = new AuthorizationState(TestScopes) { Callback = ClientCallback, };
var request = client.PrepareRequestUserAuthorization(authState, implicitResponseType: true);
Assert.That(request.ResponseType, Is.EqualTo(EndUserAuthorizationResponseType.AccessToken));
var authRequestRedirect = await client.Channel.PrepareResponseAsync(request);
Uri authRequestResponse;
this.HostFactories.AllowAutoRedirects = false;
using (var httpClient = this.HostFactories.CreateHttpClient()) {
using (var httpResponse = await httpClient.GetAsync(authRequestRedirect.Headers.Location)) {
authRequestResponse = httpResponse.Headers.Location;
}
}
var incoming =
await client.Channel.ReadFromRequestAsync(new HttpRequestMessage(HttpMethod.Get, authRequestResponse), CancellationToken.None);
var result = await client.ProcessUserAuthorizationAsync(authState, incoming, CancellationToken.None);
Assert.That(result.AccessToken, Is.Not.Null.And.Not.Empty);
Assert.That(result.RefreshToken, Is.Null);
}
}
public async Task<ActionResult> Authorize(string username = null, string password = null)
{
if (username != null)
{
if (password != null)
{
var entities = new AzurenEntities();
User u;
u = username.Contains("@") ? entities.Users.SingleOrDefault(m => m.Email == username) : entities.Users.SingleOrDefault(m => m.Username == username);
if (u == null || StringHelper.CalcPassword(password, u.Salt) != u.Password)
{
return RedirectToAction("Authorize", new { redirect_uri = Request.Params["redirect_uri"], client_id = Request.Params["client_id"], scope = Request.Params["scope"], error = true });
}
FormsAuthentication.SetAuthCookie(u.Username, true);
System.Web.HttpContext.Current.User = new RolePrincipal(new MyIdentity(u.Username, "Forms", true));
}
}
if (!User.Identity.IsAuthenticated)
{
return Content("You must loggin first");
}
var authServer = new AuthorizationServer(new AuthorizationServerHost());
var authRequest = await authServer.ReadAuthorizationRequestAsync(Request);
var grantedResponse = authServer.PrepareApproveAuthorizationRequest(
authRequest, this.User.Identity.Name, authRequest.Scope);
IProtocolMessage responseMessage = grantedResponse;
var response = await authServer.Channel.PrepareResponseAsync(responseMessage);
return response.AsActionResult();
}
public async Task<ActionResult> Respond(string request, bool approval) {
var authServer = new AuthorizationServer(new AuthorizationServerHost());
var authRequest = await authServer.ReadAuthorizationRequestAsync(new Uri(request));
IProtocolMessage responseMessage;
if (approval) {
var grantedResponse = authServer.PrepareApproveAuthorizationRequest(
authRequest, this.User.Identity.Name, authRequest.Scope);
responseMessage = grantedResponse;
} else {
var rejectionResponse = authServer.PrepareRejectAuthorizationRequest(authRequest);
rejectionResponse.Error = Protocol.EndUserAuthorizationRequestErrorCodes.AccessDenied;
responseMessage = rejectionResponse;
}
var response = await authServer.Channel.PrepareResponseAsync(responseMessage);
return response.AsActionResult();
}
public async Task DecodeRefreshToken() {
var refreshTokenSource = new TaskCompletionSource<string>();
Handle(AuthorizationServerDescription.AuthorizationEndpoint).By(
async (req, ct) => {
var server = new AuthorizationServer(AuthorizationServerMock);
var request = await server.ReadAuthorizationRequestAsync(req, ct);
Assert.That(request, Is.Not.Null);
var response = server.PrepareApproveAuthorizationRequest(request, ResourceOwnerUsername);
return await server.Channel.PrepareResponseAsync(response);
});
Handle(AuthorizationServerDescription.TokenEndpoint).By(
async (req, ct) => {
var server = new AuthorizationServer(AuthorizationServerMock);
var response = await server.HandleTokenRequestAsync(req, ct);
var authorization = server.DecodeRefreshToken(refreshTokenSource.Task.Result);
Assert.That(authorization, Is.Not.Null);
Assert.That(authorization.User, Is.EqualTo(ResourceOwnerUsername));
return response;
});
var client = new WebServerClient(AuthorizationServerDescription);
try {
var authState = new AuthorizationState(TestScopes) { Callback = ClientCallback, };
var authRedirectResponse = await client.PrepareRequestUserAuthorizationAsync(authState);
this.HostFactories.CookieContainer.SetCookies(authRedirectResponse, ClientCallback);
Uri authCompleteUri;
using (var httpClient = this.HostFactories.CreateHttpClient()) {
using (var response = await httpClient.GetAsync(authRedirectResponse.Headers.Location)) {
response.EnsureSuccessStatusCode();
authCompleteUri = response.Headers.Location;
}
}
var authCompleteRequest = new HttpRequestMessage(HttpMethod.Get, authCompleteUri);
this.HostFactories.CookieContainer.ApplyCookies(authCompleteRequest);
var result = await client.ProcessUserAuthorizationAsync(authCompleteRequest);
Assert.That(result.AccessToken, Is.Not.Null.And.Not.Empty);
Assert.That(result.RefreshToken, Is.Not.Null.And.Not.Empty);
refreshTokenSource.SetResult(result.RefreshToken);
} catch {
refreshTokenSource.TrySetCanceled();
}
}
public async Task AuthorizationCodeGrant() {
Handle(AuthorizationServerDescription.AuthorizationEndpoint).By(
async (req, ct) => {
var server = new AuthorizationServer(AuthorizationServerMock);
var request = await server.ReadAuthorizationRequestAsync(req, ct);
Assert.That(request, Is.Not.Null);
var response = server.PrepareApproveAuthorizationRequest(request, ResourceOwnerUsername);
return await server.Channel.PrepareResponseAsync(response, ct);
});
Handle(AuthorizationServerDescription.TokenEndpoint).By(
async (req, ct) => {
var server = new AuthorizationServer(AuthorizationServerMock);
return await server.HandleTokenRequestAsync(req, ct);
});
var client = new WebServerClient(AuthorizationServerDescription, ClientId, ClientSecret, this.HostFactories);
var authState = new AuthorizationState(TestScopes) {
Callback = ClientCallback,
};
var authRequestRedirect = await client.PrepareRequestUserAuthorizationAsync(authState);
this.HostFactories.CookieContainer.SetCookies(authRequestRedirect, ClientCallback);
Uri authRequestResponse;
this.HostFactories.AllowAutoRedirects = false;
using (var httpClient = this.HostFactories.CreateHttpClient()) {
using (var httpResponse = await httpClient.GetAsync(authRequestRedirect.Headers.Location)) {
Assert.That(httpResponse.StatusCode, Is.EqualTo(HttpStatusCode.Redirect));
authRequestResponse = httpResponse.Headers.Location;
}
}
var authorizationResponse = new HttpRequestMessage(HttpMethod.Get, authRequestResponse);
this.HostFactories.CookieContainer.ApplyCookies(authorizationResponse);
var result = await client.ProcessUserAuthorizationAsync(authorizationResponse, CancellationToken.None);
Assert.That(result.AccessToken, Is.Not.Null.And.Not.Empty);
Assert.That(result.RefreshToken, Is.Not.Null.And.Not.Empty);
}
