/// <summary>
/// A bearer value that was never issued as a token must be rejected: the
/// resource server is expected to throw a <see cref="ProtocolException"/>
/// instead of handing back an access token.
/// </summary>
public void GetAccessTokenWithTotallyFakeToken()
{
    // NOTE(review): the second analyzer argument is null in this scenario —
    // presumably no resource-server decryption key is in play here; confirm.
    var analyzer = new StandardAccessTokenAnalyzer(AsymmetricKey, null);
    var server = new ResourceServer(analyzer);

    var headers = new NameValueCollection();
    headers.Add("Authorization", "Bearer foobar");
    var resourceRequest = new HttpRequestInfo("GET", new Uri("http://localhost/resource"), headers: headers);

    // Assert.Catch accepts ProtocolException or any subclass, like Throws.InstanceOf.
    Assert.Catch<ProtocolException>(
        () => server.GetAccessTokenAsync(resourceRequest).GetAwaiter().GetResult());
}
/// <summary>
/// Tampering with the tail of an otherwise valid token must invalidate it:
/// the resource server is expected to throw a <see cref="ProtocolException"/>
/// rather than accept the altered value.
/// </summary>
public async Task GetAccessTokenWithCorruptedToken()
{
    var issuedToken = await this.ObtainValidAccessTokenAsync();

    // Drop the last character and append junk so the presented value is no
    // longer the token that was issued.
    var tamperedToken = issuedToken.Substring(0, issuedToken.Length - 1) + "zzz";

    var server = new ResourceServer(new StandardAccessTokenAnalyzer(AsymmetricKey, null));
    var headers = new NameValueCollection { { "Authorization", "Bearer " + tamperedToken } };
    var resourceRequest = new HttpRequestInfo("GET", new Uri("http://localhost/resource"), headers: headers);

    TestDelegate decode = () => server.GetAccessTokenAsync(resourceRequest).GetAwaiter().GetResult();
    Assert.That(decode, Throws.InstanceOf<ProtocolException>());
}
/// <summary>
/// Happy path: a token obtained from the authorization server is accepted by
/// the resource server and decoded to a non-null access token.
/// </summary>
public async Task GetAccessTokenWithValidToken()
{
    var issuedToken = await this.ObtainValidAccessTokenAsync();
    var server = new ResourceServer(new StandardAccessTokenAnalyzer(AsymmetricKey, null));

    var headers = new NameValueCollection { { "Authorization", "Bearer " + issuedToken } };
    var resourceRequest = new HttpRequestInfo("GET", new Uri("http://localhost/resource"), headers: headers);

    var decoded = await server.GetAccessTokenAsync(resourceRequest);
    Assert.IsNotNull(decoded);
}
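/// <summary>
/// Bearer-token gate for the action: short-circuits the request with an error
/// response unless a valid, non-revoked access token is presented, and otherwise
/// installs the token's principal before the action runs.
/// </summary>
/// <param name="actionContext">The Web API action context. Its <c>Response</c> is
/// assigned whenever the request must not reach the action.</param>
public override void OnActionExecuting(HttpActionContext actionContext)
{
    // we must have either WWW-Authorize header or access_token parameter to proceed
    // NOTE(review): the second test consults Request.Properties rather than the
    // query string — confirm that is where an access_token parameter lands.
    if (actionContext.Request.Headers.Authorization == null
        && !actionContext.Request.Properties.ContainsKey("access_token"))
    {
        actionContext.Response = BuildBearerAuthorizeResponse(HttpStatusCode.BadRequest);
    }
    else
    {
        try
        {
            var resourceServer = new ResourceServer(
                new StandardAccessTokenAnalyzer(OAuth2AuthorizationServerHost.HardCodedCryptoKeyStore));

            // This override used to be declared "async void". The method returns void,
            // so the filter pipeline has nothing to await: an async void body handed
            // control back at the first await, before actionContext.Response had been
            // decided, and any failure after that point was unobservable. The token
            // work is therefore waited on synchronously so the check completes before
            // this method returns. Overriding OnActionExecutingAsync instead would be
            // the cleaner route; this keeps the existing override in place.
            // NOTE(review): blocking here assumes the library's awaits do not require
            // the ASP.NET synchronization context — confirm, or move to the async
            // override.

            // validate token againt a revocation list
            var accessToken = resourceServer.GetAccessTokenAsync(actionContext.Request)
                .GetAwaiter().GetResult();
            var lastRevoke = OAuth2AuthorizationServerHost.ClientRevokes
                .Where(c => c.ClientIdentifier == accessToken.ClientIdentifier)
                .OrderByDescending(t => t.RevokeTime)
                .FirstOrDefault();

            // A revoke recorded after the token was issued invalidates it.
            // NOTE(review): assumes RevokeTime is kept in UTC like UtcIssued — confirm.
            if (lastRevoke != null && lastRevoke.RevokeTime > accessToken.UtcIssued)
            {
                actionContext.Response = BuildBearerAuthorizeResponse(
                    HttpStatusCode.Unauthorized, "invalid_token", "The access token has been revoked");
            }
            else
            {
                // get principal
                var principal = resourceServer.GetPrincipalAsync(actionContext.Request)
                    .GetAwaiter().GetResult();
                HttpContext.Current.User = principal;
                Thread.CurrentPrincipal = principal;
            }
        }
        catch (ProtocolException pe)
        {
            actionContext.Response = BearerHttpResponseMessageError(pe);
        }
        catch (Exception) // need to handle all exceptions to ensure resource isn't returned
        {
            actionContext.Response = BuildBearerAuthorizeResponse(HttpStatusCode.InternalServerError);
        }
    }

    base.OnActionExecuting(actionContext);
}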