public Core.Common.Models.Client AuthenticateClient(AuthenticateInstruction instruction, Core.Common.Models.Client client) { if (instruction == null) { throw new ArgumentNullException(nameof(instruction)); } if (client == null) { throw new ArgumentNullException(nameof(client)); } if (instruction.Certificate == null || client.Secrets == null) { return(null); } var thumbPrint = client.Secrets.FirstOrDefault(s => s.Type == ClientSecretTypes.X509Thumbprint); var name = client.Secrets.FirstOrDefault(s => s.Type == ClientSecretTypes.X509Name); if (thumbPrint == null || name == null) { return(null); } var certificate = instruction.Certificate; var isSameThumbPrint = thumbPrint == null || thumbPrint != null && thumbPrint.Value == certificate.Thumbprint; var isSameName = name == null || name != null && name.Value == certificate.SubjectName.Name; return(isSameName && isSameThumbPrint ? client : null); }
/// <summary> /// Try to get the client id. /// </summary> /// <param name="instruction"></param> /// <returns></returns> public string GetClientId(AuthenticateInstruction instruction) { if (instruction.ClientAssertionType != Dtos.Constants.ClientAssertionTypes.JwtBearer || string.IsNullOrWhiteSpace(instruction.ClientAssertion)) { return(string.Empty); } var clientAssertion = instruction.ClientAssertion; var isJweToken = _jwtParser.IsJweToken(clientAssertion); var isJwsToken = _jwtParser.IsJwsToken(clientAssertion); if (isJweToken && isJwsToken) { return(string.Empty); } // It's a JWE token then return the client_id from the HTTP body if (isJweToken) { return(instruction.ClientIdFromHttpRequestBody); } // It's a JWS token then return the client_id from the token. var payload = _jwsParser.GetPayload(clientAssertion); if (payload == null) { return(string.Empty); } return(payload.Issuer); }
public string GetClientId(AuthenticateInstruction instruction) { if (instruction == null) { throw new ArgumentNullException("the instruction cannot be null"); } return(instruction.ClientIdFromAuthorizationHeader); }
public string GetClientId(AuthenticateInstruction instruction) { if (instruction == null) { throw new ArgumentNullException("the instruction parameter cannot be null"); } return(instruction.ClientIdFromHttpRequestBody); }
public AuthenticateInstruction GetAuthenticateInstruction(AuthenticationHeaderValue authenticationHeaderValue) { var result = new AuthenticateInstruction(); if (authenticationHeaderValue != null && !string.IsNullOrWhiteSpace(authenticationHeaderValue.Parameter)) { var parameters = GetParameters(authenticationHeaderValue.Parameter); if (parameters != null && parameters.Count() == 2) { result.ClientIdFromAuthorizationHeader = parameters[0]; result.ClientSecretFromAuthorizationHeader = parameters[1]; } } return(result); }
/// <summary> /// Try to get the client id from the HTTP body or HTTP header. /// </summary> /// <param name="instruction">Authentication instruction</param> /// <returns>Client id</returns> private string TryGettingClientId(AuthenticateInstruction instruction) { var clientId = _clientAssertionAuthentication.GetClientId(instruction); if (!string.IsNullOrWhiteSpace(clientId)) { return(clientId); } clientId = _clientSecretBasicAuthentication.GetClientId(instruction); if (!string.IsNullOrWhiteSpace(clientId)) { return(clientId); } return(_clientSecretPostAuthentication.GetClientId(instruction)); }
public Client AuthenticateClient(AuthenticateInstruction instruction, Client client) { if (client == null || instruction == null) { throw new ArgumentNullException("the client or instruction cannot be null"); } if (client.Secrets == null) { return(null); } var clientSecret = client.Secrets.FirstOrDefault(s => s.Type == ClientSecretTypes.SharedSecret); if (clientSecret == null) { return(null); } var sameSecret = string.Compare(clientSecret.Value, _clientPasswordService.Encrypt(instruction.ClientSecretFromAuthorizationHeader), StringComparison.CurrentCultureIgnoreCase) == 0; return(sameSecret ? client : null); }
public Core.Common.Models.Client AuthenticateClient(AuthenticateInstruction instruction, Core.Common.Models.Client client) { if (instruction == null || client == null) { throw new ArgumentNullException("the instruction or client parameter cannot be null"); } if (client.Secrets == null) { return(null); } var clientSecret = client.Secrets.FirstOrDefault(s => s.Type == ClientSecretTypes.SharedSecret); if (clientSecret == null) { return(null); } var sameSecret = string.Compare(clientSecret.Value, _clientPasswordService.Encrypt(instruction.ClientSecretFromHttpRequestBody), StringComparison.CurrentCultureIgnoreCase) == 0; return(sameSecret ? client : null); }
public async Task <AuthenticationResult> AuthenticateClientWithPrivateKeyJwtAsync(AuthenticateInstruction instruction, string expectedIssuer) { if (instruction == null) { throw new ArgumentNullException("instruction"); } var clientAssertion = instruction.ClientAssertion; var isJwsToken = _jwtParser.IsJwsToken(clientAssertion); if (!isJwsToken) { return(new AuthenticationResult(null, ErrorDescriptions.TheClientAssertionIsNotAJwsToken)); } var jws = instruction.ClientAssertion; var jwsPayload = _jwsParser.GetPayload(jws); if (jwsPayload == null) { return(new AuthenticationResult(null, ErrorDescriptions.TheJwsPayloadCannotBeExtracted)); } var clientId = jwsPayload.Issuer; var payload = await _jwtParser.UnSignAsync(jws, clientId); if (payload == null) { return(new AuthenticationResult(null, ErrorDescriptions.TheSignatureIsNotCorrect)); } return(await ValidateJwsPayLoad(payload, expectedIssuer)); }
public async Task <AuthenticationResult> AuthenticateClientWithClientSecretJwtAsync(AuthenticateInstruction instruction, string clientSecret, string expectedIssuer) { if (instruction == null) { throw new ArgumentNullException(nameof(instruction)); } var clientAssertion = instruction.ClientAssertion; var isJweToken = _jwtParser.IsJweToken(clientAssertion); if (!isJweToken) { return(new AuthenticationResult(null, ErrorDescriptions.TheClientAssertionIsNotAJweToken)); } var jwe = instruction.ClientAssertion; var clientId = instruction.ClientIdFromHttpRequestBody; var jws = await _jwtParser.DecryptWithPasswordAsync(jwe, clientId, clientSecret); if (string.IsNullOrWhiteSpace(jws)) { return(new AuthenticationResult(null, ErrorDescriptions.TheJweTokenCannotBeDecrypted)); } var isJwsToken = _jwtParser.IsJwsToken(jws); if (!isJwsToken) { return(new AuthenticationResult(null, ErrorDescriptions.TheClientAssertionIsNotAJwsToken)); } var jwsPayload = await _jwtParser.UnSignAsync(jws, clientId); if (jwsPayload == null) { return(new AuthenticationResult(null, ErrorDescriptions.TheJwsPayloadCannotBeExtracted)); } return(await ValidateJwsPayLoad(jwsPayload, expectedIssuer)); }
public async Task <AuthenticationResult> AuthenticateAsync(AuthenticateInstruction instruction, string issuerName, bool isAuthorizationCodeGrantType = false) { if (instruction == null) { throw new ArgumentNullException(nameof(instruction)); } Client client = null; // First we try to fetch the client_id // The different client authentication mechanisms are described here : http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication var clientId = TryGettingClientId(instruction); if (!string.IsNullOrWhiteSpace(clientId)) { client = await _clientRepository.GetClientByIdAsync(clientId).ConfigureAwait(false); } if (client == null) { return(new AuthenticationResult(null, ErrorDescriptions.TheClientDoesntExist)); } if (isAuthorizationCodeGrantType && client.RequirePkce) { return(new AuthenticationResult(client, string.Empty)); } var tokenEndPointAuthMethod = client.TokenEndPointAuthMethod; var authenticationType = Enum.GetName(typeof(TokenEndPointAuthenticationMethods), tokenEndPointAuthMethod); _oauthEventSource.StartToAuthenticateTheClient(client.ClientId, authenticationType); var errorMessage = string.Empty; switch (tokenEndPointAuthMethod) { case TokenEndPointAuthenticationMethods.client_secret_basic: client = _clientSecretBasicAuthentication.AuthenticateClient(instruction, client); if (client == null) { errorMessage = ErrorDescriptions.TheClientCannotBeAuthenticatedWithSecretBasic; } break; case TokenEndPointAuthenticationMethods.client_secret_post: client = _clientSecretPostAuthentication.AuthenticateClient(instruction, client); if (client == null) { errorMessage = ErrorDescriptions.TheClientCannotBeAuthenticatedWithSecretPost; } break; case TokenEndPointAuthenticationMethods.client_secret_jwt: if (client.Secrets == null || !client.Secrets.Any(s => s.Type == ClientSecretTypes.SharedSecret)) { errorMessage = string.Format(ErrorDescriptions.TheClientDoesntContainASharedSecret, client.ClientId); break; } return(await _clientAssertionAuthentication.AuthenticateClientWithClientSecretJwtAsync(instruction, client.Secrets.First(s => s.Type == ClientSecretTypes.SharedSecret).Value, issuerName).ConfigureAwait(false)); case TokenEndPointAuthenticationMethods.private_key_jwt: return(await _clientAssertionAuthentication.AuthenticateClientWithPrivateKeyJwtAsync(instruction, issuerName).ConfigureAwait(false)); case TokenEndPointAuthenticationMethods.tls_client_auth: client = _clientTlsAuthentication.AuthenticateClient(instruction, client); if (client == null) { errorMessage = ErrorDescriptions.TheClientCannotBeAuthenticatedWithTls; } break; } if (client != null) { _oauthEventSource.FinishToAuthenticateTheClient(client.ClientId, authenticationType); } return(new AuthenticationResult(client, errorMessage)); }