예제 #1
0
 protected override ClaimsIdentity GetOutputClaimsIdentity(ClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
 {
     ClaimsIdentity sourceIdentity = principal.Identities.First();
     ClaimsIdentity destinationIndentity = new ClaimsIdentity("Sample");
     CopyClaim(sourceIdentity, destinationIndentity);
     return destinationIndentity;
 }
예제 #2
0
 protected override System.Security.Claims.ClaimsIdentity GetOutputClaimsIdentity(System.Security.Claims.ClaimsPrincipal principal, System.IdentityModel.Protocols.WSTrust.RequestSecurityToken request, Scope scope)
 {
     ClaimsIdentity outgoingIdentity = new ClaimsIdentity();
     outgoingIdentity.AddClaim(new Claim("http://schemas.microsoft.com/ws/2008/06/identity/claims/role", "Student"));
     return outgoingIdentity;
     
 }
        protected override Scope GetScope(ClaimsPrincipal principal, RequestSecurityToken request)
        {
            // Validate the AppliesTo address
            ValidateAppliesTo( request.AppliesTo );

            // Create the scope using the request AppliesTo address and the RP identity
            Scope scope = new Scope( request.AppliesTo.Uri.AbsoluteUri, _signingCreds );

            if (Uri.IsWellFormedUriString(request.ReplyTo, UriKind.Absolute))
            {
                if (request.AppliesTo.Uri.Host != new Uri(request.ReplyTo).Host)
                    scope.ReplyToAddress = request.AppliesTo.Uri.AbsoluteUri;
                else
                    scope.ReplyToAddress = request.ReplyTo;
            }
            else
            {
                Uri resultUri = null;
                if (Uri.TryCreate(request.AppliesTo.Uri, request.ReplyTo, out resultUri))
                    scope.ReplyToAddress = resultUri.AbsoluteUri;
                else
                    scope.ReplyToAddress = request.AppliesTo.Uri.ToString() ;
            }

            // Note: In this sample app only a single RP identity is shown, which is localhost, and the certificate of that RP is
            // populated as _encryptingCreds
            // If you have multiple RPs for the STS you would select the certificate that is specific to
            // the RP that requests the token and then use that for _encryptingCreds
            scope.EncryptingCredentials = _encryptingCreds;

            return scope;
        }
        protected override ClaimsIdentity GetOutputClaimsIdentity(ClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
        {
            if (null == principal)
            {
                throw new ArgumentNullException("principal");
            }

            var outputIdentity = new ClaimsIdentity();
            IEnumerable<Claim> outputClaims;

            if (this.scopeModel.UseClaimsPolicyEngine)
            {
                IClaimsPolicyEvaluator evaluator = new ClaimsPolicyEvaluator(PolicyStoreFactory.Instance);
                outputClaims = evaluator.Evaluate(new Uri(scope.AppliesToAddress), ((ClaimsIdentity)principal.Identity).Claims);
            }
            else
            {
                outputClaims = ((ClaimsIdentity)principal.Identity).Claims;
            }

            outputIdentity.AddClaims(outputClaims);
            if (outputIdentity.Name == null && outputIdentity.Claims.SingleOrDefault(c => c.Type == ClaimTypes.NameIdentifier) != null)
                outputIdentity.AddClaim(new Claim(ClaimTypes.Name, outputIdentity.Claims.SingleOrDefault(c => c.Type == ClaimTypes.NameIdentifier).Value));

            var isPersistent =
                ((ClaimsIdentity)principal.Identity).Claims.SingleOrDefault(c => c.Type == ClaimTypes.IsPersistent);
            if (isPersistent != null)
            {
                outputIdentity.AddClaim(new Claim(ClaimTypes.IsPersistent, isPersistent.Value));
            }

            return outputIdentity;
        }
예제 #5
0
 protected override Scope GetScope(System.Security.Claims.ClaimsPrincipal principal, System.IdentityModel.Protocols.WSTrust.RequestSecurityToken request)
 {
     Scope scope = new Scope(request.AppliesTo.Uri.AbsoluteUri);
     scope.TokenEncryptionRequired = false;
     scope.SymmetricKeyEncryptionRequired = false;
     return scope;
 }
        protected override Scope GetScope(ClaimsPrincipal principal, RequestSecurityToken request)
        {
            //
            // TODO: Limit use of STS (via RequestSecurityToken.AppliesTo property) and add encryption in this method.
            //

            ValidateAppliesTo(request.AppliesTo);

            var scope = new Scope(request.AppliesTo.Uri.OriginalString, SecurityTokenServiceConfiguration.SigningCredentials);

            if (!string.IsNullOrEmpty(ConfigurationManager.AppSettings["EncryptionCertificate"]))
            {
                // Important note on setting the encrypting credentials.
                // In a production deployment, you would need to select a certificate that is specific to the RP that is requesting the token.
                // You can examine the 'request' to obtain information to determine the certificate to use.

                var encryptingCertificate = GetCertificate(ConfigurationManager.AppSettings["EncryptionCertificate"]);
                var encryptingCredentials = new X509EncryptingCredentials(encryptingCertificate);
                scope.EncryptingCredentials = encryptingCredentials;
            }
            else
            {
                // If there is no encryption certificate specified, the STS will not perform encryption.
                // This will succeed for tokens that are created without keys (BearerTokens) or asymmetric keys.
                scope.TokenEncryptionRequired = false;
            }

            // Specify where the user will be redirected to, upon posting the form.
            scope.ReplyToAddress = request.ReplyTo;

            return scope;
        }
        protected override ClaimsIdentity GetOutputClaimsIdentity(ClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
        {
            if (principal == null)
            {
                throw new InvalidRequestException("The caller's principal is null.");
            }

            // check github
            string ak = principal.FindFirst(Constants.CLAIM_TYPE_GITHUB_AK).Value;
            string openid = Utility.GetOpenId(ak);

            // check account
            ADAccountInfo info = AccountHelper.GetHelper().GetAccount(openid);

            if (info == null)
            {
                throw new InvalidRequestException("wrong github login or not binded, cannot login.");
            }

            var claims = new[]
            {
                new Claim(Constants.CLAIM_TYPE_PRIMARY_SID, info.primarysid),
                new Claim(System.IdentityModel.Claims.ClaimTypes.Upn, info.upnUpper),
                new Claim(System.IdentityModel.Claims.ClaimTypes.Upn, info.upnLower),
                new Claim(System.IdentityModel.Claims.ClaimTypes.Name, info.name),
            };

            var id = new ClaimsIdentity(claims);

            return id;
        }
        protected override Scope GetScope(ClaimsPrincipal principal, RequestSecurityToken request)
        {
            ValidateAppliesTo(request.AppliesTo);

            var scope = new Scope(request.AppliesTo.Uri.AbsoluteUri, SecurityTokenServiceConfiguration.SigningCredentials);

            if (Uri.IsWellFormedUriString(request.ReplyTo, UriKind.Absolute))
            {
                if (request.AppliesTo.Uri.Host != new Uri(request.ReplyTo).Host)
                    scope.ReplyToAddress = request.AppliesTo.Uri.AbsoluteUri;
                else
                    scope.ReplyToAddress = request.ReplyTo;
            }
            else
            {
                Uri resultUri = null;
                if (Uri.TryCreate(request.AppliesTo.Uri, request.ReplyTo, out resultUri))
                    scope.ReplyToAddress = resultUri.AbsoluteUri;
                else
                    scope.ReplyToAddress = request.AppliesTo.Uri.ToString();
            }

            scope.TokenEncryptionRequired = false;
            scope.SymmetricKeyEncryptionRequired = false;

            return scope;
        }
 protected override Scope GetScope(ClaimsPrincipal principal, System.IdentityModel.Protocols.WSTrust.RequestSecurityToken request)
 {
     var s = new Scope();
     s.SigningCredentials = SecurityTokenServiceConfiguration.SigningCredentials;
     s.TokenEncryptionRequired = false;
     s.SymmetricKeyEncryptionRequired = false;
     s.ReplyToAddress = request.ReplyTo;
     s.AppliesToAddress = request.AppliesTo.Uri.ToString();
     return s;
 }
        protected override ClaimsIdentity GetOutputClaimsIdentity(ClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
        {
            var config = ClaimsConfiguration.ConfigurationFactory();
            var realm = request.AppliesTo.Uri.AbsoluteUri;
            var claims = new List<Claim>();

            claims.AddRange(GetClaimsForRealm("common", config));
            claims.AddRange(GetClaimsForRealm(realm,config));

            return new ClaimsIdentity(claims);
        }
 protected override Scope GetScope(ClaimsPrincipal principal, RequestSecurityToken request)
 {
     var scope = new Scope(request.AppliesTo.Uri.AbsoluteUri,
         this.SecurityTokenServiceConfiguration.SigningCredentials)
                 {
                     TokenEncryptionRequired = false
                 };
     scope.ReplyToAddress = string.IsNullOrWhiteSpace(request.ReplyTo)
         ? scope.AppliesToAddress
         : scope.ReplyToAddress;
     return scope;
 }
        protected override ClaimsIdentity GetOutputClaimsIdentity(ClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
        {
            var claims = new[]
                {
                    new Claim(System.IdentityModel.Claims.ClaimTypes.Name, principal.Identity.Name),
                    new Claim(System.IdentityModel.Claims.ClaimTypes.NameIdentifier, principal.Identity.Name),
                };

            var identity = new ClaimsIdentity(claims);

            return identity;
        }
예제 #13
0
 protected override Scope GetScope(ClaimsPrincipal principal, RequestSecurityToken request)
 {
     var scope = new Scope(request.AppliesTo.Uri.OriginalString, SecurityTokenServiceConfiguration.SigningCredentials)
     {
         ReplyToAddress = request.ReplyTo,
         TokenEncryptionRequired = false,
     };
     if (_encryptingCredentials != null)
     {
         scope.EncryptingCredentials = _encryptingCredentials;
     }
     return scope;
 }
        protected override ClaimsIdentity GetOutputClaimsIdentity( ClaimsPrincipal principal, RequestSecurityToken request, Scope scope )
        {
            ClaimsIdentity outgoingIdentity = new ClaimsIdentity();
            outgoingIdentity.AddClaims(principal.Claims);

            List<Role> roles = (List<Role>)HttpContext.Current.Session["User_Roles_" + principal.Identity.Name];

            RBACHelper rbacHelper = new RBACHelper();
            Permission[] permissions = rbacHelper.GetUserPermissions(Factory.Session(Factory.User(principal.Identity.Name), roles.ToArray()));

            outgoingIdentity.AddClaim(new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/permissions", Serialize(permissions)));

            return outgoingIdentity;
        }
예제 #15
0
        protected override ClaimsIdentity GetOutputClaimsIdentity(ClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
        {
            var claims = new[]
                {
                    new System.Security.Claims.Claim(System.IdentityModel.Claims.ClaimTypes.Name, principal.Identity.Name),
                    new System.Security.Claims.Claim(System.IdentityModel.Claims.ClaimTypes.NameIdentifier, principal.Identity.Name),
                    new System.Security.Claims.Claim(System.IdentityModel.Claims.ClaimTypes.PostalCode, "92110"),
                    new System.Security.Claims.Claim(System.IdentityModel.Claims.ClaimTypes.Country, "France"),
                    new System.Security.Claims.Claim(System.Security.Claims.ClaimTypes.Role, "Admin"),
                };

            var identity = new ClaimsIdentity(claims);

            return identity;
        }
        protected override Scope GetScope(ClaimsPrincipal claimsPrincipal, RequestSecurityToken requestSecurityToken)
        {
            if (requestSecurityToken.AppliesTo == null)
            {
                throw new InvalidRequestException("Request for security token does not have a realm.");
            }
            var scope = new Scope(requestSecurityToken.AppliesTo.Uri.AbsoluteUri,
                this.securityTokenServiceConfiguration.SigningCredentials)
                {TokenEncryptionRequired = false,
                    ReplyToAddress = requestSecurityToken.AppliesTo.Uri.AbsoluteUri};

            requestSecurityToken.TokenType = SamlTwoTokenType;

            return scope;
        }
예제 #17
0
        protected override Scope GetScope(ClaimsPrincipal principal, RequestSecurityToken request)
        {
            Scope scope = new Scope(request.AppliesTo.Uri.ToString(), _signingCredentials);

            if (_encryptingCredentials != null)
            {
                scope.EncryptingCredentials = _encryptingCredentials;
            }
            else
            {
                scope.TokenEncryptionRequired = false;
            }

            if (Uri.IsWellFormedUriString(request.ReplyTo, UriKind.Absolute))
            {
                if (request.AppliesTo.Uri.Host != new Uri(request.ReplyTo).Host)
                {
                    scope.ReplyToAddress = request.AppliesTo.Uri.AbsoluteUri;
                }
                else
                {
                    scope.ReplyToAddress = request.ReplyTo;
                }
            }
            else
            {
                Uri resulturi = null;
                if (Uri.TryCreate(request.AppliesTo.Uri.AbsoluteUri, UriKind.Absolute, out resulturi))
                {
                    scope.ReplyToAddress = resulturi.AbsoluteUri;
                }
                else
                {
                    scope.ReplyToAddress = request.AppliesTo.Uri.AbsoluteUri;
                }
            }

            return scope;
        }
예제 #18
0
        protected override ClaimsIdentity GetOutputClaimsIdentity(ClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
        {
            ClaimsIdentity userIdentity = principal?.Identities?.First();
            if (userIdentity == null)
                throw new Exception("User Identity not found.");
            var inheritedClaims =
                userIdentity.Claims.Where(i => !i.Type.In(ClaimTypes.AuthenticationInstant, ClaimTypes.AuthenticationMethod))
                .Select(c => new Claim(c.Type, c.Value));

            var relyingParty = (scope as RequestScope).RelyingParty;

            var outputIdentity = new ClaimsIdentity(relyingParty.IssuerName);
            // We also have the ClaimTypes.AuthenticationMethod that shows which was the original authenticator
            outputIdentity.AddClaim(new Claim(ClaimTypes.AuthenticationInstant, 
                DateTime.UtcNow.ToString("yyyy-MM-dd'T'HH:mm:ss'Z'"), 
                ClaimValueTypes.DateTime, relyingParty.IssuerName));
            outputIdentity.AddClaim(new Claim(ClaimTypes.AuthenticationMethod, 
                relyingParty.AuthenticationUrl, 
                ClaimValueTypes.String, relyingParty.IssuerName));

            outputIdentity.AddClaims(inheritedClaims);

            return outputIdentity;
        }
예제 #19
0
 protected override ClaimsIdentity GetOutputClaimsIdentity(ClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
 {
     var id = principal.Claims.First(x => x.Type == ClaimTypes.NameIdentifier).Value;
     var availableProviders =
         ConfigurationManager.AppSettings["AuthenticationProviders"].Split(',')
             .Select(x => x.Trim())
             .Where(x => !string.IsNullOrEmpty(x))
             .ToArray();
     var user = AsyncRunner.RunNoSynchronizationContext(() => _userStore.FindByIdAsync(id));
     var connectedProviders = AsyncRunner.RunNoSynchronizationContext(() => _userStore.GetLoginsAsync(user)).Select(x => x.LoginProvider).ToList();
     var loginClaims = connectedProviders.Select(x => new Claim(Consts.ManagementConnectedAccountType, x)).Concat(
         availableProviders.Except(connectedProviders).Select(x => new Claim(Consts.ManagementDisconnectedAccountType, x))).ToList();
     var hasLocalAccount = !string.IsNullOrWhiteSpace(user.PasswordHash);
     loginClaims.Add(new Claim(hasLocalAccount ? Consts.ManagementConnectedAccountType : Consts.ManagementDisconnectedAccountType, "Local"));
     var serviceClaims = AsyncRunner.RunNoSynchronizationContext(() => _userStore.GetServicesAsync(user)).Select(x => new Claim(Consts.RegisteredServiceType, x));
     var claims = new[]
     {
         new Claim(ClaimTypes.Name, id),
         new Claim(ClaimTypes.NameIdentifier, id),
         new Claim(ClaimTypes.Email, principal.Identity.Name),
         new Claim(Consts.ManagementUrlType, System.Web.HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path) + "?action=[action]&data=[data]"), 
     };
     return new ClaimsIdentity(claims.Concat(loginClaims).Concat(serviceClaims));
 }
예제 #20
0
        protected override Scope GetScope(ClaimsPrincipal principal, RequestSecurityToken request)
        {
            this.ValidateAppliesTo(request.AppliesTo);
            Scope scope = new Scope(request.AppliesTo.Uri.OriginalString, SecurityTokenServiceConfiguration.SigningCredentials);

            scope.TokenEncryptionRequired = false;
            scope.SymmetricKeyEncryptionRequired = false;

            if (string.IsNullOrEmpty(request.ReplyTo))
            {
                scope.ReplyToAddress = scope.AppliesToAddress;
            }
            else
            {
                scope.ReplyToAddress = request.ReplyTo;
            }

            return scope;
        }
예제 #21
0
 protected override ClaimsIdentity GetOutputClaimsIdentity(ClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
 {
     return m_claims;
 }
예제 #22
0
        /// <summary>
        ///     Produces the output identity that gets transformed into a token
        /// </summary>
        /// <param name="principal">The principal.</param>
        /// <param name="request">The request.</param>
        /// <param name="scope">The scope.</param>
        /// <returns>An IClaimsIdentity describing the subject</returns>
        protected override ClaimsIdentity GetOutputClaimsIdentity(ClaimsPrincipal principal,
            RequestSecurityToken request, Scope scope)
        {
            var requestDetails = (scope as RequestDetailsScope).RequestDetails;

            // externally authenticated user
            if (
                principal.HasClaim(
                    c => c.Type == Constants.Claims.IdentityProvider && c.Issuer == Constants.InternalIssuer))
            {
                Tracing.Information("Issuing a token for an external user.");
                return GetExternalOutputClaims(principal, requestDetails);
            }

            var userClaims = GetOutputClaims(principal, requestDetails, ClaimsRepository);
            var outputIdentity = new ClaimsIdentity(userClaims, "IdSrv");

            if (requestDetails.IsActAsRequest)
            {
                Tracing.Information("Issuing act as token");
                return GetActAsClaimsIdentity(outputIdentity, requestDetails);
            }
            Tracing.Information("Issuing identity token");
            return outputIdentity;
        }
 protected override ClaimsIdentity GetOutputClaimsIdentity(ClaimsPrincipal principal, System.IdentityModel.Protocols.WSTrust.RequestSecurityToken request, Scope scope)
 {
     return principal.Identity as ClaimsIdentity;
 }
예제 #24
0
 protected override System.Security.Claims.ClaimsIdentity GetOutputClaimsIdentity(System.Security.Claims.ClaimsPrincipal principal, System.IdentityModel.Protocols.WSTrust.RequestSecurityToken request, Scope scope)
 {
     throw new NotImplementedException();
 }
 /// <summary>
 /// Begins async call for GetOutputSubjects routine. Default implementation will throw a NotImplementedExcetion.
 /// Refer MSDN articles on Using an AsyncCallback Delegate to End an Asynchronous Operation.
 /// </summary>
 /// <param name="principal">The authorization context that represents the identity of the requestor.</param>
 /// <param name="request">The token request parameters that arrived in the call.</param>
 /// <param name="scope">The scope information about the Relying Party.</param>
 /// <param name="callback">The callback to be invoked when the user Asynchronous operation completed.</param>
 /// <param name="state">The state object.</param>
 /// <returns>IAsyncResult. Represents the status of an asynchronous operation. This will be passed into 
 /// EndGetOutputClaimsIdentity.</returns>
 protected virtual IAsyncResult BeginGetOutputClaimsIdentity(ClaimsPrincipal principal, RequestSecurityToken request, Scope scope, AsyncCallback callback, object state)
 {
     throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotImplementedException(SR.GetString(SR.ID2081)));
 }
 /// <summary>
 /// When overridden in a derived class, this method should return a collection of output subjects to be included in the issued token.
 /// </summary>
 /// <param name="principal">The ClaimsPrincipal that represents the identity of the requestor.</param>
 /// <param name="request">The token request parameters that arrived in the call.</param>
 /// <param name="scope">The scope information about the Relying Party.</param>
 /// <returns>The ClaimsIdentity representing the collection of claims that will be placed in the issued security token.</returns>
 protected abstract ClaimsIdentity GetOutputClaimsIdentity(ClaimsPrincipal principal, RequestSecurityToken request, Scope scope);
        /// <summary>
        /// Gets the proof token.
        /// </summary>
        /// <param name="request">The incoming token request.</param>
        /// <param name="scope">The scope instance encapsulating information about the relying party.</param>
        /// <returns>The newly created proof decriptor that could be either asymmetric proof descriptor or symmetric proof descriptor or null in the bearer token case.</returns>
        protected virtual ProofDescriptor GetProofToken(RST request, Scope scope)
        {
            if (request == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("request");
            }

            if (scope == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("scope");
            }

            EncryptingCredentials requestorWrappingCredentials = GetRequestorProofEncryptingCredentials(request);

            if (scope.EncryptingCredentials != null &&
                  !(scope.EncryptingCredentials.SecurityKey is AsymmetricSecurityKey))
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
                                    new SecurityTokenException(SR.GetString(SR.ID4179)));
            }

            EncryptingCredentials targetWrappingCredentials = scope.EncryptingCredentials;

            //
            // Generate the proof key
            //
            string keyType = (string.IsNullOrEmpty(request.KeyType)) ? KeyTypes.Symmetric : request.KeyType;
            ProofDescriptor result = null;

            if (StringComparer.Ordinal.Equals(keyType, KeyTypes.Asymmetric))
            {
                //
                // Asymmetric is only supported with UseKey
                //
                if (request.UseKey == null)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidRequestException(SR.GetString(SR.ID3091)));
                }

                result = new AsymmetricProofDescriptor(request.UseKey.SecurityKeyIdentifier);
            }
            else if (StringComparer.Ordinal.Equals(keyType, KeyTypes.Symmetric))
            {
                //
                // Only support PSHA1. Overwrite STS to support custom key algorithm
                //
                if (request.ComputedKeyAlgorithm != null && !StringComparer.Ordinal.Equals(request.ComputedKeyAlgorithm, ComputedKeyAlgorithms.Psha1))
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new RequestFailedException(SR.GetString(SR.ID2011, request.ComputedKeyAlgorithm)));
                }
                //
                // We must wrap the symmetric key inside the security token
                //
                if (targetWrappingCredentials == null && scope.SymmetricKeyEncryptionRequired)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new RequestFailedException(SR.GetString(SR.ID4007)));
                }

                //
                // We are encrypting the proof token or the server entropy using client's encrypting credential if present,
                // which will be used to encrypt the key during serialization.
                // Otherwise, we can only send back the key in plain text. However, the current implementation of 
                // WSTrustServiceContract sets the rst.ProofEncryption = null by default. Therefore, the server entropy
                // or the proof token will be sent in plain text no matter the client's entropy is sent encrypted or unencrypted.
                //
                if (request.KeySizeInBits.HasValue)
                {
                    if (request.Entropy != null)
                    {
                        result = new SymmetricProofDescriptor(request.KeySizeInBits.Value, targetWrappingCredentials, requestorWrappingCredentials,
                                                               request.Entropy.GetKeyBytes(), request.EncryptWith);
                    }
                    else
                    {
                        result = new SymmetricProofDescriptor(request.KeySizeInBits.Value, targetWrappingCredentials,
                                                               requestorWrappingCredentials, request.EncryptWith);
                    }
                }
                else
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new RequestFailedException(SR.GetString(SR.ID2059)));
                }
            }
            else if (StringComparer.Ordinal.Equals(keyType, KeyTypes.Bearer))
            {
                //
                // Intentionally empty, no proofDescriptor
                //
            }

            return result;
        }
예제 #28
0
        protected override ClaimsIdentity GetOutputClaimsIdentity(ClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
        {
            if (principal == null)
            {
                throw new InvalidRequestException("The caller's principal is null.");
            }

            var claimsIdentity = principal.Identity as ClaimsIdentity;
            if (claimsIdentity == null)
            {
                throw new InvalidRequestException("The caller's identity is invalid.");
            }

            return claimsIdentity;
        }
예제 #29
0
        protected override Scope GetScope(ClaimsPrincipal principal, RequestSecurityToken request)
        {
            if (request.AppliesTo == null)
            {
                throw new InvalidRequestException("The AppliesTo is null.");
            }

            var scope = new Scope(request.AppliesTo.Uri.OriginalString, SecurityTokenServiceConfiguration.SigningCredentials)
            {
                TokenEncryptionRequired = false,
                SymmetricKeyEncryptionRequired = false
            };

            scope.ReplyToAddress = string.IsNullOrEmpty(request.ReplyTo) ? scope.AppliesToAddress : request.ReplyTo;

            return scope;
        }
        /// <summary>
        /// Creates an instance of a <see cref="SecurityTokenDescriptor"/>.
        /// </summary>
        /// <param name="request">The incoming token request.</param>
        /// <param name="scope">The <see cref="Scope"/> object returned from <see cref="SecurityTokenService.GetScope"/>.</param>
        /// <returns>The <see cref="SecurityTokenDescriptor"/>.</returns>
        /// <remarks>Invoked during token issuance after <see cref="SecurityTokenService.GetScope"/>.</remarks>
        protected virtual SecurityTokenDescriptor CreateSecurityTokenDescriptor(RST request, Scope scope)
        {
            if (request == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("request");
            }

            if (scope == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("scope");
            }

            SecurityTokenDescriptor d = new SecurityTokenDescriptor();
            d.AppliesToAddress = scope.AppliesToAddress;
            d.ReplyToAddress = scope.ReplyToAddress;
            d.SigningCredentials = scope.SigningCredentials;
            if (null == d.SigningCredentials)
            {
                d.SigningCredentials = this.SecurityTokenServiceConfiguration.SigningCredentials;
            }



            //
            // The encrypting credentials specified on the Scope object
            // are invariant relative to a specific RP. Allowing the STS to 
            // cache the Scope for each RP.
            // Our default implementation will generate the symmetric bulk 
            // encryption key on the fly.
            //
            if (scope.EncryptingCredentials != null &&
                 scope.EncryptingCredentials.SecurityKey is AsymmetricSecurityKey
                 )
            {
                if ((request.EncryptionAlgorithm == null || request.EncryptionAlgorithm == SecurityAlgorithms.Aes256Encryption) &&
                    (request.SecondaryParameters == null || request.SecondaryParameters.EncryptionAlgorithm == null || request.SecondaryParameters.EncryptionAlgorithm == SecurityAlgorithms.Aes256Encryption)
                    )
                {
                    d.EncryptingCredentials = new EncryptedKeyEncryptingCredentials(scope.EncryptingCredentials, 256, SecurityAlgorithms.Aes256Encryption);
                }
            }

            return d;
        }