// POST /token
public HttpResponseMessage AccessToken(HttpRequestMessage request)
{
var authServer = new AuthorizationServer(new OAuth2AuthorizationServer());
var message = authServer.HandleTokenRequest(request);
return(message.AsHttpResponseMessage());
}
public async Task <ActionResult> Respond(string request, bool approval)
{
var authServer = new AuthorizationServer(new AuthorizationServerHost());
var authRequest = await authServer.ReadAuthorizationRequestAsync(new Uri(request));
IProtocolMessage responseMessage;
if (approval)
{
var grantedResponse = authServer.PrepareApproveAuthorizationRequest(
authRequest, this.User.Identity.Name, authRequest.Scope);
responseMessage = grantedResponse;
}
else
{
var rejectionResponse = authServer.PrepareRejectAuthorizationRequest(authRequest);
rejectionResponse.Error = Protocol.EndUserAuthorizationRequestErrorCodes.AccessDenied;
responseMessage = rejectionResponse;
}
var response = await authServer.Channel.PrepareResponseAsync(responseMessage);
Response.ContentType = response.Content.Headers.ContentType.ToString();
return(response.AsActionResult());
}
public async Task ResourceOwnerPasswordCredentialGrant(bool anonymousClient)
{
var authHostMock = CreateAuthorizationServerMock();
if (anonymousClient)
{
authHostMock.Setup(
m =>
m.IsAuthorizationValid(
It.Is <IAuthorizationDescription>(
d =>
d.ClientIdentifier == null && d.User == ResourceOwnerUsername &&
MessagingUtilities.AreEquivalent(d.Scope, TestScopes)))).Returns(true);
}
Handle(AuthorizationServerDescription.TokenEndpoint).By(async(req, ct) => {
var server = new AuthorizationServer(authHostMock.Object);
return(await server.HandleTokenRequestAsync(req, ct));
});
var client = new WebServerClient(AuthorizationServerDescription, ClientId, ClientSecret, this.HostFactories);
if (anonymousClient)
{
client.ClientIdentifier = null;
}
var authState = await client.ExchangeUserCredentialForTokenAsync(ResourceOwnerUsername, ResourceOwnerPassword, TestScopes);
Assert.That(authState.AccessToken, Is.Not.Null.And.Not.Empty);
Assert.That(authState.RefreshToken, Is.Not.Null.And.Not.Empty);
}
public AuthorizationContext GetContext(IUser user, SecurityIdentifier resourceDomain, AuthorizationContextDomainDetails domainDetails)
{
AuthorizationServer server = domainDetails.GetServer(false);
Exception lastException = null;
HashSet <string> attemptedServers = new HashSet <string>(StringComparer.OrdinalIgnoreCase);
while (attemptedServers.Add(server.Name))
{
try
{
this.logger.LogTrace("Attempting to create AuthorizationContext against server {server} in domain {domain} for user {user} requesting access to resource in domain {domain} ", server.Name, domainDetails.DomainDnsName, user.MsDsPrincipalName, resourceDomain);
return(new AuthorizationContext(user.Sid, server.Name, domainDetails.Mapping.DoNotRequireS4U ? AuthzInitFlags.Default : AuthzInitFlags.RequireS4ULogon));
}
catch (AuthorizationContextException ex) when(ex.InnerException is Win32Exception we && we.HResult == -2147467259) //RPC_NOT_AVAILABLE
{
lastException = ex;
this.logger.LogWarning(EventIDs.AuthZContextServerCantConnect, ex, "Unable to connect to server {server}", server.Name);
server = domainDetails.GetServer(true);
}
catch (Exception ex)
{
lastException = ex;
this.logger.LogError(EventIDs.AuthZContextCreateError, ex, "Unable to create AuthorizationContext against server {server} in domain {domain}", server.Name, domainDetails.DomainDnsName);
}
}
throw lastException ?? new Exception("Unable to create authorization context");
}
protected void Page_Load(object sender, EventArgs e)
{
if (!Request.IsSecureConnection)
{
throw new HttpException((int)HttpStatusCode.Forbidden, "Authorization requests MUST be on a secure channel");
}
if (String.IsNullOrEmpty(Request.PathInfo))
{
AuthorizationServer authorizationServer = new AuthorizationServer(new OAuth2AuthorizationServer());
OutgoingWebResponse wr = authorizationServer.HandleTokenRequest();
Response.Clear();
Response.ContentType = "application/json; charset=utf-8";
Response.Write(wr.Body);
Response.End();
}
else
{
using (OAuthServiceCall service = new OAuthServiceCall(Request))
{
Response.Clear();
Response.ContentType = service.ContentType;
service.Execute(Response.OutputStream);
Response.End();
}
}
}
public ActionResult Issue()
{
var authorizationServer = new AuthorizationServer(new AuthorizationServerHost());
var response = authorizationServer.HandleTokenRequest(Request).AsActionResult();
return(response);
}
public async Task ResourceOwnerScopeOverride()
{
var clientRequestedScopes = new[] { "scope1", "scope2" };
var serverOverriddenScopes = new[] { "scope1", "differentScope" };
var authServerMock = CreateAuthorizationServerMock();
authServerMock
.Setup(a => a.CheckAuthorizeResourceOwnerCredentialGrant(ResourceOwnerUsername, ResourceOwnerPassword, It.IsAny <IAccessTokenRequest>()))
.Returns <string, string, IAccessTokenRequest>((un, pw, req) => {
var response = new AutomatedUserAuthorizationCheckResponse(req, true, ResourceOwnerUsername);
response.ApprovedScope.Clear();
response.ApprovedScope.UnionWith(serverOverriddenScopes);
return(response);
});
Handle(AuthorizationServerDescription.TokenEndpoint).By(
async(req, ct) => {
var server = new AuthorizationServer(authServerMock.Object);
return(await server.HandleTokenRequestAsync(req, ct));
});
var client = new WebServerClient(AuthorizationServerDescription, hostFactories: this.HostFactories);
var result = await client.ExchangeUserCredentialForTokenAsync(ResourceOwnerUsername, ResourceOwnerPassword, clientRequestedScopes);
Assert.That(result.Scope, Is.EquivalentTo(serverOverriddenScopes));
}
//[HttpHeader("x-frame-options", "SAMEORIGIN")] // mitigates clickjacking
public ActionResult Authorise()
{
using (OAuth2AuthorizationServer server = (new OAuth2AuthorizationServer(new X509Certificate2(ConfigurationManager.AppSettings["AbsolutePathToPfx"], ConfigurationManager.AppSettings["CertificatePassword"]),
new X509Certificate2(ConfigurationManager.AppSettings["AbsolutePathToCertificate"]))))
{
AuthorizationServer authorizationServer = new AuthorizationServer(server);
var pendingRequest = authorizationServer.ReadAuthorizationRequest();
if (pendingRequest == null)
{
throw new HttpException((int)HttpStatusCode.BadRequest, "Missing authorization request.");
}
var requestingClient = MvcApplication.DataContext.Clients.First(c => c.ClientIdentifier == pendingRequest.ClientIdentifier);
// Consider auto-approving if safe to do so.
if (((OAuth2AuthorizationServer)authorizationServer.AuthorizationServerServices).CanBeAutoApproved(pendingRequest))
{
var approval = authorizationServer.PrepareApproveAuthorizationRequest(pendingRequest, HttpContext.User.Identity.Name);
return(authorizationServer.Channel.PrepareResponse(approval).AsActionResult());
}
var model = new AccountAuthorizeModel
{
ClientApp = requestingClient.Name,
Scope = pendingRequest.Scope,
AuthorizationRequest = pendingRequest,
};
return(View(model));
}
}
//[HttpHeader("x-frame-options", "SAMEORIGIN")] // mitigates clickjacking
public ActionResult Authorise()
{
var authorizationServer = new AuthorizationServer(new OAuth2AuthorizationServerHost());
var pendingRequest = authorizationServer.ReadAuthorizationRequest();
if (pendingRequest == null)
{
throw new HttpException((int)HttpStatusCode.BadRequest, "Missing authorization request.");
}
var service = ServiceFactory.GetOAuth2AuthService();
var requestingClient = service.GetOAuthClient(pendingRequest.ClientIdentifier);
// Consider auto-approving if safe to do so.
if (((OAuth2AuthorizationServerHost)authorizationServer.AuthorizationServerServices).CanBeAutoApproved(pendingRequest))
{
var approval = authorizationServer.PrepareApproveAuthorizationRequest(pendingRequest, HttpContext.User.Identity.Name);
return(authorizationServer.Channel.PrepareResponse(approval).AsActionResultMvc5());
}
var model = new OAuthAccountAuthorizeViewModel
{
ClientApp = requestingClient.Name,
Scope = pendingRequest.Scope,
AuthorizationRequest = pendingRequest,
};
return(View(model));
}
public async Task ClientCredentialScopeOverride()
{
var clientRequestedScopes = new[] { "scope1", "scope2" };
var serverOverriddenScopes = new[] { "scope1", "differentScope" };
var authServerMock = CreateAuthorizationServerMock();
authServerMock
.Setup(a => a.CheckAuthorizeClientCredentialsGrant(It.IsAny <IAccessTokenRequest>()))
.Returns <IAccessTokenRequest>(req => {
var response = new AutomatedAuthorizationCheckResponse(req, true);
response.ApprovedScope.Clear();
response.ApprovedScope.UnionWith(serverOverriddenScopes);
return(response);
});
Handle(AuthorizationServerDescription.TokenEndpoint).By(
async(req, ct) => {
var server = new AuthorizationServer(authServerMock.Object);
return(await server.HandleTokenRequestAsync(req, ct));
});
var client = new WebServerClient(AuthorizationServerDescription, ClientId, ClientSecret, this.HostFactories);
var result = await client.GetClientAccessTokenAsync(clientRequestedScopes);
Assert.That(result.AccessToken, Is.Not.Null.And.Not.Empty);
Assert.That(result.Scope, Is.EquivalentTo(serverOverriddenScopes));
}
private async Task <string> ObtainValidAccessTokenAsync()
{
string accessToken = null;
var authServer = CreateAuthorizationServerMock();
authServer.Setup(
a => a.IsAuthorizationValid(It.Is <IAuthorizationDescription>(d => d.User == null && d.ClientIdentifier == ClientId && MessagingUtilities.AreEquivalent(d.Scope, TestScopes))))
.Returns(true);
authServer.Setup(
a => a.CheckAuthorizeClientCredentialsGrant(It.Is <IAccessTokenRequest>(d => d.ClientIdentifier == ClientId && MessagingUtilities.AreEquivalent(d.Scope, TestScopes))))
.Returns <IAccessTokenRequest>(req => new AutomatedAuthorizationCheckResponse(req, true));
Handle(AuthorizationServerDescription.TokenEndpoint).By(
async(req, ct) => {
var server = new AuthorizationServer(authServer.Object);
return(await server.HandleTokenRequestAsync(req, ct));
});
var client = new WebServerClient(AuthorizationServerDescription, ClientId, ClientSecret, this.HostFactories);
var authState = await client.GetClientAccessTokenAsync(TestScopes);
Assert.That(authState.AccessToken, Is.Not.Null.And.Not.Empty);
Assert.That(authState.RefreshToken, Is.Null);
accessToken = authState.AccessToken;
return(accessToken);
}
public async Task ListAuthorizationServerKeys()
{
var testClient = TestClient.Create();
var testAuthorizationServerName = $"{SdkPrefix}:Test AuthZ Server ({TestClient.RandomString(4)})";
var testAuthorizationServer = new AuthorizationServer
{
Name = testAuthorizationServerName,
Description = "Test Authorization Server",
Audiences = new string[] { "api://default" },
};
var createdAuthorizationServer = await testClient.AuthorizationServers.CreateAuthorizationServerAsync(testAuthorizationServer);
try
{
var authorizationServerKeys = await createdAuthorizationServer.ListKeys().ToListAsync();
authorizationServerKeys.Should().NotBeNull();
authorizationServerKeys.Count.Should().BeGreaterThan(0);
}
finally
{
await createdAuthorizationServer.DeactivateAsync();
await testClient.AuthorizationServers.DeleteAuthorizationServerAsync(createdAuthorizationServer.Id);
}
}
public async Task ListCreatedAuthorizationServer()
{
var testClient = TestClient.Create();
var testAuthorizationServerName = $"{SdkPrefix}:Test AuthZ Server ({TestClient.RandomString(4)})";
var testAuthorizationServer = new AuthorizationServer
{
Name = testAuthorizationServerName,
Description = "Test Authorization Server",
Audiences = new string[] { "api://default" },
};
var createdAuthorizationServer = await testClient.AuthorizationServers.CreateAuthorizationServerAsync(testAuthorizationServer);
try
{
var authorizationServerIds = await testClient.AuthorizationServers.ListAuthorizationServers().Select(server => server.Id).ToHashSetAsync();
authorizationServerIds.Should().Contain(createdAuthorizationServer.Id);
}
finally
{
await createdAuthorizationServer.DeactivateAsync();
await testClient.AuthorizationServers.DeleteAuthorizationServerAsync(createdAuthorizationServer.Id);
}
}
public async Task CreateOAuth2Scope()
{
var testClient = TestClient.Create();
var testAuthorizationServerName = $"{SdkPrefix}:Test AuthZ Server ({TestClient.RandomString(4)})";
var testAuthorizationServer = new AuthorizationServer
{
Name = testAuthorizationServerName,
Description = "Test Authorization Server",
Audiences = new string[] { "api://default" },
};
var testOAuthScope = new OAuth2Scope
{
Name = $"{SdkPrefix}:{nameof(CreateOAuth2Scope)}:TestOAuth2Scope({TestClient.RandomString(4)})",
};
var createdAuthorizationServer = await testClient.AuthorizationServers.CreateAuthorizationServerAsync(testAuthorizationServer);
var createdOAuthScope = await createdAuthorizationServer.CreateOAuth2ScopeAsync(testOAuthScope);
try
{
createdOAuthScope.Should().NotBeNull();
createdOAuthScope.Name.Should().Be(testOAuthScope.Name);
}
finally
{
await createdAuthorizationServer.DeleteOAuth2ScopeAsync(createdOAuthScope.Id);
await createdAuthorizationServer.DeactivateAsync();
await testClient.AuthorizationServers.DeleteAuthorizationServerAsync(createdAuthorizationServer.Id);
}
}
public async Task GetClientAccessTokenReturnsApprovedScope()
{
string[] approvedScopes = new[] { "Scope2", "Scope3" };
var authServer = CreateAuthorizationServerMock();
authServer.Setup(
a => a.IsAuthorizationValid(It.Is <IAuthorizationDescription>(d => d.User == null && d.ClientIdentifier == ClientId && MessagingUtilities.AreEquivalent(d.Scope, TestScopes))))
.Returns(true);
authServer.Setup(
a => a.CheckAuthorizeClientCredentialsGrant(It.Is <IAccessTokenRequest>(d => d.ClientIdentifier == ClientId && MessagingUtilities.AreEquivalent(d.Scope, TestScopes))))
.Returns <IAccessTokenRequest>(req => {
var response = new AutomatedAuthorizationCheckResponse(req, true);
response.ApprovedScope.ResetContents(approvedScopes);
return(response);
});
Handle(AuthorizationServerDescription.TokenEndpoint).By(
async(req, ct) => {
var server = new AuthorizationServer(authServer.Object);
return(await server.HandleTokenRequestAsync(req, ct));
});
var client = new WebServerClient(AuthorizationServerDescription, ClientId, ClientSecret, this.HostFactories);
var authState = await client.GetClientAccessTokenAsync(TestScopes);
Assert.That(authState.Scope, Is.EquivalentTo(approvedScopes));
}
public async Task ActivateAuthorizationServer()
{
var testClient = TestClient.Create();
var testAuthorizationServerName = $"{SdkPrefix}:Test AuthZ Server ({TestClient.RandomString(4)})";
var testAuthorizationServer = new AuthorizationServer
{
Name = testAuthorizationServerName,
Description = "Test Authorization Server",
Audiences = new string[] { "api://default" },
};
var createdAuthorizationServer = await testClient.AuthorizationServers.CreateAuthorizationServerAsync(testAuthorizationServer);
try
{
createdAuthorizationServer.Should().NotBeNull();
createdAuthorizationServer.Status.Should().Be("ACTIVE");
await testClient.AuthorizationServers.DeactivateAuthorizationServerAsync(createdAuthorizationServer.Id);
await testClient.AuthorizationServers.ActivateAuthorizationServerAsync(createdAuthorizationServer.Id);
var retrievedDeactivatedAuthorizationServer = await testClient.AuthorizationServers.GetAuthorizationServerAsync(createdAuthorizationServer.Id);
retrievedDeactivatedAuthorizationServer.Status.Should().Be("ACTIVE");
}
finally
{
await createdAuthorizationServer.DeactivateAsync();
await testClient.AuthorizationServers.DeleteAuthorizationServerAsync(createdAuthorizationServer.Id);
}
}
public async Task DeleteAuthorizationServer()
{
var testClient = TestClient.Create();
var testAuthorizationServerName = $"{SdkPrefix}:Test AuthZ Server ({TestClient.RandomString(4)})";
var testAuthorizationServer = new AuthorizationServer
{
Name = testAuthorizationServerName,
Description = "Test Authorization Server",
Audiences = new string[] { "api://default" },
};
var createdAuthorizationServer = await testClient.AuthorizationServers.CreateAuthorizationServerAsync(testAuthorizationServer);
createdAuthorizationServer.Should().NotBeNull();
var retrievedAuthorizationServer = await testClient.AuthorizationServers.GetAuthorizationServerAsync(createdAuthorizationServer.Id);
retrievedAuthorizationServer.Should().NotBeNull();
await createdAuthorizationServer.DeactivateAsync();
await testClient.AuthorizationServers.DeleteAuthorizationServerAsync(createdAuthorizationServer.Id);
var ex = await Assert.ThrowsAsync <OktaApiException>(() => testClient.AuthorizationServers.GetAuthorizationServerAsync(createdAuthorizationServer.Id));
ex.StatusCode.Should().Be(404);
}
public OAuthController(AuthorizationServer authorizationServer, IRepository <Client> clientRep,
IRepository <User> userRep, IRepository <ClientAuthorization> clientAuthRep)
{
m_AuthorizationServer = authorizationServer;
m_ClientRep = clientRep;
m_UserRep = userRep;
m_ClientAuthRep = clientAuthRep;
}
[HttpHeader("x-frame-options", "SAMEORIGIN")] // mitigates clickjacking
public async Task <ActionResult> Authorize()
{
var authServer = new AuthorizationServer(new AuthorizationServerHost());
var authRequest = await authServer.ReadAuthorizationRequestAsync(this.Request);
this.ViewData["scope"] = authRequest.Scope;
this.ViewData["request"] = this.Request.Url;
return(View());
}
/// <summary>
/// The OAuth 2.0 token endpoint.
/// </summary>
/// <returns>The response to the Client.</returns>
public ActionResult Token()
{
using (OAuth2AuthorizationServer server = (new OAuth2AuthorizationServer(new X509Certificate2(ConfigurationManager.AppSettings["AbsolutePathToPfx"], ConfigurationManager.AppSettings["CertificatePassword"]),
new X509Certificate2(ConfigurationManager.AppSettings["AbsolutePathToCertificate"]))))
{
AuthorizationServer authorizationServer = new AuthorizationServer(server);
OutgoingWebResponse response = authorizationServer.HandleTokenRequest(this.Request);
return(response.AsActionResult());
}
}
public async Task GetAuthorizationServerPolicy()
{
var testClient = TestClient.Create();
var testAuthorizationServerName = $"{SdkPrefix}:Test AuthZ Server ({TestClient.RandomString(4)})";
var testAuthorizationServer = new AuthorizationServer
{
Name = testAuthorizationServerName,
Description = "Test Authorization Server",
Audiences = new string[] { "api://default" },
};
var testPolicy = new Policy
{
Type = PolicyType.OAuthAuthorizationPolicy,
Status = "ACTIVE",
Name = "Test Policy",
Description = "Test policy",
Priority = 1,
Conditions = new PolicyRuleConditions
{
Clients = new ClientPolicyCondition
{
Include = new List <string> {
"ALL_CLIENTS"
},
},
},
};
var createdAuthorizationServer = await testClient.AuthorizationServers.CreateAuthorizationServerAsync(testAuthorizationServer);
var createdPolicy = await createdAuthorizationServer.CreatePolicyAsync(testPolicy);
try
{
createdAuthorizationServer.Should().NotBeNull();
createdPolicy.Should().NotBeNull();
var retrievedPolicy = await createdAuthorizationServer.GetPolicyAsync(createdPolicy.Id);
retrievedPolicy.Should().NotBeNull();
retrievedPolicy.Id.Should().Be(createdPolicy.Id);
retrievedPolicy.Name.Should().Be(createdPolicy.Name);
retrievedPolicy.Description.Should().Be(createdPolicy.Description);
}
finally
{
await createdAuthorizationServer.DeletePolicyAsync(createdPolicy.Id);
await createdAuthorizationServer.DeactivateAsync();
await testClient.AuthorizationServers.DeleteAuthorizationServerAsync(createdAuthorizationServer.Id);
}
}
public OAuth2Controller()
{
// In this example, we're just newing up an auth server. A real implementation would use an IOC container
// to resolve the dependencies and inject the auth server into our controller.
var authServerKeys = CryptoKeyPair.LoadCertificate(HostingEnvironment.MapPath("~/bin/Certificates/auth-server.pfx"), "p@ssw0rd");
var dataServerKeys = CryptoKeyPair.LoadCertificate(HostingEnvironment.MapPath("~/bin/Certificates/data-server.pfx"), "p@ssw0rd");
var exampleAuthServer = new ExampleAuthorizationServer(new FakeCryptoKeyStore(),
authServerKeys, dataServerKeys, new FakeOAuth2ClientStore(), new FakeUserStore());
this.authServer = new AuthorizationServer(exampleAuthServer);
}
private OutgoingWebResponse GetResponse(IRequest request, CreateAccessToken jsonRequest)
{
var authZServer = new AuthorizationServer(OAuthorizationServer);
if (request.ContentType == MimeTypes.Json)
{
// Request is coming from A JSON client
return(authZServer.HandleTokenRequest(ConvertJsonRequestToFormRequest(request, jsonRequest)));
}
// Request is likely coming from DNOA client
return(authZServer.HandleTokenRequest((HttpRequestBase)request.OriginalRequest));
}
public OAuthController(AuthorizationServer authorizationServer, string primaryTableName, string emailTableName, string cloudConfigurationName)
{
Requires.NotNull(authorizationServer, "authorizationServer");
Requires.NotNullOrEmpty(cloudConfigurationName, "cloudConfigurationName");
this.authorizationServer = authorizationServer;
this.HttpClient = new HttpClient();
var storage = CloudStorageAccount.Parse(ConfigurationManager.ConnectionStrings[cloudConfigurationName].ConnectionString);
var tableClient = storage.CreateCloudTableClient();
this.ClientTable = new AddressBookContext(tableClient, primaryTableName, emailTableName);
}
public async Task UpdateOAuth2Claim()
{
var testClient = TestClient.Create();
var testAuthorizationServerName = $"{SdkPrefix}:Test AuthZ Server ({TestClient.RandomString(4)})";
var testAuthorizationServer = new AuthorizationServer
{
Name = testAuthorizationServerName,
Description = "Test Authorization Server",
Audiences = new string[] { "api://default" },
};
var testOAuthClaim = new OAuth2Claim
{
Name = $"{SdkPrefix}_{nameof(UpdateOAuth2Claim)}_TestOAuth2Claim_{TestClient.RandomString(4)}",
Status = "INACTIVE",
ClaimType = "RESOURCE",
ValueType = "EXPRESSION",
Value = "\"driving!\"",
};
var testUpdatedOAuthClaim = new OAuth2Claim
{
Name = $"{SdkPrefix}_{nameof(UpdateOAuth2Claim)}_TestOAuth2Claim_Updated_{TestClient.RandomString(4)}",
Status = "INACTIVE",
ClaimType = "RESOURCE",
ValueType = "EXPRESSION",
Value = "\"driving!\"",
};
var createdAuthorizationServer = await testClient.AuthorizationServers.CreateAuthorizationServerAsync(testAuthorizationServer);
var createdOAuthClaim = await createdAuthorizationServer.CreateOAuth2ClaimAsync(testOAuthClaim);
try
{
createdAuthorizationServer.Should().NotBeNull();
createdOAuthClaim.Should().NotBeNull();
createdOAuthClaim.Name.Should().Be(testOAuthClaim.Name);
var updatedOAuthScope = await createdAuthorizationServer.UpdateOAuth2ClaimAsync(testUpdatedOAuthClaim, createdOAuthClaim.Id);
updatedOAuthScope.Should().NotBeNull();
updatedOAuthScope.Name.Should().Be(testUpdatedOAuthClaim.Name);
}
finally
{
await createdAuthorizationServer.DeleteOAuth2ClaimAsync(createdOAuthClaim.Id);
await createdAuthorizationServer.DeactivateAsync();
await testClient.AuthorizationServers.DeleteAuthorizationServerAsync(createdAuthorizationServer.Id);
}
}
public async Task CreateAccessTokenSeesAuthorizingUserAuthorizationCodeGrant()
{
var authServerMock = CreateAuthorizationServerMock();
authServerMock
.Setup(a => a.IsAuthorizationValid(It.IsAny <IAuthorizationDescription>()))
.Returns <IAuthorizationDescription>(req => {
Assert.That(req.User, Is.EqualTo(ResourceOwnerUsername));
return(true);
});
Handle(AuthorizationServerDescription.AuthorizationEndpoint).By(
async(req, ct) => {
var server = new AuthorizationServer(authServerMock.Object);
var request = await server.ReadAuthorizationRequestAsync(req, ct);
Assert.That(request, Is.Not.Null);
var response = server.PrepareApproveAuthorizationRequest(request, ResourceOwnerUsername);
return(await server.Channel.PrepareResponseAsync(response));
});
Handle(AuthorizationServerDescription.TokenEndpoint).By(
async(req, ct) => {
var server = new AuthorizationServer(authServerMock.Object);
return(await server.HandleTokenRequestAsync(req, ct));
});
var client = new WebServerClient(AuthorizationServerDescription, ClientId, ClientSecret, this.HostFactories);
var authState = new AuthorizationState(TestScopes)
{
Callback = ClientCallback,
};
var authRedirectResponse = await client.PrepareRequestUserAuthorizationAsync(authState);
this.HostFactories.CookieContainer.SetCookies(authRedirectResponse, ClientCallback);
Uri authCompleteUri;
this.HostFactories.AllowAutoRedirects = false;
using (var httpClient = this.HostFactories.CreateHttpClient()) {
using (var response = await httpClient.GetAsync(authRedirectResponse.Headers.Location)) {
Assert.That(response.StatusCode, Is.EqualTo(HttpStatusCode.Redirect));
authCompleteUri = response.Headers.Location;
}
}
var authCompleteRequest = new HttpRequestMessage(HttpMethod.Get, authCompleteUri);
this.HostFactories.CookieContainer.ApplyCookies(authCompleteRequest);
var result = await client.ProcessUserAuthorizationAsync(authCompleteRequest);
Assert.That(result.AccessToken, Is.Not.Null.And.Not.Empty);
Assert.That(result.RefreshToken, Is.Not.Null.And.Not.Empty);
}
public async Task DecodeRefreshToken()
{
var refreshTokenSource = new TaskCompletionSource <string>();
Handle(AuthorizationServerDescription.AuthorizationEndpoint).By(
async(req, ct) => {
var server = new AuthorizationServer(AuthorizationServerMock);
var request = await server.ReadAuthorizationRequestAsync(req, ct);
Assert.That(request, Is.Not.Null);
var response = server.PrepareApproveAuthorizationRequest(request, ResourceOwnerUsername);
return(await server.Channel.PrepareResponseAsync(response));
});
Handle(AuthorizationServerDescription.TokenEndpoint).By(
async(req, ct) => {
var server = new AuthorizationServer(AuthorizationServerMock);
var response = await server.HandleTokenRequestAsync(req, ct);
var authorization = server.DecodeRefreshToken(refreshTokenSource.Task.Result);
Assert.That(authorization, Is.Not.Null);
Assert.That(authorization.User, Is.EqualTo(ResourceOwnerUsername));
return(response);
});
var client = new WebServerClient(AuthorizationServerDescription);
try {
var authState = new AuthorizationState(TestScopes)
{
Callback = ClientCallback,
};
var authRedirectResponse = await client.PrepareRequestUserAuthorizationAsync(authState);
this.HostFactories.CookieContainer.SetCookies(authRedirectResponse, ClientCallback);
Uri authCompleteUri;
using (var httpClient = this.HostFactories.CreateHttpClient()) {
using (var response = await httpClient.GetAsync(authRedirectResponse.Headers.Location)) {
response.EnsureSuccessStatusCode();
authCompleteUri = response.Headers.Location;
}
}
var authCompleteRequest = new HttpRequestMessage(HttpMethod.Get, authCompleteUri);
this.HostFactories.CookieContainer.ApplyCookies(authCompleteRequest);
var result = await client.ProcessUserAuthorizationAsync(authCompleteRequest);
Assert.That(result.AccessToken, Is.Not.Null.And.Not.Empty);
Assert.That(result.RefreshToken, Is.Not.Null.And.Not.Empty);
refreshTokenSource.SetResult(result.RefreshToken);
} catch {
refreshTokenSource.TrySetCanceled();
}
}
public async Task ListAuthorizationServerPolicies()
{
var testClient = TestClient.Create();
var testAuthorizationServerName = $"{SdkPrefix}:Test AuthZ Server ({TestClient.RandomString(4)})";
var testAuthorizationServer = new AuthorizationServer
{
Name = testAuthorizationServerName,
Description = "Test Authorization Server",
Audiences = new string[] { "api://default" },
};
var testPolicy = new Policy
{
Type = PolicyType.OAuthAuthorizationPolicy,
Status = "ACTIVE",
Name = "Test Policy",
Description = "Test policy",
Priority = 1,
Conditions = new PolicyRuleConditions
{
Clients = new ClientPolicyCondition
{
Include = new List <string> {
"ALL_CLIENTS"
},
},
},
};
var createdAuthorizationServer = await testClient.AuthorizationServers.CreateAuthorizationServerAsync(testAuthorizationServer);
var createdPolicy = await createdAuthorizationServer.CreatePolicyAsync(testPolicy);
try
{
var policies = await createdAuthorizationServer.ListPolicies().ToListAsync();
policies.Should().NotBeNull();
policies.Count.Should().BeGreaterThan(0);
policies.Select(p => p.Id).ToHashSet().Should().Contain(createdPolicy.Id);
}
finally
{
await createdAuthorizationServer.DeletePolicyAsync(createdPolicy.Id);
await createdAuthorizationServer.DeactivateAsync();
await testClient.AuthorizationServers.DeleteAuthorizationServerAsync(createdAuthorizationServer.Id);
}
}
internal override void Run()
{
var authServer = new AuthorizationServer(this.authServerHost);
var rpCoordinatingChannel = new CoordinatingOAuth2ClientChannel(this.client.Channel, this.IncomingMessageFilter, this.OutgoingMessageFilter);
var opCoordinatingChannel = new CoordinatingOAuth2AuthServerChannel(authServer.Channel, this.IncomingMessageFilter, this.OutgoingMessageFilter);
rpCoordinatingChannel.RemoteChannel = opCoordinatingChannel;
opCoordinatingChannel.RemoteChannel = rpCoordinatingChannel;
this.client.Channel = rpCoordinatingChannel;
authServer.Channel = opCoordinatingChannel;
this.RunCore(this.client, authServer);
}
protected void Page_Load(object sender, EventArgs e)
{
try
{
if (!Request.IsSecureConnection)
{
throw new HttpException((int)HttpStatusCode.Forbidden, "Authorization requests MUST be on a secure channel");
}
if (String.IsNullOrEmpty(Request.PathInfo))
{
AuthorizationServer authorizationServer = new AuthorizationServer(new OAuth2AuthorizationServer());
OutgoingWebResponse wr = authorizationServer.HandleTokenRequest();
Response.Clear();
Response.ContentType = "application/json; charset=utf-8";
Response.Write(wr.Body);
Response.End();
}
else
{
using (OAuthServiceCall service = new OAuthServiceCall(Request))
{
Response.Clear();
Response.ContentType = service.ContentType;
service.Execute(Response.OutputStream);
Response.End();
}
}
}
catch (Exception ex)
{
var o = Request.Params["dbg"];
if (o != null)
{
Response.Clear();
Response.ContentType = "text/plain";
Response.ContentEncoding = System.Text.Encoding.UTF8;
Response.Write("Error: " + ex.Message + "\r\n");
Response.Write(ex.ToStringDescriptive() + "\r\n");
Response.Flush();
Response.End();
}
else
{
throw;
}
}
}
