public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage)
{
var accessToken = new AuthorizationServerAccessToken();
// Just for the sake of the sample, we use a short-lived token. This can be useful to mitigate the security risks
// of access tokens that are used over standard HTTP.
// But this is just the lifetime of the access token. The client can still renew it using their refresh token until
// the authorization itself expires.
accessToken.Lifetime = TimeSpan.FromMinutes(2);
// Also take into account the remaining life of the authorization and artificially shorten the access token's lifetime
// to account for that if necessary.
//// TODO: code here
// For this sample, we assume just one resource server.
// If this authorization server needs to mint access tokens for more than one resource server,
// we'd look at the request message passed to us and decide which public key to return.
accessToken.ResourceServerEncryptionKey = new RSACryptoServiceProvider();
accessToken.ResourceServerEncryptionKey.ImportParameters(ResourceServerEncryptionPublicKey);
accessToken.AccessTokenSigningKey = CreateRSA();
var result = new AccessTokenResult(accessToken);
return(result);
}
public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage)
{
// Just for the sake of the sample, we use a short-lived token. This can be useful to mitigate the security risks
// of access tokens that are used over standard HTTP.
// But this is just the lifetime of the access token. The client can still renew it using their refresh token until
// the authorization itself expires.
var accessToken = new AuthorizationServerAccessToken()
{
Lifetime = TimeSpan.FromDays(14)
};
// Also take into account the remaining life of the authorization and artificially shorten the access token's lifetime
// to account for that if necessary.
//// TODO: code here
// For this sample, we assume just one resource server.
// If this authorization server needs to mint access tokens for more than one resource server,
// we'd look at the request message passed to us and decide which public key to return.
// accessToken.ResourceServerEncryptionKey = new RSACryptoServiceProvider();
accessToken.ResourceServerEncryptionKey = CreateRSA();
// string szPubKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC32W+vIY9eZYY13Z0TqONE5LG3BHH6x4EWgb/LSEV674eFRw/AOvxphM7FjvoS4auZ1Yom4G6oFjDCR917gttma2b+7IuEhV5XdHM3lbH0dSrglASKtM6uHR0qjW0FPQR6rCKMHC1xSytAudI46nr/OkpcPM8KeXgJYvp+BYE0E6gjbwydcrgULCtcC0A3mZABixshjSaxzxUWCxA9RC7hSKPp9JptEcHcrJddaWzVORZHW+lUiNcFqXsm1K4CxoXE/KHenaz7d9GtA2vAvk1miueA6tsH1UOmZUY9rNVTKLoig5kKtYePSaa9/CZTEFYnhPkQtHZNZDoiN/e327ld [email protected]";
// accessToken.ResourceServerEncryptionKey.ImportCspBlob(System.Text.Encoding.ASCII.GetBytes(szPubKey));
// accessToken.ResourceServerEncryptionKey.ImportParameters(ResourceServerEncryptionPublicKey);
accessToken.AccessTokenSigningKey = CreateRSA();
var result = new AccessTokenResult(accessToken);
return(result);
}
/// <summary>
/// Acquires the access token and related parameters that go into the formulation of the token endpoint's response to a
/// client.
/// </summary>
/// <param name="accessTokenRequestMessage">
/// Details regarding the resources that the access token will grant access to, and the identity of the client
/// that will receive that access.
/// Based on this information the receiving resource server can be determined and the lifetime of the access
/// token can be set based on the sensitivity of the resources.
/// </param>
/// <returns>A non-null parameters instance that DotNetOpenAuth will dispose after it has been used.</returns>
public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage)
{
TimeSpan clientApplicationLifetime = GetClientLifetime(accessTokenRequestMessage);
var accessToken = new AuthorizationServerAccessToken
{
// Note: all other fields are assigned by IsAuthorizationValid() (i.e. ClientIdentifier, Scope, User and UtcIssued)
// Set the crypto keys for accessing the secured services (assume there is only one secured service)
AccessTokenSigningKey =
CryptoKeyProvider.GetCryptoKey(CryptoKeyType.AuthZServer).PrivateEncryptionKey,
ResourceServerEncryptionKey = GetRequestedSecureResourceCryptoKey(),
// Set the limited lifetime of the token
Lifetime = (clientApplicationLifetime != TimeSpan.Zero)
? clientApplicationLifetime
: TimeSpan.FromMinutes(DefaultLifetime),
};
// Insert user specific information
string username = GetUserFromAccessTokenRequest(accessTokenRequestMessage);
if (username.HasValue())
{
IUserAuthInfo user = GetUserAuthInfo(username);
if (user != null)
{
accessToken.ExtraData.Add(new KeyValuePair <string, string>(
RequireAuthorizationAttribute.ExtraDataRoles, String.Join(@",", user.Roles)));
}
}
return(new AccessTokenResult(accessToken));
}
/// <summary>
/// Acquires the access token and related parameters that go into the formulation of the token endpoint's response to a client.
/// </summary>
/// <param name="accessTokenRequestMessage">Details regarding the resources that the access token will grant access to, and the identity of the client
/// that will receive that access.
/// Based on this information the receiving resource server can be determined and the lifetime of the access
/// token can be set based on the sensitivity of the resources.</param>
/// <returns>
/// A non-null parameters instance that DotNetOpenAuth will dispose after it has been used.
/// </returns>
public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage)
{
var accessToken = new AuthorizationServerAccessToken();
accessToken.Lifetime = TimeSpan.FromHours(1);
accessToken.ResourceServerEncryptionKey = EncryptionKeys.GetResourceServerEncryptionPublicKey();
accessToken.AccessTokenSigningKey = EncryptionKeys.GetAuthorizationServerSigningPrivateKey();
return(new AccessTokenResult(accessToken));
}
/// <summary>
/// Acquires the access token and related parameters that go into the formulation of the token endpoint's response to a client.
/// </summary>
/// <param name="accessTokenRequestMessage">Details regarding the resources that the access token will grant access to, and the identity of the client
/// that will receive that access.
/// Based on this information the receiving resource server can be determined and the lifetime of the access
/// token can be set based on the sensitivity of the resources.</param>
/// <returns>
/// A non-null parameters instance that DotNetOpenAuth will dispose after it has been used.
/// </returns>
public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage)
{
// If your resource server and authorization server are different web apps,
// consider using asymmetric keys instead of symmetric ones by setting different
// properties on the access token below.
var accessToken = new AuthorizationServerAccessToken {
Lifetime = TimeSpan.FromHours(1),
SymmetricKeyStore = this.CryptoKeyStore,
};
var result = new AccessTokenResult(accessToken);
return(result);
}
/// <summary>
/// Acquires the access token and related parameters that go into the formulation of the token endpoint's response to a client.
/// </summary>
/// <param name="accessTokenRequestMessage">Details regarding the resources that the access token will grant access to, and the identity of the client that will receive that access.
/// Based on this information the receiving resource server can be determined and the lifetime of the access token can be set based on the sensitivity of the resources.
/// </param>
/// <returns>A non-null parameters instance that DotNetOpenAuth will dispose after it has been used.</returns>
public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage)
{
AuthorizationServerAccessToken accessToken = new AuthorizationServerAccessToken();
accessToken.Lifetime = TimeSpan.FromMinutes(5);
accessToken.ExtraData.Add("userIdentity", "{ user: \"some identity\" }");
//accessToken.Lifetime = TimeSpan.FromSeconds(20);
accessToken.ResourceServerEncryptionKey = CreateRsaCryptoServiceProvider(ResourceServerEncryptionPublicKey);
accessToken.AccessTokenSigningKey = CreateRsaCryptoServiceProvider(AuthorizationServerSigningPrivateKey);
return(new AccessTokenResult(accessToken));
}
/// <summary>
/// Obtains parameters to go into the formulation of an access token.
/// </summary>
/// <param name="accessTokenRequestMessage">Details regarding the resources that the access token will grant access to, and the identity of the client
/// that will receive that access.
/// Based on this information the receiving resource server can be determined and the lifetime of the access
/// token can be set based on the sensitivity of the resources.</param>
/// <returns>
/// A non-null parameters instance that DotNetOpenAuth will dispose after it has been used.
/// </returns>
public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage)
{
var accessToken = new AuthorizationServerAccessToken()
{
// For this sample, we assume just one resource server.
// If this authorization server needs to mint access tokens for more than one resource server,
// we'd look at the request message passed to us and decide which public key to return.
ResourceServerEncryptionKey = OAuthResourceServer.CreateRSA(),
};
var result = new AccessTokenResult(accessToken);
return(result);
}
// Generate an access token, given parameters in request that tell use what scopes to include,
// and thus what resource's encryption key to use in addition to the authroization server key
public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage)
{
var accessToken = new AuthorizationServerAccessToken {
Lifetime = TimeSpan.FromMinutes(10)
}; // could parameterize lifetime
var targetResource = _resourceRepository.FindWithSupportedScopes(accessTokenRequestMessage.Scope);
accessToken.ResourceServerEncryptionKey = targetResource.PublicTokenEncrypter;
accessToken.AccessTokenSigningKey = _tokenSigner.GetSigner();
var result = new AccessTokenResult(accessToken);
return(result);
}
public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage)
{
var rsa = new RSACryptoServiceProvider();
rsa.ImportCspBlob(Convert.FromBase64String(ConfigurationManager.AppSettings["PrivateAsymmetricKey"]));
var accessToken = new AuthorizationServerAccessToken()
{
AccessTokenSigningKey = rsa,
ResourceServerEncryptionKey = rsa,
};
var result = new AccessTokenResult(accessToken);
result.AllowRefreshToken = false;
return(result);
}
/// <summary>
/// Token创建
/// </summary>
/// <param name="accessTokenRequestMessage"></param>
/// <returns></returns>
public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage)
{
var accessToken = new AuthorizationServerAccessToken();
accessToken.Lifetime = _configuration.TokenLifetime;//设置Token的有效时间
// 设置加密公钥
accessToken.ResourceServerEncryptionKey =
(RSACryptoServiceProvider)_configuration.EncryptionCertificate.PublicKey.Key;
// 设置签名私钥
accessToken.AccessTokenSigningKey = (RSACryptoServiceProvider)_configuration.SigningCertificate.PrivateKey;
var result = new AccessTokenResult(accessToken);
return(result);
}
public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage)
{
var accessToken = new AuthorizationServerAccessToken();
accessToken.Lifetime = TimeSpan.FromMinutes(2);
// Using the certificate of our one and only resource server blindly
accessToken.ResourceServerEncryptionKey =
(RSACryptoServiceProvider)WebApiApplication.EncryptionCertificate.PublicKey.Key;
accessToken.AccessTokenSigningKey =
(RSACryptoServiceProvider)WebApiApplication.SigningCertificate.PrivateKey;
var result = new AccessTokenResult(accessToken);
return(result);
}
public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage)
{
//Default to a lifespan of one hours for all tokens.
var accessToken = new AuthorizationServerAccessToken
{
Lifetime = TimeSpan.FromHours(1),
};
//Provide both signing and encryption keys for the token (the private/public relationships will be reversed
//when the resource server digests the token
accessToken.AccessTokenSigningKey =
(RSACryptoServiceProvider)AuthorizationServerCertificate.PrivateKey;
accessToken.ResourceServerEncryptionKey =
(RSACryptoServiceProvider)ResourceServerCertificate.PublicKey.Key;
//Return an access token result.
var result = new AccessTokenResult(accessToken);
return(result);
}
public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage)
{
var accessToken = new AuthorizationServerAccessToken();
// TODO: work out and implement appropriate lifespan for access tokens based on your specific application requirements
accessToken.Lifetime = TimeSpan.FromSeconds(_tokenLifetime);
// TODO: artificially shorten the access token's lifetime if the original authorization is due to expire sooner than the default lifespan.
// (i.e. don't give out 7-day access tokens to somebody who has only granted your app access for 24 hours)
// TODO: choose the appropriate signing keys for the specific resource server being used.
// If you need to support multiple resource servers, there's two options.
// 1) Use the same RSA key pair on every resource server.
// 2) Select the appropriate key pair based on the requested scope (this assumes each scope maps to exactly one resource server)
accessToken.ResourceServerEncryptionKey = _dataServerKeys.PublicSigningKey;
accessToken.AccessTokenSigningKey = _authServerKeys.PrivateEncryptionKey;
return(new AccessTokenResult(accessToken));
}
public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage)
{
var accessToken = new AuthorizationServerAccessToken();
// Just for the sake of the sample, we use a short-lived token. This can be useful to mitigate the security risks
// of access tokens that are used over standard HTTP.
// But this is just the lifetime of the access token. The client can still renew it using their refresh token until
// the authorization itself expires.
accessToken.Lifetime = TimeSpan.FromMinutes(20);
// Also take into account the remaining life of the authorization and artificially shorten the access token's lifetime
// to account for that if necessary.
//// TODO: code here
PublicEncryptionKey = (RSACryptoServiceProvider)EncryptionCertificate.PublicKey.Key;
accessToken.ResourceServerEncryptionKey = PublicEncryptionKey;
PrivateSigningKey = (RSACryptoServiceProvider)SigningCertificate.PrivateKey;
accessToken.AccessTokenSigningKey = PrivateSigningKey;
return(new AccessTokenResult(accessToken));
}
public AccessTokenResult CreateAccessToken(
IAccessTokenRequest accessTokenRequestMessage)
{
var token = new AuthorizationServerAccessToken();
token.Lifetime = TimeSpan.FromMinutes(10);
var signCert = LoadCert(Config.STS_CERT);
token.AccessTokenSigningKey =
(RSACryptoServiceProvider)signCert.PrivateKey;
var encryptCert = LoadCert(Config.SERVICE_CERT);
token.ResourceServerEncryptionKey =
(RSACryptoServiceProvider)encryptCert.PublicKey.Key;
var result = new AccessTokenResult(token);
return(result);
}
public AccessTokenResult CreateAccessToken(DotNetOpenAuth.OAuth2.Messages.IAccessTokenRequest accessTokenRequestMessage)
{
var token = new AuthorizationServerAccessToken();
token.Lifetime = TimeSpan.FromMinutes(2);
token.ClientIdentifier = accessTokenRequestMessage.ClientIdentifier;
foreach (string s in accessTokenRequestMessage.Scope)
{
token.Scope.Add(s);
}
token.User = accessTokenRequestMessage.UserName;
// token.ExtraData.Add("id_token","thisisthejwt");
var signCert = LoadCert(Config.ALHAMBRA_AUTHORIZATION);
token.AccessTokenSigningKey = (RSACryptoServiceProvider)signCert.PrivateKey;
var encryptCert = LoadCert(Config.ALHAMBRA_RESOURCES);
token.ResourceServerEncryptionKey = (RSACryptoServiceProvider)encryptCert.PublicKey.Key;
var accessTokenResult = new AccessTokenResult(token);
accessTokenResult.AccessToken.ClientIdentifier = accessTokenRequestMessage.ClientIdentifier;
//Page 13 on draft 26 - Open Id Connect Basic Client Profile
//if (token.Scope.Contains("offline_access"))
//{
// accessTokenResult.AllowRefreshToken = true;
//}
accessTokenResult.AllowRefreshToken = true;
return(accessTokenResult);
}
/// <summary>
/// Create an access token using xAuth.
/// </summary>
/// <param name="accessTokenRequestMessage">A request from a client that should be responded to directly with an access token.</param>
/// <param name="nonce">The nonce data.</param>
/// <returns>Describes the parameters to be fed into creating a response to an access token request.</returns>
public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage, string nonce)
{
// Get the client for the consumer key
var client = GetSpecificClient(accessTokenRequestMessage.ClientIdentifier);
if (client != null)
{
// Make sure then client has been authenticated.
if (accessTokenRequestMessage.ClientAuthenticated)
{
long clientID = client.ClientID;
// Get the file store of the certificate to
// return the private key for use in signing
// the access token.
var cryptoKey = new Nequeo.DataAccess.CloudInteraction.Data.Extension.SymmetricCryptoKey().Select.SelectDataEntity(u => u.ClientID == clientID);
X509Certificate2 certificate = base.GetConsumerX509Certificate(client.ClientIdentifier);
var accessToken = new AuthorizationServerAccessToken();
long oAuthConsumerID = 0;
// Get the specific nonce
var nonceData = GetSpecificNonce(nonce);
if (nonceData != null)
{
oAuthConsumerID = nonceData.OAuthConsumerID;
accessToken.Nonce = System.Text.Encoding.Default.GetBytes(nonce);
accessToken.ClientIdentifier = accessTokenRequestMessage.ClientIdentifier;
}
else
{
throw new Exception("Could not insert token; Internal database exception.");
}
// Insert the access token.
if (!InsertAccessToken(oAuthConsumerID, accessToken, client.Callback, accessTokenRequestMessage.Version.ToString(), AccessTokenLifetime))
{
throw new Exception("Could not insert token; Internal database exception.");
}
// If the certificate exists.
if (certificate != null)
{
// This can be useful to mitigate the security risks
// of access tokens that are used over standard HTTP.
// But this is just the lifetime of the access token.
// The client can still renew it using their refresh
// token until the authorization itself expires.
accessToken.Lifetime = TimeSpan.FromMinutes(AccessTokenLifetime);
accessToken.ClientIdentifier = accessTokenRequestMessage.ClientIdentifier;
// For this sample, we assume just one resource server.
// If this authorization server needs to mint access tokens for more than one resource server,
// we'd look at the request message passed to us and decide which public key to return.
accessToken.ResourceServerEncryptionKey = (RSACryptoServiceProvider)certificate.PublicKey.Key;
accessToken.AccessTokenSigningKey = (RSACryptoServiceProvider)certificate.PrivateKey;
}
// Create the access token result.
var result = new AccessTokenResult(accessToken);
// Return the new access token data.
return(result);
}
else
{
throw new Exception("The client has not been authenticated.");
}
}
else
{
throw new Exception("The client for consumer key : " + accessTokenRequestMessage.ClientIdentifier + " does not exist.");
}
}
public AccessTokenResult(AuthorizationServerAccessToken accessToken)
{
this.AllowRefreshToken = true;
this.AccessToken = accessToken;
}
