public async Task <GrantedToken> Execute(GetTokenViaTicketIdParameter parameter, AuthenticationHeaderValue authenticationHeaderValue, X509Certificate2 certificate, string issuerName)
{
// 1. Check parameters.
if (parameter == null)
{
throw new ArgumentNullException(nameof(parameter));
}
if (string.IsNullOrWhiteSpace(parameter.Ticket))
{
throw new BaseUmaException(ErrorCodes.InvalidRequestCode, string.Format(ErrorDescriptions.TheParameterNeedsToBeSpecified, PostAuthorizationNames.TicketId));
}
if (string.IsNullOrWhiteSpace(parameter.Ticket))
{
throw new ArgumentNullException(nameof(parameter.Ticket));
}
// 2. Try to authenticate the client.
var instruction = CreateAuthenticateInstruction(parameter, authenticationHeaderValue, certificate);
var authResult = await _authenticateClient.AuthenticateAsync(instruction, issuerName);
var client = authResult.Client;
if (client == null)
{
throw new BaseUmaException(ErrorCodes.InvalidClient, authResult.ErrorMessage);
}
if (client.GrantTypes == null || !client.GrantTypes.Contains(GrantType.uma_ticket))
{
throw new BaseUmaException(ErrorCodes.InvalidGrant, string.Format(ErrorDescriptions.TheClientDoesntSupportTheGrantType, client.ClientId, GrantType.uma_ticket));
}
// 3. Retrieve the ticket.
var json = JsonConvert.SerializeObject(parameter);
_umaServerEventSource.StartGettingAuthorization(json);
var ticket = await _ticketStore.GetAsync(parameter.Ticket);
if (ticket == null)
{
throw new BaseUmaException(ErrorCodes.InvalidTicket, string.Format(ErrorDescriptions.TheTicketDoesntExist, parameter.Ticket));
}
// 4. Check the ticket.
if (ticket.ExpirationDateTime < DateTime.UtcNow)
{
throw new BaseUmaException(ErrorCodes.ExpiredTicket, ErrorDescriptions.TheTicketIsExpired);
}
_umaServerEventSource.CheckAuthorizationPolicy(json);
var claimTokenParameter = new ClaimTokenParameter
{
Token = parameter.ClaimToken,
Format = parameter.ClaimTokenFormat
};
// 4. Check the authorization.
var authorizationResult = await _authorizationPolicyValidator.IsAuthorized(ticket, client.ClientId, claimTokenParameter);
if (authorizationResult.Type != AuthorizationPolicyResultEnum.Authorized)
{
_umaServerEventSource.RequestIsNotAuthorized(json);
throw new BaseUmaException(ErrorCodes.InvalidGrant, ErrorDescriptions.TheAuthorizationPolicyIsNotSatisfied);
}
// 5. Generate a granted token.
var grantedToken = await GenerateTokenAsync(client, ticket.Lines, "openid", issuerName);
await _tokenStore.AddToken(grantedToken);
await _ticketStore.RemoveAsync(ticket.Id);
return(grantedToken);
}
public async Task <IEnumerable <AuthorizationResponse> > Execute(IEnumerable <GetAuthorizationActionParameter> parameters, string clientId)
{
var result = new List <AuthorizationResponse>();
var rptLifeTime = await _configurationService.GetRptLifeTime();
// 1. Check parameters.
if (parameters == null)
{
throw new ArgumentNullException(nameof(parameters));
}
if (string.IsNullOrWhiteSpace(clientId))
{
throw new ArgumentNullException(nameof(clientId));
}
// 2. Retrieve the tickets.
_umaServerEventSource.StartGettingAuthorization(JsonConvert.SerializeObject(parameters));
var tickets = await _ticketRepository.Get(parameters.Select(p => p.TicketId));
var rptLst = new List <Rpt>();
// 3. Check parameters.
foreach (var parameter in parameters)
{
var json = JsonConvert.SerializeObject(parameter);
if (string.IsNullOrWhiteSpace(parameter.TicketId))
{
throw new BaseUmaException(ErrorCodes.InvalidRequestCode,
string.Format(ErrorDescriptions.TheParameterNeedsToBeSpecified, PostAuthorizationNames.TicketId));
}
var ticket = tickets.FirstOrDefault(t => t.Id == parameter.TicketId);
if (ticket == null)
{
throw new BaseUmaException(ErrorCodes.InvalidTicket,
string.Format(ErrorDescriptions.TheTicketDoesntExist, parameter.TicketId));
}
if (ticket.ClientId != clientId)
{
throw new BaseUmaException(ErrorCodes.InvalidTicket, ErrorDescriptions.TheTicketIssuerIsDifferentFromTheClient);
}
if (ticket.ExpirationDateTime < DateTime.UtcNow)
{
throw new BaseUmaException(ErrorCodes.ExpiredTicket, ErrorDescriptions.TheTicketIsExpired);
}
_umaServerEventSource.CheckAuthorizationPolicy(json);
var authorizationResult = await _authorizationPolicyValidator.IsAuthorized(ticket, clientId, parameter.ClaimTokenParameters);
if (authorizationResult.Type != AuthorizationPolicyResultEnum.Authorized)
{
_umaServerEventSource.RequestIsNotAuthorized(json);
result.Add(new AuthorizationResponse
{
AuthorizationPolicyResult = authorizationResult.Type,
ErrorDetails = authorizationResult.ErrorDetails
});
continue;
}
var rpt = new Rpt
{
Value = Guid.NewGuid().ToString(),
TicketId = ticket.Id,
ResourceSetId = ticket.ResourceSetId,
CreateDateTime = DateTime.UtcNow,
ExpirationDateTime = DateTime.UtcNow.AddSeconds(rptLifeTime)
};
rptLst.Add(rpt);
result.Add(new AuthorizationResponse
{
AuthorizationPolicyResult = AuthorizationPolicyResultEnum.Authorized,
Rpt = rpt.Value
});
_umaServerEventSource.RequestIsAuthorized(json);
}
// 4. Persist the RPTs.
if (rptLst.Any())
{
await _repositoryExceptionHelper.HandleException(
ErrorDescriptions.TheRptCannotBeInserted,
() => _rptRepository.Insert(rptLst));
}
return(result);
}
public async Task <GetTokenByTicketIdResponse> Execute(GetTokenViaTicketIdParameter parameter, string openidProvider, string issuerName)
{
// 1. Check parameters.
if (parameter == null)
{
throw new ArgumentNullException(nameof(parameter));
}
if (string.IsNullOrWhiteSpace(parameter.Ticket))
{
throw new BaseUmaException(ErrorCodes.InvalidRequestCode, string.Format(ErrorDescriptions.TheParameterNeedsToBeSpecified, PostAuthorizationNames.TicketId));
}
if (string.IsNullOrWhiteSpace(parameter.Ticket))
{
throw new ArgumentNullException(nameof(parameter.Ticket));
}
if (string.IsNullOrWhiteSpace(openidProvider))
{
throw new ArgumentNullException(nameof(openidProvider));
}
// 2. Retrieve the ticket.
var json = JsonConvert.SerializeObject(parameter);
_umaServerEventSource.StartGettingAuthorization(json);
var ticket = await _ticketStore.GetAsync(parameter.Ticket).ConfigureAwait(false);
if (ticket == null)
{
throw new BaseUmaException(ErrorCodes.InvalidTicket, string.Format(ErrorDescriptions.TheTicketDoesntExist, parameter.Ticket));
}
// 3. Check the ticket.
if (ticket.ExpirationDateTime < DateTime.UtcNow)
{
throw new BaseUmaException(ErrorCodes.ExpiredTicket, ErrorDescriptions.TheTicketIsExpired);
}
_umaServerEventSource.CheckAuthorizationPolicy(json);
var claimTokenParameter = new ClaimTokenParameter
{
Token = parameter.ClaimToken,
Format = parameter.ClaimTokenFormat
};
// 4. Check the authorization.
var authorizationResult = await _authorizationPolicyValidator.IsAuthorized(openidProvider, ticket, claimTokenParameter).ConfigureAwait(false);
if (!authorizationResult.IsValid)
{
_umaServerEventSource.RequestIsNotAuthorized(json);
return(new GetTokenByTicketIdResponse
{
IsValid = false,
ResourceValidationResult = authorizationResult
});
}
// 5. Generate a granted token.
var grantedToken = await GenerateTokenAsync(ticket.Audiences, ticket.Lines, "openid", issuerName).ConfigureAwait(false);
await _tokenStore.AddToken(grantedToken);
await _ticketStore.RemoveAsync(ticket.Id);
return(new GetTokenByTicketIdResponse
{
IsValid = true,
GrantedToken = grantedToken
});
}
