Exemplo n.º 1
0
        protected override Task<HttpResponseMessage> SendAsync(
            HttpRequestMessage request, System.Threading.CancellationToken cancellationToken)
        {
            string aToken = GetAccessTokenFromRequest(request);
            if (ValidateToken(aToken))
            {
                var aPrincipal = new OAuthPrincipal("testUser", null);
                SetPrincipal(aPrincipal);

                return base.SendAsync(request, cancellationToken);
            }
            else
            {
                var response = new HttpResponseMessage(HttpStatusCode.Forbidden);
                var tsc = new TaskCompletionSource<HttpResponseMessage>();
                tsc.SetResult(response);
                return tsc.Task;
            }
        }
Exemplo n.º 2
0
		public virtual OutgoingWebResponse VerifyAccess(HttpRequestBase httpRequestInfo, out IPrincipal principal) {
			AccessToken accessToken;
			var result = this.VerifyAccess(httpRequestInfo, out accessToken);
			if (result == null) {
				// Mitigates attacks on this approach of differentiating clients from resource owners
				// by checking that a username doesn't look suspiciously engineered to appear like the other type.
				ErrorUtilities.VerifyProtocol(accessToken.User == null || string.IsNullOrEmpty(this.ClientPrincipalPrefix) || !accessToken.User.StartsWith(this.ClientPrincipalPrefix, StringComparison.OrdinalIgnoreCase), OAuth2Strings.ResourceOwnerNameLooksLikeClientIdentifier);
				ErrorUtilities.VerifyProtocol(accessToken.ClientIdentifier == null || string.IsNullOrEmpty(this.ResourceOwnerPrincipalPrefix) || !accessToken.ClientIdentifier.StartsWith(this.ResourceOwnerPrincipalPrefix, StringComparison.OrdinalIgnoreCase), OAuth2Strings.ClientIdentifierLooksLikeResourceOwnerName);

				string principalUserName = !string.IsNullOrEmpty(accessToken.User)
					? this.ResourceOwnerPrincipalPrefix + accessToken.User
					: this.ClientPrincipalPrefix + accessToken.ClientIdentifier;
				string[] principalScope = accessToken.Scope != null ? accessToken.Scope.ToArray() : new string[0];
				principal = new OAuthPrincipal(principalUserName, principalScope);
			} else {
				principal = null;
			}

			return result;
		}
		/// <summary>
		/// Initializes a new instance of the <see cref="OAuthPrincipalAuthorizationPolicy"/> class.
		/// </summary>
		/// <param name="principal">The principal.</param>
		public OAuthPrincipalAuthorizationPolicy(OAuthPrincipal principal) {
			this.principal = principal;
		}
Exemplo n.º 4
0
		/// <summary>
		/// Discovers what access the client should have considering the access token in the current request.
		/// </summary>
		/// <param name="httpRequestInfo">The HTTP request info.</param>
		/// <param name="requiredScopes">The set of scopes required to approve this request.</param>
		/// <returns>
		/// The principal that contains the user and roles that the access token is authorized for.  Never <c>null</c>.
		/// </returns>
		/// <exception cref="ProtocolFaultResponseException">
		/// Thrown when the client is not authorized.  This exception should be caught and the
		/// <see cref="ProtocolFaultResponseException.ErrorResponseMessage"/> message should be returned to the client.
		/// </exception>
		public virtual IPrincipal GetPrincipal(HttpRequestBase httpRequestInfo = null, params string[] requiredScopes) {
			AccessToken accessToken = this.GetAccessToken(httpRequestInfo, requiredScopes);

			// Mitigates attacks on this approach of differentiating clients from resource owners
			// by checking that a username doesn't look suspiciously engineered to appear like the other type.
			ErrorUtilities.VerifyProtocol(accessToken.User == null || string.IsNullOrEmpty(this.ClientPrincipalPrefix) || !accessToken.User.StartsWith(this.ClientPrincipalPrefix, StringComparison.OrdinalIgnoreCase), ResourceServerStrings.ResourceOwnerNameLooksLikeClientIdentifier);
			ErrorUtilities.VerifyProtocol(accessToken.ClientIdentifier == null || string.IsNullOrEmpty(this.ResourceOwnerPrincipalPrefix) || !accessToken.ClientIdentifier.StartsWith(this.ResourceOwnerPrincipalPrefix, StringComparison.OrdinalIgnoreCase), ResourceServerStrings.ClientIdentifierLooksLikeResourceOwnerName);

			string principalUserName = !string.IsNullOrEmpty(accessToken.User)
				? this.ResourceOwnerPrincipalPrefix + accessToken.User
				: this.ClientPrincipalPrefix + accessToken.ClientIdentifier;
			string[] principalScope = accessToken.Scope != null ? accessToken.Scope.ToArray() : new string[0];
			var principal = new OAuthPrincipal(principalUserName, principalScope);

			return principal;
		}