public void RespondWithChallenge(IHttpContext context) { var challengeData = new Dictionary <string, string> { { OAuthHelper.Keys.ChallengeTimestamp, OAuthServerHelper.DateTimeToString(SystemTime.UtcNow) }, { OAuthHelper.Keys.ChallengeSalt, OAuthHelper.BytesToString(OAuthServerHelper.RandomBytes(OAuthHelper.Keys.ChallengeSaltLength)) } }; var responseData = new Dictionary <string, string> { { OAuthHelper.Keys.RSAExponent, OAuthServerHelper.RSAExponent }, { OAuthHelper.Keys.RSAModulus, OAuthServerHelper.RSAModulus }, { OAuthHelper.Keys.Challenge, OAuthServerHelper.EncryptSymmetric(OAuthHelper.DictionaryToString(challengeData)) } }; context.SetStatusToPreconditionFailed(); context.Response.AddHeader("WWW-Authenticate", OAuthHelper.Keys.WWWAuthenticateHeaderKey + " " + OAuthHelper.DictionaryToString(responseData)); }
public override void Respond(IHttpContext context) { if (context.Request.ContentLength > MaxOAuthContentLength) { context.SetStatusToBadRequest(); context.WriteJson(new { error = "invalid_request", error_description = "Content length should not be over " + MaxOAuthContentLength + " bytes" }); return; } if (context.Request.ContentLength == 0) { RespondWithChallenge(context); return; } string requestContents; using (var reader = new StreamReader(context.Request.InputStream)) requestContents = reader.ReadToEnd(); var requestContentsDictionary = OAuthHelper.ParseDictionary(requestContents); var rsaExponent = requestContentsDictionary.GetOrDefault(OAuthHelper.Keys.RSAExponent); var rsaModulus = requestContentsDictionary.GetOrDefault(OAuthHelper.Keys.RSAModulus); if (rsaExponent == null || rsaModulus == null || !rsaExponent.SequenceEqual(OAuthServerHelper.RSAExponent) || !rsaModulus.SequenceEqual(OAuthServerHelper.RSAModulus)) { RespondWithChallenge(context); return; } var encryptedData = requestContentsDictionary.GetOrDefault(OAuthHelper.Keys.EncryptedData); if (string.IsNullOrEmpty(encryptedData)) { RespondWithChallenge(context); return; } var challengeDictionary = OAuthHelper.ParseDictionary(OAuthServerHelper.DecryptAsymmetric(encryptedData)); var apiKeyName = challengeDictionary.GetOrDefault(OAuthHelper.Keys.APIKeyName); var challenge = challengeDictionary.GetOrDefault(OAuthHelper.Keys.Challenge); var response = challengeDictionary.GetOrDefault(OAuthHelper.Keys.Response); if (string.IsNullOrEmpty(apiKeyName) || string.IsNullOrEmpty(challenge) || string.IsNullOrEmpty(response)) { RespondWithChallenge(context); return; } var challengeData = OAuthHelper.ParseDictionary(OAuthServerHelper.DecryptSymmetric(challenge)); var timestampStr = challengeData.GetOrDefault(OAuthHelper.Keys.ChallengeTimestamp); if (string.IsNullOrEmpty(timestampStr)) { RespondWithChallenge(context); return; } var challengeTimestamp = OAuthServerHelper.ParseDateTime(timestampStr); if (challengeTimestamp + MaxChallengeAge < SystemTime.UtcNow || challengeTimestamp > SystemTime.UtcNow) { // The challenge is either old or from the future RespondWithChallenge(context); return; } var apiKeyTuple = GetApiKeySecret(apiKeyName); if (apiKeyTuple == null) { context.SetStatusToUnauthorized(); context.WriteJson(new { error = "unauthorized_client", error_description = "Unknown API Key" }); return; } var apiSecret = apiKeyTuple.Item1; if (string.IsNullOrEmpty(apiKeyName)) { context.SetStatusToUnauthorized(); context.WriteJson(new { error = "unauthorized_client", error_description = "Invalid API Key" }); return; } var expectedResponse = OAuthHelper.Hash(string.Format(OAuthHelper.Keys.ResponseFormat, challenge, apiSecret)); if (response != expectedResponse) { context.SetStatusToUnauthorized(); context.WriteJson(new { error = "unauthorized_client", error_description = "Invalid challenge response" }); return; } var token = apiKeyTuple.Item2; context.Write(token.Serialize()); }