public async Task <bool> Handle(AuthenticateInstruction authenticateInstruction, OAuthClient client, string expectedIssuer) { if (authenticateInstruction == null) { throw new ArgumentNullException(nameof(authenticateInstruction)); } if (client == null) { throw new ArgumentNullException(nameof(client)); } if (client.Secrets == null) { throw new ArgumentNullException(nameof(client.Secrets)); } var clientSecret = client.Secrets.FirstOrDefault(s => s.Type == ClientSecretTypes.SharedSecret); if (clientSecret == null) { throw new OAuthException(ErrorCodes.INVALID_CLIENT_AUTH, ErrorMessages.NO_CLIENT_SECRET); } var clientAssertion = authenticateInstruction.ClientAssertion; var isJweToken = _jwtParser.IsJweToken(clientAssertion); if (!isJweToken) { throw new OAuthException(ErrorCodes.INVALID_CLIENT_AUTH, ErrorMessages.BAD_CLIENT_ASSERTION_FORMAT); } var clientId = authenticateInstruction.ClientIdFromHttpRequestBody; var jws = await _jwtParser.Decrypt(clientAssertion, clientId, clientSecret.Value).ConfigureAwait(false); if (string.IsNullOrWhiteSpace(jws)) { throw new OAuthException(ErrorCodes.INVALID_CLIENT_AUTH, ErrorMessages.BAD_CLIENT_ASSERTION_DECRYPTION); } var isJwsToken = _jwtParser.IsJwsToken(jws); if (!isJwsToken) { throw new OAuthException(ErrorCodes.INVALID_CLIENT_AUTH, ErrorMessages.BAD_CLIENT_ASSERTION_FORMAT); } var payload = await _jwtParser.Unsign(clientAssertion, clientId).ConfigureAwait(false); if (payload == null) { throw new OAuthException(ErrorCodes.INVALID_CLIENT_AUTH, ErrorMessages.BAD_CLIENT_ASSERTION_SIGNATURE); } return(ValidateJwsPayLoad(payload, expectedIssuer)); }
public async Task <bool> Handle(AuthenticateInstruction authenticateInstruction, BaseClient client, string expectedIssuer, CancellationToken cancellationToken, string errorCode = ErrorCodes.INVALID_CLIENT) { if (authenticateInstruction == null) { throw new ArgumentNullException(nameof(authenticateInstruction)); } if (client == null) { throw new ArgumentNullException(nameof(client)); } if (string.IsNullOrWhiteSpace(client.ClientSecret)) { throw new OAuthException(errorCode, ErrorMessages.NO_CLIENT_SECRET); } var clientAssertion = authenticateInstruction.ClientAssertion; var isJweToken = _jwtParser.IsJweToken(clientAssertion); if (!isJweToken) { throw new OAuthException(errorCode, ErrorMessages.BAD_CLIENT_ASSERTION_FORMAT); } var clientId = authenticateInstruction.ClientIdFromHttpRequestBody; var jws = await _jwtParser.Decrypt(clientAssertion, clientId, client.ClientSecret, cancellationToken); if (string.IsNullOrWhiteSpace(jws)) { throw new OAuthException(errorCode, ErrorMessages.BAD_CLIENT_ASSERTION_DECRYPTION); } var isJwsToken = _jwtParser.IsJwsToken(jws); if (!isJwsToken) { throw new OAuthException(errorCode, ErrorMessages.BAD_CLIENT_ASSERTION_FORMAT); } JwsPayload payload = await _jwtParser.Unsign(clientAssertion, clientId, cancellationToken, errorCode); if (payload == null) { throw new OAuthException(errorCode, ErrorMessages.BAD_CLIENT_ASSERTION_SIGNATURE); } return(ValidateJwsPayLoad(payload, expectedIssuer, errorCode)); }
private async Task <JwsPayload> Extract(string accessToken) { var isJwe = _jwtParser.IsJweToken(accessToken); var isJws = _jwtParser.IsJwsToken(accessToken); if (!isJwe && !isJws) { return(null); } var jws = accessToken; if (isJwe) { jws = await _jwtParser.Decrypt(accessToken); } return(await _jwtParser.Unsign(jws)); }
protected async Task <JwsPayload> ExtractHint(string tokenHint, CancellationToken cancellationToken) { if (!_jwtParser.IsJwsToken(tokenHint) && !_jwtParser.IsJweToken(tokenHint)) { throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_IDTOKENHINT); } if (_jwtParser.IsJweToken(tokenHint)) { tokenHint = await _jwtParser.Decrypt(tokenHint, cancellationToken); if (string.IsNullOrWhiteSpace(tokenHint)) { throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_IDTOKENHINT); } } return(await _jwtParser.Unsign(tokenHint, cancellationToken)); }
public virtual async Task <RequestObjectValidatorResult> Validate(string request, BaseClient oauthClient, CancellationToken cancellationToken, string errorCode = ErrorCodes.INVALID_REQUEST_OBJECT) { if (!_jwtParser.IsJwsToken(request) && !_jwtParser.IsJweToken(request)) { throw new OAuthException(errorCode, ErrorMessages.INVALID_REQUEST_PARAMETER); } var jws = request; if (_jwtParser.IsJweToken(request)) { jws = await _jwtParser.Decrypt(jws, cancellationToken); if (string.IsNullOrWhiteSpace(jws)) { throw new OAuthException(errorCode, ErrorMessages.INVALID_JWE_REQUEST_PARAMETER); } } JwsHeader header = null; try { header = _jwtParser.ExtractJwsHeader(jws); } catch (InvalidOperationException) { throw new OAuthException(errorCode, ErrorMessages.INVALID_JWS_REQUEST_PARAMETER); } JwsPayload jwsPayload; try { jwsPayload = await _jwtParser.Unsign(jws, oauthClient, errorCode); } catch (JwtException ex) { throw new OAuthException(errorCode, ex.Message); } return(new RequestObjectValidatorResult(jwsPayload, header)); }
private async Task <JwsPayload> ExtractPATTokenPayload(CancellationToken cancellationToken) { var token = ExtractAuthorizationValue(); if (string.IsNullOrWhiteSpace(token)) { return(null); } var isJweToken = _jwtParser.IsJweToken(token); var isJwsToken = _jwtParser.IsJwsToken(token); if (isJweToken && isJwsToken) { return(null); } if (isJweToken) { token = await _jwtParser.Decrypt(token, cancellationToken); } return(await _jwtParser.Unsign(token, cancellationToken)); }
protected async Task <bool> CheckRequest(HandlerContext context, string request) { var openidClient = (OpenIdClient)context.Client; if (!_jwtParser.IsJwsToken(request) && !_jwtParser.IsJweToken(request)) { throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_REQUEST_PARAMETER); } var jws = request; if (_jwtParser.IsJweToken(request)) { jws = await _jwtParser.Decrypt(jws); if (string.IsNullOrWhiteSpace(jws)) { throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_JWE_REQUEST_PARAMETER); } } JwsHeader header = null; try { header = _jwtParser.ExtractJwsHeader(jws); } catch (InvalidOperationException) { throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_JWS_REQUEST_PARAMETER); } if ( (!string.IsNullOrWhiteSpace(openidClient.RequestObjectSigningAlg) && header.Alg != openidClient.RequestObjectSigningAlg) || (string.IsNullOrWhiteSpace(openidClient.RequestObjectSigningAlg) && header.Alg != NoneSignHandler.ALG_NAME) ) { throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_SIGNATURE_ALG); } var jwsPayload = await _jwtParser.Unsign(jws, context.Client); if (jwsPayload == null) { throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_JWS_REQUEST_PARAMETER); } if (!jwsPayload.ContainsKey(OAuth.DTOs.AuthorizationRequestParameters.ResponseType)) { throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.MISSING_RESPONSE_TYPE_CLAIM); } if (!jwsPayload.ContainsKey(OAuth.DTOs.AuthorizationRequestParameters.ClientId)) { throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.MISSING_CLIENT_ID_CLAIM); } if (!jwsPayload[OAuth.DTOs.AuthorizationRequestParameters.ResponseType].ToString().Split(' ').OrderBy(s => s).SequenceEqual(context.Request.Data.GetResponseTypesFromAuthorizationRequest())) { throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_RESPONSE_TYPE_CLAIM); } if (jwsPayload[OAuth.DTOs.AuthorizationRequestParameters.ClientId].ToString() != context.Client.ClientId) { throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_CLIENT_ID_CLAIM); } context.Request.SetData(JObject.FromObject(jwsPayload)); return(true); }