/// <summary> /// Serializes this <see cref="Token"/> instance as a string that can be /// included as part of a return_to variable in a querystring. /// This string is cryptographically signed to protect against tampering. /// </summary> public string Serialize(INonceStore store) { using (MemoryStream dataStream = new MemoryStream()) { if (!persistSignature(store)) { Debug.Assert(!persistNonce(Endpoint, store), "Without a signature, a nonce is meaningless."); dataStream.WriteByte(0); // there will be NO signature. StreamWriter writer = new StreamWriter(dataStream); Endpoint.Serialize(writer); writer.Flush(); return Convert.ToBase64String(dataStream.ToArray()); } else { using (HashAlgorithm shaHash = createHashAlgorithm(store)) using (CryptoStream shaStream = new CryptoStream(dataStream, shaHash, CryptoStreamMode.Write)) { StreamWriter writer = new StreamWriter(shaStream); Endpoint.Serialize(writer); if (persistNonce(Endpoint, store)) writer.WriteLine(Nonce.Code); writer.Flush(); shaStream.Flush(); shaStream.FlushFinalBlock(); byte[] hash = shaHash.Hash; byte[] data = new byte[1 + hash.Length + dataStream.Length]; data[0] = 1; // there is a signature Buffer.BlockCopy(hash, 0, data, 1, hash.Length); Buffer.BlockCopy(dataStream.ToArray(), 0, data, 1 + hash.Length, (int)dataStream.Length); return Convert.ToBase64String(data); } } } }
private OpenIdRelyingParty(ICryptoKeyStore cryptoKeyStore, INonceStore nonceStore, IHostFactories hostFactories) { // If we are a smart-mode RP (supporting associations), then we MUST also be // capable of storing nonces to prevent replay attacks. // If we're a dumb-mode RP, then 2.0 OPs are responsible for preventing replays. Requires.That(cryptoKeyStore == null || nonceStore != null, null, OpenIdStrings.AssociationStoreRequiresNonceStore); this.securitySettings = OpenIdElement.Configuration.RelyingParty.SecuritySettings.CreateSecuritySettings(); this.behaviors.CollectionChanged += this.OnBehaviorsChanged; foreach (var behavior in OpenIdElement.Configuration.RelyingParty.Behaviors.CreateInstances(false, null)) { this.behaviors.Add(behavior); } // Without a nonce store, we must rely on the Provider to protect against // replay attacks. But only 2.0+ Providers can be expected to provide // replay protection. if (nonceStore == null && this.SecuritySettings.ProtectDownlevelReplayAttacks && this.SecuritySettings.MinimumRequiredOpenIdVersion < ProtocolVersion.V20) { Logger.OpenId.Warn("Raising minimum OpenID version requirement for Providers to 2.0 to protect this stateless RP from replay attacks."); this.SecuritySettings.MinimumRequiredOpenIdVersion = ProtocolVersion.V20; } this.channel = new OpenIdRelyingPartyChannel(cryptoKeyStore, nonceStore, this.SecuritySettings, hostFactories); var associationStore = cryptoKeyStore != null ? new CryptoKeyStoreAsRelyingPartyAssociationStore(cryptoKeyStore) : null; this.AssociationManager = new AssociationManager(this.Channel, associationStore, this.SecuritySettings); this.discoveryServices = new IdentifierDiscoveryServices(this); Reporting.RecordFeatureAndDependencyUse(this, cryptoKeyStore, nonceStore); }
/// <summary> /// Initializes a new instance of the <see cref="OpenIdChannel"/> class /// for use by a Relying Party. /// </summary> /// <param name="associationStore">The association store to use.</param> /// <param name="nonceStore">The nonce store to use.</param> /// <param name="messageTypeProvider">An object that knows how to distinguish the various OpenID message types for deserialization purposes.</param> /// <param name="securitySettings">The security settings to apply.</param> /// <param name="nonVerifying">A value indicating whether the channel is set up with no functional security binding elements.</param> private OpenIdChannel(IAssociationStore <Uri> associationStore, INonceStore nonceStore, IMessageFactory messageTypeProvider, RelyingPartySecuritySettings securitySettings, bool nonVerifying) : this(messageTypeProvider, InitializeBindingElements(associationStore, nonceStore, securitySettings, nonVerifying)) { Contract.Requires <ArgumentNullException>(messageTypeProvider != null); Contract.Requires <ArgumentNullException>(securitySettings != null); Contract.Requires <ArgumentException>(!nonVerifying || securitySettings is RelyingPartySecuritySettings); }
/// <summary> /// Records the feature and dependency use. /// </summary> /// <param name="value">The consumer or service provider.</param> /// <param name="service">The service.</param> /// <param name="tokenManager">The token manager.</param> /// <param name="nonceStore">The nonce store.</param> internal static void RecordFeatureAndDependencyUse(object value, ServiceProviderHostDescription service, ITokenManager tokenManager, INonceStore nonceStore) { Requires.NotNull(value, "value"); Requires.NotNull(service, "service"); Requires.NotNull(tokenManager, "tokenManager"); // In release builds, just quietly return. if (value == null || service == null || tokenManager == null) { return; } if (Reporting.Enabled && Reporting.Configuration.IncludeFeatureUsage) { StringBuilder builder = new StringBuilder(); builder.Append(value.GetType().Name); builder.Append(" "); builder.Append(tokenManager.GetType().Name); if (nonceStore != null) { builder.Append(" "); builder.Append(nonceStore.GetType().Name); } builder.Append(" "); builder.Append(service.UserAuthorizationEndpoint != null ? service.UserAuthorizationEndpoint.Location.AbsoluteUri : string.Empty); Reporting.ObservedFeatures.Add(builder.ToString()); Reporting.Touch(); } }
/// <summary> /// Initializes a new instance of the <see cref="OAuthChannel"/> class. /// </summary> /// <param name="signingBindingElement">The binding element to use for signing.</param> /// <param name="store">The web application store to use for nonces.</param> /// <param name="tokenManager">The token manager instance to use.</param> internal OAuthChannel(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store, IServiceProviderTokenManager tokenManager) : this( signingBindingElement, store, tokenManager, new OAuthServiceProviderMessageFactory(tokenManager)) { }
/// <summary> /// Initializes a new instance of the <see cref="StandardReplayProtectionBindingElement"/> class. /// </summary> /// <param name="nonceStore">The store where nonces will be persisted and checked.</param> /// <param name="allowEmptyNonces">A value indicating whether zero-length nonces will be allowed.</param> internal StandardReplayProtectionBindingElement(INonceStore nonceStore, bool allowEmptyNonces) { ErrorUtilities.VerifyArgumentNotNull(nonceStore, "nonceStore"); this.nonceStore = nonceStore; this.AllowZeroLengthNonce = allowEmptyNonces; }
/// <summary> /// Initializes a new instance of the <see cref="OAuthChannel"/> class. /// </summary> /// <param name="signingBindingElement">The binding element to use for signing.</param> /// <param name="store">The web application store to use for nonces.</param> /// <param name="tokenManager">The token manager instance to use.</param> /// <param name="isConsumer">A value indicating whether this channel is being constructed for a Consumer (as opposed to a Service Provider).</param> internal OAuthChannel(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store, ITokenManager tokenManager, bool isConsumer) : this(signingBindingElement, store, tokenManager, isConsumer ? (IMessageFactory)new OAuthConsumerMessageFactory() : new OAuthServiceProviderMessageFactory(tokenManager)) { }
/// <summary> /// Initializes a new instance of the <see cref="StandardReplayProtectionBindingElement"/> class. /// </summary> /// <param name="nonceStore">The store where nonces will be persisted and checked.</param> /// <param name="allowEmptyNonces">A value indicating whether zero-length nonces will be allowed.</param> internal StandardReplayProtectionBindingElement(INonceStore nonceStore, bool allowEmptyNonces) { Requires.NotNull(nonceStore, "nonceStore"); this.nonceStore = nonceStore; this.AllowZeroLengthNonce = allowEmptyNonces; }
public AuthorizationServerHost(ICryptoKeyStore cryptoKeyStore, INonceStore nonceStore, IClientRepository clientRepository, IUserRepository userRepository) { _cryptoKeyStore = cryptoKeyStore; _nonceStore = nonceStore; _clientRepository = clientRepository; _userRepository = userRepository; }
/// <summary> /// Records the feature and dependency use. /// </summary> /// <param name="value">The consumer or service provider.</param> /// <param name="service">The service.</param> /// <param name="tokenManager">The token manager.</param> /// <param name="nonceStore">The nonce store.</param> internal static void RecordFeatureAndDependencyUse(object value, ServiceProviderDescription service, ITokenManager tokenManager, INonceStore nonceStore) { Contract.Requires(value != null); Contract.Requires(service != null); Contract.Requires(tokenManager != null); // In release builds, just quietly return. if (value == null || service == null || tokenManager == null) { return; } if (Reporting.Enabled && Reporting.Configuration.IncludeFeatureUsage) { StringBuilder builder = new StringBuilder(); builder.Append(value.GetType().Name); builder.Append(" "); builder.Append(tokenManager.GetType().Name); if (nonceStore != null) { builder.Append(" "); builder.Append(nonceStore.GetType().Name); } builder.Append(" "); builder.Append(service.Version); builder.Append(" "); builder.Append(service.UserAuthorizationEndpoint); Reporting.ObservedFeatures.Add(builder.ToString()); Reporting.Touch(); } }
/// <summary> /// Initializes a new instance of the <see cref="OpenIdRelyingPartyChannel"/> class. /// </summary> /// <param name="cryptoKeyStore">The association store to use.</param> /// <param name="nonceStore">The nonce store to use.</param> /// <param name="messageTypeProvider">An object that knows how to distinguish the various OpenID message types for deserialization purposes.</param> /// <param name="securitySettings">The security settings to apply.</param> /// <param name="nonVerifying">A value indicating whether the channel is set up with no functional security binding elements.</param> private OpenIdRelyingPartyChannel(ICryptoKeyStore cryptoKeyStore, INonceStore nonceStore, IMessageFactory messageTypeProvider, RelyingPartySecuritySettings securitySettings, bool nonVerifying) : base(messageTypeProvider, InitializeBindingElements(cryptoKeyStore, nonceStore, securitySettings, nonVerifying)) { Requires.NotNull(messageTypeProvider, "messageTypeProvider"); Requires.NotNull(securitySettings, "securitySettings"); Requires.True(!nonVerifying || securitySettings is RelyingPartySecuritySettings); }
public override void SetUp() { base.SetUp(); this.signingElement = new RsaSha1ServiceProviderSigningBindingElement(new InMemoryTokenManager()); this.nonceStore = new MemoryNonceStore(StandardExpirationBindingElement.MaximumMessageAge); this.channel = new OAuthServiceProviderChannel(this.signingElement, this.nonceStore, new InMemoryTokenManager(), this.serviceProviderSecuritySettings, new TestMessageFactory(), this.HostFactories); }
/// <summary> /// Initializes a new instance of the <see cref="StandardReplayProtectionBindingElement"/> class. /// </summary> /// <param name="nonceStore">The store where nonces will be persisted and checked.</param> /// <param name="allowEmptyNonces">A value indicating whether zero-length nonces will be allowed.</param> internal StandardReplayProtectionBindingElement(INonceStore nonceStore, bool allowEmptyNonces) { Contract.Requires <ArgumentNullException>(nonceStore != null); this.nonceStore = nonceStore; this.AllowZeroLengthNonce = allowEmptyNonces; }
/// <summary> /// Initializes a new instance of the <see cref="ReturnToNonceBindingElement"/> class. /// </summary> /// <param name="nonceStore">The nonce store to use.</param> /// <param name="securitySettings">The security settings of the RP.</param> internal ReturnToNonceBindingElement(INonceStore nonceStore, RelyingPartySecuritySettings securitySettings) { Contract.Requires<ArgumentNullException>(nonceStore != null); Contract.Requires<ArgumentNullException>(securitySettings != null); this.nonceStore = nonceStore; this.securitySettings = securitySettings; }
public DefaultRequestValidationService(IAccountService accountService, INonceStore nonceStore, ILogger <DefaultRequestValidationService> logger) { _accountService = accountService; _nonceStore = nonceStore; _logger = logger; }
/// <summary> /// Initializes a new instance of the <see cref="OpenIdProviderChannel"/> class. /// </summary> /// <param name="cryptoKeyStore">The association store to use.</param> /// <param name="nonceStore">The nonce store to use.</param> /// <param name="messageTypeProvider">An object that knows how to distinguish the various OpenID message types for deserialization purposes.</param> /// <param name="securitySettings">The security settings.</param> private OpenIdProviderChannel(IProviderAssociationStore cryptoKeyStore, INonceStore nonceStore, IMessageFactory messageTypeProvider, ProviderSecuritySettings securitySettings) : base(messageTypeProvider, InitializeBindingElements(cryptoKeyStore, nonceStore, securitySettings)) { Requires.NotNull(cryptoKeyStore, "cryptoKeyStore"); Requires.NotNull(messageTypeProvider, "messageTypeProvider"); Requires.NotNull(securitySettings, "securitySettings"); }
/// <summary> /// Initializes a new instance of the <see cref="ReturnToNonceBindingElement"/> class. /// </summary> /// <param name="nonceStore">The nonce store to use.</param> /// <param name="securitySettings">The security settings of the RP.</param> internal ReturnToNonceBindingElement(INonceStore nonceStore, RelyingPartySecuritySettings securitySettings) { Requires.NotNull(nonceStore, "nonceStore"); Requires.NotNull(securitySettings, "securitySettings"); this.nonceStore = nonceStore; this.securitySettings = securitySettings; }
/// <summary> /// Nonce store inspector /// </summary> /// <param name="nonceStore">The nonce store.</param> public NonceStoreInspector(INonceStore nonceStore) { if (nonceStore == null) { throw new ArgumentNullException("nonceStore"); } _nonceStore = nonceStore; }
/// <summary> /// Initializes a new instance of the <see cref="DataBagFormatterBase<T>"/> class. /// </summary> /// <param name="signed">A value indicating whether the data in this instance will be protected against tampering.</param> /// <param name="encrypted">A value indicating whether the data in this instance will be protected against eavesdropping.</param> /// <param name="compressed">A value indicating whether the data in this instance will be GZip'd.</param> /// <param name="maximumAge">The maximum age of a token that can be decoded; useful only when <paramref name="decodeOnceOnly"/> is <c>true</c>.</param> /// <param name="decodeOnceOnly">The nonce store to use to ensure that this instance is only decoded once.</param> private DataBagFormatterBase(bool signed = false, bool encrypted = false, bool compressed = false, TimeSpan?maximumAge = null, INonceStore decodeOnceOnly = null) { this.signed = signed; this.maximumAge = maximumAge; this.decodeOnceOnly = decodeOnceOnly; this.encrypted = encrypted; this.compressed = compressed; }
/// <summary> /// Initializes a new instance of the <see cref="ReturnToNonceBindingElement"/> class. /// </summary> /// <param name="nonceStore">The nonce store to use.</param> /// <param name="securitySettings">The security settings of the RP.</param> internal ReturnToNonceBindingElement(INonceStore nonceStore, RelyingPartySecuritySettings securitySettings) { Contract.Requires <ArgumentNullException>(nonceStore != null); Contract.Requires <ArgumentNullException>(securitySettings != null); this.nonceStore = nonceStore; this.securitySettings = securitySettings; }
/// <summary> /// Initializes a new instance of the <see cref="WsseRequestInterceptor"/> class. /// </summary> /// <param name="provider">The provider.</param> /// <param name="realm">The realm.</param> /// <param name="timestampRangevalidator">The timestamp rangevalidator.</param> /// <param name="nonceStore">The nonce store.</param> public WsseRequestInterceptor(IPasswordProvider provider, string realm, ITimestampRangeValidator timestampRangevalidator, INonceStore nonceStore) : base(false) { TimestampRangeValidator = timestampRangevalidator; NonceStore = nonceStore; Provider = provider; Realm = realm; }
public override void SetUp() { base.SetUp(); this.webRequestHandler = new TestWebRequestHandler(); this.signingElement = new RsaSha1SigningBindingElement(new InMemoryTokenManager()); this.nonceStore = new NonceMemoryStore(StandardExpirationBindingElement.MaximumMessageAge); this.channel = new OAuthChannel(this.signingElement, this.nonceStore, new InMemoryTokenManager(), new TestMessageFactory()); this.channel.WebRequestHandler = this.webRequestHandler; }
/// <summary> /// Initializes a new instance of the <see cref="OAuthChannel"/> class. /// </summary> /// <param name="signingBindingElement">The binding element to use for signing.</param> /// <param name="store">The web application store to use for nonces.</param> /// <param name="tokenManager">The ITokenManager instance to use.</param> /// <param name="messageTypeProvider"> /// An injected message type provider instance. /// Except for mock testing, this should always be one of /// <see cref="OAuthConsumerMessageFactory"/> or <see cref="OAuthServiceProviderMessageFactory"/>. /// </param> internal OAuthChannel(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store, ITokenManager tokenManager, IMessageFactory messageTypeProvider) : base(messageTypeProvider, InitializeBindingElements(signingBindingElement, store, tokenManager)) { Contract.Requires<ArgumentNullException>(tokenManager != null); Contract.Requires<ArgumentNullException>(signingBindingElement != null); Contract.Requires<ArgumentException>(signingBindingElement.SignatureCallback == null, OAuthStrings.SigningElementAlreadyAssociatedWithChannel); this.TokenManager = tokenManager; signingBindingElement.SignatureCallback = this.SignatureCallback; }
public LockingNonceStore(INonceStore decorated, ILockFactory lockFactory) { if (lockFactory == null) { throw new ArgumentNullException(nameof(lockFactory)); } _decorated = decorated ?? throw new ArgumentNullException(nameof(decorated)); _lock = lockFactory.CreateLock(); }
public override void SetUp() { base.SetUp(); this.webRequestHandler = new TestWebRequestHandler(); this.signingElement = new RsaSha1SigningBindingElement(new InMemoryTokenManager()); this.nonceStore = new NonceMemoryStore(StandardExpirationBindingElement.MaximumMessageAge); this.channel = new OAuthChannel(this.signingElement, this.nonceStore, new InMemoryTokenManager(), this.serviceProviderSecuritySettings, new TestMessageFactory()); this.channel.WebRequestHandler = this.webRequestHandler; }
public OAuthHandlerBase(CredentialsVerifier auth) { Authenticator = auth; ConsumerStore = new RainyConsumerStore (); NonceStore = new TestNonceStore (); // initialize those classes that are not persisted // TODO request tokens should be persisted in the future RequestTokens = new SimpleTokenRepository<RequestToken> (); }
public override void SetUp() { base.SetUp(); this.protocol = Protocol.Default; this.nonceStore = new NonceMemoryStore(TimeSpan.FromHours(3)); this.nonceElement = new StandardReplayProtectionBindingElement(this.nonceStore); this.nonceElement.Channel = new Mocks.TestChannel(); this.message = new TestReplayProtectedMessage(); this.message.UtcCreationDate = DateTime.UtcNow; }
/// <summary> /// Initializes a new instance of the <see cref="OAuthChannel"/> class. /// </summary> /// <param name="signingBindingElement">The binding element to use for signing.</param> /// <param name="store">The web application store to use for nonces.</param> /// <param name="tokenManager">The ITokenManager instance to use.</param> /// <param name="messageTypeProvider"> /// An injected message type provider instance. /// Except for mock testing, this should always be one of /// <see cref="OAuthConsumerMessageFactory"/> or <see cref="OAuthServiceProviderMessageFactory"/>. /// </param> internal OAuthChannel(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store, ITokenManager tokenManager, IMessageFactory messageTypeProvider) : base(messageTypeProvider, InitializeBindingElements(signingBindingElement, store, tokenManager)) { ErrorUtilities.VerifyArgumentNotNull(tokenManager, "tokenManager"); this.TokenManager = tokenManager; ErrorUtilities.VerifyArgumentNamed(signingBindingElement.SignatureCallback == null, "signingBindingElement", OAuthStrings.SigningElementAlreadyAssociatedWithChannel); signingBindingElement.SignatureCallback = this.SignatureCallback; }
public OAuthHandlerBase(CredentialsVerifier auth) { Authenticator = auth; ConsumerStore = new RainyConsumerStore(); NonceStore = new TestNonceStore(); // initialize those classes that are not persisted // TODO request tokens should be persisted in the future RequestTokens = new SimpleTokenRepository <RequestToken> (); }
/// <summary> /// OAuth authorization service provider. /// </summary> /// <param name="tokenStore">The token store</param> /// <param name="consumerStore">The consumer store</param> /// <param name="nonceStore">The nonce store.</param> public OAuthAuthorizationServer(ITokenStore tokenStore, IConsumerStore consumerStore, INonceStore nonceStore) { _cryptoKeyStoreTranslate = new CryptoKeyStoreTranslate(tokenStore, consumerStore, nonceStore); _tokenStore = tokenStore; _consumerStore = consumerStore; _nonceStore = nonceStore; // Create a new instance of the absent parameter list. ParametersAbsent = new List <string>(); }
public override void SetUp() { base.SetUp(); this.webRequestHandler = new TestWebRequestHandler(); this.signingElement = new RsaSha1SigningBindingElement(new InMemoryTokenManager()); this.nonceStore = new NonceMemoryStore(StandardExpirationBindingElement.MaximumMessageAge); this.channel = new OAuthChannel(this.signingElement, this.nonceStore, new InMemoryTokenManager(), new TestMessageFactory()); this.accessor = OAuthChannel_Accessor.AttachShadow(this.channel); this.channel.WebRequestHandler = this.webRequestHandler; }
internal OAuthServiceProviderChannel(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store, IServiceProviderTokenManager tokenManager, ServiceProviderSecuritySettings securitySettings, IMessageFactory messageTypeProvider = null) : base( signingBindingElement, tokenManager, securitySettings, messageTypeProvider ?? new OAuthServiceProviderMessageFactory(tokenManager), InitializeBindingElements(signingBindingElement, store, tokenManager, securitySettings)) { Requires.NotNull(tokenManager, "tokenManager"); Requires.NotNull(securitySettings, "securitySettings"); Requires.NotNull(signingBindingElement, "signingBindingElement"); }
/// <summary> /// Initializes the binding elements for the OAuth channel. /// </summary> /// <param name="signingBindingElement">The signing binding element.</param> /// <param name="store">The nonce store.</param> /// <param name="tokenManager">The token manager.</param> /// <param name="securitySettings">The security settings.</param> /// <returns> /// An array of binding elements used to initialize the channel. /// </returns> private static IChannelBindingElement[] InitializeBindingElements(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store, ITokenManager tokenManager, SecuritySettings securitySettings) { Requires.NotNull(securitySettings, "securitySettings"); var bindingElements = OAuthChannel.InitializeBindingElements(signingBindingElement, store); var spTokenManager = tokenManager as IServiceProviderTokenManager; var serviceProviderSecuritySettings = securitySettings as ServiceProviderSecuritySettings; bindingElements.Insert(0, new TokenHandlingBindingElement(spTokenManager, serviceProviderSecuritySettings)); return bindingElements.ToArray(); }
protected OAuthChannel(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store, ITokenManager tokenManager, SecuritySettings securitySettings, IMessageFactory messageTypeProvider, IChannelBindingElement[] bindingElements) : base(messageTypeProvider, bindingElements) { Requires.NotNull(tokenManager, "tokenManager"); Requires.NotNull(securitySettings, "securitySettings"); Requires.NotNull(signingBindingElement, "signingBindingElement"); Requires.True(signingBindingElement.SignatureCallback == null, "signingBindingElement", OAuthStrings.SigningElementAlreadyAssociatedWithChannel); Requires.NotNull(bindingElements, "bindingElements"); this.TokenManager = tokenManager; signingBindingElement.SignatureCallback = this.SignatureCallback; }
/// <summary> /// Initializes a new instance of the <see cref="DataBagFormatterBase<T>"/> class. /// </summary> /// <param name="signed">A value indicating whether the data in this instance will be protected against tampering.</param> /// <param name="encrypted">A value indicating whether the data in this instance will be protected against eavesdropping.</param> /// <param name="compressed">A value indicating whether the data in this instance will be GZip'd.</param> /// <param name="maximumAge">The maximum age of a token that can be decoded; useful only when <paramref name="decodeOnceOnly"/> is <c>true</c>.</param> /// <param name="decodeOnceOnly">The nonce store to use to ensure that this instance is only decoded once.</param> private DataBagFormatterBase(bool signed = false, bool encrypted = false, bool compressed = false, TimeSpan?maximumAge = null, INonceStore decodeOnceOnly = null) { Requires.True(signed || decodeOnceOnly == null, null); Requires.True(maximumAge.HasValue || decodeOnceOnly == null, null); this.signed = signed; this.maximumAge = maximumAge; this.decodeOnceOnly = decodeOnceOnly; this.encrypted = encrypted; this.compressed = compressed; }
/// <summary> /// OAuth resource provider. /// </summary> /// <param name="tokenStore">The token store</param> /// <param name="consumerStore">The consumer store</param> /// <param name="nonceStore">The nonce store.</param> public AuthResource(ITokenStore tokenStore, IConsumerStore consumerStore, INonceStore nonceStore) { _tokenStore = tokenStore; _consumerStore = consumerStore; _nonceStore = nonceStore; ValidateEx(); // Create the resource provider. _resourceServer = new ResourceServer(); }
IIdSiteSyncCallbackHandler IIdSiteSyncCallbackHandler.SetNonceStore(INonceStore nonceStore) { if (nonceStore == null) { throw new ArgumentNullException(nameof(nonceStore)); } this.nonceStore = nonceStore; return(this); }
IIdSiteSyncCallbackHandler IIdSiteSyncCallbackHandler.SetNonceStore(INonceStore nonceStore) { if (nonceStore == null) { throw new ArgumentNullException(nameof(nonceStore)); } this.nonceStore = nonceStore; return this; }
/// <summary> /// OAuth provider. /// </summary> /// <param name="tokenStore">The token store</param> /// <param name="consumerStore">The consumer store</param> /// <param name="nonceStore">The nonce store.</param> /// <param name="inspectors">The collection of validation inspectors.</param> public AuthProvider(ITokenStore tokenStore, IConsumerStore consumerStore, INonceStore nonceStore, params IContextInspector[] inspectors) { _tokenStore = tokenStore; _consumerStore = consumerStore; _nonceStore = nonceStore; ValidateEx(); // Create a new OAuth provider. _oAuthProvider = new OAuthProvider(tokenStore, inspectors); }
internal OAuthConsumerChannel(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store, IConsumerTokenManager tokenManager, ConsumerSecuritySettings securitySettings, IMessageFactory messageFactory = null) : base( signingBindingElement, tokenManager, securitySettings, messageFactory ?? new OAuthConsumerMessageFactory(), InitializeBindingElements(signingBindingElement, store)) { Requires.NotNull(tokenManager, "tokenManager"); Requires.NotNull(securitySettings, "securitySettings"); Requires.NotNull(signingBindingElement, "signingBindingElement"); }
/// <summary> /// Initializes a new instance of the <see cref="DataBagFormatterBase<T>"/> class. /// </summary> /// <param name="signed">A value indicating whether the data in this instance will be protected against tampering.</param> /// <param name="encrypted">A value indicating whether the data in this instance will be protected against eavesdropping.</param> /// <param name="compressed">A value indicating whether the data in this instance will be GZip'd.</param> /// <param name="maximumAge">The maximum age of a token that can be decoded; useful only when <paramref name="decodeOnceOnly"/> is <c>true</c>.</param> /// <param name="decodeOnceOnly">The nonce store to use to ensure that this instance is only decoded once.</param> private DataBagFormatterBase(bool signed = false, bool encrypted = false, bool compressed = false, TimeSpan?maximumAge = null, INonceStore decodeOnceOnly = null) { Requires.That(signed || decodeOnceOnly == null, "decodeOnceOnly", "Nonce only valid with signing."); Requires.That(maximumAge.HasValue || decodeOnceOnly == null, "decodeOnceOnly", "Nonce requires a maximum message age."); this.signed = signed; this.maximumAge = maximumAge; this.decodeOnceOnly = decodeOnceOnly; this.encrypted = encrypted; this.compressed = compressed; }
internal OAuthChannel(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store, IServiceProviderTokenManager tokenManager, ServiceProviderSecuritySettings securitySettings) : this( signingBindingElement, store, tokenManager, securitySettings, new OAuthServiceProviderMessageFactory(tokenManager)) { Contract.Requires<ArgumentNullException>(tokenManager != null); Contract.Requires<ArgumentNullException>(securitySettings != null); Contract.Requires<ArgumentNullException>(signingBindingElement != null); Contract.Requires<ArgumentException>(signingBindingElement.SignatureCallback == null, OAuthStrings.SigningElementAlreadyAssociatedWithChannel); }
/// <summary> /// Initializes a new instance of the <see cref="OAuthChannel"/> class. /// </summary> /// <param name="signingBindingElement">The binding element to use for signing.</param> /// <param name="store">The web application store to use for nonces.</param> /// <param name="tokenManager">The ITokenManager instance to use.</param> /// <param name="messageTypeProvider"> /// An injected message type provider instance. /// Except for mock testing, this should always be one of /// <see cref="OAuthConsumerMessageFactory"/> or <see cref="OAuthServiceProviderMessageFactory"/>. /// </param> /// <remarks> /// This overload for testing purposes only. /// </remarks> internal OAuthChannel(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store, ITokenManager tokenManager, IMessageFactory messageTypeProvider) : base(messageTypeProvider, new OAuthHttpMethodBindingElement(), signingBindingElement, new StandardExpirationBindingElement(), new StandardReplayProtectionBindingElement(store)) { if (tokenManager == null) { throw new ArgumentNullException("tokenManager"); } this.TokenManager = tokenManager; ErrorUtilities.VerifyArgumentNamed(signingBindingElement.SignatureCallback == null, "signingBindingElement", OAuthStrings.SigningElementAlreadyAssociatedWithChannel); signingBindingElement.SignatureCallback = this.SignatureCallback; }
/// <summary> /// Initializes a new instance of the <see cref="OpenIdProvider"/> class. /// </summary> /// <param name="associationStore">The association store to use. Cannot be null.</param> /// <param name="nonceStore">The nonce store to use. Cannot be null.</param> private OpenIdProvider(IAssociationStore<AssociationRelyingPartyType> associationStore, INonceStore nonceStore) { Contract.Requires(associationStore != null); Contract.Requires(nonceStore != null); Contract.Ensures(this.AssociationStore == associationStore); Contract.Ensures(this.SecuritySettings != null); Contract.Ensures(this.Channel != null); ErrorUtilities.VerifyArgumentNotNull(associationStore, "associationStore"); ErrorUtilities.VerifyArgumentNotNull(nonceStore, "nonceStore"); this.AssociationStore = associationStore; this.SecuritySettings = DotNetOpenAuthSection.Configuration.OpenId.Provider.SecuritySettings.CreateSecuritySettings(); this.Channel = new OpenIdChannel(this.AssociationStore, nonceStore, this.SecuritySettings); }
/// <summary> /// OAuth provider. /// </summary> /// <param name="tokenStore">The token store</param> /// <param name="consumerStore">The consumer store</param> /// <param name="nonceStore">The nonce store.</param> public AuthResource(ITokenStore tokenStore, IConsumerStore consumerStore, INonceStore nonceStore) { _tokenStore = tokenStore; _consumerStore = consumerStore; _nonceStore = nonceStore; ValidateEx(); // Create a new OAuth provider. _oAuthProvider = new OAuthProvider(tokenStore, new SignatureValidationInspector(consumerStore), new NonceStoreInspector(nonceStore), new TimestampRangeInspector(new TimeSpan(1, 0, 0)), new ConsumerValidationInspector(consumerStore)); }
public SecretController( IJwtTokenService tokenService, INonceStore nonceStore, IDeviceAttestation deviceAttestation, IConfiguration configuration ) { m_tokenService = tokenService; m_nonceStore = nonceStore; m_attestationService = deviceAttestation; m_configuration = configuration; attestSecret = configuration.GetValue <string>("JwtSettings:Secret"); jwtSecret = configuration.GetValue <string>("JwtSettings:Secret"); JwtAudience = configuration.GetValue <string>("JwtSettings:Audience"); JwtIssuer = configuration.GetValue <string>("JwtSettings:Issuer"); }
/// <summary> /// OAuth provider. /// </summary> /// <param name="tokenStore">The token store</param> /// <param name="consumerStore">The consumer store</param> /// <param name="nonceStore">The nonce store.</param> public AuthProvider(ITokenStore tokenStore, IConsumerStore consumerStore, INonceStore nonceStore) { _tokenStore = tokenStore; _consumerStore = consumerStore; _nonceStore = nonceStore; ValidateEx(); // Create a new OAuth provider. _oAuthProvider = new OAuthProvider(tokenStore, new SignatureValidationInspector(consumerStore), new NonceStoreInspector(nonceStore), new TimestampRangeInspector(new TimeSpan(1, 0, 0)), new ConsumerValidationInspector(consumerStore), new XAuthValidationInspector(ValidateXAuthMode, AuthenticateXAuthUsernameAndPassword)); }
/// <summary> /// Initializes a new instance of the <see cref="OpenIdProvider"/> class. /// </summary> /// <param name="nonceStore">The nonce store to use. Cannot be null.</param> /// <param name="cryptoKeyStore">The crypto key store. Cannot be null.</param> private OpenIdProvider(INonceStore nonceStore, ICryptoKeyStore cryptoKeyStore) { Requires.NotNull(nonceStore, "nonceStore"); Requires.NotNull(cryptoKeyStore, "cryptoKeyStore"); this.SecuritySettings = OpenIdElement.Configuration.Provider.SecuritySettings.CreateSecuritySettings(); this.behaviors.CollectionChanged += this.OnBehaviorsChanged; foreach (var behavior in OpenIdElement.Configuration.Provider.Behaviors.CreateInstances(false)) { this.behaviors.Add(behavior); } this.AssociationStore = new SwitchingAssociationStore(cryptoKeyStore, this.SecuritySettings); this.Channel = new OpenIdProviderChannel(this.AssociationStore, nonceStore, this.SecuritySettings); this.CryptoKeyStore = cryptoKeyStore; this.discoveryServices = new IdentifierDiscoveryServices(this); Reporting.RecordFeatureAndDependencyUse(this, nonceStore); }
public DefaultIdSiteSyncCallbackHandler(IInternalDataStore internalDataStore, IHttpRequest httpRequest) { if (internalDataStore == null) { throw new ArgumentNullException(nameof(internalDataStore)); } if (httpRequest == null) { throw new ArgumentNullException(nameof(httpRequest)); } this.internalDataStore = internalDataStore; this.jwtResponse = HandlerShared.GetJwtResponse(httpRequest); this.nonceStore = new DefaultNonceStore(internalDataStore.CacheResolver); this.syncNonceStore = this.nonceStore as ISynchronousNonceStore; }
/// <summary> /// Initializes a new instance of the <see cref="OpenIdProvider"/> class. /// </summary> /// <param name="associationStore">The association store to use. Cannot be null.</param> /// <param name="nonceStore">The nonce store to use. Cannot be null.</param> private OpenIdProvider(IAssociationStore<AssociationRelyingPartyType> associationStore, INonceStore nonceStore) { Contract.Requires<ArgumentNullException>(associationStore != null); Contract.Requires<ArgumentNullException>(nonceStore != null); Contract.Ensures(this.AssociationStore == associationStore); Contract.Ensures(this.SecuritySettings != null); Contract.Ensures(this.Channel != null); this.AssociationStore = associationStore; this.SecuritySettings = DotNetOpenAuthSection.Configuration.OpenId.Provider.SecuritySettings.CreateSecuritySettings(); this.behaviors.CollectionChanged += this.OnBehaviorsChanged; foreach (var behavior in DotNetOpenAuthSection.Configuration.OpenId.Provider.Behaviors.CreateInstances(false)) { this.behaviors.Add(behavior); } this.Channel = new OpenIdChannel(this.AssociationStore, nonceStore, this.SecuritySettings); Reporting.RecordFeatureAndDependencyUse(this, associationStore, nonceStore); }
/// <summary> /// OAuth provider. /// </summary> /// <param name="tokenStore">The token store</param> /// <param name="consumerStore">The consumer store</param> /// <param name="nonceStore">The nonce store.</param> public AuthProvider(ITokenStore tokenStore, IConsumerStore consumerStore, INonceStore nonceStore) { _tokenStore = tokenStore; _consumerStore = consumerStore; _nonceStore = nonceStore; ValidateEx(); // Create a new client authenticator List <ClientAuthenticationModule> clientAuth = new List <ClientAuthenticationModule>() { new ClientAuthentication(tokenStore, consumerStore, nonceStore) }; // Create the OAuth servers. _oAuthAuthorizationServer = new OAuthAuthorizationServer(tokenStore, consumerStore, nonceStore); _authorizationServer = new AuthorizationServer(_oAuthAuthorizationServer, clientAuth); }
/// <summary> /// Initializes the binding elements. /// </summary> /// <param name="cryptoKeyStore">The OpenID Provider's crypto key store.</param> /// <param name="nonceStore">The nonce store to use.</param> /// <param name="securitySettings">The security settings to apply. Must be an instance of either RelyingPartySecuritySettings or ProviderSecuritySettings.</param> /// <returns> /// An array of binding elements which may be used to construct the channel. /// </returns> private static IChannelBindingElement[] InitializeBindingElements(IProviderAssociationStore cryptoKeyStore, INonceStore nonceStore, ProviderSecuritySettings securitySettings) { Requires.NotNull(cryptoKeyStore, "cryptoKeyStore"); Requires.NotNull(securitySettings, "securitySettings"); Requires.NotNull(nonceStore, "nonceStore"); SigningBindingElement signingElement; signingElement = new ProviderSigningBindingElement(cryptoKeyStore, securitySettings); var extensionFactory = OpenIdExtensionFactoryAggregator.LoadFromConfiguration(); List<IChannelBindingElement> elements = new List<IChannelBindingElement>(8); elements.Add(new ExtensionsBindingElement(extensionFactory, securitySettings, true)); elements.Add(new StandardReplayProtectionBindingElement(nonceStore, true)); elements.Add(new StandardExpirationBindingElement()); elements.Add(signingElement); return elements.ToArray(); }
/// <summary> /// Deserializes a token returned to us from the provider and verifies its integrity. /// </summary> /// <remarks> /// As part of deserialization, the signature is verified to check /// for tampering, and the nonce (if included by the RP) is also checked. /// If no signature is present (due to stateless mode), the endpoint is verified /// by discovery (slow but secure). /// </remarks> public static Token Deserialize(string token, INonceStore store) { byte[] tok = Convert.FromBase64String(token); if (tok.Length < 1) throw new OpenIdException(Strings.InvalidSignature); bool signaturePresent = tok[0] == 1; bool signatureVerified = false; MemoryStream dataStream; if (signaturePresent) { if (persistSignature(store)) { // Verify the signature to guarantee that our state hasn't been // tampered with in transit or on the provider. HashAlgorithm hmac = createHashAlgorithm(store); int signatureLength = hmac.HashSize / 8; dataStream = new MemoryStream(tok, 1 + signatureLength, tok.Length - 1 - signatureLength); byte[] newSig = hmac.ComputeHash(dataStream); dataStream.Position = 0; if (tok.Length - 1 < newSig.Length) throw new OpenIdException(Strings.InvalidSignature); for (int i = 0; i < newSig.Length; i++) if (tok[i + 1] != newSig[i]) throw new OpenIdException(Strings.InvalidSignature); signatureVerified = true; } else { // Oops, we have no application state, so we have no way of validating the signature. throw new OpenIdException(Strings.InconsistentAppState); } } else { dataStream = new MemoryStream(tok, 1, tok.Length - 1); } StreamReader reader = new StreamReader(dataStream); ServiceEndpoint endpoint = ServiceEndpoint.Deserialize(reader); Nonce nonce = null; if (signatureVerified && persistNonce(endpoint, store)) { nonce = new Nonce(reader.ReadLine(), false); nonce.Consume(store); } if (!signatureVerified) { verifyEndpointByDiscovery(endpoint); } return new Token(nonce, endpoint); }
/// <summary> /// Initializes a new instance of the <see cref="OpenIdProvider" /> class. /// </summary> /// <param name="nonceStore">The nonce store to use. Cannot be null.</param> /// <param name="cryptoKeyStore">The crypto key store. Cannot be null.</param> /// <param name="hostFactories">The host factories.</param> private OpenIdProvider(INonceStore nonceStore, ICryptoKeyStore cryptoKeyStore, IHostFactories hostFactories) { Requires.NotNull(nonceStore, "nonceStore"); Requires.NotNull(cryptoKeyStore, "cryptoKeyStore"); this.SecuritySettings = OpenIdElement.Configuration.Provider.SecuritySettings.CreateSecuritySettings(); this.behaviors.CollectionChanged += this.OnBehaviorsChanged; foreach (var behavior in OpenIdElement.Configuration.Provider.Behaviors.CreateInstances(false, null)) { this.behaviors.Add(behavior); } this.AssociationStore = new SwitchingAssociationStore(cryptoKeyStore, this.SecuritySettings); this.Channel = new OpenIdProviderChannel(this.AssociationStore, nonceStore, this.SecuritySettings, hostFactories); this.CryptoKeyStore = cryptoKeyStore; this.discoveryServices = new IdentifierDiscoveryServices(this); Reporting.RecordFeatureAndDependencyUse(this, nonceStore); }
/// <summary> /// Initializes a new instance of the <see cref="OpenIdRelyingParty"/> class. /// </summary> /// <param name="associationStore">The association store. If null, the relying party will always operate in "dumb mode".</param> /// <param name="nonceStore">The nonce store to use. If null, the relying party will always operate in "dumb mode".</param> private OpenIdRelyingParty(IAssociationStore <Uri> associationStore, INonceStore nonceStore) { // If we are a smart-mode RP (supporting associations), then we MUST also be // capable of storing nonces to prevent replay attacks. // If we're a dumb-mode RP, then 2.0 OPs are responsible for preventing replays. ErrorUtilities.VerifyArgument(associationStore == null || nonceStore != null, OpenIdStrings.AssociationStoreRequiresNonceStore); this.securitySettings = DotNetOpenAuthSection.Configuration.OpenId.RelyingParty.SecuritySettings.CreateSecuritySettings(); // Without a nonce store, we must rely on the Provider to protect against // replay attacks. But only 2.0+ Providers can be expected to provide // replay protection. if (nonceStore == null) { this.SecuritySettings.MinimumRequiredOpenIdVersion = ProtocolVersion.V20; } this.channel = new OpenIdChannel(associationStore, nonceStore, this.SecuritySettings); this.AssociationManager = new AssociationManager(this.Channel, associationStore, this.SecuritySettings); }