public virtual IToken ExchangeRequestTokenForAccessToken(IOAuthContext context)
{
var token = _tokenStore.GetToken(context);
if (token != null)
{
context.TokenSecret = token.TokenSecret;
}
InspectRequest(context);
_tokenStore.ConsumeRequestToken(context);
switch (_tokenStore.GetStatusOfRequestForAccess(context))
{
case RequestForAccessStatus.Granted:
break;
case RequestForAccessStatus.Unknown:
throw Error.ConsumerHasNotBeenGrantedAccessYet(context);
default:
throw Error.ConsumerHasBeenDeniedAccess(context);
}
return(_tokenStore.GetAccessTokenAssociatedWithRequestToken(context));
}
protected async override Task <HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
{
var tokenCredential = _tokenStore.GetToken(_tokenIdentifier);
AssignAuthenticationHeader(request, tokenCredential);
var response = await base.SendAsync(request, cancellationToken);
return(await PreHandleResponseMessage(response, request, cancellationToken));
}
public async Task <GrantedToken> GetValidGrantedTokenAsync(string scopes, string clientId, JwsPayload idTokenJwsPayload = null, JwsPayload userInfoJwsPayload = null)
{
if (string.IsNullOrWhiteSpace(scopes))
{
throw new ArgumentNullException(nameof(scopes));
}
if (string.IsNullOrWhiteSpace(clientId))
{
throw new ArgumentNullException(nameof(clientId));
}
var token = await _tokenStore.GetToken(scopes, clientId, idTokenJwsPayload, userInfoJwsPayload);
if (token == null)
{
return(null);
}
if (!_grantedTokenValidator.CheckGrantedToken(token).IsValid)
{
await _tokenStore.RemoveAccessToken(token.AccessToken);
return(null);
}
return(token);
}
public static async Task <GrantedToken?> GetValidGrantedToken(
this ITokenStore tokenStore,
IJwksStore jwksStore,
string scopes,
string clientId,
CancellationToken cancellationToken = default,
JwtPayload?idTokenJwsPayload = null,
JwtPayload?userInfoJwsPayload = null)
{
var token = await tokenStore.GetToken(scopes, clientId, idTokenJwsPayload, userInfoJwsPayload, cancellationToken)
.ConfigureAwait(false);
if (token == null)
{
return(null);
}
if ((await token.CheckGrantedToken(jwksStore, cancellationToken).ConfigureAwait(false)).IsValid)
{
return(token);
}
await tokenStore.RemoveAccessToken(token.AccessToken, cancellationToken).ConfigureAwait(false);
return(null);
}
private async Task <string> GetTokenForRequest(HttpRequestMessage requestMessage, CancellationToken cancellationToken = default)
{
cancellationToken.ThrowIfCancellationRequested();
if (requestMessage.Headers.TryGetValues("x-impersonate-userId", out var userIdHeaderValues) &&
requestMessage.Headers.TryGetValues("x-impersonate-audience", out var audienceHeaderValues))
{
var userId = userIdHeaderValues.First();
var audience = audienceHeaderValues.First();
return(await userTokenStore.GetUserToken(userId, audience, cancellationToken));
}
return(await tokenStore.GetToken(cancellationToken));
}
public override IMessage Invoke(IMessage msg)
{
try
{
AccessToken token = null;
if (_tokenStore != null)
{
token = _tokenStore.GetToken(_applicationId);
}
return(InvokeRecursive(msg, true, token));
}
catch (Exception exception)
{
return(new ReturnMessage(exception, (IMethodCallMessage)msg));
}
}
public Task Invoke(IOwinContext context, Func <Task> next)
{
var request = context.Request;
var accessToken = request.Headers["api-token"];
if (string.IsNullOrEmpty(accessToken))
{
throw new HttpException((int)HttpStatusCode.Forbidden, "No API token found in the request");
}
var token = _tokenStore.GetToken("api", accessToken);
if (token.Status != TokenStatus.Allowed)
{
throw new HttpException((int)HttpStatusCode.Forbidden, "This API token is not valid at this time");
}
return(next());
}
public void Should_allow_default_tokens_for_any_identity_and_purpose()
{
const string tokenType = "session";
var sessionToken = _tokenStore.CreateToken(tokenType);
var token = _tokenStore.GetToken(tokenType, sessionToken);
Assert.IsNotNull(token);
Assert.AreEqual(sessionToken, token.Value);
Assert.IsTrue(string.IsNullOrEmpty(token.Identity));
Assert.IsTrue(string.IsNullOrEmpty(token.Purpose));
Assert.AreEqual(TokenStatus.Allowed, token.Status);
const string identity = "urn:user:431";
const string purpose = "login";
token = _tokenStore.GetToken(tokenType, sessionToken, purpose, identity);
Assert.IsNotNull(token);
Assert.AreEqual(sessionToken, token.Value);
Assert.AreEqual(purpose, token.Purpose);
Assert.AreEqual(identity, token.Identity);
Assert.AreEqual(TokenStatus.Allowed, token.Status);
}
public async Task When_No_Access_Token_Exists_Then_Null_Is_Returned()
{
// ARRANGE
InitializeFakeObjects();
_stubStorage.Setup(s => s.TryGetValueAsync <List <GrantedToken> >("granted_tokens")).Returns(Task.FromResult((List <GrantedToken>)null));
// ACT
var result = await _tokenStore.GetToken("scope", "clientid", null, null).ConfigureAwait(false);
// ASSERT
Assert.Null(result);
}
private void ResetPassword(IOwinContext context, Identification identification)
{
var form = context.Request.ReadFormAsync().Result;
var userName = form["username"];
var resetToken = form["reset-token"];
var newPassword = form["new-password"];
var failed = false;
if (resetToken == null)
{
SetOutcome(context, identification, "No password reset token provided");
failed = true;
}
else if (userName == null)
{
SetOutcome(context, identification, "No username provided");
failed = true;
}
else if (newPassword == null)
{
SetOutcome(context, identification, "No new password provided");
failed = true;
}
ICredential credential = null;
if (!failed)
{
credential = _identityStore.GetUsernameCredential(userName);
if (credential == null)
{
SetOutcome(context, identification, "Invalid username provided");
failed = true;
}
}
if (!failed)
{
var token = _tokenStore.GetToken("passwordReset", resetToken, "ResetPassword", userName);
if (token.Status == TokenStatus.Allowed)
{
try
{
if (_identityStore.ChangePassword(credential, form["new-password"]))
{
SetOutcome(context, identification, "Password succesfully reset");
identification.Identity = credential.Identity;
identification.Claims = _identityDirectory.GetClaims(credential.Identity);
context.Response.Cookies.Append(IdentityCookie, credential.Identity);
context.Response.Cookies.Delete(RememberMeCookie);
context.Response.Redirect(SecureHomePage);
}
else
{
SetOutcome(context, identification, "Password reset failed");
}
}
catch (InvalidPasswordException e)
{
SetOutcome(context, identification,
"Invalid password. " + e.Message
+ ". You will need to get a new password reset token to try again.");
}
}
else
{
SetOutcome(context, identification, "This password reset token has been used before");
}
}
GoHome(context, identification);
}