public async override Task AuthorizeEndpoint(OAuthAuthorizeEndpointContext context)
{
var formData = await context.Request.ReadFormAsync();
if (!formData.Any())
{
context.Response.RenderEmbeddedResource("WispCloud.Templates.Files.OAuth2AuthorizationForm.html");
context.RequestCompleted();
return;
}
var login = formData["login"];
var password = formData["password"];
var user = context.GetWispContext().Data.Accounts.FirstOrDefault(x => x.Login == login && x.Active);
Try.Condition(user != null && user.ComparePasword(password), "The user name or password is incorrect;");
var authentication = context.OwinContext.Authentication;
authentication.SignOut(DefaultAuthenticationTypes.ExternalCookie);
authentication.SignIn(GetBearerIdentity(user));
context.RequestCompleted();
return;
}
/// <summary>
///
/// </summary>
/// <returns></returns>
private void HandleImplicitGrant(OAuthAuthorizeEndpointContext context, OauClient client, string redirectUri)
{
var oAuthIdentity = new ClaimsIdentity("Bearer");
context.OwinContext.Authentication.SignIn(oAuthIdentity);
context.RequestCompleted();
}
/// <summary>
/// 生成授权码
/// 生成 authorization_code(authorization code 授权方式)、生成 access_token (implicit 授权模式)
/// </summary>
/// <param name="context"></param>
/// <returns></returns>
public override async Task AuthorizeEndpoint(OAuthAuthorizeEndpointContext context)
{
if (context.AuthorizeRequest.IsImplicitGrantType)
{
//implicit 授权方式(简化模式)
var identity = new ClaimsIdentity("Bearer");
context.OwinContext.Authentication.SignIn(identity);
context.RequestCompleted();
}
else if (context.AuthorizeRequest.IsAuthorizationCodeGrantType)
{
//authorization code 授权方式(授权码)
var redirectUri = context.Request.Query["redirect_uri"];
var clientId = context.Request.Query["client_id"];
var identity = new ClaimsIdentity(new GenericIdentity(clientId, OAuthDefaults.AuthenticationType));
var authorizeCodeContext = new AuthenticationTokenCreateContext(
context.OwinContext,
context.Options.AuthorizationCodeFormat,
new AuthenticationTicket(
identity,
new AuthenticationProperties(new Dictionary <string, string> {
{ "client_id", clientId },
{ "redirect_uri", redirectUri }
})
{
IssuedUtc = DateTimeOffset.UtcNow,
ExpiresUtc = DateTimeOffset.UtcNow.Add(context.Options.AuthorizationCodeExpireTimeSpan)
}));
await context.Options.AuthorizationCodeProvider.CreateAsync(authorizeCodeContext);
context.Response.Redirect(redirectUri + "?Code=" + Uri.EscapeDataString(authorizeCodeContext.Token));
context.RequestCompleted();
}
}
public override Task AuthorizeEndpoint(OAuthAuthorizeEndpointContext context)
{
context.RequestCompleted();
return(Task.FromResult(0));
//return base.AuthorizeEndpoint(context);
}
// /oauth/authorize
public override async Task AuthorizeEndpoint(OAuthAuthorizeEndpointContext context)
{
if (context.Request.User != null && context.Request.User.Identity.IsAuthenticated)
{
// si l'utilisateur est loggé,
// on crée un ticket d'authent, on crée un authorization code et on fait le redirect
var redirectUri = context.Request.Query["redirect_uri"];
var clientId = context.Request.Query["client_id"];
var authorizeCodeContext = new Microsoft.Owin.Security.Infrastructure.AuthenticationTokenCreateContext(context.OwinContext, context.Options.AuthorizationCodeFormat,
new Microsoft.Owin.Security.AuthenticationTicket((ClaimsIdentity)context.Request.User.Identity, new Microsoft.Owin.Security.AuthenticationProperties(new Dictionary <string, string>
{
{ "client_id", clientId },
{ "redirect_uri", redirectUri }
})
{
IssuedUtc = DateTimeOffset.UtcNow,
ExpiresUtc = DateTimeOffset.UtcNow.Add(context.Options.AuthorizationCodeExpireTimeSpan)
}));
await context.Options.AuthorizationCodeProvider.CreateAsync(authorizeCodeContext);
// clear cookies
var cookies = context.Request.Cookies.ToList();
foreach (var c in cookies)
{
context.Response.Cookies.Delete(c.Key, new Microsoft.Owin.CookieOptions());
}
context.Response.Redirect(redirectUri + "?code=" + Uri.EscapeDataString(authorizeCodeContext.Token));
}
else
{
// si on n'est pas loggé, on redirige vers la page de login
context.Response.Redirect("/account/login?returnUrl=" + Uri.EscapeDataString(context.Request.Uri.ToString()));
}
context.RequestCompleted();
}
/// <summary>
/// 第四步:完成认证,跳转到重定向URI
/// </summary>
/// <param name="context"></param>
/// <returns></returns>
public override async Task AuthorizeEndpoint(OAuthAuthorizeEndpointContext context)
{
var redirectUri = context.AuthorizeRequest.RedirectUri;
var clientId = context.AuthorizeRequest.ClientId;
var identity = new ClaimsIdentity(new GenericIdentity(clientId, OAuthDefaults.AuthenticationType));
var authorizeCodeContext = new AuthenticationTokenCreateContext(
context.OwinContext,
context.Options.AuthorizationCodeFormat,
new AuthenticationTicket(identity,
new AuthenticationProperties(new Dictionary <string, string>
{
{ "client_id", clientId },
{ "redirect_uri", redirectUri }
})
{
IssuedUtc = DateTimeOffset.UtcNow,
ExpiresUtc = DateTimeOffset.UtcNow.Add(context.Options.AuthorizationCodeExpireTimeSpan)
})
);
await context.Options.AuthorizationCodeProvider.CreateAsync(authorizeCodeContext);
//为了测试方便,直接打印出code
context.Response.Write(Uri.EscapeDataString(authorizeCodeContext.Token));
//正常使用时是把code加在重定向网址后面
//context.Response.Redirect(redirectUri + "?code=" + Uri.EscapeDataString(authorizeCodeContext.Token));
context.RequestCompleted();
}
public override Task AuthorizeEndpoint(OAuthAuthorizeEndpointContext context)
{
if (context.AuthorizeRequest.IsImplicitGrantType)
{
//implicit 授權方式
var identity = new ClaimsIdentity("Bearer");
context.OwinContext.Authentication.SignIn(identity);
context.RequestCompleted();
}
return(Task.FromResult <object>(null));
}
/// <summary>
/// Called at the final stage of an incoming Authorize endpoint request before the execution continues on to the web application component
/// responsible for producing the html response. Anything present in the OWIN pipeline following the Authorization Server may produce the
/// response for the Authorize page. If running on IIS any ASP.NET technology running on the server may produce the response for the
/// Authorize page. If the web application wishes to produce the response directly in the AuthorizeEndpoint call it may write to the
/// context.Response directly and should call context.RequestCompleted to stop other handlers from executing. If the web application wishes
/// to grant the authorization directly in the AuthorizeEndpoint call it cay call context.OwinContext.Authentication.SignIn with the
/// appropriate ClaimsIdentity and should call context.RequestCompleted to stop other handlers from executing.
/// </summary>
/// <param name="context">The context of the event carries information in and results out.</param>
/// <returns>Task to enable asynchronous execution</returns>
public override async Task AuthorizeEndpoint(OAuthAuthorizeEndpointContext context)
{
//string uri = context.Request.Uri.ToString();
//string rawJwt = await TryGetRawJwtTokenAsync(context);
//if (string.IsNullOrWhiteSpace(rawJwt))
//{
// context.OwinContext.Authentication.Challenge(new AuthenticationProperties { RedirectUri = uri });
// return;
//}
//var tokenValidator = new TokenValidator();
//ClaimsPrincipal principal = tokenValidator.Validate(rawJwt, _options.JwtOptions);
//if (!principal.Identity.IsAuthenticated)
//{
// Error(context, OAuthImplicitFlowError.AccessDenied, "unauthorized user, unauthenticated");
// return;
//}
//ClaimsIdentity claimsIdentity = await _options.TransformPrincipal(principal);
//if (!claimsIdentity.Claims.Any())
//{
// Error(context, OAuthImplicitFlowError.AccessDenied, "unauthorized user");
// return;
//}
//ConsentAnswer consentAnswer = await TryGetConsentAnswerAsync(context.Request);
//if (consentAnswer == ConsentAnswer.Rejected)
//{
// Error(context, OAuthImplicitFlowError.AccessDenied, "resource owner denied request");
// return;
//}
//if (consentAnswer == ConsentAnswer.Missing)
//{
// Error(context, OAuthImplicitFlowError.ServerError,
// "missing consent answer");
// return;
//}
//if (!(consentAnswer == ConsentAnswer.Accepted || consentAnswer == ConsentAnswer.Implicit))
//{
// Error(context, OAuthImplicitFlowError.ServerError,
// string.Format("invalid consent answer '{0}'", consentAnswer.Display));
// return;
//}
await base.AuthorizeEndpoint(context);
}
public override async Task AuthorizeEndpoint(OAuthAuthorizeEndpointContext context)
{
var authentication = context.OwinContext.Authentication;
var ticket = authentication.AuthenticateAsync("Application").Result;
ClaimsIdentity identity = ticket != null ? ticket.Identity : null;
if (identity == null)
{
authentication.Challenge("Application");
//return Task.FromResult(0);
}
if (context.AuthorizeRequest.IsImplicitGrantType)
{
var identity1 = new ClaimsIdentity(context.Options.AuthenticationType);
context.OwinContext.Authentication.SignIn(identity1);
context.RequestCompleted();
}
else if (context.AuthorizeRequest.IsAuthorizationCodeGrantType)
{
var redirectUri = context.Request.Query["redirect_uri"];
var clientId = context.Request.Query["client_id"];
var identity3 = new ClaimsIdentity(new GenericIdentity(
clientId, OAuthDefaults.AuthenticationType));
var authorizeCodeContext = new AuthenticationTokenCreateContext(
context.OwinContext,
context.Options.AuthorizationCodeFormat,
new AuthenticationTicket(
identity,
new AuthenticationProperties(new Dictionary <string, string>
{
{ "client_id", clientId },
{ "redirect_uri", redirectUri }
})
{
IssuedUtc = DateTimeOffset.UtcNow,
ExpiresUtc = DateTimeOffset.UtcNow.Add(context.Options.AuthorizationCodeExpireTimeSpan)
}));
await context.Options.AuthorizationCodeProvider.CreateAsync(authorizeCodeContext);
context.Response.Redirect(redirectUri + "?code=" + "Uri.EscapeDataString(authorizeCodeContext.Token)");
context.RequestCompleted();
}
//return Task.FromResult<object>(null);
}
/// <summary>
/// AuthorizationCode and ImplicitGrantType
/// </summary>
/// <param name="context"></param>
/// <returns></returns>
public override async Task AuthorizeEndpoint(OAuthAuthorizeEndpointContext context)
{
var owinContext = context.OwinContext;
context.OwinContext.Set(_asResponseType, context.AuthorizeRequest.ResponseType);
if (context.Request.User?.Identity != null && context.Request.User.Identity.IsAuthenticated)
{
var userService = EngineContext.Current.Resolve <UserService>();
var user = userService.GetUserByName((context.Request.User.Identity.Name));
if (user == null)
{
return;
}
var clientID = context.AuthorizeRequest.ClientId;
var isTemporaryAuthorization = TicketStore.Remove("TemporaryAuthorization" +
clientID
+ "$" + user.UserID.ToString());
//可信应用不需要用户授权
if (!isTemporaryAuthorization && !context.OwinContext.Get <App>(_asClientData).IsCredible)
{
return;
}
ClaimsIdentity oAuthIdentity = ClaimsIdentityCreate.GenerateUserIdentity(user, OAuthDefaults.AuthenticationType);
if (context.AuthorizeRequest.Scope.Any(t => t.Equals(_scopeAll, StringComparison.OrdinalIgnoreCase)))
{
oAuthIdentity.AddRole(RoleConfig.AppUserAllRole);
}
else
{
oAuthIdentity.AddRole(RoleConfig.AppUserBaseRole);
}
context.OwinContext.Set(_asClientID, clientID);
context.OwinContext.Set(_asUserID, user.UserID.ToString());
context.OwinContext.Set(_asUserName, user.Name);
AuthenticationProperties properties = CreateProperties(user.Name);
properties.RedirectUri = context.AuthorizeRequest.RedirectUri;
AuthenticationTicket ticket = new AuthenticationTicket(oAuthIdentity, properties);
owinContext.Authentication.SignIn(oAuthIdentity);
context.RequestCompleted();
}
await base.AuthorizeEndpoint(context);
}
/// <summary>
/// 生成 authorization_code(authorization code 授权方式)、生成 access_token (implicit 授权模式)
/// </summary>
public override async Task AuthorizeEndpoint(OAuthAuthorizeEndpointContext context)
{
if (context.AuthorizeRequest.IsImplicitGrantType)
{
//implicit 授权方式
var identity = new ClaimsIdentity("Bearer");
context.OwinContext.Authentication.SignIn(identity);
context.RequestCompleted();
}
else if (context.AuthorizeRequest.IsAuthorizationCodeGrantType)
{
//authorization code 授权方式
var state = context.Request.Query["state"] ?? string.Empty;
var redirectUri = context.Request.Query["redirect_uri"] ?? "/code";
var clientId = context.Request.Query["client_id"];
var identity = new ClaimsIdentity(new GenericIdentity(
clientId, OAuthDefaults.AuthenticationType));
var authorizeCodeContext = new AuthenticationTokenCreateContext(
context.OwinContext,
context.Options.AuthorizationCodeFormat,
new AuthenticationTicket(
identity,
new AuthenticationProperties(new Dictionary <string, string>
{
{ "client_id", clientId },
{ "redirect_uri", redirectUri }
})
{
IssuedUtc = DateTimeOffset.UtcNow,
ExpiresUtc = DateTimeOffset.UtcNow.Add(context.Options.AuthorizationCodeExpireTimeSpan)
}));
await context.Options.AuthorizationCodeProvider.CreateAsync(authorizeCodeContext);
var url = redirectUri + "?code=" + authorizeCodeContext.Token;
if (!string.IsNullOrWhiteSpace(state))
{
url += $"&state={state}";
}
context.Response.Redirect(url);
context.RequestCompleted();
}
}
public override async Task AuthorizeEndpoint(OAuthAuthorizeEndpointContext context)
{
if (context.AuthorizeRequest.IsAuthorizationCodeGrantType)
{
if (!HttpContext.Current.Request.IsAuthenticated)
{
context.OwinContext.Authentication.Challenge(DefaultAuthenticationTypes.ApplicationCookie);
}
else
{
var redirectUri = context.AuthorizeRequest.RedirectUri;
var clientId = context.AuthorizeRequest.ClientId;
var state = context.AuthorizeRequest.State;
var sb = new StringBuilder();
foreach (var scope in context.AuthorizeRequest.Scope)
{
sb.Append($"{scope},");
}
var scopes = sb.ToString().Trim(',');
var identity = context.Request.User.Identity as ClaimsIdentity;
var client = await _clientManager.FindClientByIdAsync(clientId).ConfigureAwait(false);
var authorisationCodeContext = new AuthenticationTokenCreateContext(context.OwinContext, context.Options.AuthorizationCodeFormat,
new AuthenticationTicket(identity,
new AuthenticationProperties(new Dictionary <string, string>
{
{ "client_id", clientId },
{ "redirect_uri", redirectUri },
{ "response_type", context.AuthorizeRequest.ResponseType },
{ "state", state },
{ "user_id", identity.GetUserId() },
{ "scopes", scopes }
})
{
IssuedUtc = DateTimeOffset.Now,
ExpiresUtc = DateTimeOffset.Now.Add(context.Options.AuthorizationCodeExpireTimeSpan)
}));
await context.Options.AuthorizationCodeProvider.CreateAsync(authorisationCodeContext);
AuthenticateClient(context.OwinContext, identity, client);
}
}
}
/// <summary>
///
/// </summary>
/// <param name="context"></param>
/// <param name="client"></param>
/// <param name="redirectUri"></param>
/// <returns></returns>
private async Task HandleAuthorizationCodeGrant(OAuthAuthorizeEndpointContext context
, OauClient client, string redirectUri)
{
#region Settin Token
context.OwinContext.Set(OAuthKeys.ClientId, client.AppId);
context.OwinContext.Set(OAuthKeys.Prefix + "client_secret", client.AppSecret);
var oAuthIdentity = new ClaimsIdentity(context.Options.AuthenticationType);
oAuthIdentity.AddClaim(new Claim(ClaimTypes.Name, Guid.NewGuid().ToString("n")));
var oauthProps = new AuthenticationProperties(new Dictionary <string, string>
{
{
OAuthKeys.AuthPropClientId, client.AppId
}
})
{
// Gets or sets the time at which the authentication ticket was issued.
IssuedUtc = DateTime.UtcNow,
// Gets or sets the time at which the authentication ticket expires.
ExpiresUtc = DateTime.UtcNow.AddMinutes(client.RefreshTokenLifeTime),
// Gets or sets the full path or absolute URI to be used as an http redirect response
RedirectUri = redirectUri
};
//替换此上下文中的票据信息,并将其标记为已验证
var ticket = new AuthenticationTicket(oAuthIdentity, oauthProps);
var authorizeCodeContext = new AuthenticationTokenCreateContext(
context.OwinContext,
context.Options.AuthorizationCodeFormat,
ticket);
await context.Options.AuthorizationCodeProvider.CreateAsync(authorizeCodeContext);
#endregion Setting Token
string token = authorizeCodeContext.Token ?? string.Empty; //由于获取的token与设置的token不一致
//string token = authorizeCodeContext.OwinContext.Get<string>(OAuthKeys.AuthorizeCodeToken) ?? string.Empty;
var url = redirectUri + "?code=" + Uri.EscapeDataString(token);
logger.Debug("AuthorizeEndpoint,authorization_code,url:" + url);
context.Response.Redirect(url);
context.RequestCompleted();
}
async Task <string> TryGetRawJwtTokenAsync(OAuthAuthorizeEndpointContext context)
{
string jwt;
if (context.Request.IsPost())
{
IFormCollection formCollection = await context.Request.ReadFormAsync();
jwt = formCollection.Get(_options.JwtOptions.JwtTokenParameterName);
}
else if (context.Request.IsGet())
{
jwt = context.Request.Query.Get(_options.JwtOptions.JwtTokenParameterName);
}
else
{
jwt = "";
}
return(jwt);
}
private async Task AuthEndPoint(OAuthAuthorizeEndpointContext context)
{
var authentication = context.OwinContext.Authentication;
var userManager = context.OwinContext.GetUserManager <ApplicationUserManager>();
//if (authentication.AuthenticateAsync(DefaultAuthenticationTypes.ApplicationCookie).Result?.Identity == null)
if (!context.Request.User.Identity.IsAuthenticated)
{
authentication.Challenge(DefaultAuthenticationTypes.ApplicationCookie);
context.RequestCompleted();
return;
}
//Since we also do OAuth, we have to sign in the OAuth Identification Type as well
var user = userManager.FindByName(context.Request.User?.Identity?.Name);
ClaimsIdentity oAuthIdentity = await userManager.CreateIdentityAsync(user, OAuthDefaults.AuthenticationType);
authentication.SignIn(oAuthIdentity);
context.RequestCompleted();
return;
}
/// <summary>
/// 生成 authorization_code(authorization code 授权方式)、生成 access_token (implicit 授权模式)
/// </summary>
public override async Task AuthorizeEndpoint(OAuthAuthorizeEndpointContext context)
{
string redirectUri = string.Empty, clientId = string.Empty, clientSecret = string.Empty;
IFormCollection formColls = await context.Request.ReadFormAsync();
//form类型的参数
if (formColls != null && formColls.Count() > 0)
{
redirectUri = formColls["redirect_uri"];
clientId = formColls["client_id"];
clientSecret = formColls["client_secret"];
}
else
{
//url类型的参数
redirectUri = context.Request.Query["redirect_uri"];
clientId = context.Request.Query["client_id"];
clientSecret = context.Request.Query["client_secret"];
}
OauClient client = Clients.ApiClients.FirstOrDefault(a => a.AppId == clientId && a.AppSecret == clientSecret);
if (context.AuthorizeRequest.IsImplicitGrantType)
{
logger.Debug("AuthorizeEndpoint,implicit");
//implicit 授权方式
HandleImplicitGrant(context, client, redirectUri);
}
else if (context.AuthorizeRequest.IsAuthorizationCodeGrantType)
{
//authorization code 授权方式
if (client != null)
{
await HandleAuthorizationCodeGrant(context, client, redirectUri);
}
}
}
void Error(OAuthAuthorizeEndpointContext context, OAuthImplicitFlowError error, string errorDescription)
{
var builder = new UriBuilder(context.AuthorizeRequest.RedirectUri);
var fragmentBuilder = new StringBuilder();
fragmentBuilder.AppendFormat("error={0}", Uri.EscapeDataString(error.InvariantName));
if (!string.IsNullOrWhiteSpace(errorDescription))
{
fragmentBuilder.AppendFormat("&error_description={0}", Uri.EscapeDataString(errorDescription));
}
if (!string.IsNullOrWhiteSpace(context.AuthorizeRequest.State))
{
fragmentBuilder.AppendFormat("&state={0}", Uri.EscapeDataString(context.AuthorizeRequest.State));
}
builder.Fragment = fragmentBuilder.ToString();
string redirectUriWithFragments = builder.Uri.ToString();
context.Response.Redirect(redirectUriWithFragments);
context.RequestCompleted();
}
/// <summary>
/// 生成 authorization_code(authorization code 授权方式)、生成 access_token (implicit 授权模式)
/// </summary>
public override async Task AuthorizeEndpoint(OAuthAuthorizeEndpointContext context)
{
if (context.AuthorizeRequest.IsImplicitGrantType)
{
//implicit 授权方式
var identity = new ClaimsIdentity("Bearer");
context.OwinContext.Authentication.SignIn(identity);
context.RequestCompleted();
}
else if (context.AuthorizeRequest.IsAuthorizationCodeGrantType)
{
//authorization code 授权方式
var redirectUri = context.Request.Query["redirect_uri"];
var clientId = context.Request.Query["client_id"];
string hostId = context.Request.Query["hostId"] + "";
/*
* 这儿添加了对应的账号密码,sessionId等信息,额外保存起来.
* 其他传递的参数自行处理
*/
string account = context.Request.Query["account"] + "";
string pwd = context.Request.Query["pwd"] + "";
string sessionId = context.Request.Query["sessionId"] + "";
var identity = new ClaimsIdentity(new GenericIdentity(
clientId, OAuthDefaults.AuthenticationType));
var authorizeCodeContext = new AuthenticationTokenCreateContext(
context.OwinContext,
context.Options.AuthorizationCodeFormat,
new AuthenticationTicket(
identity,
new AuthenticationProperties(new Dictionary <string, string>
{
{ "client_id", clientId },
{ "redirect_uri", redirectUri }
})
{
IssuedUtc = DateTimeOffset.UtcNow,
ExpiresUtc = DateTimeOffset.UtcNow.Add(context.Options.AuthorizationCodeExpireTimeSpan)
}));
await context.Options.AuthorizationCodeProvider.CreateAsync(authorizeCodeContext);
var ResUrl = redirectUri;
if (redirectUri.Contains("?"))
{
ResUrl += "&code=" + Uri.EscapeDataString(authorizeCodeContext.Token);
}
else
{
ResUrl += "?code=" + Uri.EscapeDataString(authorizeCodeContext.Token);
}
string code = authorizeCodeContext.Token;
CacheData.SetFirstAuthCache(code, new Models.FirstAuthCacheModel()
{
AccountId = account,
ClientId = clientId,
Password = pwd,
SessionId = sessionId,
SessionCacheTime = DateTime.Now,
HostId = hostId
});
context.Response.Redirect(ResUrl);
context.RequestCompleted();
}
}
/// <summary>
/// 3
/// </summary>
/// <param name="context"></param>
/// <returns></returns>
public override Task AuthorizeEndpoint(OAuthAuthorizeEndpointContext context)
{
return(base.AuthorizeEndpoint(context));
//这一步后去生成授权码,并作缓存
}
public Task AuthorizeEndpoint(OAuthAuthorizeEndpointContext context)
{
throw new NotImplementedException();
}
public override async Task AuthorizeEndpoint(OAuthAuthorizeEndpointContext context)
{
string uri = context.Request.Uri.ToString();
}
public override async Task AuthorizeEndpoint(OAuthAuthorizeEndpointContext context)
{
string uri = context.Request.Uri.ToString();
if (string.IsNullOrWhiteSpace(_options.JwtOptions.SupportedScope))
{
Error(context, OAuthImplicitFlowError.ServerError, "no supported scope defined");
return;
}
if (!HasSupportedScope(context, _options.JwtOptions.SupportedScope))
{
string errorDescription = string.Format("only {0} scope is supported",
_options.JwtOptions.SupportedScope);
Error(context, OAuthImplicitFlowError.Scope, errorDescription);
return;
}
string rawJwt = await TryGetRawJwtTokenAsync(context);
if (string.IsNullOrWhiteSpace(rawJwt))
{
context.OwinContext.Authentication.Challenge(new AuthenticationProperties {
RedirectUri = uri
});
return;
}
var tokenValidator = new TokenValidator();
ClaimsPrincipal principal = tokenValidator.Validate(rawJwt, _options.JwtOptions);
if (!principal.Identity.IsAuthenticated)
{
Error(context, OAuthImplicitFlowError.AccessDenied, "unauthorized user, unauthenticated");
return;
}
ClaimsIdentity claimsIdentity = await _options.TransformPrincipal(principal);
if (!claimsIdentity.Claims.Any())
{
Error(context, OAuthImplicitFlowError.AccessDenied, "unauthorized user");
return;
}
ConsentAnswer consentAnswer = await TryGetConsentAnswerAsync(context.Request);
if (consentAnswer == ConsentAnswer.Rejected)
{
Error(context, OAuthImplicitFlowError.AccessDenied, "resource owner denied request");
return;
}
if (consentAnswer == ConsentAnswer.Missing)
{
Error(context, OAuthImplicitFlowError.ServerError,
"missing consent answer");
return;
}
if (!(consentAnswer == ConsentAnswer.Accepted || consentAnswer == ConsentAnswer.Implicit))
{
Error(context, OAuthImplicitFlowError.ServerError,
string.Format("invalid consent answer '{0}'", consentAnswer.Display));
return;
}
string appJwtTokenAsBase64 =
JwtTokenHelper.CreateSecurityTokenDescriptor(claimsIdentity.Claims, _options.JwtOptions)
.CreateTokenAsBase64();
var builder = new UriBuilder(context.AuthorizeRequest.RedirectUri);
const string tokenType = "bearer";
var fragmentStringBuilder = new StringBuilder();
fragmentStringBuilder.AppendFormat("access_token={0}&token_type={1}&state={2}&scope={3}",
Uri.EscapeDataString(appJwtTokenAsBase64), Uri.EscapeDataString(tokenType),
Uri.EscapeDataString(context.AuthorizeRequest.State ?? ""),
Uri.EscapeDataString(_options.JwtOptions.SupportedScope));
if (consentAnswer == ConsentAnswer.Implicit)
{
fragmentStringBuilder.AppendFormat("&consent_type={0}", Uri.EscapeDataString(consentAnswer.Invariant));
}
builder.Fragment = fragmentStringBuilder.ToString();
string redirectUri = builder.Uri.ToString();
context.Response.Redirect(redirectUri);
context.RequestCompleted();
}
bool HasSupportedScope(OAuthAuthorizeEndpointContext context, string supportedScope)
{
return(!context.AuthorizeRequest.Scope.Any() ||
context.AuthorizeRequest.Scope.Any(scope => scope.Equals(supportedScope)));
}
private async Task AuthorizeEndpoint(OAuthAuthorizeEndpointContext context)
{
await Task.FromResult(0);
}
public override Task AuthorizeEndpoint(OAuthAuthorizeEndpointContext context)
{
public override Task AuthorizeEndpoint(OAuthAuthorizeEndpointContext context)
{
return(base.AuthorizeEndpoint(context));
}
/**
*
* 第一次请求授权服务(获取 authorization_code),请求地址/authorize
* 需要的参数:
* grant_type:必选,授权模式,值为 "authorization_code"。
* response_type:必选,授权类型,值固定为 "code"。
* client_id:必选,客户端 ID。
* redirect_uri:必选,重定向 URI,URL 中会包含 authorization_code。 (关联到client 配置到数据库中)
* scope:可选,申请的权限范围,比如微博授权服务值为 follow_app_official_microblog。
* state:可选,客户端的当前状态,可以指定任意值,授权服务器会原封不动地返回这个值,比如微博授权服务值为 weibo。
*
* 第二次请求授权服务(获取 access_token),需要的参数:
* grant_type:必选,授权模式,值为 "authorization_code"。
* code:必选,授权码,值为上面请求返回的 authorization_code。
* redirect_uri:必选,重定向 URI,必须和上面请求的 redirect_uri 值一样。
* client_id:必选,客户端 ID。
*
* 第二次请求授权服务(获取 access_token),返回的参数:
* access_token:访问令牌.
* token_type:令牌类型,值一般为 "bearer"。
* expires_in:过期时间,单位为秒。
* refresh_token:更新令牌,用来获取下一次的访问令牌。
* scope:权限范围。
*
**/
/// <summary>
/// 生成code
/// 此处只处理登录授权
/// </summary>
public override async Task AuthorizeEndpoint(OAuthAuthorizeEndpointContext context)
{
await base.AuthorizeEndpoint(context);
}
