public override Task ValidateIdentity(OAuthValidateIdentityContext context)
{
bool validated = false;
base.ValidateIdentity(context);
ApplicationDbContext dbContext = context.OwinContext.Get <ApplicationDbContext>();
ApplicationUserManager userManager = context.OwinContext.GetUserManager <ApplicationUserManager>();
if (context.Ticket != null && context.Ticket.Identity != null)
{
if (context.Ticket.Identity.Claims.SingleOrDefault(c => c.Type == OAuthClientCredentialsGrantKey) != null)
{
Guid clientId = new Guid(context.Ticket.Identity.Name);
if (dbContext.OAuthClients.SingleOrDefault(oac => oac.ClientId == clientId && oac.Enabled == true) != null)
{
validated = true;
context.Validated();
}
}
else
{
Claim oauthSessionId = context.Ticket.Identity.Claims.SingleOrDefault(c => c.Type == OAuthSessionClaimKey);
if (oauthSessionId != null)
{
OAuthSession oauthSession = dbContext.OAuthSessions.SingleOrDefault(oas => oas.Id.ToString() == oauthSessionId.Value);
if (oauthSession != null)
{
validated = true;
context.Validated();
}
}
}
}
if (!validated)
{
context.SetError("Invalid Token", "The Access Token is invalid.");
context.Rejected();
}
return(Task.FromResult <object>(null));
}
/// <summary>
/// Handles validating the identity produced from an OAuth bearer token.
/// </summary>
/// <param name="context"></param>
/// <returns></returns>
public virtual Task ValidateIdentity(OAuthValidateIdentityContext context)
{
try
{
if (!context.Request.Headers.ContainsKey("Authorization"))
{
return(Task.FromResult <object>(null));
}
// Retrieve the JWT token in Authorization Header
var jwt = context.Request.Headers["Authorization"].Replace("Bearer ", string.Empty);
var handler = new JwtSecurityTokenHandler();
var token = new JwtSecurityToken(jwt);
var claimIdentity = new ClaimsIdentity(token.Claims, DefaultAuthenticationTypes.ExternalBearer);
var param = new TokenValidationParameters
{
ValidateAudience = true, // Make this false if token was generated without clientId
ValidAudience = "8ebd73587a354f948ec-93260410010c", //Replace with Client Id Registered on CRM. Token should have been fetched with the same clientId.
ValidateIssuer = true,
IssuerSigningKey = _signingKey,
IssuerValidator = (issuer, securityToken, parameters) =>
{
var allowed = GetAllowedPortal().Trim().ToLowerInvariant();
if (issuer.ToLowerInvariant().Equals(allowed))
{
return(issuer);
}
throw new Exception("Token Issuer is not a known Portal");
}
};
SecurityToken validatedToken = null;
handler.ValidateToken(token.RawData, param, out validatedToken);
var claimPrincipal = new ClaimsPrincipal(claimIdentity);
context.Response.Context.Authentication.User = claimPrincipal;
context.Validated(claimIdentity);
}
catch (Exception exception)
{
System.Diagnostics.Debug.WriteLine(exception);
return(null);
}
return(Task.FromResult <object>(null));
}
public override Task ValidateIdentity(OAuthValidateIdentityContext context)
{
var wispContext = context.GetWispContext();
wispContext.SetIdentity(context);
if (wispContext.CurrentUser == null || !wispContext.CurrentUser.Active)
{
throw new WispHttpException(System.Net.HttpStatusCode.Unauthorized);
}
context.Validated();
return(Task.FromResult(0));
}
public async Task ValidateIdentity(OAuthValidateIdentityContext context)
{
if (context == null)
{
throw new ArgumentNullException("context");
}
if (context.Ticket.Identity.Claims.Count() == 0)
{
context.Rejected();
}
else if (context.Ticket.Identity.Claims.All(c => c.Issuer == ClaimsIdentity.DefaultIssuer))
{
context.Rejected();
}
else
{
var accessToken = context.Ticket.Identity.FindFirst(Security.ClaimTypes.AccessToken);
if (accessToken != null && !string.IsNullOrEmpty(accessToken.Value))
{
try
{
var response = await "https://www.googleapis.com/oauth2/v3/tokeninfo"
.SetQueryParam("access_token", accessToken.Value)
.GetAsync();
if (!response.IsSuccessStatusCode)
{
context.Rejected();
}
else
{
context.Validated();
}
}
catch (FlurlHttpException ex)
{
context.Rejected();
}
}
else
{
context.Rejected();
}
}
}
public Task ValidateIdentity(OAuthValidateIdentityContext context)
{
if (!string.IsNullOrEmpty(token))
{
var tokenHandler = new JwtSecurityTokenHandler();
var validationParameters = new TokenValidationParameters()
{
ValidAudience = "all",
IssuerSigningToken = new BinarySecretSecurityToken(Convert.FromBase64String("KJiuweUH2234KJBJbkjk234234fgdfc56566")),
ValidIssuer = "http://vcdbpoc-staging.azurewebsites.net"
};
try
{
SecurityToken securityToken;
var claimsPrinciple = tokenHandler.ValidateToken(token, validationParameters, out securityToken);
context.Validated(new ClaimsIdentity(claimsPrinciple.Claims, OAuthDefaults.AuthenticationType));
return(Task.FromResult(0));
}
catch (Exception ex)
{
context.Rejected();
return(Task.FromResult(0));
}
//var notPadded = token.Split('.')[1];
//var padded = notPadded.PadRight(notPadded.Length + (4 - notPadded.Length % 4) % 4, '=');
//var urlUnescaped = padded.Replace('-', '+').Replace('_', '/');
//var claimsPart = Convert.FromBase64String(urlUnescaped);
//var obj = JObject.Parse(Encoding.UTF8.GetString(claimsPart, 0, claimsPart.Length));
//// simple, not handling specific types, arrays, etc.
//foreach (var prop in obj.Properties().AsJEnumerable())
//{
// if (!context.Ticket.Identity.HasClaim(prop.Name, prop.Value.Value<string>()))
// {
// context.Ticket.Identity.AddClaim(new Claim(prop.Name, prop.Value.Value<string>()));
// }
//}
}
context.Rejected();
return(Task.FromResult(0));
}
public Task ValidateIdentity(OAuthValidateIdentityContext context)
{
context.Rejected();
Guid userSessionToken;
if (JwtHelper.TryGetUserSessionToken(context.Ticket.Identity, out userSessionToken))
{
using (var container = UnityConfig.GetContainer().CreateChildContainer())
{
var userSessionBusinessLogic = (IUserSessionBusinessLogic)container.Resolve(typeof(IUserSessionBusinessLogic));
var isValid = userSessionBusinessLogic.GetIsUserSessionValid(userSessionToken);
if (isValid)
{
context.Validated();
}
}
}
return(Task.CompletedTask);
}
public override Task ValidateIdentity(OAuthValidateIdentityContext context)
{
if (context.Ticket.Properties.ExpiresUtc < DateTime.UtcNow)
{
context.SetError("invalid_grant", "Access Token has expired.");
context.Rejected();
return(ThreadingExtensions.NoResult);
}
var userId = context.Ticket.Identity.GetUserGuid();
var issuedGuid = context.Ticket.Properties
.GetIssuedGuid();
if (!_authKeyRepository.ValidateAuthKey(userId, issuedGuid))
{
context.SetError("invalid_token", "Access Token has not been properly set or has been invalidated.");
context.Rejected();
return(ThreadingExtensions.NoResult);
}
context.Validated();
return(ThreadingExtensions.NoResult);
}
public override async Task ValidateIdentity(OAuthValidateIdentityContext context)
{
var owinContext = context.OwinContext;
var ticket = context.Ticket;
var identity = ticket?.Identity;
if (identity == null || owinContext == null)
{
context.Rejected();
return;
}
var claimClientId = identity.FindFirst(IntersectClaimTypes.ClientId);
if (!Guid.TryParse(claimClientId?.Value, out var clientId))
{
context.SetError("invalid_token_client");
return;
}
var claimUserId = identity.FindFirst(IntersectClaimTypes.UserId);
if (!Guid.TryParse(claimUserId?.Value, out var userId))
{
context.SetError("invalid_token_user");
return;
}
var claimTicketId = identity.FindFirst(IntersectClaimTypes.TicketId);
if (!Guid.TryParse(claimTicketId?.Value, out var ticketId))
{
context.SetError("invalid_ticket_id");
return;
}
var refreshToken = RefreshToken.FindForTicket(ticketId);
if (refreshToken == null)
{
context.Rejected();
return;
}
if (ticket.Properties?.ExpiresUtc < DateTime.UtcNow)
{
context.SetError("access_token_expired");
return;
}
if (refreshToken.ClientId != clientId || refreshToken.UserId != userId)
{
RefreshToken.Remove(refreshToken.Id, true);
context.Rejected();
return;
}
owinContext.Set("refresh_token", refreshToken);
context.Validated();
}
public override Task ValidateIdentity(OAuthValidateIdentityContext context)
{
var authorizationBearerToken = context.Request.Headers["Authorization"];
if (string.IsNullOrWhiteSpace(authorizationBearerToken))
{
context.Rejected();
return(Task.FromResult(false));
}
else
{
var authorizationBearerTokenParts = authorizationBearerToken
.Split(' ');
var accessToken = authorizationBearerTokenParts
.LastOrDefault();
var claims = new List <Claim>();
StuntmanUser user = null;
if (authorizationBearerTokenParts.Count() != 2 ||
string.IsNullOrWhiteSpace(accessToken))
{
context.Response.StatusCode = 400;
context.Response.ReasonPhrase = "Authorization header is not in correct format.";
context.Rejected();
return(Task.FromResult(false));
}
else
{
user = options.Users
.Where(x => x.AccessToken == accessToken)
.FirstOrDefault();
if (user == null)
{
if (!options.AllowBearerTokenPassthrough)
{
context.Response.StatusCode = 403;
context.Response.ReasonPhrase =
$"options provided does not include the requested '{accessToken}' user.";
context.Rejected();
}
return(Task.FromResult(false));
}
else
{
claims.Add(new Claim("access_token", accessToken));
}
}
claims.Add(new Claim(ClaimTypes.Name, user.Name));
claims.AddRange(user.Claims);
var identity = new ClaimsIdentity(claims, Constants.StuntmanAuthenticationType, user.NameClaimType, user.RoleClaimType);
context.Validated(identity);
var authManager = context.OwinContext.Authentication;
authManager.SignIn(identity);
if (options.AfterBearerValidateIdentity != null)
{
options.AfterBearerValidateIdentity(context);
}
return(Task.FromResult(true));
}
}
protected override async Task <AuthenticationTicket> AuthenticateCoreAsync()
{
try
{
// Find token in default location
string requestToken = null;
string authorization = Request.Headers.Get("Authorization");
if (!string.IsNullOrEmpty(authorization))
{
if (authorization.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
{
requestToken = authorization.Substring("Bearer ".Length).Trim();
}
}
// Give application opportunity to find from a different location, adjust, or reject token
var requestTokenContext = new OAuthRequestTokenContext(Context, requestToken);
await Options.Provider.RequestToken(requestTokenContext);
// If no token found, no further work possible
if (string.IsNullOrEmpty(requestTokenContext.Token))
{
return(null);
}
// Call provider to process the token into data
var tokenReceiveContext = new AuthenticationTokenReceiveContext(
Context,
Options.AccessTokenFormat,
requestTokenContext.Token);
await Options.AccessTokenProvider.ReceiveAsync(tokenReceiveContext);
if (tokenReceiveContext.Ticket == null)
{
tokenReceiveContext.DeserializeTicket(tokenReceiveContext.Token);
}
AuthenticationTicket ticket = tokenReceiveContext.Ticket;
if (ticket == null)
{
_logger.WriteWarning("invalid bearer token received");
Context.Set("oauth.token_invalid", true);
return(null);
}
// Validate expiration time if present
DateTimeOffset currentUtc = Options.SystemClock.UtcNow;
if (ticket.Properties.ExpiresUtc.HasValue &&
ticket.Properties.ExpiresUtc.Value < currentUtc)
{
_logger.WriteWarning("expired bearer token received");
Context.Set("oauth.token_expired", true);
return(null);
}
// Give application final opportunity to override results
var context = new OAuthValidateIdentityContext(Context, Options, ticket);
if (ticket != null &&
ticket.Identity != null &&
ticket.Identity.IsAuthenticated)
{
// bearer token with identity starts validated
context.Validated();
}
if (Options.Provider != null)
{
await Options.Provider.ValidateIdentity(context);
}
if (!context.IsValidated)
{
return(null);
}
// resulting identity values go back to caller
return(context.Ticket);
}
catch (Exception ex)
{
_logger.WriteError("Authentication failed", ex);
return(null);
}
}
private static Task HandleOnValidateIdentity(OAuthValidateIdentityContext context)
{
context.Validated();
return(Task.CompletedTask);
}
public Task ValidateIdentity(OAuthValidateIdentityContext context)
{
context.Validated();
return(Task.FromResult(0));
}
