protected virtual void AnalyzeOperationContext(RequestDetails details) { // determine if this is a WCF call if (OperationContext.Current != null) { details.IsActive = true; Tracing.Information("Active request"); } else { Tracing.Information("Passive request"); } }
public SamlTokenServiceConfiguration(string issuerName) { Tracing.Information("Configuring token service"); Container.Current.SatisfyImportsOnce(this); SecurityTokenService = typeof(SamlTokenService); DefaultTokenLifetime = TimeSpan.FromHours(ConfigurationRepository.Global.DefaultTokenLifetime); MaximumTokenLifetime = TimeSpan.FromDays(ConfigurationRepository.Global.MaximumTokenLifetime); DefaultTokenType = ConfigurationRepository.Global.DefaultWSTokenType; TokenIssuerName = issuerName; SigningCredentials = new X509SigningCredentials(ConfigurationRepository.Keys.SigningCertificate); }
protected virtual void AnalyzeTokenType(RequestSecurityToken rst, RequestDetails details) { if (string.IsNullOrWhiteSpace(rst.TokenType)) { details.TokenType = _configuration.Global.DefaultWSTokenType; Tracing.Information("Token Type: not specified, falling back to default token type"); } else { Tracing.Information("Token Type: " + rst.TokenType); details.TokenType = rst.TokenType; } }
private HttpResponseMessage ProcessRefreshTokenRequest(ValidatedRequest validatedRequest) { Tracing.Information("Processing refresh token request"); var tokenService = new OidcTokenService( ServerConfiguration.Global.IssuerUri, ServerConfiguration.Keys.SigningCertificate); var response = tokenService.CreateTokenResponse(validatedRequest.Grant, validatedRequest.Client.AccessTokenLifetime); response.RefreshToken = validatedRequest.Grant.GrantId; return(Request.CreateTokenResponse(response)); }
public virtual void SignIn(User user, bool isPersistant = false) { Tracing.Information(String.Format("[ClaimsBasedAuthenticationService.Signin] called: {0}", user.Username)); if (String.IsNullOrWhiteSpace(user.Username)) { throw new ArgumentException("username"); } // gather claims var claims = new List <Claim>(); foreach (UserClaim uc in user.Claims) { claims.Add(new Claim(uc.Type, uc.Value)); } if (!String.IsNullOrWhiteSpace(user.Email)) { claims.Insert(0, new Claim(ClaimTypes.Email, user.Email)); } claims.Insert(0, new Claim(ClaimTypes.AuthenticationMethod, AuthenticationMethods.Password)); claims.Insert(0, new Claim(ClaimTypes.AuthenticationInstant, DateTime.UtcNow.ToString("s"))); claims.Insert(0, new Claim(ClaimTypes.Name, user.Username)); claims.Insert(0, new Claim(ClaimTypes.NameIdentifier, user.Username)); // create principal/identity var id = new ClaimsIdentity(claims, "Forms"); var cp = new ClaimsPrincipal(id); // claims transform cp = FederatedAuthentication.FederationConfiguration.IdentityConfiguration.ClaimsAuthenticationManager.Authenticate(String.Empty, cp); // issue cookie var sam = FederatedAuthentication.SessionAuthenticationModule; if (sam == null) { throw new Exception("SessionAuthenticationModule is not configured and it needs to be."); } var token = new SessionSecurityToken(cp, isPersistant ? FormsAuthentication.Timeout : TimeSpan.FromMinutes(SessionHelpers.GetSessionTimeoutInMinutes)) { IsPersistent = isPersistant }; sam.WriteSessionTokenToCookie(token); Tracing.Verbose(String.Format("[ClaimsBasedAuthenticationService.Signin] cookie issued: {0}", claims.GetValue(ClaimTypes.NameIdentifier))); }
protected override RequestSecurityTokenResponse GetResponse(RequestSecurityToken request, SecurityTokenDescriptor tokenDescriptor) { var response = base.GetResponse(request, tokenDescriptor); if (ConfigurationRepository.Diagnostics.EnableFederationMessageTracing) { Tracing.Information(SerializeRequest(request)); Tracing.Information(SerializeResponse(response)); Tracing.Information(SerializeToken(tokenDescriptor)); } return(response); }
public HttpResponseMessage Post(TokenRequest tokenRequest) { Tracing.Information("OAuth2 endpoint called."); Client client = null; if (!ValidateClient(out client)) { Tracing.Error("Invalid client: " + ClaimsPrincipal.Current.Identity.Name); return(OAuthErrorResponseMessage(OAuth2Constants.Errors.InvalidClient)); } Tracing.Information("Client: " + client.Name); var tokenType = ConfigurationRepository.Global.DefaultHttpTokenType; // validate scope EndpointReference appliesTo; try { appliesTo = new EndpointReference(tokenRequest.Scope); Tracing.Information("OAuth2 endpoint called for scope: " + tokenRequest.Scope); } catch { Tracing.Error("Malformed scope: " + tokenRequest.Scope); return(OAuthErrorResponseMessage(OAuth2Constants.Errors.InvalidScope)); } // check grant type if (string.Equals(tokenRequest.Grant_Type, OAuth2Constants.GrantTypes.Password, System.StringComparison.Ordinal)) { if (ConfigurationRepository.OAuth2.EnableResourceOwnerFlow) { if (client.AllowResourceOwnerFlow) { return(ProcessResourceOwnerCredentialRequest(tokenRequest.UserName, tokenRequest.Password, appliesTo, tokenType, client)); } else { Tracing.Error("Client is not allowed to use the resource owner password flow:" + client.Name); } } } Tracing.Error("invalid grant type: " + tokenRequest.Grant_Type); return(OAuthErrorResponseMessage(OAuth2Constants.Errors.UnsupportedGrantType)); }
public ActionResult Issue(string realm, string tokenType) { Tracing.Verbose("JSNotify endpoint called."); if (!ConfigurationRepository.Endpoints.JSNotify) { Tracing.Warning("JSNotify endpoint called, but disabled in configuration"); return(new HttpNotFoundResult()); } Tracing.Information("JSNotify endpoint called for realm: " + realm); if (tokenType == null) { tokenType = SimpleWebToken.OasisTokenProfile; } Tracing.Information("Token type: " + tokenType); Uri uri; if (!Uri.TryCreate(realm, UriKind.Absolute, out uri)) { Tracing.Error("Realm parameter is malformed."); return(new HttpStatusCodeResult(400)); } var endpoint = new EndpointAddress(uri); var auth = new AuthenticationHelper(); TokenResponse response; if (auth.TryIssueToken(endpoint, Thread.CurrentPrincipal as IClaimsPrincipal, tokenType, out response)) { var jsresponse = new AccessTokenResponse { AccessToken = response.TokenString, TokenType = response.TokenType, ExpiresIn = ConfigurationRepository.Configuration.DefaultTokenLifetime * 60 }; Tracing.Information("JSNotify issue successful for user: " + User.Identity.Name); return(new JSNotifyResult(jsresponse)); } else { return(new HttpStatusCodeResult(400)); } }
public virtual void SignOut() { Tracing.Information(String.Format("[ClaimsBasedAuthenticationService.SignOut] called: {0}", ClaimsPrincipal.Current.Claims.GetValue(ClaimTypes.NameIdentifier))); // clear cookie var sam = FederatedAuthentication.SessionAuthenticationModule; if (sam == null) { Tracing.Verbose("[ClaimsBasedAuthenticationService.Signout] SessionAuthenticationModule is not configured"); throw new Exception("SessionAuthenticationModule is not configured and it needs to be."); } sam.SignOut(); }
protected virtual void AnalyzeEncryption(RequestDetails details) { if (details.EncryptingCertificate == null) { X509Certificate2 requestCertificate; if (TryGetEncryptionCertificateFromRequest(details.Realm, out requestCertificate)) { details.EncryptingCertificate = requestCertificate; Tracing.Information("Encrypting certificate set from RST"); } } details.UsesEncryption = (details.EncryptingCertificate != null); Tracing.Information("Token encryption: " + details.UsesEncryption); }
public ActionResult HandleRequest(AuthorizeRequest request) { Tracing.Information("OAuth2 HandleRequest endpoint invoked"); // check client Client client; var error = CheckRequest(request, out client); if (error != null) { return(error); } RelyingParty rp; if (!RPRepository.TryGet(request.scope, out rp)) { Tracing.Error("RP not found for scope : " + request.scope); return(ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidScope, request.response_type, request.state)); } if (Configuration.OAuth2.EnableConsent) { // show resource name, uri and client name // client is trying to access resource on your behalf var vm = new OAuth2ConsentViewModel { ResourceUri = rp.Realm.AbsoluteUri, ResourceName = rp.Name, ClientName = client.ClientId, RefreshTokenEnabled = client.AllowRefreshToken }; return(View("ShowConsent", vm)); } else { var grantResult = PerformGrant(request, client); if (grantResult != null) { return(grantResult); } } // we don't know exactly why, so use ServerError Tracing.Error("Authorization Endpoint failed"); return(ClientError(client.RedirectUri, OAuth2Constants.Errors.ServerError, request.response_type, request.state)); }
public HttpResponseMessage Get(HttpRequestMessage request) { Tracing.Information("Simple HTTP endpoint called."); var query = request.GetQueryNameValuePairs(); var auth = new AuthenticationHelper(); var realm = query.FirstOrDefault(p => p.Key.Equals("realm", System.StringComparison.OrdinalIgnoreCase)).Value; var tokenType = query.FirstOrDefault(p => p.Key.Equals("tokenType", System.StringComparison.OrdinalIgnoreCase)).Value; if (string.IsNullOrWhiteSpace(realm)) { return(request.CreateErrorResponse(HttpStatusCode.BadRequest, "realm parameter is missing.")); } EndpointReference appliesTo; try { appliesTo = new EndpointReference(realm); Tracing.Information("Simple HTTP endpoint called for realm: " + realm); } catch { Tracing.Error("Malformed realm: " + realm); return(request.CreateErrorResponse(HttpStatusCode.BadRequest, "malformed realm name.")); } if (string.IsNullOrWhiteSpace(tokenType)) { tokenType = ConfigurationRepository.Global.DefaultHttpTokenType; } Tracing.Verbose("Token type: " + tokenType); TokenResponse tokenResponse; var sts = new STS(); if (sts.TryIssueToken(appliesTo, ClaimsPrincipal.Current, tokenType, out tokenResponse)) { var resp = request.CreateResponse <TokenResponse>(HttpStatusCode.OK, tokenResponse); return(resp); } else { return(request.CreateErrorResponse(HttpStatusCode.BadRequest, "invalid request.")); } }
private bool IsMacValid() { byte[] data = this.normalizedRequest.ToBytes(); // data, at this point has the hash coming in over the wire and hence mac computed is // based on the hash over the wire and not over the computed hash bool isMacValid = this.hasher.IsValidMac(data, credential.Key, artifacts.Mac); if (!isMacValid) { Tracing.Information( String.Format("Invalid Mac {0} for data {1}", artifacts.Mac.ToBase64String(), Encoding.UTF8.GetString(data))); } return(isMacValid); }
private HttpResponseMessage ProcessResourceOwnerCredentialRequest(string userName, string password, EndpointReference appliesTo, string tokenType, Client client) { Tracing.Information("Starting resource owner password credential flow for client: " + client.Name); if (string.IsNullOrWhiteSpace(userName) || string.IsNullOrWhiteSpace(password)) { Tracing.Error("Invalid resource owner credentials for: " + appliesTo.Uri.AbsoluteUri); return(OAuthErrorResponseMessage(OAuth2Constants.Errors.InvalidGrant)); } var auth = new AuthenticationHelper(); ClaimsPrincipal principal; if (UserRepository.ValidateUser(userName, password)) { principal = auth.CreatePrincipal(userName, "OAuth2", new Claim[] { new Claim(Constants.Claims.Client, client.Name), new Claim(Constants.Claims.Scope, appliesTo.Uri.AbsoluteUri) }); if (!ClaimsAuthorization.CheckAccess(principal, Constants.Actions.Issue, Constants.Resources.OAuth2)) { Tracing.Error("OAuth2 endpoint authorization failed for user: "******"Resource owner credential validation failed: " + userName); return(OAuthErrorResponseMessage(OAuth2Constants.Errors.InvalidGrant)); } var sts = new STS(); TokenResponse tokenResponse; if (sts.TryIssueToken(appliesTo, principal, tokenType, out tokenResponse)) { var resp = Request.CreateResponse <TokenResponse>(HttpStatusCode.OK, tokenResponse); return(resp); } else { return(OAuthErrorResponseMessage(OAuth2Constants.Errors.InvalidRequest)); } }
private async Task <bool> IsHashValidAsync(HttpContent payload) { var normalizedPayload = new NormalizedPayload(payload); byte[] data = await normalizedPayload.ToBytesAsync(); bool isHashValid = this.hasher.IsValidHash(data, artifacts.PayloadHash); if (!isHashValid) { Tracing.Information( String.Format("Invalid payload hash {0} for data {1}", artifacts.PayloadHash.ToBase64String(), Encoding.UTF8.GetString(data))); } return(isHashValid); }
/// <summary> /// Returns true if the timestamp sent in by the client is fresh subject to the /// maximum allowed skew and the adjustment offset. /// </summary> private static bool IsTimestampFresh(ulong now, ArtifactsContainer artifacts, Options options) { now = now + Convert.ToUInt64(options.LocalTimeOffsetMillis); ulong shelfLife = (Convert.ToUInt64(options.ClockSkewSeconds) * 1000); var age = Math.Abs((artifacts.Timestamp * 1000.0) - now); bool isFresh = (age <= shelfLife); if (!isFresh) { Tracing.Information( String.Format("Stale Timestamp: Age {0} is more than shelf life of {1}", age, shelfLife)); } return(isFresh); }
public ClaimsPrincipal Validate(string userName, string password) { var binding = new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential); var credentials = new ClientCredentials(); credentials.UserName.UserName = userName; credentials.UserName.Password = password; GenericXmlSecurityToken genericToken; try { genericToken = WSTrustClient.Issue( new EndpointAddress(_address), new EndpointAddress(_realm), binding, credentials) as GenericXmlSecurityToken; } catch (MessageSecurityException ex) { Tracing.Error("WSTrustResourceOwnerCredentialValidation failed: " + ex.ToString()); return(null); } var config = new SecurityTokenHandlerConfiguration(); config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(_realm)); config.CertificateValidationMode = X509CertificateValidationMode.None; config.CertificateValidator = X509CertificateValidator.None; var registry = new ConfigurationBasedIssuerNameRegistry(); registry.AddTrustedIssuer(_issuerThumbprint, _address); config.IssuerNameRegistry = registry; var handler = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(config); ClaimsPrincipal principal; var token = genericToken.ToSecurityToken(); principal = new ClaimsPrincipal(handler.ValidateToken(token)); Tracing.Information("Successfully requested token for user via WS-Trust"); return(FederatedAuthentication.FederationConfiguration.IdentityConfiguration.ClaimsAuthenticationManager.Authenticate("ResourceOwnerPasswordValidation", principal)); }
public override ReadOnlyCollection <ClaimsIdentity> ValidateToken(SecurityToken token) { this.Configuration.IssuerNameRegistry = new ClientCertificateIssuerNameRegistry(); Tracing.Information("Beginning client certificate token validation and authentication for SOAP"); Container.Current.SatisfyImportsOnce(this); // call base class implementation for validation and claims generation var identity = base.ValidateToken(token).First(); // retrieve thumbprint var clientCert = ((X509SecurityToken)token).Certificate; Tracing.Information(String.Format("Client certificate thumbprint: {0}", clientCert.Thumbprint)); // check if mapped user exists string userName; if (!UserRepository.ValidateUser(clientCert, out userName)) { var message = String.Format("No mapped user exists for thumbprint {0}", clientCert.Thumbprint); Tracing.Error(message); throw new SecurityTokenValidationException(message); } Tracing.Information(String.Format("Mapped user found: {0}", userName)); // retrieve issuer name var issuer = identity.Claims.First().Issuer; Tracing.Information(String.Format("Certificate issuer: {0}", issuer)); // create new ClaimsIdentity for the STS issuance logic var claims = new List <Claim> { new Claim(ClaimTypes.Name, userName), new Claim(ClaimTypes.AuthenticationMethod, AuthenticationMethods.X509), new Claim(ClaimTypes.AuthenticationInstant, identity.FindFirst(ClaimTypes.AuthenticationInstant).Value) }; var id = new ClaimsIdentity(claims, "Client Certificate"); return(new List <ClaimsIdentity> { id }.AsReadOnly()); }
public void Validate(RequestDetails details) { if (details == null) { throw new ArgumentNullException("details"); } Tracing.Information("Starting policy validation"); ValidateKnownRealm(details); ValidateRelyingParty(details); ValidateReplyTo(details); ValidateEncryption(details); ValidateDelegation(details); Tracing.Information("Policy Validation succeeded"); }
private bool IsHashValid(string body, string contentType) { var normalizedPayload = new NormalizedPayload(body, contentType); byte[] data = normalizedPayload.ToBytes(); bool isHashValid = this.hasher.IsValidHash(data, artifacts.PayloadHash); if (!isHashValid) { Tracing.Information( String.Format("Invalid payload hash {0} for data {1}", artifacts.PayloadHash.ToBase64String(), Encoding.UTF8.GetString(data))); } return(isHashValid); }
private HttpResponseMessage ProcessSamlRequest(TokenRequest request) { if (string.IsNullOrEmpty(request.Assertion)) { Tracing.Error("ADFS integration SAML authentication request with empty assertion"); return(OAuthErrorResponseMessage(OAuth2Constants.Errors.InvalidGrant)); } // un-base64 saml token string string incomingSamlToken; try { incomingSamlToken = Encoding.UTF8.GetString(Convert.FromBase64String(request.Assertion)); } catch { Tracing.Error("ADFS integration SAML authentication request with malformed SAML assertion: " + request.Assertion); return(OAuthErrorResponseMessage(OAuth2Constants.Errors.InvalidGrant)); } Tracing.Information("Starting ADFS integration SAML authentication request for scope: " + request.Scope); var bridge = new AdfsBridge(ConfigurationRepository); GenericXmlSecurityToken token; try { Tracing.Verbose("ADFS integration SAML authentication request for assertion: " + request.Assertion); token = bridge.AuthenticateSaml(incomingSamlToken, request.Scope); } catch (Exception ex) { Tracing.Error("Error while communicating with ADFS: " + ex); return(OAuthErrorResponseMessage(OAuth2Constants.Errors.InvalidRequest)); } var response = CreateTokenResponse(token, request.Scope); Tracing.Verbose("ADFS integration SAML authentication request successful"); return(response); }
private static void Trace(string source, string name, string value) { if (value == null) { Tracing.Information( "Did not find configuration setting {0} in {1}.", name, source); } else { Tracing.Information( "Found configuration setting {0} in {1} with value '{2}'.", name, source, value); } }
/// <summary> /// Produces the output identity that gets transformed into a token /// </summary> /// <param name="principal">The principal.</param> /// <param name="request">The request.</param> /// <param name="scope">The scope.</param> /// <returns>An IClaimsIdentity describing the subject</returns> protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope) { var requestDetails = (scope as RequestDetailsScope).RequestDetails; var userClaims = GetOutputClaims(principal, requestDetails, ClaimsRepository); var outputIdentity = new ClaimsIdentity(userClaims); if (requestDetails.IsActAsRequest) { Tracing.Information("Issuing act as token"); return(GetActAsClaimsIdentity(outputIdentity, requestDetails)); } else { Tracing.Information("Issuing identity token"); return(outputIdentity); } }
protected virtual void AnalyzeRequestClaims(RequestDetails details) { // check if specific claims are requested if (details.Request.Claims != null && details.Request.Claims.Count > 0) { details.ClaimsRequested = true; details.RequestClaims = details.Request.Claims; var requestClaims = new StringBuilder(20); details.RequestClaims.ToList().ForEach(rq => requestClaims.AppendFormat("{0}\n", rq.ClaimType)); Tracing.Information("Specific claims requested"); Tracing.Information(String.Format("Request claims: {0}", requestClaims)); } else { Tracing.Information("No request claims"); } }
private void LogTableStorageOperationInvoking( string tableUri, long contentLength = default(long), string storageAccountName = default(string)) { string format = "For table '{0}', begin invoking operation '{1}', individualRequestId '{2}', length '{3}', storage account '{4}'"; string message = string.Format( CultureInfo.InvariantCulture, format, tableUri, this.operationName, this.requestId, contentLength, storageAccountName); Tracing.Information(message); }
/// <summary> /// Returns a ClaimsPrincipal object with the NameIdentifier and Name claims, if the request can be /// successfully authenticated based on query string parameter bewit or HTTP Authorization header (hawk scheme). /// </summary> public async Task <ClaimsPrincipal> AuthenticateAsync() { string bewit; bool isBewit = Bewit.TryGetBewit(this.request, out bewit); if (isBewit) { Tracing.Information("Bewit Found"); } var authentication = isBewit ? Bewit.AuthenticateAsync(bewit, now, request, credentialsFunc) : HawkSchemeHeader.AuthenticateAsync(now, request, credentialsFunc); this.result = await authentication; if (result.IsAuthentic) { // At this point, authentication is successful but make sure the request parts match what is in the // application specific data 'ext' parameter by invoking the callback passing in the request object and 'ext'. // The application specific data is considered verified, if the callback is not set or it returns true. bool isAppSpecificDataVerified = this.verificationCallback == null || this.verificationCallback(request, result.ApplicationSpecificData); if (isAppSpecificDataVerified) { // Set the flag so that Server-Authorization header is not sent for bewit requests. this.isBewitRequest = isBewit; var idClaim = new Claim(ClaimTypes.NameIdentifier, result.Credential.Id); var nameClaim = new Claim(ClaimTypes.Name, result.Credential.User); var identity = new ClaimsIdentity(new[] { idClaim, nameClaim }, HawkConstants.Scheme); return(new ClaimsPrincipal(identity)); } else { Tracing.Information("Invalid Application Specific Data, though authentication is successful."); } } return(Principal.Anonymous); }
public virtual void SignIn(UserAccount account, string method, bool persistent = false) { if (account == null) { throw new ArgumentNullException("account"); } if (String.IsNullOrWhiteSpace(method)) { throw new ArgumentNullException("method"); } Tracing.Information("[AuthenticationService.SignIn] sign in called: {0}", account.ID); if (!account.IsLoginAllowed || account.IsAccountClosed) { throw new ValidationException(UserAccountService.GetValidationMessage(AppConstants.ValidationMessages.LoginNotAllowed)); } if (!account.IsAccountVerified && UserAccountService.Configuration.RequireAccountVerification) { throw new ValidationException(UserAccountService.GetValidationMessage(AppConstants.ValidationMessages.AccountNotVerified)); } // gather claims var claims = GetAllClaims(account, method); // get custom claims from properties claims.AddRange(UserAccountService.MapClaims(account)); // create principal/identity var id = new ClaimsIdentity(claims, method); var cp = new ClaimsPrincipal(id); // claims transform if (ClaimsAuthenticationManager != null) { cp = ClaimsAuthenticationManager.Authenticate(String.Empty, cp); } // issue cookie Tracing.Verbose("[AuthenticationService.SignIn] token issued: {0}", account.ID); IssueToken(cp, persistentCookie: persistent); }
private HttpResponseMessage ProcessResourceOwnerCredentialRequest(ValidatedRequest validatedRequest) { Tracing.Information("Processing resource owner credential request"); ClaimsPrincipal principal; try { principal = _rocv.Validate(validatedRequest.UserName, validatedRequest.Password); } catch (Exception ex) { Tracing.Error("Resource owner credential validation failed: " + ex.ToString()); throw; } if (principal != null && principal.Identity.IsAuthenticated) { var sts = new TokenService(this._config.GlobalConfiguration); var response = sts.CreateTokenResponse(validatedRequest, principal); // check if refresh token is enabled for the client if (validatedRequest.Client.AllowRefreshToken && validatedRequest.Application.AllowRefreshToken) { var handle = StoredGrant.CreateRefreshTokenHandle( principal.GetSubject(), validatedRequest.Client, validatedRequest.Application, principal.Claims, validatedRequest.Scopes, DateTime.UtcNow.AddYears(5)); _handleManager.Add(handle); response.RefreshToken = handle.GrantId; } return(Request.CreateTokenResponse(response)); } else { return(Request.CreateOAuthErrorResponse(OAuthConstants.Errors.InvalidGrant)); } }
public virtual void SetPassword(string tenant, string username, string newPassword) { Tracing.Information(String.Format("[UserAccountService.SetPassword] called: {0}, {1}", tenant, username)); if (!_settings.MultiTenant) { tenant = _settings.DefaultTenant; } if (String.IsNullOrWhiteSpace(tenant)) { throw new ValidationException("Invalid tenant."); } if (String.IsNullOrWhiteSpace(username)) { throw new ValidationException("Invalid username."); } if (String.IsNullOrWhiteSpace(newPassword)) { throw new ValidationException("Invalid newPassword."); } ValidatePassword(tenant, username, newPassword); var account = this.GetByUsername(tenant, username); if (account == null) { throw new ValidationException("Invalid tenant and/or username."); } Tracing.Information(String.Format("[UserAccountService.SetPassword] setting new password for: {0}, {1}", tenant, username)); account.SetPassword(newPassword); this.userRepository.SaveOrUpdate(account); if (this.notificationService != null) { this.notificationService.SendPasswordChangeNotice(account); } _unitOfWork.Commit(); }
private HttpResponseMessage ProcessResourceOwnerCredentialRequest(TokenRequest request, string tokenType, Client client) { Tracing.Information("Starting resource owner password credential flow for client: " + client.Name); var appliesTo = new EndpointReference(request.Scope); if (string.IsNullOrWhiteSpace(request.UserName) || string.IsNullOrWhiteSpace(request.Password)) { Tracing.Error("Invalid resource owner credentials for: " + appliesTo.Uri.AbsoluteUri); return(OAuthErrorResponseMessage(OAuth2Constants.Errors.InvalidGrant)); } if (UserRepository.ValidateUser(request.UserName, request.Password)) { return(CreateTokenResponse(request.UserName, client, appliesTo, tokenType, client.AllowRefreshToken)); } Tracing.Error("Resource owner credential validation failed: " + request.UserName); return(OAuthErrorResponseMessage(OAuth2Constants.Errors.InvalidGrant)); }