public AcquireTokenOnBehalfHandler(Authenticator authenticator, TokenCache tokenCache, string resource, ClientKey clientKey, UserAssertion userAssertion, bool callSync)
: base(authenticator, tokenCache, resource, clientKey, TokenSubjectType.UserPlusClient, callSync)
{
if (userAssertion == null)
{
throw new ArgumentNullException("userAssertion");
}
this.userAssertion = userAssertion;
this.DisplayableId = userAssertion.UserName;
this.assertionHash = PlatformSpecificHelper.CreateSha256Hash(userAssertion.Assertion);
this.SupportADFS = true;
}
private void LogReturnedToken(AuthenticationResult result)
{
if (result.AccessToken != null)
{
string accessTokenHash = PlatformSpecificHelper.CreateSha256Hash(result.AccessToken);
string logMessage;
if (result.RefreshToken != null)
{
string refreshTokenHash = PlatformSpecificHelper.CreateSha256Hash(result.RefreshToken);
logMessage = string.Format("Access Token with hash '{0}' and Refresh Token with hash '{1}' returned", accessTokenHash, refreshTokenHash);
}
else
{
logMessage = string.Format("Access Token with hash '{0}' returned", accessTokenHash);
}
Logger.Verbose(this.CallState, logMessage);
}
}
private void LogReturnedToken(AuthenticationResult result)
{
if (result.AccessToken != null)
{
string accessTokenHash = PlatformSpecificHelper.CreateSha256Hash(result.AccessToken);
string refreshTokenHash;
if (result.RefreshToken != null)
{
refreshTokenHash = PlatformSpecificHelper.CreateSha256Hash(result.RefreshToken);
}
else
{
refreshTokenHash = "[No Refresh Token]";
}
Logger.Information(this.CallState, "=== Token Acquisition finished successfully. An access token was retuned:\n\tAccess Token Hash: {0}\n\tRefresh Token Hash: {1}\n\tExpiration Time: {2}\n\tUser Hash: {3}\n\t",
accessTokenHash, refreshTokenHash, result.ExpiresOn,
result.UserInfo != null ? PlatformSpecificHelper.CreateSha256Hash(result.UserInfo.UniqueId) : "null");
}
}
protected override async Task PreTokenRequest()
{
await base.PreTokenRequest();
if (this.userAssertion == null)
{
UserRealmDiscoveryResponse userRealmResponse = await UserRealmDiscoveryResponse.CreateByDiscoveryAsync(this.Authenticator.UserRealmUri, this.userCredential.UserName, this.CallState);
Logger.Information(this.CallState, "User with hash '{0}' detected as '{1}'", PlatformSpecificHelper.CreateSha256Hash(this.userCredential.UserName), userRealmResponse.AccountType);
if (string.Compare(userRealmResponse.AccountType, "federated", StringComparison.OrdinalIgnoreCase) == 0)
{
if (string.IsNullOrWhiteSpace(userRealmResponse.FederationMetadataUrl))
{
throw new AdalException(AdalError.MissingFederationMetadataUrl);
}
WsTrustAddress wsTrustAddress = await MexParser.FetchWsTrustAddressFromMexAsync(userRealmResponse.FederationMetadataUrl, this.userCredential.UserAuthType, this.CallState);
Logger.Information(this.CallState, "WS-Trust endpoint '{0}' fetched from MEX at '{1}'", wsTrustAddress.Uri, userRealmResponse.FederationMetadataUrl);
WsTrustResponse wsTrustResponse = await WsTrustRequest.SendRequestAsync(wsTrustAddress, this.userCredential, this.CallState);
Logger.Information(this.CallState, "Token of type '{0}' acquired from WS-Trust endpoint", wsTrustResponse.TokenType);
// We assume that if the response token type is not SAML 1.1, it is SAML 2
this.userAssertion = new UserAssertion(wsTrustResponse.Token, (wsTrustResponse.TokenType == WsTrustResponse.Saml1Assertion) ? OAuthGrantType.Saml11Bearer : OAuthGrantType.Saml20Bearer);
}
else if (string.Compare(userRealmResponse.AccountType, "managed", StringComparison.OrdinalIgnoreCase) == 0)
{
// handle password grant flow for the managed user
if (this.userCredential.PasswordToCharArray() == null)
{
throw new AdalException(AdalError.PasswordRequiredForManagedUserError);
}
}
else
{
throw new AdalException(AdalError.UnknownUserType);
}
}
}
protected override async Task PreRunAsync()
{
await base.PreRunAsync();
if (this.userCredential != null)
{
// We cannot move the following lines to UserCredential as one of these calls in async.
// It cannot be moved to constructor or property or a pure sync or async call. This is why we moved it here which is an async call already.
if (string.IsNullOrWhiteSpace(this.userCredential.UserName))
{
#if ADAL_NET
this.userCredential.UserName = PlatformSpecificHelper.GetUserPrincipalName();
#else
this.userCredential.UserName = await PlatformSpecificHelper.GetUserPrincipalNameAsync();
#endif
if (string.IsNullOrWhiteSpace(userCredential.UserName))
{
Logger.Information(this.CallState, "Could not find UPN for logged in user");
throw new AdalException(AdalError.UnknownUser);
}
Logger.Verbose(this.CallState, "Logged in user with hash '{0}' detected", PlatformSpecificHelper.CreateSha256Hash(userCredential.UserName));
}
this.DisplayableId = userCredential.UserName;
}
else if (this.userAssertion != null)
{
this.DisplayableId = userAssertion.UserName;
}
}