        /// <summary>
        /// Form-post dispatcher for the demo login page. Reads which button was
        /// pressed from the request and runs one of several Okta flows: Authn API
        /// sign-in, OIDC authorization-code / implicit redirects, the OIDC
        /// resource-owner password grant, or the client-credentials grant. Each
        /// branch either redirects (to Okta or a landing page) or renders a landing
        /// view; when no button matched, it redirects to AltLanding/UnprotectedLanding.
        /// </summary>
        /// <returns>
        /// A redirect to Okta or to the landing page, a view result for the
        /// token-grant flows, or a redirect to the Login action when the Authn
        /// call raises an <c>OktaException</c>.
        /// </returns>
        public ActionResult Route()
        {
            // All of these are untrusted request values (form or query string).
            string       userName       = Request["userName"];
            string       passWord       = Request["passWord"];
            string       authnlogin_but = Request["authnlogin_but"];
            string       oidclogin_but  = Request["oidclogin_but"];
            string       oidc_but       = Request["oidc_but"];
            // NOTE(review): 'location' comes from the request and later becomes the
            // base of the post-login redirect (SUCCESS case below). It is not checked
            // against an allow-list in this method — open-redirect risk unless a
            // caller constrains it.
            string       location       = Request["location"];
            string       myStatus       = null;
            string       myStateToken;
            string       mySessionToken;
            // relayState handling is commented out below, so this stays null and is
            // passed as-is to Authenticate().
            string       myRelayState = null;
            // Assigned from the Authn response but not read afterwards in this method.
            string       myOktaId     = null;
            AuthResponse userAuthClientRsp;

            // set relayState
            //string relayState = Request["relayState"];
            //if (string.IsNullOrEmpty(relayState) && Request.QueryString["RelayState"] != null)
            //{
            //    relayState = Request.QueryString["RelayState"];
            //}
            //else if (string.IsNullOrEmpty(relayState) && TempData["relayState"] != null)
            //{
            //    relayState = (string)TempData["relayState"];
            //}
            //TempData["relayState"] = relayState;

            // --- Authn API sign-in (username/password against the Okta Authn endpoint) ---
            if (authnlogin_but == "Authn Sign In")
            {
                // A new client per request, configured with the app-wide API token.
                OktaClient oktaClient = new OktaClient(MvcApplication.apiToken, MvcApplication.apiUrl);
                try
                {
                    // usersClient is obtained but not used in this method.
                    var usersClient = oktaClient.GetUsersClient();
                    var authClient  = oktaClient.GetAuthClient();
                    userAuthClientRsp = authClient.Authenticate(username: userName, password: passWord, relayState: myRelayState);
                    logger.Debug("thisAuth status " + userAuthClientRsp.Status);
                    myStatus       = userAuthClientRsp.Status;
                    myStateToken   = userAuthClientRsp.StateToken;
                    mySessionToken = userAuthClientRsp.SessionToken;
                    if (userAuthClientRsp.Embedded.User != null)
                    {
                        myOktaId = userAuthClientRsp.Embedded.User.Id;
                    }
                }
                catch (OktaException ex)
                {
                    // Map known Okta error codes to a user-facing message, then bounce
                    // back to the Login action with the username pre-filled.
                    if (ex.ErrorCode == "E0000004")
                    {
                        // NOTE(review): the next line is garbled in this listing ("******"
                        // redaction); the original branch bodies cannot be read here.
                        logger.Debug("Invalid Credentials for User: "******"errMessage"] = "Invalid Credentials for User: "******"E0000085")
                    {
                        // NOTE(review): garbled in this listing as well; the visible tail
                        // shows errMessage being set from appSettings["aicpa.DeniedNoteText"].
                        logger.Debug("Access Denied by Polciy for User: "******"errMessage"] = "Access Denied by Polciy for User: "******"errMessage"] = appSettings["aicpa.DeniedNoteText"];
                    }
                    else
                    {
                        logger.Error(userName + " = " + ex.ErrorCode + ":" + ex.ErrorSummary);
                        // generic failure
                        TempData["errMessage"] = "Sign in process failed!";
                    }
                    TempData["userName"] = userName;
                    return(RedirectToAction("Login"));
                }

                // Only SUCCESS and the default branch change state; every other status
                // is logged and execution falls out of the switch to the oidc_but checks
                // and the final redirect at the bottom of the method.
                switch (myStatus)
                {
                case "PASSWORD_WARN":      //password about to expire
                    logger.Debug("PASSWORD_WARN ");
                    //no action required
                    break;

                case "PASSWORD_EXPIRED":      //password has expired
                    logger.Debug("PASSWORD_EXPIRED ");
                    break;

                case "RECOVERY":      //user has requested a recovery token
                    logger.Debug("RECOVERY ");
                    //find which recovery mode sms, email is being used
                    //POST to next link
                    break;

                case "RECOVERY_CHALLENGE":      //user must verify factor specific recovery challenge
                    logger.Debug("RECOVERY_CHALLENGE ");
                    //verify the recovery factor
                    //POST to verify link
                    break;

                case "PASSWORD_RESET":         //user satified recovery and must now set password
                    logger.Debug("PASSWORD_RESET ");

                    //reset users password
                    //POST to next link
                    break;

                case "LOCKED_OUT":      //user account is locked, unlock required
                    logger.Debug("LOCKED_OUT ");
                    break;

                case "MFA_ENROLL":       //user must select and enroll an available factor
                    logger.Debug("MFA_ENROLL ");
                    break;

                case "MFA_ENROLL_ACTIVATE":       //user must activate the factor to complete enrollment
                    logger.Debug("MFA_ENROLL_ACTIVATE ");
                    //user must activate the factor
                    //POST to next link
                    break;

                case "MFA_REQUIRED":        //user must provide second factor with previously enrolled factor
                    logger.Debug("MFA_REQUIRED ");
                    break;

                case "MFA_CHALLENGE":          //use must verify factor specifc challenge
                    logger.Debug("MFA_CHALLENGE ");
                    break;

                case "SUCCESS":          //authentication is complete
                    logger.Debug("SUCCESS");
                    // "errMessage" doubles as the status banner, so a success text goes here too.
                    TempData["errMessage"] = "Authn Login Successful ";
                    TempData["oktaOrg"]    = MvcApplication.apiUrl;
                    //TempData["token"] = MvcApplication.apiToken;
                    string landingPage = null;
                    // Built from the request-supplied 'location' (see note at the top).
                    landingPage = location + "/AltLanding/UnprotectedLanding";
                    //if (string.IsNullOrEmpty(relayState))
                    //{
                    //    landingPage = location + "/AltLanding/UnprotectedLanding";
                    //}
                    //else
                    //{
                    //    landingPage = relayState;
                    //}


                    //option 1
                    //string redirectUrl = oktaSessionMgmt.SetSessionCookie(mySessionToken,landingPage);
                    //return Redirect(redirectUrl);

                    //option 2 - build redirectURL
                    //System.Text.StringBuilder redirectUrl = new System.Text.StringBuilder();
                    //string destLink = location + "/AltLanding/UnprotectedLanding";
                    //redirectUrl.Append(MvcApplication.apiUrl);
                    ////redirectUrl.Append("/login/sessionCookieRedirect?token=" + mySessionToken);
                    //redirectUrl.Append("/login/sessionCookieRedirect?checkAccountSetupComplete=true&token=" + mySessionToken);
                    //string encodedURL = HttpUtility.UrlEncode(destLink);
                    //redirectUrl.Append("&redirectUrl=" + encodedURL);
                    //return Redirect(redirectUrl.ToString());

                    //option 3 get session first, then set cookie
                    // The 'new Session()' is immediately overwritten by CreateSession().
                    Session oktaSession = new Okta.Core.Models.Session();
                    oktaSession = oktaSessionMgmt.CreateSession(mySessionToken);
                    string cookieToken = oktaSession.CookieToken;
                    logger.Debug("session Id " + oktaSession.Id + " for User " + userName);
                    // Session-cookie redirect through Okta, landing on landingPage afterwards.
                    string redirectUrl = oktaSessionMgmt.SetSessionCookie(cookieToken, landingPage);
                    return(Redirect(redirectUrl));


                // break;
                default:
                    logger.Debug("Status: " + myStatus);
                    TempData["errMessage"] = "Status: " + myStatus;
                    break;
                }//end of switch
            }


            // --- OIDC authorization-code flow: redirect the browser to /authorize ---
            if (oidc_but == "Initiate Auth OIDC")
            {
                //version using Custom Authorization Server
                logger.Debug("Initiate OIDC Auth Code without Session");
                // NOTE(review): System.Random is not a cryptographic generator and the
                // value is below one million. OAuth 'state' is meant to be an
                // unguessable per-request value that is bound to the user agent and
                // verified on the callback; prefer RandomNumberGenerator and keep the
                // issued value to compare on return. The nonce is a fixed literal, so
                // it provides no replay protection for the ID token.
                Random random    = new Random();
                string stateCode = random.Next(99999, 1000000).ToString();
                string oauthUrl  = appSettings["oidc.AuthServer"] + "/v1/authorize?response_type=code&response_mode=query&client_id=" + appSettings["oidc.spintweb.clientId"] + "&scope=" + appSettings["oidc.scopes"] + "&state=" + stateCode + "&nonce=CWBb0zHdZ92WqBLkyIuExu&redirect_uri=" + appSettings["oidc.spintweb.RedirectUri"];
                return(Redirect(oauthUrl));
            }

            // --- OIDC implicit flow: same redirect, tokens returned via form_post ---
            if (oidc_but == "Initiate Implicit OIDC")
            {
                //version using Custom  Authorization Server
                logger.Debug("Initiate OIDC Implicit without Session");
                // NOTE(review): same weak 'state' and fixed nonce as the auth-code branch above.
                Random random    = new Random();
                string stateCode = random.Next(99999, 1000000).ToString();
                //string stateCode = "myStateInfo";
                string oauthUrl = appSettings["oidc.AuthServer"] + "/v1/authorize?response_type=id_token token&response_mode=form_post&client_id=" + appSettings["oidc.spintnative.clientId"] + "&scope=" + appSettings["oidc.scopes"] + "&state=" + stateCode + "&nonce=CWBb0zHdZ92WqBLkyIuExu&redirect_uri=" + appSettings["oidc.spintnative.RedirectUri"];
                //string oauthUrl = appSettings["oidc.AuthServer"] + "/v1/authorize?response_type=id_token token&response_mode=form_post&client_id=6788997876556&scope=" + appSettings["oidc.scopes"] + "&state=" + stateCode + "&nonce=CWBb0zHdZ92WqBLkyIuExu&redirect_uri=" + appSettings["oidc.spintnative.RedirectUri"];
                return(Redirect(oauthUrl));
            }



            // --- OIDC resource-owner password grant: server-side POST to /token ---
            if (oidc_but == "Initiate ResourceOwner OIDC")
            {
                string error                = null;
                string error_description    = null;
                string token_type           = null;
                string scope                = null;
                string id_token_status      = null;
                string idToken              = null;
                string access_token_status  = null;
                string accessToken          = null;
                string refresh_token_status = null;
                string refreshToken         = null;
                string jsonPayload          = null;


                IRestResponse <TokenRequestResponse> response = null;
                // Stays an empty object unless the ID token validates and deserializes below.
                OidcIdTokenMin  oidcIdToken     = new OidcIdTokenMin();
                OidcAccessToken oidcAccessToken = new OidcAccessToken();
                // HTTP Basic client authentication: "clientId:clientSecret", base64-encoded.
                string          basicAuth       = appSettings["oidc.spintnative.clientId"] + ":" + appSettings["oidc.spintnative.clientSecret"];

                var    bytesBasicAuth   = System.Text.Encoding.UTF8.GetBytes(basicAuth);
                string encodedBasicAuth = System.Convert.ToBase64String(bytesBasicAuth);

                try
                {
                    var client = new RestClient(appSettings["oidc.AuthServer"] + "/v1/token");
                    //var client = new RestClient(MvcApplication.apiUrl + "/oauth2/aus90h4gyj2Hc8QOy0h7/v1/token");
                    var request = new RestRequest(Method.POST);
                    request.AddHeader("Accept", "application/json");
                    request.AddHeader("Content-Type", "application/x-www-form-urlencoded");
                    // NOTE(review): the header value starts with a space (" Basic ...");
                    // the scheme token is "Basic" with no leading space — confirm the
                    // server tolerates it.
                    request.AddHeader("Authorization", " Basic " + encodedBasicAuth);
                    // NOTE(review): AddQueryParameter places these in the URL query
                    // string of the POST, so the user's password travels in the request
                    // URL and can end up in proxy/server logs. The password grant expects
                    // them in the form body instead.
                    request.AddQueryParameter("grant_type", "password");
                    request.AddQueryParameter("username", userName);
                    request.AddQueryParameter("password", passWord);
                    request.AddQueryParameter("scope", appSettings["oidc.scopes"]);
                    request.AddQueryParameter("redirect_uri", appSettings["oidc.spintnative.RedirectUri"]);
                    response          = client.Execute <TokenRequestResponse>(request);
                    // response.Data can be null (transport failure or a body that did not
                    // deserialize); the dereferences below then throw into the catch-all.
                    error             = response.Data.error;
                    error_description = response.Data.error_description;
                    token_type        = response.Data.token_type;
                    scope             = response.Data.scope;

                    if (response.Data.id_token != null)
                    {
                        idToken             = response.Data.id_token;
                        id_token_status     = "id_token present";
                        TempData["idToken"] = response.Data.id_token;
                        string clientId = appSettings["oidc.spintnative.clientId"];
                        string issuer   = appSettings["oidc.Issuer"];
                        string audience = appSettings["oidc.spintnative.clientId"];
                        // Helper returns the decoded payload as JSON, or a string containing
                        // "Failure" on validation error (as far as this method can tell).
                        jsonPayload = oktaOidcHelper.DecodeAndValidateIdToken(idToken, clientId, issuer, audience);
                        if (jsonPayload.Contains("Failure"))
                        {
                            TempData["errMessage"] = "Invalid ID Token!";
                        }
                        else
                        {
                            // TempData["errMessage"] = jsonPayload;
                            // Constructing a JwtSecurityToken only parses the token — it does
                            // not verify the signature. tokenReceived is not used afterwards.
                            System.IdentityModel.Tokens.JwtSecurityToken tokenReceived = new System.IdentityModel.Tokens.JwtSecurityToken(idToken);
                            oidcIdToken = Newtonsoft.Json.JsonConvert.DeserializeObject <OidcIdTokenMin>(jsonPayload);
                        }
                    }
                    else
                    {
                        id_token_status = "id_token NOT present";
                    }

                    if (response.Data.access_token != null)
                    {
                        accessToken             = response.Data.access_token;
                        access_token_status     = "access_token present";
                        TempData["accessToken"] = response.Data.access_token;
                        // Parsed but not validated and not used afterwards.
                        System.IdentityModel.Tokens.JwtSecurityToken tokenReceived2 = new System.IdentityModel.Tokens.JwtSecurityToken(accessToken);
                    }
                    else
                    {
                        access_token_status = "access_token NOT present";
                    }

                    if (response.Data.refresh_token != null)
                    {
                        refreshToken         = response.Data.refresh_token;
                        refresh_token_status = "refresh_token present";
                    }
                    else
                    {
                        refresh_token_status = "refresh_token NOT present";
                    }
                }
                catch (Exception ex)
                {
                    // Catch-all: the failure is logged and execution continues with
                    // whatever tokens were assigned before the exception.
                    logger.Error(ex.ToString());
                }
                // NOTE(review): this branch runs whenever any token came back, including
                // when DecodeAndValidateIdToken reported a failure above — the
                // "Invalid ID Token!" message is overwritten and the success view is
                // rendered with the empty oidcIdToken. Consider gating on the
                // validation outcome rather than on token presence.
                if (accessToken != null || idToken != null)
                {
                    TempData["errMessage"] = "OIDC_Get Oauth Resource Owner SUCCESS token_type = " + token_type + " scope = " + scope + " : " + id_token_status + " : " + access_token_status + " oktaId = " + oidcIdToken.sub;
                    TempData["oktaOrg"]    = MvcApplication.apiUrl;
                    //TempData["token"] = MvcApplication.apiToken;

                    return(View("../AltLanding/ResOwnerLanding", oidcIdToken));
                }
                else
                {
                    TempData["errMessage"] = "OIDC_Get Oauth Resource Owner error " + error_description;
                    TempData["oktaOrg"]    = MvcApplication.apiUrl;
                    //TempData["token"] = MvcApplication.apiToken;
                    return(View("../AltLanding/UnprotectedLanding"));
                }
            }// end handle resource owner workflow



            // --- OAuth client-credentials grant: machine-to-machine token, no user ---
            if (oidc_but == "Client Credential Flow")
            {
                //this is available with Custom Authorization Server
                logger.Debug("Client Credential Flow");
                string error               = null;
                string error_description   = null;
                string token_type          = null;
                string scope               = null;
                string access_token_status = null;
                string accessToken         = null;
                string id_token_status     = null;
                string idToken             = null;
                System.IdentityModel.Tokens.JwtSecurityToken tokenReceived2 = null;
                System.IdentityModel.Tokens.JwtSecurityToken tokenReceived3 = null;
                string expires = null;
                IRestResponse <TokenRequestResponse> response = null;
                OidcIdToken     oidcIdToken     = new OidcIdToken();
                OidcAccessToken oidcAccessToken = new OidcAccessToken();
                // Service client credentials from configuration, sent as HTTP Basic.
                string          basicAuth       = appSettings["oidc.clientcredservice.clientId"] + ":" + appSettings["oidc.clientcredservice.clientSecret"];

                var    bytesBasicAuth   = System.Text.Encoding.UTF8.GetBytes(basicAuth);
                string encodedBasicAuth = System.Convert.ToBase64String(bytesBasicAuth);


                var client  = new RestClient(appSettings["oidc.AuthServer"] + "/v1/token");
                var request = new RestRequest(Method.POST);
                // request.AddHeader("cache-control", "no-cache");
                request.AddHeader("Accept", "application/json");
                request.AddHeader("Content-Type", "application/x-www-form-urlencoded");
                // Same leading-space oddity in the Authorization value as the branch above.
                request.AddHeader("Authorization", " Basic " + encodedBasicAuth);
                request.AddQueryParameter("grant_type", "client_credentials");
                // Scope is hard-coded here rather than read from appSettings.
                request.AddQueryParameter("scope", "clientCred_scope");
                // Unlike the resource-owner branch there is no try/catch: a null
                // response.Data surfaces as an unhandled exception.
                response = client.Execute <TokenRequestResponse>(request);
                //error = response.Data.error;
                //error_description = response.Data.error_description;
                token_type = response.Data.token_type;
                scope      = response.Data.scope;
                expires    = response.Data.expires_in;

                if (response.Data.access_token != null)
                {
                    accessToken             = response.Data.access_token;
                    access_token_status     = "access_token present";
                    TempData["accessToken"] = response.Data.access_token;
                    // Parsed only (no signature check); not used afterwards.
                    tokenReceived2          = new System.IdentityModel.Tokens.JwtSecurityToken(accessToken);
                }
                else
                {
                    access_token_status = "access_token NOT present";
                }

                if (response.Data.id_token != null)
                {
                    idToken             = response.Data.id_token;
                    id_token_status     = "id_token present";
                    TempData["idToken"] = response.Data.id_token;
                    tokenReceived3      = new System.IdentityModel.Tokens.JwtSecurityToken(idToken);
                }
                else
                {
                    id_token_status = "id_token NOT present";
                }

                if (accessToken != null)
                {
                    TempData["errMessage"] = "Oauth Client Credentials SUCCESS token_type = " + token_type + " expires " + expires + " scope = " + scope + "  : " + access_token_status;
                    TempData["oktaOrg"]    = MvcApplication.apiUrl;
                    //TempData["token"] = MvcApplication.apiToken;
                    //GetInfoResponse getInfoResponse = new GetInfoResponse();
                    return(View("../AltLanding/ClientCredLanding"));
                }
                else
                {
                    TempData["errMessage"] = "Oauth Client Credentials Error token_type = " + token_type + " expires " + expires + " scope = " + scope + "  : " + access_token_status;
                    TempData["oktaOrg"]    = MvcApplication.apiUrl;
                    //TempData["token"] = MvcApplication.apiToken;
                    return(View("../AltLanding/UnprotectedLanding"));
                }
            }



            // Fallthrough: no button matched, or an Authn status other than SUCCESS.
            TempData["userName"] = userName;
            // NOTE(review): this persists the plaintext password in TempData
            // (server-side, session-backed state) across the redirect. Nothing in
            // this method reads it back; consider whether the next request needs it
            // at all.
            TempData["passWord"] = passWord;
            //return View("Login");
            return(RedirectToAction("UnprotectedLanding", "AltLanding"));
        }
        /// <summary>
        /// Authn sign-in followed by an OIDC authorization-code + PKCE redirect.
        /// Authenticates the posted username/password against the Okta Authn API,
        /// and on SUCCESS creates an Okta session, generates a PKCE verifier/challenge,
        /// and redirects the browser to /authorize with the session token attached.
        /// Any other Authn status is logged and ends in a redirect to
        /// AltLanding/UnprotectedLanding.
        /// </summary>
        /// <returns>
        /// A redirect to the Okta authorize endpoint on SUCCESS, a redirect to the
        /// Login action when Authenticate raises an <c>OktaException</c>, otherwise a
        /// redirect to AltLanding/UnprotectedLanding.
        /// </returns>
        public ActionResult PkceRoute()
        {
            // Untrusted request values (form or query string).
            string       userName       = Request["userName"];
            string       passWord       = Request["passWord"];
            // The three *_but values and 'location' are read but only 'location'
            // is referenced again (landingPage below).
            string       authnlogin_but = Request["authnlogin_but"];
            string       oidclogin_but  = Request["oidclogin_but"];
            string       oidc_but       = Request["oidc_but"];
            string       location       = Request["location"];
            string       myStatus       = null;
            string       myStateToken;
            string       mySessionToken;
            // Assigned from the Authn response but not read afterwards in this method.
            string       myOktaId = null;
            AuthResponse userAuthClientRsp;

            // set relayState
            // NOTE(review): relayState is request-controlled and is forwarded both to
            // Authenticate() and into TempData without validation.
            string relayState = Request["relayState"];

            TempData["relayState"] = relayState;

            Uri orgUri = new Uri(apiUrl);

            // Instance fields are (re)built on every request from the app-wide API token.
            _orgSettings          = new OktaSettings();
            _orgSettings.ApiToken = apiToken;
            _orgSettings.BaseUri  = orgUri;

            // _oktaClient and _usersClient are assigned but not used in this method.
            _oktaClient  = new OktaClient(_orgSettings);
            _usersClient = new UsersClient(_orgSettings);
            _authClient  = new AuthClient(_orgSettings);
            try
            {
                userAuthClientRsp = _authClient.Authenticate(username: userName, password: passWord, relayState: relayState);
                logger.Debug("thisAuth status " + userAuthClientRsp.Status);
                myStatus       = userAuthClientRsp.Status;
                myStateToken   = userAuthClientRsp.StateToken;
                mySessionToken = userAuthClientRsp.SessionToken;
                if (userAuthClientRsp.Embedded.User != null)
                {
                    myOktaId = userAuthClientRsp.Embedded.User.Id;
                }
            }
            catch (OktaException ex)
            {
                // Map known Okta error codes to a user-facing message, then bounce
                // back to the Login action with the username pre-filled.
                if (ex.ErrorCode == "E0000004")
                {
                    // NOTE(review): the next line is garbled in this listing ("******"
                    // redaction); the original branch bodies cannot be read here.
                    logger.Debug("Invalid Credentials for User: "******"errMessage"] = "Invalid Credentials for User: "******"E0000085")
                {
                    // NOTE(review): garbled in this listing as well; the visible tail
                    // is the logger.Error(...) call of the generic-failure branch.
                    logger.Debug("Access Denied by Polciy for User: "******"errMessage"] = "Access Denied by Polciy for User: "******"errMessage"] = "Access Denied by Polciy for User: "******" = " + ex.ErrorCode + ":" + ex.ErrorSummary);
                    // generic failure
                    TempData["errMessage"] = "Sign in process failed!";
                }
                TempData["userName"] = userName;
                return(RedirectToAction("Login"));
            }

            // Only SUCCESS and the default branch change state; every other status
            // is logged and falls out of the switch to the final redirect.
            switch (myStatus)
            {
            case "PASSWORD_WARN":      //password about to expire
                logger.Debug("PASSWORD_WARN ");
                break;

            case "PASSWORD_EXPIRED":      //password has expired
                logger.Debug("PASSWORD_EXPIRED ");
                break;

            case "RECOVERY":      //user has requested a recovery token
                logger.Debug("RECOVERY ");
                break;

            case "RECOVERY_CHALLENGE":      //user must verify factor specific recovery challenge
                logger.Debug("RECOVERY_CHALLENGE ");
                break;

            case "PASSWORD_RESET":         //user satified recovery and must now set password
                logger.Debug("PASSWORD_RESET ");
                break;

            case "LOCKED_OUT":      //user account is locked, unlock required
                logger.Debug("LOCKED_OUT ");
                break;

            case "MFA_ENROLL":       //user must select and enroll an available factor
                logger.Debug("MFA_ENROLL ");
                break;

            case "MFA_ENROLL_ACTIVATE":       //user must activate the factor to complete enrollment
                logger.Debug("MFA_ENROLL_ACTIVATE ");
                break;

            case "MFA_REQUIRED":        //user must provide second factor with previously enrolled factor
                logger.Debug("MFA_REQUIRED ");
                break;

            case "MFA_CHALLENGE":          //use must verify factor specifc challenge
                logger.Debug("MFA_CHALLENGE ");
                break;

            case "SUCCESS":          //authentication is complete
                logger.Debug("SUCCESS");
                // "errMessage" doubles as the status banner, so a success text goes here too.
                TempData["errMessage"] = "Authn Login Successful ";
                TempData["oktaOrg"]    = apiUrl;

                // NOTE(review): landingPage is computed from request-controlled values
                // (location / relayState) but is never used after this if/else — the
                // redirect below goes to the Okta authorize URL instead.
                string landingPage = null;
                if (string.IsNullOrEmpty(relayState))
                {
                    landingPage = location + "/AltLanding/UnprotectedLanding";
                }
                else
                {
                    landingPage = relayState;
                }

                //optionaly get session Id locally
                // The 'new Session()' is immediately overwritten by CreateSession().
                Session oktaSession = new Okta.Core.Models.Session();
                oktaSession = oktaSessionMgmt.CreateSession(mySessionToken);
                string cookieToken = oktaSession.CookieToken;
                logger.Debug("session Id " + oktaSession.Id + " for User " + userName);
                // From here on mySessionToken holds the session's cookie token, not the
                // Authn sessionToken.
                mySessionToken = cookieToken;

                //exchange sessionToken for sessionCookie in OIDC Implicit workflow
                // NOTE(review): the nonce comes from System.Random (not a cryptographic
                // generator, value below one million) and 'state' is the constant
                // "myStateInfo", so the authorization response cannot be tied back to
                // this particular request — the callback loses its CSRF binding. Prefer
                // RandomNumberGenerator for both and keep the issued state to verify on return.
                Random random       = new Random();
                string nonceValue   = random.Next(99999, 1000000).ToString();
                string stateCode    = "myStateInfo";
                string codeVerifier = oktaOidcHelper.CreateCodeVerifier();
                //store codeVerifier for token endpoint
                // NOTE(review): the verifier is saved under the fixed key "myKey", so it is
                // shared by every user/concurrent login and the last writer wins. PKCE
                // verifiers should be stored per session (e.g. keyed by the state value).
                cacheService.SavePasscode("myKey", codeVerifier);
                string codeChallenge = oktaOidcHelper.CreateCodeChallenge(codeVerifier);
                // NOTE(review): the session cookie token is placed in the authorize URL
                // query string, where it can be captured in browser history and logs.
                // The settings key here is "oidc.authServer" while Route() uses
                // "oidc.AuthServer" — confirm both resolve to the same entry.
                string oauthUrl      = appSettings["oidc.authServer"] + "/v1/authorize?response_type=code&response_mode=query&code_challenge_method=S256&code_challenge=" + codeChallenge + "&client_id=" + appSettings["oidc.spintnative.clientId"] + "&scope=" + appSettings["oidc.scopes"] + "&state=" + stateCode + "&nonce=" + nonceValue + "&redirect_uri=" + appSettings["oidc.spintnative.RedirectUri_PKCE"] + "&sessionToken=" + mySessionToken + "&extra_param=myFavoriteData";
                return(Redirect(oauthUrl));



            //break;
            default:
                logger.Debug("Status: " + myStatus);
                TempData["errMessage"] = "Status: " + myStatus;
                break;
            }//end of switch
            // Any non-SUCCESS status ends here.
            TempData["userName"] = userName;

            return(RedirectToAction("UnprotectedLanding", "AltLanding"));
        }