/// <summary>
/// Refreshes an access token by expiring the existing tokens and creating a new appauthorization entry
/// TODO: allow expiration dates
/// </summary>
/// <param name="appAuth"></param>
/// <returns></returns>
public static AppAuthorization AccessTokenRefresh(AppAuthorization appAuth)
{
// expire previous token
using(AuthorizationDataContext oauthDataCtxt = new AuthorizationDataContext(System.Configuration.ConfigurationManager.ConnectionStrings["OAuthDb"].ConnectionString))
{
/// expire old auth
var oldAppAuth = oauthDataCtxt.AppAuthorizations.First( a => a.Id == appAuth.Id);
oldAppAuth.AuthTokenExpiration = DateTime.UtcNow;
oldAppAuth.RefreshTokenExpiration = DateTime.UtcNow;
// create new auth
var newAppAuth = new AppAuthorization()
{
AppId = appAuth.AppId,
UserId = appAuth.UserId,
Scope = appAuth.Scope,
AuthToken = GenerateToken(),
RefreshToken = GenerateToken(),
Created = DateTime.UtcNow
};
oauthDataCtxt.AppAuthorizations.InsertOnSubmit(newAppAuth);
oauthDataCtxt.SubmitChanges();
return newAppAuth as AppAuthorization;
}
}
public static bool ValidateAccessToken(string accessToken, HttpRequestMessage request)
{
using (AuthorizationDataContext oauthDataCtxt = new AuthorizationDataContext(System.Configuration.ConfigurationManager.ConnectionStrings["OAuthDb"].ConnectionString))
{
// First, ensure the token is valid and not expired
var appAuth = (
from appAuths in oauthDataCtxt.AppAuthorizations
where appAuths.AuthToken == accessToken && (!appAuths.AuthTokenExpiration.HasValue || appAuths.AuthTokenExpiration.Value <= DateTime.UtcNow)
select appAuths
).FirstOrDefault();
if (appAuth == null)
{ // return invalid token error message
return false;
}
// scope == role
string[] scopes = appAuth.Scope.ToLower().Split();
// TODO: do we want to deactivate the token if scopes are removed from the user?
// Next, ensure the scope is a valid scope for the delegated user
var userRoles = (from userRole in oauthDataCtxt.UserRoles
where userRole.UserId == appAuth.UserId
select userRole.Role).Where(r => scopes.Contains(r.Name.ToLower()));
if (userRoles == null || userRoles.Count() == 0)
{ // TODO: return invalid scope error message
return false;
}
List<int> userRoleIdList = new List<int>();
userRoles.ToList().ForEach( r => userRoleIdList.Add(r.Id));
// validate that request / action is contained within role
var allowedActions = from roleAction in oauthDataCtxt.RoleResourceActions
where userRoleIdList.Contains(roleAction.RoleId)
select roleAction;
if (allowedActions == null || allowedActions.Count() == 0)
{
// TODO: message of invalid roles
return false;
}
else
{
foreach (var action in allowedActions)
{
// TODO: regex pattern matching on uri
if (action.Resource.Uri.Equals(request.RequestUri.AbsolutePath, StringComparison.CurrentCultureIgnoreCase)
&& action.AllowedMethods.ToUpper().Contains(request.Method.Method.ToUpper()))
{
return true;
}
}
}
return false;
}
}
public static AppAuthorization ValidateRefreshToken(string appId, string appSecret, string refreshToken)
{
AuthorizationDataContext oauthDataCtxt = new AuthorizationDataContext(System.Configuration.ConfigurationManager.ConnectionStrings["OAuthDb"].ConnectionString);
var appAuth = from apps in oauthDataCtxt.Applications
where apps.AppPublicId == appId
&& apps.AppSecret == appSecret
select (
from authorizations in oauthDataCtxt.AppAuthorizations
where authorizations.RefreshToken == refreshToken
&& (authorizations.RefreshTokenExpiration == null || authorizations.RefreshTokenExpiration < DateTime.UtcNow)
select authorizations
).FirstOrDefault();
return appAuth as AppAuthorization;
}
