/// <summary> /// Gets the authentication client. /// </summary> /// <returns></returns> private AuthClient GetAuthClient() { if (_authClient == null) { var rockContext = new RockContext(); var authClientService = new AuthClientService(rockContext); var authClientId = PageParameter(PageParamKey.ClientId); _authClient = authClientService.GetByClientId(authClientId); } return(_authClient); }
private void AcceptAuthorization() { var owinContext = Context.GetOwinContext(); var request = owinContext.GetOpenIdConnectRequest(); // TODO: only allow valid scopes. var requestedScopes = request.GetScopes(); var authClientId = PageParameter(PageParamKey.ClientId); IDictionary <string, string> clientAllowedClaims = null; AuthClient authClient = null; IEnumerable <string> clientAllowedScopes = null; using (var rockContext = new RockContext()) { var authClientService = new AuthClientService(rockContext); authClient = authClientService.GetByClientId(authClientId); clientAllowedScopes = RockIdentityHelper.NarrowRequestedScopesToApprovedScopes(rockContext, authClientId, requestedScopes); clientAllowedClaims = RockIdentityHelper.GetAllowedClientClaims(rockContext, authClientId, clientAllowedScopes); } if (authClient == null || clientAllowedScopes == null || clientAllowedClaims == null) { // TODO: Error return; } // Create a new ClaimsIdentity containing the claims that // will be used to create an id_token, a token or a code. var identity = RockIdentityHelper.GetRockClaimsIdentity(CurrentUser, clientAllowedClaims, authClientId); // Create a new authentication ticket holding the user identity. var ticket = new AuthenticationTicket(identity, new AuthenticationProperties()); // We should set the scopes to the requested valid scopes. ticket.SetScopes(requestedScopes); // Set the resource servers the access token should be issued for. ticket.SetResources("resource_server"); // Returning a SignInResult will ask ASOS to serialize the specified identity // to build appropriate tokens. You should always make sure the identities // you return contain the OpenIdConnectConstants.Claims.Subject claim. In this sample, // the identity always contains the name identifier returned by the external provider. owinContext.Authentication.SignIn(ticket.Properties, identity); }
/// <summary> /// Calls when a process requests authorization. /// </summary> /// <param name="actionContext">The action context, which encapsulates information for using <see cref="T:System.Web.Http.Filters.AuthorizationFilterAttribute" />.</param> public override void OnAuthorization(HttpActionContext actionContext) { // See if user is logged in var principal = System.Threading.Thread.CurrentPrincipal; if (principal != null && principal.Identity != null && !string.IsNullOrWhiteSpace(principal.Identity.Name)) { actionContext.Request.SetUserPrincipal(principal); return; } // If check if ASOS authentication occurred. principal = actionContext.RequestContext.Principal; if (principal != null && principal.Identity != null) { var claimIdentity = principal.Identity as ClaimsIdentity; if (claimIdentity != null) { var clientId = claimIdentity.Claims.FirstOrDefault(c => c.Type == Claims.ClientId)?.Value; if (clientId.IsNotNullOrWhiteSpace()) { using (var rockContext = new RockContext()) { var authClientService = new AuthClientService(rockContext); var authClient = authClientService.GetByClientId(clientId); if (authClient.AllowUserApiAccess) { var userName = claimIdentity.Claims.FirstOrDefault(c => c.Type == Claims.Username)?.Value; if (userName.IsNotNullOrWhiteSpace() && clientId.IsNotNullOrWhiteSpace()) { UserLogin userLogin = null; var userLoginService = new UserLoginService(rockContext); userLogin = userLoginService.GetByUserName(userName); if (userLogin != null) { var identity = new GenericIdentity(userLogin.UserName); principal = new GenericPrincipal(identity, null); actionContext.Request.SetUserPrincipal(principal); return; } } } } } } } // If not, see if there's a valid Rock APIKey token TryRetrieveHeader(actionContext, HeaderTokens.AuthorizationToken, out var authToken); if (string.IsNullOrWhiteSpace(authToken)) { string queryString = actionContext.Request.RequestUri.Query; authToken = System.Web.HttpUtility.ParseQueryString(queryString).Get("apikey"); } if (!string.IsNullOrWhiteSpace(authToken)) { var userLoginService = new UserLoginService(new Rock.Data.RockContext()); var userLogin = userLoginService.Queryable().Where(u => u.ApiKey == authToken).FirstOrDefault(); if (userLogin != null) { var identity = new GenericIdentity(userLogin.UserName); principal = new GenericPrincipal(identity, null); actionContext.Request.SetUserPrincipal(principal); return; } } // If still not successful, check for a JSON Web Token if (TryRetrieveHeader(actionContext, HeaderTokens.JWT, out var jwtString)) { // If the JSON Web Token is in the header, we can determine the User from that var userLogin = JwtHelper.GetUserLoginByJSONWebToken(new RockContext(), jwtString); if (userLogin != null) { var identity = new GenericIdentity(userLogin.UserName); principal = new GenericPrincipal(identity, null); actionContext.Request.SetUserPrincipal(principal); return; } // Just in rare case the GetPersonFromJWTPersonSearchKey feature is being used, see if person can be determined this way var person = JwtHelper.GetPersonFromJWTPersonSearchKey(jwtString); if (person != null) { actionContext.Request.Properties.Add("Person", person); return; } } }
/// <summary> /// Calls when a process requests authorization. /// </summary> /// <param name="actionContext">The action context, which encapsulates information for using <see cref="T:System.Web.Http.Filters.AuthorizationFilterAttribute" />.</param> public override void OnAuthorization(HttpActionContext actionContext) { // See if user is logged in var principal = System.Threading.Thread.CurrentPrincipal; if (principal != null && principal.Identity != null && !string.IsNullOrWhiteSpace(principal.Identity.Name)) { actionContext.Request.SetUserPrincipal(principal); return; } // If check if ASOS authentication occurred. principal = actionContext.RequestContext.Principal; if (principal != null && principal.Identity != null) { var claimIdentity = principal.Identity as ClaimsIdentity; if (claimIdentity != null) { var clientId = claimIdentity.Claims.FirstOrDefault(c => c.Type == Claims.ClientId)?.Value; if (clientId.IsNotNullOrWhiteSpace()) { using (var rockContext = new RockContext()) { var authClientService = new AuthClientService(rockContext); var authClient = authClientService.GetByClientId(clientId); if (authClient.AllowUserApiAccess) { var userName = claimIdentity.Claims.FirstOrDefault(c => c.Type == Claims.Username)?.Value; if (userName.IsNotNullOrWhiteSpace() && clientId.IsNotNullOrWhiteSpace()) { UserLogin userLogin = null; var userLoginService = new UserLoginService(rockContext); userLogin = userLoginService.GetByUserName(userName); if (userLogin != null) { var identity = new GenericIdentity(userLogin.UserName); principal = new GenericPrincipal(identity, null); actionContext.Request.SetUserPrincipal(principal); return; } } } } } } } // If not, see if there's a valid token TryRetrieveHeader(actionContext, HeaderTokens.AuthorizationToken, out var authToken); if (string.IsNullOrWhiteSpace(authToken)) { string queryString = actionContext.Request.RequestUri.Query; authToken = System.Web.HttpUtility.ParseQueryString(queryString).Get("apikey"); } if (!string.IsNullOrWhiteSpace(authToken)) { var userLoginService = new UserLoginService(new Rock.Data.RockContext()); var userLogin = userLoginService.Queryable().Where(u => u.ApiKey == authToken).FirstOrDefault(); if (userLogin != null) { var identity = new GenericIdentity(userLogin.UserName); principal = new GenericPrincipal(identity, null); actionContext.Request.SetUserPrincipal(principal); return; } } // If still not successful, check for a JSON Web Token if (TryRetrieveHeader(actionContext, HeaderTokens.JWT, out var jwtString)) { Person person = null; // We need to wait for the JwtHelper.GetPerson method rather than using the await keyword. The await keyword // forces this entire method to be async causing the Secured attribute to process before everything // is finished here Task.Run(async() => { person = await JwtHelper.GetPerson(jwtString); }).Wait(); if (person != null) { actionContext.Request.Properties.Add("Person", person); return; } } }