/// <summary>
/// Attempts to extract client identification/authentication information from a message.
/// </summary>
/// <param name="authorizationServerHost">The authorization server host.</param>
/// <param name="requestMessage">The incoming message.</param>
/// <param name="clientIdentifier">Receives the client identifier, if one was found.</param>
/// <returns>The level of the extracted client information.</returns>
public override ClientAuthenticationResult TryAuthenticateClient(IAuthorizationServerHost authorizationServerHost, AuthenticatedClientRequestBase requestMessage, out string clientIdentifier)
{
Requires.NotNull(authorizationServerHost, "authorizationServerHost");
Requires.NotNull(requestMessage, "requestMessage");
ClientAuthenticationModule authenticator = null;
ClientAuthenticationResult result = ClientAuthenticationResult.NoAuthenticationRecognized;
clientIdentifier = null;
foreach (var candidateAuthenticator in this.authenticators)
{
string candidateClientIdentifier;
var resultCandidate = candidateAuthenticator.TryAuthenticateClient(authorizationServerHost, requestMessage, out candidateClientIdentifier);
ErrorUtilities.VerifyProtocol(
result == ClientAuthenticationResult.NoAuthenticationRecognized || resultCandidate == ClientAuthenticationResult.NoAuthenticationRecognized,
"Message rejected because multiple forms of client authentication ({0} and {1}) were detected, which is forbidden by the OAuth 2 Protocol Framework specification.",
authenticator,
candidateAuthenticator);
if (resultCandidate != ClientAuthenticationResult.NoAuthenticationRecognized)
{
authenticator = candidateAuthenticator;
result = resultCandidate;
clientIdentifier = candidateClientIdentifier;
}
}
return(result);
}
/// <summary>
/// 通过密码进行客户端验证
/// </summary>
/// <param name="authorizationServerHost"></param>
/// <param name="clientIdentifier"></param>
/// <param name="clientSecret"></param>
/// <returns></returns>
protected static ClientAuthenticationResult TryAuthenticateClientBySecret(IAuthorizationServerHost authorizationServerHost, string clientIdentifier, string clientSecret)
{
if (!string.IsNullOrEmpty(clientIdentifier))
{
var client = authorizationServerHost.GetClient(clientIdentifier);
if (client != null)
{
if (!string.IsNullOrEmpty(clientSecret))
{
if (client.IsValidClientSecret(clientSecret))
{
return(ClientAuthenticationResult.ClientAuthenticated);
}
else
{
return(ClientAuthenticationResult.ClientAuthenticationRejected);
}
}
else
{
return(ClientAuthenticationResult.ClientIdNotAuthenticated);
}
}
else
{
return(ClientAuthenticationResult.ClientAuthenticationRejected);
}
}
else
{
return(ClientAuthenticationResult.NoAuthenticationRecognized);
}
}
/// <summary>
/// Attempts to extract client identification/authentication information from a message.
/// </summary>
/// <param name="authorizationServerHost">The authorization server host.</param>
/// <param name="requestMessage">The incoming message.</param>
/// <param name="clientIdentifier">Receives the client identifier, if one was found.</param>
/// <returns>The level of the extracted client information.</returns>
public override ClientAuthenticationResult TryAuthenticateClient(IAuthorizationServerHost authorizationServerHost, AuthenticatedClientRequestBase requestMessage, out string clientIdentifier) {
Requires.NotNull(authorizationServerHost, "authorizationServerHost");
Requires.NotNull(requestMessage, "requestMessage");
ClientAuthenticationModule authenticator = null;
ClientAuthenticationResult result = ClientAuthenticationResult.NoAuthenticationRecognized;
clientIdentifier = null;
foreach (var candidateAuthenticator in this.authenticators) {
string candidateClientIdentifier;
var resultCandidate = candidateAuthenticator.TryAuthenticateClient(authorizationServerHost, requestMessage, out candidateClientIdentifier);
ErrorUtilities.VerifyProtocol(
result == ClientAuthenticationResult.NoAuthenticationRecognized || resultCandidate == ClientAuthenticationResult.NoAuthenticationRecognized,
"Message rejected because multiple forms of client authentication ({0} and {1}) were detected, which is forbidden by the OAuth 2 Protocol Framework specification.",
authenticator,
candidateAuthenticator);
if (resultCandidate != ClientAuthenticationResult.NoAuthenticationRecognized) {
authenticator = candidateAuthenticator;
result = resultCandidate;
clientIdentifier = candidateClientIdentifier;
}
}
return result;
}
/// <summary>
/// Initializes a new instance of the <see cref="AuthorizationServer"/> class.
/// </summary>
/// <param name="authorizationServer">The authorization server.</param>
/// <param name="clientAuthenticationModules">The list client authentication modules.</param>
public AuthorizationServer(IAuthorizationServerHost authorizationServer, IList <ClientAuthenticationModule> clientAuthenticationModules)
{
this.aggregatingClientAuthenticationModule = new AggregatingClientCredentialReader(this.clientAuthenticationModules);
this.Channel = new OAuth2AuthorizationServerChannel(authorizationServer, this.aggregatingClientAuthenticationModule);
this.clientAuthenticationModules.AddRange(clientAuthenticationModules);
this.ScopeSatisfiedCheck = DefaultScopeSatisfiedCheck;
}
public AuthorizationServer(IAuthorizationServerHost authorizationServer)
{
this.aggregatingClientAuthenticationModule = new AggregatingClientCredentialReader(this.clientAuthenticationModules);
this.Channel = new OAuth2AuthorizationServerChannel(authorizationServer, this.aggregatingClientAuthenticationModule);
this.clientAuthenticationModules.AddRange(OAuth2AuthorizationServerSection.Configuration.ClientAuthenticationModules.CreateInstances(true, null));
this.ScopeSatisfiedCheck = DefaultScopeSatisfiedCheck;
}
/// <summary>
/// Initializes a new instance of the <see cref="AuthorizationServer"/> class.
/// </summary>
/// <param name="authorizationServer">The authorization server.</param>
public AuthorizationServer(IAuthorizationServerHost authorizationServer) {
Requires.NotNull(authorizationServer, "authorizationServer");
this.aggregatingClientAuthenticationModule = new AggregatingClientCredentialReader(this.clientAuthenticationModules);
this.Channel = new OAuth2AuthorizationServerChannel(authorizationServer, this.aggregatingClientAuthenticationModule);
this.clientAuthenticationModules.AddRange(OAuth2AuthorizationServerSection.Configuration.ClientAuthenticationModules.CreateInstances(true));
this.ScopeSatisfiedCheck = DefaultScopeSatisfiedCheck;
}
/// <summary>
/// Validates a client identifier and shared secret against the authoriation server's database.
/// </summary>
/// <param name="authorizationServerHost">The authorization server host; cannot be <c>null</c>.</param>
/// <param name="clientIdentifier">The alleged client identifier.</param>
/// <param name="clientSecret">The alleged client secret to be verified.</param>
/// <returns>An indication as to the outcome of the validation.</returns>
protected static ClientAuthenticationResult TryAuthenticateClientBySecret(IAuthorizationServerHost authorizationServerHost, string clientIdentifier, string clientSecret)
{
Requires.NotNull(authorizationServerHost, "authorizationServerHost");
if (!string.IsNullOrEmpty(clientIdentifier))
{
var client = authorizationServerHost.GetClient(clientIdentifier);
if (client != null)
{
if (!string.IsNullOrEmpty(clientSecret))
{
if (client.IsValidClientSecret(clientSecret))
{
return(ClientAuthenticationResult.ClientAuthenticated);
}
else // invalid client secret
{
return(ClientAuthenticationResult.ClientAuthenticationRejected);
}
}
else // no client secret provided
{
return(ClientAuthenticationResult.ClientIdNotAuthenticated);
}
}
else // The client identifier is not recognized.
{
return(ClientAuthenticationResult.ClientAuthenticationRejected);
}
}
else // no client id provided.
{
return(ClientAuthenticationResult.NoAuthenticationRecognized);
}
}
/// <summary>
/// Attempts to extract client identification/authentication information from a message.
/// </summary>
/// <param name="authorizationServerHost">The authorization server host.</param>
/// <param name="requestMessage">The incoming message.</param>
/// <param name="clientIdentifier">Receives the client identifier, if one was found.</param>
/// <returns>The level of the extracted client information.</returns>
public override ClientAuthenticationResult TryAuthenticateClient(IAuthorizationServerHost authorizationServerHost, AuthenticatedClientRequestBase requestMessage, out string clientIdentifier) {
Requires.NotNull(authorizationServerHost, "authorizationServerHost");
Requires.NotNull(requestMessage, "requestMessage");
clientIdentifier = requestMessage.ClientIdentifier;
return TryAuthenticateClientBySecret(authorizationServerHost, requestMessage.ClientIdentifier, requestMessage.ClientSecret);
}
/// <summary>
/// Attempts to extract client identification/authentication information from a message.
/// </summary>
/// <param name="authorizationServerHost">The authorization server host.</param>
/// <param name="requestMessage">The incoming message.</param>
/// <param name="clientIdentifier">Receives the client identifier, if one was found.</param>
/// <returns>The level of the extracted client information.</returns>
public override ClientAuthenticationResult TryAuthenticateClient(IAuthorizationServerHost authorizationServerHost, AuthenticatedClientRequestBase requestMessage, out string clientIdentifier)
{
Requires.NotNull(authorizationServerHost, "authorizationServerHost");
Requires.NotNull(requestMessage, "requestMessage");
clientIdentifier = requestMessage.ClientIdentifier;
return(TryAuthenticateClientBySecret(authorizationServerHost, requestMessage.ClientIdentifier, requestMessage.ClientSecret));
}
private static IChannelBindingElement[] InitializeBindingElements(IAuthorizationServerHost authorizationServer, ClientAuthenticationModule clientAuthenticationModule)
{
var bindingElements = new List <IChannelBindingElement>();
bindingElements.Add(new MessageValidationBindingElement(clientAuthenticationModule));
bindingElements.Add(new TokenCodeSerializationBindingElement());
return(bindingElements.ToArray());
}
/// <summary>
/// Initializes the binding elements for the OAuth channel.
/// </summary>
/// <param name="authorizationServer">The authorization server.</param>
/// <param name="clientAuthenticationModule">The aggregating client authentication module.</param>
/// <returns>
/// An array of binding elements used to initialize the channel.
/// </returns>
private static IChannelBindingElement[] InitializeBindingElements(IAuthorizationServerHost authorizationServer, ClientAuthenticationModule clientAuthenticationModule)
{
var bindingElements = new List <IChannelBindingElement>();
// The order they are provided is used for outgoing messgaes, and reversed for incoming messages.
bindingElements.Add(new MessageValidationBindingElement(clientAuthenticationModule));
bindingElements.Add(new TokenCodeSerializationBindingElement());
return(bindingElements.ToArray());
}
public override ClientAuthenticationResult TryAuthenticateClient(IAuthorizationServerHost authorizationServerHost, AuthenticatedClientRequestBase requestMessage, out string clientIdentifier)
{
var credential = OAuthUtilities.ParseHttpBasicAuth(requestMessage.Headers);
if (credential != null)
{
clientIdentifier = credential.UserName;
return(TryAuthenticateClientBySecret(authorizationServerHost, credential.UserName, credential.Password));
}
clientIdentifier = null;
return(ClientAuthenticationResult.NoAuthenticationRecognized);
}
/// <summary>
/// Attempts to extract client identification/authentication information from a message.
/// </summary>
/// <param name="authorizationServerHost">The authorization server host.</param>
/// <param name="requestMessage">The incoming message.</param>
/// <param name="clientIdentifier">Receives the client identifier, if one was found.</param>
/// <returns>The level of the extracted client information.</returns>
public override ClientAuthenticationResult TryAuthenticateClient(IAuthorizationServerHost authorizationServerHost, AuthenticatedClientRequestBase requestMessage, out string clientIdentifier) {
Requires.NotNull(authorizationServerHost, "authorizationServerHost");
Requires.NotNull(requestMessage, "requestMessage");
var credential = OAuthUtilities.ParseHttpBasicAuth(requestMessage.Headers);
if (credential != null) {
clientIdentifier = credential.UserName;
return TryAuthenticateClientBySecret(authorizationServerHost, credential.UserName, credential.Password);
}
clientIdentifier = null;
return ClientAuthenticationResult.NoAuthenticationRecognized;
}
/// <summary>
/// Gets information about the client with a given identifier.
/// </summary>
/// <param name="authorizationServer">The authorization server.</param>
/// <param name="clientIdentifier">The client identifier.</param>
/// <returns>The client information. Never null.</returns>
internal static IClientDescription GetClientOrThrow(this IAuthorizationServerHost authorizationServer, string clientIdentifier)
{
Requires.NotNullOrEmpty(clientIdentifier, "clientIdentifier");
try {
var result = authorizationServer.GetClient(clientIdentifier);
ErrorUtilities.VerifyHost(result != null, OAuthStrings.ResultShouldNotBeNull, authorizationServer.GetType().FullName, "GetClient(string)");
return(result);
} catch (KeyNotFoundException ex) {
throw ErrorUtilities.Wrap(ex, AuthServerStrings.ClientOrTokenSecretNotFound);
} catch (ArgumentException ex) {
throw ErrorUtilities.Wrap(ex, AuthServerStrings.ClientOrTokenSecretNotFound);
}
}
/// <summary>
/// Creates a serializer/deserializer for this type.
/// </summary>
/// <param name="authorizationServer">The authorization server that will be serializing/deserializing this authorization code. Must not be null.</param>
/// <returns>A DataBag formatter.</returns>
internal static IDataBagFormatter<AuthorizationCode> CreateFormatter(IAuthorizationServerHost authorizationServer) {
Requires.NotNull(authorizationServer, "authorizationServer");
var cryptoStore = authorizationServer.CryptoKeyStore;
ErrorUtilities.VerifyHost(cryptoStore != null, OAuthStrings.ResultShouldNotBeNull, authorizationServer.GetType(), "CryptoKeyStore");
return new UriStyleMessageFormatter<AuthorizationCode>(
cryptoStore,
AuthorizationCodeKeyBucket,
signed: true,
encrypted: true,
compressed: false,
maximumAge: MaximumMessageAge,
decodeOnceOnly: authorizationServer.NonceStore);
}
/// <summary>
/// Creates a serializer/deserializer for this type.
/// </summary>
/// <param name="authorizationServer">The authorization server that will be serializing/deserializing this authorization code. Must not be null.</param>
/// <returns>A DataBag formatter.</returns>
internal static IDataBagFormatter<AuthorizationCode> CreateFormatter(IAuthorizationServerHost authorizationServer) {
Requires.NotNull(authorizationServer, "authorizationServer");
Contract.Ensures(Contract.Result<IDataBagFormatter<AuthorizationCode>>() != null);
var cryptoStore = authorizationServer.CryptoKeyStore;
ErrorUtilities.VerifyHost(cryptoStore != null, OAuthStrings.ResultShouldNotBeNull, authorizationServer.GetType(), "CryptoKeyStore");
return new UriStyleMessageFormatter<AuthorizationCode>(
cryptoStore,
AuthorizationCodeKeyBucket,
signed: true,
encrypted: true,
compressed: false,
maximumAge: MaximumMessageAge,
decodeOnceOnly: authorizationServer.NonceStore);
}
public static IDataBagFormatter <AuthorizationCode> CreateFormatter(IAuthorizationServerHost authorizationServer)
{
var cryptoStore = authorizationServer.CryptoKeyStore;
ErrorUtilities.VerifyHost(cryptoStore != null, OAuthStrings.ResultShouldNotBeNull, authorizationServer.GetType(), "CryptoKeyStore");
return(new UriStyleMessageFormatter <AuthorizationCode>(
cryptoStore,
AuthorizationCodeKeyBucket,
signed: true,
encrypted: true,
compressed: false,
maximumAge: MaximumMessageAge,
decodeOnceOnly: authorizationServer.NonceStore
));
}
internal OAuth2Coordinator(
AuthorizationServerDescription serverDescription,
IAuthorizationServerHost authServerHost,
TClient client,
Action <TClient> clientAction,
Action <AuthorizationServer> authServerAction)
: base(clientAction, authServerAction)
{
Requires.NotNull(serverDescription, "serverDescription");
Requires.NotNull(authServerHost, "authServerHost");
Requires.NotNull(client, "client");
this.serverDescription = serverDescription;
this.authServerHost = authServerHost;
this.client = client;
this.client.ClientIdentifier = OAuth2TestBase.ClientId;
this.client.ClientCredentialApplicator = ClientCredentialApplicator.PostParameter(OAuth2TestBase.ClientSecret);
}
/// <summary>
/// Validates a client identifier and shared secret against the authoriation server's database.
/// </summary>
/// <param name="authorizationServerHost">The authorization server host; cannot be <c>null</c>.</param>
/// <param name="clientIdentifier">The alleged client identifier.</param>
/// <param name="clientSecret">The alleged client secret to be verified.</param>
/// <returns>An indication as to the outcome of the validation.</returns>
protected static ClientAuthenticationResult TryAuthenticateClientBySecret(IAuthorizationServerHost authorizationServerHost, string clientIdentifier, string clientSecret) {
Requires.NotNull(authorizationServerHost, "authorizationServerHost");
if (!string.IsNullOrEmpty(clientIdentifier)) {
var client = authorizationServerHost.GetClient(clientIdentifier);
if (client != null) {
if (!string.IsNullOrEmpty(clientSecret)) {
if (client.IsValidClientSecret(clientSecret)) {
return ClientAuthenticationResult.ClientAuthenticated;
} else { // invalid client secret
return ClientAuthenticationResult.ClientAuthenticationRejected;
}
} else { // no client secret provided
return ClientAuthenticationResult.ClientIdNotAuthenticated;
}
} else { // The client identifier is not recognized.
return ClientAuthenticationResult.ClientAuthenticationRejected;
}
} else { // no client id provided.
return ClientAuthenticationResult.NoAuthenticationRecognized;
}
}
public OAuth2AuthorizationServerChannel(IAuthorizationServerHost authorizationServer, ClientAuthenticationModule clientAuthenticationModule)
: base(MessageTypes, InitializeBindingElements(authorizationServer, clientAuthenticationModule))
{
this.AuthorizationServer = authorizationServer;
}
/// <summary> /// Attempts to extract client identification/authentication information from a message. /// </summary> /// <param name="authorizationServerHost">The authorization server host.</param> /// <param name="requestMessage">The incoming message.</param> /// <param name="clientIdentifier">Receives the client identifier, if one was found.</param> /// <returns>The level of the extracted client information.</returns> public abstract ClientAuthenticationResult TryAuthenticateClient(IAuthorizationServerHost authorizationServerHost, AuthenticatedClientRequestBase requestMessage, out string clientIdentifier);
/// <summary>
/// Initializes a new instance of the <see cref="OAuth2AuthorizationServerChannel"/> class.
/// </summary>
/// <param name="authorizationServer">The authorization server.</param>
/// <param name="clientAuthenticationModule">The aggregating client authentication module.</param>
protected internal OAuth2AuthorizationServerChannel(IAuthorizationServerHost authorizationServer, ClientAuthenticationModule clientAuthenticationModule)
: base(MessageTypes, InitializeBindingElements(authorizationServer, clientAuthenticationModule)) {
Requires.NotNull(authorizationServer, "authorizationServer");
this.AuthorizationServer = authorizationServer;
}
/// <summary>
/// Initializes the binding elements for the OAuth channel.
/// </summary>
/// <param name="authorizationServer">The authorization server.</param>
/// <param name="clientAuthenticationModule">The aggregating client authentication module.</param>
/// <returns>
/// An array of binding elements used to initialize the channel.
/// </returns>
private static IChannelBindingElement[] InitializeBindingElements(IAuthorizationServerHost authorizationServer, ClientAuthenticationModule clientAuthenticationModule) {
Requires.NotNull(authorizationServer, "authorizationServer");
Requires.NotNull(clientAuthenticationModule, "clientAuthenticationModule");
var bindingElements = new List<IChannelBindingElement>();
// The order they are provided is used for outgoing messgaes, and reversed for incoming messages.
bindingElements.Add(new MessageValidationBindingElement(clientAuthenticationModule));
bindingElements.Add(new TokenCodeSerializationBindingElement());
return bindingElements.ToArray();
}
/// <summary>
/// Initializes a new instance of the <see cref="OAuth2AuthorizationServerChannel"/> class.
/// </summary>
/// <param name="authorizationServer">The authorization server.</param>
/// <param name="clientAuthenticationModule">The aggregating client authentication module.</param>
protected internal OAuth2AuthorizationServerChannel(IAuthorizationServerHost authorizationServer, ClientAuthenticationModule clientAuthenticationModule)
: base(MessageTypes, InitializeBindingElements(authorizationServer, clientAuthenticationModule))
{
Requires.NotNull(authorizationServer, "authorizationServer");
this.AuthorizationServer = authorizationServer;
}
/// <summary>
/// Initializes a new instance of the <see cref="AuthorizationServer"/> class.
/// </summary>
/// <param name="authorizationServer">The authorization server.</param>
public AuthorizationServer(IAuthorizationServerHost authorizationServer) {
Requires.NotNull(authorizationServer, "authorizationServer");
this.Channel = new OAuth2AuthorizationServerChannel(authorizationServer);
}
public abstract ClientAuthenticationResult TryAuthenticateClient(IAuthorizationServerHost authorizationServerHost, AuthenticatedClientRequestBase requestMessage, out string clientIdentifier);