 /// <summary>
 /// Builds a compact JWT: base64url(header) "." base64url(payload) "." signature,
 /// where the signature is computed by <paramref name="sign"/> over the first two segments.
 /// </summary>
 /// <param name="jsonPayload">The claims as a JSON document; emitted as-is, not validated.</param>
 /// <param name="sign">Signer whose <c>AlgorithmName</c> is advertised in the <c>alg</c> header field.</param>
 /// <returns>The three-part token string.</returns>
 public static string CreateJsonWebToken(string jsonPayload, ISigningAlgorithm sign)
 {
     // Header is fixed apart from the algorithm name the signer reports.
     var header = "{\"alg\":\"" + sign.AlgorithmName + "\",\"typ\":\"JWT\"}";

     var encodedHeader  = Base64Utility.UTF8UrlEncode(header);
     var encodedPayload = Base64Utility.UTF8UrlEncode(jsonPayload);

     // The signing input is exactly the two encoded segments joined by a dot.
     var signingInput = string.Concat(encodedHeader, ".", encodedPayload);
     var signature    = sign.Sign(signingInput);

     return string.Concat(signingInput, ".", signature);
 }
        /// <summary>
        /// Signs an outgoing request: builds the canonical signature content from the
        /// request, signs it with the app secret and attaches the Authorization,
        /// X-AppId, X-Nonce and Date headers the server needs to recompute it.
        /// </summary>
        /// <param name="request">The request to sign; mutated in place.</param>
        /// <param name="cancellationToken">Not used by this step.</param>
        /// <returns>The same <paramref name="request"/> instance, now carrying the auth headers.</returns>
        protected override HttpRequestMessage ProcessRequest(HttpRequestMessage request, CancellationToken cancellationToken)
        {
            // Read nonce and timestamp exactly once so the values folded into
            // the signature are the same ones emitted as headers.
            var currentNonce   = nonceGenerator.NextNonce;
            var issuedAt       = time.UtcNow;
            var contentHeaders = request.Content?.Headers;

            var signedContent = new HmacSignatureContent
            {
                Nonce       = currentNonce,
                AppId       = appId,
                Date        = issuedAt,
                Method      = request.Method.Method,
                Accepts     = string.Join(", ", request.Headers.Accept),
                ContentType = contentHeaders?.ContentType?.ToString(),
                ContentMd5  = contentHeaders?.ContentMD5,
                Uri         = request.RequestUri
            };

            // Only what ends up in the canonical string is covered by the HMAC.
            var canonical = signedContent.ToCanonicalString();
            var signature = signingAlgorithm.Sign(secret, canonical);

            var headers = request.Headers;
            headers.Authorization = new AuthenticationHeaderValue(Schemas.HMAC, signature);
            headers.Add(Headers.XAppId, appId);
            headers.Add(Headers.XNonce, currentNonce);
            headers.Date = issuedAt;

            return request;
        }
        /// <summary>
        /// Signs an outgoing request with a byte-oriented signer: the canonical
        /// representation is UTF-8 encoded, signed, and the signature is sent
        /// base64-encoded in a Bearer Authorization header alongside X-Client,
        /// X-Nonce and Date.
        /// </summary>
        /// <param name="request">The request to sign; mutated in place.</param>
        /// <param name="cancellationToken">Not used by this step.</param>
        /// <returns>The same <paramref name="request"/> instance, now carrying the auth headers.</returns>
        protected override HttpRequestMessage ProcessRequest(HttpRequestMessage request, CancellationToken cancellationToken)
        {
            var currentNonce   = nonceGenerator.NextNonce();
            var issuedAt       = time.UtcNow;
            var contentHeaders = request.Content?.Headers;
            var acceptValues   = request.Headers.Accept.Select(x => x.ToString()).ToArray();

            // Canonical representation of everything the signature covers.
            var canonical = new CannonicalRepresentationBuilder().BuildRepresentation(
                currentNonce,
                client,
                request.Method.Method,
                contentHeaders?.ContentType?.ToString(),
                acceptValues,
                contentHeaders?.ContentMD5,
                issuedAt,
                request.RequestUri);

            // This signer works on raw bytes and returns bytes, hence the
            // explicit UTF-8 encode and the base64 form on the wire.
            var rawSignature     = signingAlgorithm.Sign(secret, Encoding.UTF8.GetBytes(canonical));
            var encodedSignature = Convert.ToBase64String(rawSignature);

            var headers = request.Headers;
            headers.Authorization = new AuthenticationHeaderValue(Schemas.Bearer, encodedSignature);
            headers.Add(Headers.XClient, client);
            headers.Add(Headers.XNonce, currentNonce);
            headers.Date = issuedAt;

            return request;
        }
        /// <summary>
        /// Signs an outgoing request: builds the canonical representation via
        /// <see cref="CannonicalRepresentationBuilder"/>, signs it with the app
        /// secret and attaches the HMAC Authorization, X-AppId, X-Nonce and Date headers.
        /// </summary>
        /// <param name="request">The request to sign; mutated in place.</param>
        /// <param name="cancellationToken">Not used by this step.</param>
        /// <returns>The same <paramref name="request"/> instance, now carrying the auth headers.</returns>
        protected override HttpRequestMessage ProcessRequest(HttpRequestMessage request, CancellationToken cancellationToken)
        {
            // Read nonce and timestamp exactly once so the values folded into
            // the signature are the same ones emitted as headers.
            var currentNonce   = nonceGenerator.NextNonce;
            var issuedAt       = time.UtcNow;
            var contentHeaders = request.Content?.Headers;
            var acceptValues   = string.Join(", ", request.Headers.Accept);

            var canonical = new CannonicalRepresentationBuilder().BuildRepresentation(
                currentNonce,
                appId,
                request.Method.Method,
                contentHeaders?.ContentType?.ToString(),
                acceptValues,
                contentHeaders?.ContentMD5,
                issuedAt,
                request.RequestUri);

            var signature = signingAlgorithm.Sign(secret, canonical);

            var headers = request.Headers;
            headers.Authorization = new AuthenticationHeaderValue(Schemas.HMAC, signature);
            headers.Add(Headers.XAppId, appId);
            headers.Add(Headers.XNonce, currentNonce);
            headers.Date = issuedAt;

            return request;
        }
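        /// <summary>
        /// Verifies the HMAC signature of an incoming request before handing it
        /// to the inner handler; anything that does not verify is answered with
        /// 401 and a WWW-Authenticate challenge.
        /// </summary>
        /// <param name="request">The request to authenticate.</param>
        /// <param name="cancellationToken">Propagated to the inner handler.</param>
        /// <returns>The inner handler's response, or a 401 response.</returns>
        protected override async Task<HttpResponseMessage> SendAsync(
            HttpRequestMessage request,
            CancellationToken cancellationToken)
        {
            var h = request.Headers;

            // In mixed mode only requests that explicitly present the HMAC
            // scheme are validated here; everything else is passed through.
            if (mixedAuthMode && h.Authorization?.Scheme != Schemas.HMAC)
            {
                return await base.SendAsync(request, cancellationToken);
            }

            // GetValues throws when the header is absent, so both custom
            // headers are guarded; a missing one simply fails validation below
            // instead of surfacing as a 500.
            var appId = h.Contains(Headers.XAppId)
                ? h.GetValues(Headers.XAppId).FirstOrDefault()
                : null;
            var nonce = h.Contains(Headers.XNonce)
                ? h.GetValues(Headers.XNonce).FirstOrDefault()
                : null;
            var authValue = h.Authorization?.Parameter;
            var date      = h.Date ?? DateTimeOffset.MinValue;

            // Symmetric skew window: a Date far in the future must be rejected
            // too, otherwise a captured request stays valid until that time.
            if (appId != null &&
                authValue != null &&
                (time.UtcNow - date).Duration() <= tolerance)
            {
                // Bodiless requests carry a null Content; dereferencing it
                // directly turned such requests into a 500 instead of a 401.
                var contentHeaders = request.Content?.Headers;
                var builder = new CannonicalRepresentationBuilder();
                var content = builder.BuildRepresentation(
                    nonce,
                    appId,
                    request.Method.Method,
                    contentHeaders?.ContentType?.ToString(),
                    string.Join(", ", h.Accept),
                    contentHeaders?.ContentMD5,
                    date,
                    request.RequestUri);

                if (content != null)
                {
                    SecureString secret = appSecretRepository.GetSecret(appId);
                    if (secret != null)
                    {
                        var signature = signingAlgorithm.Sign(secret, content);

                        // Compare without short-circuiting: `==` returns at the
                        // first differing character, which leaks through timing
                        // how much of a presented signature was right.
                        var mismatch = signature == null ? 1 : authValue.Length ^ signature.Length;
                        if (signature != null)
                        {
                            var n = Math.Min(authValue.Length, signature.Length);
                            for (var i = 0; i < n; i++)
                            {
                                mismatch |= authValue[i] ^ signature[i];
                            }
                        }

                        if (mismatch == 0)
                        {
                            return await base.SendAsync(request, cancellationToken);
                        }
                    }
                }
            }

            return new HttpResponseMessage(HttpStatusCode.Unauthorized)
            {
                Headers =
                {
                    { Headers.WWWAuthenticate, Schemas.HMAC }
                }
            };
        }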
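        /// <summary>
        /// OWIN middleware entry point: verifies the request's HMAC headers and
        /// either continues the pipeline or answers 401 with a challenge.
        /// </summary>
        /// <param name="context">The OWIN context of the current request.</param>
        public override async Task Invoke(IOwinContext context)
        {
            var req = context.Request;
            var res = context.Response;
            var h   = req.Headers;

            var appId = h.Get(Headers.XAppId);

            // Expected form is "<scheme> <value>"; anything else yields nulls.
            var auth       = h.Get(Headers.Authorization)?.Split(' ');
            var authSchema = auth?.Length == 2 ? auth[0] : null;
            var authValue  = auth?.Length == 2 ? auth[1] : null;

            // NOTE(review): TryParse here is culture-sensitive; the header is
            // presumably RFC 1123 — confirm whether a fixed culture/style is needed.
            DateTimeOffset date;
            if (!DateTimeOffset.TryParse(h.Get(Headers.Date), out date))
            {
                date = DateTimeOffset.MinValue;
            }

            // Symmetric skew window: a Date far in the future must be rejected
            // too, otherwise a captured request stays valid until that time.
            if (appId != null &&
                authSchema == Schemas.HMAC &&
                authValue != null &&
                (time.UtcNow - date).Duration() <= tolerance)
            {
                // Content-MD5 is optional: a missing header is passed as null,
                // and a malformed one cannot have been signed, so it fails
                // validation instead of throwing (which used to produce a 500).
                var contentMd5Header = h.Get(Headers.ContentMD5);
                byte[] contentMd5 = null;
                var contentMd5Valid = true;
                if (contentMd5Header != null)
                {
                    try
                    {
                        contentMd5 = Convert.FromBase64String(contentMd5Header);
                    }
                    catch (FormatException)
                    {
                        contentMd5Valid = false;
                    }
                }

                if (contentMd5Valid)
                {
                    var builder = new CannonicalRepresentationBuilder();
                    var content = builder.BuildRepresentation(
                        h.Get(Headers.XNonce),
                        appId,
                        req.Method,
                        req.ContentType,
                        req.Accept,
                        contentMd5,
                        date,
                        req.Uri);

                    if (content != null)
                    {
                        SecureString secret = appSecretRepository.GetSecret(appId);
                        if (secret != null)
                        {
                            var signature = signingAlgorithm.Sign(secret, content);

                            // Compare without short-circuiting: `==` returns at
                            // the first differing character, which leaks through
                            // timing how much of a presented signature was right.
                            var mismatch = signature == null ? 1 : authValue.Length ^ signature.Length;
                            if (signature != null)
                            {
                                var n = Math.Min(authValue.Length, signature.Length);
                                for (var i = 0; i < n; i++)
                                {
                                    mismatch |= authValue[i] ^ signature[i];
                                }
                            }

                            if (mismatch == 0)
                            {
                                await Next.Invoke(context);

                                return;
                            }
                        }
                    }
                }
            }

            res.StatusCode = 401;
            res.Headers.Append(Headers.WWWAuthenticate, Schemas.HMAC);
        }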
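        /// <summary>
        /// Checks an OWIN request's HMAC headers against the app secret on record.
        /// </summary>
        /// <param name="req">The incoming request.</param>
        /// <param name="algorithm">Signer used to recompute the expected signature.</param>
        /// <param name="appSecretRepository">Source of the per-app secret.</param>
        /// <param name="time">Clock used for the skew check.</param>
        /// <param name="tolerance">Maximum distance, in either direction, between the Date header and now.</param>
        /// <returns><c>true</c> when the presented signature verifies; <c>false</c> otherwise.</returns>
        internal static bool Validate(IOwinRequest req, ISigningAlgorithm algorithm, IAppSecretRepository appSecretRepository, ITime time, TimeSpan tolerance)
        {
            var h = req.Headers;

            var appId = GetAppId(req);
            var nonce = GetNonce(req);

            // Expected form is "<scheme> <value>"; anything else yields nulls.
            var auth       = h.Get(Headers.Authorization)?.Split(' ');
            var authSchema = auth?.Length == 2 ? auth[0] : null;
            var authValue  = auth?.Length == 2 ? auth[1] : null;

            // NOTE(review): TryParse here is culture-sensitive; the header is
            // presumably RFC 1123 — confirm whether a fixed culture/style is needed.
            DateTimeOffset date;
            if (!DateTimeOffset.TryParse(h.Get(Headers.Date), out date))
            {
                date = DateTimeOffset.MinValue;
            }

            // Symmetric skew window: a Date far in the future must be rejected
            // too, otherwise a captured request stays valid until that time.
            if (appId != null &&
                authSchema == Schemas.HMAC &&
                authValue != null &&
                (time.UtcNow - date).Duration() <= tolerance)
            {
                // A malformed Content-MD5 cannot have been signed; treat it as
                // a failed validation rather than letting FormatException escape.
                var contentMd5Header = h.Get(Headers.ContentMD5);
                byte[] contentMd5 = null;
                if (contentMd5Header != null)
                {
                    try
                    {
                        contentMd5 = Convert.FromBase64String(contentMd5Header);
                    }
                    catch (FormatException)
                    {
                        return false;
                    }
                }

                var builder = new CannonicalRepresentationBuilder();
                var content = builder.BuildRepresentation(
                    nonce,
                    appId,
                    req.Method,
                    req.ContentType,
                    req.Accept,
                    contentMd5,
                    date,
                    req.Uri);

                if (content != null)
                {
                    SecureString secret = appSecretRepository.GetSecret(appId);
                    if (secret != null)
                    {
                        var signature = algorithm.Sign(secret, content);

                        // Compare without short-circuiting: `==` returns at the
                        // first differing character, which leaks through timing
                        // how much of a presented signature was right.
                        var mismatch = signature == null ? 1 : authValue.Length ^ signature.Length;
                        if (signature != null)
                        {
                            var n = Math.Min(authValue.Length, signature.Length);
                            for (var i = 0; i < n; i++)
                            {
                                mismatch |= authValue[i] ^ signature[i];
                            }
                        }

                        if (mismatch == 0)
                        {
                            return true;
                        }
                    }
                }
            }

            return false;
        }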
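        /// <summary>
        /// Resolves the request's signature content, validates its date,
        /// recomputes the signature with the app's secret and compares it with
        /// the one the client presented.
        /// </summary>
        /// <param name="req">The request to authenticate.</param>
        /// <returns>A result carrying the authenticated app id.</returns>
        /// <exception cref="HmacAuthenticationException">The presented signature does not match the recomputed one.</exception>
        public HmacAuthenticationResult Authenticate(HmacRequestInfo req)
        {
            string clientSignature = ResolveSignature(req.Headers);

            HmacSignatureContent signatureContent = signatureContentResolver.Resolve(req);

            // The date check runs before the secret lookup; if it rejects the
            // request (presumably by throwing), no signing work is done.
            dateValidator.Validate(signatureContent.Date);

            SecureString secret       = GetAppSecret(signatureContent.AppId);
            string       signatureSrc = signatureContent.ToCanonicalString();
            string       signature    = algorithm.Sign(secret, signatureSrc);

            // A null on either side is a mismatch — the plain `!=` accepted the
            // case where both were null — and the comparison must not stop at
            // the first differing character, which would leak through timing.
            var mismatch = 1;
            if (signature != null && clientSignature != null)
            {
                mismatch = signature.Length ^ clientSignature.Length;
                var n = Math.Min(signature.Length, clientSignature.Length);
                for (var i = 0; i < n; i++)
                {
                    mismatch |= signature[i] ^ clientSignature[i];
                }
            }

            if (mismatch != 0)
            {
                throw new HmacAuthenticationException($"Signature mismatch. Signature src: '{signatureSrc}'");
            }

            return new HmacAuthenticationResult(signatureContent.AppId);
        }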