public async Task <GrantedToken> Execute(GetTokenViaTicketIdParameter parameter, AuthenticationHeaderValue authenticationHeaderValue, X509Certificate2 certificate, string issuerName) { // 1. Check parameters. if (parameter == null) { throw new ArgumentNullException(nameof(parameter)); } if (string.IsNullOrWhiteSpace(parameter.Ticket)) { throw new BaseUmaException(ErrorCodes.InvalidRequestCode, string.Format(ErrorDescriptions.TheParameterNeedsToBeSpecified, PostAuthorizationNames.TicketId)); } if (string.IsNullOrWhiteSpace(parameter.Ticket)) { throw new ArgumentNullException(nameof(parameter.Ticket)); } // 2. Try to authenticate the client. var instruction = CreateAuthenticateInstruction(parameter, authenticationHeaderValue, certificate); var authResult = await _authenticateClient.AuthenticateAsync(instruction, issuerName); var client = authResult.Client; if (client == null) { throw new BaseUmaException(ErrorCodes.InvalidClient, authResult.ErrorMessage); } if (client.GrantTypes == null || !client.GrantTypes.Contains(GrantType.uma_ticket)) { throw new BaseUmaException(ErrorCodes.InvalidGrant, string.Format(ErrorDescriptions.TheClientDoesntSupportTheGrantType, client.ClientId, GrantType.uma_ticket)); } // 3. Retrieve the ticket. var json = JsonConvert.SerializeObject(parameter); _umaServerEventSource.StartGettingAuthorization(json); var ticket = await _ticketStore.GetAsync(parameter.Ticket); if (ticket == null) { throw new BaseUmaException(ErrorCodes.InvalidTicket, string.Format(ErrorDescriptions.TheTicketDoesntExist, parameter.Ticket)); } // 4. Check the ticket. if (ticket.ExpirationDateTime < DateTime.UtcNow) { throw new BaseUmaException(ErrorCodes.ExpiredTicket, ErrorDescriptions.TheTicketIsExpired); } _umaServerEventSource.CheckAuthorizationPolicy(json); var claimTokenParameter = new ClaimTokenParameter { Token = parameter.ClaimToken, Format = parameter.ClaimTokenFormat }; // 4. Check the authorization. var authorizationResult = await _authorizationPolicyValidator.IsAuthorized(ticket, client.ClientId, claimTokenParameter); if (authorizationResult.Type != AuthorizationPolicyResultEnum.Authorized) { _umaServerEventSource.RequestIsNotAuthorized(json); throw new BaseUmaException(ErrorCodes.InvalidGrant, ErrorDescriptions.TheAuthorizationPolicyIsNotSatisfied); } // 5. Generate a granted token. var grantedToken = await GenerateTokenAsync(client, ticket.Lines, "openid", issuerName); await _tokenStore.AddToken(grantedToken); await _ticketStore.RemoveAsync(ticket.Id); return(grantedToken); }
public async Task <IEnumerable <AuthorizationResponse> > Execute(IEnumerable <GetAuthorizationActionParameter> parameters, string clientId) { var result = new List <AuthorizationResponse>(); var rptLifeTime = await _configurationService.GetRptLifeTime(); // 1. Check parameters. if (parameters == null) { throw new ArgumentNullException(nameof(parameters)); } if (string.IsNullOrWhiteSpace(clientId)) { throw new ArgumentNullException(nameof(clientId)); } // 2. Retrieve the tickets. _umaServerEventSource.StartGettingAuthorization(JsonConvert.SerializeObject(parameters)); var tickets = await _ticketRepository.Get(parameters.Select(p => p.TicketId)); var rptLst = new List <Rpt>(); // 3. Check parameters. foreach (var parameter in parameters) { var json = JsonConvert.SerializeObject(parameter); if (string.IsNullOrWhiteSpace(parameter.TicketId)) { throw new BaseUmaException(ErrorCodes.InvalidRequestCode, string.Format(ErrorDescriptions.TheParameterNeedsToBeSpecified, PostAuthorizationNames.TicketId)); } var ticket = tickets.FirstOrDefault(t => t.Id == parameter.TicketId); if (ticket == null) { throw new BaseUmaException(ErrorCodes.InvalidTicket, string.Format(ErrorDescriptions.TheTicketDoesntExist, parameter.TicketId)); } if (ticket.ClientId != clientId) { throw new BaseUmaException(ErrorCodes.InvalidTicket, ErrorDescriptions.TheTicketIssuerIsDifferentFromTheClient); } if (ticket.ExpirationDateTime < DateTime.UtcNow) { throw new BaseUmaException(ErrorCodes.ExpiredTicket, ErrorDescriptions.TheTicketIsExpired); } _umaServerEventSource.CheckAuthorizationPolicy(json); var authorizationResult = await _authorizationPolicyValidator.IsAuthorized(ticket, clientId, parameter.ClaimTokenParameters); if (authorizationResult.Type != AuthorizationPolicyResultEnum.Authorized) { _umaServerEventSource.RequestIsNotAuthorized(json); result.Add(new AuthorizationResponse { AuthorizationPolicyResult = authorizationResult.Type, ErrorDetails = authorizationResult.ErrorDetails }); continue; } var rpt = new Rpt { Value = Guid.NewGuid().ToString(), TicketId = ticket.Id, ResourceSetId = ticket.ResourceSetId, CreateDateTime = DateTime.UtcNow, ExpirationDateTime = DateTime.UtcNow.AddSeconds(rptLifeTime) }; rptLst.Add(rpt); result.Add(new AuthorizationResponse { AuthorizationPolicyResult = AuthorizationPolicyResultEnum.Authorized, Rpt = rpt.Value }); _umaServerEventSource.RequestIsAuthorized(json); } // 4. Persist the RPTs. if (rptLst.Any()) { await _repositoryExceptionHelper.HandleException( ErrorDescriptions.TheRptCannotBeInserted, () => _rptRepository.Insert(rptLst)); } return(result); }
public async Task <GetTokenByTicketIdResponse> Execute(GetTokenViaTicketIdParameter parameter, string openidProvider, string issuerName) { // 1. Check parameters. if (parameter == null) { throw new ArgumentNullException(nameof(parameter)); } if (string.IsNullOrWhiteSpace(parameter.Ticket)) { throw new BaseUmaException(ErrorCodes.InvalidRequestCode, string.Format(ErrorDescriptions.TheParameterNeedsToBeSpecified, PostAuthorizationNames.TicketId)); } if (string.IsNullOrWhiteSpace(parameter.Ticket)) { throw new ArgumentNullException(nameof(parameter.Ticket)); } if (string.IsNullOrWhiteSpace(openidProvider)) { throw new ArgumentNullException(nameof(openidProvider)); } // 2. Retrieve the ticket. var json = JsonConvert.SerializeObject(parameter); _umaServerEventSource.StartGettingAuthorization(json); var ticket = await _ticketStore.GetAsync(parameter.Ticket).ConfigureAwait(false); if (ticket == null) { throw new BaseUmaException(ErrorCodes.InvalidTicket, string.Format(ErrorDescriptions.TheTicketDoesntExist, parameter.Ticket)); } // 3. Check the ticket. if (ticket.ExpirationDateTime < DateTime.UtcNow) { throw new BaseUmaException(ErrorCodes.ExpiredTicket, ErrorDescriptions.TheTicketIsExpired); } _umaServerEventSource.CheckAuthorizationPolicy(json); var claimTokenParameter = new ClaimTokenParameter { Token = parameter.ClaimToken, Format = parameter.ClaimTokenFormat }; // 4. Check the authorization. var authorizationResult = await _authorizationPolicyValidator.IsAuthorized(openidProvider, ticket, claimTokenParameter).ConfigureAwait(false); if (!authorizationResult.IsValid) { _umaServerEventSource.RequestIsNotAuthorized(json); return(new GetTokenByTicketIdResponse { IsValid = false, ResourceValidationResult = authorizationResult }); } // 5. Generate a granted token. var grantedToken = await GenerateTokenAsync(ticket.Audiences, ticket.Lines, "openid", issuerName).ConfigureAwait(false); await _tokenStore.AddToken(grantedToken); await _ticketStore.RemoveAsync(ticket.Id); return(new GetTokenByTicketIdResponse { IsValid = true, GrantedToken = grantedToken }); }