public override Task ValidateIdentity(OAuthValidateIdentityContext context) { var ipToken = context.Ticket.Properties.Dictionary["UserIp"]; var ipRequest = context.Request.RemoteIpAddress; if (!ipToken.Equals(ipRequest)) { context.Rejected(); context.SetError("MENSAJE_ERROR_TOKEN_IP_INVALIDA"); return(Task.FromResult <object>(null)); } if (context.Request.Headers.ContainsKey("Authorization")) { var tokenRequest = context.Request.Headers["Authorization"].Replace("Bearer ", "").Trim(); var strIdUsuario = context.Ticket.Properties.Dictionary["IdUsuario"]; //var tokenTaskHelper = TokenTaskHelper.GetInstance(); var tokenUsuario = TokenTaskHelper.GetToken(strIdUsuario); if (tokenUsuario == null || !tokenUsuario.Equals(tokenRequest)) { var login = new LoginController(); var idUsuario = Int64.Parse(strIdUsuario); var tokenAux = login.GetTokenUsuario(idUsuario); tokenUsuario = TokenTaskHelper.SetToken(strIdUsuario, tokenAux); } if (!tokenUsuario.Equals(tokenRequest)) { context.Rejected(); context.SetError("MENSAJE_ERROR_TOKEN_USUAIRO_INCONSISTENTE"); return(Task.FromResult <object>(null)); } } return(base.ValidateIdentity(context)); }
public override Task ValidateIdentity(OAuthValidateIdentityContext context) { if (context == null) { throw new ArgumentNullException("context"); } if (context.Ticket.Identity.Claims.Count() == 0) { context.Rejected(); } else if (context.Ticket.Identity.Claims.All(c => c.Issuer == ClaimsIdentity.DefaultIssuer)) { context.Rejected(); } return(Task.FromResult <object>(null)); }
public Task ValidateIdentity(OAuthValidateIdentityContext context) { System.Security.Claims.Claim claim = context.Ticket.Identity.Claims.Where(x => x.Type == "userGetwayIP" && x.Value.ToString() == HttpContext.Current.Request.UserHostAddress.ToString()).FirstOrDefault(); if (claim == null) { context.SetError("Inform that you are a good boy :) don't try this step again"); context.Rejected(); context.Response.StatusCode = 400; } else if (checkInjection(context)) { context.SetError("Not acceptable input"); context.Rejected(); context.Response.StatusCode = 406; } return(Task.FromResult <object>(null)); }
public Task ValidateIdentity(OAuthValidateIdentityContext context) { if (!string.IsNullOrEmpty(token)) { var tokenHandler = new JwtSecurityTokenHandler(); var validationParameters = new TokenValidationParameters() { ValidAudience = "all", IssuerSigningToken = new BinarySecretSecurityToken(Convert.FromBase64String("KJiuweUH2234KJBJbkjk234234fgdfc56566")), ValidIssuer = "http://vcdbpoc-staging.azurewebsites.net" }; try { SecurityToken securityToken; var claimsPrinciple = tokenHandler.ValidateToken(token, validationParameters, out securityToken); context.Validated(new ClaimsIdentity(claimsPrinciple.Claims, OAuthDefaults.AuthenticationType)); return(Task.FromResult(0)); } catch (Exception ex) { context.Rejected(); return(Task.FromResult(0)); } //var notPadded = token.Split('.')[1]; //var padded = notPadded.PadRight(notPadded.Length + (4 - notPadded.Length % 4) % 4, '='); //var urlUnescaped = padded.Replace('-', '+').Replace('_', '/'); //var claimsPart = Convert.FromBase64String(urlUnescaped); //var obj = JObject.Parse(Encoding.UTF8.GetString(claimsPart, 0, claimsPart.Length)); //// simple, not handling specific types, arrays, etc. //foreach (var prop in obj.Properties().AsJEnumerable()) //{ // if (!context.Ticket.Identity.HasClaim(prop.Name, prop.Value.Value<string>())) // { // context.Ticket.Identity.AddClaim(new Claim(prop.Name, prop.Value.Value<string>())); // } //} } context.Rejected(); return(Task.FromResult(0)); }
public async Task ValidateIdentity(OAuthValidateIdentityContext context) { if (context == null) { throw new ArgumentNullException("context"); } if (context.Ticket.Identity.Claims.Count() == 0) { context.Rejected(); } else if (context.Ticket.Identity.Claims.All(c => c.Issuer == ClaimsIdentity.DefaultIssuer)) { context.Rejected(); } else { var accessToken = context.Ticket.Identity.FindFirst(Security.ClaimTypes.AccessToken); if (accessToken != null && !string.IsNullOrEmpty(accessToken.Value)) { try { var response = await "https://www.googleapis.com/oauth2/v3/tokeninfo" .SetQueryParam("access_token", accessToken.Value) .GetAsync(); if (!response.IsSuccessStatusCode) { context.Rejected(); } else { context.Validated(); } } catch (FlurlHttpException ex) { context.Rejected(); } } else { context.Rejected(); } } }
public override Task ValidateIdentity(OAuthValidateIdentityContext context) { var claims = context.Ticket.Identity.Claims; if (claims.Count() == 0 || claims.Any(claim => claim.Issuer != "Facebook" && claim.Issuer != "Twitter" && claim.Issuer != "LOCAL_AUTHORITY")) { context.Rejected(); } return(Task.FromResult <object>(null)); }
// This validates the identity based on the issuer of the claim. // The issuer is set in the API endpoint that logs the user in public override Task ValidateIdentity(OAuthValidateIdentityContext context) { IEnumerable <Claim> claims = context.Ticket.Identity.Claims; if (null == claims || 0 == claims.Count() || claims.Any(claim => claim.Issuer.ToString() != "Facebook" && claim.Issuer.ToString() != "Google" && claim.Issuer.ToString() != "LOCAL_AUTHORITY")) { context.Rejected(); } return(Task.FromResult <object>(null)); }
public override Task ValidateIdentity(OAuthValidateIdentityContext context) { var identity = context.Ticket?.Identity; var masterIdClaim = identity?.Claims.FirstOrDefault(x => x.Type == "masterId"); if (masterIdClaim == null) { context.Rejected(); } else { var storedIdentity = this.principalStorage[masterIdClaim.Value]; if (storedIdentity == null) { context.Rejected(); } } return(base.ValidateIdentity(context)); }
// This validates the identity based on the issuer of the claim. // The issuer is set in the API endpoint that logs the user in public override Task ValidateIdentity(OAuthValidateIdentityContext context) { IEnumerable <Claim> claims = context.Ticket.Identity.Claims; if (!claims.Any() || claims.Any(claim => claim.Type != "GoogleAccessToken")) // modify claim name { context.Rejected(); } return(Task.FromResult <object>(null)); }
// This validates the identity based on the issuer of the claim. // The issuer is set in the API endpoint that logs the user in public override Task ValidateIdentity(OAuthValidateIdentityContext context) { var claims = context.Ticket.Identity.Claims; var enumerable = claims as Claim[] ?? claims.ToArray(); if (!enumerable.Any() || enumerable.Any(claim => claim.Issuer != "Facebook" && claim.Issuer != "LOCAL_AUTHORITY")) { context.Rejected(); } return(Task.FromResult <object>(null)); }
public override Task ValidateIdentity(OAuthValidateIdentityContext context) { var identity = context.Ticket?.Identity; var userIdClaim = identity?.Claims.FirstOrDefault(x => x.Type == ClaimTypes.NameIdentifier); if (userIdClaim == null) { context.Rejected(); } return(base.ValidateIdentity(context)); }
public override System.Threading.Tasks.Task ValidateIdentity(OAuthValidateIdentityContext context) { if (context == null) { throw new ArgumentNullException("context"); } if (context.Ticket.Identity.Claims.Any(c => c.Issuer != ClaimsIdentity.DefaultIssuer)) { context.Rejected(); } return(Task.FromResult <object>(null)); }
public override Task ValidateIdentity(OAuthValidateIdentityContext context) { var claims = context.Ticket.Identity.Claims; var enumerable = claims as IList <Claim> ?? claims.ToList(); if (!enumerable.Any() || enumerable.Any(claim => claim.Issuer != ClaimsIdentity.DefaultIssuer)) { context.Rejected(); } return(Task.FromResult <object>(null)); }
public override Task ValidateIdentity(OAuthValidateIdentityContext context) { if (context.Ticket.Properties.ExpiresUtc < DateTime.UtcNow) { context.SetError("invalid_grant", "Access Token has expired."); context.Rejected(); return(ThreadingExtensions.NoResult); } var userId = context.Ticket.Identity.GetUserGuid(); var issuedGuid = context.Ticket.Properties .GetIssuedGuid(); if (!_authKeyRepository.ValidateAuthKey(userId, issuedGuid)) { context.SetError("invalid_token", "Access Token has not been properly set or has been invalidated."); context.Rejected(); return(ThreadingExtensions.NoResult); } context.Validated(); return(ThreadingExtensions.NoResult); }
public Task ValidateIdentity(OAuthValidateIdentityContext context) { // if token valid var userGuid = context.Ticket.Identity.Claims.Where(c => c.Type == "UserGuid").First().Value; if (!memCache.Contains(userGuid, null)) { context.Rejected(); // if i want to reject the token return(null); } return(Task.FromResult <object>(null)); }
public override Task ValidateIdentity(OAuthValidateIdentityContext context) { ClaimsIdentity claimIdentity = context.Ticket.Identity; var claims = claimIdentity.Claims; var userManager = context.OwinContext.GetUserManager <ApplicationUserManager>(); var user = userManager.FindByName(claimIdentity.Name); var sts = userManager.GetSecurityStamp(user.Id); var owin = HttpContext.Current.GetOwinContext(); var stsid = claims.Where(c => c.Type == "sts:id").Select(c => c.Value).SingleOrDefault(); var stsdata = claims.Where(c => c.Type == "sts:ds").Select(c => c.Value).SingleOrDefault(); if (string.IsNullOrEmpty(sts) || string.IsNullOrEmpty(stsid) || string.IsNullOrEmpty(stsdata)) { context.Rejected(); } else if (stsdata != CryptographService.CreateMacCode(sts, stsid)) { context.Rejected(); } return(base.ValidateIdentity(context)); }
// This validates the identity based on the issuer of the claim. // The issuer is set in the API endpoint that logs the user in public override Task ValidateIdentity(OAuthValidateIdentityContext context) { UserManager <ApplicationUser> userManager = context.OwinContext.GetUserManager <ApplicationUserManager>(); var user = userManager.FindById(context.Ticket.Identity.GetUserId()); var claims = context.Ticket.Identity.Claims; if (user == null || (claims.FirstOrDefault(claim => claim.Type == "AspNet.Identity.SecurityStamp") == null || claims.Any(claim => claim.Type == "AspNet.Identity.SecurityStamp" && !claim.Value.Equals(user.SecurityStamp)))) { // Client could not be validated. context.SetError("invalid_token", "Client token is invalid."); context.Rejected(); } return(Task.FromResult <object>(null)); //return Simple.FromResult(0); }
public override Task ValidateIdentity(OAuthValidateIdentityContext context) { if (context == null) { throw new ArgumentNullException("context"); } // code to invalidate multiple login by comparing security stamp claim and its current value in DB //var path = HttpContext.Current.Server.MapPath(string.Format("~/{0}", "Log.txt")); //File.AppendAllText(path, Environment.NewLine); //File.AppendAllText(path, "Requested fro ValidateIdentity at : " + DateTime.Now); //var securityStampClaim = context.Ticket.Identity.Claims.FirstOrDefault(x => x.Type == Constants.DefaultSecurityStampClaimType); //var userIdClaim = context.Ticket.Identity.Claims.FirstOrDefault(x => x.Type == ClaimTypes.NameIdentifier); //if (securityStampClaim == null || userIdClaim == null) //{ // context.Rejected(); //} //using (var manager = new IdentityManager<TUser>()) //{ // var user = manager.ApplicationUserManager.Users.FirstOrDefault(x => x.Id == new Guid(userIdClaim.Value)); // if (!string.Equals(user.SecurityStamp, securityStampClaim.Value, StringComparison.CurrentCultureIgnoreCase)) // { // context.Rejected(); // //context.SetError("Multiple login is not allowed."); // File.AppendAllText(path, "Request rejected ........"); // File.AppendAllText(path, Environment.NewLine); // } //} if (context.Ticket.Identity.Claims.Any(c => c.Issuer != ClaimsIdentity.DefaultIssuer)) { context.Rejected(); } return(Task.FromResult <object>(null)); }
public override Task ValidateIdentity(OAuthValidateIdentityContext context) { bool validated = false; base.ValidateIdentity(context); ApplicationDbContext dbContext = context.OwinContext.Get <ApplicationDbContext>(); ApplicationUserManager userManager = context.OwinContext.GetUserManager <ApplicationUserManager>(); if (context.Ticket != null && context.Ticket.Identity != null) { if (context.Ticket.Identity.Claims.SingleOrDefault(c => c.Type == OAuthClientCredentialsGrantKey) != null) { Guid clientId = new Guid(context.Ticket.Identity.Name); if (dbContext.OAuthClients.SingleOrDefault(oac => oac.ClientId == clientId && oac.Enabled == true) != null) { validated = true; context.Validated(); } } else { Claim oauthSessionId = context.Ticket.Identity.Claims.SingleOrDefault(c => c.Type == OAuthSessionClaimKey); if (oauthSessionId != null) { OAuthSession oauthSession = dbContext.OAuthSessions.SingleOrDefault(oas => oas.Id.ToString() == oauthSessionId.Value); if (oauthSession != null) { validated = true; context.Validated(); } } } } if (!validated) { context.SetError("Invalid Token", "The Access Token is invalid."); context.Rejected(); } return(Task.FromResult <object>(null)); }
public Task ValidateIdentity(OAuthValidateIdentityContext context) { context.Rejected(); Guid userSessionToken; if (JwtHelper.TryGetUserSessionToken(context.Ticket.Identity, out userSessionToken)) { using (var container = UnityConfig.GetContainer().CreateChildContainer()) { var userSessionBusinessLogic = (IUserSessionBusinessLogic)container.Resolve(typeof(IUserSessionBusinessLogic)); var isValid = userSessionBusinessLogic.GetIsUserSessionValid(userSessionToken); if (isValid) { context.Validated(); } } } return(Task.CompletedTask); }
public override async Task ValidateIdentity(OAuthValidateIdentityContext context) { var owinContext = context.OwinContext; var ticket = context.Ticket; var identity = ticket?.Identity; if (identity == null || owinContext == null) { context.Rejected(); return; } var claimClientId = identity.FindFirst(IntersectClaimTypes.ClientId); if (!Guid.TryParse(claimClientId?.Value, out var clientId)) { context.SetError("invalid_token_client"); return; } var claimUserId = identity.FindFirst(IntersectClaimTypes.UserId); if (!Guid.TryParse(claimUserId?.Value, out var userId)) { context.SetError("invalid_token_user"); return; } var claimTicketId = identity.FindFirst(IntersectClaimTypes.TicketId); if (!Guid.TryParse(claimTicketId?.Value, out var ticketId)) { context.SetError("invalid_ticket_id"); return; } var refreshToken = RefreshToken.FindForTicket(ticketId); if (refreshToken == null) { context.Rejected(); return; } if (ticket.Properties?.ExpiresUtc < DateTime.UtcNow) { context.SetError("access_token_expired"); return; } if (refreshToken.ClientId != clientId || refreshToken.UserId != userId) { RefreshToken.Remove(refreshToken.Id, true); context.Rejected(); return; } owinContext.Set("refresh_token", refreshToken); context.Validated(); }
public override async Task ValidateIdentity(OAuthValidateIdentityContext context) { try { await base.ValidateIdentity(context); // token validate, only one valid token, diffrent jti to diffrent ticket // one time one valid token #region Claims vlidate var nameClaim = context.Ticket.Identity.Claims.FirstOrDefault(x => x.Type == ClaimTypes.NameIdentifier); if (nameClaim == null) { _log.Error("subject is not in ticket"); context.SetError("subject is not in ticket"); context.OwinContext.Set("error", "subject is not in ticket."); context.Rejected(); return; } var projectClaim = context.Ticket.Identity.Claims.FirstOrDefault(x => x.Type == "iss"); if (projectClaim == null) { _log.Error("iss is not in ticket"); context.SetError("iss is not in ticket"); context.OwinContext.Set("error", "iss is not in ticket."); context.Rejected(); return; } var audClaim = context.Ticket.Identity.Claims.FirstOrDefault(x => x.Type == "aud"); if (audClaim == null) { _log.Error("client_id is not in ticket"); context.SetError("client_id is not in ticket"); context.OwinContext.Set("error", "client_id is not in ticket."); context.Rejected(); return; } var jtiClaim = context.Ticket.Identity.Claims.FirstOrDefault(x => x.Type == "jti"); if (jtiClaim == null) { _log.Error("jti is not in ticket"); context.SetError("jti is not in ticket"); context.OwinContext.Set("error", "jti is not in ticket."); context.Rejected(); return; } #endregion var projectId = projectClaim.Value; var registerUser = nameClaim.Value; var clientId = audClaim.Value; var jti = jtiClaim.Value; if (string.IsNullOrEmpty(clientId)) { _log.Error("client_id is null"); context.SetError("client_id is null"); context.OwinContext.Set("error", "client_id is null."); context.Rejected(); return; } //var refreshTokens = await Task.Run(() => _authServices.GetAllRefreshTokens(clientId)); //if (refreshTokens == null || refreshTokens.Count == 0) //{ // _log.Error("ticket is missing"); // context.SetError("ticket is missing"); // context.OwinContext.Set("error", "ticket is missing."); // context.Rejected(); // return; //} //if (!refreshTokens.Any(x => (x.ProjectId == projectId && x.Subject == registerUser))) //{ // _log.Error("ticket is not valid"); // context.SetError("ticket is not valid"); // context.OwinContext.Set("error", "ticket is not valid."); // context.Rejected(); // return; //} //var rft = refreshTokens.First(x => (x.ProjectId == projectId && x.Subject == registerUser)); // validate ticket jti&server jti //var serverJti = rft.TokenId; //if (!serverJti.Equals(jti)) //{ // _log.Error("jti is not valid"); // context.SetError("jti is not valid"); // context.OwinContext.Set("error", "Token已更新,请使用最新的Token。"); // context.Rejected(); // return; //} #region IP validate var ip = context.Request.RemoteIpAddress; _log.Info($"request ip({ip}) is validating..."); // find allowed ips & validate ip //var client = _authServices.FindClient(clientId); //if (client != null) //{ // if (!projectId.Equals(client.ProjectId)) // { // _log.Error("client's projectId is not valid."); // context.SetError("client's projectId is not valid."); // context.OwinContext.Set("error", "client's projectId is not valid."); // return; // } // var allowedIPs = client.AllowedIPs; // if (string.IsNullOrEmpty(allowedIPs)) // { // _log.Error($"IP({ip}) is not allowed in this client."); // context.SetError($"IP({ip}) is not allowed in this client."); // context.OwinContext.Set("error", $"IP({ip}) is not allowed in this client."); // return; // } // if (allowedIPs != "*") // { // var detailIPs = allowedIPs.Split(';'); // if (detailIPs.All(x => x != ip)) // { // _log.Error($"IP({ip}) is not allowed in this client."); // context.OwinContext.Set("error", $"IP({ip}) is not allowed in this client."); // context.Rejected(); // } // } //} #endregion } catch (Exception ex) { _log.Error(ex.Message); _log.Error(ex.StackTrace); context.Rejected(); } }
public override Task ValidateIdentity(OAuthValidateIdentityContext context) { var authorizationBearerToken = context.Request.Headers["Authorization"]; if (string.IsNullOrWhiteSpace(authorizationBearerToken)) { context.Rejected(); return(Task.FromResult(false)); } else { var authorizationBearerTokenParts = authorizationBearerToken .Split(' '); var accessToken = authorizationBearerTokenParts .LastOrDefault(); var claims = new List <Claim>(); StuntmanUser user = null; if (authorizationBearerTokenParts.Count() != 2 || string.IsNullOrWhiteSpace(accessToken)) { context.Response.StatusCode = 400; context.Response.ReasonPhrase = "Authorization header is not in correct format."; context.Rejected(); return(Task.FromResult(false)); } else { user = options.Users .Where(x => x.AccessToken == accessToken) .FirstOrDefault(); if (user == null) { if (!options.AllowBearerTokenPassthrough) { context.Response.StatusCode = 403; context.Response.ReasonPhrase = $"options provided does not include the requested '{accessToken}' user."; context.Rejected(); } return(Task.FromResult(false)); } else { claims.Add(new Claim("access_token", accessToken)); } } claims.Add(new Claim(ClaimTypes.Name, user.Name)); claims.AddRange(user.Claims); var identity = new ClaimsIdentity(claims, Constants.StuntmanAuthenticationType, user.NameClaimType, user.RoleClaimType); context.Validated(identity); var authManager = context.OwinContext.Authentication; authManager.SignIn(identity); if (options.AfterBearerValidateIdentity != null) { options.AfterBearerValidateIdentity(context); } return(Task.FromResult(true)); } }