/// <summary>
/// Requests an RSTS access token with the client_credentials grant, authenticated by the
/// configured client certificate, and returns the token as a <see cref="SecureString"/>.
/// </summary>
/// <returns>
/// The access_token from the RSTS response, or null when the JSON reply carries no access_token.
/// </returns>
/// <exception cref="ObjectDisposedException">Thrown when this authenticator has been disposed.</exception>
/// <exception cref="SafeguardDotNetException">Thrown when RSTS cannot be reached or rejects the grant.</exception>
protected override SecureString GetRstsTokenInternal()
{
    if (_disposed)
    {
        throw new ObjectDisposedException("CertificateAuthenticator");
    }

    // Without an explicit provider the built-in certificate provider scope is requested;
    // otherwise the configured provider name is resolved to its scope first.
    var providerScope = string.IsNullOrEmpty(_provider)
        ? "rsts:sts:primaryproviderid:certificate"
        : ResolveProviderToScope(_provider);

    var tokenRequest = new RestRequest("oauth2/token", RestSharp.Method.POST)
        .AddHeader("Accept", "application/json")
        .AddHeader("Content-type", "application/json")
        .AddJsonBody(new { grant_type = "client_credentials", scope = providerScope });

    // The TLS client certificate is what authenticates this grant; it is attached to the shared RSTS client.
    RstsClient.ClientCertificates = new X509Certificate2Collection { _clientCertificate.Certificate };

    var tokenResponse = RstsClient.Execute(tokenRequest);
    if (tokenResponse.ResponseStatus != ResponseStatus.Completed)
    {
        throw new SafeguardDotNetException(
            $"Unable to connect to RSTS service {RstsClient.BaseUrl}, Error: {tokenResponse.ErrorMessage}");
    }
    if (!tokenResponse.IsSuccessful)
    {
        throw new SafeguardDotNetException(
            $"Error using client_credentials grant_type with {_clientCertificate}, Error: {tokenResponse.StatusCode} {tokenResponse.Content}",
            tokenResponse.StatusCode, tokenResponse.Content);
    }

    var accessToken = JObject.Parse(tokenResponse.Content).GetValue("access_token");
    return accessToken?.ToString().ToSecureString();
}
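/// <summary>
/// Requests an RSTS access token with the resource-owner password grant for the configured
/// username, password and provider scope, and returns the token as a <see cref="SecureString"/>.
/// </summary>
/// <returns>The access_token from the RSTS response.</returns>
/// <exception cref="ObjectDisposedException">Thrown when this authenticator has been disposed.</exception>
/// <exception cref="SafeguardDotNetException">
/// Thrown when RSTS cannot be reached, rejects the grant, or answers successfully without an access_token.
/// </exception>
protected override SecureString GetRstsTokenInternal()
{
    if (_disposed)
    {
        throw new ObjectDisposedException("PasswordAuthenticator");
    }

    // The provider scope is resolved lazily and cached; ResolveProviderToScope is expected
    // to either populate _providerScope or throw.
    if (_providerScope == null)
    {
        ResolveProviderToScope();
    }

    var request = new RestRequest("oauth2/token", RestSharp.Method.POST)
        .AddHeader("Accept", "application/json")
        .AddHeader("Content-type", "application/json")
        .AddJsonBody(new
        {
            grant_type = "password",
            username = _username,
            // SecureString handling here basically negates the use of a secure string anyway, but when calling a Web API
            // I'm not sure there is anything you can do about it. Note the plaintext copy stays reachable (and so in
            // managed memory) for as long as this request object is.
            password = _password.ToInsecureString(),
            scope = _providerScope
        });

    var response = RstsClient.Execute(request);
    if (response.ResponseStatus != ResponseStatus.Completed)
    {
        throw new SafeguardDotNetException($"Unable to connect to RSTS service {RstsClient.BaseUrl}, Error: " + response.ErrorMessage);
    }
    if (!response.IsSuccessful)
    {
        throw new SafeguardDotNetException(
            $"Error using password grant_type with scope {_providerScope}, Error: " +
            $"{response.StatusCode} {response.Content}", response.StatusCode, response.Content);
    }

    // A 2xx reply without an access_token previously surfaced as a NullReferenceException from
    // GetValue(...).ToString(); report it as the library's own exception type instead.
    var jObject = JObject.Parse(response.Content);
    var accessToken = jObject.GetValue("access_token")?.ToString();
    if (string.IsNullOrEmpty(accessToken))
    {
        throw new SafeguardDotNetException("RSTS token response did not contain an access_token");
    }
    return accessToken.ToSecureString();
}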
protected override SecureString GetRstsTokenInternal() { if (_disposed) { throw new ObjectDisposedException("CertificateAuthenticator"); } var request = new RestRequest("oauth2/token", RestSharp.Method.POST) .AddHeader("Accept", "application/json") .AddHeader("Content-type", "application/json") .AddJsonBody(new { grant_type = "client_credentials", scope = "rsts:sts:primaryproviderid:certificate" }); var userCert = !string.IsNullOrEmpty(_certificateThumbprint) ? CertificateUtilities.GetClientCertificateFromStore(_certificateThumbprint) : CertificateUtilities.GetClientCertificateFromFile(_certificatePath, _certificatePassword); RstsClient.ClientCertificates = new X509Certificate2Collection() { userCert }; var response = RstsClient.Execute(request); if (response.ResponseStatus != ResponseStatus.Completed) { throw new SafeguardDotNetException($"Unable to connect to RSTS service {RstsClient.BaseUrl}, Error: " + response.ErrorMessage); } if (!response.IsSuccessful) { throw new SafeguardDotNetException("Error using client_credentials grant_type with " + $"{(string.IsNullOrEmpty(_certificatePath) ? $"thumbprint={_certificateThumbprint}" : $"file={_certificatePath}")}" + $", Error: {response.StatusCode} {response.Content}", response.Content); }
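/// <summary>
/// Resolves the configured <c>_provider</c> name to an RSTS primary provider scope and caches it in
/// <c>_providerScope</c>. The provider list is fetched from the RSTS login controller, first with a
/// POST and, if that raises a <see cref="WebException"/>, with a GET.
/// </summary>
/// <exception cref="SafeguardDotNetException">
/// Thrown when no provider name is configured, RSTS cannot be reached, RSTS returns an error, the
/// reply has no <c>Providers</c> array, or no known provider matches <c>_provider</c>. Any other
/// failure is wrapped in this exception type.
/// </exception>
private void ResolveProviderToScope()
{
    try
    {
        // An empty provider name can never match a provider Id, so fail with a clear message up front.
        if (string.IsNullOrEmpty(_provider))
        {
            throw new SafeguardDotNetException("No identity provider name was given to resolve to an RSTS scope");
        }

        var response = FetchIdentityProviders();
        if (response.ResponseStatus != ResponseStatus.Completed)
        {
            throw new SafeguardDotNetException(
                "Unable to connect to RSTS to find identity provider scopes, Error: " + response.ErrorMessage);
        }
        if (!response.IsSuccessful)
        {
            throw new SafeguardDotNetException(
                "Error requesting identity provider scopes from RSTS, Error: " +
                $"{response.StatusCode} {response.Content}", response.StatusCode, response.Content);
        }

        var jObject = JObject.Parse(response.Content);
        var jProviders = jObject["Providers"] as JArray;
        if (jProviders == null)
        {
            throw new SafeguardDotNetException("RSTS identity provider response did not contain a 'Providers' array");
        }
        var knownScopes = jProviders.Select(p => p["Id"]).Values<string>()
            .Where(id => !string.IsNullOrEmpty(id))
            .ToArray();

        // An exact (case-insensitive) match wins; the substring match is only a fallback.
        // Previously the fallback result was never used because the code tested _providerScope
        // (always null at this point) instead of the matched scope, so every inexact match threw.
        var scope = knownScopes.FirstOrDefault(s => s.EqualsNoCase(_provider))
                    ?? knownScopes.FirstOrDefault(s => s.ContainsNoCase(_provider));
        if (scope == null)
        {
            throw new SafeguardDotNetException(
                $"Unable to find scope matching '{_provider}' in [{string.Join(",", knownScopes)}]");
        }
        _providerScope = $"rsts:sts:primaryproviderid:{scope}";
    }
    catch (SafeguardDotNetException)
    {
        throw;
    }
    catch (Exception ex)
    {
        throw new SafeguardDotNetException("Unable to connect to determine identity provider", ex);
    }
}

// Fetches the RSTS identity provider list. Tries the POST form of the login controller request
// first; if that raises a WebException, retries with the equivalent GET (without the body).
private IRestResponse FetchIdentityProviders()
{
    try
    {
        var postRequest = new RestRequest("UserLogin/LoginController", RestSharp.Method.POST)
            .AddHeader("Accept", "application/json")
            .AddHeader("Content-type", "application/x-www-form-urlencoded")
            .AddParameter("response_type", "token", ParameterType.QueryString)
            .AddParameter("redirect_uri", "urn:InstalledApplication", ParameterType.QueryString)
            .AddParameter("loginRequestStep", 1, ParameterType.QueryString)
            .AddJsonBody("RelayState=");
        return RstsClient.Execute(postRequest);
    }
    catch (WebException)
    {
        Log.Debug("Caught exception with POST to find identity provider scopes, trying GET");
        var getRequest = new RestRequest("UserLogin/LoginController", RestSharp.Method.GET)
            .AddHeader("Accept", "application/json")
            .AddHeader("Content-type", "application/x-www-form-urlencoded")
            .AddParameter("response_type", "token", ParameterType.QueryString)
            .AddParameter("redirect_uri", "urn:InstalledApplication", ParameterType.QueryString)
            .AddParameter("loginRequestStep", 1, ParameterType.QueryString);
        return RstsClient.Execute(getRequest);
    }
}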