public async Task OnValidatePrincipalTestSuccess(bool isPersistent)
        {
            var user = new TestUser("test");
            var userManager = MockHelpers.MockUserManager<TestUser>();
            var claimsManager = new Mock<IUserClaimsPrincipalFactory<TestUser>>();
            var identityOptions = new IdentityOptions { SecurityStampValidationInterval = TimeSpan.Zero };
            var options = new Mock<IOptions<IdentityOptions>>();
            options.Setup(a => a.Options).Returns(identityOptions);
            var httpContext = new Mock<HttpContext>();
            var contextAccessor = new Mock<IHttpContextAccessor>();
            contextAccessor.Setup(a => a.HttpContext).Returns(httpContext.Object);
            var signInManager = new Mock<SignInManager<TestUser>>(userManager.Object,
                contextAccessor.Object, claimsManager.Object, options.Object, null);
            signInManager.Setup(s => s.ValidateSecurityStampAsync(It.IsAny<ClaimsPrincipal>(), user.Id)).ReturnsAsync(user).Verifiable();
            signInManager.Setup(s => s.SignInAsync(user, isPersistent, null)).Returns(Task.FromResult(0)).Verifiable();
            var services = new ServiceCollection();
            services.AddInstance(options.Object);
            services.AddInstance(signInManager.Object);
            services.AddInstance<ISecurityStampValidator>(new SecurityStampValidator<TestUser>());
            httpContext.Setup(c => c.RequestServices).Returns(services.BuildServiceProvider());
            var id = new ClaimsIdentity(IdentityOptions.ApplicationCookieAuthenticationScheme);
            id.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.Id));

            var ticket = new AuthenticationTicket(new ClaimsPrincipal(id), 
                new AuthenticationProperties { IssuedUtc = DateTimeOffset.UtcNow, IsPersistent = isPersistent }, 
                IdentityOptions.ApplicationCookieAuthenticationScheme);
            var context = new CookieValidatePrincipalContext(httpContext.Object, ticket, new CookieAuthenticationOptions());
            Assert.NotNull(context.Properties);
            Assert.NotNull(context.Options);
            Assert.NotNull(context.Principal);
            await
                SecurityStampValidator.ValidatePrincipalAsync(context);
            Assert.NotNull(context.Principal);
            signInManager.VerifyAll();
        }
 public async Task<string> StoreAsync(AuthenticationTicket ticket)
 {
     var guid = Guid.NewGuid();
     var key = KeyPrefix + guid.ToString();
     await RenewAsync(key, ticket);
     return key;
 }
示例#3
0
 public static AuthenticateResult Success(AuthenticationTicket ticket)
 {
     if (ticket == null)
     {
         throw new ArgumentNullException(nameof(ticket));
     }
     return new AuthenticateResult() { Ticket = ticket };
 }
 public async Task OnValidatePrincipalThrowsWithEmptyServiceCollection()
 {
     var httpContext = new Mock<HttpContext>();
     httpContext.Setup(c => c.RequestServices).Returns(new ServiceCollection().BuildServiceProvider());
     var id = new ClaimsPrincipal(new ClaimsIdentity(IdentityOptions.ApplicationCookieAuthenticationScheme));
     var ticket = new AuthenticationTicket(id, new AuthenticationProperties { IssuedUtc = DateTimeOffset.UtcNow }, IdentityOptions.ApplicationCookieAuthenticationScheme);
     var context = new CookieValidatePrincipalContext(httpContext.Object, ticket, new CookieAuthenticationOptions());
     var ex = await Assert.ThrowsAsync<InvalidOperationException>(() => SecurityStampValidator.ValidatePrincipalAsync(context));
     Assert.True(ex.Message.Contains("No service for type 'Microsoft.Framework.OptionsModel.IOptions"));
 }
 /// <summary>
 /// Initializes a new instance of the <see cref="TokenEndpointContext"/> class
 /// </summary>
 /// <param name="context"></param>
 /// <param name="options"></param>
 /// <param name="request"></param>
 /// <param name="ticket"></param>
 internal TokenEndpointContext(
     HttpContext context,
     OpenIdConnectServerOptions options,
     OpenIdConnectMessage request,
     AuthenticationTicket ticket)
     : base(context) {
     Options = options;
     Request = request;
     Ticket = ticket;
 }
 public SigningInContext(
     HttpContext context,
     AuthenticationTicket ticket)
     : base(context)
 {
     if (ticket != null)
     {
         Principal = ticket.Principal;
         Properties = ticket.Properties;
     }
 }
 public TicketReceivedContext(HttpContext context, RemoteAuthenticationOptions options, AuthenticationTicket ticket)
     : base(context)
 {
     Options = options;
     AuthenticationTicket = ticket;
     if (ticket != null)
     {
         Principal = ticket.Principal;
         Properties = ticket.Properties;
     }
 }
 protected ReturnEndpointContext(
     HttpContext context,
     AuthenticationTicket ticket)
     : base(context)
 {
     if (ticket != null)
     {
         Principal = ticket.Principal;
         Properties = ticket.Properties;
     }
 }
 /// <summary>
 /// Initializes a new instance of the <see cref="SerializeAccessTokenContext"/> class
 /// </summary>
 /// <param name="context"></param>
 /// <param name="options"></param>
 /// <param name="request"></param>
 /// <param name="response"></param>
 /// <param name="ticket"></param>
 internal SerializeAccessTokenContext(
     HttpContext context,
     OpenIdConnectServerOptions options,
     OpenIdConnectMessage request,
     OpenIdConnectMessage response,
     AuthenticationTicket ticket)
     : base(context) {
     Options = options;
     Request = request;
     Response = response;
     AuthenticationTicket = ticket;
 }
 /// <summary>
 /// Initializes a new instance of the <see cref="TokenEndpointResponseContext"/> class
 /// </summary>
 /// <param name="context"></param>
 /// <param name="options"></param>
 /// <param name="ticket"></param>
 /// <param name="request"></param>
 /// <param name="payload"></param>
 internal TokenEndpointResponseContext(
     HttpContext context,
     OpenIdConnectServerOptions options,
     AuthenticationTicket ticket,
     OpenIdConnectMessage request,
     JObject payload)
     : base(context) {
     Options = options;
     AuthenticationTicket = ticket;
     Request = request;
     Payload = payload;
 }
 /// <summary>
 /// Initializes a new instance of the <see cref="AuthorizationEndpointResponseContext"/> class
 /// </summary>
 /// <param name="context"></param>
 /// <param name="options"></param>
 /// <param name="ticket"></param>
 /// <param name="request"></param>
 /// <param name="response"></param>
 internal AuthorizationEndpointResponseContext(
     HttpContext context,
     OpenIdConnectServerOptions options,
     AuthenticationTicket ticket,
     OpenIdConnectMessage request,
     OpenIdConnectMessage response)
     : base(context) {
     Options = options;
     AuthenticationTicket = ticket;
     Request = request;
     Response = response;
 }
示例#12
0
        public Task RenewAsync(string key, AuthenticationTicket ticket) {
            var options = new MemoryCacheEntryOptions();
            var expiresUtc = ticket.Properties.ExpiresUtc;
            if(expiresUtc.HasValue) {
                options.SetAbsoluteExpiration(expiresUtc.Value);
            }
            options.SetSlidingExpiration(TimeSpan.FromHours(1)); // TODO: configurable.

            _cache.Set(key, ticket, options);

            return Task.FromResult(0);
        }
        public AuthenticationTokenCreateContext(HttpContext context, ISecureDataFormat<AuthenticationTicket> secureDataFormat, AuthenticationTicket ticket)
            : base(context)
        {
            if (secureDataFormat == null)
                throw new ArgumentNullException(nameof(secureDataFormat));

            if (ticket == null)
                throw new ArgumentNullException(nameof(ticket));

            _secureDataFormat = secureDataFormat;

            Ticket = ticket;
        }
        public void NullPrincipalThrows()
        {
            var properties = new AuthenticationProperties();
            properties.RedirectUri = "bye";
            var ticket = new AuthenticationTicket(properties, "Hello");

            using (var stream = new MemoryStream())
            using (var writer = new BinaryWriter(stream))
            using (var reader = new BinaryReader(stream))
            {
                Assert.Throws<ArgumentNullException>(() => TicketSerializer.Write(writer, ticket));
            }
        }
        public Task RenewAsync(string key, AuthenticationTicket ticket)
        {
            _cache.Set(key, ticket, context =>
            {
                var expiresUtc = ticket.Properties.ExpiresUtc;
                if (expiresUtc.HasValue)
                {
                    context.SetAbsoluteExpiration(expiresUtc.Value);
                }
                context.SetSlidingExpiration(TimeSpan.FromHours(1)); // TODO: configurable.

                return (AuthenticationTicket)context.State;
            });
            return Task.FromResult(0);
        }
示例#16
0
        public override Task GrantResourceOwnerCredentials(GrantResourceOwnerCredentialsContext context)
        {

                var user = us.IsValidUser(context.UserName, context.Password);
                if(user!= null)
                {


                // Validate the credentials here (e.g using ASP.NET Identity).
                // You can call Rejected() with an error code/description to reject
                // the request and return a message to the caller.

                VMUser vu = new VMUser(user);

                var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
                identity.AddClaim(ClaimTypes.NameIdentifier, user.username, "token id_token");
                identity.AddClaim("profile", JsonConvert.SerializeObject(vu), "token id_token");

                // By default, claims are not serialized in the access and identity tokens.
                // Use the overload taking a "destination" to make sure your claims
                // are correctly inserted in the appropriate tokens.
                // identity.AddClaim("urn:customclaim", "value", "token id_token");

                var ticket = new AuthenticationTicket(
                    new ClaimsPrincipal(identity),
                    new AuthenticationProperties(),
                    context.Options.AuthenticationScheme);

                // Call SetResources with the list of resource servers
                // the access token should be issued for.
                ticket.SetResources(new[] { "api" });

                // Call SetScopes with the list of scopes you want to grant
                // (specify offline_access to issue a refresh token).
                ticket.SetScopes(new[] {"api" });

                context.Validated(ticket);

            }
            else
            {
                context.Rejected();
            }
            return Task.FromResult<object>(null);
        
    }
        public void CanRoundTripEmptyPrincipal()
        {
            var properties = new AuthenticationProperties();
            properties.RedirectUri = "bye";
            var ticket = new AuthenticationTicket(new ClaimsPrincipal(), properties, "Hello");

            using (var stream = new MemoryStream())
            using (var writer = new BinaryWriter(stream))
            using (var reader = new BinaryReader(stream))
            {
                TicketSerializer.Write(writer, ticket);
                stream.Position = 0;
                var readTicket = TicketSerializer.Read(reader);
                readTicket.Principal.Identities.Count().ShouldBe(0);
                readTicket.Properties.RedirectUri.ShouldBe("bye");
                readTicket.AuthenticationScheme.ShouldBe("Hello");
            }
        }
        public void CanRoundTripBootstrapContext()
        {
            var serializer = new TicketSerializer();
            var properties = new AuthenticationProperties();

            var ticket = new AuthenticationTicket(new ClaimsPrincipal(), properties, "Hello");
            ticket.Principal.AddIdentity(new ClaimsIdentity("misc") { BootstrapContext = "bootstrap" });

            using (var stream = new MemoryStream())
            using (var writer = new BinaryWriter(stream))
            using (var reader = new BinaryReader(stream))
            {
                serializer.Write(writer, ticket);
                stream.Position = 0;
                var readTicket = serializer.Read(reader);
                Assert.Equal(1, readTicket.Principal.Identities.Count());
                Assert.Equal("misc", readTicket.Principal.Identity.AuthenticationType);
                Assert.Equal("bootstrap", readTicket.Principal.Identities.First().BootstrapContext);
            }
        }
        public override async Task GrantResourceOwnerCredentials(GrantResourceOwnerCredentialsNotification notification)
        {
            string roleType;
            if (!UserAuthenticatedSimple(notification, out roleType))
                return;

            //authenticate
            var identity = new ClaimsIdentity(OpenIdConnectDefaults.AuthenticationScheme);
            identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, notification.UserName));
            identity.AddClaim(new Claim(ClaimTypes.Role, roleType));

            // create metadata to pass on to refresh token provider
            var props = new AuthenticationProperties(new Dictionary<string, string>
                {
                    { "as:client_id", notification.ClientId },
                    {"userName", notification.UserName }
                });
            var principal = new ClaimsPrincipal(identity);
            var ticket = new AuthenticationTicket(principal, props, OpenIdConnectDefaults.AuthenticationScheme);
            notification.Validated(ticket);
        }
示例#20
0
        public void InteropSerializerCanReadNewTicket()
        {
            var user = new ClaimsPrincipal();
            var identity = new ClaimsIdentity("scheme");
            identity.AddClaim(new Claim("Test", "Value"));
            user.AddIdentity(identity);

            var expires = DateTime.Today;
            var issued = new DateTime(1979, 11, 11);
            var properties = new Http.Authentication.AuthenticationProperties();
            properties.IsPersistent = true;
            properties.RedirectUri = "/redirect";
            properties.Items["key"] = "value";
            properties.ExpiresUtc = expires;
            properties.IssuedUtc = issued;

            var newTicket = new AuthenticationTicket(user, properties, "scheme");
            var newSerializer = new TicketSerializer();

            var bytes = newSerializer.Serialize(newTicket);

            var interopSerializer = new AspNetTicketSerializer();
            var interopTicket = interopSerializer.Deserialize(bytes);

            Assert.NotNull(interopTicket);
            var newIdentity = interopTicket.Identity;
            Assert.NotNull(newIdentity);
            Assert.Equal("scheme", newIdentity.AuthenticationType);
            Assert.True(newIdentity.HasClaim(c => c.Type == "Test" && c.Value == "Value"));
            Assert.NotNull(interopTicket.Properties);
            Assert.True(interopTicket.Properties.IsPersistent);
            Assert.Equal("/redirect", interopTicket.Properties.RedirectUri);
            Assert.Equal("value", interopTicket.Properties.Dictionary["key"]);
            Assert.Equal(expires, interopTicket.Properties.ExpiresUtc);
            Assert.Equal(issued, interopTicket.Properties.IssuedUtc);
        }
        public void CanRoundTripActorIdentity()
        {
            var serializer = new TicketSerializer();
            var properties = new AuthenticationProperties();

            var actor = new ClaimsIdentity("actor");
            var ticket = new AuthenticationTicket(new ClaimsPrincipal(), properties, "Hello");
            ticket.Principal.AddIdentity(new ClaimsIdentity("misc") { Actor = actor });

            using (var stream = new MemoryStream())
            using (var writer = new BinaryWriter(stream))
            using (var reader = new BinaryReader(stream))
            {
                serializer.Write(writer, ticket);
                stream.Position = 0;
                var readTicket = serializer.Read(reader);
                Assert.Equal(1, readTicket.Principal.Identities.Count());
                Assert.Equal("misc", readTicket.Principal.Identity.AuthenticationType);

                var identity = (ClaimsIdentity) readTicket.Principal.Identity;
                Assert.NotNull(identity.Actor);
                Assert.Equal(identity.Actor.AuthenticationType, "actor");
            }
        }
 /// <summary>
 /// Serialize and sign the authentication ticket.
 /// Note: the <see cref="AccessToken"/> property
 /// is automatically set when this method completes.
 /// </summary>
 /// <param name="ticket">The authentication ticket to serialize.</param>
 /// <returns>The serialized and signed ticket.</returns>
 public async Task<string> SerializeTicketAsync(AuthenticationTicket ticket) {
     return AccessToken = await Serializer(ticket);
 }
        public void CanRoundTripClaimProperties()
        {
            var serializer = new TicketSerializer();
            var properties = new AuthenticationProperties();

            var claim = new Claim("type", "value", "valueType", "issuer", "original-issuer");
            claim.Properties.Add("property-1", "property-value");

            // Note: a null value MUST NOT result in a crash
            // and MUST instead be treated like an empty string.
            claim.Properties.Add("property-2", null);

            var ticket = new AuthenticationTicket(new ClaimsPrincipal(), properties, "Hello");
            ticket.Principal.AddIdentity(new ClaimsIdentity(new[] { claim }, "misc"));

            using (var stream = new MemoryStream())
            using (var writer = new BinaryWriter(stream))
            using (var reader = new BinaryReader(stream))
            {
                serializer.Write(writer, ticket);
                stream.Position = 0;
                var readTicket = serializer.Read(reader);
                Assert.Equal(1, readTicket.Principal.Identities.Count());
                Assert.Equal("misc", readTicket.Principal.Identity.AuthenticationType);

                var readClaim = readTicket.Principal.FindFirst("type");
                Assert.NotNull(claim);
                Assert.Equal(claim.Type, "type");
                Assert.Equal(claim.Value, "value");
                Assert.Equal(claim.ValueType, "valueType");
                Assert.Equal(claim.Issuer, "issuer");
                Assert.Equal(claim.OriginalIssuer, "original-issuer");

                var property1 = readClaim.Properties["property-1"];
                Assert.Equal(property1, "property-value");

                var property2 = readClaim.Properties["property-2"];
                Assert.Equal(property2, string.Empty);
            }
        }
 /// <summary>
 /// Serialize and sign the authentication ticket using <see cref="DataFormat"/>.
 /// Note: the <see cref="AuthorizationCode"/> property
 /// is automatically set when this method completes.
 /// </summary>
 /// <param name="ticket">The authentication ticket to serialize.</param>
 /// <returns>The serialized and signed ticket.</returns>
 public async Task<string> SerializeTicketAsync(AuthenticationTicket ticket) {
     return AuthorizationCode = await Serializer(ticket);
 }
        private async Task CreateOrUpdateUserAsync(AuthenticationTicket authenticationTicket, UserManager userManager, Tenant tenant)
        {
            Guard.ArgumentNotNull(authenticationTicket, nameof(authenticationTicket));
            Guard.ArgumentNotNull(userManager, nameof(userManager));
            Guard.ArgumentNotNull(tenant, nameof(tenant));

            var principal = authenticationTicket.Principal;
            string objectIdentifier = principal.GetObjectIdentifierValue();
            string displayName = principal.GetDisplayNameValue();
            string email = principal.GetEmailValue();

            var user = await userManager.FindByObjectIdentifier(objectIdentifier)
                .ConfigureAwait(false);
            if (user == null)
            {
                // The user isn't in our database, so add them.
                user = new User
                {
                    Created = DateTimeOffset.UtcNow,
                    ObjectId = objectIdentifier,
                    TenantId = tenant.Id,
                    DisplayName = displayName,
                    Email = email
                };

                await userManager.CreateAsync(user)
                    .ConfigureAwait(false);
            }
            else
            {
                // Since we aren't the system of record, we need to attempt to keep our display values in sync with the user store.
                // We'll do a simple form of it here.
                bool shouldSaveUser = false;
                if (!user.DisplayName.Equals(displayName, StringComparison.OrdinalIgnoreCase))
                {
                    user.DisplayName = displayName;
                    shouldSaveUser = true;
                }

                // Do a case insensitive comparison for email matching
                if (!user.Email.Equals(email, StringComparison.OrdinalIgnoreCase))
                {
                    user.Email = email;
                    shouldSaveUser = true;
                }

                if (shouldSaveUser)
                {
                    await userManager
                        .UpdateAsync(user)
                        .ConfigureAwait(false);
                }
            }

            // Add in the survey user id claim.
            principal.Identities.First().AddClaim(new Claim(SurveyClaimTypes.SurveyUserIdClaimType, user.Id.ToString()));
            // Add in the user's tenant id claim.
            principal.Identities.First().AddClaim(new Claim(SurveyClaimTypes.SurveyTenantIdClaimType, user.TenantId.ToString()));
        }
 public void SetTicket([NotNull] AuthenticationTicket ticket)
 {
     Ticket = ticket;
 }
        public async Task OnValidateIdentityDoesNotRejectsWhenNotExpired()
        {
            var user = new TestUser("test");
            var httpContext = new Mock<HttpContext>();
            var userManager = MockHelpers.MockUserManager<TestUser>();
            var claimsManager = new Mock<IUserClaimsPrincipalFactory<TestUser>>();
            var identityOptions = new IdentityOptions { SecurityStampValidationInterval = TimeSpan.FromDays(1) };
            var options = new Mock<IOptions<IdentityOptions>>();
            options.Setup(a => a.Options).Returns(identityOptions);
            var contextAccessor = new Mock<IHttpContextAccessor>();
            contextAccessor.Setup(a => a.HttpContext).Returns(httpContext.Object);
            var signInManager = new Mock<SignInManager<TestUser>>(userManager.Object,
                contextAccessor.Object, claimsManager.Object, options.Object, null);
            signInManager.Setup(s => s.ValidateSecurityStampAsync(It.IsAny<ClaimsPrincipal>(), user.Id)).Throws(new Exception("Shouldn't be called"));
            signInManager.Setup(s => s.SignInAsync(user, false, null)).Throws(new Exception("Shouldn't be called"));
            var services = new ServiceCollection();
            services.AddInstance(options.Object);
            services.AddInstance(signInManager.Object);
            services.AddInstance<ISecurityStampValidator>(new SecurityStampValidator<TestUser>());
            httpContext.Setup(c => c.RequestServices).Returns(services.BuildServiceProvider());
            var id = new ClaimsIdentity(IdentityOptions.ApplicationCookieAuthenticationScheme);
            id.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.Id));

            var ticket = new AuthenticationTicket(new ClaimsPrincipal(id),
                new AuthenticationProperties { IssuedUtc = DateTimeOffset.UtcNow },
                IdentityOptions.ApplicationCookieAuthenticationScheme);
            var context = new CookieValidatePrincipalContext(httpContext.Object, ticket, new CookieAuthenticationOptions());
            Assert.NotNull(context.Properties);
            Assert.NotNull(context.Options);
            Assert.NotNull(context.Principal);
            await SecurityStampValidator.ValidatePrincipalAsync(context);
            Assert.NotNull(context.Principal);
        }
        public async Task OnValidateIdentityRejectsWhenNoIssuedUtc()
        {
            var user = new TestUser("test");
            var httpContext = new Mock<HttpContext>();
            var userManager = MockHelpers.MockUserManager<TestUser>();
            var claimsManager = new Mock<IUserClaimsPrincipalFactory<TestUser>>();
            var identityOptions = new IdentityOptions { SecurityStampValidationInterval = TimeSpan.Zero };
            var options = new Mock<IOptions<IdentityOptions>>();
            options.Setup(a => a.Value).Returns(identityOptions);
            var contextAccessor = new Mock<IHttpContextAccessor>();
            contextAccessor.Setup(a => a.HttpContext).Returns(httpContext.Object);
            var signInManager = new Mock<SignInManager<TestUser>>(userManager.Object,
                contextAccessor.Object, claimsManager.Object, options.Object, null);
            signInManager.Setup(s => s.ValidateSecurityStampAsync(It.IsAny<ClaimsPrincipal>(), user.Id)).ReturnsAsync(null).Verifiable();
            var services = new ServiceCollection();
            services.AddSingleton(options.Object);
            services.AddSingleton(signInManager.Object);
            services.AddSingleton<ISecurityStampValidator>(new SecurityStampValidator<TestUser>());
            httpContext.Setup(c => c.RequestServices).Returns(services.BuildServiceProvider());
            var id = new ClaimsIdentity(identityOptions.Cookies.ApplicationCookieAuthenticationScheme);
            id.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.Id));

            var ticket = new AuthenticationTicket(new ClaimsPrincipal(id),
                new AuthenticationProperties(),
                identityOptions.Cookies.ApplicationCookieAuthenticationScheme);
            var context = new CookieValidatePrincipalContext(httpContext.Object, ticket, new CookieAuthenticationOptions());
            Assert.NotNull(context.Properties);
            Assert.NotNull(context.Options);
            Assert.NotNull(context.Principal);
            await SecurityStampValidator.ValidatePrincipalAsync(context);
            Assert.Null(context.Principal);
            signInManager.VerifyAll();
        }