        /// <inheritdoc />
        /// <remarks>
        /// Reverses <c>Protect</c>: base64url-decodes the text, unprotects it with
        /// <c>_protector</c> (narrowed to <paramref name="purpose"/> when that is non-empty)
        /// and deserialises the payload. Every failure mode — null or malformed text, a payload
        /// the protector rejects, a deserialisation error — collapses to <c>default(TData)</c>,
        /// so callers cannot tell the causes apart. That is intentional (see the catch block).
        /// </remarks>
        public TData?Unprotect(string?protectedText, string?purpose)
        {
            if (protectedText == null)
            {
                return default(TData);
            }

            try
            {
                var envelope = Base64UrlTextEncoder.Decode(protectedText);
                if (envelope == null)
                {
                    return default(TData);
                }

                var scoped = string.IsNullOrEmpty(purpose)
                    ? _protector
                    : _protector.CreateProtector(purpose);

                var plaintext = scoped.Unprotect(envelope);

                return plaintext == null
                    ? default(TData)
                    : _serializer.Deserialize(plaintext);
            }
            catch
            {
                // TODO trace exception, but do not leak other information
                return default(TData);
            }
        }
        /// <summary>
        /// Creates a fresh random correlation id, records it in <paramref name="properties"/>
        /// under <c>CorrelationProperty</c>, and mirrors it to the browser as a
        /// <c>CorrelationMarker</c> cookie so the remote callback can be bound to this challenge.
        /// </summary>
        /// <param name="properties">Challenge state to annotate; mutated in place.</param>
        /// <exception cref="ArgumentNullException"><paramref name="properties"/> is null.</exception>
        protected virtual void GenerateCorrelationId(AuthenticationProperties properties)
        {
            if (properties is null)
            {
                throw new ArgumentNullException(nameof(properties));
            }

            // 32 bytes (256 bits) from the CSPRNG, base64url so it is safe inside a cookie name.
            var nonce = new byte[32];
            CryptoRandom.GetBytes(nonce);
            var correlationId = Base64UrlTextEncoder.Encode(nonce);

            properties.Items[CorrelationProperty] = correlationId;

            // HttpOnly keeps the marker out of script reach; Secure simply follows the request
            // scheme, so the flag is only set when the challenge itself arrived over HTTPS.
            var markerOptions = new CookieOptions
            {
                HttpOnly = true,
                Secure   = Request.IsHttps,
                Expires  = properties.ExpiresUtc
            };

            var markerName = CorrelationPrefix + Options.AuthenticationScheme + "." + correlationId;

            Response.Cookies.Append(markerName, CorrelationMarker, markerOptions);
        }
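        /// <summary>
        /// Extracts the subject identifier claim (<c>EsiaConstants.SbjIdUrn</c>) from the JWT
        /// access token carried in <paramref name="tokens"/>.
        /// </summary>
        /// <remarks>
        /// Only the payload segment is base64url-decoded and read; the token's signature is not
        /// verified here. The <c>OAuthTokenResponse</c> parameter suggests the token came straight
        /// from the provider's token-endpoint exchange rather than from the user agent — that is the
        /// only situation in which skipping verification is defensible, so do not reuse this helper
        /// on tokens obtained any other way (NOTE(review): confirm the caller).
        /// </remarks>
        /// <param name="tokens">Token response whose <c>AccessToken</c> is a compact-serialised JWT.</param>
        /// <returns>The subject identifier string read from the payload.</returns>
        /// <exception cref="FormatException">
        /// The access token is missing or is not a dot-separated compact JWT.
        /// </exception>
        private static string GetSubjectId(OAuthTokenResponse tokens)
        {
            // Compact serialisation is header.payload.signature; only the middle segment is needed.
            var segments = tokens.AccessToken?.Split('.');
            if (segments is null || segments.Length < 2)
            {
                throw new FormatException("Access token is not a compact-serialised JWT.");
            }

            var payloadJson = Encoding.UTF8.GetString(Base64UrlTextEncoder.Decode(segments[1]));

            // JsonDocument rents pooled buffers; dispose it once the claim has been copied out.
            using var payload = JsonDocument.Parse(payloadJson);

            return payload.RootElement.GetString(EsiaConstants.SbjIdUrn);
        }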
        /// <summary>
        /// Serialises <paramref name="data"/>, protects the bytes with <c>_protector</c>
        /// (narrowed to <paramref name="purpose"/> when one is supplied) and returns the result
        /// as base64url text suitable for a cookie or query-string value.
        /// </summary>
        /// <param name="data">Ticket to protect.</param>
        /// <param name="purpose">Optional sub-purpose; null or empty uses the root protector.</param>
        /// <returns>Base64url-encoded protected payload.</returns>
        public string Protect(AuthenticationTicket data, string purpose)
        {
            var serialized = _serializer.Serialize(data);

            var scoped = string.IsNullOrEmpty(purpose)
                ? _protector
                : _protector.CreateProtector(purpose);

            return Base64UrlTextEncoder.Encode(scoped.Protect(serialized));
        }
        /// <inheritdoc />
        /// <remarks>
        /// Serialises <paramref name="data"/> with <c>_serializer</c>, protects it with
        /// <c>_protector</c> (or a sub-protector for <paramref name="purpose"/> when that is
        /// non-empty) and base64url-encodes the ciphertext for transport in cookies or URLs.
        /// </remarks>
        public string Protect(TData data, string?purpose)
        {
            var plaintext = _serializer.Serialize(data);

            var scoped = string.IsNullOrEmpty(purpose)
                ? _protector
                : _protector.CreateProtector(purpose);

            return Base64UrlTextEncoder.Encode(scoped.Protect(plaintext));
        }
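        /// <summary>
        /// Round-trips byte arrays of every length 0..255 through <c>Base64UrlTextEncoder</c>
        /// and checks the decoded bytes equal the input exactly, length included. Covering every
        /// length exercises all three base64 padding cases (length mod 3).
        /// </summary>
        public void DataOfVariousLengthRoundTripCorrectly()
        {
            for (int length = 0; length != 256; ++length)
            {
                // Deterministic, non-repeating pattern so a decoding slip is not masked by equal bytes.
                var data = new byte[length];
                for (int index = 0; index != length; ++index)
                {
                    data[index] = (byte)(5 + length + (index * 23));
                }

                string text   = Base64UrlTextEncoder.Encode(data);
                byte[] result = Base64UrlTextEncoder.Decode(text);

                // Sequence equality also pins the decoded length, which a per-index comparison
                // over the input length alone would miss (a short result would throw, a long one pass).
                Assert.Equal(data, result);
            }
        }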
        /// <summary>
        /// Reverses <c>Protect</c>: base64url-decodes <paramref name="protectedText"/>, unprotects
        /// it with <c>_protector</c> (narrowed to <paramref name="purpose"/> when non-empty) and
        /// deserialises the ticket.
        /// </summary>
        /// <param name="protectedText">Output of <c>Protect</c>, or null.</param>
        /// <param name="purpose">Optional sub-purpose; must match the one used when protecting.</param>
        /// <returns>
        /// The ticket, or <c>default(AuthenticationTicket)</c> when the input is null, fails to
        /// decode, is rejected by the protector (e.g. tampered or protected under another purpose),
        /// or fails to deserialise. The causes are deliberately indistinguishable to the caller.
        /// </returns>
        public AuthenticationTicket Unprotect(string protectedText, string purpose)
        {
            try
            {
                if (protectedText == null)
                {
                    return default(AuthenticationTicket);
                }

                byte[] envelope = Base64UrlTextEncoder.Decode(protectedText);
                if (envelope == null)
                {
                    return default(AuthenticationTicket);
                }

                IDataProtector scoped = string.IsNullOrEmpty(purpose)
                    ? _protector
                    : _protector.CreateProtector(purpose);

                byte[] plaintext = scoped.Unprotect(envelope);

                return plaintext == null
                    ? default(AuthenticationTicket)
                    : _serializer.Deserialize(plaintext);
            }
            catch
            {
                // Any failure collapses to "no ticket"; the exception is intentionally not surfaced.
                return default(AuthenticationTicket);
            }
        }
        /// <summary>
        /// Generates a random correlation id, stores it in <paramref name="properties"/> under
        /// <c>CorrelationProperty</c> and writes the matching <c>CorrelationMarker</c> cookie
        /// (options taken from <c>Options.CorrelationCookie</c>) so the remote callback can be
        /// tied back to this challenge.
        /// </summary>
        /// <param name="properties">Challenge state to annotate; mutated in place.</param>
        /// <exception cref="ArgumentNullException"><paramref name="properties"/> is null.</exception>
        protected virtual void GenerateCorrelationId(AuthenticationProperties properties)
        {
            if (properties is null)
            {
                throw new ArgumentNullException(nameof(properties));
            }

            // 32 CSPRNG bytes (256 bits), base64url-encoded so it is safe inside a cookie name.
            var randomBytes = new byte[32];
            CryptoRandom.GetBytes(randomBytes);
            var correlationId = Base64UrlTextEncoder.Encode(randomBytes);

            properties.Items[CorrelationProperty] = correlationId;

            var markerName    = Options.CorrelationCookie.Name + Scheme.Name + "." + correlationId;
            var markerOptions = Options.CorrelationCookie.Build(Context, Clock.UtcNow);

            Response.Cookies.Append(markerName, CorrelationMarker, markerOptions);
        }
        /// <summary>
        /// Builds the authorization-endpoint URL for a challenge. Adds the PKCE
        /// <c>code_challenge</c>/<c>code_challenge_method=S256</c> pair when
        /// <c>Options.UsePkce</c> is set, protects <paramref name="properties"/> into the
        /// <c>state</c> value and — because Mixcloud does not appear to round-trip
        /// <c>state</c> — also appends that same value to <c>redirect_uri</c> as a query parameter.
        /// </summary>
        /// <param name="properties">Challenge state; when PKCE is on it receives the code verifier
        /// under <c>OAuthConstants.CodeVerifierKey</c> for use at code redemption.</param>
        /// <param name="redirectUri">Callback URL; the provider must tolerate a query string on it
        /// for the bundled <c>state</c> to survive (NOTE(review): confirm against registered URI rules).</param>
        /// <returns>The fully assembled authorization URL.</returns>
        protected override string BuildChallengeUrl([NotNull] AuthenticationProperties properties, [NotNull] string redirectUri)
        {
            var requestedScopes = properties.GetParameter <ICollection <string> >(OAuthChallengeProperties.ScopeKey);

            var query = new Dictionary <string, string?>
            {
                ["client_id"]     = Options.ClientId,
                ["scope"]         = requestedScopes != null ? FormatScope(requestedScopes) : FormatScope(),
                ["response_type"] = "code"
            };

            if (Options.UsePkce)
            {
                AddPkceParameters(query, properties);
            }

            var state = Options.StateDataFormat.Protect(properties);
            query["state"] = state;

            // Mixcloud does not appear to support the `state` parameter, so have to bundle it here:
            query["redirect_uri"] = QueryHelpers.AddQueryString(redirectUri, "state", state);

            return QueryHelpers.AddQueryString(Options.AuthorizationEndpoint, query);

            // Generates a 256-bit code verifier, stashes it for the token exchange and adds its
            // S256 challenge to the query (RFC 7636).
            static void AddPkceParameters(Dictionary<string, string?> target, AuthenticationProperties props)
            {
                var verifierBytes = new byte[32];
                RandomNumberGenerator.Fill(verifierBytes);
                var codeVerifier = Base64UrlTextEncoder.Encode(verifierBytes);

                // Store this for use during the code redemption.
                props.Items.Add(OAuthConstants.CodeVerifierKey, codeVerifier);

                var challengeBytes = SHA256.HashData(Encoding.UTF8.GetBytes(codeVerifier));

                target[OAuthConstants.CodeChallengeKey]       = WebEncoders.Base64UrlEncode(challengeBytes);
                target[OAuthConstants.CodeChallengeMethodKey] = OAuthConstants.CodeChallengeMethodS256;
            }
        }
        /// <inheritdoc />
        /// <remarks>
        /// Assembles the authorization URL from <c>client_id</c>, the requested (or default) scope,
        /// <c>response_type=code</c>, <c>redirect_uri</c> and the provider-specific
        /// <c>request_credentials</c>/<c>access_type</c> values. When <c>Options.UsePkce</c> is set
        /// a 256-bit code verifier is stored in <paramref name="properties"/> and its S256 challenge
        /// is added to the query (RFC 7636). <paramref name="properties"/> are then protected into
        /// <c>state</c>.
        /// </remarks>
        protected override string BuildChallengeUrl(AuthenticationProperties properties, string redirectUri)
        {
            var requestedScopes = properties.GetParameter <ICollection <string> >(OAuthChallengeProperties.ScopeKey);

            var query = new Dictionary <string, string>
            {
                ["client_id"]           = Options.ClientId,
                ["scope"]               = requestedScopes != null ? FormatScope(requestedScopes) : FormatScope(),
                ["response_type"]       = "code",
                ["redirect_uri"]        = redirectUri,
                ["request_credentials"] = Options.RequestCredentials.ToEnumString(),
                ["access_type"]         = Options.AccessType.ToEnumString()
            };

            if (Options.UsePkce)
            {
                var verifierBytes = new byte[32];
                CryptoRandom.GetBytes(verifierBytes);
                var codeVerifier = Base64UrlTextEncoder.Encode(verifierBytes);

                // Store this for use during the code redemption.
                properties.Items.Add(OAuthConstants.CodeVerifierKey, codeVerifier);

                byte[] challengeBytes;
                using (var sha256 = SHA256.Create())
                {
                    challengeBytes = sha256.ComputeHash(Encoding.UTF8.GetBytes(codeVerifier));
                }

                query[OAuthConstants.CodeChallengeKey]       = WebEncoders.Base64UrlEncode(challengeBytes);
                query[OAuthConstants.CodeChallengeMethodKey] = OAuthConstants.CodeChallengeMethodS256;
            }

            query["state"] = Options.StateDataFormat.Protect(properties);

            return QueryHelpers.AddQueryString(Options.AuthorizationEndpoint, query);
        }
        /// <summary>
        /// Variant of <c>GenerateCorrelationId</c> that issues a shorter correlation id so the
        /// challenge fits a provider whose <c>state</c> parameter is limited to 128 bytes.
        /// Besides the usual <c>CorrelationMarker</c> cookie it writes a second cookie, named from
        /// the same id, holding the protected <paramref name="properties"/>; the challenge URL then
        /// only needs to carry the id.
        /// </summary>
        /// <remarks>
        /// The id is 8 bytes (64 bits) of CSPRNG output, cut down from 32 as the original author's
        /// note records ("32->12->8"). That is a deliberate size-for-entropy trade-off; keep it in
        /// mind if the cookie lifetime set via <c>Options.CorrelationCookie</c> is ever lengthened.
        /// </remarks>
        /// <param name="properties">Challenge state (its Items typically include the <c>.redirect</c>
        /// entry); receives the id under <c>CorrelationProperty</c>.</param>
        /// <exception cref="ArgumentNullException"><paramref name="properties"/> is null.</exception>
        protected virtual void GenerateCorrelationIdX(AuthenticationProperties properties)
        {
            if (properties is null)
            {
                throw new ArgumentNullException(nameof(properties));
            }

            // 8 random bytes -> 11 base64url characters; size history: 32 -> 12 -> 8.
            var idBytes = new byte[8];
            CryptoRandom.GetBytes(idBytes);
            var correlationId = Base64UrlTextEncoder.Encode(idBytes);

            // The challenge URL is built from properties, so the id must be recorded before they are protected.
            properties.Items[CorrelationProperty] = correlationId;

            var cookieOptions = Options.CorrelationCookie.Build(Context, Clock.UtcNow);

            // Cookie 1: the marker proving this browser started the challenge.
            Response.Cookies.Append(BuildCorelationCookieName(correlationId), CorrelationMarker, cookieOptions);

            // Cookie 2: the full protected state, parked client-side instead of inside `state`.
            Response.Cookies.Append(BuildStateCookieName(correlationId), Options.StateDataFormat.Protect(properties), cookieOptions);
        }