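/// <summary>
/// Shared initialization for the resource-based token-acquisition handlers: creates the call
/// state, logs the start of the acquisition and records the cache/client/subject settings that
/// the derived handlers then refine.
/// </summary>
/// <param name="authenticator">Authority the token is requested from; must not be null.</param>
/// <param name="tokenCache">Cache to read from and write to; null disables both.</param>
/// <param name="resource">Target resource; the <c>NullResource</c> sentinel is stored as null.</param>
/// <param name="clientKey">Client identity (and credential, if any); must not be null.</param>
/// <param name="subjectType">Whether the token is for a user, the client, or user-plus-client.</param>
/// <param name="callSync">Whether the caller runs the request synchronously.</param>
/// <exception cref="ArgumentNullException">
/// Thrown when <paramref name="authenticator"/> or <paramref name="clientKey"/> is null, or when
/// <paramref name="resource"/> is null or whitespace.
/// </exception>
protected AcquireTokenHandlerBase(Authenticator authenticator, TokenCache tokenCache, string resource, ClientKey clientKey, TokenSubjectType subjectType, bool callSync)
{
    // Validate up front so a null argument surfaces as ArgumentNullException instead of a
    // NullReferenceException from authenticator.CorrelationId / clientKey.ClientId below.
    if (authenticator == null)
    {
        throw new ArgumentNullException("authenticator");
    }

    if (clientKey == null)
    {
        throw new ArgumentNullException("clientKey");
    }

    this.Authenticator = authenticator;
    this.CallState = CreateCallState(this.Authenticator.CorrelationId, callSync);

    // Only request metadata is logged (authority, resource, client id, cache type); no credentials.
    string cacheDescription = (tokenCache != null)
        ? tokenCache.GetType().FullName + string.Format(" ({0} items)", tokenCache.Count)
        : "null";

    Logger.Information(this.CallState, string.Format(
        "=== Token Acquisition started:\n\tAuthority: {0}\n\tResource: {1}\n\tClientId: {2}\n\tCacheType: {3}\n\tAuthentication Target: {4}\n\t",
        authenticator.Authority, resource, clientKey.ClientId, cacheDescription, subjectType));

    this.tokenCache = tokenCache;

    if (string.IsNullOrWhiteSpace(resource))
    {
        // Logged before throwing so the failure is attributable to this call state.
        var ex = new ArgumentNullException("resource");
        Logger.Error(this.CallState, ex);
        throw ex;
    }

    // Overloads without a resource pass the NullResource sentinel; keep the field null in that case.
    this.Resource = (resource != NullResource) ? resource : null;
    this.ClientKey = clientKey;
    this.TokenSubjectType = subjectType;

    // A null cache disables both lookup and storage; derived handlers may narrow these further.
    this.LoadFromCache = (tokenCache != null);
    this.StoreToCache = (tokenCache != null);
    this.SupportADFS = false;
}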
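/// <summary>
/// Shared initialization for the scope-based token-acquisition handlers: creates the call
/// state, logs the start of the acquisition, records the cache/client/subject settings and
/// validates the requested scopes.
/// </summary>
/// <param name="authenticator">Authority the token is requested from; must not be null.</param>
/// <param name="tokenCache">Cache to read from and write to; null disables both.</param>
/// <param name="scope">Scopes to request; must contain at least one entry.</param>
/// <param name="clientKey">Client identity (and credential, if any); must not be null.</param>
/// <param name="subjectType">Whether the token is for a user, the client, or user-plus-client.</param>
/// <exception cref="ArgumentNullException">
/// Thrown when <paramref name="authenticator"/> or <paramref name="clientKey"/> is null, or when
/// <paramref name="scope"/> is null or empty.
/// </exception>
protected AcquireTokenHandlerBase(Authenticator authenticator, TokenCache tokenCache, string[] scope, ClientKey clientKey, TokenSubjectType subjectType)
{
    // Validate up front so a null argument surfaces as ArgumentNullException instead of a
    // NullReferenceException from authenticator.CorrelationId / clientKey.ClientId below.
    if (authenticator == null)
    {
        throw new ArgumentNullException("authenticator");
    }

    if (clientKey == null)
    {
        throw new ArgumentNullException("clientKey");
    }

    this.Authenticator = authenticator;
    this.CallState = CreateCallState(this.Authenticator.CorrelationId);

    // Passing the array straight to string.Format logs "System.String[]"; join the scopes
    // so the log line actually shows what was requested. A null array is logged as "null".
    string scopeDescription = (scope != null) ? string.Join(" ", scope) : "null";

    string cacheDescription = (tokenCache != null)
        ? tokenCache.GetType().FullName + string.Format(" ({0} items)", tokenCache.Count)
        : "null";

    PlatformPlugin.Logger.Information(this.CallState, string.Format(
        "=== accessToken Acquisition started:\n\tAuthority: {0}\n\tResource: {1}\n\tClientId: {2}\n\tCacheType: {3}\n\tAuthentication Target: {4}\n\t",
        authenticator.Authority, scopeDescription, clientKey.ClientId, cacheDescription, subjectType));

    this.tokenCache = tokenCache;
    this.ClientKey = clientKey;
    this.TokenSubjectType = subjectType;

    // A null cache disables both lookup and storage; derived handlers may narrow these further.
    this.LoadFromCache = (tokenCache != null);
    this.StoreToCache = (tokenCache != null);
    this.SupportADFS = false;

    if (ADALScopeHelper.IsNullOrEmpty(scope))
    {
        throw new ArgumentNullException("scope");
    }

    this.Scope = scope;
    ValidateScopeInput(scope);
}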
/// <summary>
/// Handler for the non-interactive, scope-based flow driven by a <see cref="UserCredential"/>.
/// The token is requested for the user (<see cref="TokenSubjectType.User"/>) on behalf of
/// <paramref name="clientId"/>.
/// </summary>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="userCredential"/> is null.</exception>
public AcquireTokenNonInteractiveHandler(Authenticator authenticator, TokenCache tokenCache, string[] scope, string clientId, UserCredential userCredential)
    : base(authenticator, tokenCache, scope, new ClientKey(clientId), TokenSubjectType.User)
{
    // Without a credential there is nothing to authenticate the user with.
    if (userCredential == null)
    {
        throw new ArgumentNullException("userCredential");
    }

    this.userCredential = userCredential;
}
/// <summary>
/// Builds a client key backed by a certificate assertion. The client id is taken from the
/// certificate and the key is marked as carrying a credential.
/// </summary>
/// <param name="clientCertificate">Certificate used to sign the client assertion; must not be null.</param>
/// <param name="authenticator">Authority the assertion will be presented to.</param>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="clientCertificate"/> is null.</exception>
public ClientKey(ClientAssertionCertificate clientCertificate, Authenticator authenticator)
{
    // Reject a missing certificate before touching any of its members.
    if (clientCertificate == null)
    {
        throw new ArgumentNullException("clientCertificate");
    }

    Authenticator = authenticator;
    Certificate = clientCertificate;
    ClientId = clientCertificate.ClientId;
    HasCredential = true;
}
/// <summary>
/// Handler for the on-behalf-of flow: the caller presents a <see cref="UserAssertion"/> and the
/// token is issued for that user plus this client (<see cref="TokenSubjectType.UserPlusClient"/>).
/// </summary>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="userAssertion"/> is null.</exception>
public AcquireTokenOnBehalfHandler(Authenticator authenticator, TokenCache tokenCache, string resource, ClientKey clientKey, UserAssertion userAssertion)
    : base(authenticator, tokenCache, resource, clientKey, TokenSubjectType.UserPlusClient)
{
    if (userAssertion == null)
    {
        throw new ArgumentNullException("userAssertion");
    }

    this.userAssertion = userAssertion;

    // The user name from the assertion identifies the cache entry for this user.
    DisplayableId = userAssertion.UserName;

    // This flow is also supported against ADFS authorities.
    SupportADFS = true;
}
/// <summary>
/// Handler for silent (cache-only / refresh-token) acquisition for a known user. The subject type
/// follows the client key: a key with a credential yields a user-plus-client token, otherwise a
/// user token.
/// </summary>
/// <exception cref="ArgumentNullException">
/// Thrown when <paramref name="userId"/> is null; the message points the caller at the "any user"
/// identifier instead of null.
/// </exception>
public AcquireTokenSilentHandler(Authenticator authenticator, TokenCache tokenCache, string resource, ClientKey clientKey, UserIdentifier userId, bool callSync)
    : base(authenticator, tokenCache, resource, clientKey, clientKey.HasCredential ? TokenSubjectType.UserPlusClient : TokenSubjectType.User, callSync)
{
    if (userId == null)
    {
        throw new ArgumentNullException("userId", AdalErrorMessage.SpecifyAnyUser);
    }

    // Copy the identifier parts used for the cache lookup.
    UniqueId = userId.UniqueId;
    DisplayableId = userId.DisplayableId;
    UserIdentifierType = userId.Type;

    SupportADFS = true;
}
/// <summary>
/// Handler for the on-behalf-of flow (synchronous/asynchronous variant). The token is issued for
/// the asserted user plus this client (<see cref="TokenSubjectType.UserPlusClient"/>).
/// </summary>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="userAssertion"/> is null.</exception>
public AcquireTokenOnBehalfHandler(Authenticator authenticator, TokenCache tokenCache, string resource, ClientKey clientKey, UserAssertion userAssertion, bool callSync)
    : base(authenticator, tokenCache, resource, clientKey, TokenSubjectType.UserPlusClient, callSync)
{
    if (userAssertion == null)
    {
        throw new ArgumentNullException("userAssertion");
    }

    this.userAssertion = userAssertion;
    DisplayableId = userAssertion.UserName;

    // Only a SHA-256 hash of the assertion is kept; it distinguishes cache entries without
    // retaining the assertion itself.
    assertionHash = PlatformSpecificHelper.CreateSha256Hash(userAssertion.Assertion);

    SupportADFS = true;
}
/// <summary>
/// Handler for non-interactive acquisition where the user is identified by a
/// <see cref="UserAssertion"/> (for example an externally issued token) rather than a password.
/// </summary>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="userAssertion"/> is null.</exception>
/// <exception cref="ArgumentException">Thrown when the assertion carries no assertion type.</exception>
public AcquireTokenNonInteractiveHandler(Authenticator authenticator, TokenCache tokenCache, string resource, string clientId, UserAssertion userAssertion)
    : base(authenticator, tokenCache, resource, new ClientKey(clientId), TokenSubjectType.User)
{
    if (userAssertion == null)
    {
        throw new ArgumentNullException("userAssertion");
    }

    // The assertion type tells the service how to interpret the assertion; it is mandatory here.
    bool assertionTypeMissing = string.IsNullOrWhiteSpace(userAssertion.AssertionType);
    if (assertionTypeMissing)
    {
        throw new ArgumentException(AdalErrorMessage.UserCredentialAssertionTypeEmpty, "userAssertion");
    }

    this.userAssertion = userAssertion;
}
/// <summary>
/// Handler for non-interactive acquisition with a <see cref="UserCredential"/> against a resource.
/// ADFS support is enabled only when the authority itself is an ADFS authority.
/// </summary>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="userCredential"/> is null.</exception>
public AcquireTokenNonInteractiveHandler(Authenticator authenticator, TokenCache tokenCache, string resource, string clientId, UserCredential userCredential)
    : base(authenticator, tokenCache, resource, new ClientKey(clientId), TokenSubjectType.User)
{
    if (userCredential == null)
    {
        throw new ArgumentNullException("userCredential");
    }

    // We enable ADFS support only when it makes sense to do so
    bool authorityIsAdfs = authenticator.AuthorityType == AuthorityType.ADFS;
    if (authorityIsAdfs)
    {
        SupportADFS = true;
    }

    this.userCredential = userCredential;
}
// This constructor is called by ContinueAcquireTokenAsync after WAB call has returned.
// It rebuilds the handler from the values stashed in args.ContinuationData before the
// Web Authentication Broker round trip, then converts the broker's result into the
// authorization result the token request continues from.
// NOTE(review): the ContinuationData entries are cast without validation, so a missing or
// mistyped entry surfaces as a cast/format exception here rather than an ADAL error — confirm
// that is the intended failure mode.
public AcquireTokenInteractiveHandler(Authenticator authenticator, TokenCache tokenCache, IWebAuthenticationBrokerContinuationEventArgs args)
    : this(
        authenticator,
        tokenCache,
        (string)args.ContinuationData[WabArgName.Resource],
        (string)args.ContinuationData[WabArgName.ClientId],
        // Issue #129 - Windows Phone cannot handle ms-app URI's so use the placeholder URI for SSO
        GetRedirectUri((string)args.ContinuationData[WabArgName.RedirectUri]),
        // This is simply to disable cache lookup. In fact, there is no authorize call at this point and promptBehavior is not applicable.
        PromptBehavior.Always,
        new UserIdentifier((string)args.ContinuationData[WabArgName.UserId], (UserIdentifierType)((int)args.ContinuationData[WabArgName.UserIdType])),
        // extraQueryParameters: the authorize request already happened, so none are needed.
        null,
        NetworkPlugin.WebUIFactory.Create(),
        // callSync: the continuation is processed asynchronously.
        false)
{
    // Reuse the correlation id of the original request so the continued call is logged under the same id.
    CallState callState = new CallState(new Guid((string)args.ContinuationData[WabArgName.CorrelationId]), false);
    this.authorizationResult = this.webUi.ProcessAuthorizationResult(args, callState);
}
/// <summary>
/// Handler for interactive, scope-based acquisition. Validates the redirect URI for the current
/// platform, merges the requested and additional scopes, and decides whether the cache may be
/// consulted based on the platform parameters.
/// </summary>
/// <exception cref="ArgumentException">Thrown when the validated redirect URI contains a fragment.</exception>
/// <exception cref="ArgumentNullException">
/// Thrown when <paramref name="userId"/> is null; the message points the caller at the "any user"
/// identifier instead of null.
/// </exception>
public AcquireTokenInteractiveHandler(Authenticator authenticator, TokenCache tokenCache, string[] scope, string[] additionalScope, string clientId, Uri redirectUri, IPlatformParameters parameters, UserIdentifier userId, string extraQueryParameters, IWebUI webUI)
    : base(authenticator, tokenCache, scope, new ClientKey(clientId), TokenSubjectType.User)
{
    // The platform may normalize or substitute the redirect URI; validate before inspecting it.
    Uri validatedRedirectUri = PlatformPlugin.PlatformInformation.ValidateRedirectUri(redirectUri, this.CallState);
    this.redirectUri = validatedRedirectUri;

    // A fragment would be dropped by the browser and can never round-trip, so reject it.
    bool hasFragment = !string.IsNullOrWhiteSpace(validatedRedirectUri.Fragment);
    if (hasFragment)
    {
        throw new ArgumentException(AdalErrorMessage.RedirectUriContainsFragment, "redirectUri");
    }

    this.authorizationParameters = parameters;

    // Normalize a missing additional-scope list to an empty array so it can always be unioned.
    this.additionalScope = ADALScopeHelper.IsNullOrEmpty(additionalScope)
        ? new string[] {}
        : additionalScope;

    string[] combinedScope = scope.Union(this.additionalScope).ToArray();
    ValidateScopeInput(combinedScope);

    this.redirectUriRequestParameter = PlatformPlugin.PlatformInformation.GetRedirectUriAsString(validatedRedirectUri, this.CallState);

    if (userId == null)
    {
        throw new ArgumentNullException("userId", AdalErrorMessage.SpecifyAnyUser);
    }

    this.userId = userId;

    // Callers sometimes pass "&a=b"; strip the leading separator since it is added when the query is built.
    string trimmedExtraQueryParameters = extraQueryParameters;
    bool startsWithAmpersand = !string.IsNullOrEmpty(extraQueryParameters) && extraQueryParameters[0] == '&';
    if (startsWithAmpersand)
    {
        trimmedExtraQueryParameters = extraQueryParameters.Substring(1);
    }

    this.extraQueryParameters = trimmedExtraQueryParameters;
    this.webUi = webUI;

    UniqueId = userId.UniqueId;
    DisplayableId = userId.DisplayableId;
    UserIdentifierType = userId.Type;

    // Cache lookup requires a cache, platform parameters, and a platform policy that allows it.
    bool cacheAvailable = tokenCache != null && parameters != null;
    LoadFromCache = cacheAvailable && PlatformPlugin.PlatformInformation.GetCacheLoadPolicy(parameters);

    SupportADFS = false;
}
/// <summary>
/// Handler that redeems a caller-supplied refresh token. The cache is neither read nor written,
/// since the caller is managing the refresh token directly.
/// </summary>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="refreshToken"/> is null or whitespace.</exception>
/// <exception cref="ArgumentException">
/// Thrown when a resource is specified against a non-AAD authority (multi-resource refresh
/// tokens are only supported there).
/// </exception>
public AcquireTokenByRefreshTokenHandler(Authenticator authenticator, TokenCache tokenCache, string resource, ClientKey clientKey, string refreshToken, bool callSync)
    : base(authenticator, tokenCache, resource ?? NullResource, clientKey, TokenSubjectType.UserPlusClient, callSync)
{
    if (string.IsNullOrWhiteSpace(refreshToken))
    {
        throw new ArgumentNullException("refreshToken");
    }

    bool resourceSpecified = !string.IsNullOrWhiteSpace(resource);
    bool authorityIsAad = this.Authenticator.AuthorityType == AuthorityType.AAD;
    if (resourceSpecified && !authorityIsAad)
    {
        throw new ArgumentException(AdalErrorMessage.UnsupportedMultiRefreshToken, "resource");
    }

    this.refreshToken = refreshToken;

    // The supplied refresh token is authoritative; bypass the cache entirely.
    LoadFromCache = false;
    StoreToCache = false;

    SupportADFS = true;
}
/// <summary>
/// Handler for interactive, resource-based acquisition through a web UI. Cache lookup is skipped
/// when the prompt behavior demands a fresh sign-in (<see cref="PromptBehavior.Always"/> or
/// <see cref="PromptBehavior.RefreshSession"/>).
/// </summary>
/// <exception cref="ArgumentNullException">
/// Thrown when <paramref name="redirectUri"/> is null, or when <paramref name="userId"/> is null
/// (the message points the caller at the "any user" identifier instead of null).
/// </exception>
/// <exception cref="ArgumentException">Thrown when <paramref name="redirectUri"/> contains a fragment.</exception>
public AcquireTokenInteractiveHandler(Authenticator authenticator, TokenCache tokenCache, string resource, string clientId, Uri redirectUri, PromptBehavior promptBehavior, UserIdentifier userId, string extraQueryParameters, IWebUI webUI, bool callSync)
    : base(authenticator, tokenCache, resource, new ClientKey(clientId), TokenSubjectType.User, callSync)
{
    if (redirectUri == null)
    {
        throw new ArgumentNullException("redirectUri");
    }

    // A fragment would be dropped by the browser and can never round-trip, so reject it.
    bool hasFragment = !string.IsNullOrWhiteSpace(redirectUri.Fragment);
    if (hasFragment)
    {
        throw new ArgumentException(AdalErrorMessage.RedirectUriContainsFragment, "redirectUri");
    }

    this.redirectUri = redirectUri;
    SetRedirectUriRequestParameter();

    if (userId == null)
    {
        throw new ArgumentNullException("userId", AdalErrorMessage.SpecifyAnyUser);
    }

    this.userId = userId;
    this.promptBehavior = promptBehavior;

    // Callers sometimes pass "&a=b"; strip the leading separator since it is added when the query is built.
    string trimmedExtraQueryParameters = extraQueryParameters;
    bool startsWithAmpersand = !string.IsNullOrEmpty(extraQueryParameters) && extraQueryParameters[0] == '&';
    if (startsWithAmpersand)
    {
        trimmedExtraQueryParameters = extraQueryParameters.Substring(1);
    }

    this.extraQueryParameters = trimmedExtraQueryParameters;
    this.webUi = webUI;

    UniqueId = userId.UniqueId;
    DisplayableId = userId.DisplayableId;
    UserIdentifierType = userId.Type;

    // Behaviors that force a new sign-in must not be satisfied from the cache.
    bool forcesFreshSignIn = promptBehavior == PromptBehavior.Always || promptBehavior == PromptBehavior.RefreshSession;
    LoadFromCache = tokenCache != null && !forcesFreshSignIn;

    SupportADFS = true;
}
/// <summary>
/// Handler that redeems an authorization code for the requested scopes. The code is single-use,
/// so the cache is never consulted for this request.
/// </summary>
/// <exception cref="ArgumentNullException">
/// Thrown when <paramref name="authorizationCode"/> is null or whitespace, or when
/// <paramref name="redirectUri"/> is null.
/// </exception>
public AcquireTokenByAuthorizationCodeHandler(Authenticator authenticator, TokenCache tokenCache, string[] scope, ClientKey clientKey, string authorizationCode, Uri redirectUri, string extraQueryParameters)
    : base(authenticator, tokenCache, scope, clientKey, TokenSubjectType.UserPlusClient)
{
    if (string.IsNullOrWhiteSpace(authorizationCode))
    {
        throw new ArgumentNullException("authorizationCode");
    }

    if (redirectUri == null)
    {
        throw new ArgumentNullException("redirectUri");
    }

    this.authorizationCode = authorizationCode;
    // The redirect URI must match the one used on the authorize request; the service checks it.
    this.redirectUri = redirectUri;
    this.extraQueryParameters = extraQueryParameters;

    LoadFromCache = false;
    SupportADFS = false;
}
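/// <summary>
/// Shared initialization for the resource-based token-acquisition handlers: records the
/// authority, cache, resource, client and subject settings and creates the call state.
/// </summary>
/// <param name="authenticator">Authority the token is requested from; must not be null.</param>
/// <param name="tokenCache">Cache to read from and write to; null disables both.</param>
/// <param name="resource">Target resource; the <c>NullResource</c> sentinel is stored as null.</param>
/// <param name="clientKey">Client identity (and credential, if any); must not be null.</param>
/// <param name="subjectType">Whether the token is for a user, the client, or user-plus-client.</param>
/// <param name="callSync">Whether the caller runs the request synchronously.</param>
/// <exception cref="ArgumentNullException">
/// Thrown when <paramref name="authenticator"/> or <paramref name="clientKey"/> is null, or when
/// <paramref name="resource"/> is null or whitespace.
/// </exception>
protected AcquireTokenHandlerBase(Authenticator authenticator, TokenCache tokenCache, string resource, ClientKey clientKey, TokenSubjectType subjectType, bool callSync)
{
    // Validate every required argument before any of them is dereferenced, so a null
    // authenticator fails here rather than at authenticator.CorrelationId below.
    if (authenticator == null)
    {
        throw new ArgumentNullException("authenticator");
    }

    if (clientKey == null)
    {
        throw new ArgumentNullException("clientKey");
    }

    if (string.IsNullOrWhiteSpace(resource))
    {
        throw new ArgumentNullException("resource");
    }

    this.Authenticator = authenticator;
    this.tokenCache = tokenCache;

    // Overloads without a resource pass the NullResource sentinel; keep the field null in that case.
    this.Resource = (resource != NullResource) ? resource : null;
    this.ClientKey = clientKey;
    this.TokenSubjectType = subjectType;
    this.CallState = CreateCallState(this.Authenticator.CorrelationId, callSync);

    // A null cache disables both lookup and storage; derived handlers may narrow these further.
    this.LoadFromCache = (tokenCache != null);
    this.StoreToCache = (tokenCache != null);
    this.SupportADFS = false;
}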
/// <summary>
/// Handler that redeems an authorization code for a resource. A null resource is passed to the
/// base as the <c>NullResource</c> sentinel. The code is single-use, so the cache is never
/// consulted for this request.
/// </summary>
/// <exception cref="ArgumentNullException">
/// Thrown when <paramref name="authorizationCode"/> is null or whitespace, or when
/// <paramref name="redirectUri"/> is null.
/// </exception>
public AcquireTokenByAuthorizationCodeHandler(Authenticator authenticator, TokenCache tokenCache, string resource, ClientKey clientKey, string authorizationCode, Uri redirectUri, bool callSync)
    : base(authenticator, tokenCache, resource ?? NullResource, clientKey, TokenSubjectType.UserPlusClient, callSync)
{
    if (string.IsNullOrWhiteSpace(authorizationCode))
    {
        throw new ArgumentNullException("authorizationCode");
    }

    if (redirectUri == null)
    {
        throw new ArgumentNullException("redirectUri");
    }

    this.authorizationCode = authorizationCode;
    // The redirect URI must match the one used on the authorize request; the service checks it.
    this.redirectUri = redirectUri;

    LoadFromCache = false;
    SupportADFS = true;
}
/// <summary>
/// Handler for application-only tokens (<see cref="TokenSubjectType.Client"/>): the client
/// authenticates with its own key and no user identifier is involved.
/// </summary>
public AcquireTokenForClientHandler(Authenticator authenticator, TokenCache tokenCache, string resource, ClientKey clientKey, bool callSync)
    : base(authenticator, tokenCache, resource, clientKey, TokenSubjectType.Client, callSync)
{
    // Unlike the base default, client tokens may also be requested from an ADFS authority.
    SupportADFS = true;
}
/// <summary>
/// Selects at most one cached entry for the request described by <paramref name="cacheQueryData"/>.
/// Preference order: an entry for the exact resource; otherwise any multi-resource refresh token
/// (MRRT) returned by the same query; otherwise, for non-client tokens only, an entry for the same
/// client/user from any authority, unless that authority is detected as ADFS.
/// </summary>
/// <param name="cacheQueryData">Authority, client, subject, user and resource to match on.</param>
/// <param name="callState">Call context used for logging.</param>
/// <returns>The selected cache entry, or null when nothing usable was found.</returns>
/// <exception cref="AdalException">
/// <see cref="AdalError.MultipleTokensMatched"/> when more than one entry matches the exact resource.
/// </exception>
private KeyValuePair<TokenCacheKey, AuthenticationResultEx>? LoadSingleItemFromCache(CacheQueryData cacheQueryData, CallState callState)
{
    // Both QueryCache calls run under the same lock so the selection sees a consistent cache.
    lock (cacheLock)
    {
        // First identify all potential tokens.
        List<KeyValuePair<TokenCacheKey, AuthenticationResultEx>> items = this.QueryCache(cacheQueryData.Authority, cacheQueryData.ClientId, cacheQueryData.SubjectType, cacheQueryData.UniqueId, cacheQueryData.DisplayableId, cacheQueryData.AssertionHash);

        // Narrow to entries whose key was issued for the requested resource.
        List<KeyValuePair<TokenCacheKey, AuthenticationResultEx>> resourceSpecificItems = items.Where(p => p.Key.ResourceEquals(cacheQueryData.Resource)).ToList();

        int resourceValuesCount = resourceSpecificItems.Count();
        KeyValuePair<TokenCacheKey, AuthenticationResultEx>? returnValue = null;
        switch (resourceValuesCount)
        {
            case 1:
                PlatformPlugin.Logger.Information(callState, "An item matching the requested resource was found in the cache");
                returnValue = resourceSpecificItems.First();
                break;
            case 0:
                {
                    // There are no resource specific tokens. Choose any of the MRRT tokens if there are any.
                    List<KeyValuePair<TokenCacheKey, AuthenticationResultEx>> mrrtItems = items.Where(p => p.Value.IsMultipleResourceRefreshToken).ToList();
                    if (mrrtItems.Any())
                    {
                        returnValue = mrrtItems.First();
                        PlatformPlugin.Logger.Information(callState, "A Multi Resource Refresh Token for a different resource was found which can be used");
                    }
                }
                break;
            default:
                // Several entries for one resource is ambiguous; fail rather than pick one.
                throw new AdalException(AdalError.MultipleTokensMatched);
        }

        // check for tokens issued to same client_id/user_id combination, but any tenant.
        // this check only applies to user tokens. client tokens should be ignored.
        if (returnValue == null && cacheQueryData.SubjectType != TokenSubjectType.Client)
        {
            // Authority is null here, so the query is not restricted to the requested tenant.
            List<KeyValuePair<TokenCacheKey, AuthenticationResultEx>> itemsForAllTenants = this.QueryCache(null, cacheQueryData.ClientId, cacheQueryData.SubjectType, cacheQueryData.UniqueId, cacheQueryData.DisplayableId, cacheQueryData.AssertionHash);
            if (itemsForAllTenants.Count != 0)
            {
                // NOTE(review): with several cross-tenant matches this takes whichever the query
                // listed first; no ordering is applied here. The entry was issued by a different
                // authority than the one requested — presumably the caller uses only its refresh
                // token to obtain a token at the requested authority; confirm in the caller.
                returnValue = itemsForAllTenants.First();
            }

            // check if the token was issued by AAD
            // NOTE(review): an entry whose authority is detected as ADFS is discarded here,
            // presumably because it cannot be redeemed at another authority — confirm.
            if (returnValue != null && Authenticator.DetectAuthorityType(returnValue.Value.Key.Authority) == AuthorityType.ADFS)
            {
                returnValue = null;
            }
        }

        return (returnValue);
    }
}
/// <summary>
/// Core constructor shared by the public overloads: builds the <see cref="Authenticator"/> for
/// <paramref name="authority"/> and attaches the token cache.
/// </summary>
/// <param name="authority">Authority URL to authenticate against.</param>
/// <param name="validateAuthority">
/// Whether the authority should be validated. Only <see cref="AuthorityValidationType.False"/>
/// opts out; any other value (including the one used when the caller did not specify it)
/// validates by default, except for ASG and Office tenants.
/// </param>
/// <param name="tokenCache">Cache used by this context; may be null.</param>
private AuthenticationContext(string authority, AuthorityValidationType validateAuthority, TokenCache tokenCache)
{
    // If authorityType is not provided (via first constructor), we validate by default (except for ASG and Office tenants).
    bool shouldValidate = validateAuthority != AuthorityValidationType.False;

    Authenticator = new Authenticator(authority, shouldValidate);
    TokenCache = tokenCache;
}