/// <summary>
/// Creates the context handed to the validate-client-redirect-URI event for an incoming
/// authorization request. The constructor only forwards to the base context; all state
/// (context, options, request) lives in the base class.
/// </summary>
/// <param name="context">The OWIN context of the current request.</param>
/// <param name="options">The server options in effect.</param>
/// <param name="authorizationRequest">The authorization request whose redirect_uri is being validated.</param>
internal OpenIdConnectValidateClientRedirectUriContext(
    IOwinContext context,
    OpenIdConnectServerOptions options,
    OpenIdConnectMessage authorizationRequest)
    : base(context, options, authorizationRequest)
{
}
/// <summary>
/// Generates a fresh nonce, puts it on the outgoing <paramref name="message"/> and persists a
/// protected copy in a cookie named by GetNonceKey(nonce), so that RetrieveNonce can later
/// correlate the returned id_token with this particular request.
/// </summary>
/// <param name="message">The authentication request about to be sent to the identity provider.</param>
/// <exception cref="ArgumentNullException">if <paramref name="message"/> is null.</exception>
protected override void AddNonceToMessage(OpenIdConnectMessage message)
{
    if (message == null)
    {
        throw new ArgumentNullException("message");
    }

    string nonce = Options.ProtocolValidator.GenerateNonce();
    message.Nonce = nonce;

    // The cookie payload is the nonce wrapped in AuthenticationProperties and protected with the
    // configured StateDataFormat; a cookie that was tampered with fails to unprotect on the way back.
    var state = new AuthenticationProperties();
    state.Dictionary.Add(NonceProperty, nonce);
    string protectedState = Options.StateDataFormat.Protect(state);
    string cookieValue = Convert.ToBase64String(Encoding.UTF8.GetBytes(protectedState));

    // Cookie name: a hash of the nonce (per GetNonceKey) rather than the nonce itself.
    string cookieName = GetNonceKey(nonce);

    // NOTE(review): Secure follows the request scheme, so over plain HTTP the nonce cookie travels
    // in clear; no expiry is set (session cookie) and no SameSite attribute is applied here.
    var cookieOptions = new CookieOptions
    {
        HttpOnly = true,
        Secure = Request.IsSecure,
    };
    Response.Cookies.Append(cookieName, cookieValue, cookieOptions);
}
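/// <summary>
/// Verifies that a freshly constructed <see cref="OpenIdConnectMessage"/> leaves every checked
/// parameter unset (null). All mismatches are collected and reported in a single failure.
/// </summary>
public void OpenIdConnectMessage_Defaults()
{
    List<string> errors = new List<string>();
    OpenIdConnectMessage message = new OpenIdConnectMessage();

    // Records a failure naming the property, so the report always matches the property checked
    // (the previous hand-written messages had drifted: "ArcValues" for AcrValues).
    Action<string, string> requireNull = (name, value) =>
    {
        if (value != null)
        {
            errors.Add("message." + name + " != null");
        }
    };

    requireNull("AcrValues", message.AcrValues);
    requireNull("ClientAssertion", message.ClientAssertion);
    requireNull("ClientAssertionType", message.ClientAssertionType);
    requireNull("ClaimsLocales", message.ClaimsLocales);
    requireNull("ClientId", message.ClientId);
    requireNull("ClientSecret", message.ClientSecret);
    requireNull("Code", message.Code);
    requireNull("Display", message.Display);
    requireNull("IdTokenHint", message.IdTokenHint);
    requireNull("LoginHint", message.LoginHint);
    requireNull("MaxAge", message.MaxAge);
    requireNull("Prompt", message.Prompt);
    requireNull("RedirectUri", message.RedirectUri);
    requireNull("State", message.State);
    requireNull("UiLocales", message.UiLocales);

    if (errors.Count > 0)
    {
        StringBuilder sb = new StringBuilder();
        foreach (string error in errors)
        {
            sb.AppendLine(error);
        }
        Assert.Fail("OpenIdConnectMessage_Defaults *** Test Failures:\n" + sb.ToString());
    }
}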
/// <summary>
/// Wraps the JSON body returned by the token endpoint and projects the standard fields
/// (access_token, id_token, token_type, expires_in) onto an <see cref="OpenIdConnectMessage"/>.
/// </summary>
/// <param name="jsonResponse">The parsed token endpoint response; kept as-is in JsonResponse.</param>
public OpenIdConnectTokenEndpointResponse(JObject jsonResponse)
{
    JsonResponse = jsonResponse;

    // Every field is read as a string from the stored JSON under its protocol parameter name.
    Func<string, string> field = name => JsonResponse.Value<string>(name);

    var message = new OpenIdConnectMessage();
    message.AccessToken = field(OpenIdConnectParameterNames.AccessToken);
    message.IdToken = field(OpenIdConnectParameterNames.IdToken);
    message.TokenType = field(OpenIdConnectParameterNames.TokenType);
    message.ExpiresIn = field(OpenIdConnectParameterNames.ExpiresIn);
    Message = message;
}
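/// <summary>
/// Exercises the three constructor shapes: default (IssuerAddress is the empty string), explicit
/// issuer address (echoed back unchanged) and null issuer address (ArgumentNullException).
/// </summary>
public void OpenIdConnectMessage_Constructors()
{
    // Assert.AreEqual takes (expected, actual); the previous order produced misleading failure text.
    OpenIdConnectMessage openIdConnectMessage = new OpenIdConnectMessage();
    Assert.AreEqual(string.Empty, openIdConnectMessage.IssuerAddress);

    openIdConnectMessage = new OpenIdConnectMessage("http://www.got.jwt.com");
    Assert.AreEqual("http://www.got.jwt.com", openIdConnectMessage.IssuerAddress);

    // A null issuer address must be rejected, naming the 'issuerAddress' parameter.
    ExpectedException expectedException = ExpectedException.ArgumentNullException("issuerAddress");
    try
    {
        openIdConnectMessage = new OpenIdConnectMessage((string)null);
        expectedException.ProcessNoException();
    }
    catch (Exception exception)
    {
        expectedException.ProcessException(exception);
    }
}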
/// <summary>
/// Copy constructor: clones the parameter bag of <paramref name="other"/> entry by entry through
/// SetParameter and copies the addressing state (endpoints, issuer address, request type) that
/// lives outside the bag.
/// </summary>
/// <param name="other">The <see cref="OpenIdConnectMessage"/> to copy.</param>
/// <exception cref="ArgumentNullException">if <paramref name="other"/> is null.</exception>
protected OpenIdConnectMessage(OpenIdConnectMessage other)
{
    if (other == null)
    {
        throw new ArgumentNullException("other");
    }

    foreach (KeyValuePair<string, string> parameter in other.Parameters)
    {
        SetParameter(parameter.Key, parameter.Value);
    }

    // Not part of Parameters, so they must be copied explicitly.
    AuthorizationEndpoint = other.AuthorizationEndpoint;
    TokenEndpoint = other.TokenEndpoint;
    IssuerAddress = other.IssuerAddress;
    RequestType = other.RequestType;
}
/// <summary>
/// Recovers the nonce that AddNonceToMessage stored for the request which produced
/// <paramref name="message"/>. The id_token's nonce claim is read from the token WITHOUT
/// validating it and is used only to derive the cookie name; the value returned comes from the
/// protected cookie, and it is the caller (ProtocolValidator) that compares it against the
/// validated token's nonce.
/// </summary>
/// <param name="message">The incoming response; its IdToken is expected to be set.</param>
/// <returns>The nonce stored for this request, or null when there is no id_token, no matching
/// cookie, or the cookie fails to unprotect.</returns>
protected override string RetrieveNonce(OpenIdConnectMessage message)
{
    if (message.IdToken == null)
    {
        return null;
    }

    // Structural parse only — no signature or claim validation happens here.
    var unvalidatedToken = new JwtSecurityToken(message.IdToken);
    string cookieName = GetNonceKey(unvalidatedToken.Payload.Nonce);

    string cookieValue = Request.Cookies[cookieName];
    if (string.IsNullOrWhiteSpace(cookieValue))
    {
        _logger.WriteWarning("The nonce cookie was not found.");
        return null;
    }

    // One-shot: the cookie is deleted as soon as it has been read, whether or not it unprotects.
    var cookieOptions = new CookieOptions
    {
        HttpOnly = true,
        Secure = Request.IsSecure
    };
    Response.Cookies.Delete(cookieName, cookieOptions);

    // NOTE(review): a cookie value that is not valid base64 makes Convert.FromBase64String throw
    // FormatException, which propagates to the caller instead of becoming a null return.
    byte[] protectedBytes = Convert.FromBase64String(cookieValue);
    AuthenticationProperties state = Options.StateDataFormat.Unprotect(Encoding.UTF8.GetString(protectedBytes));
    if (state == null)
    {
        _logger.WriteWarning("Failed to un-protect the nonce cookie.");
        return null;
    }

    string nonce;
    state.Dictionary.TryGetValue(NonceProperty, out nonce);
    return nonce;
}
/// <summary>
/// Inserts the ambient <see cref="OpenIdConnectMessage"/> response in the OWIN context, under the
/// response environment key. Passing null clears the stored response.
/// </summary>
/// <param name="context">The OWIN context.</param>
/// <param name="response">The ambient <see cref="OpenIdConnectMessage"/>, or null to remove it.</param>
public static void SetOpenIdConnectResponse(this IOwinContext context, OpenIdConnectMessage response)
{
    string key = OpenIdConnectConstants.Environment.Response;
    SetOpenIdConnectMessage(context, key, response);
}
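/// <summary>
/// Stores <paramref name="message"/> in the OWIN environment under two entries derived from
/// <paramref name="key"/>: the message object itself and a read-only copy of its parameters as
/// single-element string arrays. A null message removes both entries instead.
/// </summary>
/// <param name="context">The OWIN context whose environment is updated.</param>
/// <param name="key">The environment key prefix (request or response).</param>
/// <param name="message">The message to store, or null to clear the entries.</param>
/// <exception cref="ArgumentNullException">if <paramref name="context"/> is null.</exception>
/// <exception cref="ArgumentException">if <paramref name="key"/> is null, empty or whitespace.</exception>
private static void SetOpenIdConnectMessage(this IOwinContext context, string key, OpenIdConnectMessage message)
{
    if (context == null)
    {
        throw new ArgumentNullException("context");
    }

    if (string.IsNullOrWhiteSpace(key))
    {
        // Previously the bare text "key" was passed as the exception *message*; give a real
        // message and report the offending parameter through the paramName argument.
        throw new ArgumentException("The key cannot be null, empty or whitespace.", "key");
    }

    string messageKey = key + OpenIdConnectConstants.Environment.Message;
    string parametersKey = key + OpenIdConnectConstants.Environment.Parameters;

    if (message == null)
    {
        context.Environment.Remove(messageKey);
        context.Environment.Remove(parametersKey);
        return;
    }

    // Parameters are copied into a fresh dictionary and exposed read-only, one-element array per value.
    var parameters = new ReadOnlyDictionary<string, string[]>(
        message.Parameters.ToDictionary(
            keySelector: parameter => parameter.Key,
            elementSelector: parameter => new[] { parameter.Value }));

    context.Set(messageKey, message);
    context.Set(parametersKey, parameters);
}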
/// <summary>
/// Drives the test authentication handler with a POSTed form built from <paramref name="message"/>.
/// Parameters whose value is null are dropped from the form before posting (unlike AuthenticateCore,
/// which posts every parameter).
/// </summary>
/// <param name="action">Configures the handler options for this run.</param>
/// <param name="message">The protocol message whose parameters become the posted form.</param>
public async Task AuthenticateCoreState(Action<OpenIdConnectAuthenticationOptions> action, OpenIdConnectMessage message)
{
    var options = new ConfigureOptions<OpenIdConnectAuthenticationOptions>(action);
    var handler = new OpenIdConnectAuthenticationHandlerForTestingAuthenticate();
    var server = CreateServer(options, UrlEncoder.Default, handler);

    var nonNullParameters = message.Parameters.Where(pair => pair.Value != null);
    var form = new FormUrlEncodedContent(nonNullParameters);
    await server.CreateClient().PostAsync("http://localhost", form);
}
/// <summary>
/// Posts every parameter of <paramref name="message"/> to the test server and asserts that the
/// in-memory logger captured exactly the entries identified by <paramref name="expectedLogIndexes"/>.
/// </summary>
/// <param name="logLevel">Minimum level the in-memory logger records.</param>
/// <param name="expectedLogIndexes">Indexes (into LoggingUtilities' catalogue) of the expected entries.</param>
/// <param name="action">Configures the handler options for this run.</param>
/// <param name="message">The protocol message whose parameters become the posted form.</param>
public async Task AuthenticateCore(LogLevel logLevel, int[] expectedLogIndexes, Action<OpenIdConnectAuthenticationOptions> action, OpenIdConnectMessage message)
{
    var expectedLogs = LoggingUtilities.PopulateLogEntries(expectedLogIndexes);
    var loggerFactory = new InMemoryLoggerFactory(logLevel);
    var handler = new OpenIdConnectAuthenticationHandlerForTestingAuthenticate();
    var server = CreateServer(new ConfigureOptions<OpenIdConnectAuthenticationOptions>(action), UrlEncoder.Default, loggerFactory, handler);

    await server.CreateClient().PostAsync("http://localhost", new FormUrlEncodedContent(message.Parameters));

    // Each mismatch is a (expected, actual) pair; the full list is printed and then asserted empty.
    var mismatches = new List<Tuple<LogEntry, LogEntry>>();
    LoggingUtilities.CheckLogs(loggerFactory.Logger.Logs, expectedLogs, mismatches);
    string report = LoggingUtilities.LoggingErrors(mismatches);
    Debug.WriteLine(report);
    Assert.True(mismatches.Count == 0, LoggingUtilities.LoggingErrors(mismatches));
}
/// <summary>
/// Constructing a message from form data must tolerate degenerate entries: a null value, an empty
/// value, a null key with a null value, and a null key with a null value array.
/// </summary>
public void OpenIdConnectMessage_NullFormParameters()
{
    var formData = new List<KeyValuePair<string, string[]>>
    {
        new KeyValuePair<string, string[]>("key", new string[] { "data" }),
        new KeyValuePair<string, string[]>("nullData", new string[] { null }),
        new KeyValuePair<string, string[]>("emptyData", new string[] { string.Empty }),
        new KeyValuePair<string, string[]>(null, new string[] { null }),
        new KeyValuePair<string, string[]>(null, null),
    };

    // Only construction is exercised; the resulting parameter set is not inspected.
    var msg = new OpenIdConnectMessage(formData);
    Assert.IsNotNull(msg);
}
/// <summary>
/// When the issuer address already carries a query string, BuildRedirectUrl must keep it and
/// append further parameters with '&amp;' rather than a second '?'.
/// </summary>
public void OpenIdConnectMessage_IssuerAddressHasQuery()
{
    var errors = new List<string>();
    const string address = "http://gotJwt.onmicrosoft.com/?foo=bar";
    string clientId = Guid.NewGuid().ToString();
    var message = new OpenIdConnectMessage(address);

    // No parameters set: the URL is the issuer address, existing query included.
    Report("1", errors, message.BuildRedirectUrl(), address);

    // One parameter set: appended with '&' because a query is already present.
    message.ClientId = clientId;
    string expected = address + "&client_id=" + clientId;
    Report("2", errors, message.BuildRedirectUrl(), expected);

    // NOTE(review): 'errors' is collected but never asserted in this test; findings are only
    // visible through whatever Report itself does.
}
/// <summary>
/// Round-trips values through every string property of <see cref="OpenIdConnectMessage"/> with the
/// shared GetSet harness, after first checking that the public property count is still the one
/// these expectations were written against (47).
/// </summary>
public void OpenIdConnectMessage_GetSets()
{
    OpenIdConnectMessage message = new OpenIdConnectMessage();

    // Guard: a property added or removed from the type means this list must be revisited.
    PropertyInfo[] publicProperties = typeof(OpenIdConnectMessage).GetProperties();
    if (publicProperties.Length != 47)
    {
        Assert.Fail("Number of public fields has changed from 47 to: " + publicProperties.Length + ", adjust tests");
    }

    // Each property is exercised with its expected initial value followed by two random strings.
    Func<string, object, KeyValuePair<string, List<object>>> property = (name, initial) =>
        new KeyValuePair<string, List<object>>(
            name,
            new List<object> { initial, Guid.NewGuid().ToString(), Guid.NewGuid().ToString() });

    GetSetContext context = new GetSetContext
    {
        PropertyNamesAndSetGetValue = new List<KeyValuePair<string, List<object>>>
        {
            // IssuerAddress is the one property whose default is the empty string, not null.
            property("IssuerAddress", string.Empty),
            property("AuthorizationEndpoint", null),
            property("AccessToken", null),
            property("AcrValues", null),
            property("ClaimsLocales", null),
            property("ClientAssertion", null),
            property("ClientAssertionType", null),
            property("ClientId", null),
            property("ClientSecret", null),
            property("Code", null),
            property("Display", null),
            property("DomainHint", null),
            property("Error", null),
            property("ErrorDescription", null),
            property("ErrorUri", null),
            property("ExpiresIn", null),
            property("GrantType", null),
            property("IdToken", null),
            property("IdTokenHint", null),
            property("IdentityProvider", null),
            property("MaxAge", null),
            property("Password", null),
            property("PostLogoutRedirectUri", null),
            property("Prompt", null),
            property("RedirectUri", null),
            property("RequestUri", null),
            property("ResponseMode", null),
            property("ResponseType", null),
            property("Resource", null),
            property("Scope", null),
            property("SessionState", null),
            property("State", null),
            property("TargetLinkUri", null),
            property("Token", null),
            property("TokenEndpoint", null),
            property("TokenType", null),
            property("UiLocales", null),
            property("UserId", null),
            property("Username", null),
        },
        Object = message,
    };

    TestUtilities.GetSet(context);

    if (context.Errors.Count != 0)
    {
        StringBuilder sb = new StringBuilder();
        sb.AppendLine(Environment.NewLine);
        foreach (string str in context.Errors)
        {
            sb.AppendLine(str);
        }
        Assert.Fail(sb.ToString());
    }
}
/// <summary>
/// Checks BuildRedirectUrl against hand-written expectations as parameters are added one at a
/// time: empty message; response_mode/response_type/scope; nonce; issuer address; redirect_uri;
/// an empty issuer address; resource; and finally a custom parameter. Findings are accumulated
/// through Report and asserted once at the end.
/// </summary>
public void OpenIdConnectMessage_Publics()
{
    string issuerAddress = "http://gotJwt.onmicrosoft.com";
    string customParameterName = "Custom Parameter Name";
    string customParameterValue = "Custom Parameter Value";
    string nonce = Guid.NewGuid().ToString();
    string redirectUri = "http://gotJwt.onmicrosoft.com/signedIn";
    string resource = "location data";
    List<string> errors = new List<string>();

    // 1: a default message with no issuer address renders as the empty string.
    OpenIdConnectMessage message = new OpenIdConnectMessage();
    string url = message.BuildRedirectUrl();
    string expected = string.Format(CultureInfo.InvariantCulture, @"");
    Report("1", errors, url, expected);

    // 1a: still no issuer address, so the URL is just the query string (note the leading '?').
    message.ResponseMode = OpenIdConnectResponseModes.FormPost;
    message.ResponseType = OpenIdConnectResponseTypes.CodeIdToken;
    message.Scope = OpenIdConnectScopes.OpenIdProfile;
    url = message.BuildRedirectUrl();
    expected = string.Format(CultureInfo.InvariantCulture, @"?response_mode=form_post&response_type=code+id_token&scope=openid+profile");
    Report("1a", errors, url, expected);

    // 2: nonce added, appended after the existing parameters.
    message.Nonce = nonce;
    url = message.BuildRedirectUrl();
    expected = string.Format(CultureInfo.InvariantCulture, @"?response_mode=form_post&response_type=code+id_token&scope=openid+profile&nonce={0}", nonce);
    Report("2", errors, url, expected);

    // 3: issuer address present, same parameters as above.
    message = new OpenIdConnectMessage(issuerAddress);
    message.ResponseMode = OpenIdConnectResponseModes.FormPost;
    message.ResponseType = OpenIdConnectResponseTypes.CodeIdToken;
    message.Scope = OpenIdConnectScopes.OpenIdProfile;
    message.Nonce = nonce;
    url = message.BuildRedirectUrl();
    expected = string.Format(CultureInfo.InvariantCulture, @"{0}?response_mode=form_post&response_type=code+id_token&scope=openid+profile&nonce={1}", issuerAddress, nonce);
    Report("3", errors, url, expected);

    // 4: issuer address and redirect_uri (URL-encoded in the expectation).
    message.RedirectUri = redirectUri;
    url = message.BuildRedirectUrl();
    expected = string.Format(CultureInfo.InvariantCulture, @"{0}?response_mode=form_post&response_type=code+id_token&scope=openid+profile&nonce={1}&redirect_uri={2}", issuerAddress, message.Nonce, HttpUtility.UrlEncode(redirectUri));
    Report("4", errors, url, expected);

    // 5: issuer address cleared again, redirect_uri kept.
    message.IssuerAddress = string.Empty;
    url = message.BuildRedirectUrl();
    expected = string.Format(CultureInfo.InvariantCulture, @"?response_mode=form_post&response_type=code+id_token&scope=openid+profile&nonce={0}&redirect_uri={1}", message.Nonce, HttpUtility.UrlEncode(redirectUri));
    Report("5", errors, url, expected);

    // 6: issuer address, redirect_uri and resource.
    message = new OpenIdConnectMessage(issuerAddress);
    message.ResponseMode = OpenIdConnectResponseModes.FormPost;
    message.ResponseType = OpenIdConnectResponseTypes.CodeIdToken;
    message.Scope = OpenIdConnectScopes.OpenIdProfile;
    message.Nonce = nonce;
    message.RedirectUri = redirectUri;
    message.Resource = resource;
    url = message.BuildRedirectUrl();
    expected = string.Format(CultureInfo.InvariantCulture, @"{0}?response_mode=form_post&response_type=code+id_token&scope=openid+profile&nonce={1}&redirect_uri={2}&resource={3}", issuerAddress, message.Nonce, HttpUtility.UrlEncode(redirectUri), HttpUtility.UrlEncode(resource));
    Report("6", errors, url, expected);

    // 7: as 6, plus a custom parameter added directly to the bag before redirect_uri and resource,
    // so it is expected to appear between nonce and redirect_uri (insertion order).
    message = new OpenIdConnectMessage(issuerAddress);
    message.ResponseMode = OpenIdConnectResponseModes.FormPost;
    message.ResponseType = OpenIdConnectResponseTypes.CodeIdToken;
    message.Scope = OpenIdConnectScopes.OpenIdProfile;
    message.Nonce = nonce;
    message.Parameters.Add(customParameterName, customParameterValue);
    message.RedirectUri = redirectUri;
    message.Resource = resource;
    url = message.BuildRedirectUrl();
    expected = string.Format(CultureInfo.InvariantCulture, @"{0}?response_mode=form_post&response_type=code+id_token&scope=openid+profile&nonce={1}&{2}={3}&redirect_uri={4}&resource={5}", issuerAddress, message.Nonce, HttpUtility.UrlEncode(customParameterName), HttpUtility.UrlEncode(customParameterValue), HttpUtility.UrlEncode(redirectUri), HttpUtility.UrlEncode(resource));
    Report("7", errors, url, expected);

    if (errors.Count != 0)
    {
        StringBuilder sb = new StringBuilder();
        sb.AppendLine(Environment.NewLine);
        foreach (string str in errors)
            sb.AppendLine(str);
        Assert.Fail(sb.ToString());
    }
}
/// <summary>
/// Inserts the ambient <see cref="OpenIdConnectMessage"/> request in the OWIN context, under the
/// request environment key. Passing null clears the stored request.
/// </summary>
/// <param name="context">The OWIN context.</param>
/// <param name="request">The ambient <see cref="OpenIdConnectMessage"/>, or null to remove it.</param>
public static void SetOpenIdConnectRequest(this IOwinContext context, OpenIdConnectMessage request)
{
    string key = OpenIdConnectConstants.Environment.Request;
    SetOpenIdConnectMessage(context, key, request);
}
/// <summary>
/// Copy constructor: clones the parameter bag of <paramref name="other"/> entry by entry through
/// SetParameter and copies the issuer address, which lives outside the bag.
/// </summary>
/// <param name="other">The <see cref="OpenIdConnectMessage"/> to copy.</param>
/// <exception cref="ArgumentNullException">if <paramref name="other"/> is null.</exception>
protected OpenIdConnectMessage(OpenIdConnectMessage other)
{
    if (other == null)
    {
        throw new ArgumentNullException("other");
    }

    IssuerAddress = other.IssuerAddress;

    foreach (KeyValuePair<string, string> parameter in other.Parameters)
    {
        SetParameter(parameter.Key, parameter.Value);
    }
}
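/// <summary>
/// Handles a 401 by redirecting the browser to the B2C authorization endpoint of the policy named
/// in the challenge's <c>AuthenticationProperties</c>. The round-trip state (including the policy
/// and the redirect_uri used) is protected with <c>Options.StateDataFormat</c> and carried in the
/// <c>state</c> parameter; a nonce cookie is added when the protocol validator requires one.
/// </summary>
/// <exception cref="Exception">if the challenge carries no policy parameter.</exception>
/// <exception cref="InvalidOperationException">if <c>Options.ConfigurationManager</c> is not a
/// <c>B2CConfigurationManager</c> (previously a NullReferenceException).</exception>
protected override async Task ApplyResponseChallengeAsync()
{
    if (Response.StatusCode != 401)
    {
        return;
    }

    AuthenticationResponseChallenge challenge = Helper.LookupChallenge(Options.AuthenticationType, Options.AuthenticationMode);
    if (challenge == null)
    {
        return;
    }

    AuthenticationProperties properties = challenge.Properties;
    if (string.IsNullOrEmpty(properties.RedirectUri))
    {
        properties.RedirectUri = CurrentUri;
    }

    // Remember which redirect_uri was sent so the code-redemption step can present the same one.
    // NOTE(review): Dictionary.Add throws if the caller already placed this key in the properties.
    if (!string.IsNullOrWhiteSpace(Options.RedirectUri))
    {
        properties.Dictionary.Add(OpenIdConnectAuthenticationDefaults.RedirectUriUsedForCodeKey, Options.RedirectUri);
    }

    // Per-policy metadata retrieval: the policy must travel in the challenge properties.
    string policy;
    if (!properties.Dictionary.TryGetValue(PolicyParameter, out policy))
    {
        throw new Exception("For B2C, you must pass a policy parameter in every challenge.");
    }

    B2CConfigurationManager mgr = Options.ConfigurationManager as B2CConfigurationManager;
    if (mgr == null)
    {
        throw new InvalidOperationException("For B2C, Options.ConfigurationManager must be a B2CConfigurationManager.");
    }
    _configuration = await mgr.GetConfigurationAsync(Context.Request.CallCancelled, policy);

    OpenIdConnectMessage openIdConnectMessage = new OpenIdConnectMessage
    {
        ClientId = Options.ClientId,
        IssuerAddress = _configuration.AuthorizationEndpoint ?? string.Empty,
        RedirectUri = Options.RedirectUri,
        RequestType = OpenIdConnectRequestType.AuthenticationRequest,
        Resource = Options.Resource,
        ResponseMode = OpenIdConnectResponseModes.FormPost,
        ResponseType = Options.ResponseType,
        Scope = Options.Scope,
        // The protected properties ride in 'state' and are recovered by GetPropertiesFromState.
        State = AuthenticationPropertiesKey + "=" + Uri.EscapeDataString(Options.StateDataFormat.Protect(properties)),
    };

    if (Options.ProtocolValidator.RequireNonce)
    {
        AddNonceToMessage(openIdConnectMessage);
    }

    var notification = new RedirectToIdentityProviderNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions>(Context, Options)
    {
        ProtocolMessage = openIdConnectMessage
    };
    await Options.Notifications.RedirectToIdentityProvider(notification);

    if (!notification.HandledResponse)
    {
        string redirectUri = notification.ProtocolMessage.CreateAuthenticationRequestUrl();
        // NOTE(review): a malformed URL is only logged; the redirect is still issued.
        if (!Uri.IsWellFormedUriString(redirectUri, UriKind.Absolute))
        {
            _logger.WriteWarning("The authenticate redirect URI is malformed: " + redirectUri);
        }
        Response.Redirect(redirectUri);
    }
}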
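/// <summary>
/// Verifies the defaults of a freshly constructed <see cref="OpenIdConnectMessage"/>: the listed
/// parameters are unset, a nonce has been generated, and response_mode / response_type / scope
/// carry the type's documented defaults. All mismatches are collected and reported together.
/// </summary>
public void OpenIdConnectMessage_Defaults()
{
    List<string> errors = new List<string>();
    OpenIdConnectMessage message = new OpenIdConnectMessage();

    // Records a failure naming the property, so the report always matches the property checked
    // (the previous hand-written messages had drifted: "ArcValues" for AcrValues).
    Action<string, string> requireNull = (name, value) =>
    {
        if (value != null)
        {
            errors.Add("message." + name + " != null");
        }
    };

    requireNull("AcrValues", message.AcrValues);
    requireNull("ClientAssertion", message.ClientAssertion);
    requireNull("ClientAssertionType", message.ClientAssertionType);
    requireNull("ClaimsLocales", message.ClaimsLocales);
    requireNull("ClientId", message.ClientId);
    requireNull("ClientSecret", message.ClientSecret);
    requireNull("Code", message.Code);
    requireNull("Display", message.Display);
    requireNull("IdTokenHint", message.IdTokenHint);
    requireNull("LoginHint", message.LoginHint);
    requireNull("MaxAge", message.MaxAge);

    if (string.IsNullOrWhiteSpace(message.Nonce))
    {
        errors.Add("message.Nonce was null or whitespace.");
    }

    requireNull("Prompt", message.Prompt);
    requireNull("RedirectUri", message.RedirectUri);

    if (message.ResponseMode != OpenIdConnectMessage.DefaultResponseMode)
    {
        errors.Add(string.Format(CultureInfo.InvariantCulture, "message.ResponseMode: '{0}' != OpenIdConnectMessage.DefaultResponseMode: '{1}'", message.ResponseMode, OpenIdConnectMessage.DefaultResponseMode));
    }

    // Fixed: this report previously printed message.ResponseMode in place of message.ResponseType.
    if (message.ResponseType != OpenIdConnectMessage.DefaultResponseType)
    {
        errors.Add(string.Format(CultureInfo.InvariantCulture, "message.ResponseType: '{0}' != OpenIdConnectMessage.DefaultResponseType: '{1}'", message.ResponseType, OpenIdConnectMessage.DefaultResponseType));
    }

    if (message.Scope != OpenIdConnectMessage.DefaultScope)
    {
        errors.Add(string.Format(CultureInfo.InvariantCulture, "message.Scope: '{0}' != OpenIdConnectMessage.DefaultScope: '{1}'", message.Scope, OpenIdConnectMessage.DefaultScope));
    }

    requireNull("State", message.State);
    requireNull("UiLocales", message.UiLocales);

    if (errors.Count > 0)
    {
        StringBuilder sb = new StringBuilder();
        foreach (string error in errors)
        {
            sb.AppendLine(error);
        }
        Assert.Fail("OpenIdConnectMessage_Defaults *** Test Failures:\n" + sb.ToString());
    }
}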
/// <summary>
/// Handles a sign-out by redirecting the browser to the end_session endpoint of the policy named
/// in the sign-out properties. Besides the standard post_logout_redirect_uri, a redirect_uri and
/// client_id are appended to the logout URL by hand.
/// </summary>
/// <exception cref="Exception">if the sign-out carries no policy parameter, or no post-logout /
/// redirect URI can be determined.</exception>
protected override async Task ApplyResponseGrantAsync()
{
    AuthenticationResponseRevoke signout = Helper.LookupSignOut(Options.AuthenticationType, Options.AuthenticationMode);
    if (signout != null)
    {
        AuthenticationProperties properties = signout.Properties;

        // Per-policy metadata retrieval.
        // NOTE(review): properties is dereferenced here, yet checked for null further down;
        // also 'mgr' is not null-checked, so a non-B2C ConfigurationManager would throw a
        // NullReferenceException at GetConfigurationAsync.
        string policy;
        if (properties.Dictionary.TryGetValue(PolicyParameter, out policy))
        {
            B2CConfigurationManager mgr = Options.ConfigurationManager as B2CConfigurationManager;
            _configuration = await mgr.GetConfigurationAsync(Context.Request.CallCancelled, policy);
        }
        else
        {
            throw new Exception("For B2C, you must pass a policy parameter in every sign out request.");
        }

        OpenIdConnectMessage openIdConnectMessage = new OpenIdConnectMessage()
        {
            IssuerAddress = _configuration.EndSessionEndpoint ?? string.Empty,
            RequestType = OpenIdConnectRequestType.LogoutRequest,
        };

        // 'redirect' becomes the extra redirect_uri parameter appended below. When it comes
        // from the properties it equals post_logout_redirect_uri; when it comes from Options
        // it is Options.RedirectUri, not Options.PostLogoutRedirectUri — presumably deliberate
        // for B2C, but worth confirming.
        string redirect = string.Empty;
        if (properties != null && !string.IsNullOrEmpty(properties.RedirectUri))
        {
            openIdConnectMessage.PostLogoutRedirectUri = properties.RedirectUri;
            redirect = properties.RedirectUri;
        }
        else if (!string.IsNullOrWhiteSpace(Options.PostLogoutRedirectUri))
        {
            openIdConnectMessage.PostLogoutRedirectUri = Options.PostLogoutRedirectUri;
            redirect = Options.RedirectUri;
        }

        if (string.IsNullOrWhiteSpace(openIdConnectMessage.PostLogoutRedirectUri))
        {
            throw new Exception("For B2C, the PostLogoutRedirectUri is required.");
        }

        if (string.IsNullOrWhiteSpace(redirect))
        {
            throw new Exception("For B2C, the RedirectUri is required.");
        }

        var notification = new RedirectToIdentityProviderNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions>(Context, Options)
        {
            ProtocolMessage = openIdConnectMessage
        };
        await Options.Notifications.RedirectToIdentityProvider(notification);

        if (!notification.HandledResponse)
        {
            string redirectUri = notification.ProtocolMessage.CreateLogoutRequestUrl();
            // The '&' join assumes CreateLogoutRequestUrl already emitted a query string (it
            // carries post_logout_redirect_uri). redirect is URL-encoded; Options.ClientId is
            // appended raw.
            redirectUri = redirectUri + "&" + OpenIdConnectParameterNames.RedirectUri + "=" + HttpUtility.UrlEncode(redirect) + "&" + OpenIdConnectParameterNames.ClientId + "=" + Options.ClientId;
            // NOTE(review): a malformed URL is only logged; the redirect is still issued.
            if (!Uri.IsWellFormedUriString(redirectUri, UriKind.Absolute))
            {
                _logger.WriteWarning("The logout redirect URI is malformed: " + redirectUri);
            }
            Response.Redirect(redirectUri);
        }
    }
}
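/// <summary>
/// Processes the form_post response from B2C on the callback path: reads the posted form, runs
/// the MessageReceived / SecurityTokenReceived / SecurityTokenValidated / AuthorizationCodeReceived
/// notifications, recovers the round-trip state and nonce, loads the per-policy metadata named in
/// the state, validates the id_token against that policy's issuer and signing keys, and finally
/// runs protocol validation (nonce, authorization code) before returning the ticket. Any failure
/// inside the pipeline is routed through the AuthenticationFailed notification and rethrown
/// unless that notification handles or skips it.
/// </summary>
/// <returns>The authentication ticket; a handled-response ticket when a notification took over;
/// or null when the request is not for this handler or a step decided to skip.</returns>
protected override async Task<AuthenticationTicket> AuthenticateCoreAsync()
{
    if (Options.CallbackPath.HasValue && Options.CallbackPath != (Request.PathBase + Request.Path))
    {
        return null;
    }

    // Only a form-encoded POST is accepted: the challenge requested response_mode=form_post.
    OpenIdConnectMessage openIdConnectMessage = null;
    if (string.Equals(Request.Method, "POST", StringComparison.OrdinalIgnoreCase)
        && !string.IsNullOrWhiteSpace(Request.ContentType)
        && Request.ContentType.StartsWith("application/x-www-form-urlencoded", StringComparison.OrdinalIgnoreCase)
        && Request.Body.CanRead)
    {
        if (!Request.Body.CanSeek)
        {
            // Buffer so the body can be rewound for downstream middleware after the form is read.
            _logger.WriteVerbose("Buffering request body");
            MemoryStream memoryStream = new MemoryStream();
            await Request.Body.CopyToAsync(memoryStream);
            memoryStream.Seek(0, SeekOrigin.Begin);
            Request.Body = memoryStream;
        }

        IFormCollection form = await Request.ReadFormAsync();
        Request.Body.Seek(0, SeekOrigin.Begin);
        openIdConnectMessage = new OpenIdConnectMessage(form);
    }

    if (openIdConnectMessage == null)
    {
        return null;
    }

    ExceptionDispatchInfo authFailedEx = null;
    string policy = string.Empty;
    try
    {
        var messageReceivedNotification = new MessageReceivedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions>(Context, Options)
        {
            ProtocolMessage = openIdConnectMessage
        };
        await Options.Notifications.MessageReceived(messageReceivedNotification);
        if (messageReceivedNotification.HandledResponse)
        {
            return GetHandledResponseTicket();
        }
        if (messageReceivedNotification.Skipped)
        {
            return null;
        }

        // 'state' is the protected AuthenticationProperties produced by the challenge; a missing
        // or tampered value yields null and the request is rejected.
        AuthenticationProperties properties = GetPropertiesFromState(openIdConnectMessage.State);
        if (properties == null)
        {
            _logger.WriteWarning("The state field is missing or invalid.");
            return null;
        }

        string nonce = null;
        if (Options.ProtocolValidator.RequireNonce)
        {
            nonce = RetrieveNonce(openIdConnectMessage);
        }

        if (!string.IsNullOrWhiteSpace(openIdConnectMessage.Error))
        {
            // The error fields come from the remote party and are format ARGUMENTS, never the
            // format string. Previously openIdConnectMessage.Error itself was used as the format,
            // so a value containing braces threw FormatException and the error text was lost.
            throw new OpenIdConnectProtocolException(
                string.Format(
                    CultureInfo.InvariantCulture,
                    "Message contains error: '{0}', error_description: '{1}', error_uri: '{2}'.",
                    openIdConnectMessage.Error,
                    openIdConnectMessage.ErrorDescription ?? string.Empty,
                    openIdConnectMessage.ErrorUri ?? string.Empty));
        }

        if (string.IsNullOrWhiteSpace(openIdConnectMessage.IdToken))
        {
            _logger.WriteWarning("The id_token is missing.");
            return null;
        }

        var securityTokenReceivedNotification = new SecurityTokenReceivedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions>(Context, Options)
        {
            ProtocolMessage = openIdConnectMessage,
        };
        await Options.Notifications.SecurityTokenReceived(securityTokenReceivedNotification);
        if (securityTokenReceivedNotification.HandledResponse)
        {
            return GetHandledResponseTicket();
        }
        if (securityTokenReceivedNotification.Skipped)
        {
            return null;
        }

        // Per-policy metadata retrieval: the policy comes from the protected state, not from the
        // posted form, so the remote party cannot pick which issuer/keys are trusted.
        if (!properties.Dictionary.TryGetValue(PolicyParameter, out policy))
        {
            _logger.WriteWarning("No policy identifier was found in the Authentication Properties of the request.");
            return null;
        }

        B2CConfigurationManager mgr = Options.ConfigurationManager as B2CConfigurationManager;
        if (mgr == null)
        {
            throw new InvalidOperationException("For B2C, Options.ConfigurationManager must be a B2CConfigurationManager.");
        }
        _configuration = await mgr.GetConfigurationAsync(Context.Request.CallCancelled, policy);

        // The policy's issuer and signing tokens are added to (not substituted for) any the
        // caller configured on TokenValidationParameters.
        TokenValidationParameters tvp = Options.TokenValidationParameters.Clone();
        IEnumerable<string> issuers = new[] { _configuration.Issuer };
        tvp.ValidIssuers = (tvp.ValidIssuers == null ? issuers : tvp.ValidIssuers.Concat(issuers));
        tvp.IssuerSigningTokens = (tvp.IssuerSigningTokens == null ? _configuration.SigningTokens : tvp.IssuerSigningTokens.Concat(_configuration.SigningTokens));

        SecurityToken validatedToken;
        ClaimsPrincipal principal = Options.SecurityTokenHandlers.ValidateToken(openIdConnectMessage.IdToken, tvp, out validatedToken);
        ClaimsIdentity claimsIdentity = principal.Identity as ClaimsIdentity;
        // NOTE(review): jwt is null if the handler returned a non-JWT token; the UseTokenLifetime
        // and protocol-validation steps below assume it is not.
        JwtSecurityToken jwt = validatedToken as JwtSecurityToken;
        AuthenticationTicket ticket = new AuthenticationTicket(claimsIdentity, properties);

        if (!string.IsNullOrWhiteSpace(openIdConnectMessage.SessionState))
        {
            ticket.Properties.Dictionary[OpenIdConnectSessionProperties.SessionState] = openIdConnectMessage.SessionState;
        }

        if (!string.IsNullOrWhiteSpace(_configuration.CheckSessionIframe))
        {
            ticket.Properties.Dictionary[OpenIdConnectSessionProperties.CheckSessionIFrame] = _configuration.CheckSessionIframe;
        }

        if (Options.UseTokenLifetime)
        {
            // Bound the session by the token's own nbf/exp; DateTime.MinValue means "absent".
            DateTime issued = jwt.ValidFrom;
            if (issued != DateTime.MinValue)
            {
                ticket.Properties.IssuedUtc = issued.ToUniversalTime();
            }

            DateTime expires = jwt.ValidTo;
            if (expires != DateTime.MinValue)
            {
                ticket.Properties.ExpiresUtc = expires.ToUniversalTime();
            }

            ticket.Properties.AllowRefresh = false;
        }

        var securityTokenValidatedNotification = new SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions>(Context, Options)
        {
            AuthenticationTicket = ticket,
            ProtocolMessage = openIdConnectMessage,
        };
        await Options.Notifications.SecurityTokenValidated(securityTokenValidatedNotification);
        if (securityTokenValidatedNotification.HandledResponse)
        {
            return GetHandledResponseTicket();
        }
        if (securityTokenValidatedNotification.Skipped)
        {
            return null;
        }
        ticket = securityTokenValidatedNotification.AuthenticationTicket;

        // Protocol-level checks (nonce from the cookie vs. the token, code hash) run after
        // signature validation and after the SecurityTokenValidated notification.
        var protocolValidationContext = new OpenIdConnectProtocolValidationContext
        {
            AuthorizationCode = openIdConnectMessage.Code,
            Nonce = nonce,
        };
        Options.ProtocolValidator.Validate(jwt, protocolValidationContext);

        if (openIdConnectMessage.Code != null)
        {
            var authorizationCodeReceivedNotification = new AuthorizationCodeReceivedNotification(Context, Options)
            {
                AuthenticationTicket = ticket,
                Code = openIdConnectMessage.Code,
                JwtSecurityToken = jwt,
                ProtocolMessage = openIdConnectMessage,
                RedirectUri = ticket.Properties.Dictionary.ContainsKey(OpenIdConnectAuthenticationDefaults.RedirectUriUsedForCodeKey)
                    ? ticket.Properties.Dictionary[OpenIdConnectAuthenticationDefaults.RedirectUriUsedForCodeKey]
                    : string.Empty,
            };
            await Options.Notifications.AuthorizationCodeReceived(authorizationCodeReceivedNotification);
            if (authorizationCodeReceivedNotification.HandledResponse)
            {
                return GetHandledResponseTicket();
            }
            if (authorizationCodeReceivedNotification.Skipped)
            {
                return null;
            }
            ticket = authorizationCodeReceivedNotification.AuthenticationTicket;
        }

        return ticket;
    }
    catch (Exception exception)
    {
        authFailedEx = ExceptionDispatchInfo.Capture(exception);
    }

    if (authFailedEx != null)
    {
        // Log the captured exception, not the ExceptionDispatchInfo wrapper (whose ToString() is
        // just its type name).
        _logger.WriteError("Exception occurred while processing message: '" + authFailedEx.SourceException + "'");

        // A signing key we do not know about may mean the policy's keys rolled; ask for a refresh
        // so the next attempt fetches fresh metadata.
        if (Options.RefreshOnIssuerKeyNotFound && authFailedEx.SourceException.GetType().Equals(typeof(SecurityTokenSignatureKeyNotFoundException)))
        {
            B2CConfigurationManager mgr = Options.ConfigurationManager as B2CConfigurationManager;
            if (mgr != null)
            {
                mgr.RequestRefresh(policy);
            }
        }

        var authenticationFailedNotification = new AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions>(Context, Options)
        {
            ProtocolMessage = openIdConnectMessage,
            Exception = authFailedEx.SourceException
        };
        await Options.Notifications.AuthenticationFailed(authenticationFailedNotification);
        if (authenticationFailedNotification.HandledResponse)
        {
            return GetHandledResponseTicket();
        }
        if (authenticationFailedNotification.Skipped)
        {
            return null;
        }

        authFailedEx.Throw();
    }

    return null;
}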
/// <summary>
/// Test double: appends a fixed claim ("test claim" = "test value") to the identity on the incoming
/// ticket and returns a new ticket carrying the same properties and authentication scheme.
/// </summary>
/// <param name="properties">Unused by this test double.</param>
/// <param name="message">Unused by this test double.</param>
/// <param name="ticket">The ticket whose principal identity is extended.</param>
/// <returns>A new ticket wrapping the extended identity.</returns>
protected override async Task<AuthenticationTicket> GetUserInformationAsync(AuthenticationProperties properties, OpenIdConnectMessage message, AuthenticationTicket ticket)
{
    // Direct cast on purpose: an identity of another type is a test-setup error and should throw.
    // A null identity is tolerated and replaced with an empty one.
    var identity = (ClaimsIdentity)ticket.Principal.Identity ?? new ClaimsIdentity();
    identity.AddClaim(new Claim("test claim", "test value"));

    var principal = new ClaimsPrincipal(identity);
    return new AuthenticationTicket(principal, ticket.Properties, ticket.AuthenticationScheme);
}