/// <summary> /// Try to get the client id from the HTTP body or HTTP header. /// </summary> /// <param name="instruction">Authentication instruction</param> /// <returns>Client id</returns> private static string?TryGettingClientId(AuthenticateInstruction instruction) { var clientId = ClientAssertionAuthentication.GetClientId(instruction); if (!string.IsNullOrWhiteSpace(clientId)) { return(clientId); } clientId = instruction.ClientIdFromAuthorizationHeader; return(!string.IsNullOrWhiteSpace(clientId) ? clientId : instruction.ClientIdFromHttpRequestBody); }
public static Client?AuthenticateClient(AuthenticateInstruction instruction, Client client) { var clientSecret = client.Secrets?.FirstOrDefault(s => s.Type == ClientSecretTypes.SharedSecret); if (clientSecret == null) { return(null); } var sameSecret = string.Compare(clientSecret.Value, instruction.ClientSecretFromHttpRequestBody, StringComparison.CurrentCultureIgnoreCase) == 0; return(sameSecret ? client : null); }
private static Client?AuthenticateTlsClient(AuthenticateInstruction instruction, Client client) { var thumbPrint = client.Secrets.FirstOrDefault(s => s.Type == ClientSecretTypes.X509Thumbprint); var name = client.Secrets.FirstOrDefault(s => s.Type == ClientSecretTypes.X509Name); if (thumbPrint == null || name == null || instruction.Certificate == null) { return(null); } var certificate = instruction.Certificate; var isSameThumbPrint = thumbPrint.Value == certificate.Thumbprint; var isSameName = name.Value == certificate.SubjectName.Name; return(isSameName && isSameThumbPrint ? client : null); }
public static Client?AuthenticateClient(this AuthenticateInstruction instruction, Client client) { var clientSecrets = client.Secrets?.Where(s => s.Type == ClientSecretTypes.SharedSecret).ToArray(); if (clientSecrets == null || clientSecrets.Length == 0) { return(null); } var sameSecret = clientSecrets.Any( clientSecret => string.Equals( clientSecret.Value, instruction.ClientSecretFromAuthorizationHeader, StringComparison.CurrentCulture)); return(sameSecret ? client : null); }
/// <summary> /// Authenticates the specified instruction. /// </summary> /// <param name="instruction">The instruction.</param> /// <param name="issuerName">Name of the issuer.</param> /// <param name="cancellationToken">The cancellation token.</param> /// <returns></returns> /// <exception cref="ArgumentNullException">instruction</exception> public async Task <AuthenticationResult> Authenticate( AuthenticateInstruction instruction, string issuerName, CancellationToken cancellationToken) { Client?client = null; // First we try to fetch the client_id // The different client authentication mechanisms are described here : http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication var clientId = TryGettingClientId(instruction); if (!string.IsNullOrWhiteSpace(clientId)) { client = await _clientRepository.GetById(clientId, cancellationToken).ConfigureAwait(false); } if (client == null) { return(new AuthenticationResult(null, SharedStrings.TheClientDoesntExist)); } var errorMessage = string.Empty; switch (client.TokenEndPointAuthMethod) { case TokenEndPointAuthenticationMethods.ClientSecretBasic: client = instruction.AuthenticateClient(client); if (client == null) { errorMessage = Strings.TheClientCannotBeAuthenticatedWithSecretBasic; } break; case TokenEndPointAuthenticationMethods.ClientSecretPost: client = ClientSecretPostAuthentication.AuthenticateClient(instruction, client); if (client == null) { errorMessage = Strings.TheClientCannotBeAuthenticatedWithSecretPost; } break; case TokenEndPointAuthenticationMethods.ClientSecretJwt: if (client.Secrets.All(s => s.Type != ClientSecretTypes.SharedSecret)) { errorMessage = string.Format( Strings.TheClientDoesntContainASharedSecret, client.ClientId); break; } return(await _clientAssertionAuthentication.AuthenticateClientWithClientSecretJwt(instruction, cancellationToken) .ConfigureAwait(false)); case TokenEndPointAuthenticationMethods.PrivateKeyJwt: return(await _clientAssertionAuthentication .AuthenticateClientWithPrivateKeyJwt(instruction, issuerName, cancellationToken) .ConfigureAwait(false)); case TokenEndPointAuthenticationMethods.TlsClientAuth: client = AuthenticateTlsClient(instruction, client); if (client == null) { errorMessage = Strings.TheClientCannotBeAuthenticatedWithTls; } break; } return(new AuthenticationResult(client, errorMessage)); }