notazof
/
yavsc
1
0
Fork 0
Code Issues Pull Requests Packages Projects 1 Releases Wiki Activity

integration https://github.com/XacronDevelopment/oauth-aspnet

vnext
Paul Schneider 8 years ago
parent 46f5c107b8
commit fa34ed249b
233 changed files with 4000 additions and 1396 deletions
Show Stats Download Patch File Download Diff File

213
AuthorizationController.cs
Unescape Escape View File

@ -1,213 +0,0 @@
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using AspNet.Security.OpenIdConnect.Extensions;
using AspNet.Security.OpenIdConnect.Server;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http.Authentication;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Mvc.Server.Models;
namespace Mvc.Server.Controllers {
public class AuthorizationController : Controller {
private readonly ApplicationContext database;
public AuthorizationController(ApplicationContext database) {
this.database = database;
}
[HttpGet("~/connect/authorize"), HttpPost("~/connect/authorize")]
public async Task<IActionResult> Authorize(CancellationToken cancellationToken) {
// Note: when a fatal error occurs during the request processing, an OpenID Connect response
// is prematurely forged and added to the ASP.NET context by OpenIdConnectServerHandler.
// You can safely remove this part and let ASOS automatically handle the unrecoverable errors
// by switching ApplicationCanDisplayErrors to false in Startup.cs.
var response = HttpContext.GetOpenIdConnectResponse();
if (response != null) {
return View("Error", response);
}
// Extract the authorization request from the ASP.NET environment.
var request = HttpContext.GetOpenIdConnectRequest();
if (request == null) {
return View("Error", new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.ServerError,
ErrorDescription = "An internal error has occurred"
});
}
// Note: authentication could be theorically enforced at the filter level via AuthorizeAttribute
// but this authorization endpoint accepts both GET and POST requests while the cookie middleware
// only uses 302 responses to redirect the user agent to the login page, making it incompatible with POST.
// To work around this limitation, the OpenID Connect request is automatically saved in the cache and will be
// restored by the OpenID Connect server middleware after the external authentication process has been completed.
if (!User.Identities.Any(identity => identity.IsAuthenticated)) {
return Challenge(new AuthenticationProperties {
RedirectUri = Url.Action(nameof(Authorize), new {
request_id = request.GetRequestId()
})
});
}
// Note: ASOS automatically ensures that an application corresponds to the client_id specified
// in the authorization request by calling IOpenIdConnectServerProvider.ValidateAuthorizationRequest.
// In theory, this null check shouldn't be needed, but a race condition could occur if you
// manually removed the application details from the database after the initial check made by ASOS.
var application = await GetApplicationAsync(request.ClientId, cancellationToken);
if (application == null) {
return View("Error", new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.InvalidClient,
ErrorDescription = "Details concerning the calling client application cannot be found in the database"
});
}
// Note: in a real world application, you'd probably prefer creating a specific view model.
return View("Authorize", Tuple.Create(request, application));
}
[Authorize, HttpPost("~/connect/authorize/accept"), ValidateAntiForgeryToken]
public async Task<IActionResult> Accept(CancellationToken cancellationToken) {
var response = HttpContext.GetOpenIdConnectResponse();
if (response != null) {
return View("Error", response);
}
var request = HttpContext.GetOpenIdConnectRequest();
if (request == null) {
return View("Error", new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.ServerError,
ErrorDescription = "An internal error has occurred"
});
}
// Create a new ClaimsIdentity containing the claims that
// will be used to create an id_token, a token or a code.
var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
// Copy the claims retrieved from the external identity provider
// (e.g Google, Facebook, a WS-Fed provider or another OIDC server).
foreach (var claim in HttpContext.User.Claims) {
// Allow ClaimTypes.Name to be added in the id_token.
// ClaimTypes.NameIdentifier is automatically added, even if its
// destination is not defined or doesn't include "id_token".
// The other claims won't be visible for the client application.
if (claim.Type == ClaimTypes.Name) {
claim.SetDestinations(OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
}
identity.AddClaim(claim);
}
var application = await GetApplicationAsync(request.ClientId, cancellationToken);
if (application == null) {
return View("Error", new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.InvalidClient,
ErrorDescription = "Details concerning the calling client application cannot be found in the database"
});
}
// Create a new ClaimsIdentity containing the claims associated with the application.
// Note: setting identity.Actor is not mandatory but can be useful to access
// the whole delegation chain from the resource server (see ResourceController.cs).
identity.Actor = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
identity.Actor.AddClaim(ClaimTypes.NameIdentifier, application.ApplicationID);
identity.Actor.AddClaim(ClaimTypes.Name, application.DisplayName,
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
// Create a new authentication ticket holding the user identity.
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
OpenIdConnectServerDefaults.AuthenticationScheme);
// Set the list of scopes granted to the client application.
// Note: this sample always grants the "openid", "email" and "profile" scopes
// when they are requested by the client application: a real world application
// would probably display a form allowing to select the scopes to grant.
ticket.SetScopes(new[] {
/* openid: */ OpenIdConnectConstants.Scopes.OpenId,
/* email: */ OpenIdConnectConstants.Scopes.Email,
/* profile: */ OpenIdConnectConstants.Scopes.Profile,
/* offline_access: */ OpenIdConnectConstants.Scopes.OfflineAccess
}.Intersect(request.GetScopes()));
// Set the resources servers the access token should be issued for.
ticket.SetResources("resource_server");
// Returning a SignInResult will ask ASOS to serialize the specified identity to build appropriate tokens.
// Note: you should always make sure the identities you return contain ClaimTypes.NameIdentifier claim.
// In this sample, the identity always contains the name identifier returned by the external provider.
return SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme);
}
[Authorize, HttpPost("~/connect/authorize/deny"), ValidateAntiForgeryToken]
public IActionResult Deny(CancellationToken cancellationToken) {
var response = HttpContext.GetOpenIdConnectResponse();
if (response != null) {
return View("Error", response);
}
var request = HttpContext.GetOpenIdConnectRequest();
if (request == null) {
return View("Error", new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.ServerError,
ErrorDescription = "An internal error has occurred"
});
}
// Notify ASOS that the authorization grant has been denied by the resource owner.
// Note: OpenIdConnectServerHandler will automatically take care of redirecting
// the user agent to the client application using the appropriate response_mode.
return Forbid(OpenIdConnectServerDefaults.AuthenticationScheme);
}
[HttpGet("~/connect/logout")]
public async Task<ActionResult> Logout(CancellationToken cancellationToken) {
var response = HttpContext.GetOpenIdConnectResponse();
if (response != null) {
return View("Error", response);
}
// When invoked, the logout endpoint might receive an unauthenticated request if the server cookie has expired.
// When the client application sends an id_token_hint parameter, the corresponding identity can be retrieved
// using AuthenticateAsync or using User when the authorization server is declared as AuthenticationMode.Active.
var identity = await HttpContext.Authentication.AuthenticateAsync(OpenIdConnectServerDefaults.AuthenticationScheme);
var request = HttpContext.GetOpenIdConnectRequest();
if (request == null) {
return View("Error", new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.ServerError,
ErrorDescription = "An internal error has occurred"
});
}
return View("Logout", Tuple.Create(request, identity));
}
[HttpPost("~/connect/logout")]
[ValidateAntiForgeryToken]
public ActionResult Logout() {
// Returning a SignOutResult will ask the cookies middleware to delete the local cookie created when
// the user agent is redirected from the external identity provider after a successful authentication flow
// and will redirect the user agent to the post_logout_redirect_uri specified by the client application.
return SignOut("ServerCookie", OpenIdConnectServerDefaults.AuthenticationScheme);
}
protected virtual Task<Application> GetApplicationAsync(string identifier, CancellationToken cancellationToken) {
// Retrieve the application details corresponding to the requested client_id.
return (from application in database.Applications
where application.ApplicationID == identifier
select application).SingleOrDefaultAsync(cancellationToken);
}
}
}

0
Yavsc/src/ApiController/AccountController.cs → Yavsc/ApiController/AccountController.cs
Unescape Escape View File

0
Yavsc/src/ApiController/GCMController.cs → Yavsc/ApiController/GCMController.cs
Unescape Escape View File

32
Yavsc/Auth/AuthServer/AuthenticationResponseChallenge.cs
Unescape Escape View File

@ -0,0 +1,32 @@
using Microsoft.AspNet.Http.Authentication;
namespace OAuth.AspNet.AuthServer
{
/// <summary>
/// Exposes the security.Challenge environment value as a strong type.
/// </summary>
public class AuthenticationResponseChallenge
{
/// <summary>
/// Initializes a new instance of the <see cref="AuthenticationResponseChallenge"/> class
/// </summary>
/// <param name="authenticationTypes"></param>
/// <param name="properties"></param>
public AuthenticationResponseChallenge(string[] authenticationTypes, AuthenticationProperties properties)
{
AuthenticationTypes = authenticationTypes;
Properties = properties ?? new AuthenticationProperties();
}
/// <summary>
/// List of the authentication types that should send a challenge in the response.
/// </summary>
[System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Performance", "CA1819:PropertiesShouldNotReturnArrays", Justification = "By design")]
public string[] AuthenticationTypes { get; private set; }
/// <summary>
/// Dictionary used to store state values about the authentication session.
/// </summary>
public AuthenticationProperties Properties { get; private set; }
}
}

57
Yavsc/Auth/AuthServer/AuthenticationResponseGrant.cs
Unescape Escape View File

@ -0,0 +1,57 @@
using Microsoft.AspNet.Http.Authentication;
using System;
using System.Linq;
using System.Security.Claims;
namespace OAuth.AspNet.AuthServer
{
/// <summary>
/// Exposes the security.SignIn environment value as a strong type.
/// </summary>
public class AuthenticationResponseGrant
{
/// <summary>
/// Initializes a new instance of the <see cref="AuthenticationResponseGrant"/> class.
/// </summary>
/// <param name="identity"></param>
/// <param name="properties"></param>
public AuthenticationResponseGrant(ClaimsIdentity identity, AuthenticationProperties properties)
{
Principal = new ClaimsPrincipal(identity);
Identity = identity;
Properties = properties;
}
/// <summary>
/// Initializes a new instance of the <see cref="AuthenticationResponseGrant"/> class.
/// </summary>
/// <param name="principal"></param>
/// <param name="properties"></param>
public AuthenticationResponseGrant(ClaimsPrincipal principal, AuthenticationProperties properties)
{
if (principal == null)
{
throw new ArgumentNullException("principal");
}
Principal = principal;
Identity = principal.Identities.FirstOrDefault();
Properties = properties;
}
/// <summary>
/// The identity associated with the user sign in.
/// </summary>
public ClaimsIdentity Identity { get; private set; }
/// <summary>
/// The security principal associated with the user sign in.
/// </summary>
public ClaimsPrincipal Principal { get; private set; }
/// <summary>
/// Dictionary used to store state values about the authentication session.
/// </summary>
public AuthenticationProperties Properties { get; private set; }
}
}

43
Yavsc/Auth/AuthServer/AuthenticationTokenCreateContext.cs
Unescape Escape View File

@ -0,0 +1,43 @@
using Microsoft.AspNet.Http;
using Microsoft.AspNet.Authentication;
using System;
namespace OAuth.AspNet.AuthServer
{
public class AuthenticationTokenCreateContext : BaseContext
{
private readonly ISecureDataFormat<AuthenticationTicket> _secureDataFormat;
public AuthenticationTokenCreateContext(HttpContext context, ISecureDataFormat<AuthenticationTicket> secureDataFormat, AuthenticationTicket ticket) : base(context)
{
if (secureDataFormat == null)
throw new ArgumentNullException(nameof(secureDataFormat));
if (ticket == null)
throw new ArgumentNullException(nameof(ticket));
_secureDataFormat = secureDataFormat;
Ticket = ticket;
}
public string Token { get; protected set; }
public AuthenticationTicket Ticket { get; protected set; }
public string SerializeTicket()
{
return _secureDataFormat.Protect(Ticket);
}
public void SetToken(string tokenValue)
{
if (tokenValue == null)
throw new ArgumentNullException(nameof(tokenValue));
Token = tokenValue;
}
}
}

72
Yavsc/Auth/AuthServer/AuthenticationTokenProvider.cs
Unescape Escape View File

@ -0,0 +1,72 @@
using System;
using System.Threading.Tasks;
namespace OAuth.AspNet.AuthServer
{
public class AuthenticationTokenProvider : IAuthenticationTokenProvider
{
public Action<AuthenticationTokenCreateContext> OnCreate { get; set; }
public Func<AuthenticationTokenCreateContext, Task> OnCreateAsync { get; set; }
public Action<AuthenticationTokenReceiveContext> OnReceive { get; set; }
public Func<AuthenticationTokenReceiveContext, Task> OnReceiveAsync { get; set; }
public virtual void Create(AuthenticationTokenCreateContext context)
{
if (OnCreateAsync != null && OnCreate == null)
{
throw new InvalidOperationException("Authentication token did not provide an OnCreate method.");
}
if (OnCreate != null)
{
OnCreate.Invoke(context);
}
}
public virtual async Task CreateAsync(AuthenticationTokenCreateContext context)
{
if (OnCreateAsync != null && OnCreate == null)
{
throw new InvalidOperationException("Authentication token did not provide an OnCreate method.");
}
if (OnCreateAsync != null)
{
await OnCreateAsync.Invoke(context);
}
else
{
Create(context);
}
}
public virtual void Receive(AuthenticationTokenReceiveContext context)
{
if (OnReceiveAsync != null && OnReceive == null)
{
throw new InvalidOperationException("Authentication token did not provide an OnReceive method.");
}
if (OnReceive != null)
{
OnReceive.Invoke(context);
}
}
public virtual async Task ReceiveAsync(AuthenticationTokenReceiveContext context)
{
if (OnReceiveAsync != null && OnReceive == null)
{
throw new InvalidOperationException("Authentication token did not provide an OnReceive method.");
}
if (OnReceiveAsync != null)
{
await OnReceiveAsync.Invoke(context);
}
else
{
Receive(context);
}
}
}
}

43
Yavsc/Auth/AuthServer/AuthenticationTokenReceiveContext.cs
Unescape Escape View File

@ -0,0 +1,43 @@
using Microsoft.AspNet.Http;
using Microsoft.AspNet.Authentication;
using System;
namespace OAuth.AspNet.AuthServer
{
public class AuthenticationTokenReceiveContext : BaseContext
{
private readonly ISecureDataFormat<AuthenticationTicket> _secureDataFormat;
public AuthenticationTokenReceiveContext(HttpContext context, ISecureDataFormat<AuthenticationTicket> secureDataFormat, string token) : base(context)
{
if (secureDataFormat == null)
throw new ArgumentNullException(nameof(secureDataFormat));
if (token == null)
throw new ArgumentNullException(nameof(token));
_secureDataFormat = secureDataFormat;
Token = token;
}
public string Token { get; protected set; }
public AuthenticationTicket Ticket { get; protected set; }
public void DeserializeTicket(string protectedData)
{
Ticket = _secureDataFormat.Unprotect(protectedData);
}
public void SetTicket(AuthenticationTicket ticket)
{
if (ticket == null)
throw new ArgumentNullException(nameof(ticket));
Ticket = ticket;
}
}
}

138
Yavsc/Auth/AuthServer/AuthorizeEndpointRequest.cs
Unescape Escape View File

@ -0,0 +1,138 @@
using Microsoft.AspNet.Http;
using System;
using System.Collections.Generic;
using System.Diagnostics.CodeAnalysis;
namespace OAuth.AspNet.AuthServer
{
/// <summary>
/// Data object representing the information contained in the query string of an Authorize endpoint request.
/// </summary>
public class AuthorizeEndpointRequest
{
/// <summary>
/// Creates a new instance populated with values from the query string parameters.
/// </summary>
/// <param name="parameters">Query string parameters from a request.</param>
public AuthorizeEndpointRequest(IReadableStringCollection parameters)
{
if (parameters == null)
{
throw new ArgumentNullException("parameters");
}
Scope = new List<string>();
foreach (var parameter in parameters)
{
AddParameter(parameter.Key, parameters[parameter.Key]);
}
}
/// <summary>
/// The "response_type" query string parameter of the Authorize request. Known values are "code" and "token".
/// </summary>
public string ResponseType { get; set; }
/// <summary>
/// The "response_mode" query string parameter of the Authorize request. Known values are "query", "fragment" and "form_post"
/// See also, http://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html
/// </summary>
public string ResponseMode { get; set; }
/// <summary>
/// The "client_id" query string parameter of the Authorize request.
/// </summary>
public string ClientId { get; set; }
/// <summary>
/// The "redirect_uri" query string parameter of the Authorize request. May be absent if the server should use the
/// redirect uri known to be registered to the client id.
/// </summary>
[SuppressMessage("Microsoft.Design", "CA1056:UriPropertiesShouldNotBeStrings", Justification = "By design")]
public string RedirectUri { get; set; }
/// <summary>
/// The "scope" query string parameter of the Authorize request. May be absent if the server should use default scopes.
/// </summary>
public IList<string> Scope { get; private set; }
/// <summary>
/// The "scope" query string parameter of the Authorize request. May be absent if the client does not require state to be
/// included when returning to the RedirectUri.
/// </summary>
public string State { get; set; }
/// <summary>
/// True if the "response_type" query string parameter is "code".
/// See also, http://tools.ietf.org/html/rfc6749#section-4.1.1
/// </summary>
public bool IsAuthorizationCodeGrantType
{
get { return ContainsGrantType(Constants.ResponseTypes.Code); }
}
/// <summary>
/// True if the "response_type" query string parameter is "token".
/// See also, http://tools.ietf.org/html/rfc6749#section-4.2.1
/// </summary>
public bool IsImplicitGrantType
{
get { return ContainsGrantType(Constants.ResponseTypes.Token); }
}
public bool IsFormPostResponseMode
{
get { return string.Equals(ResponseMode, Constants.ResponseModes.FormPost, StringComparison.Ordinal); }
}
/// <summary>
/// True if the "response_type" query string contains the passed responseType.
/// See also, http://openid.net/specs/oauth-v2-multiple-response-types-1_0.html
/// </summary>
/// <param name="responseType">The responseType that is expected within the "response_type" query string</param>
/// <returns>True if the "response_type" query string contains the passed responseType.</returns>
public bool ContainsGrantType(string responseType)
{
var parts = ResponseType.Split(' ');
foreach (var part in parts)
{
if (string.Equals(part, responseType, StringComparison.Ordinal))
{
return true;
}
}
return false;
}
private void AddParameter(string name, string value)
{
if (string.Equals(name, Constants.Parameters.ResponseType, StringComparison.Ordinal))
{
ResponseType = value;
}
else if (string.Equals(name, Constants.Parameters.ClientId, StringComparison.Ordinal))
{
ClientId = value;
}
else if (string.Equals(name, Constants.Parameters.RedirectUri, StringComparison.Ordinal))
{
RedirectUri = value;
}
else if (string.Equals(name, Constants.Parameters.Scope, StringComparison.Ordinal))
{
Scope = value.Split(' ');
}
else if (string.Equals(name, Constants.Parameters.State, StringComparison.Ordinal))
{
State = value;
}
else if (string.Equals(name, Constants.Parameters.ResponseMode, StringComparison.Ordinal))
{
ResponseMode = value;
}
}
}
}

40
Yavsc/Auth/AuthServer/BaseOAuthEndpointContext.cs
Unescape Escape View File

@ -0,0 +1,40 @@
using Microsoft.AspNet.Authentication;
using Microsoft.AspNet.Http;
using System;
namespace OAuth.AspNet.AuthServer
{
/// <summary>
/// Base class for OAuth server endpoint contexts
/// </summary>
public class BaseOAuthEndpointContext : BaseContext
{
#region Constructors
/// <summary>
/// Creates a new instance of <see cref="BaseOAuthEndpointContext"/>.
/// </summary>
/// <param name="context">The <see cref="HttpContext"/> to use for this endpoint context.</param>
/// <param name="options">The <see cref="OAuthAuthorizationServerOptions"/> to use for this endpoint context.</param>
public BaseOAuthEndpointContext(HttpContext context, OAuthAuthorizationServerOptions options) : base(context)
{
if (options == null)
throw new ArgumentNullException(nameof(options));
Options = options;
}
#endregion
#region Public Members
/// <summary>
/// Gets the OAuth server options.
/// </summary>
public OAuthAuthorizationServerOptions Options { get; }
#endregion
}
}

26
Yavsc/Auth/AuthServer/BaseValidatingClientContext.cs
Unescape Escape View File

@ -0,0 +1,26 @@
using Microsoft.AspNet.Http;
namespace OAuth.AspNet.AuthServer
{
/// <summary>
/// Base class used for certain event contexts
/// </summary>
public abstract class BaseValidatingClientContext : BaseValidatingContext<OAuthAuthorizationServerOptions>
{
/// <summary>
/// Initializes base class used for certain event contexts
/// </summary>
protected BaseValidatingClientContext(HttpContext context, OAuthAuthorizationServerOptions options, string clientId) : base(context, options)
{
ClientId = clientId;
}
/// <summary>
/// The "client_id" parameter for the current request. The Authorization Server application is responsible for
/// validating this value identifies a registered client.
/// </summary>
public string ClientId { get; protected set; }
}
}

113
Yavsc/Auth/AuthServer/BaseValidatingContext.cs
Unescape Escape View File

@ -0,0 +1,113 @@
using Microsoft.AspNet.Authentication;
using Microsoft.AspNet.Http;
namespace OAuth.AspNet.AuthServer
{
/// <summary>
/// Base class used for certain event contexts
/// </summary>
public abstract class BaseValidatingContext<TOptions> : BaseContext
{
/// <summary>
/// Initializes base class used for certain event contexts
/// </summary>
protected BaseValidatingContext(HttpContext context, TOptions options) : base(context)
{
Options = options;
}
/// <summary>
/// The context options.
/// </summary>
public TOptions Options { get; private set; }
/// <summary>
/// True if application code has called any of the Validate methods on this context.
/// </summary>
public bool IsValidated { get; private set; }
/// <summary>
/// True if application code has called any of the SetError methods on this context.
/// </summary>
public bool HasError { get; private set; }
/// <summary>
/// The error argument provided when SetError was called on this context. This is eventually
/// returned to the client app as the OAuth "error" parameter.
/// </summary>
public string Error { get; private set; }
/// <summary>
/// The optional errorDescription argument provided when SetError was called on this context. This is eventually
/// returned to the client app as the OAuth "error_description" parameter.
/// </summary>
public string ErrorDescription { get; private set; }
/// <summary>
/// The optional errorUri argument provided when SetError was called on this context. This is eventually
/// returned to the client app as the OAuth "error_uri" parameter.
/// </summary>
[System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Design", "CA1056:UriPropertiesShouldNotBeStrings", Justification = "error_uri is a string value in the protocol")]
public string ErrorUri { get; private set; }
/// <summary>
/// Marks this context as validated by the application. IsValidated becomes true and HasError becomes false as a result of calling.
/// </summary>
/// <returns>True if the validation has taken effect.</returns>
public virtual bool Validated()
{
IsValidated = true;
HasError = false;
return true;
}
/// <summary>
/// Marks this context as not validated by the application. IsValidated and HasError become false as a result of calling.
/// </summary>
public virtual void Rejected()
{
IsValidated = false;
HasError = false;
}
/// <summary>
/// Marks this context as not validated by the application and assigns various error information properties.
/// HasError becomes true and IsValidated becomes false as a result of calling.
/// </summary>
/// <param name="error">Assigned to the Error property</param>
public void SetError(string error)
{
SetError(error, null);
}
/// <summary>
/// Marks this context as not validated by the application and assigns various error information properties.
/// HasError becomes true and IsValidated becomes false as a result of calling.
/// </summary>
/// <param name="error">Assigned to the Error property</param>
/// <param name="errorDescription">Assigned to the ErrorDescription property</param>
public void SetError(string error, string errorDescription)
{
SetError(error, errorDescription, null);
}
/// <summary>
/// Marks this context as not validated by the application and assigns various error information properties.
/// HasError becomes true and IsValidated becomes false as a result of calling.
/// </summary>
/// <param name="error">Assigned to the Error property</param>
/// <param name="errorDescription">Assigned to the ErrorDescription property</param>
/// <param name="errorUri">Assigned to the ErrorUri property</param>
[System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Design", "CA1054:UriParametersShouldNotBeStrings", MessageId = "2#", Justification = "error_uri is a string value in the protocol")]
public void SetError(string error, string errorDescription, string errorUri)
{
Error = error;
ErrorDescription = errorDescription;
ErrorUri = errorUri;
Rejected();
HasError = true;
}
}
}

54
Yavsc/Auth/AuthServer/BaseValidatingTicketContext.cs
Unescape Escape View File

@ -0,0 +1,54 @@
using Microsoft.AspNet.Authentication;
using Microsoft.AspNet.Http;
using Microsoft.AspNet.Http.Authentication;
using System.Security.Claims;
namespace OAuth.AspNet.AuthServer
{
/// <summary>
/// Base class used for certain event contexts
/// </summary>
public abstract class BaseValidatingTicketContext<TOptions> : BaseValidatingContext<TOptions> where TOptions : AuthenticationOptions
{
/// <summary>
/// Initializes base class used for certain event contexts
/// </summary>
protected BaseValidatingTicketContext(HttpContext context, TOptions options, AuthenticationTicket ticket) : base(context, options)
{
Ticket = ticket;
}
/// <summary>
/// Contains the identity and properties for the application to authenticate. If the Validated method
/// is invoked with an AuthenticationTicket or ClaimsIdentity argument, that new value is assigned to
/// this property in addition to changing IsValidated to true.
/// </summary>
public AuthenticationTicket Ticket { get; private set; }
/// <summary>
/// Replaces the ticket information on this context and marks it as as validated by the application.
/// IsValidated becomes true and HasError becomes false as a result of calling.
/// </summary>
/// <param name="ticket">Assigned to the Ticket property</param>
/// <returns>True if the validation has taken effect.</returns>
public bool Validated(AuthenticationTicket ticket)
{
Ticket = ticket;
return Validated();
}
/// <summary>
/// Alters the ticket information on this context and marks it as as validated by the application.
/// IsValidated becomes true and HasError becomes false as a result of calling.
/// </summary>
/// <param name="principal">Assigned to the Ticket.Identity property</param>
/// <returns>True if the validation has taken effect.</returns>
public bool Validated(ClaimsPrincipal principal)
{
AuthenticationProperties properties = Ticket != null ? Ticket.Properties : new AuthenticationProperties();
return Validated(new AuthenticationTicket(principal, properties, Options.AuthenticationScheme));
}
}
}

40
Yavsc/Auth/AuthServer/DefaultBehavior.cs
Unescape Escape View File

@ -0,0 +1,40 @@
using System;
using System.Threading.Tasks;
namespace OAuth.AspNet.AuthServer
{
internal static class DefaultBehavior
{
internal static readonly Func<OAuthValidateAuthorizeRequestContext, Task> ValidateAuthorizeRequest = context =>
{
context.Validated();
return Task.FromResult<object>(null);
};
internal static readonly Func<OAuthValidateTokenRequestContext, Task> ValidateTokenRequest = context =>
{
context.Validated();
return Task.FromResult<object>(null);
};
internal static readonly Func<OAuthGrantAuthorizationCodeContext, Task> GrantAuthorizationCode = context =>
{
if (context.Ticket != null && context.Ticket.Principal != null && context.Ticket.Principal.Identity.IsAuthenticated)
{
context.Validated();
}
return Task.FromResult<object>(null);
};
internal static readonly Func<OAuthGrantRefreshTokenContext, Task> GrantRefreshToken = context =>
{
if (context.Ticket != null && context.Ticket.Principal != null && context.Ticket.Principal.Identity.IsAuthenticated)
{
context.Validated();
}
return Task.FromResult<object>(null);
};
}
}

14
Yavsc/Auth/AuthServer/IApplicationStore.cs
Unescape Escape View File

@ -0,0 +1,14 @@
public interface IApplication
{
string ApplicationID { get; set; }
string DisplayName { get; set; }
string RedirectUri { get; set; }
string LogoutRedirectUri { get; set; }
string Secret { get; set; }
}
public interface IApplicationStore
{
IApplication FindApplication(string clientId);
}

14
Yavsc/Auth/AuthServer/IAuthenticationTokenProvider.cs
Unescape Escape View File

@ -0,0 +1,14 @@
using System.Threading.Tasks;
namespace OAuth.AspNet.AuthServer
{
public interface IAuthenticationTokenProvider
{
void Create(AuthenticationTokenCreateContext context);
Task CreateAsync(AuthenticationTokenCreateContext context);
void Receive(AuthenticationTokenReceiveContext context);
Task ReceiveAsync(AuthenticationTokenReceiveContext context);
}
}

172
Yavsc/Auth/AuthServer/IOAuthAuthorizationServerProvider.cs
Unescape Escape View File

@ -0,0 +1,172 @@
using System.Threading.Tasks;
namespace OAuth.AspNet.AuthServer
{
/// <summary>
/// Interface for OAuthAuthorizationServerOptions.Provider property used by Authorization
/// Server to communicate with the web application while processing requests.
/// </summary>
public interface IOAuthAuthorizationServerProvider
{
/// <summary>
/// Called to determine if an incoming request is treated as an Authorize or Token
/// endpoint. If Options.AuthorizeEndpointPath or Options.TokenEndpointPath
/// are assigned values, then handling this event is optional and context.IsAuthorizeEndpoint and context.IsTokenEndpoint
/// will already be true if the request path matches.
/// </summary>
/// <param name="context">The context of the event carries information in and results out.</param>
/// <returns>Task to enable asynchronous execution</returns>
Task MatchEndpoint(OAuthMatchContext context);
/// <summary>
/// Called to validate that the context.ClientId is a registered "client_id", and that the context.RedirectUri a "redirect_uri"
/// registered for that client. This only occurs when processing the Authorize endpoint. The application MUST implement this
/// call, and it MUST validate both of those factors before calling context.Validated. If the context.Validated method is called
/// with a given redirectUri parameter, then IsValidated will only become true if the incoming redirect URI matches the given redirect URI.
/// If context.Validated is not called the request will not proceed further.
/// </summary>
/// <param name="context">The context of the event carries information in and results out.</param>
/// <returns>Task to enable asynchronous execution</returns>
Task ValidateClientRedirectUri(OAuthValidateClientRedirectUriContext context);
/// <summary>
/// Called to validate that the origin of the request is a registered "client_id", and that the correct credentials for that client are
/// present on the request. If the web application accepts Basic authentication credentials,
/// context.TryGetBasicCredentials(out clientId, out clientSecret) may be called to acquire those values if present in the request header. If the web
/// application accepts "client_id" and "client_secret" as form encoded POST parameters,
/// context.TryGetFormCredentials(out clientId, out clientSecret) may be called to acquire those values if present in the request body.
/// If context.Validated is not called the request will not proceed further.
/// </summary>
/// <param name="context">The context of the event carries information in and results out.</param>
/// <returns>Task to enable asynchronous execution</returns>
Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context);
/// <summary>
/// Called for each request to the Authorize endpoint to determine if the request is valid and should continue.
/// The default behavior when using the OAuthAuthorizationServerProvider is to assume well-formed requests, with
/// validated client redirect URI, should continue processing. An application may add any additional constraints.
/// </summary>
/// <param name="context">The context of the event carries information in and results out.</param>
/// <returns>Task to enable asynchronous execution</returns>
Task ValidateAuthorizeRequest(OAuthValidateAuthorizeRequestContext context);
/// <summary>
/// Called for each request to the Token endpoint to determine if the request is valid and should continue.
/// The default behavior when using the OAuthAuthorizationServerProvider is to assume well-formed requests, with
/// validated client credentials, should continue processing. An application may add any additional constraints.
/// </summary>
/// <param name="context">The context of the event carries information in and results out.</param>
/// <returns>Task to enable asynchronous execution</returns>
Task ValidateTokenRequest(OAuthValidateTokenRequestContext context);
/// <summary>
/// Called when a request to the Token endpoint arrives with a "grant_type" of "authorization_code". This occurs after the Authorize
/// endpoint as redirected the user-agent back to the client with a "code" parameter, and the client is exchanging that for an "access_token".
/// The claims and properties
/// associated with the authorization code are present in the context.Ticket. The application must call context.Validated to instruct the Authorization
/// Server middleware to issue an access token based on those claims and properties. The call to context.Validated may be given a different
/// AuthenticationTicket or ClaimsIdentity in order to control which information flows from authorization code to access token.
/// The default behavior when using the OAuthAuthorizationServerProvider is to flow information from the authorization code to
/// the access token unmodified.
/// See also http://tools.ietf.org/html/rfc6749#section-4.1.3
/// </summary>
/// <param name="context">The context of the event carries information in and results out.</param>
/// <returns>Task to enable asynchronous execution</returns>
Task GrantAuthorizationCode(OAuthGrantAuthorizationCodeContext context);
/// <summary>
/// Called when a request to the Token endpoint arrives with a "grant_type" of "refresh_token". This occurs if your application has issued a "refresh_token"
/// along with the "access_token", and the client is attempting to use the "refresh_token" to acquire a new "access_token", and possibly a new "refresh_token".
/// To issue a refresh token the an Options.RefreshTokenProvider must be assigned to create the value which is returned. The claims and properties
/// associated with the refresh token are present in the context.Ticket. The application must call context.Validated to instruct the
/// Authorization Server middleware to issue an access token based on those claims and properties. The call to context.Validated may
/// be given a different AuthenticationTicket or ClaimsIdentity in order to control which information flows from the refresh token to
/// the access token. The default behavior when using the OAuthAuthorizationServerProvider is to flow information from the refresh token to
/// the access token unmodified.
/// See also http://tools.ietf.org/html/rfc6749#section-6
/// </summary>
/// <param name="context">The context of the event carries information in and results out.</param>
/// <returns>Task to enable asynchronous execution</returns>
Task GrantRefreshToken(OAuthGrantRefreshTokenContext context);
/// <summary>
/// Called when a request to the Token endpoint arrives with a "grant_type" of "password". This occurs when the user has provided name and password
/// credentials directly into the client application's user interface, and the client application is using those to acquire an "access_token" and
/// optional "refresh_token". If the web application supports the
/// resource owner credentials grant type it must validate the context.Username and context.Password as appropriate. To issue an
/// access token the context.Validated must be called with a new ticket containing the claims about the resource owner which should be associated
/// with the access token. The application should take appropriate measures to ensure that the endpoint isnt abused by malicious callers. .
/// The default behavior is to reject this grant type.
/// See also http://tools.ietf.org/html/rfc6749#section-4.3.2
/// </summary>
/// <param name="context">The context of the event carries information in and results out.</param>
/// <returns>Task to enable asynchronous execution</returns>
Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context);
/// <summary>
/// Called when a request to the Token endpoint arrives with a "grant_type" of "client_credentials". This occurs when a registered client
/// application wishes to acquire an "access_token" to interact with protected resources on it's own behalf, rather than on behalf of an authenticated user.
/// If the web application supports the client credentials it may assume the context.ClientId has been validated by the ValidateClientAuthentication call.
/// To issue an access token the context.Validated must be called with a new ticket containing the claims about the client application which should be associated
/// with the access token. The application should take appropriate measures to ensure that the endpoint isnt abused by malicious callers.
/// The default behavior is to reject this grant type.
/// See also http://tools.ietf.org/html/rfc6749#section-4.4.2
/// </summary>
/// <param name="context">The context of the event carries information in and results out.</param>
/// <returns>Task to enable asynchronous execution</returns>
Task GrantClientCredentials(OAuthGrantClientCredentialsContext context);
/// <summary>
/// Called when a request to the Token andpoint arrives with a "grant_type" of any other value. If the application supports custom grant types
/// it is entirely responsible for determining if the request should result in an access_token. If context.Validated is called with ticket
/// information the response body is produced in the same way as the other standard grant types. If additional response parameters must be
/// included they may be added in the final TokenEndpoint call.
/// See also http://tools.ietf.org/html/rfc6749#section-4.5
/// </summary>
/// <param name="context">The context of the event carries information in and results out.</param>
/// <returns>Task to enable asynchronous execution</returns>
Task GrantCustomExtension(OAuthGrantCustomExtensionContext context);
/// <summary>
/// Called at the final stage of an incoming Authorize endpoint request before the execution continues on to the web application component
/// responsible for producing the html response. Anything present in the OWIN pipeline following the Authorization Server may produce the
/// response for the Authorize page. If running on IIS any ASP.NET technology running on the server may produce the response for the
/// Authorize page. If the web application wishes to produce the response directly in the AuthorizeEndpoint call it may write to the
/// context.Response directly and should call context.RequestCompleted to stop other handlers from executing. If the web application wishes
/// to grant the authorization directly in the AuthorizeEndpoint call it cay call context.OwinContext.Authentication.SignIn with the
/// appropriate ClaimsIdentity and should call context.RequestCompleted to stop other handlers from executing.
/// </summary>
/// <param name="context">The context of the event carries information in and results out.</param>
/// <returns>Task to enable asynchronous execution</returns>
Task AuthorizeEndpoint(OAuthAuthorizeEndpointContext context);
/// <summary>
/// Called at the final stage of a successful Token endpoint request. An application may implement this call in order to do any final
/// modification of the claims being used to issue access or refresh tokens. This call may also be used in order to add additional
/// response parameters to the Token endpoint's json response body.
/// </summary>
/// <param name="context">The context of the event carries information in and results out.</param>
/// <returns>Task to enable asynchronous execution</returns>
Task TokenEndpoint(OAuthTokenEndpointContext context);
/// <summary>
/// Called before the AuthorizationEndpoint redirects its response to the caller. The response could be the
/// token, when using implicit flow or the AuthorizationEndpoint when using authorization code flow.
/// An application may implement this call in order to do any final modification of the claims being used
/// to issue access or refresh tokens. This call may also be used in order to add additional
/// response parameters to the authorization endpoint's response.
/// </summary>
/// <param name="context">The context of the event carries information in and results out.</param>
/// <returns>Task to enable asynchronous execution</returns>
Task AuthorizationEndpointResponse(OAuthAuthorizationEndpointResponseContext context);
/// <summary>
/// Called before the TokenEndpoint redirects its response to the caller.
/// </summary>
/// <param name="context"></param>
/// <returns></returns>
Task TokenEndpointResponse(OAuthTokenEndpointResponseContext context);
}
}

816
Yavsc/Auth/AuthServer/OAuthAuthorizationServerHandler.cs
Unescape Escape View File

@ -0,0 +1,816 @@
using Microsoft.AspNet.Authentication;
using Microsoft.AspNet.Http;
using Microsoft.AspNet.Http.Authentication;
using Microsoft.AspNet.Http.Features.Authentication;
using Microsoft.AspNet.WebUtilities;
using Microsoft.Extensions.Logging;
using Newtonsoft.Json;
using System;
using System.Collections.Generic;
using System.Globalization;
using System.IO;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Extensions.DependencyInjection;
namespace OAuth.AspNet.AuthServer
{
public class OAuthAuthorizationServerHandler : AuthenticationHandler<OAuthAuthorizationServerOptions>
{
public OAuthAuthorizationServerHandler(IApplicationStore applicationStore)
{
ApplicationStore = applicationStore;
}
IServiceScope serviceScope;
public IApplicationStore ApplicationStore { get; private set;}
#region non-Public Members
private AuthorizeEndpointRequest _authorizeEndpointRequest;
private OAuthValidateClientRedirectUriContext _clientContext;
private Task SendErrorAsJsonAsync(BaseValidatingContext<OAuthAuthorizationServerOptions> validatingContext)
{
string error = validatingContext.HasError ? validatingContext.Error : Constants.Errors.InvalidRequest;
string errorDescription = validatingContext.HasError ? validatingContext.ErrorDescription : null;
string errorUri = validatingContext.HasError ? validatingContext.ErrorUri : null;
string body;
MemoryStream stream, memoryStream = null;
StreamWriter streamWriter = null;
try
{
stream = memoryStream = new MemoryStream();
streamWriter = new StreamWriter(memoryStream);
using (var writer = new JsonTextWriter(streamWriter))
{
memoryStream = null;
streamWriter = null;
writer.WriteStartObject();
writer.WritePropertyName(Constants.Parameters.Error);
writer.WriteValue(error);
if (!string.IsNullOrEmpty(errorDescription))
{
writer.WritePropertyName(Constants.Parameters.ErrorDescription);
writer.WriteValue(errorDescription);
}
if (!string.IsNullOrEmpty(errorUri))
{
writer.WritePropertyName(Constants.Parameters.ErrorUri);
writer.WriteValue(errorUri);
}
writer.WriteEndObject();
writer.Flush();
body = Encoding.UTF8.GetString(stream.ToArray());
}
}
finally
{
if (memoryStream != null)
memoryStream.Dispose();
}
Response.StatusCode = 400;
Response.ContentType = "application/json;charset=UTF-8";
Response.Headers["Cache-Control"] = "no-cache";
Response.Headers["Pragma"] = "no-cache";
Response.Headers["Expires"] = "-1";
Response.Headers["Content-Length"] = body.Length.ToString(CultureInfo.InvariantCulture);
return Response.WriteAsync(body, Context.RequestAborted);
}
private async Task<bool> SendErrorPageAsync(string error, string errorDescription, string errorUri)
{
Response.StatusCode = 400;
Response.Headers["Cache-Control"] = "no-cache";
Response.Headers["Pragma"] = "no-cache";
Response.Headers["Expires"] = "-1";
if (Options.ApplicationCanDisplayErrors)
{
Context.Items["oauth.Error"] = error;
Context.Items["oauth.ErrorDescription"] = errorDescription;
Context.Items["oauth.ErrorUri"] = errorUri;
// request is not handled - pass through to application for rendering
return false;
}
var memory = new MemoryStream();
string body;
using (var writer = new StreamWriter(memory))
{
writer.WriteLine("error: {0}", error);
if (!string.IsNullOrEmpty(errorDescription))
{
writer.WriteLine("error_description: {0}", errorDescription);
}
if (!string.IsNullOrEmpty(errorUri))
{
writer.WriteLine("error_uri: {0}", errorUri);
}
writer.Flush();
body = Encoding.UTF8.GetString(memory.ToArray());
}
Response.ContentType = "text/plain;charset=UTF-8";
Response.Headers["Content-Length"] = body.Length.ToString(CultureInfo.InvariantCulture);
await Response.WriteAsync(body, Context.RequestAborted);
// request is handled, does not pass on to application
return true;
}
private Task<bool> SendErrorRedirectAsync(OAuthValidateClientRedirectUriContext clientContext, BaseValidatingContext<OAuthAuthorizationServerOptions> validatingContext)
{
if (clientContext == null)
{
throw new ArgumentNullException("clientContext");
}
string error = validatingContext.HasError ? validatingContext.Error : Constants.Errors.InvalidRequest;
string errorDescription = validatingContext.HasError ? validatingContext.ErrorDescription : null;
string errorUri = validatingContext.HasError ? validatingContext.ErrorUri : null;
if (!clientContext.IsValidated)
{
// write error in response body if client_id or redirect_uri have not been validated
return SendErrorPageAsync(error, errorDescription, errorUri);
}
// redirect with error if client_id and redirect_uri have been validated
string location = QueryHelpers.AddQueryString(clientContext.RedirectUri, Constants.Parameters.Error, error);
if (!string.IsNullOrEmpty(errorDescription))
{
location = QueryHelpers.AddQueryString(location, Constants.Parameters.ErrorDescription, errorDescription);
}
if (!string.IsNullOrEmpty(errorUri))
{
location = QueryHelpers.AddQueryString(location, Constants.Parameters.ErrorUri, errorUri);
}
Response.Redirect(location);
// request is handled, does not pass on to application
return Task.FromResult(true);
}
private static AuthenticationTicket ReturnOutcome(OAuthValidateTokenRequestContext validatingContext, BaseValidatingContext<OAuthAuthorizationServerOptions> grantContext, AuthenticationTicket ticket, string defaultError)
{
if (!validatingContext.IsValidated)
return null;
if (!grantContext.IsValidated)
{
if (grantContext.HasError)
{
validatingContext.SetError(grantContext.Error, grantContext.ErrorDescription, grantContext.ErrorUri);
}
else
{
validatingContext.SetError(defaultError);
}
return null;
}
if (ticket == null)
{
validatingContext.SetError(defaultError);
return null;
}
return ticket;
}
private async Task<AuthenticationTicket> InvokeTokenEndpointAuthorizationCodeGrantAsync(OAuthValidateTokenRequestContext validatingContext, DateTimeOffset currentUtc)
{
TokenEndpointRequest tokenEndpointRequest = validatingContext.TokenRequest;
var authorizationCodeContext = new AuthenticationTokenReceiveContext(Context, Options.AuthorizationCodeFormat, tokenEndpointRequest.AuthorizationCodeGrant.Code);
await Options.AuthorizationCodeProvider.ReceiveAsync(authorizationCodeContext);
AuthenticationTicket ticket = authorizationCodeContext.Ticket;
if (ticket == null)
{
Logger.LogError("invalid authorization code");
validatingContext.SetError(Constants.Errors.InvalidGrant);
return null;
}
if (!ticket.Properties.ExpiresUtc.HasValue ||
ticket.Properties.ExpiresUtc < currentUtc)
{
Logger.LogError("expired authorization code");
validatingContext.SetError(Constants.Errors.InvalidGrant);
return null;
}
string clientId;
if (!ticket.Properties.Items.TryGetValue(Constants.Extra.ClientId, out clientId) ||
!string.Equals(clientId, validatingContext.ClientContext.ClientId, StringComparison.Ordinal))
{
Logger.LogError("authorization code does not contain matching client_id");
validatingContext.SetError(Constants.Errors.InvalidGrant);
return null;
}
string redirectUri;
if (ticket.Properties.Items.TryGetValue(Constants.Extra.RedirectUri, out redirectUri))
{
ticket.Properties.Items.Remove(Constants.Extra.RedirectUri);
if (!string.Equals(redirectUri, tokenEndpointRequest.AuthorizationCodeGrant.RedirectUri, StringComparison.Ordinal))
{
Logger.LogError("authorization code does not contain matching redirect_uri");
validatingContext.SetError(Constants.Errors.InvalidGrant);
return null;
}
}
await Options.Provider.ValidateTokenRequest(validatingContext);
var grantContext = new OAuthGrantAuthorizationCodeContext(
Context, Options, ticket);
if (validatingContext.IsValidated)
{
await Options.Provider.GrantAuthorizationCode(grantContext);
}
return ReturnOutcome(validatingContext, grantContext, grantContext.Ticket, Constants.Errors.InvalidGrant);
}
private async Task<AuthenticationTicket> InvokeTokenEndpointResourceOwnerPasswordCredentialsGrantAsync(OAuthValidateTokenRequestContext validatingContext, DateTimeOffset currentUtc)
{
TokenEndpointRequest tokenEndpointRequest = validatingContext.TokenRequest;
await Options.Provider.ValidateTokenRequest(validatingContext);
var grantContext = new OAuthGrantResourceOwnerCredentialsContext(
Context,
Options,
validatingContext.ClientContext.ClientId,
tokenEndpointRequest.ResourceOwnerPasswordCredentialsGrant.UserName,
tokenEndpointRequest.ResourceOwnerPasswordCredentialsGrant.Password,
tokenEndpointRequest.ResourceOwnerPasswordCredentialsGrant.Scope
);
if (validatingContext.IsValidated)
await Options.Provider.GrantResourceOwnerCredentials(grantContext);
return ReturnOutcome(validatingContext, grantContext, grantContext.Ticket, Constants.Errors.InvalidGrant);
}
private async Task<AuthenticationTicket> InvokeTokenEndpointClientCredentialsGrantAsync(OAuthValidateTokenRequestContext validatingContext, DateTimeOffset currentUtc)
{
TokenEndpointRequest tokenEndpointRequest = validatingContext.TokenRequest;
await Options.Provider.ValidateTokenRequest(validatingContext);
if (!validatingContext.IsValidated)
return null;
var grantContext = new OAuthGrantClientCredentialsContext(Context, Options, validatingContext.ClientContext.ClientId, tokenEndpointRequest.ClientCredentialsGrant.Scope);
await Options.Provider.GrantClientCredentials(grantContext);
return ReturnOutcome(validatingContext, grantContext, grantContext.Ticket, Constants.Errors.UnauthorizedClient);
}
private async Task<AuthenticationTicket> InvokeTokenEndpointRefreshTokenGrantAsync(OAuthValidateTokenRequestContext validatingContext, DateTimeOffset currentUtc)
{
TokenEndpointRequest tokenEndpointRequest = validatingContext.TokenRequest;
var refreshTokenContext = new AuthenticationTokenReceiveContext(Context, Options.RefreshTokenFormat, tokenEndpointRequest.RefreshTokenGrant.RefreshToken);
await Options.RefreshTokenProvider.ReceiveAsync(refreshTokenContext);
AuthenticationTicket ticket = refreshTokenContext.Ticket;
if (ticket == null)
{
Logger.LogError("invalid refresh token");
validatingContext.SetError(Constants.Errors.InvalidGrant);
return null;
}
if (!ticket.Properties.ExpiresUtc.HasValue || ticket.Properties.ExpiresUtc < currentUtc)
{
Logger.LogError("expired refresh token");
validatingContext.SetError(Constants.Errors.InvalidGrant);
return null;
}
await Options.Provider.ValidateTokenRequest(validatingContext);
var grantContext = new OAuthGrantRefreshTokenContext(Context, Options, ticket, validatingContext.ClientContext.ClientId);
if (validatingContext.IsValidated)
await Options.Provider.GrantRefreshToken(grantContext);
return ReturnOutcome(validatingContext, grantContext, grantContext.Ticket, Constants.Errors.InvalidGrant);
}
private async Task<AuthenticationTicket> InvokeTokenEndpointCustomGrantAsync(OAuthValidateTokenRequestContext validatingContext, DateTimeOffset currentUtc)
{
TokenEndpointRequest tokenEndpointRequest = validatingContext.TokenRequest;
await Options.Provider.ValidateTokenRequest(validatingContext);
var grantContext = new OAuthGrantCustomExtensionContext(Context, Options, validatingContext.ClientContext.ClientId, tokenEndpointRequest.GrantType, tokenEndpointRequest.CustomExtensionGrant.Parameters);
if (validatingContext.IsValidated)
await Options.Provider.GrantCustomExtension(grantContext);
return ReturnOutcome(validatingContext, grantContext, grantContext.Ticket, Constants.Errors.UnsupportedGrantType);
}
private async Task<bool> InvokeAuthorizeEndpointAsync()
{
var authorizeRequest = new AuthorizeEndpointRequest(Request.Query);
var clientContext = new OAuthValidateClientRedirectUriContext(ApplicationStore,Context, Options, authorizeRequest.ClientId, authorizeRequest.RedirectUri);
if (!string.IsNullOrEmpty(authorizeRequest.RedirectUri))
{
bool acceptableUri = true;
Uri validatingUri;
if (!Uri.TryCreate(authorizeRequest.RedirectUri, UriKind.Absolute, out validatingUri))
{
// The redirection endpoint URI MUST be an absolute URI
// http://tools.ietf.org/html/rfc6749#section-3.1.2
acceptableUri = false;
}
else if (!string.IsNullOrEmpty(validatingUri.Fragment))
{
// The endpoint URI MUST NOT include a fragment component.
// http://tools.ietf.org/html/rfc6749#section-3.1.2
acceptableUri = false;
}
else if (!Options.AllowInsecureHttp && string.Equals(validatingUri.Scheme, "http", StringComparison.OrdinalIgnoreCase))
{
// The redirection endpoint SHOULD require the use of TLS
// http://tools.ietf.org/html/rfc6749#section-3.1.2.1
acceptableUri = false;
}
if (!acceptableUri)
{
clientContext.SetError(Constants.Errors.InvalidRequest);
return await SendErrorRedirectAsync(clientContext, clientContext);
}
}
await Options.Provider.ValidateClientRedirectUri(clientContext);
if (!clientContext.IsValidated)
{
Logger.LogVerbose("Unable to validate client information");
return await SendErrorRedirectAsync(clientContext, clientContext);
}
var validatingContext = new OAuthValidateAuthorizeRequestContext(Context, Options, authorizeRequest, clientContext);
if (string.IsNullOrEmpty(authorizeRequest.ResponseType))
{
Logger.LogVerbose("Authorize endpoint request missing required response_type parameter");
validatingContext.SetError(Constants.Errors.InvalidRequest);
}
else if (!authorizeRequest.IsAuthorizationCodeGrantType && !authorizeRequest.IsImplicitGrantType)
{
Logger.LogVerbose("Authorize endpoint request contains unsupported response_type parameter");
validatingContext.SetError(Constants.Errors.UnsupportedResponseType);
}
else
{
await Options.Provider.ValidateAuthorizeRequest(validatingContext);
}
if (!validatingContext.IsValidated)
{
// an invalid request is not processed further
return await SendErrorRedirectAsync(clientContext, validatingContext);
}
_clientContext = clientContext;
_authorizeEndpointRequest = authorizeRequest;
var authorizeEndpointContext = new OAuthAuthorizeEndpointContext(Context, Options, authorizeRequest);
await Options.Provider.AuthorizeEndpoint(authorizeEndpointContext);
return authorizeEndpointContext.IsRequestCompleted;
}
private async Task InvokeTokenEndpointAsync()
{
DateTimeOffset currentUtc = Options.SystemClock.UtcNow;
// remove milliseconds in case they don't round-trip
currentUtc = currentUtc.Subtract(TimeSpan.FromMilliseconds(currentUtc.Millisecond));
IFormCollection form = await Request.ReadFormAsync();
var clientContext = new OAuthValidateClientAuthenticationContext(Context, Options, form, ApplicationStore);
await Options.Provider.ValidateClientAuthentication(clientContext);
if (!clientContext.IsValidated)
{
Logger.LogError("clientID is not valid.");
if (!clientContext.HasError)
clientContext.SetError(Constants.Errors.InvalidClient);
await SendErrorAsJsonAsync(clientContext);
return;
}
var tokenEndpointRequest = new TokenEndpointRequest(form);
var validatingContext = new OAuthValidateTokenRequestContext(Context, Options, tokenEndpointRequest, clientContext);
AuthenticationTicket ticket = null;
if (tokenEndpointRequest.IsAuthorizationCodeGrantType)
{
// Authorization Code Grant http://tools.ietf.org/html/rfc6749#section-4.1
// Access Token Request http://tools.ietf.org/html/rfc6749#section-4.1.3
ticket = await InvokeTokenEndpointAuthorizationCodeGrantAsync(validatingContext, currentUtc);
}
else if (tokenEndpointRequest.IsResourceOwnerPasswordCredentialsGrantType)
{
// Resource Owner Password Credentials Grant http://tools.ietf.org/html/rfc6749#section-4.3
// Access Token Request http://tools.ietf.org/html/rfc6749#section-4.3.2
ticket = await InvokeTokenEndpointResourceOwnerPasswordCredentialsGrantAsync(validatingContext, currentUtc);
}
else if (tokenEndpointRequest.IsClientCredentialsGrantType)
{
// Client Credentials Grant http://tools.ietf.org/html/rfc6749#section-4.4
// Access Token Request http://tools.ietf.org/html/rfc6749#section-4.4.2
ticket = await InvokeTokenEndpointClientCredentialsGrantAsync(validatingContext, currentUtc);
}
else if (tokenEndpointRequest.IsRefreshTokenGrantType)
{
// Refreshing an Access Token
// http://tools.ietf.org/html/rfc6749#section-6
ticket = await InvokeTokenEndpointRefreshTokenGrantAsync(validatingContext, currentUtc);
}
else if (tokenEndpointRequest.IsCustomExtensionGrantType)
{
// Defining New Authorization Grant Types
// http://tools.ietf.org/html/rfc6749#section-8.3
ticket = await InvokeTokenEndpointCustomGrantAsync(validatingContext, currentUtc);
}
else
{
// Error Response http://tools.ietf.org/html/rfc6749#section-5.2
// The authorization grant type is not supported by the
// authorization server.
Logger.LogError("grant type is not recognized");
validatingContext.SetError(Constants.Errors.UnsupportedGrantType);
}
if (ticket == null)
{
await SendErrorAsJsonAsync(validatingContext);
return;
}
ticket.Properties.IssuedUtc = currentUtc;
ticket.Properties.ExpiresUtc = currentUtc.Add(Options.AccessTokenExpireTimeSpan);
var tokenEndpointContext = new OAuthTokenEndpointContext(Context, Options, ticket, tokenEndpointRequest);
await Options.Provider.TokenEndpoint(tokenEndpointContext);
if (tokenEndpointContext.TokenIssued)
{
ticket = new AuthenticationTicket(tokenEndpointContext.Principal, tokenEndpointContext.Properties, tokenEndpointContext.Options.AuthenticationScheme);
}
else
{
Logger.LogError("Token was not issued to tokenEndpointContext");
validatingContext.SetError(Constants.Errors.InvalidGrant);
await SendErrorAsJsonAsync(validatingContext);
return;
}
var accessTokenContext = new AuthenticationTokenCreateContext(
Context,
Options.AccessTokenFormat,
ticket);
await Options.AccessTokenProvider.CreateAsync(accessTokenContext);
string accessToken = accessTokenContext.Token;
if (string.IsNullOrEmpty(accessToken))
{
accessToken = accessTokenContext.SerializeTicket();
}
DateTimeOffset? accessTokenExpiresUtc = ticket.Properties.ExpiresUtc;
var refreshTokenCreateContext = new AuthenticationTokenCreateContext(Context, Options.RefreshTokenFormat, accessTokenContext.Ticket);
await Options.RefreshTokenProvider.CreateAsync(refreshTokenCreateContext);
string refreshToken = refreshTokenCreateContext.Token;
var tokenEndpointResponseContext = new OAuthTokenEndpointResponseContext(Context, Options, ticket, tokenEndpointRequest, accessToken, tokenEndpointContext.AdditionalResponseParameters);
await Options.Provider.TokenEndpointResponse(tokenEndpointResponseContext);
MemoryStream stream, memoryStream = null;
string body;
try
{
stream = memoryStream = new MemoryStream();
using (var writer = new JsonTextWriter(new StreamWriter(memoryStream)))
{
memoryStream = null;
writer.WriteStartObject();
writer.WritePropertyName(Constants.Parameters.AccessToken);
writer.WriteValue(accessToken);
writer.WritePropertyName(Constants.Parameters.TokenType);
writer.WriteValue(Constants.TokenTypes.Bearer);
if (accessTokenExpiresUtc.HasValue)
{
TimeSpan? expiresTimeSpan = accessTokenExpiresUtc - currentUtc;
var expiresIn = (long)expiresTimeSpan.Value.TotalSeconds;
if (expiresIn > 0)
{
writer.WritePropertyName(Constants.Parameters.ExpiresIn);
writer.WriteValue(expiresIn);
}
}
if (!string.IsNullOrEmpty(refreshToken))
{
writer.WritePropertyName(Constants.Parameters.RefreshToken);
writer.WriteValue(refreshToken);
}
foreach (var additionalResponseParameter in tokenEndpointResponseContext.AdditionalResponseParameters)
{
writer.WritePropertyName(additionalResponseParameter.Key);
writer.WriteValue(additionalResponseParameter.Value);
}
writer.WriteEndObject();
writer.Flush();
body = Encoding.UTF8.GetString(stream.ToArray());
Response.ContentType = "application/json;charset=UTF-8";
Response.Headers["Cache-Control"] = "no-cache";
Response.Headers["Pragma"] = "no-cache";
Response.Headers["Expires"] = "-1";
Response.ContentLength = Encoding.UTF8.GetByteCount(body);
}
}
finally
{
if (memoryStream != null)
memoryStream.Dispose();
}
await Response.WriteAsync(body, Encoding.UTF8, Context.RequestAborted);
}
private class Appender
{
private readonly char _delimiter;
private readonly StringBuilder _sb;
private bool _hasDelimiter;
public Appender(string value, char delimiter)
{
_sb = new StringBuilder(value);
_delimiter = delimiter;
_hasDelimiter = value.IndexOf(delimiter) != -1;
}
public Appender Append(string name, string value)
{
_sb.Append(_hasDelimiter ? '&' : _delimiter)
.Append(Uri.EscapeDataString(name))
.Append('=')
.Append(Uri.EscapeDataString(value));
_hasDelimiter = true;
return this;
}
public override string ToString()
{
return _sb.ToString();
}
}
protected override Task<AuthenticateResult> HandleAuthenticateAsync()
{
return Task.FromResult<AuthenticateResult>(null);
}
#endregion
#region Public Members
public override async Task<bool> HandleRequestAsync()
{
var matchRequestContext = new OAuthMatchContext(Context, Options);
if (Options.AuthorizeEndpointPath.HasValue && Options.AuthorizeEndpointPath == Request.Path)
{
matchRequestContext.MatchesAuthorizeEndpoint();
}
else if (Options.TokenEndpointPath.HasValue && Options.TokenEndpointPath == Request.Path)
{
matchRequestContext.MatchesTokenEndpoint();
}
await Options.Provider.MatchEndpoint(matchRequestContext);
if (matchRequestContext.HandledResponse)
return true;
if (matchRequestContext.Skipped)
return false;
if (matchRequestContext.IsAuthorizeEndpoint || matchRequestContext.IsTokenEndpoint)
{
if (!Options.AllowInsecureHttp && !Context.Request.IsHttps)
{
Logger.LogWarning("Authorization server ignoring http request because AllowInsecureHttp is false.");
return false;
}
if (matchRequestContext.IsAuthorizeEndpoint)
return await InvokeAuthorizeEndpointAsync();
if (matchRequestContext.IsTokenEndpoint)
{
await InvokeTokenEndpointAsync();
return true;
}
}
return false;
}
protected override async Task HandleSignInAsync(SignInContext context)
{
// only successful results of an authorize request are altered
if (_clientContext == null || _authorizeEndpointRequest == null || Response.StatusCode != 200)
return;
if (context?.Principal == null)
return;
AuthenticationResponseGrant signin = new AuthenticationResponseGrant(context.Principal, new AuthenticationProperties(context.Properties));
var returnParameter = new Dictionary<string, string>();
if (_authorizeEndpointRequest.IsAuthorizationCodeGrantType)
{
DateTimeOffset currentUtc = Options.SystemClock.UtcNow;
signin.Properties.IssuedUtc = currentUtc;
signin.Properties.ExpiresUtc = currentUtc.Add(Options.AuthorizationCodeExpireTimeSpan);
// associate client_id with all subsequent tickets
signin.Properties.Items[Constants.Extra.ClientId] = _authorizeEndpointRequest.ClientId;
if (!string.IsNullOrEmpty(_authorizeEndpointRequest.RedirectUri))
{
// keep original request parameter for later comparison
signin.Properties.Items[Constants.Extra.RedirectUri] = _authorizeEndpointRequest.RedirectUri;
}
var tokenCreationContext = new AuthenticationTokenCreateContext(Context, Options.AuthorizationCodeFormat, new AuthenticationTicket(signin.Principal, signin.Properties, signin.Identity.AuthenticationType));
await Options.AuthorizationCodeProvider.CreateAsync(tokenCreationContext);
string code = tokenCreationContext.Token;
if (string.IsNullOrEmpty(code))
{
Logger.LogError("response_type code requires an Options.AuthorizationCodeProvider implementing a single-use token.");
var errorContext = new OAuthValidateAuthorizeRequestContext(Context, Options, _authorizeEndpointRequest, _clientContext);
errorContext.SetError(Constants.Errors.UnsupportedResponseType);
await SendErrorRedirectAsync(_clientContext, errorContext);
return;
}
var authResponseContext = new OAuthAuthorizationEndpointResponseContext(Context, Options, new AuthenticationTicket(signin.Principal, signin.Properties, signin.Identity.AuthenticationType), _authorizeEndpointRequest, null, code);
await Options.Provider.AuthorizationEndpointResponse(authResponseContext);
foreach (var parameter in authResponseContext.AdditionalResponseParameters)
{
returnParameter[parameter.Key] = parameter.Value.ToString();
}
returnParameter[Constants.Parameters.Code] = code;
if (!string.IsNullOrEmpty(_authorizeEndpointRequest.State))
{
returnParameter[Constants.Parameters.State] = _authorizeEndpointRequest.State;
}
string location = string.Empty;
if (_authorizeEndpointRequest.IsFormPostResponseMode)
{
location = Options.FormPostEndpoint.ToString();
returnParameter[Constants.Parameters.RedirectUri] = _clientContext.RedirectUri;
}
else
{
location = _clientContext.RedirectUri;
}
foreach (var key in returnParameter.Keys)
{
location = QueryHelpers.AddQueryString(location, key, returnParameter[key]);
}
Response.Redirect(location);
}
else if (_authorizeEndpointRequest.IsImplicitGrantType)
{
string location = _clientContext.RedirectUri;
DateTimeOffset currentUtc = Options.SystemClock.UtcNow;
signin.Properties.IssuedUtc = currentUtc;
signin.Properties.ExpiresUtc = currentUtc.Add(Options.AccessTokenExpireTimeSpan);
// associate client_id with access token
signin.Properties.Items[Constants.Extra.ClientId] = _authorizeEndpointRequest.ClientId;
var accessTokenContext = new AuthenticationTokenCreateContext(Context, Options.AccessTokenFormat, new AuthenticationTicket(signin.Principal, signin.Properties, signin.Identity.AuthenticationType));
await Options.AccessTokenProvider.CreateAsync(accessTokenContext);
string accessToken = accessTokenContext.Token;
if (string.IsNullOrEmpty(accessToken))
{
accessToken = accessTokenContext.SerializeTicket();
}
DateTimeOffset? accessTokenExpiresUtc = accessTokenContext.Ticket.Properties.ExpiresUtc;
var appender = new Appender(location, '#');
appender.Append(Constants.Parameters.AccessToken, accessToken)
.Append(Constants.Parameters.TokenType, Constants.TokenTypes.Bearer);
if (accessTokenExpiresUtc.HasValue)
{
TimeSpan? expiresTimeSpan = accessTokenExpiresUtc - currentUtc;
var expiresIn = (long)(expiresTimeSpan.Value.TotalSeconds + .5);
appender.Append(Constants.Parameters.ExpiresIn, expiresIn.ToString(CultureInfo.InvariantCulture));
}
if (!string.IsNullOrEmpty(_authorizeEndpointRequest.State))
{
appender.Append(Constants.Parameters.State, _authorizeEndpointRequest.State);
}
var authResponseContext = new OAuthAuthorizationEndpointResponseContext(Context, Options, new AuthenticationTicket(signin.Principal, signin.Properties, signin.Identity.AuthenticationType), _authorizeEndpointRequest, accessToken, null);
await Options.Provider.AuthorizationEndpointResponse(authResponseContext);
foreach (var parameter in authResponseContext.AdditionalResponseParameters)
{
appender.Append(parameter.Key, parameter.Value.ToString());
}
Response.Redirect(appender.ToString());
}
}
#endregion
}
}

100
Yavsc/Auth/AuthServer/OAuthAuthorizationServerMiddleware.cs
Unescape Escape View File

@ -0,0 +1,100 @@

using Microsoft.AspNet.Authentication;
using Microsoft.AspNet.Builder;
using Microsoft.AspNet.DataProtection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.WebEncoders;
using Microsoft.Extensions.DependencyInjection;
using System;
namespace OAuth.AspNet.AuthServer
{
/// <summary>
/// Authorization Server middleware component which is added to an OWIN pipeline. This class is not
/// created by application code directly, instead it is added by calling the the IAppBuilder UseOAuthAuthorizationServer
/// extension method.
/// </summary>
public class OAuthAuthorizationServerMiddleware : AuthenticationMiddleware<OAuthAuthorizationServerOptions>
{
/// <summary>
/// Authorization Server middleware component which is added to an OWIN pipeline. This constructor is not
/// called by application code directly, instead it is added by calling the the IAppBuilder UseOAuthAuthorizationServer
/// extension method.
/// </summary>
public OAuthAuthorizationServerMiddleware(
RequestDelegate next,
OAuthAuthorizationServerOptions options,
ILoggerFactory loggerFactory,
IDataProtectionProvider dataProtectionProvider,
IUrlEncoder encoder,
IApplicationStore applicationStore
) : base(next, options, loggerFactory, encoder)
{
if (applicationStore == null )
{
throw new InvalidOperationException("No application store");
}
ApplicationStore = applicationStore;
if (Options.Provider == null)
{
Options.Provider = new OAuthAuthorizationServerProvider();
}
if (Options.AuthorizationCodeFormat == null)
{
IDataProtector dataProtecter = dataProtectionProvider.CreateProtector(typeof(OAuthAuthorizationServerMiddleware).FullName, "Authentication_Code", "v1");
Options.AuthorizationCodeFormat = new TicketDataFormat(dataProtecter);
}
if (Options.RefreshTokenFormat == null)
{
IDataProtector dataProtecter = dataProtectionProvider.CreateProtector(typeof(OAuthAuthorizationServerMiddleware).FullName, "Refresh_Token", "v1");
Options.RefreshTokenFormat = new TicketDataFormat(dataProtecter);
}
if (Options.TokenDataProtector == null)
{
Options.TokenDataProtector = dataProtectionProvider.CreateProtector("OAuth.AspNet.AuthServer");
}
if (Options.AccessTokenFormat == null)
{
IDataProtector dataProtecter = Options.TokenDataProtector.CreateProtector("Access_Token", "v1");
Options.AccessTokenFormat = new TicketDataFormat(dataProtecter);
}
if (Options.AuthorizationCodeProvider == null)
{
Options.AuthorizationCodeProvider = new AuthenticationTokenProvider();
}
if (Options.AccessTokenProvider == null)
{
Options.AccessTokenProvider = new AuthenticationTokenProvider();
}
if (Options.RefreshTokenProvider == null)
{
Options.RefreshTokenProvider = new AuthenticationTokenProvider();
}
}
private IApplicationStore ApplicationStore { get; set; }
/// <summary>
/// Called by the AuthenticationMiddleware base class to create a per-request handler.
/// </summary>
/// <returns>A new instance of the request handler</returns>
protected override AuthenticationHandler<OAuthAuthorizationServerOptions> CreateHandler()
{
return new OAuthAuthorizationServerHandler(ApplicationStore);
}
}
}

136
Yavsc/Auth/AuthServer/OAuthAuthorizationServerOptions.cs
Unescape Escape View File

@ -0,0 +1,136 @@
using Microsoft.AspNet.Authentication;
using Microsoft.AspNet.DataProtection;
using Microsoft.AspNet.Http;
using System;
namespace OAuth.AspNet.AuthServer
{
/// <summary>
/// Options class provides information needed to control Authorization Server middleware behavior
/// </summary>
public class OAuthAuthorizationServerOptions : AuthenticationOptions
{
/// <summary>
/// Creates an instance of authorization server options with default values.
/// </summary>
public OAuthAuthorizationServerOptions()
{
AuthenticationScheme = OAuthDefaults.AuthenticationType;
AuthorizationCodeExpireTimeSpan = TimeSpan.FromMinutes(5);
AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20);
SystemClock = new SystemClock();
}
/// <summary>
/// The request path where client applications will redirect the user-agent in order to
/// obtain user consent to issue a token. Must begin with a leading slash, like "/Authorize".
/// </summary>
public PathString AuthorizeEndpointPath { get; set; }
/// <summary>
/// The request path client applications communicate with directly as part of the OAuth protocol.
/// Must begin with a leading slash, like "/Token". If the client is issued a client_secret, it must
/// be provided to this endpoint.
/// </summary>
public PathString TokenEndpointPath { get; set; }
/// <summary>
/// The object provided by the application to process events raised by the Authorization Server middleware.
/// The application may implement the interface fully, or it may create an instance of OAuthAuthorizationServerProvider
/// and assign delegates only to the events it wants to process.
/// </summary>
public IOAuthAuthorizationServerProvider Provider { get; set; }
/// <summary>
/// The data format used to protect and unprotect the information contained in the authorization code.
/// If not provided by the application the default data protection provider depends on the host server.
/// The SystemWeb host on IIS will use ASP.NET machine key data protection, and HttpListener and other self-hosted
/// servers will use DPAPI data protection.
/// </summary>
public ISecureDataFormat<AuthenticationTicket> AuthorizationCodeFormat { get; set; }
/// <summary>
/// The data protection provider used to protect token information.
/// </summary>
public IDataProtector TokenDataProtector { get; set; }
/// <summary>
/// The data format used to protect the information contained in the access token.
/// If not provided by the application the default data protection provider depends on the host server.
/// The SystemWeb host on IIS will use ASP.NET machine key data protection, and HttpListener and other self-hosted
/// servers will use DPAPI data protection. If a different access token
/// provider or format is assigned, a compatible instance must be assigned to the OAuthBearerAuthenticationOptions.AccessTokenProvider
/// or OAuthBearerAuthenticationOptions.AccessTokenFormat property of the resource server.
/// </summary>
public ISecureDataFormat<AuthenticationTicket> AccessTokenFormat { get; set; }
/// <summary>
/// The data format used to protect and unprotect the information contained in the refresh token.
/// If not provided by the application the default data protection provider depends on the host server.
/// The SystemWeb host on IIS will use ASP.NET machine key data protection, and HttpListener and other self-hosted
/// servers will use DPAPI data protection.
/// </summary>
public ISecureDataFormat<AuthenticationTicket> RefreshTokenFormat { get; set; }
/// <summary>
/// The period of time the authorization code remains valid after being issued. The default is five minutes.
/// This time span must also take into account clock synchronization between servers in a web farm, so a very
/// brief value could result in unexpectedly expired tokens.
/// </summary>
public TimeSpan AuthorizationCodeExpireTimeSpan { get; set; }
/// <summary>
/// The period of time the access token remains valid after being issued. The default is twenty minutes.
/// The client application is expected to refresh or acquire a new access token after the token has expired.
/// </summary>
public TimeSpan AccessTokenExpireTimeSpan { get; set; }
/// <summary>
/// Produces a single-use authorization code to return to the client application. For the OAuth server to be secure the
/// application MUST provide an instance for AuthorizationCodeProvider where the token produced by the OnCreate or OnCreateAsync event
/// is considered valid for only one call to OnReceive or OnReceiveAsync.
/// </summary>
public IAuthenticationTokenProvider AuthorizationCodeProvider { get; set; }
/// <summary>
/// Produces a bearer token the client application will typically be providing to resource server as the authorization bearer
/// http request header. If not provided the token produced on the server's default data protection. If a different access token
/// provider or format is assigned, a compatible instance must be assigned to the OAuthBearerAuthenticationOptions.AccessTokenProvider
/// or OAuthBearerAuthenticationOptions.AccessTokenFormat property of the resource server.
/// </summary>
public IAuthenticationTokenProvider AccessTokenProvider { get; set; }
/// <summary>
/// Produces a refresh token which may be used to produce a new access token when needed. If not provided the authorization server will
/// not return refresh tokens from the /Token endpoint.
/// </summary>
public IAuthenticationTokenProvider RefreshTokenProvider { get; set; }
/// <summary>
/// Set to true if the web application is able to render error messages on the /Authorize endpoint. This is only needed for cases where
/// the browser is not redirected back to the client application, for example, when the client_id or redirect_uri are incorrect. The
/// /Authorize endpoint should expect to see "oauth.Error", "oauth.ErrorDescription", "oauth.ErrorUri" properties added to the owin environment.
/// </summary>
public bool ApplicationCanDisplayErrors { get; set; }
/// <summary>
/// Used to know what the current clock time is when calculating or validating token expiration. When not assigned default is based on
/// DateTimeOffset.UtcNow. This is typically needed only for unit testing.
/// </summary>
public ISystemClock SystemClock { get; set; }
/// <summary>
/// True to allow authorize and token requests to arrive on http URI addresses, and to allow incoming
/// redirect_uri authorize request parameter to have http URI addresses.
/// </summary>
public bool AllowInsecureHttp { get; set; }
/// <summary>
/// Endpoint responsible for Form Post Response Mode
/// See also, http://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html
/// </summary>
public PathString FormPostEndpoint { get; set; }
}
}

378
Yavsc/Auth/AuthServer/OAuthAuthorizationServerProvider.cs
Unescape Escape View File

@ -0,0 +1,378 @@
using System;
using System.Threading.Tasks;
namespace OAuth.AspNet.AuthServer
{
/// <summary>
/// Default implementation of IOAuthAuthorizationServerProvider used by Authorization
/// Server to communicate with the web application while processing requests. OAuthAuthorizationServerProvider provides some default behavior,
/// may be used as a virtual base class, and offers delegate properties which may be used to
/// handle individual calls without declaring a new class type.
/// </summary>
public class OAuthAuthorizationServerProvider : IOAuthAuthorizationServerProvider
{
/// <summary>
/// Creates new instance of default provider behavior
/// </summary>
public OAuthAuthorizationServerProvider()
{
OnMatchEndpoint = context => Task.FromResult<object>(null);
OnValidateClientRedirectUri = context => Task.FromResult<object>(null);
OnValidateClientAuthentication = context => Task.FromResult<object>(null);
OnValidateAuthorizeRequest = DefaultBehavior.ValidateAuthorizeRequest;
OnValidateTokenRequest = DefaultBehavior.ValidateTokenRequest;
OnGrantAuthorizationCode = DefaultBehavior.GrantAuthorizationCode;
OnGrantResourceOwnerCredentials = context => Task.FromResult<object>(null);
OnGrantRefreshToken = DefaultBehavior.GrantRefreshToken;
OnGrantClientCredentials = context => Task.FromResult<object>(null);
OnGrantCustomExtension = context => Task.FromResult<object>(null);
OnAuthorizeEndpoint = context => Task.FromResult<object>(null);
OnTokenEndpoint = context => Task.FromResult<object>(null);
OnAuthorizationEndpointResponse = context => Task.FromResult<object>(null);
OnTokenEndpointResponse = context => Task.FromResult<object>(null);
}
/// <summary>
/// Called to determine if an incoming request is treated as an Authorize or Token
/// endpoint. If Options.AuthorizeEndpointPath or Options.TokenEndpointPath
/// are assigned values, then handling this event is optional and context.IsAuthorizeEndpoint and context.IsTokenEndpoint
/// will already be true if the request path matches.
/// </summary>
public Func<OAuthMatchContext, Task> OnMatchEndpoint { get; set; }
/// <summary>
/// Called to validate that the context.ClientId is a registered "client_id", and that the context.RedirectUri a "redirect_uri"
/// registered for that client. This only occurs when processing the Authorize endpoint. The application MUST implement this
/// call, and it MUST validate both of those factors before calling context.Validated. If the context.Validated method is called
/// with a given redirectUri parameter, then IsValidated will only become true if the incoming redirect URI matches the given redirect URI.
/// If context.Validated is not called the request will not proceed further.
/// </summary>
public Func<OAuthValidateClientRedirectUriContext, Task> OnValidateClientRedirectUri { get; set; }
/// <summary>
/// Called to validate that the origin of the request is a registered "client_id", and that the correct credentials for that client are
/// present on the request. If the web application accepts Basic authentication credentials,
/// context.TryGetBasicCredentials(out clientId, out clientSecret) may be called to acquire those values if present in the request header. If the web
/// application accepts "client_id" and "client_secret" as form encoded POST parameters,
/// context.TryGetFormCredentials(out clientId, out clientSecret) may be called to acquire those values if present in the request body.
/// If context.Validated is not called the request will not proceed further.
/// </summary>
public Func<OAuthValidateClientAuthenticationContext, Task> OnValidateClientAuthentication { get; set; }
/// <summary>
/// Called for each request to the Authorize endpoint to determine if the request is valid and should continue.
/// The default behavior when using the OAuthAuthorizationServerProvider is to assume well-formed requests, with
/// validated client redirect URI, should continue processing. An application may add any additional constraints.
/// </summary>
public Func<OAuthValidateAuthorizeRequestContext, Task> OnValidateAuthorizeRequest { get; set; }
/// <summary>
/// Called for each request to the Token endpoint to determine if the request is valid and should continue.
/// The default behavior when using the OAuthAuthorizationServerProvider is to assume well-formed requests, with
/// validated client credentials, should continue processing. An application may add any additional constraints.
/// </summary>
public Func<OAuthValidateTokenRequestContext, Task> OnValidateTokenRequest { get; set; }
/// <summary>
/// Called when a request to the Token endpoint arrives with a "grant_type" of "authorization_code". This occurs after the Authorize
/// endpoint as redirected the user-agent back to the client with a "code" parameter, and the client is exchanging that for an "access_token".
/// The claims and properties
/// associated with the authorization code are present in the context.Ticket. The application must call context.Validated to instruct the Authorization
/// Server middleware to issue an access token based on those claims and properties. The call to context.Validated may be given a different
/// AuthenticationTicket or ClaimsIdentity in order to control which information flows from authorization code to access token.
/// The default behavior when using the OAuthAuthorizationServerProvider is to flow information from the authorization code to
/// the access token unmodified.
/// See also http://tools.ietf.org/html/rfc6749#section-4.1.3
/// </summary>
public Func<OAuthGrantAuthorizationCodeContext, Task> OnGrantAuthorizationCode { get; set; }
/// <summary>
/// Called when a request to the Token endpoint arrives with a "grant_type" of "password". This occurs when the user has provided name and password
/// credentials directly into the client application's user interface, and the client application is using those to acquire an "access_token" and
/// optional "refresh_token". If the web application supports the
/// resource owner credentials grant type it must validate the context.Username and context.Password as appropriate. To issue an
/// access token the context.Validated must be called with a new ticket containing the claims about the resource owner which should be associated
/// with the access token. The application should take appropriate measures to ensure that the endpoint isnt abused by malicious callers.
/// The default behavior is to reject this grant type.
/// See also http://tools.ietf.org/html/rfc6749#section-4.3.2
/// </summary>
public Func<OAuthGrantResourceOwnerCredentialsContext, Task> OnGrantResourceOwnerCredentials { get; set; }
/// <summary>
/// Called when a request to the Token endpoint arrives with a "grant_type" of "client_credentials". This occurs when a registered client
/// application wishes to acquire an "access_token" to interact with protected resources on it's own behalf, rather than on behalf of an authenticated user.
/// If the web application supports the client credentials it may assume the context.ClientId has been validated by the ValidateClientAuthentication call.
/// To issue an access token the context.Validated must be called with a new ticket containing the claims about the client application which should be associated
/// with the access token. The application should take appropriate measures to ensure that the endpoint isnt abused by malicious callers.
/// The default behavior is to reject this grant type.
/// See also http://tools.ietf.org/html/rfc6749#section-4.4.2
/// </summary>
public Func<OAuthGrantClientCredentialsContext, Task> OnGrantClientCredentials { get; set; }
/// <summary>
/// Called when a request to the Token endpoint arrives with a "grant_type" of "refresh_token". This occurs if your application has issued a "refresh_token"
/// along with the "access_token", and the client is attempting to use the "refresh_token" to acquire a new "access_token", and possibly a new "refresh_token".
/// To issue a refresh token the an Options.RefreshTokenProvider must be assigned to create the value which is returned. The claims and properties
/// associated with the refresh token are present in the context.Ticket. The application must call context.Validated to instruct the
/// Authorization Server middleware to issue an access token based on those claims and properties. The call to context.Validated may
/// be given a different AuthenticationTicket or ClaimsIdentity in order to control which information flows from the refresh token to
/// the access token. The default behavior when using the OAuthAuthorizationServerProvider is to flow information from the refresh token to
/// the access token unmodified.
/// See also http://tools.ietf.org/html/rfc6749#section-6
/// </summary>
public Func<OAuthGrantRefreshTokenContext, Task> OnGrantRefreshToken { get; set; }
/// <summary>
/// Called when a request to the Token andpoint arrives with a "grant_type" of any other value. If the application supports custom grant types
/// it is entirely responsible for determining if the request should result in an access_token. If context.Validated is called with ticket
/// information the response body is produced in the same way as the other standard grant types. If additional response parameters must be
/// included they may be added in the final TokenEndpoint call.
/// See also http://tools.ietf.org/html/rfc6749#section-4.5
/// </summary>
public Func<OAuthGrantCustomExtensionContext, Task> OnGrantCustomExtension { get; set; }
/// <summary>
/// Called at the final stage of an incoming Authorize endpoint request before the execution continues on to the web application component
/// responsible for producing the html response. Anything present in the OWIN pipeline following the Authorization Server may produce the
/// response for the Authorize page. If running on IIS any ASP.NET technology running on the server may produce the response for the
/// Authorize page. If the web application wishes to produce the response directly in the AuthorizeEndpoint call it may write to the
/// context.Response directly and should call context.RequestCompleted to stop other handlers from executing. If the web application wishes
/// to grant the authorization directly in the AuthorizeEndpoint call it cay call context.OwinContext.Authentication.SignIn with the
/// appropriate ClaimsIdentity and should call context.RequestCompleted to stop other handlers from executing.
/// </summary>
public Func<OAuthAuthorizeEndpointContext, Task> OnAuthorizeEndpoint { get; set; }
/// <summary>
/// Called at the final stage of a successful Token endpoint request. An application may implement this call in order to do any final
/// modification of the claims being used to issue access or refresh tokens. This call may also be used in order to add additional
/// response parameters to the Token endpoint's json response body.
/// </summary>
public Func<OAuthTokenEndpointContext, Task> OnTokenEndpoint { get; set; }
/// <summary>
/// Called before the AuthorizationEndpoint redirects its response to the caller. The response could be the
/// token, when using implicit flow or the AuthorizationEndpoint when using authorization code flow.
/// An application may implement this call in order to do any final modification of the claims being used
/// to issue access or refresh tokens. This call may also be used in order to add additional
/// response parameters to the authorization endpoint's response.
/// </summary>
/// <param name="context">The context of the event carries information in and results out.</param>
/// <returns>Task to enable asynchronous execution</returns>
public Func<OAuthAuthorizationEndpointResponseContext, Task> OnAuthorizationEndpointResponse { get; set; }
/// <summary>
/// Called before the TokenEndpoint redirects its response to the caller.
/// </summary>
/// <param name="context"></param>
/// <returns></returns>
public Func<OAuthTokenEndpointResponseContext, Task> OnTokenEndpointResponse { get; set; }
/// <summary>
/// Called to determine if an incoming request is treated as an Authorize or Token
/// endpoint. If Options.AuthorizeEndpointPath or Options.TokenEndpointPath
/// are assigned values, then handling this event is optional and context.IsAuthorizeEndpoint and context.IsTokenEndpoint
/// will already be true if the request path matches.
/// </summary>
/// <param name="context">The context of the event carries information in and results out.</param>
/// <returns>Task to enable asynchronous execution</returns>
public virtual Task MatchEndpoint(OAuthMatchContext context)
{
return OnMatchEndpoint.Invoke(context);
}
/// <summary>
/// Called to validate that the context.ClientId is a registered "client_id", and that the context.RedirectUri a "redirect_uri"
/// registered for that client. This only occurs when processing the Authorize endpoint. The application MUST implement this
/// call, and it MUST validate both of those factors before calling context.Validated. If the context.Validated method is called
/// with a given redirectUri parameter, then IsValidated will only become true if the incoming redirect URI matches the given redirect URI.
/// If context.Validated is not called the request will not proceed further.
/// </summary>
/// <param name="context">The context of the event carries information in and results out.</param>
/// <returns>Task to enable asynchronous execution</returns>
public virtual Task ValidateClientRedirectUri(OAuthValidateClientRedirectUriContext context)
{
return OnValidateClientRedirectUri.Invoke(context);
}
/// <summary>
/// Called to validate that the origin of the request is a registered "client_id", and that the correct credentials for that client are
/// present on the request. If the web application accepts Basic authentication credentials,
/// context.TryGetBasicCredentials(out clientId, out clientSecret) may be called to acquire those values if present in the request header. If the web
/// application accepts "client_id" and "client_secret" as form encoded POST parameters,
/// context.TryGetFormCredentials(out clientId, out clientSecret) may be called to acquire those values if present in the request body.
/// If context.Validated is not called the request will not proceed further.
/// </summary>
/// <param name="context">The context of the event carries information in and results out.</param>
/// <returns>Task to enable asynchronous execution</returns>
public virtual Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
{
return OnValidateClientAuthentication.Invoke(context);
}
/// <summary>
/// Called for each request to the Authorize endpoint to determine if the request is valid and should continue.
/// The default behavior when using the OAuthAuthorizationServerProvider is to assume well-formed requests, with
/// validated client redirect URI, should continue processing. An application may add any additional constraints.
/// </summary>
/// <param name="context">The context of the event carries information in and results out.</param>
/// <returns>Task to enable asynchronous execution</returns>
public virtual Task ValidateAuthorizeRequest(OAuthValidateAuthorizeRequestContext context)
{
return OnValidateAuthorizeRequest.Invoke(context);
}
/// <summary>
/// Called for each request to the Token endpoint to determine if the request is valid and should continue.
/// The default behavior when using the OAuthAuthorizationServerProvider is to assume well-formed requests, with
/// validated client credentials, should continue processing. An application may add any additional constraints.
/// </summary>
/// <param name="context">The context of the event carries information in and results out.</param>
/// <returns>Task to enable asynchronous execution</returns>
public virtual Task ValidateTokenRequest(OAuthValidateTokenRequestContext context)
{
return OnValidateTokenRequest.Invoke(context);
}
/// <summary>
/// Called when a request to the Token endpoint arrives with a "grant_type" of "authorization_code". This occurs after the Authorize
/// endpoint as redirected the user-agent back to the client with a "code" parameter, and the client is exchanging that for an "access_token".
/// The claims and properties
/// associated with the authorization code are present in the context.Ticket. The application must call context.Validated to instruct the Authorization
/// Server middleware to issue an access token based on those claims and properties. The call to context.Validated may be given a different
/// AuthenticationTicket or ClaimsIdentity in order to control which information flows from authorization code to access token.
/// The default behavior when using the OAuthAuthorizationServerProvider is to flow information from the authorization code to
/// the access token unmodified.
/// See also http://tools.ietf.org/html/rfc6749#section-4.1.3
/// </summary>
/// <param name="context">The context of the event carries information in and results out.</param>
/// <returns>Task to enable asynchronous execution</returns>
public virtual Task GrantAuthorizationCode(OAuthGrantAuthorizationCodeContext context)
{
return OnGrantAuthorizationCode.Invoke(context);
}
/// <summary>
/// Called when a request to the Token endpoint arrives with a "grant_type" of "refresh_token". This occurs if your application has issued a "refresh_token"
/// along with the "access_token", and the client is attempting to use the "refresh_token" to acquire a new "access_token", and possibly a new "refresh_token".
/// To issue a refresh token the an Options.RefreshTokenProvider must be assigned to create the value which is returned. The claims and properties
/// associated with the refresh token are present in the context.Ticket. The application must call context.Validated to instruct the
/// Authorization Server middleware to issue an access token based on those claims and properties. The call to context.Validated may
/// be given a different AuthenticationTicket or ClaimsIdentity in order to control which information flows from the refresh token to
/// the access token. The default behavior when using the OAuthAuthorizationServerProvider is to flow information from the refresh token to
/// the access token unmodified.
/// See also http://tools.ietf.org/html/rfc6749#section-6
/// </summary>
/// <param name="context">The context of the event carries information in and results out.</param>
/// <returns>Task to enable asynchronous execution</returns>
public virtual Task GrantRefreshToken(OAuthGrantRefreshTokenContext context)
{
return OnGrantRefreshToken.Invoke(context);
}
/// <summary>
/// Called when a request to the Token endpoint arrives with a "grant_type" of "password". This occurs when the user has provided name and password
/// credentials directly into the client application's user interface, and the client application is using those to acquire an "access_token" and
/// optional "refresh_token". If the web application supports the
/// resource owner credentials grant type it must validate the context.Username and context.Password as appropriate. To issue an
/// access token the context.Validated must be called with a new ticket containing the claims about the resource owner which should be associated
/// with the access token. The application should take appropriate measures to ensure that the endpoint isnt abused by malicious callers.
/// The default behavior is to reject this grant type.
/// See also http://tools.ietf.org/html/rfc6749#section-4.3.2
/// </summary>
/// <param name="context">The context of the event carries information in and results out.</param>
/// <returns>Task to enable asynchronous execution</returns>
public virtual Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
return OnGrantResourceOwnerCredentials.Invoke(context);
}
/// <summary>
/// Called when a request to the Token endpoint arrives with a "grant_type" of "client_credentials". This occurs when a registered client
/// application wishes to acquire an "access_token" to interact with protected resources on it's own behalf, rather than on behalf of an authenticated user.
/// If the web application supports the client credentials it may assume the context.ClientId has been validated by the ValidateClientAuthentication call.
/// To issue an access token the context.Validated must be called with a new ticket containing the claims about the client application which should be associated
/// with the access token. The application should take appropriate measures to ensure that the endpoint isnt abused by malicious callers.
/// The default behavior is to reject this grant type.
/// See also http://tools.ietf.org/html/rfc6749#section-4.4.2
/// </summary>
/// <param name="context">The context of the event carries information in and results out.</param>
/// <returns>Task to enable asynchronous execution</returns>
public virtual Task GrantClientCredentials(OAuthGrantClientCredentialsContext context)
{
return OnGrantClientCredentials.Invoke(context);
}
/// <summary>
/// Called when a request to the Token endpoint arrives with a "grant_type" of any other value. If the application supports custom grant types
/// it is entirely responsible for determining if the request should result in an access_token. If context.Validated is called with ticket
/// information the response body is produced in the same way as the other standard grant types. If additional response parameters must be
/// included they may be added in the final TokenEndpoint call.
/// See also http://tools.ietf.org/html/rfc6749#section-4.5
/// </summary>
/// <param name="context">The context of the event carries information in and results out.</param>
/// <returns>Task to enable asynchronous execution</returns>
public virtual Task GrantCustomExtension(OAuthGrantCustomExtensionContext context)
{
return OnGrantCustomExtension.Invoke(context);
}
/// <summary>
/// Called at the final stage of an incoming Authorize endpoint request before the execution continues on to the web application component
/// responsible for producing the html response. Anything present in the OWIN pipeline following the Authorization Server may produce the
/// response for the Authorize page. If running on IIS any ASP.NET technology running on the server may produce the response for the
/// Authorize page. If the web application wishes to produce the response directly in the AuthorizeEndpoint call it may write to the
/// context.Response directly and should call context.RequestCompleted to stop other handlers from executing. If the web application wishes
/// to grant the authorization directly in the AuthorizeEndpoint call it cay call context.OwinContext.Authentication.SignIn with the
/// appropriate ClaimsIdentity and should call context.RequestCompleted to stop other handlers from executing.
/// </summary>
/// <param name="context">The context of the event carries information in and results out.</param>
/// <returns>Task to enable asynchronous execution</returns>
public virtual Task AuthorizeEndpoint(OAuthAuthorizeEndpointContext context)
{
return OnAuthorizeEndpoint.Invoke(context);
}
/// <summary>
/// Called at the final stage of a successful Token endpoint request. An application may implement this call in order to do any final
/// modification of the claims being used to issue access or refresh tokens. This call may also be used in order to add additional
/// response parameters to the Token endpoint's json response body.
/// </summary>
/// <param name="context">The context of the event carries information in and results out.</param>
/// <returns>Task to enable asynchronous execution</returns>
public virtual Task TokenEndpoint(OAuthTokenEndpointContext context)
{
return OnTokenEndpoint.Invoke(context);
}
/// <summary>
/// Called before the AuthorizationEndpoint redirects its response to the caller. The response could be the
/// token, when using implicit flow or the AuthorizationEndpoint when using authorization code flow.
/// An application may implement this call in order to do any final modification of the claims being used
/// to issue access or refresh tokens. This call may also be used in order to add additional
/// response parameters to the authorization endpoint's response.
/// </summary>
/// <param name="context">The context of the event carries information in and results out.</param>
/// <returns>Task to enable asynchronous execution</returns>
public virtual Task AuthorizationEndpointResponse(OAuthAuthorizationEndpointResponseContext context)
{
return OnAuthorizationEndpointResponse.Invoke(context);
}
/// <summary>
/// Called before the TokenEndpoint redirects its response to the caller.
/// </summary>
/// <param name="context"></param>
/// <returns></returns>
public virtual Task TokenEndpointResponse(OAuthTokenEndpointResponseContext context)
{
return OnTokenEndpointResponse.Invoke(context);
}
}
}

34
Yavsc/Auth/AuthServer/OAuthAuthorizeEndpointContext.cs
Unescape Escape View File

@ -0,0 +1,34 @@
using Microsoft.AspNet.Authentication;
using Microsoft.AspNet.Http;
namespace OAuth.AspNet.AuthServer
{
/// <summary>
/// An event raised after the Authorization Server has processed the request, but before it is passed on to the web application.
/// Calling RequestCompleted will prevent the request from passing on to the web application.
/// </summary>
public class OAuthAuthorizeEndpointContext : BaseOAuthEndpointContext
{
/// <summary>
/// Creates an instance of this context
/// </summary>
public OAuthAuthorizeEndpointContext(HttpContext context, OAuthAuthorizationServerOptions options, AuthorizeEndpointRequest authorizeRequest) : base(context, options)
{
AuthorizeRequest = authorizeRequest;
}
/// <summary>
/// Gets OAuth authorization request data.
/// </summary>
public AuthorizeEndpointRequest AuthorizeRequest { get; private set; }
public bool IsRequestCompleted { get; private set; }
public void RequestCompleted()
{
IsRequestCompleted = true;
}
}
}

69
Yavsc/Auth/AuthServer/OAuthAuthorizeEndpointResponseContext.cs
Unescape Escape View File

@ -0,0 +1,69 @@
using Microsoft.AspNet.Authentication;
using Microsoft.AspNet.Http;
using Microsoft.AspNet.Http.Authentication;
using System;
using System.Collections.Generic;
using System.Security.Claims;
namespace OAuth.AspNet.AuthServer
{
/// <summary>
/// Provides context information when processing an Authorization Response
/// </summary>
public class OAuthAuthorizationEndpointResponseContext : BaseOAuthEndpointContext
{
/// <summary>
/// Initializes a new instance of the <see cref="OAuthAuthorizationEndpointResponseContext"/> class
/// </summary>
/// <param name="context"></param>
/// <param name="options"></param>
/// <param name="ticket"></param>
/// <param name="tokenEndpointRequest"></param>
public OAuthAuthorizationEndpointResponseContext(HttpContext context, OAuthAuthorizationServerOptions options, AuthenticationTicket ticket, AuthorizeEndpointRequest authorizeEndpointRequest, string accessToken, string authorizationCode) : base(context, options)
{
if (ticket == null)
{
throw new ArgumentNullException("ticket");
}
Principal = ticket.Principal;
Properties = ticket.Properties;
AuthorizeEndpointRequest = authorizeEndpointRequest;
AdditionalResponseParameters = new Dictionary<string, object>(StringComparer.Ordinal);
AccessToken = accessToken;
AuthorizationCode = authorizationCode;
}
/// <summary>
/// Gets the identity of the resource owner.
/// </summary>
public ClaimsPrincipal Principal { get; private set; }
/// <summary>
/// Dictionary containing the state of the authentication session.
/// </summary>
public AuthenticationProperties Properties { get; private set; }
/// <summary>
/// Gets information about the authorize endpoint request.
/// </summary>
public AuthorizeEndpointRequest AuthorizeEndpointRequest { get; private set; }
/// <summary>
/// Enables additional values to be appended to the token response.
/// </summary>
public IDictionary<string, object> AdditionalResponseParameters { get; private set; }
/// <summary>
/// The serialized Access-Token. Depending on the flow, it can be null.
/// </summary>
public string AccessToken { get; private set; }
/// <summary>
/// The created Authorization-Code. Depending on the flow, it can be null.
/// </summary>
public string AuthorizationCode { get; private set; }
}
}

70
Yavsc/Auth/AuthServer/OAuthConstants.cs
Unescape Escape View File

@ -0,0 +1,70 @@
// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. See License.txt in the project root for license information.
namespace OAuth.AspNet.AuthServer
{
internal static class Constants
{
public static class Parameters
{
public const string ResponseType = "response_type";
public const string GrantType = "grant_type";
public const string ClientId = "client_id";
public const string ClientSecret = "client_secret";
public const string RedirectUri = "redirect_uri";
public const string Scope = "scope";
public const string State = "state";
public const string Code = "code";
public const string RefreshToken = "refresh_token";
public const string Username = "username";
public const string Password = "password";
public const string Error = "error";
public const string ErrorDescription = "error_description";
public const string ErrorUri = "error_uri";
public const string ExpiresIn = "expires_in";
public const string AccessToken = "access_token";
public const string TokenType = "token_type";
public const string ResponseMode = "response_mode";
}
public static class ResponseTypes
{
public const string Code = "code";
public const string Token = "token";
}
public static class GrantTypes
{
public const string AuthorizationCode = "authorization_code";
public const string ClientCredentials = "client_credentials";
public const string RefreshToken = "refresh_token";
public const string Password = "password";
}
public static class TokenTypes
{
public const string Bearer = "bearer";
}
public static class Errors
{
public const string InvalidRequest = "invalid_request";
public const string InvalidClient = "invalid_client";
public const string InvalidGrant = "invalid_grant";
public const string UnsupportedResponseType = "unsupported_response_type";
public const string UnsupportedGrantType = "unsupported_grant_type";
public const string UnauthorizedClient = "unauthorized_client";
}
public static class Extra
{
public const string ClientId = "client_id";
public const string RedirectUri = "redirect_uri";
}
public static class ResponseModes
{
public const string FormPost = "form_post";
}
}
}

15
Yavsc/Auth/AuthServer/OAuthDefaults.cs
Unescape Escape View File

@ -0,0 +1,15 @@

namespace OAuth.AspNet.AuthServer
{
/// <summary>
/// Default values used by authorization server and bearer authentication.
/// </summary>
public static class OAuthDefaults
{
/// <summary>
/// Default value for AuthenticationType property in the OAuthBearerAuthenticationOptions and
/// OAuthAuthorizationServerOptions.
/// </summary>
public const string AuthenticationType = "Bearer";
}
}

21
Yavsc/Auth/AuthServer/OAuthGrantAuthorizationCodeContext.cs
Unescape Escape View File

@ -0,0 +1,21 @@
using Microsoft.AspNet.Authentication;
using Microsoft.AspNet.Http;
namespace OAuth.AspNet.AuthServer
{
/// <summary>
/// Provides context information when handling an OAuth authorization code grant.
/// </summary>
public class OAuthGrantAuthorizationCodeContext : BaseValidatingTicketContext<OAuthAuthorizationServerOptions>
{
/// <summary>
/// Initializes a new instance of the <see cref="OAuthGrantAuthorizationCodeContext"/> class
/// </summary>
/// <param name="context"></param>
/// <param name="options"></param>
/// <param name="ticket"></param>
public OAuthGrantAuthorizationCodeContext(HttpContext context, OAuthAuthorizationServerOptions options, AuthenticationTicket ticket) : base(context, options, ticket) { }
}
}

36
Yavsc/Auth/AuthServer/OAuthGrantClientCredentialsContext.cs
Unescape Escape View File

@ -0,0 +1,36 @@
using Microsoft.AspNet.Http;
using System.Collections.Generic;
namespace OAuth.AspNet.AuthServer
{
/// <summary>
/// Provides context information used in handling an OAuth client credentials grant.
/// </summary>
public class OAuthGrantClientCredentialsContext : BaseValidatingTicketContext<OAuthAuthorizationServerOptions>
{
/// <summary>
/// Initializes a new instance of the <see cref="OAuthGrantClientCredentialsContext"/> class
/// </summary>
/// <param name="context"></param>
/// <param name="options"></param>
/// <param name="clientId"></param>
/// <param name="scope"></param>
public OAuthGrantClientCredentialsContext(HttpContext context, OAuthAuthorizationServerOptions options, string clientId, IList<string> scope) : base(context, options, null)
{
ClientId = clientId;
Scope = scope;
}
/// <summary>
/// OAuth client id.
/// </summary>
public string ClientId { get; private set; }
/// <summary>
/// List of scopes allowed by the resource owner.
/// </summary>
public IList<string> Scope { get; private set; }
}
}

42
Yavsc/Auth/AuthServer/OAuthGrantCustomExtensionContext.cs
Unescape Escape View File

@ -0,0 +1,42 @@
using Microsoft.AspNet.Http;
namespace OAuth.AspNet.AuthServer
{
/// <summary>
/// Provides context information used when handling OAuth extension grant types.
/// </summary>
public class OAuthGrantCustomExtensionContext : BaseValidatingTicketContext<OAuthAuthorizationServerOptions>
{
/// <summary>
/// Initializes a new instance of the <see cref="OAuthGrantCustomExtensionContext"/> class
/// </summary>
/// <param name="context"></param>
/// <param name="options"></param>
/// <param name="clientId"></param>
/// <param name="grantType"></param>
/// <param name="parameters"></param>
public OAuthGrantCustomExtensionContext(HttpContext context, OAuthAuthorizationServerOptions options, string clientId, string grantType, IReadableStringCollection parameters) : base(context, options, null)
{
ClientId = clientId;
GrantType = grantType;
Parameters = parameters;
}
/// <summary>
/// Gets the OAuth client id.
/// </summary>
public string ClientId { get; private set; }
/// <summary>
/// Gets the name of the OAuth extension grant type.
/// </summary>
public string GrantType { get; private set; }
/// <summary>
/// Gets a list of additional parameters from the token request.
/// </summary>
public IReadableStringCollection Parameters { get; private set; }
}
}

30
Yavsc/Auth/AuthServer/OAuthGrantRefreshTokenContext.cs
Unescape Escape View File

@ -0,0 +1,30 @@
using Microsoft.AspNet.Authentication;
using Microsoft.AspNet.Http;
namespace OAuth.AspNet.AuthServer
{
/// <summary>
/// Provides context information used when granting an OAuth refresh token.
/// </summary>
public class OAuthGrantRefreshTokenContext : BaseValidatingTicketContext<OAuthAuthorizationServerOptions>
{
/// <summary>
/// Initializes a new instance of the <see cref="OAuthGrantRefreshTokenContext"/> class
/// </summary>
/// <param name="context"></param>
/// <param name="options"></param>
/// <param name="ticket"></param>
/// <param name="clientId"></param>
public OAuthGrantRefreshTokenContext(HttpContext context, OAuthAuthorizationServerOptions options, AuthenticationTicket ticket, string clientId) : base(context, options, ticket)
{
ClientId = clientId;
}
/// <summary>
/// The OAuth client id.
/// </summary>
public string ClientId { get; private set; }
}
}

50
Yavsc/Auth/AuthServer/OAuthGrantResourceOwnerCredentialsContext.cs
Unescape Escape View File

@ -0,0 +1,50 @@
using Microsoft.AspNet.Http;
using System.Collections.Generic;
namespace OAuth.AspNet.AuthServer
{
/// <summary>
/// Provides context information used in handling an OAuth resource owner grant.
/// </summary>
public class OAuthGrantResourceOwnerCredentialsContext : BaseValidatingTicketContext<OAuthAuthorizationServerOptions>
{
/// <summary>
/// Initializes a new instance of the <see cref="OAuthGrantResourceOwnerCredentialsContext"/> class
/// </summary>
/// <param name="context"></param>
/// <param name="options"></param>
/// <param name="clientId"></param>
/// <param name="userName"></param>
/// <param name="password"></param>
/// <param name="scope"></param>
public OAuthGrantResourceOwnerCredentialsContext(HttpContext context, OAuthAuthorizationServerOptions options, string clientId, string userName, string password, IList<string> scope) : base(context, options, null)
{
ClientId = clientId;
UserName = userName;
Password = password;
Scope = scope;
}
/// <summary>
/// OAuth client id.
/// </summary>
public string ClientId { get; private set; }
/// <summary>
/// Resource owner username.
/// </summary>
public string UserName { get; private set; }
/// <summary>
/// Resource owner password.
/// </summary>
public string Password { get; private set; }
/// <summary>
/// List of scopes allowed by the resource owner.
/// </summary>
public IList<string> Scope { get; private set; }
}
}

74
Yavsc/Auth/AuthServer/OAuthMatchContext.cs
Unescape Escape View File

@ -0,0 +1,74 @@
using Microsoft.AspNet.Authentication;
using Microsoft.AspNet.Http;
using System;
namespace OAuth.AspNet.AuthServer
{
/// <summary>
/// Provides notification used for determining the OAuth flow type based on the request.
/// </summary>
public class OAuthMatchContext : BaseControlContext
{
#region Constructors
/// <summary>
/// Initializes a new instance of the <see cref="OAuthMatchContext"/> class
/// </summary>
/// <param name="context"></param>
/// <param name="options"></param>
public OAuthMatchContext(HttpContext context, OAuthAuthorizationServerOptions options) : base(context)
{
if (options == null)
throw new ArgumentNullException(nameof(options));
Options = options;
}
#endregion
#region Public Members
public OAuthAuthorizationServerOptions Options { get; }
/// <summary>
/// Gets whether or not the endpoint is an OAuth authorize endpoint.
/// </summary>
public bool IsAuthorizeEndpoint { get; private set; }
/// <summary>
/// Gets whether or not the endpoint is an OAuth token endpoint.
/// </summary>
public bool IsTokenEndpoint { get; private set; }
/// <summary>
/// Sets the endpoint type to authorize endpoint.
/// </summary>
public void MatchesAuthorizeEndpoint()
{
IsAuthorizeEndpoint = true;
IsTokenEndpoint = false;
}
/// <summary>
/// Sets the endpoint type to token endpoint.
/// </summary>
public void MatchesTokenEndpoint()
{
IsAuthorizeEndpoint = false;
IsTokenEndpoint = true;
}
/// <summary>
/// Sets the endpoint type to neither authorize nor token.
/// </summary>
public void MatchesNothing()
{
IsAuthorizeEndpoint = false;
IsTokenEndpoint = false;
}
#endregion
}
}

75
Yavsc/Auth/AuthServer/OAuthTokenEndpointContext.cs
Unescape Escape View File

@ -0,0 +1,75 @@
using Microsoft.AspNet.Authentication;
using Microsoft.AspNet.Http;
using Microsoft.AspNet.Http.Authentication;
using System;
using System.Collections.Generic;
using System.Security.Claims;
namespace OAuth.AspNet.AuthServer
{
/// <summary>
/// Provides context information used when processing an OAuth token request.
/// </summary>
public class OAuthTokenEndpointContext : BaseOAuthEndpointContext
{
/// <summary>
/// Initializes a new instance of the <see cref="OAuthTokenEndpointContext"/> class
/// </summary>
/// <param name="context"></param>
/// <param name="options"></param>
/// <param name="ticket"></param>
/// <param name="tokenEndpointRequest"></param>
public OAuthTokenEndpointContext(HttpContext context, OAuthAuthorizationServerOptions options, AuthenticationTicket ticket, TokenEndpointRequest tokenEndpointRequest) : base(context, options)
{
if (ticket == null)
{
throw new ArgumentNullException("ticket");
}
Principal = ticket.Principal;
Properties = ticket.Properties;
TokenEndpointRequest = tokenEndpointRequest;
AdditionalResponseParameters = new Dictionary<string, object>(StringComparer.Ordinal);
TokenIssued = Principal != null;
}
/// <summary>
/// Gets the identity of the resource owner.
/// </summary>
public ClaimsPrincipal Principal { get; private set; }
/// <summary>
/// Dictionary containing the state of the authentication session.
/// </summary>
public AuthenticationProperties Properties { get; private set; }
/// <summary>
/// Gets information about the token endpoint request.
/// </summary>
public TokenEndpointRequest TokenEndpointRequest { get; set; }
/// <summary>
/// Gets whether or not the token should be issued.
/// </summary>
public bool TokenIssued { get; private set; }
/// <summary>
/// Enables additional values to be appended to the token response.
/// </summary>
public IDictionary<string, object> AdditionalResponseParameters { get; private set; }
/// <summary>
/// Issues the token.
/// </summary>
/// <param name="principal"></param>
/// <param name="properties"></param>
public void Issue(ClaimsPrincipal principal, AuthenticationProperties properties)
{
Principal = principal;
Properties = properties;
TokenIssued = true;
}
}
}

82
Yavsc/Auth/AuthServer/OAuthTokenEndpointResponseContext.cs
Unescape Escape View File

@ -0,0 +1,82 @@
using Microsoft.AspNet.Authentication;
using Microsoft.AspNet.Http;
using Microsoft.AspNet.Http.Authentication;
using System;
using System.Collections.Generic;
using System.Security.Claims;
namespace OAuth.AspNet.AuthServer
{
/// <summary>
/// Provides context information used at the end of a token-endpoint-request.
/// </summary>
public class OAuthTokenEndpointResponseContext : BaseOAuthEndpointContext
{
/// <summary>
/// Initializes a new instance of the <see cref="OAuthTokenEndpointResponseContext"/> class
/// </summary>
/// <param name="context"></param>
/// <param name="options"></param>
/// <param name="ticket"></param>
/// <param name="tokenEndpointRequest"></param>
public OAuthTokenEndpointResponseContext(HttpContext context, OAuthAuthorizationServerOptions options, AuthenticationTicket ticket, TokenEndpointRequest tokenEndpointRequest, string accessToken, IDictionary<string, object> additionalResponseParameters) : base(context, options)
{
if (ticket == null)
{
throw new ArgumentNullException("ticket");
}
Principal = ticket.Principal;
Properties = ticket.Properties;
TokenEndpointRequest = tokenEndpointRequest;
AdditionalResponseParameters = new Dictionary<string, object>(StringComparer.Ordinal);
TokenIssued = Principal != null;
AccessToken = accessToken;
AdditionalResponseParameters = additionalResponseParameters;
}
/// <summary>
/// Gets the identity of the resource owner.
/// </summary>
public ClaimsPrincipal Principal { get; private set; }
/// <summary>
/// Dictionary containing the state of the authentication session.
/// </summary>
public AuthenticationProperties Properties { get; private set; }
/// <summary>
/// The issued Access-Token
/// </summary>
public string AccessToken { get; private set; }
/// <summary>
/// Gets information about the token endpoint request.
/// </summary>
public TokenEndpointRequest TokenEndpointRequest { get; set; }
/// <summary>
/// Gets whether or not the token should be issued.
/// </summary>
public bool TokenIssued { get; private set; }
/// <summary>
/// Enables additional values to be appended to the token response.
/// </summary>
public IDictionary<string, object> AdditionalResponseParameters { get; private set; }
/// <summary>
/// Issues the token.
/// </summary>
/// <param name="principal"></param>
/// <param name="properties"></param>
public void Issue(ClaimsPrincipal principal, AuthenticationProperties properties)
{
Principal = principal;
Properties = properties;
TokenIssued = true;
}
}
}

35
Yavsc/Auth/AuthServer/OAuthValidateAuthorizeRequestContext.cs
Unescape Escape View File

@ -0,0 +1,35 @@
using Microsoft.AspNet.Http;
namespace OAuth.AspNet.AuthServer
{
/// <summary>
/// Provides context information used in validating an OAuth authorization request.
/// </summary>
public class OAuthValidateAuthorizeRequestContext : BaseValidatingContext<OAuthAuthorizationServerOptions>
{
/// <summary>
/// Initializes a new instance of the <see cref="OAuthValidateAuthorizeRequestContext"/> class
/// </summary>
/// <param name="context"></param>
/// <param name="options"></param>
/// <param name="authorizeRequest"></param>
/// <param name="clientContext"></param>
public OAuthValidateAuthorizeRequestContext(HttpContext context, OAuthAuthorizationServerOptions options, AuthorizeEndpointRequest authorizeRequest, OAuthValidateClientRedirectUriContext clientContext) : base(context, options)
{
AuthorizeRequest = authorizeRequest;
ClientContext = clientContext;
}
/// <summary>
/// Gets OAuth authorization request data.
/// </summary>
public AuthorizeEndpointRequest AuthorizeRequest { get; private set; }
/// <summary>
/// Gets data about the OAuth client.
/// </summary>
public OAuthValidateClientRedirectUriContext ClientContext { get; private set; }
}
}

108
Yavsc/Auth/AuthServer/OAuthValidateClientAuthenticationContext.cs
Unescape Escape View File

@ -0,0 +1,108 @@
using Microsoft.AspNet.Http;
using System;
using System.Text;
namespace OAuth.AspNet.AuthServer
{
/// <summary>
/// Contains information about the client credentials.
/// </summary>
public class OAuthValidateClientAuthenticationContext : BaseValidatingClientContext
{
/// <summary>
/// Initializes a new instance of the <see cref="OAuthValidateClientAuthenticationContext"/> class
/// </summary>
/// <param name="context"></param>
/// <param name="options"></param>
/// <param name="parameters"></param>
public OAuthValidateClientAuthenticationContext(HttpContext context, OAuthAuthorizationServerOptions options, IReadableStringCollection parameters, IApplicationStore applicationStore) : base(context, options, null)
{
Parameters = parameters;
ApplicationStore = applicationStore;
}
public IApplicationStore ApplicationStore { get; private set;}
/// <summary>
/// Gets the set of form parameters from the request.
/// </summary>
public IReadableStringCollection Parameters { get; private set; }
/// <summary>
/// Sets the client id and marks the context as validated by the application.
/// </summary>
/// <param name="clientId"></param>
/// <returns></returns>
public bool Validated(string clientId)
{
ClientId = clientId;
return Validated();
}
/// <summary>
/// Extracts HTTP basic authentication credentials from the HTTP authenticate header.
/// </summary>
/// <param name="clientId"></param>
/// <param name="clientSecret"></param>
/// <returns></returns>
[System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Design", "CA1021:AvoidOutParameters", MessageId = "0#", Justification = "Optimized for usage")]
public bool TryGetBasicCredentials(out string clientId, out string clientSecret)
{
// Client Authentication http://tools.ietf.org/html/rfc6749#section-2.3
// Client Authentication Password http://tools.ietf.org/html/rfc6749#section-2.3.1
string authorization = Request.Headers["Authorization"];
if (!string.IsNullOrWhiteSpace(authorization) && authorization.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
{
try
{
byte[] data = Convert.FromBase64String(authorization.Substring("Basic ".Length).Trim());
string text = Encoding.UTF8.GetString(data);
int delimiterIndex = text.IndexOf(':');
if (delimiterIndex >= 0)
{
clientId = text.Substring(0, delimiterIndex);
clientSecret = text.Substring(delimiterIndex + 1);
ClientId = clientId;
return true;
}
}
catch (FormatException)
{
// Bad Base64 string
}
catch (ArgumentException)
{
// Bad utf-8 string
}
}
clientId = null;
clientSecret = null;
return false;
}
/// <summary>
/// Extracts forms authentication credentials from the HTTP request body.
/// </summary>
/// <param name="clientId"></param>
/// <param name="clientSecret"></param>
/// <returns></returns>
[System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Design", "CA1021:AvoidOutParameters", MessageId = "0#", Justification = "Optimized for usage")]
public bool TryGetFormCredentials(out string clientId, out string clientSecret)
{
clientId = Parameters[Constants.Parameters.ClientId];
if (!string.IsNullOrEmpty(clientId))
{
clientSecret = Parameters[Constants.Parameters.ClientSecret];
ClientId = clientId;
return true;
}
clientId = null;
clientSecret = null;
return false;
}
}
}

14
Yavsc/Auth/AuthServer/OAuthValidateClientCredentialsContext.cs
Unescape Escape View File

@ -0,0 +1,14 @@
public class OAuthValidateClientCredentialsContext { 
public OAuthValidateClientCredentialsContext(string clientId,string clientSecret,IApplicationStore applicationStore)
{
ClientId = clientId;
ClientSecret = clientSecret;
ApplicationStore = applicationStore;
}
public string ClientId { get; private set; }
public string ClientSecret { get; private set; }
public IApplicationStore ApplicationStore { get; private set; }
}

74
Yavsc/Auth/AuthServer/OAuthValidateClientRedirectUriContext.cs
Unescape Escape View File

@ -0,0 +1,74 @@
using Microsoft.AspNet.Http;
using System;
namespace OAuth.AspNet.AuthServer
{
/// <summary>
/// Contains data about the OAuth client redirect URI
/// </summary>
public class OAuthValidateClientRedirectUriContext : BaseValidatingClientContext
{
/// <summary>
/// Initializes a new instance of the <see cref="OAuthValidateClientRedirectUriContext"/> class
/// </summary>
/// <param name="context"></param>
/// <param name="options"></param>
/// <param name="clientId"></param>
/// <param name="redirectUri"></param>
[System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Design", "CA1054:UriParametersShouldNotBeStrings", MessageId = "3#", Justification = "redirect_uri is a string parameter")]
public OAuthValidateClientRedirectUriContext(IApplicationStore applicationStore, HttpContext context, OAuthAuthorizationServerOptions options, string clientId, string redirectUri) : base(context, options, clientId)
{
RedirectUri = redirectUri;
ApplicationStore = applicationStore;
}
/// <summary>
/// Gets the client redirect URI
/// </summary>
[System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Design", "CA1056:UriPropertiesShouldNotBeStrings", Justification = "redirect_uri is a string parameter")]
public string RedirectUri { get; private set; }
public IApplicationStore ApplicationStore { get; private set;}
/// <summary>
/// Marks this context as validated by the application. IsValidated becomes true and HasError becomes false as a result of calling.
/// </summary>
/// <returns></returns>
public override bool Validated()
{
if (string.IsNullOrEmpty(RedirectUri))
{
// Don't allow default validation when redirect_uri not provided with request
return false;
}
return base.Validated();
}
/// <summary>
/// Checks the redirect URI to determine whether it equals <see cref="RedirectUri"/>.
/// </summary>
/// <param name="redirectUri"></param>
/// <returns></returns>
[System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Design", "CA1054:UriParametersShouldNotBeStrings", MessageId = "0#", Justification = "redirect_uri is a string parameter")]
public bool Validated(string redirectUri)
{
if (redirectUri == null)
{
throw new ArgumentNullException("redirectUri");
}
if (!string.IsNullOrEmpty(RedirectUri) &&
!string.Equals(RedirectUri, redirectUri, StringComparison.Ordinal))
{
// Don't allow validation to alter redirect_uri provided with request
return false;
}
RedirectUri = redirectUri;
return Validated();
}
}
}

35
Yavsc/Auth/AuthServer/OAuthValidateTokenRequestContext.cs
Unescape Escape View File

@ -0,0 +1,35 @@
using Microsoft.AspNet.Http;
namespace OAuth.AspNet.AuthServer
{
/// <summary>
/// Provides context information used in validating an OAuth token request.
/// </summary>
public class OAuthValidateTokenRequestContext : BaseValidatingContext<OAuthAuthorizationServerOptions>
{
/// <summary>
/// Initializes a new instance of the <see cref="OAuthValidateTokenRequestContext"/> class
/// </summary>
/// <param name="context"></param>
/// <param name="options"></param>
/// <param name="tokenRequest"></param>
/// <param name="clientContext"></param>
public OAuthValidateTokenRequestContext(HttpContext context, OAuthAuthorizationServerOptions options, TokenEndpointRequest tokenRequest, BaseValidatingClientContext clientContext) : base(context, options)
{
TokenRequest = tokenRequest;
ClientContext = clientContext;
}
/// <summary>
/// Gets the token request data.
/// </summary>
public TokenEndpointRequest TokenRequest { get; private set; }
/// <summary>
/// Gets information about the client.
/// </summary>
public BaseValidatingClientContext ClientContext { get; private set; }
}
}

160
Yavsc/Auth/AuthServer/TokenEndpointRequest.cs
Unescape Escape View File

@ -0,0 +1,160 @@
using Microsoft.AspNet.Http;
using System;
namespace OAuth.AspNet.AuthServer
{
/// <summary>
/// Data object representing the information contained in form encoded body of a Token endpoint request.
/// </summary>
public class TokenEndpointRequest
{
/// <summary>
/// Creates a new instance populated with values from the form encoded body parameters.
/// </summary>
/// <param name="parameters">Form encoded body parameters from a request.</param>
public TokenEndpointRequest(IReadableStringCollection parameters)
{
if (parameters == null)
{
throw new ArgumentNullException("parameters");
}
Parameters = parameters;
GrantType = parameters[Constants.Parameters.GrantType];
ClientId = parameters[Constants.Parameters.ClientId];
if (string.Equals(GrantType, Constants.GrantTypes.AuthorizationCode, StringComparison.Ordinal))
{
AuthorizationCodeGrant = new TokenEndpointRequestAuthorizationCode
{
Code = parameters[Constants.Parameters.Code],
RedirectUri = parameters[Constants.Parameters.RedirectUri],
};
}
else if (string.Equals(GrantType, Constants.GrantTypes.ClientCredentials, StringComparison.Ordinal))
{
ClientCredentialsGrant = new TokenEndpointRequestClientCredentials
{
Scope = ((string)parameters[Constants.Parameters.Scope] ?? string.Empty).Split(' ')
};
}
else if (string.Equals(GrantType, Constants.GrantTypes.RefreshToken, StringComparison.Ordinal))
{
RefreshTokenGrant = new TokenEndpointRequestRefreshToken
{
RefreshToken = parameters[Constants.Parameters.RefreshToken],
Scope = ((string)parameters[Constants.Parameters.Scope] ?? string.Empty).Split(' ')
};
}
else if (string.Equals(GrantType, Constants.GrantTypes.Password, StringComparison.Ordinal))
{
ResourceOwnerPasswordCredentialsGrant = new TokenEndpointRequestResourceOwnerPasswordCredentials
{
UserName = parameters[Constants.Parameters.Username],
Password = parameters[Constants.Parameters.Password],
Scope = ((string)parameters[Constants.Parameters.Scope] ?? string.Empty).Split(' ')
};
}
else if (!string.IsNullOrEmpty(GrantType))
{
CustomExtensionGrant = new TokenEndpointRequestCustomExtension
{
Parameters = parameters,
};
}
}
/// <summary>
/// The form encoded body parameters of the Token endpoint request
/// </summary>
public IReadableStringCollection Parameters { get; private set; }
/// <summary>
/// The "grant_type" parameter of the Token endpoint request. This parameter is required.
/// </summary>
public string GrantType { get; private set; }
/// <summary>
/// The "client_id" parameter of the Token endpoint request. This parameter is optional. It might not
/// be present if the request is authenticated in a different way, for example, by using basic authentication
/// credentials.
/// </summary>
public string ClientId { get; private set; }
/// <summary>
/// Data object available when the "grant_type" is "authorization_code".
/// See also http://tools.ietf.org/html/rfc6749#section-4.1.3
/// </summary>
public TokenEndpointRequestAuthorizationCode AuthorizationCodeGrant { get; private set; }
/// <summary>
/// Data object available when the "grant_type" is "client_credentials".
/// See also http://tools.ietf.org/html/rfc6749#section-4.4.2
/// </summary>
public TokenEndpointRequestClientCredentials ClientCredentialsGrant { get; private set; }
/// <summary>
/// Data object available when the "grant_type" is "refresh_token".
/// See also http://tools.ietf.org/html/rfc6749#section-6
/// </summary>
public TokenEndpointRequestRefreshToken RefreshTokenGrant { get; private set; }
/// <summary>
/// Data object available when the "grant_type" is "password".
/// See also http://tools.ietf.org/html/rfc6749#section-4.3.2
/// </summary>
public TokenEndpointRequestResourceOwnerPasswordCredentials ResourceOwnerPasswordCredentialsGrant { get; private set; }
/// <summary>
/// Data object available when the "grant_type" is unrecognized.
/// See also http://tools.ietf.org/html/rfc6749#section-4.5
/// </summary>
public TokenEndpointRequestCustomExtension CustomExtensionGrant { get; private set; }
/// <summary>
/// True when the "grant_type" is "authorization_code".
/// See also http://tools.ietf.org/html/rfc6749#section-4.1.3
/// </summary>
public bool IsAuthorizationCodeGrantType
{
get { return AuthorizationCodeGrant != null; }
}
/// <summary>
/// True when the "grant_type" is "client_credentials".
/// See also http://tools.ietf.org/html/rfc6749#section-4.4.2
/// </summary>
public bool IsClientCredentialsGrantType
{
get { return ClientCredentialsGrant != null; }
}
/// <summary>
/// True when the "grant_type" is "refresh_token".
/// See also http://tools.ietf.org/html/rfc6749#section-6
/// </summary>
public bool IsRefreshTokenGrantType
{
get { return RefreshTokenGrant != null; }
}
/// <summary>
/// True when the "grant_type" is "password".
/// See also http://tools.ietf.org/html/rfc6749#section-4.3.2
/// </summary>
public bool IsResourceOwnerPasswordCredentialsGrantType
{
get { return ResourceOwnerPasswordCredentialsGrant != null; }
}
/// <summary>
/// True when the "grant_type" is unrecognized.
/// See also http://tools.ietf.org/html/rfc6749#section-4.5
/// </summary>
public bool IsCustomExtensionGrantType
{
get { return CustomExtensionGrant != null; }
}
}
}

23
Yavsc/Auth/AuthServer/TokenEndpointRequestAuthorizationCode.cs
Unescape Escape View File

@ -0,0 +1,23 @@
namespace OAuth.AspNet.AuthServer
{
/// <summary>
/// Data object used by TokenEndpointRequest when the "grant_type" is "authorization_code".
/// </summary>
public class TokenEndpointRequestAuthorizationCode
{
/// <summary>
/// The value passed to the Token endpoint in the "code" parameter
/// </summary>
public string Code { get; set; }
/// <summary>
/// The value passed to the Token endpoint in the "redirect_uri" parameter. This MUST be provided by the caller
/// if the original visit to the Authorize endpoint contained a "redirect_uri" parameter.
/// </summary>
[System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Design", "CA1056:UriPropertiesShouldNotBeStrings", Justification = "By design")]
public string RedirectUri { get; set; }
}
}

18
Yavsc/Auth/AuthServer/TokenEndpointRequestClientCredentials.cs
Unescape Escape View File

@ -0,0 +1,18 @@
using System.Collections.Generic;
namespace OAuth.AspNet.AuthServer
{
/// <summary>
/// Data object used by TokenEndpointRequest when the "grant_type" is "client_credentials".
/// </summary>
public class TokenEndpointRequestClientCredentials
{
/// <summary>
/// The value passed to the Token endpoint in the "scope" parameter
/// </summary>
[System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage", "CA2227:CollectionPropertiesShouldBeReadOnly", Justification = "This class is just for passing data through.")]
public IList<string> Scope { get; set; }
}
}

17
Yavsc/Auth/AuthServer/TokenEndpointRequestCustomExtension.cs
Unescape Escape View File

@ -0,0 +1,17 @@
using Microsoft.AspNet.Http;
namespace OAuth.AspNet.AuthServer
{
/// <summary>
/// Data object used by TokenEndpointRequest which contains parameter information when the "grant_type" is unrecognized.
/// </summary>
public class TokenEndpointRequestCustomExtension
{
/// <summary>
/// The parameter information when the "grant_type" is unrecognized.
/// </summary>
public IReadableStringCollection Parameters { get; set; }
}
}

21
Yavsc/Auth/AuthServer/TokenEndpointRequestRefreshToken.cs
Unescape Escape View File

@ -0,0 +1,21 @@
using System.Collections.Generic;
namespace OAuth.AspNet.AuthServer
{
/// <summary>
/// Data object used by TokenEndpointRequest when the "grant_type" parameter is "refresh_token".
/// </summary>
public class TokenEndpointRequestRefreshToken
{
/// <summary>
/// The value passed to the Token endpoint in the "refresh_token" parameter
/// </summary>
public string RefreshToken { get; set; }
/// <summary>
/// The value passed to the Token endpoint in the "scope" parameter
/// </summary>
[System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage", "CA2227:CollectionPropertiesShouldBeReadOnly", Justification = "This is just a data container object.")]
public IList<string> Scope { get; set; }
}
}

26
Yavsc/Auth/AuthServer/TokenEndpointRequestResourceOwnerPasswordCredentials.cs
Unescape Escape View File

@ -0,0 +1,26 @@
using System.Collections.Generic;
namespace OAuth.AspNet.AuthServer
{
/// <summary>
/// Data object used by TokenEndpointRequest when the "grant_type" is "password".
/// </summary>
public class TokenEndpointRequestResourceOwnerPasswordCredentials
{
/// <summary>
/// The value passed to the Token endpoint in the "username" parameter
/// </summary>
public string UserName { get; set; }
/// <summary>
/// The value passed to the Token endpoint in the "password" parameter
/// </summary>
public string Password { get; set; }
/// <summary>
/// The value passed to the Token endpoint in the "scope" parameter
/// </summary>
[System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage", "CA2227:CollectionPropertiesShouldBeReadOnly", Justification = "This is just a data class.")]
public IList<string> Scope { get; set; }
}
}

93
Yavsc/Auth/AuthServer/Tokens/TicketDataFormatTokenValidator.cs
Unescape Escape View File

@ -0,0 +1,93 @@
using Microsoft.AspNet.Authentication;
using Microsoft.AspNet.DataProtection;
using System;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Text.RegularExpressions;
using Yavsc.Auth;
using Yavsc;
namespace OAuth.AspNet.Tokens
{
public class TicketDataFormatTokenValidator : ISecurityTokenValidator
{
#region Constructors
public TicketDataFormatTokenValidator() : this(null) { }
public TicketDataFormatTokenValidator(IDataProtectionProvider dataProtectionProvider)
{
if (dataProtectionProvider == null)
{
dataProtectionProvider = new MonoDataProtectionProvider(Constants.ApplicationName)
.CreateProtector(Constants.KeyProtectorPurpose);
}
_ticketDataFormat = new TicketDataFormat(dataProtectionProvider.CreateProtector("Access_Token", "v1"));
}
#endregion
#region non-Public Members
private TicketDataFormat _ticketDataFormat;
private const string _serializationRegex = @"^[A-Za-z0-9-_]*$";
private int _maximumTokenSizeInBytes = TokenValidationParameters.DefaultMaximumTokenSizeInBytes;
#endregion
#region Public Members
public bool CanValidateToken
{
get
{
return true;
}
}
public int MaximumTokenSizeInBytes
{
get
{
return _maximumTokenSizeInBytes;
}
set
{
if (value < 1)
throw new ArgumentOutOfRangeException(nameof(MaximumTokenSizeInBytes), "Negative or zero-sized tokens are invalid.");
_maximumTokenSizeInBytes = value;
}
}
public bool CanReadToken(string securityToken)
{
if (string.IsNullOrWhiteSpace(securityToken))
throw new ArgumentException("Security token has no value.", nameof(securityToken));
if (securityToken.Length * 2 > this.MaximumTokenSizeInBytes)
return false;
if (Regex.IsMatch(securityToken, _serializationRegex))
return true;
return false;
}
public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
{
AuthenticationTicket ticket = _ticketDataFormat.Unprotect(securityToken);
validatedToken = null;
return ticket?.Principal;
}
#endregion
}
}

0
Yavsc/src/Auth/GoogleExtensions.cs → Yavsc/Auth/GoogleExtensions.cs
Unescape Escape View File

0
Yavsc/src/Auth/GoogleHandler.cs → Yavsc/Auth/GoogleHandler.cs
Unescape Escape View File

0
Yavsc/src/Auth/GoogleHelper.cs → Yavsc/Auth/GoogleHelper.cs
Unescape Escape View File

0
Yavsc/src/Auth/GoogleMiddleWare.cs → Yavsc/Auth/GoogleMiddleWare.cs
Unescape Escape View File

0
Yavsc/src/Auth/GoogleOAuthCreatingTicket.cs → Yavsc/Auth/GoogleOAuthCreatingTicket.cs
Unescape Escape View File

0
Yavsc/src/Auth/GoogleOptions.cs → Yavsc/Auth/GoogleOptions.cs
Unescape Escape View File

0
Yavsc/src/Auth/MonoDataProtectionProvider.cs → Yavsc/Auth/MonoDataProtectionProvider.cs
Unescape Escape View File

0
Yavsc/src/Auth/MonoDataProtector.cs → Yavsc/Auth/MonoDataProtector.cs
Unescape Escape View File

0
Yavsc/src/Auth/MonoJwtSecurityTokenHandler.cs → Yavsc/Auth/MonoJwtSecurityTokenHandler.cs
Unescape Escape View File

0
Yavsc/src/Auth/RSAKeyUtils.cs → Yavsc/Auth/RSAKeyUtils.cs
Unescape Escape View File

0
Yavsc/src/Auth/RequiredScopesMiddleware.cs → Yavsc/Auth/RequiredScopesMiddleware.cs
Unescape Escape View File

0
Yavsc/src/Auth/TokenAuthOptions.cs → Yavsc/Auth/TokenAuthOptions.cs
Unescape Escape View File

0
Yavsc/src/Auth/UserTokenProvider.cs → Yavsc/Auth/UserTokenProvider.cs
Unescape Escape View File

0
Yavsc/src/Auth/XmlEncryptor.cs → Yavsc/Auth/XmlEncryptor.cs
Unescape Escape View File

0
Yavsc/src/Auth/Yavsc/YavscAuthenticationHandler.cs → Yavsc/Auth/Yavsc/YavscAuthenticationHandler.cs
Unescape Escape View File

0
Yavsc/src/Auth/Yavsc/YavscAuthenticationMiddleware.cs → Yavsc/Auth/Yavsc/YavscAuthenticationMiddleware.cs
Unescape Escape View File

0
Yavsc/src/Auth/Yavsc/YavscAuthenticationMiddlewareOptions.cs → Yavsc/Auth/Yavsc/YavscAuthenticationMiddlewareOptions.cs
Unescape Escape View File

6
Yavsc/src/Constants.cs → Yavsc/Constants.cs
Unescape Escape View File

@ -39,5 +39,11 @@ namespace Yavsc
public const string CompanyClaimType = "https://schemas.pschneider.fr/identity/claims/Company"; public const string CompanyClaimType = "https://schemas.pschneider.fr/identity/claims/Company";
public const string UserNameRegExp = @"^[a-zA-Z][a-zA-Z0-9 ]*$"; public const string UserNameRegExp = @"^[a-zA-Z][a-zA-Z0-9 ]*$";
public const string AuthenticationEndPath = "/signin";
public const string TokenEndPath = "/token";
public const string KeyProtectorPurpose = "OAuth.AspNet.AuthServer";
} }
} }

0
Yavsc/src/Controllers/AccountController.cs → Yavsc/Controllers/AccountController.cs
Unescape Escape View File

0
Yavsc/src/Controllers/ActivityController.cs → Yavsc/Controllers/ActivityController.cs
Unescape Escape View File

0
Yavsc/src/Controllers/AdministrationController.cs → Yavsc/Controllers/AdministrationController.cs
Unescape Escape View File

1
Yavsc/src/Controllers/ApplicationController.cs → Yavsc/Controllers/ApplicationController.cs
Unescape Escape View File

@ -2,6 +2,7 @@ using System;
using System.Linq; using System.Linq;
using Microsoft.AspNet.Authorization; using Microsoft.AspNet.Authorization;
using Microsoft.AspNet.Mvc; using Microsoft.AspNet.Mvc;
using Microsoft.Data.Entity;
using Yavsc.Models; using Yavsc.Models;
namespace Yavsc.Controllers namespace Yavsc.Controllers

0
Yavsc/src/Controllers/BlogspotController.cs → Yavsc/Controllers/BlogspotController.cs
Unescape Escape View File

0
Yavsc/src/Controllers/CircleController.cs → Yavsc/Controllers/CircleController.cs
Unescape Escape View File

0
Yavsc/src/Controllers/CommandController.cs → Yavsc/Controllers/CommandController.cs
Unescape Escape View File

0
Yavsc/src/Controllers/EstimateController.cs → Yavsc/Controllers/EstimateController.cs
Unescape Escape View File

0
Yavsc/src/Controllers/FrontOfficeController.cs → Yavsc/Controllers/FrontOfficeController.cs
Unescape Escape View File

0
Yavsc/src/Controllers/HomeController.cs → Yavsc/Controllers/HomeController.cs
Unescape Escape View File

0
Yavsc/src/Controllers/ManageController.cs → Yavsc/Controllers/ManageController.cs
Unescape Escape View File

158
Yavsc/Controllers/OAuthController.cs
Unescape Escape View File

@ -0,0 +1,158 @@
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNet.Authentication;
using Microsoft.AspNet.Authorization;
using Microsoft.AspNet.Builder;
using Microsoft.AspNet.DataProtection.KeyManagement;
using Microsoft.AspNet.Http.Authentication;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Mvc;
using Microsoft.Data.Entity;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.OptionsModel;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Yavsc.Extensions;
using Yavsc.Models;
using Yavsc.ViewModels.Account;
namespace Yavsc.Controllers
{
[AllowAnonymous]
public class OAuthController : Controller
{
ApplicationDbContext _context;
UserManager<ApplicationUser> _userManager;
SiteSettings _siteSettings;
ILogger _logger;
private readonly SignInManager<ApplicationUser> _signInManager;
private TokenAuthOptions _tokenOptions;
public OAuthController(ApplicationDbContext context, SignInManager<ApplicationUser> signInManager, IKeyManager keyManager,
IOptions<TokenAuthOptions> tokenOptions,
UserManager<ApplicationUser> userManager,
IOptions<SiteSettings> siteSettings,
ILoggerFactory loggerFactory
)
{
_siteSettings = siteSettings.Value;
_context = context;
_signInManager = signInManager;
_tokenOptions = tokenOptions.Value;
_userManager = userManager;
_logger = loggerFactory.CreateLogger<OAuthController>();
}
[HttpGet("~/signin")]
public ActionResult SignIn(string returnUrl = null)
{
_logger.LogWarning($"Singin wanted: returnUrl: {returnUrl} ");
// Note: the "returnUrl" parameter corresponds to the endpoint the user agent
// will be redirected to after a successful authentication and not
// the redirect_uri of the requesting client application.
return View("SignIn", new LoginViewModel
{
ReturnUrl = returnUrl,
ExternalProviders = HttpContext.GetExternalProviders()
});
/* Note: When using an external login provider, redirect the query :
var properties = _signInManager.ConfigureExternalAuthenticationProperties(OpenIdConnectDefaults.AuthenticationScheme, returnUrl);
return new ChallengeResult(OpenIdConnectDefaults.AuthenticationScheme, properties);
*/
}
[HttpGet("~/authenticate")]
public ActionResult Authenticate(string returnUrl = null)
{
return SignIn(returnUrl);
}
[HttpGet("~/forbidden")]
public ActionResult Forbidden(string returnUrl = null)
{
return View("Forbidden",returnUrl);
}
[HttpPost("~/signin")]
public IActionResult SignIn(string Provider, string ReturnUrl)
{
// Note: the "provider" parameter corresponds to the external
// authentication provider choosen by the user agent.
if (string.IsNullOrEmpty(Provider))
{
_logger.LogWarning("Provider not specified");
return HttpBadRequest();
}
if (!_signInManager.GetExternalAuthenticationSchemes().Any(x => x.AuthenticationScheme == Provider))
{
_logger.LogWarning($"Provider not found : {Provider}");
return HttpBadRequest();
}
// Instruct the middleware corresponding to the requested external identity
// provider to redirect the user agent to its own authorization endpoint.
// Note: the authenticationScheme parameter must match the value configured in Startup.cs
// Note: the "returnUrl" parameter corresponds to the endpoint the user agent
// will be redirected to after a successful authentication and not
// the redirect_uri of the requesting client application.
if (string.IsNullOrEmpty(ReturnUrl))
{
_logger.LogWarning("ReturnUrl not specified");
return HttpBadRequest();
}
var redirectUrl = Url.Action("ExternalLoginCallback", "Account", new { ReturnUrl = ReturnUrl });
var properties = _signInManager.ConfigureExternalAuthenticationProperties(Provider, redirectUrl);
// var properties = new AuthenticationProperties{RedirectUri=ReturnUrl};
return new ChallengeResult(Provider,properties);
}
[HttpGet("~/signout"), HttpPost("~/signout")]
public async Task SignOut()
{
// Instruct the cookies middleware to delete the local cookie created
// when the user agent is redirected from the external identity provider
// after a successful authentication flow (e.g Google or Facebook).
await HttpContext.Authentication.SignOutAsync("ServerCookie");
}
[HttpGet("~/api/getclaims"), Produces("application/json")]
public IActionResult GetClaims()
{
var identity = User.Identity as ClaimsIdentity;
var claims = from c in identity.Claims
select new
{
subject = c.Subject.Name,
type = c.Type,
value = c.Value
};
return Ok(claims);
}
protected virtual Task<Application> GetApplicationAsync(string identifier, CancellationToken cancellationToken)
{
// Retrieve the application details corresponding to the requested client_id.
return (from application in _context.Applications
where application.ApplicationID == identifier
select application).SingleOrDefaultAsync(cancellationToken);
}
}
}

0
Yavsc/src/Controllers/TokenController.cs → Yavsc/Controllers/TokenController.cs
Unescape Escape View File

0
Yavsc/src/Controllers/UserFilesController.cs → Yavsc/Controllers/UserFilesController.cs
Unescape Escape View File

0
Yavsc/src/Controllers/ValuesController.cs → Yavsc/Controllers/ValuesController.cs
Unescape Escape View File

0
Yavsc/src/Extensions/AppBuilderExtensions.cs → Yavsc/Extensions/AppBuilderExtensions.cs
Unescape Escape View File

61
Yavsc/Extensions/OAuthAuthorizationServerExtensions.cs
Unescape Escape View File

@ -0,0 +1,61 @@
using System;
using Microsoft.AspNet.Builder;
using OAuth.AspNet.AuthServer;
namespace Microsoft.AspNet.Builder
{
/// <summary>
/// Extension methods to add Authorization Server capabilities to an OWIN pipeline
/// </summary>
public static class OAuthAuthorizationServerExtensions
{
/// <summary>
/// Adds OAuth2 Authorization Server capabilities to an OWIN web application. This middleware
/// performs the request processing for the Authorize and Token endpoints defined by the OAuth2 specification.
/// See also http://tools.ietf.org/html/rfc6749
/// </summary>
/// <param name="app">The web application builder</param>
/// <param name="options">Options which control the behavior of the Authorization Server.</param>
/// <returns>The application builder</returns>
public static IApplicationBuilder UseOAuthAuthorizationServer(this IApplicationBuilder app, OAuthAuthorizationServerOptions options)
{
if (app == null)
throw new NullReferenceException($"The extension method {nameof(OAuthAuthorizationServerExtensions.UseOAuthAuthorizationServer)} was called on a null reference to a {nameof(IApplicationBuilder)}");
if (options == null)
throw new ArgumentNullException(nameof(options));
return app.UseMiddleware<OAuthAuthorizationServerMiddleware>(options);
}
/// <summary>
/// Adds OAuth2 Authorization Server capabilities to an OWIN web application. This middleware
/// performs the request processing for the Authorize and Token endpoints defined by the OAuth2 specification.
/// See also http://tools.ietf.org/html/rfc6749
/// </summary>
/// <param name="app">The web application builder</param>
/// <param name="configureOptions">Options which control the behavior of the Authorization Server.</param>
/// <returns>The application builder</returns>
public static IApplicationBuilder UseOAuthAuthorizationServer(this IApplicationBuilder app, Action<OAuthAuthorizationServerOptions> configureOptions)
{
if (app == null)
throw new NullReferenceException($"The extension method {nameof(OAuthAuthorizationServerExtensions.UseOAuthAuthorizationServer)} was called on a null reference to a {nameof(IApplicationBuilder)}");
if (configureOptions == null)
throw new ArgumentNullException(nameof(configureOptions));
var options = new OAuthAuthorizationServerOptions();
if (configureOptions != null)
configureOptions(options);
return app.UseOAuthAuthorizationServer(options);
}
}
}

0
Yavsc/src/Extensions/SignalRBuilderExtension.cs → Yavsc/Extensions/SignalRBuilderExtension.cs
Unescape Escape View File

0
Yavsc/src/LanguageActionFilter.cs → Yavsc/Filters/LanguageActionFilter.cs
Unescape Escape View File

0
Yavsc/src/Formatters/PdfFormatter.cs → Yavsc/Formatters/PdfFormatter.cs
Unescape Escape View File

0
Yavsc/src/GoogleApis/CalendarApi.cs → Yavsc/GoogleApis/CalendarApi.cs
Unescape Escape View File

0
Yavsc/src/GoogleApis/MapTracks.cs → Yavsc/GoogleApis/MapTracks.cs
Unescape Escape View File

0
Yavsc/src/GoogleApis/PeopleApi.cs → Yavsc/GoogleApis/PeopleApi.cs
Unescape Escape View File

0
Yavsc/src/Helpers/AuthHelpers.cs → Yavsc/Helpers/AuthHelpers.cs
Unescape Escape View File

0
Yavsc/src/Helpers/CompanyInfoHelpers.cs → Yavsc/Helpers/CompanyInfoHelpers.cs
Unescape Escape View File

0
Yavsc/src/Helpers/EventHelpers.cs → Yavsc/Helpers/EventHelpers.cs
Unescape Escape View File

0
Yavsc/src/Helpers/FileSystemHelpers.cs → Yavsc/Helpers/FileSystemHelpers.cs
Unescape Escape View File

0
Yavsc/src/Helpers/GoogleHelpers.cs → Yavsc/Helpers/GoogleHelpers.cs
Unescape Escape View File

0
Yavsc/src/Helpers/ListItemHelpers.cs → Yavsc/Helpers/ListItemHelpers.cs
Unescape Escape View File

0
Yavsc/src/Helpers/SimpleJsonPostMethod.cs → Yavsc/Helpers/SimpleJsonPostMethod.cs
Unescape Escape View File

0
Yavsc/src/Helpers/TagHelpers.cs → Yavsc/Helpers/TagHelpers.cs
Unescape Escape View File

0
Yavsc/src/Hubs/ChatHub.cs → Yavsc/Hubs/ChatHub.cs
Unescape Escape View File

0
Yavsc/src/Interfaces/IDataStore.cs → Yavsc/Interfaces/IDataStore.cs
Unescape Escape View File

0
Yavsc/src/Interfaces/IIdentified.cs → Yavsc/Interfaces/IIdentified.cs
Unescape Escape View File

0
Yavsc/src/Interfaces/IPerformerSpecified.cs → Yavsc/Interfaces/IPerformerSpecified.cs
Unescape Escape View File

0
Yavsc/src/Interfaces/IRating.cs → Yavsc/Interfaces/IRating.cs
Unescape Escape View File

0
Yavsc/src/Interfaces/ITitle.cs → Yavsc/Interfaces/ITitle.cs
Unescape Escape View File

Some files were not shown because too many files have changed in this diff Show More

Write Preview
Loading…