samples/OAuth2ProtectedWebApi/Controllers/UserController.cs


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73

namespace OAuth2ProtectedWebApi.Controllers {
	using System;
	using System.Collections.Generic;
	using System.Linq;
	using System.Net.Http;
	using System.Security.Principal;
	using System.Threading.Tasks;
	using System.Web;
	using System.Web.Mvc;
	using System.Web.Security;
	using DotNetOpenAuth.Messaging;
	using DotNetOpenAuth.OAuth2;
	using DotNetOpenAuth.OAuth2.Messages;
	using DotNetOpenAuth.OpenId;
	using DotNetOpenAuth.OpenId.RelyingParty;
	using OAuth2ProtectedWebApi.Code;

	public class UserController : Controller {
		[Authorize]
		[HttpGet]
		[HttpHeader("x-frame-options", "SAMEORIGIN")] // mitigates clickjacking
		public async Task<ActionResult> Authorize() {
			var authServer = new AuthorizationServer(new AuthorizationServerHost());
			var authRequest = await authServer.ReadAuthorizationRequestAsync(this.Request);
			this.ViewData["scope"] = authRequest.Scope;
			this.ViewData["request"] = this.Request.Url;
			return View();
		}

		[Authorize]
		[HttpPost, ValidateAntiForgeryToken]
		public async Task<ActionResult> Respond(string request, bool approval) {
			var authServer = new AuthorizationServer(new AuthorizationServerHost());
			var authRequest = await authServer.ReadAuthorizationRequestAsync(new Uri(request));
			IProtocolMessage responseMessage;
			if (approval) {
				responseMessage = authServer.PrepareApproveAuthorizationRequest(
					authRequest, this.User.Identity.Name, authRequest.Scope);
			} else {
				responseMessage = authServer.PrepareRejectAuthorizationRequest(authRequest);
			}

			var response = await authServer.Channel.PrepareResponseAsync(responseMessage);
			return response.AsActionResult();
		}

		public async Task<ActionResult> Login(string returnUrl) {
			var rp = new OpenIdRelyingParty(null);
			Realm officialWebSiteHome = Realm.AutoDetect;
			Uri returnTo = new Uri(this.Request.Url, this.Url.Action("Authenticate"));
			var request = await rp.CreateRequestAsync(WellKnownProviders.Google, officialWebSiteHome, returnTo);
			if (returnUrl != null) {
				request.SetUntrustedCallbackArgument("returnUrl", returnUrl);
			}

			var redirectingResponse = await request.GetRedirectingResponseAsync();
			return redirectingResponse.AsActionResult();
		}

		public async Task<ActionResult> Authenticate() {
			var rp = new OpenIdRelyingParty(null);
			var response = await rp.GetResponseAsync(this.Request);
			if (response != null) {
				if (response.Status == AuthenticationStatus.Authenticated) {
					FormsAuthentication.SetAuthCookie(response.ClaimedIdentifier, false);
					return this.Redirect(FormsAuthentication.GetRedirectUrl(response.ClaimedIdentifier, false));
				}
			}

			return this.RedirectToAction("Index", "Home");
		}
	}
}