1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
|
//-----------------------------------------------------------------------
// <copyright file="OpenAuthSecurityManager.cs" company="Microsoft">
// Copyright (c) Microsoft. All rights reserved.
// </copyright>
//-----------------------------------------------------------------------
namespace DotNetOpenAuth.AspNet {
using System;
using System.Diagnostics.CodeAnalysis;
using System.Web;
using DotNetOpenAuth.AspNet.Clients;
using DotNetOpenAuth.Messaging;
/// <summary>
/// Manage authenticating with an external OAuth or OpenID provider
/// </summary>
public class OpenAuthSecurityManager {
#region Constants and Fields
/// <summary>
/// The provider query string name.
/// </summary>
private const string ProviderQueryStringName = "__provider__";
/// <summary>
/// The _authentication provider.
/// </summary>
private readonly IAuthenticationClient authenticationProvider;
/// <summary>
/// The _data provider.
/// </summary>
private readonly IOpenAuthDataProvider dataProvider;
/// <summary>
/// The _request context.
/// </summary>
private readonly HttpContextBase requestContext;
#endregion
#region Constructors and Destructors
/// <summary>
/// Initializes a new instance of the <see cref="OpenAuthSecurityManager"/> class.
/// </summary>
/// <param name="requestContext">
/// The request context.
/// </param>
public OpenAuthSecurityManager(HttpContextBase requestContext)
: this(requestContext, provider: null, dataProvider: null) { }
/// <summary>
/// Initializes a new instance of the <see cref="OpenAuthSecurityManager"/> class.
/// </summary>
/// <param name="requestContext">
/// The request context.
/// </param>
/// <param name="provider">
/// The provider.
/// </param>
/// <param name="dataProvider">
/// The data provider.
/// </param>
public OpenAuthSecurityManager(
HttpContextBase requestContext, IAuthenticationClient provider, IOpenAuthDataProvider dataProvider) {
if (requestContext == null) {
throw new ArgumentNullException("requestContext");
}
this.requestContext = requestContext;
this.dataProvider = dataProvider;
this.authenticationProvider = provider;
}
#endregion
#region Public Properties
/// <summary>
/// Gets a value indicating whether IsAuthenticatedWithOpenAuth.
/// </summary>
public bool IsAuthenticatedWithOpenAuth {
get {
return this.requestContext.Request.IsAuthenticated
&& OpenAuthAuthenticationTicketHelper.IsValidAuthenticationTicket(this.requestContext);
}
}
#endregion
#region Public Methods and Operators
/// <summary>
/// Gets the provider that is responding to an authentication request.
/// </summary>
/// <param name="context">
/// The HTTP request context.
/// </param>
/// <returns>
/// The provider name, if one is available.
/// </returns>
public static string GetProviderName(HttpContextBase context) {
return context.Request.QueryString[ProviderQueryStringName];
}
/// <summary>
/// Checks if the specified provider user id represents a valid account. If it does, log user in.
/// </summary>
/// <param name="providerUserId">
/// The provider user id.
/// </param>
/// <param name="createPersistentCookie">
/// if set to <c>true</c> create persistent cookie.
/// </param>
/// <returns>
/// <c>true</c> if the login is successful.
/// </returns>
[SuppressMessage("Microsoft.Naming", "CA1726:UsePreferredTerms", MessageId = "Login",
Justification = "Login is used more consistently in ASP.Net")]
public bool Login(string providerUserId, bool createPersistentCookie) {
string userName = this.dataProvider.GetUserNameFromOpenAuth(
this.authenticationProvider.ProviderName, providerUserId);
if (string.IsNullOrEmpty(userName)) {
return false;
}
OpenAuthAuthenticationTicketHelper.SetAuthenticationTicket(this.requestContext, userName, createPersistentCookie);
return true;
}
/// <summary>
/// Requests the specified provider to start the authentication by directing users to an external website
/// </summary>
/// <param name="returnUrl">
/// The return url after user is authenticated.
/// </param>
public void RequestAuthentication(string returnUrl) {
// convert returnUrl to an absolute path
Uri uri;
if (!string.IsNullOrEmpty(returnUrl)) {
uri = UriHelper.ConvertToAbsoluteUri(returnUrl, this.requestContext);
} else {
uri = this.requestContext.Request.GetPublicFacingUrl();
}
// attach the provider parameter so that we know which provider initiated
// the login when user is redirected back to this page
uri = uri.AttachQueryStringParameter(ProviderQueryStringName, this.authenticationProvider.ProviderName);
this.authenticationProvider.RequestAuthentication(this.requestContext, uri);
}
/// <summary>
/// Checks if user is successfully authenticated when user is redirected back to this user.
/// </summary>
/// <returns>The result of the authentication.</returns>
public AuthenticationResult VerifyAuthentication() {
AuthenticationResult result = this.authenticationProvider.VerifyAuthentication(this.requestContext);
if (!result.IsSuccessful) {
// if the result is a Failed result, creates a new Failed response which has providerName info.
result = new AuthenticationResult(
isSuccessful: false,
provider: this.authenticationProvider.ProviderName,
providerUserId: null,
userName: null,
extraData: null);
}
return result;
}
/// <summary>
/// Checks if user is successfully authenticated when user is redirected back to this user.
/// </summary>
/// <param name="returnUrl">The return Url which must match exactly the Url passed into RequestAuthentication() earlier.</param>
/// <returns>
/// The result of the authentication.
/// </returns>
public AuthenticationResult VerifyAuthentication(string returnUrl) {
Requires.NotNullOrEmpty(returnUrl, "returnUrl");
// Only OAuth2 requires the return url value for the verify authenticaiton step
OAuth2Client oauth2Client = this.authenticationProvider as OAuth2Client;
if (oauth2Client != null) {
// convert returnUrl to an absolute path
Uri uri;
if (!string.IsNullOrEmpty(returnUrl)) {
uri = UriHelper.ConvertToAbsoluteUri(returnUrl, this.requestContext);
}
else {
uri = this.requestContext.Request.GetPublicFacingUrl();
}
AuthenticationResult result = oauth2Client.VerifyAuthentication(this.requestContext, uri);
if (!result.IsSuccessful) {
// if the result is a Failed result, creates a new Failed response which has providerName info.
result = new AuthenticationResult(
isSuccessful: false,
provider: this.authenticationProvider.ProviderName,
providerUserId: null,
userName: null,
extraData: null);
}
return result;
}
else {
return this.VerifyAuthentication();
}
}
#endregion
}
}
|
