I am trying to implement google fustion table api in my WPF application to show large number of marker in my google map but problem is this when I am going to authenticate the function "GetAuthorization" never call.
public Fusion()
{
// Create the service.
objService = new FusiontablesService(new BaseClientService.Initializer()
{
Authenticator = CreateAuthenticator()
});
//GetAuthorization(provider);
}
/// <summary>
/// The remote service on which all the requests are executed.
/// </summary>
public FusiontablesService objService { get; private set; }
NativeApplicationClient provider = null;
private IAuthenticator CreateAuthenticator()
{
provider = new NativeApplicationClient(GoogleAuthenticationServer.Description)
{
ClientIdentifier = ClientCredentials.ClientID,
ClientSecret = ClientCredentials.ClientSecret
};
return new OAuth2Authenticator<NativeApplicationClient>(provider, GetAuthorization);
}
private IAuthorizationState GetAuthorization(NativeApplicationClient client)
{
// You should use a more secure way of storing the key here as
// .NET applications can be disassembled using a reflection tool.
const string STORAGE = "google.samples.dotnet.fusion";
const string KEY = "AIzaSyCtaH=6+";
string scope = FusiontablesService.Scopes.Fusiontables.GetStringValue();
// Check if there is a cached refresh token available.
IAuthorizationState state = AuthorizationMgr.GetCachedRefreshToken(STORAGE, KEY);
if (state != null)
{
try
{
client.RefreshToken(state);
return state; // Yes - we are done.
}
catch (DotNetOpenAuth.Messaging.ProtocolException ex)
{
CommandLine.WriteError("Using existing refresh token failed: " + ex.Message);
}
}
// Retrieve the authorization from the user.
state = AuthorizationMgr.RequestNativeAuthorization(client, scope);
AuthorizationMgr.SetCachedRefreshToken(STORAGE, KEY, state);
return state;
}
Please help me out of this issue.
P.S This code works fine when i am using TaskService and BookService.
Edit : Forgot that the method is not exposed in the IAuthenticator interface
private IAuthenticator CreateAuthenticator()
{
provider = new NativeApplicationClient(GoogleAuthenticationServer.Description)
{
ClientIdentifier = ClientCredentials.ClientID,
ClientSecret = ClientCredentials.ClientSecret
};
var auth = new OAuth2Authenticator<NativeApplicationClient>(provider, GetAuthorization);
auth.LoadAccessToken()
return auth;
}
Related
Currently I'm implementing Microsoft Authentication Library(MSAL) on my C# .NET framework webapp (single tenant) and when I acquire the token using the code from Owin I'm getting the wrong GUID for the user/tenant in my confidential app.
This is the return from the confidential app(dc3... is the UserId and cf3.. is the TenantId), this is from a different directory on Azure.
But the claims generated by C# have the correct values:
If I check the object from the confidential app I can see inside "TenantProfiles" the same values as the above (f81 and e24), the correct ones.
But since the Claims have different values as the Confidential App, I cannot get the user with GetAccountAsync(), because it tries to find a user based on "dc3" GUID not "f81" GUID. I can get the user using a filter on GetAccountsAsync(), but this method is deprecated.
Here's my code
public static string appKey = ConfigurationManager.AppSettings["ida:AppKey"];
private static string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"]; //https://login.microsoftonline.com/{0}
public static string tenant = ConfigurationManager.AppSettings["ida:Tenant"];
public static string redirectUri = ConfigurationManager.AppSettings["ida:RedirectUri"];
public static readonly string Authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant) + "/v2.0";
public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions() { CookieSecure = CookieSecureOption.SameAsRequest });
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
Authority = Startup.Authority,
ClientId = Startup.clientId,
RedirectUri = Startup.redirectUri,
PostLogoutRedirectUri = Startup.redirectUri,
Scope = OpenIdConnectScopes.OpenIdProfile,
Notifications = new OpenIdConnectAuthenticationNotifications()
{
AuthorizationCodeReceived = OnAuthorizationCodeReceived,
AuthenticationFailed = OnAuthorizationFailed
}
});
}
private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification notification)
{
var app = IdentityApiUtility.BuildConfidentialClientApplication();
var result = await app.AcquireTokenByAuthorizationCode(new[] { "https://graph.microsoft.com/.default" }, notification.Code).ExecuteAsync();
}
and
public static IConfidentialClientApplication BuildConfidentialClientApplication()
{
if (clientapp == null)
{
clientapp = ConfidentialClientApplicationBuilder
.Create(Startup.clientId)
.WithClientSecret(Startup.appKey)
.WithRedirectUri(Startup.redirectUri)
.WithAuthority(Startup.Authority)
.Build();
}
return clientapp;
}
/// <summary>
/// Gets an auth code on behalf of the current user
/// </summary>
private AuthenticationResult GetOpenIdConnectAuth()
{
try
{
string userObjectID = $"{ClaimsPrincipal.Current.GetObjectId()}.{ClaimsPrincipal.Current.GetTenantId()}";
var app = BuildConfidentialClientApplication();
var scopes = new[] { "https://graph.microsoft.com/.default" };
//The userObjectId here starts with f81, which I got from the claims. But the user in the ConfidentialApp starts with dc3 which from another Azure Directory
var account = app.GetAccountAsync(userObjectID).Result;
var accessToken = app.AcquireTokenSilent(scopes, account).ExecuteAsync().Result;
return accessToken;
}
catch (Exception ex)
{
throw new Exception("Authentication Error in GetOpenIdConnectAuth method");
}
}
I already checked clientid/secret/tenant multiple times just to be sure that I wasn't sending the wrong authority/tenant and this is not the case. Does anyone have a suggestion how I can get the user from the ConfidentialApp or what I'm doing wrong?
I'm trying to create an online meeting from ASP.NET Core Web API, but I'm getting this "generalException" error.
AuthenticationProvider for configuring auth for the API call:
Code:
public class GraphAuthenticationProvider : IAuthenticationProvider
{
public const string GRAPH_URI = "https://graph.microsoft.com/v1.0/";
/// <summary>
/// Default constructor
/// </summary>
/// <param name="configuration"></param>
public GraphAuthenticationProvider(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration { get; set; }
public async Task AuthenticateRequestAsync(HttpRequestMessage request)
{
AuthenticationContext authContext = new AuthenticationContext($"https://login.microsoftonline.com/{Configuration["AzureAd:TenantId"]}");
ClientCredential credentials = new ClientCredential(Configuration["AzureAd:ClientId"], Configuration["AzureAd:ClientSecret"]);
AuthenticationResult authResult = await authContext.AcquireTokenAsync(GRAPH_URI, credentials);
request.Headers.Add("Authorization", "Bearer " + authResult.AccessToken);
request.Headers.Add("Content-type", "application/json");
}
}
GraphProvider for making the actual API request:
public class MicrosoftGraphProvider : IGraphProvider
{
private IGraphServiceClient _graph;
public MicrosoftGraphProvider(IGraphServiceClient graph)
{
_graph = graph;
}
public async Task<CreateMeetingResult> CreateMeetingAsync(OnlineMeeting onlineMeeting)
{
// Initialize error message
var errorMessage = default(string);
// Initialize meeting result
var meetingResult = default(OnlineMeeting);
try
{
// Try creating the meeting
meetingResult = await _graph.Me.OnlineMeetings
.Request()
.AddAsync(onlineMeeting);
}
catch (Exception ex)
{
// Set the error message
errorMessage = ex.Message;
}
// Return the result
return new CreateMeetingResult
{
ErrorPhrase = errorMessage,
MeetingResult = meetingResult
};
}
}
AuthenticationProvider, GraphServiceClient, and GraphProvider transient instances in StartUp.cs:
services.AddTransient<IAuthenticationProvider, GraphAuthenticationProvider>(provider =>
new GraphAuthenticationProvider(provider.GetService<IConfiguration>()));
// Add transient instance of the graph service client
services.AddTransient<IGraphServiceClient, GraphServiceClient>(provider =>
new GraphServiceClient(provider.GetService<IAuthenticationProvider>()));
// Add transient instance of the graph provider
services.AddTransient<IGraphProvider, MicrosoftGraphProvider>(provider =>
new MicrosoftGraphProvider(provider.GetService<IGraphServiceClient>()));
Setting OnlineMeeting data and invoking CreatingMeeting:
var onlineMeeting = new OnlineMeeting
{
Subject = meetingDetails.Subject,
AllowedPresenters = OnlineMeetingPresenters.Organizer,
IsEntryExitAnnounced = true,
Participants = new MeetingParticipants
{
Attendees = new List<MeetingParticipantInfo>
{
new MeetingParticipantInfo
{
Role = OnlineMeetingRole.Attendee,
Identity = new IdentitySet
{
Application = new Identity
{
Id = Guid.NewGuid().ToString(),
DisplayName = "Attendee1"
}
}
},
new MeetingParticipantInfo
{
Role = OnlineMeetingRole.Presenter,
Identity = new IdentitySet
{
Application = new Identity
{
Id = Guid.NewGuid().ToString(),
DisplayName = "Attendee2"
}
}
},
new MeetingParticipantInfo
{
Role = OnlineMeetingRole.Presenter,
Identity = new IdentitySet
{
Application = new Identity
{
Id = Guid.NewGuid().ToString(),
DisplayName = "Attendee3"
}
}
}
},
Organizer = new MeetingParticipantInfo
{
Role = OnlineMeetingRole.Presenter,
Identity = new IdentitySet
{
Application = new Identity
{
Id = Guid.NewGuid().ToString(),
DisplayName = Framework.Construction.Configuration["OnlineMeeting:Organiser:DisplayName"]
}
}
}
},
EndDateTime = DateTimeOffset.Now.AddHours(1),
StartDateTime = DateTimeOffset.Now.AddHours(2)
};
// Fire create meeting
var meetingResult = await _graphProvider.CreateMeetingAsync(onlineMeeting);
ApiResponse:
{
"response": null,
"successful": false,
"errorMessage": "Code: generalException\r\nMessage: An error occurred sending the request.\r\n"
}
I have created an application in azure app service and added all necessary permissions as well.
What is it that I'm not doing correctly?
If you require more info, please ask me.
Thanks in advance.
I'm not sure where the error happened, but there are some problems in your code.
As I said in the comment, the resource should be https://graph.microsoft.com/. https://graph.microsoft.com/v1.0/ is the URL of Microsoft Graph API. Please see this article.
Here are some examples of Microsoft web-hosted resources:
Microsoft Graph: https://graph.microsoft.com
Microsoft 365 Mail API: https://outlook.office.com
Azure Key Vault: https://vault.azure.net
Try to replace Me with Users[<user-id>].
You use ClientCredential to authorize, which means you are using the Client credential flows. The OAuth 2.0 client credentials grant flow permits a web service (confidential client) to use its own credentials, instead of impersonating a user, to authenticate when calling another web service. So you could not call Microsoft Graph API with .Me which is used for the signed-in user.
Using this approach I can get auth token for my application on home/resource ADFS as well as on partner/users. Also I have claims aware WCF service of my own. It's configured to work with home/resource ADFS. Naturally, it accepts tokens from home/resource ADFS and rejects from partner/users ADFS.
I can make my WCF service trust tokens issued by partner/users ADFS but it seems wrong from architectural point of view. Somehow I should get token from home/resource ADFS using established trust between home/resource ADFS and partner/users ADFS.
Therefore I have to either 1) issue token on home/resource ADFS using token from partner/users ADFS or 2) somehow authorize user from partner/users AD directly on home/resource ADFS using his login and password. Only active authentication scenarios are considered.
Could you help me with samples of code to solve the first or/and the second problem?
I've been looking for solution for two weeks and finally found the answer. Correct flow is the flow number 1 where you authorize partner's user against partner's ADFS and then use received token to authorize it against resource ADFS. The working code sample is following
using System;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Protocols.WSTrust;
using WSTrustChannel = Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel;
using WSTrustChannelFactory = Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannelFactory;
namespace SOS.Tools.AdfsConnectionChecker
{
/// <summary> Parameters to get token from partner's ADFS
/// using his domain user credentials </summary>
public class AdfsIdentityProviderTokenRequest
{
/// <summary>Domain user from identity provider domain.
/// E.g. Name.FamalyName#ipDomainName.local or ipDomain2kName\Name.FamalyName </summary>
public string IpDomainUserName { get; set; }
/// <summary>Domain user password</summary>
public string IpDomainUserPassword { get; set; }
/// <summary> Identyty provider token issuer server, i.e your partner adfs server.
/// E.g. adfs.partnerdomain.com</summary>
public string IpTokenIssuerServer { get; set; }
/// <summary>Resources token issuer server, i.e. your company adsf server.
/// E.g. adfs.resourcedomain.com</summary>
public string ResourcesTokenIssuerServer { get; set; }
}
/// <summary> Parameters to get token for your application from resource ADFS
/// using token from partner's ADFS</summary>
public class AdfsResourceProviderTokenForAppRequest
{
/// <summary>Token recieved from identity provider. </summary>
public SecurityToken IpToken { get; set; }
/// <summary>Resources token issuer server, i.e. your company adsf server.
/// E.g. adfs.resourcedomain.com</summary>
public string ResourcesTokenIssuerServer { get; set; }
/// <summary>Apllication you want token for. In terms of ADFS its Relying Party.
/// E.g. https://myAppServer.MyAppDomain.com/MyWcfService1 </summary>
public string AppUrl { get; set; }
}
public class AdfsTokenFactory
{
public SecurityToken GetIpToken(AdfsIdentityProviderTokenRequest request)
{
//string username, string password, string tokenIssuer, string appliesTo, out
var binding = new WS2007HttpBinding();
binding.Security.Message.EstablishSecurityContext = false;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
binding.Security.Mode = SecurityMode.TransportWithMessageCredential;
var tokenIssuerUrlFormat = "https://{0}/adfs/services/trust/13/usernamemixed";
var tokenIssuerUrl = string.Format(tokenIssuerUrlFormat, request.IpTokenIssuerServer);
using (var factory = new WSTrustChannelFactory(binding, new EndpointAddress(tokenIssuerUrl)))
{
factory.TrustVersion = TrustVersion.WSTrust13;
factory.Credentials.UserName.UserName = request.IpDomainUserName;
factory.Credentials.UserName.Password = request.IpDomainUserPassword;
factory.ConfigureChannelFactory();
var trustUrlFromat = "http://{0}/adfs/services/trust";
var trustUrl = string.Format(trustUrlFromat, request.ResourcesTokenIssuerServer);
var requestToken = new RequestSecurityToken(WSTrust13Constants.RequestTypes.Issue);
requestToken.AppliesTo = new EndpointAddress(trustUrl);
var tokenClient = (WSTrustChannel) factory.CreateChannel();
RequestSecurityTokenResponse rsts;
var token = tokenClient.Issue(requestToken, out rsts);
return token;
}
}
public SecurityToken GetResourceTokenForApp(AdfsResourceProviderTokenForAppRequest request)
{
var binding = new WS2007FederationHttpBinding();
binding.Security.Message.IssuedKeyType = SecurityKeyType.SymmetricKey;
binding.Security.Message.EstablishSecurityContext = false;
binding.Security.Mode = WSFederationHttpSecurityMode.TransportWithMessageCredential;
var tokenIssuerUrlFormat = "https://{0}/adfs/services/trust/13/IssuedTokenMixedSymmetricBasic256";
var tokenIssuerUrl = string.Format(tokenIssuerUrlFormat, request.ResourcesTokenIssuerServer);
using (var factory = new WSTrustChannelFactory(binding, new EndpointAddress(new Uri(tokenIssuerUrl))))
{
var rst = new RequestSecurityToken
{
RequestType = WSTrust13Constants.RequestTypes.Issue,
AppliesTo = new EndpointAddress(request.AppUrl),
KeyType = WSTrust13Constants.KeyTypes.Symmetric,
};
factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
factory.TrustVersion = TrustVersion.WSTrust13;
factory.Credentials.SupportInteractive = false;
factory.ConfigureChannelFactory();
var channel = factory.CreateChannelWithIssuedToken(request.IpToken);
RequestSecurityTokenResponse rstr;
SecurityToken token = channel.Issue(rst, out rstr);
return token;
}
}
}
}
You call it like this
var factory = new AdfsTokenFactory();
var ipTokenRequest = new AdfsIdentityProviderTokenRequest
{
//or "ipDomain2kName\Name.FamalyName"
IpDomainUserName = "Name.FamalyName#ipDomainName.local",
IpDomainUserPassword = "userDomainPassword",
IpTokenIssuerServer = "adfs.partnerdomain.com",
ResourcesTokenIssuerServer = "adfs.resourcedomain.com"
};
var ipToken = factory.GetIpToken(ipTokenRequest);
var appTokenRequest = new AdfsResourceProviderTokenForAppRequest
{
IpToken = ipToken,
ResourcesTokenIssuerServer ="adfs.resourcedomain.com",
AppUrl = "https://myAppServer.MyAppDomain.com/MyWcfService1"
};
var appToken = factory.GetResourceTokenForApp(appTokenRequest);
I have successfully added OAuth to my WebAPI 2 project using OWIN. I receive tokens and can use them in the HTTP Header to access resources.
Now I want to use those tokens also on other channels for authentication that are not the standard HTTP requests that the OWIN template is made for. For example, I am using WebSockets where the client has to send the OAuth Bearer Token to authenticate.
On the server side, I receive the token through the WebSocket. But how can I now put this token into the OWIN pipeline to extract the IPrincipal and ClientIdentifier from it? In the WebApi 2 template, all this is abstracted for me, so there is nothing I have to do to make it work.
So, basically, I have the token as a string and want to use OWIN to access the user information encoded in that token.
Thank you in advance for the help.
I found a part of the solution in this blog post: http://leastprivilege.com/2013/10/31/retrieving-bearer-tokens-from-alternative-locations-in-katanaowin/
So I created my own Provider as follows:
public class QueryStringOAuthBearerProvider : OAuthBearerAuthenticationProvider
{
public override Task RequestToken(OAuthRequestTokenContext context)
{
var value = context.Request.Query.Get("access_token");
if (!string.IsNullOrEmpty(value))
{
context.Token = value;
}
return Task.FromResult<object>(null);
}
}
Then I needed to add it to my App in Startup.Auth.cs like this:
OAuthBearerOptions = new OAuthBearerAuthenticationOptions()
{
Provider = new QueryStringOAuthBearerProvider(),
AccessTokenProvider = new AuthenticationTokenProvider()
{
OnCreate = create,
OnReceive = receive
},
};
app.UseOAuthBearerAuthentication(OAuthBearerOptions);
With a custom AuthenticationTokenProvider, I can retrieve all other values from the token early in the pipeline:
public static Action<AuthenticationTokenCreateContext> create = new Action<AuthenticationTokenCreateContext>(c =>
{
c.SetToken(c.SerializeTicket());
});
public static Action<AuthenticationTokenReceiveContext> receive = new Action<AuthenticationTokenReceiveContext>(c =>
{
c.DeserializeTicket(c.Token);
c.OwinContext.Environment["Properties"] = c.Ticket.Properties;
});
And now, for example in my WebSocket Hander, I can retrieve ClientId and others like this:
IOwinContext owinContext = context.GetOwinContext();
if (owinContext.Environment.ContainsKey("Properties"))
{
AuthenticationProperties properties = owinContext.Environment["Properties"] as AuthenticationProperties;
string clientId = properties.Dictionary["clientId"];
...
}
By default, OWIN use ASP.NET machine key data protection to protect the OAuth access token when hosted on IIS. You can use MachineKey class in System.Web.dll to unprotect the tokens.
public class MachineKeyProtector : IDataProtector
{
private readonly string[] _purpose =
{
typeof(OAuthAuthorizationServerMiddleware).Namespace,
"Access_Token",
"v1"
};
public byte[] Protect(byte[] userData)
{
throw new NotImplementedException();
}
public byte[] Unprotect(byte[] protectedData)
{
return System.Web.Security.MachineKey.Unprotect(protectedData, _purpose);
}
}
Then, construct a TicketDataFormat to get the AuthenticationTicket object where you can get the ClaimsIdentity and AuthenticationProperties.
var access_token="your token here";
var secureDataFormat = new TicketDataFormat(new MachineKeyProtector());
AuthenticationTicket ticket = secureDataFormat.Unprotect(access_token);
To unprotect other OAuth tokens, you just need to change the _purpose content. For detailed information, see OAuthAuthorizationServerMiddleware class here:
http://katanaproject.codeplex.com/SourceControl/latest#src/Microsoft.Owin.Security.OAuth/OAuthAuthorizationServerMiddleware.cs
if (Options.AuthorizationCodeFormat == null)
{
IDataProtector dataProtecter = app.CreateDataProtector(
typeof(OAuthAuthorizationServerMiddleware).FullName,
"Authentication_Code", "v1");
Options.AuthorizationCodeFormat = new TicketDataFormat(dataProtecter);
}
if (Options.AccessTokenFormat == null)
{
IDataProtector dataProtecter = app.CreateDataProtector(
typeof(OAuthAuthorizationServerMiddleware).Namespace,
"Access_Token", "v1");
Options.AccessTokenFormat = new TicketDataFormat(dataProtecter);
}
if (Options.RefreshTokenFormat == null)
{
IDataProtector dataProtecter = app.CreateDataProtector(
typeof(OAuthAuthorizationServerMiddleware).Namespace,
"Refresh_Token", "v1");
Options.RefreshTokenFormat = new TicketDataFormat(dataProtecter);
}
in addition to johnny-qian answer, using this method is better to create DataProtector. johnny-qian answer, depends on IIS and fails on self-hosted scenarios.
using Microsoft.Owin.Security.DataProtection;
var dataProtector = app.CreateDataProtector(new string[] {
typeof(OAuthAuthorizationServerMiddleware).Namespace,
"Access_Token",
"v1"
});
What is your token like, is it an encrypt string or a formatted string, what is it format?
I my code:
public static Action<AuthenticationTokenReceiveContext> receive = new Action<AuthenticationTokenReceiveContext>(c =>
{
if (!string.IsNullOrEmpty(c.Token))
{
c.DeserializeTicket(c.Token);
//c.OwinContext.Environment["Properties"] = c.Ticket.Properties;
}
});
The c.Ticket is always null.
I am building an OAuth 1.0(a) authorization server using DotNetOpenAuth (NuGet package DotNetOpenAuth.OAuth.ServiceProvider, version = 4.1.4.12333). The server is hosted in an ASP.NET application but that's irrelevant to the question.
My ServiceProvider is configured like this:
private ServiceProvider GetServiceProvider()
{
var baseUri = "http://myauth.com";
return new ServiceProvider(
new ServiceProviderDescription
{
UserAuthorizationEndpoint = new MessageReceivingEndpoint(
new Uri(baseUri + "/get_request_token"),
HttpDeliveryMethods.GetRequest
),
RequestTokenEndpoint = new MessageReceivingEndpoint(
new Uri(baseUri + "/authorize"),
HttpDeliveryMethods.PostRequest
),
AccessTokenEndpoint = new MessageReceivingEndpoint(
new Uri(baseUri + "/get_token"),
HttpDeliveryMethods.PostRequest
),
ProtocolVersion = ProtocolVersion.V10a,
TamperProtectionElements = new ITamperProtectionChannelBindingElement[]
{
new PlaintextSigningBindingElement(),
new HmacSha1SigningBindingElement(),
},
},
tokenManager,
new OAuthServiceProviderMessageFactory(tokenManager)
);
}
The relevant part of my get_request_token endpoint looks like this:
var serviceProvider = GetServiceProvider();
var tokenRequest = serviceProvider.ReadTokenRequest();
Now when a consumer sends the following request to this endpoint:
GET /get_request_token?oauth_nonce=C5657420BCE5F3224914304376B5334696B09B7FFC17C105A7F9629A008869DC&oauth_timestamp=1356006599&oauth_consumer_key=sampleconsumer&oauth_signature_method=plaintext&oauth_signature=samplesecret%26&oauth_version=1.0&oauth_callback=http%3a%2f%2flocalhost%3a30103%2fCustomOAuth1 HTTP/1.1
Host: localhost:8180
Connection: close
(broken for clarity):
oauth_nonce=C5657420BCE5F3224914304376B5334696B09B7FFC17C105A7F9629A008869DC
oauth_timestamp=1356006599
oauth_consumer_key=sampleconsumer
oauth_signature_method=plaintext
oauth_signature=samplesecret%26
oauth_version=1.0
oauth_callback=http%3a%2f%2flocalhost%3a30103%2fCustomOAuth1
The serviceProvider.ReadTokenRequest() method throws an exception:
The UnauthorizedTokenRequest message required protections {All} but the channel could only apply {Expiration, ReplayProtection}.
at DotNetOpenAuth.Messaging.Channel.ProcessIncomingMessage(IProtocolMessage message)
at DotNetOpenAuth.Messaging.Channel.ReadFromRequest(HttpRequestBase httpRequest)
at DotNetOpenAuth.Messaging.Channel.TryReadFromRequest[TRequest](HttpRequestBase httpRequest, TRequest& request)
at DotNetOpenAuth.OAuth.ServiceProvider.ReadTokenRequest(HttpRequestBase request)
at DotNetOpenAuth.OAuth.ServiceProvider.ReadTokenRequest()
at OAuthServers.OAuth1.Services.OAuth1Service.Any(GetRequestTokenRequest request)
at lambda_method(Closure , Object , Object )
at ServiceStack.ServiceHost.ServiceRunner`1.Execute(IRequestContext requestContext, Object instance, TRequest request)
On the other hand if the client sends the following request:
GET /get_request_token?oauth_callback=http%3a%2f%2flocalhost%3a65271%2foauth1%2fHandleAccessToken&oauth_consumer_key=sampleconsumer&oauth_nonce=rGFvxlWm&oauth_signature_method=HMAC-SHA1&oauth_signature=HV%2f5Vq%2b0cF3NrtiISE9k4jmgCrY%3d&oauth_version=1.0&oauth_timestamp=1356007830 HTTP/1.1
Host: localhost:8180
Connection: close
(broken for clarity):
oauth_callback=http%3a%2f%2flocalhost%3a65271%2foauth1%2fHandleAccessToken
oauth_consumer_key=sampleconsumer
oauth_nonce=rGFvxlWm
oauth_signature_method=HMAC-SHA1
oauth_signature=HV%2f5Vq%2b0cF3NrtiISE9k4jmgCrY%3d
oauth_version=1.0
oauth_timestamp=1356007830
it succeeds.
As you can see the only difference between those 2 requests is the oauth_signature_method being used. In the first case PLAINTEXT is used whereas in the second HMAC-SHA1.
Is it possible to make DotNetOpenAuth accept a PLAINTEXT signature method for the request token endpoint along with the GET verb (even if the OAuth 1.0(a) specification recommends POST to be used for this endpoint)? Is there some config option that could relax this requirement on the server?
At the moment modifying the client is not an option for me.
OAuth Authentication is done in three steps:
The Consumer obtains an unauthorized Request Token.
The User authorizes the Request Token.
The Consumer exchanges the Request Token for an Access Token.
So here's what that would look like:
public class InMemoryTokenManager : IConsumerTokenManager, IOpenIdOAuthTokenManager
{
private Dictionary<string, string> tokensAndSecrets = new Dictionary<string, string>();
public InMemoryTokenManager(string consumerKey, string consumerSecret)
{
if (String.IsNullOrEmpty(consumerKey))
{
throw new ArgumentNullException("consumerKey");
}
this.ConsumerKey = consumerKey;
this.ConsumerSecret = consumerSecret;
}
public string ConsumerKey { get; private set; }
public string ConsumerSecret { get; private set; }
#region ITokenManager Members
public string GetConsumerSecret(string consumerKey)
{
if (consumerKey == this.ConsumerKey)
{
return this.ConsumerSecret;
}
else
{
throw new ArgumentException("Unrecognized consumer key.", "consumerKey");
}
}
public string GetTokenSecret(string token)
{
return this.tokensAndSecrets[token];
}
public void StoreNewRequestToken(UnauthorizedTokenRequest request, ITokenSecretContainingMessage response)
{
this.tokensAndSecrets[response.Token] = response.TokenSecret;
}
public void ExpireRequestTokenAndStoreNewAccessToken(string consumerKey, string requestToken, string accessToken, string accessTokenSecret)
{
this.tokensAndSecrets.Remove(requestToken);
this.tokensAndSecrets[accessToken] = accessTokenSecret;
}
/// <summary>
/// Classifies a token as a request token or an access token.
/// </summary>
/// <param name="token">The token to classify.</param>
/// <returns>Request or Access token, or invalid if the token is not recognized.</returns>
public TokenType GetTokenType(string token)
{
throw new NotImplementedException();
}
#endregion
#region IOpenIdOAuthTokenManager Members
public void StoreOpenIdAuthorizedRequestToken(string consumerKey, AuthorizationApprovedResponse authorization)
{
this.tokensAndSecrets[authorization.RequestToken] = string.Empty;
}
#endregion
}
Following block of code may help you to generate plain text signature
public static string GetSignature(OAuthSignatureMethod signatureMethod, AuthSignatureTreatment signatureTreatment, string signatureBase, string consumerSecret, string tokenSecret)
{
if (tokenSecret.IsNullOrBlank())
{
tokenSecret = String.Empty;
}
consumerSecret = UrlEncodeRelaxed(consumerSecret);
tokenSecret = UrlEncodeRelaxed(tokenSecret);
string signature;
switch (signatureMethod)
{
case OAuthSignatureMethod.HmacSha1:
{
var crypto = new HMACSHA1();
var key = "{0}&{1}".FormatWith(consumerSecret, tokenSecret);
crypto.Key = _encoding.GetBytes(key);
signature = signatureBase.HashWith(crypto);
break;
}
case OAuthSignatureMethod.PlainText:
{
signature = "{0}&{1}".FormatWith(consumerSecret, tokenSecret);
break;
}
default:
throw new NotImplementedException("Only HMAC-SHA1 is currently supported.");
}
var result = signatureTreatment == OAuthSignatureTreatment.Escaped
? UrlEncodeRelaxed(signature)
: signature;
return result;
}