diff --git a/App/StackExchange.DataExplorer.Tests/Models/TestQueryExecutions.cs b/App/StackExchange.DataExplorer.Tests/Models/TestQueryExecutions.cs index 39348394..e607a925 100644 --- a/App/StackExchange.DataExplorer.Tests/Models/TestQueryExecutions.cs +++ b/App/StackExchange.DataExplorer.Tests/Models/TestQueryExecutions.cs @@ -15,7 +15,7 @@ public class TestQueryExecutions : BaseTest { public void TestBatchingBatch() { string sql = "print 1 \nGO\nprint 2"; var site = Current.DB.Sites.First(); - var user = User.CreateUser("Fred", "a@a.com", "xyzdsa"); + var user = User.CreateUser("Fred", "a@a.com"); var results = QueryRunner.ExecuteNonCached(new ParsedQuery(sql, null), site, user, null); Assert.AreEqual(0, results.ResultSets.Count()); @@ -27,7 +27,7 @@ public void TestBatchingBatch() { public void TestMultiResultSetsInStatement() { string sql = "select 1 select 2"; var site = Current.DB.Sites.First(); - var user = User.CreateUser("Fred", "a@a.com", "xyzdsa"); + var user = User.CreateUser("Fred", "a@a.com"); var results = QueryRunner.ExecuteNonCached(new ParsedQuery(sql, null), site, user, null); Assert.AreEqual(2, results.ResultSets.Count()); diff --git a/App/StackExchange.DataExplorer.Tests/Models/TestUser.cs b/App/StackExchange.DataExplorer.Tests/Models/TestUser.cs index 3561e35f..729f6401 100644 --- a/App/StackExchange.DataExplorer.Tests/Models/TestUser.cs +++ b/App/StackExchange.DataExplorer.Tests/Models/TestUser.cs @@ -12,32 +12,13 @@ namespace StackExchange.DataExplorer.Tests.Models { [TestClass] public class TestUser : BaseTest { - - [TestMethod] - public void TestUserCreationSetsCreationDate() { - var u = User.CreateUser("Fred", "a@a.com", "xyz"); - Assert.IsNotNull(u.CreationDate); - } - - [TestMethod] - public void TestBasicUserCreation() { - - User.CreateUser("Fred", "a@a.com", "xyz"); - - var u2 = Current.DB.Query("select * from Users where Login = @Login", new {Login = "Fred"}).First(); - Assert.AreEqual("Fred", u2.Login); - - var o = Current.DB.Query("select * from UserOpenIds where OpenIdClaim = @claim", new {claim = "xyz"}).FirstOrDefault(); - Assert.AreEqual("xyz", o.OpenIdClaim); - } - [TestMethod] public void TestNoName() { Current.DB.Execute("delete from Users where Login like 'jon.doe%'"); - var u1 = User.CreateUser("", null, "xyz"); - var u2 = User.CreateUser(null, "", "xyz1"); + var u1 = User.CreateUser("", null); + var u2 = User.CreateUser(null, ""); Assert.AreEqual("jon.doe", u1.Login); // This behaviour is probably not what we want @@ -49,13 +30,13 @@ public void TestNoSpaces() { Current.DB.Execute("delete from Users where Login like 'jon.doe%'"); - var u1 = User.CreateUser("jon doe", null, "xyz"); + var u1 = User.CreateUser("jon doe", null); Assert.AreEqual("jon.doe", u1.Login); } [TestMethod] public void TestWeirdChars() { - var u1 = User.CreateUser("jon&*doe", null, "xyz"); + var u1 = User.CreateUser("jon&*doe", null); Assert.AreEqual(u1.Login, "jondoe"); } } diff --git a/App/StackExchange.DataExplorer/App_Start/BundleConfig.cs b/App/StackExchange.DataExplorer/App_Start/BundleConfig.cs index 670fc423..5359466d 100644 --- a/App/StackExchange.DataExplorer/App_Start/BundleConfig.cs +++ b/App/StackExchange.DataExplorer/App_Start/BundleConfig.cs @@ -61,9 +61,15 @@ private static void RegisterBundles(BundleCollection bundles) .Include("~/Content/homepage.css") .Include("~/Content/topbar.css", new CssRewriteUrlTransform()) .Include("~/Content/header.css", new CssRewriteUrlTransform()) + .Include("~/Content/user.css") .Include("~/Content/jquery.autocomplete.css") ); + bundles.Add(new StyleBundle("~/assets/css/login") + .Include("~/Content/login.css", new CssRewriteUrlTransform()) + .Include("~/Content/login-providers.css", new CssRewriteUrlTransform()) + ); + bundles.Add(new StyleBundle("~/assets/css/query") .Include("~/Content/codemirror/codemirror.css") .Include("~/Content/codemirror/custom.css") diff --git a/App/StackExchange.DataExplorer/Content/header.css b/App/StackExchange.DataExplorer/Content/header.css index 537fb559..8047c7db 100644 --- a/App/StackExchange.DataExplorer/Content/header.css +++ b/App/StackExchange.DataExplorer/Content/header.css @@ -130,7 +130,7 @@ nav.primary .site-selector-popup .ac_results li.ac_over { margin-bottom: 0; } -#tabs { +.nav-tabs { float: right; } @@ -138,7 +138,7 @@ nav.primary .site-selector-popup .ac_results li.ac_over { margin-left: 5px; } -#tabs a, .miniTabs a { +.nav-tabs a, .miniTabs a { background:none repeat scroll 0 0 #fff; border: 1px solid #fff; color: #777; @@ -152,7 +152,7 @@ nav.primary .site-selector-popup .ac_results li.ac_over { text-decoration: none; } -#tabs a:hover, .miniTabs a:hover { +.nav-tabs a:hover, .miniTabs a:hover { background: none repeat scroll 0 0 #FFFFFF; border-color: #CCC #CCC #FFFFFF; border-style: solid; @@ -161,7 +161,7 @@ nav.primary .site-selector-popup .ac_results li.ac_over { margin-top: 9px; } -#tabs a.youarehere, .miniTabs a.youarehere { +.nav-tabs a.youarehere, .miniTabs a.youarehere { background: none repeat scroll 0 0 #FFFFFF; border-color: #CCC #CCC #FFFFFF; border-style: solid; diff --git a/App/StackExchange.DataExplorer/Content/login-providers.css b/App/StackExchange.DataExplorer/Content/login-providers.css new file mode 100644 index 00000000..5ad54312 --- /dev/null +++ b/App/StackExchange.DataExplorer/Content/login-providers.css @@ -0,0 +1,8 @@ +.stackexchange { background-position: -356px 0; } +.google { background-position: -426px 0; } +.yahoo { background-position: 1px 4px; } +.livejournal { background-position: -73px 4px; } +.wordpress { background-position: -38px 4px; } +.blogger { background-position: -108px 4px; } +.verisign { background-position: -458px 4px; } +.aol { background-position: -142px 4px; } \ No newline at end of file diff --git a/App/StackExchange.DataExplorer/Content/user.css b/App/StackExchange.DataExplorer/Content/user.css new file mode 100644 index 00000000..e641d6c6 --- /dev/null +++ b/App/StackExchange.DataExplorer/Content/user.css @@ -0,0 +1,104 @@ +.user-profile .page > .subheader { + height: 40px; +} + +.user-profile .page > .subheader .nav-tabs { + float: left; +} + +.user-profile .page > .subheader .nav-tabs a, +.user-profile .page > .subheader .nav-tabs a.youarehere { + border: 0px; + font-size: 13px; + line-height: 1.3em; + height: auto; + padding: 11px 7px 12px 7px; + margin: 0 20px 0 0; +} + +.user-profile .page > .subheader .nav-tabs a:hover { + color: #0C57A0; + border-bottom: 2px solid #0C57A0; +} + +.user-profile .page > .subheader .nav-tabs a.youarehere { + font-weight: bold; + color: #0C57A0; + border-bottom: 2px solid #0C57A0; +} + +.user-profile #add-login { + float: right; + font-weight: bold; + margin-top: -22px; +} + +.user-profile #user-logins { + list-style-type: none; + margin: 0; +} + +.user-profile .user-login { + margin-top: 14px; + margin-bottom: 20px; + padding-left: 24px; +} + +.user-profile .user-login h2 { + font-size: 16px; + margin-left: -24px; +} + +.user-profile .user-login span.icon { + background-image: url('./img/login-icons.svg'); + background-repeat: no-repeat; + display: inline-block; + width: 16px; + height: 16px; + margin-bottom: -2px; + margin-right: 8px; +} + +.user-profile .user-login .claim-identifier { + display: block; + margin-top: 5px; + color: #CCC; +} + +.sectioned-nav { + float: left; + list-style-type: none; + margin: 0; + width: 220px; +} + +.sectioned-nav li { + padding: 10px; + padding-right: 0; +} + +.sectioned-nav li:hover { + background-color: #D8E8F7; +} + +.sectioned-nav li a { + display: block; + color: #777; + padding: 4px; +} + +.sectioned-nav li:hover a, .sectioned-nav li.youarehere a { + text-decoration: none; + border-right: 3px solid #0C57A0; + color: #0C57A0; +} + +.sectioned-nav li.youarehere a { + font-weight: bold; +} + +.sectioned-content { + margin-left: 220px; + padding-left: 50px; + padding-top: 10px; +} \ No newline at end of file diff --git a/App/StackExchange.DataExplorer/Controllers/AccountController.cs b/App/StackExchange.DataExplorer/Controllers/AccountController.cs index 87011e2a..7cda53b0 100644 --- a/App/StackExchange.DataExplorer/Controllers/AccountController.cs +++ b/App/StackExchange.DataExplorer/Controllers/AccountController.cs @@ -1,4 +1,5 @@ using System; +using System.IdentityModel.Tokens; using System.IO; using System.Linq; using System.Net; @@ -41,7 +42,7 @@ public ActionResult Login(string returnUrl, string message = null) return View("LoginActiveDirectory"); //case AppSettings.AuthenitcationMethod.Default: default: - SetHeader(CurrentUser.IsAnonymous ? "Log in with OpenID" : "Log in below to change your OpenID"); + SetHeader(CurrentUser.IsAnonymous ? "Log in to access your Data Explorer account" : "Add a new login method to your account"); return View("Login"); } } @@ -144,89 +145,11 @@ public ActionResult Authenticate(string returnUrl) var normalizedClaim = Models.User.NormalizeOpenId(response.ClaimedIdentifier.ToString()); var sreg = response.GetExtension(); var isSecure = originalClaim.StartsWith("https://"); + var email = sreg != null && sreg.Email != null && sreg.Email.Length > 2 ? sreg.Email : null; + var displayName = sreg != null ? sreg.Nickname ?? sreg.FullName : null; - var whitelistEmail = sreg != null && sreg.Email != null && sreg.Email.Length > 2 ? sreg.Email : null; - var whiteListResponse = CheckWhitelist(normalizedClaim, whitelistEmail); - if (whiteListResponse != null) - return whiteListResponse; - - User user = null; - var openId = Current.DB.Query("SELECT * FROM UserOpenIds WHERE OpenIdClaim = @normalizedClaim", new { normalizedClaim }).FirstOrDefault(); - - if (!CurrentUser.IsAnonymous) - { - if (openId != null && openId.UserId != CurrentUser.Id) //Does another user have this OpenID - { - //TODO: Need to perform a user merge - SetHeader("Log in below to change your OpenID"); - return LoginError("Another user with this OpenID already exists, merging is not possible at this time."); - } - - var currentOpenIds = Current.DB.Query("select * from UserOpenIds where UserId = @Id", new {CurrentUser.Id}); - - // If a user is merged and then tries to add one of the OpenIDs used for the two original users, - // this update will fail...so don't attempt it if we detect that's the case. Really we should - // work on allowing multiple OpenID logins, but for now I'll settle for not throwing an exception... - if (!currentOpenIds.Any(s => s.OpenIdClaim == normalizedClaim)) - { - Current.DB.UserOpenIds.Update(currentOpenIds.First().Id, new { OpenIdClaim = normalizedClaim }); - } - - user = CurrentUser; - returnUrl = "/users/" + user.Id; - } - else if (openId == null) - { - if (sreg != null && IsVerifiedEmailProvider(normalizedClaim)) - { - // Eh...We can trust the verified email provider, but we can't really trust Users.Email. - // I can't think of a particularly malicious way this could be exploited, but it's likely - // worth reviewing at some point. - user = Current.DB.Query("select * from Users where Email = @Email", new { sreg.Email }).FirstOrDefault(); - - if (user != null) - { - Current.DB.UserOpenIds.Insert(new { UserId = user.Id, OpenIdClaim = normalizedClaim, isSecure }); - } - } - - if (user == null) - { - // create new user - string email = ""; - string login = ""; - if (sreg != null) - { - email = sreg.Email; - login = sreg.Nickname ?? sreg.FullName; - } - user = Models.User.CreateUser(login, email, normalizedClaim); - } - } - else - { - user = Current.DB.Users.Get(openId.UserId); - - if (AppSettings.EnableEnforceSecureOpenId && user.EnforceSecureOpenId && !isSecure && openId.IsSecure) - { - return LoginError("User preferences prohibit insecure (non-https) variants of the provided OpenID identifier"); - } - else if (isSecure && !openId.IsSecure) - { - Current.DB.UserOpenIds.Update(openId.Id, new { IsSecure = true }); - } - } - - IssueFormsTicket(user); - - if (!string.IsNullOrEmpty(returnUrl)) - { - return Redirect(returnUrl); - } - else - { - return RedirectToAction("Index", "Home"); - } + return LoginUser(new UserAuthClaim.Identifier(normalizedClaim, UserAuthClaim.ClaimType.OpenID), email, displayName, + returnUrl, IsVerifiedEmailProvider(originalClaim), isSecure); case AuthenticationStatus.Canceled: return LoginError("Canceled at provider"); case AuthenticationStatus.Failed: @@ -236,18 +159,56 @@ public ActionResult Authenticate(string returnUrl) return new EmptyResult(); } - private ActionResult LoginViaEmail(string email, string displayName, string returnUrl) + private ActionResult LoginUser(UserAuthClaim.Identifier identifier, string email, string displayName, string returnUrl, bool trustEmail, bool isSecure = false, UserAuthClaim.Identifier legacyIdentifier = null) { - var whiteListResponse = CheckWhitelist("", email, trustEmail: true); + var whiteListResponse = CheckWhitelist(identifier.Value, email, trustEmail: trustEmail); + if (whiteListResponse != null) return whiteListResponse; - var user = Current.DB.Query("Select * From Users Where Email = @email", new { email }).FirstOrDefault(); + Tuple identity = Models.User.FindUserIdentityByAuthClaim(email, identifier, CurrentUser.IsAnonymous && trustEmail, legacyIdentifier: legacyIdentifier); + + var user = identity.Item1; + var claim = identity.Item2; + + if (!CurrentUser.IsAnonymous && user != null && user.Id != CurrentUser.Id) + { + //TODO: Need to perform a user merge + SetHeader("Log in below to change your OpenID"); + + return LoginError("Another user with this login already exists, merging is not possible at this time."); + } - // Create the user if not found if (user == null) { - user = Models.User.CreateUser(displayName, email, null); + user = !CurrentUser.IsAnonymous ? CurrentUser : Models.User.CreateUser(displayName, email); + } + + if (claim == null) + { + Current.DB.UserAuthClaims.Insert(new { UserId = user.Id, ClaimIdentifier = identifier.Value, IdentifierType = identifier.Type, IsSecure = isSecure, Display = trustEmail ? email : null }); + } + else if (claim.UserId != user.Id) + { + // This implies there's an orphan claim record somehow, I don't think this should be possible + Current.DB.UserAuthClaims.Update(claim.Id, new { UserId = user.Id }); + } + else + { + // This checking is only relevant to OpenID…which is kind of auth-type specific logic for this method, but meh + if (AppSettings.EnableEnforceSecureOpenId && user.EnforceSecureOpenId && !isSecure && claim.IsSecure) + { + return LoginError("User preferences prohibit insecure (non-https) variants of the provided OpenID identifier"); + } + else if (isSecure && !claim.IsSecure) + { + Current.DB.UserAuthClaims.Update(claim.Id, new { IsSecure = true }); + } + + if (trustEmail && claim.Display != email) + { + Current.DB.UserAuthClaims.Update(claim.Id, new { Display = email }); + } } IssueFormsTicket(user); @@ -256,6 +217,7 @@ private ActionResult LoginViaEmail(string email, string displayName, string retu { return Redirect(returnUrl); } + return RedirectToAction("Index", "Home"); } @@ -340,13 +302,14 @@ private ActionResult OAuthLogin() // return Redirect(redirect); case "https://accounts.google.com/o/oauth2/auth": // Google GetGoogleConfig(out secret, out clientId, out path); + return Redirect(string.Format( - "{0}?client_id={1}&scope=openid+email&redirect_uri={2}&state={3}&response_type=code", - server, - clientId, - (BaseUrl + path).UrlEncode(), - stateJson.UrlEncode() - )); + "{0}?client_id={1}&scope=openid+email&redirect_uri={2}&state={3}&response_type=code&openid.realm={2}", + server, + clientId, + (BaseUrl + path).UrlEncode(), + stateJson.UrlEncode() + )); } return LoginError("Unsupported OAuth version or server"); @@ -395,9 +358,10 @@ public ActionResult GoogleCallback(string code, string state, string error) var responseStr = Encoding.UTF8.GetString(response); authResponse = JsonConvert.DeserializeObject(responseStr); } - if (authResponse != null) + + if (authResponse != null && !authResponse.error.HasValue()) { - var loginResponse = FetchFromGoogle(authResponse.access_token); + var loginResponse = FetchFromGoogle(authResponse.access_token, authResponse.id_token); if (loginResponse != null) return loginResponse; } } @@ -430,8 +394,11 @@ public ActionResult GoogleCallback(string code, string state, string error) return LoginError("Google authentication failed"); } - private ActionResult FetchFromGoogle(string accessToken) + private ActionResult FetchFromGoogle(string accessToken, string idToken) { + // We're not bothering to validate the id token because we just got it back directly from Google over HTTPS + var legacyIdentifier = (string)new JwtSecurityToken(idToken).Payload["openid_id"]; + string result = null; Exception lastException = null; for (var retry = 0; retry < GoogleAuthRetryAttempts; retry++) @@ -479,7 +446,14 @@ private ActionResult FetchFromGoogle(string accessToken) if (person.email == null) return LoginError("Error fetching email from Google"); - return LoginViaEmail(person.email, person.name, "/"); + return LoginUser( + new UserAuthClaim.Identifier(person.id, UserAuthClaim.ClaimType.Google), + person.email, + person.name, + "/", + person.verified_email, + legacyIdentifier: legacyIdentifier.HasValue() ? new UserAuthClaim.Identifier(Models.User.NormalizeOpenId(legacyIdentifier), UserAuthClaim.ClaimType.OpenID) : null + ); } catch (Exception e) { @@ -546,6 +520,7 @@ public class OAuthLoginState public class GoogleAuthResponse { public string access_token { get; set; } + public string id_token { get; set; } public string error { get; set; } public string error_description { get; set; } } diff --git a/App/StackExchange.DataExplorer/Controllers/AdminController.cs b/App/StackExchange.DataExplorer/Controllers/AdminController.cs index cb9f69e3..e1827483 100644 --- a/App/StackExchange.DataExplorer/Controllers/AdminController.cs +++ b/App/StackExchange.DataExplorer/Controllers/AdminController.cs @@ -137,9 +137,9 @@ where grp.Count() > 1 } else { - var openids = Current.DB.Query("select * from UserOpenIds").ToList(); + var openids = Current.DB.UserAuthClaims.All(); dupeUserIds = (from openid in openids - group openid by Models.User.NormalizeOpenId(openid.OpenIdClaim) + group openid by Models.User.NormalizeOpenId(openid.ClaimIdentifier) into grp where grp.Count() > 1 select new Tuple>(grp.Key, grp.Select(id => id.UserId).OrderBy(id => id))).ToList(); @@ -169,12 +169,12 @@ where grp.Count() > 1 [StackRoute("admin/normalize-openids")] public ActionResult NormalizeOpenIds() { - foreach (var openId in Current.DB.UserOpenIds.All()) + foreach (var openId in Current.DB.UserAuthClaims.All()) { - var cleanClaim = Models.User.NormalizeOpenId(openId.OpenIdClaim); - if (cleanClaim != openId.OpenIdClaim) + var cleanClaim = Models.User.NormalizeOpenId(openId.ClaimIdentifier); + if (cleanClaim != openId.ClaimIdentifier) { - Current.DB.UserOpenIds.Update(openId.Id, new { OpenIdClaim = cleanClaim }); + Current.DB.UserAuthClaims.Update(openId.Id, new { ClaimIdentifier = cleanClaim }); } } return TextPlain("Done."); @@ -239,12 +239,12 @@ public ActionResult MergeSubmit(int masterId, int mergeId) public ActionResult FindDuplicateUserOpenIds() { - var sql = "select * from UserOpenIds where UserId in (select UserId from UserOpenId having count(*) > 0)"; + var sql = "select * from UserAuthClaims where UserId in (select UserId from UserAuthClaims having count(*) > 0)"; - var dupes = (from uoi in Current.DB.Query(sql) + var dupes = (from uoi in Current.DB.Query(sql) group uoi by uoi.UserId into grp - select new Tuple>(grp.Key, grp.Select(g=>g))).ToList(); + select new Tuple>(grp.Key, grp.Select(g=>g))).ToList(); SetHeader("Possible Duplicate User OpenId records"); return View(dupes); } @@ -253,7 +253,7 @@ into grp [StackRoute("admin/useropenid/remove/{id:int}", HttpVerbs.Post)] public ActionResult RemoveUserOpenIdEntry(int id) { - Current.DB.UserOpenIds.Delete(id); + Current.DB.UserAuthClaims.Delete(id); return Json("ok"); } diff --git a/App/StackExchange.DataExplorer/Controllers/UserController.cs b/App/StackExchange.DataExplorer/Controllers/UserController.cs index 83d43a69..0dd1357c 100644 --- a/App/StackExchange.DataExplorer/Controllers/UserController.cs +++ b/App/StackExchange.DataExplorer/Controllers/UserController.cs @@ -122,7 +122,12 @@ FROM Users /**join**/ /**where**/ [StackRoute(@"users/edit/{id:\d+}", RoutePriority.High)] public ActionResult Edit(int id, User updatedUser) { - User user = Current.DB.Users.Get(id); + User user = CanViewPrivateInfoFor(id) ? GetUser(id) : null; + + if (user == null) + { + return PageNotFound(); + } if (updatedUser.DOB < DateTime.UtcNow.AddYears(-100) || updatedUser.DOB > DateTime.UtcNow.AddYears(-6)) { @@ -175,23 +180,32 @@ public ActionResult Edit(int id, User updatedUser) [StackRoute(@"users/edit/{id:\d+}", RoutePriority.High)] public ActionResult Edit(int id) { - User user = Current.DB.Users.Get(id); + User user = CanViewPrivateInfoFor(id) ? GetUser(id) : null; + if (user == null) { return PageNotFound(); } - if (user.Id == CurrentUser.Id || CurrentUser.IsAdmin) - { - SetHeader(user.Login + " - Edit"); - SelectMenuItem("Users"); + SetProfileMetadata(user, true); - return View(user); - } - else + return View(user); + } + + [HttpGet] + [StackRoute(@"users/logins/{id:\d+}", RoutePriority.High)] + public ActionResult Logins(int id) + { + User user = AppSettings.AuthMethod == AppSettings.AuthenitcationMethod.Default && CanViewPrivateInfoFor(id) ? GetUser(id) : null; + + if (user == null) { - return Redirect("/"); + return PageNotFound(); } + + SetProfileMetadata(user, true, "logins"); + + return View(user); } [HttpPost] @@ -202,9 +216,9 @@ public ActionResult SavePreference(int id, string preference, string value) return ContentError("Invalid preference"); } - User user = Current.DB.Users.Get(id); + User user = CanViewPrivateInfoFor(id) ? GetUser(id) : null; - if (user == null || (user.Id != CurrentUser.Id && !CurrentUser.IsAdmin)) + if (user == null) { return ContentError("Invalid action"); } @@ -220,7 +234,7 @@ public ActionResult SavePreference(int id, string preference, string value) [StackRoute(@"users/{id:INT}/{name?}")] public ActionResult Show(int id, string name, string order_by, int? page) { - User user = !Current.User.IsAnonymous && Current.User.Id == id ? Current.User : Current.DB.Users.Get(id); + User user = GetUser(id); if (user == null) { @@ -235,8 +249,7 @@ public ActionResult Show(int id, string name, string order_by, int? page) DataExplorerDatabase db = Current.DB; - SetHeader(user.Login); - SelectMenuItem("Users"); + SetProfileMetadata(user, false); var profileTabs = new SubHeader { @@ -371,5 +384,66 @@ Votes v ON return View(user); } + + private bool CanViewPrivateInfoFor(int id) + { + return !CurrentUser.IsAnonymous && (CurrentUser.Id == id || CurrentUser.IsAdmin); + } + + private User GetUser(int id) + { + return CurrentUser.Id == id ? CurrentUser : Current.DB.Users.Get(id); + } + + private void SetProfileMetadata(User user, bool isEditing, string currentEditPage = null) + { + var subheaders = new List + { + new SubHeaderViewData + { + Description = "Profile", + Href = "/users/" + user.ProfilePath, + Default = true + } + }; + + if (CanViewPrivateInfoFor(user.Id)) + { + subheaders.Add(new SubHeaderViewData + { + Name = "edit", + Description = "Edit Profile & Logins", + Href = "/users/edit/" + user.Id + }); + } + + ViewData["BodyClass"] = "user-profile"; + SelectMenuItem("Users"); + SetHeader(null, isEditing ? "edit" : null, subheaders.ToArray()); + + if (isEditing) + { + ViewData["ProfileNav"] = new SubHeader + { + Selected = currentEditPage, + Items = new List + { + new SubHeaderViewData + { + Name = "profile", + Description = "Edit Profile", + Href = "/users/edit/" + user.Id, + Default = true + }, + new SubHeaderViewData + { + Name = "logins", + Description = "My Logins", + Href = "/users/logins/" + user.Id + } + } + }; + } + } } } \ No newline at end of file diff --git a/App/StackExchange.DataExplorer/Models/User.cs b/App/StackExchange.DataExplorer/Models/User.cs index 317a1082..b16a341e 100644 --- a/App/StackExchange.DataExplorer/Models/User.cs +++ b/App/StackExchange.DataExplorer/Models/User.cs @@ -25,13 +25,13 @@ public partial class User public string PreferencesRaw { get; set; } public string ADLogin { get; set; } - List _userOpenIds; - public List UserOpenIds + List _userAuthClaims; + public List UserAuthClaims { get { - _userOpenIds = _userOpenIds ?? Current.DB.Query("select * from UserOpenIds where UserId = @Id", new { Id }).ToList(); - return _userOpenIds; + _userAuthClaims = _userAuthClaims ?? Current.DB.Query("select * from UserAuthClaims where UserId = @Id", new { Id }).ToList(); + return _userAuthClaims; } } @@ -105,6 +105,41 @@ public static User CreateUser(string accountLogin) return u; } + public static Tuple FindUserIdentityByAuthClaim(string email, UserAuthClaim.Identifier identifier, bool useEmailFallback = true, UserAuthClaim.Identifier legacyIdentifier = null) + { + var claim = Current.DB.Query( + "SELECT * FROM UserAuthClaims WHERE ClaimIdentifier = @identifier AND IdentifierType = @type", + new { identifier = identifier.Value, type = identifier.Type } + ).FirstOrDefault(); + + if (claim == null && legacyIdentifier != null) + { + claim = Current.DB.Query( + "SELECT * FROM UserAuthClaims WHERE ClaimIdentifier = @identifier AND IdentifierType = @type", + new { identifier = legacyIdentifier.Value, type = legacyIdentifier.Type } + ).FirstOrDefault(); + + if (claim != null) + { + // Update the legacy auth claim (only Google OpenID -> email right now) + Current.DB.UserAuthClaims.Update(claim.Id, new { ClaimIdentifier = identifier.Value, IdentifierType = identifier.Type, IsSecure = false, Display = email }); + } + } + + User user = null; + + if (claim != null) + { + user = Current.DB.Users.Get(claim.UserId); + } + else if (useEmailFallback && email.HasValue()) + { + user = Current.DB.Query("SELECT * FROM Users WHERE Email = @email", new { email }).FirstOrDefault(); + } + + return Tuple.Create(user, claim); + } + public void SetAdmin(bool isAdmin) { Current.DB.Execute("Update Users Set IsAdmin = @isAdmin Where Id = @Id", new {Id, isAdmin}); @@ -115,7 +150,7 @@ public static User GetByADLogin(string accountLogin) return Current.DB.Query("Select * From Users Where ADLogin = @accountLogin", new {accountLogin}).SingleOrDefault(); } - public static User CreateUser(string login, string email, string openIdClaim) + public static User CreateUser(string login, string email) { var u = new User(); u.CreationDate = DateTime.UtcNow; @@ -155,8 +190,7 @@ public static User CreateUser(string login, string email, string openIdClaim) } u.Id = Current.DB.Users.Insert(new { u.Email, u.Login, u.CreationDate }).Value; - if (openIdClaim != null) - Current.DB.UserOpenIds.Insert(new {OpenIdClaim = openIdClaim, UserId = u.Id}); + return u; } @@ -242,7 +276,7 @@ from RevisionExecutions r // User Open Ids { - var rempped = db.Execute("update UserOpenIds set UserId = @masterId where UserId = @mergeId", new { mergeId, masterId }); + var rempped = db.Execute("update UserAuthClaims set UserId = @masterId where UserId = @mergeId", new { mergeId, masterId }); log.AppendLine(string.Format("Remapped {0} user open ids", rempped)); } diff --git a/App/StackExchange.DataExplorer/Models/UserAuthClaim.cs b/App/StackExchange.DataExplorer/Models/UserAuthClaim.cs new file mode 100644 index 00000000..1fbf6d4e --- /dev/null +++ b/App/StackExchange.DataExplorer/Models/UserAuthClaim.cs @@ -0,0 +1,113 @@ +using System; +using System.Collections.Generic; +using System.Text.RegularExpressions; + +namespace StackExchange.DataExplorer.Models +{ + public class UserAuthClaim + { + private static readonly Regex subdomainUsernameRegex = new Regex("https?://(?[^.]+)\\..*", RegexOptions.IgnoreCase | RegexOptions.Compiled); + private static readonly Regex pathUsernameRegex = new Regex("https?://[^/]+/(?[^/?]+)(?:/|\\?).*", RegexOptions.IgnoreCase | RegexOptions.Compiled); + private static readonly Dictionary knownProviders = new Dictionary + { + { "openid.stackexchange.com", new AuthProvider("Stack Exchange") }, + { "me.yahoo.com", new AuthProvider("Yahoo") }, + { ".livejournal.com", new AuthProvider("LiveJournal", usernameRegex: subdomainUsernameRegex) }, + { ".wordpress.com", new AuthProvider("Wordpress", usernameRegex: subdomainUsernameRegex) }, + { ".blogspot.com", new AuthProvider("Blogger", usernameRegex: subdomainUsernameRegex) }, + { ".pip.verisignlabs.com", new AuthProvider("Verisign", usernameRegex: subdomainUsernameRegex) }, + { "openid.aol.com", new AuthProvider("AOL", usernameRegex: pathUsernameRegex) }, + { "www.google.com", new AuthProvider("Google") } + }; + + public enum ClaimType + { + OpenID = 1, + Google = 2 + } + + public class Identifier + { + public readonly ClaimType Type; + public readonly string Value; + + public Identifier(String value, ClaimType type) + { + Value = value; + Type = type; + } + } + + public class AuthProvider + { + public string Name { get; private set; } + public string IconClass { get; private set; } + + private readonly Regex usernameRegex; + + public AuthProvider(string name, bool hasIcon = true, Regex usernameRegex = null) + { + Name = name; + + if (hasIcon) + IconClass = name.ToLower().Replace(" ", ""); + + this.usernameRegex = usernameRegex; + } + + public string GetUsername(string identifier) + { + if (usernameRegex == null) + return identifier; + + var username = usernameRegex.Match(identifier).Groups["username"]; + + return username != null ? username.Value : identifier; + } + } + + private string display; + private AuthProvider provider; + + public int Id { get; set; } + public int UserId { get; set; } + public string ClaimIdentifier { get; set; } + public bool IsSecure { get; set; } + public ClaimType IdentifierType { get; set; } + public string Display + { + get { return display ?? Provider.GetUsername(ClaimIdentifier); } + set { display = value; } + } + + public AuthProvider Provider { + get + { + if (provider == null) + { + switch (IdentifierType) + { + case ClaimType.Google: + provider = knownProviders["www.google.com"]; + break; + // case ClaimType.OpenID + default: + var uri = new Uri(ClaimIdentifier); + var host = uri.Host; + var subdomainIndex = host.IndexOf('.'); + + if (!knownProviders.ContainsKey(host) && subdomainIndex != -1 && subdomainIndex != host.LastIndexOf('.')) + { + host = host.Substring(subdomainIndex); + } + + provider = knownProviders.ContainsKey(host) ? knownProviders[host] : new AuthProvider(uri.Host, hasIcon: false); + break; + } + } + + return provider; + } + } + } +} \ No newline at end of file diff --git a/App/StackExchange.DataExplorer/Models/UserOpenId.cs b/App/StackExchange.DataExplorer/Models/UserOpenId.cs deleted file mode 100644 index 5a711529..00000000 --- a/App/StackExchange.DataExplorer/Models/UserOpenId.cs +++ /dev/null @@ -1,15 +0,0 @@ -using System; -using System.Collections.Generic; -using System.Linq; -using System.Web; - -namespace StackExchange.DataExplorer.Models -{ - public class UserOpenId - { - public int Id { get; set; } - public int UserId { get; set; } - public string OpenIdClaim { get; set; } - public bool IsSecure { get; set; } - } -} \ No newline at end of file diff --git a/App/StackExchange.DataExplorer/Models/_Database.Specific.cs b/App/StackExchange.DataExplorer/Models/_Database.Specific.cs index 02516fd2..e1a4e6ee 100644 --- a/App/StackExchange.DataExplorer/Models/_Database.Specific.cs +++ b/App/StackExchange.DataExplorer/Models/_Database.Specific.cs @@ -10,7 +10,7 @@ public class DataExplorerDatabase : Dapper.Database public Table Sites { get; private set; } public Table Users { get; private set; } public Table OpenIdWhiteList { get; private set; } - public Table UserOpenIds { get; private set; } + public Table UserAuthClaims { get; private set; } public Table Votes { get; private set; } public Table BlackList { get; private set; } public Table QuerySets { get; private set; } diff --git a/App/StackExchange.DataExplorer/StackExchange.DataExplorer.csproj b/App/StackExchange.DataExplorer/StackExchange.DataExplorer.csproj index d7747170..cc60d608 100644 --- a/App/StackExchange.DataExplorer/StackExchange.DataExplorer.csproj +++ b/App/StackExchange.DataExplorer/StackExchange.DataExplorer.csproj @@ -118,6 +118,11 @@ 3.5 + + + ..\packages\System.IdentityModel.Tokens.Jwt.4.0.2.206221351\lib\net45\System.IdentityModel.Tokens.Jwt.dll + True + False @@ -261,7 +266,7 @@ User.cs - + @@ -283,6 +288,7 @@ + login.less @@ -365,6 +371,7 @@ + @@ -480,6 +487,8 @@ + + 10.0 diff --git a/App/StackExchange.DataExplorer/Views/Account/LogIn.cshtml b/App/StackExchange.DataExplorer/Views/Account/LogIn.cshtml index 61dc6f37..5d05a32f 100644 --- a/App/StackExchange.DataExplorer/Views/Account/LogIn.cshtml +++ b/App/StackExchange.DataExplorer/Views/Account/LogIn.cshtml @@ -1,7 +1,8 @@ @using StackExchange.DataExplorer @using StackExchange.DataExplorer.Helpers +@using System.Web.Optimization; @{this.SetPageTitle("Log In or Register - Stack Exchange Data Explorer");} - +@Styles.Render("~/assets/css/login")
@if (ViewData["Message"] != null) { diff --git a/App/StackExchange.DataExplorer/Views/Shared/Master.cshtml b/App/StackExchange.DataExplorer/Views/Shared/Master.cshtml index cb27e28a..dc63df57 100644 --- a/App/StackExchange.DataExplorer/Views/Shared/Master.cshtml +++ b/App/StackExchange.DataExplorer/Views/Shared/Master.cshtml @@ -32,7 +32,7 @@ }); - +
diff --git a/App/StackExchange.DataExplorer/Views/Shared/SubHeader.cshtml b/App/StackExchange.DataExplorer/Views/Shared/SubHeader.cshtml index 1ab054dd..fcba7810 100644 --- a/App/StackExchange.DataExplorer/Views/Shared/SubHeader.cshtml +++ b/App/StackExchange.DataExplorer/Views/Shared/SubHeader.cshtml @@ -9,7 +9,7 @@ } @if (Model.Items != null) { -
+
@foreach (SubHeaderViewData item in Model.Items) { - - - -

- @Html.Raw(Model.Gravatar(128)) - Change Picture -

- - -

Registered User

-
- @Html.ValidationSummary(true) - @Html.AntiForgeryToken() - - - - - - - @if (AppSettings.EnableEnforceSecureOpenId) - { - - - - - } - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - @Html.TextBoxFor(model=>model.Login,new { style="width:260px;"}) - @Html.ValidationMessageFor(model=>model.Login) -
- - - -
- @Html.LabelFor(model=>model.Email) - - @Html.TextBoxFor(model=>model.Email,new {style = "width:260px;"}) - @Html.ValidationMessageFor(model=>model.Email) -
- @Html.LabelFor(model=>model.Website) - - @Html.TextBoxFor(model=>model.Website,new {style="width:260px"}) - @Html.ValidationMessageFor(model=>model.Website) -
- @Html.LabelFor(model=>model.Location) - - @Html.TextBoxFor(model=>model.Location,new {style="width:260px;"}) - @Html.ValidationMessageFor(mode=>Model.Location) -
- - - @Html.TextBoxFor(model=>model.DOB, string.Format("{0:g}", Model.DOB)) - @Html.ValidationMessageFor(model=>model.DOB) - YYYY/MM/DD -
- - - @Html.TextAreaFor(model=>model.AboutMe, new {rows=12, cols=56}) - @Html.ValidationMessageFor(model=>model.AboutMe) -
- - -
-
- - - - +@Html.Partial("ProfileNav", ViewData["ProfileNav"] as SubHeader) +
+

Edit your profile

+ + + + + + + +
+

+ @Html.Raw(Model.Gravatar(128)) + Change Picture +

+ 		+
+ @Html.ValidationSummary(true) + @Html.AntiForgeryToken() + + + + + + + @if (AppSettings.EnableEnforceSecureOpenId) + { + + + + + } + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + @Html.TextBoxFor(model => model.Login, new { style = "width:260px;" }) + @Html.ValidationMessageFor(model => model.Login) +
+ + + +
+ @Html.LabelFor(model => model.Email) + + @Html.TextBoxFor(model => model.Email, new { style = "width:260px;" }) + @Html.ValidationMessageFor(model => model.Email) +
+ @Html.LabelFor(model => model.Website) + + @Html.TextBoxFor(model => model.Website, new { style = "width:260px" }) + @Html.ValidationMessageFor(model => model.Website) +
+ @Html.LabelFor(model => model.Location) + + @Html.TextBoxFor(model => model.Location, new { style = "width:260px;" }) + @Html.ValidationMessageFor(mode => Model.Location) +
+ + + @Html.TextBoxFor(model => model.DOB, string.Format("{0:g}", Model.DOB)) + @Html.ValidationMessageFor(model => model.DOB) + YYYY/MM/DD +
+ + + @Html.TextAreaFor(model => model.AboutMe, new { rows = 12, cols = 56 }) + @Html.ValidationMessageFor(model => model.AboutMe) +
+ + +
+
+
+
diff --git a/App/StackExchange.DataExplorer/Views/User/Logins.cshtml b/App/StackExchange.DataExplorer/Views/User/Logins.cshtml new file mode 100644 index 00000000..c68a6fb6 --- /dev/null +++ b/App/StackExchange.DataExplorer/Views/User/Logins.cshtml @@ -0,0 +1,30 @@ + +@model User +@using StackExchange.DataExplorer +@using StackExchange.DataExplorer.Models +@using StackExchange.DataExplorer.ViewModel +@using System.Web.Optimization; +@{ + this.SetPageTitle("User " + Model.Login + " Logins - Stack Exchange Data Explorer"); +} +@Styles.Render("~/assets/css/login") +@Html.Partial("ProfileNav", ViewData["ProfileNav"] as SubHeader) +
+

My Logins

+ add login +
    + @foreach (var claim in Model.UserAuthClaims) + { + + } +
+
\ No newline at end of file diff --git a/App/StackExchange.DataExplorer/Views/User/ProfileNav.cshtml b/App/StackExchange.DataExplorer/Views/User/ProfileNav.cshtml new file mode 100644 index 00000000..e967a316 --- /dev/null +++ b/App/StackExchange.DataExplorer/Views/User/ProfileNav.cshtml @@ -0,0 +1,14 @@ +@model StackExchange.DataExplorer.ViewModel.SubHeader +
    + @foreach(var item in Model.Items) + { +
  • class="youarehere" + } + > + @item.Description +
    • + } +
\ No newline at end of file diff --git a/App/StackExchange.DataExplorer/Views/User/Show.cshtml b/App/StackExchange.DataExplorer/Views/User/Show.cshtml index 31c04677..22751040 100644 --- a/App/StackExchange.DataExplorer/Views/User/Show.cshtml +++ b/App/StackExchange.DataExplorer/Views/User/Show.cshtml @@ -1,6 +1,4 @@ @model StackExchange.DataExplorer.Models.User -@using System.Configuration -@using System.IdentityModel.Tokens @using StackExchange.DataExplorer @using StackExchange.DataExplorer.Helpers @using StackExchange.DataExplorer.ViewModel @@ -22,18 +20,7 @@ - @if (isCurrentUser || Current.User.IsAdmin) - { -
- edit - @if (isCurrentUser && AppSettings.AuthMethod == AppSettings.AuthenitcationMethod.Default) - { - | - change openid - } -
- } -

Registered User

+

@Model.Login

@@ -53,23 +40,6 @@ break; - //case AppSettings.AuthenitcationMethod.Default: - default: - if (Model.UserOpenIds.Any()) - { - - - - - } - else - { - - - - - } - break; } } @if (Model.Website != null && Model.Website.Length > 4) diff --git a/App/StackExchange.DataExplorer/packages.config b/App/StackExchange.DataExplorer/packages.config index 50e6d89e..2eb051a0 100644 --- a/App/StackExchange.DataExplorer/packages.config +++ b/App/StackExchange.DataExplorer/packages.config @@ -17,11 +17,12 @@ - + + \ No newline at end of file diff --git a/App/packages/System.IdentityModel.Tokens.Jwt.4.0.2.206221351/System.IdentityModel.Tokens.Jwt.4.0.2.206221351.nupkg b/App/packages/System.IdentityModel.Tokens.Jwt.4.0.2.206221351/System.IdentityModel.Tokens.Jwt.4.0.2.206221351.nupkg new file mode 100644 index 00000000..fdb057f0 Binary files /dev/null and b/App/packages/System.IdentityModel.Tokens.Jwt.4.0.2.206221351/System.IdentityModel.Tokens.Jwt.4.0.2.206221351.nupkg differ diff --git a/App/packages/System.IdentityModel.Tokens.Jwt.4.0.2.206221351/lib/net45/System.IdentityModel.Tokens.Jwt.Xml b/App/packages/System.IdentityModel.Tokens.Jwt.4.0.2.206221351/lib/net45/System.IdentityModel.Tokens.Jwt.Xml new file mode 100644 index 00000000..817f5bfe --- /dev/null +++ b/App/packages/System.IdentityModel.Tokens.Jwt.4.0.2.206221351/lib/net45/System.IdentityModel.Tokens.Jwt.Xml @@ -0,0 +1,2502 @@ + + + + System.IdentityModel.Tokens.Jwt + + + + + Helper class for adding DateTimes and Timespans. + + + + + Add a DateTime and a TimeSpan. + The maximum time is DateTime.MaxTime. It is not an error if time + timespan > MaxTime. + Just return MaxTime. + + Initial value. + to add. + as the sum of time and timespan. + + + + Gets the Maximum value for a DateTime specifying kind. + + DateTimeKind to use. + DateTime of specified kind. + + + + Gets the Minimum value for a DateTime specifying kind. + + DateTimeKind to use. + DateTime of specified kind. + + + + Error codes and messages + + + + + Serializes the list of strings into string as follows: + 'str1','str2','str3' ... + + + The strings used to build a comma delimited string. + + + The single . + + + + + Provides signing and verifying operations when working with an + + + + + This class defines the object model for types that provide signature services. + + + + + Produces a signature over the 'input' + + bytes to sign. + signed bytes + + + + Verifies that a signature created over the 'input' matches the signature. + + bytes to verify. + signature to compare against. + true if the computed signature matches the signature parameter, false otherwise. + + + + Calls and + + + + + Can be over written in descendants to dispose of internal components. + + true, if called from Dispose(), false, if invoked inside a finalizer + + + + Gets or sets a user context for a . + + + + + Initializes a new instance of the class used to create and verify signatures. + + + The that will be used for cryptographic operations. + + + The signature algorithm to apply. + + + If this is required to create signatures then set this to true. + + Creating signatures requires that the has access to a private key. + Verifying signatures (the default), does not require access to the private key. + + + + 'key' is null. + + + 'algorithm' is null. + + + 'algorithm' contains only whitespace. + + + willCreateSignatures is true and .KeySize is less than . + + + .KeySize is less than . Note: this is always checked. + + + Is thrown if the throws. + + + Is thrown if the returns null. + + + Is thrown if the throws. + + + Is thrown if the returns null. + + + Is thrown if the throws. + + + Is thrown if the returns null. + + + Is thrown if the throws. + + + Is thrown if the throws. + + + + + Produces a signature over the 'input' using the and algorithm passed to . + + bytes to be signed. + a signature over the input. + 'input' is null. + 'input.Length' == 0. + if has been called. + if the internal is null. This can occur if the constructor parameter 'willBeUsedforSigning' was not 'true'. + if the internal is null. This can occur if a derived type deletes it or does not create it. + + + + Verifies that a signature over the' input' matches the signature. + + the bytes to generate the signature over. + the value to verify against. + true if signature matches, false otherwise. + 'input' is null. + 'signature' is null. + 'input.Length' == 0. + 'signature.Length' == 0. + if has been called. + if the internal is null. This can occur if a derived type does not call the base constructor. + if the internal is null. This can occur if a derived type deletes it or does not create it. + + + + Calls to release this managed resources. + + true, if called from Dispose(), false, if invoked inside a finalizer. + + + + Encodes and Decodes strings as Base64Url encoding. + + + + + The following functions perform base64url encoding which differs from regular base64 encoding as follows + * padding is skipped so the pad character '=' doesn't have to be percent encoded + * the 62nd and 63rd regular base64 encoding characters ('+' and '/') are replace with ('-' and '_') + The changes make the encoding alphabet file and URL safe. + + string to encode. + Base64Url encoding of the UTF8 bytes. + + + + Converts a subset of an array of 8-bit unsigned integers to its equivalent string representation that is encoded with base-64-url digits. Parameters specify + the subset as an offset in the input array, and the number of elements in the array to convert. + + An array of 8-bit unsigned integers. + An offset in inArray. + The number of elements of inArray to convert. + The string representation in base 64 url encodingof length elements of inArray, starting at position offset. + 'inArray' is null. + offset or length is negative OR offset plus length is greater than the length of inArray. + + + + Converts a subset of an array of 8-bit unsigned integers to its equivalent string representation that is encoded with base-64-url digits. Parameters specify + the subset as an offset in the input array, and the number of elements in the array to convert. + + An array of 8-bit unsigned integers. + The string representation in base 64 url encodingof length elements of inArray, starting at position offset. + 'inArray' is null. + offset or length is negative OR offset plus length is greater than the length of inArray. + + + + Converts the specified string, which encodes binary data as base-64-url digits, to an equivalent 8-bit unsigned integer array. + base64Url encoded string. + UTF8 bytes. + + + + Decodes the string from Base64UrlEncoded to UTF8. + + string to decode. + UTF8 string. + + + + Defines the inbound and outbound mapping for claim claim types from jwt to .net claim + + + + + Initializes static members of the class. + + + + + Gets the InboundClaimTypeMap used by JwtSecurityTokenHandler when producing claims from jwt. + + + + + Gets the OutboundClaimTypeMap is used by JwtSecurityTokenHandler to shorten claim types when creating a jwt. + + + + + Provides common code for services to use in generating diagnostics and taking actions. + + + + + Returns true if the provided exception matches any of a list of hard system faults that should be allowed + through to outer exception handlers. + + The exception to check. + + Typically this method is used when there is a need to catch all exceptions, but to ensure that .NET runtime + and execution engine exceptions are not absorbed by the catch block. Use of this method also avoids FxCop + warnings about not using general catch blocks. + Please note that use of this method is expensive because of the amount of reflection it performs. + If you can refactor your code to catch more specific exceptions than Exception to avoid using this method, + you should. + Example of use: + + try + { + // Code needing a full Exception catch block + } + catch (Exception ex) + { + if (DiagnosticUtility.IsFatal(ex)) + { + throw; + } + // Perform any needed logging and handling for absorbed exception. + } + + + true if the exception should NOT be trapped + + + + Returns the absolute DateTime or the Seconds since Unix Epoch, where Epoch is UTC 1970-01-01T0:0:0Z. + + + + + DateTime as UTV for UnixEpoch + + + + + Per JWT spec: + Gets the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the desired date/time. + + The DateTime to convert to seconds. + if dateTimeUtc less than UnixEpoch, return 0 + the number of seconds since Unix Epoch. + + + + Creates a DateTime from epoch time. + + Number of seconds. + The DateTime in UTC. + + + + ISecurityTokenValidator + + + + + Returns true if the token can be read, false otherwise. + + + + + Validates a token passed as a string using + + + + + Gets and sets the maximum size in bytes, that a will be processed. + + + + + Interface that defines a simple cache for tacking replaying of security tokens. + + + + + Try to add a securityToken. + + the security token to add. + the time when security token expires. + true if the security token was successfully added. + + + + Try to find securityToken + + the security token to find. + true if the security token is found. + + + + Definition for a delegate that can be set on to control serialization of objects into JSON. + + Object to serialize + The serialized object. + + + + Definition for a delegate that can be set on to control deserialization JSON into objects. + + JSON to deserialize. + type expected. + The deserialized object. + + + + Dictionary extensions for serializations + + + + + Serializes an object to JSON. + + The object to serialize + the object as JSON. + + + + Deserialzes JSON into an instance of type T. + + the object type. + the JSON to deserialze. + a new instance of type T. + + + + Deserialzes JSON into an instance of . + + the JSON to deserialze. + a new instance . + + + + Deserialzes JSON into an instance of . + + the JSON to deserialze. + a new instance . + + + + Gets or sets a to use when serializing objects to JSON. + + if 'value' is null. + + + + Gets or sets a to use when deserializing objects from JSON. + + if 'value' is null. + + + + contains the element and attribute names used in config when parsing the JwtSecurityTokenHandler from XML. + + + + + Constants for Json Web tokens. + + + + + Short header type. + + + + + Long header type. + + + + + Short token type. + + + + + Long token type. + + + + + Token format: 'header.payload.signature'. Signature is optional, but '.' is required. + + + + + When mapping json to .Net Claim(s), if the value was not a string (or an enumeration of strings), the ClaimValue will serialized using the current JSON serializer, a property will be added with the .Net type and the ClaimTypeValue will be set to 'JsonClaimValueType'. + + + + + List of algorithms see: http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-26#section-3 + + + + + see: http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-26#section-3 + + + + + see: http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-26#section-3 + + + + + see: http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-26#section-3 + + + + + see: http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-26#section-3 + + + + + see: http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-26#section-3 + + + + + see: http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-26#section-3 + + + + + see: http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-26#section-3 + + + + + see: http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-26#section-3 + + + + + see: http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-26#section-3 + + + + + see: http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-26#section-3 + + + + + List of header parameter names see: http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-5. + + + + + see: http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-5 + + + + + see: http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-5 + + + + + see: http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-5 + + + + + see: http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-5 + + + + + see: http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-5 + + + + + see: http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-5 + + + + + see: http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-5 + + + + + see: http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-5 + + + + + see: http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-5 + + + + + List of registered claims from different sources + http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4 + http://openid.net/specs/openid-connect-core-1_0.html#IDToken + + + + + http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4 + + + + + http://openid.net/specs/openid-connect-core-1_0.html#IDToken + + + + + http://openid.net/specs/openid-connect-core-1_0.html#IDToken + + + + + http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4 + + + + + http://openid.net/specs/openid-connect-core-1_0.html#IDToken + + + + + http://openid.net/specs/openid-connect-core-1_0.html#IDToken + + + + + http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4 + + + + + http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4 + + + + + http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4 + + + + + http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4 + + + + + http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4 + + + + + http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4 + + + + + http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4 + + + + + http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4 + + + + + http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4 + + + + + http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4 + + + + + http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4 + + + + + http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4 + + + + + http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4 + + + + + http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4 + + + + + http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4 + + + + + http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4 + + + + + http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4 + + + + + http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4 + + + + + Initializes a new instance of which contains JSON objects representing the cryptographic operations applied to the JWT and optionally any additional properties of the JWT. + The member names within the JWT Header are referred to as Header Parameter Names. + These names MUST be unique and the values must be (s). The corresponding values are referred to as Header Parameter Values. + + + + + Initializes a new instance of the class. Default string comparer . + + + + + Initializes a new instance of the class. With the Header Parameters as follows: + { { typ, JWT }, { alg, Mapped( } } + See: Algorithm Mapping below. + + The that will be or were used to sign the . + + For each in signingCredentials.SigningKeyIdentifier + if the clause is a Header Parameter { clause.Name, clause.Id } will be added. + For example, if clause.Name == 'kid' and clause.Id == 'SecretKey99'. The JSON object { kid, SecretKey99 } would be added. + In addition, if the is a the JSON object { x5t, Base64UrlEncoded( } will be added. + This simplifies the common case where a X509Certificate is used. + ================= + Algorithm Mapping + ================= + describes the algorithm that is discoverable by the CLR runtime. + The { alg, 'value' } placed in the header reflects the JWT specification. + contains a signature mapping where the 'value' above will be translated according to this mapping. + Current mapping is: +     'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' => 'RS256' +     'http://www.w3.org/2001/04/xmldsig-more#hmac-sha256' => 'HS256' + + + + + Serializes this instance to JSON. + + this instance as JSON. + use to customize JSON serialization. + + + + Encodes this instance as Base64UrlEncoded JSON. + + Base64UrlEncoded JSON. + use to customize JSON serialization. + + + + Deserializes Base64UrlEncoded JSON into a instance. + + base64url encoded JSON to deserialize. + an instance of . + use to customize JSON serialization. + + + + Deserialzes JSON into a instance. + + the JSON to deserialize. + an instance of . + use to customize JSON serialization. + + + + Gets the signature algorithm that was used to create the signature. + + If the signature algorithm is not found, null is returned. + + + + Gets the passed in the constructor. + + This value may be null. + + + + Gets the mime type (Typ) of the token. + + If the mime type is not found, null is returned. + + + + Gets a that contains a for each key found. + + + Keys are identified by matching a 'Reserved Header Parameter Name' found in the in JSON Web Signature specification. + Names recognized are: jku, jkw, kid, x5c, x5t, x5u + 'x5t' adds a passing a the Base64UrlDecoded( Value ) to the constructor. + 'jku', 'jkw', 'kid', 'x5u', 'x5c' each add a with the { Name, Value } passed to the . + + If no keys are found, an empty will be returned. + + + + + Initializes a new instance of which contains JSON objects representing the claims contained in the JWT. Each claim is a JSON object of the form { Name, Value }. + + + + + Initializes a new instance of the class with no claims. Default string comparer . + Creates a empty + + + + + Initializes a new instance of the class with . Default string comparer . + the claims to add. + + + + + Initializes a new instance of the class with claims added for each parameter specified. Default string comparer . + + if this value is not null, a { iss, 'issuer' } claim will be added. + if this value is not null, a { aud, 'audience' } claim will be added + if this value is not null then for each a { 'Claim.Type', 'Claim.Value' } is added. If duplicate claims are found then a { 'Claim.Type', List<object> } will be created to contain the duplicate values. + if notbefore.HasValue is 'true' a { nbf, 'value' } claim is added. + if expires.HasValue is 'true' a { exp, 'value' } claim is added. + Comparison is set to + The 4 parameters: 'issuer', 'audience', 'notBefore', 'expires' take precednece over (s) in 'claims'. The values in 'claims' will be overridden. + if 'expires' <= 'notbefore'. + + + + Adds a JSON object representing the to the + + { 'Claim.Type', 'Claim.Value' } is added. If a JSON object is found with the name == then a { 'Claim.Type', List<object> } will be created to contain the duplicate values. + See for details on how is applied. + 'claim' is null. + + + + Adds a number of to the as JSON { name, value } pairs. + + for each a JSON pair { 'Claim.Type', 'Claim.Value' } is added. If duplicate claims are found then a { 'Claim.Type', List<object> } will be created to contain the duplicate values. + Each added will have translated according to the mapping found in . Adding and removing to + will affect the name component of the Json claim + Any in the that is null, will be ignored. + 'claims' is null. + + + + Gets the DateTime using the number of seconds from 1970-01-01T0:0:0Z (UTC) + + Claim in the payload that should map to an integer. + If the claim is not found, the function returns: DateTime.MinValue + + if an overflow exception is thrown by the runtime. + the DateTime representation of a claim. + + + + Serializes this instance to JSON. + + this instance as JSON. + use to customize JSON serialization. + + + + Encodes this instance as Base64UrlEncoded JSON. + + Base64UrlEncoded JSON. + use to customize JSON serialization. + + + + Deserializes Base64UrlEncoded JSON into a instance. + + base64url encoded JSON to deserialize. + an instance of . + use to customize JSON serialization. + + + + Deserialzes JSON into a instance. + + the JSON to deserialize. + an instance of . + use to customize JSON serialization. + + + + Gets the 'value' of the 'actor' claim { actort, 'value' }. + + If the 'actor' claim is not found, null is returned. + + + + Gets the 'value' of the 'acr' claim { acr, 'value' }. + + If the 'acr' claim is not found, null is returned. + + + + Gets the 'value' of the 'amr' claim { amr, 'value' }. + + If the 'amr' claim is not found, null is returned. + + + + Gets the 'value' of the 'auth_time' claim { auth_time, 'value' }. + + If the 'auth_time' claim is not found, null is returned. + + + + Gets the 'value' of the 'audience' claim { aud, 'value' } as a list of strings. + + If the 'audience' claim is not found, an empty enumerable is returned. + + + + Gets the 'value' of the 'azp' claim { azp, 'value' }. + + If the 'azp' claim is not found, null is returned. + + + + Gets 'value' of the 'c_hash' claim { c_hash, 'value' }. + + If the 'c_hash' claim is not found, null is returned. + + + + Gets the 'value' of the 'expiration' claim { exp, 'value' }. + + If the 'expiration' claim is not found OR could not be converted to , null is returned. + + + + Gets the 'value' of the 'JWT ID' claim { jti, 'value' }. + + If the 'JWT ID' claim is not found, null is returned. + + + + Gets the 'value' of the 'Issued At' claim { iat, 'value' }. + + If the 'Issued At' claim is not found OR cannot be converted to null is returned. + + + + Gets 'value' of the 'issuer' claim { iss, 'value' }. + + If the 'issuer' claim is not found, null is returned. + + + + Gets the 'value' of the 'expiration' claim { nbf, 'value' }. + + If the 'notbefore' claim is not found OR could not be converted to , null is returned. + + + + Gets 'value' of the 'nonce' claim { nonce, 'value' }. + + If the 'nonce' claim is not found, null is returned. + + + + Gets "value" of the 'subject' claim { sub, 'value' }. + + If the 'subject' claim is not found, null is returned. + + + + Gets 'value' of the 'notbefore' claim { nbf, 'value' } converted to a assuming 'value' is seconds since UnixEpoch (UTC 1970-01-01T0:0:0Z). + + If the 'notbefore' claim is not found, then is returned. + + + + Gets 'value' of the 'expiration' claim { exp, 'value' } converted to a assuming 'value' is seconds since UnixEpoch (UTC 1970-01-01T0:0:0Z). + + If the 'expiration' claim is not found, then is returned. + + + + Gets a for each JSON { name, value }. + + Each (s) returned will have the translated according to the mapping found in . Adding and removing to will affect the value of the . + and will be set to the value of ( if null). + + + + A designed for representing a JSON Web Token (JWT). + + + + + Initializes a new instance of from a string in JWS Compact serialized format. + + A JSON Web Token that has been serialized in JWS Compact serialized format. + 'jwtEncodedString' is null. + 'jwtEncodedString' contains only whitespace. + 'jwtEncodedString' is not in JWS Compact serialized format. + + The contents of this have not been validated, the JSON Web Token is simply decoded. Validation can be accomplished using + + + + + Initializes a new instance of the class where the contains the crypto algorithms applied to the encoded and . The jwtEncodedString is the result of those operations. + + Contains JSON objects representing the cryptographic operations applied to the JWT and optionally any additional properties of the JWT + Contains JSON objects representing the claims contained in the JWT. Each claim is a JSON object of the form { Name, Value } + base64urlencoded JwtHeader + base64urlencoded JwtPayload + base64urlencoded JwtSignature + 'header' is null. + 'payload' is null. + 'rawSignature' is null. + 'rawHeader' or 'rawPayload' is null or whitespace. + + + + Initializes a new instance of the class where the contains the crypto algorithms applied to the encoded and . The jwtEncodedString is the result of those operations. + + Contains JSON objects representing the cryptographic operations applied to the JWT and optionally any additional properties of the JWT + Contains JSON objects representing the claims contained in the JWT. Each claim is a JSON object of the form { Name, Value } + 'header' is null. + 'payload' is null. + + + + Initializes a new instance of the class specifying optional parameters. + + if this value is not null, a { iss, 'issuer' } claim will be added. + if this value is not null, a { aud, 'audience' } claim will be added + if this value is not null then for each a { 'Claim.Type', 'Claim.Value' } is added. If duplicate claims are found then a { 'Claim.Type', List<object> } will be created to contain the duplicate values. + if expires.HasValue a { exp, 'value' } claim is added. + if notbefore.HasValue a { nbf, 'value' } claim is added. + The that will be used to sign the . See for details pertaining to the Header Parameter(s). + if 'expires' <= 'notbefore'. + + + + Serializes the and + + A string containing the header and payload in JSON format + + + + Decodes the string into the header, payload and signature + + Base64Url encoded string. + + + + Gets the 'value' of the 'actor' claim { actort, 'value' }. + + If the 'actor' claim is not found, null is returned. + + + + Gets the list of 'audience' claim { aud, 'value' }. + + If the 'audience' claim is not found, enumeration will be empty. + + + + Gets the (s) for this token. + + (s) returned will NOT have the translated according to + + + + Gets the Base64UrlEncoded associated with this instance. + + + + + Gets the Base64UrlEncoded associated with this instance. + + + + + Gets the associated with this instance. + + + + + Gets the 'value' of the 'JWT ID' claim { jti, ''value' }. + + If the 'JWT ID' claim is not found, null is returned. + + + + Gets the 'value' of the 'issuer' claim { iss, 'value' }. + + If the 'issuer' claim is not found, null is returned. + + + + Gets the associated with this instance. + + + + + Gets the original raw data of this instance when it was created. + + The original JSON Compact serialized format passed to one of the two constructors + or + + + + Gets the original raw data of this instance when it was created. + + The original JSON Compact serialized format passed to one of the two constructors + or + + + + Gets the original raw data of this instance when it was created. + + The original JSON Compact serialized format passed to one of the two constructors + or + + + + Gets the original raw data of this instance when it was created. + + The original JSON Compact serialized format passed to one of the two constructors + or + + + + Gets the s for this instance. + + By default an empty collection is returned. + + + + Gets the signature algorithm associated with this instance. + + if there is a associated with this instance, a value will be returned. Null otherwise. + + + + Gets the associated with this instance. + + + + + Gets or sets the that signed this instance. + + .ValidateSignature(...) sets this value when a is used to successfully validate a signature. + + + + Gets or sets the that contains a that signed this instance. + + .ValidateSignature(...) sets this value when a is used to successfully validate a signature. + + + + Gets "value" of the 'subject' claim { sub, 'value' }. + + If the 'subject' claim is not found, null is returned. + + + + Gets 'value' of the 'notbefore' claim { nbf, 'value' } converted to a assuming 'value' is seconds since UnixEpoch (UTC 1970-01-01T0:0:0Z). + + If the 'notbefore' claim is not found, then is returned. + + + + Gets 'value' of the 'expiration' claim { exp, 'value' } converted to a assuming 'value' is seconds since UnixEpoch (UTC 1970-01-01T0:0:0Z). + + If the 'expiration' claim is not found, then is returned. + + + + A designed for creating and validating Json Web Tokens. See http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-07. + + + + + Default lifetime of tokens created. When creating tokens, if 'expires' and 'notbefore' are both null, then a default will be set to: expires = DateTime.UtcNow, notbefore = DateTime.UtcNow + TimeSpan.FromMinutes(TokenLifetimeInMinutes). + + + + + Initializes a new instance of the class. + + + + + Obsolete method, use when processing tokens. + + use . when processing tokens. + + + + Determines if the is positioned on a well formed <BinarySecurityToken> element. + + positioned at xml. + + 'true' if the reader is positioned at an element <BinarySecurityToken>. + in the namespace: 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' + With an attribute of 'valueType' equal to one of: +     "urn:ietf:params:oauth:token-type:jwt", "JWT" + + For example: <wsse:BinarySecurityToken valueType = "JWT"> ... + + 'false' otherwise. + + The 'EncodingType' attribute is optional, if it is set, it must be equal to: "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary". + 'reader' is null. + + + + Determines if the string is a well formed Json Web token (see http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-07) + + string that should represent a valid JSON Web Token. + Uses ( token, @"^[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]*$" ). + + + 'true' if the token is in JSON compact serialization format. + 'false' if token.Length * 2 > . + + 'tokenString' is null. + + + + Creating is not NotSupported. + + to create a . + + + + Creates a based on values found in the . + + Contains the parameters used to create the token. + A . + + If is not null, will be signed. + + 'tokenDescriptor' is null. + + + + Uses the constructor, first creating the and . + If is not null, will be signed. + + the issuer of the token. + the audience for this token. + the source of the (s) for this token. + the notbefore time for this token. + the expiration time for this token. + contains cryptographic material for generating a signature. + optional . + If is not null, then a claim { actort, 'value' } will be added to the payload. for details on how the value is created. + See for details on how the HeaderParameters are added to the header. + See for details on how the values are added to the payload. + If signautureProvider is not null, then it will be used to create the signature and will not be called. + A . + if 'expires' <= 'notBefore'. + + + + Gets the token type identifier(s) supported by this handler. + + A collection of strings that identify the tokens this instance can handle. + When receiving a wrapped inside a <wsse:BinarySecurityToken> element. The <wsse:BinarySecurityToken> element must have the ValueType attribute set to one of these values + in order for this handler to recognize that it can read the token. + + + + Reads a JSON web token wrapped inside a WS-Security BinarySecurityToken xml element. + + The pointing at the jwt. + An instance of + First calls .CanReadToken + The reader must be positioned at an element named: + BinarySecurityToken'. + in the namespace: 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' + with a 'ValueType' attribute equal to one of: "urn:ietf:params:oauth:token-type:jwt", "JWT". + + For example <wsse:BinarySecurityToken valueType = "JWT"> ... + + + The 'EncodingType' attribute is optional, if it is set, it must be equal to: "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" + + + 'reader' is null. + if returns false. + + + + Reads a token encoded in JSON Compact serialized format. + + A 'JSON Web Token' (JWT) that has been encoded as a JSON object. May be signed + using 'JSON Web Signature' (JWS). + + The JWT must be encoded using Base64Url encoding of the UTF-8 representation of the JWT: Header, Payload and Signature. + The contents of the JWT returned are not validated in any way, the token is simply decoded. Use ValidateToken to validate the JWT. + + A + + + + Obsolete method, use . + + use . + + + + Reads and validates a token encoded in JSON Compact serialized format. + + A 'JSON Web Token' (JWT) that has been encoded as a JSON object. May be signed using 'JSON Web Signature' (JWS). + Contains validation parameters for the . + The that was validated. + 'securityToken' is null or whitespace. + 'validationParameters' is null. + 'securityToken.Length' > . + A from the jwt. Does not include the header claims. + + + + Writes the wrapped in a WS-Security BinarySecurityToken using the . + + used to write token. + The that will be written. + 'writer' is null. + 'token' is null. + 'token' is not a not . + The current contents are encoded. If is not null, the encoding will contain a signature. + + + + Writes the as a JSON Compact serialized format string. + + to serialize. + + If the are not null, the encoding will contain a signature. + + 'token' is null. + 'token' is not a not . + The as a signed (if exist) encoded string. + + + + Produces a signature over the 'input' using the and algorithm specified. + + string to be signed + the to use. + the algorithm to use. + if provided, the will be used to sign the token + The signature over the bytes obtained from UTF8Encoding.GetBytes( 'input' ). + The used to created the signature is obtained by calling . + 'input' is null. + returns null. + + + + Validates that the signature, if found and / or required is valid. + + A 'JSON Web Token' (JWT) that has been encoded as a JSON object. May be signed + using 'JSON Web Signature' (JWS). + that contains signing keys. + thrown if 'token is null or whitespace. + thrown if 'validationParameters is null. + thrown if a signature is not found and is true. + thrown if the 'token' has a key identifier and none of the (s) provided result in a validated signature. + This can indicate that a key refresh is required. + thrown if after trying all the (s), none result in a validated signture AND the 'token' does not have a key identifier. + that has the signature validated if token was signed and is true. + If the 'token' is signed, the signature is validated even if is false. + If the 'token' signature is validated, then the will be set to the key that signed the 'token'. + + + + Produces a readable string for a key, used in error messages. + + + + + + + Creates a from a . + + The to use as a source. + The value to set + contains parameters for validating the token. + A containing the . + + + + Creates the 'value' for the actor claim: { actor, 'value' } + + as actor. + representing the actor. + If is not null: +   if 'type' is 'string', return as string. +   if 'type' is 'BootstrapContext' and 'BootstrapContext.SecurityToken' is 'JwtSecurityToken' +     if 'JwtSecurityToken.RawData' != null, return RawData. +     else return . +   if 'BootstrapContext.Token' != null, return 'Token'. + default: new ( ( actor.Claims ). + + 'actor' is null. + + + + Determines if the audiences found in a are valid. + + The audiences found in the . + The being validated. + required for validation. + see for additional details. + + + + Validates the lifetime of a . + + The value of the 'nbf' claim if it exists in the 'jwt'. + The value of the 'exp' claim if it exists in the 'jwt'. + The being validated. + required for validation. + for additional details. + + + + Determines if an issuer found in a is valid. + + The issuer to validate + The that is being validated. + required for validation. + The issuer to use when creating the (s) in the . + for additional details. + + + + Returns a to use when validating the signature of a token. + + the representation of the token that is being validated. + the that is being validated. + the found in the token. + A required for validation. + Returns a to use for signature validation. + if 'keyIdentifier' is null. + if 'validationParameters' is null. + If key fails to resolve, then null is returned + + + + Validates the is an expected value. + + The that signed the . + The to validate. + the current . + If the is a then the X509Certificate2 will be validated using . + + + Gets or sets the used to map Inbound Cryptographic Algorithms. + Strings that describe Cryptographic Algorithms that are understood by the runtime are not necessarily the same values used in the JsonWebToken specification. + When a signature is validated, the algorithm is obtained from the HeaderParameter { alg, 'value' }. + The 'value' is translated according to this mapping and the translated 'value' is used when performing cryptographic operations. + Default mapping is: +     RS256 => http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 +     HS256 => http://www.w3.org/2001/04/xmldsig-more#hmac-sha256 + + 'value' is null. + + + Gets or sets the used to map Outbound Cryptographic Algorithms. + Strings that describe Cryptographic Algorithms understood by the runtime are not necessarily the same in the JsonWebToken specification. + This property contains mappings the will be used to when creating a and setting the HeaderParameter { alg, 'value' }. + The 'value' set is translated according to this mapping. + + Default mapping is: +     http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 => RS256 +     http://www.w3.org/2001/04/xmldsig-more#hmac-sha256 => HS256 + + 'value' is null. + + + + Gets or sets the that is used when setting the for claims in the extracted when validating a . + The is set to the JSON claim 'name' after translating using this mapping. + + 'value is null. + + + + Gets or sets the that is used when creating a from (s). + The JSON claim 'name' value is set to after translating using this mapping. + + This mapping is applied only when using or . Adding values directly will not result in translation. + 'value is null. + + + Gets or sets the used to filter claims when populating a claims form a . + When a is validated, claims with types found in this will not be added to the . + 'value' is null. + + + + Gets or sets the property name of the will contain the original JSON claim 'name' if a mapping occurred when the (s) were created. + See for more information. + + if .IsIsNullOrWhiteSpace('value') is true. + + + + Gets or sets the property name of the will contain .Net type that was recogninzed when JwtPayload.Claims serialized the value to JSON. + See for more information. + + if .IsIsNullOrWhiteSpace('value') is true. + + + + Returns 'true' which indicates this instance can validate a . + + + + + Returns 'true', which indicates this instance can write . + + + + + Gets and sets the token lifetime in minutes. + + 'value' less than 1. + + + + Gets and sets the maximum size in bytes, that a will be processed. + + 'value' less than 1. + + + + Gets or sets the for creating (s). + + This extensibility point can be used to insert custom (s). + is called to obtain a (s) when needed. + 'value' is null. + + + + Gets the supported by this handler. + + + + + represents a collection of named sets of (s) that can be matched by a + and return a that contains (s). + + + + + Initializes a new instance of the class. + + + + + Initializes a new instance of the class. + Populates this instance with a named collection of (s) and an optional that will be called when a + or cannot be resolved. + + + A named collection of (s). + + + A to call when resolving fails, before calling base. + + + if 'keys' is null an empty collection will be created. A named collection of (s) can be added by accessing the property . + + + + + Populates the from xml. + + xml for processing. + 'nodeList' is null. + Only (s) with == 'securityKey' will be processed. Unprocessed nodes will added to a list and can be accessed using the property. + + + + When processing xml in each that has = "securityKey' is passed here for processing. + + contains xml to map to a named . + + A single is expected with up to three attributes: {'expected values'}. + <securityKey +     symmetricKey {required} +     name {required} +     EncodingType or encodingType {optional} + > + </securityKey> + If "EncodingType' type is specified only: +     'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary' +     'Base64Binary' +     'base64Binary' + are allowed and have the same meaning. + When a symmetricKey is found, Convert.FromBase64String( value ) is applied to create the key. + + 'element' is null. + attribute 'symmetricKey' is not found. + value of 'symmetricKey' is empty or whitespace. + attribute 'name' is not found. + value of 'name' is empty or whitespace. + value of 'encodingType' is not valid. + + + + Finds the first in a named collection that match the . + + + The to resolve to a + + + The resolved . + + + If there is no match, then and 'base' are called in order. + + + true if key resolved, false otherwise. + + + + + Finds a named collection of (s) that match the and returns a that contains the (s). + + The to resolve to a + The resolved . + + + A can contain multiple (s). This method will return the named collection that matches the first + + + If there is no match, then and 'base' are called in order. + + + + true is the keyIdentifier is resolved, false otherwise. + + + + + Finds a named collection of (s) that match the and returns a that contains the (s). + + The to resolve to a + The resolved . + If there is no match, then and 'base' are called in order. + true if token was resolved. + if 'keyIdentifierClause' is null. + + + + Gets the named collection of (s). + + + + + Gets or sets the to call when or fails to resolve, before calling base. + + 'value' is null. + 'object.ReferenceEquals( this, value)' is true. + + + + Gets the unprocessed (s) from . + + processes only (s) that have the == 'securityKey'. Unprocessed (s) are accessible here. + + + + A that can be used to match . + + + + + Initializes a new instance of the class. The 'name' for matching key identifiers found in the securityToken. + + Used to identify a named collection of keys. + Additional information for matching. + if 'name' is null or whitespace. + if 'id' is null or whitespace + + + + Determines if a matches this instance. + + The to match. + true if: +     1. keyIdentifierClause is a . +     2. string.Equals( keyIdentifierClause.Name, this.Name, StringComparison.Ordinal). +     2. string.Equals( keyIdentifierClause.Id, this.Id, StringComparison.Ordinal). + Otherwise calls base.Matches( keyIdentifierClause ). + + 'keyIdentifierClause' is null. + + + + Gets the name of the (s) this represents. + + + + + A that contains multiple that have a name. + + + + + Initializes a new instance of the class that contains a single . + + A name for the . + the identifier for this token. + A + if 'name' is null or whitespace. + if 'id' is null or whitespace. + if 'key' is null. + + + + Initializes a new instance of the class that contains a (System.IdentityModel.Tokens.SecurityKey) that can be matched by name. + + the identifier for this token. + A name for the (System.IdentityModel.Tokens.SecurityKey). + A collection of + if 'name' is null or whitespace. + if 'id' is null or whitespace. + if 'keys' is null. + + + + Gets the first that matches a + + the to match. + The first that matches the . + null if there is no match. + Only are matched. + 'keyIdentifierClause' is null. + + + + Answers if the is a match. + + The + true if matched. + A successful match occurs when == . + Only are matched. + 'keyIdentifierClause' is null. + + + + Gets the id of the security token. + + + + + Gets the Name of the security token. + + + + + Gets the creation time as a . + + The default is: . + + + + Gets the expiration time as a + + The default is: . + + + + Gets the (s). + + + + + This exception is thrown when 'audience' of a token was not valid. + + + + + Initializes a new instance of the class. + + + + + Initializes a new instance of the class. + + Addtional information to be included in the exception and displayed to user. + + + + Initializes a new instance of the class. + + Addtional information to be included in the exception and displayed to user. + A that represents the root cause of the exception. + + + + Initializes a new instance of the class. + + the that holds the serialized object data. + The contextual information about the source or destination. + + + + This exception is thrown when 'issuer' of a token was not valid. + + + + + Initializes a new instance of the class. + + + + + Initializes a new instance of the class. + + Addtional information to be included in the exception and displayed to user. + + + + Initializes a new instance of the class. + + Addtional information to be included in the exception and displayed to user. + A that represents the root cause of the exception. + + + + Initializes a new instance of the class. + + the that holds the serialized object data. + The contextual information about the source or destination. + + + + This exception is thrown when 'lifetime' of a token was not valid. + + + + + Initializes a new instance of the class. + + + + + Initializes a new instance of the class. + + Addtional information to be included in the exception and displayed to user. + + + + Initializes a new instance of the class. + + Addtional information to be included in the exception and displayed to user. + A that represents the root cause of the exception. + + + + Initializes a new instance of the class. + + the that holds the serialized object data. + The contextual information about the source or destination. + + + + This exception is thrown when a security is missing an ExpirationTime. + + + + + Initializes a new instance of the class. + + + + + Initializes a new instance of the class. + + Addtional information to be included in the exception and displayed to user. + + + + Initializes a new instance of the class. + + Addtional information to be included in the exception and displayed to user. + A that represents the root cause of the exception. + + + + Initializes a new instance of the class. + + the that holds the serialized object data. + The contextual information about the source or destination. + + + + This exception is thrown when an add to the TokenReplayCache fails. + + + + + Initializes a new instance of the class. + + + + + Initializes a new instance of the class. + + Addtional information to be included in the exception and displayed to user. + + + + Initializes a new instance of the class. + + Addtional information to be included in the exception and displayed to user. + A that represents the root cause of the exception. + + + + Initializes a new instance of the class. + + the that holds the serialized object data. + The contextual information about the source or destination. + + + + This exception is thrown when a security token contained a key identifier but the key was not found by the runtime. + + + + + Initializes a new instance of the class. + + + + + Initializes a new instance of the class. + + Addtional information to be included in the exception and displayed to user. + + + + Initializes a new instance of the class. + + Addtional information to be included in the exception and displayed to user. + A that represents the root cause of the exception. + + + + Initializes a new instance of the class. + + the that holds the serialized object data. + The contextual information about the source or destination. + + + + Creates s by specifying a and algorithm. + Supports both and . + + + + + This is the minimum .KeySize when creating signatures. + + + + + This is the minimum .KeySize when verifying signatures. + + + + + This is the minimum .KeySize when creating and verifying signatures. + + + + + Creates a that supports the and algorithm. + + + The to use for signing. + + + The algorithm to use for signing. + + + 'key' is null. + + + 'algorithm' is null. + + + 'algorithm' contains only whitespace. + + + '' is smaller than . + + + '' is smaller than . + + + '' is not a or a . + + + AsymmetricSignatureProviders require access to a PrivateKey for Signing. + + + The . + + + + + Returns a instance supports the and algorithm. + + + The to use for signing. + + + The algorithm to use for signing. + + + 'key' is null. + + + 'algorithm' is null. + + + 'algorithm' contains only whitespace. + + + '' is smaller than . + + + '' is smaller than . + + + '' is not a or a . + + + The . + + + + + When finished with a call this method for cleanup. The default behavior is to call + + to be released. + + + + Gets or sets the minimum .KeySize"/>. + + 'value' is smaller than . + + + + Gets or sets the minimum .KeySize for creating signatures. + + 'value' is smaller than . + + + + Gets or sets the minimum .KeySize for verifying signatures. + 'value' is smaller than . + + + + + Provides signing and verifying operations using a and specifying an algorithm. + + + + + Initializes a new instance of the class that uses an to create and / or verify signatures over a array of bytes. + + The used for signing. + The signature algorithm to use. + 'key' is null. + 'algorithm' is null. + 'algorithm' contains only whitespace. + '.KeySize' is smaller than . + throws. + returns null. + throws. + + + + Produces a signature over the 'input' using the and 'algorithm' passed to . + + bytes to sign. + signed bytes + 'input' is null. + 'input.Length' == 0. + has been called. + is null. This can occur if a derived type deletes it or does not create it. + + + + Verifies that a signature created over the 'input' matches the signature. Using and 'algorithm' passed to . + + bytes to verify. + signature to compare against. + true if computed signature matches the signature parameter, false otherwise. + 'input' is null. + 'signature' is null. + 'input.Length' == 0. + 'signature.Length' == 0. + has been called. + if the internal is null. This can occur if a derived type deletes it or does not create it. + + + + Disposes of internal components. + + true, if called from Dispose(), false, if invoked inside a finalizer. + + + + Compares two byte arrays for equality. Hash size is fixed normally it is 32 bytes. + The attempt here is to take the same time if an attacker shortens the signature OR changes some of the signed contents. + + + One set of bytes to compare. + + + The other set of bytes to compare with. + + + true if the bytes are equal, false otherwise. + + + + + Definition for AudienceValidator. + + The audiences found in the . + The being validated. + required for validation. + + + + Definition for IssuerSigningKeyRetriever. When validating signatures, this method will return key to use. + + the representation of the token that is being validated. + the that is being validated. It may be null. + the found in the token. It may be null. + required for validation. + + + + + Definition for IssuerValidator. + + The issuer to validate. + The that is being validated. + required for validation. + The issuer to use when creating the "Claim"(s) in a "ClaimsIdentity". + + + + Definition for LifetimeValidator. + + The 'notBefore' time found in the . + The 'expiration' time found in the . + The being validated. + required for validation. + + + + Contains a set of parameters that are used by a when validating a . + + + + + Default for the maximm token size. + + 2 MB (mega bytes). + + + + This is the fallback authenticationtype that a will use if nothing is set. + + + + + Default for the clock skew. + + 300 seconds (5 minutes). + + + + Copy constructor for . + + + + + Initializes a new instance of the class. + + + + + Returns a new instance of with values copied from this object. + + A new object copied from this object + This is a shallow Clone. + + + + Creates a using: + + 'NameClaimType' is calculated: If NameClaimTypeRetriever call that else use NameClaimType. If the result is a null or empty string, use . + 'RoleClaimType' is calculated: If RoleClaimTypeRetriever call that else use RoleClaimType. If the result is a null or empty string, use . + + A with Authentication, NameClaimType and RoleClaimType set. + + + + Gets or sets a delegate that will be used to validate the audience of the tokens + + + + + Gets or sets the AuthenticationType when creating a during token validation. + + if 'value' is null or whitespace. + + + + Gets or sets the for validating X509Certificate2(s). + + + + + Gets or sets the that is to be used for decrypting inbound tokens. + + if 'value' is null. + + + + Gets or sets the clock skew to apply when validating times + + if 'value' is less than 0. + + + + Gets or sets the that is to be used for validating signed tokens. + + + + + Gets or sets the that is to be used for validating signed tokens. + + + + + Gets or sets a delegate that will be used to retreive (s) used for checking signatures. + + Each will be used to check the signature. Returning multiple key can be helpful when the does not contain a key identifier. + This can occur when the issuer has multiple keys available. This sometimes occurs during key rollover. + + + + Gets or sets the that are to be used for validating signed tokens. + + + + + Gets or sets the that is used for validating signed tokens. + + + + + Gets or sets the that are to be used for validating signed tokens. + + + + + Gets or sets a delegate that will be used to validate the issuer of the token. The delegate returns the issuer to use. + + + + + Gets or sets a delegate that will be used to validate the lifetime of the token + + + + + Gets or sets the passed to . + + + Controls the value returns. It will return the first where the equals . + + + + + Gets or sets the passed to . + + + Controls the (s) returned from . + Each returned will have a equal to . + + + + + Gets or sets a delegate that will be called to obtain the NameClaimType to use when creating a ClaimsIdentity + when validating a token. + + + + + Gets or sets a value indicating whether tokens must have an 'expiration' value. + + + + + Gets or sets a value indicating whether a can be valid if not signed. + + + + + Gets or sets a delegate that will be called to obtain the RoleClaimType to use when creating a ClaimsIdentity + when validating a token. + + + + + Gets or sets a boolean to control if the original token is saved when a session is created. /// + The SecurityTokenValidator will use this value to save the orginal string that was validated. + + + + Gets or set the that will be checked to help in detecting that a token has been 'seen' before. + + + + + Gets or sets a value indicating whether the should be validated. + + + + + Gets or sets a boolean to control if the audience will be validated during token validation. + + + + + Gets or sets a boolean to control if the issuer will be validated during token validation. + + + + + Gets or sets a boolean to control if the lifetime will be validated during token validation. + + + + + Gets or sets a boolean that controls if validation of the that signed the securityToken is called. + + + + + Gets or sets a string that represents a valid audience that will be used during token validation. + + + + + Gets or sets the that contains valid audiences that will be used during token validation. + + + + + Gets or sets a that represents a valid issuer that will be used during token validation. + + + + + Gets or sets the that contains valid issuers that will be used during token validation. + + + + + AudienceValidator + + + + + Determines if the audiences found in a are valid. + + The audiences found in the . + The being validated. + required for validation. + if 'vaidationParameters' is null. + if 'audiences' is null and is true. + if is null or whitespace and is null. + if none of the 'audiences' matched either or one of . + An EXACT match is required. + + + + Determines if an issuer found in a is valid. + + The issuer to validate + The that is being validated. + required for validation. + The issuer to use when creating the "Claim"(s) in a "ClaimsIdentity". + if 'vaidationParameters' is null. + if 'issuer' is null or whitespace and is true. + if is null or whitespace and is null. + if 'issuer' failed to matched either or one of . + An EXACT match is required. + + + + Validates the that signed a . + + The that signed the . + The being validated. + required for validation. + if 'vaidationParameters' is null. + + + + Validates the lifetime of a . + + The 'notBefore' time found in the . + The 'expiration' time found in the . + The being validated. + required for validation. + if 'vaidationParameters' is null. + if 'expires.HasValue' is false and is true. + if 'notBefore' is > 'expires'. + if 'notBefore' is > DateTime.UtcNow. + if 'expires' is < DateTime.UtcNow. + All time comparisons apply . + + + + Validates if a token has been replayed. + + The being validated. + When does the security token expire. + required for validation. + if 'securityToken' is null or whitespace. + if 'validationParameters' is null or whitespace. + if is not null and expirationTime.HasValue is false. When a TokenReplayCache is set, tokens require an expiration time. + if the 'securityToken' is found in the cache. + if the 'securityToken' could not be added to the . + + + + Defines constants needed from WS-Security 1.0. + + + + + Defines constants needed from WS-SecureUtility standard schema. + + + + + This class also resets the chainPolicy.VerificationTime = DateTime.Now each time a certificate is validated otherwise certificates created after the validator is created will not chain. + + + + + Initializes a new instance of the class. + + + The certificate validation mode. + + + The revocation mode. + + + The trusted store location. + + thrown if the certificationValidationMode is custom or unknown. + + + + + Validates a . + + + The to validate. + + + + + Security key that allows access to cert + + + + + Instantiates a using a + + cert to use. + + + + Gets the . + + + + diff --git a/App/packages/System.IdentityModel.Tokens.Jwt.4.0.2.206221351/lib/net45/System.IdentityModel.Tokens.Jwt.dll b/App/packages/System.IdentityModel.Tokens.Jwt.4.0.2.206221351/lib/net45/System.IdentityModel.Tokens.Jwt.dll new file mode 100644 index 00000000..384dfaf1 Binary files /dev/null and b/App/packages/System.IdentityModel.Tokens.Jwt.4.0.2.206221351/lib/net45/System.IdentityModel.Tokens.Jwt.dll differ diff --git a/Migrations/055 - Make UserOpenIds generic.sql b/Migrations/055 - Make UserOpenIds generic.sql new file mode 100644 index 00000000..4d867fa1 --- /dev/null +++ b/Migrations/055 - Make UserOpenIds generic.sql @@ -0,0 +1,40 @@ +IF OBJECT_ID('UserAuthClaims') IS NULL +BEGIN + EXEC sp_rename 'UserOpenIds', 'UserAuthClaims' +END + +GO + +IF dbo.fnIndexExists('UserAuthClaims', 'OpenIdClaimIdx') = 1 +BEGIN + DROP INDEX OpenIdClaimIdx ON UserAuthClaims +END + +GO + +IF dbo.fnColumnExists('UserAuthClaims', 'OpenIdClaim') = 1 +BEGIN + EXEC sp_rename 'UserAuthClaims.OpenIdClaim', 'ClaimIdentifier', 'COLUMN' +END + +GO + +IF dbo.fnColumnExists('UserAuthClaims', 'IdentifierType') = 0 +BEGIN + ALTER TABLE UserAuthClaims ADD IdentifierType TINYINT NOT NULL DEFAULT 1 +END + +GO + +IF dbo.fnColumnExists('UserAuthClaims', 'Display') = 0 +BEGIN + ALTER TABLE UserAuthClaims ADD Display NVARCHAR(150) +END + +GO + +IF dbo.fnIndexExists('UserAuthClaims', 'ClaimIdentifierIdx') = 0 +BEGIN + ALTER TABLE UserAuthClaims ALTER COLUMN ClaimIdentifier NVARCHAR(449) NOT NULL + CREATE UNIQUE NONCLUSTERED INDEX ClaimIdentifierIdx ON UserAuthClaims(IdentifierType, ClaimIdentifier) +END \ No newline at end of file
member for
@Model.ADLogin
openid
@Model.UserOpenIds[0].OpenIdClaim
email (private)
@Model.Email