diff --git a/src/Microsoft.AspNet.Authentication/Constants.cs b/src/Microsoft.AspNet.Authentication.OAuth/Constants.cs
similarity index 70%
rename from src/Microsoft.AspNet.Authentication/Constants.cs
rename to src/Microsoft.AspNet.Authentication.OAuth/Constants.cs
index e6b0d7b43e..53114e2443 100644
--- a/src/Microsoft.AspNet.Authentication/Constants.cs
+++ b/src/Microsoft.AspNet.Authentication.OAuth/Constants.cs
@@ -2,11 +2,11 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
-namespace Microsoft.AspNet.Authentication
+namespace Microsoft.AspNet.Authentication.OAuth
 {
 internal static class Constants
 {
- public static string SecurityAuthenticate = "security.Authenticate";
+ internal const string SecurityAuthenticate = "security.Authenticate";
 internal const string CorrelationPrefix = ".AspNet.Correlation.";
 }
 }
diff --git a/src/Microsoft.AspNet.Authentication.OAuth/OAuthAuthenticationHandler.cs b/src/Microsoft.AspNet.Authentication.OAuth/OAuthAuthenticationHandler.cs
index c5a8b0fc7f..86d4954745 100644
--- a/src/Microsoft.AspNet.Authentication.OAuth/OAuthAuthenticationHandler.cs
+++ b/src/Microsoft.AspNet.Authentication.OAuth/OAuthAuthenticationHandler.cs
@@ -5,7 +5,10 @@ using System;
 using System.Collections.Generic;
 using System.Net.Http;
 using System.Net.Http.Headers;
+using System.Security.Cryptography;
 using System.Threading.Tasks;
+using Microsoft.AspNet.Authentication.DataHandler.Encoder;
+using Microsoft.AspNet.Http;
 using Microsoft.AspNet.Http.Authentication;
 using Microsoft.AspNet.Http.Extensions;
 using Microsoft.AspNet.Http.Features.Authentication;
@@ -20,6 +23,8 @@ namespace Microsoft.AspNet.Authentication.OAuth
 where TOptions : OAuthAuthenticationOptions
 where TNotifications : IOAuthAuthenticationNotifications
 {
+ private static readonly RandomNumberGenerator CryptoRandom = RandomNumberGenerator.Create();
+
 public OAuthAuthenticationHandler(HttpClient backchannel)
 {
 Backchannel = backchannel;
@@ -226,5 +231,61 @@ namespace Microsoft.AspNet.Authentication.OAuth
 // OAuth2 3.3 space separated
 return string.Join(" ", Options.Scope);
 }
+
+ protected void GenerateCorrelationId([NotNull] AuthenticationProperties properties)
+ {
+ var correlationKey = Constants.CorrelationPrefix + Options.AuthenticationScheme;
+
+ var nonceBytes = new byte[32];
+ CryptoRandom.GetBytes(nonceBytes);
+ var correlationId = TextEncodings.Base64Url.Encode(nonceBytes);
+
+ var cookieOptions = new CookieOptions
+ {
+ HttpOnly = true,
+ Secure = Request.IsHttps
+ };
+
+ properties.Items[correlationKey] = correlationId;
+
+ Response.Cookies.Append(correlationKey, correlationId, cookieOptions);
+ }
+
+ protected bool ValidateCorrelationId([NotNull] AuthenticationProperties properties)
+ {
+ var correlationKey = Constants.CorrelationPrefix + Options.AuthenticationScheme;
+ var correlationCookie = Request.Cookies[correlationKey];
+ if (string.IsNullOrWhiteSpace(correlationCookie))
+ {
+ Logger.LogWarning("{0} cookie not found.", correlationKey);
+ return false;
+ }
+
+ var cookieOptions = new CookieOptions
+ {
+ HttpOnly = true,
+ Secure = Request.IsHttps
+ };
+ Response.Cookies.Delete(correlationKey, cookieOptions);
+
+ string correlationExtra;
+ if (!properties.Items.TryGetValue(
+ correlationKey,
+ out correlationExtra))
+ {
+ Logger.LogWarning("{0} state property not found.", correlationKey);
+ return false;
+ }
+
+ properties.Items.Remove(correlationKey);
+
+ if (!string.Equals(correlationCookie, correlationExtra, StringComparison.Ordinal))
+ {
+ Logger.LogWarning("{0} correlation cookie and state property mismatch.", correlationKey);
+ return false;
+ }
+
+ return true;
+ }
 }
 }
diff --git a/src/Microsoft.AspNet.Authentication/AuthenticationHandler.cs b/src/Microsoft.AspNet.Authentication/AuthenticationHandler.cs
index 745d4d8d67..8651c4b9a6 100644
--- a/src/Microsoft.AspNet.Authentication/AuthenticationHandler.cs
+++ b/src/Microsoft.AspNet.Authentication/AuthenticationHandler.cs
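Review bot: `Response.Cookies.Append(correlationKey, correlationId, cookieOptions)` in GenerateCorrelationId keys the cookie by scheme only, so two challenges for the same scheme in flight in one browser (two tabs, a retried login) overwrite each other's cookie and the first flow's callback then fails the `string.Equals(correlationCookie, correlationExtra, StringComparison.Ordinal)` check in ValidateCorrelationId with a spurious mismatch. Putting the nonce into the cookie name instead (`correlationKey + "." + correlationId` with a fixed marker value) gives one cookie per challenge; ValidateCorrelationId then reads the expected id from the protected `properties` first and checks that cookie is present, which keeps the same browser-binding guarantee and drops the value comparison. Separately, the cookie is written with no `Expires`, so an abandoned challenge leaves a usable correlation cookie for the whole browser session; bounding it to the flow's allowed duration would be worth doing if the options expose one (not visible in this hunk). `Secure = Request.IsHttps` also deserves a comment such as `// Correlation cookie is only marked Secure when the challenge itself came in over HTTPS; the CSRF binding assumes the callback does too.` so the HTTP case is a documented choice rather than a surprise.
```csharp
protected void GenerateCorrelationId([NotNull] AuthenticationProperties properties)
{
    // … unchanged: correlationKey, nonceBytes, correlationId, cookieOptions …
    properties.Items[correlationKey] = correlationId;

    // One cookie per in-flight challenge: the nonce is part of the cookie name, so
    // concurrent challenges for the same scheme cannot overwrite each other.
    Response.Cookies.Append(correlationKey + "." + correlationId, "N", cookieOptions);
}

protected bool ValidateCorrelationId([NotNull] AuthenticationProperties properties)
{
    var correlationKey = Constants.CorrelationPrefix + Options.AuthenticationScheme;

    // Read the expected nonce from the protected state first; the cookie name derives from it.
    string correlationId;
    if (!properties.Items.TryGetValue(correlationKey, out correlationId))
    {
        Logger.LogWarning("{0} state property not found.", correlationKey);
        return false;
    }
    properties.Items.Remove(correlationKey);

    var cookieName = correlationKey + "." + correlationId;
    if (string.IsNullOrWhiteSpace(Request.Cookies[cookieName]))
    {
        Logger.LogWarning("{0} cookie not found.", cookieName);
        return false;
    }

    // … unchanged: cookieOptions …
    Response.Cookies.Delete(cookieName, cookieOptions);
    return true;
}
```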
@@ -2,11 +2,8 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
-using System.Security.Cryptography;
 using System.Threading.Tasks;
-using Microsoft.AspNet.Authentication.DataHandler.Encoder;
 using Microsoft.AspNet.Http;
-using Microsoft.AspNet.Http.Authentication;
 using Microsoft.AspNet.Http.Features.Authentication;
 using Microsoft.Framework.Internal;
 using Microsoft.Framework.Logging;
@@ -19,8 +16,6 @@ namespace Microsoft.AspNet.Authentication
 ///
 public abstract class AuthenticationHandler : IAuthenticationHandler
 {
- private static readonly RandomNumberGenerator CryptoRandom = RandomNumberGenerator.Create();
-
 private bool _finishCalled;
 private AuthenticationOptions _baseOptions;
@@ -279,62 +274,6 @@ namespace Microsoft.AspNet.Authentication
 }
 }
-
- protected void GenerateCorrelationId([NotNull] AuthenticationProperties properties)
- {
- var correlationKey = Constants.CorrelationPrefix + BaseOptions.AuthenticationScheme;
-
- var nonceBytes = new byte[32];
- CryptoRandom.GetBytes(nonceBytes);
- var correlationId = TextEncodings.Base64Url.Encode(nonceBytes);
-
- var cookieOptions = new CookieOptions
- {
- HttpOnly = true,
- Secure = Request.IsHttps
- };
-
- properties.Items[correlationKey] = correlationId;
-
- Response.Cookies.Append(correlationKey, correlationId, cookieOptions);
- }
-
- protected bool ValidateCorrelationId([NotNull] AuthenticationProperties properties)
- {
- var correlationKey = Constants.CorrelationPrefix + BaseOptions.AuthenticationScheme;
- var correlationCookie = Request.Cookies[correlationKey];
- if (string.IsNullOrWhiteSpace(correlationCookie))
- {
- Logger.LogWarning("{0} cookie not found.", correlationKey);
- return false;
- }
-
- var cookieOptions = new CookieOptions
- {
- HttpOnly = true,
- Secure = Request.IsHttps
- };
- Response.Cookies.Delete(correlationKey, cookieOptions);
-
- string correlationExtra;
- if (!properties.Items.TryGetValue(
- correlationKey,
- out correlationExtra))
- {
- Logger.LogWarning("{0} state property not found.", correlationKey);
- return false;
- }
-
- properties.Items.Remove(correlationKey);
-
- if (!string.Equals(correlationCookie, correlationExtra, StringComparison.Ordinal))
- {
- Logger.LogWarning("{0} correlation cookie and state property mismatch.", correlationKey);
- return false;
- }
-
- return true;
- }
-
 private void RegisterAuthenticationHandler()
 {
 var auth = Context.GetAuthentication();