/* * Licensed under the Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0) * See https://github.com/openiddict/openiddict-core for more information concerning * the license and the contributors participating to this project. */ using System.Collections.Immutable; using System.Security.Claims; using Microsoft.AspNetCore.DataProtection; using Microsoft.Extensions.Logging; using Microsoft.Extensions.Options; using Microsoft.IdentityModel.Tokens; using OpenIddict.Extensions; using static OpenIddict.Server.DataProtection.OpenIddictServerDataProtectionConstants.Purposes; using static OpenIddict.Server.OpenIddictServerHandlers.Protection; using Schemes = OpenIddict.Server.DataProtection.OpenIddictServerDataProtectionConstants.Purposes.Schemes; namespace OpenIddict.Server.DataProtection; public static partial class OpenIddictServerDataProtectionHandlers { public static class Protection { public static ImmutableArray DefaultHandlers { get; } = [ /* * Token validation: */ ValidateDataProtectionToken.Descriptor, /* * Token generation: */ OverrideGeneratedTokenFormat.Descriptor, GenerateDataProtectionToken.Descriptor ]; /// /// Contains the logic responsible for validating tokens generated using Data Protection. /// public sealed class ValidateDataProtectionToken : IOpenIddictServerHandler { private readonly IOptionsMonitor _options; public ValidateDataProtectionToken(IOptionsMonitor options) => _options = options ?? throw new ArgumentNullException(nameof(options)); /// /// Gets the default descriptor definition assigned to this handler. /// public static OpenIddictServerHandlerDescriptor Descriptor { get; } = OpenIddictServerHandlerDescriptor.CreateBuilder() .UseSingletonHandler() .SetOrder(ValidateIdentityModelToken.Descriptor.Order + 500) .SetType(OpenIddictServerHandlerType.BuiltIn) .Build(); /// public ValueTask HandleAsync(ValidateTokenContext context) { // If a principal was already attached, don't overwrite it. if (context.Principal is not null) { return default; } // If a specific token format is expected, return immediately if it doesn't match the expected value. if (context.TokenFormat is not null && context.TokenFormat is not TokenFormats.Private.DataProtection) { return default; } // Note: ASP.NET Core Data Protection tokens created by the default implementation always start // with "CfDJ8", that corresponds to the base64 representation of the "09 F0 C9 F0" value used // by KeyRingBasedDataProtectionProvider as a Data Protection version identifier/magic header. // // Unless a custom provider implementation - that may use a different mechanism - has been // registered, return immediately if the token doesn't start with the expected magic header. // // See https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/implementation/authenticated-encryption-details // for more information. if (!context.Token.StartsWith("CfDJ8", StringComparison.Ordinal) && string.Equals(_options.CurrentValue.DataProtectionProvider.GetType().FullName, "Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtectionProvider", StringComparison.Ordinal)) { return default; } // Tokens generated using ASP.NET Core Data Protection are encrypted by symmetric keys // that are derived from both a master key resolved from the key ring and a specific value // known as "purpose" that helps ensure that Data Protection payloads can't be decrypted // without the correct "purpose" value, which is different for all types of tokens. // // While offering extensive protection at the cryptographic level, this prevents decrypting // unknown tokens without re-executing the entire decryption routine for each type of token // considered valid. To speed up this process when supporting multiple types is required, // the Data Protection integration relies on the "token_type_hint" parameter specified // by the client when it is available (e.g with introspection or revocation requests). var principal = context.ValidTokenTypes.Count switch { // If no valid token type was set, all supported token types are allowed. // // Note: if a "token_type_hint" was specified by the client, use it to optimize // the token decryption lookup but fall back to other types of tokens // if the token can't be decrypted using the specified token type hint. // // In this case, common types (e.g access/refresh tokens) are checked first. 0 => context.TokenTypeHint switch { TokenTypeHints.RefreshToken => ValidateToken(TokenTypeIdentifiers.RefreshToken) ?? ValidateToken(TokenTypeIdentifiers.AccessToken) ?? ValidateToken(TokenTypeIdentifiers.Private.AuthorizationCode) ?? ValidateToken(TokenTypeIdentifiers.Private.DeviceCode) ?? ValidateToken(TokenTypeIdentifiers.Private.UserCode) ?? ValidateToken(TokenTypeIdentifiers.Private.RequestToken), TokenTypeHints.AccessToken or _ => ValidateToken(TokenTypeIdentifiers.AccessToken) ?? ValidateToken(TokenTypeIdentifiers.RefreshToken) ?? ValidateToken(TokenTypeIdentifiers.Private.AuthorizationCode) ?? ValidateToken(TokenTypeIdentifiers.Private.DeviceCode) ?? ValidateToken(TokenTypeIdentifiers.Private.UserCode) ?? ValidateToken(TokenTypeIdentifiers.Private.RequestToken), }, // If a single valid token type was set, ignore the specified token type hint. 1 => context.ValidTokenTypes.ElementAt(0) switch { TokenTypeIdentifiers.AccessToken => ValidateToken(TokenTypeIdentifiers.AccessToken), TokenTypeIdentifiers.RefreshToken => ValidateToken(TokenTypeIdentifiers.RefreshToken), TokenTypeIdentifiers.Private.AuthorizationCode => ValidateToken(TokenTypeIdentifiers.Private.AuthorizationCode), TokenTypeIdentifiers.Private.DeviceCode => ValidateToken(TokenTypeIdentifiers.Private.DeviceCode), TokenTypeIdentifiers.Private.RequestToken => ValidateToken(TokenTypeIdentifiers.Private.RequestToken), TokenTypeIdentifiers.Private.UserCode => ValidateToken(TokenTypeIdentifiers.Private.UserCode), _ => null // The token type is not supported by the Data Protection integration (e.g identity tokens). }, // If multiple valid types were set, use the specified token type hint // and select the first non-null token that can be successfully decrypted. _ => context.ValidTokenTypes.OrderBy(type => type switch { // If the token type hint corresponds to one of the valid types, test it first. string value when value == context.TokenTypeHint => 0, TokenTypeIdentifiers.AccessToken => 1, TokenTypeIdentifiers.RefreshToken => 2, TokenTypeIdentifiers.Private.AuthorizationCode => 3, TokenTypeIdentifiers.Private.DeviceCode => 4, TokenTypeIdentifiers.Private.UserCode => 5, TokenTypeIdentifiers.Private.RequestToken => 6, _ => int.MaxValue }) .Select(type => type switch { TokenTypeIdentifiers.AccessToken => ValidateToken(TokenTypeIdentifiers.AccessToken), TokenTypeIdentifiers.RefreshToken => ValidateToken(TokenTypeIdentifiers.RefreshToken), TokenTypeIdentifiers.Private.AuthorizationCode => ValidateToken(TokenTypeIdentifiers.Private.AuthorizationCode), TokenTypeIdentifiers.Private.DeviceCode => ValidateToken(TokenTypeIdentifiers.Private.DeviceCode), TokenTypeIdentifiers.Private.UserCode => ValidateToken(TokenTypeIdentifiers.Private.UserCode), TokenTypeIdentifiers.Private.RequestToken => ValidateToken(TokenTypeIdentifiers.Private.RequestToken), _ => null // The token type is not supported by the Data Protection integration (e.g identity tokens). }) .Where(static principal => principal is not null) .FirstOrDefault() }; if (principal is null) { context.Reject( error: Errors.InvalidToken, description: SR.GetResourceString(SR.ID2004), uri: SR.FormatID8000(SR.ID2004)); return default; } context.Principal = principal; context.Logger.LogTrace(6152, SR.GetResourceString(SR.ID6152), context.Token, context.Principal.Claims); return default; ClaimsPrincipal? ValidateToken(string type) { // Create a Data Protection protector using the provider registered in the options. // // Note: reference tokens are encrypted using a different "purpose" string than non-reference tokens. var protector = _options.CurrentValue.DataProtectionProvider.CreateProtector( (type, context.IsReferenceToken) switch { (TokenTypeIdentifiers.AccessToken, true) => [Handlers.Server, Formats.AccessToken, Features.ReferenceTokens, Schemes.Server], (TokenTypeIdentifiers.AccessToken, false) => [Handlers.Server, Formats.AccessToken, Schemes.Server], (TokenTypeIdentifiers.Private.AuthorizationCode, true) => [Handlers.Server, Formats.AuthorizationCode, Features.ReferenceTokens, Schemes.Server], (TokenTypeIdentifiers.Private.AuthorizationCode, false) => [Handlers.Server, Formats.AuthorizationCode, Schemes.Server], (TokenTypeIdentifiers.Private.DeviceCode, true) => [Handlers.Server, Formats.DeviceCode, Features.ReferenceTokens, Schemes.Server], (TokenTypeIdentifiers.Private.DeviceCode, false) => [Handlers.Server, Formats.DeviceCode, Schemes.Server], (TokenTypeIdentifiers.RefreshToken, true) => [Handlers.Server, Formats.RefreshToken, Features.ReferenceTokens, Schemes.Server], (TokenTypeIdentifiers.RefreshToken, false) => [Handlers.Server, Formats.RefreshToken, Schemes.Server], (TokenTypeIdentifiers.Private.UserCode, true) => [Handlers.Server, Formats.UserCode, Features.ReferenceTokens, Schemes.Server], (TokenTypeIdentifiers.Private.UserCode, false) => [Handlers.Server, Formats.UserCode, Schemes.Server], (TokenTypeIdentifiers.Private.RequestToken, true) => [Handlers.Server, Formats.RequestToken, Features.ReferenceTokens, Schemes.Server], (TokenTypeIdentifiers.Private.RequestToken, false) => [Handlers.Server, Formats.RequestToken, Schemes.Server], _ => throw new InvalidOperationException(SR.GetResourceString(SR.ID0003)) }); try { using var buffer = new MemoryStream(protector.Unprotect(Base64UrlEncoder.DecodeBytes(context.Token))); using var reader = new BinaryReader(buffer); // Note: since the data format relies on a data protector using different "purposes" strings // per token type, the token processed at this stage is guaranteed to be of the expected type. return _options.CurrentValue.Formatter.ReadToken(reader)?.SetTokenType(type); } catch (Exception exception) when (!OpenIddictHelpers.IsFatal(exception)) { context.Logger.LogTrace(6153, exception, SR.GetResourceString(SR.ID6153), context.Token); return null; } } } } /// /// Contains the logic responsible for overriding the default token format /// to generate ASP.NET Core Data Protection tokens instead of JSON Web Tokens. /// public sealed class OverrideGeneratedTokenFormat : IOpenIddictServerHandler { private readonly IOptionsMonitor _options; public OverrideGeneratedTokenFormat(IOptionsMonitor options) => _options = options ?? throw new ArgumentNullException(nameof(options)); /// /// Gets the default descriptor definition assigned to this handler. /// public static OpenIddictServerHandlerDescriptor Descriptor { get; } = OpenIddictServerHandlerDescriptor.CreateBuilder() .UseSingletonHandler() .SetOrder(AttachSecurityCredentials.Descriptor.Order + 500) .SetType(OpenIddictServerHandlerType.BuiltIn) .Build(); /// public ValueTask HandleAsync(GenerateTokenContext context) { if (context is null) { throw new ArgumentNullException(nameof(context)); } // ASP.NET Core Data Protection can be used to format certain types of tokens in lieu // of the default token format (typically, JSON Web Token). By default, Data Protection // is automatically used for all the supported token types once the integration is enabled // but the default token format can be re-enabled in the options. Alternatively, the token // format can be overridden manually using a custom event handler registered after this one. context.TokenFormat = context.TokenType switch { TokenTypeIdentifiers.AccessToken when !_options.CurrentValue.PreferDefaultAccessTokenFormat => TokenFormats.Private.DataProtection, TokenTypeIdentifiers.Private.AuthorizationCode when !_options.CurrentValue.PreferDefaultAuthorizationCodeFormat => TokenFormats.Private.DataProtection, TokenTypeIdentifiers.Private.DeviceCode when !_options.CurrentValue.PreferDefaultDeviceCodeFormat => TokenFormats.Private.DataProtection, TokenTypeIdentifiers.RefreshToken when !_options.CurrentValue.PreferDefaultRefreshTokenFormat => TokenFormats.Private.DataProtection, TokenTypeIdentifiers.Private.UserCode when !_options.CurrentValue.PreferDefaultUserCodeFormat => TokenFormats.Private.DataProtection, TokenTypeIdentifiers.Private.RequestToken when !_options.CurrentValue.PreferDefaultRequestTokenFormat => TokenFormats.Private.DataProtection, _ => context.TokenFormat // Don't override the format if the token type is not supported. }; return default; } } /// /// Contains the logic responsible for generating a token using Data Protection. /// public sealed class GenerateDataProtectionToken : IOpenIddictServerHandler { private readonly IOptionsMonitor _options; public GenerateDataProtectionToken(IOptionsMonitor options) => _options = options ?? throw new ArgumentNullException(nameof(options)); /// /// Gets the default descriptor definition assigned to this handler. /// public static OpenIddictServerHandlerDescriptor Descriptor { get; } = OpenIddictServerHandlerDescriptor.CreateBuilder() .AddFilter() .UseSingletonHandler() .SetOrder(GenerateIdentityModelToken.Descriptor.Order - 500) .SetType(OpenIddictServerHandlerType.BuiltIn) .Build(); /// public ValueTask HandleAsync(GenerateTokenContext context) { if (context is null) { throw new ArgumentNullException(nameof(context)); } // If an access token was already attached by another handler, don't overwrite it. if (!string.IsNullOrEmpty(context.Token)) { return default; } // Create a Data Protection protector using the provider registered in the options. // // Note: reference tokens are encrypted using a different "purpose" string than non-reference tokens. var protector = _options.CurrentValue.DataProtectionProvider.CreateProtector( (context.TokenType, context.IsReferenceToken) switch { (TokenTypeIdentifiers.AccessToken, true) => [Handlers.Server, Formats.AccessToken, Features.ReferenceTokens, Schemes.Server], (TokenTypeIdentifiers.AccessToken, false) => [Handlers.Server, Formats.AccessToken, Schemes.Server], (TokenTypeIdentifiers.Private.AuthorizationCode, true) => [Handlers.Server, Formats.AuthorizationCode, Features.ReferenceTokens, Schemes.Server], (TokenTypeIdentifiers.Private.AuthorizationCode, false) => [Handlers.Server, Formats.AuthorizationCode, Schemes.Server], (TokenTypeIdentifiers.Private.DeviceCode, true) => [Handlers.Server, Formats.DeviceCode, Features.ReferenceTokens, Schemes.Server], (TokenTypeIdentifiers.Private.DeviceCode, false) => [Handlers.Server, Formats.DeviceCode, Schemes.Server], (TokenTypeIdentifiers.RefreshToken, true) => [Handlers.Server, Formats.RefreshToken, Features.ReferenceTokens, Schemes.Server], (TokenTypeIdentifiers.RefreshToken, false) => [Handlers.Server, Formats.RefreshToken, Schemes.Server], (TokenTypeIdentifiers.Private.UserCode, true) => [Handlers.Server, Formats.UserCode, Features.ReferenceTokens, Schemes.Server], (TokenTypeIdentifiers.Private.UserCode, false) => [Handlers.Server, Formats.UserCode, Schemes.Server], (TokenTypeIdentifiers.Private.RequestToken, true) => [Handlers.Server, Formats.RequestToken, Features.ReferenceTokens, Schemes.Server], (TokenTypeIdentifiers.Private.RequestToken, false) => [Handlers.Server, Formats.RequestToken, Schemes.Server], _ => throw new InvalidOperationException(SR.GetResourceString(SR.ID0003)) }); using var buffer = new MemoryStream(); using var writer = new BinaryWriter(buffer); _options.CurrentValue.Formatter.WriteToken(writer, context.Principal); context.Token = Base64UrlEncoder.Encode(protector.Protect(buffer.ToArray())); context.Logger.LogTrace(6016, SR.GetResourceString(SR.ID6016), context.TokenType, context.Token, context.Principal.Claims); return default; } } } }