Introduce a new DecryptToken event in the validation handler

Author: kevinchalet

src/AspNet.Security.OAuth.Validation/Events/DecryptTokenContext.cs

@@ -0,0 +1,43 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+ * See https://github.com/aspnet-contrib/AspNet.Security.OAuth.Extensions for more information
+ * concerning the license and the contributors participating to this project.
+ */
+
+using JetBrains.Annotations;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Http;
+
+namespace AspNet.Security.OAuth.Validation
+{
+    /// <summary>
+    /// Allows custom decryption of access tokens.
+    /// </summary>
+    public class DecryptTokenContext : BaseControlContext
+    {
+        public DecryptTokenContext(
+            [NotNull] HttpContext context,
+            [NotNull] OAuthValidationOptions options,
+            [NotNull] string token)
+            : base(context)
+        {
+            Options = options;
+            Token = token;
+        }
+
+        /// <summary>
+        /// Gets the options used by the validation middleware.
+        /// </summary>
+        public OAuthValidationOptions Options { get; }
+
+        /// <summary>
+        /// Gets the access token.
+        /// </summary>
+        public string Token { get; }
+
+        /// <summary>
+        /// Gets or sets the data format used to deserialize the authentication ticket.
+        /// </summary>
+        public ISecureDataFormat<AuthenticationTicket> DataFormat { get; set; }
+    }
+}

src/AspNet.Security.OAuth.Validation/OAuthValidationEvents.cs

@@ -24,6 +24,11 @@ public class OAuthValidationEvents
         /// </summary>
         public Func<CreateTicketContext, Task> OnCreateTicket { get; set; } = context => Task.FromResult(0);
 
+        /// <summary>
+        /// Invoked when a token is to be decrypted.
+        /// </summary>
+        public Func<DecryptTokenContext, Task> OnDecryptToken { get; set; } = context => Task.FromResult(0);
+
         /// <summary>
         /// Invoked when a token is to be parsed from a newly-received request.
         /// </summary>
@@ -44,6 +49,11 @@ public class OAuthValidationEvents
         /// </summary>
         public virtual Task CreateTicket(CreateTicketContext context) => OnCreateTicket(context);
 
+        /// <summary>
+        /// Invoked when a token is to be decrypted.
+        /// </summary>
+        public virtual Task DecryptToken(DecryptTokenContext context) => OnDecryptToken(context);
+
         /// <summary>
         /// Invoked when a token is to be parsed from a newly-received request.
         /// </summary>

src/AspNet.Security.OAuth.Validation/OAuthValidationHandler.cs

@@ -370,9 +370,43 @@ private bool ValidateAudience(AuthenticationTicket ticket)
             return false;
         }
 
+        private async Task<AuthenticationTicket> DecryptTokenAsync(string token)
+        {
+            var notification = new DecryptTokenContext(Context, Options, token)
+            {
+                DataFormat = Options.AccessTokenFormat
+            };
+
+            await Options.Events.DecryptToken(notification);
+
+            if (notification.HandledResponse)
+            {
+                // If no ticket has been provided, return a failed result to
+                // indicate that authentication was rejected by application code.
+                if (notification.Ticket == null)
+                {
+                    return null;
+                }
+
+                return notification.Ticket;
+            }
+
+            else if (notification.Skipped)
+            {
+                return null;
+            }
+
+            if (notification.DataFormat == null)
+            {
+                throw new InvalidOperationException("A data formatter must be provided.");
+            }
+
+            return notification.DataFormat.Unprotect(token);
+        }
+
         private async Task<AuthenticationTicket> CreateTicketAsync(string token)
         {
-            var ticket = Options.AccessTokenFormat.Unprotect(token);
+            var ticket = await DecryptTokenAsync(token);
             if (ticket == null)
             {
                 return null;

src/Owin.Security.OAuth.Validation/Events/DecryptTokenContext.cs

@@ -0,0 +1,44 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+ * See https://github.com/aspnet-contrib/AspNet.Security.OAuth.Extensions for more information
+ * concerning the license and the contributors participating to this project.
+ */
+
+using JetBrains.Annotations;
+using Microsoft.Owin;
+using Microsoft.Owin.Security;
+using Microsoft.Owin.Security.Notifications;
+
+namespace Owin.Security.OAuth.Validation
+{
+    /// <summary>
+    /// Allows custom decryption of access tokens.
+    /// </summary>
+    public class DecryptTokenContext : BaseNotification<OAuthValidationOptions>
+    {
+        public DecryptTokenContext(
+            [NotNull] IOwinContext context,
+            [NotNull] OAuthValidationOptions options,
+            [NotNull] string token)
+            : base(context, options)
+        {
+            Token = token;
+        }
+
+        /// <summary>
+        /// Gets the access token.
+        /// </summary>
+        public string Token { get; }
+
+        /// <summary>
+        /// Gets or sets the data format used to deserialize the authentication ticket.
+        /// </summary>
+        public ISecureDataFormat<AuthenticationTicket> DataFormat { get; set; }
+
+        /// <summary>
+        /// Gets or sets the <see cref="AuthenticationTicket"/>
+        /// extracted from the access token.
+        /// </summary>
+        public AuthenticationTicket Ticket { get; set; }
+    }
+}

src/Owin.Security.OAuth.Validation/OAuthValidationEvents.cs

@@ -24,6 +24,11 @@ public class OAuthValidationEvents
         /// </summary>
         public Func<CreateTicketContext, Task> OnCreateTicket { get; set; } = context => Task.FromResult(0);
 
+        /// <summary>
+        /// Invoked when a token is to be decrypted.
+        /// </summary>
+        public Func<DecryptTokenContext, Task> OnDecryptToken { get; set; } = context => Task.FromResult(0);
+
         /// <summary>
         /// Invoked when a token is to be parsed from a newly-received request.
         /// </summary>
@@ -44,6 +49,11 @@ public class OAuthValidationEvents
         /// </summary>
         public virtual Task CreateTicket(CreateTicketContext context) => OnCreateTicket(context);
 
+        /// <summary>
+        /// Invoked when a token is to be decrypted.
+        /// </summary>
+        public virtual Task DecryptToken(DecryptTokenContext context) => OnDecryptToken(context);
+
         /// <summary>
         /// Invoked when a token is to be parsed from a newly-received request.
         /// </summary>

src/Owin.Security.OAuth.Validation/OAuthValidationHandler.cs

@@ -359,9 +359,43 @@ private bool ValidateAudience(AuthenticationTicket ticket)
             return false;
         }
 
+        private async Task<AuthenticationTicket> DecryptTokenAsync(string token)
+        {
+            var notification = new DecryptTokenContext(Context, Options, token)
+            {
+                DataFormat = Options.AccessTokenFormat
+            };
+
+            await Options.Events.DecryptToken(notification);
+
+            if (notification.HandledResponse)
+            {
+                // If no ticket has been provided, return a failed result to
+                // indicate that authentication was rejected by application code.
+                if (notification.Ticket == null)
+                {
+                    return null;
+                }
+
+                return notification.Ticket;
+            }
+
+            else if (notification.Skipped)
+            {
+                return null;
+            }
+
+            if (notification.DataFormat == null)
+            {
+                throw new InvalidOperationException("A data formatter must be provided.");
+            }
+
+            return notification.DataFormat.Unprotect(token);
+        }
+
         private async Task<AuthenticationTicket> CreateTicketAsync(string token)
         {
-            var ticket = Options.AccessTokenFormat.Unprotect(token);
+            var ticket = await DecryptTokenAsync(token);
             if (ticket == null)
             {
                 return null;

test/AspNet.Security.OAuth.Validation.Tests/OAuthValidationHandlerTests.cs

@@ -400,6 +400,93 @@ public async Task HandleAuthenticateAsync_ReplacedTicketAndHandleResponseFromRec
             Assert.Equal("Fabrikam", await response.Content.ReadAsStringAsync());
         }
 
+        [Fact]
+        public async Task HandleAuthenticateAsync_HandleResponseFromFromDecryptTokenCauseInvalidAuthentication()
+        {
+            // Arrange
+            var server = CreateResourceServer(options =>
+            {
+                options.Events.OnDecryptToken = context =>
+                {
+                    context.HandleResponse();
+
+                    return Task.FromResult(0);
+                };
+            });
+
+            var client = server.CreateClient();
+
+            var request = new HttpRequestMessage(HttpMethod.Get, "/");
+            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "valid-token");
+
+            // Act
+            var response = await client.SendAsync(request);
+
+            // Assert
+            Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
+        }
+
+        [Fact]
+        public async Task HandleAuthenticateAsync_SkipToNextMiddlewareFromFromDecryptTokenCauseInvalidAuthentication()
+        {
+            // Arrange
+            var server = CreateResourceServer(options =>
+            {
+                options.Events.OnDecryptToken = context =>
+                {
+                    context.SkipToNextMiddleware();
+
+                    return Task.FromResult(0);
+                };
+            });
+
+            var client = server.CreateClient();
+
+            var request = new HttpRequestMessage(HttpMethod.Get, "/");
+            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "valid-token");
+
+            // Act
+            var response = await client.SendAsync(request);
+
+            // Assert
+            Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
+        }
+
+        [Fact]
+        public async Task HandleAuthenticateAsync_TicketAndHandleResponseFromFromDecryptTokenCauseSuccessfulAuthentication()
+        {
+            // Arrange
+            var server = CreateResourceServer(options =>
+            {
+                options.Events.OnDecryptToken = context =>
+                {
+                    var identity = new ClaimsIdentity(OAuthValidationDefaults.AuthenticationScheme);
+                    identity.AddClaim(new Claim(OAuthValidationConstants.Claims.Subject, "Contoso"));
+
+                    context.Ticket = new AuthenticationTicket(
+                        new ClaimsPrincipal(identity),
+                        new AuthenticationProperties(),
+                        context.Options.AuthenticationScheme);
+
+                    context.HandleResponse();
+
+                    return Task.FromResult(0);
+                };
+            });
+
+            var client = server.CreateClient();
+
+            var request = new HttpRequestMessage(HttpMethod.Get, "/");
+            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "valid-token");
+
+            // Act
+            var response = await client.SendAsync(request);
+
+            // Assert
+            Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+            Assert.Equal("Contoso", await response.Content.ReadAsStringAsync());
+        }
+
         [Fact]
         public async Task HandleAuthenticateAsync_SkipToNextMiddlewareFromValidateTokenCausesInvalidAuthentication()
         {