Update Owin.Security.OAuth.Validation to use the ASP.NET Core Data Protection stack

Author: kevinchalet

src/AspNet.Security.OAuth.Validation/OAuthValidationHandler.cs

@@ -36,7 +36,7 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync() {
 
             // Try to unprotect the token and return an error
             // if the ticket can't be decrypted or validated.
-            var ticket = Options.TicketFormat.Unprotect(token);
+            var ticket = Options.AccessTokenFormat.Unprotect(token);
             if (ticket == null) {
                 return AuthenticateResult.Fail("Authentication failed because the access token was invalid.");
             }

src/AspNet.Security.OAuth.Validation/OAuthValidationMiddleware.cs

@@ -21,13 +21,16 @@ public OAuthValidationMiddleware(
             [NotNull] UrlEncoder encoder,
             [NotNull] IDataProtectionProvider dataProtectionProvider)
             : base(next, options, loggerFactory, encoder) {
-            if (Options.TicketFormat == null) {
-                // Note: the purposes of the default ticket
-                // format must match the values used by ASOS.
-                Options.TicketFormat = new TicketDataFormat(
-                    dataProtectionProvider.CreateProtector(
-                        "AspNet.Security.OpenIdConnect.Server.OpenIdConnectServerMiddleware",
-                        "ASOS", "Access_Token", "v1"));
+            if (Options.DataProtectionProvider == null) {
+                Options.DataProtectionProvider = dataProtectionProvider;
+            }
+
+            if (Options.AccessTokenFormat == null) {
+                // Note: the following purposes must match the values used by ASOS.
+                var protector = Options.DataProtectionProvider.CreateProtector(
+                    "OpenIdConnectServerMiddleware", "ASOS", "Access_Token", "v1");
+
+                Options.AccessTokenFormat = new TicketDataFormat(protector);
             }
         }
 

src/AspNet.Security.OAuth.Validation/OAuthValidationOptions.cs

@@ -7,6 +7,7 @@
 using System.Collections.Generic;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.DataProtection;
 
 namespace AspNet.Security.OAuth.Validation {
     public class OAuthValidationOptions : AuthenticationOptions {
@@ -28,8 +29,16 @@ public OAuthValidationOptions() {
 
         /// <summary>
         /// Gets or sets the data format used to unprotect the
-        /// authenticated tickets received by the validation middleware.
+        /// access tokens received by the validation middleware.
         /// </summary>
-        public ISecureDataFormat<AuthenticationTicket> TicketFormat { get; set; }
+        public ISecureDataFormat<AuthenticationTicket> AccessTokenFormat { get; set; }
+
+        /// <summary>
+        /// Gets or sets the data protection provider used to create the default
+        /// data protectors used by <see cref="OAuthValidationMiddleware"/>.
+        /// When this property is set to <c>null</c>, the data protection provider
+        /// is directly retrieved from the dependency injection container.
+        /// </summary>
+        public IDataProtectionProvider DataProtectionProvider { get; set; }
     }
 }

src/Owin.Security.OAuth.Validation/OAuthValidationHandler.cs

@@ -40,7 +40,7 @@ protected override async Task<AuthenticationTicket> AuthenticateCoreAsync() {
 
             // Try to unprotect the token and return an error
             // if the ticket can't be decrypted or validated.
-            var ticket = Options.TicketFormat.Unprotect(token);
+            var ticket = Options.AccessTokenFormat.Unprotect(token);
             if (ticket == null) {
                 Options.Logger.WriteWarning("Authentication failed because the access token was invalid.");
 

src/Owin.Security.OAuth.Validation/OAuthValidationMiddleware.cs

@@ -5,199 +5,58 @@
  */
 
 using System;
-using System.IdentityModel.Tokens;
-using System.IO;
-using System.Linq;
-using System.Security.Claims;
+using Microsoft.AspNetCore.DataProtection;
+using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Owin;
+using Microsoft.Owin.BuilderProperties;
 using Microsoft.Owin.Logging;
-using Microsoft.Owin.Security;
-using Microsoft.Owin.Security.DataHandler;
-using Microsoft.Owin.Security.DataHandler.Encoder;
-using Microsoft.Owin.Security.DataHandler.Serializer;
-using Microsoft.Owin.Security.DataProtection;
 using Microsoft.Owin.Security.Infrastructure;
+using Microsoft.Owin.Security.Interop;
 
 namespace Owin.Security.OAuth.Validation {
     public class OAuthValidationMiddleware : AuthenticationMiddleware<OAuthValidationOptions> {
         public OAuthValidationMiddleware(OwinMiddleware next, IAppBuilder app, OAuthValidationOptions options)
             : base(next, options) {
-            if (options.TicketFormat == null) {
-                // Note: the purposes of the default ticket
-                // format must match the values used by ASOS.
-                options.TicketFormat = new EnhancedTicketDataFormat(
-                    app.CreateDataProtector(
-                        "Owin.Security.OpenIdConnect.Server.OpenIdConnectServerMiddleware",
-                        "ASOS", "Access_Token", "v1"));
-            }
-
-            if (options.Logger == null) {
-                options.Logger = app.CreateLogger<OAuthValidationMiddleware>();
-            }
-        }
-
-        protected override AuthenticationHandler<OAuthValidationOptions> CreateHandler() {
-            return new OAuthValidationHandler();
-        }
-
-        internal sealed class EnhancedTicketDataFormat : SecureDataFormat<AuthenticationTicket> {
-            private static readonly EnhancedTicketSerializer Serializer = new EnhancedTicketSerializer();
-
-            public EnhancedTicketDataFormat(IDataProtector protector)
-                : base(Serializer, protector, TextEncodings.Base64Url) {
-            }
-
-            private sealed class EnhancedTicketSerializer : IDataSerializer<AuthenticationTicket> {
-                private const int FormatVersion = 3;
-
-                public byte[] Serialize(AuthenticationTicket model) {
-                    if (model == null) {
-                        throw new ArgumentNullException("model");
-                    }
-
-                    using (var buffer = new MemoryStream())
-                    using (var writer = new BinaryWriter(buffer)) {
-                        writer.Write(FormatVersion);
-
-                        WriteIdentity(writer, model.Identity);
-                        PropertiesSerializer.Write(writer, model.Properties);
-
-                        return buffer.ToArray();
-                    }
-                }
-
-                public AuthenticationTicket Deserialize(byte[] data) {
-                    if (data == null) {
-                        throw new ArgumentNullException("data");
-                    }
-
-                    using (var buffer = new MemoryStream(data))
-                    using (var reader = new BinaryReader(buffer)) {
-                        if (reader.ReadInt32() != FormatVersion) {
-                            return null;
-                        }
-
-                        var identity = ReadIdentity(reader);
-                        var properties = PropertiesSerializer.Read(reader);
-
-                        return new AuthenticationTicket(identity, properties);
-                    }
-                }
-
-                private static void WriteIdentity(BinaryWriter writer, ClaimsIdentity identity) {
-                    writer.Write(identity.AuthenticationType);
-                    WriteWithDefault(writer, identity.NameClaimType, DefaultValues.NameClaimType);
-                    WriteWithDefault(writer, identity.RoleClaimType, DefaultValues.RoleClaimType);
-                    writer.Write(identity.Claims.Count());
-
-                    foreach (var claim in identity.Claims) {
-                        WriteClaim(writer, claim, identity.NameClaimType);
-                    }
-
-                    var context = identity.BootstrapContext as BootstrapContext;
-                    if (context == null || string.IsNullOrEmpty(context.Token)) {
-                        writer.Write(0);
-                    }
+            if (options.DataProtectionProvider == null) {
+                // Create a new DI container and register
+                // the data protection services.
+                var services = new ServiceCollection();
 
-                    else {
-                        writer.Write(context.Token.Length);
-                        writer.Write(context.Token);
-                    }
-
-                    if (identity.Actor != null) {
-                        writer.Write(true);
-                        WriteIdentity(writer, identity.Actor);
-                    }
-
-                    else {
-                        writer.Write(false);
-                    }
-                }
-
-                private static ClaimsIdentity ReadIdentity(BinaryReader reader) {
-                    var authenticationType = reader.ReadString();
-                    var nameClaimType = ReadWithDefault(reader, DefaultValues.NameClaimType);
-                    var roleClaimType = ReadWithDefault(reader, DefaultValues.RoleClaimType);
-                    var count = reader.ReadInt32();
-
-                    var claims = new Claim[count];
-
-                    for (int index = 0; index != count; ++index) {
-                        claims[index] = ReadClaim(reader, nameClaimType);
-                    }
-
-                    var identity = new ClaimsIdentity(claims, authenticationType, nameClaimType, roleClaimType);
-
-                    int bootstrapContextSize = reader.ReadInt32();
-                    if (bootstrapContextSize > 0) {
-                        identity.BootstrapContext = new BootstrapContext(reader.ReadString());
-                    }
-
-                    if (reader.ReadBoolean()) {
-                        identity.Actor = ReadIdentity(reader);
-                    }
-
-                    return identity;
-                }
-
-                private static void WriteClaim(BinaryWriter writer, Claim claim, string nameClaimType) {
-                    WriteWithDefault(writer, claim.Type, nameClaimType);
-                    writer.Write(claim.Value);
-                    WriteWithDefault(writer, claim.ValueType, DefaultValues.StringValueType);
-                    WriteWithDefault(writer, claim.Issuer, DefaultValues.LocalAuthority);
-                    WriteWithDefault(writer, claim.OriginalIssuer, claim.Issuer);
-                    writer.Write(claim.Properties.Count);
+                services.AddDataProtection(configuration => {
+                    // Try to use the application name provided by
+                    // the OWIN host as the application discriminator.
+                    var discriminator = new AppProperties(app.Properties).AppName;
 
-                    foreach (var property in claim.Properties) {
-                        writer.Write(property.Key);
-                        writer.Write(property.Value);
+                    // When an application discriminator cannot be resolved from
+                    // the OWIN host properties, generate a temporary identifier.
+                    if (string.IsNullOrEmpty(discriminator)) {
+                        discriminator = Guid.NewGuid().ToString();
                     }
-                }
 
-                private static Claim ReadClaim(BinaryReader reader, string nameClaimType) {
-                    var type = ReadWithDefault(reader, nameClaimType);
-                    var value = reader.ReadString();
-                    var valueType = ReadWithDefault(reader, DefaultValues.StringValueType);
-                    var issuer = ReadWithDefault(reader, DefaultValues.LocalAuthority);
-                    var originalIssuer = ReadWithDefault(reader, issuer);
-                    var count = reader.ReadInt32();
+                    configuration.ApplicationDiscriminator = discriminator;
+                });
 
-                    var claim = new Claim(type, value, valueType, issuer, originalIssuer);
+                var container = services.BuildServiceProvider();
 
-                    for (var index = 0; index != count; ++index) {
-                        claim.Properties.Add(key: reader.ReadString(), value: reader.ReadString());
-                    }
-
-                    return claim;
-                }
-
-                private static void WriteWithDefault(BinaryWriter writer, string value, string defaultValue) {
-                    if (string.Equals(value, defaultValue, StringComparison.Ordinal)) {
-                        writer.Write(DefaultValues.DefaultStringPlaceholder);
-                    }
-
-                    else {
-                        writer.Write(value);
-                    }
-                }
+                // Resolve a data protection provider from the services container.
+                options.DataProtectionProvider = container.GetRequiredService<IDataProtectionProvider>();
+            }
 
-                private static string ReadWithDefault(BinaryReader reader, string defaultValue) {
-                    string value = reader.ReadString();
-                    if (string.Equals(value, DefaultValues.DefaultStringPlaceholder, StringComparison.Ordinal)) {
-                        return defaultValue;
-                    }
+            if (options.AccessTokenFormat == null) {
+                // Note: the following purposes must match the ones used by ASOS.
+                var protector = options.DataProtectionProvider.CreateProtector(
+                    "OpenIdConnectServerMiddleware", "ASOS", "Access_Token", "v1");
 
-                    return value;
-                }
+                options.AccessTokenFormat = new AspNetTicketDataFormat(new DataProtectorShim(protector));
+            }
 
-                private static class DefaultValues {
-                    public const string DefaultStringPlaceholder = "\0";
-                    public const string NameClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name";
-                    public const string RoleClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";
-                    public const string LocalAuthority = "LOCAL AUTHORITY";
-                    public const string StringValueType = "http://www.w3.org/2001/XMLSchema#string";
-                }
+            if (options.Logger == null) {
+                options.Logger = app.CreateLogger<OAuthValidationMiddleware>();
             }
         }
+
+        protected override AuthenticationHandler<OAuthValidationOptions> CreateHandler() {
+            return new OAuthValidationHandler();
+        }
     }
 }

src/Owin.Security.OAuth.Validation/OAuthValidationOptions.cs

@@ -5,6 +5,7 @@
  */
 
 using System.Collections.Generic;
+using Microsoft.AspNetCore.DataProtection;
 using Microsoft.Owin.Infrastructure;
 using Microsoft.Owin.Logging;
 using Microsoft.Owin.Security;
@@ -35,8 +36,14 @@ public OAuthValidationOptions()
 
         /// <summary>
         /// Gets or sets the data format used to unprotect the
-        /// authenticated tickets received by the validation middleware.
+        /// access tokens received by the validation middleware.
         /// </summary>
-        public ISecureDataFormat<AuthenticationTicket> TicketFormat { get; set; }
+        public ISecureDataFormat<AuthenticationTicket> AccessTokenFormat { get; set; }
+
+        /// <summary>
+        /// Gets or sets the data protection provider used to create the default
+        /// data protector used by <see cref="OAuthValidationMiddleware"/>.
+        /// </summary>
+        public IDataProtectionProvider DataProtectionProvider { get; set; }
     }
 }

src/Owin.Security.OAuth.Validation/project.json

@@ -29,13 +29,15 @@
 
   "dependencies": {
     "JetBrains.Annotations": { "type": "build", "version": "10.1.2-eap" },
-    "Microsoft.Owin.Security": "3.0.1"
+    "Microsoft.Owin.Security.Interop": "1.0.0-*"
   },
 
   "frameworks": {
     "net451": {
       "frameworkAssemblies": {
-        "System.IdentityModel": "4.0.0.0"
+        "System.ComponentModel": { "type": "build" },
+        "System.IdentityModel": "4.0.0.0",
+        "System.Runtime": { "type": "build" }
       }
     }
   }

test/AspNet.Security.OAuth.Validation.Tests/OAuthValidationMiddlewareTests.cs

@@ -243,7 +243,7 @@ private static TestServer CreateResourceServer(Action<OAuthValidationOptions> co
                 app.UseOAuthValidation(options => {
                     options.AutomaticAuthenticate = true;
                     options.AutomaticChallenge = true;
-                    options.TicketFormat = format.Object;
+                    options.AccessTokenFormat = format.Object;
 
                     // Run the configuration delegate
                     // registered by the unit tests.

test/Owin.Security.OAuth.Validation.Tests/OAuthValidationMiddlewareTests.cs

@@ -223,7 +223,7 @@ private static TestServer CreateResourceServer(Action<OAuthValidationOptions> co
             return TestServer.Create(app => {
                 app.UseOAuthValidation(options => {
                     options.AuthenticationMode = AuthenticationMode.Active;
-                    options.TicketFormat = format.Object;
+                    options.AccessTokenFormat = format.Object;
 
                     // Run the configuration delegate
                     // registered by the unit tests.