Introduce a new DecryptToken event in the validation handler

Author: kevinchalet

src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionEvents.cs

@@ -17,27 +17,27 @@ public class OAuthIntrospectionEvents
         /// <summary>
         /// Invoked when a challenge response is returned to the caller.
         /// </summary>
-        public Func<ApplyChallengeContext, Task> OnApplyChallenge { get; set; } = context => Task.FromResult(0);
+        public Func<ApplyChallengeContext, Task> OnApplyChallenge { get; set; } = context => Task.CompletedTask;
 
         /// <summary>
         /// Invoked when a ticket is to be created from an introspection response.
         /// </summary>
-        public Func<CreateTicketContext, Task> OnCreateTicket { get; set; } = context => Task.FromResult(0);
+        public Func<CreateTicketContext, Task> OnCreateTicket { get; set; } = context => Task.CompletedTask;
 
         /// <summary>
         /// Invoked when a token is to be sent to the authorization server for introspection.
         /// </summary>
-        public Func<SendIntrospectionRequestContext, Task> OnSendIntrospectionRequest { get; set; } = context => Task.FromResult(0);
+        public Func<SendIntrospectionRequestContext, Task> OnSendIntrospectionRequest { get; set; } = context => Task.CompletedTask;
 
         /// <summary>
         /// Invoked when a token is to be parsed from a newly-received request.
         /// </summary>
-        public Func<RetrieveTokenContext, Task> OnRetrieveToken { get; set; } = context => Task.FromResult(0);
+        public Func<RetrieveTokenContext, Task> OnRetrieveToken { get; set; } = context => Task.CompletedTask;
 
         /// <summary>
         /// Invoked when a token is to be validated, before final processing.
         /// </summary>
-        public Func<ValidateTokenContext, Task> OnValidateToken { get; set; } = context => Task.FromResult(0);
+        public Func<ValidateTokenContext, Task> OnValidateToken { get; set; } = context => Task.CompletedTask;
 
         /// <summary>
         /// Invoked when a challenge response is returned to the caller.

src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionHandler.cs

@@ -806,7 +806,7 @@ private Task StoreTicketAsync(string token, AuthenticationTicket ticket)
         {
             if (Options.CachingPolicy == null)
             {
-                return Task.FromResult(0);
+                return Task.CompletedTask;
             }
 
             var bytes = Encoding.UTF8.GetBytes(Options.AccessTokenFormat.Protect(ticket));

src/AspNet.Security.OAuth.Validation/Events/DecryptTokenContext.cs

@@ -0,0 +1,38 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+ * See https://github.com/aspnet-contrib/AspNet.Security.OAuth.Extensions for more information
+ * concerning the license and the contributors participating to this project.
+ */
+
+using JetBrains.Annotations;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Http;
+
+namespace AspNet.Security.OAuth.Validation
+{
+    /// <summary>
+    /// Allows custom decryption of access tokens.
+    /// </summary>
+    public class DecryptTokenContext : ResultContext<OAuthValidationOptions>
+    {
+        public DecryptTokenContext(
+            [NotNull] HttpContext context,
+            [NotNull] AuthenticationScheme scheme,
+            [NotNull] OAuthValidationOptions options,
+            [NotNull] string token)
+            : base(context, scheme, options)
+        {
+            Token = token;
+        }
+
+        /// <summary>
+        /// Gets the access token.
+        /// </summary>
+        public string Token { get; }
+
+        /// <summary>
+        /// Gets or sets the data format used to deserialize the authentication ticket.
+        /// </summary>
+        public ISecureDataFormat<AuthenticationTicket> DataFormat { get; set; }
+    }
+}

src/AspNet.Security.OAuth.Validation/OAuthValidationEvents.cs

@@ -17,22 +17,27 @@ public class OAuthValidationEvents
         /// <summary>
         /// Invoked when a challenge response is returned to the caller.
         /// </summary>
-        public Func<ApplyChallengeContext, Task> OnApplyChallenge { get; set; } = context => Task.FromResult(0);
+        public Func<ApplyChallengeContext, Task> OnApplyChallenge { get; set; } = context => Task.CompletedTask;
 
         /// <summary>
         /// Invoked when a ticket is to be created from an introspection response.
         /// </summary>
-        public Func<CreateTicketContext, Task> OnCreateTicket { get; set; } = context => Task.FromResult(0);
+        public Func<CreateTicketContext, Task> OnCreateTicket { get; set; } = context => Task.CompletedTask;
+
+        /// <summary>
+        /// Invoked when a token is to be decrypted.
+        /// </summary>
+        public Func<DecryptTokenContext, Task> OnDecryptToken { get; set; } = context => Task.CompletedTask;
 
         /// <summary>
         /// Invoked when a token is to be parsed from a newly-received request.
         /// </summary>
-        public Func<RetrieveTokenContext, Task> OnRetrieveToken { get; set; } = context => Task.FromResult(0);
+        public Func<RetrieveTokenContext, Task> OnRetrieveToken { get; set; } = context => Task.CompletedTask;
 
         /// <summary>
         /// Invoked when a token is to be validated, before final processing.
         /// </summary>
-        public Func<ValidateTokenContext, Task> OnValidateToken { get; set; } = context => Task.FromResult(0);
+        public Func<ValidateTokenContext, Task> OnValidateToken { get; set; } = context => Task.CompletedTask;
 
         /// <summary>
         /// Invoked when a challenge response is returned to the caller.
@@ -44,6 +49,11 @@ public class OAuthValidationEvents
         /// </summary>
         public virtual Task CreateTicket(CreateTicketContext context) => OnCreateTicket(context);
 
+        /// <summary>
+        /// Invoked when a token is to be decrypted.
+        /// </summary>
+        public virtual Task DecryptToken(DecryptTokenContext context) => OnDecryptToken(context);
+
         /// <summary>
         /// Invoked when a token is to be parsed from a newly-received request.
         /// </summary>

src/AspNet.Security.OAuth.Validation/OAuthValidationHandler.cs

@@ -348,9 +348,45 @@ private bool ValidateAudience(AuthenticationTicket ticket)
             return false;
         }
 
+        private async Task<AuthenticateResult> DecryptTokenAsync(string token)
+        {
+            var notification = new DecryptTokenContext(Context, Scheme, Options, token)
+            {
+                DataFormat = Options.AccessTokenFormat
+            };
+
+            await Events.DecryptToken(notification);
+
+            if (notification.Result != null)
+            {
+                Logger.LogInformation("The default authentication handling was skipped from user code.");
+
+                return notification.Result;
+            }
+
+            if (notification.DataFormat == null)
+            {
+                throw new InvalidOperationException("A data formatter must be provided.");
+            }
+
+            var ticket = notification.DataFormat.Unprotect(token);
+            if (ticket == null)
+            {
+                return AuthenticateResult.Fail("Authentication failed because the access token was invalid.");
+            }
+
+            return AuthenticateResult.Success(ticket);
+        }
+
         private async Task<AuthenticateResult> CreateTicketAsync(string token)
         {
-            var ticket = Options.AccessTokenFormat.Unprotect(token);
+            var result = await DecryptTokenAsync(token);
+            if (!result.Succeeded)
+            {
+                return result;
+            }
+
+            var ticket = result.Ticket;
             if (ticket == null)
             {
                 return AuthenticateResult.Fail("Authentication failed because the access token was invalid.");

src/Owin.Security.OAuth.Introspection/OAuthIntrospectionEvents.cs

@@ -17,27 +17,27 @@ public class OAuthIntrospectionEvents
         /// <summary>
         /// Invoked when a challenge response is returned to the caller.
         /// </summary>
-        public Func<ApplyChallengeContext, Task> OnApplyChallenge { get; set; } = context => Task.FromResult(0);
+        public Func<ApplyChallengeContext, Task> OnApplyChallenge { get; set; } = context => Task.CompletedTask;
 
         /// <summary>
         /// Invoked when a ticket is to be created from an introspection response.
         /// </summary>
-        public Func<CreateTicketContext, Task> OnCreateTicket { get; set; } = context => Task.FromResult(0);
+        public Func<CreateTicketContext, Task> OnCreateTicket { get; set; } = context => Task.CompletedTask;
 
         /// <summary>
         /// Invoked when a token is to be parsed from a newly-received request.
         /// </summary>
-        public Func<RetrieveTokenContext, Task> OnRetrieveToken { get; set; } = context => Task.FromResult(0);
+        public Func<RetrieveTokenContext, Task> OnRetrieveToken { get; set; } = context => Task.CompletedTask;
 
         /// <summary>
         /// Invoked when a token is to be sent to the authorization server for introspection.
         /// </summary>
-        public Func<SendIntrospectionRequestContext, Task> OnSendIntrospectionRequest { get; set; } = context => Task.FromResult(0);
+        public Func<SendIntrospectionRequestContext, Task> OnSendIntrospectionRequest { get; set; } = context => Task.CompletedTask;
 
         /// <summary>
         /// Invoked when a token is to be validated, before final processing.
         /// </summary>
-        public Func<ValidateTokenContext, Task> OnValidateToken { get; set; } = context => Task.FromResult(0);
+        public Func<ValidateTokenContext, Task> OnValidateToken { get; set; } = context => Task.CompletedTask;
 
         /// <summary>
         /// Invoked when a challenge response is returned to the caller.

src/Owin.Security.OAuth.Introspection/OAuthIntrospectionHandler.cs

@@ -749,7 +749,7 @@ private Task StoreTicketAsync(string token, AuthenticationTicket ticket)
         {
             if (Options.CachingPolicy == null)
             {
-                return Task.FromResult(0);
+                return Task.CompletedTask;
             }
 
             var bytes = Encoding.UTF8.GetBytes(Options.AccessTokenFormat.Protect(ticket));

src/Owin.Security.OAuth.Validation/Events/DecryptTokenContext.cs

@@ -0,0 +1,64 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+ * See https://github.com/aspnet-contrib/AspNet.Security.OAuth.Extensions for more information
+ * concerning the license and the contributors participating to this project.
+ */
+
+using JetBrains.Annotations;
+using Microsoft.Owin;
+using Microsoft.Owin.Security;
+using Microsoft.Owin.Security.Provider;
+
+namespace Owin.Security.OAuth.Validation
+{
+    /// <summary>
+    /// Allows custom decryption of access tokens.
+    /// </summary>
+    public class DecryptTokenContext : BaseContext<OAuthValidationOptions>
+    {
+        public DecryptTokenContext(
+            [NotNull] IOwinContext context,
+            [NotNull] OAuthValidationOptions options,
+            [NotNull] string token)
+            : base(context, options)
+        {
+            Token = token;
+        }
+
+        /// <summary>
+        /// Gets the access token.
+        /// </summary>
+        public string Token { get; }
+
+        /// <summary>
+        /// Gets or sets the data format used to deserialize the authentication ticket.
+        /// </summary>
+        public ISecureDataFormat<AuthenticationTicket> DataFormat { get; set; }
+
+        /// <summary>
+        /// Gets or sets the <see cref="AuthenticationTicket"/>
+        /// extracted from the access token.
+        /// </summary>
+        public AuthenticationTicket Ticket { get; set; }
+
+        /// <summary>
+        /// Gets a boolean indicating if the operation was handled from user code.
+        /// </summary>
+        public bool Handled { get; private set; }
+
+        /// <summary>
+        /// Marks the operation as handled to prevent the default logic from being applied.
+        /// </summary>
+        public void HandleDecryption() => Handled = true;
+
+        /// <summary>
+        /// Marks the operation as handled to prevent the default logic from being applied.
+        /// </summary>
+        /// <param name="ticket">The authentication ticket to use.</param>
+        public void HandleDecryption(AuthenticationTicket ticket)
+        {
+            Ticket = ticket;
+            Handled = true;
+        }
+    }
+}

src/Owin.Security.OAuth.Validation/OAuthValidationEvents.cs

@@ -17,22 +17,27 @@ public class OAuthValidationEvents
         /// <summary>
         /// Invoked when a challenge response is returned to the caller.
         /// </summary>
-        public Func<ApplyChallengeContext, Task> OnApplyChallenge { get; set; } = context => Task.FromResult(0);
+        public Func<ApplyChallengeContext, Task> OnApplyChallenge { get; set; } = context => Task.CompletedTask;
 
         /// <summary>
         /// Invoked when a ticket is to be created from an access token.
         /// </summary>
-        public Func<CreateTicketContext, Task> OnCreateTicket { get; set; } = context => Task.FromResult(0);
+        public Func<CreateTicketContext, Task> OnCreateTicket { get; set; } = context => Task.CompletedTask;
+
+        /// <summary>
+        /// Invoked when a token is to be decrypted.
+        /// </summary>
+        public Func<DecryptTokenContext, Task> OnDecryptToken { get; set; } = context => Task.CompletedTask;
 
         /// <summary>
         /// Invoked when a token is to be parsed from a newly-received request.
         /// </summary>
-        public Func<RetrieveTokenContext, Task> OnRetrieveToken { get; set; } = context => Task.FromResult(0);
+        public Func<RetrieveTokenContext, Task> OnRetrieveToken { get; set; } = context => Task.CompletedTask;
 
         /// <summary>
         /// Invoked when a token is to be validated, before final processing.
         /// </summary>
-        public Func<ValidateTokenContext, Task> OnValidateToken { get; set; } = context => Task.FromResult(0);
+        public Func<ValidateTokenContext, Task> OnValidateToken { get; set; } = context => Task.CompletedTask;
 
         /// <summary>
         /// Invoked when a challenge response is returned to the caller.
@@ -44,6 +49,11 @@ public class OAuthValidationEvents
         /// </summary>
         public virtual Task CreateTicket(CreateTicketContext context) => OnCreateTicket(context);
 
+        /// <summary>
+        /// Invoked when a token is to be decrypted.
+        /// </summary>
+        public virtual Task DecryptToken(DecryptTokenContext context) => OnDecryptToken(context);
+
         /// <summary>
         /// Invoked when a token is to be parsed from a newly-received request.
         /// </summary>

src/Owin.Security.OAuth.Validation/OAuthValidationHandler.cs

@@ -324,9 +324,33 @@ private bool ValidateAudience(AuthenticationTicket ticket)
             return false;
         }
 
+        private async Task<AuthenticationTicket> DecryptTokenAsync(string token)
+        {
+            var notification = new DecryptTokenContext(Context, Options, token)
+            {
+                DataFormat = Options.AccessTokenFormat
+            };
+
+            await Options.Events.DecryptToken(notification);
+
+            if (notification.Handled)
+            {
+                Logger.LogInformation("The default authentication handling was skipped from user code.");
+
+                return notification.Ticket;
+            }
+
+            if (notification.DataFormat == null)
+            {
+                throw new InvalidOperationException("A data formatter must be provided.");
+            }
+
+            return notification.DataFormat.Unprotect(token);
+        }
+
         private async Task<AuthenticationTicket> CreateTicketAsync(string token)
         {
-            var ticket = Options.AccessTokenFormat.Unprotect(token);
+            var ticket = await DecryptTokenAsync(token);
             if (ticket == null)
             {
                 return null;