Use v2 API for EVEOnline provider (#497)

* Add EVEOnlineV2 provider

* Rebased

* Correct failing tests in EVEOnline provider

* Add scopes back for EVEOnline provider

* Add error handling where missing in EVEOnline provider

* Alter exceptions from EVEOnline provider to InvalidOperationException

* Remove redundant setting of GivenName claim for EVEOnline provider

* Fixed broken rebase

* Pull request edits for EVEOnline provider

Author: Dusty-Meg

README.md

@@ -72,6 +72,7 @@ We would love it if you could help contributing to this repository.
 * [Luke Fulliton](https://github.com/lukefulliton)
 * [Mariusz Zieliński](https://github.com/mariozski)
 * [Martin Costello](https://github.com/martincostello)
+* [Matthew Moore](https://github.com/Dusty-Meg)
 * [Maxime Roussin-Bélanger](https://github.com/Lorac)
 * [Michael Knowles](https://github.com/mjknowles)
 * [Michael Tanczos](https://github.com/tanczosm)

src/AspNet.Security.OAuth.EVEOnline/AspNet.Security.OAuth.EVEOnline.csproj

@@ -6,13 +6,14 @@
 
   <PropertyGroup>
     <Description>ASP.NET Core security middleware enabling EVEOnline authentication.</Description>
-    <Authors>Mariusz Zieliński;Chino Chang</Authors>
+    <Authors>Mariusz Zieliński;Chino Chang;Matthew Moore</Authors>
     <PackageTags>aspnetcore;authentication;eveonline;oauth;security</PackageTags>
   </PropertyGroup>
 
   <ItemGroup>
     <FrameworkReference Include="Microsoft.AspNetCore.App" />
     <PackageReference Include="JetBrains.Annotations" PrivateAssets="All" />
+    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" />
   </ItemGroup>
 
-</Project>
+</Project>

src/AspNet.Security.OAuth.EVEOnline/EVEOnlineAuthenticationDefaults.cs

@@ -39,16 +39,17 @@ public static class Tranquility
         /// <summary>
         /// Default value for <see cref="OAuthOptions.AuthorizationEndpoint"/>.
         /// </summary>
-        public static readonly string AuthorizationEndpoint = "https://login.eveonline.com/oauth/authorize";
+        public static readonly string AuthorizationEndpoint = "https://login.eveonline.com/v2/oauth/authorize";
 
         /// <summary>
         /// Default value for <see cref="OAuthOptions.TokenEndpoint"/>.
         /// </summary>
-        public static readonly string TokenEndpoint = "https://login.eveonline.com/oauth/token";
+        public static readonly string TokenEndpoint = "https://login.eveonline.com/v2/oauth/token";
 
         /// <summary>
         /// Default value for <see cref="OAuthOptions.UserInformationEndpoint"/>.
         /// </summary>
+        [Obsolete("This endpoint is no longer used by the EVEOnline provider.")]
         public static readonly string UserInformationEndpoint = "https://login.eveonline.com/oauth/verify";
     }
 
@@ -60,16 +61,17 @@ public static class Singularity
         /// <summary>
         /// Default value for <see cref="OAuthOptions.AuthorizationEndpoint"/>.
         /// </summary>
-        public static readonly string AuthorizationEndpoint = "https://sisilogin.testeveonline.com/oauth/authorize";
+        public static readonly string AuthorizationEndpoint = "https://sisilogin.testeveonline.com/v2/oauth/authorize";
 
         /// <summary>
         /// Default value for <see cref="OAuthOptions.TokenEndpoint"/>.
         /// </summary>
-        public static readonly string TokenEndpoint = "https://sisilogin.testeveonline.com/oauth/token";
+        public static readonly string TokenEndpoint = "https://sisilogin.testeveonline.com/v2/oauth/token";
 
         /// <summary>
         /// Default value for <see cref="OAuthOptions.UserInformationEndpoint"/>.
         /// </summary>
+        [Obsolete("This endpoint is no longer used by the EVEOnline provider.")]
         public static readonly string UserInformationEndpoint = "https://sisilogin.testeveonline.com/oauth/verify";
     }
 }

src/AspNet.Security.OAuth.EVEOnline/EVEOnlineAuthenticationExtensions.cs

@@ -5,6 +5,8 @@
  */
 
 using AspNet.Security.OAuth.EVEOnline;
+using Microsoft.Extensions.DependencyInjection.Extensions;
+using Microsoft.Extensions.Options;
 
 namespace Microsoft.Extensions.DependencyInjection;
 
@@ -69,6 +71,8 @@ public static AuthenticationBuilder AddEVEOnline(
         [CanBeNull] string caption,
         [NotNull] Action<EVEOnlineAuthenticationOptions> configuration)
     {
+        builder.Services.TryAddSingleton<IPostConfigureOptions<EVEOnlineAuthenticationOptions>, EVEOnlinePostConfigureOptions>();
+
         return builder.AddOAuth<EVEOnlineAuthenticationOptions, EVEOnlineAuthenticationHandler>(scheme, caption, configuration);
     }
 }

src/AspNet.Security.OAuth.EVEOnline/EVEOnlineAuthenticationHandler.cs

@@ -4,17 +4,24 @@
  * for more information concerning the license and the contributors participating to this project.
  */
 
-using System.Net.Http.Headers;
+using System.Globalization;
 using System.Security.Claims;
 using System.Text.Encodings.Web;
-using System.Text.Json;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
+using Microsoft.IdentityModel.JsonWebTokens;
 
 namespace AspNet.Security.OAuth.EVEOnline;
 
 public partial class EVEOnlineAuthenticationHandler : OAuthHandler<EVEOnlineAuthenticationOptions>
 {
+    /// <summary>
+    /// Initializes a new instance of the <see cref="EVEOnlineAuthenticationHandler"/> class.
+    /// </summary>
+    /// <param name="options">The authentication options.</param>
+    /// <param name="logger">The logger to use.</param>
+    /// <param name="encoder">The URL encoder to use.</param>
+    /// <param name="clock">The system clock to use.</param>
     public EVEOnlineAuthenticationHandler(
         [NotNull] IOptionsMonitor<EVEOnlineAuthenticationOptions> options,
         [NotNull] ILoggerFactory logger,
@@ -29,27 +36,88 @@ protected override async Task<AuthenticationTicket> CreateTicketAsync(
         [NotNull] AuthenticationProperties properties,
         [NotNull] OAuthTokenResponse tokens)
     {
-        using var request = new HttpRequestMessage(HttpMethod.Get, Options.UserInformationEndpoint);
-        request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
-        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", tokens.AccessToken);
+        string? accessToken = tokens.AccessToken;
 
-        using var response = await Backchannel.SendAsync(request, HttpCompletionOption.ResponseHeadersRead, Context.RequestAborted);
-        if (!response.IsSuccessStatusCode)
+        if (string.IsNullOrWhiteSpace(accessToken))
         {
-            await Log.UserProfileErrorAsync(Logger, response, Context.RequestAborted);
-            throw new HttpRequestException("An error occurred while retrieving the user profile.");
+            throw new InvalidOperationException("No access token was returned in the OAuth token.");
         }
 
-        using var payload = JsonDocument.Parse(await response.Content.ReadAsStringAsync(Context.RequestAborted));
+        var tokenClaims = ExtractClaimsFromToken(accessToken);
+
+        foreach (var claim in tokenClaims)
+        {
+            identity.AddClaim(claim);
+        }
 
         var principal = new ClaimsPrincipal(identity);
-        var context = new OAuthCreatingTicketContext(principal, properties, Context, Scheme, Options, Backchannel, tokens, payload.RootElement);
+        var context = new OAuthCreatingTicketContext(principal, properties, Context, Scheme, Options, Backchannel, tokens, tokens.Response!.RootElement);
         context.RunClaimActions();
 
         await Events.CreatingTicket(context);
         return new AuthenticationTicket(context.Principal!, context.Properties, Scheme.Name);
     }
 
+    /// <summary>
+    /// Extracts the claims from the token received from the token endpoint.
+    /// </summary>
+    /// <param name="token">The token to extract the claims from.</param>
+    /// <returns>
+    /// An <see cref="IEnumerable{Claim}"/> containing the claims extracted from the token.
+    /// </returns>
+    protected virtual IEnumerable<Claim> ExtractClaimsFromToken([NotNull] string token)
+    {
+        try
+        {
+            var securityToken = Options.SecurityTokenHandler.ReadJsonWebToken(token);
+
+            var nameClaim = ExtractClaim(securityToken, "name");
+            var expClaim = ExtractClaim(securityToken, "exp");
+
+            var claims = new List<Claim>(securityToken.Claims);
+
+            claims.Add(new Claim(ClaimTypes.NameIdentifier, securityToken.Subject.Replace("CHARACTER:EVE:", string.Empty, StringComparison.OrdinalIgnoreCase), ClaimValueTypes.String, ClaimsIssuer));
+            claims.Add(new Claim(ClaimTypes.Name, nameClaim.Value, ClaimValueTypes.String, ClaimsIssuer));
+            claims.Add(new Claim(ClaimTypes.Expiration, UnixTimeStampToDateTime(expClaim.Value), ClaimValueTypes.DateTime, ClaimsIssuer));
+
+            var scopes = claims.Where(x => string.Equals(x.Type, "scp", StringComparison.OrdinalIgnoreCase)).ToList();
+
+            if (scopes.Count > 0)
+            {
+                claims.Add(new Claim(EVEOnlineAuthenticationConstants.Claims.Scopes, string.Join(' ', scopes.Select(x => x.Value)), ClaimValueTypes.String, ClaimsIssuer));
+            }
+
+            return claims;
+        }
+        catch (Exception ex)
+        {
+            throw new InvalidOperationException("Failed to parse JWT for claims from EVEOnline token.", ex);
+        }
+    }
+
+    private static Claim ExtractClaim([NotNull] JsonWebToken token, [NotNull] string claim)
+    {
+        var extractedClaim = token.Claims.FirstOrDefault(x => string.Equals(x.Type, claim, StringComparison.OrdinalIgnoreCase));
+
+        if (extractedClaim == null)
+        {
+            throw new InvalidOperationException($"The claim '{claim}' is missing from the EVEOnline JWT.");
+        }
+
+        return extractedClaim;
+    }
+
+    private static string UnixTimeStampToDateTime(string unixTimeStamp)
+    {
+        if (!long.TryParse(unixTimeStamp, NumberStyles.Integer, CultureInfo.InvariantCulture, out long unixTime))
+        {
+            throw new InvalidOperationException($"The value {unixTimeStamp} of the 'exp' claim is not a valid 64-bit integer.");
+        }
+
+        DateTimeOffset offset = DateTimeOffset.FromUnixTimeSeconds(unixTime);
+        return offset.ToString("o", CultureInfo.InvariantCulture);
+    }
+
     private static partial class Log
     {
         internal static async Task UserProfileErrorAsync(ILogger logger, HttpResponseMessage response, CancellationToken cancellationToken)

src/AspNet.Security.OAuth.EVEOnline/EVEOnlineAuthenticationOptions.cs

@@ -4,8 +4,7 @@
  * for more information concerning the license and the contributors participating to this project.
  */
 
-using System.Security.Claims;
-using static AspNet.Security.OAuth.EVEOnline.EVEOnlineAuthenticationConstants;
+using Microsoft.IdentityModel.JsonWebTokens;
 
 namespace AspNet.Security.OAuth.EVEOnline;
 
@@ -20,13 +19,13 @@ public EVEOnlineAuthenticationOptions()
         CallbackPath = EVEOnlineAuthenticationDefaults.CallbackPath;
 
         Server = EVEOnlineAuthenticationServer.Tranquility;
-
-        ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "CharacterID");
-        ClaimActions.MapJsonKey(ClaimTypes.Name, "CharacterName");
-        ClaimActions.MapJsonKey(ClaimTypes.Expiration, "ExpiresOn");
-        ClaimActions.MapJsonKey(Claims.Scopes, "Scopes");
     }
 
+    /// <summary>
+    /// Gets or sets the optional <see cref="JsonWebTokenHandler"/> to use.
+    /// </summary>
+    public JsonWebTokenHandler SecurityTokenHandler { get; set; } = default!;
+
     /// <summary>
     /// Sets the server used when communicating with EVE Online
     /// (by default, <see cref="EVEOnlineAuthenticationServer.Tranquility"/>).
@@ -40,13 +39,11 @@ public EVEOnlineAuthenticationServer Server
                 case EVEOnlineAuthenticationServer.Tranquility:
                     AuthorizationEndpoint = EVEOnlineAuthenticationDefaults.Tranquility.AuthorizationEndpoint;
                     TokenEndpoint = EVEOnlineAuthenticationDefaults.Tranquility.TokenEndpoint;
-                    UserInformationEndpoint = EVEOnlineAuthenticationDefaults.Tranquility.UserInformationEndpoint;
                     break;
 
                 case EVEOnlineAuthenticationServer.Singularity:
                     AuthorizationEndpoint = EVEOnlineAuthenticationDefaults.Singularity.AuthorizationEndpoint;
                     TokenEndpoint = EVEOnlineAuthenticationDefaults.Singularity.TokenEndpoint;
-                    UserInformationEndpoint = EVEOnlineAuthenticationDefaults.Singularity.UserInformationEndpoint;
                     break;
 
                 default:

src/AspNet.Security.OAuth.EVEOnline/EVEOnlineAuthenticationPostConfigureOptions.cs

@@ -0,0 +1,27 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+ * See https://github.com/aspnet-contrib/AspNet.Security.OAuth.Providers
+ * for more information concerning the license and the contributors participating to this project.
+ */
+
+using Microsoft.Extensions.Options;
+using Microsoft.IdentityModel.JsonWebTokens;
+
+namespace AspNet.Security.OAuth.EVEOnline;
+
+/// <summary>
+/// Used to setup defaults for all <see cref="EVEOnlineAuthenticationOptions"/>.
+/// </summary>
+public class EVEOnlinePostConfigureOptions : IPostConfigureOptions<EVEOnlineAuthenticationOptions>
+{
+    /// <inheritdoc />
+    public void PostConfigure(
+        [NotNull] string name,
+        [NotNull] EVEOnlineAuthenticationOptions options)
+    {
+        if (options.SecurityTokenHandler == null)
+        {
+            options.SecurityTokenHandler = new JsonWebTokenHandler();
+        }
+    }
+}

test/AspNet.Security.OAuth.Providers.Tests/EVEOnline/EVEOnlineTests.cs

@@ -1,4 +1,4 @@
-/*
+/*
  * Licensed under the Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
  * See https://github.com/aspnet-contrib/AspNet.Security.OAuth.Providers
  * for more information concerning the license and the contributors participating to this project.

test/AspNet.Security.OAuth.Providers.Tests/EVEOnline/bundle.json

@@ -2,24 +2,14 @@
   "$schema": "https://raw.githubusercontent.com/justeat/httpclient-interception/master/src/HttpClientInterception/Bundles/http-request-bundle-schema.json",
   "items": [
     {
-      "uri": "https://login.eveonline.com/oauth/token",
+      "uri": "https://login.eveonline.com/v2/oauth/token",
       "method": "POST",
       "contentFormat": "json",
       "contentJson": {
-        "access_token": "secret-access-token",
-        "token_type": "access",
-        "refresh_token": "secret-refresh-token",
-        "expires_in": "300"
-      }
-    },
-    {
-      "uri": "https://login.eveonline.com/oauth/verify",
-      "contentFormat": "json",
-      "contentJson": {
-        "CharacterID": "my-id",
-        "CharacterName": "John Smith",
-        "ExpiresOn": "2019-12-31T23:59:59+00:00",
-        "Scopes": "my-scopes"
+        "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzY3AiOlsibXktc2NvcGVzIl0sImp0aSI6Ijk5OGUxMmM3LTMyNDEtNDNjNS04MzU1LTJjNDg4MjJlMGExYiIsImtpZCI6IkpXVC1TaWduYXR1cmUtS2V5Iiwic3ViIjoiQ0hBUkFDVEVSOkVWRTpteS1pZCIsImF6cCI6Im15M3JkcGFydHljbGllbnRpZCIsIm5hbWUiOiJKb2huIFNtaXRoIiwib3duZXIiOiI4UG16Q2VUS2I0VkZVRHJITGMvQWVaWERTV009IiwiZXhwIjoxNTc3ODM2Nzk5LCJpc3MiOiJsb2dpbi5ldmVvbmxpbmUuY29tIn0._0ziOjbFbJY2Mo9BEaJmEEBKjiKSj1IGIbvbdBH_1Vw",
+        "refresh_token": "sdfsdfsdfwd",
+        "expires_in": "1199",
+        "token_type": "Bearer"
       }
     }
   ]