Merge pull request #26 from umbraco/feature/long-lived-access-token

Exchange access tokens implementation

Author: acoumb

examples/Umbraco.AuthorizedServices.TestSite/appsettings.json

@@ -432,7 +432,7 @@
           "RequestIdentityPath": "",
           "RequestTokenPath": "",
           "RequestTokenFormat": "",
-          "ApiKey: "[api_key]",
+          "ApiKey": "",
           "ApiKeyProvision": {
             "Method": "QueryString",
             "Key": "key"
@@ -472,6 +472,30 @@
           "Scopes": "https://graph.microsoft.com/.default",
           "IncludeScopesInAuthorizationRequest": true,
           "SampleRequest": "/me"
+        },
+        "instagram": {
+          "DisplayName": "Instagram",
+          "ApiHost": "https://api.instagram.com",
+          "IdentityHost": "https://api.instagram.com",
+          "TokenHost": "https://api.instagram.com",
+          "RequestIdentityPath": "/oauth/authorize",
+          "RequestTokenPath": "/oauth/access_token",
+          "RequestTokenFormat": "FormUrlEncoded",
+          "AuthorizationUrlRequiresRedirectUrl": true,
+          "ClientId": "",
+          "ClientSecret": "",
+          "Scopes": "user_profile",
+          "SampleRequest": "/v3.0/me",
+          "CanExchangeToken": true,
+          "ExchangeTokenProvision": {
+            "TokenHost": "https://graph.instagram.com",
+            "RequestTokenPath": "/access_token",
+            "TokenGrantType": "ig_exchange_token",
+            "RequestRefreshTokenPath": "/refresh_access_token",
+            "RefreshTokenGrantType": "ig_refresh_token",
+            "ExchangeTokenWhenExpiresWithin": "25.00:00:00"
+          },
+          "RefreshAccessTokenWhenExpiresWithin": "00.00:00:40"
         }
       }
     }

src/Umbraco.AuthorizedServices/AuthorizedServicesComposer.cs

@@ -41,6 +41,7 @@ private static void RegisterServices(IUmbracoBuilder builder)
     {
         builder.Services.AddUnique<IAuthorizationClientFactory, AuthorizationClientFactory>();
         builder.Services.AddUnique<IAuthorizationParametersBuilder, AuthorizationParametersBuilder>();
+        builder.Services.AddUnique<IExchangeTokenParametersBuilder, ExchangeTokenParametersBuilder>();
         builder.Services.AddUnique<IAuthorizationRequestSender, AuthorizationRequestSender>();
         builder.Services.AddUnique<IAuthorizedServiceAuthorizer, AuthorizedServiceAuthorizer>();
         builder.Services.AddUnique<IAuthorizationUrlBuilder, AuthorizationUrlBuilder>();

src/Umbraco.AuthorizedServices/Configuration/AuthorizedServiceSettings.cs

@@ -83,6 +83,27 @@ public class ApiKeyProvision
     public override string ToString() => $"{Method} / {Key}";
 }
 
+/// <summary>
+/// Defines the provisioning options for an API exchanging short lived tokens with long lived ones.
+/// </summary>
+public class ExchangeTokenProvision
+{
+    public string TokenHost { get; set;} = string.Empty;
+
+    public string RequestTokenPath { get; set;} = string.Empty;
+
+    public string TokenGrantType { get; set; } = string.Empty;
+
+    public string RequestRefreshTokenPath { get; set; } = string.Empty;
+
+    public string RefreshTokenGrantType { get; set; } = string.Empty;
+
+    /// <summary>
+    /// Gets or sets the time interval for expiration of exchange tokens.
+    /// </summary>
+    public TimeSpan ExchangeTokenWhenExpiresWithin { get; set; } = TimeSpan.FromDays(30);
+}
+
 /// <summary>
 /// Defines the strongly typed configuration for a single service.
 /// </summary>
@@ -207,6 +228,16 @@ public class ServiceDetail : ServiceSummary
     /// </summary>
     public bool UseProofKeyForCodeExchange { get; set; }
 
+    /// <summary>
+    /// Gets or sets a value indicating whether the OAuth flow should exchange the access token.
+    /// </summary>
+    public bool CanExchangeToken { get; set; }
+
+    /// <summary>
+    /// Gets or sets the provisioning options for exchanging token flow.
+    /// </summary>
+    public ExchangeTokenProvision? ExchangeTokenProvision { get; set; }
+
     /// <summary>
     /// Gets or sets the key expected in the token response that identifies the access token.
     /// </summary>
@@ -227,6 +258,11 @@ public class ServiceDetail : ServiceSummary
     /// </summary>
     public string? SampleRequest { get; set; }
 
+    /// <summary>
+    /// Gets or sets the time interval for expiration of access tokens.
+    /// </summary>
+    public TimeSpan RefreshAccessTokenWhenExpiresWithin { get; set; } = TimeSpan.FromSeconds(30);
+
     internal string GetTokenHost() => string.IsNullOrWhiteSpace(TokenHost)
         ? IdentityHost
         : TokenHost;

src/Umbraco.AuthorizedServices/Controllers/AuthorizedServiceResponseController.cs

@@ -1,4 +1,6 @@
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Options;
+using Umbraco.AuthorizedServices.Configuration;
 using Umbraco.AuthorizedServices.Exceptions;
 using Umbraco.AuthorizedServices.Extensions;
 using Umbraco.AuthorizedServices.Models;
@@ -14,16 +16,19 @@ public class AuthorizedServiceResponseController : UmbracoApiController
 {
     private readonly IAuthorizedServiceAuthorizer _serviceAuthorizer;
     private readonly IAuthorizationPayloadCache _authorizedServiceAuthorizationPayloadCache;
+    private readonly IOptionsMonitor<ServiceDetail> _serviceDetailOptions;
 
     /// <summary>
     /// Initializes a new instance of the <see cref="AuthorizedServiceResponseController"/> class.
     /// </summary>
     public AuthorizedServiceResponseController(
         IAuthorizedServiceAuthorizer serviceAuthorizer,
-        IAuthorizationPayloadCache authorizedServiceAuthorizationPayloadCache)
+        IAuthorizationPayloadCache authorizedServiceAuthorizationPayloadCache,
+        IOptionsMonitor<ServiceDetail> serviceDetailOptions)
     {
         _serviceAuthorizer = serviceAuthorizer;
         _authorizedServiceAuthorizationPayloadCache = authorizedServiceAuthorizationPayloadCache;
+        _serviceDetailOptions = serviceDetailOptions;
     }
 
     /// <summary>
@@ -52,11 +57,39 @@ public async Task<IActionResult> HandleIdentityResponse(string code, string stat
         _authorizedServiceAuthorizationPayloadCache.Remove(stateParts[0]);
         AuthorizationResult result = await _serviceAuthorizer.AuthorizeOAuth2AuthorizationCodeServiceAsync(serviceAlias, code, redirectUri, codeVerifier);
 
+        // handle exchange
+        ServiceDetail serviceDetail = _serviceDetailOptions.Get(serviceAlias);
+        if (serviceDetail.CanExchangeToken)
+        {
+            return await HandleTokenExchange(serviceDetail);
+        }
+
         if (result.Success)
         {
             return Redirect($"/umbraco#/settings/AuthorizedServices/edit/{serviceAlias}");
         }
 
         throw new AuthorizedServiceException("Failed to obtain access token");
     }
+
+    /// <summary>
+    /// Handles the token exchange flow.
+    /// </summary>
+    /// <param name="serviceDetail">The service detail.</param>
+    private async Task<IActionResult> HandleTokenExchange(ServiceDetail serviceDetail)
+    {
+        if (serviceDetail.ExchangeTokenProvision is null)
+        {
+            throw new AuthorizedServiceException("Failed to retrieve exchange token provisioning.");
+        }
+
+        AuthorizationResult exchangeResult = await _serviceAuthorizer.ExchangeOAuth2AccessTokenAsync(serviceDetail.Alias);
+
+        if (exchangeResult.Success)
+        {
+            return Redirect($"/umbraco#/settings/AuthorizedServices/edit/{serviceDetail.Alias}");
+        }
+
+        throw new AuthorizedServiceException("Failed to exchange the access token.");
+    }
 }

src/Umbraco.AuthorizedServices/Models/Token.cs

@@ -1,3 +1,5 @@
+using System;
+
 namespace Umbraco.AuthorizedServices.Models;
 
 /// <summary>
@@ -40,7 +42,7 @@ public Token(string accessToken, string? refreshToken, DateTime? expiresOn)
     public DateTime? ExpiresOn { get; }
 
     /// <summary>
-    /// Checks to see if the token either has or is about to expire (in the next 30 seconds).
+    /// Checks to see if the token will be expired after the provided period.
     /// </summary>
-    public bool HasOrIsAboutToExpire => ExpiresOn.HasValue && DateTime.UtcNow.AddSeconds(30) > ExpiresOn;
+    public bool WillBeExpiredAfter(TimeSpan period) => ExpiresOn.HasValue && DateTime.UtcNow.Add(period) > ExpiresOn;
 }

src/Umbraco.AuthorizedServices/Services/IAuthorizationRequestSender.cs

@@ -14,4 +14,12 @@ public interface IAuthorizationRequestSender
     /// <param name="parameters">The authorization parameters.</param>
     /// <returns>A <see cref="Task{HttpResponseMessage}"/> representing the result of the asynchronous operation.</returns>
     Task<HttpResponseMessage> SendRequest(ServiceDetail serviceDetail, Dictionary<string, string> parameters);
+
+    /// <summary>
+    /// Sends an authorization request to a service.
+    /// </summary>
+    /// <param name="serviceDetail">The service detail.</param>
+    /// <param name="parameters">The authorization parameters.</param>
+    /// <returns>A <see cref="Task{HttpResponseMessage}"/> representing the result of the asynchronous operation.</returns>
+    Task<HttpResponseMessage> SendExchangeRequest(ServiceDetail serviceDetail, Dictionary<string, string> parameters);
 }

src/Umbraco.AuthorizedServices/Services/IAuthorizedServiceAuthorizer.cs

@@ -23,4 +23,11 @@ public interface IAuthorizedServiceAuthorizer
     /// <param name="serviceAlias">The service alias.</param>
     /// <returns>A <see cref="Task{AuthorizationResult}"/> representing the result of the asynchronous operation.</returns>
     Task<AuthorizationResult> AuthorizeOAuth2ClientCredentialsServiceAsync(string serviceAlias);
+
+    /// <summary>
+    /// Exchanges the access token with a long lived one.
+    /// </summary>
+    /// <param name="serviceAlias">The service alias.</param>
+    /// <returns>A <see cref="Task{AuthorizationResult}"/> representing the result of the asynchronous operation.</returns>
+    Task<AuthorizationResult> ExchangeOAuth2AccessTokenAsync(string serviceAlias);
 }

src/Umbraco.AuthorizedServices/Services/IExchangeTokenParametersBuilder.cs

@@ -0,0 +1,17 @@
+using Umbraco.AuthorizedServices.Configuration;
+
+namespace Umbraco.AuthorizedServices.Services;
+
+/// <summary>
+/// Defines operations on building the parameter dictionary used in exchange token authorization requests.
+/// </summary>
+public interface IExchangeTokenParametersBuilder
+{
+    /// <summary>
+    /// Builds the parameter dictionary used in the exchange token flow.
+    /// </summary>
+    /// <param name="serviceDetail">The service detail.</param>
+    /// <param name="accessToken">The short lived access token.</param>
+    /// <returns>A dictionary containing the authorization parameters.</returns>
+    Dictionary<string, string> BuildParameters(ServiceDetail serviceDetail, string accessToken);
+}

src/Umbraco.AuthorizedServices/Services/IRefreshTokenParametersBuilder.cs

@@ -8,7 +8,7 @@ namespace Umbraco.AuthorizedServices.Services;
 public interface IRefreshTokenParametersBuilder
 {
     /// <summary>
-    /// Builds the the parameter dictionary used in token refresh requests.
+    /// Builds the parameter dictionary used in token refresh requests.
     /// </summary>
     /// <param name="serviceDetail">The service detail.</param>
     /// <param name="refreshToken">The refresh token.</param>

src/Umbraco.AuthorizedServices/Services/Implement/AuthorizationRequestSender.cs

@@ -39,6 +39,31 @@ public async Task<HttpResponseMessage> SendRequest(ServiceDetail serviceDetail,
         return await httpClient.PostAsync(url, content);
     }
 
+    public async Task<HttpResponseMessage> SendExchangeRequest(ServiceDetail serviceDetail, Dictionary<string, string> parameters)
+    {
+        HttpClient httpClient = _authorizationClientFactory.CreateClient();
+
+        var url = serviceDetail.ExchangeTokenProvision is not null
+            ? string.Format(
+                "{0}{1}",
+                string.IsNullOrWhiteSpace(serviceDetail.ExchangeTokenProvision.TokenHost)
+                    ? serviceDetail.GetTokenHost()
+                    : serviceDetail.ExchangeTokenProvision.TokenHost,
+                string.IsNullOrWhiteSpace(serviceDetail.ExchangeTokenProvision.RequestTokenPath)
+                    ? serviceDetail.RequestTokenPath
+                    : serviceDetail.ExchangeTokenProvision.RequestTokenPath)
+            : serviceDetail.GetTokenHost() + serviceDetail.RequestTokenPath;
+
+        if (serviceDetail.ExchangeTokenProvision is null)
+        {
+            throw new ArgumentNullException(nameof(serviceDetail.ExchangeTokenProvision));
+        }
+
+        url += BuildAuthorizationQuerystring(parameters);
+
+        return await httpClient.GetAsync(url);
+    }
+
     private static string BuildAuthorizationQuerystring(Dictionary<string, string> parameters)
     {
         var qs = new StringBuilder();