using System; using System.Collections.Generic; using System.Net.Http; using System.Security.Claims; using System.Threading.Tasks; using Microsoft.Owin.Infrastructure; using Microsoft.Owin.Logging; using Microsoft.Owin.Security; using Microsoft.Owin.Security.Infrastructure; using Newtonsoft.Json; using Newtonsoft.Json.Linq; using Owin.Security.Providers.Discord.Provider; namespace Owin.Security.Providers.Discord { public class DiscordAuthenticationHandler : AuthenticationHandler { private const string XmlSchemaString = "http://www.w3.org/2001/XMLSchema#string"; private const string TokenEndpoint = "https://discordapp.com/api/oauth2/token"; private const string UserInfoEndpoint = "https://discordapp.com/api/users/@me"; private readonly ILogger _logger; private readonly HttpClient _httpClient; public DiscordAuthenticationHandler(HttpClient httpClient, ILogger logger) { _httpClient = httpClient; _logger = logger; } protected override async Task AuthenticateCoreAsync() { AuthenticationProperties properties = null; try { string code = null; string state = null; var query = Request.Query; var values = query.GetValues("code"); if (values != null && values.Count == 1) { code = values[0]; } values = query.GetValues("state"); if (values != null && values.Count == 1) { state = values[0]; } properties = Options.StateDataFormat.Unprotect(state); if (properties == null) { return null; } // OAuth2 10.12 CSRF if (!ValidateCorrelationId(properties, _logger)) { return new AuthenticationTicket(null, properties); } var requestPrefix = Request.Scheme + "://" + Request.Host; var redirectUri = requestPrefix + Request.PathBase + Options.CallbackPath; // Build up the body for the token request var body = new List> { new KeyValuePair("grant_type", "authorization_code"), new KeyValuePair("code", code), new KeyValuePair("redirect_uri", redirectUri), new KeyValuePair("client_id", Options.ClientId), new KeyValuePair("client_secret", Options.ClientSecret) }; var request = new HttpRequestMessage(HttpMethod.Post, TokenEndpoint); request.Content = new FormUrlEncodedContent(body); // Request the token var tokenResponse = await _httpClient.SendAsync(request); tokenResponse.EnsureSuccessStatusCode(); var text = await tokenResponse.Content.ReadAsStringAsync(); // Deserializes the token response dynamic response = JsonConvert.DeserializeObject(text); var accessToken = (string)response.access_token; var expires = (string)response.expires_in; var refreshToken = (string)response.refresh_token; // Get the Discord user var userRequest = new HttpRequestMessage(HttpMethod.Get, UserInfoEndpoint); userRequest.Headers.Add("Authorization", "Bearer " + Uri.EscapeDataString(accessToken) + ""); var graphResponse = await _httpClient.SendAsync(userRequest, Request.CallCancelled); graphResponse.EnsureSuccessStatusCode(); text = await graphResponse.Content.ReadAsStringAsync(); var user = JObject.Parse(text); var context = new DiscordAuthenticatedContext(Context, user, accessToken, expires, refreshToken) { Identity = new ClaimsIdentity( Options.AuthenticationType, ClaimsIdentity.DefaultNameClaimType, ClaimsIdentity.DefaultRoleClaimType) }; if (!string.IsNullOrEmpty(context.Id)) { context.Identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, context.Id, XmlSchemaString, Options.AuthenticationType)); } if (!string.IsNullOrEmpty(context.UserName)) { context.Identity.AddClaim(new Claim(ClaimsIdentity.DefaultNameClaimType, context.UserName, XmlSchemaString, Options.AuthenticationType)); } if (!string.IsNullOrEmpty(context.Email)) { context.Identity.AddClaim(new Claim(ClaimTypes.Email, context.Email, XmlSchemaString, Options.AuthenticationType)); } if (!string.IsNullOrEmpty(context.Avatar)) { context.Identity.AddClaim(new Claim("urn:discord:avatar", context.Avatar, XmlSchemaString, Options.AuthenticationType)); } if (!string.IsNullOrEmpty(context.Discriminator)) { context.Identity.AddClaim(new Claim("urn:discord:discriminator", context.Discriminator, XmlSchemaString, Options.AuthenticationType)); } if (!string.IsNullOrEmpty(context.AccessToken)) { context.Identity.AddClaim(new Claim("urn:discord:accesstoken", context.AccessToken, XmlSchemaString, Options.AuthenticationType)); } context.Identity.AddClaim(new Claim("urn:discord:verified", context.Verified.ToString(), XmlSchemaString, Options.AuthenticationType)); context.Properties = properties; await Options.Provider.Authenticated(context); return new AuthenticationTicket(context.Identity, context.Properties); } catch (Exception ex) { _logger.WriteError(ex.Message); } return new AuthenticationTicket(null, properties); } protected override Task ApplyResponseChallengeAsync() { if (Response.StatusCode != 401) { return Task.FromResult(null); } var challenge = Helper.LookupChallenge(Options.AuthenticationType, Options.AuthenticationMode); if (challenge == null) return Task.FromResult(null); var baseUri = Request.Scheme + Uri.SchemeDelimiter + Request.Host + Request.PathBase; var currentUri = baseUri + Request.Path + Request.QueryString; var redirectUri = baseUri + Options.CallbackPath; var properties = challenge.Properties; if (string.IsNullOrEmpty(properties.RedirectUri)) { properties.RedirectUri = currentUri; } // OAuth2 10.12 CSRF GenerateCorrelationId(properties); // comma separated var scope = string.Join(" ", Options.Scope); var state = Options.StateDataFormat.Protect(properties); var authorizationEndpoint = "https://discordapp.com/api/oauth2/authorize" + "?response_type=code" + "&client_id=" + Uri.EscapeDataString(Options.ClientId) + "&redirect_uri=" + Uri.EscapeDataString(redirectUri) + "&scope=" + Uri.EscapeDataString(scope) + "&state=" + Uri.EscapeDataString(state) + "&duration=permanent"; Response.Redirect(authorizationEndpoint); return Task.FromResult(null); } public override async Task InvokeAsync() { return await InvokeReplyPathAsync(); } private async Task InvokeReplyPathAsync() { if (!Options.CallbackPath.HasValue || Options.CallbackPath != Request.Path) return false; // TODO: error responses var ticket = await AuthenticateAsync(); if (ticket == null) { _logger.WriteWarning("Invalid return state, unable to redirect."); Response.StatusCode = 500; return true; } var context = new DiscordReturnEndpointContext(Context, ticket) { SignInAsAuthenticationType = Options.SignInAsAuthenticationType, RedirectUri = ticket.Properties.RedirectUri }; await Options.Provider.ReturnEndpoint(context); if (context.SignInAsAuthenticationType != null && context.Identity != null) { var grantIdentity = context.Identity; if (!string.Equals(grantIdentity.AuthenticationType, context.SignInAsAuthenticationType, StringComparison.Ordinal)) { grantIdentity = new ClaimsIdentity(grantIdentity.Claims, context.SignInAsAuthenticationType, grantIdentity.NameClaimType, grantIdentity.RoleClaimType); } Context.Authentication.SignIn(context.Properties, grantIdentity); } if (context.IsRequestCompleted || context.RedirectUri == null) return context.IsRequestCompleted; var redirectUri = context.RedirectUri; if (context.Identity == null) { // add a redirect hint that sign-in failed in some way redirectUri = WebUtilities.AddQueryString(redirectUri, "error", "access_denied"); } Response.Redirect(redirectUri); context.RequestCompleted(); return context.IsRequestCompleted; } } }