Merge pull request #254 from gwilymatgearset/add-google-signin-provider

Add Google Sign-In provider

Author: TerribleDev

OwinOAuthProviders.sln

@@ -1,4 +1,4 @@
-Microsoft Visual Studio Solution File, Format Version 12.00
+Microsoft Visual Studio Solution File, Format Version 12.00
 # Visual Studio 15
 VisualStudioVersion = 15.0.26730.12
 MinimumVisualStudioVersion = 10.0.40219.1
@@ -114,6 +114,8 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Owin.Security.Providers.Arc
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Owin.Security.Providers.Typeform", "src\Owin.Security.Providers.Typeform\Owin.Security.Providers.Typeform.csproj", "{C8862B45-E1D1-4AB7-A83D-3A2FD2A22526}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Owin.Security.Providers.Google", "src\Owin.Security.Providers.Google\Owin.Security.Providers.Google.csproj", "{ED434959-8CF8-4CAB-83B3-E4A618327AB5}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -344,6 +346,10 @@ Global
 		{C8862B45-E1D1-4AB7-A83D-3A2FD2A22526}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{C8862B45-E1D1-4AB7-A83D-3A2FD2A22526}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{C8862B45-E1D1-4AB7-A83D-3A2FD2A22526}.Release|Any CPU.Build.0 = Release|Any CPU
+		{ED434959-8CF8-4CAB-83B3-E4A618327AB5}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{ED434959-8CF8-4CAB-83B3-E4A618327AB5}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{ED434959-8CF8-4CAB-83B3-E4A618327AB5}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{ED434959-8CF8-4CAB-83B3-E4A618327AB5}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE

src/Owin.Security.Providers.Google/Constants.cs

@@ -0,0 +1,7 @@
+namespace Owin.Security.Providers.Google
+{
+    internal static class Constants
+    {
+        public const string DefaultAuthenticationType = "Google";
+    }
+}

src/Owin.Security.Providers.Google/GoogleAuthenticationExtensions.cs

@@ -0,0 +1,29 @@
+using System;
+
+namespace Owin.Security.Providers.Google
+{
+    public static class GoogleAuthenticationExtensions
+    {
+        public static IAppBuilder UseGoogleAuthentication(this IAppBuilder app,
+            GoogleAuthenticationOptions options)
+        {
+            if (app == null)
+                throw new ArgumentNullException(nameof(app));
+            if (options == null)
+                throw new ArgumentNullException(nameof(options));
+
+            app.Use(typeof(GoogleAuthenticationMiddleware), app, options);
+
+            return app;
+        }
+
+        public static IAppBuilder UseGoogleAuthentication(this IAppBuilder app, string clientId, string clientSecret)
+        {
+            return app.UseGoogleAuthentication(new GoogleAuthenticationOptions
+            {
+                ClientId = clientId,
+                ClientSecret = clientSecret
+            });
+        }
+    }
+}

src/Owin.Security.Providers.Google/GoogleAuthenticationHandler.cs

@@ -0,0 +1,246 @@
+using System;
+using System.Collections.Generic;
+using System.Net.Http;
+using System.Security.Claims;
+using System.Threading.Tasks;
+using Microsoft.Owin.Infrastructure;
+using Microsoft.Owin.Logging;
+using Microsoft.Owin.Security;
+using Microsoft.Owin.Security.Infrastructure;
+using Newtonsoft.Json;
+using Newtonsoft.Json.Linq;
+using Owin.Security.Providers.Google.Provider;
+
+namespace Owin.Security.Providers.Google
+{
+    public class GoogleAuthenticationHandler : AuthenticationHandler<GoogleAuthenticationOptions>
+    {
+        private const string XmlSchemaString = "http://www.w3.org/2001/XMLSchema#string";
+        private const string TokenEndpoint = "https://accounts.google.com/o/oauth2/token";
+        // TODO: This url should come from here: https://accounts.google.com/.well-known/openid-configuration
+        // TODO: as described by https://developers.google.com/identity/protocols/OpenIDConnect#discovery
+        private const string UserInfoEndpoint = "https://www.googleapis.com/oauth2/v3/userinfo";
+
+        private readonly ILogger _logger;
+        private readonly HttpClient _httpClient;
+
+        public GoogleAuthenticationHandler(HttpClient httpClient, ILogger logger)
+        {
+            _httpClient = httpClient;
+            _logger = logger;
+        }
+
+        protected override async Task<AuthenticationTicket> AuthenticateCoreAsync()
+        {
+            AuthenticationProperties properties = null;
+
+            try
+            {
+                string code = null;
+                string state = null;
+
+                var query = Request.Query;
+                var values = query.GetValues("code");
+                if (values != null && values.Count == 1)
+                {
+                    code = values[0];
+                }
+                values = query.GetValues("state");
+                if (values != null && values.Count == 1)
+                {
+                    state = values[0];
+                }
+
+                properties = Options.StateDataFormat.Unprotect(state);
+                if (properties == null)
+                {
+                    return null;
+                }
+
+                // OAuth2 10.12 CSRF
+                if (!ValidateCorrelationId(properties, _logger))
+                {
+                    return new AuthenticationTicket(null, properties);
+                }
+
+                var requestPrefix = Request.Scheme + "://" + Request.Host;
+                var redirectUri = requestPrefix + Request.PathBase + Options.CallbackPath;
+
+                // Build up the body for the token request
+                var body = new List<KeyValuePair<string, string>>
+                {
+                    new KeyValuePair<string, string>("grant_type", "authorization_code"),
+                    new KeyValuePair<string, string>("code", code),
+                    new KeyValuePair<string, string>("redirect_uri", redirectUri),
+                    new KeyValuePair<string, string>("client_id", Options.ClientId),
+                    new KeyValuePair<string, string>("client_secret", Options.ClientSecret)
+                };
+
+                // Request the token
+                var tokenResponse =
+                    await _httpClient.PostAsync(TokenEndpoint, new FormUrlEncodedContent(body));
+                tokenResponse.EnsureSuccessStatusCode();
+                var text = await tokenResponse.Content.ReadAsStringAsync();
+
+                // Deserializes the token response
+                dynamic response = JsonConvert.DeserializeObject<dynamic>(text);
+                var accessToken = (string)response.access_token;
+                var expires = (string) response.expires_in;
+                string refreshToken = null;
+                if (response.refresh_token != null)
+                    refreshToken = (string) response.refresh_token;
+
+                // Get the Google user
+                var graphResponse = await _httpClient.GetAsync(
+                    UserInfoEndpoint + "?access_token=" + Uri.EscapeDataString(accessToken), Request.CallCancelled);
+                graphResponse.EnsureSuccessStatusCode();
+                text = await graphResponse.Content.ReadAsStringAsync();
+                var userInfo = JObject.Parse(text);
+
+                var context = new GoogleAuthenticatedContext(Context, userInfo, accessToken, expires, refreshToken)
+                {
+                    Identity = new ClaimsIdentity(
+                        Options.AuthenticationType,
+                        ClaimsIdentity.DefaultNameClaimType,
+                        ClaimsIdentity.DefaultRoleClaimType)
+                };
+                if (!string.IsNullOrEmpty(context.Id))
+                {
+                    context.Identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, context.Id, XmlSchemaString, Options.AuthenticationType));
+                }
+                if (!string.IsNullOrEmpty(context.UserName))
+                {
+                    context.Identity.AddClaim(new Claim(ClaimsIdentity.DefaultNameClaimType, context.UserName, XmlSchemaString, Options.AuthenticationType));
+                }
+                if (!string.IsNullOrEmpty(context.Email))
+                {
+                    context.Identity.AddClaim(new Claim(ClaimTypes.Email, context.Email, XmlSchemaString, Options.AuthenticationType));
+                }
+                if (!string.IsNullOrEmpty(context.Name))
+                {
+                    context.Identity.AddClaim(new Claim("urn:google:name", context.Name, XmlSchemaString, Options.AuthenticationType));
+                }
+                if (!string.IsNullOrEmpty(context.Link))
+                {
+                    context.Identity.AddClaim(new Claim("urn:google:url", context.Link, XmlSchemaString, Options.AuthenticationType));
+                }
+                context.Properties = properties;
+
+                await Options.Provider.Authenticated(context);
+
+                return new AuthenticationTicket(context.Identity, context.Properties);
+            }
+            catch (Exception ex)
+            {
+                _logger.WriteError(ex.Message);
+            }
+            return new AuthenticationTicket(null, properties);
+        }
+
+        protected override Task ApplyResponseChallengeAsync()
+        {
+            if (Response.StatusCode != 401)
+            {
+                return Task.FromResult<object>(null);
+            }
+
+            var challenge = Helper.LookupChallenge(Options.AuthenticationType, Options.AuthenticationMode);
+
+            if (challenge == null) return Task.FromResult<object>(null);
+            var baseUri =
+                Request.Scheme +
+                Uri.SchemeDelimiter +
+                Request.Host +
+                Request.PathBase;
+
+            var currentUri =
+                baseUri +
+                Request.Path +
+                Request.QueryString;
+
+            var redirectUri =
+                baseUri +
+                Options.CallbackPath;
+
+            var properties = challenge.Properties;
+            if (string.IsNullOrEmpty(properties.RedirectUri))
+            {
+                properties.RedirectUri = currentUri;
+            }
+
+            // OAuth2 10.12 CSRF
+            GenerateCorrelationId(properties);
+
+            // comma separated
+            var scope = string.Join(" ", Options.Scope);
+
+            var state = Options.StateDataFormat.Protect(properties);
+
+            var authorizationEndpoint =
+                "https://accounts.google.com/o/oauth2/auth" +
+                "?response_type=code" +
+                "&client_id=" + Uri.EscapeDataString(Options.ClientId) +
+                "&redirect_uri=" + Uri.EscapeDataString(redirectUri) +
+                "&scope=" + Uri.EscapeDataString(scope) +
+                "&state=" + Uri.EscapeDataString(state);
+
+            // Check if offline access was requested
+            if (Options.RequestOfflineAccess)
+                authorizationEndpoint += "&access_type=offline";
+
+            Response.Redirect(authorizationEndpoint);
+
+            return Task.FromResult<object>(null);
+        }
+
+        public override async Task<bool> InvokeAsync()
+        {
+            return await InvokeReplyPathAsync();
+        }
+
+        private async Task<bool> InvokeReplyPathAsync()
+        {
+            if (!Options.CallbackPath.HasValue || Options.CallbackPath != Request.Path) return false;
+            // TODO: error responses
+
+            var ticket = await AuthenticateAsync();
+            if (ticket == null)
+            {
+                _logger.WriteWarning("Invalid return state, unable to redirect.");
+                Response.StatusCode = 500;
+                return true;
+            }
+
+            var context = new GoogleReturnEndpointContext(Context, ticket)
+            {
+                SignInAsAuthenticationType = Options.SignInAsAuthenticationType,
+                RedirectUri = ticket.Properties.RedirectUri
+            };
+
+            await Options.Provider.ReturnEndpoint(context);
+
+            if (context.SignInAsAuthenticationType != null &&
+                context.Identity != null)
+            {
+                var grantIdentity = context.Identity;
+                if (!string.Equals(grantIdentity.AuthenticationType, context.SignInAsAuthenticationType, StringComparison.Ordinal))
+                {
+                    grantIdentity = new ClaimsIdentity(grantIdentity.Claims, context.SignInAsAuthenticationType, grantIdentity.NameClaimType, grantIdentity.RoleClaimType);
+                }
+                Context.Authentication.SignIn(context.Properties, grantIdentity);
+            }
+
+            if (context.IsRequestCompleted || context.RedirectUri == null) return context.IsRequestCompleted;
+            var redirectUri = context.RedirectUri;
+            if (context.Identity == null)
+            {
+                // add a redirect hint that sign-in failed in some way
+                redirectUri = WebUtilities.AddQueryString(redirectUri, "error", "access_denied");
+            }
+            Response.Redirect(redirectUri);
+            context.RequestCompleted();
+
+            return context.IsRequestCompleted;
+        }
+    }
+}

src/Owin.Security.Providers.Google/GoogleAuthenticationMiddleware.cs

@@ -0,0 +1,83 @@
+using System;
+using System.Globalization;
+using System.Net.Http;
+using Microsoft.Owin;
+using Microsoft.Owin.Logging;
+using Microsoft.Owin.Security;
+using Microsoft.Owin.Security.DataHandler;
+using Microsoft.Owin.Security.DataProtection;
+using Microsoft.Owin.Security.Infrastructure;
+using Owin.Security.Providers.Google.Provider;
+
+namespace Owin.Security.Providers.Google
+{
+    public class GoogleAuthenticationMiddleware : AuthenticationMiddleware<GoogleAuthenticationOptions>
+    {
+        private readonly HttpClient _httpClient;
+        private readonly ILogger _logger;
+
+        public GoogleAuthenticationMiddleware(OwinMiddleware next, IAppBuilder app,
+            GoogleAuthenticationOptions options)
+            : base(next, options)
+        {
+            if (string.IsNullOrWhiteSpace(Options.ClientId))
+                throw new ArgumentException(string.Format(CultureInfo.CurrentCulture,
+                    Resources.Exception_OptionMustBeProvided, "ClientId"));
+            if (string.IsNullOrWhiteSpace(Options.ClientSecret))
+                throw new ArgumentException(string.Format(CultureInfo.CurrentCulture,
+                    Resources.Exception_OptionMustBeProvided, "ClientSecret"));
+
+            _logger = app.CreateLogger<GoogleAuthenticationMiddleware>();
+
+            if (Options.Provider == null)
+                Options.Provider = new GoogleAuthenticationProvider();
+
+            if (Options.StateDataFormat == null)
+            {
+                var dataProtector = app.CreateDataProtector(
+                    typeof (GoogleAuthenticationMiddleware).FullName,
+                    Options.AuthenticationType, "v1");
+                Options.StateDataFormat = new PropertiesDataFormat(dataProtector);
+            }
+
+            if (string.IsNullOrEmpty(Options.SignInAsAuthenticationType))
+                Options.SignInAsAuthenticationType = app.GetDefaultSignInAsAuthenticationType();
+
+            _httpClient = new HttpClient(ResolveHttpMessageHandler(Options))
+            {
+                Timeout = Options.BackchannelTimeout,
+                MaxResponseContentBufferSize = 1024*1024*10
+            };
+        }
+
+        /// <summary>
+        ///     Provides the <see cref="T:Microsoft.Owin.Security.Infrastructure.AuthenticationHandler" /> object for processing
+        ///     authentication-related requests.
+        /// </summary>
+        /// <returns>
+        ///     An <see cref="T:Microsoft.Owin.Security.Infrastructure.AuthenticationHandler" /> configured with the
+        ///     <see cref="T:Owin.Security.Providers.GooglePlus.GooglePlusAuthenticationOptions" /> supplied to the constructor.
+        /// </returns>
+        protected override AuthenticationHandler<GoogleAuthenticationOptions> CreateHandler()
+        {
+            return new GoogleAuthenticationHandler(_httpClient, _logger);
+        }
+
+        private static HttpMessageHandler ResolveHttpMessageHandler(GoogleAuthenticationOptions options)
+        {
+            var handler = options.BackchannelHttpHandler ?? new WebRequestHandler();
+
+            // If they provided a validator, apply it or fail.
+            if (options.BackchannelCertificateValidator == null) return handler;
+            // Set the cert validate callback
+            var webRequestHandler = handler as WebRequestHandler;
+            if (webRequestHandler == null)
+            {
+                throw new InvalidOperationException(Resources.Exception_ValidatorHandlerMismatch);
+            }
+            webRequestHandler.ServerCertificateValidationCallback = options.BackchannelCertificateValidator.Validate;
+
+            return handler;
+        }
+    }
+}