namespace WalkingTec.Mvvm.Core.Auth
{
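/// <summary>
/// Constant names shared by the WTM authentication pipeline: the bearer token
/// scheme, the authentication type, the cookie-auth name, and the JWT claim
/// names grouped under <see cref="JwtClaimTypes"/>.
/// </summary>
/// <remarks>
/// This class only defines names. Nothing here parses or validates a token;
/// whether claims such as <c>exp</c>, <c>nbf</c>, <c>aud</c>, <c>iss</c> or
/// <c>jti</c> are actually enforced depends on the code that consumes these
/// constants (token handler / validation parameters), not on this file.
/// </remarks>
public static class AuthConstants
{
    /// <summary>
    /// Token type used as the HTTP <c>Authorization</c> header scheme
    /// (<c>Authorization: Bearer &lt;token&gt;</c>).
    /// </summary>
    public const string JwtTokenType = "Bearer";

    /// <summary>
    /// Authentication type name for identities produced by WTM authentication.
    /// </summary>
    // NOTE(review): presumably passed as the authenticationType of the
    // ClaimsIdentity so IsAuthenticated becomes true — confirm against the caller.
    public const string AuthenticationType = "WTMAuthentication";

    /// <summary>
    /// Name used for the cookie-based authentication that carries the JWT.
    /// </summary>
    // NOTE(review): whether this is the cookie name, the scheme name, or both is
    // not visible here — confirm against the cookie authentication setup.
    public const string CookieAuthName = "WTM.CookieWithJwtAuth";

    /// <summary>
    /// Claim names used in the JWTs issued and consumed by WTM.
    /// </summary>
    /// <remarks>
    /// Most entries are the registered JWT / OpenID Connect claim names.
    /// <c>id</c>, <c>idp</c>, <c>role</c>, <c>tenant</c> and
    /// <c>reference_token_id</c> are application-specific and carry no meaning
    /// outside this framework; treat their values as data supplied by the token
    /// issuer, not as something verified by the claim name itself.
    /// </remarks>
    public static class JwtClaimTypes
    {
        /// <summary>
        /// Unique identifier for the End-User at the Issuer.
        /// </summary>
        public const string Subject = "sub";

        /// <summary>
        /// The <c>iat</c> (issued at) claim identifies the time at which the JWT
        /// was issued, specified as the number of seconds from 1970-01-01T0:0:0Z.
        /// </summary>
        public const string IssuedAt = "iat";

        /// <summary>
        /// Authentication Methods References. JSON array of strings that are
        /// identifiers for authentication methods used in the authentication.
        /// </summary>
        public const string AuthenticationMethod = "amr";

        /// <summary>
        /// Session identifier. Represents a session of an OP at an RP to a User
        /// Agent or device for a logged-in End-User. Its contents are unique to
        /// the OP and opaque to the RP.
        /// </summary>
        public const string SessionId = "sid";

        /// <summary>
        /// Authentication Context Class Reference. String specifying an
        /// Authentication Context Class Reference value that identifies the
        /// Authentication Context Class that the authentication performed
        /// satisfied.
        /// </summary>
        /// <remarks>
        /// The value "0" indicates the End-User authentication did not meet the
        /// requirements of ISO/IEC 29115 level 1. Authentication using a
        /// long-lived browser cookie, for instance, is one example where the use
        /// of "level 0" is appropriate. Authentications with level 0 SHOULD NOT
        /// be used to authorize access to any resource of any monetary value.
        /// (This corresponds to the OpenID 2.0 PAPE nist_auth_level 0.) An
        /// absolute URI or an RFC 6711 registered name SHOULD be used as the acr
        /// value; registered names MUST NOT be used with a different meaning than
        /// that which is registered. Parties using this claim will need to agree
        /// upon the meanings of the values used, which may be context-specific.
        /// The acr value is a case sensitive string.
        /// </remarks>
        public const string AuthenticationContextClassReference = "acr";

        /// <summary>
        /// Time when the End-User authentication occurred. Its value is a JSON
        /// number representing the number of seconds from 1970-01-01T0:0:0Z as
        /// measured in UTC until the date/time.
        /// </summary>
        /// <remarks>
        /// When a max_age request is made or when auth_time is requested as an
        /// Essential Claim, then this Claim is REQUIRED; otherwise, its inclusion
        /// is OPTIONAL.
        /// </remarks>
        public const string AuthenticationTime = "auth_time";

        /// <summary>
        /// The party to which the ID Token was issued. If present, it MUST
        /// contain the OAuth 2.0 Client ID of this party.
        /// </summary>
        /// <remarks>
        /// This Claim is only needed when the ID Token has a single audience
        /// value and that audience is different than the authorized party. It
        /// MAY be included even when the authorized party is the same as the sole
        /// audience. The azp value is a case sensitive string containing a
        /// StringOrURI value.
        /// </remarks>
        public const string AuthorizedParty = "azp";

        /// <summary>
        /// Access Token hash value: the base64url encoding of the left-most half
        /// of the hash of the octets of the ASCII representation of the
        /// access_token value, where the hash algorithm is the one named in the
        /// alg Header Parameter of the ID Token's JOSE Header.
        /// </summary>
        /// <remarks>
        /// For instance, if the alg is RS256, hash the access_token value with
        /// SHA-256, then take the left-most 128 bits and base64url encode them.
        /// The at_hash value is a case sensitive string.
        /// </remarks>
        public const string AccessTokenHash = "at_hash";

        /// <summary>
        /// Code hash value: the base64url encoding of the left-most half of the
        /// hash of the octets of the ASCII representation of the code value,
        /// where the hash algorithm is the one named in the alg Header Parameter
        /// of the ID Token's JOSE Header.
        /// </summary>
        /// <remarks>
        /// For instance, if the alg is HS512, hash the code value with SHA-512,
        /// then take the left-most 256 bits and base64url encode them. The c_hash
        /// value is a case sensitive string.
        /// </remarks>
        public const string AuthorizationCodeHash = "c_hash";

        /// <summary>
        /// Time the End-User's information was last updated. Its value is a JSON
        /// number representing the number of seconds from 1970-01-01T0:0:0Z as
        /// measured in UTC until the date/time.
        /// </summary>
        public const string UpdatedAt = "updated_at";

        /// <summary>
        /// String value used to associate a Client session with an ID Token, and
        /// to mitigate replay attacks. The value is passed through unmodified
        /// from the Authentication Request to the ID Token.
        /// </summary>
        /// <remarks>
        /// If present in the ID Token, Clients MUST verify that the nonce Claim
        /// Value is equal to the value of the nonce parameter sent in the
        /// Authentication Request. If present in the Authentication Request,
        /// Authorization Servers MUST include a nonce Claim in the ID Token with
        /// the Claim Value being the nonce value sent in the Authentication
        /// Request. Authorization Servers SHOULD perform no other processing on
        /// nonce values used. The nonce value is a case sensitive string.
        /// </remarks>
        public const string Nonce = "nonce";

        /// <summary>
        /// Defines a set of event statements that each may add additional claims
        /// to fully describe a single logical event that has occurred.
        /// </summary>
        public const string Events = "events";

        /// <summary>
        /// OAuth 2.0 Client Identifier valid at the Authorization Server.
        /// </summary>
        public const string ClientId = "client_id";

        /// <summary>
        /// OpenID Connect requests MUST contain the "openid" scope value. If the
        /// openid scope value is not present, the behavior is entirely
        /// unspecified. Other scope values MAY be present. Scope values used that
        /// are not understood by an implementation SHOULD be ignored.
        /// </summary>
        public const string Scope = "scope";

        /// <summary>
        /// The "act" (actor) claim provides a means within a JWT to express that
        /// delegation has occurred and identify the acting party to whom
        /// authority has been delegated.
        /// </summary>
        /// <remarks>
        /// The "act" claim value is a JSON object and members in the JSON object
        /// are claims that identify the actor. The claims that make up the "act"
        /// claim identify and possibly provide additional information about the
        /// actor.
        /// </remarks>
        public const string Actor = "act";

        /// <summary>
        /// The "may_act" claim makes a statement that one party is authorized to
        /// become the actor and act on behalf of another party.
        /// </summary>
        /// <remarks>
        /// The claim value is a JSON object and members in the JSON object are
        /// claims that identify the party that is asserted as being eligible to
        /// act for the party identified by the JWT containing the claim.
        /// </remarks>
        public const string MayAct = "may_act";

        /// <summary>
        /// An identifier (application-specific claim).
        /// </summary>
        public const string Id = "id";

        /// <summary>
        /// The identity provider (application-specific claim).
        /// </summary>
        public const string IdentityProvider = "idp";

        /// <summary>
        /// The role (application-specific claim).
        /// </summary>
        public const string Role = "role";

        /// <summary>
        /// The tenant code (application-specific claim).
        /// </summary>
        public const string TenantCode = "tenant";

        /// <summary>
        /// JWT ID. A unique identifier for the token, which can be used to
        /// prevent reuse of the token.
        /// </summary>
        /// <remarks>
        /// These tokens MUST only be used once, unless conditions for reuse were
        /// negotiated between the parties; any such negotiation is beyond the
        /// scope of this specification. Replay protection based on this claim
        /// requires the consumer to actually record and check seen values.
        /// </remarks>
        public const string JwtId = "jti";

        /// <summary>
        /// The exp (expiration time) claim identifies the expiration time on or
        /// after which the token MUST NOT be accepted for processing, specified
        /// as the number of seconds from 1970-01-01T0:0:0Z.
        /// </summary>
        public const string Expiration = "exp";

        /// <summary>
        /// The time before which the JWT MUST NOT be accepted for processing,
        /// specified as the number of seconds from 1970-01-01T0:0:0Z.
        /// </summary>
        public const string NotBefore = "nbf";

        /// <summary>
        /// Issuer Identifier for the Issuer of the response. The iss value is a
        /// case sensitive URL using the https scheme that contains scheme, host,
        /// and optionally, port number and path components and no query or
        /// fragment components.
        /// </summary>
        public const string Issuer = "iss";

        /// <summary>
        /// End-User's full name in displayable form including all name parts,
        /// possibly including titles and suffixes, ordered according to the
        /// End-User's locale and preferences.
        /// </summary>
        public const string Name = "name";

        /// <summary>
        /// Given name(s) or first name(s) of the End-User. Note that in some
        /// cultures, people can have multiple given names; all can be present,
        /// with the names being separated by space characters.
        /// </summary>
        public const string GivenName = "given_name";

        /// <summary>
        /// Surname(s) or last name(s) of the End-User. Note that in some
        /// cultures, people can have multiple family names or no family name;
        /// all can be present, with the names being separated by space
        /// characters.
        /// </summary>
        public const string FamilyName = "family_name";

        /// <summary>
        /// Middle name(s) of the End-User. Note that in some cultures, people can
        /// have multiple middle names; all can be present, with the names being
        /// separated by space characters. Also note that in some cultures,
        /// middle names are not used.
        /// </summary>
        public const string MiddleName = "middle_name";

        /// <summary>
        /// Casual name of the End-User that may or may not be the same as the
        /// given_name. For instance, a nickname value of Mike might be returned
        /// alongside a given_name value of Michael.
        /// </summary>
        public const string NickName = "nickname";

        /// <summary>
        /// Shorthand name by which the End-User wishes to be referred to at the
        /// RP, such as janedoe or j.doe. This value MAY be any valid JSON string
        /// including special characters such as @, /, or whitespace.
        /// </summary>
        /// <remarks>
        /// The RP MUST NOT rely upon this value being unique, as discussed in
        /// http://openid.net/specs/openid-connect-basic-1_0-32.html#ClaimStability
        /// </remarks>
        public const string PreferredUserName = "preferred_username";

        /// <summary>
        /// URL of the End-User's profile page. The contents of this Web page
        /// SHOULD be about the End-User.
        /// </summary>
        public const string Profile = "profile";

        /// <summary>
        /// URL of the End-User's profile picture. This URL MUST refer to an
        /// image file (for example, a PNG, JPEG, or GIF image file), rather than
        /// to a Web page containing an image.
        /// </summary>
        /// <remarks>
        /// Note that this URL SHOULD specifically reference a profile photo of
        /// the End-User suitable for displaying when describing the End-User,
        /// rather than an arbitrary photo taken by the End-User.
        /// </remarks>
        public const string Picture = "picture";

        /// <summary>
        /// URL of the End-User's Web page or blog. This Web page SHOULD contain
        /// information published by the End-User or an organization that the
        /// End-User is affiliated with.
        /// </summary>
        public const string WebSite = "website";

        /// <summary>
        /// End-User's preferred e-mail address. Its value MUST conform to the
        /// RFC 5322 [RFC5322] addr-spec syntax. The relying party MUST NOT rely
        /// upon this value being unique.
        /// </summary>
        public const string Email = "email";

        /// <summary>
        /// "true" if the End-User's e-mail address has been verified; otherwise
        /// "false".
        /// </summary>
        /// <remarks>
        /// When this Claim Value is "true", this means that the OP took
        /// affirmative steps to ensure that this e-mail address was controlled by
        /// the End-User at the time the verification was performed. The means by
        /// which an e-mail address is verified is context-specific, and
        /// dependent upon the trust framework or contractual agreements within
        /// which the parties are operating.
        /// </remarks>
        public const string EmailVerified = "email_verified";

        /// <summary>
        /// End-User's gender. Values defined by this specification are "female"
        /// and "male". Other values MAY be used when neither of the defined
        /// values are applicable.
        /// </summary>
        public const string Gender = "gender";

        /// <summary>
        /// End-User's birthday, represented as an ISO 8601:2004 [ISO8601-2004]
        /// YYYY-MM-DD format. The year MAY be 0000, indicating that it is
        /// omitted. To represent only the year, YYYY format is allowed.
        /// </summary>
        /// <remarks>
        /// Note that depending on the underlying platform's date related
        /// function, providing just year can result in varying month and day, so
        /// the implementers need to take this factor into account to correctly
        /// process the dates.
        /// </remarks>
        public const string BirthDate = "birthdate";

        /// <summary>
        /// String from the time zone database
        /// (http://www.twinsun.com/tz/tz-link.htm) representing the End-User's
        /// time zone. For example, Europe/Paris or America/Los_Angeles.
        /// </summary>
        public const string ZoneInfo = "zoneinfo";

        /// <summary>
        /// End-User's locale, represented as a BCP47 [RFC5646] language tag.
        /// This is typically an ISO 639-1 Alpha-2 [ISO639-1] language code in
        /// lowercase and an ISO 3166-1 Alpha-2 [ISO3166-1] country code in
        /// uppercase, separated by a dash. For example, en-US or fr-CA.
        /// </summary>
        /// <remarks>
        /// As a compatibility note, some implementations have used an underscore
        /// as the separator rather than a dash, for example, en_US; Relying
        /// Parties MAY choose to accept this locale syntax as well.
        /// </remarks>
        public const string Locale = "locale";

        /// <summary>
        /// End-User's preferred telephone number. E.164
        /// (https://www.itu.int/rec/T-REC-E.164/e) is RECOMMENDED as the format
        /// of this Claim, for example, +1 (425) 555-1212 or +56 (2) 687 2400.
        /// </summary>
        /// <remarks>
        /// If the phone number contains an extension, it is RECOMMENDED that the
        /// extension be represented using the RFC 3966 [RFC3966] extension
        /// syntax, for example, +1 (604) 555-1234;ext=5678.
        /// </remarks>
        public const string PhoneNumber = "phone_number";

        /// <summary>
        /// True if the End-User's phone number has been verified; otherwise
        /// false. When this Claim Value is true, this means that the OP took
        /// affirmative steps to ensure that this phone number was controlled by
        /// the End-User at the time the verification was performed.
        /// </summary>
        /// <remarks>
        /// The means by which a phone number is verified is context-specific,
        /// and dependent upon the trust framework or contractual agreements
        /// within which the parties are operating. When true, the phone_number
        /// Claim MUST be in E.164 format and any extensions MUST be represented
        /// in RFC 3966 format.
        /// </remarks>
        public const string PhoneNumberVerified = "phone_number_verified";

        /// <summary>
        /// End-User's preferred postal address. The value of the address member
        /// is a JSON structure containing some or all of the members defined in
        /// http://openid.net/specs/openid-connect-basic-1_0-32.html#AddressClaim
        /// </summary>
        public const string Address = "address";

        /// <summary>
        /// Audience(s) that this ID Token is intended for. It MUST contain the
        /// OAuth 2.0 client_id of the Relying Party as an audience value. It MAY
        /// also contain identifiers for other audiences.
        /// </summary>
        /// <remarks>
        /// In the general case, the aud value is an array of case sensitive
        /// strings. In the common special case when there is one audience, the
        /// aud value MAY be a single case sensitive string.
        /// </remarks>
        public const string Audience = "aud";

        /// <summary>
        /// The reference token identifier (application-specific claim).
        /// </summary>
        public const string ReferenceTokenId = "reference_token_id";

        /// <summary>
        /// The confirmation claim.
        /// </summary>
        public const string Confirmation = "cnf";
    }
}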
}