public override async Task HandleTokenRequest(HandleTokenRequestContext context)
{
if (!context.Request.IsPasswordGrantType())
{
context.Reject(OpenIdConnectConstants.Errors.UnsupportedGrantType,
"Only password grants are accepted by this server");
return;
}
User existUser = await _userRepository.GetUser(context.Request.Username, context.Request.Password);
if (existUser == null)
{
context.Reject(error: OpenIdConnectConstants.Errors.AccessDenied,
description: "Invalid user credentials.");
return;
}
var identity = new ClaimsIdentity(context.Scheme.Name, OpenIdConnectConstants.Claims.Name,
OpenIdConnectConstants.Claims.Role);
identity.AddClaim(OpenIdConnectConstants.Claims.Subject, context.Request.Username);
identity.AddClaim("urn:customclaim", "value", OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
var ticket = new AuthenticationTicket(new ClaimsPrincipal(identity), new AuthenticationProperties(),
context.Scheme.Name);
ticket.SetScopes(OpenIdConnectConstants.Scopes.Profile);
context.Validate(ticket);
}
public override Task HandleTokenRequest(HandleTokenRequestContext context)
{
// Only handle grant_type=password token requests and let the
// OpenID Connect server middleware handle the other grant types.
if (context.Request.IsPasswordGrantType())
{
var user = new { Id = "users-123", UserName = "******", Password = "******" };
if (!string.Equals(context.Request.Username, user.UserName, StringComparison.Ordinal) ||
!string.Equals(context.Request.Password, user.Password, StringComparison.Ordinal))
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "Invalid username or password.");
return(Task.FromResult(0));
}
var identity = new ClaimsIdentity(context.Options.AuthenticationScheme);
identity.AddClaim(ClaimTypes.NameIdentifier, user.Id,
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
identity.AddClaim(ClaimTypes.Name, user.UserName,
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
context.Validate(new ClaimsPrincipal(identity));
}
return(Task.FromResult(0));
}
public override Task HandleTokenRequest(HandleTokenRequestContext context)
{
if (context.Request.IsPasswordGrantType())
{
// make db query here
var user = new { Id = "users-123", Email = "*****@*****.**", Password = "******" };
if (!string.Equals(context.Request.Username, user.Email, StringComparison.Ordinal) ||
!string.Equals(context.Request.Password, user.Password, StringComparison.Ordinal))
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "Invalid username or password.");
return(Task.FromResult(0));
}
var identity = new ClaimsIdentity(context.Options.AuthenticationScheme);
identity.AddClaim(ClaimTypes.NameIdentifier, user.Id, OpenIdConnectConstants.Destinations.AccessToken, OpenIdConnectConstants.Destinations.IdentityToken);
identity.AddClaim(ClaimTypes.Name, user.Email, OpenIdConnectConstants.Destinations.AccessToken, OpenIdConnectConstants.Destinations.IdentityToken);
context.Validate(new ClaimsPrincipal(identity));
}
return(Task.FromResult(0));
}
public override Task HandleTokenRequest(HandleTokenRequestContext context)
{
if (userStore.ValidateUserSecret(context.Request.Username, context.Request.Password))
{
var user = userStore.Get(context.Request.Username);
var identity = new ClaimsIdentity(OpenIdConnectConstants.Schemes.Bearer);
// Note: the subject claim is always included in both identity and
// access tokens, even if an explicit destination is not specified
identity.AddClaim(OpenIdConnectConstants.Claims.Subject, user.Id.ToString());
// When adding custom claims, you MUST specify one or more destinations.
identity.AddClaim(ClaimTypes.Name, user.Name, OpenIdConnectConstants.Destinations.AccessToken);
var principal = new ClaimsPrincipal(identity);
var ticket = new AuthenticationTicket(principal, OpenIdConnectConstants.Schemes.Bearer);
//ticket.SetScopes(
// // access reresh token
// OpenIdConnectConstants.Scopes.OfflineAccess,
// // access identity token
// OpenIdConnectConstants.Scopes.OpenId);
context.Validate(ticket);
}
else
{
context.Reject(OpenIdConnectConstants.Errors.InvalidGrant);
}
return(Task.CompletedTask);
}
//
// Summary:
// Represents an event called for each validated token request to allow the user
// code to decide how the request should be handled.
//
// Parameters:
// context:
// The context instance associated with this event.
//
// Returns:
// A System.Threading.Tasks.Task that can be used to monitor the asynchronous operation.
public override Task HandleTokenRequest(HandleTokenRequestContext context)
{
try
{
// Only handle grant_type=password token requests and let the
// OpenID Connect server middleware handle the other grant types.
if (context.Request.IsPasswordGrantType())
{
return(HandleUserAuthentication(context));
}
else if (context.Request.IsRefreshTokenGrantType())
{
return(HandleRefreshTokenRequest(context));
}
else if (context.Request.IsClientCredentialsGrantType())
{
return(HandleClientCredentialsAuthentication(context));
}
}
catch (Exception ex)
{
context.Reject(
error: $"{ex.HResult}",
description: ex.Message);
}
return(Task.CompletedTask);
}
public override async Task HandleTokenRequest(HandleTokenRequestContext context)
{
if (context.Request.IsPasswordGrantType())
{
var username = context.Request.Username.ToLowerInvariant();
var user = await _userService.GetUserLoginDtoAsync(
// filter
u => u.UserName == username
);
if (user == null)
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "Invalid username or password.");
return;
}
var password = context.Request.Password;
var passWordCheckResult = await _userService.CheckUserPasswordAsync(user, context.Request.Password);
if (!passWordCheckResult)
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "Invalid username or password.");
return;
}
var roles = await _userService.GetUserRolesAsync(user);
if (!roles.Any())
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidRequest,
description: "Invalid user configuration.");
return;
}
// add the claims
var identity = new ClaimsIdentity(context.Options.AuthenticationScheme);
identity.AddClaim(ClaimTypes.NameIdentifier, user.Id, OpenIdConnectConstants.Destinations.AccessToken, OpenIdConnectConstants.Destinations.IdentityToken);
identity.AddClaim(ClaimTypes.Name, user.UserName, OpenIdConnectConstants.Destinations.AccessToken, OpenIdConnectConstants.Destinations.IdentityToken);
// add the user's roles as claims
foreach (var role in roles)
{
identity.AddClaim(ClaimTypes.Role, role, OpenIdConnectConstants.Destinations.AccessToken, OpenIdConnectConstants.Destinations.IdentityToken);
}
context.Validate(new ClaimsPrincipal(identity));
}
else
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "Invalid grant type.");
return;
}
return;
}
public override Task HandleTokenRequest(HandleTokenRequestContext context)
{
// Only handle grant_type=password token requests and let the
// OpenID Connect server middleware handle the other grant types.
if (context.Request.IsPasswordGrantType())
{
// Validate the credentials here (e.g using ASP.NET Core Identity).
// You can call Reject() with an error code/description to reject
// the request and return a message to the caller.
var identity = new ClaimsIdentity(context.Options.AuthenticationScheme);
identity.AddClaim(OpenIdConnectConstants.Claims.Subject, "[unique identifier]");
// By default, claims are not serialized in the access and identity tokens.
// Use the overload taking a "destinations" parameter to make sure
// your claims are correctly serialized in the appropriate tokens.
identity.AddClaim("urn:customclaim", "value",
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
context.Options.AuthenticationScheme);
// Call SetResources with the list of resource servers
// the access token should be issued for.
ticket.SetResources("resource_server_1");
// Call SetScopes with the list of scopes you want to grant
// (specify offline_access to issue a refresh token).
ticket.SetScopes("profile", "offline_access");
context.Validate(ticket);
}
return(Task.FromResult(0));
}
public override Task HandleTokenRequest(HandleTokenRequestContext context) {
// Only handle grant_type=password token requests and let the
// OpenID Connect server middleware handle the other grant types.
if (context.Request.IsPasswordGrantType()) {
var user = new { Id = "users-123", UserName = "******", Password = "******" };
if (!string.Equals(context.Request.Username, user.UserName, StringComparison.Ordinal) ||
!string.Equals(context.Request.Password, user.Password, StringComparison.Ordinal)) {
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "Invalid username or password.");
return Task.FromResult(0);
}
var identity = new ClaimsIdentity(context.Options.AuthenticationScheme);
identity.AddClaim(ClaimTypes.NameIdentifier, user.Id,
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
identity.AddClaim(ClaimTypes.Name, user.UserName,
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
context.Validate(new ClaimsPrincipal(identity));
}
return Task.FromResult(0);
}
public override Task HandleTokenRequest(HandleTokenRequestContext context)
{
AuthenticationTicket ticket;
// Handling Client Credentials
if (context.Request.IsClientCredentialsGrantType())
{
// If we do not specify any form of Ticket, or ClaimsIdentity, or ClaimsPrincipal, our validation will succeed here but fail later.
// ASOS needs those to serialize a token, and without any, it fails because there's way to fashion a token properly. Check the ASOS source for more details.
ticket = TicketCounter.MakeClaimsForClientCredentials(context.Request.ClientId);
context.Validate(ticket);
return(Task.CompletedTask);
}
// Handling Authorization Codes
if (context.Request.IsAuthorizationCodeGrantType() || context.Request.IsRefreshTokenGrantType())
{
ticket = context.Ticket;
if (ticket != null)
{
context.Validate(ticket);
return(Task.CompletedTask);
}
context.Reject(OpenIdConnectConstants.Errors.InvalidRequest, "User isn't valid");
return(Task.CompletedTask);
}
// Catch all error
context.Reject(OpenIdConnectConstants.Errors.ServerError, "Could not validate the token request");
return(Task.CompletedTask);
}
private Task HandleRefreshTokenRequest(HandleTokenRequestContext context)
{
try
{
// Retrieve the token from the database and ensure it is still valid.
var clientId = context.Ticket.Properties.Items["ClientId"];
var token = _authService.FindRefreshToken(t =>
t.TokenIdentifier.Equals(context.Ticket.GetTokenId()) &&
t.ClientId.Equals(clientId));
if (token == null)
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "The refresh token is no longer valid.");
return(Task.CompletedTask);
}
_authService.DeleteRefreshToken(token);
context.Validate(new ClaimsPrincipal(context.Ticket.Principal),
new AuthenticationProperties(context.Ticket.Properties.Items),
OpenIdConnectServerDefaults.AuthenticationScheme);
}
catch (Exception ex)
{
context.Reject(
error: $"{ex.HResult}",
description: ex.Message);
}
return(Task.CompletedTask);
}
private async Task _handleAuthorizationToken(HandleTokenRequestContext context)
{
AuthenticateResult ar = await context.HttpContext.AuthenticateAsync(OpenIdConnectServerDefaults.AuthenticationScheme);
AuthenticationTicket at = ar.Ticket;
context.Validate(at);
}
public override async Task HandleTokenRequest(HandleTokenRequestContext context)
{
if (!context.Request.IsPasswordGrantType())
{
return;
}
var username = context.Request.Username;
var password = context.Request.Password;
var user = await _userManager.FindByNameAsync(username);
if (user == null || await _userManager.CheckPasswordAsync(user, password))
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "Invalid user credentials."
);
return;
}
var identity = new ClaimsIdentity(
OpenIdConnectServerDefaults.AuthenticationScheme,
OpenIdConnectConstants.Claims.Name,
OpenIdConnectConstants.Claims.Role
);
identity.AddClaim(
OpenIdConnectConstants.Claims.Subject,
user.Id.ToString(),
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken
);
identity.AddClaim(
OpenIdConnectConstants.Claims.Name,
user.UserName.ToString(),
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken
);
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
OpenIdConnectServerDefaults.AuthenticationScheme
);
ticket.SetScopes(
OpenIdConnectConstants.Scopes.OpenId,
OpenIdConnectConstants.Scopes.Profile,
OpenIdConnectConstants.Scopes.OfflineAccess
);
context.Validate(ticket);
return;
}
/// <summary>
/// Set cross-origin HTTP request (Cors) header to allow requests from a different domains.
/// This Cors value is specific to an Application and set by when validating the client application (ValidateClientAuthenticationp).
/// </summary>
private static void SetCorsHeader(HandleTokenRequestContext context)
{
var allowedOrigin = context.HttpContext.Items["as:clientAllowedOrigin"] as string;
if (allowedOrigin != null)
{
context.HttpContext.Response.Headers.Add("Access-Control-Allow-Origin", new StringValues(allowedOrigin));
}
}
public override async Task HandleTokenRequest(HandleTokenRequestContext context)
{
//HttpContext.RequestServices.GetRequiredService
// Only handle grant_type=password token requests and let the
// OpenID Connect server middleware handle the other grant types.
if (context.Request.IsPasswordGrantType())
{
var user = await _authManager.FindUser(context.Request.Username, context.Request.Password);
if (user == null)
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "The specified user credentials are invalid.");
return;
}
// Create a new ClaimsIdentity containing the claims that
// will be used to create an id_token and/or an access token.
var identity = new ClaimsIdentity(
OpenIdConnectServerDefaults.AuthenticationScheme,
OpenIdConnectConstants.Claims.Name,
OpenIdConnectConstants.Claims.Role);
identity.AddClaim(
new Claim(OpenIdConnectConstants.Claims.Subject, user.Id.ToString())
.SetDestinations(OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken));
identity.AddClaim(
new Claim(OpenIdConnectConstants.Claims.Name, user.UserName)
.SetDestinations(OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken));
identity.AddClaim(
new Claim(OpenIdConnectConstants.Claims.Email, user.Email)
.SetDestinations(OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken));
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
OpenIdConnectServerDefaults.AuthenticationScheme);
ticket.SetScopes(new [] {
/* openid: */
OpenIdConnectConstants.Scopes.OpenId,
/* email: */
OpenIdConnectConstants.Scopes.Email,
/* profile: */
OpenIdConnectConstants.Scopes.Profile,
/* offline_access: */
OpenIdConnectConstants.Scopes.OfflineAccess
}.Intersect(context.Request.GetScopes()));
ticket.SetResources("resource_server");
context.Validate(ticket);
}
}
/// <inheritdoc />
public override Task HandleTokenRequest(HandleTokenRequestContext context)
{
// Only handle grant_type=password token requests and let the
// OpenID Connect server middleware handle the other grant types.
if (context.Request.IsPasswordGrantType())
{
// Validate the credentials here (e.g using ASP.NET Core Identity).
// You can call Reject() with an error code/description to reject
// the request and return a message to the caller.
// ReSharper disable once NotAccessedVariable
UserDto user;
var credential = new NetworkCredential(context.Request.Username, context.Request.Password);
try
{
// ReSharper disable once RedundantAssignment
user = _loginProvider.GetUser(credential.UserName, credential.Password);
}
catch (AuthenticationException err)
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidClient,
description: err.Message);
return(Task.CompletedTask);
}
var identity = new ClaimsIdentity();
identity.AddClaim(OpenIdConnectConstants.Claims.Subject, "[unique identifier]");
// By default, claims are not serialized in the access and identity tokens.
// Use the overload taking a "destinations" parameter to make sure
// your claims are correctly serialized in the appropriate tokens.
identity.AddClaim("urn:customclaim", "value",
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
"Role");
// Call SetResources with the list of resource servers
// the access token should be issued for.
ticket.SetResources("resource_server_1");
// Call SetScopes with the list of scopes you want to grant
// (specify offline_access to issue a refresh token).
ticket.SetScopes("profile", "offline_access");
context.Validate(ticket);
}
return(Task.CompletedTask);
}
public override Task HandleTokenRequest(HandleTokenRequestContext context)
{
// Only handle grant_type=password token requests and let the
// OpenID Connect server middleware handle the other grant types.
if (context.Request.IsPasswordGrantType())
{
// Using password derivation and a time-constant comparer is STRONGLY recommended.
if (!string.Equals(context.Request.Username, "Bob", StringComparison.Ordinal) ||
!string.Equals(context.Request.Password, "P@ssw0rd", StringComparison.Ordinal))
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "The specified user credentials are invalid.");
return(Task.FromResult(0));
}
// Create a new ClaimsIdentity containing the claims that
// will be used to create an id_token and/or an access token.
var identity = new ClaimsIdentity(
OpenIdConnectServerDefaults.AuthenticationScheme,
OpenIdConnectConstants.Claims.Name,
OpenIdConnectConstants.Claims.Role);
identity.AddClaim(OpenIdConnectConstants.Claims.Subject, Guid.NewGuid().ToString(),
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
identity.AddClaim(OpenIdConnectConstants.Claims.Name, "Bob le Bricoleur",
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
identity.AddClaim(OpenIdConnectConstants.Claims.Role, "Admin",
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
// Create a new authentication ticket holding the user identity.
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
OpenIdConnectServerDefaults.AuthenticationScheme);
// Set the list of scopes granted to the client application.
ticket.SetScopes(new[] {
/* openid: */ OpenIdConnectConstants.Scopes.OpenId,
/* email: */ OpenIdConnectConstants.Scopes.Email,
/* profile: */ OpenIdConnectConstants.Scopes.Profile,
/* offline_access: */ OpenIdConnectConstants.Scopes.OfflineAccess
}.Intersect(context.Request.GetScopes()));
context.Validate(ticket);
}
return(Task.FromResult(0));
}
public override async Task HandleTokenRequest(HandleTokenRequestContext context)
{
NotificationResult result = null;
var userService = GetUserService();
if (context.Request.IsPasswordGrantType())
{
result = await userService.IsValidUsernameAndPasswordAsync(context.Request.Username, context.Request.Password);
}
else if (context.Request.IsRefreshTokenGrantType())
{
var idUser = new Guid(context.Ticket.Principal.GetClaim(ClaimTypes.NameIdentifier));
string username = context.Ticket.Principal.GetClaim(ClaimTypes.Name);
result = await userService.IsValidUsernameAndTokenAsync(username, idUser);
}
if (result.IsValid && result.Data == null && result.Messages.Any(x => x.Type == NotificationResult.NotificationMessageType.Warning))
{
result.AddError(result.Messages.First(x => x.Type == NotificationResult.NotificationMessageType.Warning).Message);
}
if (!result.IsValid)
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: result.GetErrors()
);
}
else
{
var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
var user = result.Data as UserCommandResult;
identity.AddClaim(OpenIdConnectConstants.Claims.Subject, user.IdUser.ToString());
identity.AddClaim(ClaimTypes.NameIdentifier, user.IdUser.ToString(), Destinations.AccessToken);
identity.AddClaim(ClaimTypes.Name, user.Username, Destinations.AccessToken);
identity.AddClaim(ClaimTypes.GivenName, user.FirstName, Destinations.AccessToken, Destinations.IdentityToken);
identity.AddClaim(ClaimTypes.Email, user.Email, Destinations.AccessToken, Destinations.IdentityToken);
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
OpenIdConnectServerDefaults.AuthenticationScheme
);
ticket.SetScopes(
Scopes.OpenId,
Scopes.OfflineAccess
);
context.Validate(ticket);
}
}
private async Task OnHandleTokenRequest(HandleTokenRequestContext context)
{
// Only handle grant_type=password token requests and let
// the OpenID Connect server handle the other grant types.
if (context.Request.GrantType == "Password")
{
if (context.Request.Password == "12345")
{
// your choice of claims...
ReturnIdentity(context, context.Request.Username);
}
}
}
public override async Task HandleTokenRequest(HandleTokenRequestContext context)
{
var encrypter = context.HttpContext.RequestServices.GetRequiredService <IEncrypter>();
if (context.Request.IsPasswordGrantType())
{
var Config = context.HttpContext.RequestServices.GetRequiredService <IConfiguration>();
var conString = Config.GetSection("ConnectionString").GetValue <string>("dbCon");
conString = conString.Replace("@@username@@", context.Request.Username);
conString = conString.Replace("@@pass@@", context.Request.Password);
using (FbConnection mycon = new FbConnection(conString))
{
try
{
mycon.Open();
}
catch (Exception)
{
throw new ArgumentException("Wrong password or login");
}
}
conString = encrypter.EncryptConnectionString(conString);
var identity = new ClaimsIdentity(
context.Options.AuthenticationScheme,
OpenIdConnectConstants.Claims.Name,
OpenIdConnectConstants.Claims.Role);
// Add the mandatory subject/user identifier claim.
identity.AddClaim(OpenIdConnectConstants.Claims.Subject, conString);
identity.AddClaim("username", conString,
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
context.Options.AuthenticationScheme);
// Call SetScopes with the list of scopes you want to grant
// (specify offline_access to issue a refresh token).
ticket.SetScopes(
OpenIdConnectConstants.Scopes.OfflineAccess,
OpenIdConnectConstants.Scopes.OpenId);
context.Validate(ticket);
}
}
public override Task HandleTokenRequest(HandleTokenRequestContext context)
{
if (!context.Request.IsPasswordGrantType())
{
return(Task.FromResult(0));
}
// "There was a server error while trying to validate the authentication.");
if (!context.Request.Username.Equals("hello"))
{
context.Reject("authentication error. Username must be 'hello'");
return(Task.FromResult(0));
}
// "There was a server error while trying to validate the authentication.");
if (!context.Request.Password.Equals("world"))
{
context.Reject("authentication error. Password must be 'world'");
return(Task.FromResult(0));
}
var identity = new ClaimsIdentity(context.Scheme.Name);
identity.AddClaim(OpenIdConnectConstants.Claims.Subject, "userID");
// When adding custom claims, you MUST specify one or more destinations.
// Read "part 7" for more information about custom claims and scopes.
/*
* foreach(var data in authenticatedData.GetData())
* {
* identity.AddClaim(data.Key, data.Value, OpenIdConnectConstants.Destinations.AccessToken,
* OpenIdConnectConstants.Destinations.IdentityToken);
* }*/
// Create a new authentication ticket holding the user identity.
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity), new AuthenticationProperties()
{
AllowRefresh = true
},
context.Scheme.Name);
// Set the list of scopes granted to the client application. OfflineAccess will return the refresh token
ticket.SetScopes(OpenIdConnectConstants.Scopes.OfflineAccess, OpenIdConnectConstants.Scopes.Profile);
// Set the resource servers the access token should be issued for.
ticket.SetResources("resource_server");
context.Validate(ticket);
return(Task.FromResult(0));
}
public override async Task HandleTokenRequest(HandleTokenRequestContext context)
{
if (context.Request.IsPasswordGrantType())
{
try
{
var user = await this.userService.AuthenticateAsync(context.Request.Username, context.Request.Password);
var identity = new ClaimsIdentity(context.Scheme.Name);
identity.AddClaim(OpenIdConnectConstants.Claims.Subject, user.Email);
identity.AddClaim(
"username",
$"{user.Email}",
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
identity.AddClaim(
OpenIdConnectConstants.Claims.Role,
user.Role.ToString(),
new List <string> {
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken
});
// Create a new authentication ticket holding the user identity.
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
context.Scheme.Name);
// Set the list of scopes granted to the client application.
ticket.SetScopes(
OpenIdConnectConstants.Scopes.OpenId,
OpenIdConnectConstants.Scopes.Email,
OpenIdConnectConstants.Scopes.Profile,
OpenIdConnectConstants.Scopes.OfflineAccess);
context.Validate(ticket);
}
catch
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "Utilisateur et/ou mot de passe incorrect");
}
}
else
{
// Cas du refresh_token ASOS gère tout seul
}
}
/// <summary>
/// Validates the userName and password provided by the user.
/// </summary>
private async Task GrantResourceOwnerCredentials(HandleTokenRequestContext context)
{
var query = new UserNamePasswordLoginQuery(context.Request.Username, context.Request.Password);
var result = await ExecuteQuery(context, query);
if (!result.Succeeded)
{
context.Reject("invalid_grant", "The user name or password is incorrect.");
return;
}
SetCorsHeader(context);
var ticket = CreateAuthenticationTicket(result, context);
context.Validate(ticket);
}
public override Task HandleTokenRequest(HandleTokenRequestContext context) {
// Only handle grant_type=password token requests and let the
// OpenID Connect server middleware handle the other grant types.
if (context.Request.IsPasswordGrantType()) {
// Using password derivation and a time-constant comparer is STRONGLY recommended.
if (!string.Equals(context.Request.Username, "Bob", StringComparison.Ordinal) ||
!string.Equals(context.Request.Password, "P@ssw0rd", StringComparison.Ordinal)) {
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "Invalid user credentials.");
return Task.FromResult(0);
}
// Create a new ClaimsIdentity containing the claims that
// will be used to create an id_token and/or an access token.
var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
identity.AddClaim(ClaimTypes.NameIdentifier, Guid.NewGuid().ToString(),
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
identity.AddClaim(ClaimTypes.Name, "Bob le Bricoleur",
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
// Create a new authentication ticket holding the user identity.
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
OpenIdConnectServerDefaults.AuthenticationScheme);
// Set the list of scopes granted to the client application.
ticket.SetScopes(new[] {
/* openid: */ OpenIdConnectConstants.Scopes.OpenId,
/* email: */ OpenIdConnectConstants.Scopes.Email,
/* profile: */ OpenIdConnectConstants.Scopes.Profile,
/* offline_access: */ OpenIdConnectConstants.Scopes.OfflineAccess
}.Intersect(context.Request.GetScopes()));
context.Validate(ticket);
}
return Task.FromResult(0);
}
/// <summary>
/// Use this method, because there we are using old version of AuthenticationTicket object from Asp.Net Core 1.0, until OpenIdConnect update their library to use .Net Core 2.0 objects
/// </summary>
/// <param name="context"></param>
/// <param name="principal"></param>
/// <param name="properties"></param>
/// <param name="authenticationScheme"></param>
/// <param name="scopes"></param>
/// <param name="resources"></param>
public static void Validate(this HandleTokenRequestContext context,
ClaimsPrincipal principal,
AuthenticationProperties properties,
string authenticationScheme,
List <string> scopes = null,
List <string> resources = null)
{
var ticket = new AuthenticationTicket(principal, properties, authenticationScheme);
if (context.Request.IsClientCredentialsGrantType())
{
if (scopes == null || !scopes.Any())
{
scopes = new[]
{
/* openid: */ OpenIdConnectConstants.Scopes.OpenId,
/* email: */ OpenIdConnectConstants.Scopes.Email,
/* profile: */ OpenIdConnectConstants.Scopes.Profile,
}
}
private static void ReturnIdentity(HandleTokenRequestContext context, string user)
{
var identity = new ClaimsIdentity(context.Scheme.Name, "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
"http://schemas.microsoft.com/ws/2008/06/identity/claims/role");
identity.AddClaim(
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
string.IsNullOrEmpty(user) ? "Anonyme" : user,
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
identity.AddClaim(
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
user,
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
identity.AddClaim(
OpenIdConnectConstants.Claims.Subject,
user,
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
identity.AddClaim(
"tokenId",
"1235453432FSD",
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
context.Scheme.Name);
// Call SetScopes with the list of scopes you want to grant
// (specify offline_access to issue a refresh token).
ticket.SetScopes(
OpenIdConnectConstants.Scopes.Profile,
OpenIdConnectConstants.Scopes.OfflineAccess);
context.Validate(ticket);
}
public override async Task HandleTokenRequest(HandleTokenRequestContext context)
{
// Don't inject the UserManager to avoid save a reference for the application lifetime
// Internally manages an EF DbContext
var userManager = context.HttpContext.RequestServices.GetRequiredService <UserManager <ApplicationUser> >();
bool isValidUser = false;
var user = await userManager.FindByNameAsync(context.Request.Username);
if (user != null)
{
isValidUser = await userManager.CheckPasswordAsync(user, context.Request.Password);
}
if (isValidUser)
{
var identity = new ClaimsIdentity(context.Options.AuthenticationScheme);
identity.AddClaim(ClaimTypes.NameIdentifier, user.UserName);
identity.AddClaim(ClaimTypes.GivenName, user.FullName);
identity.AddClaim("username", user.UserName,
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
context.Options.AuthenticationScheme);
ticket.SetScopes("api");
context.Validate(ticket);
}
else
{
context.Reject();
}
}
/// <summary>
/// Grant a new access_token based on the current refresh_token. Here we couldvalidate whether the
/// refresh token is still valid or revoked.
/// </summary>
private async Task GrantRefreshToken(HandleTokenRequestContext context)
{
var validator = new RefreshTokenValidatorQuery(
context.Ticket.GetTicketId(),
context.Request.ClientId,
context.Ticket.Principal.GetClaim(ClaimTypes.NameIdentifier));
var result = await ExecuteQuery(context, validator);
if (!result.Succeeded)
{
context.Reject(OpenIdConnectConstants.Errors.InvalidRequest, "Could not validate refresh_token.");
return;
}
SetCorsHeader(context);
var principal = new ClaimsPrincipal(context.Ticket.Principal);
var ticket = CreateAuthenticationTicket(principal, context.Ticket.Properties, context.Options, context);
context.Validate(ticket);
}
public override async Task HandleTokenRequest(HandleTokenRequestContext context)
{
if (!context.Request.IsPasswordGrantType() &&
!context.Request.IsRefreshTokenGrantType())
{
context.Reject(
error: OpenIdConnectConstants.Errors.UnsupportedGrantType,
description: "Only password and refresh token grant types " +
"are accepted by this authorization server");
return;
}
if (context.Request.IsPasswordGrantType())
{
await this.GrantResourceOwnerCredentials(context);
}
if (context.Request.IsRefreshTokenGrantType())
{
await this.GrantRefreshToken(context);
}
}
public Task GetAccessToken(HandleTokenRequestContext context, CancellationToken cancellationToken)
{
if (context.Request.IsPasswordGrantType())
{
if (!string.Equals(context.Request.Username, "Bob", StringComparison.Ordinal) ||
!string.Equals(context.Request.Password, "P@ssw0rd", StringComparison.Ordinal))
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "Invalid user credentials.");
return(Task.CompletedTask);
}
var identity = new ClaimsIdentity(context.Scheme.Name,
OpenIdConnectConstants.Claims.Name,
OpenIdConnectConstants.Claims.Role);
identity.AddClaim(OpenIdConnectConstants.Claims.Subject, "[unique id]", OpenIdConnectConstants.Destinations.IdentityToken);
identity.AddClaim("urn:customclaim", "value",
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
context.Scheme.Name);
ticket.SetResources("resource_server");
ticket.SetScopes(
OpenIdConnectConstants.Scopes.Profile,
OpenIdConnectConstants.Scopes.OfflineAccess
);
context.Validate(ticket);
}
return(Task.CompletedTask);
}
public override async Task HandleTokenRequest(HandleTokenRequestContext context)
{
authservice = context.HttpContext.RequestServices.GetRequiredService <IValidateAuthorizationService>();
if (authservice == null)
{
context.Reject(OpenIdConnectConstants.Errors.ServerError, "Failed to validate this authorization request");
return;
}
if (context.Request.IsRefreshTokenGrantType())
{
await _handleRefreshToken(context);
return;
}
else if (context.Request.IsAuthorizationCodeGrantType())
{
await _handleAuthorizationToken(context);
return;
}
else if (context.Request.IsImplicitFlow())
{
await _handleImplicitCredentialsToken(context);
return;
}
else if (context.Request.IsClientCredentialsGrantType())
{
await _handleClientCredentialsToken(context);
return;
}
context.Reject(
error: OpenIdConnectConstants.Errors.UnsupportedGrantType,
description: "Only authorization code, client credentials, and implicit grants " +
"are accepted by this authorization server");
return;
}
/// <summary>
/// Represents an event called for each validated token request
/// to allow the user code to decide how the request should be handled.
/// </summary>
/// <param name="context">The context instance associated with this event.</param>
/// <returns>
/// A <see cref="T:System.Threading.Tasks.Task" /> that can be used to monitor the asynchronous operation.
/// </returns>
public override async Task HandleTokenRequest(HandleTokenRequestContext context)
{
//// TODO: Revisar lo que no va quemado
if (context.Request.IsPasswordGrantType())
{
var userService = (IUserService)context.HttpContext.RequestServices.GetService(typeof(IUserService));
var user = await userService.GetUserAuthenticated(context.Request.Username, context.Request.Password);
if (user != null)
{
var identity = new ClaimsIdentity(context.Options.AuthenticationScheme);
identity.AddClaim(OpenIdConnectConstants.Claims.Subject, user.Id.ToString());
identity.AddClaim(OpenIdConnectConstants.Claims.Name, user.Name);
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
context.Options.AuthenticationScheme);
ticket.SetScopes(
OpenIdConnectConstants.Scopes.OpenId,
OpenIdConnectConstants.Scopes.Email,
OpenIdConnectConstants.Scopes.Profile);
ticket.SetResources("http://hostaliando.com");
context.Validate(ticket);
}
else
{
context.Reject(
error: OpenIdConnectConstants.Errors.AccessDenied,
description: "Los datos ingresados son invalidos");
}
}
}
private async Task _handleClientCredentialsToken(HandleTokenRequestContext context)
{
ClaimsIdentity identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme, OpenIdConnectConstants.Claims.Name, OpenIdConnectConstants.Claims.Role);
// We serialize the user_id so we can determine which user the caller of this token is
identity.AddClaim(
new Claim(OpenIdConnectConstants.Claims.Subject, context.Request.ClientId)
.SetDestinations(OpenIdConnectConstants.Destinations.AccessToken, OpenIdConnectConstants.Destinations.IdentityToken));
// We serialize the grant_type so we can user discriminate rate-limits. AuthorizationCode grants have the highest rate-limit allowance
identity.AddClaim(
new Claim("grant_type", OpenIdConnectConstants.GrantTypes.ClientCredentials)
.SetDestinations(OpenIdConnectConstants.Destinations.AccessToken, OpenIdConnectConstants.Destinations.IdentityToken));
// We serialize the client_id so we can monitor for usage patterns of a given app, and also to allow for app-based token revokes.
identity.AddClaim(
new Claim("client_id", context.Request.ClientId)
.SetDestinations(OpenIdConnectConstants.Destinations.AccessToken, OpenIdConnectConstants.Destinations.IdentityToken));
AuthenticationTicket ticket = new AuthenticationTicket(new ClaimsPrincipal(identity), new AuthenticationProperties(), OpenIdConnectServerDefaults.AuthenticationScheme);
context.Validate(ticket);
}
public override async Task HandleTokenRequest(HandleTokenRequestContext context)
{
// Resolve ASP.NET Core Identity's user manager from the DI container.
var manager = context.HttpContext.RequestServices.GetRequiredService<UserManager<ApplicationUser>>();
// Only handle grant_type=password requests and let ASOS
// process grant_type=refresh_token requests automatically.
if (context.Request.IsPasswordGrantType())
{
var user = await manager.FindByNameAsync(context.Request.Username);
if (user == null)
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "Invalid credentials.");
return;
}
// Ensure the user is not already locked out.
if (manager.SupportsUserLockout && await manager.IsLockedOutAsync(user))
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "Invalid credentials.");
return;
}
// Ensure the password is valid.
if (!await manager.CheckPasswordAsync(user, context.Request.Password))
{
if (manager.SupportsUserLockout)
{
await manager.AccessFailedAsync(user);
}
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "Invalid credentials.");
return;
}
if (manager.SupportsUserLockout)
{
await manager.ResetAccessFailedCountAsync(user);
}
// Reject the token request if two-factor authentication has been enabled by the user.
if (manager.SupportsUserTwoFactor && await manager.GetTwoFactorEnabledAsync(user))
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "Two-factor authentication is required for this account.");
return;
}
var identity = new ClaimsIdentity(context.Options.AuthenticationScheme);
// Note: the name identifier is always included in both identity and
// access tokens, even if an explicit destination is not specified.
identity.AddClaim(ClaimTypes.NameIdentifier, await manager.GetUserIdAsync(user));
// When adding custom claims, you MUST specify one or more destinations.
// Read "part 7" for more information about custom claims and scopes.
identity.AddClaim("username", await manager.GetUserNameAsync(user),
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
identity.AddClaim("firstName", user.FirstName, OpenIdConnectConstants.Destinations.IdentityToken);
//Add roles
var roles = await manager.GetRolesAsync(user);
var roleClaims = new List<Claim>();
foreach(var role in roles)
{
identity.AddClaim(ClaimTypes.Role, role, OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
}
var estheticians = (IEstheticianService)context.HttpContext.RequestServices.GetService(typeof(IEstheticianService));
var esthetician = await estheticians.GetByEmailAsync(user.Email);
if (esthetician != null)
{
identity.AddClaim("estheticianId", esthetician.Id.ToString(), OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
}
// Create a new authentication ticket holding the user identity.
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
context.Options.AuthenticationScheme);
// Set the list of scopes granted to the client application.
ticket.SetScopes(
/* openid: */ OpenIdConnectConstants.Scopes.OpenId,
/* email: */ OpenIdConnectConstants.Scopes.Email,
/* profile: */ OpenIdConnectConstants.Scopes.Profile,
/* offline_access */ OpenIdConnectConstants.Scopes.OfflineAccess);
// Set the resource servers the access token should be issued for.
ticket.SetResources("resource_server");
context.Validate(ticket);
}
}
