protected async Task <IActionResult> Authenticate(string returnUrl, string currentAmr, OAuthUser user, bool rememberLogin = false)
{
var unprotectedUrl = Unprotect(returnUrl);
var query = unprotectedUrl.GetQueries().ToJObj();
var acrValues = query.GetAcrValuesFromAuthorizationRequest();
var clientId = query.GetClientIdFromAuthorizationRequest();
var client = (OpenIdClient)await _oauthClientRepository.FindOAuthClientById(clientId);
var acr = await _amrHelper.FetchDefaultAcr(acrValues, client);
string amr;
if (acr == null || string.IsNullOrWhiteSpace(amr = _amrHelper.FetchNextAmr(acr, currentAmr)))
{
var claims = user.ToClaims();
claims.Add(new Claim(ClaimTypes.AuthenticationInstant, DateTime.UtcNow.ToString()));
var claimsIdentity = new ClaimsIdentity(claims, currentAmr);
var claimsPrincipal = new ClaimsPrincipal(claimsIdentity);
await HttpContext.SignInAsync(claimsPrincipal, new AuthenticationProperties
{
IsPersistent = rememberLogin
});
return(Redirect(unprotectedUrl));
}
return(RedirectToAction("Index", "Authenticate", new { area = amr, ReturnUrl = returnUrl }));
}
protected virtual async Task <JwsPayload> BuildIdToken(HandlerContext currentContext, JObject queryParameters, IEnumerable <string> requestedScopes, CancellationToken cancellationToken)
{
var openidClient = (OpenIdClient)currentContext.Client;
var result = new JwsPayload
{
{ OAuthClaims.Audiences, new [] { openidClient.ClientId, currentContext.Request.IssuerName } },
{ OAuthClaims.Issuer, currentContext.Request.IssuerName },
{ OAuthClaims.Iat, DateTime.UtcNow.ConvertToUnixTimestamp() },
{ OAuthClaims.ExpirationTime, DateTime.UtcNow.AddSeconds(openidClient.TokenExpirationTimeInSeconds).ConvertToUnixTimestamp() },
{ OAuthClaims.Azp, openidClient.ClientId }
};
var maxAge = queryParameters.GetMaxAgeFromAuthorizationRequest();
var nonce = queryParameters.GetNonceFromAuthorizationRequest();
var acrValues = queryParameters.GetAcrValuesFromAuthorizationRequest();
var requestedClaims = queryParameters.GetClaimsFromAuthorizationRequest();
var subjectTypeBuilder = _subjectTypeBuilders.First(f => f.SubjectType == (string.IsNullOrWhiteSpace(openidClient.SubjectType) ? PublicSubjectTypeBuilder.SUBJECT_TYPE : openidClient.SubjectType));
var subject = await subjectTypeBuilder.Build(currentContext);
string accessToken, code;
if (currentContext.Response.TryGet(OAuth.DTOs.AuthorizationResponseParameters.AccessToken, out accessToken))
{
result.Add(OAuthClaims.AtHash, ComputeHash(accessToken));
}
if (currentContext.Response.TryGet(OAuth.DTOs.AuthorizationResponseParameters.Code, out code))
{
result.Add(OAuthClaims.CHash, ComputeHash(code));
}
if (maxAge != null)
{
result.Add(OAuthClaims.AuthenticationTime, currentContext.User.AuthenticationTime.Value.ConvertToUnixTimestamp());
}
if (!string.IsNullOrWhiteSpace(nonce))
{
result.Add(OAuthClaims.Nonce, nonce);
}
var defaultAcr = await _amrHelper.FetchDefaultAcr(acrValues, requestedClaims, openidClient, cancellationToken);
if (defaultAcr != null)
{
result.Add(OAuthClaims.Amr, defaultAcr.AuthenticationMethodReferences);
result.Add(OAuthClaims.Acr, defaultAcr.Name);
}
var scopes = openidClient.AllowedOpenIdScopes.Where(s => requestedScopes.Any(r => r == s.Name));
EnrichWithScopeParameter(result, scopes, currentContext.User, subject);
_claimsJwsPayloadEnricher.EnrichWithClaimsParameter(result, requestedClaims, currentContext.User, currentContext.User.AuthenticationTime);
foreach (var claimsSource in _claimsSources)
{
await claimsSource.Enrich(result, openidClient).ConfigureAwait(false);
}
return(result);
}
protected async Task <string> GetFirstAmr(IEnumerable <string> acrValues, IEnumerable <AuthorizationRequestClaimParameter> claims, OpenIdClient client, CancellationToken cancellationToken)
{
var acr = await _amrHelper.FetchDefaultAcr(acrValues, claims, client, cancellationToken);
if (acr == null)
{
return(null);
}
return(acr.AuthenticationMethodReferences.First());
}
private async Task <string> GetFirstAmr(IEnumerable <string> acrValues, OpenIdClient client)
{
var acr = await _amrHelper.FetchDefaultAcr(acrValues, client);
if (acr == null)
{
return(null);
}
return(acr.AuthenticationMethodReferences.First());
}
protected async Task <IActionResult> Authenticate(string returnUrl, string currentAmr, OAuthUser user, CancellationToken token, bool rememberLogin = false)
{
var unprotectedUrl = Unprotect(returnUrl);
var query = unprotectedUrl.GetQueries().ToJObj();
var acrValues = query.GetAcrValuesFromAuthorizationRequest();
var clientId = query.GetClientIdFromAuthorizationRequest();
var requestedClaims = query.GetClaimsFromAuthorizationRequest();
var client = (OpenIdClient)await _oauthClientRepository.FindOAuthClientById(clientId, token);
var acr = await _amrHelper.FetchDefaultAcr(acrValues, requestedClaims, client, token);
string amr;
if (acr == null || string.IsNullOrWhiteSpace(amr = _amrHelper.FetchNextAmr(acr, currentAmr)))
{
var currentDateTime = DateTime.UtcNow;
var expirationDateTime = currentDateTime.AddSeconds(_options.CookieAuthExpirationTimeInSeconds);
var offset = DateTimeOffset.UtcNow.AddSeconds(_options.CookieAuthExpirationTimeInSeconds);
var claims = user.ToClaims();
var claimsIdentity = new ClaimsIdentity(claims, currentAmr);
var claimsPrincipal = new ClaimsPrincipal(claimsIdentity);
user.AddSession(expirationDateTime);
await _oauthUserCommandRepository.Update(user, token);
await _oauthUserCommandRepository.SaveChanges(token);
Response.Cookies.Append(_options.SessionCookieName, user.GetActiveSession().SessionId, new CookieOptions
{
Secure = true,
HttpOnly = false,
SameSite = SameSiteMode.None
});
if (rememberLogin)
{
await HttpContext.SignInAsync(claimsPrincipal, new AuthenticationProperties
{
IsPersistent = true
});
}
else
{
await HttpContext.SignInAsync(claimsPrincipal, new AuthenticationProperties
{
IsPersistent = true,
ExpiresUtc = offset
});
}
return(Redirect(unprotectedUrl));
}
return(RedirectToAction("Index", "Authenticate", new { area = amr, ReturnUrl = returnUrl }));
}
protected async Task <IActionResult> Authenticate(string returnUrl, string currentAmr, OAuthUser user, CancellationToken token, bool rememberLogin = false)
{
var unprotectedUrl = Unprotect(returnUrl);
var query = unprotectedUrl.GetQueries().ToJObj();
var acrValues = query.GetAcrValuesFromAuthorizationRequest();
var clientId = query.GetClientIdFromAuthorizationRequest();
var requestedClaims = query.GetClaimsFromAuthorizationRequest();
var client = (OpenIdClient)await _oauthClientRepository.FindOAuthClientById(clientId, token);
var acr = await _amrHelper.FetchDefaultAcr(acrValues, requestedClaims, client, token);
string amr;
if (acr == null || string.IsNullOrWhiteSpace(amr = _amrHelper.FetchNextAmr(acr, currentAmr)))
{
return(await Sign(unprotectedUrl, currentAmr, user, token, rememberLogin));
}
return(RedirectToAction("Index", "Authenticate", new { area = amr, ReturnUrl = returnUrl }));
}