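    /// <summary>
    /// Handles a client-credentials token request: authenticates the calling client,
    /// checks that every requested scope is covered by the client's scope permissions,
    /// and builds the principal the access token is issued for.
    /// </summary>
    /// <param name="request">The incoming token request; only the client_credentials grant is handled.</param>
    /// <returns>
    /// A principal carrying the client id as subject, the application's display name,
    /// and the requested scopes.
    /// </returns>
    /// <exception cref="NotImplementedException">The request uses any other grant type.</exception>
    /// <exception cref="NotFoundException{T}">No application is registered for the supplied client id.</exception>
    /// <exception cref="AuthenticationException">
    /// The client id or secret is missing, the secret does not validate, or a requested
    /// scope is not among the application's scope permissions.
    /// </exception>
    public async Task<ClaimsPrincipal> Handle(OpenIddictRequest request)
    {
        if (!request.IsClientCredentialsGrantType())
        {
            throw new NotImplementedException("The specified grant type is not implemented");
        }

        // client_id and client_secret are caller-supplied and may be absent. Reject them
        // here with the same error as a wrong secret instead of suppressing the nullable
        // warning and passing null into the application manager.
        var clientId     = request.ClientId;
        var clientSecret = request.ClientSecret;

        if (string.IsNullOrEmpty(clientId) || string.IsNullOrEmpty(clientSecret))
        {
            throw new AuthenticationException("Invalid Admin API Client key and secret");
        }

        // NOTE(review): an unknown client id surfaces as NotFoundException (including the id),
        // while a wrong secret surfaces as AuthenticationException. If both reach the caller
        // as different responses, the endpoint reveals which client ids exist; confirm that
        // the API boundary maps them to the same error.
        var application = await _applicationManager.FindByClientIdAsync(clientId) ??
                          throw new NotFoundException<string?>("Admin API Client", clientId);

        if (!await _applicationManager.ValidateClientSecretAsync(application, clientSecret))
        {
            throw new AuthenticationException("Invalid Admin API Client key and secret");
        }

        var requestedScopes = request.GetScopes();

        // Scope permissions are stored with a fixed prefix. Compare ordinally so the
        // authorization decision does not depend on the server's current culture.
        var scopePrefix = OpenIddictConstants.Permissions.Prefixes.Scope;
        var appScopes   = (await _applicationManager.GetPermissionsAsync(application))
                          .Where(p => p.StartsWith(scopePrefix, StringComparison.Ordinal))
                          .Select(p => p.Substring(scopePrefix.Length))
                          .ToList();

        // Every requested scope must be explicitly granted to this application.
        var missingScopes = requestedScopes.Where(s => !appScopes.Contains(s)).ToList();

        if (missingScopes.Any())
        {
            throw new AuthenticationException($"Client is not allowed access to requested scope(s): {string.Join(", " , missingScopes)}");
        }

        var displayName = await _applicationManager.GetDisplayNameAsync(application);

        var identity = new ClaimsIdentity(JwtBearerDefaults.AuthenticationScheme);

        identity.AddClaim(OpenIddictConstants.Claims.Subject, clientId, OpenIddictConstants.Destinations.AccessToken);

        // NOTE(review): displayName is asserted non-null here. If an application can be
        // registered without a display name, this call presumably fails after the client
        // has already authenticated; confirm and decide on a fallback.
        identity.AddClaim(OpenIddictConstants.Claims.Name, displayName!, OpenIddictConstants.Destinations.AccessToken);

        var principal = new ClaimsPrincipal(identity);

        // Only scopes that passed the permission check above are placed on the principal.
        principal.SetScopes(requestedScopes);

        return principal;
    }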