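/// <summary>
/// Completes the OpenID Connect authorization-code round trip: mints an application JWT from the
/// claims of the received id token, appends it as a query parameter to the redirect URI, and then
/// either delegates to the configured consent callback or records the consent as "implicit".
/// </summary>
/// <param name="authorizationCodeReceived">
/// The OWIN authorization-code notification. Its <c>AuthenticationTicket.Properties.RedirectUri</c>
/// is mutated in place; when a consent callback is configured the response is also marked as handled.
/// </param>
public async Task HandleOpenIdAuthorizationCodeAsync(AuthorizationCodeReceivedNotification authorizationCodeReceived)
{
    if (authorizationCodeReceived == null)
    {
        throw new ArgumentNullException("authorizationCodeReceived");
    }

    var properties = authorizationCodeReceived.AuthenticationTicket.Properties;

    string tokenAsBase64 = JwtTokenHelper
        .CreateSecurityTokenDescriptor(authorizationCodeReceived.JwtSecurityToken.Claims, _jwtOptions)
        .CreateTokenAsBase64();

    // The token value is percent-encoded before it goes into the query string: plain Base64 may
    // contain '+', '/' and '=', and an unescaped '+' would round-trip as a space on the consumer
    // side. This also makes the token parameter consistent with the consent parameter below,
    // which was already escaped.
    properties.RedirectUri = AppendQueryParameter(
        properties.RedirectUri, _jwtOptions.JwtTokenParameterName, tokenAsBase64);

    if (_createConsentOptions.CreateConsentAsync != null)
    {
        // Explicit consent: the callback owns the rest of the response.
        await _createConsentOptions.CreateConsentAsync(
            authorizationCodeReceived.Response, new Uri(properties.RedirectUri));
        authorizationCodeReceived.HandleResponse();
    }
    else
    {
        // No consent callback configured: record implicit consent and let the redirect proceed.
        properties.RedirectUri = AppendQueryParameter(
            properties.RedirectUri, _consentHandlerOptions.ConsentParameterName, "implicit");
    }
}

/// <summary>
/// Appends <c>name=value</c> to <paramref name="uri"/>, choosing '?' when the URI has no query
/// string yet and '&amp;' otherwise. The value is percent-encoded; the name is taken from
/// configuration and appended as-is.
/// </summary>
/// <param name="uri">The URI to extend.</param>
/// <param name="name">The query parameter name (trusted configuration value).</param>
/// <param name="value">The raw parameter value; escaped with <see cref="Uri.EscapeDataString"/>.</param>
/// <returns>The extended URI string.</returns>
private static string AppendQueryParameter(string uri, string name, string value)
{
    string separator = uri.IndexOf('?') >= 0 ? "&" : "?";
    return uri + separator + name + "=" + Uri.EscapeDataString(value);
}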
/// <summary>
/// Handles the OAuth authorize endpoint for the implicit flow. The request is rejected unless the
/// server has a supported scope configured and the client asked for it; a caller without a raw JWT
/// is challenged and sent back to this URI; the validated principal is transformed, the consent
/// answer is checked, and finally the client is redirected to its redirect URI with the
/// application token in the URI fragment.
/// </summary>
/// <param name="context">
/// The OWIN authorize-endpoint context. On every path the response is either redirected,
/// challenged, or completed with an error through <c>Error</c>.
/// </param>
public override async Task AuthorizeEndpoint(OAuthAuthorizeEndpointContext context)
{
    string requestUri = context.Request.Uri.ToString();
    string supportedScope = _options.JwtOptions.SupportedScope;

    // Scope checks run before any token work so a misconfigured server never issues a token.
    if (string.IsNullOrWhiteSpace(supportedScope))
    {
        Error(context, OAuthImplicitFlowError.ServerError, "no supported scope defined");
        return;
    }

    if (!HasSupportedScope(context, supportedScope))
    {
        Error(context, OAuthImplicitFlowError.Scope, string.Format("only {0} scope is supported", supportedScope));
        return;
    }

    string rawJwt = await TryGetRawJwtTokenAsync(context);
    if (string.IsNullOrWhiteSpace(rawJwt))
    {
        // No token on the request yet: challenge and come back to this same URI afterwards.
        var challengeProperties = new AuthenticationProperties { RedirectUri = requestUri };
        context.OwinContext.Authentication.Challenge(challengeProperties);
        return;
    }

    // NOTE(review): TokenValidator.Validate is a project helper; whether it throws or returns an
    // unauthenticated principal on an invalid signature cannot be told from here. The check
    // below only covers the latter case.
    ClaimsPrincipal validatedPrincipal = new TokenValidator().Validate(rawJwt, _options.JwtOptions);
    if (!validatedPrincipal.Identity.IsAuthenticated)
    {
        Error(context, OAuthImplicitFlowError.AccessDenied, "unauthorized user, unauthenticated");
        return;
    }

    // The application-specific transformation decides which claims end up in the issued token;
    // an identity with no claims at all is treated as "not authorized".
    ClaimsIdentity identity = await _options.TransformPrincipal(validatedPrincipal);
    if (!identity.Claims.Any())
    {
        Error(context, OAuthImplicitFlowError.AccessDenied, "unauthorized user");
        return;
    }

    ConsentAnswer consent = await TryGetConsentAnswerAsync(context.Request);
    if (consent == ConsentAnswer.Rejected)
    {
        Error(context, OAuthImplicitFlowError.AccessDenied, "resource owner denied request");
        return;
    }

    if (consent == ConsentAnswer.Missing)
    {
        Error(context, OAuthImplicitFlowError.ServerError, "missing consent answer");
        return;
    }

    bool consentGranted = consent == ConsentAnswer.Accepted || consent == ConsentAnswer.Implicit;
    if (!consentGranted)
    {
        Error(context, OAuthImplicitFlowError.ServerError, string.Format("invalid consent answer '{0}'", consent.Display));
        return;
    }

    string appToken = JwtTokenHelper
        .CreateSecurityTokenDescriptor(identity.Claims, _options.JwtOptions)
        .CreateTokenAsBase64();

    // Implicit flow: the token travels in the fragment, never in the query, so it is not sent
    // to the redirect target's server by the browser.
    var redirect = new UriBuilder(context.AuthorizeRequest.RedirectUri)
    {
        Fragment = BuildImplicitFlowFragment(appToken, context.AuthorizeRequest.State, supportedScope, consent)
    };

    context.Response.Redirect(redirect.Uri.ToString());
    context.RequestCompleted();
}

/// <summary>
/// Builds the implicit-flow response fragment: <c>access_token</c>, <c>token_type</c>,
/// <c>state</c> and <c>scope</c>, plus <c>consent_type</c> when consent was implicit.
/// Every value is percent-encoded; a null state is echoed as an empty string.
/// </summary>
/// <param name="accessToken">The Base64 application token.</param>
/// <param name="state">The client's <c>state</c> value, possibly null.</param>
/// <param name="scope">The single supported scope.</param>
/// <param name="consent">The consent answer that allowed the token to be issued.</param>
/// <returns>The fragment string without a leading '#'.</returns>
private static string BuildImplicitFlowFragment(string accessToken, string state, string scope, ConsentAnswer consent)
{
    const string tokenType = "bearer";

    var fragment = new StringBuilder()
        .Append("access_token=").Append(Uri.EscapeDataString(accessToken))
        .Append("&token_type=").Append(Uri.EscapeDataString(tokenType))
        .Append("&state=").Append(Uri.EscapeDataString(state ?? ""))
        .Append("&scope=").Append(Uri.EscapeDataString(scope));

    if (consent == ConsentAnswer.Implicit)
    {
        fragment.Append("&consent_type=").Append(Uri.EscapeDataString(consent.Invariant));
    }

    return fragment.ToString();
}