public async Task <IActionResult> Token(OpenIdConnectRequest request)
{
if (request.IsPasswordGrantType())
{
try
{
var @for = request.GetParameter("for").GetValueOrDefault();
return(@for == "Business"
? await PasswordBusiness(request.Username, request.Password)
: await Password(request.Username, request.Password));
}
catch
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "Invalid email or password"
}));
}
}
else if (request.IsRefreshTokenGrantType())
{
// todo: test!
// Retrieve the claims principal stored in the refresh token.
var principal = (await HttpContext.AuthenticateAsync(OpenIddictValidationDefaults.AuthenticationScheme)).Principal;
return(RefreshToken(principal));
}
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidClient,
ErrorDescription = "The grant_type is not supported"
}));
}
private IEnumerable <string> GetScopes(OpenIdConnectRequest request)
{
var scope = request.GetParameter("scopes");
return(scope != null?
scope.Value.ToString().Split(' ') :
Enumerable.Empty <string>());
}
public void PropertySetter_AddsExpectedParameter(string property, string name, OpenIdConnectParameter value)
{
// Arrange
var request = new OpenIdConnectRequest();
// Act
typeof(OpenIdConnectRequest).GetProperty(property).SetValue(request, value.Value);
// Assert
Assert.Equal(value, request.GetParameter(name));
}
public async Task <IActionResult> Exchange(OpenIdConnectRequest connectRequest)
{
if (connectRequest.IsPasswordGrantType())
{
ApplicationUser user = null;
if (connectRequest.HasParameter("survey_user"))
{
user = await this._accountManager.GetSurveyUserByShortcodeAsync(
int.Parse(connectRequest.GetParameter("survey_id")?.Value.ToString()),
connectRequest.GetParameter("shortcode")?.Value.ToString());
}
else
{
user = await _userManager.FindByEmailAsync(connectRequest.Username) ?? await _userManager.FindByNameAsync(connectRequest.Username);
}
if (user == null)
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "Please check that your email and password is correct"
}));
}
// Ensure the user is enabled.
if (!user.IsEnabled)
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "The specified user account is disabled"
}));
}
// Validate the username/password parameters and ensure the account is not locked out.
var result = await _signInManager.CheckPasswordSignInAsync(user, connectRequest.Password, true);
// Ensure the user is not already locked out.
if (result.IsLockedOut)
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "The specified user account has been suspended"
}));
}
// Reject the token request if two-factor authentication has been enabled by the user.
if (result.RequiresTwoFactor)
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "Invalid login procedure"
}));
}
// Ensure the user is allowed to sign in.
if (result.IsNotAllowed)
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "The specified user is not allowed to sign in"
}));
}
if (!result.Succeeded)
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "Please check that your email and password is correct"
}));
}
// Create a new authentication ticket.
var ticket = await this._authenticationService.CreateTicketAsync(connectRequest, user);
return(SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme));
}
else if (connectRequest.IsRefreshTokenGrantType())
{
// Retrieve the claims principal stored in the refresh token.
var info = await HttpContext.AuthenticateAsync(OpenIdConnectServerDefaults.AuthenticationScheme);
// Retrieve the user profile corresponding to the refresh token.
// Note: if you want to automatically invalidate the refresh token
// when the user password/roles change, use the following line instead:
var user = await _signInManager.ValidateSecurityStampAsync(info.Principal);
//var user = await _userManager.GetUserAsync(info.Principal);
if (user == null)
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "The refresh token is no longer valid"
}));
}
// Ensure the user is still allowed to sign in.
if (!await _signInManager.CanSignInAsync(user))
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "The user is no longer allowed to sign in"
}));
}
// Create a new authentication ticket, but reuse the properties stored
// in the refresh token, including the scopes originally granted.
var ticket = await this._authenticationService.CreateTicketAsync(connectRequest, user);
return(SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme));
}
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.UnsupportedGrantType,
ErrorDescription = "The specified grant type is not supported"
}));
}
