/// <summary>
/// Creates an id_token for a refresh token request if identity resources have been requested.
/// </summary>
/// <param name="request">The request.</param>
/// <param name="newAccessToken">The new access token.</param>
/// <returns></returns>
protected virtual async Task <string> CreateIdTokenFromRefreshTokenRequestAsync(ValidatedTokenRequest request, string newAccessToken)
{
var resources = await Resources.FindEnabledResourcesByScopeAsync(request.RefreshToken.Scopes);
if (resources.IdentityResources.Any())
{
var oldAccessToken = request.RefreshToken.AccessToken;
var parsedScopes = await ResourceValidator.ParseRequestedScopesAsync(oldAccessToken.Scopes);
var validatedResources = await Resources.CreateResourceValidationResult(parsedScopes);
var tokenRequest = new TokenCreationRequest
{
Subject = request.RefreshToken.Subject,
ValidatedResources = validatedResources,
ValidatedRequest = request,
AccessTokenToHash = newAccessToken
};
var idToken = await TokenService.CreateIdentityTokenAsync(tokenRequest);
return(await TokenService.CreateSecurityTokenAsync(idToken));
}
return(null);
}
public async Task <string> GetToken(string subjectId, string deviceId, string secret)
{
var request = new TokenCreationRequest();
var identityUser = new IdentityServerUser(subjectId);
identityUser.DisplayName = deviceId;
identityUser.AuthenticationTime = System.DateTime.UtcNow;
identityUser.IdentityProvider = IdentityServerConstants.LocalIdentityProvider;
request.Subject = identityUser.CreatePrincipal();
request.IncludeAllIdentityClaims = true;
request.ValidatedRequest = new ValidatedRequest();
request.ValidatedRequest.Subject = request.Subject;
request.ValidatedRequest.SetClient(new Client()
{
ClientId = deviceId,
AllowedGrantTypes = GrantTypes.ClientCredentials,
ClientSecrets =
{
new Secret(secret.Sha256())
}
});
request.Resources = new Resources(IdentityServerConfig.GetIdentityResources(),
IdentityServerConfig.GetApiResources());
request.ValidatedRequest.Options = _options;
request.ValidatedRequest.ClientClaims = identityUser.AdditionalClaims;
var token = await _tokenService.CreateAccessTokenAsync(request);
var tokenValue = await _tokenService.CreateSecurityTokenAsync(token);
return(tokenValue);
}
public async Task CreateAccessTokenAsync_when_no_apiresources_should_not_include_any_aud()
{
var request = new TokenCreationRequest
{
ValidatedResources = new ResourceValidationResult()
{
Resources = new Resources()
{
ApiScopes =
{
new ApiScope("scope1"),
new ApiScope("scope2"),
new ApiScope("scope3"),
},
},
ParsedScopes =
{
new ParsedScopeValue("scope1"),
new ParsedScopeValue("scope2"),
new ParsedScopeValue("scope3"),
}
},
ValidatedRequest = new ValidatedRequest()
{
Client = new Client {
}
}
};
var result = await _subject.CreateAccessTokenAsync(request);
result.Audiences.Count.Should().Be(0);
}
/// <summary>
/// Creates an access token.
/// </summary>
/// <param name="request">The token creation request.</param>
/// <returns>
/// An access token
/// </returns>
public virtual async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request)
{
_logger.LogVerbose("Creating access token");
request.Validate();
var claims = new List <Claim>();
claims.AddRange(await _claimsProvider.GetAccessTokenClaimsAsync(
request.Subject,
request.Client,
request.Scopes,
request.ValidatedRequest));
if (request.Client.IncludeJwtId)
{
claims.Add(new Claim(Constants.ClaimTypes.JwtId, CryptoRandom.CreateUniqueId()));
}
var issuer = _context.GetIssuerUri();
var token = new Token(Constants.TokenTypes.AccessToken)
{
Audience = string.Format(Constants.AccessTokenAudience, issuer.EnsureTrailingSlash()),
Issuer = issuer,
Lifetime = request.Client.AccessTokenLifetime,
Claims = claims.Distinct(new ClaimComparer()).ToList(),
Client = request.Client
};
return(token);
}
public override async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request)
{
Logger.LogTrace("Creating access token");
request.Validate();
var claims = new List <Claim>();
claims.AddRange(await ClaimsProvider.GetAccessTokenClaimsAsync(
request.Subject,
request.Resources,
request.ValidatedRequest));
if (request.ValidatedRequest.Client.IncludeJwtId)
{
claims.Add(new Claim(JwtClaimTypes.JwtId, CryptoRandom.CreateUniqueId(16)));
}
claims.Add(new Claim(JwtClaimTypes.Name, request.Subject.GetDisplayName()));
var issuer = Context.HttpContext.GetIdentityServerIssuerUri();
var token = new Token(OidcConstants.TokenTypes.AccessToken)
{
CreationTime = Clock.UtcNow.UtcDateTime,
Issuer = issuer,
Lifetime = request.ValidatedRequest.AccessTokenLifetime,
Claims = claims.Distinct(new ClaimComparer()).ToList(),
ClientId = request.ValidatedRequest.Client.ClientId,
AccessTokenType = request.ValidatedRequest.AccessTokenType
};
foreach (var api in request.Resources.ApiResources)
{
if (!string.IsNullOrWhiteSpace(api.Name))
{
token.Audiences.Add(api.Name);
}
}
return(token);
}
/// <summary>
/// Creates an access token.
/// </summary>
/// <param name="request">The token creation request.</param>
/// <returns>
/// An access token
/// </returns>
public virtual async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request)
{
Logger.Debug("Creating access token");
request.Validate();
var claims = new List <Claim>();
claims.AddRange(await _claimsProvider.GetAccessTokenClaimsAsync(
request.Subject,
request.Client,
request.Scopes,
request.ValidatedRequest));
if (request.Client.IncludeJwtId)
{
claims.Add(new Claim(Constants.ClaimTypes.JwtId, CryptoRandom.CreateUniqueId()));
}
if (request.ProofKey.IsPresent())
{
claims.Add(new Claim(Constants.ClaimTypes.Confirmation, request.ProofKey, Constants.ClaimValueTypes.Json));
}
return(CreateAccessToken(request.Client, claims));
}
/// <summary>
/// Creates an id_token for a refresh token request if identity resources have been requested.
/// </summary>
/// <param name="request">The request.</param>
/// <param name="newAccessToken">The new access token.</param>
/// <returns></returns>
protected virtual async Task <string> CreateIdTokenFromRefreshTokenRequestAsync(ValidatedTokenRequest request, string newAccessToken)
{
// todo: can we just check for "openid" scope?
//var identityResources = await Resources.FindEnabledIdentityResourcesByScopeAsync(request.RefreshToken.Scopes);
//if (identityResources.Any())
if (request.RefreshToken.Scopes.Contains(OidcConstants.StandardScopes.OpenId))
{
var oldAccessToken = request.RefreshToken.AccessToken;
var parsedScopesResult = ScopeParser.ParseScopeValues(oldAccessToken.Scopes);
var validatedResources = await Resources.CreateResourceValidationResult(parsedScopesResult);
var tokenRequest = new TokenCreationRequest
{
Subject = request.RefreshToken.Subject,
ValidatedResources = validatedResources,
ValidatedRequest = request,
AccessTokenToHash = newAccessToken
};
var idToken = await TokenService.CreateIdentityTokenAsync(tokenRequest);
return(await TokenService.CreateSecurityTokenAsync(idToken));
}
return(null);
}
private async Task <string> GenrateToken(ITokenService TS, IUserClaimsPrincipalFactory <ApplicationUser> principalFactory, IdentityServerOptions options, ApplicationUser user)
{
var Request = new TokenCreationRequest();
var User = await _userManager.FindByIdAsync(user.Id);
var IdentityPricipal = await principalFactory.CreateAsync(User);
var IdentityUser = new IdentityServerUser(User.Id.ToString());
IdentityUser.AdditionalClaims = IdentityPricipal.Claims.ToArray();
IdentityUser.DisplayName = User.UserName;
IdentityUser.AuthenticationTime = System.DateTime.UtcNow;
IdentityUser.IdentityProvider = IdentityServerConstants.LocalIdentityProvider;
Request.Subject = IdentityUser.CreatePrincipal();
Request.IncludeAllIdentityClaims = true;
Request.ValidatedRequest = new ValidatedRequest();
Request.ValidatedRequest.Subject = Request.Subject;
Request.ValidatedRequest.SetClient(Config.Clients.First());
Request.ValidatedResources = new ResourceValidationResult(new Resources(Config.IdentityResources, new ApiResource[] { }, Config.ApiScopes));
Request.ValidatedRequest.Options = options;
Request.ValidatedRequest.ClientClaims = IdentityUser.AdditionalClaims;
var Token = await TS.CreateAccessTokenAsync(Request);
Token.Issuer = HttpContext.Request.Scheme + "://" + HttpContext.Request.Host.Value;
var TokenValue = await TS.CreateSecurityTokenAsync(Token);
return(TokenValue);
}
/// <summary>
/// Creates an access token.
/// </summary>
/// <param name="request">The token creation request.</param>
/// <returns>
/// An access token
/// </returns>
public virtual async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request)
{
Logger.LogTrace("Creating access token");
request.Validate();
var claims = new List <Claim>();
claims.AddRange(await ClaimsProvider.GetAccessTokenClaimsAsync(
request.Subject,
request.ValidatedResources,
request.ValidatedRequest));
if (request.ValidatedRequest.Client.IncludeJwtId)
{
claims.Add(new Claim(JwtClaimTypes.JwtId, CryptoRandom.CreateUniqueId(16)));
}
var issuer = ContextAccessor.HttpContext.GetIdentityServerIssuerUri();
var token = new Token(OidcConstants.TokenTypes.AccessToken)
{
CreationTime = Clock.UtcNow.UtcDateTime,
Issuer = issuer,
Lifetime = request.ValidatedRequest.AccessTokenLifetime,
Claims = claims.Distinct(new ClaimComparer()).ToList(),
ClientId = request.ValidatedRequest.Client.ClientId,
AccessTokenType = request.ValidatedRequest.AccessTokenType,
AllowedSigningAlgorithms = request.ValidatedResources.Resources.ApiResources.FindMatchingSigningAlgorithms()
};
// add aud based on ApiResources in the validated request
foreach (var aud in request.ValidatedResources.Resources.ApiResources.Select(x => x.Name).Distinct())
{
token.Audiences.Add(aud);
}
if (Options.EmitLegacyResourceAudienceClaim)
{
token.Audiences.Add(string.Format(IdentityServerConstants.AccessTokenAudience, issuer.EnsureTrailingSlash()));
}
// add cnf if present
if (request.ValidatedRequest.Confirmation.IsPresent())
{
token.Confirmation = request.ValidatedRequest.Confirmation;
}
else
{
if (Options.MutualTls.AlwaysEmitConfirmationClaim)
{
var clientCertificate = await ContextAccessor.HttpContext.Connection.GetClientCertificateAsync();
if (clientCertificate != null)
{
token.Confirmation = clientCertificate.CreateThumbprintCnf();
}
}
}
return(token);
}
private async Task <TokenResponse> ProcessAuthorizationCodeRequestAsync(ValidatedTokenRequest request)
{
_logger.LogTrace("Processing authorization code request");
//////////////////////////
// access token
/////////////////////////
var accessToken = await CreateAccessTokenAsync(request);
var response = new TokenResponse
{
AccessToken = accessToken.Item1,
AccessTokenLifetime = request.Client.AccessTokenLifetime
};
//////////////////////////
// refresh token
/////////////////////////
if (accessToken.Item2.IsPresent())
{
response.RefreshToken = accessToken.Item2;
}
//////////////////////////
// id token
/////////////////////////
if (request.AuthorizationCode.IsOpenId)
{
// load the client that belongs to the authorization code
Client client = null;
if (request.AuthorizationCode.ClientId != null)
{
client = await _clients.FindEnabledClientByIdAsync(request.AuthorizationCode.ClientId);
}
if (client == null)
{
throw new InvalidOperationException("Client does not exist anymore.");
}
var resources = await _resources.FindEnabledResourcesAsync(request.AuthorizationCode.RequestedScopes);
var tokenRequest = new TokenCreationRequest
{
Subject = request.AuthorizationCode.Subject,
Client = client,
Resources = resources,
Nonce = request.AuthorizationCode.Nonce,
ValidatedRequest = request
};
var idToken = await _tokenService.CreateIdentityTokenAsync(tokenRequest);
var jwt = await _tokenService.CreateSecurityTokenAsync(idToken);
response.IdentityToken = jwt;
}
return(response);
}
public async Task <string> RefreshToken(IdentityUser <int> user)
{
var identityPricipal = await _principalFactory.CreateAsync(user);
var identityUser = new IdentityServerUser(user.Id.ToString())
{
AdditionalClaims = identityPricipal.Claims.ToArray(),
DisplayName = user.UserName,
AuthenticationTime = DateTime.UtcNow,
IdentityProvider = IdentityServerConstants.LocalIdentityProvider
};
var request = new TokenCreationRequest();
request.Subject = identityUser.CreatePrincipal();
request.IncludeAllIdentityClaims = true;
request.ValidatedRequest = new ValidatedRequest();
request.ValidatedRequest.Subject = request.Subject;
request.ValidatedRequest.SetClient(Config.Clients().First());
request.Resources = new Resources(Config.IdentityResources(), new List <ApiResource>());
request.ValidatedRequest.Options = _options;
request.ValidatedRequest.ClientClaims = identityUser.AdditionalClaims;
var token = await _tokenService.CreateAccessTokenAsync(request);
token.Issuer = "...";
return(await _refreshTokenService.CreateRefreshTokenAsync(identityPricipal, token, Config.Clients().First()));
}
public async Task <AuthorizeResponse> CreateImplicitFlowResponseAsync(ValidatedAuthorizeRequest request, string authorizationCode = null)
{
_logger.LogDebug("Creating Implicit Flow response.");
string accessTokenValue = null;
int accessTokenLifetime = 0;
var responseTypes = request.ResponseType.FromSpaceSeparatedString();
if (responseTypes.Contains(OidcConstants.ResponseTypes.Token))
{
var tokenRequest = new TokenCreationRequest
{
Subject = request.Subject,
Client = request.Client,
Scopes = request.ValidatedScopes.GrantedScopes,
ValidatedRequest = request
};
var accessToken = await _tokenService.CreateAccessTokenAsync(tokenRequest);
accessTokenLifetime = accessToken.Lifetime;
accessTokenValue = await _tokenService.CreateSecurityTokenAsync(accessToken);
}
string jwt = null;
if (responseTypes.Contains(OidcConstants.ResponseTypes.IdToken))
{
var tokenRequest = new TokenCreationRequest
{
ValidatedRequest = request,
Subject = request.Subject,
Client = request.Client,
Scopes = request.ValidatedScopes.GrantedScopes,
Nonce = request.Raw.Get(OidcConstants.AuthorizeRequest.Nonce),
IncludeAllIdentityClaims = !request.AccessTokenRequested,
AccessTokenToHash = accessTokenValue,
AuthorizationCodeToHash = authorizationCode
};
var idToken = await _tokenService.CreateIdentityTokenAsync(tokenRequest);
jwt = await _tokenService.CreateSecurityTokenAsync(idToken);
}
var response = new AuthorizeResponse
{
Request = request,
AccessToken = accessTokenValue,
AccessTokenLifetime = accessTokenLifetime,
IdentityToken = jwt,
SessionState = request.GenerateSessionStateValue()
};
return(response);
}
/// <summary>
/// Creates the response for an authorization code request.
/// </summary>
/// <param name="request">The request.</param>
/// <returns></returns>
/// <exception cref="System.InvalidOperationException">Client does not exist anymore.</exception>
protected virtual async Task <TokenResponse> ProcessAuthorizationCodeRequestAsync(TokenRequestValidationResult request)
{
Logger.LogTrace("Creating response for authorization code request");
//////////////////////////
// access token
/////////////////////////
(var accessToken, var refreshToken) = await CreateAccessTokenAsync(request.ValidatedRequest);
var response = new TokenResponse
{
AccessToken = accessToken,
AccessTokenLifetime = request.ValidatedRequest.AccessTokenLifetime,
Custom = request.CustomResponse
};
//////////////////////////
// refresh token
/////////////////////////
if (refreshToken.IsPresent())
{
response.RefreshToken = refreshToken;
}
//////////////////////////
// id token
/////////////////////////
if (request.ValidatedRequest.AuthorizationCode.IsOpenId)
{
// load the client that belongs to the authorization code
Client client = null;
if (request.ValidatedRequest.AuthorizationCode.ClientId != null)
{
client = await Clients.FindEnabledClientByIdAsync(request.ValidatedRequest.AuthorizationCode.ClientId);
}
if (client == null)
{
throw new InvalidOperationException("Client does not exist anymore.");
}
var resources = await Resources.FindEnabledResourcesByScopeAsync(request.ValidatedRequest.AuthorizationCode.RequestedScopes);
var tokenRequest = new TokenCreationRequest
{
Subject = request.ValidatedRequest.AuthorizationCode.Subject,
Resources = resources,
Nonce = request.ValidatedRequest.AuthorizationCode.Nonce,
AccessTokenToHash = response.AccessToken,
ValidatedRequest = request.ValidatedRequest
};
var idToken = await TokenService.CreateIdentityTokenAsync(tokenRequest);
var jwt = await TokenService.CreateSecurityTokenAsync(idToken);
response.IdentityToken = jwt;
}
return(response);
}
/// <summary>
/// Processes the response for device code grant request.
/// </summary>
/// <param name="request">The request.</param>
/// <returns></returns>
protected virtual async Task <TokenResponse> ProcessDeviceCodeRequestAsync(TokenRequestValidationResult request)
{
Logger.LogTrace("Creating response for device code request");
//////////////////////////
// access token
/////////////////////////
var(accessToken, refreshToken) = await CreateAccessTokenAsync(request.ValidatedRequest);
var response = new TokenResponse
{
AccessToken = accessToken,
AccessTokenLifetime = request.ValidatedRequest.AccessTokenLifetime,
Custom = request.CustomResponse,
Scope = request.ValidatedRequest.ValidatedResources.RawScopeValues.ToSpaceSeparatedString()
};
//////////////////////////
// refresh token
/////////////////////////
if (refreshToken.IsPresent())
{
response.RefreshToken = refreshToken;
}
//////////////////////////
// id token
/////////////////////////
if (request.ValidatedRequest.DeviceCode.IsOpenId)
{
// load the client that belongs to the device code
Client client = null;
if (request.ValidatedRequest.DeviceCode.ClientId != null)
{
// todo: do we need this check?
client = await Clients.FindEnabledClientByIdAsync(request.ValidatedRequest.DeviceCode.ClientId);
}
if (client == null)
{
throw new InvalidOperationException("Client does not exist anymore.");
}
var tokenRequest = new TokenCreationRequest
{
Subject = request.ValidatedRequest.DeviceCode.Subject,
AccessTokenToHash = response.AccessToken,
ValidatedResources = request.ValidatedRequest.ValidatedResources,
ValidatedRequest = request.ValidatedRequest
};
var idToken = await TokenService.CreateIdentityTokenAsync(tokenRequest);
var jwt = await TokenService.CreateSecurityTokenAsync(idToken);
response.IdentityToken = jwt;
}
return(response);
}
public override async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request)
{
var token = await base.CreateAccessTokenAsync(request);
await _tokenHandleStore.StoreAsync(await _signingService.SignTokenAsync(token), token);
return(token);
}
private async Task <TokenResponse> ProcessRefreshTokenRequestAsync(ValidatedTokenRequest request)
{
Logger.Info("Processing refresh token request");
var oldAccessToken = request.RefreshToken.AccessToken;
string accessTokenString;
// if pop request, claims must be updated because we need a fresh proof token
if (request.Client.UpdateAccessTokenClaimsOnRefresh || request.RequestedTokenType == RequestedTokenTypes.PoP)
{
var subject = request.RefreshToken.GetOriginalSubject();
var creationRequest = new TokenCreationRequest
{
Client = request.Client,
Subject = subject,
ValidatedRequest = request,
Scopes = await _scopes.FindScopesAsync(oldAccessToken.Scopes),
};
// if pop request, embed proof token
if (request.RequestedTokenType == RequestedTokenTypes.PoP)
{
creationRequest.ProofKey = GetProofKey(request);
}
var newAccessToken = await _tokenService.CreateAccessTokenAsync(creationRequest);
accessTokenString = await _tokenService.CreateSecurityTokenAsync(newAccessToken);
}
else
{
var copy = new Token(oldAccessToken);
copy.CreationTime = DateTimeOffsetHelper.UtcNow;
copy.Lifetime = request.Client.AccessTokenLifetime;
accessTokenString = await _tokenService.CreateSecurityTokenAsync(copy);
}
var handle = await _refreshTokenService.UpdateRefreshTokenAsync(request.RefreshTokenHandle, request.RefreshToken, request.Client);
var response = new TokenResponse
{
AccessToken = accessTokenString,
AccessTokenLifetime = request.Client.AccessTokenLifetime,
RefreshToken = handle
};
if (request.RequestedTokenType == RequestedTokenTypes.PoP)
{
response.TokenType = Constants.ResponseTokenTypes.PoP;
response.Algorithm = request.ProofKeyAlgorithm;
}
response.IdentityToken = await CreateIdTokenFromRefreshTokenRequestAsync(request, accessTokenString);
return(response);
}
/// <summary>
/// Creates an identity token.
/// </summary>
/// <param name="request">The token creation request.</param>
/// <returns>
/// An identity token
/// </returns>
public virtual async Task <Token> CreateIdentityTokenAsync(TokenCreationRequest request)
{
Logger.LogTrace("Creating identity token");
request.Validate();
// host provided claims
var claims = new List <Claim>();
// if nonce was sent, must be mirrored in id token
if (request.Nonce.IsPresent())
{
claims.Add(new Claim(JwtClaimTypes.Nonce, request.Nonce));
}
// add iat claim
claims.Add(new Claim(JwtClaimTypes.IssuedAt, IdentityServerDateTime.UtcNow.ToEpochTime().ToString(), ClaimValueTypes.Integer));
// add at_hash claim
if (request.AccessTokenToHash.IsPresent())
{
claims.Add(new Claim(JwtClaimTypes.AccessTokenHash, HashAdditionalData(request.AccessTokenToHash)));
}
// add c_hash claim
if (request.AuthorizationCodeToHash.IsPresent())
{
claims.Add(new Claim(JwtClaimTypes.AuthorizationCodeHash, HashAdditionalData(request.AuthorizationCodeToHash)));
}
// add sid if present
if (request.ValidatedRequest.SessionId.IsPresent())
{
claims.Add(new Claim(JwtClaimTypes.SessionId, request.ValidatedRequest.SessionId));
}
claims.AddRange(await ClaimsProvider.GetIdentityTokenClaimsAsync(
request.Subject,
request.ValidatedRequest.Client,
request.Resources,
request.IncludeAllIdentityClaims,
request.ValidatedRequest));
var issuer = Context.HttpContext.GetIdentityServerIssuerUri();
var token = new Token(OidcConstants.TokenTypes.IdentityToken)
{
Audiences = { request.ValidatedRequest.Client.ClientId },
Issuer = issuer,
Lifetime = request.ValidatedRequest.Client.IdentityTokenLifetime,
Claims = claims.Distinct(new ClaimComparer()).ToList(),
ClientId = request.ValidatedRequest.Client.ClientId,
AccessTokenType = request.ValidatedRequest.AccessTokenType
};
return(token);
}
public async Task <AuthorizeResponse> CreateImplicitFlowResponseAsync(ValidatedAuthorizeRequest request, string authorizationCode = null)
{
string accessTokenValue = null;
int accessTokenLifetime = 0;
var responseTypes = request.ResponseType.FromSpaceSeparatedString();
if (responseTypes.Contains(Constants.ResponseTypes.Token))
{
var tokenRequest = new TokenCreationRequest
{
Subject = request.Subject,
Client = request.Client,
Scopes = request.ValidatedScopes.GrantedScopes,
ValidatedRequest = request
};
var accessToken = await _tokenService.CreateAccessTokenAsync(tokenRequest);
accessTokenLifetime = accessToken.Lifetime;
accessTokenValue = await _tokenService.CreateSecurityTokenAsync(accessToken);
}
string jwt = null;
if (responseTypes.Contains(Constants.ResponseTypes.IdToken))
{
var tokenRequest = new TokenCreationRequest
{
ValidatedRequest = request,
Subject = request.Subject,
Client = request.Client,
Scopes = request.ValidatedScopes.GrantedScopes,
IncludeAllIdentityClaims = !request.AccessTokenRequested,
AccessTokenToHash = accessTokenValue,
AuthorizationCodeToHash = authorizationCode
};
var idToken = await _tokenService.CreateIdentityTokenAsync(tokenRequest);
jwt = await _tokenService.CreateSecurityTokenAsync(idToken);
}
return(new AuthorizeResponse
{
Request = request,
RedirectUri = request.RedirectUri,
AccessToken = accessTokenValue,
AccessTokenLifetime = accessTokenLifetime,
IdentityToken = jwt,
State = request.State,
Scope = request.ValidatedScopes.GrantedScopes.ToSpaceSeparatedString()
});
}
private async Task <Tuple <string, string> > CreateAccessTokenAsync(ValidatedTokenRequest request)
{
TokenCreationRequest tokenRequest;
bool createRefreshToken;
if (request.AuthorizationCode != null)
{
createRefreshToken = request.AuthorizationCode.RequestedScopes.Contains(Constants.StandardScopes.OfflineAccess);
// load the client that belongs to the authorization code
Client client = null;
if (request.AuthorizationCode.ClientId != null)
{
client = await _clients.FindEnabledClientByIdAsync(request.AuthorizationCode.ClientId);
}
if (client == null)
{
throw new InvalidOperationException("Client does not exist anymore.");
}
var scopes = await _scopes.FindEnabledScopesAsync(request.AuthorizationCode.RequestedScopes);
tokenRequest = new TokenCreationRequest
{
Subject = request.AuthorizationCode.Subject,
Client = client,
Scopes = scopes,
ValidatedRequest = request
};
}
else
{
createRefreshToken = request.ValidatedScopes.ContainsOfflineAccessScope;
tokenRequest = new TokenCreationRequest
{
Subject = request.Subject,
Client = request.Client,
Scopes = request.ValidatedScopes.GrantedScopes,
ValidatedRequest = request
};
}
Token accessToken = await _tokenService.CreateAccessTokenAsync(tokenRequest);
string refreshToken = "";
if (createRefreshToken)
{
refreshToken = await _refreshTokenService.CreateRefreshTokenAsync(tokenRequest.Subject, accessToken, request.Client);
}
var securityToken = await _tokenService.CreateSecurityTokenAsync(accessToken);
return(Tuple.Create(securityToken, refreshToken));
}
public override async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request)
{
var token = await base.CreateAccessTokenAsync(request);
if (ShouldAddOrganisationClaims(request))
{
await AddOrganisationClaimsAsync(token);
}
return(token);
}
private async Task <TokenResponse> ProcessAuthorizationCodeRequestAsync(ValidatedTokenRequest request)
{
Logger.Info("Processing authorization code request");
//////////////////////////
// access token
/////////////////////////
var accessToken = await CreateAccessTokenAsync(request);
var response = new TokenResponse
{
AccessToken = accessToken.Item1,
AccessTokenLifetime = request.Client.AccessTokenLifetime
};
if (request.RequestedTokenType == RequestedTokenTypes.PoP)
{
response.TokenType = Constants.ResponseTokenTypes.PoP;
response.Algorithm = request.ProofKeyAlgorithm;
}
//////////////////////////
// refresh token
/////////////////////////
if (accessToken.Item2.IsPresent())
{
response.RefreshToken = accessToken.Item2;
}
//////////////////////////
// id token
/////////////////////////
if (request.AuthorizationCode.IsOpenId)
{
var tokenRequest = new TokenCreationRequest
{
Subject = request.AuthorizationCode.Subject,
Client = request.AuthorizationCode.Client,
Scopes = request.AuthorizationCode.RequestedScopes,
Nonce = request.AuthorizationCode.Nonce,
ValidatedRequest = request,
AccessTokenToHash = accessToken.Item1
};
var idToken = await _tokenService.CreateIdentityTokenAsync(tokenRequest);
var jwt = await _tokenService.CreateSecurityTokenAsync(idToken);
response.IdentityToken = jwt;
}
return(response);
}
/// <summary>
/// Creates an identity token.
/// </summary>
/// <param name="request">The token creation request.</param>
/// <returns>
/// An identity token
/// </returns>
public virtual async Task <Token> CreateIdentityTokenAsync(TokenCreationRequest request)
{
Logger.Debug("Creating identity token");
request.Validate();
// host provided claims
var claims = new List <Claim>();
// if nonce was sent, must be mirrored in id token
if (request.Nonce.IsPresent())
{
claims.Add(new Claim(Constants.ClaimTypes.Nonce, request.Nonce));
}
// add iat claim
claims.Add(new Claim(Constants.ClaimTypes.IssuedAt, DateTimeOffsetHelper.UtcNow.ToEpochTime().ToString(), ClaimValueTypes.Integer));
// add at_hash claim
if (request.AccessTokenToHash.IsPresent())
{
claims.Add(new Claim(Constants.ClaimTypes.AccessTokenHash, HashAdditionalData(request.AccessTokenToHash)));
}
// add c_hash claim
if (request.AuthorizationCodeToHash.IsPresent())
{
claims.Add(new Claim(Constants.ClaimTypes.AuthorizationCodeHash, HashAdditionalData(request.AuthorizationCodeToHash)));
}
// add sid if present
if (request.ValidatedRequest.SessionId.IsPresent())
{
claims.Add(new Claim(Constants.ClaimTypes.SessionId, request.ValidatedRequest.SessionId));
}
claims.AddRange(await _claimsProvider.GetIdentityTokenClaimsAsync(
request.Subject,
request.Client,
request.Scopes,
request.IncludeAllIdentityClaims,
request.ValidatedRequest));
var token = new Token(Constants.TokenTypes.IdentityToken)
{
Audience = request.Client.ClientId,
Issuer = _issuerUri,
WebService = _wsUri,
Lifetime = request.Client.IdentityTokenLifetime,
Claims = claims.Distinct(new ClaimComparer()).ToList(),
Client = request.Client
};
return(token);
}
/// <summary>
/// Creates the access/refresh token.
/// </summary>
/// <param name="request">The request.</param>
/// <returns></returns>
/// <exception cref="System.InvalidOperationException">Client does not exist anymore.</exception>
protected async Task <(string accessToken, string refreshToken)> CreateAccessTokenAsync(ValidatedTokenRequest request)
{
TokenCreationRequest tokenRequest;
bool createRefreshToken;
if (request.AuthorizationCode != null)
{
createRefreshToken = request.AuthorizationCode.RequestedScopes.Contains(IdentityServerConstants.StandardScopes.OfflineAccess);
// load the client that belongs to the authorization code
Client client = null;
if (request.AuthorizationCode.ClientId != null)
{
client = await Clients.FindEnabledClientByIdAsync(request.AuthorizationCode.ClientId);
}
if (client == null)
{
throw new InvalidOperationException("Client does not exist anymore.");
}
var resources = await Resources.FindEnabledResourcesByScopeAsync(request.AuthorizationCode.RequestedScopes);
tokenRequest = new TokenCreationRequest
{
Subject = request.AuthorizationCode.Subject,
Resources = resources,
ValidatedRequest = request
};
}
else
{
createRefreshToken = request.ValidatedScopes.ContainsOfflineAccessScope;
tokenRequest = new TokenCreationRequest
{
Subject = request.Subject,
Resources = request.ValidatedScopes.GrantedResources,
ValidatedRequest = request
};
}
var at = await TokenService.CreateAccessTokenAsync(tokenRequest);
var accessToken = await TokenService.CreateSecurityTokenAsync(at);
if (createRefreshToken)
{
var refreshToken = await RefreshTokenService.CreateRefreshTokenAsync(tokenRequest.Subject, at, request.Client);
return(accessToken, refreshToken);
}
return(accessToken, null);
}
public async Task <Token> CreateIdentityTokenAsync(TokenCreationRequest request)
{
var token = await _inner.CreateIdentityTokenAsync(request);
// id token lifetime is not setup via request.
if (request.Subject?.IsAnonymous() == true)
{
token.Lifetime = _anonIdsrvOptions.IdentityTokenLifetime;
}
return(token);
}
public virtual bool ShouldAddOrganisationClaims(TokenCreationRequest request)
{
var requestedClaimTypes = new HashSet <string>();
requestedClaimTypes.UnionWith(request.ValidatedResources.Resources.ApiResources.SelectMany(r => r.UserClaims));
requestedClaimTypes.UnionWith(request.ValidatedResources.Resources.ApiScopes.SelectMany(s => s.UserClaims));
var isOrganisaionClaimRequired = requestedClaimTypes.Contains(InssClaimTypes.Organisation);
var isClientCredentials = (request.ValidatedRequest as ValidatedTokenRequest)?.GrantType == GrantTypes.ClientCredentials.First();
return(isOrganisaionClaimRequired && isClientCredentials);
}
public void Validate(TokenCreationRequest request)
{
if (request.Resources == null)
{
throw new ArgumentNullException(nameof(request.Resources));
}
if (request.ValidatedRequest == null)
{
throw new ArgumentNullException(nameof(request.ValidatedRequest));
}
}
public override async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request)
{
var token = await base.CreateAccessTokenAsync(request);
var sessionId = request.ValidatedRequest.SessionId;
if (string.IsNullOrWhiteSpace(sessionId) == false)
{
token.Claims.Add(new Claim(Constants.ClaimTypes.SessionId, sessionId.Trim()));
}
return(token);
}
public virtual async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request)
{
Logger.LogTrace("Creating access token");
request.Validate();
List <Claim> claims = new List <Claim>();
List <Claim> list = claims;
list.AddRange(await ClaimsProvider.GetAccessTokenClaimsAsync(request.Subject, request.ValidatedResources, request.ValidatedRequest));
if (request.ValidatedRequest.Client.IncludeJwtId)
{
claims.Add(new Claim("jti", CryptoRandom.CreateUniqueId(16, CryptoRandom.OutputFormat.Hex)));
}
if (request.ValidatedRequest.SessionId.IsPresent())
{
claims.Add(new Claim("sid", request.ValidatedRequest.SessionId));
}
claims.Add(new Claim("iat", Clock.UtcNow.ToUnixTimeSeconds().ToString(), "http://www.w3.org/2001/XMLSchema#integer64"));
string identityServerIssuerUri = ContextAccessor.HttpContext.GetIdentityServerIssuerUri();
Token token = new Token("access_token")
{
CreationTime = Clock.UtcNow.UtcDateTime,
Issuer = identityServerIssuerUri,
Lifetime = request.ValidatedRequest.AccessTokenLifetime,
Claims = claims.Distinct(new ClaimComparer()).ToList(),
ClientId = request.ValidatedRequest.Client.ClientId,
Description = request.Description,
AccessTokenType = request.ValidatedRequest.AccessTokenType,
AllowedSigningAlgorithms = request.ValidatedResources.Resources.ApiResources.FindMatchingSigningAlgorithms()
};
foreach (string item in request.ValidatedResources.Resources.ApiResources.Select((ApiResource x) => x.Name).Distinct())
{
token.Audiences.Add(item);
}
if (Options.EmitStaticAudienceClaim)
{
token.Audiences.Add($"{identityServerIssuerUri.EnsureTrailingSlash()}resources");
}
if (request.ValidatedRequest.Confirmation.IsPresent())
{
token.Confirmation = request.ValidatedRequest.Confirmation;
}
else if (Options.MutualTls.AlwaysEmitConfirmationClaim)
{
X509Certificate2 x509Certificate = await ContextAccessor.HttpContext.Connection.GetClientCertificateAsync();
if (x509Certificate != null)
{
token.Confirmation = x509Certificate.CreateThumbprintCnf();
}
}
return(token);
}
public async override Task <Token> CreateAccessTokenAsync(TokenCreationRequest request)
{
var token = await base.CreateAccessTokenAsync(request);
token.Lifetime = token.Client.AccessTokenLifetime;
/*
* var claims = new List<Claim>();
* claims.AddRange(await _claimsProvider.GetAccessTokenClaimsAsync(
* request.Subject,
* request.Client,
* request.Scopes,
* request.ValidatedRequest));
*
* if (request.Client.IncludeJwtId)
* {
* claims.Add(new Claim(Constants.ClaimTypes.JwtId, CryptoRandom.CreateUniqueId()));
* }
*
* if (request.ProofKey.IsPresent())
* {
* claims.Add(new Claim(Constants.ClaimTypes.Confirmation, request.ProofKey, Constants.ClaimValueTypes.Json));
* }
*
* var token = new Token(Constants.TokenTypes.AccessToken)
* {
* Audience = string.Format(Constants.AccessTokenAudience, IssuerUri.EnsureTrailingSlash()),
* Issuer = IssuerUri,
* Lifetime = request.Client.AccessTokenLifetime,
* Claims = claims.Distinct(new ClaimComparer()).ToList(),
* Client = request.Client
* };
*/
var resource = request.ValidatedRequest.Raw["resource"];
if (String.IsNullOrEmpty(resource))
{
token.Audience = Namespaces.OAuth2SiteResourceUri;
}
else
{
token.Audience = resource;
}
UriBuilder uri = new UriBuilder(token.Issuer);
uri.Host = uri.Host.ToLowerInvariant();
token.Issuer = uri.ToString();
return(token);
}
public async Task AddTokenAsync(TokenCreationRequest tokenCreationRequest)
{
var token = new DataModelToken
{
Symbol = tokenCreationRequest.Symbol,
Name = tokenCreationRequest.Name,
Decimals = tokenCreationRequest.Decimals,
FundTokens = new List <DataModel.FundToken>()
};
this.galaxisContext.Tokens.Add(token);
await this.galaxisContext.SaveChangesAsync();
}
