/// <summary> /// Creates an id_token for a refresh token request if identity resources have been requested. /// </summary> /// <param name="request">The request.</param> /// <param name="newAccessToken">The new access token.</param> /// <returns></returns> protected virtual async Task <string> CreateIdTokenFromRefreshTokenRequestAsync(ValidatedTokenRequest request, string newAccessToken) { var resources = await Resources.FindEnabledResourcesByScopeAsync(request.RefreshToken.Scopes); if (resources.IdentityResources.Any()) { var oldAccessToken = request.RefreshToken.AccessToken; var parsedScopes = await ResourceValidator.ParseRequestedScopesAsync(oldAccessToken.Scopes); var validatedResources = await Resources.CreateResourceValidationResult(parsedScopes); var tokenRequest = new TokenCreationRequest { Subject = request.RefreshToken.Subject, ValidatedResources = validatedResources, ValidatedRequest = request, AccessTokenToHash = newAccessToken }; var idToken = await TokenService.CreateIdentityTokenAsync(tokenRequest); return(await TokenService.CreateSecurityTokenAsync(idToken)); } return(null); }
public async Task <string> GetToken(string subjectId, string deviceId, string secret) { var request = new TokenCreationRequest(); var identityUser = new IdentityServerUser(subjectId); identityUser.DisplayName = deviceId; identityUser.AuthenticationTime = System.DateTime.UtcNow; identityUser.IdentityProvider = IdentityServerConstants.LocalIdentityProvider; request.Subject = identityUser.CreatePrincipal(); request.IncludeAllIdentityClaims = true; request.ValidatedRequest = new ValidatedRequest(); request.ValidatedRequest.Subject = request.Subject; request.ValidatedRequest.SetClient(new Client() { ClientId = deviceId, AllowedGrantTypes = GrantTypes.ClientCredentials, ClientSecrets = { new Secret(secret.Sha256()) } }); request.Resources = new Resources(IdentityServerConfig.GetIdentityResources(), IdentityServerConfig.GetApiResources()); request.ValidatedRequest.Options = _options; request.ValidatedRequest.ClientClaims = identityUser.AdditionalClaims; var token = await _tokenService.CreateAccessTokenAsync(request); var tokenValue = await _tokenService.CreateSecurityTokenAsync(token); return(tokenValue); }
public async Task CreateAccessTokenAsync_when_no_apiresources_should_not_include_any_aud() { var request = new TokenCreationRequest { ValidatedResources = new ResourceValidationResult() { Resources = new Resources() { ApiScopes = { new ApiScope("scope1"), new ApiScope("scope2"), new ApiScope("scope3"), }, }, ParsedScopes = { new ParsedScopeValue("scope1"), new ParsedScopeValue("scope2"), new ParsedScopeValue("scope3"), } }, ValidatedRequest = new ValidatedRequest() { Client = new Client { } } }; var result = await _subject.CreateAccessTokenAsync(request); result.Audiences.Count.Should().Be(0); }
/// <summary> /// Creates an access token. /// </summary> /// <param name="request">The token creation request.</param> /// <returns> /// An access token /// </returns> public virtual async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request) { _logger.LogVerbose("Creating access token"); request.Validate(); var claims = new List <Claim>(); claims.AddRange(await _claimsProvider.GetAccessTokenClaimsAsync( request.Subject, request.Client, request.Scopes, request.ValidatedRequest)); if (request.Client.IncludeJwtId) { claims.Add(new Claim(Constants.ClaimTypes.JwtId, CryptoRandom.CreateUniqueId())); } var issuer = _context.GetIssuerUri(); var token = new Token(Constants.TokenTypes.AccessToken) { Audience = string.Format(Constants.AccessTokenAudience, issuer.EnsureTrailingSlash()), Issuer = issuer, Lifetime = request.Client.AccessTokenLifetime, Claims = claims.Distinct(new ClaimComparer()).ToList(), Client = request.Client }; return(token); }
public override async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request) { Logger.LogTrace("Creating access token"); request.Validate(); var claims = new List <Claim>(); claims.AddRange(await ClaimsProvider.GetAccessTokenClaimsAsync( request.Subject, request.Resources, request.ValidatedRequest)); if (request.ValidatedRequest.Client.IncludeJwtId) { claims.Add(new Claim(JwtClaimTypes.JwtId, CryptoRandom.CreateUniqueId(16))); } claims.Add(new Claim(JwtClaimTypes.Name, request.Subject.GetDisplayName())); var issuer = Context.HttpContext.GetIdentityServerIssuerUri(); var token = new Token(OidcConstants.TokenTypes.AccessToken) { CreationTime = Clock.UtcNow.UtcDateTime, Issuer = issuer, Lifetime = request.ValidatedRequest.AccessTokenLifetime, Claims = claims.Distinct(new ClaimComparer()).ToList(), ClientId = request.ValidatedRequest.Client.ClientId, AccessTokenType = request.ValidatedRequest.AccessTokenType }; foreach (var api in request.Resources.ApiResources) { if (!string.IsNullOrWhiteSpace(api.Name)) { token.Audiences.Add(api.Name); } } return(token); }
/// <summary> /// Creates an access token. /// </summary> /// <param name="request">The token creation request.</param> /// <returns> /// An access token /// </returns> public virtual async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request) { Logger.Debug("Creating access token"); request.Validate(); var claims = new List <Claim>(); claims.AddRange(await _claimsProvider.GetAccessTokenClaimsAsync( request.Subject, request.Client, request.Scopes, request.ValidatedRequest)); if (request.Client.IncludeJwtId) { claims.Add(new Claim(Constants.ClaimTypes.JwtId, CryptoRandom.CreateUniqueId())); } if (request.ProofKey.IsPresent()) { claims.Add(new Claim(Constants.ClaimTypes.Confirmation, request.ProofKey, Constants.ClaimValueTypes.Json)); } return(CreateAccessToken(request.Client, claims)); }
/// <summary> /// Creates an id_token for a refresh token request if identity resources have been requested. /// </summary> /// <param name="request">The request.</param> /// <param name="newAccessToken">The new access token.</param> /// <returns></returns> protected virtual async Task <string> CreateIdTokenFromRefreshTokenRequestAsync(ValidatedTokenRequest request, string newAccessToken) { // todo: can we just check for "openid" scope? //var identityResources = await Resources.FindEnabledIdentityResourcesByScopeAsync(request.RefreshToken.Scopes); //if (identityResources.Any()) if (request.RefreshToken.Scopes.Contains(OidcConstants.StandardScopes.OpenId)) { var oldAccessToken = request.RefreshToken.AccessToken; var parsedScopesResult = ScopeParser.ParseScopeValues(oldAccessToken.Scopes); var validatedResources = await Resources.CreateResourceValidationResult(parsedScopesResult); var tokenRequest = new TokenCreationRequest { Subject = request.RefreshToken.Subject, ValidatedResources = validatedResources, ValidatedRequest = request, AccessTokenToHash = newAccessToken }; var idToken = await TokenService.CreateIdentityTokenAsync(tokenRequest); return(await TokenService.CreateSecurityTokenAsync(idToken)); } return(null); }
private async Task <string> GenrateToken(ITokenService TS, IUserClaimsPrincipalFactory <ApplicationUser> principalFactory, IdentityServerOptions options, ApplicationUser user) { var Request = new TokenCreationRequest(); var User = await _userManager.FindByIdAsync(user.Id); var IdentityPricipal = await principalFactory.CreateAsync(User); var IdentityUser = new IdentityServerUser(User.Id.ToString()); IdentityUser.AdditionalClaims = IdentityPricipal.Claims.ToArray(); IdentityUser.DisplayName = User.UserName; IdentityUser.AuthenticationTime = System.DateTime.UtcNow; IdentityUser.IdentityProvider = IdentityServerConstants.LocalIdentityProvider; Request.Subject = IdentityUser.CreatePrincipal(); Request.IncludeAllIdentityClaims = true; Request.ValidatedRequest = new ValidatedRequest(); Request.ValidatedRequest.Subject = Request.Subject; Request.ValidatedRequest.SetClient(Config.Clients.First()); Request.ValidatedResources = new ResourceValidationResult(new Resources(Config.IdentityResources, new ApiResource[] { }, Config.ApiScopes)); Request.ValidatedRequest.Options = options; Request.ValidatedRequest.ClientClaims = IdentityUser.AdditionalClaims; var Token = await TS.CreateAccessTokenAsync(Request); Token.Issuer = HttpContext.Request.Scheme + "://" + HttpContext.Request.Host.Value; var TokenValue = await TS.CreateSecurityTokenAsync(Token); return(TokenValue); }
/// <summary> /// Creates an access token. /// </summary> /// <param name="request">The token creation request.</param> /// <returns> /// An access token /// </returns> public virtual async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request) { Logger.LogTrace("Creating access token"); request.Validate(); var claims = new List <Claim>(); claims.AddRange(await ClaimsProvider.GetAccessTokenClaimsAsync( request.Subject, request.ValidatedResources, request.ValidatedRequest)); if (request.ValidatedRequest.Client.IncludeJwtId) { claims.Add(new Claim(JwtClaimTypes.JwtId, CryptoRandom.CreateUniqueId(16))); } var issuer = ContextAccessor.HttpContext.GetIdentityServerIssuerUri(); var token = new Token(OidcConstants.TokenTypes.AccessToken) { CreationTime = Clock.UtcNow.UtcDateTime, Issuer = issuer, Lifetime = request.ValidatedRequest.AccessTokenLifetime, Claims = claims.Distinct(new ClaimComparer()).ToList(), ClientId = request.ValidatedRequest.Client.ClientId, AccessTokenType = request.ValidatedRequest.AccessTokenType, AllowedSigningAlgorithms = request.ValidatedResources.Resources.ApiResources.FindMatchingSigningAlgorithms() }; // add aud based on ApiResources in the validated request foreach (var aud in request.ValidatedResources.Resources.ApiResources.Select(x => x.Name).Distinct()) { token.Audiences.Add(aud); } if (Options.EmitLegacyResourceAudienceClaim) { token.Audiences.Add(string.Format(IdentityServerConstants.AccessTokenAudience, issuer.EnsureTrailingSlash())); } // add cnf if present if (request.ValidatedRequest.Confirmation.IsPresent()) { token.Confirmation = request.ValidatedRequest.Confirmation; } else { if (Options.MutualTls.AlwaysEmitConfirmationClaim) { var clientCertificate = await ContextAccessor.HttpContext.Connection.GetClientCertificateAsync(); if (clientCertificate != null) { token.Confirmation = clientCertificate.CreateThumbprintCnf(); } } } return(token); }
private async Task <TokenResponse> ProcessAuthorizationCodeRequestAsync(ValidatedTokenRequest request) { _logger.LogTrace("Processing authorization code request"); ////////////////////////// // access token ///////////////////////// var accessToken = await CreateAccessTokenAsync(request); var response = new TokenResponse { AccessToken = accessToken.Item1, AccessTokenLifetime = request.Client.AccessTokenLifetime }; ////////////////////////// // refresh token ///////////////////////// if (accessToken.Item2.IsPresent()) { response.RefreshToken = accessToken.Item2; } ////////////////////////// // id token ///////////////////////// if (request.AuthorizationCode.IsOpenId) { // load the client that belongs to the authorization code Client client = null; if (request.AuthorizationCode.ClientId != null) { client = await _clients.FindEnabledClientByIdAsync(request.AuthorizationCode.ClientId); } if (client == null) { throw new InvalidOperationException("Client does not exist anymore."); } var resources = await _resources.FindEnabledResourcesAsync(request.AuthorizationCode.RequestedScopes); var tokenRequest = new TokenCreationRequest { Subject = request.AuthorizationCode.Subject, Client = client, Resources = resources, Nonce = request.AuthorizationCode.Nonce, ValidatedRequest = request }; var idToken = await _tokenService.CreateIdentityTokenAsync(tokenRequest); var jwt = await _tokenService.CreateSecurityTokenAsync(idToken); response.IdentityToken = jwt; } return(response); }
public async Task <string> RefreshToken(IdentityUser <int> user) { var identityPricipal = await _principalFactory.CreateAsync(user); var identityUser = new IdentityServerUser(user.Id.ToString()) { AdditionalClaims = identityPricipal.Claims.ToArray(), DisplayName = user.UserName, AuthenticationTime = DateTime.UtcNow, IdentityProvider = IdentityServerConstants.LocalIdentityProvider }; var request = new TokenCreationRequest(); request.Subject = identityUser.CreatePrincipal(); request.IncludeAllIdentityClaims = true; request.ValidatedRequest = new ValidatedRequest(); request.ValidatedRequest.Subject = request.Subject; request.ValidatedRequest.SetClient(Config.Clients().First()); request.Resources = new Resources(Config.IdentityResources(), new List <ApiResource>()); request.ValidatedRequest.Options = _options; request.ValidatedRequest.ClientClaims = identityUser.AdditionalClaims; var token = await _tokenService.CreateAccessTokenAsync(request); token.Issuer = "..."; return(await _refreshTokenService.CreateRefreshTokenAsync(identityPricipal, token, Config.Clients().First())); }
public async Task <AuthorizeResponse> CreateImplicitFlowResponseAsync(ValidatedAuthorizeRequest request, string authorizationCode = null) { _logger.LogDebug("Creating Implicit Flow response."); string accessTokenValue = null; int accessTokenLifetime = 0; var responseTypes = request.ResponseType.FromSpaceSeparatedString(); if (responseTypes.Contains(OidcConstants.ResponseTypes.Token)) { var tokenRequest = new TokenCreationRequest { Subject = request.Subject, Client = request.Client, Scopes = request.ValidatedScopes.GrantedScopes, ValidatedRequest = request }; var accessToken = await _tokenService.CreateAccessTokenAsync(tokenRequest); accessTokenLifetime = accessToken.Lifetime; accessTokenValue = await _tokenService.CreateSecurityTokenAsync(accessToken); } string jwt = null; if (responseTypes.Contains(OidcConstants.ResponseTypes.IdToken)) { var tokenRequest = new TokenCreationRequest { ValidatedRequest = request, Subject = request.Subject, Client = request.Client, Scopes = request.ValidatedScopes.GrantedScopes, Nonce = request.Raw.Get(OidcConstants.AuthorizeRequest.Nonce), IncludeAllIdentityClaims = !request.AccessTokenRequested, AccessTokenToHash = accessTokenValue, AuthorizationCodeToHash = authorizationCode }; var idToken = await _tokenService.CreateIdentityTokenAsync(tokenRequest); jwt = await _tokenService.CreateSecurityTokenAsync(idToken); } var response = new AuthorizeResponse { Request = request, AccessToken = accessTokenValue, AccessTokenLifetime = accessTokenLifetime, IdentityToken = jwt, SessionState = request.GenerateSessionStateValue() }; return(response); }
/// <summary> /// Creates the response for an authorization code request. /// </summary> /// <param name="request">The request.</param> /// <returns></returns> /// <exception cref="System.InvalidOperationException">Client does not exist anymore.</exception> protected virtual async Task <TokenResponse> ProcessAuthorizationCodeRequestAsync(TokenRequestValidationResult request) { Logger.LogTrace("Creating response for authorization code request"); ////////////////////////// // access token ///////////////////////// (var accessToken, var refreshToken) = await CreateAccessTokenAsync(request.ValidatedRequest); var response = new TokenResponse { AccessToken = accessToken, AccessTokenLifetime = request.ValidatedRequest.AccessTokenLifetime, Custom = request.CustomResponse }; ////////////////////////// // refresh token ///////////////////////// if (refreshToken.IsPresent()) { response.RefreshToken = refreshToken; } ////////////////////////// // id token ///////////////////////// if (request.ValidatedRequest.AuthorizationCode.IsOpenId) { // load the client that belongs to the authorization code Client client = null; if (request.ValidatedRequest.AuthorizationCode.ClientId != null) { client = await Clients.FindEnabledClientByIdAsync(request.ValidatedRequest.AuthorizationCode.ClientId); } if (client == null) { throw new InvalidOperationException("Client does not exist anymore."); } var resources = await Resources.FindEnabledResourcesByScopeAsync(request.ValidatedRequest.AuthorizationCode.RequestedScopes); var tokenRequest = new TokenCreationRequest { Subject = request.ValidatedRequest.AuthorizationCode.Subject, Resources = resources, Nonce = request.ValidatedRequest.AuthorizationCode.Nonce, AccessTokenToHash = response.AccessToken, ValidatedRequest = request.ValidatedRequest }; var idToken = await TokenService.CreateIdentityTokenAsync(tokenRequest); var jwt = await TokenService.CreateSecurityTokenAsync(idToken); response.IdentityToken = jwt; } return(response); }
/// <summary> /// Processes the response for device code grant request. /// </summary> /// <param name="request">The request.</param> /// <returns></returns> protected virtual async Task <TokenResponse> ProcessDeviceCodeRequestAsync(TokenRequestValidationResult request) { Logger.LogTrace("Creating response for device code request"); ////////////////////////// // access token ///////////////////////// var(accessToken, refreshToken) = await CreateAccessTokenAsync(request.ValidatedRequest); var response = new TokenResponse { AccessToken = accessToken, AccessTokenLifetime = request.ValidatedRequest.AccessTokenLifetime, Custom = request.CustomResponse, Scope = request.ValidatedRequest.ValidatedResources.RawScopeValues.ToSpaceSeparatedString() }; ////////////////////////// // refresh token ///////////////////////// if (refreshToken.IsPresent()) { response.RefreshToken = refreshToken; } ////////////////////////// // id token ///////////////////////// if (request.ValidatedRequest.DeviceCode.IsOpenId) { // load the client that belongs to the device code Client client = null; if (request.ValidatedRequest.DeviceCode.ClientId != null) { // todo: do we need this check? client = await Clients.FindEnabledClientByIdAsync(request.ValidatedRequest.DeviceCode.ClientId); } if (client == null) { throw new InvalidOperationException("Client does not exist anymore."); } var tokenRequest = new TokenCreationRequest { Subject = request.ValidatedRequest.DeviceCode.Subject, AccessTokenToHash = response.AccessToken, ValidatedResources = request.ValidatedRequest.ValidatedResources, ValidatedRequest = request.ValidatedRequest }; var idToken = await TokenService.CreateIdentityTokenAsync(tokenRequest); var jwt = await TokenService.CreateSecurityTokenAsync(idToken); response.IdentityToken = jwt; } return(response); }
public override async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request) { var token = await base.CreateAccessTokenAsync(request); await _tokenHandleStore.StoreAsync(await _signingService.SignTokenAsync(token), token); return(token); }
private async Task <TokenResponse> ProcessRefreshTokenRequestAsync(ValidatedTokenRequest request) { Logger.Info("Processing refresh token request"); var oldAccessToken = request.RefreshToken.AccessToken; string accessTokenString; // if pop request, claims must be updated because we need a fresh proof token if (request.Client.UpdateAccessTokenClaimsOnRefresh || request.RequestedTokenType == RequestedTokenTypes.PoP) { var subject = request.RefreshToken.GetOriginalSubject(); var creationRequest = new TokenCreationRequest { Client = request.Client, Subject = subject, ValidatedRequest = request, Scopes = await _scopes.FindScopesAsync(oldAccessToken.Scopes), }; // if pop request, embed proof token if (request.RequestedTokenType == RequestedTokenTypes.PoP) { creationRequest.ProofKey = GetProofKey(request); } var newAccessToken = await _tokenService.CreateAccessTokenAsync(creationRequest); accessTokenString = await _tokenService.CreateSecurityTokenAsync(newAccessToken); } else { var copy = new Token(oldAccessToken); copy.CreationTime = DateTimeOffsetHelper.UtcNow; copy.Lifetime = request.Client.AccessTokenLifetime; accessTokenString = await _tokenService.CreateSecurityTokenAsync(copy); } var handle = await _refreshTokenService.UpdateRefreshTokenAsync(request.RefreshTokenHandle, request.RefreshToken, request.Client); var response = new TokenResponse { AccessToken = accessTokenString, AccessTokenLifetime = request.Client.AccessTokenLifetime, RefreshToken = handle }; if (request.RequestedTokenType == RequestedTokenTypes.PoP) { response.TokenType = Constants.ResponseTokenTypes.PoP; response.Algorithm = request.ProofKeyAlgorithm; } response.IdentityToken = await CreateIdTokenFromRefreshTokenRequestAsync(request, accessTokenString); return(response); }
/// <summary> /// Creates an identity token. /// </summary> /// <param name="request">The token creation request.</param> /// <returns> /// An identity token /// </returns> public virtual async Task <Token> CreateIdentityTokenAsync(TokenCreationRequest request) { Logger.LogTrace("Creating identity token"); request.Validate(); // host provided claims var claims = new List <Claim>(); // if nonce was sent, must be mirrored in id token if (request.Nonce.IsPresent()) { claims.Add(new Claim(JwtClaimTypes.Nonce, request.Nonce)); } // add iat claim claims.Add(new Claim(JwtClaimTypes.IssuedAt, IdentityServerDateTime.UtcNow.ToEpochTime().ToString(), ClaimValueTypes.Integer)); // add at_hash claim if (request.AccessTokenToHash.IsPresent()) { claims.Add(new Claim(JwtClaimTypes.AccessTokenHash, HashAdditionalData(request.AccessTokenToHash))); } // add c_hash claim if (request.AuthorizationCodeToHash.IsPresent()) { claims.Add(new Claim(JwtClaimTypes.AuthorizationCodeHash, HashAdditionalData(request.AuthorizationCodeToHash))); } // add sid if present if (request.ValidatedRequest.SessionId.IsPresent()) { claims.Add(new Claim(JwtClaimTypes.SessionId, request.ValidatedRequest.SessionId)); } claims.AddRange(await ClaimsProvider.GetIdentityTokenClaimsAsync( request.Subject, request.ValidatedRequest.Client, request.Resources, request.IncludeAllIdentityClaims, request.ValidatedRequest)); var issuer = Context.HttpContext.GetIdentityServerIssuerUri(); var token = new Token(OidcConstants.TokenTypes.IdentityToken) { Audiences = { request.ValidatedRequest.Client.ClientId }, Issuer = issuer, Lifetime = request.ValidatedRequest.Client.IdentityTokenLifetime, Claims = claims.Distinct(new ClaimComparer()).ToList(), ClientId = request.ValidatedRequest.Client.ClientId, AccessTokenType = request.ValidatedRequest.AccessTokenType }; return(token); }
public async Task <AuthorizeResponse> CreateImplicitFlowResponseAsync(ValidatedAuthorizeRequest request, string authorizationCode = null) { string accessTokenValue = null; int accessTokenLifetime = 0; var responseTypes = request.ResponseType.FromSpaceSeparatedString(); if (responseTypes.Contains(Constants.ResponseTypes.Token)) { var tokenRequest = new TokenCreationRequest { Subject = request.Subject, Client = request.Client, Scopes = request.ValidatedScopes.GrantedScopes, ValidatedRequest = request }; var accessToken = await _tokenService.CreateAccessTokenAsync(tokenRequest); accessTokenLifetime = accessToken.Lifetime; accessTokenValue = await _tokenService.CreateSecurityTokenAsync(accessToken); } string jwt = null; if (responseTypes.Contains(Constants.ResponseTypes.IdToken)) { var tokenRequest = new TokenCreationRequest { ValidatedRequest = request, Subject = request.Subject, Client = request.Client, Scopes = request.ValidatedScopes.GrantedScopes, IncludeAllIdentityClaims = !request.AccessTokenRequested, AccessTokenToHash = accessTokenValue, AuthorizationCodeToHash = authorizationCode }; var idToken = await _tokenService.CreateIdentityTokenAsync(tokenRequest); jwt = await _tokenService.CreateSecurityTokenAsync(idToken); } return(new AuthorizeResponse { Request = request, RedirectUri = request.RedirectUri, AccessToken = accessTokenValue, AccessTokenLifetime = accessTokenLifetime, IdentityToken = jwt, State = request.State, Scope = request.ValidatedScopes.GrantedScopes.ToSpaceSeparatedString() }); }
private async Task <Tuple <string, string> > CreateAccessTokenAsync(ValidatedTokenRequest request) { TokenCreationRequest tokenRequest; bool createRefreshToken; if (request.AuthorizationCode != null) { createRefreshToken = request.AuthorizationCode.RequestedScopes.Contains(Constants.StandardScopes.OfflineAccess); // load the client that belongs to the authorization code Client client = null; if (request.AuthorizationCode.ClientId != null) { client = await _clients.FindEnabledClientByIdAsync(request.AuthorizationCode.ClientId); } if (client == null) { throw new InvalidOperationException("Client does not exist anymore."); } var scopes = await _scopes.FindEnabledScopesAsync(request.AuthorizationCode.RequestedScopes); tokenRequest = new TokenCreationRequest { Subject = request.AuthorizationCode.Subject, Client = client, Scopes = scopes, ValidatedRequest = request }; } else { createRefreshToken = request.ValidatedScopes.ContainsOfflineAccessScope; tokenRequest = new TokenCreationRequest { Subject = request.Subject, Client = request.Client, Scopes = request.ValidatedScopes.GrantedScopes, ValidatedRequest = request }; } Token accessToken = await _tokenService.CreateAccessTokenAsync(tokenRequest); string refreshToken = ""; if (createRefreshToken) { refreshToken = await _refreshTokenService.CreateRefreshTokenAsync(tokenRequest.Subject, accessToken, request.Client); } var securityToken = await _tokenService.CreateSecurityTokenAsync(accessToken); return(Tuple.Create(securityToken, refreshToken)); }
public override async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request) { var token = await base.CreateAccessTokenAsync(request); if (ShouldAddOrganisationClaims(request)) { await AddOrganisationClaimsAsync(token); } return(token); }
private async Task <TokenResponse> ProcessAuthorizationCodeRequestAsync(ValidatedTokenRequest request) { Logger.Info("Processing authorization code request"); ////////////////////////// // access token ///////////////////////// var accessToken = await CreateAccessTokenAsync(request); var response = new TokenResponse { AccessToken = accessToken.Item1, AccessTokenLifetime = request.Client.AccessTokenLifetime }; if (request.RequestedTokenType == RequestedTokenTypes.PoP) { response.TokenType = Constants.ResponseTokenTypes.PoP; response.Algorithm = request.ProofKeyAlgorithm; } ////////////////////////// // refresh token ///////////////////////// if (accessToken.Item2.IsPresent()) { response.RefreshToken = accessToken.Item2; } ////////////////////////// // id token ///////////////////////// if (request.AuthorizationCode.IsOpenId) { var tokenRequest = new TokenCreationRequest { Subject = request.AuthorizationCode.Subject, Client = request.AuthorizationCode.Client, Scopes = request.AuthorizationCode.RequestedScopes, Nonce = request.AuthorizationCode.Nonce, ValidatedRequest = request, AccessTokenToHash = accessToken.Item1 }; var idToken = await _tokenService.CreateIdentityTokenAsync(tokenRequest); var jwt = await _tokenService.CreateSecurityTokenAsync(idToken); response.IdentityToken = jwt; } return(response); }
/// <summary> /// Creates an identity token. /// </summary> /// <param name="request">The token creation request.</param> /// <returns> /// An identity token /// </returns> public virtual async Task <Token> CreateIdentityTokenAsync(TokenCreationRequest request) { Logger.Debug("Creating identity token"); request.Validate(); // host provided claims var claims = new List <Claim>(); // if nonce was sent, must be mirrored in id token if (request.Nonce.IsPresent()) { claims.Add(new Claim(Constants.ClaimTypes.Nonce, request.Nonce)); } // add iat claim claims.Add(new Claim(Constants.ClaimTypes.IssuedAt, DateTimeOffsetHelper.UtcNow.ToEpochTime().ToString(), ClaimValueTypes.Integer)); // add at_hash claim if (request.AccessTokenToHash.IsPresent()) { claims.Add(new Claim(Constants.ClaimTypes.AccessTokenHash, HashAdditionalData(request.AccessTokenToHash))); } // add c_hash claim if (request.AuthorizationCodeToHash.IsPresent()) { claims.Add(new Claim(Constants.ClaimTypes.AuthorizationCodeHash, HashAdditionalData(request.AuthorizationCodeToHash))); } // add sid if present if (request.ValidatedRequest.SessionId.IsPresent()) { claims.Add(new Claim(Constants.ClaimTypes.SessionId, request.ValidatedRequest.SessionId)); } claims.AddRange(await _claimsProvider.GetIdentityTokenClaimsAsync( request.Subject, request.Client, request.Scopes, request.IncludeAllIdentityClaims, request.ValidatedRequest)); var token = new Token(Constants.TokenTypes.IdentityToken) { Audience = request.Client.ClientId, Issuer = _issuerUri, WebService = _wsUri, Lifetime = request.Client.IdentityTokenLifetime, Claims = claims.Distinct(new ClaimComparer()).ToList(), Client = request.Client }; return(token); }
/// <summary> /// Creates the access/refresh token. /// </summary> /// <param name="request">The request.</param> /// <returns></returns> /// <exception cref="System.InvalidOperationException">Client does not exist anymore.</exception> protected async Task <(string accessToken, string refreshToken)> CreateAccessTokenAsync(ValidatedTokenRequest request) { TokenCreationRequest tokenRequest; bool createRefreshToken; if (request.AuthorizationCode != null) { createRefreshToken = request.AuthorizationCode.RequestedScopes.Contains(IdentityServerConstants.StandardScopes.OfflineAccess); // load the client that belongs to the authorization code Client client = null; if (request.AuthorizationCode.ClientId != null) { client = await Clients.FindEnabledClientByIdAsync(request.AuthorizationCode.ClientId); } if (client == null) { throw new InvalidOperationException("Client does not exist anymore."); } var resources = await Resources.FindEnabledResourcesByScopeAsync(request.AuthorizationCode.RequestedScopes); tokenRequest = new TokenCreationRequest { Subject = request.AuthorizationCode.Subject, Resources = resources, ValidatedRequest = request }; } else { createRefreshToken = request.ValidatedScopes.ContainsOfflineAccessScope; tokenRequest = new TokenCreationRequest { Subject = request.Subject, Resources = request.ValidatedScopes.GrantedResources, ValidatedRequest = request }; } var at = await TokenService.CreateAccessTokenAsync(tokenRequest); var accessToken = await TokenService.CreateSecurityTokenAsync(at); if (createRefreshToken) { var refreshToken = await RefreshTokenService.CreateRefreshTokenAsync(tokenRequest.Subject, at, request.Client); return(accessToken, refreshToken); } return(accessToken, null); }
public async Task <Token> CreateIdentityTokenAsync(TokenCreationRequest request) { var token = await _inner.CreateIdentityTokenAsync(request); // id token lifetime is not setup via request. if (request.Subject?.IsAnonymous() == true) { token.Lifetime = _anonIdsrvOptions.IdentityTokenLifetime; } return(token); }
public virtual bool ShouldAddOrganisationClaims(TokenCreationRequest request) { var requestedClaimTypes = new HashSet <string>(); requestedClaimTypes.UnionWith(request.ValidatedResources.Resources.ApiResources.SelectMany(r => r.UserClaims)); requestedClaimTypes.UnionWith(request.ValidatedResources.Resources.ApiScopes.SelectMany(s => s.UserClaims)); var isOrganisaionClaimRequired = requestedClaimTypes.Contains(InssClaimTypes.Organisation); var isClientCredentials = (request.ValidatedRequest as ValidatedTokenRequest)?.GrantType == GrantTypes.ClientCredentials.First(); return(isOrganisaionClaimRequired && isClientCredentials); }
public void Validate(TokenCreationRequest request) { if (request.Resources == null) { throw new ArgumentNullException(nameof(request.Resources)); } if (request.ValidatedRequest == null) { throw new ArgumentNullException(nameof(request.ValidatedRequest)); } }
public override async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request) { var token = await base.CreateAccessTokenAsync(request); var sessionId = request.ValidatedRequest.SessionId; if (string.IsNullOrWhiteSpace(sessionId) == false) { token.Claims.Add(new Claim(Constants.ClaimTypes.SessionId, sessionId.Trim())); } return(token); }
public virtual async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request) { Logger.LogTrace("Creating access token"); request.Validate(); List <Claim> claims = new List <Claim>(); List <Claim> list = claims; list.AddRange(await ClaimsProvider.GetAccessTokenClaimsAsync(request.Subject, request.ValidatedResources, request.ValidatedRequest)); if (request.ValidatedRequest.Client.IncludeJwtId) { claims.Add(new Claim("jti", CryptoRandom.CreateUniqueId(16, CryptoRandom.OutputFormat.Hex))); } if (request.ValidatedRequest.SessionId.IsPresent()) { claims.Add(new Claim("sid", request.ValidatedRequest.SessionId)); } claims.Add(new Claim("iat", Clock.UtcNow.ToUnixTimeSeconds().ToString(), "http://www.w3.org/2001/XMLSchema#integer64")); string identityServerIssuerUri = ContextAccessor.HttpContext.GetIdentityServerIssuerUri(); Token token = new Token("access_token") { CreationTime = Clock.UtcNow.UtcDateTime, Issuer = identityServerIssuerUri, Lifetime = request.ValidatedRequest.AccessTokenLifetime, Claims = claims.Distinct(new ClaimComparer()).ToList(), ClientId = request.ValidatedRequest.Client.ClientId, Description = request.Description, AccessTokenType = request.ValidatedRequest.AccessTokenType, AllowedSigningAlgorithms = request.ValidatedResources.Resources.ApiResources.FindMatchingSigningAlgorithms() }; foreach (string item in request.ValidatedResources.Resources.ApiResources.Select((ApiResource x) => x.Name).Distinct()) { token.Audiences.Add(item); } if (Options.EmitStaticAudienceClaim) { token.Audiences.Add($"{identityServerIssuerUri.EnsureTrailingSlash()}resources"); } if (request.ValidatedRequest.Confirmation.IsPresent()) { token.Confirmation = request.ValidatedRequest.Confirmation; } else if (Options.MutualTls.AlwaysEmitConfirmationClaim) { X509Certificate2 x509Certificate = await ContextAccessor.HttpContext.Connection.GetClientCertificateAsync(); if (x509Certificate != null) { token.Confirmation = x509Certificate.CreateThumbprintCnf(); } } return(token); }
public async override Task <Token> CreateAccessTokenAsync(TokenCreationRequest request) { var token = await base.CreateAccessTokenAsync(request); token.Lifetime = token.Client.AccessTokenLifetime; /* * var claims = new List<Claim>(); * claims.AddRange(await _claimsProvider.GetAccessTokenClaimsAsync( * request.Subject, * request.Client, * request.Scopes, * request.ValidatedRequest)); * * if (request.Client.IncludeJwtId) * { * claims.Add(new Claim(Constants.ClaimTypes.JwtId, CryptoRandom.CreateUniqueId())); * } * * if (request.ProofKey.IsPresent()) * { * claims.Add(new Claim(Constants.ClaimTypes.Confirmation, request.ProofKey, Constants.ClaimValueTypes.Json)); * } * * var token = new Token(Constants.TokenTypes.AccessToken) * { * Audience = string.Format(Constants.AccessTokenAudience, IssuerUri.EnsureTrailingSlash()), * Issuer = IssuerUri, * Lifetime = request.Client.AccessTokenLifetime, * Claims = claims.Distinct(new ClaimComparer()).ToList(), * Client = request.Client * }; */ var resource = request.ValidatedRequest.Raw["resource"]; if (String.IsNullOrEmpty(resource)) { token.Audience = Namespaces.OAuth2SiteResourceUri; } else { token.Audience = resource; } UriBuilder uri = new UriBuilder(token.Issuer); uri.Host = uri.Host.ToLowerInvariant(); token.Issuer = uri.ToString(); return(token); }
public async Task AddTokenAsync(TokenCreationRequest tokenCreationRequest) { var token = new DataModelToken { Symbol = tokenCreationRequest.Symbol, Name = tokenCreationRequest.Name, Decimals = tokenCreationRequest.Decimals, FundTokens = new List <DataModel.FundToken>() }; this.galaxisContext.Tokens.Add(token); await this.galaxisContext.SaveChangesAsync(); }