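        /// <summary>
        /// Materialises the access token (<c>_jwt</c>) and its companion refresh token
        /// (<c>_refreshToken</c>) for the configured audience. <c>Subject</c> and
        /// <c>Expiration</c> must be set before calling.
        /// </summary>
        /// <exception cref="ArgumentNullException">Thrown when <c>Subject</c> is null or empty.</exception>
        public void Build()
        {
            // An access token without a subject is meaningless; refuse to sign one.
            if (string.IsNullOrEmpty(this.Subject))
            {
                // ArgumentNullException(string) takes the *parameter name*; the previous code passed
                // the message there, which rendered as "(Parameter 'Subject must have a value')".
                throw new ArgumentNullException(nameof(this.Subject), "Subject must have a value");
            }

            // One timestamp so nbf, exp and the refresh token's IssuedUtc all agree.
            var now = DateTime.UtcNow;

            _jwt = new JwtSecurityToken(
                issuer: _audience.Issuer,
                audience: _audience.Id,
                notBefore: now,
                expires: now.Add(this.Expiration),
                signingCredentials: this.GetSigningCredentials(),
                claims: this.GetClaims(now)
                );

            //TODO:
            //Encrypt refresh token protected ticket here:
            //
            // The serialised access token becomes the refresh token's protected ticket.
            // NOTE(review): nothing in this method encrypts it; whether RefreshToken.New or the
            // persistence layer does so is not visible here — confirm before it is stored at rest.
            _refreshToken = Domain.RefreshToken.New(this.Subject, _audience.Id, now, GetAccessTokenString(), _audience.RefreshTokenLifetimeMinutes);
        }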
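        /// <summary>
        /// Handles a refresh-token grant: looks up the persisted refresh token by the hash of the
        /// presented value, rejects it if expired, decrypts its protected ticket (the access token
        /// issued alongside it in <c>Build()</c>), validates that ticket and re-issues an access token
        /// carrying its claims. Every failure short-circuits through <c>RespondRefreshTokenInvalid</c>,
        /// except a decryption failure, which writes its own 401 body.
        /// </summary>
        /// <param name="next">Next middleware in the pipeline; not invoked by this handler.</param>
        /// <param name="context">Current request; the token is read from the form field "refresh_token".</param>
        /// <param name="options">Supplies <c>RefreshAccessToken</c>, the persistence lookup by hashed id.</param>
        public async Task Execute(RequestDelegate next, HttpContext context, ArgonautOptions options)
        {
            // Request.Form throws on a non-form body; treat that (and a missing field) as an
            // invalid token instead of letting the exception surface as a 500.
            if (!context.Request.HasFormContentType)
            {
                await RespondRefreshTokenInvalid(context);

                return;
            }

            string rtFromRequest = context.Request.Form["refresh_token"];

            if (string.IsNullOrEmpty(rtFromRequest))
            {
                await RespondRefreshTokenInvalid(context);

                return;
            }

            // Only the hash of the presented token is used for the store lookup.
            var hashedRefreshTokenId = Argonaut.Internal.Hashing.GetHash(rtFromRequest);

            var persistenceResponse = options.RefreshAccessToken(hashedRefreshTokenId); //Client returns refresh token model with encrpted ticket.

            // Unknown id, or an incomplete record, is indistinguishable from an invalid token.
            if (persistenceResponse == null
                || persistenceResponse.RefreshToken == null
                || persistenceResponse.Audience == null)
            {
                await RespondRefreshTokenInvalid(context);

                return;
            }

            //Map to domain refresh token
            var stored = persistenceResponse.RefreshToken;
            Domain.RefreshToken rt = Domain.RefreshToken.New(
                stored.Id,
                stored.Subject,
                stored.AudienceId,
                stored.ProtectedTicket,
                stored.IssuedUtc,
                stored.ExpiresUtc
                );

            var nowUtc = DateTime.UtcNow; //TODO: Could do with moving to interface

            if (nowUtc > rt.ExpiresUtc)
            {
                await RespondRefreshTokenInvalid(context);

                return;
            }

            // DecryptTicket receives the presented (un-hashed) token; presumably it feeds the
            // decryption so the store alone cannot recover the ticket — verify in Domain.RefreshToken.
            // NOTE(review): the distinct body below lets a caller tell "decryption failed" apart from
            // "unknown/expired"; consider routing it through RespondRefreshTokenInvalid as well.
            try {
                rt.DecryptTicket(_encryptor, rtFromRequest);
            } catch {
                context.Response.StatusCode = 401;
                await context.Response.WriteAsync("Persisted refresh token failed decryption - Log in using username and password.");

                return;
            }

            if (rt.ProtectedTicket == null)
            {
                await RespondRefreshTokenInvalid(context);

                return;
            }

            // SecretOnly(): by its name only the signing key is verified here — the ticket is the
            // previously issued access token and is normally past its own lifetime by now.
            var vp      = new JWTValidationParametersGenerator(persistenceResponse.Audience).SecretOnly();
            var handler = new JwtSecurityTokenHandler();

            Microsoft.IdentityModel.Tokens.SecurityToken validatedToken = null;
            try {
                handler.ValidateToken(rt.ProtectedTicket, vp, out validatedToken);
            } catch {
                await RespondRefreshTokenInvalid(context);

                return;
            }

            // A null result or a non-JWT token would otherwise dereference null below.
            var jwt = validatedToken as System.IdentityModel.Tokens.Jwt.JwtSecurityToken;

            if (jwt == null)
            {
                await RespondRefreshTokenInvalid(context);

                return;
            }

            // A ticket with no subject cannot be re-issued; previously this was a NullReferenceException.
            var subClaim = jwt.Claims.FirstOrDefault(l => l.Type == "sub");

            if (subClaim == null || string.IsNullOrEmpty(subClaim.Value))
            {
                await RespondRefreshTokenInvalid(context);

                return;
            }

            var sub = subClaim.Value;

            // Build() persists Subject next to the ticket it issues, so the ticket's sub claim is
            // expected to match the stored record; a mismatch means the record was altered.
            // (Assumes GetClaims emits sub = Subject — confirm against JWTBuilder.)
            if (!string.Equals(sub, stored.Subject, StringComparison.Ordinal))
            {
                await RespondRefreshTokenInvalid(context);

                return;
            }

            // Drop the claims the builder re-generates itself (exp, nbf, ...) and carry the rest over.
            var claimsToUse = jwt.Claims.ExcludeDefaultAccessTokenClaims();

            _jwtBuilder = JWTBuilder.New(persistenceResponse.Audience);
            _jwtBuilder.AddClaims(claimsToUse);

            await GenerateAccessToken(context, sub, options);
        }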