public async Task <IActionResult> Register(RegisterViewModel model)
{
if (await _manager.FindByClientIdAsync(model.ClientId) == null)
{
var descriptor = new OpenIddictApplicationDescriptor
{
ClientId = model.ClientId,
ClientSecret = model.ClientSecret,
DisplayName = model.DisplayName,
PostLogoutRedirectUris = { model.PostLogoutRedirectUris },
RedirectUris = { model.RedirectUris },
Permissions =
{
OpenIddictConstants.Permissions.Endpoints.Authorization,
OpenIddictConstants.Permissions.Endpoints.Logout,
OpenIddictConstants.Permissions.Endpoints.Token,
OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode,
OpenIddictConstants.Permissions.GrantTypes.RefreshToken,
OpenIddictConstants.Permissions.Scopes.Email,
CustomScopes.PermissionMeasurements(),
CustomScopes.PermissionGender(),
CustomScopes.PermissionName()
}
};
var setApplicationResult = _manager.CreateAsync(descriptor);
if (!setApplicationResult.IsFaulted)
{
StatusMessage = "Your application has been registered";
return(RedirectToAction(nameof(Register)));
}
ModelState.AddModelError(String.Empty, setApplicationResult.Exception.Message);
}
//if we get here something is wrong re displaying form.
StatusMessage = "Error: Something went wrong";
return(RedirectToAction(nameof(Register)));
}
private async Task <AuthenticationTicket> CreateTicketAsync(
OpenIdConnectRequest oidcRequest, ApplicationUser user,
AuthenticationProperties properties = null)
{
// Create a new ClaimsPrincipal containing the claims that
// will be used to create an id_token, a token or a code.
var principal = await _signInManager.CreateUserPrincipalAsync(user);
// Create a new authentication ticket holding the user identity.
var ticket = new AuthenticationTicket(principal, properties,
OpenIddictServerDefaults.AuthenticationScheme);
if (!oidcRequest.IsAuthorizationCodeGrantType())
{
// Set the list of scopes granted to the client application.
// Note: the offline_access scope must be granted
// to allow OpenIddict to return a refresh token.
ticket.SetScopes(new[]
{
OpenIdConnectConstants.Scopes.OpenId,
OpenIdConnectConstants.Scopes.Email,
OpenIdConnectConstants.Scopes.Profile,
CustomScopes.Measurements(),
CustomScopes.Gender(),
OpenIdConnectConstants.Scopes.OfflineAccess,
OpenIddictConstants.Scopes.Roles
}.Intersect(oidcRequest.GetScopes()));
}
ticket.SetResources("resource_server");
// Note: by default, claims are NOT automatically included in the access and identity tokens.
// To allow OpenIddict to serialize them, you must attach them a destination, that specifies
// whether they should be included in access tokens, in identity tokens or in both.
foreach (var claim in ticket.Principal.Claims)
{
// Never include the security stamp in the access and identity tokens, as it's a secret value.
if (claim.Type == _identityOptions.Value.ClaimsIdentity.SecurityStampClaimType)
{
continue;
}
var destinations = new List <string>
{
OpenIdConnectConstants.Destinations.AccessToken
};
// Only add the iterated claim to the id_token if the corresponding scope was granted to the client application.
// The other claims will only be added to the access_token, which is encrypted when using the default format.
if ((claim.Type == OpenIdConnectConstants.Claims.Name && ticket.HasScope(OpenIdConnectConstants.Scopes.Profile)) ||
(claim.Type == OpenIdConnectConstants.Claims.Email && ticket.HasScope(OpenIdConnectConstants.Scopes.Email)) ||
(claim.Type == OpenIdConnectConstants.Claims.Role && ticket.HasScope(OpenIddictConstants.Scopes.Roles)))
{
destinations.Add(OpenIdConnectConstants.Destinations.IdentityToken);
}
claim.SetDestinations(destinations);
}
return(ticket);
}
