        /// <summary>
        /// Integration test: exchanges a social (google-oauth2) access token for an Auth0 id_token,
        /// then uses that id_token as the JWT-bearer assertion of a delegation request for the same
        /// client, asserting that both the response and its IdToken come back non-null.
        /// </summary>
        public async Task Can_get_delegation_token()
        {
            var client = new AuthenticationApiClient(new Uri(GetVariable("AUTH0_AUTHENTICATION_API_URL")));

            // Step 1: trade the social access token held in `accessToken` for an Auth0 id_token.
            var accessTokenRequest = new AccessTokenRequest
            {
                ClientId    = GetVariable("AUTH0_CLIENT_ID"),
                Connection  = "google-oauth2",
                AccessToken = accessToken,
                Scope       = "openid"
            };
            var tokenResponse = await client.GetAccessTokenAsync(accessTokenRequest);

            // Step 2: present that id_token to the delegation endpoint; source and target client
            // are the same application here.
            var delegationRequest = new IdTokenDelegationRequest(
                GetVariable("AUTH0_CLIENT_ID"),
                GetVariable("AUTH0_CLIENT_ID"),
                tokenResponse.IdToken)
            {
                Scope     = "openid",
                GrantType = "urn:ietf:params:oauth:grant-type:jwt-bearer",
                ApiType   = "app"
            };
            var delegation = await client.GetDelegationTokenAsync(delegationRequest);

            delegation.Should().NotBeNull();
            delegation.IdToken.Should().NotBeNull();
        }
        /// <summary>
        /// Integration test for the delegation flow: obtain an Auth0 id_token from a
        /// google-oauth2 access token, then request a delegation token with it and check
        /// that the delegation response and its IdToken are present.
        /// </summary>
        public async Task Can_get_delegation_token()
        {
            var auth0 = new AuthenticationApiClient(new Uri(GetVariable("AUTH0_AUTHENTICATION_API_URL")));

            // Obtain the id_token that will be delegated.
            var tokenResult = await auth0.GetAccessTokenAsync(new AccessTokenRequest
            {
                ClientId = GetVariable("AUTH0_CLIENT_ID"),     // application issuing the request
                Connection = "google-oauth2",                  // social connection the access token belongs to
                AccessToken = accessToken,
                Scope = "openid"
            });

            // Delegate that id_token to the same client via the JWT-bearer grant.
            var result = await auth0.GetDelegationTokenAsync(new IdTokenDelegationRequest(
                GetVariable("AUTH0_CLIENT_ID"),   // source client
                GetVariable("AUTH0_CLIENT_ID"),   // target client
                tokenResult.IdToken)
            {
                Scope = "openid",
                GrantType = "urn:ietf:params:oauth:grant-type:jwt-bearer",
                ApiType = "app"
            });

            result.Should().NotBeNull();
            result.IdToken.Should().NotBeNull();
        }
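        /// <summary>
        /// Cookie-principal validation hook that enforces the Auth0-issued "exp" claim on the
        /// signed-in principal. An unexpired token is accepted as-is; an expired one is refreshed
        /// through the principal's "refresh_token" claim (delegation request against Auth0). When
        /// neither path yields a valid token the principal is rejected and the "Auth0" scheme is
        /// signed out.
        /// </summary>
        /// <param name="context">Cookie validation context carrying the principal and the current HTTP context.</param>
        public static async Task ValidateExpirationAndTryRefresh(CookieValidatePrincipalContext context)
        {
            var auth0Settings = context.HttpContext.RequestServices.GetRequiredService<IOptions<Auth0Settings>>();

            // Only an "exp" claim issued by the configured Auth0 tenant counts; an "exp" from any
            // other issuer must not keep the session alive.
            var issuer   = $"https://{auth0Settings.Value.Domain}/";
            var expClaim = context.Principal?.FindFirst(c => c.Type == "exp" && c.OriginalIssuer == issuer);

            // A missing or unparseable "exp" is a reject, not an unhandled exception thrown out of
            // the cookie middleware (the original dereferenced expClaim and int.Parse'd it unguarded).
            var shouldReject = true;
            if (expClaim != null && TryGetExpiry(expClaim.Value, out var validTo))
            {
                shouldReject = validTo > DateTimeOffset.UtcNow
                    ? false
                    : !await TryRefreshIdTokenAsync(context, auth0Settings, expClaim);
            }

            if (shouldReject)
            {
                context.RejectPrincipal();

                // optionally clear cookie
                await context.HttpContext.Authentication.SignOutAsync("Auth0");
            }
        }

        /// <summary>
        /// Parses a JWT "exp" value (Unix seconds past the epoch, UTC) into an absolute instant.
        /// </summary>
        /// <param name="expValue">Raw claim value.</param>
        /// <param name="validTo">The instant the token expires; <see cref="DateTimeOffset.MinValue"/> on failure.</param>
        /// <returns><c>true</c> when the value is an integer within the representable range.</returns>
        private static bool TryGetExpiry(string expValue, out DateTimeOffset validTo)
        {
            validTo = DateTimeOffset.MinValue;

            // long, not int: 32-bit Unix seconds overflow in 2038, and InvariantCulture because
            // the value is machine-generated.
            if (!long.TryParse(expValue, NumberStyles.Integer, CultureInfo.InvariantCulture, out var seconds))
            {
                return false;
            }

            // Guard the range FromUnixTimeSeconds accepts so a hostile or corrupt value cannot throw.
            if (seconds < DateTimeOffset.MinValue.ToUnixTimeSeconds() || seconds > DateTimeOffset.MaxValue.ToUnixTimeSeconds())
            {
                return false;
            }

            validTo = DateTimeOffset.FromUnixTimeSeconds(seconds);
            return true;
        }

        /// <summary>
        /// Attempts to replace an expired id_token using the "refresh_token" claim carried by the
        /// principal. On success the "exp" and "id_token" claims on the identity that owns
        /// <paramref name="expClaim"/> are replaced and <see cref="CookieValidatePrincipalContext.ShouldRenew"/>
        /// is set so that a new cookie is issued.
        /// </summary>
        /// <param name="context">Cookie validation context.</param>
        /// <param name="auth0Settings">Tenant domain and client id used for the delegation call.</param>
        /// <param name="expClaim">The expired "exp" claim; its <see cref="Claim.Subject"/> is the identity to update.</param>
        /// <returns><c>true</c> when a fresh id_token was obtained and installed on the identity.</returns>
        private static async Task<bool> TryRefreshIdTokenAsync(
            CookieValidatePrincipalContext context,
            IOptions<Auth0Settings> auth0Settings,
            Claim expClaim)
        {
            // NOTE(review): the refresh token is a long-lived credential kept as a claim inside the
            // auth cookie, so this relies on the cookie ticket being data-protected — confirm in the
            // cookie middleware configuration.
            var refreshToken = context.Principal.FindFirst("refresh_token")?.Value;
            if (string.IsNullOrWhiteSpace(refreshToken))
            {
                return false;
            }

            // Try to get a new id_token from auth0 using refresh token
            var authClient = new AuthenticationApiClient(new Uri($"https://{auth0Settings.Value.Domain}"));
            var newIdToken = await authClient.GetDelegationTokenAsync(
                new RefreshTokenDelegationRequest(
                    auth0Settings.Value.ClientId,
                    auth0Settings.Value.ClientId,
                    refreshToken));

            if (newIdToken == null || string.IsNullOrWhiteSpace(newIdToken.IdToken))
            {
                return false;
            }

            // ValidateJwt (defined elsewhere in this file) is what establishes trust in the new
            // token before any of its claims are copied onto the identity. Without an "exp" on the
            // new token there is nothing to extend the session to, and AddClaim(null) would throw.
            var newPrincipal = ValidateJwt(newIdToken.IdToken, auth0Settings);
            var newExpClaim  = newPrincipal?.FindFirst("exp");
            if (newExpClaim == null)
            {
                return false;
            }

            var identity = expClaim.Subject;
            identity.RemoveClaim(expClaim);
            identity.AddClaim(newExpClaim);

            // Remove existing id_token claim
            var tokenClaim = identity.FindFirst("id_token");
            if (tokenClaim != null)
            {
                identity.RemoveClaim(tokenClaim);
            }

            // Add the new token claim
            identity.AddClaim(new Claim("id_token", newIdToken.IdToken));

            // TODO: if required, refresh identity with updated claims inside the new token
            // or calling the /api/v2/user/{id}?

            // How to reuse OpenIdConnectHandler's code to get the new profile
            // and create the new Identity?
            // see GetUserInformationAsync() in
            // https://github.com/aspnet/Security/blob/master/src/Microsoft.AspNetCore.Authentication.OpenIdConnect/OpenIdConnectHandler.cs

            // now issue a new cookie
            context.ShouldRenew = true;
            return true;
        }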