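        /// <summary>
        /// Handles the OAuth2 resource-owner password grant: looks the user up by the
        /// supplied username, verifies the supplied password against the stored hash
        /// and, on success, issues a ticket carrying name, client-id and scope claims.
        /// </summary>
        /// <param name="context">The grant context holding the submitted username,
        /// password, client id and scope.</param>
        /// <returns>A completed task; the outcome is reported through
        /// <paramref name="context"/> (Validated, or SetError with "invalid_grant").</returns>
        public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
        {
            using (var db = new Models.TodoAppDbContext())
            {
                var user = db.Users.SingleOrDefault(t => t.Username == context.UserName);

                // An unknown username used to dereference a null user and throw (a 500
                // instead of an OAuth error). Reject it with the same message as a wrong
                // password so the response does not reveal which one was wrong.
                // NOTE(review): the hash check is skipped for unknown users, so response
                // time still differs; verify against a dummy hash if that matters here.
                if (user == null || !Crypto.VerifyHashedPassword(user.Password, context.Password))
                {
                    context.Rejected();
                    context.SetError("invalid_grant", "Username or Password is not correct.");
                    return;
                }

                var identity = new ClaimsIdentity(context.Options.AuthenticationType);
                identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
                identity.AddClaim(new Claim("as:client_id", context.ClientId));

                // The first scope entry is treated as a comma-separated list; one
                // "as:scope" claim is issued per element.
                var requestedScope = context.Scope.FirstOrDefault();
                if (!string.IsNullOrEmpty(requestedScope))
                {
                    foreach (var scope in requestedScope.Split(','))
                    {
                        identity.AddClaim(new Claim("as:scope", scope));
                    }
                }

                // client_id / username are carried in the ticket properties so the
                // refresh-token path can see which client the token was issued to.
                var props = new AuthenticationProperties(new Dictionary<string, string>
                {
                    { "client_id", context.ClientId },
                    { "username", context.UserName }
                });

                context.Validated(new AuthenticationTicket(identity, props));
            }
        }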
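        /// <summary>
        /// Authenticates the OAuth2 client making the token request. Credentials are
        /// read from the HTTP Basic header first and from the form body as a fallback;
        /// the client is then looked up by id and its stored secret compared with the
        /// supplied one.
        /// </summary>
        /// <param name="context">Client-authentication context for the token request.</param>
        /// <returns>A completed task; the outcome is reported through
        /// <paramref name="context"/> (Validated, or SetError with "invalid_clientid").</returns>
        public override async Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
        {
            string clientId;
            string clientSecret;

            if (!context.TryGetBasicCredentials(out clientId, out clientSecret))
            {
                context.TryGetFormCredentials(out clientId, out clientSecret);
            }

            using (var db = new Models.TodoAppDbContext())
            {
                var client = db.Clients.SingleOrDefault(t => t.Client_ID == clientId);

                // TODO - Security: Authorize SPA clients without asking for client secret.
                // Secret should not be kept in SPA application for security reason
                //
                // An unknown client id used to dereference a null client and throw; it is
                // now rejected with the same error as a bad secret. The secret comparison
                // does not short-circuit on the first differing character, so its timing
                // does not reveal how much of a guessed secret was correct.
                if (client != null && SecretsMatch(client.Client_Secret, clientSecret))
                {
                    context.Validated();
                }
                else
                {
                    context.SetError("invalid_clientid", "Incorrect Client ID or Client Secret.");
                }
            }

            // Recorded regardless of outcome, as before; ClientId is whatever the
            // TryGet* call above extracted.
            context.OwinContext.Set<string>("as:client_id", context.ClientId);
        }

        /// <summary>
        /// Compares a stored client secret with a supplied one. Gives the same result
        /// as <c>==</c> did (including treating two nulls as equal, which the SPA TODO
        /// above appears to rely on — confirm before tightening), but runs in time that
        /// depends only on the lengths involved, not on where the strings first differ.
        /// </summary>
        /// <param name="expected">The secret stored for the client (may be null).</param>
        /// <param name="actual">The secret presented in the request (may be null).</param>
        /// <returns>True when both are null or both hold identical characters.</returns>
        private static bool SecretsMatch(string expected, string actual)
        {
            if (expected == null || actual == null)
            {
                return expected == actual;
            }

            // Fold every character difference into one accumulator instead of
            // returning early; a length mismatch is folded in the same way.
            int diff = expected.Length ^ actual.Length;
            int length = expected.Length < actual.Length ? expected.Length : actual.Length;
            for (int i = 0; i < length; i++)
            {
                diff |= expected[i] ^ actual[i];
            }

            return diff == 0;
        }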