public async Task <bool> CheckScopesAreValid(string scope)
        {
            if (string.IsNullOrWhiteSpace(scope))
            {
                return(true); // Unlike the other checks, an empty scope is a valid scope. It just means the application has default permissions.
            }

            string[] scopes = scope.Split(' ');
            foreach (string s in scopes)
            {
                if (!OAuthScope.NameInScopes(s))
                {
                    return(false);
                }
            }
            return(true);
        }
Ejemplo n.º 2
0
        private async Task <AuthorizeViewModel> FillFromRequest(OpenIdConnectRequest OIDCRequest)
        {
            string      clientId = OIDCRequest.ClientId;
            OAuthClient client   = await _context.ClientApplications.FindAsync(clientId);

            if (client == null)
            {
                return(null);
            }
            else
            {
                // Get the Scopes for this application from the query - disallow duplicates
                ICollection <OAuthScope> scopes = new HashSet <OAuthScope>();
                if (!String.IsNullOrWhiteSpace(OIDCRequest.Scope))
                {
                    foreach (string s in OIDCRequest.Scope.Split(' '))
                    {
                        if (OAuthScope.NameInScopes(s))
                        {
                            OAuthScope scope = OAuthScope.GetScope(s);
                            if (!scopes.Contains(scope))
                            {
                                scopes.Add(scope);
                            }
                        }
                        else
                        {
                            return(null);
                        }
                    }
                }

                AuthorizeViewModel avm = new AuthorizeViewModel()
                {
                    ClientId     = OIDCRequest.ClientId,
                    ResponseType = OIDCRequest.ResponseType,
                    State        = OIDCRequest.State,
                    Scopes       = String.IsNullOrWhiteSpace(OIDCRequest.Scope) ? new string[0] : OIDCRequest.Scope.Split(' '),
                    RedirectUri  = OIDCRequest.RedirectUri
                };

                return(avm);
            }
        }
Ejemplo n.º 3
0
        public static AuthenticationTicket MakeClaimsForInteractive(ApplicationUser user, AuthorizeViewModel authorizeViewModel)
        {
            /*
             *  If you want to issue an OpenId Token, the spec for which is available at https://openid.net/connect/
             *  Then in each of the SetDestinations, add a reference to OpenIdConnect.Destinations.IdentityToken, like so:
             *
             *  new Claim("grant_type", OpenIdConnectConstants.GrantTypes.AuthorizationCode)
             *         .SetDestinations(OpenIdConnectConstants.Destinations.AccessToken, OpenIdConnectConstants.Destinations.IdentityToken));
             *
             *   This ensures that the claims you are concerned about will be placed into the Identity Token, which other services may access.
             */
            ClaimsIdentity identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme, OpenIdConnectConstants.Claims.Name, OpenIdConnectConstants.Claims.Role);

            identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.Id).SetDestinations(OpenIdConnectConstants.Destinations.AccessToken, OpenIdConnectConstants.Destinations.IdentityToken));
            identity.AddClaim(new Claim(ClaimTypes.Name, user.NormalizedUserName).SetDestinations(OpenIdConnectConstants.Destinations.AccessToken, OpenIdConnectConstants.Destinations.IdentityToken));
            identity.AddClaim(new Claim("AspNet.Identity.SecurityStamp", user.SecurityStamp).SetDestinations(OpenIdConnectConstants.Destinations.AccessToken, OpenIdConnectConstants.Destinations.IdentityToken));

            // We serialize the user_id so we can determine which user the caller of this token is
            identity.AddClaim(
                new Claim(OpenIdConnectConstants.Claims.Subject, user.Id)
                .SetDestinations(OpenIdConnectConstants.Destinations.AccessToken, OpenIdConnectConstants.Destinations.IdentityToken));

            switch (authorizeViewModel.ResponseType)
            {
            // We serialize the grant_type so we can user discriminate rate-limits. AuthorizationCode grants typically have the highest rate-limit allowance
            case OpenIdConnectConstants.ResponseTypes.Code:
                identity.AddClaim(
                    new Claim("grant_type", OpenIdConnectConstants.GrantTypes.AuthorizationCode)
                    .SetDestinations(OpenIdConnectConstants.Destinations.AccessToken, OpenIdConnectConstants.Destinations.IdentityToken));
                break;

            case OpenIdConnectConstants.ResponseTypes.Token:
                identity.AddClaim(
                    new Claim("grant_type", OpenIdConnectConstants.GrantTypes.Implicit)
                    .SetDestinations(OpenIdConnectConstants.Destinations.AccessToken, OpenIdConnectConstants.Destinations.IdentityToken));
                break;
            }

            // We serialize the client_id so we can monitor for usage patterns of a given app, and also to allow for app-based token revokes.
            identity.AddClaim(
                new Claim("client_id", authorizeViewModel.ClientId)
                .SetDestinations(OpenIdConnectConstants.Destinations.AccessToken, OpenIdConnectConstants.Destinations.IdentityToken));


            AuthenticationTicket ticket = new AuthenticationTicket(new ClaimsPrincipal(identity), new AuthenticationProperties(), OpenIdConnectServerDefaults.AuthenticationScheme);

            ICollection <string> scopesToAdd = new List <string>()
            {
                /* If  you've chosen to add an OpenId token to your destinations, be sure to include the OpenIdCOnnectConstants.Scopes.OpenId in this list */
                OpenIdConnectConstants.Scopes.OpenId, // Lets our requesting clients know that an OpenId Token was generated with the original request.
            };

            if (authorizeViewModel.ResponseType == OpenIdConnectConstants.ResponseTypes.Code)
            {
                scopesToAdd.Add(OpenIdConnectConstants.Scopes.OfflineAccess); //Gives us a RefreshToken, only do this if we're following the `Authorization Code` flow. For `Implicit Grant`, we don't supply a refresh token.
            }

            foreach (var s in authorizeViewModel.Scopes)
            {
                if (OAuthScope.NameInScopes(s))
                {
                    scopesToAdd.Add(s);
                }
            }

            ticket.SetScopes(scopesToAdd);

            return(ticket);
        }