public async Task <IActionResult> Exchange(OpenIdConnectRequest request)
{
if (request.IsPasswordGrantType())
{
// Validate the user credentials.
// Note: to mitigate brute force attacks, you SHOULD strongly consider
// applying a key derivation function like PBKDF2 to slow down
// the password validation process. You SHOULD also consider
// using a time-constant comparer to prevent timing attacks.
var user = await _userService.GetByName(request.Username);
// || !PasswordHelper.CheckPassword(user, request.Password)
if (user == null || !PasswordHelper.CompareHash(request.Password, user.Password, user.Salt))
{
return(Forbid(OpenIdConnectServerDefaults.AuthenticationScheme));
}
// Create a new ClaimsIdentity holding the user identity.
var identity = new ClaimsIdentity(
OpenIdConnectServerDefaults.AuthenticationScheme,
OpenIdConnectConstants.Claims.Name,
OpenIdConnectConstants.Claims.Role);
// Add a "sub" claim containing the user identifier, and attach
// the "access_token" destination to allow OpenIddict to store it
// in the access token, so it can be retrieved from your controllers.
identity.AddClaim(OpenIdConnectConstants.Claims.Name, user.UserName,
OpenIdConnectConstants.Destinations.AccessToken);
identity.AddClaim(OpenIdConnectConstants.Claims.Subject, user.UserId.ToString(),
OpenIdConnectConstants.Destinations.AccessToken);
identity.AddClaim(OpenIdConnectConstants.Claims.Role, (await _roleService.GetRoleById(user.RoleId)).Name,
OpenIdConnectConstants.Destinations.AccessToken);
// ... add other claims, if necessary.
var principal = new ClaimsPrincipal(identity);
// Ask OpenIddict to generate a new token and return an OAuth2 token response.
return(SignIn(principal, OpenIdConnectServerDefaults.AuthenticationScheme));
}
throw new InvalidOperationException("The specified grant type is not supported.");
}
private bool ComparePassword(string clearPassword, string transformedPassword)
{
return(PasswordHelper.CompareHash(clearPassword, transformedPassword));
}
