/// <summary>
 /// Called when receiving an identity token. An application may use this context
 /// to deserialize the token using a custom format and to skip the default logic using
 /// <see cref="BaseContext{OpenIdConnectServerOptions}.HandleResponse"/>.
 /// </summary>
 /// <param name="context">The context of the event carries information in and results out.</param>
 /// <returns>Task to enable asynchronous execution</returns>
 public virtual Task ReceiveIdentityToken(ReceiveIdentityTokenContext context) => OnReceiveIdentityToken(context);
Ejemplo n.º 2
0
        private async Task <AuthenticationTicket> ReceiveIdentityTokenAsync(string token, OpenIdConnectMessage request)
        {
            try {
                var notification = new ReceiveIdentityTokenContext(Context, Options, request, token)
                {
                    Issuer = Context.GetIssuer(Options),
                    SecurityTokenHandler = Options.IdentityTokenHandler,
                    SignatureProvider    = Options.SignatureProvider,
                    SigningKey           = Options.SigningCredentials.Select(credentials => credentials.SigningKey)
                                           .FirstOrDefault()
                };

                // Sets the default deserializer used to resolve the
                // authentication ticket corresponding to the identity token.
                notification.Deserializer = payload => {
                    if (notification.SecurityTokenHandler == null)
                    {
                        return(Task.FromResult <AuthenticationTicket>(null));
                    }

                    // Create new validation parameters to validate the security token.
                    // ValidateAudience and ValidateLifetime are always set to false:
                    // if necessary, the audience and the expiration can be validated
                    // in InvokeValidationEndpointAsync or InvokeTokenEndpointAsync.
                    var parameters = new TokenValidationParameters {
                        IssuerSigningKey = notification.SigningKey,
                        ValidIssuer      = notification.Issuer,
                        ValidateAudience = false,
                        ValidateLifetime = false
                    };

                    SecurityToken securityToken;
                    var           principal = notification.SecurityTokenHandler.ValidateToken(payload, parameters, out securityToken);

                    // Parameters stored in AuthenticationProperties are lost
                    // when the identity token is serialized using a security token handler.
                    // To mitigate that, they are inferred from the claims or the security token.
                    var properties = new AuthenticationProperties {
                        ExpiresUtc = securityToken.ValidTo,
                        IssuedUtc  = securityToken.ValidFrom
                    };

                    var audiences = principal.FindAll(JwtRegisteredClaimNames.Aud);
                    if (audiences.Any())
                    {
                        properties.SetAudiences(audiences.Select(claim => claim.Value));
                    }

                    var usage = principal.FindFirst(OpenIdConnectConstants.Extra.Usage);
                    if (usage != null)
                    {
                        properties.SetUsage(usage.Value);
                    }

                    if (principal.Claims.Any(claim => claim.Type == OpenIdConnectConstants.Extra.Confidential))
                    {
                        properties.Items[OpenIdConnectConstants.Extra.Confidential] = "true";
                    }

                    return(Task.FromResult(new AuthenticationTicket(principal, properties, Options.AuthenticationScheme)));
                };

                await Options.Provider.ReceiveIdentityToken(notification);

                // Directly return the authentication ticket if one
                // has been provided by ReceiveIdentityToken.
                // Treat a non-null ticket like an implicit HandleResponse call.
                if (notification.HandledResponse || notification.AuthenticationTicket != null)
                {
                    if (notification.AuthenticationTicket == null)
                    {
                        return(null);
                    }

                    // Ensure the received ticket is an identity token.
                    if (!notification.AuthenticationTicket.IsIdentityToken())
                    {
                        Logger.LogVerbose("The received token was not an identity token: {0}.", token);

                        return(null);
                    }

                    return(notification.AuthenticationTicket);
                }

                else if (notification.Skipped)
                {
                    return(null);
                }

                var ticket = await notification.DeserializeTicketAsync(token);

                if (ticket == null)
                {
                    return(null);
                }

                // Ensure the received ticket is an identity token.
                if (!ticket.IsIdentityToken())
                {
                    Logger.LogVerbose("The received token was not an identity token: {0}.", token);

                    return(null);
                }

                return(ticket);
            }

            catch (Exception exception) {
                Logger.LogWarning("An exception occured when deserializing an identity token.", exception);

                return(null);
            }
        }