private async Task <bool> InvokeUserinfoEndpointAsync()
{
OpenIdConnectRequest request;
if (string.Equals(Request.Method, "GET", StringComparison.OrdinalIgnoreCase))
{
request = new OpenIdConnectRequest(Request.Query);
}
else if (string.Equals(Request.Method, "POST", StringComparison.OrdinalIgnoreCase))
{
// Note: if no Content-Type header was specified, assume the userinfo request
// doesn't contain any parameter and create an empty OpenIdConnectRequest.
if (string.IsNullOrEmpty(Request.ContentType))
{
request = new OpenIdConnectRequest();
}
else
{
// May have media/type; charset=utf-8, allow partial match.
if (!Request.ContentType.StartsWith("application/x-www-form-urlencoded", StringComparison.OrdinalIgnoreCase))
{
Logger.LogError("The userinfo request was rejected because an invalid 'Content-Type' " +
"header was specified: {ContentType}.", Request.ContentType);
return(await SendUserinfoResponseAsync(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "The specified 'Content-Type' header is not valid."
}));
}
request = new OpenIdConnectRequest(await Request.ReadFormAsync());
}
}
else
{
Logger.LogError("The userinfo request was rejected because an invalid " +
"HTTP method was specified: {Method}.", Request.Method);
return(await SendUserinfoResponseAsync(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "The specified HTTP method is not valid."
}));
}
// Note: set the message type before invoking the ExtractUserinfoRequest event.
request.SetProperty(OpenIdConnectConstants.Properties.MessageType,
OpenIdConnectConstants.MessageTypes.UserinfoRequest);
// Insert the userinfo request in the OWIN context.
Context.SetOpenIdConnectRequest(request);
var @event = new ExtractUserinfoRequestContext(Context, Options, request);
await Options.Provider.ExtractUserinfoRequest(@event);
if (@event.HandledResponse)
{
Logger.LogDebug("The userinfo request was handled in user code.");
return(true);
}
else if (@event.Skipped)
{
Logger.LogDebug("The default userinfo request handling was skipped from user code.");
return(false);
}
else if (@event.IsRejected)
{
Logger.LogError("The userinfo request was rejected with the following error: {Error} ; {Description}",
/* Error: */ @event.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
/* Description: */ @event.ErrorDescription);
return(await SendUserinfoResponseAsync(new OpenIdConnectResponse
{
Error = @event.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = @event.ErrorDescription,
ErrorUri = @event.ErrorUri
}));
}
Logger.LogInformation("The userinfo request was successfully extracted " +
"from the HTTP request: {Request}.", request);
string token = null;
if (!string.IsNullOrEmpty(request.AccessToken))
{
token = request.AccessToken;
}
else
{
var header = Request.Headers.Get("Authorization");
if (!string.IsNullOrEmpty(header))
{
if (!header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
{
Logger.LogError("The userinfo request was rejected because the " +
"'Authorization' header was invalid: {Header}.", header);
return(await SendUserinfoResponseAsync(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "The specified 'Authorization' header is invalid."
}));
}
token = header.Substring("Bearer ".Length);
}
}
if (string.IsNullOrEmpty(token))
{
Logger.LogError("The userinfo request was rejected because the access token was missing.");
return(await SendUserinfoResponseAsync(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "The mandatory 'access_token' parameter is missing."
}));
}
var context = new ValidateUserinfoRequestContext(Context, Options, request);
await Options.Provider.ValidateUserinfoRequest(context);
if (context.HandledResponse)
{
Logger.LogDebug("The userinfo request was handled in user code.");
return(true);
}
else if (context.Skipped)
{
Logger.LogDebug("The default userinfo request handling was skipped from user code.");
return(false);
}
else if (context.IsRejected)
{
Logger.LogError("The userinfo request was rejected with the following error: {Error} ; {Description}",
/* Error: */ context.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
/* Description: */ context.ErrorDescription);
return(await SendUserinfoResponseAsync(new OpenIdConnectResponse
{
Error = context.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = context.ErrorDescription,
ErrorUri = context.ErrorUri
}));
}
Logger.LogInformation("The userinfo request was successfully validated.");
var ticket = await DeserializeAccessTokenAsync(token, request);
if (ticket == null)
{
Logger.LogError("The userinfo request was rejected because the access token was invalid.");
// Note: an invalid token should result in an unauthorized response
// but returning a 401 status would invoke the previously registered
// authentication middleware and potentially replace it by a 302 response.
// To work around this limitation, a 400 error is returned instead.
// See http://openid.net/specs/openid-connect-core-1_0.html#UserInfoError
return(await SendUserinfoResponseAsync(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidToken,
ErrorDescription = "The specified access token is not valid."
}));
}
if (ticket.Properties.ExpiresUtc.HasValue &&
ticket.Properties.ExpiresUtc < Options.SystemClock.UtcNow)
{
Logger.LogError("The userinfo request was rejected because the access token was expired.");
// Note: an invalid token should result in an unauthorized response
// but returning a 401 status would invoke the previously registered
// authentication middleware and potentially replace it by a 302 response.
// To work around this limitation, a 400 error is returned instead.
// See http://openid.net/specs/openid-connect-core-1_0.html#UserInfoError
return(await SendUserinfoResponseAsync(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidToken,
ErrorDescription = "The specified access token is no longer valid."
}));
}
var notification = new HandleUserinfoRequestContext(Context, Options, request, ticket)
{
Issuer = Context.GetIssuer(Options),
Subject = ticket.Identity.GetClaim(OpenIdConnectConstants.Claims.Subject)
};
// Note: when receiving an access token, its audiences list cannot be used for the "aud" claim
// as the client application is not the intented audience but only an authorized presenter.
// See http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
notification.Audiences.UnionWith(ticket.GetPresenters());
// The following claims are all optional and should be excluded when
// no corresponding value has been found in the authentication ticket.
if (ticket.HasScope(OpenIdConnectConstants.Scopes.Profile))
{
notification.FamilyName = ticket.Identity.GetClaim(OpenIdConnectConstants.Claims.FamilyName);
notification.GivenName = ticket.Identity.GetClaim(OpenIdConnectConstants.Claims.GivenName);
notification.BirthDate = ticket.Identity.GetClaim(OpenIdConnectConstants.Claims.Birthdate);
}
if (ticket.HasScope(OpenIdConnectConstants.Scopes.Email))
{
notification.Email = ticket.Identity.GetClaim(OpenIdConnectConstants.Claims.Email);
}
if (ticket.HasScope(OpenIdConnectConstants.Scopes.Phone))
{
notification.PhoneNumber = ticket.Identity.GetClaim(OpenIdConnectConstants.Claims.PhoneNumber);
}
await Options.Provider.HandleUserinfoRequest(notification);
if (notification.HandledResponse)
{
Logger.LogDebug("The userinfo request was handled in user code.");
return(true);
}
else if (notification.Skipped)
{
Logger.LogDebug("The default userinfo request handling was skipped from user code.");
return(false);
}
else if (notification.IsRejected)
{
Logger.LogError("The userinfo request was rejected with the following error: {Error} ; {Description}",
/* Error: */ notification.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
/* Description: */ notification.ErrorDescription);
return(await SendUserinfoResponseAsync(new OpenIdConnectResponse
{
Error = notification.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = notification.ErrorDescription,
ErrorUri = notification.ErrorUri
}));
}
// Ensure the "sub" claim has been correctly populated.
if (string.IsNullOrEmpty(notification.Subject))
{
throw new InvalidOperationException("The subject claim cannot be null or empty.");
}
var response = new OpenIdConnectResponse
{
[OpenIdConnectConstants.Claims.Subject] = notification.Subject,
[OpenIdConnectConstants.Claims.Address] = notification.Address,
[OpenIdConnectConstants.Claims.Birthdate] = notification.BirthDate,
[OpenIdConnectConstants.Claims.Email] = notification.Email,
[OpenIdConnectConstants.Claims.EmailVerified] = notification.EmailVerified,
[OpenIdConnectConstants.Claims.FamilyName] = notification.FamilyName,
[OpenIdConnectConstants.Claims.GivenName] = notification.GivenName,
[OpenIdConnectConstants.Claims.Issuer] = notification.Issuer,
[OpenIdConnectConstants.Claims.PhoneNumber] = notification.PhoneNumber,
[OpenIdConnectConstants.Claims.PhoneNumberVerified] = notification.PhoneNumberVerified,
[OpenIdConnectConstants.Claims.PreferredUsername] = notification.PreferredUsername,
[OpenIdConnectConstants.Claims.Profile] = notification.Profile,
[OpenIdConnectConstants.Claims.Website] = notification.Website
};
switch (notification.Audiences.Count)
{
case 0: break;
case 1:
response[OpenIdConnectConstants.Claims.Audience] = notification.Audiences.ElementAt(0);
break;
default:
response[OpenIdConnectConstants.Claims.Audience] = new JArray(notification.Audiences);
break;
}
foreach (var claim in notification.Claims)
{
response.SetParameter(claim.Key, claim.Value);
}
return(await SendUserinfoResponseAsync(response));
}
/// <summary> /// Represents an event called for each request to the userinfo endpoint to give the user code /// a chance to manually extract the userinfo request from the ambient HTTP context. /// </summary> /// <param name="context">The context instance associated with this event.</param> /// <returns>A <see cref="Task"/> that can be used to monitor the asynchronous operation.</returns> public virtual Task ExtractUserinfoRequest(ExtractUserinfoRequestContext context) => OnExtractUserinfoRequest(context);
private async Task <bool> InvokeUserinfoEndpointAsync()
{
OpenIdConnectMessage request;
if (string.Equals(Request.Method, "GET", StringComparison.OrdinalIgnoreCase))
{
request = new OpenIdConnectMessage(Request.Query);
}
else if (string.Equals(Request.Method, "POST", StringComparison.OrdinalIgnoreCase))
{
// See http://openid.net/specs/openid-connect-core-1_0.html#FormSerialization
if (string.IsNullOrWhiteSpace(Request.ContentType))
{
Options.Logger.LogError("The userinfo request was rejected because " +
"the mandatory 'Content-Type' header was missing.");
return(await SendUserinfoResponseAsync(null, new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "A malformed userinfo request has been received: " +
"the mandatory 'Content-Type' header was missing from the POST request."
}));
}
// May have media/type; charset=utf-8, allow partial match.
if (!Request.ContentType.StartsWith("application/x-www-form-urlencoded", StringComparison.OrdinalIgnoreCase))
{
Options.Logger.LogError("The userinfo request was rejected because an invalid 'Content-Type' " +
"header was received: {ContentType}.", Request.ContentType);
return(await SendUserinfoResponseAsync(null, new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "A malformed userinfo request has been received: " +
"the 'Content-Type' header contained an unexcepted value. " +
"Make sure to use 'application/x-www-form-urlencoded'."
}));
}
request = new OpenIdConnectMessage(await Request.ReadFormAsync());
}
else
{
Options.Logger.LogError("The userinfo request was rejected because an invalid " +
"HTTP method was received: {Method}.", Request.Method);
return(await SendUserinfoResponseAsync(null, new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "A malformed userinfo request has been received: " +
"make sure to use either GET or POST."
}));
}
var @event = new ExtractUserinfoRequestContext(Context, Options, request);
await Options.Provider.ExtractUserinfoRequest(@event);
// Allow the application code to replace the userinfo request.
request = @event.Request;
if (@event.HandledResponse)
{
return(true);
}
else if (@event.Skipped)
{
return(false);
}
else if (@event.IsRejected)
{
Options.Logger.LogError("The userinfo request was rejected with the following error: {Error} ; {Description}",
/* Error: */ @event.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
/* Description: */ @event.ErrorDescription);
return(await SendUserinfoResponseAsync(null, new OpenIdConnectMessage {
Error = @event.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = @event.ErrorDescription,
ErrorUri = @event.ErrorUri
}));
}
// Insert the userinfo request in the OWIN context.
Context.SetOpenIdConnectRequest(request);
string token;
if (!string.IsNullOrEmpty(request.AccessToken))
{
token = request.AccessToken;
}
else
{
var header = Request.Headers.Get("Authorization");
if (string.IsNullOrEmpty(header))
{
Options.Logger.LogError("The userinfo request was rejected because " +
"the 'Authorization' header was missing.");
return(await SendUserinfoResponseAsync(request, new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "A malformed userinfo request has been received."
}));
}
if (!header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
{
Options.Logger.LogError("The userinfo request was rejected because the " +
"'Authorization' header was invalid: {Header}.", header);
return(await SendUserinfoResponseAsync(request, new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "A malformed userinfo request has been received."
}));
}
token = header.Substring("Bearer ".Length);
if (string.IsNullOrEmpty(token))
{
Options.Logger.LogError("The userinfo request was rejected because the access token was missing.");
return(await SendUserinfoResponseAsync(request, new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "A malformed userinfo request has been received."
}));
}
}
var ticket = await DeserializeAccessTokenAsync(token, request);
if (ticket == null)
{
Options.Logger.LogError("The userinfo request was rejected because the access token was invalid.");
// Note: an invalid token should result in an unauthorized response
// but returning a 401 status would invoke the previously registered
// authentication middleware and potentially replace it by a 302 response.
// To work around this limitation, a 400 error is returned instead.
// See http://openid.net/specs/openid-connect-core-1_0.html#UserInfoError
return(await SendUserinfoResponseAsync(request, new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "Invalid token."
}));
}
if (!ticket.Properties.ExpiresUtc.HasValue ||
ticket.Properties.ExpiresUtc < Options.SystemClock.UtcNow)
{
Options.Logger.LogError("The userinfo request was rejected because the access token was expired.");
// Note: an invalid token should result in an unauthorized response
// but returning a 401 status would invoke the previously registered
// authentication middleware and potentially replace it by a 302 response.
// To work around this limitation, a 400 error is returned instead.
// See http://openid.net/specs/openid-connect-core-1_0.html#UserInfoError
return(await SendUserinfoResponseAsync(request, new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "Expired token."
}));
}
var context = new ValidateUserinfoRequestContext(Context, Options, request);
await Options.Provider.ValidateUserinfoRequest(context);
if (context.HandledResponse)
{
return(true);
}
else if (context.Skipped)
{
return(false);
}
else if (!context.IsValidated)
{
Options.Logger.LogError("The userinfo request was rejected with the following error: {Error} ; {Description}",
/* Error: */ context.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
/* Description: */ context.ErrorDescription);
return(await SendUserinfoResponseAsync(request, new OpenIdConnectMessage {
Error = context.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = context.ErrorDescription,
ErrorUri = context.ErrorUri
}));
}
var notification = new HandleUserinfoRequestContext(Context, Options, request, ticket);
notification.Subject = ticket.Identity.GetClaim(ClaimTypes.NameIdentifier);
notification.Issuer = Context.GetIssuer(Options);
// Note: when receiving an access token, its audiences list cannot be used for the "aud" claim
// as the client application is not the intented audience but only an authorized presenter.
// See http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
foreach (var presenter in ticket.GetPresenters())
{
notification.Audiences.Add(presenter);
}
// The following claims are all optional and should be excluded when
// no corresponding value has been found in the authentication ticket.
if (ticket.HasScope(OpenIdConnectConstants.Scopes.Profile))
{
notification.FamilyName = ticket.Identity.GetClaim(ClaimTypes.Surname);
notification.GivenName = ticket.Identity.GetClaim(ClaimTypes.GivenName);
notification.BirthDate = ticket.Identity.GetClaim(ClaimTypes.DateOfBirth);
}
if (ticket.HasScope(OpenIdConnectConstants.Scopes.Email))
{
notification.Email = ticket.Identity.GetClaim(ClaimTypes.Email);
}
;
if (ticket.HasScope(OpenIdConnectConstants.Scopes.Phone))
{
notification.PhoneNumber = ticket.Identity.GetClaim(ClaimTypes.HomePhone) ??
ticket.Identity.GetClaim(ClaimTypes.MobilePhone) ??
ticket.Identity.GetClaim(ClaimTypes.OtherPhone);
}
;
await Options.Provider.HandleUserinfoRequest(notification);
if (notification.HandledResponse)
{
return(true);
}
else if (notification.Skipped)
{
return(false);
}
else if (notification.IsRejected)
{
Options.Logger.LogError("The userinfo request was rejected with the following error: {Error} ; {Description}",
/* Error: */ notification.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
/* Description: */ notification.ErrorDescription);
return(await SendUserinfoResponseAsync(request, new OpenIdConnectMessage {
Error = notification.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = notification.ErrorDescription,
ErrorUri = notification.ErrorUri
}));
}
// Ensure the "sub" claim has been correctly populated.
if (string.IsNullOrEmpty(notification.Subject))
{
Options.Logger.LogError("The mandatory 'sub' claim was missing from the userinfo response.");
Response.StatusCode = 500;
return(await SendUserinfoResponseAsync(request, new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.ServerError,
ErrorDescription = "The mandatory 'sub' claim was missing."
}));
}
var response = new JObject();
response.Add(OpenIdConnectConstants.Claims.Subject, notification.Subject);
if (notification.Address != null)
{
response[OpenIdConnectConstants.Claims.Address] = notification.Address;
}
if (!string.IsNullOrEmpty(notification.BirthDate))
{
response[OpenIdConnectConstants.Claims.Birthdate] = notification.BirthDate;
}
if (!string.IsNullOrEmpty(notification.Email))
{
response[OpenIdConnectConstants.Claims.Email] = notification.Email;
}
if (notification.EmailVerified.HasValue)
{
response[OpenIdConnectConstants.Claims.EmailVerified] = notification.EmailVerified.Value;
}
if (!string.IsNullOrEmpty(notification.FamilyName))
{
response[OpenIdConnectConstants.Claims.FamilyName] = notification.FamilyName;
}
if (!string.IsNullOrEmpty(notification.GivenName))
{
response[OpenIdConnectConstants.Claims.GivenName] = notification.GivenName;
}
if (!string.IsNullOrEmpty(notification.Issuer))
{
response[OpenIdConnectConstants.Claims.Issuer] = notification.Issuer;
}
if (!string.IsNullOrEmpty(notification.PhoneNumber))
{
response[OpenIdConnectConstants.Claims.PhoneNumber] = notification.PhoneNumber;
}
if (notification.PhoneNumberVerified.HasValue)
{
response[OpenIdConnectConstants.Claims.PhoneNumberVerified] = notification.PhoneNumberVerified.Value;
}
if (!string.IsNullOrEmpty(notification.PreferredUsername))
{
response[OpenIdConnectConstants.Claims.PreferredUsername] = notification.PreferredUsername;
}
if (!string.IsNullOrEmpty(notification.Profile))
{
response[OpenIdConnectConstants.Claims.Profile] = notification.Profile;
}
if (!string.IsNullOrEmpty(notification.Website))
{
response[OpenIdConnectConstants.Claims.Website] = notification.Website;
}
switch (notification.Audiences.Count)
{
case 0: break;
case 1:
response.Add(OpenIdConnectConstants.Claims.Audience, notification.Audiences[0]);
break;
default:
response.Add(OpenIdConnectConstants.Claims.Audience, JArray.FromObject(notification.Audiences));
break;
}
foreach (var claim in notification.Claims)
{
// Ignore claims whose value is null.
if (claim.Value == null)
{
continue;
}
response[claim.Key] = claim.Value;
}
return(await SendUserinfoResponseAsync(request, response));
}