internal static SaaSScopeBase Create(string[] scope, BaseValidatingTicketContext <OAuthAuthorizationServerOptions> context, AuthRepository auth, AuthProductRepository authProduct)
{
var worker = Create(scope, auth, authProduct);
worker.Context = context;
return(worker);
}
private static void VerifyAuthentication(BaseValidatingTicketContext <OAuthAuthorizationServerOptions> context, AuthenticatedUser response)
{
if (response != null && response.UserName != EmailAddress.Empty)
{
BuildToken(context, response);
}
else
{
context.SetError("Autorization Error", "The username or password is incorrect!");
context.Response.Headers.Add("AuthorizationResponse", new[] { "401" });
}
}
private static void GrantResourceOwnerCredentials(
BaseValidatingTicketContext <OAuthAuthorizationServerOptions> context,
SignInStatus status,
ClaimsIdentity user,
string clientId)
{
if (status == SignInStatus.Success)
{
var identity = new ClaimsIdentity("JWT");
identity.AddClaim(new Claim(JwtRegisteredClaimNames.Sub, user.Name));
// identity.AddClaim(new Claim(ClaimTypes.Sid, user.Id));
identity.AddClaims(
from claim in user.Claims
where
string.Equals(claim.Type, ClaimTypes.Role, StringComparison.OrdinalIgnoreCase)
// ||
// claim.ClaimType.Contains(SecurityExtensions.PermissionClaimTypePrefix)
select new Claim(claim.Type, claim.Value));
var props =
new AuthenticationProperties(
new Dictionary <string, string> {
{ "audience", clientId ?? string.Empty }
});
var ticket = new AuthenticationTicket(identity, props);
context.Validated(ticket);
}
else
{
switch (status)
{
case SignInStatus.Failure:
context.SetError("invalid_grant", "The user name or password is incorrect");
break;
case SignInStatus.LockedOut:
context.SetError("invalid_grant.locked", "The user account is locked");
break;
case SignInStatus.RequiresVerification:
context.SetError("invalid_grant.unverified", "The user account requires verification");
break;
default:
context.SetError("invalid_grant.error", "Unexpected failure. SignIn status: " + status);
break;
}
}
}
private static void BuildToken(BaseValidatingTicketContext <OAuthAuthorizationServerOptions> context, AuthenticatedUser response)
{
var claims = new ClaimsIdentity(context.Options.AuthenticationType);
claims.AddClaim(new Claim("Permissions", JsonConvert.SerializeObject(response.Permissions)));
claims.AddClaim(new Claim("UserOrgUnitId", JsonConvert.SerializeObject(response.OrgUnitId)));
claims.AddClaim(new Claim("UserId", JsonConvert.SerializeObject(new Guid(response.Id.ToString()))));
claims.AddClaim(new Claim("UserName", response.UserName.ToString()));
claims.AddClaim(new Claim("RoleId", JsonConvert.SerializeObject(response.RoleId)));
claims.AddClaim(new Claim("Email", response.EmailAddress.ToString()));
// claims.AddClaim(new Claim("SId", JsonConvert.SerializeObject(response.SId)));
claims.AddClaim(new Claim("IpAddress", context.Request.RemoteIpAddress));
context.Validated(claims);
}
private async Task CreateAuthenticationSignInInfo(BaseValidatingTicketContext <OAuthAuthorizationServerOptions> context, Formular.BaaS.Domain.User baasUser)
{
using (UserManager <ApplicationUser, int> userManager = _userManagerFactory())
{
var user = new ApplicationUser(baasUser);
if (user == null)
{
context.SetError("invalid_grant", "The user name or password is incorrect.");
return;
}
ClaimsIdentity oAuthIdentity = await userManager.CreateIdentityAsync(user,
context.Options.AuthenticationType);
ClaimsIdentity cookiesIdentity = await userManager.CreateIdentityAsync(user,
CookieAuthenticationDefaults.AuthenticationType);
AuthenticationProperties properties = CreateProperties(user.UserName);
AuthenticationTicket ticket = new AuthenticationTicket(oAuthIdentity, properties);
context.Validated(ticket);
context.Request.Context.Authentication.SignIn(cookiesIdentity);
}
}
private void InvalidGrant(BaseValidatingTicketContext context)
{
context.Reject(error: OpenIdConnectConstants.Errors.InvalidGrant, description: "Invalid user credentials.");
}
