private async Task <IActionResult> IssueTokensAsync(
ClaimsPrincipal principal, OpenIdConnectRequest request,
IOpenIdApplication application, IOpenIdAuthorization authorization = null)
{
// Retrieve the profile of the logged in user.
var user = await _userManager.GetUserAsync(principal);
if (user == null)
{
return(View("Error", new ErrorViewModel
{
Error = OpenIdConnectConstants.Errors.ServerError,
ErrorDescription = T["An internal error has occurred"]
}));
}
var ticket = await CreateTicketAsync(user, application, authorization, request);
// Returning a SignInResult will ask OpenIddict to issue the appropriate access/identity tokens.
return(SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme));
}
private async Task <AuthenticationTicket> CreateTicketAsync(
IUser user, IOpenIdApplication application, IOpenIdAuthorization authorization,
OpenIdConnectRequest request, AuthenticationProperties properties = null)
{
Debug.Assert(request.IsAuthorizationRequest() || request.IsTokenRequest(),
"The request should be an authorization or token request.");
// Create a new ClaimsPrincipal containing the claims that
// will be used to create an id_token, a token or a code.
var principal = await _signInManager.CreateUserPrincipalAsync(user);
var identity = (ClaimsIdentity)principal.Identity;
// Note: while ASP.NET Core Identity uses the legacy WS-Federation claims (exposed by the ClaimTypes class),
// OpenIddict uses the newer JWT claims defined by the OpenID Connect specification. To ensure the mandatory
// subject claim is correctly populated (and avoid an InvalidOperationException), it's manually added here.
if (string.IsNullOrEmpty(principal.FindFirstValue(OpenIdConnectConstants.Claims.Subject)))
{
identity.AddClaim(new Claim(OpenIdConnectConstants.Claims.Subject, await _userManager.GetUserIdAsync(user)));
}
// Create a new authentication ticket holding the user identity.
var ticket = new AuthenticationTicket(principal, properties,
OpenIdConnectServerDefaults.AuthenticationScheme);
if (request.IsAuthorizationRequest() || (!request.IsAuthorizationCodeGrantType() &&
!request.IsRefreshTokenGrantType()))
{
// Set the list of scopes granted to the client application.
// Note: the offline_access scope must be granted
// to allow OpenIddict to return a refresh token.
ticket.SetScopes(new[]
{
OpenIdConnectConstants.Scopes.OpenId,
OpenIdConnectConstants.Scopes.Email,
OpenIdConnectConstants.Scopes.Profile,
OpenIdConnectConstants.Scopes.OfflineAccess,
OpenIddictConstants.Scopes.Roles
}.Intersect(request.GetScopes()));
ticket.SetResources(await GetResourcesAsync(request));
// If the request is an authorization request, automatically create
// a permanent authorization to avoid requiring explicit consent for
// future authorization or token requests containing the same scopes.
if (authorization == null && request.IsAuthorizationRequest())
{
authorization = await _authorizationManager.CreateAsync(
principal : ticket.Principal,
subject : await _userManager.GetUserIdAsync(user),
client : await _applicationManager.GetIdAsync(application),
type : OpenIddictConstants.AuthorizationTypes.Permanent,
scopes : ImmutableArray.CreateRange(ticket.GetScopes()),
properties : ImmutableDictionary.CreateRange(ticket.Properties.Items));
}
if (authorization != null)
{
// Attach the authorization identifier to the authentication ticket.
ticket.SetProperty(OpenIddictConstants.Properties.AuthorizationId,
await _authorizationManager.GetIdAsync(authorization));
}
}
// Note: by default, claims are NOT automatically included in the access and identity tokens.
// To allow OpenIddict to serialize them, you must attach them a destination, that specifies
// whether they should be included in access tokens, in identity tokens or in both.
foreach (var claim in ticket.Principal.Claims)
{
// Never include the security stamp in the access and identity tokens, as it's a secret value.
if (claim.Type == _identityOptions.Value.ClaimsIdentity.SecurityStampClaimType)
{
continue;
}
var destinations = new List <string>
{
OpenIdConnectConstants.Destinations.AccessToken
};
// Only add the iterated claim to the id_token if the corresponding scope was granted to the client application.
// The other claims will only be added to the access_token, which is encrypted when using the default format.
if ((claim.Type == OpenIdConnectConstants.Claims.Name && ticket.HasScope(OpenIdConnectConstants.Scopes.Profile)) ||
(claim.Type == OpenIdConnectConstants.Claims.Email && ticket.HasScope(OpenIdConnectConstants.Scopes.Email)) ||
(claim.Type == OpenIdConnectConstants.Claims.Role && ticket.HasScope(OpenIddictConstants.Claims.Roles)))
{
destinations.Add(OpenIdConnectConstants.Destinations.IdentityToken);
}
claim.SetDestinations(destinations);
}
return(ticket);
}
Task IOpenIddictAuthorizationStore <IOpenIdAuthorization> .UpdateAsync(IOpenIdAuthorization authorization, CancellationToken cancellationToken) => UpdateAsync((OpenIdAuthorization)authorization, cancellationToken);
Task <string> IOpenIdAuthorizationStore.GetPhysicalIdAsync(IOpenIdAuthorization authorization, CancellationToken cancellationToken) => GetPhysicalIdAsync((OpenIdAuthorization)authorization, cancellationToken);
Task IOpenIddictAuthorizationStore <IOpenIdAuthorization> .SetSubjectAsync(IOpenIdAuthorization authorization,
string subject, CancellationToken cancellationToken)
=> SetSubjectAsync((OpenIdAuthorization)authorization, subject, cancellationToken);
Task IOpenIddictAuthorizationStore <IOpenIdAuthorization> .SetTypeAsync(IOpenIdAuthorization authorization,
string type, CancellationToken cancellationToken)
=> SetTypeAsync((OpenIdAuthorization)authorization, type, cancellationToken);
Task IOpenIddictAuthorizationStore <IOpenIdAuthorization> .SetScopesAsync(IOpenIdAuthorization authorization,
ImmutableArray <string> scopes, CancellationToken cancellationToken)
=> SetScopesAsync((OpenIdAuthorization)authorization, scopes, cancellationToken);
Task IOpenIddictAuthorizationStore <IOpenIdAuthorization> .SetStatusAsync(IOpenIdAuthorization authorization,
string status, CancellationToken cancellationToken)
=> SetStatusAsync((OpenIdAuthorization)authorization, status, cancellationToken);
Task IOpenIddictAuthorizationStore <IOpenIdAuthorization> .SetPropertiesAsync(IOpenIdAuthorization authorization, JObject properties, CancellationToken cancellationToken) => SetPropertiesAsync((OpenIdAuthorization)authorization, properties, cancellationToken);
Task IOpenIddictAuthorizationStore <IOpenIdAuthorization> .SetApplicationIdAsync(IOpenIdAuthorization authorization,
string identifier, CancellationToken cancellationToken)
=> SetApplicationIdAsync((OpenIdAuthorization)authorization, identifier, cancellationToken);
Task <string> IOpenIddictAuthorizationStore <IOpenIdAuthorization> .GetTypeAsync(IOpenIdAuthorization authorization, CancellationToken cancellationToken) => GetTypeAsync((OpenIdAuthorization)authorization, cancellationToken);
Task <ImmutableArray <string> > IOpenIddictAuthorizationStore <IOpenIdAuthorization> .GetScopesAsync(IOpenIdAuthorization authorization, CancellationToken cancellationToken) => GetScopesAsync((OpenIdAuthorization)authorization, cancellationToken);
Task <JObject> IOpenIddictAuthorizationStore <IOpenIdAuthorization> .GetPropertiesAsync(IOpenIdAuthorization authorization, CancellationToken cancellationToken) => GetPropertiesAsync((OpenIdAuthorization)authorization, cancellationToken);
