public async Task <GrantedToken> Execute(ClientCredentialsGrantTypeParameter clientCredentialsGrantTypeParameter, AuthenticationHeaderValue authenticationHeaderValue, X509Certificate2 certificate, string issuerName)
{
if (clientCredentialsGrantTypeParameter == null)
{
throw new ArgumentNullException(nameof(clientCredentialsGrantTypeParameter));
}
_clientCredentialsGrantTypeParameterValidator.Validate(clientCredentialsGrantTypeParameter);
// 1. Authenticate the client
var instruction = CreateAuthenticateInstruction(clientCredentialsGrantTypeParameter, authenticationHeaderValue, certificate);
var authResult = await _authenticateClient.AuthenticateAsync(instruction, issuerName);
var client = authResult.Client;
if (client == null)
{
throw new IdentityServerException(ErrorCodes.InvalidClient, authResult.ErrorMessage);
}
// 2. Check client
if (client.GrantTypes == null || !client.GrantTypes.Contains(GrantType.client_credentials))
{
throw new IdentityServerException(ErrorCodes.InvalidClient,
string.Format(ErrorDescriptions.TheClientDoesntSupportTheGrantType, client.ClientId, GrantType.client_credentials));
}
if (client.ResponseTypes == null || !client.ResponseTypes.Contains(ResponseType.token))
{
throw new IdentityServerException(ErrorCodes.InvalidClient,
string.Format(ErrorDescriptions.TheClientDoesntSupportTheResponseType, client.ClientId, ResponseType.token));
}
// 3. Check scopes
string allowedTokenScopes = string.Empty;
if (!string.IsNullOrWhiteSpace(clientCredentialsGrantTypeParameter.Scope))
{
var scopeValidation = _scopeValidator.Check(clientCredentialsGrantTypeParameter.Scope, client);
if (!scopeValidation.IsValid)
{
throw new IdentityServerException(
ErrorCodes.InvalidScope,
scopeValidation.ErrorMessage);
}
allowedTokenScopes = string.Join(" ", scopeValidation.Scopes);
}
// 4. Generate the JWT access token on the fly.
var grantedToken = await _grantedTokenHelper.GetValidGrantedTokenAsync(allowedTokenScopes, client.ClientId);
if (grantedToken == null)
{
grantedToken = await _grantedTokenGeneratorHelper.GenerateTokenAsync(client, allowedTokenScopes, issuerName);
await _tokenStore.AddToken(grantedToken);
_oauthEventSource.GrantAccessToClient(client.ClientId, grantedToken.AccessToken, allowedTokenScopes);
}
return(grantedToken);
}
public async Task <GrantedToken> Execute(ResourceOwnerGrantTypeParameter resourceOwnerGrantTypeParameter, AuthenticationHeaderValue authenticationHeaderValue, X509Certificate2 certificate = null)
{
if (resourceOwnerGrantTypeParameter == null)
{
throw new ArgumentNullException(nameof(resourceOwnerGrantTypeParameter));
}
// 1. Try to authenticate the client
var instruction = CreateAuthenticateInstruction(resourceOwnerGrantTypeParameter, authenticationHeaderValue, certificate);
var authResult = await _authenticateClient.AuthenticateAsync(instruction);
var client = authResult.Client;
if (authResult.Client == null)
{
_simpleIdentityServerEventSource.Info(ErrorDescriptions.TheClientCannotBeAuthenticated);
client = await _clientRepository.GetClientByIdAsync(Constants.AnonymousClientId);
if (client == null)
{
throw new IdentityServerException(ErrorCodes.InternalError, string.Format(ErrorDescriptions.ClientIsNotValid, Constants.AnonymousClientId));
}
}
// 2. Try to authenticate a resource owner
var resourceOwner = await _authenticateResourceOwnerService.AuthenticateResourceOwnerAsync(resourceOwnerGrantTypeParameter.UserName, resourceOwnerGrantTypeParameter.Password);
if (resourceOwner == null)
{
throw new IdentityServerException(ErrorCodes.InvalidGrant, ErrorDescriptions.ResourceOwnerCredentialsAreNotValid);
}
// 3. Check if the requested scopes are valid
var allowedTokenScopes = string.Empty;
if (!string.IsNullOrWhiteSpace(resourceOwnerGrantTypeParameter.Scope))
{
var scopeValidation = _scopeValidator.Check(resourceOwnerGrantTypeParameter.Scope, client);
if (!scopeValidation.IsValid)
{
throw new IdentityServerException(ErrorCodes.InvalidScope, scopeValidation.ErrorMessage);
}
allowedTokenScopes = string.Join(" ", scopeValidation.Scopes);
}
// 4. Generate the user information payload and store it.
var claims = resourceOwner.Claims;
var claimsIdentity = new ClaimsIdentity(claims, "simpleIdentityServer");
var claimsPrincipal = new ClaimsPrincipal(claimsIdentity);
var authorizationParameter = new AuthorizationParameter
{
Scope = resourceOwnerGrantTypeParameter.Scope
};
var payload = await _jwtGenerator.GenerateUserInfoPayloadForScopeAsync(claimsPrincipal, authorizationParameter);
var generatedToken = await _grantedTokenHelper.GetValidGrantedTokenAsync(allowedTokenScopes, client.ClientId, payload, payload);
if (generatedToken == null)
{
generatedToken = await _grantedTokenGeneratorHelper.GenerateTokenAsync(client.ClientId, allowedTokenScopes, payload, payload);
await _grantedTokenRepository.InsertAsync(generatedToken);
// Fill-in the id-token
if (generatedToken.IdTokenPayLoad != null)
{
generatedToken.IdToken = await _clientHelper.GenerateIdTokenAsync(client, generatedToken.IdTokenPayLoad);
}
_simpleIdentityServerEventSource.GrantAccessToClient(client.ClientId, generatedToken.AccessToken, allowedTokenScopes);
}
return(generatedToken);
}
public async Task <ActionResult> ProcessAsync(AuthorizationParameter authorizationParameter, ClaimsPrincipal claimsPrincipal, Core.Common.Models.Client client, string issuerName)
{
if (authorizationParameter == null)
{
throw new ArgumentNullException(nameof(authorizationParameter));
}
if (client == null)
{
throw new ArgumentNullException(nameof(client));
}
var endUserIsAuthenticated = IsAuthenticated(claimsPrincipal);
Consent confirmedConsent = null;
if (endUserIsAuthenticated)
{
confirmedConsent = await GetResourceOwnerConsent(claimsPrincipal, authorizationParameter);
}
var serializedAuthorizationParameter = authorizationParameter.SerializeWithJavascript();
_oauthEventSource.StartProcessingAuthorizationRequest(serializedAuthorizationParameter);
ActionResult result = null;
var prompts = _parameterParserHelper.ParsePrompts(authorizationParameter.Prompt);
if (prompts == null || !prompts.Any())
{
prompts = new List <PromptParameter>();
if (!endUserIsAuthenticated)
{
prompts.Add(PromptParameter.login);
}
else
{
if (confirmedConsent == null)
{
prompts.Add(PromptParameter.consent);
}
else
{
prompts.Add(PromptParameter.none);
}
}
}
var redirectionUrls = _clientValidator.GetRedirectionUrls(client, authorizationParameter.RedirectUrl);
if (!redirectionUrls.Any())
{
throw new IdentityServerExceptionWithState(
ErrorCodes.InvalidRequestCode,
string.Format(ErrorDescriptions.RedirectUrlIsNotValid, authorizationParameter.RedirectUrl),
authorizationParameter.State);
}
var scopeValidationResult = _scopeValidator.Check(authorizationParameter.Scope, client);
if (!scopeValidationResult.IsValid)
{
throw new IdentityServerExceptionWithState(
ErrorCodes.InvalidScope,
scopeValidationResult.ErrorMessage,
authorizationParameter.State);
}
if (!scopeValidationResult.Scopes.Contains(Constants.StandardScopes.OpenId.Name))
{
throw new IdentityServerExceptionWithState(
ErrorCodes.InvalidScope,
string.Format(ErrorDescriptions.TheScopesNeedToBeSpecified, Constants.StandardScopes.OpenId.Name),
authorizationParameter.State);
}
var responseTypes = _parameterParserHelper.ParseResponseTypes(authorizationParameter.ResponseType);
if (!responseTypes.Any())
{
throw new IdentityServerExceptionWithState(
ErrorCodes.InvalidRequestCode,
string.Format(ErrorDescriptions.MissingParameter, Constants.StandardAuthorizationRequestParameterNames.ResponseTypeName),
authorizationParameter.State);
}
if (!_clientValidator.CheckResponseTypes(client, responseTypes.ToArray()))
{
throw new IdentityServerExceptionWithState(
ErrorCodes.InvalidRequestCode,
string.Format(ErrorDescriptions.TheClientDoesntSupportTheResponseType,
authorizationParameter.ClientId,
string.Join(",", responseTypes)),
authorizationParameter.State);
}
// Check if the user connection is still valid.
if (endUserIsAuthenticated && !authorizationParameter.MaxAge.Equals(default(double)))
{
var authenticationDateTimeClaim = claimsPrincipal.Claims.FirstOrDefault(c => c.Type == ClaimTypes.AuthenticationInstant);
if (authenticationDateTimeClaim != null)
{
var maxAge = authorizationParameter.MaxAge;
var currentDateTimeUtc = DateTimeOffset.UtcNow.ConvertToUnixTimestamp();
var authenticationDateTime = long.Parse(authenticationDateTimeClaim.Value);
if (maxAge < currentDateTimeUtc - authenticationDateTime)
{
result = _actionResultFactory.CreateAnEmptyActionResultWithRedirection();
result.RedirectInstruction.Action = IdentityServerEndPoints.AuthenticateIndex;
}
}
}
if (result == null)
{
result = ProcessPromptParameters(
prompts,
claimsPrincipal,
authorizationParameter,
confirmedConsent);
await ProcessIdTokenHint(result,
authorizationParameter,
prompts,
claimsPrincipal,
issuerName);
}
var actionTypeName = Enum.GetName(typeof(TypeActionResult), result.Type);
var actionName = result.RedirectInstruction == null
? string.Empty
: Enum.GetName(typeof(IdentityServerEndPoints), result.RedirectInstruction.Action);
_oauthEventSource.EndProcessingAuthorizationRequest(
serializedAuthorizationParameter,
actionTypeName,
actionName);
return(result);
}
public async Task <GrantedToken> Execute(ResourceOwnerGrantTypeParameter resourceOwnerGrantTypeParameter, AuthenticationHeaderValue authenticationHeaderValue, X509Certificate2 certificate, string issuerName)
{
if (resourceOwnerGrantTypeParameter == null)
{
throw new ArgumentNullException(nameof(resourceOwnerGrantTypeParameter));
}
// 1. Try to authenticate the client
var instruction = CreateAuthenticateInstruction(resourceOwnerGrantTypeParameter, authenticationHeaderValue, certificate);
var authResult = await _authenticateClient.AuthenticateAsync(instruction, issuerName);
var client = authResult.Client;
if (authResult.Client == null)
{
_oauthEventSource.Info(authResult.ErrorMessage);
throw new IdentityServerException(ErrorCodes.InvalidClient, authResult.ErrorMessage);
}
// 2. Check the client.
if (client.GrantTypes == null || !client.GrantTypes.Contains(GrantType.password))
{
throw new IdentityServerException(ErrorCodes.InvalidClient,
string.Format(ErrorDescriptions.TheClientDoesntSupportTheGrantType, client.ClientId, GrantType.password));
}
if (client.ResponseTypes == null || !client.ResponseTypes.Contains(ResponseType.token) || !client.ResponseTypes.Contains(ResponseType.id_token))
{
throw new IdentityServerException(ErrorCodes.InvalidClient, string.Format(ErrorDescriptions.TheClientDoesntSupportTheResponseType, client.ClientId, "token id_token"));
}
// 3. Try to authenticate a resource owner
var resourceOwner = await _resourceOwnerAuthenticateHelper.Authenticate(resourceOwnerGrantTypeParameter.UserName,
resourceOwnerGrantTypeParameter.Password,
resourceOwnerGrantTypeParameter.AmrValues);
if (resourceOwner == null)
{
throw new IdentityServerException(ErrorCodes.InvalidGrant, ErrorDescriptions.ResourceOwnerCredentialsAreNotValid);
}
// 4. Check if the requested scopes are valid
var allowedTokenScopes = string.Empty;
if (!string.IsNullOrWhiteSpace(resourceOwnerGrantTypeParameter.Scope))
{
var scopeValidation = _scopeValidator.Check(resourceOwnerGrantTypeParameter.Scope, client);
if (!scopeValidation.IsValid)
{
throw new IdentityServerException(ErrorCodes.InvalidScope, scopeValidation.ErrorMessage);
}
allowedTokenScopes = string.Join(" ", scopeValidation.Scopes);
}
// 5. Generate the user information payload and store it.
var claims = resourceOwner.Claims;
var claimsIdentity = new ClaimsIdentity(claims, "simpleIdentityServer");
var claimsPrincipal = new ClaimsPrincipal(claimsIdentity);
var authorizationParameter = new AuthorizationParameter
{
Scope = resourceOwnerGrantTypeParameter.Scope
};
var payload = await _jwtGenerator.GenerateIdTokenPayloadForScopesAsync(claimsPrincipal, authorizationParameter, issuerName);
var generatedToken = await _grantedTokenHelper.GetValidGrantedTokenAsync(allowedTokenScopes, client.ClientId, payload, payload);
if (generatedToken == null)
{
generatedToken = await _grantedTokenGeneratorHelper.GenerateTokenAsync(client, allowedTokenScopes, issuerName, payload, payload);
if (generatedToken.IdTokenPayLoad != null)
{
await _jwtGenerator.UpdatePayloadDate(generatedToken.IdTokenPayLoad);
generatedToken.IdToken = await _clientHelper.GenerateIdTokenAsync(client, generatedToken.IdTokenPayLoad);
}
await _tokenStore.AddToken(generatedToken);
_oauthEventSource.GrantAccessToClient(client.ClientId, generatedToken.AccessToken, allowedTokenScopes);
}
return(generatedToken);
}