public async Task <GrantedToken> Execute(RefreshTokenGrantTypeParameter refreshTokenGrantTypeParameter)
{
if (refreshTokenGrantTypeParameter == null)
{
throw new ArgumentNullException(nameof(refreshTokenGrantTypeParameter));
}
// 1. Validate parameters
var grantedToken = await ValidateParameter(refreshTokenGrantTypeParameter);
// 2. Generate a new access token & insert it
var generatedToken = await _grantedTokenGeneratorHelper.GenerateTokenAsync(
grantedToken.ClientId,
grantedToken.Scope,
grantedToken.UserInfoPayLoad,
grantedToken.IdTokenPayLoad);
generatedToken.ParentTokenId = grantedToken.Id;
await _grantedTokenRepository.InsertAsync(generatedToken);
// 3. Fill-in the idtoken
if (generatedToken.IdTokenPayLoad != null)
{
generatedToken.IdToken = await _clientHelper.GenerateIdTokenAsync(generatedToken.ClientId, generatedToken.IdTokenPayLoad);
}
_simpleIdentityServerEventSource.GrantAccessToClient(generatedToken.ClientId,
generatedToken.AccessToken,
generatedToken.Scope);
return(generatedToken);
}
public async Task <GrantedToken> Execute(
AuthorizationCodeGrantTypeParameter authorizationCodeGrantTypeParameter,
AuthenticationHeaderValue authenticationHeaderValue)
{
if (authorizationCodeGrantTypeParameter == null)
{
throw new ArgumentNullException(nameof(authorizationCodeGrantTypeParameter));
}
var result = await ValidateParameter(
authorizationCodeGrantTypeParameter,
authenticationHeaderValue);
// Invalidate the authorization code by removing it !
await _authorizationCodeRepository.RemoveAsync(result.Code.Code);
var grantedToken = await _grantedTokenHelper.GetValidGrantedTokenAsync(
result.Code.Scopes,
result.Code.ClientId,
result.Code.IdTokenPayload,
result.Code.UserInfoPayLoad);
if (grantedToken == null)
{
grantedToken = await _grantedTokenGeneratorHelper.GenerateTokenAsync(
result.Code.ClientId,
result.Code.Scopes,
result.Code.UserInfoPayLoad,
result.Code.IdTokenPayload);
await _grantedTokenRepository.InsertAsync(grantedToken);
_simpleIdentityServerEventSource.GrantAccessToClient(
result.Code.ClientId,
grantedToken.AccessToken,
grantedToken.IdToken);
}
// Fill-in the id-token
if (grantedToken.IdTokenPayLoad != null)
{
grantedToken.IdToken = await _clientHelper.GenerateIdTokenAsync(result.Client, grantedToken.IdTokenPayLoad);
}
return(grantedToken);
}
public async Task <GrantedToken> Execute(ResourceOwnerGrantTypeParameter resourceOwnerGrantTypeParameter, AuthenticationHeaderValue authenticationHeaderValue, X509Certificate2 certificate = null)
{
if (resourceOwnerGrantTypeParameter == null)
{
throw new ArgumentNullException(nameof(resourceOwnerGrantTypeParameter));
}
// 1. Try to authenticate the client
var instruction = CreateAuthenticateInstruction(resourceOwnerGrantTypeParameter, authenticationHeaderValue, certificate);
var authResult = await _authenticateClient.AuthenticateAsync(instruction);
var client = authResult.Client;
if (authResult.Client == null)
{
_simpleIdentityServerEventSource.Info(ErrorDescriptions.TheClientCannotBeAuthenticated);
client = await _clientRepository.GetClientByIdAsync(Constants.AnonymousClientId);
if (client == null)
{
throw new IdentityServerException(ErrorCodes.InternalError, string.Format(ErrorDescriptions.ClientIsNotValid, Constants.AnonymousClientId));
}
}
// 2. Try to authenticate a resource owner
var resourceOwner = await _authenticateResourceOwnerService.AuthenticateResourceOwnerAsync(resourceOwnerGrantTypeParameter.UserName, resourceOwnerGrantTypeParameter.Password);
if (resourceOwner == null)
{
throw new IdentityServerException(ErrorCodes.InvalidGrant, ErrorDescriptions.ResourceOwnerCredentialsAreNotValid);
}
// 3. Check if the requested scopes are valid
var allowedTokenScopes = string.Empty;
if (!string.IsNullOrWhiteSpace(resourceOwnerGrantTypeParameter.Scope))
{
var scopeValidation = _scopeValidator.Check(resourceOwnerGrantTypeParameter.Scope, client);
if (!scopeValidation.IsValid)
{
throw new IdentityServerException(ErrorCodes.InvalidScope, scopeValidation.ErrorMessage);
}
allowedTokenScopes = string.Join(" ", scopeValidation.Scopes);
}
// 4. Generate the user information payload and store it.
var claims = resourceOwner.Claims;
var claimsIdentity = new ClaimsIdentity(claims, "simpleIdentityServer");
var claimsPrincipal = new ClaimsPrincipal(claimsIdentity);
var authorizationParameter = new AuthorizationParameter
{
Scope = resourceOwnerGrantTypeParameter.Scope
};
var payload = await _jwtGenerator.GenerateUserInfoPayloadForScopeAsync(claimsPrincipal, authorizationParameter);
var generatedToken = await _grantedTokenHelper.GetValidGrantedTokenAsync(allowedTokenScopes, client.ClientId, payload, payload);
if (generatedToken == null)
{
generatedToken = await _grantedTokenGeneratorHelper.GenerateTokenAsync(client.ClientId, allowedTokenScopes, payload, payload);
await _grantedTokenRepository.InsertAsync(generatedToken);
// Fill-in the id-token
if (generatedToken.IdTokenPayLoad != null)
{
generatedToken.IdToken = await _clientHelper.GenerateIdTokenAsync(client, generatedToken.IdTokenPayLoad);
}
_simpleIdentityServerEventSource.GrantAccessToClient(client.ClientId, generatedToken.AccessToken, allowedTokenScopes);
}
return(generatedToken);
}
public async Task <GrantedToken> Execute(
ClientCredentialsGrantTypeParameter clientCredentialsGrantTypeParameter,
AuthenticationHeaderValue authenticationHeaderValue)
{
if (clientCredentialsGrantTypeParameter == null)
{
throw new ArgumentNullException(nameof(clientCredentialsGrantTypeParameter));
}
_clientCredentialsGrantTypeParameterValidator.Validate(clientCredentialsGrantTypeParameter);
// 1. Authenticate the client
var instruction = CreateAuthenticateInstruction(clientCredentialsGrantTypeParameter,
authenticationHeaderValue);
var authResult = await _authenticateClient.AuthenticateAsync(instruction);
var client = authResult.Client;
if (client == null)
{
throw new IdentityServerException(ErrorCodes.InvalidClient, authResult.ErrorMessage);
}
// 2. Check client
if (client.GrantTypes == null ||
!client.GrantTypes.Contains(GrantType.client_credentials))
{
throw new IdentityServerException(ErrorCodes.InvalidGrant,
string.Format(ErrorDescriptions.TheClientDoesntSupportTheGrantType, client.ClientId, GrantType.client_credentials));
}
if (client.ResponseTypes == null ||
!client.ResponseTypes.Contains(ResponseType.token))
{
throw new IdentityServerException(ErrorCodes.InvalidClient,
string.Format(ErrorDescriptions.TheClientDoesntSupportTheResponseType, client.ClientId, ResponseType.token));
}
// 3. Check scopes
string allowedTokenScopes = string.Empty;
if (!string.IsNullOrWhiteSpace(clientCredentialsGrantTypeParameter.Scope))
{
var scopeValidation = _scopeValidator.Check(clientCredentialsGrantTypeParameter.Scope, client);
if (!scopeValidation.IsValid)
{
throw new IdentityServerException(
ErrorCodes.InvalidScope,
scopeValidation.ErrorMessage);
}
allowedTokenScopes = string.Join(" ", scopeValidation.Scopes);
}
// 4. Generate the JWT access token on the fly.
var grantedToken = await _grantedTokenHelper.GetValidGrantedTokenAsync(allowedTokenScopes, client.ClientId);
if (grantedToken == null)
{
grantedToken = await _grantedTokenGeneratorHelper.GenerateTokenAsync(client, allowedTokenScopes);
await _tokenStore.AddToken(grantedToken);
_simpleIdentityServerEventSource.GrantAccessToClient(client.ClientId, grantedToken.AccessToken, allowedTokenScopes);
}
return(grantedToken);
}
public async Task ExecuteAsync(ActionResult actionResult, AuthorizationParameter authorizationParameter, ClaimsPrincipal claimsPrincipal, Client client)
{
if (actionResult == null || actionResult.RedirectInstruction == null)
{
throw new ArgumentNullException(nameof(actionResult));
}
;
if (authorizationParameter == null)
{
throw new ArgumentNullException(nameof(authorizationParameter));
}
if (claimsPrincipal == null)
{
throw new ArgumentNullException(nameof(claimsPrincipal));
}
if (client == null)
{
throw new ArgumentNullException(nameof(client));
}
var newAccessTokenGranted = false;
var allowedTokenScopes = string.Empty;
GrantedToken grantedToken = null;
var newAuthorizationCodeGranted = false;
AuthorizationCode authorizationCode = null;
_simpleIdentityServerEventSource.StartGeneratingAuthorizationResponseToClient(authorizationParameter.ClientId,
authorizationParameter.ResponseType);
var responses = _parameterParserHelper.ParseResponseTypes(authorizationParameter.ResponseType);
var idTokenPayload = await GenerateIdTokenPayload(claimsPrincipal, authorizationParameter);
var userInformationPayload = await GenerateUserInformationPayload(claimsPrincipal, authorizationParameter);
if (responses.Contains(ResponseType.token)) // 1. Generate an access token.
{
if (!string.IsNullOrWhiteSpace(authorizationParameter.Scope))
{
allowedTokenScopes = string.Join(" ", _parameterParserHelper.ParseScopes(authorizationParameter.Scope));
}
grantedToken = await _grantedTokenHelper.GetValidGrantedTokenAsync(allowedTokenScopes, client.ClientId,
userInformationPayload, idTokenPayload);
if (grantedToken == null)
{
grantedToken = await _grantedTokenGeneratorHelper.GenerateTokenAsync(client, allowedTokenScopes,
userInformationPayload, idTokenPayload);
newAccessTokenGranted = true;
}
actionResult.RedirectInstruction.AddParameter(Constants.StandardAuthorizationResponseNames.AccessTokenName,
grantedToken.AccessToken);
}
if (responses.Contains(ResponseType.code)) // 2. Generate an authorization code.
{
var subject = claimsPrincipal == null ? string.Empty : claimsPrincipal.GetSubject();
var assignedConsent = await _consentHelper.GetConfirmedConsentsAsync(subject, authorizationParameter);
if (assignedConsent != null)
{
// Insert a temporary authorization code
// It will be used later to retrieve tha id_token or an access token.
authorizationCode = new AuthorizationCode
{
Code = Guid.NewGuid().ToString(),
RedirectUri = authorizationParameter.RedirectUrl,
CreateDateTime = DateTime.UtcNow,
ClientId = authorizationParameter.ClientId,
Scopes = authorizationParameter.Scope,
IdTokenPayload = idTokenPayload,
UserInfoPayLoad = userInformationPayload
};
newAuthorizationCodeGranted = true;
actionResult.RedirectInstruction.AddParameter(Constants.StandardAuthorizationResponseNames.AuthorizationCodeName,
authorizationCode.Code);
}
}
_jwtGenerator.FillInOtherClaimsIdentityTokenPayload(idTokenPayload,
authorizationCode == null ? string.Empty : authorizationCode.Code,
grantedToken == null ? string.Empty : grantedToken.AccessToken,
authorizationParameter, client);
if (newAccessTokenGranted) // 3. Insert the stateful access token into the DB OR insert the access token into the caching.
{
await _tokenStore.AddToken(grantedToken);
_simpleIdentityServerEventSource.GrantAccessToClient(authorizationParameter.ClientId,
grantedToken.AccessToken,
allowedTokenScopes);
}
if (newAuthorizationCodeGranted) // 4. Insert the authorization code into the caching.
{
if (client.RequirePkce)
{
authorizationCode.CodeChallenge = authorizationParameter.CodeChallenge;
authorizationCode.CodeChallengeMethod = authorizationParameter.CodeChallengeMethod;
}
await _authorizationCodeStore.AddAuthorizationCode(authorizationCode);
_simpleIdentityServerEventSource.GrantAuthorizationCodeToClient(authorizationParameter.ClientId,
authorizationCode.Code,
authorizationParameter.Scope);
}
if (responses.Contains(ResponseType.id_token))
{
var idToken = await GenerateIdToken(idTokenPayload, authorizationParameter);
actionResult.RedirectInstruction.AddParameter(Constants.StandardAuthorizationResponseNames.IdTokenName, idToken);
}
if (!string.IsNullOrWhiteSpace(authorizationParameter.State))
{
actionResult.RedirectInstruction.AddParameter(Constants.StandardAuthorizationResponseNames.StateName, authorizationParameter.State);
}
var sessionState = GetSessionState(authorizationParameter.ClientId, authorizationParameter.OriginUrl, authorizationParameter.SessionId);
if (sessionState != null)
{
actionResult.RedirectInstruction.AddParameter(Constants.StandardAuthorizationResponseNames.SessionState, sessionState);
}
if (authorizationParameter.ResponseMode == ResponseMode.form_post)
{
actionResult.Type = TypeActionResult.RedirectToAction;
actionResult.RedirectInstruction.Action = IdentityServerEndPoints.FormIndex;
actionResult.RedirectInstruction.AddParameter("redirect_uri", authorizationParameter.RedirectUrl);
}
// Set the response mode
if (actionResult.Type == TypeActionResult.RedirectToCallBackUrl)
{
var responseMode = authorizationParameter.ResponseMode;
if (responseMode == ResponseMode.None)
{
var responseTypes = _parameterParserHelper.ParseResponseTypes(authorizationParameter.ResponseType);
var authorizationFlow = _authorizationFlowHelper.GetAuthorizationFlow(responseTypes,
authorizationParameter.State);
responseMode = GetResponseMode(authorizationFlow);
}
actionResult.RedirectInstruction.ResponseMode = responseMode;
}
_simpleIdentityServerEventSource.EndGeneratingAuthorizationResponseToClient(authorizationParameter.ClientId,
actionResult.RedirectInstruction.Parameters.SerializeWithJavascript());
}
