public async Task GetProfileDataAsync(ProfileDataRequestContext context)
{
var sub = context.Subject.GetSubjectId();
var user = await _userManager.FindByIdAsync(sub);
var principal = await _claimsFactory.CreateAsync(user);
var claims = principal.Claims.ToList();
claims = claims.Where(claim => context.RequestedClaimTypes.Contains(claim.Type)).ToList();
claims.Add(new Claim(JwtClaimTypes.GivenName, user.UserName));
if (user.IsAdmin)
{
claims.Add(new Claim(JwtClaimTypes.Role, "admin"));
}
else
{
claims.Add(new Claim(JwtClaimTypes.Role, "user"));
}
if (user.DataEventRecordsRole == "dataEventRecords.admin")
{
claims.Add(new Claim(JwtClaimTypes.Role, "dataEventRecords.admin"));
claims.Add(new Claim(JwtClaimTypes.Role, "dataEventRecords.user"));
claims.Add(new Claim(JwtClaimTypes.Role, "dataEventRecords"));
claims.Add(new Claim(JwtClaimTypes.Scope, "dataEventRecords"));
}
else
{
claims.Add(new Claim(JwtClaimTypes.Role, "dataEventRecords.user"));
claims.Add(new Claim(JwtClaimTypes.Role, "dataEventRecords"));
claims.Add(new Claim(JwtClaimTypes.Scope, "dataEventRecords"));
}
if (user.SecuredFilesRole == "securedFiles.admin")
{
claims.Add(new Claim(JwtClaimTypes.Role, "securedFiles.admin"));
claims.Add(new Claim(JwtClaimTypes.Role, "securedFiles.user"));
claims.Add(new Claim(JwtClaimTypes.Role, "securedFiles"));
claims.Add(new Claim(JwtClaimTypes.Scope, "securedFiles"));
}
else
{
claims.Add(new Claim(JwtClaimTypes.Role, "securedFiles.user"));
claims.Add(new Claim(JwtClaimTypes.Role, "securedFiles"));
claims.Add(new Claim(JwtClaimTypes.Scope, "securedFiles"));
}
claims.Add(new Claim(IdentityServerConstants.StandardScopes.Email, user.Email));
context.IssuedClaims = claims;
}
async public Task GetProfileDataAsync(ProfileDataRequestContext context)
{
var subject = context.Subject;
if (subject == null) throw new ArgumentNullException(nameof(context.Subject));
var subjectId = subject.GetSubjectId();
var user = await _userManager.FindByIdAsync(subjectId);
if (user == null)
throw new ArgumentException("Invalid subject identifier");
var claims = await GetClaimsFromUser(user);
if (!context.AllClaimsRequested)
{
var requestedClaimTypes = context.RequestedClaimTypes;
if (requestedClaimTypes != null)
claims = claims.Where(c => requestedClaimTypes.Contains(c.Type));
else
claims = claims.Take(0);
}
context.IssuedClaims = claims;
}
public Task GetProfileDataAsync(ProfileDataRequestContext context)
{
context.IssuedClaims.Add(new Claim("special", "martin"));
return(Task.CompletedTask);
}
public Task GetProfileDataAsync(ProfileDataRequestContext context)
{
return(Task.FromResult(0));
}
public async Task GetProfileDataAsync(ProfileDataRequestContext context)
{
var sub = context.Subject.GetSubjectId();
var user = await _userManager.FindByIdAsync(sub);
var principal = await _claimsFactory.CreateAsync(user);
var claims = principal.Claims.ToList();
if (!context.AllClaimsRequested)
{
claims = claims.Where(claim => context.RequestedClaimTypes.Contains(claim.Type)).ToList();
}
claims.Add(new Claim(JwtClaimTypes.GivenName, user.UserName));
//new Claim(JwtClaimTypes.Role, "admin"),
//new Claim(JwtClaimTypes.Role, "dataEventRecords.admin"),
//new Claim(JwtClaimTypes.Role, "dataEventRecords.user"),
//new Claim(JwtClaimTypes.Role, "dataEventRecords"),
//new Claim(JwtClaimTypes.Role, "securedFiles.user"),
//new Claim(JwtClaimTypes.Role, "securedFiles.admin"),
//new Claim(JwtClaimTypes.Role, "securedFiles")
if (user.IsAdmin)
{
claims.Add(new Claim(JwtClaimTypes.Role, "admin"));
}
else
{
claims.Add(new Claim(JwtClaimTypes.Role, "user"));
}
if (user.DataEventRecordsRole == "dataEventRecords.admin")
{
claims.Add(new Claim(JwtClaimTypes.Role, "dataEventRecords.admin"));
claims.Add(new Claim(JwtClaimTypes.Role, "dataEventRecords.user"));
claims.Add(new Claim(JwtClaimTypes.Role, "dataEventRecords"));
}
else
{
claims.Add(new Claim(JwtClaimTypes.Role, "dataEventRecords.user"));
claims.Add(new Claim(JwtClaimTypes.Role, "dataEventRecords"));
}
if (user.SecuredFilesRole == "securedFiles.admin")
{
claims.Add(new Claim(JwtClaimTypes.Role, "securedFiles.admin"));
claims.Add(new Claim(JwtClaimTypes.Role, "securedFiles.user"));
claims.Add(new Claim(JwtClaimTypes.Role, "securedFiles"));
}
else
{
claims.Add(new Claim(JwtClaimTypes.Role, "securedFiles.user"));
claims.Add(new Claim(JwtClaimTypes.Role, "securedFiles"));
}
claims.Add(new System.Security.Claims.Claim(StandardScopes.Email.Name, user.Email));
context.IssuedClaims = claims;
}
public async Task GetProfileDataAsync(ProfileDataRequestContext context)
{
var sub = context.Subject.GetSubjectId();
var user = await _userManager.FindByIdAsync(sub);
var principal = await _claimsFactory.CreateAsync(user);
var issued = context.IssuedClaims;
context.AddRequestedClaims(principal.Claims);
var requestedClaims = context.RequestedClaimTypes.ToList();
var allClaims = principal.Claims.ToList();
var foundClaims = principal.Claims.Where(x => context.RequestedClaimTypes.Contains(x.Type)).Select(x => x.Type).ToList();
var neededClaims = requestedClaims.Except(foundClaims);
var claimsToAdd = new List <Claim>();
//try to add needed claims if we know what they are
foreach (var c in neededClaims)
{
if (c == JwtClaimTypes.Name)
{
claimsToAdd.Add(new Claim(JwtClaimTypes.Name, user.DisplayName));
}
if (c == JwtClaimTypes.Email)
{
claimsToAdd.Add(new Claim(JwtClaimTypes.Email, user.Email));
}
if (c == JwtClaimTypes.BirthDate && user.DateOfBirth.HasValue)
{
claimsToAdd.Add(new Claim(JwtClaimTypes.BirthDate, user.DateOfBirth.Value.ToString("YYYY-MM-DD")));
}
if (c == JwtClaimTypes.EmailVerified)
{
claimsToAdd.Add(new Claim(JwtClaimTypes.EmailVerified, user.EmailConfirmed.ToString().ToLowerInvariant()));
}
if (c == JwtClaimTypes.FamilyName && !string.IsNullOrWhiteSpace(user.LastName))
{
claimsToAdd.Add(new Claim(JwtClaimTypes.FamilyName, user.LastName));
}
if (c == JwtClaimTypes.GivenName && !string.IsNullOrWhiteSpace(user.FirstName))
{
claimsToAdd.Add(new Claim(JwtClaimTypes.GivenName, user.FirstName));
}
if (c == JwtClaimTypes.PhoneNumber && !string.IsNullOrWhiteSpace(user.PhoneNumber))
{
claimsToAdd.Add(new Claim(JwtClaimTypes.PhoneNumber, user.PhoneNumber));
}
if (c == JwtClaimTypes.PhoneNumberVerified)
{
claimsToAdd.Add(new Claim(JwtClaimTypes.PhoneNumberVerified, user.PhoneNumberConfirmed.ToString().ToLowerInvariant()));
}
if (c == JwtClaimTypes.WebSite && !string.IsNullOrWhiteSpace(user.WebSiteUrl))
{
claimsToAdd.Add(new Claim(JwtClaimTypes.WebSite, user.WebSiteUrl));
}
if (c == JwtClaimTypes.ZoneInfo && !string.IsNullOrWhiteSpace(user.TimeZoneId))
{
claimsToAdd.Add(new Claim(JwtClaimTypes.ZoneInfo, user.TimeZoneId));
}
if (c == JwtClaimTypes.Gender && !string.IsNullOrWhiteSpace(user.Gender))
{
claimsToAdd.Add(new Claim(JwtClaimTypes.Gender, user.Gender));
}
}
if (claimsToAdd.Count > 0)
{
context.IssuedClaims.AddRange(claimsToAdd);
}
}
public override Task GetProfileDataAsync(ProfileDataRequestContext context)
{
return(base.GetProfileDataAsync(context));
}
public Task GetProfileDataAsync(ProfileDataRequestContext context)
{
context.IssuedClaims.AddRange(context.Subject.Claims);
return(Task.FromResult(0));
}
public Task GetProfileDataAsync(ProfileDataRequestContext context)
{
context.IssuedClaims.AddRange(context.Subject.Claims.Where(x => x.Type == CustomClaimTypes.Roles).ToList());
return(Task.CompletedTask);
}
public async Task GetProfileDataAsync(ProfileDataRequestContext context)
{
var claims = context.Subject.Claims.ToList();
context.IssuedClaims = claims.ToList();
}
protected async Task <ClaimsIdentity> CreateSubjectAsync(SignInValidationResult result)
{
var requestedClaimTypes = new List <string>();
var resources = await this.resources.FindEnabledIdentityResourcesByScopeAsync(result.Client.AllowedScopes);
foreach (var resource in resources)
{
foreach (var claim in resource.UserClaims)
{
requestedClaimTypes.Add(claim);
}
}
var ctx = new ProfileDataRequestContext
{
Subject = result.User,
RequestedClaimTypes = requestedClaimTypes,
Client = result.Client,
Caller = "WS-Federation"
};
await profile.GetProfileDataAsync(ctx);
// map outbound claims
var nameid = new Claim(ClaimTypes.NameIdentifier, result.User.GetSubjectId());
nameid.Properties[ClaimProperties.SamlNameIdentifierFormat] = result.RelyingParty.SamlNameIdentifierFormat;
var outboundClaims = new List <Claim> {
nameid
};
foreach (var claim in ctx.IssuedClaims)
{
if (result.RelyingParty.ClaimMapping.ContainsKey(claim.Type))
{
var outboundClaim = new Claim(result.RelyingParty.ClaimMapping[claim.Type], claim.Value);
if (outboundClaim.Type == ClaimTypes.NameIdentifier)
{
outboundClaim.Properties[ClaimProperties.SamlNameIdentifierFormat] = result.RelyingParty.SamlNameIdentifierFormat;
}
outboundClaims.Add(outboundClaim);
}
else if (result.RelyingParty.TokenType != WsFederationConstants.TokenTypes.Saml11TokenProfile11)
{
outboundClaims.Add(claim);
}
else
{
logger.LogInformation("No explicit claim type mapping for {claimType} configured. Saml11 requires a URI claim type. Skipping.", claim.Type);
}
}
// The AuthnStatement statement generated from the following 2
// claims is manditory for some service providers (i.e. Shibboleth-Sp).
// The value of the AuthenticationMethod claim must be one of the constants in
// System.IdentityModel.Tokens.AuthenticationMethods.
// Password is the only one that can be directly matched, everything
// else defaults to Unspecified.
if (result.User.GetAuthenticationMethod() == OidcConstants.AuthenticationMethods.Password)
{
outboundClaims.Add(new Claim(ClaimTypes.AuthenticationMethod, AuthenticationMethods.Password));
}
else
{
outboundClaims.Add(new Claim(ClaimTypes.AuthenticationMethod, AuthenticationMethods.Unspecified));
}
// authentication instant claim is required
outboundClaims.Add(new Claim(ClaimTypes.AuthenticationInstant, XmlConvert.ToString(DateTime.UtcNow, "yyyy-MM-ddTHH:mm:ss.fffZ"), ClaimValueTypes.DateTime));
return(new ClaimsIdentity(outboundClaims, "idsrv"));
}
/// <summary>
/// Returns claims for an identity token
/// </summary>
/// <param name="subject">The subject</param>
/// <param name="client">The client</param>
/// <param name="scopes">The requested scopes</param>
/// <param name="includeAllIdentityClaims">Specifies if all claims should be included in the token, or if the userinfo endpoint can be used to retrieve them</param>
/// <param name="request">The raw request</param>
/// <returns>
/// Claims for the identity token
/// </returns>
public virtual async Task <IEnumerable <Claim> > GetIdentityTokenClaimsAsync(ClaimsPrincipal subject, Client client, IEnumerable <Scope> scopes, bool includeAllIdentityClaims, ValidatedRequest request)
{
Logger.Info("Getting claims for identity token for subject: " + subject.GetSubjectId());
var outputClaims = new List <Claim>(GetStandardSubjectClaims(subject));
outputClaims.AddRange(GetOptionalClaims(subject));
var additionalClaims = new List <string>();
// if a include all claims rule exists, call the user service without a claims filter
if (scopes.IncludesAllClaimsForUserRule(ScopeType.Identity))
{
Logger.Info("All claims rule found - emitting all claims for user.");
var context = new ProfileDataRequestContext(
subject,
client,
Constants.ProfileDataCallers.ClaimsProviderIdentityToken);
await _users.GetProfileDataAsync(context);
var claims = FilterProtocolClaims(context.IssuedClaims);
if (claims != null)
{
outputClaims.AddRange(claims);
}
return(outputClaims);
}
// fetch all identity claims that need to go into the id token
foreach (var scope in scopes)
{
if (scope.Type == ScopeType.Identity)
{
foreach (var scopeClaim in scope.Claims)
{
if (includeAllIdentityClaims || scopeClaim.AlwaysIncludeInIdToken)
{
additionalClaims.Add(scopeClaim.Name);
}
}
}
}
if (additionalClaims.Count > 0)
{
var context = new ProfileDataRequestContext(
subject,
client,
Constants.ProfileDataCallers.ClaimsProviderIdentityToken,
additionalClaims);
await _users.GetProfileDataAsync(context);
var claims = FilterProtocolClaims(context.IssuedClaims);
if (claims != null)
{
outputClaims.AddRange(claims);
}
}
return(outputClaims);
}
/// <summary>
/// Returns claims for an identity token.
/// </summary>
/// <param name="subject">The subject.</param>
/// <param name="client">The client.</param>
/// <param name="scopes">The requested scopes.</param>
/// <param name="request">The raw request.</param>
/// <returns>
/// Claims for the access token
/// </returns>
public virtual async Task <IEnumerable <Claim> > GetAccessTokenClaimsAsync(ClaimsPrincipal subject, Client client, IEnumerable <Scope> scopes, ValidatedRequest request)
{
// add client_id
var outputClaims = new List <Claim>
{
new Claim(Constants.ClaimTypes.ClientId, client.ClientId),
};
// check for client claims
if (client.Claims != null && client.Claims.Any())
{
if (subject == null || client.AlwaysSendClientClaims)
{
foreach (var claim in client.Claims)
{
var claimType = claim.Type;
if (client.PrefixClientClaims)
{
claimType = "client_" + claimType;
}
outputClaims.Add(new Claim(claimType, claim.Value, claim.ValueType));
}
}
}
// add scopes
foreach (var scope in scopes)
{
outputClaims.Add(new Claim(Constants.ClaimTypes.Scope, scope.Name));
}
// a user is involved
if (subject != null)
{
outputClaims.AddRange(GetStandardSubjectClaims(subject));
outputClaims.AddRange(GetOptionalClaims(subject));
// if a include all claims rule exists, call the user service without a claims filter
if (scopes.IncludesAllClaimsForUserRule(ScopeType.Resource))
{
var context = new ProfileDataRequestContext(
subject,
client,
Constants.ProfileDataCallers.ClaimsProviderAccessToken);
await _users.GetProfileDataAsync(context);
var claims = FilterProtocolClaims(context.IssuedClaims);
if (claims != null)
{
outputClaims.AddRange(claims);
}
return(outputClaims);
}
// fetch all resource claims that need to go into the access token
var additionalClaims = new List <string>();
foreach (var scope in scopes)
{
if (scope.Type == ScopeType.Resource)
{
if (scope.Claims != null)
{
foreach (var scopeClaim in scope.Claims)
{
additionalClaims.Add(scopeClaim.Name);
}
}
}
}
if (additionalClaims.Count > 0)
{
var context = new ProfileDataRequestContext(
subject,
client,
Constants.ProfileDataCallers.ClaimsProviderAccessToken,
additionalClaims.Distinct());
await _users.GetProfileDataAsync(context);
var claims = FilterProtocolClaims(context.IssuedClaims);
if (claims != null)
{
outputClaims.AddRange(claims);
}
}
}
return(outputClaims);
}
public async Task GetProfileDataAsync(ProfileDataRequestContext context)
{
var existingClaims = context.Subject.Claims;
var newClaims = new List <Claim>();
var user = await _userService.GetUserByPrincipalAsync(context.Subject);
if (user != null)
{
var isPremium = await _licensingService.ValidateUserPremiumAsync(user);
newClaims.AddRange(new List <Claim>
{
new Claim("premium", isPremium ? "true" : "false", ClaimValueTypes.Boolean),
new Claim(JwtClaimTypes.Email, user.Email),
new Claim(JwtClaimTypes.EmailVerified, user.EmailVerified ? "true" : "false", ClaimValueTypes.Boolean),
new Claim("sstamp", user.SecurityStamp)
});
if (!string.IsNullOrWhiteSpace(user.Name))
{
newClaims.Add(new Claim(JwtClaimTypes.Name, user.Name));
}
// Orgs that this user belongs to
var orgs = await _organizationUserRepository.GetManyByUserAsync(user.Id);
if (orgs.Any())
{
var groupedOrgs = orgs.Where(o => o.Status == Enums.OrganizationUserStatusType.Confirmed)
.GroupBy(o => o.Type);
foreach (var group in groupedOrgs)
{
switch (group.Key)
{
case Enums.OrganizationUserType.Owner:
foreach (var org in group)
{
newClaims.Add(new Claim("orgowner", org.OrganizationId.ToString()));
}
break;
case Enums.OrganizationUserType.Admin:
foreach (var org in group)
{
newClaims.Add(new Claim("orgadmin", org.OrganizationId.ToString()));
}
break;
case Enums.OrganizationUserType.User:
foreach (var org in group)
{
newClaims.Add(new Claim("orguser", org.OrganizationId.ToString()));
}
break;
default:
break;
}
}
}
}
// filter out any of the new claims
var existingClaimsToKeep = existingClaims
.Where(c => !c.Type.StartsWith("org") && (newClaims.Count == 0 || !newClaims.Any(nc => nc.Type == c.Type)))
.ToList();
newClaims.AddRange(existingClaimsToKeep);
if (newClaims.Any())
{
context.AddRequestedClaims(newClaims);
}
}
/// <summary>
/// Returns claims for an identity token.
/// </summary>
/// <param name="subject">The subject.</param>
/// <param name="client">The client.</param>
/// <param name="scopes">The requested scopes.</param>
/// <param name="request">The raw request.</param>
/// <returns>
/// Claims for the access token
/// </returns>
public virtual async Task <IEnumerable <Claim> > GetAccessTokenClaimsAsync(ClaimsPrincipal subject, Client client, Resources resources, ValidatedRequest request)
{
_logger.LogDebug("Getting claims for access token for client: {clientId}", client.ClientId);
// add client_id
var outputClaims = new List <Claim>
{
new Claim(JwtClaimTypes.ClientId, client.ClientId),
};
// check for client claims
if (client.Claims != null && client.Claims.Any())
{
if (subject == null || client.AlwaysSendClientClaims)
{
foreach (var claim in client.Claims)
{
var claimType = claim.Type;
if (client.PrefixClientClaims)
{
claimType = "client_" + claimType;
}
outputClaims.Add(new Claim(claimType, claim.Value, claim.ValueType));
}
}
}
// add scopes
foreach (var scope in resources.IdentityResources)
{
outputClaims.Add(new Claim(JwtClaimTypes.Scope, scope.Name));
}
foreach (var scope in resources.ApiResources.SelectMany(x => x.Scopes))
{
outputClaims.Add(new Claim(JwtClaimTypes.Scope, scope.Name));
}
// a user is involved
if (subject != null)
{
if (resources.OfflineAccess)
{
outputClaims.Add(new Claim(JwtClaimTypes.Scope, IdentityServerConstants.StandardScopes.OfflineAccess));
}
_logger.LogDebug("Getting claims for access token for subject: {subject}", subject.GetSubjectId());
outputClaims.AddRange(GetStandardSubjectClaims(subject));
outputClaims.AddRange(GetOptionalClaims(subject));
// fetch all resource claims that need to go into the access token
var additionalClaims = new List <string>();
foreach (var api in resources.ApiResources)
{
// add claims configured on api resource
if (api.UserClaims != null)
{
foreach (var claim in api.UserClaims)
{
additionalClaims.Add(claim.Type);
}
}
// add claims configured on scope
// TODO: need unit test
foreach (var scope in api.Scopes)
{
if (scope.UserClaims != null)
{
foreach (var claim in scope.UserClaims)
{
additionalClaims.Add(claim.Type);
}
}
}
}
if (additionalClaims.Count > 0)
{
var context = new ProfileDataRequestContext(
subject,
client,
IdentityServerConstants.ProfileDataCallers.ClaimsProviderAccessToken,
additionalClaims.Distinct());
await _profile.GetProfileDataAsync(context);
var claims = FilterProtocolClaims(context.IssuedClaims);
if (claims != null)
{
outputClaims.AddRange(claims);
}
}
}
return(outputClaims);
}
public async Task <Dictionary <string, object> > ProcessAsync(ClaimsPrincipal subject, IEnumerable <string> scopes, Client client)
{
_logger.LogTrace("Creating userinfo response");
var profileData = new Dictionary <string, object>();
var requestedClaimTypes = await GetRequestedClaimTypesAsync(scopes);
IEnumerable <Claim> profileClaims;
if (requestedClaimTypes.IncludeAllClaims)
{
_logger.LogDebug("Requested claim types: all");
var context = new ProfileDataRequestContext(
subject,
client,
IdentityServerConstants.ProfileDataCallers.UserInfoEndpoint);
await _profile.GetProfileDataAsync(context);
profileClaims = context.IssuedClaims;
}
else
{
_logger.LogDebug("Requested claim types: {claimTypes}", requestedClaimTypes.ClaimTypes.ToSpaceSeparatedString());
var context = new ProfileDataRequestContext(
subject,
client,
IdentityServerConstants.ProfileDataCallers.UserInfoEndpoint,
requestedClaimTypes.ClaimTypes);
await _profile.GetProfileDataAsync(context);
profileClaims = context.IssuedClaims;
}
List <Claim> results = new List <Claim>();
if (profileClaims == null)
{
_logger.LogInformation("Profile service returned no claims (null)");
}
else
{
results.AddRange(profileClaims);
_logger.LogInformation("Profile service returned to the following claim types: {types}", profileClaims.Select(c => c.Type).ToSpaceSeparatedString());
}
// TODO: unit tests
var subClaim = results.SingleOrDefault(x => x.Type == JwtClaimTypes.Subject);
if (subClaim == null)
{
results.Add(new Claim(JwtClaimTypes.Subject, subject.GetSubjectId()));
}
else if (subClaim.Value != subject.GetSubjectId())
{
_logger.LogError("Profile service returned incorrect subject value: {sub}", subClaim);
throw new InvalidOperationException("Profile service returned incorrect subject value");
}
return(results.ToClaimsDictionary());
}
public virtual async Task GetProfileDataAsync(ProfileDataRequestContext context)
{
var user = await GetUser(context.Subject);
context.IssuedClaims = (await GetClaims(user)).ToList();
}
/// <summary>
/// Returns claims for an identity token.
/// </summary>
/// <param name="subject">The subject.</param>
/// <param name="resources">The requested resources</param>
/// <param name="request">The raw request.</param>
/// <returns>
/// Claims for the access token
/// </returns>
public virtual async Task <IEnumerable <Claim> > GetAccessTokenClaimsAsync(ClaimsPrincipal subject, Resources resources, ValidatedRequest request)
{
Logger.LogDebug("Getting claims for access token for client: {clientId}", request.Client.ClientId);
var outputClaims = new List <Claim>()
{
new Claim(JwtClaimTypes.ClientId, request.ClientId)
};
// log if client ID is overwritten
if (!string.Equals(request.ClientId, request.Client.ClientId))
{
Logger.LogDebug("Client {clientId} is impersonating {impersonatedClientId}", request.Client.ClientId, request.ClientId);
}
// add cnf if present
if (request.Confirmation.IsPresent())
{
outputClaims.Add(new Claim(JwtClaimTypes.Confirmation, request.Confirmation, IdentityServerConstants.ClaimValueTypes.Json));
}
// check for client claims
if (request.ClientClaims != null && request.ClientClaims.Any())
{
if (subject == null || request.Client.AlwaysSendClientClaims)
{
foreach (var claim in request.ClientClaims)
{
var claimType = claim.Type;
if (request.Client.ClientClaimsPrefix.IsPresent())
{
claimType = request.Client.ClientClaimsPrefix + claimType;
}
outputClaims.Add(new Claim(claimType, claim.Value, claim.ValueType));
}
}
}
// add scopes
foreach (var scope in resources.IdentityResources)
{
outputClaims.Add(new Claim(JwtClaimTypes.Scope, scope.Name));
}
foreach (var scope in resources.ApiResources.SelectMany(x => x.Scopes))
{
outputClaims.Add(new Claim(JwtClaimTypes.Scope, scope.Name));
}
// a user is involved
if (subject != null)
{
if (resources.OfflineAccess)
{
outputClaims.Add(new Claim(JwtClaimTypes.Scope, IdentityServerConstants.StandardScopes.OfflineAccess));
}
Logger.LogDebug("Getting claims for access token for subject: {subject}", subject.GetSubjectId());
outputClaims.AddRange(GetStandardSubjectClaims(subject));
outputClaims.AddRange(GetOptionalClaims(subject));
// fetch all resource claims that need to go into the access token
var additionalClaimTypes = new List <string>();
foreach (var api in resources.ApiResources)
{
// add claims configured on api resource
if (api.UserClaims != null)
{
foreach (var claim in api.UserClaims)
{
additionalClaimTypes.Add(claim);
}
}
// add claims configured on scope
foreach (var scope in api.Scopes)
{
if (scope.UserClaims != null)
{
foreach (var claim in scope.UserClaims)
{
additionalClaimTypes.Add(claim);
}
}
}
}
// filter so we don't ask for claim types that we will eventually filter out
additionalClaimTypes = FilterRequestedClaimTypes(additionalClaimTypes).ToList();
var context = new ProfileDataRequestContext(
subject,
request.Client,
IdentityServerConstants.ProfileDataCallers.ClaimsProviderAccessToken,
additionalClaimTypes.Distinct())
{
RequestedResources = resources,
ValidatedRequest = request
};
await Profile.GetProfileDataAsync(context);
var claims = FilterProtocolClaims(context.IssuedClaims);
if (claims != null)
{
outputClaims.AddRange(claims);
}
}
return(outputClaims);
}
public async Task GetProfileDataAsync(ProfileDataRequestContext context)
{
var nameClaim = context.Subject.FindAll(JwtClaimTypes.Name);
context.IssuedClaims.AddRange(nameClaim);
var roleClaims = context.Subject.FindAll(JwtClaimTypes.Role);
context.IssuedClaims.AddRange(roleClaims);
bool isReadonly = false;
var user = await _userManager.FindByNameAsync(context.Subject.Identity.Name);
if (user != null)
{
var notifications = await _notificationService.GetNotifications(user.Id, NotificationTypeEnum.DailyReminder);
if (notifications.Any(n => n.CreatedDate.Date.Equals(DateTime.UtcNow.Date)) == false)
{
await _notificationService.Create(user.Id, "daily-reminder", "subscription-pack", "reminder", "reminder", "reminder", Shared.ViewModels.NotificationTypeEnum.DailyReminder);
}
if (user.IsUnlimited == false && user.IsAdmin == false)
{
var subscription = await _functionalUnitOfWork.SubscriptionRepository.GetLatestSubscriptionForUser(user.Id);
if (subscription != null && subscription.SubscriptionPackId != Guid.Empty)
{
var pack = await _functionalUnitOfWork.SubscriptionPackRepository.FirstOrDefault(s => s.Id == subscription.SubscriptionPackId);
if (subscription != null)
{
AddClaim(context, ClaimNames.Subscription, pack.Label.ToLower());
}
if (pack.Price > 0)
{
AddClaim(context, ClaimNames.IsPayable, "true");
}
else
{
AddClaim(context, ClaimNames.IsFree, "true");
}
}
if (user.SubscriptionEndDate.HasValue && user.SubscriptionEndDate < DateTime.UtcNow)
{
notifications = await _notificationService.GetNotifications(user.Id, NotificationTypeEnum.ExpiredProfile);
if (notifications.Any(n => n.CreatedDate.Date.Equals(DateTime.UtcNow.Date)) == false)
{
await _notificationService.Create(user.Id, "expiredprofile", "subscription-pack", "reminder", "reminder", "reminder", Shared.ViewModels.NotificationTypeEnum.ExpiredProfile);
isReadonly = true;
await SendEmailTemplate(user, EmailTemplateEnum.ExpiredProfile, "expiredprofile");
}
}
else if (user.SubscriptionEndDate.HasValue && user.SubscriptionEndDate.Value.Subtract(DateTime.UtcNow).Days <= 5)
{
notifications = await _notificationService.GetNotifications(user.Id, NotificationTypeEnum.SoonExpireProfile);
if (notifications.Any(n => n.CreatedDate.Date.Equals(DateTime.UtcNow.Date)) == false)
{
await _notificationService.Create(user.Id, "soonexpireprofile", "subscription-pack", "reminder", "reminder", "reminder", Shared.ViewModels.NotificationTypeEnum.SoonExpireProfile);
await SendEmailTemplate(user, EmailTemplateEnum.SoonExpiredProfile, "soonexpireprofile");
}
}
}
if (!user.IsOnline)
{
user.IsOnline = true;
user.LastLogin = DateTime.UtcNow;
await _userManager.UpdateAsync(user);
}
AddClaim(context, ClaimNames.Title, user.Title);
AddClaim(context, ClaimNames.Address, user.Address);
AddClaim(context, ClaimNames.City, user.City);
AddClaim(context, ClaimNames.Country, user.Country);
AddClaim(context, ClaimNames.DisplayDescription, user.DisplayDescription);
AddClaim(context, ClaimNames.DescriptionVideo, user.DescriptionVideo);
AddClaim(context, ClaimNames.DescriptionVideoCover, user.DescriptionVideoCover);
AddClaim(context, ClaimNames.VideoProfileUrl, user.VideoProfileUrl);
AddClaim(context, ClaimNames.VideProfileCoverUrl, user.VideProfileCoverUrl);
AddClaim(context, ClaimNames.Description, user.Description);
AddClaim(context, ClaimNames.DigitCode, user.PinCode);
AddClaim(context, ClaimNames.DisplayName, GetDisplayName(user));
AddClaim(context, ClaimNames.Email, user.Email);
AddClaim(context, ClaimNames.FirstName, user.FirstName);
AddClaim(context, ClaimNames.Id, user.Id);
AddClaim(context, ClaimNames.PhoneNumber, user.PhoneNumber);
AddRole(context, ClaimNames.IsAdmin, user.IsAdmin);
AddRole(context, ClaimNames.IsManager, user.IsManager);
AddRole(context, ClaimNames.IsOperator, user.IsOperator);
AddRole(context, ClaimNames.IsOnline, user.IsOnline);
AddClaim(context, ClaimNames.LastLogin, user.LastLogin);
AddClaim(context, ClaimNames.LastName, user.LastName);
AddClaim(context, ClaimNames.NumberOfView, user.NubmerOfView);
AddClaim(context, ClaimNames.PhotoUrl, user.PhotoUrl);
AddClaim(context, ClaimNames.PinCode, user.PinCode);
AddClaim(context, ClaimNames.SubscriptionStart, user.SubscriptionStartDate);
AddClaim(context, ClaimNames.SubscriptionEnd, user.SubscriptionEndDate);
AddClaim(context, ClaimNames.IsReadOnly, user.SubscriptionEndDate.HasValue && user.SubscriptionEndDate.Value <= DateTime.UtcNow);
}
}
