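/// <summary>
        /// Validates an authorize response and, if it is acceptable, redeems the
        /// authorization code for tokens and builds the login result.
        /// </summary>
        /// <remarks>
        /// Checks run in this order and the first failure ends the login:
        /// identity token validation, nonce comparison against <c>_nonce</c>,
        /// and c_hash validation against the returned code. Only then is the code
        /// sent to the token endpoint.
        /// </remarks>
        /// <param name="response">The authorize response carrying the identity token and the code.</param>
        /// <returns>
        /// A <see cref="LoginResult"/> with <c>Success = true</c> and the tokens on success,
        /// otherwise a result whose <c>ErrorMessage</c> names the failed step.
        /// </returns>
        private async Task<LoginResult> ValidateResponseAsync(AuthorizeResponse response)
        {
            // Validate the id_token; a null claim list is treated as a validation failure.
            var tokenClaims = ValidateIdentityToken(response.IdentityToken);

            if (tokenClaims == null)
            {
                return new LoginResult { ErrorMessage = "Invalid identity token." };
            }

            // Validate the nonce: the claim must be present and match _nonce exactly.
            // Presumably _nonce is the value sent with the authorize request, which ties
            // this id_token to the request this client started; verify against the caller.
            var nonce = tokenClaims.FirstOrDefault(c => c.Type == JwtClaimTypes.Nonce);

            if (nonce == null || !string.Equals(nonce.Value, _nonce, StringComparison.Ordinal))
            {
                return new LoginResult { ErrorMessage = "Invalid nonce." };
            }

            // Validate c_hash: ties the authorization code to the validated id_token, so a
            // code that was not issued together with this token is rejected before redemption.
            var codeHash = tokenClaims.FirstOrDefault(c => c.Type == JwtClaimTypes.AuthorizationCodeHash);

            if (codeHash == null || !ValidateCodeHash(codeHash.Value, response.Code))
            {
                return new LoginResult { ErrorMessage = "Invalid code." };
            }

            // Create the key provider for the proof-of-possession token request. It is kept
            // in _provider; only its JWK form (jwk.ToJwkString()) is sent to the token endpoint.
            // NOTE(review): confirm ToJwkString() emits public key parameters only.
            _provider = JwkNetExtensions.CreateProvider();
            var jwk = _provider.ToJsonWebKey();

            // Exchange the code for tokens.
            var tokenClient = new TokenClient(
                _config.TokenEndpoint,
                _settings.ClientId,
                _settings.ClientSecret);

            var tokenResponse = await tokenClient.RequestAuthorizationCodePopAsync(
                code: response.Code,
                redirectUri: _settings.RedirectUri,
                codeVerifier: _verifier,
                algorithm: jwk.Alg,
                key: jwk.ToJwkString());

            if (tokenResponse.IsError)
            {
                return new LoginResult { ErrorMessage = tokenResponse.Error };
            }

            // Optionally call the userinfo endpoint.
            var profileClaims = new List<Claim>();
            if (_settings.LoadUserProfile)
            {
                var userInfoClient = new UserInfoClient(
                    new Uri(_config.UserInfoEndpoint),
                    tokenResponse.AccessToken);

                // NOTE(review): the userinfo response is consumed without an error check here,
                // and its "sub" is not compared with the id_token's "sub" in this method.
                // OpenID Connect Core 5.3.2 requires that match before the claims are merged;
                // confirm whether CreatePrincipal or the client library already enforces it.
                var userInfoResponse = await userInfoClient.GetAsync();
                profileClaims = userInfoResponse.GetClaimsIdentity().Claims.ToList();
            }

            var principal = CreatePrincipal(tokenClaims, profileClaims);

            return new LoginResult
            {
                Success = true,
                User = principal,
                IdentityToken = response.IdentityToken,
                AccessToken = tokenResponse.AccessToken,
                RefreshToken = tokenResponse.RefreshToken,
                // Expiration is computed in local time (DateTime.Now); code comparing it must
                // use local time as well, or the token lifetime is off by the UTC offset.
                AccessTokenExpiration = DateTime.Now.AddSeconds(tokenResponse.ExpiresIn)
            };
        }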