private async Task <AuthenticationTicket> InvokeTokenEndpointClientCredentialsGrantAsync(
OAuthValidateTokenRequestContext validatingContext,
DateTimeOffset currentUtc)
{
TokenEndpointRequest tokenEndpointRequest = validatingContext.TokenRequest;
await Options.Provider.ValidateTokenRequest(validatingContext);
if (!validatingContext.IsValidated)
{
return(null);
}
var grantContext = new OAuthGrantClientCredentialsContext(
Context,
Options,
validatingContext.ClientContext.ClientId,
tokenEndpointRequest.ClientCredentialsGrant.Scope);
await Options.Provider.GrantClientCredentials(grantContext);
return(ReturnOutcome(
validatingContext,
grantContext,
grantContext.Ticket,
Constants.Errors.UnauthorizedClient));
}
private async Task <AuthenticationTicket> InvokeTokenEndpointResourceOwnerPasswordCredentialsGrantAsync(
OAuthValidateTokenRequestContext validatingContext,
DateTimeOffset currentUtc)
{
TokenEndpointRequest tokenEndpointRequest = validatingContext.TokenRequest;
await Options.Provider.ValidateTokenRequest(validatingContext);
var grantContext = new OAuthGrantResourceOwnerCredentialsContext(
Context,
Options,
validatingContext.ClientContext.ClientId,
tokenEndpointRequest.ResourceOwnerPasswordCredentialsGrant.UserName,
tokenEndpointRequest.ResourceOwnerPasswordCredentialsGrant.Password,
tokenEndpointRequest.ResourceOwnerPasswordCredentialsGrant.Scope);
if (validatingContext.IsValidated)
{
await Options.Provider.GrantResourceOwnerCredentials(grantContext);
}
return(ReturnOutcome(
validatingContext,
grantContext,
grantContext.Ticket,
Constants.Errors.InvalidGrant));
}
private async Task <AuthenticationTicket> InvokeTokenEndpointCustomGrantAsync(
OAuthValidateTokenRequestContext validatingContext,
DateTimeOffset currentUtc)
{
TokenEndpointRequest tokenEndpointRequest = validatingContext.TokenRequest;
await Options.Provider.ValidateTokenRequest(validatingContext);
var grantContext = new OAuthGrantCustomExtensionContext(
Context,
Options,
validatingContext.ClientContext.ClientId,
tokenEndpointRequest.GrantType,
tokenEndpointRequest.CustomExtensionGrant.Parameters);
if (validatingContext.IsValidated)
{
await Options.Provider.GrantCustomExtension(grantContext);
}
return(ReturnOutcome(
validatingContext,
grantContext,
grantContext.Ticket,
Constants.Errors.UnsupportedGrantType));
}
/// <summary>
/// Initializes a new instance of the <see cref="OAuthValidateTokenRequestContext"/> class
/// </summary>
/// <param name="context"></param>
/// <param name="options"></param>
/// <param name="tokenRequest"></param>
/// <param name="clientContext"></param>
public OAuthValidateTokenRequestContext(
HttpContext context,
OAuthAuthorizationServerOptions options,
TokenEndpointRequest tokenRequest,
BaseValidatingClientContext clientContext) : base(context, options)
{
TokenRequest = tokenRequest;
ClientContext = clientContext;
}
private async Task <AuthenticationTicket> InvokeTokenEndpointRefreshTokenGrantAsync(
OAuthValidateTokenRequestContext validatingContext,
DateTimeOffset currentUtc)
{
TokenEndpointRequest tokenEndpointRequest = validatingContext.TokenRequest;
var refreshTokenContext = new AuthenticationTokenReceiveContext(
Context,
Options.RefreshTokenFormat,
tokenEndpointRequest.RefreshTokenGrant.RefreshToken);
await Options.RefreshTokenProvider.ReceiveAsync(refreshTokenContext);
AuthenticationTicket ticket = refreshTokenContext.Ticket;
if (ticket == null)
{
Logger.LogError("invalid refresh token");
validatingContext.SetError(Constants.Errors.InvalidGrant);
return(null);
}
if (!ticket.Properties.ExpiresUtc.HasValue ||
ticket.Properties.ExpiresUtc < currentUtc)
{
Logger.LogError("expired refresh token");
validatingContext.SetError(Constants.Errors.InvalidGrant);
return(null);
}
await Options.Provider.ValidateTokenRequest(validatingContext);
var grantContext = new OAuthGrantRefreshTokenContext(Context, Options, ticket, validatingContext.ClientContext.ClientId);
if (validatingContext.IsValidated)
{
await Options.Provider.GrantRefreshToken(grantContext);
}
return(ReturnOutcome(
validatingContext,
grantContext,
grantContext.Ticket,
Constants.Errors.InvalidGrant));
}
/// <summary>
/// Initializes a new instance of the <see cref="OAuthTokenEndpointContext"/> class
/// </summary>
/// <param name="context"></param>
/// <param name="options"></param>
/// <param name="ticket"></param>
/// <param name="tokenEndpointRequest"></param>
public OAuthTokenEndpointContext(
HttpContext context,
OAuthAuthorizationServerOptions options,
AuthenticationTicket ticket,
TokenEndpointRequest tokenEndpointRequest)
: base(context, options)
{
if (ticket == null)
{
throw new ArgumentNullException("ticket");
}
Identity = ticket.Principal;
Properties = ticket.Properties;
TokenEndpointRequest = tokenEndpointRequest;
AdditionalResponseParameters = new Dictionary <string, object>(StringComparer.Ordinal);
TokenIssued = Identity != null;
}
private async Task <AuthenticationTicket> InvokeTokenEndpointAuthorizationCodeGrantAsync(
OAuthValidateTokenRequestContext validatingContext,
DateTimeOffset currentUtc)
{
TokenEndpointRequest tokenEndpointRequest = validatingContext.TokenRequest;
var authorizationCodeContext = new AuthenticationTokenReceiveContext(
Context,
Options.AuthorizationCodeFormat,
tokenEndpointRequest.AuthorizationCodeGrant.Code);
await Options.AuthorizationCodeProvider.ReceiveAsync(authorizationCodeContext);
AuthenticationTicket ticket = authorizationCodeContext.Ticket;
if (ticket == null)
{
Logger.LogError("invalid authorization code");
validatingContext.SetError(Constants.Errors.InvalidGrant);
return(null);
}
if (!ticket.Properties.ExpiresUtc.HasValue ||
ticket.Properties.ExpiresUtc < currentUtc)
{
Logger.LogError("expired authorization code");
validatingContext.SetError(Constants.Errors.InvalidGrant);
return(null);
}
string clientId;
if (!ticket.Properties.Items.TryGetValue(Constants.Extra.ClientId, out clientId) ||
!String.Equals(clientId, validatingContext.ClientContext.ClientId, StringComparison.Ordinal))
{
Logger.LogError("authorization code does not contain matching client_id");
validatingContext.SetError(Constants.Errors.InvalidGrant);
return(null);
}
string redirectUri;
if (ticket.Properties.Items.TryGetValue(Constants.Extra.RedirectUri, out redirectUri))
{
ticket.Properties.Items.Remove(Constants.Extra.RedirectUri);
if (!String.Equals(redirectUri, tokenEndpointRequest.AuthorizationCodeGrant.RedirectUri, StringComparison.Ordinal))
{
Logger.LogError("authorization code does not contain matching redirect_uri");
validatingContext.SetError(Constants.Errors.InvalidGrant);
return(null);
}
}
await Options.Provider.ValidateTokenRequest(validatingContext);
var grantContext = new OAuthGrantAuthorizationCodeContext(
Context, Options, ticket);
if (validatingContext.IsValidated)
{
await Options.Provider.GrantAuthorizationCode(grantContext);
}
return(ReturnOutcome(
validatingContext,
grantContext,
grantContext.Ticket,
Constants.Errors.InvalidGrant));
}
private async Task InvokeTokenEndpointAsync()
{
DateTimeOffset currentUtc = Options.SystemClock.UtcNow;
// remove milliseconds in case they don't round-trip
currentUtc = currentUtc.Subtract(TimeSpan.FromMilliseconds(currentUtc.Millisecond));
if (!Request.HasFormContentType)
{
Logger.LogError("content-type is not application/x-www-form-urlencoded");
var errorContext = new OAuthValidateTokenRequestContext(Context, Options, null, null);
errorContext.SetError(Constants.Errors.UnsupportedContentType);
await SendErrorAsJsonAsync(errorContext);
return;
}
IFormCollection form = await Request.ReadFormAsync();
var clientContext = new OAuthValidateClientAuthenticationContext(
Context,
Options,
form);
await Options.Provider.ValidateClientAuthentication(clientContext);
if (!clientContext.IsValidated)
{
Logger.LogError("clientID is not valid.");
if (!clientContext.HasError)
{
clientContext.SetError(Constants.Errors.InvalidClient);
}
await SendErrorAsJsonAsync(clientContext);
return;
}
var tokenEndpointRequest = new TokenEndpointRequest(form);
var validatingContext = new OAuthValidateTokenRequestContext(Context, Options, tokenEndpointRequest, clientContext);
AuthenticationTicket ticket = null;
if (tokenEndpointRequest.IsAuthorizationCodeGrantType)
{
// Authorization Code Grant http://tools.ietf.org/html/rfc6749#section-4.1
// Access Token Request http://tools.ietf.org/html/rfc6749#section-4.1.3
ticket = await InvokeTokenEndpointAuthorizationCodeGrantAsync(validatingContext, currentUtc);
}
else if (tokenEndpointRequest.IsResourceOwnerPasswordCredentialsGrantType)
{
// Resource Owner Password Credentials Grant http://tools.ietf.org/html/rfc6749#section-4.3
// Access Token Request http://tools.ietf.org/html/rfc6749#section-4.3.2
ticket = await InvokeTokenEndpointResourceOwnerPasswordCredentialsGrantAsync(validatingContext, currentUtc);
}
else if (tokenEndpointRequest.IsClientCredentialsGrantType)
{
// Client Credentials Grant http://tools.ietf.org/html/rfc6749#section-4.4
// Access Token Request http://tools.ietf.org/html/rfc6749#section-4.4.2
ticket = await InvokeTokenEndpointClientCredentialsGrantAsync(validatingContext, currentUtc);
}
else if (tokenEndpointRequest.IsRefreshTokenGrantType)
{
// Refreshing an Access Token
// http://tools.ietf.org/html/rfc6749#section-6
ticket = await InvokeTokenEndpointRefreshTokenGrantAsync(validatingContext, currentUtc);
}
else if (tokenEndpointRequest.IsCustomExtensionGrantType)
{
// Defining New Authorization Grant Types
// http://tools.ietf.org/html/rfc6749#section-8.3
ticket = await InvokeTokenEndpointCustomGrantAsync(validatingContext, currentUtc);
}
else
{
// Error Response http://tools.ietf.org/html/rfc6749#section-5.2
// The authorization grant type is not supported by the
// authorization server.
Logger.LogError("grant type is not recognized");
validatingContext.SetError(Constants.Errors.UnsupportedGrantType);
}
if (ticket == null)
{
await SendErrorAsJsonAsync(validatingContext);
return;
}
ticket.Properties.IssuedUtc = currentUtc;
ticket.Properties.ExpiresUtc = currentUtc.Add(Options.AccessTokenExpireTimeSpan);
var tokenEndpointContext = new OAuthTokenEndpointContext(
Context,
Options,
ticket,
tokenEndpointRequest);
await Options.Provider.TokenEndpoint(tokenEndpointContext);
if (tokenEndpointContext.TokenIssued)
{
ticket = new AuthenticationTicket(
tokenEndpointContext.Identity,
tokenEndpointContext.Properties,
Options.AuthenticationType);
}
else
{
Logger.LogError("Token was not issued to tokenEndpointContext");
validatingContext.SetError(Constants.Errors.InvalidGrant);
await SendErrorAsJsonAsync(validatingContext);
return;
}
var accessTokenContext = new AuthenticationTokenCreateContext(
Context,
Options.AccessTokenFormat,
ticket);
await Options.AccessTokenProvider.CreateAsync(accessTokenContext);
string accessToken = accessTokenContext.Token;
if (string.IsNullOrEmpty(accessToken))
{
accessToken = accessTokenContext.SerializeTicket();
}
DateTimeOffset?accessTokenExpiresUtc = ticket.Properties.ExpiresUtc;
var refreshTokenCreateContext = new AuthenticationTokenCreateContext(
Context,
Options.RefreshTokenFormat,
accessTokenContext.Ticket);
await Options.RefreshTokenProvider.CreateAsync(refreshTokenCreateContext);
string refreshToken = refreshTokenCreateContext.Token;
var tokenEndpointResponseContext = new OAuthTokenEndpointResponseContext(
Context,
Options,
ticket,
tokenEndpointRequest,
accessToken,
tokenEndpointContext.AdditionalResponseParameters);
await Options.Provider.TokenEndpointResponse(tokenEndpointResponseContext);
StringBuilder body = new StringBuilder();
TextWriter stringWriter = new StringWriter(body);
using (var writer = new JsonTextWriter(stringWriter))
{
writer.WriteStartObject();
writer.WritePropertyName(Constants.Parameters.AccessToken);
writer.WriteValue(accessToken);
writer.WritePropertyName(Constants.Parameters.TokenType);
writer.WriteValue(Constants.TokenTypes.Bearer);
if (accessTokenExpiresUtc.HasValue)
{
TimeSpan?expiresTimeSpan = accessTokenExpiresUtc - currentUtc;
var expiresIn = (long)expiresTimeSpan.Value.TotalSeconds;
if (expiresIn > 0)
{
writer.WritePropertyName(Constants.Parameters.ExpiresIn);
writer.WriteValue(expiresIn);
}
}
if (!String.IsNullOrEmpty(refreshToken))
{
writer.WritePropertyName(Constants.Parameters.RefreshToken);
writer.WriteValue(refreshToken);
}
foreach (var additionalResponseParameter in tokenEndpointResponseContext.AdditionalResponseParameters)
{
writer.WritePropertyName(additionalResponseParameter.Key);
writer.WriteValue(additionalResponseParameter.Value);
}
writer.WriteEndObject();
writer.Flush();
}
Response.ContentType = "application/json;charset=UTF-8";
Response.Headers.Set("Cache-Control", "no-cache");
Response.Headers.Set("Pragma", "no-cache");
Response.Headers.Set("Expires", "-1");
Response.ContentLength = body.Length;
await Response.WriteAsync(body.ToString());
}
