/// <summary>
        /// Authorization Server middleware component which is added to an OWIN pipeline. This constructor is not
        /// called by application code directly, instead it is added by calling the the IAppBuilder UseOpenIdConnectServer
        /// extension method.
        /// </summary>
        public OpenIdConnectServerMiddleware(OwinMiddleware next, IAppBuilder app, OpenIdConnectServerOptions options)
            : base(next, options)
        {
            if (Options.HtmlEncoder == null)
            {
                throw new ArgumentException("The HTML encoder registered in the options " +
                                            "cannot be null.", nameof(options));
            }

            if (Options.Provider == null)
            {
                throw new ArgumentException("The authorization provider registered in " +
                                            "the options cannot be null.", nameof(options));
            }

            if (Options.SystemClock == null)
            {
                throw new ArgumentException("The system clock registered in the options " +
                                            "cannot be null.", nameof(options));
            }

            if (Options.Issuer != null)
            {
                if (!Options.Issuer.IsAbsoluteUri)
                {
                    throw new ArgumentException("The issuer registered in the options must be " +
                                                "a valid absolute URI.", nameof(options));
                }

                // See http://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery
                if (!string.IsNullOrEmpty(Options.Issuer.Query) || !string.IsNullOrEmpty(Options.Issuer.Fragment))
                {
                    throw new ArgumentException("The issuer registered in the options must contain no query " +
                                                "and no fragment parts.", nameof(options));
                }

                // Note: while the issuer parameter should be a HTTPS URI, making HTTPS mandatory
                // in Owin.Security.OpenIdConnect.Server would prevent the end developer from
                // running the different samples in test environments, where HTTPS is often disabled.
                // To mitigate this issue, AllowInsecureHttp can be set to true to bypass the HTTPS check.
                // See http://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery
                if (!Options.AllowInsecureHttp && string.Equals(Options.Issuer.Scheme, Uri.UriSchemeHttp, StringComparison.OrdinalIgnoreCase))
                {
                    throw new ArgumentException("The issuer registered in the options must be a HTTPS URI when " +
                                                "AllowInsecureHttp is not set to true.", nameof(options));
                }
            }

            if (Options.AccessTokenHandler != null && !(Options.AccessTokenHandler is ISecurityTokenValidator))
            {
                throw new ArgumentException("The access token handler must implement 'ISecurityTokenValidator'.", nameof(options));
            }

            if (Options.Logger == null)
            {
                Options.Logger = new LoggerFactory().CreateLogger <OpenIdConnectServerMiddleware>();
            }

            if (Options.DataProtectionProvider == null)
            {
                // Try to use the application name provided by
                // the OWIN host as the application discriminator.
                var discriminator = new AppProperties(app.Properties).AppName;

                // When an application discriminator cannot be resolved from
                // the OWIN host properties, generate a temporary identifier.
                if (string.IsNullOrEmpty(discriminator))
                {
                    discriminator = Guid.NewGuid().ToString();
                }

                Options.DataProtectionProvider = DataProtectionProvider.Create(discriminator);
            }

            if (Options.AccessTokenFormat == null)
            {
                var protector = Options.DataProtectionProvider.CreateProtector(
                    nameof(OpenIdConnectServerMiddleware),
                    Options.AuthenticationType, "Access_Token", "v1");

                Options.AccessTokenFormat = new AspNetTicketDataFormat(new DataProtectorShim(protector));
            }

            if (Options.AuthorizationCodeFormat == null)
            {
                var protector = Options.DataProtectionProvider.CreateProtector(
                    nameof(OpenIdConnectServerMiddleware),
                    Options.AuthenticationType, "Authorization_Code", "v1");

                Options.AuthorizationCodeFormat = new AspNetTicketDataFormat(new DataProtectorShim(protector));
            }

            if (Options.RefreshTokenFormat == null)
            {
                var protector = Options.DataProtectionProvider.CreateProtector(
                    nameof(OpenIdConnectServerMiddleware),
                    Options.AuthenticationType, "Refresh_Token", "v1");

                Options.RefreshTokenFormat = new AspNetTicketDataFormat(new DataProtectorShim(protector));
            }

            var environment = new AppProperties(app.Properties).Get <string>("host.AppMode");

            if (Options.AllowInsecureHttp && !string.Equals(environment, "Development", StringComparison.OrdinalIgnoreCase))
            {
                Options.Logger.LogWarning("Disabling the transport security requirement is not recommended on production. " +
                                          "Consider setting 'OpenIdConnectServerOptions.AllowInsecureHttp' to 'false' " +
                                          "to prevent the OpenID Connect server middleware from serving non-HTTPS requests.");
            }

            // If no key has been explicitly added, use the fallback mode.
            if (Options.EncryptingCredentials.Count == 0 || Options.SigningCredentials.Count == 0)
            {
                // When detecting a non-development environment, log a warning to inform the developer
                // that registering a X.509 certificate is recommended when going live.
                if (!string.Equals(environment, "Development", StringComparison.OrdinalIgnoreCase))
                {
                    Options.Logger.LogWarning("No explicit signing credentials have been registered. " +
                                              "Using a X.509 certificate stored in the machine store " +
                                              "is recommended for production environments.");
                }

                var directory = OpenIdConnectServerHelpers.GetDefaultKeyStorageDirectory();
                if (directory == null)
                {
                    Options.Logger.LogError("No suitable directory can be found to store the dynamically-generated RSA keys.");

                    return;
                }

                // Get a data protector from the services provider.
                var protector = Options.DataProtectionProvider.CreateProtector(
                    nameof(OpenIdConnectServerMiddleware),
                    Options.AuthenticationType, "Keys", "v1");

                // Note: all the exceptions thrown when enumerating
                // existing keys or generating new ones must be caught.
                try {
                    foreach (var key in OpenIdConnectServerHelpers.GetKeys(directory))
                    {
                        // Extract the key material using the data protector.
                        // Ignore the key if the decryption process failed.
                        string usage;
                        var    parameters = OpenIdConnectServerHelpers.DecryptKey(protector, key.Value, out usage);
                        if (parameters == null)
                        {
                            Options.Logger.LogDebug("An invalid/incompatible key was ignored: {Key}.", key.Key);

                            continue;
                        }

                        if (string.Equals(usage, "Encryption", StringComparison.OrdinalIgnoreCase))
                        {
                            var algorithm = RSA.Create();
                            algorithm.ImportParameters(parameters.Value);

                            // Add the key to the encryption credentials list.
                            Options.EncryptingCredentials.AddKey(new RsaSecurityKey(algorithm));

                            Options.Logger.LogInformation("An existing key was automatically added to the " +
                                                          "encryption credentials list: {Key}.", key.Key);
                        }

                        else if (string.Equals(usage, "Signing", StringComparison.OrdinalIgnoreCase))
                        {
                            var algorithm = RSA.Create();
                            algorithm.ImportParameters(parameters.Value);

                            // Add the key to the signing credentials list.
                            Options.SigningCredentials.AddKey(new RsaSecurityKey(algorithm));

                            Options.Logger.LogInformation("An existing key was automatically added to the " +
                                                          "signing credentials list: {Key}.", key.Key);
                        }
                    }
                }

                catch (Exception exception) {
                    Options.Logger.LogDebug("An error ocurred when retrieving the keys stored " +
                                            "on the disk: {Exception}.", exception.ToString());
                }

                // Note: all the exceptions thrown when enumerating
                // existing keys or generating new ones must be caught.
                try {
                    // If no encryption key has been found, generate and persist a new RSA key.
                    if (Options.EncryptingCredentials.Count == 0)
                    {
                        // Generate a new RSA key and export its public/private parameters.
                        var algorithm  = OpenIdConnectServerHelpers.GenerateKey(size: 2048);
                        var parameters = algorithm.ExportParameters(/* includePrivateParameters: */ true);

                        // Add the encryption key to the credentials list before trying to persist it on the disk.
                        Options.EncryptingCredentials.AddKey(new RsaSecurityKey(algorithm));

                        try {
                            // Encrypt the key using the data protector and try to persist it on the disk.
                            var key  = OpenIdConnectServerHelpers.EncryptKey(protector, parameters, usage: "Encryption");
                            var path = OpenIdConnectServerHelpers.PersistKey(directory, key);

                            Options.Logger.LogInformation("A new RSA key was automatically generated, added to the " +
                                                          "encryption credentials list and persisted on the disk: {Path}.", path);
                        }

                        catch (Exception exception) {
                            Options.Logger.LogWarning("An error ocurred when persisting a new key on the disk: {Exception}. " +
                                                      "The key will be kept in memory and will be lost when the " +
                                                      "application shuts down or restarts.", exception.ToString());
                        }
                    }

                    // If no signing key has been found, generate and persist a new RSA key.
                    if (Options.SigningCredentials.Count == 0)
                    {
                        // Generate a new RSA key and export its public/private parameters.
                        var algorithm  = OpenIdConnectServerHelpers.GenerateKey(size: 2048);
                        var parameters = algorithm.ExportParameters(/* includePrivateParameters: */ true);

                        // Add the signing key to the credentials list before trying to persist it on the disk.
                        Options.SigningCredentials.AddKey(new RsaSecurityKey(algorithm));

                        try {
                            // Encrypt the key using the data protector and try to persist it on the disk.
                            var key  = OpenIdConnectServerHelpers.EncryptKey(protector, parameters, usage: "Signing");
                            var path = OpenIdConnectServerHelpers.PersistKey(directory, key);

                            Options.Logger.LogInformation("A new RSA key was automatically generated, added to the " +
                                                          "signing credentials list and persisted on the disk: {Path}.", path);
                        }

                        catch (Exception exception) {
                            Options.Logger.LogWarning("An error ocurred when persisting a new key on the disk: {Exception}. " +
                                                      "The key will be kept in memory and will be lost when the " +
                                                      "application shuts down or restarts.", exception.ToString());
                        }
                    }
                }

                catch (Exception exception) {
                    Options.Logger.LogDebug("An error ocurred when generating a new key: {Exception}.", exception.ToString());
                }
            }

            if (Options.SigningCredentials.Count == 0)
            {
                throw new ArgumentException("At least one signing key must be registered.", nameof(options));
            }
        }
        /// <summary>
        /// Authorization Server middleware component which is added to an OWIN pipeline. This constructor is not
        /// called by application code directly, instead it is added by calling the the IAppBuilder UseOpenIdConnectServer
        /// extension method.
        /// </summary>
        public OpenIdConnectServerMiddleware(OwinMiddleware next, IAppBuilder app, OpenIdConnectServerOptions options)
            : base(next, options)
        {
            if (Options.HtmlEncoder == null)
            {
                throw new ArgumentException("The HTML encoder registered in the options " +
                                            "cannot be null.", nameof(options));
            }

            if (Options.Provider == null)
            {
                throw new ArgumentException("The authorization provider registered in " +
                                            "the options cannot be null.", nameof(options));
            }

            if (Options.RandomNumberGenerator == null)
            {
                throw new ArgumentException("The random number generator registered in " +
                                            "the options cannot be null.", nameof(options));
            }

            if (Options.SystemClock == null)
            {
                throw new ArgumentException("The system clock registered in the options " +
                                            "cannot be null.", nameof(options));
            }

            if (Options.Issuer != null)
            {
                if (!Options.Issuer.IsAbsoluteUri)
                {
                    throw new ArgumentException("The issuer registered in the options must be " +
                                                "a valid absolute URI.", nameof(options));
                }

                // See http://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery
                if (!string.IsNullOrEmpty(Options.Issuer.Query) || !string.IsNullOrEmpty(Options.Issuer.Fragment))
                {
                    throw new ArgumentException("The issuer registered in the options must contain no query " +
                                                "and no fragment parts.", nameof(options));
                }

                // Note: while the issuer parameter should be a HTTPS URI, making HTTPS mandatory
                // in Owin.Security.OpenIdConnect.Server would prevent the end developer from
                // running the different samples in test environments, where HTTPS is often disabled.
                // To mitigate this issue, AllowInsecureHttp can be set to true to bypass the HTTPS check.
                // See http://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery
                if (!Options.AllowInsecureHttp && string.Equals(Options.Issuer.Scheme, Uri.UriSchemeHttp, StringComparison.OrdinalIgnoreCase))
                {
                    throw new ArgumentException("The issuer registered in the options must be a HTTPS URI when " +
                                                "AllowInsecureHttp is not set to true.", nameof(options));
                }
            }

            if (Options.Logger == null)
            {
                Options.Logger = new LoggerFactory().CreateLogger <OpenIdConnectServerMiddleware>();
            }

            if (Options.DataProtectionProvider == null)
            {
                // Create a new DI container and register
                // the data protection services.
                var services = new ServiceCollection();

                services.AddDataProtection(configuration => {
                    // Try to use the application name provided by
                    // the OWIN host as the application discriminator.
                    var discriminator = new AppProperties(app.Properties).AppName;

                    // When an application discriminator cannot be resolved from
                    // the OWIN host properties, generate a temporary identifier.
                    if (string.IsNullOrEmpty(discriminator))
                    {
                        discriminator = Guid.NewGuid().ToString();
                    }

                    configuration.ApplicationDiscriminator = discriminator;
                });

                var container = services.BuildServiceProvider();

                // Resolve a data protection provider from the services container.
                Options.DataProtectionProvider = container.GetRequiredService <IDataProtectionProvider>();
            }

            if (Options.AccessTokenFormat == null)
            {
                var protector = Options.DataProtectionProvider.CreateProtector(
                    nameof(OpenIdConnectServerMiddleware),
                    Options.AuthenticationType, "Access_Token", "v1");

                Options.AccessTokenFormat = new AspNetTicketDataFormat(new DataProtectorShim(protector));
            }

            if (Options.AuthorizationCodeFormat == null)
            {
                var protector = Options.DataProtectionProvider.CreateProtector(
                    nameof(OpenIdConnectServerMiddleware),
                    Options.AuthenticationType, "Authorization_Code", "v1");

                Options.AuthorizationCodeFormat = new AspNetTicketDataFormat(new DataProtectorShim(protector));
            }

            if (Options.RefreshTokenFormat == null)
            {
                var protector = Options.DataProtectionProvider.CreateProtector(
                    nameof(OpenIdConnectServerMiddleware),
                    Options.AuthenticationType, "Refresh_Token", "v1");

                Options.RefreshTokenFormat = new AspNetTicketDataFormat(new DataProtectorShim(protector));
            }

            // If no key has been explicitly added, use the fallback mode.
            if (Options.EncryptingCredentials.Count == 0 || Options.SigningCredentials.Count == 0)
            {
                var directory = OpenIdConnectServerHelpers.GetDefaultKeyStorageDirectory();
                Debug.Assert(directory != null);

                // Get a data protector from the services provider.
                var protector = Options.DataProtectionProvider.CreateProtector(
                    nameof(OpenIdConnectServerMiddleware),
                    Options.AuthenticationType, "Keys", "v1");

                foreach (var file in directory.EnumerateFiles("*.key"))
                {
                    using (var buffer = new MemoryStream())
                        using (var stream = file.Open(FileMode.Open, FileAccess.Read, FileShare.Read)) {
                            // Copy the key content to the buffer.
                            stream.CopyTo(buffer);

                            // Extract the key material using the data protector.
                            // Ignore the key if the decryption process failed.
                            string usage;
                            var    parameters = OpenIdConnectServerHelpers.DecryptKey(protector, buffer.ToArray(), out usage);
                            if (parameters == null)
                            {
                                Options.Logger.LogDebug("An invalid/incompatible key was ignored: {Key}.", file.FullName);

                                continue;
                            }

                            if (string.Equals(usage, "Encryption", StringComparison.OrdinalIgnoreCase))
                            {
                                // Only add the encryption key if none has been explictly added.
                                if (Options.EncryptingCredentials.Count != 0)
                                {
                                    continue;
                                }

                                var algorithm = RSA.Create();
                                algorithm.ImportParameters(parameters.Value);

                                // Add the key to the encryption credentials list.
                                Options.EncryptingCredentials.AddKey(new RsaSecurityKey(algorithm));

                                Options.Logger.LogInformation("An existing key was automatically added to the " +
                                                              "encryption credentials list: {Key}.", file.FullName);
                            }

                            else if (string.Equals(usage, "Signing", StringComparison.OrdinalIgnoreCase))
                            {
                                // Only add the signing key if none has been explictly added.
                                if (Options.SigningCredentials.Count != 0)
                                {
                                    continue;
                                }

                                var algorithm = RSA.Create();
                                algorithm.ImportParameters(parameters.Value);

                                // Add the key to the signing credentials list.
                                Options.SigningCredentials.AddKey(new RsaSecurityKey(algorithm));

                                Options.Logger.LogInformation("An existing key was automatically added to the " +
                                                              "signing credentials list: {Key}.", file.FullName);
                            }
                        }
                }

                // If no encryption key has been found, generate and persist a new RSA key.
                if (Options.EncryptingCredentials.Count == 0)
                {
                    // Generate a new RSA key and export its public/private parameters.
                    var algorithm  = OpenIdConnectServerHelpers.GenerateKey(size: 2048);
                    var parameters = algorithm.ExportParameters(/* includePrivateParameters: */ true);

                    // Generate a new file name for the key and determine its absolute path.
                    var path = Path.Combine(directory.FullName, Guid.NewGuid().ToString() + ".key");

                    using (var stream = new FileStream(path, FileMode.CreateNew, FileAccess.Write)) {
                        // Encrypt the key using the data protector.
                        var bytes = OpenIdConnectServerHelpers.EncryptKey(protector, parameters, usage: "Encryption");

                        // Write the encrypted key to the file stream.
                        stream.Write(bytes, 0, bytes.Length);
                    }

                    Options.EncryptingCredentials.AddKey(new RsaSecurityKey(algorithm));

                    Options.Logger.LogInformation("A new RSA key was automatically generated, added to the " +
                                                  "encryption credentials list and persisted on the disk: {Path}.", path);
                }

                // If no signing key has been found, generate and persist a new RSA key.
                if (Options.SigningCredentials.Count == 0)
                {
                    // Generate a new RSA key and export its public/private parameters.
                    var algorithm  = OpenIdConnectServerHelpers.GenerateKey(size: 2048);
                    var parameters = algorithm.ExportParameters(/* includePrivateParameters: */ true);

                    // Generate a new file name for the key and determine its absolute path.
                    var path = Path.Combine(directory.FullName, Guid.NewGuid().ToString() + ".key");

                    using (var stream = new FileStream(path, FileMode.CreateNew, FileAccess.Write)) {
                        // Encrypt the key using the data protector.
                        var bytes = OpenIdConnectServerHelpers.EncryptKey(protector, parameters, usage: "Signing");

                        // Write the encrypted key to the file stream.
                        stream.Write(bytes, 0, bytes.Length);
                    }

                    Options.SigningCredentials.AddKey(new RsaSecurityKey(algorithm));

                    Options.Logger.LogInformation("A new RSA key was automatically generated, added to the " +
                                                  "signing credentials list and persisted on the disk: {Path}.", path);
                }
            }
        }