public async Task <IActionResult> RegisterExternal([FromBody] RegisterExternalBindingModel model)
{
EnsureDatabaseCreated(_applicationDbContext);
if (ModelState.IsValid)
{
var isValid = await _externalAuthManager.VerifyExternalAccessToken(model.AccessToken, model.Provider);
if (!isValid)
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "Invalid access_token, this usually happens when it is expired"
}));
}
var profile = await _externalAuthManager.GetProfile(model.AccessToken, model.Provider);
var user = new ApplicationUser {
UserName = profile.email,
Email = profile.email,
FirstName = profile.first_name,
LastName = profile.last_name
};
var externalAccount = new ExternalAccount()
{
Id = Guid.NewGuid().ToString(),
AddedAt = DateTimeOffset.Now,
Provider = model.Provider,
ProviderUserId = profile.id
};
user.ExternalAccounts.Add(externalAccount);
var result = await _userManager.CreateAsync(user);
if (result.Succeeded)
{
return(Ok());
}
AddErrors(result);
}
// If we got this far, something failed.
return(BadRequest(ModelState));
}
public async Task <IActionResult> Exchange(OpenIdConnectRequest request)
{
if (request.IsPasswordGrantType())
{
var user = await _userManager.FindByNameAsync(request.Username);
if (user == null)
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "The username/password couple is invalid."
}));
}
// Ensure the user is allowed to sign in.
if (!await _signInManager.CanSignInAsync(user))
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "The specified user is not allowed to sign in."
}));
}
// Reject the token request if two-factor authentication has been enabled by the user.
if (_userManager.SupportsUserTwoFactor && await _userManager.GetTwoFactorEnabledAsync(user))
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "The specified user is not allowed to sign in."
}));
}
// Ensure the user is not already locked out.
if (_userManager.SupportsUserLockout && await _userManager.IsLockedOutAsync(user))
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "The username/password couple is invalid."
}));
}
// Ensure the password is valid.
if (!await _userManager.CheckPasswordAsync(user, request.Password))
{
if (_userManager.SupportsUserLockout)
{
await _userManager.AccessFailedAsync(user);
}
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "The username/password couple is invalid."
}));
}
if (_userManager.SupportsUserLockout)
{
await _userManager.ResetAccessFailedCountAsync(user);
}
// Create a new authentication ticket.
var ticket = await CreateTicketAsync(request, user);
return(SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme));
}
else if (request.GrantType == "urn:ietf:params:oauth:grant-type:external_identity_token")
{
//Assertion should be the access_token
// Reject the request if the "assertion" parameter is missing.
if (string.IsNullOrEmpty(request.Assertion))
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "The mandatory 'assertion' parameter was missing."
}));
}
;
ExternalAuthProviders provider;
var providerExists = Enum.TryParse(request["provider"].ToString(), out provider);
if (!providerExists)
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "The mandatory 'provider' parameter was missing."
}));
}
;
var isValid = await _externalAuthManager.VerifyExternalAccessToken(request.Assertion, provider);
if (!isValid)
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "Invalid access_token, this usually happens when it is expired"
}));
}
var profile = await _externalAuthManager.GetProfile(request.Assertion, provider);
var user = await _userManager.FindByEmailAsync(profile.email);
if (user == null)
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "The user does not exist"
}));
}
var ticket = await CreateTicketAsync(request, user);
// Create a new ClaimsIdentity containing the claims that
// will be used to create an id_token and/or an access token.
//var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
// Manually validate the identity token issued by Google,
// including the issuer, the signature and the audience.
// Then, copy the claims you need to the "identity" instance.
// Create a new authentication ticket holding the user identity.
//var ticket = new AuthenticationTicket(
// new ClaimsPrincipal(identity),
// new AuthenticationProperties(),
// OpenIdConnectServerDefaults.AuthenticationScheme);
//ticket.SetScopes(
// OpenIdConnectConstants.Scopes.OpenId,
// OpenIdConnectConstants.Scopes.OfflineAccess);
return(SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme));
}
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.UnsupportedGrantType,
ErrorDescription = "The specified grant type is not supported."
}));
}