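/// <summary>
/// Redeems an authorization code grant: issues a token response for the grant's resource
/// owner, optionally issues a refresh token grant, and deletes the redeemed code so it
/// cannot be presented again.
/// </summary>
/// <param name="handle">The stored authorization code grant being redeemed.</param>
/// <param name="handleManager">Store used to persist the new refresh token grant and to delete the redeemed code.</param>
/// <returns>The token response; <c>RefreshToken</c> is set only when <paramref name="handle"/> asks for one.</returns>
/// <exception cref="InvalidOperationException">
/// Thrown when <paramref name="handle"/> requests a refresh token but carries no refresh token expiration.
/// </exception>
        public virtual TokenResponse CreateTokenResponseFromAuthorizationCode(StoredGrant handle, IStoredGrantManager handleManager)
        {
            // NOTE(review): unlike CreateTokenResponseFromRefreshToken, this method does not check
            // handle.Expiration itself; confirm the caller rejects expired codes before calling.
            var resourceOwner = Principal.Create(
                "OAuth2",
                handle.ResourceOwner.ToClaims().ToArray());

            var validatedRequest = new ValidatedRequest
            {
                Client = handle.Client,
                Application = handle.Application,
                Scopes = handle.Scopes
            };

            var response = CreateTokenResponse(validatedRequest, resourceOwner);

            if (handle.CreateRefreshToken)
            {
                // Same exception type as the bare .Value access would raise, but with a message
                // that points at the actual problem instead of "Nullable object must have a value".
                if (!handle.RefreshTokenExpiration.HasValue)
                {
                    throw new InvalidOperationException(
                        "Authorization code grant requests a refresh token but has no refresh token expiration.");
                }

                // Presumably controls whether the new grant may itself issue a further refresh
                // token when it is redeemed; both client and application must allow it.
                var allowFurtherRefresh = validatedRequest.Client.AllowRefreshToken && validatedRequest.Application.AllowRefreshToken;

                var refreshTokenHandle = StoredGrant.CreateRefreshTokenHandle(
                    resourceOwner.GetSubject(),
                    handle.Client,
                    handle.Application,
                    resourceOwner.Claims,
                    handle.Scopes,
                    handle.RefreshTokenExpiration.Value,
                    allowFurtherRefresh);

                handleManager.Add(refreshTokenHandle);
                response.RefreshToken = refreshTokenHandle.GrantId;
            }

            // The redeemed code is removed so a second presentation of it finds no grant.
            handleManager.Delete(handle.GrantId);

            return response;
        }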
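        /// <summary>
        /// Exchanges a stored authorization code grant for a token response. When the grant asks
        /// for a refresh token, a refresh token grant is persisted and its id returned alongside
        /// the tokens. The code grant is deleted once it has been redeemed.
        /// </summary>
        /// <param name="handle">The authorization code grant to redeem.</param>
        /// <param name="handleManager">Store that receives the refresh token grant and loses the redeemed code.</param>
        /// <returns>The token response for the grant's resource owner, client, application and scopes.</returns>
        /// <exception cref="InvalidOperationException">
        /// Thrown when the grant requests a refresh token but <c>RefreshTokenExpiration</c> is not set.
        /// </exception>
        public virtual TokenResponse CreateTokenResponseFromAuthorizationCode(StoredGrant handle, IStoredGrantManager handleManager)
        {
            // NOTE(review): no expiration check is performed here (the refresh token path checks
            // handle.Expiration); confirm the caller verifies the code has not expired.
            var resourceOwner = Principal.Create(
                "OAuth2",
                handle.ResourceOwner.ToClaims().ToArray());

            var validatedRequest = new ValidatedRequest
            {
                Client      = handle.Client,
                Application = handle.Application,
                Scopes      = handle.Scopes
            };

            var response = CreateTokenResponse(validatedRequest, resourceOwner);

            if (handle.CreateRefreshToken)
            {
                // Make the missing-expiration case diagnosable: .Value alone would throw the same
                // exception type with a generic message.
                if (!handle.RefreshTokenExpiration.HasValue)
                {
                    throw new InvalidOperationException(
                        "Authorization code grant requests a refresh token but has no refresh token expiration.");
                }

                var refreshTokenHandle = StoredGrant.CreateRefreshTokenHandle(
                    resourceOwner.GetSubject(),
                    handle.Client,
                    handle.Application,
                    resourceOwner.Claims,
                    handle.Scopes,
                    handle.RefreshTokenExpiration.Value);

                handleManager.Add(refreshTokenHandle);
                response.RefreshToken = refreshTokenHandle.GrantId;
            }

            // Remove the redeemed code so it cannot be presented a second time.
            handleManager.Delete(handle.GrantId);

            return response;
        }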
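        /// <summary>
        /// Handles the resource owner password credentials grant: validates the supplied user
        /// name and password, then issues an access token and, when both client and application
        /// allow it, a refresh token grant.
        /// </summary>
        /// <param name="validatedRequest">The validated token request carrying the credentials, client, application and scopes.</param>
        /// <returns>
        /// A token response, or an <c>invalid_grant</c> OAuth error response when the credentials
        /// do not yield an authenticated principal.
        /// </returns>
        private HttpResponseMessage ProcessResourceOwnerCredentialRequest(ValidatedRequest validatedRequest)
        {
            // Refresh tokens from this grant type get a fixed lifetime; there is no per-request
            // "remember me" choice as in the consent flow.
            const int RefreshTokenLifetimeInYears = 5;

            Tracing.Information("Processing resource owner credential request");

            ClaimsPrincipal principal;

            try
            {
                principal = _rocv.Validate(validatedRequest.UserName, validatedRequest.Password);
            }
            catch (Exception ex)
            {
                // Validator failures are logged and rethrown unchanged; they are not turned into
                // an OAuth error response here.
                Tracing.Error("Resource owner credential validation failed: " + ex.ToString());
                throw;
            }

            // A validator may hand back null, or a principal whose Identity is null; neither is an
            // authenticated user. Checking Identity explicitly avoids a NullReferenceException.
            var authenticated = principal != null
                && principal.Identity != null
                && principal.Identity.IsAuthenticated;

            if (!authenticated)
            {
                return Request.CreateOAuthErrorResponse(OAuthConstants.Errors.InvalidGrant);
            }

            var sts      = new TokenService(this._config.GlobalConfiguration);
            var response = sts.CreateTokenResponse(validatedRequest, principal);

            // check if refresh token is enabled for the client
            if (validatedRequest.Client.AllowRefreshToken && validatedRequest.Application.AllowRefreshToken)
            {
                var handle = StoredGrant.CreateRefreshTokenHandle(
                    principal.GetSubject(),
                    validatedRequest.Client,
                    validatedRequest.Application,
                    principal.Claims,
                    validatedRequest.Scopes,
                    DateTime.UtcNow.AddYears(RefreshTokenLifetimeInYears));

                _handleManager.Add(handle);
                response.RefreshToken = handle.GrantId;
            }

            return Request.CreateTokenResponse(response);
        }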
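        /// <summary>
        /// Handles the consent form post of the OAuth2 authorize endpoint: the user either allowed
        /// or denied the request, possibly narrowing the granted scopes and choosing how long a
        /// refresh token (or a remembered consent decision) should live.
        /// </summary>
        /// <param name="appName">Name of the registered application the request belongs to.</param>
        /// <param name="button">Which consent button was pressed: "yes" or "no".</param>
        /// <param name="scopes">Names of the scopes the user ticked on the consent page.</param>
        /// <param name="request">The authorize request, re-posted with the consent form.</param>
        /// <param name="rememberDuration">
        /// Refresh token lifetime in hours as chosen on the form; -1 selects the long-lived option
        /// (and, for the implicit flow, a stored consent decision); null means nothing was selected.
        /// </param>
        /// <returns>
        /// The grant result redirecting to the client, an OAuth error redirect, the consent view
        /// again when no scope was chosen, or 404 when the application is unknown.
        /// </returns>
        public ActionResult HandleConsentResponse(string appName, string button, string[] scopes, AuthorizeRequest request, int? rememberDuration = null)
        {
            Tracing.Start("OAuth2 Authorize Endoint - Consent response");

            // make sure application is registered
            var application = _config.FindApplication(appName);

            if (application == null)
            {
                Tracing.Error("Application not found: " + appName);
                return HttpNotFound();
            }

            // Everything below comes from the form post. Validate the re-posted authorize request
            // before redirecting anywhere, so that the "no" branch and the fallback at the end do
            // not send the browser to a redirect_uri that has not been checked against the
            // application. (Presumably the validator covers redirect_uri; confirm against
            // AuthorizeRequestValidator.)
            ValidatedRequest validatedRequest;
            try
            {
                validatedRequest = new AuthorizeRequestValidator().Validate(application, request);
            }
            catch (AuthorizeRequestValidationException ex)
            {
                Tracing.Error("Aborting OAuth2 authorization request");
                return this.AuthorizeValidationError(ex);
            }

            if (button == "no")
            {
                Tracing.Information("User denies access token request.");
                return new ClientErrorResult(new Uri(request.redirect_uri), OAuthConstants.Errors.AccessDenied, request.response_type, request.state);
            }

            if (button == "yes")
            {
                Tracing.Information("User allows access token request.");

                if (scopes == null || scopes.Length == 0)
                {
                    ModelState.AddModelError("", "Please choose at least one permission.");
                    return View("Consent", validatedRequest);
                }

                // Keep only the scopes the user ticked; scopes the user did not select are dropped
                // from the validated request.
                validatedRequest.Scopes.RemoveAll(x => !scopes.Contains(x.Name));

                // store consent decision if
                //  checkbox was checked
                //  and storage is allowed
                //  and flow == implicit
                if (validatedRequest.Application.AllowRememberConsentDecision &&
                    validatedRequest.ResponseType == OAuthConstants.ResponseTypes.Token &&
                    rememberDuration == -1)
                {
                    var handle = StoredGrant.CreateConsentDecision(
                        ClaimsPrincipal.Current.GetSubject(),
                        validatedRequest.Client,
                        validatedRequest.Application,
                        validatedRequest.Scopes);

                    _handleManager.Add(handle);

                    Tracing.Information("Consent decision stored.");
                }

                // parse refresh token lifetime if
                // code flow is used
                // and refresh tokens are allowed
                if (validatedRequest.RequestingRefreshToken &&
                    rememberDuration != null &&
                    validatedRequest.Client.Flow == OAuthFlow.Code)
                {
                    // NOTE(review): rememberDuration is taken from the form as-is; any value other
                    // than -1 is passed straight to AddHours.
                    if (rememberDuration == -1)
                    {
                        validatedRequest.RequestedRefreshTokenExpiration = DateTime.UtcNow.AddYears(50);
                    }
                    else
                    {
                        validatedRequest.RequestedRefreshTokenExpiration = DateTime.UtcNow.AddHours(rememberDuration.Value);
                    }

                    Tracing.Information("Selected refresh token lifetime in hours: " + rememberDuration);
                }

                var grantResult = PerformGrant(validatedRequest);
                if (grantResult != null)
                {
                    return grantResult;
                }
            }

            // Unknown button value, or PerformGrant produced no result: report invalid_request to
            // the (now validated) redirect target.
            return new ClientErrorResult(
                       new Uri(request.redirect_uri),
                       OAuthConstants.Errors.InvalidRequest,
                       request.response_type,
                       request.state);
        }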
        /// <summary>
        /// Redeems a refresh token grant: issues a fresh token response for the grant's resource
        /// owner and, when the grant allows it, rotates the refresh token (a new grant is stored
        /// and the presented one deleted).
        /// </summary>
        /// <param name="handle">The stored refresh token grant presented by the client.</param>
        /// <param name="handleManager">Store used to persist the rotated grant and delete the presented one.</param>
        /// <returns>
        /// The token response; <c>RefreshToken</c> holds the rotated grant id, or the presented
        /// grant id when no rotation takes place.
        /// </returns>
        /// <exception cref="InvalidOperationException">Thrown when <paramref name="handle"/> has already expired.</exception>
        public virtual TokenResponse CreateTokenResponseFromRefreshToken(StoredGrant handle, IStoredGrantManager handleManager)
        {
            var owner = Principal.Create(
                "OAuth2",
                handle.ResourceOwner.ToClaims().ToArray());

            var expired = DateTime.UtcNow > handle.Expiration;
            if (expired)
            {
                throw new InvalidOperationException("Refresh token has expired.");
            }

            var request = new ValidatedRequest
            {
                Client = handle.Client,
                Application = handle.Application,
                Scopes = handle.Scopes,
            };

            var response = CreateTokenResponse(request, owner);

            if (!handle.CreateRefreshToken)
            {
                // No rotation: the client keeps using the refresh token it presented.
                response.RefreshToken = handle.GrantId;
                return response;
            }

            // Sliding expiration restarts the original lifetime from now; otherwise the rotated
            // grant inherits the presented grant's absolute expiration.
            DateTime nextExpiration;
            if (request.Application.AllowSlidingRefreshTokenExpiration)
            {
                var originalLifetime = handle.Expiration.Subtract(handle.Created);
                nextExpiration = DateTime.UtcNow.Add(originalLifetime);
            }
            else
            {
                nextExpiration = handle.Expiration;
            }

            var canRefreshAgain = request.Client.AllowRefreshToken && request.Application.AllowRefreshToken;

            var rotated = StoredGrant.CreateRefreshTokenHandle(
                owner.GetSubject(),
                handle.Client,
                handle.Application,
                owner.Claims,
                handle.Scopes,
                nextExpiration,
                createRefreshToken: canRefreshAgain);

            response.RefreshToken = rotated.GrantId;

            // Rotation: persist the replacement, then retire the presented grant.
            handleManager.Add(rotated);
            handleManager.Delete(handle.GrantId);

            return response;
        }
        /// <summary>
        /// Turns a presented refresh token grant into a new token response. Expired grants are
        /// rejected. If the grant permits it, the refresh token is rotated: a replacement grant
        /// is stored, the presented one is deleted, and the replacement's id is returned.
        /// </summary>
        /// <param name="handle">The refresh token grant presented by the client.</param>
        /// <param name="handleManager">Store that receives the replacement grant and loses the presented one.</param>
        /// <returns>The token response, with <c>RefreshToken</c> set to the replacement or the presented grant id.</returns>
        /// <exception cref="InvalidOperationException">Thrown when the presented grant's expiration lies in the past.</exception>
        public virtual TokenResponse CreateTokenResponseFromRefreshToken(StoredGrant handle, IStoredGrantManager handleManager)
        {
            var resourceOwner = Principal.Create(
                "OAuth2",
                handle.ResourceOwner.ToClaims().ToArray());

            if (DateTime.UtcNow > handle.Expiration)
            {
                throw new InvalidOperationException("Refresh token has expired.");
            }

            var validatedRequest = new ValidatedRequest
            {
                Client      = handle.Client,
                Application = handle.Application,
                Scopes      = handle.Scopes,
            };

            var response = CreateTokenResponse(validatedRequest, resourceOwner);

            if (handle.CreateRefreshToken)
            {
                // With sliding expiration each rotation pushes the expiration out by the grant's
                // original lifetime, so an actively used refresh token has no fixed upper bound;
                // without it the replacement keeps the presented grant's expiration.
                var slides = validatedRequest.Application.AllowSlidingRefreshTokenExpiration;
                var replacementExpiration = slides
                    ? DateTime.UtcNow.Add(handle.Expiration - handle.Created)
                    : handle.Expiration;

                var replacement = StoredGrant.CreateRefreshTokenHandle(
                    resourceOwner.GetSubject(),
                    handle.Client,
                    handle.Application,
                    resourceOwner.Claims,
                    handle.Scopes,
                    replacementExpiration,
                    createRefreshToken: validatedRequest.Client.AllowRefreshToken && validatedRequest.Application.AllowRefreshToken);

                response.RefreshToken = replacement.GrantId;

                handleManager.Add(replacement);
                handleManager.Delete(handle.GrantId);
            }
            else
            {
                // Not rotating: hand the presented refresh token back unchanged.
                response.RefreshToken = handle.GrantId;
            }

            return response;
        }