public async Task <IActionResult> Post(CancellationToken token)
{
var clientCertificate = await Request.HttpContext.Connection.GetClientCertificateAsync();
var claimName = User.Claims.FirstOrDefault(c => c.Type == ClaimTypes.NameIdentifier);
var userSubject = claimName == null ? string.Empty : claimName.Value;
var jObjHeader = Request.Headers.ToJObject();
var jObjBody = Request.Form.ToJObject();
var context = new HandlerContext(new HandlerContextRequest(Request.GetAbsoluteUriWithVirtualPath(), userSubject, jObjBody, jObjHeader, null, clientCertificate));
return(await _tokenRequestHandler.Handle(context, token));
}
public async Task <IActionResult> Post(CancellationToken token)
{
var clientCertificate = await Request.HttpContext.Connection.GetClientCertificateAsync();
var claimName = User.Claims.FirstOrDefault(c => c.Type == ClaimTypes.NameIdentifier);
var userSubject = claimName == null ? string.Empty : claimName.Value;
var jObjHeader = Request.Headers.ToJObject();
var jObjBody = Request.Form.ToJObject();
var context = new HandlerContext(new HandlerContextRequest(Request.GetAbsoluteUriWithVirtualPath(), userSubject, jObjBody, jObjHeader, Request.Cookies, clientCertificate));
var result = await _tokenRequestHandler.Handle(context, token);
// rfc6749 : the authorization server must include the HTTP "Cache-Control" response header field with a value of "no-store"
// in any response containing tokens, credentials, or sensitive information.
Response.SetNoCache();
return(result);
}
public async Task <IActionResult> Post()
{
var claimName = User.Claims.FirstOrDefault(c => c.Type == ClaimTypes.NameIdentifier);
var claimAuthTime = User.Claims.FirstOrDefault(c => c.Type == ClaimTypes.AuthenticationInstant);
var userSubject = claimName == null ? string.Empty : claimName.Value;
DateTime?authTime = null;
DateTime auth;
if (claimAuthTime != null && !string.IsNullOrWhiteSpace(claimAuthTime.Value) && DateTime.TryParse(claimAuthTime.Value, out auth))
{
authTime = auth;
}
var jObjHeader = Request.Headers.ToJObject();
var jObjBody = Request.Form.ToJObject();
var context = new HandlerContext(new HandlerContextRequest(Request.GetAbsoluteUriWithVirtualPath(), userSubject, authTime, jObjBody, jObjHeader));
return(await _tokenRequestHandler.Handle(context));
}
public IHttpActionResult Post([FromBody] TokenRequest tokenRequest)
{
IHttpActionResult actionResult;
var httpRequest = ActionContext.Request;
// Only handle the "client_credentials" grant type
if (!RequestIsRequiredGrantType(tokenRequest))
{
return(new AuthenticationError(httpRequest, new TokenError(TokenErrorType.UnsupportedGrantType)));
}
// If there is Authorization in the header
if (httpRequest.Headers.Authorization != null)
{
// Only Basic authorization is supported
if (!httpRequest.Headers.Authorization.Scheme.EqualsIgnoreCase("Basic"))
{
return(new AuthenticationUnauthorized(httpRequest));
}
// If there is an Authorization header, the authorization parameter is required.
if (!HasCredentialsInHeader(httpRequest))
{
return(new AuthenticationError(httpRequest, new TokenError(TokenErrorType.InvalidRequest)));
}
// Go and try to retrieve the ID and Secret from the header
var headerTokenRequest = GetIdSecretFromHeader(httpRequest, tokenRequest);
// If we failed to get the credentials from the header, the request was invalid.
if (headerTokenRequest == null)
{
return(new AuthenticationError(httpRequest, new TokenError(TokenErrorType.InvalidRequest)));
}
// If body contains a value for Client_id, verify it matches Client_id retrieved from authorization header
if (!string.IsNullOrEmpty(tokenRequest.Client_id) && tokenRequest.Client_id != headerTokenRequest.Client_id)
{
return(new AuthenticationError(httpRequest, new TokenError(TokenErrorType.InvalidRequest)));
}
// If body contains a value for Client_secret, verify it matches Client_secret retrieved from authorization header
if (!string.IsNullOrEmpty(tokenRequest.Client_secret) && tokenRequest.Client_secret != headerTokenRequest.Client_secret)
{
return(new AuthenticationError(httpRequest, new TokenError(TokenErrorType.InvalidRequest)));
}
// If a valid token request retrieved from header, override body token request values.
tokenRequest.Client_id = headerTokenRequest.Client_id;
tokenRequest.Client_secret = headerTokenRequest.Client_secret;
}
// Verify client_id and client_secret are present
if (!IsIdAndSecretPresent(tokenRequest))
{
return(new AuthenticationError(httpRequest, new TokenError(TokenErrorType.InvalidClient)));
}
// Handle token request
_requestHandler.Handle(ActionContext.Request, tokenRequest, out actionResult);
return(actionResult);
}
