public Task OnGeneratingClaims(TokenGeneratingContext context)
{
var resource = context.RequestGrants.Scopes.FirstOrDefault(rg => rg.ClientId != null)?.ClientId;
if (context.IsContextForTokenTypes(TokenTypes.AccessToken) && resource != null)
{
// For access tokens we use the scopes from the set of granted scopes, this takes into account the
// fact that a token request can ask for a subset of the scopes granted during authorization, either
// on a code exchange or on a refresh token grant flow.
AddClaimsForAccessToken(context, resource);
return(Task.CompletedTask);
}
if (context.IsContextForTokenTypes(TokenTypes.AuthorizationCode))
{
context.AddClaimToCurrentToken(
IdentityServiceClaimTypes.Scope,
GetScopeValue(context.RequestGrants.Scopes, excludeCanonical: false));
if (resource != null)
{
context.AddClaimToCurrentToken(IdentityServiceClaimTypes.Resource, resource);
}
return(Task.CompletedTask);
}
if (context.IsContextForTokenTypes(TokenTypes.RefreshToken))
{
// For refresh tokens the scope claim never changes as the set of scopes granted for a refresh token
// should not change no matter what scopes are sent on a token request.
var scopeClaim = context
.RequestGrants
.Claims
.Single(c => c.Type.Equals(IdentityServiceClaimTypes.Scope, StringComparison.Ordinal));
var resourceClaim = context
.RequestGrants
.Claims
.SingleOrDefault(c => c.Type.Equals(IdentityServiceClaimTypes.Resource, StringComparison.Ordinal));
context.AddClaimToCurrentToken(scopeClaim);
if (resourceClaim != null)
{
context.AddClaimToCurrentToken(resourceClaim);
}
}
return(Task.CompletedTask);
}
public Task OnGeneratingClaims(TokenGeneratingContext context)
{
if (context.IsContextForTokenTypes(TokenTypes.IdToken))
{
var accessToken = context
.IssuedTokens.SingleOrDefault(t => t.Token.Kind == TokenTypes.AccessToken);
var authorizationCode = context
.IssuedTokens.SingleOrDefault(t => t.Token.Kind == TokenTypes.AuthorizationCode);
if (accessToken != null)
{
context.CurrentClaims.Add(new Claim(
IdentityServiceClaimTypes.AccessTokenHash,
GetTokenHash(accessToken.SerializedValue)));
}
if (authorizationCode != null)
{
context.CurrentClaims.Add(new Claim(
IdentityServiceClaimTypes.CodeHash,
GetTokenHash(authorizationCode.SerializedValue)));
}
}
return(Task.CompletedTask);
}
public Task OnGeneratingClaims(TokenGeneratingContext context)
{
if (context.IsContextForTokenTypes(TokenTypes.AuthorizationCode))
{
foreach (var grantedToken in GetGrantedTokensForAuthorizationCode(context))
{
context.AddClaimToCurrentToken(IdentityServiceClaimTypes.GrantedToken, grantedToken);
}
}
if (context.IsContextForTokenTypes(TokenTypes.RefreshToken))
{
foreach (var grantedToken in context.RequestGrants.Tokens)
{
context.AddClaimToCurrentToken(IdentityServiceClaimTypes.GrantedToken, grantedToken);
}
}
return(Task.CompletedTask);
}
public Task OnGeneratingClaims(TokenGeneratingContext context)
{
var nonce = GetNonce(context);
if (context.IsContextForTokenTypes(
TokenTypes.IdToken,
TokenTypes.AccessToken,
TokenTypes.AuthorizationCode) && nonce != null)
{
context.AddClaimToCurrentToken(IdentityServiceClaimTypes.Nonce, nonce);
}
return(Task.CompletedTask);
}
public Task OnGeneratingClaims(TokenGeneratingContext context)
{
context.AddClaimToCurrentToken(IdentityServiceClaimTypes.TokenUniqueId, Guid.NewGuid().ToString());
var userMapping = GetUserPrincipalTokenMapping(context.CurrentToken);
var applicationMapping = GetApplicationPrincipalTokenMapping(context.CurrentToken);
var ambientMapping = GetAmbientClaimsTokenMapping(context.CurrentToken);
MapFromPrincipal(context, context.User, userMapping);
MapFromPrincipal(context, context.Application, applicationMapping);
MapFromContext(context, context.AmbientClaims, ambientMapping);
if (context.IsContextForTokenTypes(TokenTypes.AccessToken, TokenTypes.IdToken))
{
context.AddClaimToCurrentToken(IdentityServiceClaimTypes.Issuer, _options.Value.Issuer);
}
if (context.IsContextForTokenTypes(TokenTypes.AuthorizationCode) && context.RequestParameters.RedirectUri != null)
{
context.AddClaimToCurrentToken(IdentityServiceClaimTypes.RedirectUri, context.RequestParameters.RedirectUri);
}
return(Task.CompletedTask);
}
public Task OnGeneratingClaims(TokenGeneratingContext context)
{
if (context.IsContextForTokenTypes(TokenTypes.AuthorizationCode) &&
context.RequestParameters.Parameters.ContainsKey(ProofOfKeyForCodeExchangeParameterNames.CodeChallenge))
{
context.AddClaimToCurrentToken(
IdentityServiceClaimTypes.CodeChallenge,
context.RequestParameters.Parameters[ProofOfKeyForCodeExchangeParameterNames.CodeChallenge]);
context.AddClaimToCurrentToken(
IdentityServiceClaimTypes.CodeChallengeMethod,
context.RequestParameters.Parameters[ProofOfKeyForCodeExchangeParameterNames.CodeChallengeMethod]);
}
return(Task.CompletedTask);
}