public async Task IsActiveAsync(IsActiveContext context)
{
var client = Mapper.Map<IdentityServerClient, DomainClient>(context.Client);
var result = await domainService.IsActiveAsync(context.Subject, client);
context.IsActive = result;
}
public override async Task IsActiveAsync(IsActiveContext context)
{
var userName = context.Subject.Identity.Name;
using (var client = new HttpClient { BaseAddress = new Uri(this.usersApiUri) })
{
context.IsActive = await UserExistsAsync(client, userName);
}
}
public async Task IsActiveAsync(IsActiveContext context)
{
context.IsActive = false;
foreach (var service in this.services)
{
await service.IsActiveAsync(context);
if (context.IsActive)
{
return;
}
}
}
/// <summary>
/// Custom validation logic for access tokens.
/// </summary>
/// <param name="result">The validation result so far.</param>
/// <returns>
/// The validation result
/// </returns>
public virtual async Task<TokenValidationResult> ValidateAccessTokenAsync(TokenValidationResult result)
{
if (result.IsError)
{
return result;
}
// make sure user is still active (if sub claim is present)
var subClaim = result.Claims.FirstOrDefault(c => c.Type == Constants.ClaimTypes.Subject);
if (subClaim != null)
{
var principal = Principal.Create("tokenvalidator", result.Claims.ToArray());
if (result.ReferenceTokenId.IsPresent())
{
principal.Identities.First().AddClaim(new Claim(Constants.ClaimTypes.ReferenceTokenId, result.ReferenceTokenId));
}
var isActiveCtx = new IsActiveContext(principal, result.Client);
await _users.IsActiveAsync(isActiveCtx);
if (isActiveCtx.IsActive == false)
{
Logger.Warn("User marked as not active: " + subClaim.Value);
result.IsError = true;
result.Error = Constants.ProtectedResourceErrors.InvalidToken;
result.Claims = null;
return result;
}
}
// make sure client is still active (if client_id claim is present)
var clientClaim = result.Claims.FirstOrDefault(c => c.Type == Constants.ClaimTypes.ClientId);
if (clientClaim != null)
{
var client = await _clients.FindClientByIdAsync(clientClaim.Value);
if (client == null || client.Enabled == false)
{
Logger.Warn("Client deleted or disabled: " + clientClaim.Value);
result.IsError = true;
result.Error = Constants.ProtectedResourceErrors.InvalidToken;
result.Claims = null;
return result;
}
}
return result;
}
public override Task IsActiveAsync(IdentityServer3.Core.Models.IsActiveContext context)
{
if (context.Subject == null)
{
throw new ArgumentNullException("subject");
}
var subjectId = context.Subject.GetSubjectId();
var user = _userManager.Users.FirstOrDefault(u => u.Id == subjectId);
// set whether or not the user is active
context.IsActive = (user != null) && user.IsActive;
return(Task.FromResult(0));
}
public override Task IsActiveAsync(IdentityServer3.Core.Models.IsActiveContext context)
{
using (var userRepository = new UserRepository())
{
if (context.Subject == null)
{
throw new ArgumentNullException("subject");
}
var user = userRepository.GetUser(context.Subject.GetSubjectId());
// set whether or not the user is active
context.IsActive = (user != null) && user.IsActive;
return(Task.FromResult(0));
}
}
private async Task<TokenRequestValidationResult> ValidateAuthorizationCodeRequestAsync(NameValueCollection parameters)
{
Logger.Info("Start validation of authorization code token request");
/////////////////////////////////////////////
// check if client is authorized for grant type
/////////////////////////////////////////////
if (_validatedRequest.Client.Flow != Flows.AuthorizationCode &&
_validatedRequest.Client.Flow != Flows.Hybrid)
{
LogError("Client not authorized for code flow");
return Invalid(Constants.TokenErrors.UnauthorizedClient);
}
/////////////////////////////////////////////
// validate authorization code
/////////////////////////////////////////////
var code = parameters.Get(Constants.TokenRequest.Code);
if (code.IsMissing())
{
var error = "Authorization code is missing.";
LogError(error);
await RaiseFailedAuthorizationCodeRedeemedEventAsync(null, error);
return Invalid(Constants.TokenErrors.InvalidGrant);
}
if (code.Length > _options.InputLengthRestrictions.AuthorizationCode)
{
var error = "Authorization code is too long.";
LogError(error);
await RaiseFailedAuthorizationCodeRedeemedEventAsync(null, error);
return Invalid(Constants.TokenErrors.InvalidGrant);
}
_validatedRequest.AuthorizationCodeHandle = code;
var authZcode = await _authorizationCodes.GetAsync(code);
if (authZcode == null)
{
LogError("Invalid authorization code: " + code);
await RaiseFailedAuthorizationCodeRedeemedEventAsync(code, "Invalid handle");
return Invalid(Constants.TokenErrors.InvalidGrant);
}
await _authorizationCodes.RemoveAsync(code);
/////////////////////////////////////////////
// populate session id
/////////////////////////////////////////////
if (authZcode.SessionId.IsPresent())
{
_validatedRequest.SessionId = authZcode.SessionId;
}
/////////////////////////////////////////////
// validate client binding
/////////////////////////////////////////////
if (authZcode.Client.ClientId != _validatedRequest.Client.ClientId)
{
LogError(string.Format("Client {0} is trying to use a code from client {1}", _validatedRequest.Client.ClientId, authZcode.Client.ClientId));
await RaiseFailedAuthorizationCodeRedeemedEventAsync(code, "Invalid client binding");
return Invalid(Constants.TokenErrors.InvalidGrant);
}
/////////////////////////////////////////////
// validate code expiration
/////////////////////////////////////////////
if (authZcode.CreationTime.HasExceeded(_validatedRequest.Client.AuthorizationCodeLifetime))
{
var error = "Authorization code is expired";
LogError(error);
await RaiseFailedAuthorizationCodeRedeemedEventAsync(code, error);
return Invalid(Constants.TokenErrors.InvalidGrant);
}
_validatedRequest.AuthorizationCode = authZcode;
/////////////////////////////////////////////
// validate redirect_uri
/////////////////////////////////////////////
var redirectUri = parameters.Get(Constants.TokenRequest.RedirectUri);
if (redirectUri.IsMissing())
{
var error = "Redirect URI is missing.";
LogError(error);
await RaiseFailedAuthorizationCodeRedeemedEventAsync(code, error);
return Invalid(Constants.TokenErrors.UnauthorizedClient);
}
if (redirectUri.Equals(_validatedRequest.AuthorizationCode.RedirectUri, StringComparison.Ordinal) == false)
{
var error = "Invalid redirect_uri: " + redirectUri;
LogError(error);
await RaiseFailedAuthorizationCodeRedeemedEventAsync(code, error);
return Invalid(Constants.TokenErrors.UnauthorizedClient);
}
/////////////////////////////////////////////
// validate scopes are present
/////////////////////////////////////////////
if (_validatedRequest.AuthorizationCode.RequestedScopes == null ||
!_validatedRequest.AuthorizationCode.RequestedScopes.Any())
{
var error = "Authorization code has no associated scopes.";
LogError(error);
await RaiseFailedAuthorizationCodeRedeemedEventAsync(code, error);
return Invalid(Constants.TokenErrors.InvalidRequest);
}
/////////////////////////////////////////////
// make sure user is enabled
/////////////////////////////////////////////
var isActiveCtx = new IsActiveContext(_validatedRequest.AuthorizationCode.Subject, _validatedRequest.Client);
await _users.IsActiveAsync(isActiveCtx);
if (isActiveCtx.IsActive == false)
{
var error = "User has been disabled: " + _validatedRequest.AuthorizationCode.Subject;
LogError(error);
await RaiseFailedAuthorizationCodeRedeemedEventAsync(code, error);
return Invalid(Constants.TokenErrors.InvalidRequest);
}
Logger.Info("Validation of authorization code token request success");
await RaiseSuccessfulAuthorizationCodeRedeemedEventAsync();
return Valid();
}
public async Task IsActiveAsync(IsActiveContext context)
{
await this.inMemoryUserService.IsActiveAsync(context);
}
/// <summary>
/// This method gets called whenever identity server needs to determine if the user is valid or active (e.g. during token issuance or validation)
/// </summary>
/// <param name="context">The context.</param>
/// <returns></returns>
/// <exception cref="System.ArgumentNullException">subject</exception>
public override Task IsActiveAsync(IsActiveContext context)
{
if (context.Subject == null) throw new ArgumentNullException("subject");
var query =
from u in _users
where
u.Subject == context.Subject.GetSubjectId()
select u;
var user = query.SingleOrDefault();
context.IsActive = (user != null) && user.Enabled;
return Task.FromResult(0);
}
public Task IsActiveAsync(IsActiveContext context)
{
context.IsActive = true;
return Task.FromResult(0);
}
private async Task<TokenRequestValidationResult> ValidateAuthorizationCodeRequestAsync(NameValueCollection parameters)
{
Logger.Info("Start validation of authorization code token request");
/////////////////////////////////////////////
// check if client is authorized for grant type
/////////////////////////////////////////////
if (Constants.AllowedFlowsForAuthorizationCodeGrantType.Contains(_validatedRequest.Client.Flow) == false)
{
LogError("Client not authorized for code flow");
return Invalid(Constants.TokenErrors.UnauthorizedClient);
}
/////////////////////////////////////////////
// validate authorization code
/////////////////////////////////////////////
var code = parameters.Get(Constants.TokenRequest.Code);
if (code.IsMissing())
{
var error = "Authorization code is missing.";
LogError(error);
await RaiseFailedAuthorizationCodeRedeemedEventAsync(null, error);
return Invalid(Constants.TokenErrors.InvalidGrant);
}
if (code.Length > _options.InputLengthRestrictions.AuthorizationCode)
{
var error = "Authorization code is too long.";
LogError(error);
await RaiseFailedAuthorizationCodeRedeemedEventAsync(null, error);
return Invalid(Constants.TokenErrors.InvalidGrant);
}
_validatedRequest.AuthorizationCodeHandle = code;
var authZcode = await _authorizationCodes.GetAsync(code);
if (authZcode == null)
{
LogError("Invalid authorization code: " + code);
await RaiseFailedAuthorizationCodeRedeemedEventAsync(code, "Invalid handle");
return Invalid(Constants.TokenErrors.InvalidGrant);
}
await _authorizationCodes.RemoveAsync(code);
/////////////////////////////////////////////
// populate session id
/////////////////////////////////////////////
if (authZcode.SessionId.IsPresent())
{
_validatedRequest.SessionId = authZcode.SessionId;
}
/////////////////////////////////////////////
// validate client binding
/////////////////////////////////////////////
if (authZcode.Client.ClientId != _validatedRequest.Client.ClientId)
{
LogError(string.Format("Client {0} is trying to use a code from client {1}", _validatedRequest.Client.ClientId, authZcode.Client.ClientId));
await RaiseFailedAuthorizationCodeRedeemedEventAsync(code, "Invalid client binding");
return Invalid(Constants.TokenErrors.InvalidGrant);
}
/////////////////////////////////////////////
// validate PKCE parameters
/////////////////////////////////////////////
var codeVerifier = parameters.Get(Constants.TokenRequest.CodeVerifier);
if (authZcode.Client.Flow == Flows.AuthorizationCodeWithProofKey ||
authZcode.Client.Flow == Flows.HybridWithProofKey)
{
var proofKeyResult = ValidateAuthorizationCodeWithProofKeyParameters(codeVerifier, authZcode);
if (proofKeyResult.IsError)
{
return proofKeyResult;
}
_validatedRequest.CodeVerifier = codeVerifier;
}
else
{
if (codeVerifier.IsPresent())
{
LogError("Unexpected code_verifier with Flow " + authZcode.Client.Flow.ToString());
return Invalid(Constants.TokenErrors.InvalidGrant);
}
}
/////////////////////////////////////////////
// validate code expiration
/////////////////////////////////////////////
if (authZcode.CreationTime.HasExceeded(_validatedRequest.Client.AuthorizationCodeLifetime))
{
var error = "Authorization code is expired";
LogError(error);
await RaiseFailedAuthorizationCodeRedeemedEventAsync(code, error);
return Invalid(Constants.TokenErrors.InvalidGrant);
}
_validatedRequest.AuthorizationCode = authZcode;
/////////////////////////////////////////////
// validate redirect_uri
/////////////////////////////////////////////
var redirectUri = parameters.Get(Constants.TokenRequest.RedirectUri);
if (redirectUri.IsMissing())
{
var error = "Redirect URI is missing.";
LogError(error);
await RaiseFailedAuthorizationCodeRedeemedEventAsync(code, error);
return Invalid(Constants.TokenErrors.UnauthorizedClient);
}
if (redirectUri.Equals(_validatedRequest.AuthorizationCode.RedirectUri, StringComparison.Ordinal) == false)
{
var error = "Invalid redirect_uri: " + redirectUri;
LogError(error);
await RaiseFailedAuthorizationCodeRedeemedEventAsync(code, error);
return Invalid(Constants.TokenErrors.UnauthorizedClient);
}
/////////////////////////////////////////////
// validate scopes are present
/////////////////////////////////////////////
if (_validatedRequest.AuthorizationCode.RequestedScopes == null ||
!_validatedRequest.AuthorizationCode.RequestedScopes.Any())
{
var error = "Authorization code has no associated scopes.";
LogError(error);
await RaiseFailedAuthorizationCodeRedeemedEventAsync(code, error);
return Invalid(Constants.TokenErrors.InvalidRequest);
}
/////////////////////////////////////////////
// make sure user is enabled
/////////////////////////////////////////////
var isActiveCtx = new IsActiveContext(_validatedRequest.AuthorizationCode.Subject, _validatedRequest.Client);
await _users.IsActiveAsync(isActiveCtx);
if (isActiveCtx.IsActive == false)
{
var error = "User has been disabled: " + _validatedRequest.AuthorizationCode.Subject;
LogError(error);
await RaiseFailedAuthorizationCodeRedeemedEventAsync(code, error);
return Invalid(Constants.TokenErrors.InvalidRequest);
}
/////////////////////////////////////////////
// validate token type and PoP parameters if pop token is requested
/////////////////////////////////////////////
var tokenType = parameters.Get("token_type");
if (tokenType != null && tokenType == Constants.ResponseTokenTypes.PoP)
{
var result = ValidatePopParameters(parameters);
if (result.IsError)
{
var error = "PoP parameter validation failed: " + result.ErrorDescription;
LogError(error);
await RaiseFailedAuthorizationCodeRedeemedEventAsync(code, error);
return Invalid(result.Error, result.ErrorDescription);
}
else
{
_validatedRequest.RequestedTokenType = RequestedTokenTypes.PoP;
}
}
Logger.Info("Validation of authorization code token request success");
await RaiseSuccessfulAuthorizationCodeRedeemedEventAsync();
return Valid();
}
public Task IsActiveAsync(IsActiveContext context)
{
return inner.IsActiveAsync(context);
}
public override async Task IsActiveAsync(IsActiveContext context)
{
var username = GetName(context.Subject);
using (var client = await CreateClientAsync())
{
context.IsActive = await UserExistsAsync(client, username);
}
}
public override Task IsActiveAsync(IsActiveContext context)
{
var subject = context.Subject; //Should be the objectid of the user.
//TODO Check with graph client that the account is enabled. See properties of GetAllUsers in unit tests
return base.IsActiveAsync(context);
}
/// <summary>
/// Check exited user by Subject from client
/// </summary>
/// <param name="ctx"></param>
/// <returns></returns>
public override async Task IsActiveAsync(IsActiveContext ctx)
{
var subject = ctx.Subject;
if (subject == null) throw new ArgumentNullException("subject");
//get username in token
var id = subject.GetSubjectId();
ctx.IsActive = true;
//check active
using (var aduser = GetUser(id))
{
if (aduser != null && !aduser.IsAccountLockedOut())
{
ctx.IsActive = true;
}
}
}
/// <summary>
/// This method gets called whenever identity server needs to determine if the user is valid or active (e.g. if the user's account has been deactivated since they logged in).
/// (e.g. during token issuance or validation).
/// </summary>
/// <param name="context">The context.</param>
/// <returns></returns>
public virtual Task IsActiveAsync(IsActiveContext context)
{
return Task.FromResult(0);
}
public override Task IsActiveAsync(IsActiveContext context)
{
if(context.Subject == null)
{
throw new ArgumentException("subject");
}
//var currentUser = dbContext.UserProfiles.FirstOrDefault(x => x.Id.ToString() == context.Subject.GetSubjectId());
// Todo: Check active flag on the user and set it
context.IsActive = true;
return Task.FromResult(0);
}
private async Task<TokenRequestValidationResult> ValidateRefreshTokenRequestAsync(NameValueCollection parameters)
{
Logger.Info("Start validation of refresh token request");
var refreshTokenHandle = parameters.Get(Constants.TokenRequest.RefreshToken);
if (refreshTokenHandle.IsMissing())
{
var error = "Refresh token is missing";
LogError(error);
await RaiseRefreshTokenRefreshFailureEventAsync(null, error);
return Invalid(Constants.TokenErrors.InvalidRequest);
}
if (refreshTokenHandle.Length > _options.InputLengthRestrictions.RefreshToken)
{
var error = "Refresh token too long";
LogError(error);
await RaiseRefreshTokenRefreshFailureEventAsync(null, error);
return Invalid(Constants.TokenErrors.InvalidGrant);
}
_validatedRequest.RefreshTokenHandle = refreshTokenHandle;
/////////////////////////////////////////////
// check if refresh token is valid
/////////////////////////////////////////////
var refreshToken = await _refreshTokens.GetAsync(refreshTokenHandle);
if (refreshToken == null)
{
var error = "Refresh token is invalid";
LogWarn(error);
await RaiseRefreshTokenRefreshFailureEventAsync(refreshTokenHandle, error);
return Invalid(Constants.TokenErrors.InvalidGrant);
}
/////////////////////////////////////////////
// check if refresh token has expired
/////////////////////////////////////////////
if (refreshToken.CreationTime.HasExceeded(refreshToken.LifeTime))
{
var error = "Refresh token has expired";
LogWarn(error);
await RaiseRefreshTokenRefreshFailureEventAsync(refreshTokenHandle, error);
await _refreshTokens.RemoveAsync(refreshTokenHandle);
return Invalid(Constants.TokenErrors.InvalidGrant);
}
/////////////////////////////////////////////
// check if client belongs to requested refresh token
/////////////////////////////////////////////
if (_validatedRequest.Client.ClientId != refreshToken.ClientId)
{
LogError(string.Format("Client {0} tries to refresh token belonging to client {1}", _validatedRequest.Client.ClientId, refreshToken.ClientId));
await RaiseRefreshTokenRefreshFailureEventAsync(refreshTokenHandle, "Invalid client binding");
return Invalid(Constants.TokenErrors.InvalidGrant);
}
/////////////////////////////////////////////
// check if client still has offline_access scope
/////////////////////////////////////////////
if (!_validatedRequest.Client.AllowAccessToAllScopes)
{
if (!_validatedRequest.Client.AllowedScopes.Contains(Constants.StandardScopes.OfflineAccess))
{
var error = "Client does not have access to offline_access scope anymore";
LogError(error);
await RaiseRefreshTokenRefreshFailureEventAsync(refreshTokenHandle, error);
return Invalid(Constants.TokenErrors.InvalidGrant);
}
}
_validatedRequest.RefreshToken = refreshToken;
/////////////////////////////////////////////
// make sure user is enabled
/////////////////////////////////////////////
var principal = IdentityServerPrincipal.FromSubjectId(_validatedRequest.RefreshToken.SubjectId, refreshToken.AccessToken.Claims);
var isActiveCtx = new IsActiveContext(principal, _validatedRequest.Client);
await _users.IsActiveAsync(isActiveCtx);
if (isActiveCtx.IsActive == false)
{
var error = "User has been disabled: " + _validatedRequest.RefreshToken.SubjectId;
LogError(error);
await RaiseRefreshTokenRefreshFailureEventAsync(refreshTokenHandle, error);
return Invalid(Constants.TokenErrors.InvalidRequest);
}
Logger.Info("Validation of refresh token request success");
return Valid();
}
public async Task IsActiveAsync(IsActiveContext context)
{
if (context.Subject == null)
throw new ArgumentNullException("Subject");
var userId = Guid.Parse(context.Subject.GetSubjectId());
var user = await this.userManager.FindByIdAsync(userId);
if (user == null)
{
context.IsActive = false;
return;
}
if (this.userManager.SupportsUserSecurityStamp)
{
var securityStamp = context.Subject.Claims.Where(x => x.Type == SecurityStampClaimType).Select(x => x.Value).SingleOrDefault();
if (securityStamp != null && securityStamp != user.SecurityStamp)
{
context.IsActive = false;
return;
}
}
context.IsActive = true;
}
public override async Task IsActiveAsync(IsActiveContext context)
{
var user = await _userRepository.GetUserAsync(context.Subject.GetSubjectId());
context.IsActive = user != null && user.IsActive;
}
public async Task<LoginInteractionResponse> ProcessLoginAsync(ValidatedAuthorizeRequest request, ClaimsPrincipal user)
{
// let the login page know the client requesting authorization
_signIn.ClientId = request.ClientId;
// pass through display mode to signin service
if (request.DisplayMode.IsPresent())
{
_signIn.DisplayMode = request.DisplayMode;
}
// pass through ui locales to signin service
if (request.UiLocales.IsPresent())
{
_signIn.UiLocales = request.UiLocales;
}
// pass through login_hint
if (request.LoginHint.IsPresent())
{
_signIn.LoginHint = request.LoginHint;
}
// process acr values
var acrValues = request.AuthenticationContextReferenceClasses.Distinct().ToList();
// look for well-known acr value -- idp
var idp = acrValues.FirstOrDefault(x => x.StartsWith(Constants.KnownAcrValues.HomeRealm));
if (idp.IsPresent())
{
_signIn.IdP = idp.Substring(Constants.KnownAcrValues.HomeRealm.Length);
acrValues.Remove(idp);
}
// look for well-known acr value -- tenant
var tenant = acrValues.FirstOrDefault(x => x.StartsWith(Constants.KnownAcrValues.Tenant));
if (tenant.IsPresent())
{
_signIn.Tenant = tenant.Substring(Constants.KnownAcrValues.Tenant.Length);
acrValues.Remove(tenant);
}
// pass through any remaining acr values
if (acrValues.Any())
{
_signIn.AcrValues = acrValues;
}
if (request.PromptMode == Constants.PromptModes.Login)
{
// remove prompt so when we redirect back in from login page
// we won't think we need to force a prompt again
request.Raw.Remove(Constants.AuthorizeRequest.Prompt);
Logger.Info("Redirecting to login page because of prompt=login");
return new LoginInteractionResponse
{
SignInMessage = _signIn
};
}
// unauthenticated user
var isAuthenticated = user.Identity.IsAuthenticated;
if (!isAuthenticated) Logger.Info("User is not authenticated. Redirecting to login.");
// user de-activated
bool isActive = false;
if (isAuthenticated)
{
var isActiveCtx = new IsActiveContext(user, request.Client);
await _users.IsActiveAsync(isActiveCtx);
isActive = isActiveCtx.IsActive;
if (!isActive) Logger.Info("User is not active. Redirecting to login.");
}
if (!isAuthenticated || !isActive)
{
// prompt=none means user must be signed in already
if (request.PromptMode == Constants.PromptModes.None)
{
Logger.Info("prompt=none was requested. But user is not authenticated.");
return new LoginInteractionResponse
{
Error = new AuthorizeError
{
ErrorType = ErrorTypes.Client,
Error = Constants.AuthorizeErrors.LoginRequired,
ResponseMode = request.ResponseMode,
ErrorUri = request.RedirectUri,
State = request.State
}
};
}
return new LoginInteractionResponse
{
SignInMessage = _signIn
};
}
// check current idp
var currentIdp = user.GetIdentityProvider();
// check if idp login hint matches current provider
if (_signIn.IdP.IsPresent())
{
if (_signIn.IdP != currentIdp)
{
Logger.Info("Current IdP is not the requested IdP. Redirecting to login");
Logger.InfoFormat("Current: {0} -- Requested: {1}", currentIdp, _signIn.IdP);
return new LoginInteractionResponse
{
SignInMessage = _signIn
};
}
}
// check authentication freshness
if (request.MaxAge.HasValue)
{
var authTime = user.GetAuthenticationTime();
if (DateTimeOffsetHelper.UtcNow > authTime.AddSeconds(request.MaxAge.Value))
{
Logger.Info("Requested MaxAge exceeded. Redirecting to login");
return new LoginInteractionResponse
{
SignInMessage = _signIn
};
}
}
return new LoginInteractionResponse();
}
/// <summary>
/// Custom validation logic for identity tokens.
/// </summary>
/// <param name="result">The validation result so far.</param>
/// <returns>
/// The validation result
/// </returns>
public virtual async Task<TokenValidationResult> ValidateIdentityTokenAsync(TokenValidationResult result)
{
// make sure user is still active (if sub claim is present)
var subClaim = result.Claims.FirstOrDefault(c => c.Type == Constants.ClaimTypes.Subject);
if (subClaim != null)
{
var principal = Principal.Create("tokenvalidator", result.Claims.ToArray());
var isActiveCtx = new IsActiveContext(principal, result.Client);
await _users.IsActiveAsync(isActiveCtx);
if (isActiveCtx.IsActive == false)
{
Logger.Warn("User marked as not active: " + subClaim.Value);
result.IsError = true;
result.Error = Constants.ProtectedResourceErrors.InvalidToken;
result.Claims = null;
return result;
}
}
return result;
}
