/// <summary>
/// Integration test: logs in with a social (google-oauth2) access token to obtain an id_token,
/// then uses that id_token as a jwt-bearer assertion to request a delegation token for the
/// same client, and checks that a token with an id_token comes back.
/// </summary>
public async Task Can_get_delegation_token()
{
    // Arrange: authentication client pointed at the configured Auth0 tenant.
    var client = new AuthenticationApiClient(new Uri(GetVariable("AUTH0_AUTHENTICATION_API_URL")));

    // Act, step 1: exchange the social access token for an id_token.
    var loginRequest = new AccessTokenRequest
    {
        ClientId = GetVariable("AUTH0_CLIENT_ID"),
        Connection = "google-oauth2",
        AccessToken = accessToken,
        Scope = "openid"
    };
    var loginResponse = await client.GetAccessTokenAsync(loginRequest);

    // Act, step 2: present that id_token as the assertion of a delegation request.
    // NOTE(review): delegation is a legacy Auth0 flow — confirm the tenant still has it enabled
    // before relying on this test.
    var delegationRequest = new IdTokenDelegationRequest(
        GetVariable("AUTH0_CLIENT_ID"),
        GetVariable("AUTH0_CLIENT_ID"),
        loginResponse.IdToken)
    {
        Scope = "openid",
        GrantType = "urn:ietf:params:oauth:grant-type:jwt-bearer",
        ApiType = "app"
    };
    var delegationResponse = await client.GetDelegationTokenAsync(delegationRequest);

    // Assert: a delegation token carrying an id_token was issued.
    delegationResponse.Should().NotBeNull();
    delegationResponse.IdToken.Should().NotBeNull();
}
/// <summary>
/// Integration test: logs in with a social (google-oauth2) access token to obtain an id_token,
/// then uses that id_token as a jwt-bearer assertion to request a delegation token for the
/// same client, and checks that a token with an id_token comes back.
/// </summary>
public async Task Can_get_delegation_token()
{
    // Arrange: authentication client pointed at the configured Auth0 tenant.
    var client = new AuthenticationApiClient(new Uri(GetVariable("AUTH0_AUTHENTICATION_API_URL")));

    // Act, step 1: exchange the social access token for an id_token.
    var loginRequest = new AccessTokenRequest
    {
        ClientId = GetVariable("AUTH0_CLIENT_ID"),
        Connection = "google-oauth2",
        AccessToken = accessToken,
        Scope = "openid"
    };
    var loginResponse = await client.GetAccessTokenAsync(loginRequest);

    // Act, step 2: present that id_token as the assertion of a delegation request.
    // NOTE(review): delegation is a legacy Auth0 flow — confirm the tenant still has it enabled
    // before relying on this test.
    var delegationRequest = new IdTokenDelegationRequest(
        GetVariable("AUTH0_CLIENT_ID"),
        GetVariable("AUTH0_CLIENT_ID"),
        loginResponse.IdToken)
    {
        Scope = "openid",
        GrantType = "urn:ietf:params:oauth:grant-type:jwt-bearer",
        ApiType = "app"
    };
    var delegationResponse = await client.GetDelegationTokenAsync(delegationRequest);

    // Assert: a delegation token carrying an id_token was issued.
    delegationResponse.Should().NotBeNull();
    delegationResponse.IdToken.Should().NotBeNull();
}
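/// <summary>
/// Cookie-validation hook. Reads the "exp" claim that the configured Auth0 tenant issued on the
/// signed-in principal; while it is in the future the principal is kept as-is. Once it has passed,
/// the refresh token stored on the principal is exchanged for a new id_token and the "exp" and
/// "id_token" claims are replaced and the cookie renewed. The principal is rejected and the "Auth0"
/// scheme signed out when there is no usable expiry claim, no refresh token, or the refresh yields
/// no new id_token.
/// </summary>
/// <param name="context">Cookie validation context of the current request.</param>
public static async Task ValidateExpirationAndTryRefresh(CookieValidatePrincipalContext context)
{
    var auth0Settings = context.HttpContext.RequestServices.GetRequiredService<IOptions<Auth0Settings>>();
    var expectedIssuer = $"https://{auth0Settings.Value.Domain}/";

    // Only an "exp" claim that the Auth0 tenant itself issued is trusted; any other "exp" is ignored.
    var expClaim = context.Principal.FindFirst(c => c.Type == "exp" && c.OriginalIssuer == expectedIssuer);

    var shouldReject = true;
    long expSeconds;
    if (expClaim != null
        && long.TryParse(expClaim.Value,
                         System.Globalization.NumberStyles.Integer,
                         System.Globalization.CultureInfo.InvariantCulture,
                         out expSeconds))
    {
        // "exp" is seconds since the Unix epoch; a long avoids int's 2038 overflow.
        var validTo = DateTimeOffset.FromUnixTimeSeconds(expSeconds);
        if (validTo > DateTimeOffset.UtcNow)
        {
            shouldReject = false;
        }
        else
        {
            shouldReject = !await TryRefreshIdTokenAsync(context, auth0Settings, expClaim);
        }
    }
    // Otherwise the principal carries no parseable Auth0 expiry: fail closed rather than throw.

    if (shouldReject)
    {
        context.RejectPrincipal();
        // Clear the cookie as well so the stale principal is not presented again.
        await context.HttpContext.Authentication.SignOutAsync("Auth0");
    }
}

/// <summary>
/// Exchanges the refresh token stored on the principal for a new id_token and, on success,
/// replaces the "exp" and "id_token" claims on the identity that carried <paramref name="expClaim"/>
/// and marks the cookie for renewal.
/// </summary>
/// <param name="context">Cookie validation context of the current request.</param>
/// <param name="auth0Settings">Tenant domain and client id used for the refresh call.</param>
/// <param name="expClaim">The expired "exp" claim; its subject is the identity to update.</param>
/// <returns>true when the identity was refreshed; false when no refresh was possible.</returns>
private static async Task<bool> TryRefreshIdTokenAsync(
    CookieValidatePrincipalContext context,
    IOptions<Auth0Settings> auth0Settings,
    Claim expClaim)
{
    // NOTE(review): the refresh token travels inside the auth cookie as a claim, so the cookie's
    // data-protection, HttpOnly and Secure settings are what keep it confidential.
    var refreshToken = context.Principal.FindFirst("refresh_token")?.Value;
    if (string.IsNullOrWhiteSpace(refreshToken))
    {
        return false;
    }

    var authClient = new AuthenticationApiClient(new Uri($"https://{auth0Settings.Value.Domain}"));
    // NOTE(review): a failed delegation call (network error, revoked refresh token) propagates out
    // of this cookie event instead of rejecting the principal; decide whether it should fail closed.
    var newIdToken = await authClient.GetDelegationTokenAsync(
        new RefreshTokenDelegationRequest(
            auth0Settings.Value.ClientId,
            auth0Settings.Value.ClientId,
            refreshToken));
    if (string.IsNullOrWhiteSpace(newIdToken.IdToken))
    {
        return false;
    }

    // ValidateJwt presumably verifies the new token before its claims are trusted — confirm.
    var newPrincipal = ValidateJwt(newIdToken.IdToken, auth0Settings);
    var newExpClaim = newPrincipal.FindFirst("exp");
    if (newExpClaim == null)
    {
        // Without an expiry the refreshed principal could never expire again; treat as a failed refresh.
        return false;
    }

    var identity = expClaim.Subject;
    identity.RemoveClaim(expClaim);
    identity.AddClaim(newExpClaim);

    // Replace the stored id_token with the freshly issued one.
    var tokenClaim = identity.FindFirst("id_token");
    if (tokenClaim != null)
    {
        identity.RemoveClaim(tokenClaim);
    }
    identity.AddClaim(new Claim("id_token", newIdToken.IdToken));

    // TODO: if required, refresh identity with updated claims inside the new token
    // or calling the /api/v2/user/{id}?
    // How to reuse OpenIdConnectHandler's code to get the new profile and create the new Identity?
    // see GetUserInformationAsync() in
    // https://github.com/aspnet/Security/blob/master/src/Microsoft.AspNetCore.Authentication.OpenIdConnect/OpenIdConnectHandler.cs

    // Issue a new cookie carrying the refreshed claims.
    context.ShouldRenew = true;
    return true;
}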