protected virtual async Task <JwsPayload> BuildIdToken(HandlerContext currentContext, JObject queryParameters, IEnumerable <string> requestedScopes, CancellationToken cancellationToken)
{
var openidClient = (OpenIdClient)currentContext.Client;
var result = new JwsPayload
{
{ OAuthClaims.Audiences, new [] { openidClient.ClientId, currentContext.Request.IssuerName } },
{ OAuthClaims.Issuer, currentContext.Request.IssuerName },
{ OAuthClaims.Iat, DateTime.UtcNow.ConvertToUnixTimestamp() },
{ OAuthClaims.ExpirationTime, DateTime.UtcNow.AddSeconds(openidClient.TokenExpirationTimeInSeconds).ConvertToUnixTimestamp() },
{ OAuthClaims.Azp, openidClient.ClientId }
};
var maxAge = queryParameters.GetMaxAgeFromAuthorizationRequest();
var nonce = queryParameters.GetNonceFromAuthorizationRequest();
var acrValues = queryParameters.GetAcrValuesFromAuthorizationRequest();
var requestedClaims = queryParameters.GetClaimsFromAuthorizationRequest();
var subjectTypeBuilder = _subjectTypeBuilders.First(f => f.SubjectType == (string.IsNullOrWhiteSpace(openidClient.SubjectType) ? PublicSubjectTypeBuilder.SUBJECT_TYPE : openidClient.SubjectType));
var subject = await subjectTypeBuilder.Build(currentContext);
string accessToken, code;
if (currentContext.Response.TryGet(OAuth.DTOs.AuthorizationResponseParameters.AccessToken, out accessToken))
{
result.Add(OAuthClaims.AtHash, ComputeHash(accessToken));
}
if (currentContext.Response.TryGet(OAuth.DTOs.AuthorizationResponseParameters.Code, out code))
{
result.Add(OAuthClaims.CHash, ComputeHash(code));
}
if (maxAge != null)
{
result.Add(OAuthClaims.AuthenticationTime, currentContext.User.AuthenticationTime.Value.ConvertToUnixTimestamp());
}
if (!string.IsNullOrWhiteSpace(nonce))
{
result.Add(OAuthClaims.Nonce, nonce);
}
var defaultAcr = await _amrHelper.FetchDefaultAcr(acrValues, requestedClaims, openidClient, cancellationToken);
if (defaultAcr != null)
{
result.Add(OAuthClaims.Amr, defaultAcr.AuthenticationMethodReferences);
result.Add(OAuthClaims.Acr, defaultAcr.Name);
}
var scopes = openidClient.AllowedOpenIdScopes.Where(s => requestedScopes.Any(r => r == s.Name));
EnrichWithScopeParameter(result, scopes, currentContext.User, subject);
_claimsJwsPayloadEnricher.EnrichWithClaimsParameter(result, requestedClaims, currentContext.User, currentContext.User.AuthenticationTime);
foreach (var claimsSource in _claimsSources)
{
await claimsSource.Enrich(result, openidClient).ConfigureAwait(false);
}
return(result);
}
protected virtual JwsPayload BuildOpenIdPayload(IEnumerable <string> scopes, IEnumerable <AuthorizationRequestClaimParameter> claimParameters, HandlerContext handlerContext)
{
var jwsPayload = BuildPayload(scopes, handlerContext);
if (handlerContext.User != null)
{
jwsPayload.Add(UserClaims.Subject, handlerContext.User.Id);
if (handlerContext.User.AuthenticationTime != null)
{
jwsPayload.Add(OAuthClaims.AuthenticationTime, handlerContext.User.AuthenticationTime.Value.ConvertToUnixTimestamp());
}
}
_claimsJwsPayloadEnricher.EnrichWithClaimsParameter(jwsPayload, claimParameters);
return(jwsPayload);
}
private async Task <IActionResult> Common(JObject content, CancellationToken cancellationToken)
{
try
{
var accessToken = ExtractAccessToken(content);
var jwsPayload = await Extract(accessToken);
if (jwsPayload == null)
{
throw new OAuthException(ErrorCodes.INVALID_TOKEN, OAuth.ErrorMessages.BAD_TOKEN);
}
var subject = jwsPayload.GetSub();
var scopes = jwsPayload.GetScopes();
var audiences = jwsPayload.GetAudiences();
var claims = jwsPayload.GetClaimsFromAccessToken(AuthorizationRequestClaimTypes.UserInfo);
var authTime = jwsPayload.GetAuthTime();
var user = await _oauthUserRepository.FindOAuthUserByLogin(subject, cancellationToken);
if (user == null)
{
return(new UnauthorizedResult());
}
var filteredClients = await _oauthClientRepository.FindOAuthClientByIds(audiences, cancellationToken);
if (!filteredClients.Any())
{
throw new OAuthException(ErrorCodes.INVALID_CLIENT, ErrorMessages.INVALID_AUDIENCE);
}
var oauthClient = (OpenIdClient)filteredClients.First();
if (!user.HasOpenIDConsent(oauthClient.ClientId, scopes, claims, AuthorizationRequestClaimTypes.UserInfo))
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.NO_CONSENT);
}
var token = await _tokenQueryRepository.Get(accessToken, cancellationToken);
if (token == null)
{
_logger.LogError("Cannot get user information because access token has been rejected");
throw new OAuthException(ErrorCodes.INVALID_TOKEN, OAuth.ErrorMessages.ACCESS_TOKEN_REJECTED);
}
var oauthScopes = (await _oauthScopeRepository.FindOAuthScopesByNames(scopes, cancellationToken)).Cast <OpenIdScope>();
var payload = new JwsPayload();
IdTokenBuilder.EnrichWithScopeParameter(payload, oauthScopes, user, subject);
_claimsJwsPayloadEnricher.EnrichWithClaimsParameter(payload, claims, user, authTime, AuthorizationRequestClaimTypes.UserInfo);
foreach (var claimsSource in _claimsSources)
{
await claimsSource.Enrich(payload, oauthClient).ConfigureAwait(false);
}
string contentType = "application/json";
var result = JsonConvert.SerializeObject(payload).ToString();
if (!string.IsNullOrWhiteSpace(oauthClient.UserInfoSignedResponseAlg))
{
result = await _jwtBuilder.BuildClientToken(oauthClient, payload, oauthClient.UserInfoSignedResponseAlg, oauthClient.UserInfoEncryptedResponseAlg, oauthClient.UserInfoEncryptedResponseEnc);
contentType = "application/jwt";
}
return(new ContentResult
{
Content = result,
ContentType = contentType
});
}
catch (OAuthException ex)
{
var jObj = new JObject
{
{ ErrorResponseParameters.Error, ex.Code },
{ ErrorResponseParameters.ErrorDescription, ex.Message }
};
return(new ContentResult
{
Content = jObj.ToString(),
ContentType = "application/json",
StatusCode = (int)HttpStatusCode.BadRequest
});
}
}