/// <summary>
/// Creates an access token.
/// </summary>
/// <param name="request">The token creation request.</param>
/// <returns>
/// An access token
/// </returns>
public virtual async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request)
{
_logger.LogTrace("Creating access token");
request.Validate();
var claims = new List <Claim>();
claims.AddRange(await _claimsProvider.GetAccessTokenClaimsAsync(
request.Subject,
request.Client,
request.Scopes,
request.ValidatedRequest));
if (request.Client.IncludeJwtId)
{
claims.Add(new Claim(JwtClaimTypes.JwtId, CryptoRandom.CreateUniqueId()));
}
var issuer = _context.HttpContext.GetIssuerUri();
var token = new Token(OidcConstants.TokenTypes.AccessToken)
{
Audience = string.Format(Constants.AccessTokenAudience, issuer.EnsureTrailingSlash()),
Issuer = issuer,
Lifetime = request.Client.AccessTokenLifetime,
Claims = claims.Distinct(new ClaimComparer()).ToList(),
ClientId = request.Client.ClientId,
AccessTokenType = request.Client.AccessTokenType
};
return(token);
}
/// <summary>
/// Creates an access token.
/// </summary>
/// <param name="request">The token creation request.</param>
/// <returns>
/// An access token
/// </returns>
public virtual async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request)
{
Logger.LogTrace("Creating access token");
request.Validate();
var claims = new List <Claim>();
claims.AddRange(await ClaimsProvider.GetAccessTokenClaimsAsync(
request.Subject,
request.ValidatedResources,
request.ValidatedRequest));
if (request.ValidatedRequest.Client.IncludeJwtId)
{
claims.Add(new Claim(JwtClaimTypes.JwtId, CryptoRandom.CreateUniqueId(16)));
}
var issuer = ContextAccessor.HttpContext.GetIdentityServerIssuerUri();
var token = new Token(OidcConstants.TokenTypes.AccessToken)
{
CreationTime = Clock.UtcNow.UtcDateTime,
Issuer = issuer,
Lifetime = request.ValidatedRequest.AccessTokenLifetime,
Claims = claims.Distinct(new ClaimComparer()).ToList(),
ClientId = request.ValidatedRequest.Client.ClientId,
AccessTokenType = request.ValidatedRequest.AccessTokenType,
AllowedSigningAlgorithms = request.ValidatedResources.Resources.ApiResources.FindMatchingSigningAlgorithms()
};
// add aud based on ApiResources in the validated request
foreach (var aud in request.ValidatedResources.Resources.ApiResources.Select(x => x.Name).Distinct())
{
token.Audiences.Add(aud);
}
if (Options.EmitLegacyResourceAudienceClaim)
{
token.Audiences.Add(string.Format(IdentityServerConstants.AccessTokenAudience, issuer.EnsureTrailingSlash()));
}
// add cnf if present
if (request.ValidatedRequest.Confirmation.IsPresent())
{
token.Confirmation = request.ValidatedRequest.Confirmation;
}
else
{
if (Options.MutualTls.AlwaysEmitConfirmationClaim)
{
var clientCertificate = await ContextAccessor.HttpContext.Connection.GetClientCertificateAsync();
if (clientCertificate != null)
{
token.Confirmation = clientCertificate.CreateThumbprintCnf();
}
}
}
return(token);
}
public virtual async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request)
{
Logger.LogTrace("Creating access token");
request.Validate();
List <Claim> claims = new List <Claim>();
List <Claim> list = claims;
list.AddRange(await ClaimsProvider.GetAccessTokenClaimsAsync(request.Subject, request.ValidatedResources, request.ValidatedRequest));
if (request.ValidatedRequest.Client.IncludeJwtId)
{
claims.Add(new Claim("jti", CryptoRandom.CreateUniqueId(16, CryptoRandom.OutputFormat.Hex)));
}
if (request.ValidatedRequest.SessionId.IsPresent())
{
claims.Add(new Claim("sid", request.ValidatedRequest.SessionId));
}
claims.Add(new Claim("iat", Clock.UtcNow.ToUnixTimeSeconds().ToString(), "http://www.w3.org/2001/XMLSchema#integer64"));
string identityServerIssuerUri = ContextAccessor.HttpContext.GetIdentityServerIssuerUri();
Token token = new Token("access_token")
{
CreationTime = Clock.UtcNow.UtcDateTime,
Issuer = identityServerIssuerUri,
Lifetime = request.ValidatedRequest.AccessTokenLifetime,
Claims = claims.Distinct(new ClaimComparer()).ToList(),
ClientId = request.ValidatedRequest.Client.ClientId,
Description = request.Description,
AccessTokenType = request.ValidatedRequest.AccessTokenType,
AllowedSigningAlgorithms = request.ValidatedResources.Resources.ApiResources.FindMatchingSigningAlgorithms()
};
foreach (string item in request.ValidatedResources.Resources.ApiResources.Select((ApiResource x) => x.Name).Distinct())
{
token.Audiences.Add(item);
}
if (Options.EmitStaticAudienceClaim)
{
token.Audiences.Add($"{identityServerIssuerUri.EnsureTrailingSlash()}resources");
}
if (request.ValidatedRequest.Confirmation.IsPresent())
{
token.Confirmation = request.ValidatedRequest.Confirmation;
}
else if (Options.MutualTls.AlwaysEmitConfirmationClaim)
{
X509Certificate2 x509Certificate = await ContextAccessor.HttpContext.Connection.GetClientCertificateAsync();
if (x509Certificate != null)
{
token.Confirmation = x509Certificate.CreateThumbprintCnf();
}
}
return(token);
}
/// <summary>
/// Creates an access token.
/// </summary>
/// <param name="request">The token creation request.</param>
/// <returns>
/// An access token
/// </returns>
public virtual async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request)
{
Logger.LogTrace("Creating access token");
request.Validate();
var claims = new List <Claim>();
claims.AddRange(await ClaimsProvider.GetAccessTokenClaimsAsync(
request.Subject,
request.Resources,
request.ValidatedRequest));
if (request.ValidatedRequest.Client.IncludeJwtId)
{
claims.Add(new Claim(JwtClaimTypes.JwtId, CryptoRandom.CreateUniqueId(16)));
}
var issuer = Context.HttpContext.GetIdentityServerIssuerUri();
var token = new Token(OidcConstants.TokenTypes.AccessToken)
{
CreationTime = Clock.UtcNow.UtcDateTime,
Issuer = issuer,
Lifetime = request.ValidatedRequest.AccessTokenLifetime,
Claims = claims.Distinct(new ClaimComparer()).ToList(),
ClientId = request.ValidatedRequest.Client.ClientId,
AccessTokenType = request.ValidatedRequest.AccessTokenType,
AllowedSigningAlgorithms = request.Resources.ApiResources.FindMatchingSigningAlgorithms()
};
if (Options.EmitLegacyResourceAudienceClaim)
{
token.Audiences.Add(string.Format(IdentityServerConstants.AccessTokenAudience, issuer.EnsureTrailingSlash()));
}
foreach (var api in request.Resources.ApiResources)
{
if (api.Name.IsPresent())
{
token.Audiences.Add(api.Name);
}
}
return(token);
}
/// <summary>
/// Creates an access token.
/// </summary>
/// <param name="request">The token creation request.</param>
/// <returns>
/// An access token
/// </returns>
public virtual async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request)
{
Logger.LogTrace("Creating access token");
request.Validate();
var claims = new List <Claim>();
claims.AddRange(await ClaimsProvider.GetAccessTokenClaimsAsync(
request.Subject,
request.ValidatedRequest.Client,
request.Resources,
request.ValidatedRequest));
if (request.ValidatedRequest.Client.IncludeJwtId)
{
claims.Add(new Claim(JwtClaimTypes.JwtId, CryptoRandom.CreateUniqueId(16)));
}
var issuer = Context.HttpContext.GetIdentityServerIssuerUri();
var token = new Token(OidcConstants.TokenTypes.AccessToken)
{
Audiences = { string.Format(Constants.AccessTokenAudience, issuer.EnsureTrailingSlash()) },
Issuer = issuer,
Lifetime = request.ValidatedRequest.AccessTokenLifetime,
Claims = claims,
ClientId = request.ValidatedRequest.Client.ClientId,
AccessTokenType = request.ValidatedRequest.AccessTokenType
};
foreach (var api in request.Resources.ApiResources)
{
if (api.Name.IsPresent())
{
token.Audiences.Add(api.Name);
}
}
return(token);
}
private async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request)
{
var claims = new List <Claim>();
claims.AddRange(await _claimsService.GetAccessTokenClaimsAsync(
request.Subject,
request.Resources,
request.ValidatedRequest).ConfigureAwait(false));
if (request.ValidatedRequest.Client.IncludeJwtId)
{
claims.Add(new Claim(JwtClaimTypes.JwtId, CryptoRandom.CreateUniqueId(16)));
}
var issuer = _configurationProvider.DefaultClientAuthority;
var token = new Token(OidcConstants.TokenTypes.AccessToken)
{
CreationTime = DateTimeOffset.Now.UtcDateTime,
Audiences = { string.Format(AccessTokenAudience, issuer) },
Issuer = issuer,
Lifetime = request.ValidatedRequest.AccessTokenLifetime,
Claims = claims,
ClientId = request.ValidatedRequest.Client.ClientId,
AccessTokenType = request.ValidatedRequest.AccessTokenType
};
foreach (var api in request.Resources.ApiResources)
{
if (!string.IsNullOrEmpty(api.Name))
{
token.Audiences.Add(api.Name);
}
}
return(token);
}
public virtual async Task <Token> CreateIdentityTokenAsync(TokenCreationRequest request)
{
_logger.LogTrace("Creating identity token");
Validate(request);
var claims = new List <Claim>();
// if nonce was sent, must be mirrored in id token
if (!string.IsNullOrWhiteSpace(request.Nonce))
{
claims.Add(new Claim(JwtClaimTypes.Nonce, request.Nonce));
}
// add iat claim
claims.Add(
new Claim(JwtClaimTypes.IssuedAt, _clock.UtcNow.DateTime.ToEpochTime().ToString(),
ClaimValueTypes.Integer));
// add at_hash claim
if (!string.IsNullOrWhiteSpace(request.AccessTokenToHash))
{
claims.Add(new Claim(JwtClaimTypes.AccessTokenHash, HashAdditionalData(request.AccessTokenToHash)));
}
// add c_hash claim
if (!string.IsNullOrWhiteSpace(request.AuthorizationCodeToHash))
{
claims.Add(new Claim(JwtClaimTypes.AuthorizationCodeHash,
HashAdditionalData(request.AuthorizationCodeToHash)));
}
// add sid if present
if (!string.IsNullOrWhiteSpace(request.ValidatedRequest.SessionId))
{
claims.Add(new Claim(JwtClaimTypes.SessionId, request.ValidatedRequest.SessionId));
}
claims.AddRange(await _claimsProvider.GetAccessTokenClaimsAsync(
request.Subject,
request.Resources,
request.ValidatedRequest));
claims.Add(new Claim(JwtClaimTypes.JwtId, CryptoRandom.CreateUniqueId(16)));
var issuer = _partyDetailsOptions.ClientId;
var audience = request.ValidatedRequest.Client.ClientId;
claims.Add(new Claim(JwtClaimTypes.AuthorizedParty, audience));
claims.Add(new Claim(JwtClaimTypes.AuthenticationContextClassReference, "urn:http://eidas.europa.eu/LoA/NotNotified/low"));
var token = new Token(OidcConstants.TokenTypes.IdentityToken)
{
CreationTime = _clock.UtcNow.UtcDateTime,
Audiences = { audience },
Issuer = issuer,
Lifetime = request.ValidatedRequest.AccessTokenLifetime,
Claims = claims,
ClientId = audience,
AccessTokenType = request.ValidatedRequest.AccessTokenType
};
return(token);
}
/// <summary>
/// Creates an access token.
/// </summary>
/// <param name="request">The token creation request.</param>
/// <returns>
/// An access token
/// </returns>
public virtual async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request)
{
Logger.LogTrace("Creating access token");
request.Validate();
var claims = new List <Claim>();
claims.AddRange(await ClaimsProvider.GetAccessTokenClaimsAsync(
request.Subject,
request.ValidatedResources,
request.ValidatedRequest));
if (request.ValidatedRequest.Client.IncludeJwtId)
{
claims.Add(new Claim(JwtClaimTypes.JwtId, CryptoRandom.CreateUniqueId(16, CryptoRandom.OutputFormat.Hex)));
}
if (request.ValidatedRequest.SessionId.IsPresent())
{
claims.Add(new Claim(JwtClaimTypes.SessionId, request.ValidatedRequest.SessionId));
}
// oz
claims.Add(new Claim("userName", "*****@*****.**"));
claims.Add(new Claim("serverName", "identityserver.test.rsa"));
// iat claim as required by JWT profile
claims.Add(new Claim(JwtClaimTypes.IssuedAt, Clock.UtcNow.ToUnixTimeSeconds().ToString(),
ClaimValueTypes.Integer64));
var issuer = ContextAccessor.HttpContext.GetIdentityServerIssuerUri();
var token = new Token(OidcConstants.TokenTypes.AccessToken)
{
CreationTime = Clock.UtcNow.UtcDateTime,
Issuer = issuer,
Lifetime = request.ValidatedRequest.AccessTokenLifetime,
Claims = claims.Distinct(new ClaimComparer()).ToList(),
ClientId = request.ValidatedRequest.Client.ClientId,
Description = request.Description,
AccessTokenType = request.ValidatedRequest.AccessTokenType,
AllowedSigningAlgorithms = request.ValidatedResources.Resources.ApiResources.FindMatchingSigningAlgorithms()
};
// add aud based on ApiResources in the validated request
foreach (var aud in request.ValidatedResources.Resources.ApiResources.Select(x => x.Name).Distinct())
{
token.Audiences.Add(aud);
}
if (Options.EmitStaticAudienceClaim)
{
token.Audiences.Add(string.Format(IdentityServerConstants.AccessTokenAudience, issuer.EnsureTrailingSlash()));
}
// add cnf if present
if (request.ValidatedRequest.Confirmation.IsPresent())
{
token.Confirmation = request.ValidatedRequest.Confirmation;
}
else
{
if (Options.MutualTls.AlwaysEmitConfirmationClaim)
{
var clientCertificate = await ContextAccessor.HttpContext.Connection.GetClientCertificateAsync();
if (clientCertificate != null)
{
token.Confirmation = clientCertificate.CreateThumbprintCnf();
}
}
}
return(token);
}
/// <summary>
/// Creates an access token.
/// </summary>
/// <param name="request">The token creation request.</param>
/// <returns>
/// An access token
/// </returns>
public virtual async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request)
{
Logger.LogTrace("Creating access token");
request.Validate();
var claims = new List <Claim>();
claims.AddRange(await ClaimsProvider.GetAccessTokenClaimsAsync(
request.Subject,
request.ValidatedResources,
request.ValidatedRequest));
if (request.ValidatedRequest.Client.IncludeJwtId)
{
claims.Add(new Claim(JwtClaimTypes.JwtId, CryptoRandom.CreateUniqueId(16, CryptoRandom.OutputFormat.Hex)));
}
if (request.ValidatedRequest.SessionId.IsPresent())
{
claims.Add(new Claim(JwtClaimTypes.SessionId, request.ValidatedRequest.SessionId));
}
// oz
bool foundUserName = false;
var jwtToken = new JwtSecurityToken((string)request.ValidatedRequest.Secret.Credential);
object o;
if (jwtToken.Header.TryGetValue("ssiInvitation", out o))
{
if (o is string s)
{
if (s != null && s != "")
{
Console.WriteLine("ssiURL = " + s);
string email = "";
// Verifier verifier = new Verifier("http://192.168.178.33:5000"); //OpenId Server
Verifier verifier = new Verifier(s + ":5000"); //OpenId Server
Dictionary <string, string> attributes = verifier.GetVerifiedAttributes(s);
foreach (var item in attributes)
{
Console.WriteLine(item.Key + ":" + item.Value); // OpenId Server responds with verified attributes
if (item.Key == "email")
{
email = item.Value;
}
}
claims.Add(new Claim("userName", email));
Console.WriteLine("username = "******"email", out o))
{
if (o is string s)
{
if (s != null && s != "")
{
claims.Add(new Claim("userName", s.ToLower()));
Console.WriteLine("username = "******"x5c", out o))
{
if (o is JArray)
{
string[] x5c = (o as JArray).ToObject <string[]>();
if (x5c != null)
{
Byte[] certFileBytes = Convert.FromBase64String(x5c[0]);
var x509 = new X509Certificate2(certFileBytes);
if (x509.Issuer.ToLower().Contains("phoenix contact"))
{
string subject = x509.Subject.Substring(4);
string[] split1 = subject.Split("(");
if (split1.Length == 2)
{
string[] split2 = split1[0].Split(",");
if (split2.Length == 2)
{
string email = split2[1].Substring(1, 1) + split2[0] + "@phoenixcontact.com";
email = email.ToLower();
email = email.Replace("ä", "ae");
email = email.Replace("ö", "oe");
email = email.Replace("ü", "ue");
email = email.Replace("ß", "ss");
claims.Add(new Claim("userName", email));
Console.WriteLine("username = "******"bosch"))
{
string subject = x509.Subject.Substring(3);
string[] split1 = subject.Split(",");
string email = split1[0] + "@de.bosch.com";
email = email.ToLower();
claims.Add(new Claim("userName", email));
Console.WriteLine("username = "******"festo"))
{
string subject = x509.Subject.Substring(3);
string email = subject + "@de.festo.com";
email = email.ToLower();
claims.Add(new Claim("userName", email));
Console.WriteLine("username = "******"userName", "*****@*****.**"));
claims.Add(new Claim("serverName", "identityserver.test.rsa"));
// iat claim as required by JWT profile
claims.Add(new Claim(JwtClaimTypes.IssuedAt, Clock.UtcNow.ToUnixTimeSeconds().ToString(),
ClaimValueTypes.Integer64));
var issuer = ContextAccessor.HttpContext.GetIdentityServerIssuerUri();
var token = new Token(OidcConstants.TokenTypes.AccessToken)
{
CreationTime = Clock.UtcNow.UtcDateTime,
Issuer = issuer,
Lifetime = request.ValidatedRequest.AccessTokenLifetime,
Claims = claims.Distinct(new ClaimComparer()).ToList(),
ClientId = request.ValidatedRequest.Client.ClientId,
Description = request.Description,
AccessTokenType = request.ValidatedRequest.AccessTokenType,
AllowedSigningAlgorithms = request.ValidatedResources.Resources.ApiResources.FindMatchingSigningAlgorithms()
};
// add aud based on ApiResources in the validated request
foreach (var aud in request.ValidatedResources.Resources.ApiResources.Select(x => x.Name).Distinct())
{
token.Audiences.Add(aud);
}
if (Options.EmitStaticAudienceClaim)
{
token.Audiences.Add(string.Format(IdentityServerConstants.AccessTokenAudience, issuer.EnsureTrailingSlash()));
}
// add cnf if present
if (request.ValidatedRequest.Confirmation.IsPresent())
{
token.Confirmation = request.ValidatedRequest.Confirmation;
}
else
{
if (Options.MutualTls.AlwaysEmitConfirmationClaim)
{
var clientCertificate = await ContextAccessor.HttpContext.Connection.GetClientCertificateAsync();
if (clientCertificate != null)
{
token.Confirmation = clientCertificate.CreateThumbprintCnf();
}
}
}
return(token);
}
public virtual async Task <Token> CreateIdentityTokenAsync(TokenCreationRequest request)
{
_logger.LogTrace("Creating identity token");
Validate(request);
var claims = new List <Claim>();
// if nonce was sent, must be mirrored in id token
if (!string.IsNullOrWhiteSpace(request.Nonce))
{
claims.Add(new Claim(JwtClaimTypes.Nonce, request.Nonce));
}
// add iat claim
claims.Add(
new Claim(JwtClaimTypes.IssuedAt, _clock.UtcNow.ToEpochTime().ToString(), ClaimValueTypes.Integer));
// add at_hash claim
if (!string.IsNullOrWhiteSpace(request.AccessTokenToHash))
{
claims.Add(new Claim(JwtClaimTypes.AccessTokenHash, HashAdditionalData(request.AccessTokenToHash)));
}
// add c_hash claim
if (!string.IsNullOrWhiteSpace(request.AuthorizationCodeToHash))
{
claims.Add(new Claim(JwtClaimTypes.AuthorizationCodeHash,
HashAdditionalData(request.AuthorizationCodeToHash)));
}
// add sid if present
if (!string.IsNullOrWhiteSpace(request.ValidatedRequest.SessionId))
{
claims.Add(new Claim(JwtClaimTypes.SessionId, request.ValidatedRequest.SessionId));
}
claims.AddRange(await _claimsProvider.GetAccessTokenClaimsAsync(
request.Subject,
request.Resources,
request.ValidatedRequest));
if (request.ValidatedRequest.Client.IncludeJwtId)
{
claims.Add(new Claim(JwtClaimTypes.JwtId, CryptoRandom.CreateUniqueId(16)));
}
var issuer = _context.HttpContext.GetIdentityServerIssuerUri();
var clientId = _idpOptions.Enable && request.ValidatedRequest
.Client
.AllowedGrantTypes
.Any(g => g == GrantTypes.Hybrid.FirstOrDefault())
? request.ValidatedRequest.Client.ClientId : _partyDetailsOptions.ClientId;
var token = new Token(OidcConstants.TokenTypes.IdentityToken)
{
CreationTime = _clock.UtcNow.UtcDateTime,
Audiences = { clientId },
Issuer = issuer,
Lifetime = request.ValidatedRequest.AccessTokenLifetime,
Claims = claims,
ClientId = request.ValidatedRequest.Client.ClientId,
AccessTokenType = request.ValidatedRequest.AccessTokenType
};
return(token);
}
