Esempio n. 1
0
        /// <summary>
        /// Creates an access token.
        /// </summary>
        /// <param name="request">The token creation request.</param>
        /// <returns>
        /// An access token
        /// </returns>
        public virtual async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request)
        {
            _logger.LogTrace("Creating access token");
            request.Validate();

            var claims = new List <Claim>();

            claims.AddRange(await _claimsProvider.GetAccessTokenClaimsAsync(
                                request.Subject,
                                request.Client,
                                request.Scopes,
                                request.ValidatedRequest));

            if (request.Client.IncludeJwtId)
            {
                claims.Add(new Claim(JwtClaimTypes.JwtId, CryptoRandom.CreateUniqueId()));
            }

            var issuer = _context.HttpContext.GetIssuerUri();
            var token  = new Token(OidcConstants.TokenTypes.AccessToken)
            {
                Audience        = string.Format(Constants.AccessTokenAudience, issuer.EnsureTrailingSlash()),
                Issuer          = issuer,
                Lifetime        = request.Client.AccessTokenLifetime,
                Claims          = claims.Distinct(new ClaimComparer()).ToList(),
                ClientId        = request.Client.ClientId,
                AccessTokenType = request.Client.AccessTokenType
            };

            return(token);
        }
Esempio n. 2
0
        /// <summary>
        /// Creates an access token.
        /// </summary>
        /// <param name="request">The token creation request.</param>
        /// <returns>
        /// An access token
        /// </returns>
        public virtual async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request)
        {
            Logger.LogTrace("Creating access token");
            request.Validate();

            var claims = new List <Claim>();

            claims.AddRange(await ClaimsProvider.GetAccessTokenClaimsAsync(
                                request.Subject,
                                request.ValidatedResources,
                                request.ValidatedRequest));

            if (request.ValidatedRequest.Client.IncludeJwtId)
            {
                claims.Add(new Claim(JwtClaimTypes.JwtId, CryptoRandom.CreateUniqueId(16)));
            }

            var issuer = ContextAccessor.HttpContext.GetIdentityServerIssuerUri();
            var token  = new Token(OidcConstants.TokenTypes.AccessToken)
            {
                CreationTime             = Clock.UtcNow.UtcDateTime,
                Issuer                   = issuer,
                Lifetime                 = request.ValidatedRequest.AccessTokenLifetime,
                Claims                   = claims.Distinct(new ClaimComparer()).ToList(),
                ClientId                 = request.ValidatedRequest.Client.ClientId,
                AccessTokenType          = request.ValidatedRequest.AccessTokenType,
                AllowedSigningAlgorithms = request.ValidatedResources.Resources.ApiResources.FindMatchingSigningAlgorithms()
            };

            // add aud based on ApiResources in the validated request
            foreach (var aud in request.ValidatedResources.Resources.ApiResources.Select(x => x.Name).Distinct())
            {
                token.Audiences.Add(aud);
            }

            if (Options.EmitLegacyResourceAudienceClaim)
            {
                token.Audiences.Add(string.Format(IdentityServerConstants.AccessTokenAudience, issuer.EnsureTrailingSlash()));
            }

            // add cnf if present
            if (request.ValidatedRequest.Confirmation.IsPresent())
            {
                token.Confirmation = request.ValidatedRequest.Confirmation;
            }
            else
            {
                if (Options.MutualTls.AlwaysEmitConfirmationClaim)
                {
                    var clientCertificate = await ContextAccessor.HttpContext.Connection.GetClientCertificateAsync();

                    if (clientCertificate != null)
                    {
                        token.Confirmation = clientCertificate.CreateThumbprintCnf();
                    }
                }
            }

            return(token);
        }
        public virtual async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request)
        {
            Logger.LogTrace("Creating access token");
            request.Validate();
            List <Claim> claims = new List <Claim>();
            List <Claim> list   = claims;

            list.AddRange(await ClaimsProvider.GetAccessTokenClaimsAsync(request.Subject, request.ValidatedResources, request.ValidatedRequest));
            if (request.ValidatedRequest.Client.IncludeJwtId)
            {
                claims.Add(new Claim("jti", CryptoRandom.CreateUniqueId(16, CryptoRandom.OutputFormat.Hex)));
            }
            if (request.ValidatedRequest.SessionId.IsPresent())
            {
                claims.Add(new Claim("sid", request.ValidatedRequest.SessionId));
            }
            claims.Add(new Claim("iat", Clock.UtcNow.ToUnixTimeSeconds().ToString(), "http://www.w3.org/2001/XMLSchema#integer64"));
            string identityServerIssuerUri = ContextAccessor.HttpContext.GetIdentityServerIssuerUri();
            Token  token = new Token("access_token")
            {
                CreationTime             = Clock.UtcNow.UtcDateTime,
                Issuer                   = identityServerIssuerUri,
                Lifetime                 = request.ValidatedRequest.AccessTokenLifetime,
                Claims                   = claims.Distinct(new ClaimComparer()).ToList(),
                ClientId                 = request.ValidatedRequest.Client.ClientId,
                Description              = request.Description,
                AccessTokenType          = request.ValidatedRequest.AccessTokenType,
                AllowedSigningAlgorithms = request.ValidatedResources.Resources.ApiResources.FindMatchingSigningAlgorithms()
            };

            foreach (string item in request.ValidatedResources.Resources.ApiResources.Select((ApiResource x) => x.Name).Distinct())
            {
                token.Audiences.Add(item);
            }
            if (Options.EmitStaticAudienceClaim)
            {
                token.Audiences.Add($"{identityServerIssuerUri.EnsureTrailingSlash()}resources");
            }
            if (request.ValidatedRequest.Confirmation.IsPresent())
            {
                token.Confirmation = request.ValidatedRequest.Confirmation;
            }
            else if (Options.MutualTls.AlwaysEmitConfirmationClaim)
            {
                X509Certificate2 x509Certificate = await ContextAccessor.HttpContext.Connection.GetClientCertificateAsync();

                if (x509Certificate != null)
                {
                    token.Confirmation = x509Certificate.CreateThumbprintCnf();
                }
            }
            return(token);
        }
        /// <summary>
        /// Creates an access token.
        /// </summary>
        /// <param name="request">The token creation request.</param>
        /// <returns>
        /// An access token
        /// </returns>
        public virtual async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request)
        {
            Logger.LogTrace("Creating access token");
            request.Validate();

            var claims = new List <Claim>();

            claims.AddRange(await ClaimsProvider.GetAccessTokenClaimsAsync(
                                request.Subject,
                                request.Resources,
                                request.ValidatedRequest));

            if (request.ValidatedRequest.Client.IncludeJwtId)
            {
                claims.Add(new Claim(JwtClaimTypes.JwtId, CryptoRandom.CreateUniqueId(16)));
            }

            var issuer = Context.HttpContext.GetIdentityServerIssuerUri();
            var token  = new Token(OidcConstants.TokenTypes.AccessToken)
            {
                CreationTime             = Clock.UtcNow.UtcDateTime,
                Issuer                   = issuer,
                Lifetime                 = request.ValidatedRequest.AccessTokenLifetime,
                Claims                   = claims.Distinct(new ClaimComparer()).ToList(),
                ClientId                 = request.ValidatedRequest.Client.ClientId,
                AccessTokenType          = request.ValidatedRequest.AccessTokenType,
                AllowedSigningAlgorithms = request.Resources.ApiResources.FindMatchingSigningAlgorithms()
            };

            if (Options.EmitLegacyResourceAudienceClaim)
            {
                token.Audiences.Add(string.Format(IdentityServerConstants.AccessTokenAudience, issuer.EnsureTrailingSlash()));
            }

            foreach (var api in request.Resources.ApiResources)
            {
                if (api.Name.IsPresent())
                {
                    token.Audiences.Add(api.Name);
                }
            }

            return(token);
        }
        /// <summary>
        /// Creates an access token.
        /// </summary>
        /// <param name="request">The token creation request.</param>
        /// <returns>
        /// An access token
        /// </returns>
        public virtual async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request)
        {
            Logger.LogTrace("Creating access token");
            request.Validate();

            var claims = new List <Claim>();

            claims.AddRange(await ClaimsProvider.GetAccessTokenClaimsAsync(
                                request.Subject,
                                request.ValidatedRequest.Client,
                                request.Resources,
                                request.ValidatedRequest));

            if (request.ValidatedRequest.Client.IncludeJwtId)
            {
                claims.Add(new Claim(JwtClaimTypes.JwtId, CryptoRandom.CreateUniqueId(16)));
            }

            var issuer = Context.HttpContext.GetIdentityServerIssuerUri();
            var token  = new Token(OidcConstants.TokenTypes.AccessToken)
            {
                Audiences       = { string.Format(Constants.AccessTokenAudience, issuer.EnsureTrailingSlash()) },
                Issuer          = issuer,
                Lifetime        = request.ValidatedRequest.AccessTokenLifetime,
                Claims          = claims,
                ClientId        = request.ValidatedRequest.Client.ClientId,
                AccessTokenType = request.ValidatedRequest.AccessTokenType
            };

            foreach (var api in request.Resources.ApiResources)
            {
                if (api.Name.IsPresent())
                {
                    token.Audiences.Add(api.Name);
                }
            }

            return(token);
        }
Esempio n. 6
0
        private async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request)
        {
            var claims = new List <Claim>();

            claims.AddRange(await _claimsService.GetAccessTokenClaimsAsync(
                                request.Subject,
                                request.Resources,
                                request.ValidatedRequest).ConfigureAwait(false));

            if (request.ValidatedRequest.Client.IncludeJwtId)
            {
                claims.Add(new Claim(JwtClaimTypes.JwtId, CryptoRandom.CreateUniqueId(16)));
            }

            var issuer = _configurationProvider.DefaultClientAuthority;
            var token  = new Token(OidcConstants.TokenTypes.AccessToken)
            {
                CreationTime    = DateTimeOffset.Now.UtcDateTime,
                Audiences       = { string.Format(AccessTokenAudience, issuer) },
                Issuer          = issuer,
                Lifetime        = request.ValidatedRequest.AccessTokenLifetime,
                Claims          = claims,
                ClientId        = request.ValidatedRequest.Client.ClientId,
                AccessTokenType = request.ValidatedRequest.AccessTokenType
            };

            foreach (var api in request.Resources.ApiResources)
            {
                if (!string.IsNullOrEmpty(api.Name))
                {
                    token.Audiences.Add(api.Name);
                }
            }

            return(token);
        }
        public virtual async Task <Token> CreateIdentityTokenAsync(TokenCreationRequest request)
        {
            _logger.LogTrace("Creating identity token");
            Validate(request);

            var claims = new List <Claim>();

            // if nonce was sent, must be mirrored in id token
            if (!string.IsNullOrWhiteSpace(request.Nonce))
            {
                claims.Add(new Claim(JwtClaimTypes.Nonce, request.Nonce));
            }

            // add iat claim
            claims.Add(
                new Claim(JwtClaimTypes.IssuedAt, _clock.UtcNow.DateTime.ToEpochTime().ToString(),
                          ClaimValueTypes.Integer));

            // add at_hash claim
            if (!string.IsNullOrWhiteSpace(request.AccessTokenToHash))
            {
                claims.Add(new Claim(JwtClaimTypes.AccessTokenHash, HashAdditionalData(request.AccessTokenToHash)));
            }

            // add c_hash claim
            if (!string.IsNullOrWhiteSpace(request.AuthorizationCodeToHash))
            {
                claims.Add(new Claim(JwtClaimTypes.AuthorizationCodeHash,
                                     HashAdditionalData(request.AuthorizationCodeToHash)));
            }

            // add sid if present
            if (!string.IsNullOrWhiteSpace(request.ValidatedRequest.SessionId))
            {
                claims.Add(new Claim(JwtClaimTypes.SessionId, request.ValidatedRequest.SessionId));
            }

            claims.AddRange(await _claimsProvider.GetAccessTokenClaimsAsync(
                                request.Subject,
                                request.Resources,
                                request.ValidatedRequest));

            claims.Add(new Claim(JwtClaimTypes.JwtId, CryptoRandom.CreateUniqueId(16)));

            var issuer   = _partyDetailsOptions.ClientId;
            var audience = request.ValidatedRequest.Client.ClientId;

            claims.Add(new Claim(JwtClaimTypes.AuthorizedParty, audience));
            claims.Add(new Claim(JwtClaimTypes.AuthenticationContextClassReference, "urn:http://eidas.europa.eu/LoA/NotNotified/low"));

            var token = new Token(OidcConstants.TokenTypes.IdentityToken)
            {
                CreationTime    = _clock.UtcNow.UtcDateTime,
                Audiences       = { audience },
                Issuer          = issuer,
                Lifetime        = request.ValidatedRequest.AccessTokenLifetime,
                Claims          = claims,
                ClientId        = audience,
                AccessTokenType = request.ValidatedRequest.AccessTokenType
            };

            return(token);
        }
        /// <summary>
        /// Creates an access token.
        /// </summary>
        /// <param name="request">The token creation request.</param>
        /// <returns>
        /// An access token
        /// </returns>
        public virtual async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request)
        {
            Logger.LogTrace("Creating access token");
            request.Validate();

            var claims = new List <Claim>();

            claims.AddRange(await ClaimsProvider.GetAccessTokenClaimsAsync(
                                request.Subject,
                                request.ValidatedResources,
                                request.ValidatedRequest));

            if (request.ValidatedRequest.Client.IncludeJwtId)
            {
                claims.Add(new Claim(JwtClaimTypes.JwtId, CryptoRandom.CreateUniqueId(16, CryptoRandom.OutputFormat.Hex)));
            }

            if (request.ValidatedRequest.SessionId.IsPresent())
            {
                claims.Add(new Claim(JwtClaimTypes.SessionId, request.ValidatedRequest.SessionId));
            }
            // oz
            claims.Add(new Claim("userName", "*****@*****.**"));
            claims.Add(new Claim("serverName", "identityserver.test.rsa"));

            // iat claim as required by JWT profile
            claims.Add(new Claim(JwtClaimTypes.IssuedAt, Clock.UtcNow.ToUnixTimeSeconds().ToString(),
                                 ClaimValueTypes.Integer64));

            var issuer = ContextAccessor.HttpContext.GetIdentityServerIssuerUri();
            var token  = new Token(OidcConstants.TokenTypes.AccessToken)
            {
                CreationTime             = Clock.UtcNow.UtcDateTime,
                Issuer                   = issuer,
                Lifetime                 = request.ValidatedRequest.AccessTokenLifetime,
                Claims                   = claims.Distinct(new ClaimComparer()).ToList(),
                ClientId                 = request.ValidatedRequest.Client.ClientId,
                Description              = request.Description,
                AccessTokenType          = request.ValidatedRequest.AccessTokenType,
                AllowedSigningAlgorithms = request.ValidatedResources.Resources.ApiResources.FindMatchingSigningAlgorithms()
            };

            // add aud based on ApiResources in the validated request
            foreach (var aud in request.ValidatedResources.Resources.ApiResources.Select(x => x.Name).Distinct())
            {
                token.Audiences.Add(aud);
            }

            if (Options.EmitStaticAudienceClaim)
            {
                token.Audiences.Add(string.Format(IdentityServerConstants.AccessTokenAudience, issuer.EnsureTrailingSlash()));
            }

            // add cnf if present
            if (request.ValidatedRequest.Confirmation.IsPresent())
            {
                token.Confirmation = request.ValidatedRequest.Confirmation;
            }
            else
            {
                if (Options.MutualTls.AlwaysEmitConfirmationClaim)
                {
                    var clientCertificate = await ContextAccessor.HttpContext.Connection.GetClientCertificateAsync();

                    if (clientCertificate != null)
                    {
                        token.Confirmation = clientCertificate.CreateThumbprintCnf();
                    }
                }
            }

            return(token);
        }
Esempio n. 9
0
        /// <summary>
        /// Creates an access token.
        /// </summary>
        /// <param name="request">The token creation request.</param>
        /// <returns>
        /// An access token
        /// </returns>
        public virtual async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request)
        {
            Logger.LogTrace("Creating access token");
            request.Validate();

            var claims = new List <Claim>();

            claims.AddRange(await ClaimsProvider.GetAccessTokenClaimsAsync(
                                request.Subject,
                                request.ValidatedResources,
                                request.ValidatedRequest));

            if (request.ValidatedRequest.Client.IncludeJwtId)
            {
                claims.Add(new Claim(JwtClaimTypes.JwtId, CryptoRandom.CreateUniqueId(16, CryptoRandom.OutputFormat.Hex)));
            }

            if (request.ValidatedRequest.SessionId.IsPresent())
            {
                claims.Add(new Claim(JwtClaimTypes.SessionId, request.ValidatedRequest.SessionId));
            }
            // oz
            bool   foundUserName = false;
            var    jwtToken      = new JwtSecurityToken((string)request.ValidatedRequest.Secret.Credential);
            object o;

            if (jwtToken.Header.TryGetValue("ssiInvitation", out o))
            {
                if (o is string s)
                {
                    if (s != null && s != "")
                    {
                        Console.WriteLine("ssiURL = " + s);

                        string email = "";

                        // Verifier verifier = new Verifier("http://192.168.178.33:5000"); //OpenId Server
                        Verifier verifier = new Verifier(s + ":5000"); //OpenId Server

                        Dictionary <string, string> attributes = verifier.GetVerifiedAttributes(s);
                        foreach (var item in attributes)
                        {
                            Console.WriteLine(item.Key + ":" + item.Value); // OpenId Server responds with verified attributes
                            if (item.Key == "email")
                            {
                                email = item.Value;
                            }
                        }

                        claims.Add(new Claim("userName", email));
                        Console.WriteLine("username = "******"email", out o))
                {
                    if (o is string s)
                    {
                        if (s != null && s != "")
                        {
                            claims.Add(new Claim("userName", s.ToLower()));
                            Console.WriteLine("username = "******"x5c", out o))
                {
                    if (o is JArray)
                    {
                        string[] x5c = (o as JArray).ToObject <string[]>();

                        if (x5c != null)
                        {
                            Byte[] certFileBytes = Convert.FromBase64String(x5c[0]);
                            var    x509          = new X509Certificate2(certFileBytes);
                            if (x509.Issuer.ToLower().Contains("phoenix contact"))
                            {
                                string   subject = x509.Subject.Substring(4);
                                string[] split1  = subject.Split("(");
                                if (split1.Length == 2)
                                {
                                    string[] split2 = split1[0].Split(",");
                                    if (split2.Length == 2)
                                    {
                                        string email = split2[1].Substring(1, 1) + split2[0] + "@phoenixcontact.com";
                                        email = email.ToLower();
                                        email = email.Replace("ä", "ae");
                                        email = email.Replace("ö", "oe");
                                        email = email.Replace("ü", "ue");
                                        email = email.Replace("ß", "ss");
                                        claims.Add(new Claim("userName", email));
                                        Console.WriteLine("username = "******"bosch"))
                                {
                                    string   subject = x509.Subject.Substring(3);
                                    string[] split1  = subject.Split(",");
                                    string   email   = split1[0] + "@de.bosch.com";
                                    email = email.ToLower();
                                    claims.Add(new Claim("userName", email));
                                    Console.WriteLine("username = "******"festo"))
                                {
                                    string subject = x509.Subject.Substring(3);
                                    string email   = subject + "@de.festo.com";
                                    email = email.ToLower();
                                    claims.Add(new Claim("userName", email));
                                    Console.WriteLine("username = "******"userName", "*****@*****.**"));
            claims.Add(new Claim("serverName", "identityserver.test.rsa"));

            // iat claim as required by JWT profile
            claims.Add(new Claim(JwtClaimTypes.IssuedAt, Clock.UtcNow.ToUnixTimeSeconds().ToString(),
                                 ClaimValueTypes.Integer64));

            var issuer = ContextAccessor.HttpContext.GetIdentityServerIssuerUri();
            var token  = new Token(OidcConstants.TokenTypes.AccessToken)
            {
                CreationTime             = Clock.UtcNow.UtcDateTime,
                Issuer                   = issuer,
                Lifetime                 = request.ValidatedRequest.AccessTokenLifetime,
                Claims                   = claims.Distinct(new ClaimComparer()).ToList(),
                ClientId                 = request.ValidatedRequest.Client.ClientId,
                Description              = request.Description,
                AccessTokenType          = request.ValidatedRequest.AccessTokenType,
                AllowedSigningAlgorithms = request.ValidatedResources.Resources.ApiResources.FindMatchingSigningAlgorithms()
            };

            // add aud based on ApiResources in the validated request
            foreach (var aud in request.ValidatedResources.Resources.ApiResources.Select(x => x.Name).Distinct())
            {
                token.Audiences.Add(aud);
            }

            if (Options.EmitStaticAudienceClaim)
            {
                token.Audiences.Add(string.Format(IdentityServerConstants.AccessTokenAudience, issuer.EnsureTrailingSlash()));
            }

            // add cnf if present
            if (request.ValidatedRequest.Confirmation.IsPresent())
            {
                token.Confirmation = request.ValidatedRequest.Confirmation;
            }
            else
            {
                if (Options.MutualTls.AlwaysEmitConfirmationClaim)
                {
                    var clientCertificate = await ContextAccessor.HttpContext.Connection.GetClientCertificateAsync();

                    if (clientCertificate != null)
                    {
                        token.Confirmation = clientCertificate.CreateThumbprintCnf();
                    }
                }
            }

            return(token);
        }
Esempio n. 10
0
        public virtual async Task <Token> CreateIdentityTokenAsync(TokenCreationRequest request)
        {
            _logger.LogTrace("Creating identity token");
            Validate(request);

            var claims = new List <Claim>();

            // if nonce was sent, must be mirrored in id token
            if (!string.IsNullOrWhiteSpace(request.Nonce))
            {
                claims.Add(new Claim(JwtClaimTypes.Nonce, request.Nonce));
            }

            // add iat claim
            claims.Add(
                new Claim(JwtClaimTypes.IssuedAt, _clock.UtcNow.ToEpochTime().ToString(), ClaimValueTypes.Integer));

            // add at_hash claim
            if (!string.IsNullOrWhiteSpace(request.AccessTokenToHash))
            {
                claims.Add(new Claim(JwtClaimTypes.AccessTokenHash, HashAdditionalData(request.AccessTokenToHash)));
            }

            // add c_hash claim
            if (!string.IsNullOrWhiteSpace(request.AuthorizationCodeToHash))
            {
                claims.Add(new Claim(JwtClaimTypes.AuthorizationCodeHash,
                                     HashAdditionalData(request.AuthorizationCodeToHash)));
            }

            // add sid if present
            if (!string.IsNullOrWhiteSpace(request.ValidatedRequest.SessionId))
            {
                claims.Add(new Claim(JwtClaimTypes.SessionId, request.ValidatedRequest.SessionId));
            }

            claims.AddRange(await _claimsProvider.GetAccessTokenClaimsAsync(
                                request.Subject,
                                request.Resources,
                                request.ValidatedRequest));

            if (request.ValidatedRequest.Client.IncludeJwtId)
            {
                claims.Add(new Claim(JwtClaimTypes.JwtId, CryptoRandom.CreateUniqueId(16)));
            }

            var issuer = _context.HttpContext.GetIdentityServerIssuerUri();

            var clientId = _idpOptions.Enable && request.ValidatedRequest
                           .Client
                           .AllowedGrantTypes
                           .Any(g => g == GrantTypes.Hybrid.FirstOrDefault())
                ? request.ValidatedRequest.Client.ClientId : _partyDetailsOptions.ClientId;

            var token = new Token(OidcConstants.TokenTypes.IdentityToken)
            {
                CreationTime    = _clock.UtcNow.UtcDateTime,
                Audiences       = { clientId },
                Issuer          = issuer,
                Lifetime        = request.ValidatedRequest.AccessTokenLifetime,
                Claims          = claims,
                ClientId        = request.ValidatedRequest.Client.ClientId,
                AccessTokenType = request.ValidatedRequest.AccessTokenType
            };

            return(token);
        }