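/// <summary>
/// Exchanges an authorization code for an OIDC token reply: loads the stored
/// session whose id equals <paramref name="code"/> for the given client, verifies
/// the presented client secret against the stored one in constant time, and issues
/// an ID token (JWT) for the session's user.
/// </summary>
/// <param name="code">Authorization code; must parse as a <see cref="Guid"/>, the id of the <c>OIDCSession</c> row.</param>
/// <param name="client_id">Client id the session's app settings must carry.</param>
/// <param name="client_secret">Client secret presented by the caller.</param>
/// <returns>An <see cref="OidcTokenReply"/> carrying the encoded ID token.</returns>
/// <exception cref="FormatException"><paramref name="code"/> is not a valid GUID.</exception>
/// <exception cref="InvalidOperationException">
/// No session matches <paramref name="code"/> and <paramref name="client_id"/>, more than one
/// matches, the client secret does not match, or there is no current HTTP request.
/// </exception>
public async Task<OidcTokenReply> TokenReply(string code, string client_id, string client_secret)
{
    // Parsed up front (as the original did while building the query expression)
    // so a malformed code fails with FormatException before any database work.
    Guid sessionId = new Guid(code);

    // The client secret is deliberately NOT part of the database query: a SQL
    // string equality is neither constant-time nor guaranteed case-sensitive
    // (collation dependent). The secret is verified in memory below instead.
    OIDCSession session = await _authDbContext.OIDCSessions
        .Where(o => o.Id == sessionId)
        .Where(o => o.OIDCAppSettings.ClientId == client_id)
        .Include(s => s.User)
        .Include(s => s.OIDCAppSettings)
        .SingleAsync();

    if (!SecretMatches(session.OIDCAppSettings.ClientSecret, client_secret))
    {
        // Same exception type SingleAsync() throws for an unknown code, so callers
        // cannot tell "bad code" from "bad secret" by exception type.
        throw new InvalidOperationException("Client secret does not match the session's client.");
    }

    var httpContext = _httpContextAccessor.HttpContext
        ?? throw new InvalidOperationException("TokenReply requires an active HTTP request.");

    // The issuer is derived from the incoming request, not from configuration.
    // IsHttps reflects the connection as seen by this server, so behind a
    // TLS-terminating proxy this yields "http://" unless forwarded headers are
    // applied upstream — TODO confirm the deployment topology.
    string scheme = httpContext.Request.IsHttps ? "https://" : "http://";
    string issuer = scheme + httpContext.Request.Host;

    // One clock read so "iat" and "exp" are exactly 10h apart instead of
    // two slightly different timestamps.
    DateTime now = DateTime.UtcNow;
    JwtBuilder jwtBuilder = _jwtFactory.Build();
    string idToken = jwtBuilder
        .Issuer(issuer)
        .Subject(session.User.Id.ToString())
        .AddClaim(ClaimName.Nonce, session.Nonce)
        .Audience(session.OIDCAppSettings.ClientId)
        .AddHeader(HeaderName.KeyId, "1")
        .IssuedAt(now)
        .ExpirationTime(now.AddHours(10))
        .Encode();

    // FIXME: the authorization code is reused verbatim as both the access token
    // and the refresh token, and nothing here makes it expire; ExpiresIn (1h)
    // also disagrees with the ID token's 10h lifetime. Left unchanged here —
    // replacing the token scheme is a separate change.
    return new OidcTokenReply
    {
        AccessToken = code,
        TokenType = "Bearer",
        RefreshToken = code,
        ExpiresIn = 3600,
        IdToken = idToken,
    };

    // Constant-time comparison of the stored and supplied client secrets.
    // FixedTimeEquals returns false immediately on a length mismatch, so only
    // the secret's length, never its content, is observable through timing.
    // Requires .NET Core 2.1 / .NET Standard 2.1 or later.
    bool SecretMatches(string stored, string supplied)
    {
        if (stored is null || supplied is null)
        {
            return false;
        }

        byte[] storedBytes = System.Text.Encoding.UTF8.GetBytes(stored);
        byte[] suppliedBytes = System.Text.Encoding.UTF8.GetBytes(supplied);
        return System.Security.Cryptography.CryptographicOperations.FixedTimeEquals(storedBytes, suppliedBytes);
    }
}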