public TokenRequestValidationLog(ValidatedTokenRequest request)
{
const string scrubValue = "******";
Raw = request.Raw.ToDictionary();
foreach (var field in SensitiveData.Where(field => Raw.ContainsKey(field)))
{
Raw[field] = scrubValue;
}
if (request.Client != null)
{
ClientId = request.Client.ClientId;
ClientName = request.Client.ClientName;
}
if (request.Scopes != null)
{
Scopes = request.Scopes.ToSpaceSeparatedString();
}
if (request.SignInMessage != null)
{
IdP = request.SignInMessage.IdP;
Tenant = request.SignInMessage.Tenant;
QueryString = request.SignInMessage.QueryString;
AuthenticationContextReferenceClasses = request.SignInMessage.AcrValues;
}
GrantType = request.GrantType;
AuthorizationCode = request.AuthorizationCodeHandle;
RefreshToken = request.RefreshTokenHandle;
UserName = request.UserName;
}
public async Task <TokenRequestValidationResult> ValidateRequestAsync(NameValueCollection parameters, ClientSecretValidationResult clientValidationResult)
{
var grantType = parameters.Get(OidcConstants.TokenRequest.GrantType);
_validatedRequest = new ValidatedTokenRequest
{
Raw = parameters ?? throw new ArgumentNullException(nameof(parameters)),
Options = _options
};
switch (grantType)
{
case OidcConstants.GrantTypes.AuthorizationCode:
return(await RunValidationAsync(ValidateAuthorizationCodeRequestAsync, parameters));
case OidcConstants.GrantTypes.ClientCredentials:
return(await RunValidationAsync(ValidateClientCredentialsRequestAsync, parameters));
case OidcConstants.GrantTypes.Password:
return(await RunValidationAsync(ValidateResourceOwnerCredentialRequestAsync, parameters));
case OidcConstants.GrantTypes.RefreshToken:
return(await RunValidationAsync(ValidateRefreshTokenRequestAsync, parameters));
case OidcConstants.GrantTypes.DeviceCode:
return(await RunValidationAsync(ValidateDeviceCodeRequestAsync, parameters));
default:
return(await RunValidationAsync(ValidateExtensionGrantRequestAsync, parameters));
}
}
/// <inheritdoc/>
public async Task <CustomGrantValidationResult> ValidateAsync(ValidatedTokenRequest request)
{
string userName = request.Raw.Get("name");
IdSrvUserDto user = await this.UserRepository.GetUserByUserNameAsync(userName);
IdSrvClientDto client = await this.ClientRepository.GetClientByIdAsync(request.Client.ClientId);
string password = request.Raw.Get("password");
// Выполняем проверку учетки пользователя
// Значение ContextType.Machine для домена вероятно надо будет поменять на ContextType.Domain (не тестировал)
var pc = new PrincipalContext(ContextType.Machine);
bool isCredentialValid = false;
if (user != null && !user.IsBlocked && client != null && !client.IsBlocked)
{
isCredentialValid = pc.ValidateCredentials(userName, password);
}
var authResult = new AuthenticateResult(
subject: user != null ? user.Id.ToString() : "-",
name: userName);
var grantResult = new CustomGrantValidationResult
{
IsError = !isCredentialValid,
Error = authResult.ErrorMessage,
ErrorDescription = (user != null && user.IsBlocked) ? $"User \"{userName}\" is blocked" : authResult.ErrorMessage,
Principal = authResult.User,
};
return(grantResult);
}
/// <summary>
/// Initializes a new instance of the <see cref="TokenRequestValidationResult"/> class.
/// </summary>
/// <param name="validatedRequest">The validated request.</param>
/// <param name="customResponse">The custom response.</param>
public TokenRequestValidationResult(ValidatedTokenRequest validatedRequest, Dictionary <string, object> customResponse = null)
{
IsError = false;
ValidatedRequest = validatedRequest;
CustomResponse = customResponse;
}
public Task <ValidationResult> ValidateTokenRequestAsync(ValidatedTokenRequest request)
{
return(Task.FromResult(new ValidationResult
{
IsError = false
}));
}
public TokenRequestValidationLog(ValidatedTokenRequest request)
{
if (request.Options.DiagnosticsOptions.IncludeSensitiveDataInLogs)
{
Raw = request.Raw.ToDictionary();
}
if (request.Client != null)
{
ClientId = request.Client.ClientId;
ClientName = request.Client.ClientName;
}
if (request.Scopes != null)
{
Scopes = request.Scopes.ToSpaceSeparatedString();
}
if (request.SignInMessage != null)
{
IdP = request.SignInMessage.IdP;
Tenant = request.SignInMessage.Tenant;
AuthenticationContextReferenceClasses = request.SignInMessage.AcrValues;
}
GrantType = request.GrantType;
AuthorizationCode = request.AuthorizationCodeHandle;
RefreshToken = request.RefreshTokenHandle;
UserName = request.UserName;
}
public async Task DeviceCode_Missing_Subject()
{
deviceCode.Subject = null;
var client = await _clients.FindClientByIdAsync("device_flow");
var service = Factory.CreateDeviceCodeService();
var handle = await service.StoreDeviceAuthorizationAsync(Guid.NewGuid().ToString(), deviceCode);
var validator = Factory.CreateDeviceCodeValidator(service);
var request = new ValidatedTokenRequest();
request.SetClient(client);
var context = new DeviceCodeValidationContext {
DeviceCode = handle, Request = request
};
await validator.ValidateAsync(context);
context.Result.IsError.Should().BeTrue();
context.Result.Error.Should().Be(OidcConstants.TokenErrors.AuthorizationPending);
}
public async Task <ClaimsPrincipal> ValidateAsync(ValidatedTokenRequest request)
{
if (request.GrantType != "legacy_account_store")
{
Logger.Error("unknown custom grant type");
return(null);
}
var legacyAccountStoreType = request.Raw.Get("account_store");
var id = request.Raw.Get("legacy_id");
var secret = request.Raw.Get("legacy_secret");
if (legacyAccountStoreType.IsMissing() ||
id.IsMissing() ||
secret.IsMissing())
{
Logger.Error("malformed request");
return(null);
}
var message = new SignInMessage {
Tenant = legacyAccountStoreType
};
var result = await _users.AuthenticateLocalAsync(id, secret, message);
if (result.IsError)
{
Logger.Error("authentication failed");
return(null);
}
return(result.User);
}
public Task <ValidationResult> ValidateTokenRequestAsync(ValidatedTokenRequest request, Core.Services.IUserService profile)
{
return(Task.FromResult(new ValidationResult
{
IsError = false
}));
}
Task <CustomGrantValidationResult> ICustomGrantValidator.ValidateAsync(ValidatedTokenRequest request)
{
CustomGrantValidationResult grantResult = null;
var param = request.Raw.Get("token");
if (string.IsNullOrWhiteSpace(param))
{
grantResult = new CustomGrantValidationResult(Constants.TokenErrors.InvalidRequest);
}
var result = _validator.ValidateAccessTokenAsync(param).Result;
if (result.IsError)
{
grantResult = new CustomGrantValidationResult(result.Error);
}
var subjectClaim = result.Claims.FirstOrDefault(x => x.Type == "sub");
if (subjectClaim == null)
{
grantResult = new CustomGrantValidationResult(Constants.TokenErrors.InvalidRequest);
}
if (grantResult == null)
{
grantResult = new CustomGrantValidationResult(subjectClaim.Value, "access_token");
}
return(Task.FromResult(grantResult));
}
/// <inheritdoc/>
public async Task <CustomGrantValidationResult> ValidateAsync(ValidatedTokenRequest request)
{
CustomGrantValidationResult result = await this.Validator.ValidateAsync(request);
var userId = result.Principal.Claims.FirstOrDefault(v => v.Type == Constants.ClaimTypes.Subject)?.Value;
var userName = result.Principal.Claims.FirstOrDefault(v => v.Type == Constants.ClaimTypes.Name)?.Value;
if (!result.IsError)
{
await this.Logger?.UserSignedInAsync(
userId : userId,
userName : userName,
clientId : request.Client?.ClientId,
clientName : request.Client?.ClientName);
}
else
{
await this.Logger?.UnsuccessfulSigningInAsync(
userName : userName,
clientId : request.Client?.ClientId,
clientName : request.Client?.ClientName,
reason : result?.ErrorDescription);
}
return(result);
}
private async Task <TokenResponse> ProcessAuthorizationCodeRequestAsync(ValidatedTokenRequest request)
{
_logger.LogTrace("Processing authorization code request");
//////////////////////////
// access token
/////////////////////////
var accessToken = await CreateAccessTokenAsync(request);
var response = new TokenResponse
{
AccessToken = accessToken.Item1,
AccessTokenLifetime = request.Client.AccessTokenLifetime
};
//////////////////////////
// refresh token
/////////////////////////
if (accessToken.Item2.IsPresent())
{
response.RefreshToken = accessToken.Item2;
}
//////////////////////////
// id token
/////////////////////////
if (request.AuthorizationCode.IsOpenId)
{
// load the client that belongs to the authorization code
Client client = null;
if (request.AuthorizationCode.ClientId != null)
{
client = await _clients.FindEnabledClientByIdAsync(request.AuthorizationCode.ClientId);
}
if (client == null)
{
throw new InvalidOperationException("Client does not exist anymore.");
}
var resources = await _resources.FindEnabledResourcesByScopeAsync(request.AuthorizationCode.RequestedScopes);
var tokenRequest = new TokenCreationRequest
{
Subject = request.AuthorizationCode.Subject,
Client = client,
Resources = resources,
Nonce = request.AuthorizationCode.Nonce,
AccessTokenToHash = response.AccessToken,
ValidatedRequest = request
};
var idToken = await _tokenService.CreateIdentityTokenAsync(tokenRequest);
var jwt = await _tokenService.CreateSecurityTokenAsync(idToken);
response.IdentityToken = jwt;
}
return(response);
}
private async Task <Device> SaveDeviceAsync(User user, ValidatedTokenRequest request)
{
var device = GetDeviceFromRequest(request);
if (device != null)
{
var existingDevice = await _deviceRepository.GetByIdentifierAsync(device.Identifier, user.Id);
if (existingDevice == null)
{
device.UserId = user.Id;
await _deviceService.SaveAsync(device);
var now = DateTime.UtcNow;
if (now - user.CreationDate > TimeSpan.FromMinutes(10))
{
var deviceType = device.Type.GetType().GetMember(device.Type.ToString())
.FirstOrDefault()?.GetCustomAttribute <DisplayAttribute>()?.GetName();
if (!_globalSettings.DisableEmailNewDevice)
{
await _mailService.SendNewDeviceLoggedInEmail(user.Email, deviceType, now,
_currentContext.IpAddress);
}
}
return(device);
}
return(existingDevice);
}
return(null);
}
public Task<ValidationResult> ValidateTokenRequestAsync(ValidatedTokenRequest request, Core.Services.IUserService profile)
{
return Task.FromResult(new ValidationResult
{
IsError = false
});
}
public void ValidateAsync_ReturnsInvalidRequestWhenSubjectClaimNotFound()
{
// Arrange
var tokenRequest = new ValidatedTokenRequest {
Raw = new NameValueCollection()
};
tokenRequest.Raw.Add("access_token", "A12345");
tokenRequest.Raw.Add("client_referer", "http://localhost:12345");
var tokenValidatorFake = createTokenValidatorFake;
A.CallTo(() => tokenValidatorFake.ValidateAccessTokenAsync("A12345", null))
.Returns(Task.FromResult(new TokenValidationResult {
IsError = false, Claims = new List <Claim>()
}));
var validator = new ActAsUserGrantValidator(tokenValidatorFake);
// Act
var result = validator.ValidateAsync(tokenRequest).Result;
// Assert
result.Error.Should().Be(Constants.TokenErrors.InvalidRequest);
A.CallTo(() => tokenValidatorFake.ValidateAccessTokenAsync("A12345", null)).MustHaveHappened();
}
public async Task <CustomGrantValidationResult> ValidateAsync(ValidatedTokenRequest request)
{
var param = request.Raw.Get("win_token");
if (string.IsNullOrWhiteSpace(param))
{
return(await Task.FromResult(new CustomGrantValidationResult("Missing parameter win_token.")));
}
var principal = TryValidateToken(param, request.Options.SigningCertificate);
var nameIdentifierClaim = principal.Claims.FirstOrDefault(x => x.Type == ClaimTypes.NameIdentifier);
if (nameIdentifierClaim == null)
{
return(await Task.FromResult(new CustomGrantValidationResult("Missing NameIdentifier claim in win_token.")));
}
var authenticationResult = await AuthenticateUserAsync(nameIdentifierClaim.Value, principal.Claims);
var customGrantResult = new CustomGrantValidationResult()
{
IsError = authenticationResult.IsError,
Error = authenticationResult.ErrorMessage,
ErrorDescription = authenticationResult.ErrorMessage,
Principal = authenticationResult.User
};
return(await Task.FromResult(customGrantResult));
}
public async Task Valid_Custom_Grant_Multiple_Validator()
{
var validator = new CustomGrantValidator(new List <ICustomGrantValidator>
{
new TestGrantValidator(),
new TestGrantValidator2()
});
var request = new ValidatedTokenRequest
{
GrantType = "custom_grant"
};
var result = await validator.ValidateAsync(request);
result.IsError.Should().BeFalse();
result.Principal.Should().NotBeNull();
result.Principal.GetSubjectId().Should().Be("bob");
result.Principal.GetAuthenticationMethod().Should().Be("CustomGrant");
request.GrantType = "custom_grant2";
result = await validator.ValidateAsync(request);
result.IsError.Should().BeFalse();
result.Principal.Should().NotBeNull();
result.Principal.GetSubjectId().Should().Be("alice");
result.Principal.GetAuthenticationMethod().Should().Be("CustomGrant2");
}
public TokenRequestValidationLog(ValidatedTokenRequest request)
{
const string scrubValue = "******";
Raw = request.Raw.ToDictionary();
if (Raw.ContainsKey(Constants.TokenRequest.Password))
{
Raw[Constants.TokenRequest.Password] = scrubValue;
}
if (request.Client != null)
{
ClientId = request.Client.ClientId;
ClientName = request.Client.ClientName;
}
if (request.Scopes != null)
{
Scopes = request.Scopes.ToSpaceSeparatedString();
}
if (request.SignInMessage != null)
{
IdP = request.SignInMessage.IdP;
Tenant = request.SignInMessage.Tenant;
AuthenticationContextReferenceClasses = request.SignInMessage.AcrValues;
}
GrantType = request.GrantType;
AuthorizationCode = request.AuthorizationCodeHandle;
RefreshToken = request.RefreshTokenHandle;
UserName = request.UserName;
}
Task <CustomGrantValidationResult> ICustomGrantValidator.ValidateAsync(ValidatedTokenRequest request)
{
if (request.GrantType != "custom")
{
return(Task.FromResult <CustomGrantValidationResult>(null));
}
var assertion = request.Raw.Get("assertion");
if (string.IsNullOrWhiteSpace(assertion))
{
return(Task.FromResult <CustomGrantValidationResult>(new CustomGrantValidationResult
{
ErrorMessage = "Missing assertion."
}));
}
// validate assertion and return principal
var principal = IdentityServerPrincipal.Create(
"bob",
"bob",
"custom_grant",
"idsrv");
return(Task.FromResult(new CustomGrantValidationResult
{
Principal = principal
}));
}
/// <summary>
/// Validates the request.
/// </summary>
/// <param name="request">The request.</param>
/// <returns></returns>
public async Task <GrantValidationResult> ValidateAsync(ValidatedTokenRequest request)
{
var validator = _validators.FirstOrDefault(v => v.GrantType.Equals(request.GrantType, StringComparison.Ordinal));
if (validator == null)
{
_logger.LogError("No validator found for grant type");
return(new GrantValidationResult(TokenRequestErrors.UnsupportedGrantType));
}
try
{
_logger.LogTrace("Calling into custom grant validator: {type}", validator.GetType().FullName);
var context = new ExtensionGrantValidationContext
{
Request = request
};
await validator.ValidateAsync(context);
return(context.Result);
}
catch (Exception e)
{
_logger.LogError(1, e, "Grant validation error: {message}", e.Message);
return(new GrantValidationResult(TokenRequestErrors.InvalidGrant));
}
}
public async Task Expired_DeviceCode()
{
deviceCode.CreationTime = DateTime.UtcNow.AddDays(-10);
deviceCode.Lifetime = 300;
var client = await _clients.FindClientByIdAsync("device_flow");
var service = Factory.CreateDeviceCodeService();
var handle = await service.StoreDeviceAuthorizationAsync(Guid.NewGuid().ToString(), deviceCode);
var validator = Factory.CreateDeviceCodeValidator(service);
var request = new ValidatedTokenRequest();
request.SetClient(client);
var context = new DeviceCodeValidationContext {
DeviceCode = handle, Request = request
};
await validator.ValidateAsync(context);
context.Result.IsError.Should().BeTrue();
context.Result.Error.Should().Be(OidcConstants.TokenErrors.ExpiredToken);
}
public async Task <TokenExchangeValidation> ValidateAsync(ValidatedTokenRequest request)
{
var tokenExchangeValidation = new TokenExchangeValidation();
var subjectTokenValidation = await this.ValidateTokenAsync(request, RequestParameters.SubjectTokenType, RequestParameters.SubjectToken).ConfigureAwait(false);
tokenExchangeValidation.SubjectTokenValidationResult = subjectTokenValidation;
if (subjectTokenValidation.IsError)
{
tokenExchangeValidation.SetErrors(subjectTokenValidation);
return(tokenExchangeValidation);
}
var actorTokenValidation = await this.ValidateActorTokenAsync(request).ConfigureAwait(false);
tokenExchangeValidation.ActorTokenValidationResult = actorTokenValidation;
if (actorTokenValidation.IsError)
{
tokenExchangeValidation.SetErrors(actorTokenValidation);
return(tokenExchangeValidation);
}
if (request.Client.ClientId != actorTokenValidation.Client.ClientId)
{
tokenExchangeValidation.SetErrors("Request client_id and actor_token client_id must match.");
return(tokenExchangeValidation);
}
return(tokenExchangeValidation);
}
protected async Task ValidateAsync(T context, ValidatedTokenRequest request)
{
var twoFactorToken = request.Raw["TwoFactorToken"]?.ToString();
var twoFactorProvider = request.Raw["TwoFactorProvider"]?.ToString();
var twoFactorRemember = request.Raw["TwoFactorRemember"]?.ToString() == "1";
var twoFactorRequest = !string.IsNullOrWhiteSpace(twoFactorToken) &&
!string.IsNullOrWhiteSpace(twoFactorProvider);
var(user, valid) = await ValidateContextAsync(context);
if (!valid)
{
await BuildErrorResultAsync(false, context, user);
return;
}
var twoFactorRequirement = await RequiresTwoFactorAsync(user);
if (twoFactorRequirement.Item1)
{
var twoFactorProviderType = TwoFactorProviderType.Authenticator; // Just defaulting it
if (!twoFactorRequest || !Enum.TryParse(twoFactorProvider, out twoFactorProviderType))
{
await BuildTwoFactorResultAsync(user, twoFactorRequirement.Item2, context);
return;
}
var verified = await VerifyTwoFactor(user, twoFactorRequirement.Item2,
twoFactorProviderType, twoFactorToken);
if (!verified && twoFactorProviderType != TwoFactorProviderType.Remember)
{
await BuildErrorResultAsync(true, context, user);
return;
}
else if (!verified && twoFactorProviderType == TwoFactorProviderType.Remember)
{
await Task.Delay(2000); // Delay for brute force.
await BuildTwoFactorResultAsync(user, twoFactorRequirement.Item2, context);
return;
}
}
else
{
twoFactorRequest = false;
twoFactorRemember = false;
twoFactorToken = null;
}
var device = await SaveDeviceAsync(user, request);
await BuildSuccessResultAsync(user, context, device, twoFactorRequest&& twoFactorRemember);
return;
}
private async Task <TokenResponse> ProcessRefreshTokenRequestAsync(ValidatedTokenRequest request)
{
Logger.Info("Processing refresh token request");
var oldAccessToken = request.RefreshToken.AccessToken;
string accessTokenString;
// if pop request, claims must be updated because we need a fresh proof token
if (request.Client.UpdateAccessTokenClaimsOnRefresh || request.RequestedTokenType == RequestedTokenTypes.PoP)
{
var subject = request.RefreshToken.GetOriginalSubject();
var creationRequest = new TokenCreationRequest
{
Client = request.Client,
Subject = subject,
ValidatedRequest = request,
Scopes = await _scopes.FindScopesAsync(oldAccessToken.Scopes),
};
// if pop request, embed proof token
if (request.RequestedTokenType == RequestedTokenTypes.PoP)
{
creationRequest.ProofKey = GetProofKey(request);
}
var newAccessToken = await _tokenService.CreateAccessTokenAsync(creationRequest);
accessTokenString = await _tokenService.CreateSecurityTokenAsync(newAccessToken);
}
else
{
var copy = new Token(oldAccessToken);
copy.CreationTime = DateTimeOffsetHelper.UtcNow;
copy.Lifetime = request.Client.AccessTokenLifetime;
accessTokenString = await _tokenService.CreateSecurityTokenAsync(copy);
}
var handle = await _refreshTokenService.UpdateRefreshTokenAsync(request.RefreshTokenHandle, request.RefreshToken, request.Client);
var response = new TokenResponse
{
AccessToken = accessTokenString,
AccessTokenLifetime = request.Client.AccessTokenLifetime,
RefreshToken = handle
};
if (request.RequestedTokenType == RequestedTokenTypes.PoP)
{
response.TokenType = Constants.ResponseTokenTypes.PoP;
response.Algorithm = request.ProofKeyAlgorithm;
}
response.IdentityToken = await CreateIdTokenFromRefreshTokenRequestAsync(request, accessTokenString);
return(response);
}
/// <summary>
/// Initializes a new instance of the <see cref="TokenRequestValidationResult"/> class.
/// </summary>
/// <param name="validatedRequest">The validated request.</param>
/// <param name="error">The error.</param>
/// <param name="errorDescription">The error description.</param>
/// <param name="customResponse">The custom response.</param>
public TokenRequestValidationResult(ValidatedTokenRequest validatedRequest, string error, string errorDescription = null, Dictionary <string, object> customResponse = null)
{
IsError = true;
Error = error;
ErrorDescription = errorDescription;
ValidatedRequest = validatedRequest;
CustomResponse = customResponse;
}
public Task <GrantValidationResult> ValidateAsync(ValidatedTokenRequest request)
{
if (_isInvalid)
{
return(Task.FromResult(new GrantValidationResult(TokenRequestErrors.InvalidGrant, _errorDescription)));
}
return(Task.FromResult(new GrantValidationResult("bob", "CustomGrant")));
}
public async Task ValidateAsync(ExtensionGrantValidationContext context)
{
_logger.LogDebug("Start token request validation");
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
var raw = context.Request.Raw;
_validatedRequest = new ValidatedTokenRequest
{
Raw = raw ?? throw new ArgumentNullException(nameof(raw)),
Options = _options
};
var customTokenRequestValidationContext = new CustomTokenRequestValidationContext()
{
Result = new TokenRequestValidationResult(_validatedRequest)
};
await _arbitraryNoSubjectRequestValidator.ValidateAsync(customTokenRequestValidationContext);
if (customTokenRequestValidationContext.Result.IsError)
{
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidRequest,
customTokenRequestValidationContext.Result.Error);
return;
}
var clientValidationResult = await _clientSecretValidator.ValidateAsync(_validatedRequest.Raw);
if (clientValidationResult == null)
{
throw new ArgumentNullException(nameof(clientValidationResult));
}
_validatedRequest.SetClient(clientValidationResult.Client, clientValidationResult.Secret);
/////////////////////////////////////////////
// check grant type
/////////////////////////////////////////////
var grantType = _validatedRequest.Raw.Get(OidcConstants.TokenRequest.GrantType);
if (grantType.IsMissing())
{
LogError("Grant type is missing");
context.Result = new GrantValidationResult(TokenRequestErrors.UnsupportedGrantType);
return;
}
if (grantType.Length > _options.InputLengthRestrictions.GrantType)
{
LogError("Grant type is too long");
context.Result = new GrantValidationResult(TokenRequestErrors.UnsupportedGrantType);
return;
}
_validatedRequest.GrantType = grantType;
context.Result = new GrantValidationResult();
}
private async Task <Tuple <string, string> > CreateAccessTokenAsync(ValidatedTokenRequest request)
{
TokenCreationRequest tokenRequest;
bool createRefreshToken;
if (request.AuthorizationCode != null)
{
createRefreshToken = request.AuthorizationCode.RequestedScopes.Contains(Constants.StandardScopes.OfflineAccess);
// load the client that belongs to the authorization code
Client client = null;
if (request.AuthorizationCode.ClientId != null)
{
client = await _clients.FindEnabledClientByIdAsync(request.AuthorizationCode.ClientId);
}
if (client == null)
{
throw new InvalidOperationException("Client does not exist anymore.");
}
var scopes = await _scopes.FindEnabledScopesAsync(request.AuthorizationCode.RequestedScopes);
tokenRequest = new TokenCreationRequest
{
Subject = request.AuthorizationCode.Subject,
Client = client,
Scopes = scopes,
ValidatedRequest = request
};
}
else
{
createRefreshToken = request.ValidatedScopes.ContainsOfflineAccessScope;
tokenRequest = new TokenCreationRequest
{
Subject = request.Subject,
Client = request.Client,
Scopes = request.ValidatedScopes.GrantedScopes,
ValidatedRequest = request
};
}
Token accessToken = await _tokenService.CreateAccessTokenAsync(tokenRequest);
string refreshToken = "";
if (createRefreshToken)
{
refreshToken = await _refreshTokenService.CreateRefreshTokenAsync(tokenRequest.Subject, accessToken, request.Client);
}
var securityToken = await _tokenService.CreateSecurityTokenAsync(accessToken);
return(Tuple.Create(securityToken, refreshToken));
}
public Task <ClaimsPrincipal> ValidateAsync(ValidatedTokenRequest request, IUserService users)
{
if (request.GrantType == "assertionType" && request.Assertion == "assertion")
{
return(Task.FromResult(Principal.Create("Assertion", new Claim("sub", "bob"))));
}
;
return(Task.FromResult <ClaimsPrincipal>(null));
}
async public Task<CustomGrantValidationResult> ValidateAsync(string userName, string password, ValidatedTokenRequest request)
{
var user = await _userManager.FindByNameAsync(userName);
if (user != null && await _userManager.CheckPasswordAsync(user, password))
{
return new CustomGrantValidationResult(user.Id, "password");
}
return new CustomGrantValidationResult("Invalid username or password");
}
public Task <TokenResponse> GenerateAsync(ValidatedTokenRequest request, TokenResponse response)
{
response.Custom.Add("custom_field", "custom data");
response.Custom.Add("custom_complex_field", new ResponsePoco {
SomeString = "foo", SomeInt = 42
});
return(Task.FromResult(response));
}
public Task <ClaimsPrincipal> ValidateAsync(ValidatedTokenRequest request)
{
if (request.GrantType == "customGrant")
{
return(Task.FromResult(Principal.Create("CustomGrant", new Claim("sub", "bob"))));
}
;
return(Task.FromResult <ClaimsPrincipal>(null));
}
public Task<ClaimsPrincipal> ValidateAsync(ValidatedTokenRequest request)
{
return Task.FromResult<ClaimsPrincipal>(null);
}
public TokenRequestValidationResult(ValidatedTokenRequest validatedRequest)
{
IsError = false;
ValidatedRequest = validatedRequest;
}
