private async Task <string> SerializeIdentityTokenAsync(
ClaimsPrincipal principal, AuthenticationProperties properties,
OpenIdConnectRequest request, OpenIdConnectResponse response)
{
// Replace the principal by a new one containing only the filtered claims.
// Actors identities are also filtered (delegation scenarios).
principal = principal.Clone(claim =>
{
// Never exclude the subject claim.
if (string.Equals(claim.Type, OpenIdConnectConstants.Claims.Subject, StringComparison.OrdinalIgnoreCase))
{
return(true);
}
// Claims whose destination is not explicitly referenced or doesn't
// contain "id_token" are not included in the identity token.
if (!claim.HasDestination(OpenIdConnectConstants.Destinations.IdentityToken))
{
Logger.LogDebug("'{Claim}' was excluded from the identity token claims.", claim.Type);
return(false);
}
return(true);
});
// Remove the destinations from the claim properties.
foreach (var claim in principal.Claims)
{
claim.Properties.Remove(OpenIdConnectConstants.Properties.Destinations);
}
var identity = (ClaimsIdentity)principal.Identity;
// Create a new ticket containing the updated properties and the filtered principal.
var ticket = new AuthenticationTicket(principal, properties, Options.AuthenticationScheme);
ticket.Properties.IssuedUtc = Options.SystemClock.UtcNow;
ticket.Properties.ExpiresUtc = ticket.Properties.IssuedUtc +
(ticket.GetIdentityTokenLifetime() ?? Options.IdentityTokenLifetime);
ticket.SetUsage(OpenIdConnectConstants.Usages.IdentityToken);
// Associate a random identifier with the identity token.
ticket.SetTicketId(Guid.NewGuid().ToString());
// Remove the unwanted properties from the authentication ticket.
ticket.RemoveProperty(OpenIdConnectConstants.Properties.AccessTokenLifetime)
.RemoveProperty(OpenIdConnectConstants.Properties.AuthorizationCodeLifetime)
.RemoveProperty(OpenIdConnectConstants.Properties.ClientId)
.RemoveProperty(OpenIdConnectConstants.Properties.CodeChallenge)
.RemoveProperty(OpenIdConnectConstants.Properties.CodeChallengeMethod)
.RemoveProperty(OpenIdConnectConstants.Properties.IdentityTokenLifetime)
.RemoveProperty(OpenIdConnectConstants.Properties.RedirectUri)
.RemoveProperty(OpenIdConnectConstants.Properties.RefreshTokenLifetime);
ticket.SetAudiences(ticket.GetPresenters());
var notification = new SerializeIdentityTokenContext(Context, Options, request, response, ticket)
{
Issuer = Context.GetIssuer(Options),
SecurityTokenHandler = Options.IdentityTokenHandler,
SigningCredentials = Options.SigningCredentials.FirstOrDefault(key => key.Key is AsymmetricSecurityKey)
};
await Options.Provider.SerializeIdentityToken(notification);
if (notification.HandledResponse || !string.IsNullOrEmpty(notification.IdentityToken))
{
return(notification.IdentityToken);
}
else if (notification.Skipped)
{
return(null);
}
if (!ReferenceEquals(ticket, notification.Ticket))
{
throw new InvalidOperationException("The authentication ticket cannot be replaced.");
}
if (notification.SecurityTokenHandler == null)
{
return(null);
}
// Extract the main identity from the principal.
identity = (ClaimsIdentity)ticket.Principal.Identity;
if (string.IsNullOrEmpty(identity.GetClaim(OpenIdConnectConstants.Claims.Subject)))
{
throw new InvalidOperationException("The authentication ticket was rejected because " +
"it doesn't contain the mandatory subject claim.");
}
// Note: identity tokens must be signed but an exception is made by the OpenID Connect specification
// when they are returned from the token endpoint: in this case, signing is not mandatory, as the TLS
// server validation can be used as a way to ensure an identity token was issued by a trusted party.
// See http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation for more information.
if (notification.SigningCredentials == null && request.IsAuthorizationRequest())
{
throw new InvalidOperationException("A signing key must be provided.");
}
// Store the "unique_id" property as a claim.
identity.AddClaim(OpenIdConnectConstants.Claims.JwtId, ticket.GetTicketId());
// Store the "usage" property as a claim.
identity.AddClaim(OpenIdConnectConstants.Claims.Usage, ticket.GetUsage());
// Store the "confidentiality_level" property as a claim.
var confidentiality = ticket.GetProperty(OpenIdConnectConstants.Properties.ConfidentialityLevel);
if (!string.IsNullOrEmpty(confidentiality))
{
identity.AddClaim(OpenIdConnectConstants.Claims.ConfidentialityLevel, confidentiality);
}
// Store the audiences as claims.
foreach (var audience in notification.Audiences)
{
identity.AddClaim(OpenIdConnectConstants.Claims.Audience, audience);
}
// If a nonce was present in the authorization request, it MUST
// be included in the id_token generated by the token endpoint.
// See http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
var nonce = request.Nonce;
if (request.IsAuthorizationCodeGrantType())
{
// Restore the nonce stored in the authentication
// ticket extracted from the authorization code.
nonce = ticket.GetProperty(OpenIdConnectConstants.Properties.Nonce);
}
if (!string.IsNullOrEmpty(nonce))
{
identity.AddClaim(OpenIdConnectConstants.Claims.Nonce, nonce);
}
if (notification.SigningCredentials != null && (!string.IsNullOrEmpty(response.Code) ||
!string.IsNullOrEmpty(response.AccessToken)))
{
using (var algorithm = OpenIdConnectServerHelpers.GetHashAlgorithm(notification.SigningCredentials.Algorithm))
{
// Create an authorization code hash if necessary.
if (!string.IsNullOrEmpty(response.Code))
{
var hash = algorithm.ComputeHash(Encoding.ASCII.GetBytes(response.Code));
// Note: only the left-most half of the hash of the octets is used.
// See http://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken
identity.AddClaim(OpenIdConnectConstants.Claims.CodeHash, Base64UrlEncoder.Encode(hash, 0, hash.Length / 2));
}
// Create an access token hash if necessary.
if (!string.IsNullOrEmpty(response.AccessToken))
{
var hash = algorithm.ComputeHash(Encoding.ASCII.GetBytes(response.AccessToken));
// Note: only the left-most half of the hash of the octets is used.
// See http://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken
identity.AddClaim(OpenIdConnectConstants.Claims.AccessTokenHash, Base64UrlEncoder.Encode(hash, 0, hash.Length / 2));
}
}
}
// Extract the presenters from the authentication ticket.
var presenters = notification.Presenters.ToArray();
switch (presenters.Length)
{
case 0: break;
case 1:
identity.AddClaim(OpenIdConnectConstants.Claims.AuthorizedParty, presenters[0]);
break;
default:
Logger.LogWarning("Multiple presenters have been associated with the identity token " +
"but the JWT format only accepts single values.");
// Only add the first authorized party.
identity.AddClaim(OpenIdConnectConstants.Claims.AuthorizedParty, presenters[0]);
break;
}
var token = notification.SecurityTokenHandler.CreateToken(new SecurityTokenDescriptor
{
Subject = identity,
Issuer = notification.Issuer,
SigningCredentials = notification.SigningCredentials,
IssuedAt = notification.Ticket.Properties.IssuedUtc?.UtcDateTime,
NotBefore = notification.Ticket.Properties.IssuedUtc?.UtcDateTime,
Expires = notification.Ticket.Properties.ExpiresUtc?.UtcDateTime
});
return(notification.SecurityTokenHandler.WriteToken(token));
}
private async Task <bool> InvokeTokenEndpointAsync()
{
if (!string.Equals(Request.Method, "POST", StringComparison.OrdinalIgnoreCase))
{
Logger.LogError("The token request was rejected because an invalid " +
"HTTP method was received: {Method}.", Request.Method);
return(await SendTokenResponseAsync(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "A malformed token request has been received: make sure to use POST."
}));
}
// See http://openid.net/specs/openid-connect-core-1_0.html#FormSerialization
if (string.IsNullOrEmpty(Request.ContentType))
{
Logger.LogError("The token request was rejected because the " +
"mandatory 'Content-Type' header was missing.");
return(await SendTokenResponseAsync(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "A malformed token request has been received: " +
"the mandatory 'Content-Type' header was missing from the POST request."
}));
}
// May have media/type; charset=utf-8, allow partial match.
if (!Request.ContentType.StartsWith("application/x-www-form-urlencoded", StringComparison.OrdinalIgnoreCase))
{
Logger.LogError("The token request was rejected because an invalid 'Content-Type' " +
"header was received: {ContentType}.", Request.ContentType);
return(await SendTokenResponseAsync(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "A malformed token request has been received: " +
"the 'Content-Type' header contained an unexcepted value. " +
"Make sure to use 'application/x-www-form-urlencoded'."
}));
}
var request = new OpenIdConnectRequest(await Request.ReadFormAsync(Context.RequestAborted));
// Note: set the message type before invoking the ExtractTokenRequest event.
request.SetProperty(OpenIdConnectConstants.Properties.MessageType,
OpenIdConnectConstants.MessageTypes.TokenRequest);
// Store the token request in the ASP.NET context.
Context.SetOpenIdConnectRequest(request);
var @event = new ExtractTokenRequestContext(Context, Options, request);
await Options.Provider.ExtractTokenRequest(@event);
if (@event.HandledResponse)
{
Logger.LogDebug("The token request was handled in user code.");
return(true);
}
else if (@event.Skipped)
{
Logger.LogDebug("The default token request handling was skipped from user code.");
return(false);
}
else if (@event.IsRejected)
{
Logger.LogError("The token request was rejected with the following error: {Error} ; {Description}",
/* Error: */ @event.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
/* Description: */ @event.ErrorDescription);
return(await SendTokenResponseAsync(new OpenIdConnectResponse
{
Error = @event.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = @event.ErrorDescription,
ErrorUri = @event.ErrorUri
}));
}
Logger.LogInformation("The token request was successfully extracted " +
"from the HTTP request: {Request}", request);
// Reject token requests missing the mandatory grant_type parameter.
if (string.IsNullOrEmpty(request.GrantType))
{
Logger.LogError("The token request was rejected because the grant type was missing.");
return(await SendTokenResponseAsync(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "The mandatory 'grant_type' parameter was missing.",
}));
}
// Reject grant_type=authorization_code requests if the authorization endpoint is disabled.
else if (request.IsAuthorizationCodeGrantType() && !Options.AuthorizationEndpointPath.HasValue)
{
Logger.LogError("The token request was rejected because the authorization code grant was disabled.");
return(await SendTokenResponseAsync(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.UnsupportedGrantType,
ErrorDescription = "The authorization code grant is not allowed by this authorization server."
}));
}
// Reject grant_type=authorization_code requests missing the authorization code.
// See https://tools.ietf.org/html/rfc6749#section-4.1.3
else if (request.IsAuthorizationCodeGrantType() && string.IsNullOrEmpty(request.Code))
{
Logger.LogError("The token request was rejected because the authorization code was missing.");
return(await SendTokenResponseAsync(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "The mandatory 'code' parameter was missing."
}));
}
// Reject grant_type=refresh_token requests missing the refresh token.
// See https://tools.ietf.org/html/rfc6749#section-6
else if (request.IsRefreshTokenGrantType() && string.IsNullOrEmpty(request.RefreshToken))
{
Logger.LogError("The token request was rejected because the refresh token was missing.");
return(await SendTokenResponseAsync(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "The mandatory 'refresh_token' parameter was missing."
}));
}
// Reject grant_type=password requests missing username or password.
// See https://tools.ietf.org/html/rfc6749#section-4.3.2
else if (request.IsPasswordGrantType() && (string.IsNullOrEmpty(request.Username) ||
string.IsNullOrEmpty(request.Password)))
{
Logger.LogError("The token request was rejected because the resource owner credentials were missing.");
return(await SendTokenResponseAsync(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "The mandatory 'username' and/or 'password' parameters " +
"was/were missing from the request message."
}));
}
// When client_id and client_secret are both null, try to extract them from the Authorization header.
// See http://tools.ietf.org/html/rfc6749#section-2.3.1 and
// http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
if (string.IsNullOrEmpty(request.ClientId) && string.IsNullOrEmpty(request.ClientSecret))
{
string header = Request.Headers[HeaderNames.Authorization];
if (!string.IsNullOrEmpty(header) && header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
{
try
{
var value = header.Substring("Basic ".Length).Trim();
var data = Encoding.UTF8.GetString(Convert.FromBase64String(value));
var index = data.IndexOf(':');
if (index >= 0)
{
request.ClientId = data.Substring(0, index);
request.ClientSecret = data.Substring(index + 1);
}
}
catch (FormatException) { }
catch (ArgumentException) { }
}
}
var context = new ValidateTokenRequestContext(Context, Options, request);
await Options.Provider.ValidateTokenRequest(context);
// If the validation context was set as fully validated,
// mark the OpenID Connect request as confidential.
if (context.IsValidated)
{
request.SetProperty(OpenIdConnectConstants.Properties.ConfidentialityLevel,
OpenIdConnectConstants.ConfidentialityLevels.Private);
}
if (context.HandledResponse)
{
Logger.LogDebug("The token request was handled in user code.");
return(true);
}
else if (context.Skipped)
{
Logger.LogDebug("The default token request handling was skipped from user code.");
return(false);
}
else if (context.IsRejected)
{
Logger.LogError("The token request was rejected with the following error: {Error} ; {Description}",
/* Error: */ context.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
/* Description: */ context.ErrorDescription);
return(await SendTokenResponseAsync(new OpenIdConnectResponse
{
Error = context.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = context.ErrorDescription,
ErrorUri = context.ErrorUri
}));
}
// Reject grant_type=client_credentials requests if validation was skipped.
else if (context.IsSkipped && request.IsClientCredentialsGrantType())
{
Logger.LogError("The token request must be fully validated to use the client_credentials grant type.");
return(await SendTokenResponseAsync(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "Client authentication is required when using client_credentials."
}));
}
// At this stage, client_id cannot be null for grant_type=authorization_code requests,
// as it must either be set in the ValidateTokenRequest notification
// by the developer or manually flowed by non-confidential client applications.
// See https://tools.ietf.org/html/rfc6749#section-4.1.3
if (request.IsAuthorizationCodeGrantType() && string.IsNullOrEmpty(context.ClientId))
{
Logger.LogError("The token request was rejected because the mandatory 'client_id' was missing.");
return(await SendTokenResponseAsync(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "client_id was missing from the token request"
}));
}
// Store the validated client_id as a request property.
request.SetProperty(OpenIdConnectConstants.Properties.ClientId, context.ClientId);
Logger.LogInformation("The token request was successfully validated.");
AuthenticationTicket ticket = null;
// See http://tools.ietf.org/html/rfc6749#section-4.1
// and http://tools.ietf.org/html/rfc6749#section-4.1.3 (authorization code grant).
// See http://tools.ietf.org/html/rfc6749#section-6 (refresh token grant).
if (request.IsAuthorizationCodeGrantType() || request.IsRefreshTokenGrantType())
{
ticket = request.IsAuthorizationCodeGrantType() ?
await DeserializeAuthorizationCodeAsync(request.Code, request) :
await DeserializeRefreshTokenAsync(request.RefreshToken, request);
if (ticket == null)
{
Logger.LogError("The token request was rejected because the " +
"authorization code or the refresh token was invalid.");
return(await SendTokenResponseAsync(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "Invalid ticket"
}));
}
// If the client was fully authenticated when retrieving its refresh token,
// the current request must be rejected if client authentication was not enforced.
if (request.IsRefreshTokenGrantType() && !context.IsValidated && ticket.IsConfidential())
{
Logger.LogError("The token request was rejected because client authentication " +
"was required to use the confidential refresh token.");
return(await SendTokenResponseAsync(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "Client authentication is required to use this ticket"
}));
}
if (ticket.Properties.ExpiresUtc.HasValue &&
ticket.Properties.ExpiresUtc < Options.SystemClock.UtcNow)
{
Logger.LogError("The token request was rejected because the " +
"authorization code or the refresh token was expired.");
return(await SendTokenResponseAsync(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "Expired ticket"
}));
}
// Note: presenters may be empty during a grant_type=refresh_token request if the refresh token
// was issued to a public client but cannot be null for an authorization code grant request.
var presenters = ticket.GetPresenters();
if (request.IsAuthorizationCodeGrantType() && !presenters.Any())
{
throw new InvalidOperationException("The presenters list cannot be extracted from the authorization code.");
}
// Ensure the authorization code/refresh token was issued to the client application making the token request.
// Note: when using the refresh token grant, client_id is optional but must validated if present.
// As a consequence, this check doesn't depend on the actual status of client authentication.
// See https://tools.ietf.org/html/rfc6749#section-6
// and http://openid.net/specs/openid-connect-core-1_0.html#RefreshingAccessToken
if (!string.IsNullOrEmpty(context.ClientId) && presenters.Any() &&
!presenters.Contains(context.ClientId, StringComparer.Ordinal))
{
Logger.LogError("The token request was rejected because the authorization " +
"code was issued to a different client application.");
return(await SendTokenResponseAsync(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "Ticket does not contain matching client_id"
}));
}
// Validate the redirect_uri flowed by the client application during this token request.
// Note: for pure OAuth2 requests, redirect_uri is only mandatory if the authorization request
// contained an explicit redirect_uri. OpenID Connect requests MUST include a redirect_uri
// but the specifications allow proceeding the token request without returning an error
// if the authorization request didn't contain an explicit redirect_uri.
// See https://tools.ietf.org/html/rfc6749#section-4.1.3
// and http://openid.net/specs/openid-connect-core-1_0.html#TokenRequestValidation
var address = ticket.GetProperty(OpenIdConnectConstants.Properties.RedirectUri);
if (request.IsAuthorizationCodeGrantType() && !string.IsNullOrEmpty(address))
{
if (string.IsNullOrEmpty(request.RedirectUri))
{
Logger.LogError("The token request was rejected because the mandatory 'redirect_uri' " +
"parameter was missing from the grant_type=authorization_code request.");
return(await SendTokenResponseAsync(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "redirect_uri was missing from the token request"
}));
}
else if (!string.Equals(address, request.RedirectUri, StringComparison.Ordinal))
{
Logger.LogError("The token request was rejected because the 'redirect_uri' " +
"parameter didn't correspond to the expected value.");
return(await SendTokenResponseAsync(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "Authorization code does not contain matching redirect_uri"
}));
}
}
// If a code challenge was initially sent in the authorization request and associated with the
// code, validate the code verifier to ensure the token request is sent by a legit caller.
var challenge = ticket.GetProperty(OpenIdConnectConstants.Properties.CodeChallenge);
if (request.IsAuthorizationCodeGrantType() && !string.IsNullOrEmpty(challenge))
{
// Get the code verifier from the token request.
// If it cannot be found, return an invalid_grant error.
var verifier = request.CodeVerifier;
if (string.IsNullOrEmpty(verifier))
{
Logger.LogError("The token request was rejected because the required 'code_verifier' " +
"parameter was missing from the grant_type=authorization_code request.");
return(await SendTokenResponseAsync(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "The required 'code_verifier' was missing from the token request."
}));
}
// Note: the code challenge method is always validated when receiving the authorization request.
var method = ticket.GetProperty(OpenIdConnectConstants.Properties.CodeChallengeMethod);
Debug.Assert(string.IsNullOrEmpty(method) ||
string.Equals(method, OpenIdConnectConstants.CodeChallengeMethods.Plain, StringComparison.Ordinal) ||
string.Equals(method, OpenIdConnectConstants.CodeChallengeMethods.Sha256, StringComparison.Ordinal),
"The specified code challenge method should be supported.");
// If the S256 challenge method was used, compute the hash corresponding to the code verifier.
if (string.Equals(method, OpenIdConnectConstants.CodeChallengeMethods.Sha256, StringComparison.Ordinal))
{
using (var algorithm = SHA256.Create())
{
// Compute the SHA-256 hash of the code verifier and encode it using base64-url.
// See https://tools.ietf.org/html/rfc7636#section-4.6 for more information.
var hash = algorithm.ComputeHash(Encoding.ASCII.GetBytes(request.CodeVerifier));
verifier = Base64UrlEncoder.Encode(hash);
}
}
// Compare the verifier and the code challenge: if the two don't match, return an error.
// Note: to prevent timing attacks, a time-constant comparer is always used.
if (!OpenIdConnectServerHelpers.AreEqual(verifier, challenge))
{
Logger.LogError("The token request was rejected because the 'code_verifier' was invalid.");
return(await SendTokenResponseAsync(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "The specified 'code_verifier' was invalid."
}));
}
}
if (request.IsRefreshTokenGrantType() && !string.IsNullOrEmpty(request.Resource))
{
// When an explicit resource parameter has been included in the token request
// but was missing from the initial request, the request MUST be rejected.
var resources = ticket.GetResources();
if (!resources.Any())
{
Logger.LogError("The token request was rejected because the 'resource' parameter was not allowed.");
return(await SendTokenResponseAsync(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "Token request cannot contain a resource parameter " +
"if the authorization request didn't contain one"
}));
}
// When an explicit resource parameter has been included in the token request,
// the authorization server MUST ensure that it doesn't contain resources
// that were not allowed during the initial authorization/token request.
else if (!new HashSet <string>(resources).IsSupersetOf(request.GetResources()))
{
Logger.LogError("The token request was rejected because the 'resource' parameter was not valid.");
return(await SendTokenResponseAsync(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "Token request doesn't contain a valid resource parameter"
}));
}
}
if (request.IsRefreshTokenGrantType() && !string.IsNullOrEmpty(request.Scope))
{
// When an explicit scope parameter has been included in the token request
// but was missing from the initial request, the request MUST be rejected.
// See http://tools.ietf.org/html/rfc6749#section-6
var scopes = ticket.GetScopes();
if (!scopes.Any())
{
Logger.LogError("The token request was rejected because the 'scope' parameter was not allowed.");
return(await SendTokenResponseAsync(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "Token request cannot contain a scope parameter " +
"if the authorization request didn't contain one"
}));
}
// When an explicit scope parameter has been included in the token request,
// the authorization server MUST ensure that it doesn't contain scopes
// that were not allowed during the initial authorization/token request.
// See https://tools.ietf.org/html/rfc6749#section-6
else if (!new HashSet <string>(scopes).IsSupersetOf(request.GetScopes()))
{
Logger.LogError("The token request was rejected because the 'scope' parameter was not valid.");
return(await SendTokenResponseAsync(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "Token request doesn't contain a valid scope parameter"
}));
}
}
}
var notification = new HandleTokenRequestContext(Context, Options, request, ticket);
await Options.Provider.HandleTokenRequest(notification);
if (notification.HandledResponse)
{
Logger.LogDebug("The token request was handled in user code.");
return(true);
}
else if (notification.Skipped)
{
Logger.LogDebug("The default token request handling was skipped from user code.");
return(false);
}
else if (notification.IsRejected)
{
Logger.LogError("The token request was rejected with the following error: {Error} ; {Description}",
/* Error: */ notification.Error ?? OpenIdConnectConstants.Errors.InvalidGrant,
/* Description: */ notification.ErrorDescription);
return(await SendTokenResponseAsync(new OpenIdConnectResponse
{
Error = notification.Error ?? OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = notification.ErrorDescription,
ErrorUri = notification.ErrorUri
}));
}
// Flow the changes made to the ticket.
ticket = notification.Ticket;
// Ensure an authentication ticket has been provided or return
// an error code indicating that the grant type is not supported.
if (ticket == null)
{
Logger.LogError("The token request was rejected because no authentication " +
"ticket was returned by application code.");
return(await SendTokenResponseAsync(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.UnsupportedGrantType,
ErrorDescription = "The specified grant_type parameter is not supported."
}));
}
// Call HandleSignInAsync to generate a token response.
return(await HandleSignInAsync(ticket));
}
/// <summary>
/// Authorization Server middleware component which is added to an OWIN pipeline. This constructor is not
/// called by application code directly, instead it is added by calling the the IAppBuilder UseOpenIdConnectServer
/// extension method.
/// </summary>
public OpenIdConnectServerMiddleware(
[NotNull] RequestDelegate next,
[NotNull] IOptions <OpenIdConnectServerOptions> options,
[NotNull] IHostingEnvironment environment,
[NotNull] ILoggerFactory loggerFactory,
[NotNull] IDistributedCache cache,
[NotNull] HtmlEncoder htmlEncoder,
[NotNull] UrlEncoder urlEncoder,
[NotNull] IDataProtectionProvider dataProtectionProvider)
: base(next, options, loggerFactory, urlEncoder)
{
if (Options.Provider == null)
{
throw new ArgumentException("The authorization provider registered in " +
"the options cannot be null.", nameof(options));
}
if (Options.RandomNumberGenerator == null)
{
throw new ArgumentException("The random number generator registered in " +
"the options cannot be null.", nameof(options));
}
if (Options.SystemClock == null)
{
throw new ArgumentException("The system clock registered in the options " +
"cannot be null.", nameof(options));
}
if (Options.Issuer != null)
{
if (!Options.Issuer.IsAbsoluteUri)
{
throw new ArgumentException("The issuer registered in the options must be " +
"a valid absolute URI.", nameof(options));
}
// See http://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery
if (!string.IsNullOrEmpty(Options.Issuer.Query) || !string.IsNullOrEmpty(Options.Issuer.Fragment))
{
throw new ArgumentException("The issuer registered in the options must contain no query " +
"and no fragment parts.", nameof(options));
}
// Note: while the issuer parameter should be a HTTPS URI, making HTTPS mandatory
// in AspNet.Security.OpenIdConnect.Server would prevent the end developer from
// running the different samples in test environments, where HTTPS is often disabled.
// To mitigate this issue, AllowInsecureHttp can be set to true to bypass the HTTPS check.
// See http://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery
if (!Options.AllowInsecureHttp && string.Equals(Options.Issuer.Scheme, "http", StringComparison.OrdinalIgnoreCase))
{
throw new ArgumentException("The issuer registered in the options must be a HTTPS URI when " +
"AllowInsecureHttp is not set to true.", nameof(options));
}
}
if (Options.DataProtectionProvider == null)
{
Options.DataProtectionProvider = dataProtectionProvider;
}
if (Options.AccessTokenFormat == null)
{
var protector = Options.DataProtectionProvider.CreateProtector(
nameof(OpenIdConnectServerMiddleware),
Options.AuthenticationScheme, "Access_Token", "v1");
Options.AccessTokenFormat = new TicketDataFormat(protector);
}
if (Options.AuthorizationCodeFormat == null)
{
var protector = Options.DataProtectionProvider.CreateProtector(
nameof(OpenIdConnectServerMiddleware),
Options.AuthenticationScheme, "Authentication_Code", "v1");
Options.AuthorizationCodeFormat = new TicketDataFormat(protector);
}
if (Options.RefreshTokenFormat == null)
{
var protector = Options.DataProtectionProvider.CreateProtector(
nameof(OpenIdConnectServerMiddleware),
Options.AuthenticationScheme, "Refresh_Token", "v1");
Options.RefreshTokenFormat = new TicketDataFormat(protector);
}
if (Options.Cache == null)
{
Options.Cache = cache;
}
if (Options.HtmlEncoder == null)
{
Options.HtmlEncoder = htmlEncoder;
}
// If no key has been explicitly added, use the fallback mode.
if (Options.SigningCredentials.Count == 0)
{
// When detecting a non-development environment, log a warning to inform the developer
// that registering a X.509 certificate is recommended when going live.
if (environment.IsProduction())
{
Logger.LogWarning("No explicit signing credentials have been registered. " +
"Using a X.509 certificate stored in the machine store " +
"is recommended for production environments.");
}
var directory = OpenIdConnectServerHelpers.GetDefaultKeyStorageDirectory();
if (directory == null)
{
Logger.LogWarning("No suitable directory can be found to store the RSA keys." +
"Using a X.509 certificate stored in the machine store " +
"is recommended for production environments.");
return;
}
// Get a data protector from the services provider.
var protector = dataProtectionProvider.CreateProtector(
nameof(OpenIdConnectServerMiddleware),
Options.AuthenticationScheme, "Keys", "v1");
// Note: all the exceptions thrown when enumerating
// existing keys or generating new ones must be caught.
try {
foreach (var key in OpenIdConnectServerHelpers.GetKeys(directory))
{
// Extract the key material using the data protector.
// Ignore the key if the decryption process failed.
string usage;
var parameters = OpenIdConnectServerHelpers.DecryptKey(protector, key.Value, out usage);
if (parameters == null)
{
Logger.LogDebug("An invalid/incompatible key was ignored: {Key}.", key.Key);
continue;
}
// Only add the key if it corresponds to the intended usage.
if (!string.Equals(usage, "Signing", StringComparison.OrdinalIgnoreCase))
{
continue;
}
// Add the key to the signing credentials list.
Options.SigningCredentials.AddKey(new RsaSecurityKey(parameters.Value));
Logger.LogInformation("An existing key was automatically added to the " +
"signing credentials list: {Key}.", key.Key);
}
}
catch (Exception exception) {
Logger.LogDebug("An error ocurred when retrieving the keys stored " +
"on the disk: {Exception}.", exception.ToString());
}
// Note: all the exceptions thrown when enumerating
// existing keys or generating new ones must be caught.
try {
// If no signing key has been found, generate and persist a new RSA key.
if (Options.SigningCredentials.Count == 0)
{
// Generate a new RSA key and export its public/private parameters.
var provider = OpenIdConnectServerHelpers.GenerateKey(size: 2048);
var parameters = provider.ExportParameters(/* includePrivateParameters */ true);
// Add the signing key to the credentials list before trying to persist it on the disk.
Options.SigningCredentials.AddKey(new RsaSecurityKey(parameters));
try {
// Encrypt the key using the data protector and try to persist it on the disk.
var key = OpenIdConnectServerHelpers.EncryptKey(protector, parameters, usage: "Signing");
var path = OpenIdConnectServerHelpers.PersistKey(directory, key);
Logger.LogInformation("A new RSA key was automatically generated, added to the " +
"signing credentials list and persisted on the disk: {Path}.", path);
}
catch (Exception exception) {
Logger.LogWarning("An error ocurred when persisting a new key on the disk: {Exception}. " +
"The key will be kept in memory and will be lost when the " +
"application shuts down or restarts.", exception.ToString());
}
}
}
catch (Exception exception) {
Logger.LogDebug("An error ocurred when generating a new key: {Exception}.", exception.ToString());
}
}
}
private async Task <bool> InvokeConfigurationEndpointAsync()
{
// Metadata requests must be made via GET.
// See http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest
if (!string.Equals(Request.Method, "GET", StringComparison.OrdinalIgnoreCase))
{
Logger.LogError("The discovery request was rejected because an invalid " +
"HTTP method was used: {Method}.", Request.Method);
return(await SendConfigurationResponseAsync(new OpenIdConnectResponse {
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "Invalid HTTP method: make sure to use GET."
}));
}
var request = new OpenIdConnectRequest(Request.Query);
// Note: set the message type before invoking the ExtractConfigurationRequest event.
request.SetProperty(OpenIdConnectConstants.Properties.MessageType,
OpenIdConnectConstants.MessageTypes.Configuration);
// Store the discovery request in the ASP.NET context.
Context.SetOpenIdConnectRequest(request);
var @event = new ExtractConfigurationRequestContext(Context, Options, request);
await Options.Provider.ExtractConfigurationRequest(@event);
if (@event.HandledResponse)
{
return(true);
}
else if (@event.Skipped)
{
return(false);
}
else if (@event.IsRejected)
{
Logger.LogError("The discovery request was rejected with the following error: {Error} ; {Description}",
/* Error: */ @event.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
/* Description: */ @event.ErrorDescription);
return(await SendConfigurationResponseAsync(new OpenIdConnectResponse {
Error = @event.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = @event.ErrorDescription,
ErrorUri = @event.ErrorUri
}));
}
var context = new ValidateConfigurationRequestContext(Context, Options, request);
await Options.Provider.ValidateConfigurationRequest(context);
if (context.HandledResponse)
{
return(true);
}
else if (context.Skipped)
{
return(false);
}
else if (!context.IsValidated)
{
Logger.LogError("The discovery request was rejected with the following error: {Error} ; {Description}",
/* Error: */ context.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
/* Description: */ context.ErrorDescription);
return(await SendConfigurationResponseAsync(new OpenIdConnectResponse {
Error = context.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = context.ErrorDescription,
ErrorUri = context.ErrorUri
}));
}
var notification = new HandleConfigurationRequestContext(Context, Options, request);
notification.Issuer = Context.GetIssuer(Options);
if (Options.AuthorizationEndpointPath.HasValue)
{
notification.AuthorizationEndpoint = notification.Issuer.AddPath(Options.AuthorizationEndpointPath);
}
if (Options.CryptographyEndpointPath.HasValue)
{
notification.CryptographyEndpoint = notification.Issuer.AddPath(Options.CryptographyEndpointPath);
}
if (Options.IntrospectionEndpointPath.HasValue)
{
notification.IntrospectionEndpoint = notification.Issuer.AddPath(Options.IntrospectionEndpointPath);
}
if (Options.LogoutEndpointPath.HasValue)
{
notification.LogoutEndpoint = notification.Issuer.AddPath(Options.LogoutEndpointPath);
}
if (Options.RevocationEndpointPath.HasValue)
{
notification.RevocationEndpoint = notification.Issuer.AddPath(Options.RevocationEndpointPath);
}
if (Options.TokenEndpointPath.HasValue)
{
notification.TokenEndpoint = notification.Issuer.AddPath(Options.TokenEndpointPath);
}
if (Options.UserinfoEndpointPath.HasValue)
{
notification.UserinfoEndpoint = notification.Issuer.AddPath(Options.UserinfoEndpointPath);
}
if (Options.AuthorizationEndpointPath.HasValue)
{
// Only expose the implicit grant type if the token
// endpoint has not been explicitly disabled.
notification.GrantTypes.Add(OpenIdConnectConstants.GrantTypes.Implicit);
if (Options.TokenEndpointPath.HasValue)
{
// Only expose the authorization code and refresh token grant types
// if both the authorization and the token endpoints are enabled.
notification.GrantTypes.Add(OpenIdConnectConstants.GrantTypes.AuthorizationCode);
}
}
if (Options.TokenEndpointPath.HasValue)
{
notification.GrantTypes.Add(OpenIdConnectConstants.GrantTypes.RefreshToken);
notification.GrantTypes.Add(OpenIdConnectConstants.GrantTypes.ClientCredentials);
notification.GrantTypes.Add(OpenIdConnectConstants.GrantTypes.Password);
}
// Only populate response_modes_supported and response_types_supported
// if the authorization endpoint is available.
if (Options.AuthorizationEndpointPath.HasValue)
{
notification.ResponseModes.Add(OpenIdConnectConstants.ResponseModes.FormPost);
notification.ResponseModes.Add(OpenIdConnectConstants.ResponseModes.Fragment);
notification.ResponseModes.Add(OpenIdConnectConstants.ResponseModes.Query);
notification.ResponseTypes.Add(OpenIdConnectConstants.ResponseTypes.Token);
notification.ResponseTypes.Add(OpenIdConnectConstants.ResponseTypes.IdToken);
notification.ResponseTypes.Add(
OpenIdConnectConstants.ResponseTypes.IdToken + ' ' +
OpenIdConnectConstants.ResponseTypes.Token);
// Only expose response types containing code when
// the token endpoint has not been explicitly disabled.
if (Options.TokenEndpointPath.HasValue)
{
notification.ResponseTypes.Add(OpenIdConnectConstants.ResponseTypes.Code);
notification.ResponseTypes.Add(
OpenIdConnectConstants.ResponseTypes.Code + ' ' +
OpenIdConnectConstants.ResponseTypes.Token);
notification.ResponseTypes.Add(
OpenIdConnectConstants.ResponseTypes.Code + ' ' +
OpenIdConnectConstants.ResponseTypes.IdToken);
notification.ResponseTypes.Add(
OpenIdConnectConstants.ResponseTypes.Code + ' ' +
OpenIdConnectConstants.ResponseTypes.IdToken + ' ' +
OpenIdConnectConstants.ResponseTypes.Token);
}
}
notification.Scopes.Add(OpenIdConnectConstants.Scopes.OpenId);
notification.SubjectTypes.Add(OpenIdConnectConstants.SubjectTypes.Public);
// Note: supporting S256 is mandatory for authorization servers that implement PKCE.
// See https://tools.ietf.org/html/rfc7636#section-4.2 for more information.
notification.CodeChallengeMethods.Add(OpenIdConnectConstants.CodeChallengeMethods.Plain);
notification.CodeChallengeMethods.Add(OpenIdConnectConstants.CodeChallengeMethods.Sha256);
foreach (var credentials in Options.SigningCredentials)
{
// Try to resolve the JWA algorithm short name. If a null value is returned, ignore it.
var algorithm = OpenIdConnectServerHelpers.GetJwtAlgorithm(credentials.Algorithm);
if (string.IsNullOrEmpty(algorithm))
{
continue;
}
// If the algorithm is already listed, ignore it.
if (notification.SigningAlgorithms.Contains(algorithm))
{
continue;
}
notification.SigningAlgorithms.Add(algorithm);
}
await Options.Provider.HandleConfigurationRequest(notification);
if (notification.HandledResponse)
{
return(true);
}
else if (notification.Skipped)
{
return(false);
}
else if (notification.IsRejected)
{
Logger.LogError("The discovery request was rejected with the following error: {Error} ; {Description}",
/* Error: */ notification.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
/* Description: */ notification.ErrorDescription);
return(await SendConfigurationResponseAsync(new OpenIdConnectResponse {
Error = notification.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = notification.ErrorDescription,
ErrorUri = notification.ErrorUri
}));
}
return(await SendConfigurationResponseAsync(new OpenIdConnectResponse(notification.Metadata)));
}
private async Task <bool> InvokeCryptographyEndpointAsync()
{
// Metadata requests must be made via GET.
// See http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest
if (!string.Equals(Request.Method, "GET", StringComparison.OrdinalIgnoreCase))
{
Logger.LogError("The discovery request was rejected because an invalid " +
"HTTP method was used: {Method}.", Request.Method);
return(await SendCryptographyResponseAsync(new OpenIdConnectResponse {
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "Invalid HTTP method: make sure to use GET."
}));
}
var request = new OpenIdConnectRequest(Request.Query);
// Note: set the message type before invoking the ExtractCryptographyRequest event.
request.SetProperty(OpenIdConnectConstants.Properties.MessageType,
OpenIdConnectConstants.MessageTypes.Cryptography);
// Store the discovery request in the ASP.NET context.
Context.SetOpenIdConnectRequest(request);
var @event = new ExtractCryptographyRequestContext(Context, Options, request);
await Options.Provider.ExtractCryptographyRequest(@event);
if (@event.HandledResponse)
{
return(true);
}
else if (@event.Skipped)
{
return(false);
}
else if (@event.IsRejected)
{
Logger.LogError("The discovery request was rejected with the following error: {Error} ; {Description}",
/* Error: */ @event.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
/* Description: */ @event.ErrorDescription);
return(await SendCryptographyResponseAsync(new OpenIdConnectResponse {
Error = @event.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = @event.ErrorDescription,
ErrorUri = @event.ErrorUri
}));
}
var context = new ValidateCryptographyRequestContext(Context, Options, request);
await Options.Provider.ValidateCryptographyRequest(context);
if (context.HandledResponse)
{
return(true);
}
else if (context.Skipped)
{
return(false);
}
else if (!context.IsValidated)
{
Logger.LogError("The discovery request was rejected with the following error: {Error} ; {Description}",
/* Error: */ context.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
/* Description: */ context.ErrorDescription);
return(await SendCryptographyResponseAsync(new OpenIdConnectResponse {
Error = context.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = context.ErrorDescription,
ErrorUri = context.ErrorUri
}));
}
var notification = new HandleCryptographyRequestContext(Context, Options, request);
foreach (var credentials in Options.SigningCredentials)
{
// Ignore the key if it's not supported.
#if SUPPORTS_ECDSA
if (!credentials.Key.IsSupportedAlgorithm(SecurityAlgorithms.RsaSha256Signature) &&
!credentials.Key.IsSupportedAlgorithm(SecurityAlgorithms.EcdsaSha256Signature) &&
!credentials.Key.IsSupportedAlgorithm(SecurityAlgorithms.EcdsaSha384Signature) &&
!credentials.Key.IsSupportedAlgorithm(SecurityAlgorithms.EcdsaSha512Signature))
{
Logger.LogInformation("An unsupported signing key was ignored and excluded from the " +
"key set: {Type}. Only RSA and ECDSA asymmetric security keys " +
"can be exposed via the JWKS endpoint.", credentials.Key.GetType().Name);
continue;
}
#else
if (!credentials.Key.IsSupportedAlgorithm(SecurityAlgorithms.RsaSha256Signature))
{
Logger.LogInformation("An unsupported signing key was ignored and excluded from the " +
"key set: {Type}. Only RSA asymmetric security keys can be exposed " +
"via the JWKS endpoint.", credentials.Key.GetType().Name);
continue;
}
#endif
var key = new JsonWebKey {
Use = JsonWebKeyUseNames.Sig,
// Resolve the JWA identifier from the algorithm specified in the credentials.
Alg = OpenIdConnectServerHelpers.GetJwtAlgorithm(credentials.Algorithm),
// Use the key identifier specified in the signing credentials.
Kid = credentials.Kid,
};
if (credentials.Key.IsSupportedAlgorithm(SecurityAlgorithms.RsaSha256Signature))
{
RSA algorithm = null;
// Note: IdentityModel 5 doesn't expose a method allowing to retrieve the underlying algorithm
// from a generic asymmetric security key. To work around this limitation, try to cast
// the security key to the built-in IdentityModel types to extract the required RSA instance.
// See https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/395
var x509SecurityKey = credentials.Key as X509SecurityKey;
if (x509SecurityKey != null)
{
algorithm = x509SecurityKey.PublicKey as RSA;
}
var rsaSecurityKey = credentials.Key as RsaSecurityKey;
if (rsaSecurityKey != null)
{
algorithm = rsaSecurityKey.Rsa;
// If no RSA instance can be found, create one using
// the RSA parameters attached to the security key.
if (algorithm == null)
{
var rsa = RSA.Create();
rsa.ImportParameters(rsaSecurityKey.Parameters);
algorithm = rsa;
}
}
// Skip the key if an algorithm instance cannot be extracted.
if (algorithm == null)
{
Logger.LogWarning("A signing key was ignored because it was unable " +
"to provide the requested algorithm instance.");
continue;
}
// Export the RSA public key to create a new JSON Web Key
// exposing the exponent and the modulus parameters.
var parameters = algorithm.ExportParameters(includePrivateParameters: false);
Debug.Assert(parameters.Exponent != null &&
parameters.Modulus != null,
"RSA.ExportParameters() shouldn't return null parameters.");
key.Kty = JsonWebAlgorithmsKeyTypes.RSA;
// Note: both E and N must be base64url-encoded.
// See https://tools.ietf.org/html/rfc7518#section-6.3.1.1
key.E = Base64UrlEncoder.Encode(parameters.Exponent);
key.N = Base64UrlEncoder.Encode(parameters.Modulus);
}
#if SUPPORTS_ECDSA
else if (credentials.Key.IsSupportedAlgorithm(SecurityAlgorithms.EcdsaSha256Signature) ||
credentials.Key.IsSupportedAlgorithm(SecurityAlgorithms.EcdsaSha384Signature) ||
credentials.Key.IsSupportedAlgorithm(SecurityAlgorithms.EcdsaSha512Signature))
{
ECDsa algorithm = null;
var x509SecurityKey = credentials.Key as X509SecurityKey;
if (x509SecurityKey != null)
{
algorithm = x509SecurityKey.PublicKey as ECDsa;
}
var ecdsaSecurityKey = credentials.Key as ECDsaSecurityKey;
if (ecdsaSecurityKey != null)
{
algorithm = ecdsaSecurityKey.ECDsa;
}
// Skip the key if an algorithm instance cannot be extracted.
if (algorithm == null)
{
Logger.LogWarning("A signing key was ignored because it was unable " +
"to provide the requested algorithm instance.");
continue;
}
// Export the ECDsa public key to create a new JSON Web Key
// exposing the coordinates of the point on the curve.
var parameters = algorithm.ExportParameters(includePrivateParameters: false);
Debug.Assert(parameters.Q.X != null &&
parameters.Q.Y != null,
"ECDsa.ExportParameters() shouldn't return null coordinates.");
key.Kty = JsonWebAlgorithmsKeyTypes.EllipticCurve;
key.Crv = OpenIdConnectServerHelpers.GetJwtAlgorithmCurve(parameters.Curve);
// Note: both X and Y must be base64url-encoded.
// See https://tools.ietf.org/html/rfc7518#section-6.2.1.2
key.X = Base64UrlEncoder.Encode(parameters.Q.X);
key.Y = Base64UrlEncoder.Encode(parameters.Q.Y);
}
#endif
// If the signing key is embedded in a X.509 certificate, set
// the x5t and x5c parameters using the certificate details.
var certificate = (credentials.Key as X509SecurityKey)?.Certificate;
if (certificate != null)
{
// x5t must be base64url-encoded.
// See https://tools.ietf.org/html/rfc7517#section-4.8
key.X5t = Base64UrlEncoder.Encode(certificate.GetCertHash());
// Unlike E or N, the certificates contained in x5c
// must be base64-encoded and not base64url-encoded.
// See https://tools.ietf.org/html/rfc7517#section-4.7
key.X5c.Add(Convert.ToBase64String(certificate.RawData));
}
notification.Keys.Add(key);
}
await Options.Provider.HandleCryptographyRequest(notification);
if (notification.HandledResponse)
{
return(true);
}
else if (notification.Skipped)
{
return(false);
}
else if (notification.IsRejected)
{
Logger.LogError("The discovery request was rejected with the following error: {Error} ; {Description}",
/* Error: */ notification.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
/* Description: */ notification.ErrorDescription);
return(await SendCryptographyResponseAsync(new OpenIdConnectResponse {
Error = notification.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = notification.ErrorDescription,
ErrorUri = notification.ErrorUri
}));
}
var keys = new JArray();
foreach (var key in notification.Keys)
{
var item = new JObject();
// Ensure a key type has been provided.
// See https://tools.ietf.org/html/rfc7517#section-4.1
if (string.IsNullOrEmpty(key.Kty))
{
Logger.LogError("A JSON Web Key was excluded from the key set because " +
"it didn't contain the mandatory 'kid' parameter.");
continue;
}
// Create a dictionary associating the
// JsonWebKey components with their values.
var parameters = new Dictionary <string, string> {
[JsonWebKeyParameterNames.Kid] = key.Kid,
[JsonWebKeyParameterNames.Use] = key.Use,
[JsonWebKeyParameterNames.Kty] = key.Kty,
[JsonWebKeyParameterNames.Alg] = key.Alg,
[JsonWebKeyParameterNames.Crv] = key.Crv,
[JsonWebKeyParameterNames.E] = key.E,
[JsonWebKeyParameterNames.N] = key.N,
[JsonWebKeyParameterNames.X] = key.X,
[JsonWebKeyParameterNames.Y] = key.Y,
[JsonWebKeyParameterNames.X5t] = key.X5t,
[JsonWebKeyParameterNames.X5u] = key.X5u
};
foreach (var parameter in parameters)
{
if (!string.IsNullOrEmpty(parameter.Value))
{
item.Add(parameter.Key, parameter.Value);
}
}
if (key.KeyOps.Count != 0)
{
item.Add(JsonWebKeyParameterNames.KeyOps, JArray.FromObject(key.KeyOps));
}
if (key.X5c.Count != 0)
{
item.Add(JsonWebKeyParameterNames.X5c, JArray.FromObject(key.X5c));
}
keys.Add(item);
}
return(await SendCryptographyResponseAsync(new OpenIdConnectResponse {
[OpenIdConnectConstants.Parameters.Keys] = keys
}));
}
private async Task <string> SerializeIdentityTokenAsync(
ClaimsPrincipal principal, AuthenticationProperties properties,
OpenIdConnectMessage request, OpenIdConnectMessage response)
{
// properties.IssuedUtc and properties.ExpiresUtc
// should always be preferred when explicitly set.
if (properties.IssuedUtc == null)
{
properties.IssuedUtc = Options.SystemClock.UtcNow;
}
if (properties.ExpiresUtc == null)
{
properties.ExpiresUtc = properties.IssuedUtc + Options.IdentityTokenLifetime;
}
// Replace the principal by a new one containing only the filtered claims.
// Actors identities are also filtered (delegation scenarios).
principal = principal.Clone(claim => {
// Never exclude ClaimTypes.NameIdentifier.
if (string.Equals(claim.Type, ClaimTypes.NameIdentifier, StringComparison.OrdinalIgnoreCase))
{
return(true);
}
// Claims whose destination is not explicitly referenced or doesn't
// contain "id_token" are not included in the identity token.
return(claim.HasDestination(OpenIdConnectConstants.Destinations.IdentityToken));
});
var identity = (ClaimsIdentity)principal.Identity;
// Create a new ticket containing the updated properties and the filtered principal.
var ticket = new AuthenticationTicket(principal, properties, Options.AuthenticationScheme);
ticket.SetUsage(OpenIdConnectConstants.Usages.IdToken);
// By default, add the client_id to the list of the
// presenters allowed to use the identity token.
if (!string.IsNullOrEmpty(request.ClientId))
{
ticket.SetAudiences(request.ClientId);
ticket.SetPresenters(request.ClientId);
}
var notification = new SerializeIdentityTokenContext(Context, Options, request, response, ticket)
{
Issuer = Context.GetIssuer(Options),
SecurityTokenHandler = Options.IdentityTokenHandler,
SigningCredentials = Options.SigningCredentials.FirstOrDefault()
};
await Options.Provider.SerializeIdentityToken(notification);
if (!string.IsNullOrEmpty(notification.IdentityToken))
{
return(notification.IdentityToken);
}
if (notification.SecurityTokenHandler == null)
{
return(null);
}
if (!identity.HasClaim(claim => claim.Type == JwtRegisteredClaimNames.Sub) &&
!identity.HasClaim(claim => claim.Type == ClaimTypes.NameIdentifier))
{
Logger.LogError("A unique identifier cannot be found to generate a 'sub' claim: " +
"make sure to add a 'ClaimTypes.NameIdentifier' claim.");
return(null);
}
// Extract the main identity from the principal.
identity = (ClaimsIdentity)ticket.Principal.Identity;
// Store the unique subject identifier as a claim.
if (!identity.HasClaim(claim => claim.Type == JwtRegisteredClaimNames.Sub))
{
identity.AddClaim(JwtRegisteredClaimNames.Sub, identity.GetClaim(ClaimTypes.NameIdentifier));
}
// Remove the ClaimTypes.NameIdentifier claims to avoid getting duplicate claims.
// Note: the "sub" claim is automatically mapped by JwtSecurityTokenHandler
// to ClaimTypes.NameIdentifier when validating a JWT token.
// Note: make sure to call ToArray() to avoid an InvalidOperationException
// on old versions of Mono, where FindAll() is implemented using an iterator.
foreach (var claim in identity.FindAll(ClaimTypes.NameIdentifier).ToArray())
{
identity.RemoveClaim(claim);
}
// Store the "usage" property as a claim.
identity.AddClaim(OpenIdConnectConstants.Claims.Usage, ticket.GetUsage());
// If the ticket is marked as confidential, add a new
// "confidential" claim in the security token.
if (ticket.IsConfidential())
{
identity.AddClaim(new Claim(OpenIdConnectConstants.Claims.Confidential, "true", ClaimValueTypes.Boolean));
}
// Store the audiences as claims.
foreach (var audience in ticket.GetAudiences())
{
identity.AddClaim(JwtRegisteredClaimNames.Aud, audience);
}
// If a nonce was present in the authorization request, it MUST
// be included in the id_token generated by the token endpoint.
// See http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
var nonce = request.Nonce;
if (request.IsAuthorizationCodeGrantType())
{
// Restore the nonce stored in the authentication
// ticket extracted from the authorization code.
nonce = ticket.GetNonce();
}
if (!string.IsNullOrEmpty(nonce))
{
identity.AddClaim(JwtRegisteredClaimNames.Nonce, nonce);
}
if (!string.IsNullOrEmpty(response.Code))
{
using (var algorithm = OpenIdConnectServerHelpers.GetHashAlgorithm(notification.SigningCredentials.Algorithm)) {
// Create the c_hash using the authorization code returned by SerializeAuthorizationCodeAsync.
var hash = algorithm.ComputeHash(Encoding.ASCII.GetBytes(response.Code));
// Note: only the left-most half of the hash of the octets is used.
// See http://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken
identity.AddClaim(JwtRegisteredClaimNames.CHash, Base64UrlEncoder.Encode(hash, 0, hash.Length / 2));
}
}
if (!string.IsNullOrEmpty(response.AccessToken))
{
using (var algorithm = OpenIdConnectServerHelpers.GetHashAlgorithm(notification.SigningCredentials.Algorithm)) {
// Create the at_hash using the access token returned by SerializeAccessTokenAsync.
var hash = algorithm.ComputeHash(Encoding.ASCII.GetBytes(response.AccessToken));
// Note: only the left-most half of the hash of the octets is used.
// See http://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken
identity.AddClaim(JwtRegisteredClaimNames.AtHash, Base64UrlEncoder.Encode(hash, 0, hash.Length / 2));
}
}
// Extract the presenters from the authentication ticket.
var presenters = ticket.GetPresenters().ToArray();
switch (presenters.Length)
{
case 0: break;
case 1:
identity.AddClaim(JwtRegisteredClaimNames.Azp, presenters[0]);
break;
default:
Logger.LogWarning("Multiple presenters have been associated with the identity token " +
"but the JWT format only accepts single values.");
// Only add the first authorized party.
identity.AddClaim(JwtRegisteredClaimNames.Azp, presenters[0]);
break;
}
var token = notification.SecurityTokenHandler.CreateJwtSecurityToken(
subject: identity,
issuer: notification.Issuer,
signingCredentials: notification.SigningCredentials,
issuedAt: ticket.Properties.IssuedUtc.Value.UtcDateTime,
notBefore: ticket.Properties.IssuedUtc.Value.UtcDateTime,
expires: ticket.Properties.ExpiresUtc.Value.UtcDateTime);
var x509SecurityKey = notification.SigningCredentials?.Key as X509SecurityKey;
if (x509SecurityKey != null)
{
// Note: unlike "kid", "x5t" is not automatically added by JwtHeader's constructor in IdentityModel for .NET Core.
// Though not required by the specifications, this property is needed for IdentityModel for Katana to work correctly.
// See https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/issues/132
// and https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/181.
token.Header[JwtHeaderParameterNames.X5t] = Base64UrlEncoder.Encode(x509SecurityKey.Certificate.GetCertHash());
}
return(notification.SecurityTokenHandler.WriteToken(token));
}
private async Task <bool> InvokeCryptographyEndpointAsync()
{
// Metadata requests must be made via GET.
// See http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest
if (!string.Equals(Request.Method, "GET", StringComparison.OrdinalIgnoreCase))
{
Logger.LogError("The discovery request was rejected because an invalid " +
"HTTP method was used: {Method}.", Request.Method);
return(await SendErrorPayloadAsync(new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "Invalid HTTP method: make sure to use GET."
}));
}
var validatingContext = new ValidateCryptographyRequestContext(Context, Options);
await Options.Provider.ValidateCryptographyRequest(validatingContext);
if (!validatingContext.IsValidated)
{
Logger.LogInformation("The discovery request was rejected by application code.");
return(await SendErrorPayloadAsync(new OpenIdConnectMessage {
Error = validatingContext.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = validatingContext.ErrorDescription,
ErrorUri = validatingContext.ErrorUri
}));
}
var notification = new HandleCryptographyRequestContext(Context, Options);
foreach (var credentials in Options.SigningCredentials)
{
// Ignore the key if it's not supported.
if (!credentials.Key.IsSupportedAlgorithm(SecurityAlgorithms.RsaSha256Signature) &&
!credentials.Key.IsSupportedAlgorithm(SecurityAlgorithms.RsaSha384Signature) &&
!credentials.Key.IsSupportedAlgorithm(SecurityAlgorithms.RsaSha512Signature))
{
Logger.LogInformation("An unsupported signing key was ignored and excluded " +
"from the key set: {Type}. Only asymmetric security keys " +
"supporting RS256, RS384 or RS512 can be exposed " +
"via the JWKS endpoint.", credentials.Key.GetType().Name);
continue;
}
// Determine whether the security key is a RSA key embedded in a X.509 certificate.
var x509SecurityKey = credentials.Key as X509SecurityKey;
if (x509SecurityKey != null)
{
// Create a new JSON Web Key exposing the
// certificate instead of its public RSA key.
notification.Keys.Add(new JsonWebKey {
Use = JsonWebKeyUseNames.Sig,
Kty = JsonWebAlgorithmsKeyTypes.RSA,
// Resolve the JWA identifier from the algorithm specified in the credentials.
Alg = OpenIdConnectServerHelpers.GetJwtAlgorithm(credentials.Algorithm),
// Use the key identifier specified
// in the signing credentials.
Kid = credentials.Kid,
// x5t must be base64url-encoded.
// See http://tools.ietf.org/html/draft-ietf-jose-json-web-key-31#section-4.8
X5t = Base64UrlEncoder.Encode(x509SecurityKey.Certificate.GetCertHash()),
// Unlike E or N, the certificates contained in x5c
// must be base64-encoded and not base64url-encoded.
// See http://tools.ietf.org/html/draft-ietf-jose-json-web-key-31#section-4.7
X5c = { Convert.ToBase64String(x509SecurityKey.Certificate.RawData) }
});
}
var rsaSecurityKey = credentials.Key as RsaSecurityKey;
if (rsaSecurityKey != null)
{
// Export the RSA public key.
notification.Keys.Add(new JsonWebKey {
Use = JsonWebKeyUseNames.Sig,
Kty = JsonWebAlgorithmsKeyTypes.RSA,
// Resolve the JWA identifier from the algorithm specified in the credentials.
Alg = OpenIdConnectServerHelpers.GetJwtAlgorithm(credentials.Algorithm),
// Use the key identifier specified
// in the signing credentials.
Kid = credentials.Kid,
// Both E and N must be base64url-encoded.
// See http://tools.ietf.org/html/draft-ietf-jose-json-web-key-31#appendix-A.1
E = Base64UrlEncoder.Encode(rsaSecurityKey.Parameters.Exponent),
N = Base64UrlEncoder.Encode(rsaSecurityKey.Parameters.Modulus)
});
}
}
await Options.Provider.HandleCryptographyRequest(notification);
if (notification.HandledResponse)
{
return(true);
}
else if (notification.Skipped)
{
return(false);
}
var payload = new JObject();
var keys = new JArray();
foreach (var key in notification.Keys)
{
var item = new JObject();
// Ensure a key type has been provided.
// See http://tools.ietf.org/html/draft-ietf-jose-json-web-key-31#section-4.1
if (string.IsNullOrEmpty(key.Kty))
{
Logger.LogError("A JSON Web Key was excluded from the key set because " +
"it didn't contain the mandatory 'kid' parameter.");
continue;
}
// Create a dictionary associating the
// JsonWebKey components with their values.
var parameters = new Dictionary <string, string> {
[JsonWebKeyParameterNames.Kid] = key.Kid,
[JsonWebKeyParameterNames.Use] = key.Use,
[JsonWebKeyParameterNames.Kty] = key.Kty,
[JsonWebKeyParameterNames.Alg] = key.Alg,
[JsonWebKeyParameterNames.X5t] = key.X5t,
[JsonWebKeyParameterNames.X5u] = key.X5u,
[JsonWebKeyParameterNames.E] = key.E,
[JsonWebKeyParameterNames.N] = key.N
};
foreach (var parameter in parameters)
{
if (!string.IsNullOrEmpty(parameter.Value))
{
item.Add(parameter.Key, parameter.Value);
}
}
if (key.KeyOps.Any())
{
item.Add(JsonWebKeyParameterNames.KeyOps, JArray.FromObject(key.KeyOps));
}
if (key.X5c.Any())
{
item.Add(JsonWebKeyParameterNames.X5c, JArray.FromObject(key.X5c));
}
keys.Add(item);
}
payload.Add(JsonWebKeyParameterNames.Keys, keys);
var context = new ApplyCryptographyResponseContext(Context, Options, payload);
await Options.Provider.ApplyCryptographyResponse(context);
if (context.HandledResponse)
{
return(true);
}
else if (context.Skipped)
{
return(false);
}
using (var buffer = new MemoryStream())
using (var writer = new JsonTextWriter(new StreamWriter(buffer))) {
payload.WriteTo(writer);
writer.Flush();
Response.ContentLength = buffer.Length;
Response.ContentType = "application/json;charset=UTF-8";
buffer.Seek(offset: 0, loc: SeekOrigin.Begin);
await buffer.CopyToAsync(Response.Body, 4096, Context.RequestAborted);
return(true);
}
}
/// <summary>
/// Authorization Server middleware component which is added to an OWIN pipeline. This constructor is not
/// called by application code directly, instead it is added by calling the the IAppBuilder UseOpenIdConnectServer
/// extension method.
/// </summary>
public OpenIdConnectServerMiddleware(
[NotNull] RequestDelegate next,
[NotNull] IOptions <OpenIdConnectServerOptions> options,
[NotNull] IHostingEnvironment environment,
[NotNull] ILoggerFactory loggerFactory,
[NotNull] IDistributedCache cache,
[NotNull] HtmlEncoder htmlEncoder,
[NotNull] UrlEncoder urlEncoder,
[NotNull] IDataProtectionProvider dataProtectionProvider)
: base(next, options, loggerFactory, urlEncoder)
{
if (Options.Provider == null)
{
throw new ArgumentException("The authorization provider registered in " +
"the options cannot be null.", nameof(options));
}
if (Options.RandomNumberGenerator == null)
{
throw new ArgumentException("The random number generator registered in " +
"the options cannot be null.", nameof(options));
}
if (Options.SystemClock == null)
{
throw new ArgumentException("The system clock registered in the options " +
"cannot be null.", nameof(options));
}
if (Options.Issuer != null)
{
if (!Options.Issuer.IsAbsoluteUri)
{
throw new ArgumentException("The issuer registered in the options must be " +
"a valid absolute URI.", nameof(options));
}
// See http://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery
if (!string.IsNullOrEmpty(Options.Issuer.Query) || !string.IsNullOrEmpty(Options.Issuer.Fragment))
{
throw new ArgumentException("The issuer registered in the options must contain no query " +
"and no fragment parts.", nameof(options));
}
// Note: while the issuer parameter should be a HTTPS URI, making HTTPS mandatory
// in AspNet.Security.OpenIdConnect.Server would prevent the end developer from
// running the different samples in test environments, where HTTPS is often disabled.
// To mitigate this issue, AllowInsecureHttp can be set to true to bypass the HTTPS check.
// See http://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery
if (!Options.AllowInsecureHttp && string.Equals(Options.Issuer.Scheme, "http", StringComparison.OrdinalIgnoreCase))
{
throw new ArgumentException("The issuer registered in the options must be a HTTPS URI when " +
"AllowInsecureHttp is not set to true.", nameof(options));
}
}
if (Options.DataProtectionProvider == null)
{
Options.DataProtectionProvider = dataProtectionProvider;
}
if (Options.AccessTokenFormat == null)
{
var protector = Options.DataProtectionProvider.CreateProtector(
nameof(OpenIdConnectServerMiddleware),
Options.AuthenticationScheme, "Access_Token", "v1");
Options.AccessTokenFormat = new TicketDataFormat(protector);
}
if (Options.AuthorizationCodeFormat == null)
{
var protector = Options.DataProtectionProvider.CreateProtector(
nameof(OpenIdConnectServerMiddleware),
Options.AuthenticationScheme, "Authentication_Code", "v1");
Options.AuthorizationCodeFormat = new TicketDataFormat(protector);
}
if (Options.RefreshTokenFormat == null)
{
var protector = Options.DataProtectionProvider.CreateProtector(
nameof(OpenIdConnectServerMiddleware),
Options.AuthenticationScheme, "Refresh_Token", "v1");
Options.RefreshTokenFormat = new TicketDataFormat(protector);
}
if (Options.Cache == null)
{
Options.Cache = cache;
}
if (Options.HtmlEncoder == null)
{
Options.HtmlEncoder = htmlEncoder;
}
// If no key has been explicitly added, use the fallback mode.
if (Options.SigningCredentials.Count == 0)
{
if (environment.IsProduction())
{
Logger.LogWarning("No explicit signing credentials have been registered. " +
"Using a X.509 certificate stored in the machine store " +
"is recommended for production environments.");
}
var directory = OpenIdConnectServerHelpers.GetDefaultKeyStorageDirectory();
Debug.Assert(directory != null);
// Get a data protector from the services provider.
var protector = dataProtectionProvider.CreateProtector(
nameof(OpenIdConnectServerMiddleware),
Options.AuthenticationScheme, "Keys", "v1");
foreach (var file in directory.EnumerateFiles("*.key"))
{
using (var buffer = new MemoryStream())
using (var stream = file.Open(FileMode.Open, FileAccess.Read, FileShare.Read)) {
// Copy the key content to the buffer.
stream.CopyTo(buffer);
// Extract the key material using the data protector.
// Ignore the key if the decryption process failed.
string usage;
var parameters = OpenIdConnectServerHelpers.DecryptKey(protector, buffer.ToArray(), out usage);
if (parameters == null)
{
Logger.LogDebug("An invalid/incompatible key was ignored: {Key}.", file.FullName);
continue;
}
// Only add the key if it corresponds to the intended usage.
if (!string.Equals(usage, "Signing", StringComparison.OrdinalIgnoreCase))
{
continue;
}
Logger.LogInformation("An existing key was automatically added to the " +
"signing credentials list: {Key}.", file.FullName);
// Add the key to the signing credentials list.
Options.SigningCredentials.AddKey(new RsaSecurityKey(parameters.Value));
}
}
// If no signing key has been found, generate and persist a new RSA key.
if (Options.SigningCredentials.Count == 0)
{
// Generate a new RSA key and export its public/private parameters.
var provider = OpenIdConnectServerHelpers.GenerateKey(size: 2048);
var parameters = provider.ExportParameters(/* includePrivateParameters */ true);
// Generate a new file name for the key and determine its absolute path.
var path = Path.Combine(directory.FullName, Guid.NewGuid().ToString() + ".key");
using (var stream = new FileStream(path, FileMode.CreateNew, FileAccess.Write)) {
// Encrypt the key using the data protector.
var bytes = OpenIdConnectServerHelpers.EncryptKey(protector, parameters, usage: "Signing");
// Write the encrypted key to the file stream.
stream.Write(bytes, 0, bytes.Length);
}
Logger.LogInformation("A new RSA key was automatically generated, added to the " +
"signing credentials list and persisted on the disk: {Path}.", path);
Options.SigningCredentials.AddKey(new RsaSecurityKey(parameters));
}
}
}
private async Task InvokeCryptographyEndpointAsync()
{
var notification = new CryptographyEndpointContext(Context, Options);
// Metadata requests must be made via GET.
// See http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest
if (!string.Equals(Request.Method, "GET", StringComparison.OrdinalIgnoreCase))
{
Logger.LogError("Cryptography endpoint: invalid method used.");
return;
}
foreach (var credentials in Options.SigningCredentials)
{
// Ignore the key if it's not supported.
if (!credentials.Key.IsSupportedAlgorithm(SecurityAlgorithms.RsaSha256Signature) &&
!credentials.Key.IsSupportedAlgorithm(SecurityAlgorithms.RsaSha384Signature) &&
!credentials.Key.IsSupportedAlgorithm(SecurityAlgorithms.RsaSha512Signature))
{
Logger.LogDebug("Cryptography endpoint: unsupported signing key ignored. " +
"Only asymmetric security keys supporting RS256, RS384 " +
"or RS512 can be exposed via the JWKS endpoint.");
continue;
}
// Determine whether the security key is a RSA key embedded in a X.509 certificate.
var x509SecurityKey = credentials.Key as X509SecurityKey;
if (x509SecurityKey != null)
{
// Create a new JSON Web Key exposing the
// certificate instead of its public RSA key.
notification.Keys.Add(new JsonWebKey {
Use = JsonWebKeyUseNames.Sig,
Kty = JsonWebAlgorithmsKeyTypes.RSA,
// Resolve the JWA identifier from the algorithm specified in the credentials.
Alg = OpenIdConnectServerHelpers.GetJwtAlgorithm(credentials.Algorithm),
// By default, use the key identifier specified in the signing credentials. If none is specified,
// use the hexadecimal representation of the certificate's SHA-1 hash as the unique key identifier.
Kid = credentials.Kid ?? x509SecurityKey.KeyId ?? x509SecurityKey.Certificate.Thumbprint,
// x5t must be base64url-encoded.
// See http://tools.ietf.org/html/draft-ietf-jose-json-web-key-31#section-4.8
X5t = Base64UrlEncoder.Encode(x509SecurityKey.Certificate.GetCertHash()),
// Unlike E or N, the certificates contained in x5c
// must be base64-encoded and not base64url-encoded.
// See http://tools.ietf.org/html/draft-ietf-jose-json-web-key-31#section-4.7
X5c = { Convert.ToBase64String(x509SecurityKey.Certificate.RawData) }
});
}
var rsaSecurityKey = credentials.Key as RsaSecurityKey;
if (rsaSecurityKey != null)
{
// Export the RSA public key.
notification.Keys.Add(new JsonWebKey {
Use = JsonWebKeyUseNames.Sig,
Kty = JsonWebAlgorithmsKeyTypes.RSA,
// Resolve the JWA identifier from the algorithm specified in the credentials.
Alg = OpenIdConnectServerHelpers.GetJwtAlgorithm(credentials.Algorithm),
// By default, use the key identifier specified in the signing credentials.
// If none is specified, try to extract it from the security key itself or
// create one using the base64url-encoded representation of the modulus.
Kid = credentials.Kid ?? rsaSecurityKey.KeyId ??
// Note: use the first 40 chars to avoid using a too long identifier.
Base64UrlEncoder.Encode(rsaSecurityKey.Parameters.Modulus)
.Substring(0, 40).ToUpperInvariant(),
// Both E and N must be base64url-encoded.
// See http://tools.ietf.org/html/draft-ietf-jose-json-web-key-31#appendix-A.1
E = Base64UrlEncoder.Encode(rsaSecurityKey.Parameters.Exponent),
N = Base64UrlEncoder.Encode(rsaSecurityKey.Parameters.Modulus)
});
}
}
await Options.Provider.CryptographyEndpoint(notification);
if (notification.HandledResponse)
{
return;
}
var payload = new JObject();
var keys = new JArray();
foreach (var key in notification.Keys)
{
var item = new JObject();
// Ensure a key type has been provided.
// See http://tools.ietf.org/html/draft-ietf-jose-json-web-key-31#section-4.1
if (string.IsNullOrEmpty(key.Kty))
{
Logger.LogWarning("Cryptography endpoint: a JSON Web Key didn't " +
"contain the mandatory 'Kty' parameter and has been ignored.");
continue;
}
// Create a dictionary associating the
// JsonWebKey components with their values.
var parameters = new Dictionary <string, string> {
[JsonWebKeyParameterNames.Kid] = key.Kid,
[JsonWebKeyParameterNames.Use] = key.Use,
[JsonWebKeyParameterNames.Kty] = key.Kty,
[JsonWebKeyParameterNames.Alg] = key.Alg,
[JsonWebKeyParameterNames.X5t] = key.X5t,
[JsonWebKeyParameterNames.X5u] = key.X5u,
[JsonWebKeyParameterNames.E] = key.E,
[JsonWebKeyParameterNames.N] = key.N
};
foreach (var parameter in parameters)
{
if (!string.IsNullOrEmpty(parameter.Value))
{
item.Add(parameter.Key, parameter.Value);
}
}
if (key.KeyOps.Any())
{
item.Add(JsonWebKeyParameterNames.KeyOps, JArray.FromObject(key.KeyOps));
}
if (key.X5c.Any())
{
item.Add(JsonWebKeyParameterNames.X5c, JArray.FromObject(key.X5c));
}
keys.Add(item);
}
payload.Add(JsonWebKeyParameterNames.Keys, keys);
var context = new CryptographyEndpointResponseContext(Context, Options, payload);
await Options.Provider.CryptographyEndpointResponse(context);
if (context.HandledResponse)
{
return;
}
using (var buffer = new MemoryStream())
using (var writer = new JsonTextWriter(new StreamWriter(buffer))) {
payload.WriteTo(writer);
writer.Flush();
Response.ContentLength = buffer.Length;
Response.ContentType = "application/json;charset=UTF-8";
buffer.Seek(offset: 0, loc: SeekOrigin.Begin);
await buffer.CopyToAsync(Response.Body, 4096, Context.RequestAborted);
}
}
private async Task <bool> InvokeConfigurationEndpointAsync()
{
// Metadata requests must be made via GET.
// See http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest
if (!string.Equals(Request.Method, "GET", StringComparison.OrdinalIgnoreCase))
{
Logger.LogError("The configuration request was rejected because an invalid " +
"HTTP method was specified: {Method}.", Request.Method);
return(await SendConfigurationResponseAsync(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "The specified HTTP method is not valid."
}));
}
var request = new OpenIdConnectRequest(Request.Query);
// Note: set the message type before invoking the ExtractConfigurationRequest event.
request.SetProperty(OpenIdConnectConstants.Properties.MessageType,
OpenIdConnectConstants.MessageTypes.ConfigurationRequest);
// Store the configuration request in the ASP.NET context.
Context.SetOpenIdConnectRequest(request);
var @event = new ExtractConfigurationRequestContext(Context, Scheme, Options, request);
await Provider.ExtractConfigurationRequest(@event);
if (@event.Result != null)
{
if (@event.Result.Handled)
{
Logger.LogDebug("The configuration request was handled in user code.");
return(true);
}
else if (@event.Result.Skipped)
{
Logger.LogDebug("The default configuration request handling was skipped from user code.");
return(false);
}
}
else if (@event.IsRejected)
{
Logger.LogError("The configuration request was rejected with the following error: {Error} ; {Description}",
/* Error: */ @event.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
/* Description: */ @event.ErrorDescription);
return(await SendConfigurationResponseAsync(new OpenIdConnectResponse
{
Error = @event.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = @event.ErrorDescription,
ErrorUri = @event.ErrorUri
}));
}
Logger.LogInformation("The configuration request was successfully extracted " +
"from the HTTP request: {Request}.", request);
var context = new ValidateConfigurationRequestContext(Context, Scheme, Options, request);
await Provider.ValidateConfigurationRequest(context);
if (context.Result != null)
{
if (context.Result.Handled)
{
Logger.LogDebug("The configuration request was handled in user code.");
return(true);
}
else if (context.Result.Skipped)
{
Logger.LogDebug("The default configuration request handling was skipped from user code.");
return(false);
}
}
else if (context.IsRejected)
{
Logger.LogError("The configuration request was rejected with the following error: {Error} ; {Description}",
/* Error: */ context.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
/* Description: */ context.ErrorDescription);
return(await SendConfigurationResponseAsync(new OpenIdConnectResponse
{
Error = context.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = context.ErrorDescription,
ErrorUri = context.ErrorUri
}));
}
Logger.LogInformation("The configuration request was successfully validated.");
var notification = new HandleConfigurationRequestContext(Context, Scheme, Options, request)
{
Issuer = Context.GetIssuer(Options)
};
if (Options.AuthorizationEndpointPath.HasValue)
{
notification.AuthorizationEndpoint = notification.Issuer.AddPath(Options.AuthorizationEndpointPath);
}
if (Options.CryptographyEndpointPath.HasValue)
{
notification.CryptographyEndpoint = notification.Issuer.AddPath(Options.CryptographyEndpointPath);
}
if (Options.IntrospectionEndpointPath.HasValue)
{
notification.IntrospectionEndpoint = notification.Issuer.AddPath(Options.IntrospectionEndpointPath);
notification.IntrospectionEndpointAuthenticationMethods.Add(
OpenIdConnectConstants.ClientAuthenticationMethods.ClientSecretBasic);
notification.IntrospectionEndpointAuthenticationMethods.Add(
OpenIdConnectConstants.ClientAuthenticationMethods.ClientSecretPost);
}
if (Options.LogoutEndpointPath.HasValue)
{
notification.LogoutEndpoint = notification.Issuer.AddPath(Options.LogoutEndpointPath);
}
if (Options.RevocationEndpointPath.HasValue)
{
notification.RevocationEndpoint = notification.Issuer.AddPath(Options.RevocationEndpointPath);
notification.RevocationEndpointAuthenticationMethods.Add(
OpenIdConnectConstants.ClientAuthenticationMethods.ClientSecretBasic);
notification.RevocationEndpointAuthenticationMethods.Add(
OpenIdConnectConstants.ClientAuthenticationMethods.ClientSecretPost);
}
if (Options.TokenEndpointPath.HasValue)
{
notification.TokenEndpoint = notification.Issuer.AddPath(Options.TokenEndpointPath);
notification.TokenEndpointAuthenticationMethods.Add(
OpenIdConnectConstants.ClientAuthenticationMethods.ClientSecretBasic);
notification.TokenEndpointAuthenticationMethods.Add(
OpenIdConnectConstants.ClientAuthenticationMethods.ClientSecretPost);
}
if (Options.UserinfoEndpointPath.HasValue)
{
notification.UserinfoEndpoint = notification.Issuer.AddPath(Options.UserinfoEndpointPath);
}
if (Options.AuthorizationEndpointPath.HasValue)
{
notification.GrantTypes.Add(OpenIdConnectConstants.GrantTypes.Implicit);
if (Options.TokenEndpointPath.HasValue)
{
// Only expose the code grant type and the code challenge methods
// if both the authorization and the token endpoints are enabled.
notification.GrantTypes.Add(OpenIdConnectConstants.GrantTypes.AuthorizationCode);
// Note: supporting S256 is mandatory for authorization servers that implement PKCE.
// See https://tools.ietf.org/html/rfc7636#section-4.2 for more information.
notification.CodeChallengeMethods.Add(OpenIdConnectConstants.CodeChallengeMethods.Plain);
notification.CodeChallengeMethods.Add(OpenIdConnectConstants.CodeChallengeMethods.Sha256);
}
}
if (Options.TokenEndpointPath.HasValue)
{
notification.GrantTypes.Add(OpenIdConnectConstants.GrantTypes.RefreshToken);
notification.GrantTypes.Add(OpenIdConnectConstants.GrantTypes.ClientCredentials);
notification.GrantTypes.Add(OpenIdConnectConstants.GrantTypes.Password);
}
// Only populate response_modes_supported and response_types_supported
// if the authorization endpoint is available.
if (Options.AuthorizationEndpointPath.HasValue)
{
notification.ResponseModes.Add(OpenIdConnectConstants.ResponseModes.FormPost);
notification.ResponseModes.Add(OpenIdConnectConstants.ResponseModes.Fragment);
notification.ResponseModes.Add(OpenIdConnectConstants.ResponseModes.Query);
notification.ResponseTypes.Add(OpenIdConnectConstants.ResponseTypes.Token);
// Only expose response types containing code when
// the token endpoint has not been explicitly disabled.
if (Options.TokenEndpointPath.HasValue)
{
notification.ResponseTypes.Add(OpenIdConnectConstants.ResponseTypes.Code);
notification.ResponseTypes.Add(
OpenIdConnectConstants.ResponseTypes.Code + ' ' +
OpenIdConnectConstants.ResponseTypes.Token);
}
// Only expose the response types containing id_token if an asymmetric signing key is available.
if (Options.SigningCredentials.Any(credentials => credentials.Key is AsymmetricSecurityKey))
{
notification.ResponseTypes.Add(OpenIdConnectConstants.ResponseTypes.IdToken);
notification.ResponseTypes.Add(
OpenIdConnectConstants.ResponseTypes.IdToken + ' ' +
OpenIdConnectConstants.ResponseTypes.Token);
// Only expose response types containing code when
// the token endpoint has not been explicitly disabled.
if (Options.TokenEndpointPath.HasValue)
{
notification.ResponseTypes.Add(
OpenIdConnectConstants.ResponseTypes.Code + ' ' +
OpenIdConnectConstants.ResponseTypes.IdToken);
notification.ResponseTypes.Add(
OpenIdConnectConstants.ResponseTypes.Code + ' ' +
OpenIdConnectConstants.ResponseTypes.IdToken + ' ' +
OpenIdConnectConstants.ResponseTypes.Token);
}
}
}
notification.Scopes.Add(OpenIdConnectConstants.Scopes.OpenId);
notification.SubjectTypes.Add(OpenIdConnectConstants.SubjectTypes.Public);
foreach (var credentials in Options.SigningCredentials)
{
// If the signing key is not an asymmetric key, ignore it.
if (!(credentials.Key is AsymmetricSecurityKey))
{
continue;
}
// Try to resolve the JWA algorithm short name. If a null value is returned, ignore it.
var algorithm = OpenIdConnectServerHelpers.GetJwtAlgorithm(credentials.Algorithm);
if (string.IsNullOrEmpty(algorithm))
{
continue;
}
notification.IdTokenSigningAlgorithms.Add(algorithm);
}
await Provider.HandleConfigurationRequest(notification);
if (notification.Result != null)
{
if (notification.Result.Handled)
{
Logger.LogDebug("The configuration request was handled in user code.");
return(true);
}
else if (notification.Result.Skipped)
{
Logger.LogDebug("The default configuration request handling was skipped from user code.");
return(false);
}
}
else if (notification.IsRejected)
{
Logger.LogError("The configuration request was rejected with the following error: {Error} ; {Description}",
/* Error: */ notification.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
/* Description: */ notification.ErrorDescription);
return(await SendConfigurationResponseAsync(new OpenIdConnectResponse
{
Error = notification.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = notification.ErrorDescription,
ErrorUri = notification.ErrorUri
}));
}
var response = new OpenIdConnectResponse
{
[OpenIdConnectConstants.Metadata.Issuer] = notification.Issuer,
[OpenIdConnectConstants.Metadata.AuthorizationEndpoint] = notification.AuthorizationEndpoint,
[OpenIdConnectConstants.Metadata.TokenEndpoint] = notification.TokenEndpoint,
[OpenIdConnectConstants.Metadata.IntrospectionEndpoint] = notification.IntrospectionEndpoint,
[OpenIdConnectConstants.Metadata.EndSessionEndpoint] = notification.LogoutEndpoint,
[OpenIdConnectConstants.Metadata.RevocationEndpoint] = notification.RevocationEndpoint,
[OpenIdConnectConstants.Metadata.UserinfoEndpoint] = notification.UserinfoEndpoint,
[OpenIdConnectConstants.Metadata.JwksUri] = notification.CryptographyEndpoint,
[OpenIdConnectConstants.Metadata.GrantTypesSupported] = new JArray(notification.GrantTypes),
[OpenIdConnectConstants.Metadata.ResponseTypesSupported] = new JArray(notification.ResponseTypes),
[OpenIdConnectConstants.Metadata.ResponseModesSupported] = new JArray(notification.ResponseModes),
[OpenIdConnectConstants.Metadata.ScopesSupported] = new JArray(notification.Scopes),
[OpenIdConnectConstants.Metadata.IdTokenSigningAlgValuesSupported] = new JArray(notification.IdTokenSigningAlgorithms),
[OpenIdConnectConstants.Metadata.CodeChallengeMethodsSupported] = new JArray(notification.CodeChallengeMethods),
[OpenIdConnectConstants.Metadata.SubjectTypesSupported] = new JArray(notification.SubjectTypes),
[OpenIdConnectConstants.Metadata.TokenEndpointAuthMethodsSupported] = new JArray(notification.TokenEndpointAuthenticationMethods),
[OpenIdConnectConstants.Metadata.IntrospectionEndpointAuthMethodsSupported] = new JArray(notification.IntrospectionEndpointAuthenticationMethods),
[OpenIdConnectConstants.Metadata.RevocationEndpointAuthMethodsSupported] = new JArray(notification.RevocationEndpointAuthenticationMethods)
};
foreach (var metadata in notification.Metadata)
{
response.SetParameter(metadata.Key, metadata.Value);
}
return(await SendConfigurationResponseAsync(response));
}
private async Task <bool> InvokeCryptographyEndpointAsync()
{
// Metadata requests must be made via GET.
// See http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest
if (!string.Equals(Request.Method, "GET", StringComparison.OrdinalIgnoreCase))
{
Logger.LogError("The discovery request was rejected because an invalid " +
"HTTP method was used: {Method}.", Request.Method);
return(await SendCryptographyResponseAsync(null, new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "Invalid HTTP method: make sure to use GET."
}));
}
var request = new OpenIdConnectMessage(Request.Query.ToDictionary());
var context = new ValidateCryptographyRequestContext(Context, Options);
await Options.Provider.ValidateCryptographyRequest(context);
if (!context.IsValidated)
{
Logger.LogError("The discovery request was rejected with the following error: {Error} ; {Description}",
/* Error: */ context.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
/* Description: */ context.ErrorDescription);
return(await SendCryptographyResponseAsync(request, new OpenIdConnectMessage {
Error = context.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = context.ErrorDescription,
ErrorUri = context.ErrorUri
}));
}
var notification = new HandleCryptographyRequestContext(Context, Options, request);
foreach (var credentials in Options.SigningCredentials)
{
// Ignore the key if it's not supported.
if (!(credentials.Key is AsymmetricSecurityKey) &&
!credentials.Key.IsSupportedAlgorithm(SecurityAlgorithms.RsaSha256Signature))
{
Logger.LogInformation("An unsupported signing key was ignored and excluded " +
"from the key set: {Type}. Only asymmetric security keys " +
"supporting RS256, RS384 or RS512 can be exposed " +
"via the JWKS endpoint.", credentials.Key.GetType().Name);
continue;
}
RSA algorithm = null;
// Note: IdentityModel 5 doesn't expose a method allowing to retrieve the underlying algorithm
// from a generic asymmetric security key. To work around this limitation, try to cast
// the security key to the built-in IdentityModel types to extract the required RSA instance.
// See https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/395
var x509SecurityKey = credentials.Key as X509SecurityKey;
if (x509SecurityKey != null)
{
algorithm = (RSA)x509SecurityKey.PublicKey;
}
var rsaSecurityKey = credentials.Key as RsaSecurityKey;
if (rsaSecurityKey != null)
{
algorithm = rsaSecurityKey.Rsa;
// If no RSA instance can be found, create one using
// the RSA parameters attached to the security key.
if (algorithm == null)
{
algorithm = RSA.Create();
algorithm.ImportParameters(rsaSecurityKey.Parameters);
}
}
// Skip the key if a RSA instance cannot be retrieved.
if (algorithm == null)
{
Logger.LogError("A signing key was ignored because it was unable " +
"to provide the requested RSA instance.");
continue;
}
// Export the RSA public key to create a new JSON Web Key
// exposing the exponent and the modulus parameters.
var parameters = algorithm.ExportParameters(includePrivateParameters: false);
Debug.Assert(parameters.Exponent != null, "A null exponent was returned by RSA.ExportParameters()");
Debug.Assert(parameters.Modulus != null, "A null modulus was returned by RSA.ExportParameters()");
var key = new JsonWebKey {
Use = JsonWebKeyUseNames.Sig,
Kty = JsonWebAlgorithmsKeyTypes.RSA,
// Resolve the JWA identifier from the algorithm specified in the credentials.
Alg = OpenIdConnectServerHelpers.GetJwtAlgorithm(credentials.Algorithm),
// Use the key identifier specified
// in the signing credentials.
Kid = credentials.Kid,
// Both E and N must be base64url-encoded.
// See http://tools.ietf.org/html/draft-ietf-jose-json-web-key-31#appendix-A.1
E = Base64UrlEncoder.Encode(parameters.Exponent),
N = Base64UrlEncoder.Encode(parameters.Modulus)
};
// If the signing key is embedded in a X.509 certificate, set
// the x5t and x5c parameters using the certificate details.
var x509Certificate = x509SecurityKey?.Certificate;
if (x509Certificate != null)
{
// x5t must be base64url-encoded.
// See http://tools.ietf.org/html/draft-ietf-jose-json-web-key-31#section-4.8
key.X5t = Base64UrlEncoder.Encode(x509SecurityKey.Certificate.GetCertHash());
// Unlike E or N, the certificates contained in x5c
// must be base64-encoded and not base64url-encoded.
// See http://tools.ietf.org/html/draft-ietf-jose-json-web-key-31#section-4.7
key.X5c.Add(Convert.ToBase64String(x509SecurityKey.Certificate.RawData));
}
notification.Keys.Add(key);
}
await Options.Provider.HandleCryptographyRequest(notification);
if (notification.HandledResponse)
{
return(true);
}
else if (notification.Skipped)
{
return(false);
}
var response = new JObject();
var keys = new JArray();
foreach (var key in notification.Keys)
{
var item = new JObject();
// Ensure a key type has been provided.
// See http://tools.ietf.org/html/draft-ietf-jose-json-web-key-31#section-4.1
if (string.IsNullOrEmpty(key.Kty))
{
Logger.LogError("A JSON Web Key was excluded from the key set because " +
"it didn't contain the mandatory 'kid' parameter.");
continue;
}
// Create a dictionary associating the
// JsonWebKey components with their values.
var parameters = new Dictionary <string, string> {
[JsonWebKeyParameterNames.Kid] = key.Kid,
[JsonWebKeyParameterNames.Use] = key.Use,
[JsonWebKeyParameterNames.Kty] = key.Kty,
[JsonWebKeyParameterNames.Alg] = key.Alg,
[JsonWebKeyParameterNames.E] = key.E,
[JsonWebKeyParameterNames.N] = key.N,
[JsonWebKeyParameterNames.X5t] = key.X5t,
[JsonWebKeyParameterNames.X5u] = key.X5u
};
foreach (var parameter in parameters)
{
if (!string.IsNullOrEmpty(parameter.Value))
{
item.Add(parameter.Key, parameter.Value);
}
}
if (key.KeyOps.Count != 0)
{
item.Add(JsonWebKeyParameterNames.KeyOps, JArray.FromObject(key.KeyOps));
}
if (key.X5c.Count != 0)
{
item.Add(JsonWebKeyParameterNames.X5c, JArray.FromObject(key.X5c));
}
keys.Add(item);
}
response.Add(JsonWebKeyParameterNames.Keys, keys);
return(await SendCryptographyResponseAsync(request, response));
}
private async Task <string> SerializeIdentityTokenAsync(
ClaimsPrincipal principal, AuthenticationProperties properties,
OpenIdConnectRequest request, OpenIdConnectResponse response)
{
// properties.IssuedUtc and properties.ExpiresUtc
// should always be preferred when explicitly set.
if (properties.IssuedUtc == null)
{
properties.IssuedUtc = Options.SystemClock.UtcNow;
}
if (properties.ExpiresUtc == null)
{
properties.ExpiresUtc = properties.IssuedUtc + Options.IdentityTokenLifetime;
}
// Replace the principal by a new one containing only the filtered claims.
// Actors identities are also filtered (delegation scenarios).
principal = principal.Clone(claim => {
// Never exclude ClaimTypes.NameIdentifier.
if (string.Equals(claim.Type, ClaimTypes.NameIdentifier, StringComparison.OrdinalIgnoreCase))
{
return(true);
}
// Claims whose destination is not explicitly referenced or doesn't
// contain "id_token" are not included in the identity token.
return(claim.HasDestination(OpenIdConnectConstants.Destinations.IdentityToken));
});
var identity = (ClaimsIdentity)principal.Identity;
// Create a new ticket containing the updated properties and the filtered principal.
var ticket = new AuthenticationTicket(principal, properties, Options.AuthenticationScheme);
ticket.SetUsage(OpenIdConnectConstants.Usages.IdentityToken);
// Associate a random identifier with the identity token.
ticket.SetTicketId(Guid.NewGuid().ToString());
// By default, add the client_id to the list of the
// presenters allowed to use the identity token.
if (!string.IsNullOrEmpty(request.ClientId))
{
ticket.SetAudiences(request.ClientId);
ticket.SetPresenters(request.ClientId);
}
var notification = new SerializeIdentityTokenContext(Context, Options, request, response, ticket)
{
Issuer = Context.GetIssuer(Options),
SecurityTokenHandler = Options.IdentityTokenHandler,
SigningCredentials = Options.SigningCredentials.FirstOrDefault()
};
await Options.Provider.SerializeIdentityToken(notification);
if (notification.HandledResponse || !string.IsNullOrEmpty(notification.IdentityToken))
{
return(notification.IdentityToken);
}
else if (notification.Skipped)
{
return(null);
}
if (!ReferenceEquals(ticket, notification.Ticket))
{
throw new InvalidOperationException("The authentication ticket cannot be replaced.");
}
if (notification.SecurityTokenHandler == null)
{
return(null);
}
if (!identity.HasClaim(claim => claim.Type == OpenIdConnectConstants.Claims.Subject) &&
!identity.HasClaim(claim => claim.Type == ClaimTypes.NameIdentifier))
{
throw new InvalidOperationException("A unique identifier cannot be found to generate a 'sub' claim: " +
"make sure to add a 'ClaimTypes.NameIdentifier' claim.");
}
if (notification.SigningCredentials == null)
{
throw new InvalidOperationException("A signing key must be provided.");
}
// Extract the main identity from the principal.
identity = (ClaimsIdentity)ticket.Principal.Identity;
// Store the unique subject identifier as a claim.
if (!identity.HasClaim(claim => claim.Type == OpenIdConnectConstants.Claims.Subject))
{
identity.AddClaim(OpenIdConnectConstants.Claims.Subject, identity.GetClaim(ClaimTypes.NameIdentifier));
}
// Remove the ClaimTypes.NameIdentifier claims to avoid getting duplicate claims.
// Note: the "sub" claim is automatically mapped by JwtSecurityTokenHandler
// to ClaimTypes.NameIdentifier when validating a JWT token.
// Note: make sure to call ToArray() to avoid an InvalidOperationException
// on old versions of Mono, where FindAll() is implemented using an iterator.
foreach (var claim in identity.FindAll(ClaimTypes.NameIdentifier).ToArray())
{
identity.RemoveClaim(claim);
}
// Store the "unique_id" property as a claim.
identity.AddClaim(OpenIdConnectConstants.Claims.JwtId, ticket.GetTicketId());
// Store the "usage" property as a claim.
identity.AddClaim(OpenIdConnectConstants.Claims.Usage, ticket.GetUsage());
// Store the "confidentiality_level" property as a claim.
var confidentiality = ticket.GetProperty(OpenIdConnectConstants.Properties.ConfidentialityLevel);
if (!string.IsNullOrEmpty(confidentiality))
{
identity.AddClaim(OpenIdConnectConstants.Claims.ConfidentialityLevel, confidentiality);
}
// Store the audiences as claims.
foreach (var audience in notification.Audiences)
{
identity.AddClaim(OpenIdConnectConstants.Claims.Audience, audience);
}
// If a nonce was present in the authorization request, it MUST
// be included in the id_token generated by the token endpoint.
// See http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
var nonce = request.Nonce;
if (request.IsAuthorizationCodeGrantType())
{
// Restore the nonce stored in the authentication
// ticket extracted from the authorization code.
nonce = ticket.GetProperty(OpenIdConnectConstants.Properties.Nonce);
}
if (!string.IsNullOrEmpty(nonce))
{
identity.AddClaim(OpenIdConnectConstants.Claims.Nonce, nonce);
}
using (var algorithm = OpenIdConnectServerHelpers.GetHashAlgorithm(notification.SigningCredentials.Algorithm)) {
// Create an authorization code hash if necessary.
if (!string.IsNullOrEmpty(response.Code))
{
var hash = algorithm.ComputeHash(Encoding.ASCII.GetBytes(response.Code));
// Note: only the left-most half of the hash of the octets is used.
// See http://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken
identity.AddClaim(OpenIdConnectConstants.Claims.CodeHash, Base64UrlEncoder.Encode(hash, 0, hash.Length / 2));
}
// Create an access token hash if necessary.
if (!string.IsNullOrEmpty(response.AccessToken))
{
var hash = algorithm.ComputeHash(Encoding.ASCII.GetBytes(response.AccessToken));
// Note: only the left-most half of the hash of the octets is used.
// See http://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken
identity.AddClaim(OpenIdConnectConstants.Claims.AccessTokenHash, Base64UrlEncoder.Encode(hash, 0, hash.Length / 2));
}
}
// Extract the presenters from the authentication ticket.
var presenters = notification.Presenters.ToArray();
switch (presenters.Length)
{
case 0: break;
case 1:
identity.AddClaim(OpenIdConnectConstants.Claims.AuthorizedParty, presenters[0]);
break;
default:
Logger.LogWarning("Multiple presenters have been associated with the identity token " +
"but the JWT format only accepts single values.");
// Only add the first authorized party.
identity.AddClaim(OpenIdConnectConstants.Claims.AuthorizedParty, presenters[0]);
break;
}
var token = notification.SecurityTokenHandler.CreateToken(new SecurityTokenDescriptor {
Subject = identity,
Issuer = notification.Issuer,
SigningCredentials = notification.SigningCredentials,
IssuedAt = notification.Ticket.Properties.IssuedUtc?.UtcDateTime,
NotBefore = notification.Ticket.Properties.IssuedUtc?.UtcDateTime,
Expires = notification.Ticket.Properties.ExpiresUtc?.UtcDateTime
});
return(notification.SecurityTokenHandler.WriteToken(token));
}
