public override Task GetProfileDataAsync(IdentityServer3.Core.Models.ProfileDataRequestContext context)
{
// find the user
var subjectId = context.Subject.GetSubjectId();
var user = _userManager.Users.FirstOrDefault(u => u.Id == subjectId);
// add subject as claim
var claims = new List <Claim>
{
new Claim(IdentityServer3.Core.Constants.ClaimTypes.Subject, user.Id),
};
// add the other UserClaims
//claims.AddRange(user.UserClaims.Select<UserClaim, Claim>(uc => new Claim(uc.ClaimType, uc.ClaimValue)));
claims.AddRange(user.Claims.Select(uc => new Claim(uc.ClaimType, uc.ClaimValue)));
// only return the requested claims
if (!context.AllClaimsRequested)
{
claims = claims.Where(x => context.RequestedClaimTypes.Contains(x.Type)).ToList();
}
// set the issued claims - these are the ones that were requested, if available
context.IssuedClaims = claims;
return(Task.FromResult(0));
}
public async Task GetProfileDataAsync(ProfileDataRequestContext context)
{
var profileRequest = Mapper.Map<ProfileDataRequestContext, ProfileDataRequest>(context);
var result = await domainService.GetProfileDataAsync(profileRequest);
context.IssuedClaims = result;
}
public override Task GetProfileDataAsync(IdentityServer3.Core.Models.ProfileDataRequestContext context)
{
using (var userRepository = new UserRepository())
{
// find the user
var user = userRepository.GetUser(context.Subject.GetSubjectId());
// add subject as claim
var claims = new List <Claim>
{
new Claim(Constants.ClaimTypes.Subject, user.Subject),
};
// add the other UserClaims
claims.AddRange(user.UserClaims.Select <UserClaim, Claim>(
uc => new Claim(uc.ClaimType, uc.ClaimValue)));
// only return the requested claims
if (!context.AllClaimsRequested)
{
claims = claims.Where(x => context.RequestedClaimTypes.Contains(x.Type)).ToList();
}
// set the issued claims - these are the ones that were requested, if available
context.IssuedClaims = claims;
return(Task.FromResult(0));
}
}
public override async Task GetProfileDataAsync(ProfileDataRequestContext context)
{
var userName = context.Subject.Identity.Name;
using (var client = new HttpClient { BaseAddress = new Uri(this.usersApiUri) })
{
context.IssuedClaims = await GetClaimsAsync(client, userName, context.RequestedClaimTypes ?? Enumerable.Empty<string>());
}
}
public override async Task GetProfileDataAsync(ProfileDataRequestContext context)
{
var username = GetName(context.Subject);
using (var client = await CreateClientAsync())
{
context.IssuedClaims = await GetClaimsAsync(client, username, context.RequestedClaimTypes ?? Enumerable.Empty<string>());
}
}
public override Task GetProfileDataAsync(ProfileDataRequestContext context)
{
// issue the claims for the user
var user = Users.SingleOrDefault(x => x.Subject == context.Subject.GetSubjectId());
if (user != null)
{
context.IssuedClaims = user.Claims.Where(x => context.RequestedClaimTypes.Contains(x.Type));
}
return Task.FromResult(0);
}
public override Task GetProfileDataAsync(ProfileDataRequestContext context)
{
List<Claim> _claims = new List<Claim>();
Claim _subject = context.Subject.Claims.FirstOrDefault();
if (_subject != null)
{
_claims = this.BuildClaimsForSubject(_subject.Value);
}
context.IssuedClaims = _claims.AsEnumerable();
return Task.FromResult(0);
}
public async Task GetProfileDataAsync(ProfileDataRequestContext context)
{
await this.innerUserService.GetProfileDataAsync(context);
if (context.IssuedClaims == null)
{
return;
}
var userClientClaims = this.claimsService.GetUserClaimsForClient(
context.Client?.ClientId,
context.Subject?.Identity?.Name);
var finalClaims = context.IssuedClaims.Union(userClientClaims);
context.IssuedClaims = finalClaims;
}
public async Task<Dictionary<string, object>> ProcessAsync(string subject, IEnumerable<string> scopes, Client client)
{
Logger.Info("Creating userinfo response");
var profileData = new Dictionary<string, object>();
var requestedClaimTypes = await GetRequestedClaimTypesAsync(scopes);
var principal = Principal.Create("UserInfo", new Claim("sub", subject));
IEnumerable<Claim> profileClaims;
if (requestedClaimTypes.IncludeAllClaims)
{
Logger.InfoFormat("Requested claim types: all");
var context = new ProfileDataRequestContext(
principal,
client,
Constants.ProfileDataCallers.UserInfoEndpoint);
await _users.GetProfileDataAsync(context);
profileClaims = context.IssuedClaims;
}
else
{
Logger.InfoFormat("Requested claim types: {0}", requestedClaimTypes.ClaimTypes.ToSpaceSeparatedString());
var context = new ProfileDataRequestContext(
principal,
client,
Constants.ProfileDataCallers.UserInfoEndpoint,
requestedClaimTypes.ClaimTypes);
await _users.GetProfileDataAsync(context);
profileClaims = context.IssuedClaims;
}
if (profileClaims != null)
{
profileData = profileClaims.ToClaimsDictionary();
Logger.InfoFormat("Profile service returned to the following claim types: {0}", profileClaims.Select(c => c.Type).ToSpaceSeparatedString());
}
else
{
Logger.InfoFormat("Profile service returned no claims (null)");
}
return profileData;
}
public async Task GetProfileDataAsync(ProfileDataRequestContext context)
{
foreach (var service in this.services)
{
try
{
await service.GetProfileDataAsync(context);
if (context.IssuedClaims.Any())
{
return;
}
}
catch
{
// TODO: log
}
}
}
public override async Task<IEnumerable<Claim>> GetAccessTokenClaimsAsync(
ClaimsPrincipal subject, Client client,
IEnumerable<Scope> scopes, ValidatedRequest request)
{
var claimsTask = base.GetAccessTokenClaimsAsync(subject, client, scopes, request);
var data = new ProfileDataRequestContext(subject, client, null, new string[] { Constants.ClaimTypes.Role });
var roleClaimsTask = _users.GetProfileDataAsync(data);
var claims = await Task.WhenAll(claimsTask);
List<IEnumerable<Claim>> lst = new List<IEnumerable<Claim>>();
lst.AddRange(claims);
await Task.WhenAll(roleClaimsTask);
lst.Add(data.IssuedClaims);
var outputClaims = lst.Where(result => result != null)
.SelectMany(claimList => claimList).ToList();
return outputClaims;
}
private async Task<ClaimsIdentity> CreateSubjectAsync(SignInValidationResult validationResult)
{
var profileClaims = new List<Claim>();
var mappedClaims = new List<Claim>();
// get all claims from user service
if (validationResult.RelyingParty.IncludeAllClaimsForUser)
{
var ctx = new ProfileDataRequestContext
{
Subject = validationResult.Subject,
AllClaimsRequested = true
};
await _users.GetProfileDataAsync(ctx);
profileClaims = ctx.IssuedClaims.ToList();
}
else
{
// get only claims that are explicitly mapped (if any)
var claimTypes = validationResult.RelyingParty.ClaimMappings.Keys;
if (claimTypes.Any())
{
var ctx = new ProfileDataRequestContext
{
Subject = validationResult.Subject,
RequestedClaimTypes = claimTypes
};
await _users.GetProfileDataAsync(ctx);
profileClaims = ctx.IssuedClaims.ToList();
}
}
foreach (var claim in profileClaims)
{
string mappedType;
// if an explicit mapping exists, use it
if (validationResult.RelyingParty.ClaimMappings.TryGetValue(claim.Type, out mappedType))
{
// if output claim is a SAML name ID - check is any name ID format is configured
if (mappedType == ClaimTypes.NameIdentifier)
{
var nameId = new Claim(ClaimTypes.NameIdentifier, claim.Value);
if (!string.IsNullOrEmpty(validationResult.RelyingParty.SamlNameIdentifierFormat))
{
nameId.Properties[ClaimProperties.SamlNameIdentifierFormat] = validationResult.RelyingParty.SamlNameIdentifierFormat;
}
mappedClaims.Add(nameId);
}
else
{
mappedClaims.Add(new Claim(mappedType, claim.Value));
}
}
else
{
// otherwise pass-through the claims if flag is set
if (validationResult.RelyingParty.IncludeAllClaimsForUser)
{
string newType = claim.Type;
// if prefix is configured, prefix the claim type
if (!string.IsNullOrWhiteSpace(validationResult.RelyingParty.DefaultClaimTypeMappingPrefix))
{
newType = validationResult.RelyingParty.DefaultClaimTypeMappingPrefix + newType;
}
mappedClaims.Add(new Claim(newType, claim.Value));
}
}
}
if (validationResult.Subject.GetAuthenticationMethod() == Constants.AuthenticationMethods.Password)
{
mappedClaims.Add(new Claim(ClaimTypes.AuthenticationMethod, AuthenticationMethods.Password));
mappedClaims.Add(AuthenticationInstantClaim.Now);
}
return new ClaimsIdentity(mappedClaims, "idsrv");
}
/// <summary>
/// This method is called whenever claims about the user are requested (e.g. during token creation or via the userinfo endpoint)
/// </summary>
/// <param name="context">The context.</param>
/// <returns></returns>
public override Task GetProfileDataAsync(ProfileDataRequestContext context)
{
var query =
from u in _users
where u.Subject == context.Subject.GetSubjectId()
select u;
var user = query.Single();
var claims = new List<Claim>{
new Claim(Constants.ClaimTypes.Subject, user.Subject),
new Claim(Constants.ClaimTypes.ExternalProviderUserId, user.ProviderId)
};
claims.AddRange(user.Claims);
if (!context.AllClaimsRequested)
{
claims = claims.Where(x => context.RequestedClaimTypes.Contains(x.Type)).ToList();
}
context.IssuedClaims = claims;
return Task.FromResult(0);
}
public async Task GetProfileDataAsync(ProfileDataRequestContext context)
{
await this.inMemoryUserService.GetProfileDataAsync(context);
}
public override async Task GetProfileDataAsync(ProfileDataRequestContext context)
{
var user = await _userRepository
.GetUserAsync(context.Subject.GetSubjectId());
var claims = new List<Claim>
{
new Claim(Constants.ClaimTypes.Subject, user.Subject),
}
.Union(
user.UserClaims.Select(c => new Claim(c.ClaimType, c.ClaimValue)))
.Where(c => ClaimIsRequestedOnly(context, c));
context.IssuedClaims = claims;
}
public Task GetProfileDataAsync(ProfileDataRequestContext context)
{
return Task.FromResult(0);
}
/// <summary>
/// This method is called whenever claims about the user are requested (e.g. during token creation or via the userinfo endpoint)
/// </summary>
/// <param name="context">The context.</param>
/// <returns></returns>
public async Task GetProfileDataAsync(ProfileDataRequestContext context)
{
var key = GetKey(context.Subject, context.RequestedClaimTypes);
context.IssuedClaims = await cache.GetAsync(key, async () =>
{
await inner.GetProfileDataAsync(context);
return context.IssuedClaims;
});
}
private static bool ClaimIsRequestedOnly(ProfileDataRequestContext context, Claim claim)
{
return !context.AllClaimsRequested && context.RequestedClaimTypes.Contains(claim.Type);
}
public override Task GetProfileDataAsync(ProfileDataRequestContext context)
{
var subject = context.Subject;
//TODO Use graph client with subject as objectid to query for profile info.
return base.GetProfileDataAsync(context);
}
public async Task GetProfileDataAsync(ProfileDataRequestContext context)
{
if (context.Subject == null)
throw new ArgumentNullException("Subject");
var userId = Guid.Parse(context.Subject.GetSubjectId());
var user = await this.userManager.FindByIdAsync(userId);
if (user == null)
throw new ArgumentException("Invalid subject identifier");
var claims = await this.GetClaimsFromAccountAsync(user);
if (context.RequestedClaimTypes != null && context.RequestedClaimTypes.Any())
claims = claims.Where(x => context.RequestedClaimTypes.Contains(x.Type));
context.IssuedClaims = claims;
}
/// <summary>
/// Returns claims for an identity token.
/// </summary>
/// <param name="subject">The subject.</param>
/// <param name="client">The client.</param>
/// <param name="scopes">The requested scopes.</param>
/// <param name="request">The raw request.</param>
/// <returns>
/// Claims for the access token
/// </returns>
public virtual async Task<IEnumerable<Claim>> GetAccessTokenClaimsAsync(ClaimsPrincipal subject, Client client, IEnumerable<Scope> scopes, ValidatedRequest request)
{
// add client_id
var outputClaims = new List<Claim>
{
new Claim(Constants.ClaimTypes.ClientId, client.ClientId),
};
// check for client claims
if (client.Claims != null && client.Claims.Any())
{
if (subject == null || client.AlwaysSendClientClaims)
{
foreach (var claim in client.Claims)
{
var claimType = claim.Type;
if (client.PrefixClientClaims)
{
claimType = "client_" + claimType;
}
outputClaims.Add(new Claim(claimType, claim.Value, claim.ValueType));
}
}
}
// add scopes
foreach (var scope in scopes)
{
outputClaims.Add(new Claim(Constants.ClaimTypes.Scope, scope.Name));
}
// a user is involved
if (subject != null)
{
outputClaims.AddRange(GetStandardSubjectClaims(subject));
outputClaims.AddRange(GetOptionalClaims(subject));
// if a include all claims rule exists, call the user service without a claims filter
if (scopes.IncludesAllClaimsForUserRule(ScopeType.Resource))
{
var context = new ProfileDataRequestContext(
subject,
client,
Constants.ProfileDataCallers.ClaimsProviderAccessToken);
await _users.GetProfileDataAsync(context);
var claims = FilterProtocolClaims(context.IssuedClaims);
if (claims != null)
{
outputClaims.AddRange(claims);
}
return outputClaims;
}
// fetch all resource claims that need to go into the id token
var additionalClaims = new List<string>();
foreach (var scope in scopes)
{
if (scope.Type == ScopeType.Resource)
{
if (scope.Claims != null)
{
foreach (var scopeClaim in scope.Claims)
{
additionalClaims.Add(scopeClaim.Name);
}
}
}
}
if (additionalClaims.Count > 0)
{
var context = new ProfileDataRequestContext(
subject,
client,
Constants.ProfileDataCallers.ClaimsProviderAccessToken,
additionalClaims.Distinct());
await _users.GetProfileDataAsync(context);
var claims = FilterProtocolClaims(context.IssuedClaims);
if (claims != null)
{
outputClaims.AddRange(claims);
}
}
}
return outputClaims;
}
public override Task GetProfileDataAsync(ProfileDataRequestContext context)
{
var currentUser = dbContext.UserProfiles.FirstOrDefault(x => x.Id.ToString() == context.Subject.GetSubjectId());
var claims = new List<Claim>
{
new Claim("sub", currentUser.Id.ToString())
};
// Add other claims
claims.Add(new Claim(ClaimTypes.Email, currentUser.EmailAddress));
if(!context.AllClaimsRequested)
{
claims = claims.Where(x => context.RequestedClaimTypes.Contains(x.Type)).ToList();
}
context.IssuedClaims = claims;
return Task.FromResult(0);
}
private async Task<ClaimsIdentity> CreateSubjectAsync(SignInValidationResult validationResult)
{
var profileClaims = new List<Claim>();
var mappedClaims = new List<Claim>();
// get all claims from user service
if (validationResult.RelyingParty.IncludeAllClaimsForUser)
{
var ctx = new ProfileDataRequestContext
{
Subject = validationResult.Subject,
AllClaimsRequested = true
};
await _users.GetProfileDataAsync(ctx);
profileClaims = ctx.IssuedClaims.ToList();
}
else
{
// get only claims that are explicitly mapped (if any)
var claimTypes = validationResult.RelyingParty.ClaimMappings.Keys;
if (claimTypes.Any())
{
var ctx = new ProfileDataRequestContext
{
Subject = validationResult.Subject,
RequestedClaimTypes = claimTypes
};
await _users.GetProfileDataAsync(ctx);
profileClaims = ctx.IssuedClaims.ToList();
}
}
foreach (var claim in profileClaims)
{
string mappedType;
// if an explicit mapping exists, use it
if (validationResult.RelyingParty.ClaimMappings.TryGetValue(claim.Type, out mappedType))
{
// if output claim is a SAML name ID - check is any name ID format is configured
if (mappedType == ClaimTypes.NameIdentifier)
{
var nameId = new Claim(ClaimTypes.NameIdentifier, claim.Value);
if (!string.IsNullOrEmpty(validationResult.RelyingParty.SamlNameIdentifierFormat))
{
nameId.Properties[ClaimProperties.SamlNameIdentifierFormat] = validationResult.RelyingParty.SamlNameIdentifierFormat;
}
mappedClaims.Add(nameId);
}
else
{
mappedClaims.Add(new Claim(mappedType, claim.Value));
}
}
else
{
// otherwise pass-through the claims if flag is set
if (validationResult.RelyingParty.IncludeAllClaimsForUser)
{
string newType = claim.Type;
// if prefix is configured, prefix the claim type
if (!string.IsNullOrWhiteSpace(validationResult.RelyingParty.DefaultClaimTypeMappingPrefix))
{
newType = validationResult.RelyingParty.DefaultClaimTypeMappingPrefix + newType;
}
mappedClaims.Add(new Claim(newType, claim.Value));
}
}
}
// The AuthnStatement statement generated from the following 2
// claims is manditory for some service providers (i.e. Shibboleth-Sp).
// The value of the AuthenticationMethod claim must be one of the constants in
// System.IdentityModel.Tokens.AuthenticationMethods.
// Password is the only one that can be directly matched, everything
// else defaults to Unspecified.
if (validationResult.Subject.GetAuthenticationMethod() == Constants.AuthenticationMethods.Password)
{
mappedClaims.Add(new Claim(ClaimTypes.AuthenticationMethod, AuthenticationMethods.Password));
} else {
mappedClaims.Add(new Claim(ClaimTypes.AuthenticationMethod, AuthenticationMethods.Unspecified));
}
mappedClaims.Add(AuthenticationInstantClaim.Now);
var finalClaims = await _customClaimsService.TransformClaimsAsync(validationResult, mappedClaims);
return new ClaimsIdentity(finalClaims, "idsrv");
}
public Task GetProfileDataAsync(ProfileDataRequestContext context)
{
return inner.GetProfileDataAsync(context);
}
/// <summary>
/// Get Profile of User after authentication
/// </summary>
/// <param name="context"></param>
/// <returns></returns>
public override Task GetProfileDataAsync(ProfileDataRequestContext context)
{
try
{
using (var user = GetUser(context.Subject.Identity.Name))
{
if (user != null)
{
var identity = new ClaimsIdentity();
var lstClains = GetDisplayNameForAccountAsync(user);
identity.AddClaims(lstClains);
context.IssuedClaims = identity.Claims;
}
}
return Task.FromResult(0);
}
catch
{
return Task.FromResult(0);
}
}
/// <summary>
/// Returns claims for an identity token
/// </summary>
/// <param name="subject">The subject</param>
/// <param name="client">The client</param>
/// <param name="scopes">The requested scopes</param>
/// <param name="includeAllIdentityClaims">Specifies if all claims should be included in the token, or if the userinfo endpoint can be used to retrieve them</param>
/// <param name="request">The raw request</param>
/// <returns>
/// Claims for the identity token
/// </returns>
public virtual async Task<IEnumerable<Claim>> GetIdentityTokenClaimsAsync(ClaimsPrincipal subject, Client client, IEnumerable<Scope> scopes, bool includeAllIdentityClaims, ValidatedRequest request)
{
Logger.Info("Getting claims for identity token for subject: " + subject.GetSubjectId());
var outputClaims = new List<Claim>(GetStandardSubjectClaims(subject));
outputClaims.AddRange(GetOptionalClaims(subject));
var additionalClaims = new List<string>();
// if a include all claims rule exists, call the user service without a claims filter
if (scopes.IncludesAllClaimsForUserRule(ScopeType.Identity))
{
Logger.Info("All claims rule found - emitting all claims for user.");
var context = new ProfileDataRequestContext(
subject,
client,
Constants.ProfileDataCallers.ClaimsProviderIdentityToken);
await _users.GetProfileDataAsync(context);
var claims = FilterProtocolClaims(context.IssuedClaims);
if (claims != null)
{
outputClaims.AddRange(claims);
}
return outputClaims;
}
// fetch all identity claims that need to go into the id token
foreach (var scope in scopes)
{
if (scope.Type == ScopeType.Identity)
{
foreach (var scopeClaim in scope.Claims)
{
if (includeAllIdentityClaims || scopeClaim.AlwaysIncludeInIdToken)
{
additionalClaims.Add(scopeClaim.Name);
}
}
}
}
if (additionalClaims.Count > 0)
{
var context = new ProfileDataRequestContext(
subject,
client,
Constants.ProfileDataCallers.ClaimsProviderIdentityToken,
additionalClaims);
await _users.GetProfileDataAsync(context);
var claims = FilterProtocolClaims(context.IssuedClaims);
if (claims != null)
{
outputClaims.AddRange(claims);
}
}
return outputClaims;
}
/// <summary>
/// This method is called whenever claims about the user are requested (e.g. during token
/// creation or via the user info endpoint)
/// </summary>
/// <param name="context">The request context.</param>
/// <returns>A "null" result</returns>
public Task GetProfileDataAsync(ProfileDataRequestContext context)
{
context.IssuedClaims = new List<Claim>
{
_databaseClaim
};
return Task.FromResult(0);
}
