/// <summary>
/// Reads the resource owner's consent answer from the incoming request.
/// A POST request is read from the form body and a GET request from the query string;
/// both use the parameter name configured in <c>_options.HandleConsentOptions.ConsentParameterName</c>.
/// Any other HTTP method yields <see cref="ConsentAnswer.InvalidMethod"/>.
/// </summary>
/// <param name="request">The OWIN request to inspect.</param>
/// <returns>The result of <c>ConsentAnswer.TryParse</c> on the raw parameter value, or <c>InvalidMethod</c>.</returns>
async Task <ConsentAnswer> TryGetConsentAnswerAsync(IOwinRequest request)
        {
            // NOTE(review): the answer is accepted from a GET query string as well as from a POST form,
            // and no anti-forgery check is visible in this method. Confirm that the consent page (or a
            // caller) binds the answer to a real user interaction before it is trusted.
            if (request.IsPost())
            {
                IFormCollection postedForm = await request.ReadFormAsync();

                return ConsentAnswer.TryParse(
                    postedForm.Get(_options.HandleConsentOptions.ConsentParameterName));
            }

            if (request.IsGet())
            {
                return ConsentAnswer.TryParse(
                    request.Query.Get(_options.HandleConsentOptions.ConsentParameterName));
            }

            // Neither POST nor GET: let the caller decide how to report it.
            return ConsentAnswer.InvalidMethod;
        }
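        /// <summary>
        /// Handles the authorization endpoint of the implicit flow. The checks run in this order:
        /// a supported scope is configured, the request asks for that scope, a raw JWT can be obtained
        /// (otherwise an authentication challenge is issued), the JWT validates to an authenticated
        /// principal, the transformed identity carries at least one claim, and the consent answer is
        /// accepted or implicit. Only then is an application token created and returned to the client
        /// in the fragment of the redirect URI.
        /// </summary>
        /// <param name="context">The authorize endpoint context for the current request.</param>
        /// <returns>A task that completes once the request was answered, challenged or rejected.</returns>
        public override async Task AuthorizeEndpoint(OAuthAuthorizeEndpointContext context)
        {
            // Used as the return address when the caller first has to authenticate.
            // NOTE(review): Uri.ToString() returns a partly unescaped form; confirm the challenge
            // handler round-trips the original query correctly, or switch to AbsoluteUri here as well.
            string uri = context.Request.Uri.ToString();

            if (string.IsNullOrWhiteSpace(_options.JwtOptions.SupportedScope))
            {
                Error(context, OAuthImplicitFlowError.ServerError, "no supported scope defined");
                return;
            }

            if (!HasSupportedScope(context, _options.JwtOptions.SupportedScope))
            {
                string errorDescription = string.Format("only {0} scope is supported",
                                                        _options.JwtOptions.SupportedScope);
                Error(context, OAuthImplicitFlowError.Scope, errorDescription);
                return;
            }

            string rawJwt = await TryGetRawJwtTokenAsync(context);

            if (string.IsNullOrWhiteSpace(rawJwt))
            {
                // No token yet: ask the authentication middleware to sign the user in and come back.
                context.OwinContext.Authentication.Challenge(new AuthenticationProperties {
                    RedirectUri = uri
                });
                return;
            }

            var             tokenValidator = new TokenValidator();
            ClaimsPrincipal principal      = tokenValidator.Validate(rawJwt, _options.JwtOptions);

            // Fail closed: a missing principal or identity is treated the same as an unauthenticated one
            // instead of surfacing as a NullReferenceException.
            if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            {
                Error(context, OAuthImplicitFlowError.AccessDenied, "unauthorized user, unauthenticated");
                return;
            }

            ClaimsIdentity claimsIdentity = await _options.TransformPrincipal(principal);

            // An absent or empty identity grants nothing, so no token may be issued for it.
            if (claimsIdentity == null || !claimsIdentity.Claims.Any())
            {
                Error(context, OAuthImplicitFlowError.AccessDenied, "unauthorized user");
                return;
            }

            ConsentAnswer consentAnswer = await TryGetConsentAnswerAsync(context.Request);

            if (consentAnswer == ConsentAnswer.Rejected)
            {
                Error(context, OAuthImplicitFlowError.AccessDenied, "resource owner denied request");
                return;
            }

            if (consentAnswer == ConsentAnswer.Missing)
            {
                Error(context, OAuthImplicitFlowError.ServerError,
                      "missing consent answer");
                return;
            }

            // Allow-list: every answer other than Accepted or Implicit is refused.
            if (!(consentAnswer == ConsentAnswer.Accepted || consentAnswer == ConsentAnswer.Implicit))
            {
                Error(context, OAuthImplicitFlowError.ServerError,
                      string.Format("invalid consent answer '{0}'", consentAnswer.Display));
                return;
            }

            string appJwtTokenAsBase64 =
                JwtTokenHelper.CreateSecurityTokenDescriptor(claimsIdentity.Claims, _options.JwtOptions)
                .CreateTokenAsBase64();

            // NOTE(review): the redirect target is taken from the authorize request as-is. Presumably it
            // was matched against the client's registered redirect URI before this method runs; confirm,
            // because the access token is appended to whatever URI is used here.
            var builder = new UriBuilder(context.AuthorizeRequest.RedirectUri);

            const string tokenType = "bearer";

            var fragmentStringBuilder = new StringBuilder();

            // The client-supplied state is echoed back, so every value is percent-encoded
            // before it is placed in the fragment.
            fragmentStringBuilder.AppendFormat("access_token={0}&token_type={1}&state={2}&scope={3}",
                                               Uri.EscapeDataString(appJwtTokenAsBase64), Uri.EscapeDataString(tokenType),
                                               Uri.EscapeDataString(context.AuthorizeRequest.State ?? ""),
                                               Uri.EscapeDataString(_options.JwtOptions.SupportedScope));

            if (consentAnswer == ConsentAnswer.Implicit)
            {
                fragmentStringBuilder.AppendFormat("&consent_type={0}", Uri.EscapeDataString(consentAnswer.Invariant));
            }

            builder.Fragment = fragmentStringBuilder.ToString();

            // AbsoluteUri keeps the percent-encoding applied above. Uri.ToString() returns a partly
            // unescaped representation, which can alter the encoded fragment values in the Location header.
            string redirectUri = builder.Uri.AbsoluteUri;

            context.Response.Redirect(redirectUri);
            context.RequestCompleted();
        }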