public void SetTicket(AuthenticationTicket ticket)
{
if (ticket == null)
throw new ArgumentNullException(nameof(ticket));
Ticket = ticket;
}
/// <summary>
/// Converts a v3 ticket to a v5.
/// </summary>
public static AspNetAuth.AuthenticationTicket Convert(AuthenticationTicket ticket, string authScheme)
{
var newTicket = new AspNetAuth.AuthenticationTicket(new ClaimsPrincipal(ticket.Identity),
ticket.Properties, authScheme);
return(newTicket);
}
public async Task<string> StoreAsync(AuthenticationTicket ticket)
{
var guid = Guid.NewGuid();
var key = KeyPrefix + guid.ToString();
await RenewAsync(key, ticket);
return key;
}
public static AuthenticateResult Success(AuthenticationTicket ticket)
{
if (ticket == null)
{
throw new ArgumentNullException(nameof(ticket));
}
return new AuthenticateResult() { Ticket = ticket };
}
public async Task OnValidatePrincipalThrowsWithEmptyServiceCollection()
{
var scheme = new IdentityOptions().Cookies.ApplicationCookieAuthenticationScheme;
var httpContext = new Mock<HttpContext>();
httpContext.Setup(c => c.RequestServices).Returns(new ServiceCollection().BuildServiceProvider());
var id = new ClaimsPrincipal(new ClaimsIdentity(scheme));
var ticket = new AuthenticationTicket(id, new AuthenticationProperties { IssuedUtc = DateTimeOffset.UtcNow }, scheme);
var context = new CookieValidatePrincipalContext(httpContext.Object, ticket, new CookieAuthenticationOptions());
var ex = await Assert.ThrowsAsync<InvalidOperationException>(() => SecurityStampValidator.ValidatePrincipalAsync(context));
}
public TicketReceivedContext(HttpContext context, RemoteAuthenticationOptions options, AuthenticationTicket ticket)
: base(context)
{
Options = options;
Ticket = ticket;
if (ticket != null)
{
Principal = ticket.Principal;
Properties = ticket.Properties;
}
}
private Task<AuthenticationTicket> AuthenticateCredential(BasicAuthInfo authInfo)
{
AuthenticationTicket ticket = null;
if (authInfo.Credential.Username == "Test" && authInfo.Credential.Password == "Password")
{
ClaimsIdentity identity = new ClaimsIdentity(authInfo.AuthenticationScheme);
identity.AddClaim(new Claim(ClaimTypes.Name, "Test"));
identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, "TestId"));
ClaimsPrincipal principal = new ClaimsPrincipal(identity);
ticket = new AuthenticationTicket(principal, authInfo.Properties, authInfo.AuthenticationScheme);
}
return Task.FromResult(ticket);
}
public AuthenticationTokenCreateContext(HttpContext context, ISecureDataFormat<AuthenticationTicket> secureDataFormat, AuthenticationTicket ticket)
: base(context)
{
if (secureDataFormat == null)
throw new ArgumentNullException(nameof(secureDataFormat));
if (ticket == null)
throw new ArgumentNullException(nameof(ticket));
_secureDataFormat = secureDataFormat;
Ticket = ticket;
}
public Task RenewAsync(string key, AuthenticationTicket ticket)
{
var options = new MemoryCacheEntryOptions();
var expiresUtc = ticket.Properties.ExpiresUtc;
if (expiresUtc.HasValue)
{
options.SetAbsoluteExpiration(expiresUtc.Value);
}
options.SetSlidingExpiration(TimeSpan.FromHours(1)); // TODO: configurable.
_cache.Set(key, ticket, options);
return Task.FromResult(0);
}
/// <summary>
/// Initializes a new instance of the <see cref="OAuthAuthorizationEndpointResponseContext"/> class
/// </summary>
/// <param name="context"></param>
/// <param name="options"></param>
/// <param name="ticket"></param>
/// <param name="tokenEndpointRequest"></param>
public OAuthAuthorizationEndpointResponseContext(HttpContext context, OAuthAuthorizationServerOptions options, AuthenticationTicket ticket, AuthorizeEndpointRequest authorizeEndpointRequest, string accessToken, string authorizationCode)
: base(context, options)
{
if (ticket == null)
{
throw new ArgumentNullException("ticket");
}
Principal = ticket.Principal;
Properties = ticket.Properties;
AuthorizeEndpointRequest = authorizeEndpointRequest;
AdditionalResponseParameters = new Dictionary<string, object>(StringComparer.Ordinal);
AccessToken = accessToken;
AuthorizationCode = authorizationCode;
}
public void CanRoundTripEmptyPrincipal()
{
var serializer = new TicketSerializer();
var properties = new AuthenticationProperties();
properties.RedirectUri = "bye";
var ticket = new AuthenticationTicket(new ClaimsPrincipal(), properties, "Hello");
using (var stream = new MemoryStream())
using (var writer = new BinaryWriter(stream))
using (var reader = new BinaryReader(stream))
{
serializer.Write(writer, ticket);
stream.Position = 0;
var readTicket = serializer.Read(reader);
Assert.Equal(0, readTicket.Principal.Identities.Count());
Assert.Equal("bye", readTicket.Properties.RedirectUri);
Assert.Equal("Hello", readTicket.AuthenticationScheme);
}
}
public string Protect(Microsoft.AspNetCore.Authentication.AuthenticationTicket data)
{
var tokenHandler = new JwtSecurityTokenHandler();
var key = Encoding.ASCII.GetBytes(_secret);
var tokenDescriptor = new SecurityTokenDescriptor
{
Audience = _config.Audience,
Expires = DateTime.UtcNow.AddDays(_expirationDays),
SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature)
};
// Subject = data.Principal. ClaimsIdentity
tokenDescriptor.Issuer = _config.Issuer;
tokenDescriptor.Subject = new ClaimsIdentity(data.Principal.Claims);
var token = tokenHandler.CreateToken(tokenDescriptor);
return(tokenHandler.WriteToken(token));
}
public void CanRoundTripBootstrapContext()
{
var serializer = new TicketSerializer();
var properties = new AuthenticationProperties();
var ticket = new AuthenticationTicket(new ClaimsPrincipal(), properties, "Hello");
ticket.Principal.AddIdentity(new ClaimsIdentity("misc") { BootstrapContext = "bootstrap" });
using (var stream = new MemoryStream())
using (var writer = new BinaryWriter(stream))
using (var reader = new BinaryReader(stream))
{
serializer.Write(writer, ticket);
stream.Position = 0;
var readTicket = serializer.Read(reader);
Assert.Equal(1, readTicket.Principal.Identities.Count());
Assert.Equal("misc", readTicket.Principal.Identity.AuthenticationType);
Assert.Equal("bootstrap", readTicket.Principal.Identities.First().BootstrapContext);
}
}
public async Task OnValidatePrincipalTestSuccess(bool isPersistent)
{
var user = new TestUser("test");
var userManager = MockHelpers.MockUserManager<TestUser>();
var claimsManager = new Mock<IUserClaimsPrincipalFactory<TestUser>>();
var identityOptions = new IdentityOptions { SecurityStampValidationInterval = TimeSpan.Zero };
var options = new Mock<IOptions<IdentityOptions>>();
options.Setup(a => a.Value).Returns(identityOptions);
var httpContext = new Mock<HttpContext>();
var contextAccessor = new Mock<IHttpContextAccessor>();
contextAccessor.Setup(a => a.HttpContext).Returns(httpContext.Object);
var id = new ClaimsIdentity(identityOptions.Cookies.ApplicationCookieAuthenticationScheme);
id.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.Id));
var principal = new ClaimsPrincipal(id);
var properties = new AuthenticationProperties { IssuedUtc = DateTimeOffset.UtcNow, IsPersistent = isPersistent };
var signInManager = new Mock<SignInManager<TestUser>>(userManager.Object,
contextAccessor.Object, claimsManager.Object, options.Object, null);
signInManager.Setup(s => s.ValidateSecurityStampAsync(It.IsAny<ClaimsPrincipal>())).ReturnsAsync(user).Verifiable();
signInManager.Setup(s => s.CreateUserPrincipalAsync(user)).ReturnsAsync(principal).Verifiable();
var services = new ServiceCollection();
services.AddSingleton(options.Object);
services.AddSingleton(signInManager.Object);
services.AddSingleton<ISecurityStampValidator>(new SecurityStampValidator<TestUser>(options.Object, signInManager.Object));
httpContext.Setup(c => c.RequestServices).Returns(services.BuildServiceProvider());
var ticket = new AuthenticationTicket(principal,
properties,
identityOptions.Cookies.ApplicationCookieAuthenticationScheme);
var context = new CookieValidatePrincipalContext(httpContext.Object, ticket, new CookieAuthenticationOptions());
Assert.NotNull(context.Properties);
Assert.NotNull(context.Options);
Assert.NotNull(context.Principal);
await
SecurityStampValidator.ValidatePrincipalAsync(context);
Assert.NotNull(context.Principal);
signInManager.VerifyAll();
}
public void CanRoundTripActorIdentity()
{
var serializer = new TicketSerializer();
var properties = new AuthenticationProperties();
var actor = new ClaimsIdentity("actor");
var ticket = new AuthenticationTicket(new ClaimsPrincipal(), properties, "Hello");
ticket.Principal.AddIdentity(new ClaimsIdentity("misc") { Actor = actor });
using (var stream = new MemoryStream())
using (var writer = new BinaryWriter(stream))
using (var reader = new BinaryReader(stream))
{
serializer.Write(writer, ticket);
stream.Position = 0;
var readTicket = serializer.Read(reader);
Assert.Equal(1, readTicket.Principal.Identities.Count());
Assert.Equal("misc", readTicket.Principal.Identity.AuthenticationType);
var identity = (ClaimsIdentity) readTicket.Principal.Identity;
Assert.NotNull(identity.Actor);
Assert.Equal(identity.Actor.AuthenticationType, "actor");
}
}
public IActionResult Accept() {
var request = HttpContext.GetOpenIdConnectRequest();
// Create a new ClaimsIdentity containing the claims that
// will be used to create an id_token, a token or a code.
var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
identity.AddClaim(ClaimTypes.NameIdentifier, Guid.NewGuid().ToString(),
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
identity.AddClaim(ClaimTypes.Name, "Bob le Bricoleur",
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
// Create a new authentication ticket holding the user identity.
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
OpenIdConnectServerDefaults.AuthenticationScheme);
// Set the list of scopes granted to the client application.
// Note: this sample always grants the "openid", "email" and "profile" scopes
// when they are requested by the client application: a real world application
// would probably display a form allowing to select the scopes to grant.
ticket.SetScopes(new[] {
/* openid: */ OpenIdConnectConstants.Scopes.OpenId,
/* email: */ OpenIdConnectConstants.Scopes.Email,
/* profile: */ OpenIdConnectConstants.Scopes.Profile,
/* offline_access: */ OpenIdConnectConstants.Scopes.OfflineAccess
}.Intersect(request.GetScopes()));
// Returning a SignInResult will ask ASOS to serialize the specified identity to build appropriate tokens.
// Note: you should always make sure the identities you return contain ClaimTypes.NameIdentifier claim.
return SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme);
}
public async Task<IActionResult> Accept(CancellationToken cancellationToken) {
var response = HttpContext.GetOpenIdConnectResponse();
if (response != null) {
return View("Error", response);
}
var request = HttpContext.GetOpenIdConnectRequest();
if (request == null) {
return View("Error", new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.ServerError,
ErrorDescription = "An internal error has occurred"
});
}
// Create a new ClaimsIdentity containing the claims that
// will be used to create an id_token, a token or a code.
var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
// Copy the claims retrieved from the external identity provider
// (e.g Google, Facebook, a WS-Fed provider or another OIDC server).
foreach (var claim in HttpContext.User.Claims) {
// Allow ClaimTypes.Name to be added in the id_token.
// ClaimTypes.NameIdentifier is automatically added, even if its
// destination is not defined or doesn't include "id_token".
// The other claims won't be visible for the client application.
if (claim.Type == ClaimTypes.Name) {
claim.SetDestinations(OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
}
identity.AddClaim(claim);
}
var application = await GetApplicationAsync(request.ClientId, cancellationToken);
if (application == null) {
return View("Error", new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.InvalidClient,
ErrorDescription = "Details concerning the calling client application cannot be found in the database"
});
}
// Create a new ClaimsIdentity containing the claims associated with the application.
// Note: setting identity.Actor is not mandatory but can be useful to access
// the whole delegation chain from the resource server (see ResourceController.cs).
identity.Actor = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
identity.Actor.AddClaim(ClaimTypes.NameIdentifier, application.ApplicationID);
identity.Actor.AddClaim(ClaimTypes.Name, application.DisplayName,
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
// Create a new authentication ticket holding the user identity.
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
OpenIdConnectServerDefaults.AuthenticationScheme);
// Set the list of scopes granted to the client application.
// Note: this sample always grants the "openid", "email" and "profile" scopes
// when they are requested by the client application: a real world application
// would probably display a form allowing to select the scopes to grant.
ticket.SetScopes(new[] {
/* openid: */ OpenIdConnectConstants.Scopes.OpenId,
/* email: */ OpenIdConnectConstants.Scopes.Email,
/* profile: */ OpenIdConnectConstants.Scopes.Profile,
/* offline_access: */ OpenIdConnectConstants.Scopes.OfflineAccess
}.Intersect(request.GetScopes()));
// Set the resources servers the access token should be issued for.
ticket.SetResources("resource_server");
// Returning a SignInResult will ask ASOS to serialize the specified identity to build appropriate tokens.
// Note: you should always make sure the identities you return contain ClaimTypes.NameIdentifier claim.
// In this sample, the identity always contains the name identifier returned by the external provider.
return SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme);
}
public string Protect(Microsoft.AspNetCore.Authentication.AuthenticationTicket data, string purpose)
{
return(Protect(data));
}
private async Task<AuthenticationTicket> CreateTicketAsync(OpenIdConnectRequest request, ApplicationUser user)
{
// Create a new ClaimsPrincipal containing the claims that
// will be used to create an id_token, a token or a code.
var principal = await _signInManager.CreateUserPrincipalAsync(user);
// Note: by default, claims are NOT automatically included in the access and identity tokens.
// To allow OpenIddict to serialize them, you must attach them a destination, that specifies
// whether they should be included in access tokens, in identity tokens or in both.
foreach (var claim in principal.Claims)
{
// In this sample, every claim is serialized in both the access and the identity tokens.
// In a real world application, you'd probably want to exclude confidential claims
// or apply a claims policy based on the scopes requested by the client application.
claim.SetDestinations(OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
}
// Create a new authentication ticket holding the user identity.
var ticket = new AuthenticationTicket(
principal, new AuthenticationProperties(),
OpenIdConnectServerDefaults.AuthenticationScheme);
// Set the list of scopes granted to the client application.
ticket.SetScopes(new[] {
OpenIdConnectConstants.Scopes.OpenId,
OpenIdConnectConstants.Scopes.Email,
OpenIdConnectConstants.Scopes.Profile,
OpenIddictConstants.Scopes.Roles
}.Intersect(request.GetScopes()));
return ticket;
}
public void CanRoundTripClaimProperties()
{
var serializer = new TicketSerializer();
var properties = new AuthenticationProperties();
var claim = new Claim("type", "value", "valueType", "issuer", "original-issuer");
claim.Properties.Add("property-1", "property-value");
// Note: a null value MUST NOT result in a crash
// and MUST instead be treated like an empty string.
claim.Properties.Add("property-2", null);
var ticket = new AuthenticationTicket(new ClaimsPrincipal(), properties, "Hello");
ticket.Principal.AddIdentity(new ClaimsIdentity(new[] { claim }, "misc"));
using (var stream = new MemoryStream())
using (var writer = new BinaryWriter(stream))
using (var reader = new BinaryReader(stream))
{
serializer.Write(writer, ticket);
stream.Position = 0;
var readTicket = serializer.Read(reader);
Assert.Equal(1, readTicket.Principal.Identities.Count());
Assert.Equal("misc", readTicket.Principal.Identity.AuthenticationType);
var readClaim = readTicket.Principal.FindFirst("type");
Assert.NotNull(claim);
Assert.Equal(claim.Type, "type");
Assert.Equal(claim.Value, "value");
Assert.Equal(claim.ValueType, "valueType");
Assert.Equal(claim.Issuer, "issuer");
Assert.Equal(claim.OriginalIssuer, "original-issuer");
var property1 = readClaim.Properties["property-1"];
Assert.Equal(property1, "property-value");
var property2 = readClaim.Properties["property-2"];
Assert.Equal(property2, string.Empty);
}
}
public async Task RenewAsync(string key, AuthenticationTicket ticket)
{
await _bucket.UpsertAsync(key.ConvertSessionKeyToId(_lookupNormalizer), new Session(Serialize(ticket)), _timeout);
}
private async Task<AuthenticationTicket> CreateTicketAsync(OpenIdConnectRequest request, User user)
{
// Set the list of scopes granted to the client application.
// Note: the offline_access scope must be granted
// to allow OpenIddict to return a refresh token.
var scopes = new[] {
OpenIdConnectConstants.Scopes.OpenId,
OpenIdConnectConstants.Scopes.Email,
OpenIdConnectConstants.Scopes.Profile,
OpenIdConnectConstants.Scopes.OfflineAccess,
OpenIdConnectConstants.Scopes.Profile,
OpenIddictConstants.Scopes.Roles
}.Intersect(request.GetScopes());
// Create a new ClaimsPrincipal containing the claims that
// will be used to create an id_token, a token or a code.
var principal = await _signInManager.CreateUserPrincipalAsync(user);
principal.AddIdentity(new ClaimsIdentity(new[]
{
new Claim(ClaimTypes.Name, user.UserName)
}));
// Note: by default, claims are NOT automatically included in the access and identity tokens.
// To allow OpenIddict to serialize them, you must attach them a destination, that specifies
// whether they should be included in access tokens, in identity tokens or in both.
foreach (var claim in principal.Claims)
{
// Always include the user identifier in the
// access token and the identity token.
if (claim.Type == ClaimTypes.NameIdentifier)
{
claim.SetDestinations(OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
}
// Include the name claim, but only if the "profile" scope was requested.
else if (claim.Type == ClaimTypes.Name && scopes.Contains(OpenIdConnectConstants.Scopes.Profile))
{
claim.SetDestinations(OpenIdConnectConstants.Destinations.IdentityToken);
}
// Include the role claims, but only if the "roles" scope was requested.
else if (claim.Type == ClaimTypes.Role && scopes.Contains(OpenIddictConstants.Scopes.Roles))
{
claim.SetDestinations(OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
}
// The other claims won't be added to the access
// and identity tokens and will be kept private.
}
// Create a new authentication ticket holding the user identity.
var ticket = new AuthenticationTicket(
principal,
new AuthenticationProperties(),
OpenIdConnectServerDefaults.AuthenticationScheme);
ticket.SetScopes(scopes);
return ticket;
}
public async Task OnValidateIdentityDoesNotRejectsWhenNotExpired()
{
var user = new TestUser("test");
var httpContext = new Mock<HttpContext>();
var userManager = MockHelpers.MockUserManager<TestUser>();
var claimsManager = new Mock<IUserClaimsPrincipalFactory<TestUser>>();
var identityOptions = new IdentityOptions { SecurityStampValidationInterval = TimeSpan.FromDays(1) };
var options = new Mock<IOptions<IdentityOptions>>();
options.Setup(a => a.Value).Returns(identityOptions);
var contextAccessor = new Mock<IHttpContextAccessor>();
contextAccessor.Setup(a => a.HttpContext).Returns(httpContext.Object);
var signInManager = new Mock<SignInManager<TestUser>>(userManager.Object,
contextAccessor.Object, claimsManager.Object, options.Object, null);
signInManager.Setup(s => s.ValidateSecurityStampAsync(It.IsAny<ClaimsPrincipal>())).Throws(new Exception("Shouldn't be called"));
signInManager.Setup(s => s.SignInAsync(user, false, null)).Throws(new Exception("Shouldn't be called"));
var services = new ServiceCollection();
services.AddSingleton(options.Object);
services.AddSingleton(signInManager.Object);
services.AddSingleton<ISecurityStampValidator>(new SecurityStampValidator<TestUser>(options.Object, signInManager.Object));
httpContext.Setup(c => c.RequestServices).Returns(services.BuildServiceProvider());
var id = new ClaimsIdentity(identityOptions.Cookies.ApplicationCookieAuthenticationScheme);
id.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.Id));
var ticket = new AuthenticationTicket(new ClaimsPrincipal(id),
new AuthenticationProperties { IssuedUtc = DateTimeOffset.UtcNow },
identityOptions.Cookies.ApplicationCookieAuthenticationScheme);
var context = new CookieValidatePrincipalContext(httpContext.Object, ticket, new CookieAuthenticationOptions());
Assert.NotNull(context.Properties);
Assert.NotNull(context.Options);
Assert.NotNull(context.Principal);
await SecurityStampValidator.ValidatePrincipalAsync(context);
Assert.NotNull(context.Principal);
}
public async Task<string> StoreAsync(AuthenticationTicket ticket)
{
var key = Guid.NewGuid().ToString() + ticket.GetHashCode();
await _bucket.InsertAsync(key.ConvertSessionKeyToId(_lookupNormalizer), new Session(Serialize(ticket)), _timeout);
return key;
}
public override Task HandleTokenRequest(HandleTokenRequestContext context) {
// Only handle grant_type=password token requests and let the
// OpenID Connect server middleware handle the other grant types.
if (context.Request.IsPasswordGrantType()) {
// Using password derivation and a time-constant comparer is STRONGLY recommended.
if (!string.Equals(context.Request.Username, "Bob", StringComparison.Ordinal) ||
!string.Equals(context.Request.Password, "P@ssw0rd", StringComparison.Ordinal)) {
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "Invalid user credentials.");
return Task.FromResult(0);
}
// Create a new ClaimsIdentity containing the claims that
// will be used to create an id_token and/or an access token.
var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
identity.AddClaim(ClaimTypes.NameIdentifier, Guid.NewGuid().ToString(),
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
identity.AddClaim(ClaimTypes.Name, "Bob le Bricoleur",
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
// Create a new authentication ticket holding the user identity.
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
OpenIdConnectServerDefaults.AuthenticationScheme);
// Set the list of scopes granted to the client application.
ticket.SetScopes(new[] {
/* openid: */ OpenIdConnectConstants.Scopes.OpenId,
/* email: */ OpenIdConnectConstants.Scopes.Email,
/* profile: */ OpenIdConnectConstants.Scopes.Profile,
/* offline_access: */ OpenIdConnectConstants.Scopes.OfflineAccess
}.Intersect(context.Request.GetScopes()));
context.Validate(ticket);
}
return Task.FromResult(0);
}
string Serialize(AuthenticationTicket ticket)
{
var bytes = _ticketSerializer.Serialize(ticket);
return Convert.ToBase64String(bytes);
}
private async Task<AuthenticationTicket> CreateTicketAsync(OpenIdConnectRequest request, User user)
{
// Set the list of scopes granted to the client application.
// Note: the offline_access scope must be granted
// to allow OpenIddict to return a refresh token.
var scopes = new[]
{
OpenIdConnectConstants.Scopes.OpenId,
OpenIdConnectConstants.Scopes.Email,
OpenIdConnectConstants.Scopes.Profile,
OpenIdConnectConstants.Scopes.OfflineAccess,
OpenIddictConstants.Scopes.Roles
};// .Intersect(request.GetScopes());
// Create a new ClaimsPrincipal containing the claims that
// will be used to create an id_token, a token or a code.
var principal = await _signInManager.CreateUserPrincipalAsync(user);
// Note: by default, claims are NOT automatically included in the access and identity tokens.
// To allow OpenIddict to serialize them, you must attach them a destination, that specifies
// whether they should be included in access tokens, in identity tokens or in both.
foreach (var claim in principal.Claims)
{
// Always include the user identifier in the
// access token and the identity token.
if (claim.Type == ClaimTypes.NameIdentifier)
{
claim.SetDestinations(OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
}
// Include the name claim, but only if the "profile" scope was requested.
else if (claim.Type == ClaimTypes.Name && scopes.Contains(OpenIdConnectConstants.Scopes.Profile))
{
claim.SetDestinations(OpenIdConnectConstants.Destinations.IdentityToken);
}
// Include the role claims, but only if the "roles" scope was requested.
else if (claim.Type == ClaimTypes.Role && scopes.Contains(OpenIddictConstants.Scopes.Roles))
{
claim.SetDestinations(OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
}
// The other claims won't be added to the access
// and identity tokens and will be kept private.
}
List<Claim> roles = principal.Claims.Where(c => c.Type == ClaimTypes.Role).ToList();
// Create a new authentication ticket holding the user identity.
var ticket = new AuthenticationTicket(
principal, new AuthenticationProperties()
{
AllowRefresh = true,
ExpiresUtc = DateTimeOffset.Now.AddDays(14),
IsPersistent = true,
Items = { new KeyValuePair<string, string>(".roles", string.Join(", ", roles.Select(r => r.Value))) }
},
OpenIdConnectServerDefaults.AuthenticationScheme);
// ticket.SetResources(request.GetResources());
ticket.SetScopes(scopes);
return ticket;
}
public override async Task HandleTokenRequest(HandleTokenRequestContext context)
{
// Resolve ASP.NET Core Identity's user manager from the DI container.
var manager = context.HttpContext.RequestServices.GetRequiredService<UserManager<ApplicationUser>>();
// Only handle grant_type=password requests and let ASOS
// process grant_type=refresh_token requests automatically.
if (context.Request.IsPasswordGrantType())
{
var user = await manager.FindByNameAsync(context.Request.Username);
if (user == null)
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "Invalid credentials.");
return;
}
// Ensure the user is not already locked out.
if (manager.SupportsUserLockout && await manager.IsLockedOutAsync(user))
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "Invalid credentials.");
return;
}
// Ensure the password is valid.
if (!await manager.CheckPasswordAsync(user, context.Request.Password))
{
if (manager.SupportsUserLockout)
{
await manager.AccessFailedAsync(user);
}
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "Invalid credentials.");
return;
}
if (manager.SupportsUserLockout)
{
await manager.ResetAccessFailedCountAsync(user);
}
// Reject the token request if two-factor authentication has been enabled by the user.
if (manager.SupportsUserTwoFactor && await manager.GetTwoFactorEnabledAsync(user))
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "Two-factor authentication is required for this account.");
return;
}
var identity = new ClaimsIdentity(context.Options.AuthenticationScheme);
// Note: the name identifier is always included in both identity and
// access tokens, even if an explicit destination is not specified.
identity.AddClaim(ClaimTypes.NameIdentifier, await manager.GetUserIdAsync(user));
// When adding custom claims, you MUST specify one or more destinations.
// Read "part 7" for more information about custom claims and scopes.
identity.AddClaim("username", await manager.GetUserNameAsync(user),
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
identity.AddClaim("firstName", user.FirstName, OpenIdConnectConstants.Destinations.IdentityToken);
//Add roles
var roles = await manager.GetRolesAsync(user);
var roleClaims = new List<Claim>();
foreach(var role in roles)
{
identity.AddClaim(ClaimTypes.Role, role, OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
}
var estheticians = (IEstheticianService)context.HttpContext.RequestServices.GetService(typeof(IEstheticianService));
var esthetician = await estheticians.GetByEmailAsync(user.Email);
if (esthetician != null)
{
identity.AddClaim("estheticianId", esthetician.Id.ToString(), OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
}
// Create a new authentication ticket holding the user identity.
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
context.Options.AuthenticationScheme);
// Set the list of scopes granted to the client application.
ticket.SetScopes(
/* openid: */ OpenIdConnectConstants.Scopes.OpenId,
/* email: */ OpenIdConnectConstants.Scopes.Email,
/* profile: */ OpenIdConnectConstants.Scopes.Profile,
/* offline_access */ OpenIdConnectConstants.Scopes.OfflineAccess);
// Set the resource servers the access token should be issued for.
ticket.SetResources("resource_server");
context.Validate(ticket);
}
}
private async Task <Microsoft.AspNetCore.Authentication.AuthenticationTicket> CreateTicketAsync(OpenIdConnectRequest request, User user, AuthenticationProperties properties = null)
{
var identity = new ClaimsIdentity(
OpenIdConnectServerDefaults.AuthenticationScheme,
OpenIdConnectConstants.Claims.Name,
OpenIdConnectConstants.Claims.Role);
//var roleNames = await _repository.GetUserManager().GetRolesAsync(user);
var permissionClaims = new List <string>();
// Get all the roles and add them to the role claim
foreach (var userRole in user.Roles)
{
identity.AddClaim(OpenIdConnectConstants.Claims.Role, userRole.Role.Name,
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
//var role = await _repository.GetRoleManager().FindByNameAsync(roleName);
// Get all the permission claims of the role
permissionClaims.AddRange(userRole.Role.Claims.Select(c => c.ClaimValue));//await _repository.GetRoleManager().GetClaimsAsync());
}
// Get all the permission claims of the user if any
// add check for permission claim - not needed access claims through roles only
// permissionClaims.AddRange(await _repository.GetUserManager().GetClaimsAsync(user));
identity.AddClaim(OpenIdConnectConstants.Claims.Subject, user.Id,
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
identity.AddClaim(OpenIdConnectConstants.Claims.Email, user.Email,
OpenIdConnectConstants.Destinations.IdentityToken);
identity.AddClaim(OpenIdConnectConstants.Claims.Name, user.Name,
OpenIdConnectConstants.Destinations.IdentityToken);
if (user is ITenantEntity)
{
identity.AddClaim(CustomClaimTypes.TenantId, user.TenantId,
OpenIdConnectConstants.Destinations.AccessToken);
}
// Create a new authentication ticket holding the user identity.
var ticket = new Microsoft.AspNetCore.Authentication.AuthenticationTicket(
new ClaimsPrincipal(identity), null,
OpenIdConnectServerDefaults.AuthenticationScheme);
// Set the list of scopes granted to the client application.
// Note: the offline_access scope must be granted
// to allow OpenIddict to return a refresh token.
var scopes = new List <string> {
OpenIdConnectConstants.Scopes.OpenId,
OpenIdConnectConstants.Scopes.Email,
OpenIdConnectConstants.Scopes.Profile,
OpenIdConnectConstants.Scopes.OfflineAccess,
OpenIddictConstants.Scopes.Roles
}.Intersect(request.GetScopes()).ToList();
// Add permission claims to scope
foreach (var claim in permissionClaims)
{
scopes.Add(claim);
}
ticket.SetScopes(scopes);
ticket.SetAudiences(_appOptions.Jwt.Audiences);
ticket.SetAccessTokenLifetime(TimeSpan.FromSeconds(_appOptions.Jwt.AccessTokenLifetime));
ticket.SetIdentityTokenLifetime(TimeSpan.FromSeconds(_appOptions.Jwt.IdentityTokenLifetime));
ticket.SetRefreshTokenLifetime(TimeSpan.FromSeconds(_appOptions.Jwt.RefreshTokenLifetime));
return(ticket);
}
private AuthenticationProperties CreateAuthenticationProperties(ClaimsPrincipal principal)
{
var ticket = new AuthenticationTicket(principal, null, OpenIdConnectServerDefaults.AuthenticationScheme);
ticket.SetResources(_configuration.WebHostName());
ticket.SetScopes(OpenIdConnectConstants.Scopes.OpenId, OpenIdConnectConstants.Scopes.Email, OpenIdConnectConstants.Scopes.Profile, OpenIdConnectConstants.Scopes.OfflineAccess);
return ticket.Properties;
}
private async Task CreateOrUpdateUserAsync(AuthenticationTicket authenticationTicket, UserManager userManager, Tenant tenant)
{
Guard.ArgumentNotNull(authenticationTicket, nameof(authenticationTicket));
Guard.ArgumentNotNull(userManager, nameof(userManager));
Guard.ArgumentNotNull(tenant, nameof(tenant));
var principal = authenticationTicket.Principal;
string objectIdentifier = principal.GetObjectIdentifierValue();
string displayName = principal.GetDisplayNameValue();
string email = principal.GetEmailValue();
var user = await userManager.FindByObjectIdentifier(objectIdentifier)
.ConfigureAwait(false);
if (user == null)
{
// The user isn't in our database, so add them.
user = new User
{
Created = DateTimeOffset.UtcNow,
ObjectId = objectIdentifier,
TenantId = tenant.Id,
DisplayName = displayName,
Email = email
};
await userManager.CreateAsync(user)
.ConfigureAwait(false);
}
else
{
// Since we aren't the system of record, we need to attempt to keep our display values in sync with the user store.
// We'll do a simple form of it here.
bool shouldSaveUser = false;
if (!user.DisplayName.Equals(displayName, StringComparison.OrdinalIgnoreCase))
{
user.DisplayName = displayName;
shouldSaveUser = true;
}
// Do a case insensitive comparison for email matching
if (!user.Email.Equals(email, StringComparison.OrdinalIgnoreCase))
{
user.Email = email;
shouldSaveUser = true;
}
if (shouldSaveUser)
{
await userManager
.UpdateAsync(user)
.ConfigureAwait(false);
}
}
// Add in the survey user id claim.
principal.Identities.First().AddClaim(new Claim(SurveyClaimTypes.SurveyUserIdClaimType, user.Id.ToString()));
// Add in the user's tenant id claim.
principal.Identities.First().AddClaim(new Claim(SurveyClaimTypes.SurveyTenantIdClaimType, user.TenantId.ToString()));
}
