/// <summary>
/// Custom validation logic for the token request.
/// </summary>
/// <param name="request">The validated request.</param>
/// <returns>
/// The validation result
/// </returns>
public Task<ValidationResult> ValidateTokenRequestAsync(ValidatedTokenRequest request)
{
return Task.FromResult(new ValidationResult
{
IsError = false
});
}
public TokenRequestValidationLog(ValidatedTokenRequest request)
{
if (request.Options.LoggingOptions.IncludeSensitiveDataInLogs)
{
Raw = request.Raw.ToDictionary();
}
if (request.Client != null)
{
ClientId = request.Client.ClientId;
ClientName = request.Client.ClientName;
}
if (request.Scopes != null)
{
Scopes = request.Scopes.ToSpaceSeparatedString();
}
if (request.SignInMessage != null)
{
IdP = request.SignInMessage.IdP;
Tenant = request.SignInMessage.Tenant;
AuthenticationContextReferenceClasses = request.SignInMessage.AcrValues;
}
GrantType = request.GrantType;
AuthorizationCode = request.AuthorizationCodeHandle;
RefreshToken = request.RefreshTokenHandle;
UserName = request.UserName;
}
public async Task<CustomGrantValidationResult> ValidateAsync(ValidatedTokenRequest request)
{
if (request.GrantType != "legacy_account_store")
{
Logger.Error("unknown custom grant type");
return null;
}
var legacyAccountStoreType = request.Raw.Get("account_store");
var id = request.Raw.Get("legacy_id");
var secret = request.Raw.Get("legacy_secret");
if (string.IsNullOrWhiteSpace(legacyAccountStoreType) ||
string.IsNullOrWhiteSpace(id) ||
string.IsNullOrWhiteSpace(secret))
{
Logger.Error("malformed request");
return null;
}
var message = new SignInMessage { Tenant = legacyAccountStoreType };
var result = await _users.AuthenticateLocalAsync(id, secret, message);
if (result.IsError)
{
Logger.Error("authentication failed");
return new CustomGrantValidationResult("Authentication failed.");
}
return new CustomGrantValidationResult(
result.User.GetSubjectId(),
"custom",
result.User.Claims);
}
public Task<CustomGrantValidationResult> ValidateAsync(ValidatedTokenRequest request)
{
if (request.GrantType == "custom_grant")
{
return Task.FromResult(new CustomGrantValidationResult("bob", "CustomGrant"));
};
return Task.FromResult<CustomGrantValidationResult>(null);
}
Task<CustomGrantValidationResult> ICustomGrantValidator.ValidateAsync(ValidatedTokenRequest request)
{
var param = request.Raw.Get("some_custom_parameter");
if (string.IsNullOrWhiteSpace(param))
{
return Task.FromResult<CustomGrantValidationResult>(
new CustomGrantValidationResult("Missing parameters."));
}
return Task.FromResult(new CustomGrantValidationResult("bob", "customGrant"));
}
public Task<CustomGrantValidationResult> ValidateAsync(ValidatedTokenRequest request)
{
if (request.GrantType == "customGrant")
{
return Task.FromResult(new CustomGrantValidationResult
{
Principal = Principal.Create("CustomGrant", new Claim("sub", "bob"))
});
};
return Task.FromResult<CustomGrantValidationResult>(null);
}
public async Task<TokenResponse> ProcessAsync(ValidatedTokenRequest request)
{
Logger.Info("Creating token response");
if (request.GrantType == Constants.GrantTypes.AuthorizationCode)
{
return await ProcessAuthorizationCodeRequestAsync(request);
}
if (request.GrantType == Constants.GrantTypes.RefreshToken)
{
return await ProcessRefreshTokenRequestAsync(request);
}
return await ProcessTokenRequestAsync(request);
}
private async Task<TokenResponse> ProcessAuthorizationCodeRequestAsync(ValidatedTokenRequest request)
{
Logger.Info("Processing authorization code request");
//////////////////////////
// access token
/////////////////////////
var accessToken = await CreateAccessTokenAsync(request);
var response = new TokenResponse
{
AccessToken = accessToken.Item1,
AccessTokenLifetime = request.Client.AccessTokenLifetime
};
//////////////////////////
// refresh token
/////////////////////////
if (accessToken.Item2.IsPresent())
{
response.RefreshToken = accessToken.Item2;
}
//////////////////////////
// id token
/////////////////////////
if (request.AuthorizationCode.IsOpenId)
{
var tokenRequest = new TokenCreationRequest
{
Subject = request.AuthorizationCode.Subject,
Client = request.AuthorizationCode.Client,
Scopes = request.AuthorizationCode.RequestedScopes,
Nonce = request.AuthorizationCode.Nonce,
ValidatedRequest = request
};
var idToken = await _tokenService.CreateIdentityTokenAsync(tokenRequest);
var jwt = await _tokenService.CreateSecurityTokenAsync(idToken);
response.IdentityToken = jwt;
}
return response;
}
public async Task <ValidationResult> ValidateRequestAsync(NameValueCollection parameters, Client client)
{
Logger.Info("Start token request validation");
_validatedRequest = new ValidatedTokenRequest();
if (client == null)
{
throw new ArgumentNullException("client");
}
if (parameters == null)
{
throw new ArgumentNullException("parameters");
}
_validatedRequest.Raw = parameters;
_validatedRequest.Client = client;
_validatedRequest.Options = _options;
/////////////////////////////////////////////
// check grant type
/////////////////////////////////////////////
var grantType = parameters.Get(Constants.TokenRequest.GrantType);
if (grantType.IsMissing())
{
LogError("Grant type is missing.");
return(Invalid(Constants.TokenErrors.UnsupportedGrantType));
}
if (grantType.Length > Constants.MaxGrantTypeLength)
{
LogError("Grant type is too long.");
return(Invalid(Constants.TokenErrors.UnsupportedGrantType));
}
_validatedRequest.GrantType = grantType;
// standard grant types
switch (grantType)
{
case Constants.GrantTypes.AuthorizationCode:
return(await RunValidationAsync(ValidateAuthorizationCodeRequestAsync, parameters));
case Constants.GrantTypes.ClientCredentials:
return(await RunValidationAsync(ValidateClientCredentialsRequestAsync, parameters));
case Constants.GrantTypes.Password:
return(await RunValidationAsync(ValidateResourceOwnerCredentialRequestAsync, parameters));
case Constants.GrantTypes.RefreshToken:
return(await RunValidationAsync(ValidateRefreshTokenRequestAsync, parameters));
}
// custom grant type
var result = await RunValidationAsync(ValidateCustomGrantRequestAsync, parameters);
if (result.IsError)
{
if (result.Error.IsPresent())
{
return(result);
}
LogError("Unsupported grant_type: " + grantType);
return(Invalid(Constants.TokenErrors.UnsupportedGrantType));
}
return(result);
}
/// <summary>
/// Validates the custom grant request.
/// </summary>
/// <param name="request">The validated token request.</param>
/// <returns>
/// A principal
/// </returns>
public Task<CustomGrantValidationResult> ValidateAsync(ValidatedTokenRequest request)
{
return Task.FromResult<CustomGrantValidationResult>(null);
}
public async Task<ValidationResult> ValidateRequestAsync(NameValueCollection parameters, Client client)
{
Logger.Info("Start token request validation");
_validatedRequest = new ValidatedTokenRequest();
if (client == null)
{
throw new ArgumentNullException("client");
}
if (parameters == null)
{
throw new ArgumentNullException("parameters");
}
_validatedRequest.Raw = parameters;
_validatedRequest.Client = client;
_validatedRequest.Options = _options;
/////////////////////////////////////////////
// check grant type
/////////////////////////////////////////////
var grantType = parameters.Get(Constants.TokenRequest.GrantType);
if (grantType.IsMissing())
{
LogError("Grant type is missing.");
return Invalid(Constants.TokenErrors.UnsupportedGrantType);
}
_validatedRequest.GrantType = grantType;
// standard grant types
switch (grantType)
{
case Constants.GrantTypes.AuthorizationCode:
return await RunValidationAsync(ValidateAuthorizationCodeRequestAsync, parameters);
case Constants.GrantTypes.ClientCredentials:
return await RunValidationAsync(ValidateClientCredentialsRequestAsync, parameters);
case Constants.GrantTypes.Password:
return await RunValidationAsync(ValidateResourceOwnerCredentialRequestAsync, parameters);
case Constants.GrantTypes.RefreshToken:
return await RunValidationAsync(ValidateRefreshTokenRequestAsync, parameters);
}
// custom grant type
var result = await RunValidationAsync(ValidateCustomGrantRequestAsync, parameters);
if (result.IsError)
{
if (result.Error.IsPresent())
{
return result;
}
LogError("Unsupported grant_type: " + grantType);
return Invalid(Constants.TokenErrors.UnsupportedGrantType);
}
return result;
}
private async Task<Tuple<string, string>> CreateAccessTokenAsync(ValidatedTokenRequest request)
{
TokenCreationRequest tokenRequest;
bool createRefreshToken;
if (request.AuthorizationCode != null)
{
createRefreshToken = request.AuthorizationCode.RequestedScopes.Select(s => s.Name).Contains(Constants.StandardScopes.OfflineAccess);
tokenRequest = new TokenCreationRequest
{
Subject = request.AuthorizationCode.Subject,
Client = request.AuthorizationCode.Client,
Scopes = request.AuthorizationCode.RequestedScopes,
ValidatedRequest = request
};
}
else
{
createRefreshToken = request.ValidatedScopes.ContainsOfflineAccessScope;
tokenRequest = new TokenCreationRequest
{
Subject = request.Subject,
Client = request.Client,
Scopes = request.ValidatedScopes.GrantedScopes,
ValidatedRequest = request
};
}
Token accessToken = await _tokenService.CreateAccessTokenAsync(tokenRequest);
string refreshToken = "";
if (createRefreshToken)
{
refreshToken = await _refreshTokenService.CreateRefreshTokenAsync(accessToken, request.Client);
}
var securityToken = await _tokenService.CreateSecurityTokenAsync(accessToken);
return Tuple.Create(securityToken, refreshToken);
}
private async Task<TokenResponse> ProcessRefreshTokenRequestAsync(ValidatedTokenRequest request)
{
Logger.Info("Processing refresh token request");
var oldAccessToken = request.RefreshToken.AccessToken;
oldAccessToken.CreationTime = DateTimeOffset.UtcNow;
oldAccessToken.Lifetime = request.Client.AccessTokenLifetime;
var newAccessToken = await _tokenService.CreateSecurityTokenAsync(oldAccessToken);
var handle = await _refreshTokenService.UpdateRefreshTokenAsync(request.RefreshTokenHandle, request.RefreshToken, request.Client);
return new TokenResponse
{
AccessToken = newAccessToken,
AccessTokenLifetime = request.Client.AccessTokenLifetime,
RefreshToken = handle
};
}
private async Task<TokenResponse> ProcessTokenRequestAsync(ValidatedTokenRequest request)
{
Logger.Info("Processing token request");
var accessToken = await CreateAccessTokenAsync(request);
var response = new TokenResponse
{
AccessToken = accessToken.Item1,
AccessTokenLifetime = request.Client.AccessTokenLifetime
};
if (accessToken.Item2.IsPresent())
{
response.RefreshToken = accessToken.Item2;
}
return response;
}
private async Task<TokenResponse> ProcessRefreshTokenRequestAsync(ValidatedTokenRequest request)
{
Logger.Info("Processing refresh token request");
var oldAccessToken = request.RefreshToken.AccessToken;
string accessTokenString;
if (request.Client.UpdateAccessTokenClaimsOnRefresh)
{
// re-create original subject
var subject = IdentityServerPrincipal.FromClaims(oldAccessToken.Claims, allowMissing: true);
var creationRequest = new TokenCreationRequest
{
Client = request.Client,
Subject = subject,
ValidatedRequest = request,
Scopes = await _scopes.FindScopesAsync(oldAccessToken.Scopes)
};
var newAccessToken = await _tokenService.CreateAccessTokenAsync(creationRequest);
accessTokenString = await _tokenService.CreateSecurityTokenAsync(newAccessToken);
}
else
{
oldAccessToken.CreationTime = DateTimeOffsetHelper.UtcNow;
oldAccessToken.Lifetime = request.Client.AccessTokenLifetime;
accessTokenString = await _tokenService.CreateSecurityTokenAsync(oldAccessToken);
}
var handle = await _refreshTokenService.UpdateRefreshTokenAsync(request.RefreshTokenHandle, request.RefreshToken, request.Client);
return new TokenResponse
{
AccessToken = accessTokenString,
AccessTokenLifetime = request.Client.AccessTokenLifetime,
RefreshToken = handle
};
}
