/// <summary> /// Grant a new access_token based on the current refresh_token. Here we couldvalidate whether the /// refresh token is still valid or revoked. /// </summary> public override async Task GrantRefreshToken(GrantRefreshTokenContext context) { var originalClient = context.AuthenticationTicket.Properties.Items["client_id"]; if (originalClient != context.ClientId) { context.Rejected("invalid_clientId", "Refresh token is issued to a different clientId."); return; } var properties = context.AuthenticationTicket.Properties; var validator = new RefreshTokenValidator(context.Request.RefreshToken, properties.Items["client_id"], context.AuthenticationTicket.Principal.GetClaim(ClaimTypes.NameIdentifier)); var result = await ExecuteMessage(context, validator); if (!result.Succeeded) { context.Rejected(OpenIdConnectConstants.Errors.InvalidRequest, "Could not validate refresh_token."); return; } var principal = new ClaimsPrincipal(context.AuthenticationTicket.Principal); var ticket = CreateAuthenticationTicket(principal, context.AuthenticationTicket.Properties, context.Options, context); context.Validated(ticket); }
public override async Task GrantRefreshToken([NotNull] GrantRefreshTokenContext context) { var manager = context.HttpContext.RequestServices.GetRequiredService <OpenIddictManager <TUser, TApplication> >(); var options = context.HttpContext.RequestServices.GetRequiredService <IOptions <IdentityOptions> >(); // If the user manager doesn't support security // stamps, skip the default validation logic. if (!manager.SupportsUserSecurityStamp) { return; } var principal = context.AuthenticationTicket?.Principal; Debug.Assert(principal != null); var user = await manager.FindByIdAsync(principal.GetUserId()); if (user == null) { context.Reject( error: OpenIdConnectConstants.Errors.InvalidGrant, description: "The refresh token is no longer valid."); return; } var identifier = principal.GetClaim(options.Value.ClaimsIdentity.SecurityStampClaimType); if (!string.IsNullOrEmpty(identifier) && !string.Equals(identifier, await manager.GetSecurityStampAsync(user), StringComparison.Ordinal)) { context.Reject( error: OpenIdConnectConstants.Errors.InvalidGrant, description: "The refresh token is no longer valid."); return; } // Note: the "scopes" property stored in context.AuthenticationTicket is automatically // updated by ASOS when the client application requests a restricted scopes collection. var identity = await manager.CreateIdentityAsync(user, context.AuthenticationTicket.GetScopes()); Debug.Assert(identity != null); // Create a new authentication ticket holding the user identity but // reuse the authentication properties stored in the refresh token. var ticket = new AuthenticationTicket( new ClaimsPrincipal(identity), context.AuthenticationTicket.Properties, context.Options.AuthenticationScheme); context.Validate(ticket); }
public async Task InvokeAsync(HttpContext context, IJwtSecurityTokenService iJwtSecurityTokenService) { var baseValidatingContext = default(BaseValidatingContext); var grantType = this.GetGrantType(context); switch (grantType) { case Parameters.Password: baseValidatingContext = GrantResourceOwnerCredentialsContext.Create(context); if (baseValidatingContext != null) { await jwtServerOptions.AuthorizationServerProvider.GrantClientCredentialsAsync ((GrantResourceOwnerCredentialsContext)baseValidatingContext); } break; case Parameters.RefreshToken: baseValidatingContext = GrantRefreshTokenContext.Create(context); if (baseValidatingContext != null) { await jwtServerOptions.AuthorizationServerProvider.GrantRefreshTokenAsync ((GrantRefreshTokenContext)baseValidatingContext); } break; default: break; } if (baseValidatingContext != null) { if (baseValidatingContext.IsValidated) { var token = await iJwtSecurityTokenService.CreateAsync(baseValidatingContext, jwtServerOptions); await WriteResponseAsync(context, JsonConvert.SerializeObject(token)); } else { await WriteResponseError(context, baseValidatingContext.Error); } } }
/// <summary> /// Grant a new access_token based on the current refresh_token. Here we couldvalidate whether the /// refresh token is still valid or revoked. /// </summary> public override async Task GrantRefreshToken(GrantRefreshTokenContext context) { var validator = new RefreshTokenValidator( context.Ticket.GetTicketId(), context.ClientId, context.Ticket.Principal.GetClaim(ClaimTypes.NameIdentifier)); var result = await ExecuteMessage(context, validator); if (!result.Succeeded) { context.Reject(OpenIdConnectConstants.Errors.InvalidRequest, "Could not validate refresh_token."); return; } var principal = new ClaimsPrincipal(context.Ticket.Principal); var ticket = CreateAuthenticationTicket(principal, context.Ticket.Properties, context.Options, context); context.Validate(ticket); }
public Task GrantRefreshToken(GrantRefreshTokenContext context) { throw new NotImplementedException(); }
public override async Task GrantRefreshToken(GrantRefreshTokenContext context) { //_authService = (IAuthService)context.HttpContext.ApplicationServices.GetService(typeof(IAuthService)); _authService = (IAuthService)context.HttpContext.RequestServices.GetService(typeof(IAuthService)); string originalClient = string.Empty; context.Ticket.Properties.Items.TryGetValue("client_id", out originalClient); var currentClient = context.ClientId; if (originalClient != currentClient) { context.Reject("O Refresh token foi criado para outro client_id"); } string username = string.Empty; context.Ticket.Properties.Items.TryGetValue("userName", out username); var user = await _authService.GetUsuarioEmail(username); var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme); int casaId = await _authService.GetCasaSelecionada(user); //verifica se usuario esta bloqueado para aquela casa if (_authService.AcessoUsuarioBloqueado(user.Id, casaId)) { //tenta obter acesso em outra casa int novaCasaSelec = _authService.TentaSelecOutraCasa(user.Id, casaId); if (novaCasaSelec == 0) { context.Reject("O seu acesso foi bloqueado"); return; } casaId = novaCasaSelec; } foreach (var claim in _authService.GetClaims(user, casaId)) { identity.AddClaim(claim.Type, claim.Value, "access_token", "id_token"); } identity.AddClaim("casa", casaId.ToString(), "access_token", "id_token"); identity.AddClaim(ClaimTypes.NameIdentifier, user.Id, "access_token", "id_token"); identity.AddClaim(ClaimTypes.Name, user.UserName, "access_token", "id_token"); var principal = new ClaimsPrincipal(identity); var newTicket = new AuthenticationTicket(principal, context.Ticket.Properties, OpenIdConnectServerDefaults.AuthenticationScheme); context.Validate(newTicket); }
/// <summary> /// Called when a request to the Token endpoint arrives with a "grant_type" of "refresh_token". This occurs if your application has issued a "refresh_token" /// along with the "access_token", and the client is attempting to use the "refresh_token" to acquire a new "access_token", and possibly a new "refresh_token". /// The claims and properties associated with the refresh token are present in the context.Ticket. The token request is automatically handled, /// but the application can call context.Rejected to instruct the Authorization Server middleware to reject the token. /// The application may explicitly call context.Validated and flow a different AuthenticationTicket or ClaimsIdentity in order to control /// which information flows from the refresh token to the access token. The default behavior when using the OpenIdConnectServerProvider /// is to flow information from the refresh token to the access token unmodified. /// See also http://tools.ietf.org/html/rfc6749#section-6 /// </summary> /// <param name="context">The context of the event carries information in and results out.</param> /// <returns>Task to enable asynchronous execution</returns> public virtual Task GrantRefreshToken(GrantRefreshTokenContext context) => OnGrantRefreshToken(context);
public virtual Task GrantRefreshTokenAsync(GrantRefreshTokenContext context) { return(this.OnGrantRefreshToken.Invoke(context)); }