/// <summary>
/// Returns a list of scopes from a concatenate list of scopes separated by whitespaces.
/// </summary>
/// <param name="concatenateListOfScopes"></param>
/// <returns>List of scopes</returns>
private async Task <ICollection <Scope> > GetScopes(string concatenateListOfScopes)
{
var result = new List <Scope>();
var scopeNames = _parameterParserHelper.ParseScopes(concatenateListOfScopes);
return(await _scopeRepository.SearchByNamesAsync(scopeNames));
}
private async Task FillInResourceOwnerClaimsFromScopes(
JwsPayload jwsPayload,
AuthorizationParameter authorizationParameter,
ClaimsPrincipal claimsPrincipal)
{
// 1. Fill-in the subject claim
var subject = claimsPrincipal.GetSubject();
jwsPayload.Add(Jwt.Constants.StandardResourceOwnerClaimNames.Subject, subject);
if (authorizationParameter == null ||
string.IsNullOrWhiteSpace(authorizationParameter.Scope))
{
return;
}
// 2. Fill-in the other claims
var scopes = _parameterParserHelper.ParseScopes(authorizationParameter.Scope);
var claims = await GetClaimsFromRequestedScopes(scopes, claimsPrincipal);
foreach (var claim in claims)
{
if (claim.Key == Jwt.Constants.StandardResourceOwnerClaimNames.Subject)
{
continue;
}
jwsPayload.Add(claim.Key, claim.Value);
}
}
public async Task <Consent> GetConfirmedConsentsAsync(string subject, AuthorizationParameter authorizationParameter)
{
if (string.IsNullOrWhiteSpace(subject))
{
throw new ArgumentNullException(nameof(subject));
}
if (authorizationParameter == null)
{
throw new ArgumentNullException(nameof(authorizationParameter));
}
var consents = await _consentRepository.GetConsentsForGivenUserAsync(subject);
Consent confirmedConsent = null;
if (consents != null && consents.Any())
{
var claimsParameter = authorizationParameter.Claims;
if (claimsParameter.IsAnyUserInfoClaimParameter() ||
claimsParameter.IsAnyIdentityTokenClaimParameter())
{
var expectedClaims = claimsParameter.GetClaimNames();
confirmedConsent = consents.FirstOrDefault(
c =>
c.Client.ClientId == authorizationParameter.ClientId &&
c.Claims != null && c.Claims.Any() &&
expectedClaims.Count() == c.Claims.Count() &&
expectedClaims.All(cl => c.Claims.Contains(cl)));
}
else
{
var scopeNames =
_parameterParserHelper.ParseScopes(authorizationParameter.Scope);
confirmedConsent = consents.FirstOrDefault(
c =>
c.Client.ClientId == authorizationParameter.ClientId &&
c.GrantedScopes != null && c.GrantedScopes.Any() &&
scopeNames.Count() == c.GrantedScopes.Count() &&
c.GrantedScopes.All(g => scopeNames.Contains(g.Name)));
}
}
return(confirmedConsent);
}
public ScopeValidationResult Check(string scope, Core.Common.Models.Client client)
{
var emptyList = new List <string>();
var scopes = _parameterParserHelper.ParseScopes(scope);
if (!scopes.Any())
{
return(new ScopeValidationResult(false)
{
ErrorMessage = string.Format(ErrorDescriptions.TheScopesNeedToBeSpecified, scope)
});
}
var duplicates = scopes.GroupBy(p => p)
.Where(g => g.Count() > 1)
.Select(g => g.Key)
.ToList();
if (duplicates.Any())
{
return(new ScopeValidationResult(false)
{
ErrorMessage = string.Format(ErrorDescriptions.DuplicateScopeValues, string.Join(",", duplicates))
});
}
var scopeAllowed = client.AllowedScopes.Select(a => a.Name).ToList();
var scopesNotAllowedOrInvalid = scopes
.Where(s => !scopeAllowed.Contains(s))
.ToList();
if (scopesNotAllowedOrInvalid.Any())
{
return(new ScopeValidationResult(false)
{
ErrorMessage = string.Format(ErrorDescriptions.ScopesAreNotAllowedOrInvalid, string.Join(",", scopesNotAllowedOrInvalid))
});
}
return(new ScopeValidationResult(true)
{
Scopes = scopes
});
}
public async Task ExecuteAsync(ActionResult actionResult, AuthorizationParameter authorizationParameter, ClaimsPrincipal claimsPrincipal, Client client)
{
if (actionResult == null || actionResult.RedirectInstruction == null)
{
throw new ArgumentNullException(nameof(actionResult));
}
;
if (authorizationParameter == null)
{
throw new ArgumentNullException(nameof(authorizationParameter));
}
if (claimsPrincipal == null)
{
throw new ArgumentNullException(nameof(claimsPrincipal));
}
if (client == null)
{
throw new ArgumentNullException(nameof(client));
}
var newAccessTokenGranted = false;
var allowedTokenScopes = string.Empty;
GrantedToken grantedToken = null;
var newAuthorizationCodeGranted = false;
AuthorizationCode authorizationCode = null;
_simpleIdentityServerEventSource.StartGeneratingAuthorizationResponseToClient(authorizationParameter.ClientId,
authorizationParameter.ResponseType);
var responses = _parameterParserHelper.ParseResponseTypes(authorizationParameter.ResponseType);
var idTokenPayload = await GenerateIdTokenPayload(claimsPrincipal, authorizationParameter);
var userInformationPayload = await GenerateUserInformationPayload(claimsPrincipal, authorizationParameter);
if (responses.Contains(ResponseType.token)) // 1. Generate an access token.
{
if (!string.IsNullOrWhiteSpace(authorizationParameter.Scope))
{
allowedTokenScopes = string.Join(" ", _parameterParserHelper.ParseScopes(authorizationParameter.Scope));
}
grantedToken = await _grantedTokenHelper.GetValidGrantedTokenAsync(allowedTokenScopes, client.ClientId,
userInformationPayload, idTokenPayload);
if (grantedToken == null)
{
grantedToken = await _grantedTokenGeneratorHelper.GenerateTokenAsync(client, allowedTokenScopes,
userInformationPayload, idTokenPayload);
newAccessTokenGranted = true;
}
actionResult.RedirectInstruction.AddParameter(Constants.StandardAuthorizationResponseNames.AccessTokenName,
grantedToken.AccessToken);
}
if (responses.Contains(ResponseType.code)) // 2. Generate an authorization code.
{
var subject = claimsPrincipal == null ? string.Empty : claimsPrincipal.GetSubject();
var assignedConsent = await _consentHelper.GetConfirmedConsentsAsync(subject, authorizationParameter);
if (assignedConsent != null)
{
// Insert a temporary authorization code
// It will be used later to retrieve tha id_token or an access token.
authorizationCode = new AuthorizationCode
{
Code = Guid.NewGuid().ToString(),
RedirectUri = authorizationParameter.RedirectUrl,
CreateDateTime = DateTime.UtcNow,
ClientId = authorizationParameter.ClientId,
Scopes = authorizationParameter.Scope,
IdTokenPayload = idTokenPayload,
UserInfoPayLoad = userInformationPayload
};
newAuthorizationCodeGranted = true;
actionResult.RedirectInstruction.AddParameter(Constants.StandardAuthorizationResponseNames.AuthorizationCodeName,
authorizationCode.Code);
}
}
_jwtGenerator.FillInOtherClaimsIdentityTokenPayload(idTokenPayload,
authorizationCode == null ? string.Empty : authorizationCode.Code,
grantedToken == null ? string.Empty : grantedToken.AccessToken,
authorizationParameter, client);
if (newAccessTokenGranted) // 3. Insert the stateful access token into the DB OR insert the access token into the caching.
{
await _tokenStore.AddToken(grantedToken);
_simpleIdentityServerEventSource.GrantAccessToClient(authorizationParameter.ClientId,
grantedToken.AccessToken,
allowedTokenScopes);
}
if (newAuthorizationCodeGranted) // 4. Insert the authorization code into the caching.
{
if (client.RequirePkce)
{
authorizationCode.CodeChallenge = authorizationParameter.CodeChallenge;
authorizationCode.CodeChallengeMethod = authorizationParameter.CodeChallengeMethod;
}
await _authorizationCodeStore.AddAuthorizationCode(authorizationCode);
_simpleIdentityServerEventSource.GrantAuthorizationCodeToClient(authorizationParameter.ClientId,
authorizationCode.Code,
authorizationParameter.Scope);
}
if (responses.Contains(ResponseType.id_token))
{
var idToken = await GenerateIdToken(idTokenPayload, authorizationParameter);
actionResult.RedirectInstruction.AddParameter(Constants.StandardAuthorizationResponseNames.IdTokenName, idToken);
}
if (!string.IsNullOrWhiteSpace(authorizationParameter.State))
{
actionResult.RedirectInstruction.AddParameter(Constants.StandardAuthorizationResponseNames.StateName, authorizationParameter.State);
}
var sessionState = GetSessionState(authorizationParameter.ClientId, authorizationParameter.OriginUrl, authorizationParameter.SessionId);
if (sessionState != null)
{
actionResult.RedirectInstruction.AddParameter(Constants.StandardAuthorizationResponseNames.SessionState, sessionState);
}
if (authorizationParameter.ResponseMode == ResponseMode.form_post)
{
actionResult.Type = TypeActionResult.RedirectToAction;
actionResult.RedirectInstruction.Action = IdentityServerEndPoints.FormIndex;
actionResult.RedirectInstruction.AddParameter("redirect_uri", authorizationParameter.RedirectUrl);
}
// Set the response mode
if (actionResult.Type == TypeActionResult.RedirectToCallBackUrl)
{
var responseMode = authorizationParameter.ResponseMode;
if (responseMode == ResponseMode.None)
{
var responseTypes = _parameterParserHelper.ParseResponseTypes(authorizationParameter.ResponseType);
var authorizationFlow = _authorizationFlowHelper.GetAuthorizationFlow(responseTypes,
authorizationParameter.State);
responseMode = GetResponseMode(authorizationFlow);
}
actionResult.RedirectInstruction.ResponseMode = responseMode;
}
_simpleIdentityServerEventSource.EndGeneratingAuthorizationResponseToClient(authorizationParameter.ClientId,
actionResult.RedirectInstruction.Parameters.SerializeWithJavascript());
}
