コード例 #1
0
        /// <summary>
        /// Returns a list of scopes from a concatenate list of scopes separated by whitespaces.
        /// </summary>
        /// <param name="concatenateListOfScopes"></param>
        /// <returns>List of scopes</returns>
        private async Task <ICollection <Scope> > GetScopes(string concatenateListOfScopes)
        {
            var result     = new List <Scope>();
            var scopeNames = _parameterParserHelper.ParseScopes(concatenateListOfScopes);

            return(await _scopeRepository.SearchByNamesAsync(scopeNames));
        }
コード例 #2
0
        private async Task FillInResourceOwnerClaimsFromScopes(
            JwsPayload jwsPayload,
            AuthorizationParameter authorizationParameter,
            ClaimsPrincipal claimsPrincipal)
        {
            // 1. Fill-in the subject claim
            var subject = claimsPrincipal.GetSubject();

            jwsPayload.Add(Jwt.Constants.StandardResourceOwnerClaimNames.Subject, subject);

            if (authorizationParameter == null ||
                string.IsNullOrWhiteSpace(authorizationParameter.Scope))
            {
                return;
            }

            // 2. Fill-in the other claims
            var scopes = _parameterParserHelper.ParseScopes(authorizationParameter.Scope);
            var claims = await GetClaimsFromRequestedScopes(scopes, claimsPrincipal);

            foreach (var claim in claims)
            {
                if (claim.Key == Jwt.Constants.StandardResourceOwnerClaimNames.Subject)
                {
                    continue;
                }

                jwsPayload.Add(claim.Key, claim.Value);
            }
        }
コード例 #3
0
        public async Task <Consent> GetConfirmedConsentsAsync(string subject, AuthorizationParameter authorizationParameter)
        {
            if (string.IsNullOrWhiteSpace(subject))
            {
                throw new ArgumentNullException(nameof(subject));
            }

            if (authorizationParameter == null)
            {
                throw new ArgumentNullException(nameof(authorizationParameter));
            }

            var consents = await _consentRepository.GetConsentsForGivenUserAsync(subject);

            Consent confirmedConsent = null;

            if (consents != null && consents.Any())
            {
                var claimsParameter = authorizationParameter.Claims;
                if (claimsParameter.IsAnyUserInfoClaimParameter() ||
                    claimsParameter.IsAnyIdentityTokenClaimParameter())
                {
                    var expectedClaims = claimsParameter.GetClaimNames();
                    confirmedConsent = consents.FirstOrDefault(
                        c =>
                        c.Client.ClientId == authorizationParameter.ClientId &&
                        c.Claims != null && c.Claims.Any() &&
                        expectedClaims.Count() == c.Claims.Count() &&
                        expectedClaims.All(cl => c.Claims.Contains(cl)));
                }
                else
                {
                    var scopeNames =
                        _parameterParserHelper.ParseScopes(authorizationParameter.Scope);
                    confirmedConsent = consents.FirstOrDefault(
                        c =>
                        c.Client.ClientId == authorizationParameter.ClientId &&
                        c.GrantedScopes != null && c.GrantedScopes.Any() &&
                        scopeNames.Count() == c.GrantedScopes.Count() &&
                        c.GrantedScopes.All(g => scopeNames.Contains(g.Name)));
                }
            }

            return(confirmedConsent);
        }
コード例 #4
0
        public ScopeValidationResult Check(string scope, Core.Common.Models.Client client)
        {
            var emptyList = new List <string>();
            var scopes    = _parameterParserHelper.ParseScopes(scope);

            if (!scopes.Any())
            {
                return(new ScopeValidationResult(false)
                {
                    ErrorMessage = string.Format(ErrorDescriptions.TheScopesNeedToBeSpecified, scope)
                });
            }

            var duplicates = scopes.GroupBy(p => p)
                             .Where(g => g.Count() > 1)
                             .Select(g => g.Key)
                             .ToList();

            if (duplicates.Any())
            {
                return(new ScopeValidationResult(false)
                {
                    ErrorMessage = string.Format(ErrorDescriptions.DuplicateScopeValues, string.Join(",", duplicates))
                });
            }

            var scopeAllowed = client.AllowedScopes.Select(a => a.Name).ToList();
            var scopesNotAllowedOrInvalid = scopes
                                            .Where(s => !scopeAllowed.Contains(s))
                                            .ToList();

            if (scopesNotAllowedOrInvalid.Any())
            {
                return(new ScopeValidationResult(false)
                {
                    ErrorMessage = string.Format(ErrorDescriptions.ScopesAreNotAllowedOrInvalid, string.Join(",", scopesNotAllowedOrInvalid))
                });
            }

            return(new ScopeValidationResult(true)
            {
                Scopes = scopes
            });
        }
コード例 #5
0
        public async Task ExecuteAsync(ActionResult actionResult, AuthorizationParameter authorizationParameter, ClaimsPrincipal claimsPrincipal, Client client)
        {
            if (actionResult == null || actionResult.RedirectInstruction == null)
            {
                throw new ArgumentNullException(nameof(actionResult));
            }
            ;
            if (authorizationParameter == null)
            {
                throw new ArgumentNullException(nameof(authorizationParameter));
            }

            if (claimsPrincipal == null)
            {
                throw new ArgumentNullException(nameof(claimsPrincipal));
            }

            if (client == null)
            {
                throw new ArgumentNullException(nameof(client));
            }

            var               newAccessTokenGranted       = false;
            var               allowedTokenScopes          = string.Empty;
            GrantedToken      grantedToken                = null;
            var               newAuthorizationCodeGranted = false;
            AuthorizationCode authorizationCode           = null;

            _simpleIdentityServerEventSource.StartGeneratingAuthorizationResponseToClient(authorizationParameter.ClientId,
                                                                                          authorizationParameter.ResponseType);
            var responses      = _parameterParserHelper.ParseResponseTypes(authorizationParameter.ResponseType);
            var idTokenPayload = await GenerateIdTokenPayload(claimsPrincipal, authorizationParameter);

            var userInformationPayload = await GenerateUserInformationPayload(claimsPrincipal, authorizationParameter);

            if (responses.Contains(ResponseType.token)) // 1. Generate an access token.
            {
                if (!string.IsNullOrWhiteSpace(authorizationParameter.Scope))
                {
                    allowedTokenScopes = string.Join(" ", _parameterParserHelper.ParseScopes(authorizationParameter.Scope));
                }


                grantedToken = await _grantedTokenHelper.GetValidGrantedTokenAsync(allowedTokenScopes, client.ClientId,
                                                                                   userInformationPayload, idTokenPayload);

                if (grantedToken == null)
                {
                    grantedToken = await _grantedTokenGeneratorHelper.GenerateTokenAsync(client, allowedTokenScopes,
                                                                                         userInformationPayload, idTokenPayload);

                    newAccessTokenGranted = true;
                }

                actionResult.RedirectInstruction.AddParameter(Constants.StandardAuthorizationResponseNames.AccessTokenName,
                                                              grantedToken.AccessToken);
            }

            if (responses.Contains(ResponseType.code)) // 2. Generate an authorization code.
            {
                var subject         = claimsPrincipal == null ? string.Empty : claimsPrincipal.GetSubject();
                var assignedConsent = await _consentHelper.GetConfirmedConsentsAsync(subject, authorizationParameter);

                if (assignedConsent != null)
                {
                    // Insert a temporary authorization code
                    // It will be used later to retrieve tha id_token or an access token.
                    authorizationCode = new AuthorizationCode
                    {
                        Code            = Guid.NewGuid().ToString(),
                        RedirectUri     = authorizationParameter.RedirectUrl,
                        CreateDateTime  = DateTime.UtcNow,
                        ClientId        = authorizationParameter.ClientId,
                        Scopes          = authorizationParameter.Scope,
                        IdTokenPayload  = idTokenPayload,
                        UserInfoPayLoad = userInformationPayload
                    };

                    newAuthorizationCodeGranted = true;
                    actionResult.RedirectInstruction.AddParameter(Constants.StandardAuthorizationResponseNames.AuthorizationCodeName,
                                                                  authorizationCode.Code);
                }
            }

            _jwtGenerator.FillInOtherClaimsIdentityTokenPayload(idTokenPayload,
                                                                authorizationCode == null ? string.Empty : authorizationCode.Code,
                                                                grantedToken == null ? string.Empty : grantedToken.AccessToken,
                                                                authorizationParameter, client);

            if (newAccessTokenGranted) // 3. Insert the stateful access token into the DB OR insert the access token into the caching.
            {
                await _tokenStore.AddToken(grantedToken);

                _simpleIdentityServerEventSource.GrantAccessToClient(authorizationParameter.ClientId,
                                                                     grantedToken.AccessToken,
                                                                     allowedTokenScopes);
            }

            if (newAuthorizationCodeGranted) // 4. Insert the authorization code into the caching.
            {
                if (client.RequirePkce)
                {
                    authorizationCode.CodeChallenge       = authorizationParameter.CodeChallenge;
                    authorizationCode.CodeChallengeMethod = authorizationParameter.CodeChallengeMethod;
                }

                await _authorizationCodeStore.AddAuthorizationCode(authorizationCode);

                _simpleIdentityServerEventSource.GrantAuthorizationCodeToClient(authorizationParameter.ClientId,
                                                                                authorizationCode.Code,
                                                                                authorizationParameter.Scope);
            }

            if (responses.Contains(ResponseType.id_token))
            {
                var idToken = await GenerateIdToken(idTokenPayload, authorizationParameter);

                actionResult.RedirectInstruction.AddParameter(Constants.StandardAuthorizationResponseNames.IdTokenName, idToken);
            }

            if (!string.IsNullOrWhiteSpace(authorizationParameter.State))
            {
                actionResult.RedirectInstruction.AddParameter(Constants.StandardAuthorizationResponseNames.StateName, authorizationParameter.State);
            }

            var sessionState = GetSessionState(authorizationParameter.ClientId, authorizationParameter.OriginUrl, authorizationParameter.SessionId);

            if (sessionState != null)
            {
                actionResult.RedirectInstruction.AddParameter(Constants.StandardAuthorizationResponseNames.SessionState, sessionState);
            }

            if (authorizationParameter.ResponseMode == ResponseMode.form_post)
            {
                actionResult.Type = TypeActionResult.RedirectToAction;
                actionResult.RedirectInstruction.Action = IdentityServerEndPoints.FormIndex;
                actionResult.RedirectInstruction.AddParameter("redirect_uri", authorizationParameter.RedirectUrl);
            }

            // Set the response mode
            if (actionResult.Type == TypeActionResult.RedirectToCallBackUrl)
            {
                var responseMode = authorizationParameter.ResponseMode;
                if (responseMode == ResponseMode.None)
                {
                    var responseTypes     = _parameterParserHelper.ParseResponseTypes(authorizationParameter.ResponseType);
                    var authorizationFlow = _authorizationFlowHelper.GetAuthorizationFlow(responseTypes,
                                                                                          authorizationParameter.State);
                    responseMode = GetResponseMode(authorizationFlow);
                }

                actionResult.RedirectInstruction.ResponseMode = responseMode;
            }

            _simpleIdentityServerEventSource.EndGeneratingAuthorizationResponseToClient(authorizationParameter.ClientId,
                                                                                        actionResult.RedirectInstruction.Parameters.SerializeWithJavascript());
        }