public async Task <bool> Execute(RevokeTokenParameter revokeTokenParameter, AuthenticationHeaderValue authenticationHeaderValue, X509Certificate2 certificate, string issuerName)
{
if (revokeTokenParameter == null)
{
throw new ArgumentNullException(nameof(revokeTokenParameter));
}
if (string.IsNullOrWhiteSpace(revokeTokenParameter.Token))
{
throw new ArgumentNullException(nameof(revokeTokenParameter.Token));
}
// 1. Check the client credentials
var errorMessage = string.Empty;
var instruction = CreateAuthenticateInstruction(revokeTokenParameter, authenticationHeaderValue, certificate);
var authResult = await _authenticateClient.AuthenticateAsync(instruction, issuerName);
var client = authResult.Client;
if (client == null)
{
throw new IdentityServerException(ErrorCodes.InvalidClient, authResult.ErrorMessage);
}
// 2. Retrieve the granted token & check if it exists
GrantedToken grantedToken = await _tokenStore.GetAccessToken(revokeTokenParameter.Token);
bool isAccessToken = true;
if (grantedToken == null)
{
grantedToken = await _tokenStore.GetRefreshToken(revokeTokenParameter.Token);
isAccessToken = false;
}
if (grantedToken == null)
{
throw new IdentityServerException(ErrorCodes.InvalidToken, ErrorDescriptions.TheTokenDoesntExist);
}
// 3. Verifies whether the token was issued to the client making the revocation request
if (grantedToken.ClientId != client.ClientId)
{
throw new IdentityServerException(ErrorCodes.InvalidToken, string.Format(ErrorDescriptions.TheTokenHasNotBeenIssuedForTheGivenClientId, client.ClientId));
}
// 4. Invalid the granted token
if (isAccessToken)
{
return(await _tokenStore.RemoveAccessToken(grantedToken.AccessToken));
}
return(await _tokenStore.RemoveRefreshToken(grantedToken.RefreshToken));
}
public async Task <GrantedTokenValidationResult> CheckAccessTokenAsync(string accessToken)
{
if (string.IsNullOrWhiteSpace(accessToken))
{
throw new ArgumentNullException(nameof(accessToken));
}
var grantedToken = await _tokenStore.GetAccessToken(accessToken);
return(CheckGrantedToken(grantedToken));
}
public async Task <IActionResult> Get(CancellationToken cancellationToken)
{
var accessToken = await TryToGetTheAccessToken().ConfigureAwait(false);
if (string.IsNullOrWhiteSpace(accessToken))
{
return(BadRequest(new ErrorDetails {
Title = ErrorCodes.InvalidToken
}));
}
var grantedToken = await _tokenStore.GetAccessToken(accessToken, cancellationToken).ConfigureAwait(false);
return(grantedToken == null
? BadRequest(
new ErrorDetails { Detail = Strings.TheTokenIsNotValid, Title = ErrorCodes.InvalidToken })
: new ObjectResult(grantedToken.UserInfoPayLoad ?? grantedToken.IdTokenPayLoad ?? new JwtPayload()));
}
public async Task <Option <Ticket> > Execute(
string owner,
CancellationToken cancellationToken,
params PermissionRequest[] addPermissionParameters)
{
var result = await CheckAddPermissionParameter(owner, addPermissionParameters, cancellationToken).ConfigureAwait(false);
if (result is Option.Error e)
{
return(new Option <Ticket> .Error(e.Details));
}
var token = addPermissionParameters.Select(x => x.IdToken).First();
var grantedToken = token == null ? null : await _tokenStore.GetAccessToken(token, cancellationToken).ConfigureAwait(false);
var payload = grantedToken?.IdTokenPayLoad;
if (payload == null && token != null)
{
var handler = new JwtSecurityTokenHandler();
var jwt = handler.ReadJwtToken(token);
payload = jwt.Payload;
}
var claims = payload?.Claims
.Where(claim => OpenIdClaimTypes.All.Contains(claim.Type))
.Where(claim => !string.IsNullOrWhiteSpace(claim.Value))
.Select(x => new ClaimData {
Type = x.Type, Value = x.Value
})
.ToArray() ?? Array.Empty <ClaimData>();
var lines = addPermissionParameters.Where(x => x.Scopes != null && x.ResourceSetId != null)
.Select(
addPermissionParameter => new TicketLine
{
Scopes = addPermissionParameter.Scopes !,
ResourceSetId = addPermissionParameter.ResourceSetId !
})
public async Task <UserInfoResult> Execute(string accessToken)
{
if (string.IsNullOrWhiteSpace(accessToken))
{
throw new ArgumentNullException(nameof(accessToken));
}
// Check if the access token is still valid otherwise raise an authorization exception.
GrantedTokenValidationResult valResult;
if (!((valResult = await _grantedTokenValidator.CheckAccessTokenAsync(accessToken)).IsValid))
{
throw new AuthorizationException(valResult.MessageErrorCode, valResult.MessageErrorDescription);
}
var grantedToken = await _tokenStore.GetAccessToken(accessToken);
var client = await _clientRepository.GetClientByIdAsync(grantedToken.ClientId);
if (client == null)
{
throw new IdentityServerException(ErrorCodes.InvalidToken, string.Format(ErrorDescriptions.TheClientIdDoesntExist, grantedToken.ClientId));
}
var signedResponseAlg = client.GetUserInfoSignedResponseAlg();
var userInformationPayload = grantedToken.UserInfoPayLoad;
if (userInformationPayload == null)
{
throw new IdentityServerException(ErrorCodes.InvalidToken, ErrorDescriptions.TheTokenIsNotAValidResourceOwnerToken);
}
if (signedResponseAlg == null ||
signedResponseAlg.Value == JwsAlg.none)
{
var objectResult = new ObjectResult(grantedToken.UserInfoPayLoad)
{
StatusCode = (int)HttpStatusCode.OK
};
objectResult.ContentTypes.Add(new MediaTypeHeaderValue("application/json"));
objectResult.Formatters.Add(new JsonOutputFormatter(new JsonSerializerSettings(), ArrayPool <char> .Shared));
return(new UserInfoResult
{
Content = objectResult
});
}
var jwt = await _jwtGenerator.SignAsync(userInformationPayload,
signedResponseAlg.Value);
var encryptedResponseAlg = client.GetUserInfoEncryptedResponseAlg();
var encryptedResponseEnc = client.GetUserInfoEncryptedResponseEnc();
if (encryptedResponseAlg != null)
{
if (encryptedResponseEnc == null)
{
encryptedResponseEnc = JweEnc.A128CBC_HS256;
}
jwt = await _jwtGenerator.EncryptAsync(jwt,
encryptedResponseAlg.Value,
encryptedResponseEnc.Value);
}
return(new UserInfoResult
{
Content = new ContentResult
{
Content = jwt,
StatusCode = (int)HttpStatusCode.OK,
ContentType = "application/jwt",
}
});
}
public async Task <Option <UmaIntrospectionResponse> > Execute(
IntrospectionParameter introspectionParameter,
CancellationToken cancellationToken)
{
var introspectionParameterToken = introspectionParameter.Token;
if (string.IsNullOrWhiteSpace(introspectionParameterToken))
{
return(new ErrorDetails
{
Status = HttpStatusCode.BadRequest,
Title = ErrorCodes.InvalidToken,
Detail = Strings.TheTokenDoesntExist
});
}
// Read this RFC for more information - https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-federated-authz-2.0.html#introspection-endpoint
// 3. Retrieve the token type hint
var tokenTypeHint = CoreConstants.StandardTokenTypeHintNames.AccessToken;
if (CoreConstants.AllStandardTokenTypeHintNames.Contains(introspectionParameter.TokenTypeHint))
{
tokenTypeHint = introspectionParameter.TokenTypeHint;
}
// 4. Trying to fetch the information about the access_token || refresh_token
var grantedToken = tokenTypeHint switch
{
CoreConstants.StandardTokenTypeHintNames.AccessToken => await _tokenStore
.GetAccessToken(introspectionParameterToken, cancellationToken)
.ConfigureAwait(false),
CoreConstants.StandardTokenTypeHintNames.RefreshToken => await _tokenStore
.GetRefreshToken(introspectionParameterToken, cancellationToken)
.ConfigureAwait(false),
_ => null
};
// 5. Return an error if there's no granted token
if (grantedToken == null)
{
return(new ErrorDetails {
Title = ErrorCodes.InvalidGrant, Detail = Strings.TheTokenIsNotValid
});
}
// 6. Fill-in parameters
//// default : Specify the other parameters : NBF & JTI
var result = new UmaIntrospectionResponse
{
//Scope = grantedToken.Scope.Split(' ', StringSplitOptions.RemoveEmptyEntries),
ClientId = grantedToken.ClientId,
Expiration = grantedToken.ExpiresIn,
TokenType = grantedToken.TokenType
};
if (grantedToken.UserInfoPayLoad != null)
{
var subject =
grantedToken.IdTokenPayLoad?.GetClaimValue(OpenIdClaimTypes.Subject);
if (!string.IsNullOrWhiteSpace(subject))
{
result = result with {
Subject = subject
};
}
}
// 7. Fill-in the other parameters
if (grantedToken.IdTokenPayLoad != null)
{
var audiencesArr = grantedToken.IdTokenPayLoad.GetArrayValue(StandardClaimNames.Audiences);
var subject =
grantedToken.IdTokenPayLoad.GetClaimValue(OpenIdClaimTypes.Subject);
var userName =
grantedToken.IdTokenPayLoad.GetClaimValue(OpenIdClaimTypes.Name);
result = result with
{
Audience = string.Join(" ", audiencesArr),
IssuedAt = grantedToken.IdTokenPayLoad.Iat ?? 0,
Issuer = grantedToken.IdTokenPayLoad.Iss
};
if (!string.IsNullOrWhiteSpace(subject))
{
result = result with {
Subject = subject
};
}
if (!string.IsNullOrWhiteSpace(userName))
{
result = result with {
UserName = userName
};
}
}
// 8. Based on the expiration date disable OR enable the introspection resultKind
var expirationDateTime = grantedToken.CreateDateTime.AddSeconds(grantedToken.ExpiresIn);
result = result with {
Active = DateTimeOffset.UtcNow < expirationDateTime
};
return(result);
}
}
}
public async Task <IntrospectionResult> Execute(
IntrospectionParameter introspectionParameter,
AuthenticationHeaderValue authenticationHeaderValue, string issuerName)
{
// 1. Validate the parameters
if (introspectionParameter == null)
{
throw new ArgumentNullException(nameof(introspectionParameter));
}
if (string.IsNullOrWhiteSpace(introspectionParameter.Token))
{
throw new ArgumentNullException(nameof(introspectionParameter.Token));
}
_introspectionParameterValidator.Validate(introspectionParameter);
// 2. Authenticate the client
var instruction = CreateAuthenticateInstruction(introspectionParameter, authenticationHeaderValue);
var authResult = await _authenticateClient.AuthenticateAsync(instruction, issuerName);
if (authResult.Client == null)
{
throw new IdentityServerException(ErrorCodes.InvalidClient, authResult.ErrorMessage);
}
// 3. Retrieve the token type hint
var tokenTypeHint = Constants.StandardTokenTypeHintNames.AccessToken;
if (Constants.AllStandardTokenTypeHintNames.Contains(introspectionParameter.TokenTypeHint))
{
tokenTypeHint = introspectionParameter.TokenTypeHint;
}
// 4. Trying to fetch the information about the access_token || refresh_token
GrantedToken grantedToken = null;
if (tokenTypeHint == Constants.StandardTokenTypeHintNames.AccessToken)
{
grantedToken = await _tokenStore.GetAccessToken(introspectionParameter.Token);
if (grantedToken == null)
{
grantedToken = await _tokenStore.GetRefreshToken(introspectionParameter.Token);
}
}
else
{
grantedToken = await _tokenStore.GetRefreshToken(introspectionParameter.Token);
if (grantedToken == null)
{
grantedToken = await _tokenStore.GetAccessToken(introspectionParameter.Token);
}
}
// 5. Throw an exception if there's no granted token
if (grantedToken == null)
{
throw new IdentityServerException(
ErrorCodes.InvalidToken,
ErrorDescriptions.TheTokenIsNotValid);
}
// 6. Fill-in parameters
//// TODO : Specifiy the other parameters : NBF & JTI
var result = new IntrospectionResult
{
Scope = grantedToken.Scope,
ClientId = grantedToken.ClientId,
Expiration = grantedToken.ExpiresIn,
TokenType = grantedToken.TokenType
};
// 7. Fill-in the other parameters
if (grantedToken.IdTokenPayLoad != null)
{
var audiences = string.Empty;
var audiencesArr = grantedToken.IdTokenPayLoad.GetArrayClaim(StandardClaimNames.Audiences);
var issuedAt = grantedToken.IdTokenPayLoad.Iat;
var issuer = grantedToken.IdTokenPayLoad.Issuer;
var subject = grantedToken.IdTokenPayLoad.GetClaimValue(Jwt.Constants.StandardResourceOwnerClaimNames.Subject);
var userName = grantedToken.IdTokenPayLoad.GetClaimValue(Jwt.Constants.StandardResourceOwnerClaimNames.Name);
if (audiencesArr.Any())
{
audiences = string.Join(" ", audiencesArr);
}
result.Audience = audiences;
result.IssuedAt = issuedAt;
result.Issuer = issuer;
result.Subject = subject;
result.UserName = userName;
}
// 8. Based on the expiration date disable OR enable the introspection result
var expirationDateTime = grantedToken.CreateDateTime.AddSeconds(grantedToken.ExpiresIn);
var tokenIsExpired = DateTime.UtcNow > expirationDateTime;
if (tokenIsExpired)
{
result.Active = false;
}
else
{
result.Active = true;
}
return(result);
}
public async Task <Option <OauthIntrospectionResponse> > Execute(
IntrospectionParameter introspectionParameter,
CancellationToken cancellationToken)
{
// Read this RFC for more information - https://www.rfc-editor.org/rfc/rfc7662.txt
// 3. Retrieve the token type hint
var tokenTypeHint = CoreConstants.StandardTokenTypeHintNames.AccessToken;
if (CoreConstants.AllStandardTokenTypeHintNames.Contains(introspectionParameter.TokenTypeHint))
{
tokenTypeHint = introspectionParameter.TokenTypeHint;
}
// 4. Trying to fetch the information about the access_token || refresh_token
var introspectionParameterToken = introspectionParameter.Token;
var grantedToken = tokenTypeHint switch
{
_ when introspectionParameterToken == null => null,
CoreConstants.StandardTokenTypeHintNames.AccessToken => await _tokenStore
.GetAccessToken(introspectionParameterToken, cancellationToken)
.ConfigureAwait(false),
CoreConstants.StandardTokenTypeHintNames.RefreshToken => await _tokenStore
.GetRefreshToken(introspectionParameterToken, cancellationToken)
.ConfigureAwait(false),
_ => null
};
// 5. Return an error if there's no granted token
if (grantedToken == null)
{
return(new OauthIntrospectionResponse());
}
// 6. Fill-in parameters
//// default : Specify the other parameters : NBF & JTI
var result = new OauthIntrospectionResponse
{
Scope = grantedToken.Scope.Split(' ', StringSplitOptions.RemoveEmptyEntries),
ClientId = grantedToken.ClientId,
Expiration = grantedToken.ExpiresIn,
TokenType = grantedToken.TokenType
};
if (grantedToken.UserInfoPayLoad != null)
{
var subject =
grantedToken.IdTokenPayLoad?.GetClaimValue(OpenIdClaimTypes.Subject);
if (!string.IsNullOrWhiteSpace(subject))
{
result = result with {
Subject = subject
};
}
}
// 7. Fill-in the other parameters
if (grantedToken.IdTokenPayLoad != null)
{
var audiencesArr = grantedToken.IdTokenPayLoad.GetArrayValue(StandardClaimNames.Audiences);
var subject =
grantedToken.IdTokenPayLoad.GetClaimValue(OpenIdClaimTypes.Subject);
var userName =
grantedToken.IdTokenPayLoad.GetClaimValue(OpenIdClaimTypes.Name);
result = result with
{
Audience = string.Join(" ", audiencesArr),
IssuedAt = grantedToken.IdTokenPayLoad.Iat ?? 0,
Issuer = grantedToken.IdTokenPayLoad.Iss
};
if (!string.IsNullOrWhiteSpace(subject))
{
result = result with {
Subject = subject
};
}
if (!string.IsNullOrWhiteSpace(userName))
{
result = result with {
UserName = userName
};
}
}
// 8. Based on the expiration date disable OR enable the introspection resultKind
var expirationDateTime = grantedToken.CreateDateTime.AddSeconds(grantedToken.ExpiresIn);
result = result with {
Active = DateTimeOffset.UtcNow < expirationDateTime
};
return(result);
}
}
}
