/// <summary>
/// Called when a request to the Token endpoint arrives with a "grant_type" of "refresh_token". This occurs if your application has issued a "refresh_token"
/// along with the "access_token", and the client is attempting to use the "refresh_token" to acquire a new "access_token", and possibly a new "refresh_token".
/// To issue a refresh token the an Options.RefreshTokenProvider must be assigned to create the value which is returned. The claims and properties
/// associated with the refresh token are present in the context.Ticket. The application must call context.Validated to instruct the
/// Authorization Server middleware to issue an access token based on those claims and properties. The call to context.Validated may
/// be given a different AuthenticationTicket or ClaimsIdentity in order to control which information flows from the refresh token to
/// the access token. The default behavior when using the OAuthAuthorizationServerProvider is to flow information from the refresh token to
/// the access token unmodified.
/// See also http://tools.ietf.org/html/rfc6749#section-6
/// </summary>
/// <param name="context">The context of the event carries information in and results out.</param>
/// <returns>
/// Task to enable asynchronous execution
/// </returns>
public override async Task GrantRefreshToken(OAuthGrantRefreshTokenContext context)
{
this.options.Logger.Debug("Authenticating refresh token flow");
var user = context.Ticket.Identity;
// Add grant type claim
user.RemoveClaim(x => x.Type == Constants.ClaimType.GrantType);
user.AddClaim(Constants.ClaimType.GrantType, Constants.GrantTypes.RefreshToken);
// Set scopes from refresh token
if (user.HasClaim(x => x.Type == Constants.ClaimType.Scope))
{
context.OwinContext.GetOAuthContext().Scope = user.Claims.Where(x => x.Type == Constants.ClaimType.Scope).Select(x => x.Value);
}
// Activate event if subscribed to
if (this.options.Events.IdentityCreated != null)
{
var args = new IdentityCreatedEventArgs(user, context);
await this.options.Events.IdentityCreated(args);
if (args.Identity.AuthenticationType != context.Options.AuthenticationType)
{
user = new ClaimsIdentity(args.Identity.Claims, context.Options.AuthenticationType);
}
}
context.Validated(user);
}
/// <summary>
/// Called when a request to the Token endpoint arrives with a "grant_type" of "password". This occurs when the user has provided name and password
/// credentials directly into the client application's user interface, and the client application is using those to acquire an "access_token" and
/// optional "refresh_token". If the web application supports the
/// resource owner credentials grant type it must validate the context.Username and context.Password as appropriate. To issue an
/// access token the context.Validated must be called with a new ticket containing the claims about the resource owner which should be associated
/// with the access token. The application should take appropriate measures to ensure that the endpoint isn’t abused by malicious callers.
/// The default behavior is to reject this grant type.
/// See also http://tools.ietf.org/html/rfc6749#section-4.3.2
/// </summary>
/// <param name="context">The context of the event carries information in and results out.</param>
/// <returns>Task to enable asynchronous execution</returns>
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
this.options.Logger.DebugFormat("Authenticating resource owner flow for user '{0}'", Regex.Escape(context.UserName));
var user = await this.options.UserManager.AuthenticateUserWithPasswordAsync(context.UserName, context.Password);
if (!user.IsAuthenticated)
{
context.Rejected();
this.options.Logger.WarnFormat("User '{0}' was not authenticated", Regex.Escape(context.UserName));
return;
}
// Add oauth claims
user.AddClaim(new Claim(Constants.ClaimType.Client, context.ClientId));
user.RemoveClaim(x => x.Type == Constants.ClaimType.GrantType);
user.AddClaim(new Claim(Constants.ClaimType.GrantType, Constants.GrantTypes.Password));
// Activate event if subscribed to
if (this.options.Events.IdentityCreated != null)
{
var args = new IdentityCreatedEventArgs(user, context);
await this.options.Events.IdentityCreated(args);
if (args.Identity.AuthenticationType != context.Options.AuthenticationType)
{
user = new ClaimsIdentity(args.Identity.Claims, context.Options.AuthenticationType);
}
}
// Validate ticket
var ticket = new AuthenticationTicket(user, new AuthenticationProperties());
context.Validated(ticket);
this.options.Logger.DebugFormat("User '{0}' was successfully authenticated", Regex.Escape(context.UserName));
}