/// <summary>
/// Validates a space-delimited OAuth <c>scope</c> request parameter.
/// </summary>
/// <param name="scope">The raw <c>scope</c> value from the request; may be null or blank.</param>
/// <returns>
/// <c>true</c> when the value is blank (an empty scope is valid and means the application keeps its
/// default permissions) or when every space-separated entry is a known scope name; <c>false</c> otherwise.
/// </returns>
public async Task<bool> CheckScopesAreValid(string scope)
{
    // Unlike the other checks, an empty scope is a valid scope: the application simply
    // gets its default permissions.
    if (string.IsNullOrWhiteSpace(scope))
    {
        return true;
    }

    // Split(' ') keeps empty entries produced by doubled spaces; each entry, empty or not,
    // is handed to OAuthScope.NameInScopes and must be accepted for the whole value to pass.
    // NOTE(review): nothing is awaited here; the async modifier only wraps the result in a Task.
    string[] requested = scope.Split(' ');
    return Array.TrueForAll(requested, name => OAuthScope.NameInScopes(name));
}
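/// <summary>
/// Builds the consent-screen view model for an authorization request: resolves the client
/// application and validates the requested scope names.
/// </summary>
/// <param name="OIDCRequest">The incoming OpenID Connect authorization request.</param>
/// <returns>
/// The populated <see cref="AuthorizeViewModel"/>, or <c>null</c> when the client id is not a
/// registered application or when any requested scope name is unknown.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="OIDCRequest"/> is <c>null</c>.</exception>
private async Task<AuthorizeViewModel> FillFromRequest(OpenIdConnectRequest OIDCRequest)
{
    if (OIDCRequest == null)
    {
        throw new ArgumentNullException(nameof(OIDCRequest));
    }

    // An unknown client id yields null; the caller treats that as "reject the request".
    OAuthClient client = await _context.ClientApplications.FindAsync(OIDCRequest.ClientId);
    if (client == null)
    {
        return null;
    }

    // Validate every requested scope and drop duplicates, keeping request order. The same
    // validated list is what goes on the view model, so the consent screen (and the ticket
    // built from it later) only ever sees known, unique scope names instead of the raw split.
    List<string> validScopes = new List<string>();
    if (!String.IsNullOrWhiteSpace(OIDCRequest.Scope))
    {
        HashSet<string> seen = new HashSet<string>(StringComparer.Ordinal);
        // Split(' ') deliberately keeps empty entries from doubled spaces; they are passed to
        // NameInScopes like any other name, and any rejected entry fails the whole request.
        foreach (string name in OIDCRequest.Scope.Split(' '))
        {
            if (!OAuthScope.NameInScopes(name))
            {
                return null;
            }
            if (seen.Add(name))
            {
                validScopes.Add(name);
            }
        }
    }

    // NOTE(review): RedirectUri is copied through from the request unchanged here; whether it
    // has already been matched against the client's registered redirect URIs is not visible in
    // this method — confirm that the request validation step does so before this is reached.
    return new AuthorizeViewModel()
    {
        ClientId = OIDCRequest.ClientId,
        ResponseType = OIDCRequest.ResponseType,
        State = OIDCRequest.State,
        Scopes = validScopes.ToArray(),
        RedirectUri = OIDCRequest.RedirectUri
    };
}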
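/// <summary>
/// Builds the <see cref="AuthenticationTicket"/> the OpenID Connect server signs for an interactive
/// authorization. Every claim added here targets both the access token and the identity token.
/// </summary>
/// <param name="user">The authenticated user granting access.</param>
/// <param name="authorizeViewModel">The validated authorization request (client id, response type, scopes).</param>
/// <returns>A ticket carrying the user, grant and client claims plus the granted scopes.</returns>
/// <exception cref="ArgumentNullException">Either argument is <c>null</c>.</exception>
public static AuthenticationTicket MakeClaimsForInteractive(ApplicationUser user, AuthorizeViewModel authorizeViewModel)
{
    if (user == null)
    {
        throw new ArgumentNullException(nameof(user));
    }
    if (authorizeViewModel == null)
    {
        throw new ArgumentNullException(nameof(authorizeViewModel));
    }

    /*
     * If you want to issue an OpenId Token, the spec for which is available at https://openid.net/connect/
     * Then in each of the SetDestinations, add a reference to OpenIdConnect.Destinations.IdentityToken, like so:
     *
     * new Claim("grant_type", OpenIdConnectConstants.GrantTypes.AuthorizationCode)
     *     .SetDestinations(OpenIdConnectConstants.Destinations.AccessToken, OpenIdConnectConstants.Destinations.IdentityToken));
     *
     * This ensures that the claims you are concerned about will be placed into the Identity Token, which other services may access.
     */
    ClaimsIdentity identity = new ClaimsIdentity(
        OpenIdConnectServerDefaults.AuthenticationScheme,
        OpenIdConnectConstants.Claims.Name,
        OpenIdConnectConstants.Claims.Role);

    identity.AddClaim(ClaimForBothTokens(ClaimTypes.NameIdentifier, user.Id));
    identity.AddClaim(ClaimForBothTokens(ClaimTypes.Name, user.NormalizedUserName));
    // NOTE(review): the security stamp is written into both tokens, so it is presumably visible to
    // whoever receives the identity token (the client application). If it is only consumed
    // server-side when validating the access token, consider restricting this claim to the
    // AccessToken destination.
    identity.AddClaim(ClaimForBothTokens("AspNet.Identity.SecurityStamp", user.SecurityStamp));
    // We serialize the user_id so we can determine which user the caller of this token is.
    identity.AddClaim(ClaimForBothTokens(OpenIdConnectConstants.Claims.Subject, user.Id));

    // We serialize the grant_type so we can discriminate rate-limits per grant type.
    // AuthorizationCode grants typically have the highest rate-limit allowance.
    switch (authorizeViewModel.ResponseType)
    {
        case OpenIdConnectConstants.ResponseTypes.Code:
            identity.AddClaim(ClaimForBothTokens("grant_type", OpenIdConnectConstants.GrantTypes.AuthorizationCode));
            break;
        case OpenIdConnectConstants.ResponseTypes.Token:
            identity.AddClaim(ClaimForBothTokens("grant_type", OpenIdConnectConstants.GrantTypes.Implicit));
            break;
        default:
            // Any other response type gets no grant_type claim.
            break;
    }

    // We serialize the client_id so we can monitor for usage patterns of a given app, and also to allow for app-based token revokes.
    identity.AddClaim(ClaimForBothTokens("client_id", authorizeViewModel.ClientId));

    AuthenticationTicket ticket = new AuthenticationTicket(
        new ClaimsPrincipal(identity),
        new AuthenticationProperties(),
        OpenIdConnectServerDefaults.AuthenticationScheme);

    // Granted scopes, in order and without duplicates: "openid" always, "offline_access" only
    // for the Authorization Code flow, then the known scopes the user consented to.
    ICollection<string> scopesToAdd = new List<string>();
    HashSet<string> seenScopes = new HashSet<string>(StringComparer.Ordinal);

    /* If you've chosen to add an OpenId token to your destinations, be sure to include
       OpenIdConnectConstants.Scopes.OpenId in this list. */
    // Lets our requesting clients know that an OpenId Token was generated with the original request.
    scopesToAdd.Add(OpenIdConnectConstants.Scopes.OpenId);
    seenScopes.Add(OpenIdConnectConstants.Scopes.OpenId);

    if (authorizeViewModel.ResponseType == OpenIdConnectConstants.ResponseTypes.Code)
    {
        // Gives us a RefreshToken; only do this when following the `Authorization Code` flow.
        // For `Implicit Grant` we don't supply a refresh token.
        scopesToAdd.Add(OpenIdConnectConstants.Scopes.OfflineAccess);
        seenScopes.Add(OpenIdConnectConstants.Scopes.OfflineAccess);
    }

    // Only known scope names are granted; a repeated name (including a client re-requesting
    // "openid" or "offline_access" explicitly) is added once.
    foreach (string s in authorizeViewModel.Scopes ?? new string[0])
    {
        if (OAuthScope.NameInScopes(s) && seenScopes.Add(s))
        {
            scopesToAdd.Add(s);
        }
    }

    ticket.SetScopes(scopesToAdd);
    return ticket;
}

/// <summary>
/// Creates a claim destined for both the access token and the identity token, the placement
/// used by every claim issued from <see cref="MakeClaimsForInteractive"/>.
/// </summary>
/// <param name="type">The claim type.</param>
/// <param name="value">The claim value.</param>
/// <returns>The new claim with both destinations set.</returns>
private static Claim ClaimForBothTokens(string type, string value)
{
    return new Claim(type, value)
        .SetDestinations(
            OpenIdConnectConstants.Destinations.AccessToken,
            OpenIdConnectConstants.Destinations.IdentityToken);
}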