/// <summary>
/// Consent endpoint: the signed-in user has approved the pending authorization
/// request, so an identity restricted to the requested scopes is built and handed
/// to OpenIddict, which then issues the code / id_token / token for the flow.
/// </summary>
/// <param name="request">The pending OpenID Connect authorization request.</param>
/// <returns>
/// A <c>SignIn</c> result that OpenIddict converts into the authorization response,
/// or the "Error" view when no application user can be resolved for the caller.
/// </returns>
public async Task<IActionResult> Accept(OpenIdConnectRequest request)
{
    // Resolve the application user behind the current principal.
    var currentUser = await _userManager.GetUserAsync(User);
    if (currentUser == null)
    {
        // NOTE(review): GetUserAsync also yields null for an anonymous caller, so this
        // branch answers "server error" to an unauthenticated request unless the action
        // is guarded by [Authorize] (attributes are not visible here) — confirm.
        var errorModel = new ErrorViewModel
        {
            Error = OpenIdConnectConstants.Errors.ServerError,
            ErrorDescription = "An internal error has occurred"
        };
        return View("Error", errorModel);
    }

    var requestedScopes = request.GetScopes();

    // The identity carries the claims that end up in the id_token, access token or code.
    var identity = await _userManager.CreateIdentityAsync(currentUser, requestedScopes);

    // NOTE(review): scopes and resources are copied from the request unfiltered. This
    // relies on the server middleware having already validated them against the client's
    // registration; verify that before relying on it for custom scopes.
    var ticket = new AuthenticationTicket(
        new ClaimsPrincipal(identity),
        new AuthenticationProperties(),
        OpenIdConnectServerDefaults.AuthenticationScheme);
    ticket.SetResources(request.GetResources());
    ticket.SetScopes(requestedScopes);

    // A SignIn result asks OpenIddict to issue the appropriate access/identity tokens.
    return SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme);
}
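/// <summary>
/// Token endpoint handler for the resource owner password grant. Verifies the
/// supplied username/password against ASP.NET Core Identity, enforces the lockout
/// policy, and returns a <c>SignIn</c> result so OpenIddict issues the tokens.
/// </summary>
/// <param name="request">The incoming OpenID Connect token request.</param>
/// <returns>
/// A <c>SignIn</c> result on success; otherwise a 400 response carrying an
/// <c>invalid_grant</c> or <c>unsupported_grant_type</c> error.
/// </returns>
/// <remarks>
/// Changes from the previous version: (1) a locked-out account is now refused —
/// <c>CheckPasswordAsync</c> only verifies the password, so without an explicit
/// <c>IsLockedOutAsync</c> check the counter is never enforced; (2) failed attempts
/// feed <c>AccessFailedAsync</c> and successes reset the counter, as the sibling
/// <c>Exchange</c> handlers already do; (3) the "not allowed to sign in" reply is
/// issued only after the password has been verified, so an unauthenticated caller
/// cannot use it to learn which usernames exist.
/// </remarks>
public async Task<IActionResult> CreateToken(OpenIdConnectRequest request)
{
    if (!request.IsPasswordGrantType())
    {
        return BadRequest(new OpenIdConnectResponse()
        {
            Error = OpenIdConnectConstants.Errors.UnsupportedGrantType,
            ErrorDescription = "The specified grant type is not supported."
        });
    }

    // One indistinguishable reply for unknown user, locked-out account and wrong
    // password, so the endpoint does not confirm which usernames exist.
    var invalidCredentials = new OpenIdConnectResponse()
    {
        Error = OpenIdConnectConstants.Errors.InvalidGrant,
        ErrorDescription = "The username/password couple is invalid."
    };

    var user = await userManager.FindByNameAsync(request.Username);
    if (user == null)
    {
        return BadRequest(invalidCredentials);
    }

    // Refuse a locked-out account before touching the password. The reply is the
    // same as for a bad password so brute-forcing cannot detect the lockout.
    if (userManager.SupportsUserLockout && await userManager.IsLockedOutAsync(user))
    {
        return BadRequest(invalidCredentials);
    }

    if (!await userManager.CheckPasswordAsync(user, request.Password))
    {
        // Record the failure so repeated guesses eventually trip the lockout policy.
        if (userManager.SupportsUserLockout)
        {
            await userManager.AccessFailedAsync(user);
        }
        return BadRequest(invalidCredentials);
    }

    if (userManager.SupportsUserLockout)
    {
        await userManager.ResetAccessFailedCountAsync(user);
    }

    // Account-state checks (confirmed e-mail/phone etc.) run only after the password
    // is verified, so this distinct message is never shown to an unauthenticated caller.
    if (!await signInManager.CanSignInAsync(user))
    {
        return BadRequest(new OpenIdConnectResponse()
        {
            Error = OpenIdConnectConstants.Errors.InvalidGrant,
            ErrorDescription = "The specified user is not allowed to sign in."
        });
    }

    var identity = await userManager.CreateIdentityAsync(user, request.GetScopes());

    var ticket = new AuthenticationTicket(
        new ClaimsPrincipal(identity),
        new AuthenticationProperties(),
        OpenIdConnectServerDefaults.AuthenticationScheme);

    // Only the well-known scopes may be granted; anything else in the request is dropped.
    ticket.SetScopes(new[]
    {
        OpenIdConnectConstants.Scopes.OpenId,
        OpenIdConnectConstants.Scopes.Email,
        OpenIdConnectConstants.Scopes.Profile,
        OpenIdConnectConstants.Scopes.OfflineAccess
    }.Intersect(request.GetScopes()));

    return SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme);
}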
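/// <summary>
/// Token endpoint handler for the resource owner password grant. Reads the request
/// from the HTTP context, verifies the credentials with ASP.NET Core Identity,
/// enforces the lockout policy and returns a <c>SignIn</c> result for OpenIddict.
/// </summary>
/// <returns>
/// A <c>SignIn</c> result on success; otherwise an HTTP 400 response whose body is
/// an <c>OpenIdConnectResponse</c> with <c>invalid_grant</c> or <c>unsupported_grant_type</c>.
/// </returns>
/// <remarks>
/// Changes from the previous version: (1) a locked-out account is now rejected —
/// <c>CheckPasswordAsync</c> only verifies the password, so the <c>AccessFailedAsync</c>
/// counter was being recorded but never enforced; (2) error replies use
/// <c>BadRequest</c> (HTTP 400, as RFC 6749 §5.2 requires for token errors) instead of
/// <c>Json(...)</c>, which reported the error with a 200 status.
/// </remarks>
public async Task<IActionResult> Exchange()
{
    var request = HttpContext.GetOpenIdConnectRequest();

    if (!request.IsPasswordGrantType())
    {
        return BadRequest(new OpenIdConnectResponse
        {
            Error = OpenIdConnectConstants.Errors.UnsupportedGrantType
        });
    }

    // Same reply for unknown user, locked-out account and wrong password, so the
    // endpoint does not reveal which usernames exist or are being throttled.
    var invalidGrant = new OpenIdConnectResponse
    {
        Error = OpenIdConnectConstants.Errors.InvalidGrant
    };

    var user = await _userManager.FindByNameAsync(request.Username);
    if (user == null)
    {
        return BadRequest(invalidGrant);
    }

    // Enforce the lockout before checking the password; otherwise the counter
    // incremented below has no effect.
    if (_userManager.SupportsUserLockout && await _userManager.IsLockedOutAsync(user))
    {
        return BadRequest(invalidGrant);
    }

    // Ensure the password is valid.
    if (!await _userManager.CheckPasswordAsync(user, request.Password))
    {
        if (_userManager.SupportsUserLockout)
        {
            await _userManager.AccessFailedAsync(user);
        }
        return BadRequest(invalidGrant);
    }

    if (_userManager.SupportsUserLockout)
    {
        await _userManager.ResetAccessFailedCountAsync(user);
    }

    var identity = await _userManager.CreateIdentityAsync(user, request.GetScopes());

    // NOTE(review): scopes and resources are granted exactly as requested; this assumes
    // the server middleware already validated them against the client registration.
    var ticket = new AuthenticationTicket(
        new ClaimsPrincipal(identity),
        new AuthenticationProperties(),
        OpenIdConnectServerDefaults.AuthenticationScheme);
    ticket.SetResources(request.GetResources());
    ticket.SetScopes(request.GetScopes());

    return SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme);
}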
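/// <summary>
/// Token endpoint handler for the resource owner password grant. Verifies the
/// credentials with ASP.NET Core Identity, enforces the lockout policy, adds the
/// user's given name as a claim and returns a <c>SignIn</c> result for OpenIddict.
/// </summary>
/// <returns>
/// A <c>SignIn</c> result on success; otherwise a 400 response carrying an
/// <c>invalid_grant</c> or <c>unsupported_grant_type</c> error.
/// </returns>
/// <remarks>
/// Changes from the previous version: (1) a locked-out account is now rejected —
/// <c>CheckPasswordAsync</c> only verifies the password, so the <c>AccessFailedAsync</c>
/// counter was being recorded but never enforced; (2) the <c>given_name</c> claim is
/// only added when the user actually has a given name, instead of passing a null or
/// empty value to <c>AddClaim</c>.
/// </remarks>
public async Task<IActionResult> Exchange()
{
    var request = HttpContext.GetOpenIdConnectRequest();

    if (!request.IsPasswordGrantType())
    {
        return BadRequest(new OpenIdConnectResponse
        {
            Error = OpenIdConnectConstants.Errors.UnsupportedGrantType,
            ErrorDescription = "The specified grant type is not supported."
        });
    }

    // Same reply for unknown user, locked-out account and wrong password, so the
    // endpoint does not reveal which usernames exist or are being throttled.
    var invalidCredentials = new OpenIdConnectResponse
    {
        Error = OpenIdConnectConstants.Errors.InvalidGrant,
        ErrorDescription = "The username/password couple is invalid."
    };

    var user = await _userManager.FindByNameAsync(request.Username);
    if (user == null)
    {
        return BadRequest(invalidCredentials);
    }

    // Enforce the lockout before checking the password; otherwise the counter
    // incremented below has no effect.
    if (_userManager.SupportsUserLockout && await _userManager.IsLockedOutAsync(user))
    {
        return BadRequest(invalidCredentials);
    }

    // Ensure the password is valid.
    if (!await _userManager.CheckPasswordAsync(user, request.Password))
    {
        if (_userManager.SupportsUserLockout)
        {
            await _userManager.AccessFailedAsync(user);
        }
        return BadRequest(invalidCredentials);
    }

    if (_userManager.SupportsUserLockout)
    {
        await _userManager.ResetAccessFailedCountAsync(user);
    }

    var identity = await _userManager.CreateIdentityAsync(user, request.GetScopes());

    // Add a custom claim that will be persisted in both the access and the identity
    // tokens. Skipped when the user has no given name rather than emitting an empty claim.
    if (!string.IsNullOrEmpty(user.GivenName))
    {
        identity.AddClaim("given_name", user.GivenName,
            OpenIdConnectConstants.Destinations.AccessToken,
            OpenIdConnectConstants.Destinations.IdentityToken);
    }

    // NOTE(review): scopes and resources are granted exactly as requested; this assumes
    // the server middleware already validated them against the client registration.
    var ticket = new AuthenticationTicket(
        new ClaimsPrincipal(identity),
        new AuthenticationProperties(),
        OpenIdConnectServerDefaults.AuthenticationScheme);
    ticket.SetResources(request.GetResources());
    ticket.SetScopes(request.GetScopes());

    return SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme);
}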
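/// <summary>
/// Token endpoint handler for the resource owner password grant. Verifies the
/// credentials with ASP.NET Core Identity, enforces lockout, then refuses accounts
/// that still need confirmation or have two-factor enabled, and otherwise returns a
/// <c>SignIn</c> result for OpenIddict.
/// </summary>
/// <returns>
/// A <c>SignIn</c> result on success; a project <c>Res.JsonErrorResult</c> with code
/// "invalid", "needs_confirm" or "2fa" when the request is refused; a 400
/// <c>unsupported_grant_type</c> response for any other grant.
/// </returns>
/// <remarks>
/// Change from the previous version: the "needs_confirm" and "2fa" replies are now
/// issued only after the password has been verified. Before, they were returned to
/// anyone who knew a username, which confirmed that the account exists and how it is
/// protected — exactly the information the identical "invalid" reply for unknown
/// users, locked-out users and bad passwords is meant to withhold.
/// </remarks>
public async Task<IActionResult> Exchange()
{
    var request = HttpContext.GetOpenIdConnectRequest();

    if (!request.IsPasswordGrantType())
    {
        return BadRequest(new OpenIdConnectResponse
        {
            Error = OpenIdConnectConstants.Errors.UnsupportedGrantType,
            ErrorDescription = "The specified grant type is not supported."
        });
    }

    // NOTE(review): RFC 6749 §5.2 specifies HTTP 400 for token-endpoint errors; the 401
    // used by Res.JsonErrorResult below is kept as the project chose it — confirm.
    var user = await _userManager.FindByNameAsync(request.Username);
    if (user == null)
    {
        return Res.JsonErrorResult("invalid", 401);
    }

    // Lockout response must be the same as invalid credentials to foil brute force attacks.
    if (_userManager.SupportsUserLockout && await _userManager.IsLockedOutAsync(user))
    {
        return Res.JsonErrorResult("invalid", 401);
    }

    // Ensure the password is valid.
    if (!await _userManager.CheckPasswordAsync(user, request.Password))
    {
        if (_userManager.SupportsUserLockout)
        {
            await _userManager.AccessFailedAsync(user);
        }
        return Res.JsonErrorResult("invalid", 401);
    }

    if (_userManager.SupportsUserLockout)
    {
        await _userManager.ResetAccessFailedCountAsync(user);
    }

    // Account-state replies come only after the password has been verified, so they
    // never disclose the existence or protection level of an account to an
    // unauthenticated caller.

    // Check that email or phone verification is done if required.
    if (!await _signInManager.CanSignInAsync(user))
    {
        return Res.JsonErrorResult("needs_confirm", 401); // Original note: actual response is 302 redirect.
    }

    // Reject the token request if two-factor authentication has been enabled by the user.
    if (_userManager.SupportsUserTwoFactor && await _userManager.GetTwoFactorEnabledAsync(user))
    {
        return Res.JsonErrorResult("2fa", 401);
    }

    var identity = await _userManager.CreateIdentityAsync(user, request.GetScopes());

    // NOTE(review): scopes and resources are granted exactly as requested; this assumes
    // the server middleware already validated them against the client registration.
    var ticket = new AuthenticationTicket(
        new ClaimsPrincipal(identity),
        new AuthenticationProperties(),
        OpenIdConnectServerDefaults.AuthenticationScheme);
    ticket.SetResources(request.GetResources());
    ticket.SetScopes(request.GetScopes());

    return SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme);
}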