public override async Task ValidateRevocationRequest(ValidateRevocationRequestContext context)
{
var query = new ValidateClientQuery(context.ClientId, context.ClientSecret);
var result = await ExecuteQuery(context, query);
if (!result.Succeeded)
{
context.Reject(
error: "invalid_client",
description: "Client not found in the database: ensure that your client_id is correct");
return;
}
context.HttpContext.Items.Add("as:clientAllowedOrigin", result.AllowedOrigin);
// When token_type_hint is specified, reject the request if it doesn't correspond to a revocable token.
if (!string.IsNullOrEmpty(context.TokenTypeHint) &&
!string.Equals(context.TokenTypeHint, OpenIdConnectConstants.TokenTypeHints.RefreshToken))
{
context.Reject(
error: OpenIdConnectConstants.Errors.UnsupportedTokenType,
description: "Only refresh tokens can be revoked. When specifying a token_type_hint " +
"parameter, its value must be equal to 'refresh_token'.");
return;
}
context.Validate();
}
/// <summary>
/// Validates whether the client is a valid known application in our system.
/// </summary>
public override async Task ValidateTokenRequest(ValidateTokenRequestContext context)
{
if (!context.Request.IsRefreshTokenGrantType() &&
!context.Request.IsPasswordGrantType())
{
context.Reject(
error: OpenIdConnectConstants.Errors.UnsupportedGrantType,
description: "Only password and refresh token grant types " +
"are accepted by this authorization server");
return;
}
var query = new ValidateClientQuery(context.ClientId, context.ClientSecret);
var result = await ExecuteQuery(context, query);
if (!result.Succeeded)
{
context.Reject(
error: "invalid_client",
description: "Client not found in the database: ensure that your client_id is correct");
return;
}
context.HttpContext.Items.Add("as:clientAllowedOrigin", result.AllowedOrigin);
if (context.Request.IsPasswordGrantType())
{
// Resolve ASP.NET Core Identity's user manager from the DI container.
var userManager = context.HttpContext.RequestServices.GetRequiredService <UserManager <IdentityUser> >();
var user = await userManager.FindByNameAsync(context.Request.Username);
if (user == null)
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "Invalid user details.");
return;
}
// Reject the token request if email confirmation is required.
//if (!(await userManager.IsEmailConfirmedAsync(user)))
//{
// context.Reject(
// error: OpenIdConnectConstants.Errors.InvalidGrant,
// description: "Email confirmation is required for this account.");
// return;
//}
}
context.Validate();
}
public async Task <IActionResult> Exchange(OpenIdConnectRequest request)
{
Debug.Assert(request.IsTokenRequest(),
"The OpenIddict binder for ASP.NET Core MVC is not registered. " +
"Make sure services.AddOpenIddict().AddMvcBinders() is correctly called.");
if (!request.IsRefreshTokenGrantType() &&
!request.IsPasswordGrantType())
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.UnsupportedGrantType,
ErrorDescription = "Only password and refresh token grant types " +
"are accepted by this authorization server"
}));
}
var query = new ValidateClientQuery(request.ClientId, request.ClientSecret);
var result = await _queryProcessor.ProcessAsync(query);
if (!result.Succeeded)
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidClient,
ErrorDescription = "Client not found in the database: ensure that your client_id is correct"
}));
}
Request.HttpContext.Items.Add("as:clientAllowedOrigin", result.AllowedOrigin);
if (request.IsPasswordGrantType())
{
// Resolve ASP.NET Core Identity's user manager from the DI container.
var user = await _userManager.FindByNameAsync(request.Username);
if (user == null)
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "Invalid user details."
}));
}
}
if (request.IsPasswordGrantType() || request.IsRefreshTokenGrantType())
{
//Set CORS
SetCorsHeader(request);
// Retrieve the claims principal stored in the authorization code/refresh token.
var info = await HttpContext.Authentication.GetAuthenticateInfoAsync(
OpenIdConnectServerDefaults.AuthenticationScheme);
// Resolve ASP.NET Core Identity's user manager from the DI container.
var user = await _userManager.FindByNameAsync(request.Username);
// Create a new authentication ticket, but reuse the properties stored in the
// authorization code/refresh token, including the scopes originally granted.
var ticket = await CreateTicketAsync(request, user, info.Properties);
return(SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme));
}
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.UnsupportedGrantType,
ErrorDescription = "The specified grant type is not supported."
}));
}
