/// <summary>
 /// Called when receiving an access token. An application may use this context
 /// to deserialize the token using a custom format and to skip the default logic using
 /// <see cref="BaseContext{OpenIdConnectServerOptions}.HandleResponse"/>.
 /// </summary>
 /// <param name="context">The context of the event carries information in and results out.</param>
 /// <returns>Task to enable asynchronous execution</returns>
 public virtual Task ReceiveAccessToken(ReceiveAccessTokenContext context) => OnReceiveAccessToken(context);
コード例 #2
0
        private async Task <AuthenticationTicket> ReceiveAccessTokenAsync(string token, OpenIdConnectMessage request)
        {
            try {
                var notification = new ReceiveAccessTokenContext(Context, Options, request, token)
                {
                    DataFormat           = Options.AccessTokenFormat,
                    Issuer               = Context.GetIssuer(Options),
                    SecurityTokenHandler = Options.AccessTokenHandler,
                    SignatureProvider    = Options.SignatureProvider,
                    SigningKey           = Options.SigningCredentials.Select(credentials => credentials.SigningKey)
                                           .FirstOrDefault()
                };

                // Sets the default deserializer used to resolve the
                // authentication ticket corresponding to the access token.
                notification.Deserializer = payload => {
                    var handler = notification.SecurityTokenHandler as ISecurityTokenValidator;
                    if (handler == null)
                    {
                        return(Task.FromResult(notification.DataFormat?.Unprotect(payload)));
                    }

                    // Create new validation parameters to validate the security token.
                    // ValidateAudience and ValidateLifetime are always set to false:
                    // if necessary, the audience and the expiration can be validated
                    // in InvokeValidationEndpointAsync or InvokeTokenEndpointAsync.
                    var parameters = new TokenValidationParameters {
                        IssuerSigningKey = notification.SigningKey,
                        ValidIssuer      = notification.Issuer,
                        ValidateAudience = false,
                        ValidateLifetime = false
                    };

                    SecurityToken securityToken;
                    var           principal = handler.ValidateToken(payload, parameters, out securityToken);

                    // Parameters stored in AuthenticationProperties are lost
                    // when the identity token is serialized using a security token handler.
                    // To mitigate that, they are inferred from the claims or the security token.
                    var properties = new AuthenticationProperties {
                        ExpiresUtc = securityToken.ValidTo,
                        IssuedUtc  = securityToken.ValidFrom
                    };

                    var audiences = principal.FindAll(JwtRegisteredClaimNames.Aud);
                    if (audiences.Any())
                    {
                        properties.SetAudiences(audiences.Select(claim => claim.Value));
                    }

                    var usage = principal.FindFirst(OpenIdConnectConstants.Extra.Usage);
                    if (usage != null)
                    {
                        properties.SetUsage(usage.Value);
                    }

                    if (principal.Claims.Any(claim => claim.Type == OpenIdConnectConstants.Extra.Confidential))
                    {
                        properties.Items[OpenIdConnectConstants.Extra.Confidential] = "true";
                    }

                    return(Task.FromResult(new AuthenticationTicket(principal, properties, Options.AuthenticationScheme)));
                };

                await Options.Provider.ReceiveAccessToken(notification);

                // Directly return the authentication ticket if one
                // has been provided by ReceiveAccessToken.
                // Treat a non-null ticket like an implicit HandleResponse call.
                if (notification.HandledResponse || notification.AuthenticationTicket != null)
                {
                    if (notification.AuthenticationTicket == null)
                    {
                        return(null);
                    }

                    // Ensure the received ticket is an access token.
                    if (!notification.AuthenticationTicket.IsAccessToken())
                    {
                        Logger.LogVerbose("The received token was not an access token: {0}.", token);

                        return(null);
                    }

                    return(notification.AuthenticationTicket);
                }

                else if (notification.Skipped)
                {
                    return(null);
                }

                var ticket = await notification.DeserializeTicketAsync(token);

                if (ticket == null)
                {
                    return(null);
                }

                // Ensure the received ticket is an access token.
                if (!ticket.IsAccessToken())
                {
                    Logger.LogVerbose("The received token was not an access token: {0}.", token);

                    return(null);
                }

                return(ticket);
            }

            catch (Exception exception) {
                Logger.LogWarning("An exception occured when deserializing an access token.", exception);

                return(null);
            }
        }