/// <summary> /// Custom validation logic for the token request. /// </summary> /// <param name="request">The validated request.</param> /// <returns> /// The validation result /// </returns> public Task<ValidationResult> ValidateTokenRequestAsync(ValidatedTokenRequest request) { return Task.FromResult(new ValidationResult { IsError = false }); }
public TokenRequestValidationLog(ValidatedTokenRequest request) { if (request.Options.LoggingOptions.IncludeSensitiveDataInLogs) { Raw = request.Raw.ToDictionary(); } if (request.Client != null) { ClientId = request.Client.ClientId; ClientName = request.Client.ClientName; } if (request.Scopes != null) { Scopes = request.Scopes.ToSpaceSeparatedString(); } if (request.SignInMessage != null) { IdP = request.SignInMessage.IdP; Tenant = request.SignInMessage.Tenant; AuthenticationContextReferenceClasses = request.SignInMessage.AcrValues; } GrantType = request.GrantType; AuthorizationCode = request.AuthorizationCodeHandle; RefreshToken = request.RefreshTokenHandle; UserName = request.UserName; }
public async Task<CustomGrantValidationResult> ValidateAsync(ValidatedTokenRequest request) { if (request.GrantType != "legacy_account_store") { Logger.Error("unknown custom grant type"); return null; } var legacyAccountStoreType = request.Raw.Get("account_store"); var id = request.Raw.Get("legacy_id"); var secret = request.Raw.Get("legacy_secret"); if (string.IsNullOrWhiteSpace(legacyAccountStoreType) || string.IsNullOrWhiteSpace(id) || string.IsNullOrWhiteSpace(secret)) { Logger.Error("malformed request"); return null; } var message = new SignInMessage { Tenant = legacyAccountStoreType }; var result = await _users.AuthenticateLocalAsync(id, secret, message); if (result.IsError) { Logger.Error("authentication failed"); return new CustomGrantValidationResult("Authentication failed."); } return new CustomGrantValidationResult( result.User.GetSubjectId(), "custom", result.User.Claims); }
public Task<CustomGrantValidationResult> ValidateAsync(ValidatedTokenRequest request) { if (request.GrantType == "custom_grant") { return Task.FromResult(new CustomGrantValidationResult("bob", "CustomGrant")); }; return Task.FromResult<CustomGrantValidationResult>(null); }
Task<CustomGrantValidationResult> ICustomGrantValidator.ValidateAsync(ValidatedTokenRequest request) { var param = request.Raw.Get("some_custom_parameter"); if (string.IsNullOrWhiteSpace(param)) { return Task.FromResult<CustomGrantValidationResult>( new CustomGrantValidationResult("Missing parameters.")); } return Task.FromResult(new CustomGrantValidationResult("bob", "customGrant")); }
public Task<CustomGrantValidationResult> ValidateAsync(ValidatedTokenRequest request) { if (request.GrantType == "customGrant") { return Task.FromResult(new CustomGrantValidationResult { Principal = Principal.Create("CustomGrant", new Claim("sub", "bob")) }); }; return Task.FromResult<CustomGrantValidationResult>(null); }
public async Task<TokenResponse> ProcessAsync(ValidatedTokenRequest request) { Logger.Info("Creating token response"); if (request.GrantType == Constants.GrantTypes.AuthorizationCode) { return await ProcessAuthorizationCodeRequestAsync(request); } if (request.GrantType == Constants.GrantTypes.RefreshToken) { return await ProcessRefreshTokenRequestAsync(request); } return await ProcessTokenRequestAsync(request); }
private async Task<TokenResponse> ProcessAuthorizationCodeRequestAsync(ValidatedTokenRequest request) { Logger.Info("Processing authorization code request"); ////////////////////////// // access token ///////////////////////// var accessToken = await CreateAccessTokenAsync(request); var response = new TokenResponse { AccessToken = accessToken.Item1, AccessTokenLifetime = request.Client.AccessTokenLifetime }; ////////////////////////// // refresh token ///////////////////////// if (accessToken.Item2.IsPresent()) { response.RefreshToken = accessToken.Item2; } ////////////////////////// // id token ///////////////////////// if (request.AuthorizationCode.IsOpenId) { var tokenRequest = new TokenCreationRequest { Subject = request.AuthorizationCode.Subject, Client = request.AuthorizationCode.Client, Scopes = request.AuthorizationCode.RequestedScopes, Nonce = request.AuthorizationCode.Nonce, ValidatedRequest = request }; var idToken = await _tokenService.CreateIdentityTokenAsync(tokenRequest); var jwt = await _tokenService.CreateSecurityTokenAsync(idToken); response.IdentityToken = jwt; } return response; }
public async Task <ValidationResult> ValidateRequestAsync(NameValueCollection parameters, Client client) { Logger.Info("Start token request validation"); _validatedRequest = new ValidatedTokenRequest(); if (client == null) { throw new ArgumentNullException("client"); } if (parameters == null) { throw new ArgumentNullException("parameters"); } _validatedRequest.Raw = parameters; _validatedRequest.Client = client; _validatedRequest.Options = _options; ///////////////////////////////////////////// // check grant type ///////////////////////////////////////////// var grantType = parameters.Get(Constants.TokenRequest.GrantType); if (grantType.IsMissing()) { LogError("Grant type is missing."); return(Invalid(Constants.TokenErrors.UnsupportedGrantType)); } if (grantType.Length > Constants.MaxGrantTypeLength) { LogError("Grant type is too long."); return(Invalid(Constants.TokenErrors.UnsupportedGrantType)); } _validatedRequest.GrantType = grantType; // standard grant types switch (grantType) { case Constants.GrantTypes.AuthorizationCode: return(await RunValidationAsync(ValidateAuthorizationCodeRequestAsync, parameters)); case Constants.GrantTypes.ClientCredentials: return(await RunValidationAsync(ValidateClientCredentialsRequestAsync, parameters)); case Constants.GrantTypes.Password: return(await RunValidationAsync(ValidateResourceOwnerCredentialRequestAsync, parameters)); case Constants.GrantTypes.RefreshToken: return(await RunValidationAsync(ValidateRefreshTokenRequestAsync, parameters)); } // custom grant type var result = await RunValidationAsync(ValidateCustomGrantRequestAsync, parameters); if (result.IsError) { if (result.Error.IsPresent()) { return(result); } LogError("Unsupported grant_type: " + grantType); return(Invalid(Constants.TokenErrors.UnsupportedGrantType)); } return(result); }
/// <summary> /// Validates the custom grant request. /// </summary> /// <param name="request">The validated token request.</param> /// <returns> /// A principal /// </returns> public Task<CustomGrantValidationResult> ValidateAsync(ValidatedTokenRequest request) { return Task.FromResult<CustomGrantValidationResult>(null); }
public async Task<ValidationResult> ValidateRequestAsync(NameValueCollection parameters, Client client) { Logger.Info("Start token request validation"); _validatedRequest = new ValidatedTokenRequest(); if (client == null) { throw new ArgumentNullException("client"); } if (parameters == null) { throw new ArgumentNullException("parameters"); } _validatedRequest.Raw = parameters; _validatedRequest.Client = client; _validatedRequest.Options = _options; ///////////////////////////////////////////// // check grant type ///////////////////////////////////////////// var grantType = parameters.Get(Constants.TokenRequest.GrantType); if (grantType.IsMissing()) { LogError("Grant type is missing."); return Invalid(Constants.TokenErrors.UnsupportedGrantType); } _validatedRequest.GrantType = grantType; // standard grant types switch (grantType) { case Constants.GrantTypes.AuthorizationCode: return await RunValidationAsync(ValidateAuthorizationCodeRequestAsync, parameters); case Constants.GrantTypes.ClientCredentials: return await RunValidationAsync(ValidateClientCredentialsRequestAsync, parameters); case Constants.GrantTypes.Password: return await RunValidationAsync(ValidateResourceOwnerCredentialRequestAsync, parameters); case Constants.GrantTypes.RefreshToken: return await RunValidationAsync(ValidateRefreshTokenRequestAsync, parameters); } // custom grant type var result = await RunValidationAsync(ValidateCustomGrantRequestAsync, parameters); if (result.IsError) { if (result.Error.IsPresent()) { return result; } LogError("Unsupported grant_type: " + grantType); return Invalid(Constants.TokenErrors.UnsupportedGrantType); } return result; }
private async Task<Tuple<string, string>> CreateAccessTokenAsync(ValidatedTokenRequest request) { TokenCreationRequest tokenRequest; bool createRefreshToken; if (request.AuthorizationCode != null) { createRefreshToken = request.AuthorizationCode.RequestedScopes.Select(s => s.Name).Contains(Constants.StandardScopes.OfflineAccess); tokenRequest = new TokenCreationRequest { Subject = request.AuthorizationCode.Subject, Client = request.AuthorizationCode.Client, Scopes = request.AuthorizationCode.RequestedScopes, ValidatedRequest = request }; } else { createRefreshToken = request.ValidatedScopes.ContainsOfflineAccessScope; tokenRequest = new TokenCreationRequest { Subject = request.Subject, Client = request.Client, Scopes = request.ValidatedScopes.GrantedScopes, ValidatedRequest = request }; } Token accessToken = await _tokenService.CreateAccessTokenAsync(tokenRequest); string refreshToken = ""; if (createRefreshToken) { refreshToken = await _refreshTokenService.CreateRefreshTokenAsync(accessToken, request.Client); } var securityToken = await _tokenService.CreateSecurityTokenAsync(accessToken); return Tuple.Create(securityToken, refreshToken); }
private async Task<TokenResponse> ProcessRefreshTokenRequestAsync(ValidatedTokenRequest request) { Logger.Info("Processing refresh token request"); var oldAccessToken = request.RefreshToken.AccessToken; oldAccessToken.CreationTime = DateTimeOffset.UtcNow; oldAccessToken.Lifetime = request.Client.AccessTokenLifetime; var newAccessToken = await _tokenService.CreateSecurityTokenAsync(oldAccessToken); var handle = await _refreshTokenService.UpdateRefreshTokenAsync(request.RefreshTokenHandle, request.RefreshToken, request.Client); return new TokenResponse { AccessToken = newAccessToken, AccessTokenLifetime = request.Client.AccessTokenLifetime, RefreshToken = handle }; }
private async Task<TokenResponse> ProcessTokenRequestAsync(ValidatedTokenRequest request) { Logger.Info("Processing token request"); var accessToken = await CreateAccessTokenAsync(request); var response = new TokenResponse { AccessToken = accessToken.Item1, AccessTokenLifetime = request.Client.AccessTokenLifetime }; if (accessToken.Item2.IsPresent()) { response.RefreshToken = accessToken.Item2; } return response; }
private async Task<TokenResponse> ProcessRefreshTokenRequestAsync(ValidatedTokenRequest request) { Logger.Info("Processing refresh token request"); var oldAccessToken = request.RefreshToken.AccessToken; string accessTokenString; if (request.Client.UpdateAccessTokenClaimsOnRefresh) { // re-create original subject var subject = IdentityServerPrincipal.FromClaims(oldAccessToken.Claims, allowMissing: true); var creationRequest = new TokenCreationRequest { Client = request.Client, Subject = subject, ValidatedRequest = request, Scopes = await _scopes.FindScopesAsync(oldAccessToken.Scopes) }; var newAccessToken = await _tokenService.CreateAccessTokenAsync(creationRequest); accessTokenString = await _tokenService.CreateSecurityTokenAsync(newAccessToken); } else { oldAccessToken.CreationTime = DateTimeOffsetHelper.UtcNow; oldAccessToken.Lifetime = request.Client.AccessTokenLifetime; accessTokenString = await _tokenService.CreateSecurityTokenAsync(oldAccessToken); } var handle = await _refreshTokenService.UpdateRefreshTokenAsync(request.RefreshTokenHandle, request.RefreshToken, request.Client); return new TokenResponse { AccessToken = accessTokenString, AccessTokenLifetime = request.Client.AccessTokenLifetime, RefreshToken = handle }; }