private static AuthenticationProperties CreateAuthenticationProperties()
{
var properties = new AuthenticationProperties();
properties.SetScopes(new[]
{
OpenIdConnectConstants.Scopes.OpenId,
OpenIdConnectConstants.Scopes.Email,
OpenIdConnectConstants.Scopes.Profile,
OpenIdConnectConstants.Scopes.OfflineAccess
});
properties.SetResources(new[] { "http://localhost:3000/" });
return(properties);
}
public async Task <IActionResult> Accept(CancellationToken cancellationToken)
{
// Extract the authorization request from the cache, the query string or the request form.
var request = HttpContext.GetOpenIdConnectRequest();
if (request == null)
{
return(View("Error", new OpenIdConnectMessage {
Error = "invalid_request",
ErrorDescription = "An internal error has occurred"
}));
}
// Create a new ClaimsIdentity containing the claims that
// will be used to create an id_token, a token or a code.
var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
// Copy the claims retrieved from the external identity provider
// (e.g Google, Facebook, a WS-Fed provider or another OIDC server).
foreach (var claim in HttpContext.User.Claims)
{
// Allow ClaimTypes.Name to be added in the id_token.
// ClaimTypes.NameIdentifier is automatically added, even if its
// destination is not defined or doesn't include "id_token".
// The other claims won't be visible for the client application.
if (claim.Type == ClaimTypes.Name)
{
claim.WithDestination("id_token")
.WithDestination("token");
}
identity.AddClaim(claim);
}
// Note: AspNet.Security.OpenIdConnect.Server automatically ensures an application
// corresponds to the client_id specified in the authorization request using
// IOpenIdConnectServerProvider.ValidateClientRedirectUri (see AuthorizationProvider.cs).
// In theory, this null check is thus not strictly necessary. That said, a race condition
// and a null reference exception could appear here if you manually removed the application
// details from the database after the initial check made by AspNet.Security.OpenIdConnect.Server.
var application = await GetApplicationAsync(request.ClientId, cancellationToken);
if (application == null)
{
return(View("Error", new OpenIdConnectMessage {
Error = "invalid_client",
ErrorDescription = "Details concerning the calling client application cannot be found in the database"
}));
}
// Create a new ClaimsIdentity containing the claims associated with the application.
// Note: setting identity.Actor is not mandatory but can be useful to access
// the whole delegation chain from the resource server (see ResourceController.cs).
identity.Actor = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
identity.Actor.AddClaim(ClaimTypes.NameIdentifier, application.ApplicationID);
identity.Actor.AddClaim(ClaimTypes.Name, application.DisplayName, destination: "id_token token");
var properties = new AuthenticationProperties();
// Note: you can change the list of scopes granted
// to the client application using SetScopes:
properties.SetScopes(new[] {
/* openid: */ OpenIdConnectConstants.Scopes.OpenId,
/* email: */ OpenIdConnectConstants.Scopes.Email,
/* profile: */ OpenIdConnectConstants.Scopes.Profile
});
// You can also limit the resources endpoints
// the access token should be issued for:
properties.SetResources(new[] {
"http://localhost:54540/"
});
// This call will instruct AspNet.Security.OpenIdConnect.Server to serialize
// the specified identity to build appropriate tokens (id_token and token).
// Note: you should always make sure the identities you return contain either
// a 'sub' or a 'ClaimTypes.NameIdentifier' claim. In this case, the returned
// identities always contain the name identifier returned by the external provider.
// Note: the authenticationScheme parameter must match the value configured in Startup.cs.
await HttpContext.Authentication.SignInAsync(
OpenIdConnectServerDefaults.AuthenticationScheme,
new ClaimsPrincipal(identity), properties);
return(new EmptyResult());
}
