/// <summary>
/// Builds the authentication properties attached to a sign-in: the scopes granted
/// to the client (openid, email, profile, offline_access) and the resource server
/// the issued token is meant for.
/// </summary>
/// <returns>A fresh <see cref="AuthenticationProperties"/> with scopes and resources set.</returns>
private static AuthenticationProperties CreateAuthenticationProperties()
{
    // Sample value: a local development resource server. The audience of the
    // access token is restricted to this URL.
    string[] resources = { "http://localhost:3000/" };

    string[] scopes =
    {
        OpenIdConnectConstants.Scopes.OpenId,
        OpenIdConnectConstants.Scopes.Email,
        OpenIdConnectConstants.Scopes.Profile,
        OpenIdConnectConstants.Scopes.OfflineAccess
    };

    var result = new AuthenticationProperties();
    // The two setters write independent entries, so their order does not matter.
    result.SetResources(resources);
    result.SetScopes(scopes);
    return result;
}
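/// <summary>
/// Completes the consent step of the authorization flow: builds the identity that
/// AspNet.Security.OpenIdConnect.Server serializes into the tokens and signs it in.
/// </summary>
/// <param name="cancellationToken">Propagated to the client application lookup.</param>
/// <returns>
/// An "Error" view carrying <c>invalid_request</c> when no authorization request can be
/// extracted, or <c>invalid_client</c> when the client application is not found; otherwise
/// an <see cref="EmptyResult"/>, because the response is produced by the OpenID Connect
/// server middleware during <c>SignInAsync</c>.
/// </returns>
public async Task<IActionResult> Accept(CancellationToken cancellationToken)
{
    // Extract the authorization request from the cache, the query string or the request form.
    var request = HttpContext.GetOpenIdConnectRequest();
    if (request == null)
    {
        return View("Error", new OpenIdConnectMessage
        {
            Error = "invalid_request",
            ErrorDescription = "An internal error has occurred"
        });
    }

    // Create a new ClaimsIdentity containing the claims that
    // will be used to create an id_token, a token or a code.
    var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);

    // Copy the claims retrieved from the external identity provider
    // (e.g Google, Facebook, a WS-Fed provider or another OIDC server).
    foreach (var claim in HttpContext.User.Claims)
    {
        // Allow ClaimTypes.Name to be added in the id_token and the access token.
        // ClaimTypes.NameIdentifier is automatically added, even if its
        // destination is not defined or doesn't include "id_token".
        // The other claims won't be visible for the client application.
        //
        // The destination is expressed as one space-separated value, the same form
        // used for the Actor claims below. Chaining WithDestination("id_token")
        // .WithDestination("token") relied on the helper appending rather than
        // replacing; the single combined value keeps both destinations either way.
        if (claim.Type == ClaimTypes.Name)
        {
            claim.WithDestination("id_token token");
        }

        identity.AddClaim(claim);
    }

    // Note: AspNet.Security.OpenIdConnect.Server automatically ensures an application
    // corresponds to the client_id specified in the authorization request using
    // IOpenIdConnectServerProvider.ValidateClientRedirectUri (see AuthorizationProvider.cs).
    // In theory, this null check is thus not strictly necessary. That said, a race condition
    // and a null reference exception could appear here if you manually removed the application
    // details from the database after the initial check made by AspNet.Security.OpenIdConnect.Server.
    var application = await GetApplicationAsync(request.ClientId, cancellationToken);
    if (application == null)
    {
        return View("Error", new OpenIdConnectMessage
        {
            Error = "invalid_client",
            ErrorDescription = "Details concerning the calling client application cannot be found in the database"
        });
    }

    // Create a new ClaimsIdentity containing the claims associated with the application.
    // Note: setting identity.Actor is not mandatory but can be useful to access
    // the whole delegation chain from the resource server (see ResourceController.cs).
    identity.Actor = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
    identity.Actor.AddClaim(ClaimTypes.NameIdentifier, application.ApplicationID);
    identity.Actor.AddClaim(ClaimTypes.Name, application.DisplayName, destination: "id_token token");

    var properties = new AuthenticationProperties();

    // Note: you can change the list of scopes granted
    // to the client application using SetScopes:
    properties.SetScopes(new[]
    {
        /* openid: */ OpenIdConnectConstants.Scopes.OpenId,
        /* email: */ OpenIdConnectConstants.Scopes.Email,
        /* profile: */ OpenIdConnectConstants.Scopes.Profile
    });

    // You can also limit the resources endpoints
    // the access token should be issued for:
    // (sample value: a local development resource server)
    properties.SetResources(new[] { "http://localhost:54540/" });

    // This call will instruct AspNet.Security.OpenIdConnect.Server to serialize
    // the specified identity to build appropriate tokens (id_token and token).
    // Note: you should always make sure the identities you return contain either
    // a 'sub' or a 'ClaimTypes.NameIdentifier' claim. In this case, the returned
    // identities always contain the name identifier returned by the external provider.
    // Note: the authenticationScheme parameter must match the value configured in Startup.cs.
    await HttpContext.Authentication.SignInAsync(
        OpenIdConnectServerDefaults.AuthenticationScheme,
        new ClaimsPrincipal(identity),
        properties);

    // The middleware has already written the authorization response.
    return new EmptyResult();
}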