public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
ApplicationUser user;
var allowedOrigin = context.OwinContext.Get <string>("as:clientAllowedOrigin");
if (allowedOrigin == null)
{
allowedOrigin = "*";
}
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { allowedOrigin });
if (context.UserName.IndexOf("@petronas.com") >= 0)
{
var request = new LoginRequest();
SSOHelper sSOHelper = new SSOHelper();
var ssoToken = sSOHelper.Login(context.UserName, context.Password, "Petronas");
if (ssoToken == null || ssoToken.Result == Guid.Empty)
{
context.SetError("invalid_grant", "The user name or password is incorrect.");
return;
}
user = await _repo.FindUser(context.UserName);
}
else
//using (AuthRepository _repo = new AuthRepository())
{
user = await _repo.FindUser(context.UserName, context.Password);
if (user == null)
{
context.SetError("invalid_grant", "The user name or password is incorrect.");
return;
}
}
var roles = _repo.GetUserRole(user.Id.ToString());
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
identity.AddClaim(new Claim(ClaimTypes.Role, Newtonsoft.Json.JsonConvert.SerializeObject(roles)));
identity.AddClaim(new Claim("sub", context.UserName));
var props = new AuthenticationProperties(new Dictionary <string, string>
{
{
"as:client_id", (context.ClientId == null) ? string.Empty : context.ClientId
},
{
"userName", context.UserName
},
{
"fullname", user.FirstName + " " + user.LastName
},
{
"roles", Newtonsoft.Json.JsonConvert.SerializeObject(roles)
}
});
var ticket = new AuthenticationTicket(identity, props);
context.Validated(ticket);
}
protected override async Task <AuthenticationTicket> CreateTicketAsync(
[NotNull] ClaimsIdentity identity, [NotNull] AuthenticationProperties properties,
[NotNull] string identifier, [NotNull] IDictionary <string, string> attributes)
{
var principal = new ClaimsPrincipal(identity);
var ticket = new AuthenticationTicket(principal, properties, Scheme.Name);
// Return the authentication ticket as-is if the
// user information endpoint has not been set.
if (string.IsNullOrEmpty(Options.UserInformationEndpoint))
{
Logger.LogInformation("The userinfo request was skipped because no userinfo endpoint was configured.");
return(ticket);
}
// Return the authentication ticket as-is
// if the application key has not been set.
if (string.IsNullOrEmpty(Options.ApplicationKey))
{
Logger.LogInformation("The userinfo request was skipped because no application key was configured.");
return(ticket);
}
// Return the authentication ticket as-is if the claimed identifier is malformed.
if (!identifier.StartsWith(SteamAuthenticationConstants.Namespaces.Identifier, StringComparison.Ordinal))
{
Logger.LogWarning("The userinfo request was skipped because an invalid identifier was received: {Identifier}.", identifier);
return(ticket);
}
var address = QueryHelpers.AddQueryString(Options.UserInformationEndpoint, new Dictionary <string, string>
{
[SteamAuthenticationConstants.Parameters.Key] = Options.ApplicationKey,
[SteamAuthenticationConstants.Parameters.SteamId] = identifier.Substring(SteamAuthenticationConstants.Namespaces.Identifier.Length)
});
var request = new HttpRequestMessage(HttpMethod.Get, address);
request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue(OpenIdAuthenticationConstants.Media.Json));
// Return the authentication ticket as-is if the userinfo request failed.
var response = await Options.HttpClient.SendAsync(request, HttpCompletionOption.ResponseHeadersRead, Context.RequestAborted);
if (!response.IsSuccessStatusCode)
{
Logger.LogWarning("The userinfo request failed because an invalid response was received: the identity provider " +
"returned returned a {Status} response with the following payload: {Headers} {Body}.",
/* Status: */ response.StatusCode,
/* Headers: */ response.Headers.ToString(),
/* Body: */ await response.Content.ReadAsStringAsync());
return(ticket);
}
var payload = JObject.Parse(await response.Content.ReadAsStringAsync());
// Try to extract the profile name of the authenticated user.
var profile = payload.Value <JObject>(SteamAuthenticationConstants.Parameters.Response)
?.Value <JArray>(SteamAuthenticationConstants.Parameters.Players)
?[0]?.Value <string>(SteamAuthenticationConstants.Parameters.Name);
if (!string.IsNullOrEmpty(profile))
{
identity.AddClaim(new Claim(ClaimTypes.Name, profile, ClaimValueTypes.String, Options.ClaimsIssuer));
}
var context = new OpenIdAuthenticatedContext(Context, Scheme, Options, ticket)
{
User = payload
};
// Copy the attributes to the context object.
foreach (var attribute in attributes)
{
context.Attributes.Add(attribute);
}
await Events.Authenticated(context);
// Note: return the authentication ticket associated
// with the notification to allow replacing the ticket.
return(context.Ticket);
}
/// <summary>
/// TODO: must be generated by AIP and returned on the first request from MyX
/// Then ticket will be used for Resources authorization
/// </summary>
/// <param name="request"></param>
/// <param name="user"></param>
/// <returns></returns>
private async Task <AuthenticationTicket> CreateTicketAsync(OpenIdConnectRequest request, AppUser user)
{
// Create a new ClaimsPrincipal containing the claims that
// will be used to create an id_token, a token or a code.
var principal = await _signInManager.CreateUserPrincipalAsync(user);
// Create a new authentication ticket holding the user identity.
var ticket = new AuthenticationTicket(principal, new AuthenticationProperties(), OpenIddictServerDefaults.AuthenticationScheme);
//if (!request.IsRefreshTokenGrantType())
//{
// Set the list of scopes granted to the client application.
// Note: the offline_access scope must be granted
// to allow OpenIddict to return a refresh token.
ticket.SetScopes(new[]
{
OpenIdConnectConstants.Scopes.OpenId,
OpenIdConnectConstants.Scopes.Email,
OpenIdConnectConstants.Scopes.Phone,
OpenIdConnectConstants.Scopes.Profile,
OpenIdConnectConstants.Scopes.OfflineAccess,
OpenIddictConstants.Scopes.Roles
}.Intersect(request.GetScopes()));
//}
//ticket.SetResources("webapp-api");
// Note: by default, claims are NOT automatically included in the access and identity tokens.
// To allow OpenIddict to serialize them, you must attach them a destination, that specifies
// whether they should be included in access tokens, in identity tokens or in both.
foreach (var claim in ticket.Principal.Claims)
{
// Never include the security stamp in the access and identity tokens, as it's a secret value.
if (claim.Type == _identityOptions.Value.ClaimsIdentity.SecurityStampClaimType)
{
continue;
}
var destinations = new List <string> {
OpenIdConnectConstants.Destinations.AccessToken
};
// Only add the iterated claim to the id_token if the corresponding scope was granted to the client application.
// The other claims will only be added to the access_token, which is encrypted when using the default format.
if ((claim.Type == OpenIdConnectConstants.Claims.Subject && ticket.HasScope(OpenIdConnectConstants.Scopes.OpenId)) ||
(claim.Type == OpenIdConnectConstants.Claims.Name && ticket.HasScope(OpenIdConnectConstants.Scopes.Profile)) ||
(claim.Type == OpenIdConnectConstants.Claims.Role && ticket.HasScope(OpenIddictConstants.Claims.Roles)) ||
(claim.Type == CustomClaimTypes.Permission && ticket.HasScope(OpenIddictConstants.Claims.Roles)))
{
destinations.Add(OpenIdConnectConstants.Destinations.IdentityToken);
}
claim.SetDestinations(destinations);
}
var identity = principal.Identity as ClaimsIdentity;
if (ticket.HasScope(OpenIdConnectConstants.Scopes.Profile))
{
if (!string.IsNullOrWhiteSpace(user.JobTitle))
{
identity.AddClaim(CustomClaimTypes.JobTitle, user.JobTitle, OpenIdConnectConstants.Destinations.IdentityToken);
}
//if (!string.IsNullOrWhiteSpace(user.FullName))
// identity.AddClaim(CustomClaimTypes.FullName, user.FullName, OpenIdConnectConstants.Destinations.IdentityToken);
if (!string.IsNullOrWhiteSpace(user.Configuration))
{
identity.AddClaim(CustomClaimTypes.Configuration, user.Configuration, OpenIdConnectConstants.Destinations.IdentityToken);
}
}
if (ticket.HasScope(OpenIdConnectConstants.Scopes.Email))
{
if (!string.IsNullOrWhiteSpace(user.Email))
{
identity.AddClaim(CustomClaimTypes.Email, user.Email, OpenIdConnectConstants.Destinations.IdentityToken);
}
}
if (ticket.HasScope(OpenIdConnectConstants.Scopes.Phone))
{
if (!string.IsNullOrWhiteSpace(user.PhoneNumber))
{
identity.AddClaim(CustomClaimTypes.Phone, user.PhoneNumber, OpenIdConnectConstants.Destinations.IdentityToken);
}
}
return(ticket);
}
/// <inheritdoc/>
protected override async Task <AuthenticateResult> HandleAuthenticateAsync()
{
return(await Task.Run <AuthenticateResult>(() =>
{
if (!Request.Headers.ContainsKey("Authorization"))
{
_responseHeader = "Bearer realm=\"token_required\"";
_responseResult = ErrorObjectResultFactory.NoAuthorizationHeader();
return AuthenticateResult.Fail(_responseResult.Error.Message);
}
var authHeader = AuthenticationHeaderValue.Parse(Request.Headers["Authorization"]);
if (authHeader.Scheme != "Bearer")
{
_responseHeader = "Bearer error=\"invalid_request\"";
_responseResult = ErrorObjectResultFactory.InvalidAuthorizationScheme();
return AuthenticateResult.Fail(_responseResult.Error.Message);
}
try
{
if (authHeader.Parameter == null)
{
_responseHeader = "Bearer error=\"invalid_token\"";
_responseResult = ErrorObjectResultFactory.InvalidAuthorizationToken();
return AuthenticateResult.Fail(_responseResult.Error.Message);
}
var accessToken = _authorizeService.GetAccessToken(authHeader.Parameter);
if (accessToken == null)
{
_responseHeader = "Bearer error=\"invalid_token\"";
_responseResult = ErrorObjectResultFactory.InvalidAuthorizationToken();
return AuthenticateResult.Fail(_responseResult.Error.Message);
}
if (accessToken.ExpiryTime < DateUtil.Now)
{
_responseHeader = "Bearer error=\"invalid_token\"";
_responseResult = ErrorObjectResultFactory.AuthorizationTokenExpired();
return AuthenticateResult.Fail(_responseResult.Error.Message);
}
var result = new List <Claim>();
foreach (var role in accessToken.Roles)
{
result.Add(new Claim(ClaimTypes.Role, role));
}
foreach (var scope in accessToken.Scopes)
{
result.Add(new Claim(Scopes.ClaimType, scope));
}
result.Add(new Claim(ClaimTypes.Name, accessToken.Name));
result.Add(new Claim(ClaimTypes.NameIdentifier, accessToken.PrincipalId.ToString()));
var identity = new ClaimsIdentity(result.ToArray(), Scheme.Name);
var principal = new ClaimsPrincipal(identity);
var ticket = new AuthenticationTicket(principal, Scheme.Name);
return AuthenticateResult.Success(ticket);
}
catch (Exception ex)
{
_logger.LogError(ex, ex.Message);
_responseResult = ErrorObjectResultFactory.InternalServerError();
return AuthenticateResult.Fail(_responseResult.Error.Message);
}
}));
}
public static void AuthenticationTicket(this HttpContext context, AuthenticationTicket ticket) => context.Items.Add(AuthenticationTicketItemName, ticket);
/// <summary>
/// Replaces the ticket information on this context and marks it as as validated by the application.
/// IsValidated becomes true and HasError becomes false as a result of calling.
/// </summary>
/// <param name="ticket">Assigned to the Ticket property</param>
/// <returns>True if the validation has taken effect.</returns>
public bool Validate(AuthenticationTicket ticket)
{
Ticket = ticket;
return(Validate());
}
/// <summary>
///
/// </summary>
/// <param name="context">OWIN environment</param>
/// <param name="ticket">The authentication ticket</param>
public WordPressReturnEndpointContext(
IOwinContext context,
AuthenticationTicket ticket)
: base(context, ticket)
{
}
/// <summary>
///
/// </summary>
/// <param name="context">OWIN environment</param>
/// <param name="ticket">The authentication ticket</param>
public EveOnlineReturnEndpointContext(
IOwinContext context,
AuthenticationTicket ticket)
: base(context, ticket)
{
}
protected override Task <AuthenticateResult> HandleAuthenticateAsync()
{
var authenticationTicket = new AuthenticationTicket(_principal, new AuthenticationProperties(), "TEST");
return(Task.FromResult(AuthenticateResult.Success(authenticationTicket)));
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
try
{
UnitOfWork unitOfWork = new UnitOfWork();
var userManager = context.OwinContext.GetUserManager <ApplicationUserManager>();
ApplicationUser user = await userManager.FindAsync(context.UserName, context.Password);
if (user == null)
{
context.SetError("invalid_grant", "The user name or password is incorrect.");
return;
}
var roles = userManager.GetRoles(user.Id);
var scope = context.Scope.ToList();
var str = context.Scope[0];
var customerId = Convert.ToInt32(!str.Contains("*")?str:str.Split('*')[0]);
var app = !str.Contains("*")?"x": str.Split('*')[1];
if (app == "ap")
{
var ap_roles = roles.Where(q => q == "Admin" || q == "User").ToList();
if (ap_roles.Count == 0)
{
context.SetError("invalid_grant", "The user name or password is incorrect.");
return;
}
}
var employee = await unitOfWork.PersonRepository.GetViewEmployeesByUserId(user.Id, customerId);
ClaimsIdentity oAuthIdentity = await user.GenerateUserIdentityAsync(userManager,
OAuthDefaults.AuthenticationType);
ClaimsIdentity cookiesIdentity = await user.GenerateUserIdentityAsync(userManager,
CookieAuthenticationDefaults.AuthenticationType);
oAuthIdentity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
oAuthIdentity.AddClaim(new Claim(ClaimTypes.Role, "user"));
oAuthIdentity.AddClaim(new Claim("sub", context.UserName));
oAuthIdentity.AddClaim(new Claim(ClaimTypes.Name, "Vahid"));
AuthenticationProperties properties = CreateProperties(user.UserName, (context.ClientId == null) ? string.Empty : context.ClientId);
if (employee != null)
{
properties.Dictionary.Add("Name", employee.Name);
properties.Dictionary.Add("UserId", employee.PersonId.ToString());
properties.Dictionary.Add("EmployeeId", employee.Id.ToString());
properties.Dictionary.Add("Roles", string.Join(",", roles));
}
//if (employees.Count > 0)
// {
// var customers =string.Join("_", employees.Select(q => q.CustomerId).Distinct().ToArray());
// var name = employees.First().Name;
// }
// properties.Dictionary.Add("Name", "Vahid Moghaddam");
AuthenticationTicket ticket = new AuthenticationTicket(oAuthIdentity, properties);
context.Validated(ticket);
context.Request.Context.Authentication.SignIn(cookiesIdentity);
}
catch (Exception ex)
{
int i = 0;
}
}
private async Task <bool> InvokeIntrospectionEndpointAsync()
{
OpenIdConnectMessage request;
// See https://tools.ietf.org/html/rfc7662#section-2.1
// and https://tools.ietf.org/html/rfc7662#section-4
if (string.Equals(Request.Method, "GET", StringComparison.OrdinalIgnoreCase))
{
request = new OpenIdConnectMessage(Request.Query.ToDictionary())
{
RequestType = OpenIdConnectRequestType.AuthenticationRequest
};
}
else if (string.Equals(Request.Method, "POST", StringComparison.OrdinalIgnoreCase))
{
// See http://openid.net/specs/openid-connect-core-1_0.html#FormSerialization
if (string.IsNullOrEmpty(Request.ContentType))
{
Logger.LogError("The introspection request was rejected because " +
"the mandatory 'Content-Type' header was missing.");
return(await SendErrorPayloadAsync(new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "A malformed introspection request has been received: " +
"the mandatory 'Content-Type' header was missing from the POST request."
}));
}
// May have media/type; charset=utf-8, allow partial match.
if (!Request.ContentType.StartsWith("application/x-www-form-urlencoded", StringComparison.OrdinalIgnoreCase))
{
Logger.LogError("The introspection request was rejected because an invalid 'Content-Type' " +
"header was received: {ContentType}.", Request.ContentType);
return(await SendErrorPayloadAsync(new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "A malformed introspection request has been received: " +
"the 'Content-Type' header contained an unexcepted value. " +
"Make sure to use 'application/x-www-form-urlencoded'."
}));
}
var form = await Request.ReadFormAsync(Context.RequestAborted);
request = new OpenIdConnectMessage(form.ToDictionary())
{
RequestType = OpenIdConnectRequestType.AuthenticationRequest
};
}
else
{
Logger.LogError("The introspection request was rejected because an invalid " +
"HTTP method was received: {Method}.", Request.Method);
return(await SendErrorPageAsync(new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "A malformed introspection request has been received: " +
"make sure to use either GET or POST."
}));
}
if (string.IsNullOrWhiteSpace(request.GetToken()))
{
return(await SendErrorPayloadAsync(new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "A malformed introspection request has been received: " +
"a 'token' parameter with an access, refresh, or identity token is required."
}));
}
// Insert the introspection request in the ASP.NET context.
Context.SetOpenIdConnectRequest(request);
// When client_id and client_secret are both null, try to extract them from the Authorization header.
// See http://tools.ietf.org/html/rfc6749#section-2.3.1 and
// http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
if (string.IsNullOrEmpty(request.ClientId) && string.IsNullOrEmpty(request.ClientSecret))
{
string header = Request.Headers[HeaderNames.Authorization];
if (!string.IsNullOrEmpty(header) && header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
{
try {
var value = header.Substring("Basic ".Length).Trim();
var data = Encoding.UTF8.GetString(Convert.FromBase64String(value));
var index = data.IndexOf(':');
if (index >= 0)
{
request.ClientId = data.Substring(0, index);
request.ClientSecret = data.Substring(index + 1);
}
}
catch (FormatException) { }
catch (ArgumentException) { }
}
}
var validatingContext = new ValidateIntrospectionRequestContext(Context, Options, request);
await Options.Provider.ValidateIntrospectionRequest(validatingContext);
if (validatingContext.IsRejected)
{
Logger.LogInformation("The introspection request was rejected by application code.");
return(await SendErrorPayloadAsync(new OpenIdConnectMessage {
Error = validatingContext.Error ?? OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = validatingContext.ErrorDescription,
ErrorUri = validatingContext.ErrorUri
}));
}
// Ensure that the client_id has been set from the ValidateIntrospectionRequest event.
else if (validatingContext.IsValidated && string.IsNullOrEmpty(request.ClientId))
{
Logger.LogError("The introspection request was validated but the client_id was not set.");
return(await SendErrorPayloadAsync(new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.ServerError,
ErrorDescription = "An internal server error occurred."
}));
}
AuthenticationTicket ticket = null;
// Note: use the "token_type_hint" parameter to determine
// the type of the token sent by the client application.
// See https://tools.ietf.org/html/rfc7662#section-2.1
switch (request.GetTokenTypeHint())
{
case OpenIdConnectConstants.Usages.AccessToken:
ticket = await DeserializeAccessTokenAsync(request.GetToken(), request);
break;
case OpenIdConnectConstants.Usages.RefreshToken:
ticket = await DeserializeRefreshTokenAsync(request.GetToken(), request);
break;
case OpenIdConnectConstants.Usages.IdToken:
ticket = await DeserializeIdentityTokenAsync(request.GetToken(), request);
break;
}
// Note: if the token can't be found using "token_type_hint",
// the search must be extended to all supported token types.
// See https://tools.ietf.org/html/rfc7662#section-2.1
if (ticket == null)
{
ticket = await DeserializeAccessTokenAsync(request.GetToken(), request) ??
await DeserializeIdentityTokenAsync(request.GetToken(), request) ??
await DeserializeRefreshTokenAsync(request.GetToken(), request);
}
if (ticket == null)
{
Logger.LogInformation("The introspection request was rejected because the token was invalid.");
return(await SendPayloadAsync(new JObject {
[OpenIdConnectConstants.Claims.Active] = false
}));
}
// Note: unlike refresh or identity tokens that can only be validated by client applications,
// access tokens can be validated by either resource servers or client applications:
// in both cases, the caller must be authenticated if the ticket is marked as confidential.
if (validatingContext.IsSkipped && ticket.IsConfidential())
{
Logger.LogWarning("The introspection request was rejected because the caller was not authenticated.");
return(await SendPayloadAsync(new JObject {
[OpenIdConnectConstants.Claims.Active] = false
}));
}
// If the ticket is already expired, directly return active=false.
if (ticket.Properties.ExpiresUtc.HasValue &&
ticket.Properties.ExpiresUtc < Options.SystemClock.UtcNow)
{
Logger.LogInformation("The introspection request was rejected because the token was expired.");
return(await SendPayloadAsync(new JObject {
[OpenIdConnectConstants.Claims.Active] = false
}));
}
// When a client_id can be inferred from the introspection request,
// ensure that the client application is a valid audience/presenter.
if (!string.IsNullOrEmpty(request.ClientId))
{
// Ensure the caller is listed as a valid audience or authorized presenter.
if (ticket.IsAccessToken() && ticket.HasAudience() && !ticket.HasAudience(request.ClientId) &&
ticket.HasPresenter() && !ticket.HasPresenter(request.ClientId))
{
Logger.LogWarning("The introspection request was rejected because the access token " +
"was issued to a different client or for another resource server.");
return(await SendPayloadAsync(new JObject {
[OpenIdConnectConstants.Claims.Active] = false
}));
}
// Reject the request if the caller is not listed as a valid audience.
else if (ticket.IsIdentityToken() && ticket.HasAudience() && !ticket.HasAudience(request.ClientId))
{
Logger.LogWarning("The introspection request was rejected because the " +
"identity token was issued to a different client.");
return(await SendPayloadAsync(new JObject {
[OpenIdConnectConstants.Claims.Active] = false
}));
}
// Reject the introspection request if the caller doesn't
// correspond to the client application the token was issued to.
else if (ticket.IsRefreshToken() && ticket.HasPresenter() && !ticket.HasPresenter(request.ClientId))
{
Logger.LogWarning("The introspection request was rejected because the " +
"refresh token was issued to a different client.");
return(await SendPayloadAsync(new JObject {
[OpenIdConnectConstants.Claims.Active] = false
}));
}
}
var notification = new HandleIntrospectionRequestContext(Context, Options, request, ticket);
notification.Active = true;
// Use the unique ticket identifier to populate the "jti" claim.
notification.TokenId = ticket.GetTicketId();
// Note: only set "token_type" when the received token is an access token.
// See https://tools.ietf.org/html/rfc7662#section-2.2
// and https://tools.ietf.org/html/rfc6749#section-5.1
if (ticket.IsAccessToken())
{
notification.TokenType = OpenIdConnectConstants.TokenTypes.Bearer;
}
notification.Issuer = Context.GetIssuer(Options);
notification.Subject = ticket.Principal.GetClaim(ClaimTypes.NameIdentifier);
notification.IssuedAt = ticket.Properties.IssuedUtc;
notification.ExpiresAt = ticket.Properties.ExpiresUtc;
// Copy the audiences extracted from the "aud" claim.
foreach (var audience in ticket.GetAudiences())
{
notification.Audiences.Add(audience);
}
// Note: non-metadata claims are only added if the caller is authenticated
// AND is in the specified audiences, unless there's so explicit audience.
if (!ticket.HasAudience() || (!string.IsNullOrEmpty(request.ClientId) && ticket.HasAudience(request.ClientId)))
{
// Extract the main identity associated with the principal.
var identity = (ClaimsIdentity)ticket.Principal.Identity;
notification.Username = identity.Name;
notification.Scope = ticket.GetProperty(OpenIdConnectConstants.Properties.Scopes);
// Potentially sensitive claims are only exposed to trusted callers
// if the ticket corresponds to an access or identity token.
if (ticket.IsAccessToken() || ticket.IsIdentityToken())
{
foreach (var claim in ticket.Principal.Claims)
{
// Exclude standard claims, that are already handled via strongly-typed properties.
// Make sure to always update this list when adding new built-in claim properties.
if (string.Equals(claim.Type, identity.NameClaimType, StringComparison.Ordinal) ||
string.Equals(claim.Type, ClaimTypes.NameIdentifier, StringComparison.Ordinal))
{
continue;
}
if (string.Equals(claim.Type, OpenIdConnectConstants.Claims.Audience, StringComparison.Ordinal) ||
string.Equals(claim.Type, OpenIdConnectConstants.Claims.ExpiresAt, StringComparison.Ordinal) ||
string.Equals(claim.Type, OpenIdConnectConstants.Claims.IssuedAt, StringComparison.Ordinal) ||
string.Equals(claim.Type, OpenIdConnectConstants.Claims.Issuer, StringComparison.Ordinal) ||
string.Equals(claim.Type, OpenIdConnectConstants.Claims.NotBefore, StringComparison.Ordinal) ||
string.Equals(claim.Type, OpenIdConnectConstants.Claims.Scope, StringComparison.Ordinal) ||
string.Equals(claim.Type, OpenIdConnectConstants.Claims.Subject, StringComparison.Ordinal) ||
string.Equals(claim.Type, OpenIdConnectConstants.Claims.TokenType, StringComparison.Ordinal))
{
continue;
}
string type;
// Try to resolve the short name associated with the claim type:
// if none can be found, the claim type is used as-is.
if (!JwtSecurityTokenHandler.DefaultOutboundClaimTypeMap.TryGetValue(claim.Type, out type))
{
type = claim.Type;
}
// Note: make sure to use the indexer
// syntax to avoid duplicate properties.
notification.Claims[type] = claim.Value;
}
}
}
await Options.Provider.HandleIntrospectionRequest(notification);
// Flow the changes made to the authentication ticket.
ticket = notification.Ticket;
if (notification.HandledResponse)
{
return(true);
}
else if (notification.Skipped)
{
return(false);
}
var payload = new JObject();
payload.Add(OpenIdConnectConstants.Claims.Active, notification.Active);
// Only add the other properties if
// the token is considered as active.
if (notification.Active)
{
if (!string.IsNullOrEmpty(notification.Issuer))
{
payload.Add(OpenIdConnectConstants.Claims.Issuer, notification.Issuer);
}
if (!string.IsNullOrEmpty(notification.Username))
{
payload.Add(OpenIdConnectConstants.Claims.Username, notification.Username);
}
if (!string.IsNullOrEmpty(notification.Subject))
{
payload.Add(OpenIdConnectConstants.Claims.Subject, notification.Subject);
}
if (!string.IsNullOrEmpty(notification.Scope))
{
payload.Add(OpenIdConnectConstants.Claims.Scope, notification.Scope);
}
if (notification.IssuedAt.HasValue)
{
payload.Add(OpenIdConnectConstants.Claims.IssuedAt,
EpochTime.GetIntDate(notification.IssuedAt.Value.UtcDateTime));
payload.Add(OpenIdConnectConstants.Claims.NotBefore,
EpochTime.GetIntDate(notification.IssuedAt.Value.UtcDateTime));
}
if (notification.ExpiresAt.HasValue)
{
payload.Add(OpenIdConnectConstants.Claims.ExpiresAt,
EpochTime.GetIntDate(notification.ExpiresAt.Value.UtcDateTime));
}
if (!string.IsNullOrEmpty(notification.TokenId))
{
payload.Add(OpenIdConnectConstants.Claims.JwtId, notification.TokenId);
}
if (!string.IsNullOrEmpty(notification.TokenType))
{
payload.Add(OpenIdConnectConstants.Claims.TokenType, notification.TokenType);
}
switch (notification.Audiences.Count)
{
case 0: break;
case 1:
payload.Add(OpenIdConnectConstants.Claims.Audience, notification.Audiences[0]);
break;
default:
payload.Add(OpenIdConnectConstants.Claims.Audience, JArray.FromObject(notification.Audiences));
break;
}
foreach (var claim in notification.Claims)
{
// Ignore claims whose value is null.
if (claim.Value == null)
{
continue;
}
// Note: make sure to use the indexer
// syntax to avoid duplicate properties.
payload[claim.Key] = claim.Value;
}
}
var context = new ApplyIntrospectionResponseContext(Context, Options, payload);
await Options.Provider.ApplyIntrospectionResponse(context);
if (context.HandledResponse)
{
return(true);
}
else if (context.Skipped)
{
return(false);
}
using (var buffer = new MemoryStream())
using (var writer = new JsonTextWriter(new StreamWriter(buffer))) {
payload.WriteTo(writer);
writer.Flush();
Response.ContentLength = buffer.Length;
Response.ContentType = "application/json;charset=UTF-8";
Response.Headers[HeaderNames.CacheControl] = "no-cache";
Response.Headers[HeaderNames.Pragma] = "no-cache";
Response.Headers[HeaderNames.Expires] = "-1";
buffer.Seek(offset: 0, loc: SeekOrigin.Begin);
await buffer.CopyToAsync(Response.Body, 4096, Context.RequestAborted);
return(true);
}
}
public async Task <IActionResult> Exhange(OpenIdConnectRequest request)
{
if (request.IsPasswordGrantType())
{
//request.GrantType = "password";
// Validate the user credentials.
// Note: to mitigate brute force attacks, you SHOULD strongly consider
// applying a key derivation function like PBKDF2 to slow down
// the password validation process. You SHOULD also consider
// using a time-constant comparer to prevent timing attacks.
var bsonUser = await this.dbContext.GetUser(request.Username);
var user = new PropyUser();
if (bsonUser.Count == 0)
{
user.Id = Guid.NewGuid().ToString();
user.UserName = "******";
user.PasswordHash = "AnonPass";
user.SecurityStamp = Guid.NewGuid().ToString();
}
else
{
user = new PropyUser()
{
Id = bsonUser[0]["_id"].ToString(),
UserName = bsonUser[0]["UserName"].ToString(),
PasswordHash = bsonUser[0]["PasswordHash"].ToString(),
SecurityStamp = bsonUser[0]["SecurityStamp"].ToString()
};
}
// Check password hash
var hasher = new PasswordHasher <PropyUser>();
var verificationResult = hasher.VerifyHashedPassword(user, user.PasswordHash, request.Password);
//if (user.Username != "*****@*****.**" ||
// user.Password != "P@ssw0rd")
//{
// return Forbid(OpenIdConnectServerDefaults.AuthenticationScheme);
//}
// Create a new ClaimsIdentity holding the user identity.
var identity = new ClaimsIdentity(
OpenIdConnectServerDefaults.AuthenticationScheme,
OpenIdConnectConstants.Claims.Name,
OpenIdConnectConstants.Claims.Role);
// Add a "sub" claim containing the user identifier, and attach
// the "access_token" destination to allow OpenIddict to store it
// in the access token, so it can be retrieved from your controllers.
//identity.AddClaim(OpenIdConnectConstants.Claims.Subject,
// "71346D62-9BA5-4B6D-9ECA-755574D628D8",
// OpenIdConnectConstants.Destinations.AccessToken);
//identity.AddClaim(OpenIdConnectConstants.Claims.Name, "Alice",
// OpenIdConnectConstants.Destinations.AccessToken);
identity.AddClaim(OpenIdConnectConstants.Claims.Subject,
user.Id,
OpenIdConnectConstants.Destinations.AccessToken);
identity.AddClaim(OpenIdConnectConstants.Claims.Name, user.UserName,
OpenIdConnectConstants.Destinations.AccessToken);
// ... add other claims, if necessary.
var principal = new ClaimsPrincipal(identity);
//var ticket = CreateTicket(request, principal);
var ticket = new AuthenticationTicket(principal, new AuthenticationProperties(), OpenIdConnectServerDefaults.AuthenticationScheme);
ticket.SetScopes(new[]
{
OpenIdConnectConstants.Scopes.OpenId,
OpenIdConnectConstants.Scopes.Email,
OpenIdConnectConstants.Scopes.Profile,
OpenIdConnectConstants.Scopes.OfflineAccess,
//OpenIddictConstants.Scopes.Roles
}.Intersect(request.GetScopes()));
// Ask OpenIddict to generate a new token and return an OAuth2 token response.
//return SignIn(principal, OpenIdConnectServerDefaults.AuthenticationScheme);
return(SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme));
}
else if (request.IsRefreshTokenGrantType())
{
var info = await this.HttpContext.AuthenticateAsync(OpenIdConnectServerDefaults.AuthenticationScheme);
// Create a new ClaimsIdentity holding the user identity.
var identity = new ClaimsIdentity(
OpenIdConnectServerDefaults.AuthenticationScheme,
OpenIdConnectConstants.Claims.Name,
OpenIdConnectConstants.Claims.Role);
// Add a "sub" claim containing the user identifier, and attach
// the "access_token" destination to allow OpenIddict to store it
// in the access token, so it can be retrieved from your controllers.
identity.AddClaim(OpenIdConnectConstants.Claims.Subject,
"71346D62-9BA5-4B6D-9ECA-755574D628D8",
OpenIdConnectConstants.Destinations.AccessToken);
identity.AddClaim(OpenIdConnectConstants.Claims.Name, "Alice",
OpenIdConnectConstants.Destinations.AccessToken);
// ... add other claims, if necessary.
var principal = new ClaimsPrincipal(identity);
var ticket = new AuthenticationTicket(principal, info.Properties,
OpenIdConnectServerDefaults.AuthenticationScheme);
return(SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme));
}
else if (request.GrantType == "urn:ietf:params:oauth:grant-type:facebook_access_token")
{
var account = await this.facebookService.GetAccountAsync(request.Assertion);
var bsonUser = await this.dbContext.GetUserByFacebookId(account.Id);
PropyUser user;
if (bsonUser.Count == 0)
{
user = new PropyUser()
{
Id = request.Assertion,
FacebookId = account.Id,
UserName = account.Username,
FirstName = account.FirstName,
LastName = account.LastName,
Email = account.Email
};
await this.dbContext.CreateUser(user);
}
else
{
user = new PropyUser()
{
Id = request.Assertion,
FacebookId = bsonUser[0]["facebookId"].ToString(),
UserName = bsonUser[0]["UserName"].ToString(),
FirstName = bsonUser[0]["firstName"].ToString(),
LastName = bsonUser[0]["lastName"].ToString(),
Email = bsonUser[0]["facebookId"].ToString(),
};
}
var identity = new ClaimsIdentity(
OpenIdConnectServerDefaults.AuthenticationScheme,
OpenIdConnectConstants.Claims.Name,
OpenIdConnectConstants.Claims.Role);
identity.AddClaim(OpenIdConnectConstants.Claims.Subject,
user.Id,
OpenIdConnectConstants.Destinations.AccessToken);
identity.AddClaim(OpenIdConnectConstants.Claims.Name, user.UserName,
OpenIdConnectConstants.Destinations.AccessToken);
var principal = new ClaimsPrincipal(identity);
var ticket = new AuthenticationTicket(principal, new AuthenticationProperties(), OpenIdConnectServerDefaults.AuthenticationScheme);
ticket.SetScopes(new[]
{
OpenIdConnectConstants.Scopes.OfflineAccess,
});
return(SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme));
}
else if (request.GrantType == "urn:ietf:params:oauth:grant-type:google_identity_token")
{
// Exchange recieved Authorization Code for an access token
var tokenUrl = "https://www.googleapis.com/oauth2/v4/token";
//var code = "4/1VeXJLNmmH2dIYR8FSeW3OaVlYpK7BtZwVAhqzLvErk";
var code = request.Assertion;
var client_id = "295998800597-kao41iolosp6kl304dedl3u2551bogie.apps.googleusercontent.com";
var client_secret = "z4VDv49a9aGMtQQK4NM8dZnn";
var grant_type = "authorization_code";
var redirect_uri = "http://localhost:5000";
var data = new Dictionary <string, string>
{
{ "code", code },
{ "client_id", client_id },
{ "client_secret", client_secret },
{ "grant_type", grant_type },
{ "redirect_uri", redirect_uri }
};
var httpClient = new HttpClient();
var requestToken = new HttpRequestMessage(HttpMethod.Post, tokenUrl)
{
Content = new FormUrlEncodedContent(data)
};
var response = await httpClient.SendAsync(requestToken);
var responseContent = await response.Content.ReadAsStringAsync();
var responseContentDeserializrd = JsonConvert.DeserializeObject <ResponseData>(responseContent);
var accessToken = responseContentDeserializrd.AccessToken;
// Use the access token to request the user's info
httpClient.DefaultRequestHeaders.Add("Authorization", $"Bearer {accessToken}");
var userInfoUrl = "https://www.googleapis.com/oauth2/v1/userinfo";
var userResponse = await httpClient.GetAsync(userInfoUrl);
var userResponseContent = await userResponse.Content.ReadAsStringAsync();
var userInfo = JsonConvert.DeserializeObject <UserInfo>(userResponseContent);
// Create user if one does not exist, and log him in
var user = new PropyUser();
var bsonUser = await this.dbContext.GetUserByGoogleId(userInfo.Id);
if (bsonUser.Count == 0)
{
user.Id = Guid.NewGuid().ToString();
user.Email = userInfo.Email;
user.UserName = userInfo.Name;
user.FirstName = userInfo.GivenName;
user.LastName = userInfo.FamilyName;
user.GoogleId = userInfo.Id;
await this.dbContext.CreateUser(user);
}
else
{
user.Id = Guid.NewGuid().ToString();
user.Email = bsonUser[0]["email"].ToString();
user.UserName = bsonUser[0]["UserName"].ToString();
user.FirstName = bsonUser[0]["firstName"].ToString();
user.LastName = bsonUser[0]["lastName"].ToString();
user.GoogleId = bsonUser[0]["googleId"].ToString();
}
// Create user's identity, a ticket and then sign him in
var identity = new ClaimsIdentity(
OpenIdConnectServerDefaults.AuthenticationScheme,
OpenIdConnectConstants.Claims.Name,
OpenIdConnectConstants.Claims.Role);
identity.AddClaim(OpenIdConnectConstants.Claims.Subject,
user.Id,
OpenIdConnectConstants.Destinations.AccessToken);
identity.AddClaim(OpenIdConnectConstants.Claims.Name, user.UserName,
OpenIdConnectConstants.Destinations.AccessToken);
var principal = new ClaimsPrincipal(identity);
var ticket = new AuthenticationTicket(principal, new AuthenticationProperties(), OpenIdConnectServerDefaults.AuthenticationScheme);
ticket.SetScopes(new[]
{
OpenIdConnectConstants.Scopes.OfflineAccess,
});
return(SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme));
}
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.UnsupportedGrantType,
ErrorDescription = "The specified grant type is not supported."
}));
}
protected override Task <AuthenticateResult> HandleAuthenticateAsync()
{
var hasAuthToken = Request.Headers.TryGetValue(HeaderNames.Authorization, out var authorization);
if (hasAuthToken)
{
var validUser = IsValidAuthToken(authorization);
if (!validUser.Valid)
{
dynamic error = new
{
Message = "Invalid auth key.",
Code = StatusCodes.Status401Unauthorized
};
var res = new ReturnData <dynamic>()
{
Success = false,
Data = error
};
throw new Exception(JsonConvert.SerializeObject(res));
}
if (validUser.role != Role.Admin)
{
if (string.IsNullOrEmpty(validUser.AllowedPrivileges))
{
dynamic error = new
{
Message = "The group has not yet been assigned privileges, please contact admin",
Code = StatusCodes.Status401Unauthorized
};
var res = new ReturnData <dynamic>()
{
Success = false,
Data = error
};
var exeption = new Exception(JsonConvert.SerializeObject(res));
throw exeption;
}
string userRoute = Request.Path;
if (userRoute.ToLower().Contains("api"))
{
var route = userRoute.Substring(1) != null?userRoute.Substring(1) : "";
var rolesSplit = userRoute.Split('/');
if (userRoute.Contains('/') && userRoute.Split('/').Length > 2)
{
route = rolesSplit[2] + '/' + rolesSplit[3];
}
//route = route.Remove(route.Length - 1);
var action = _context.UserGroupPrivileges.FirstOrDefault(m => m.Action.ToLower() == route.ToLower());
if (action == null)
{
dynamic error = new
{
Message = "Rights not found, please contact admin",
Code = StatusCodes.Status401Unauthorized
};
var res = new ReturnData <dynamic>()
{
Success = false,
Data = error
};
throw new Exception(JsonConvert.SerializeObject(res));
}
var allowedPrivilegesCode = validUser.AllowedPrivileges.Split(",");
if (!allowedPrivilegesCode.Contains("016"))
{
validUser.AllowedPrivileges += ",016";
}
allowedPrivilegesCode = validUser.AllowedPrivileges.Split(",");
var isAllowed = allowedPrivilegesCode.Contains(action.Code);
if (!isAllowed)
{
dynamic error = new
{
Message = "Forbidden request",
Code = StatusCodes.Status401Unauthorized
};
var res = new ReturnData <dynamic>()
{
Success = false,
Data = error
};
throw new Exception(JsonConvert.SerializeObject(res));
//var error = new Exception("The group has not yet been assigned privileges, please contact admin");
//throw error;
}
}
}
}
var identities = new List <ClaimsIdentity> {
new ClaimsIdentity("custom auth type")
};
var ticket = new AuthenticationTicket(new ClaimsPrincipal(identities), Options.Scheme);
var authedicationResults = Task.FromResult(AuthenticateResult.Success(ticket));
return(authedicationResults);
}
private async Task <IActionResult> ExchangeClientCredentialsGrantType(OpenIdConnectRequest request)
{
// Note: client authentication is always enforced by OpenIddict before this action is invoked.
var application = await _applicationManager.FindByClientIdAsync(request.ClientId);
if (application == null)
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIddictConstants.Errors.InvalidClient,
ErrorDescription = T["The specified 'client_id' parameter is invalid."]
}));
}
var identity = new ClaimsIdentity(
OpenIddictServerDefaults.AuthenticationScheme,
OpenIddictConstants.Claims.Name,
OpenIddictConstants.Claims.Role);
identity.AddClaim(OpenIdConstants.Claims.EntityType, OpenIdConstants.EntityTypes.Application,
OpenIddictConstants.Destinations.AccessToken,
OpenIddictConstants.Destinations.IdentityToken);
identity.AddClaim(OpenIddictConstants.Claims.Subject, request.ClientId,
OpenIddictConstants.Destinations.AccessToken,
OpenIddictConstants.Destinations.IdentityToken);
identity.AddClaim(OpenIddictConstants.Claims.Name,
await _applicationManager.GetDisplayNameAsync(application),
OpenIddictConstants.Destinations.AccessToken,
OpenIddictConstants.Destinations.IdentityToken);
// If the role service is available, add all the role claims
// associated with the application roles in the database.
var roleService = HttpContext.RequestServices.GetService <IRoleService>();
foreach (var role in await _applicationManager.GetRolesAsync(application))
{
identity.AddClaim(identity.RoleClaimType, role,
OpenIddictConstants.Destinations.AccessToken,
OpenIddictConstants.Destinations.IdentityToken);
if (roleService != null)
{
foreach (var claim in await roleService.GetRoleClaimsAsync(role))
{
identity.AddClaim(claim.SetDestinations(
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken));
}
}
}
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
OpenIddictServerDefaults.AuthenticationScheme);
ticket.SetResources(await GetResourcesAsync(request.GetScopes()));
return(SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme));
}
private async Task <AuthenticationTicket> CreateUserTicketAsync(
ClaimsPrincipal principal, object application, object authorization,
OpenIdConnectRequest request, AuthenticationProperties properties = null)
{
Debug.Assert(request.IsAuthorizationRequest() || request.IsTokenRequest(),
"The request should be an authorization or token request.");
var identity = (ClaimsIdentity)principal.Identity;
// Note: make sure this claim is not added multiple times (which may happen when the principal
// was extracted from an authorization code or from a refresh token ticket is re-used as-is).
if (string.IsNullOrEmpty(principal.FindFirst(OpenIdConstants.Claims.EntityType)?.Value))
{
identity.AddClaim(OpenIdConstants.Claims.EntityType, OpenIdConstants.EntityTypes.User,
OpenIddictConstants.Destinations.AccessToken,
OpenIddictConstants.Destinations.IdentityToken);
}
// Note: while ASP.NET Core Identity uses the legacy WS-Federation claims (exposed by the ClaimTypes class),
// OpenIddict uses the newer JWT claims defined by the OpenID Connect specification. To ensure the mandatory
// subject claim is correctly populated (and avoid an InvalidOperationException), it's manually added here.
if (string.IsNullOrEmpty(principal.FindFirst(OpenIdConnectConstants.Claims.Subject)?.Value))
{
identity.AddClaim(new Claim(OpenIdConnectConstants.Claims.Subject, principal.GetUserIdentifier()));
}
// Create a new authentication ticket holding the user identity.
var ticket = new AuthenticationTicket(principal, properties,
OpenIddictServerDefaults.AuthenticationScheme);
if (request.IsAuthorizationRequest() || (!request.IsAuthorizationCodeGrantType() &&
!request.IsRefreshTokenGrantType()))
{
// Set the list of scopes granted to the client application.
// Note: the offline_access scope must be granted
// to allow OpenIddict to return a refresh token.
ticket.SetScopes(request.GetScopes());
ticket.SetResources(await GetResourcesAsync(request.GetScopes()));
// If the request is an authorization request, automatically create
// a permanent authorization to avoid requiring explicit consent for
// future authorization or token requests containing the same scopes.
if (authorization == null && request.IsAuthorizationRequest())
{
authorization = await _authorizationManager.CreateAsync(
principal : ticket.Principal,
subject : principal.GetUserIdentifier(),
client : await _applicationManager.GetIdAsync(application),
type : OpenIddictConstants.AuthorizationTypes.Permanent,
scopes : ImmutableArray.CreateRange(ticket.GetScopes()),
properties : ImmutableDictionary.CreateRange(ticket.Properties.Items));
}
if (authorization != null)
{
// Attach the authorization identifier to the authentication ticket.
ticket.SetInternalAuthorizationId(await _authorizationManager.GetIdAsync(authorization));
}
}
// Note: by default, claims are NOT automatically included in the access and identity tokens.
// To allow OpenIddict to serialize them, you must attach them a destination, that specifies
// whether they should be included in access tokens, in identity tokens or in both.
foreach (var claim in ticket.Principal.Claims)
{
// Never include the security stamp in the access and identity tokens, as it's a secret value.
if (claim.Type == "AspNet.Identity.SecurityStamp")
{
continue;
}
var destinations = new List <string>
{
OpenIddictConstants.Destinations.AccessToken
};
// Only add the iterated claim to the id_token if the corresponding scope was granted to the client application.
// The other claims will only be added to the access_token, which is encrypted when using the default format.
if ((claim.Type == OpenIddictConstants.Claims.Name && ticket.HasScope(OpenIddictConstants.Scopes.Profile)) ||
(claim.Type == OpenIddictConstants.Claims.Email && ticket.HasScope(OpenIddictConstants.Scopes.Email)) ||
(claim.Type == OpenIddictConstants.Claims.Role && ticket.HasScope(OpenIddictConstants.Claims.Roles)) ||
(claim.Type == OpenIdConstants.Claims.EntityType))
{
destinations.Add(OpenIddictConstants.Destinations.IdentityToken);
}
claim.SetDestinations(destinations);
}
return(ticket);
}
/// <summary>
/// Creates a new instance of the context object.
/// </summary>
/// <param name="context"></param>
/// <param name="scheme"></param>
/// <param name="ticket">Contains the initial values for identity and extra data</param>
/// <param name="options"></param>
public CookieValidatePrincipalContext(HttpContext context, AuthenticationScheme scheme, CookieAuthenticationOptions options, AuthenticationTicket ticket)
: base(context, scheme, options, ticket?.Properties)
{
if (ticket == null)
{
throw new ArgumentNullException(nameof(ticket));
}
Principal = ticket.Principal;
}
public async Task <IActionResult> Accept(CancellationToken cancellationToken)
{
var response = HttpContext.GetOpenIdConnectResponse();
if (response != null)
{
return(View("Error", response));
}
var request = HttpContext.GetOpenIdConnectRequest();
if (request == null)
{
return(View("Error", new OpenIdConnectResponse {
Error = OpenIdConnectConstants.Errors.ServerError,
ErrorDescription = "An internal error has occurred"
}));
}
// Create a new ClaimsIdentity containing the claims that
// will be used to create an id_token, a token or a code.
var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
// Copy the claims retrieved from the external identity provider
// (e.g Google, Facebook, a WS-Fed provider or another OIDC server).
foreach (var claim in HttpContext.User.Claims)
{
// Allow ClaimTypes.Name to be added in the id_token.
// ClaimTypes.NameIdentifier is automatically added, even if its
// destination is not defined or doesn't include "id_token".
// The other claims won't be visible for the client application.
if (claim.Type == ClaimTypes.Name)
{
claim.SetDestinations(OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
}
identity.AddClaim(claim);
}
var application = await GetApplicationAsync(request.ClientId, cancellationToken);
if (application == null)
{
return(View("Error", new OpenIdConnectResponse {
Error = OpenIdConnectConstants.Errors.InvalidClient,
ErrorDescription = "Details concerning the calling client application cannot be found in the database"
}));
}
// Create a new ClaimsIdentity containing the claims associated with the application.
// Note: setting identity.Actor is not mandatory but can be useful to access
// the whole delegation chain from the resource server (see ResourceController.cs).
identity.Actor = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
identity.Actor.AddClaim(ClaimTypes.NameIdentifier, application.ApplicationID);
identity.Actor.AddClaim(ClaimTypes.Name, application.DisplayName,
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
// Create a new authentication ticket holding the user identity.
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
OpenIdConnectServerDefaults.AuthenticationScheme);
// Set the list of scopes granted to the client application.
// Note: this sample always grants the "openid", "email" and "profile" scopes
// when they are requested by the client application: a real world application
// would probably display a form allowing to select the scopes to grant.
ticket.SetScopes(new[] {
/* openid: */ OpenIdConnectConstants.Scopes.OpenId,
/* email: */ OpenIdConnectConstants.Scopes.Email,
/* profile: */ OpenIdConnectConstants.Scopes.Profile,
/* offline_access: */ OpenIdConnectConstants.Scopes.OfflineAccess
}.Intersect(request.GetScopes()));
// Set the resources servers the access token should be issued for.
ticket.SetResources("resource_server");
// Returning a SignInResult will ask ASOS to serialize the specified identity to build appropriate tokens.
// Note: you should always make sure the identities you return contain ClaimTypes.NameIdentifier claim.
// In this sample, the identity always contains the name identifier returned by the external provider.
return(SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme));
}
private byte[] SerializeToBytes(AuthenticationTicket source) => TicketSerializer.Default.Serialize(source);
public string Protect(AuthenticationTicket data, string purpose)
{
throw new NotImplementedException();
}
/// <summary>
///
/// </summary>
/// <param name="context">OWIN environment</param>
/// <param name="ticket">The authentication ticket</param>
public BitbucketReturnEndpointContext(
IOwinContext context,
AuthenticationTicket ticket)
: base(context, ticket)
{
}
public ReturnEndpointContext(
IDictionary<string, object> environment,
AuthenticationTicket ticket,
IDictionary<string, string> errorDetails)
: base(environment)
{
ErrorDetails = errorDetails;
if (ticket != null)
{
Identity = ticket.Identity;
Extra = ticket.Extra;
}
}
public void NullPrincipalThrows()
{
var properties = new AuthenticationProperties();
properties.RedirectUri = "bye";
var ticket = new AuthenticationTicket(properties, "Hello");
using (var stream = new MemoryStream())
using (var writer = new BinaryWriter(stream))
using (var reader = new BinaryReader(stream))
{
Assert.Throws<ArgumentNullException>(() => TicketSerializer.Write(writer, ticket));
}
}
public AuthenticationTokenCreateContext(
IOwinContext context,
ISecureDataFormat<AuthenticationTicket> secureDataFormat,
AuthenticationTicket ticket)
: base(context)
{
if (secureDataFormat == null)
{
throw new ArgumentNullException("secureDataFormat");
}
if (ticket == null)
{
throw new ArgumentNullException("ticket");
}
_secureDataFormat = secureDataFormat;
Ticket = ticket;
}
public void CanRoundTripEmptyPrincipal()
{
var properties = new AuthenticationProperties();
properties.RedirectUri = "bye";
var ticket = new AuthenticationTicket(new ClaimsPrincipal(), properties, "Hello");
using (var stream = new MemoryStream())
using (var writer = new BinaryWriter(stream))
using (var reader = new BinaryReader(stream))
{
TicketSerializer.Write(writer, ticket);
stream.Position = 0;
var readTicket = TicketSerializer.Read(reader);
readTicket.Principal.Identities.Count().ShouldBe(0);
readTicket.Properties.RedirectUri.ShouldBe("bye");
readTicket.AuthenticationScheme.ShouldBe("Hello");
}
}
/// <summary>
/// Creates a new instance of the context object.
/// </summary>
/// <param name="context"></param>
/// <param name="ticket">Contains the initial values for identity and extra data</param>
/// <param name="options"></param>
public CookieValidatePrincipalContext(HttpContext context, AuthenticationTicket ticket, CookieAuthenticationOptions options)
: base(context, options)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
if (ticket == null)
{
throw new ArgumentNullException(nameof(ticket));
}
if (options == null)
{
throw new ArgumentNullException(nameof(options));
}
Principal = ticket.Principal;
Properties = ticket.Properties;
}
/// <summary>
/// Initializes a new <see cref="OAuthCreatingTicketContext"/>.
/// </summary>
/// <param name="ticket">The <see cref="AuthenticationTicket"/>.</param>
/// <param name="context">The HTTP environment.</param>
/// <param name="options">The options used by the authentication middleware.</param>
/// <param name="backchannel">The HTTP client used by the authentication middleware</param>
/// <param name="tokens">The tokens returned from the token endpoint.</param>
/// <param name="user">The JSON-serialized user.</param>
public OAuthCreatingTicketContext(
AuthenticationTicket ticket,
HttpContext context,
OAuthOptions options,
HttpClient backchannel,
OAuthTokenResponse tokens,
JObject user)
: base(context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
if (options == null)
{
throw new ArgumentNullException(nameof(options));
}
if (backchannel == null)
{
throw new ArgumentNullException(nameof(backchannel));
}
if (tokens == null)
{
throw new ArgumentNullException(nameof(tokens));
}
if (user == null)
{
throw new ArgumentNullException(nameof(user));
}
TokenResponse = tokens;
Backchannel = backchannel;
User = user;
Options = options;
Ticket = ticket;
}
/// <summary>
/// Initializes a new <see cref="MicrosoftAccountReturnEndpointContext"/>.
/// </summary>
/// <param name="context">OWIN environment</param>
/// <param name="ticket">The authentication ticket</param>
public MicrosoftAccountReturnEndpointContext(
IOwinContext context,
AuthenticationTicket ticket)
: base(context, ticket)
{
}
public FormsValidateIdentityContext(AuthenticationTicket ticket)
{
Identity = ticket.Identity;
Extra = ticket.Extra;
}
public void DeserializeTicket(string protectedData)
{
Ticket = _secureDataFormat.Unprotect(protectedData);
}
/// <summary>
/// Initializes a new <see cref="TwitterReturnEndpointContext"/>.
/// </summary>
/// <param name="context">HTTP environment</param>
/// <param name="ticket">The authentication ticket</param>
public TwitterReturnEndpointContext(
HttpContext context,
AuthenticationTicket ticket)
: base(context, ticket)
{
}
/// <summary>
///
/// </summary>
/// <param name="context">OWIN environment</param>
/// <param name="ticket">The authentication ticket</param>
public FacebookReturnEndpointContext(
IOwinContext context,
AuthenticationTicket ticket)
: base(context, ticket)
{
}
/// <summary>
/// Initialize a <see cref="GoogleOAuth2ReturnEndpointContext"/>
/// </summary>
/// <param name="context">OWIN environment</param>
/// <param name="ticket">The authentication ticket</param>
public GoogleOAuth2ReturnEndpointContext(
IOwinContext context,
AuthenticationTicket ticket)
: base(context, ticket)
{
}
public SinaWeiboAccountReturnEndpointContext(
IOwinContext context,
AuthenticationTicket ticket)
: base(context, ticket)
{
}
protected override Task<AuthenticationTicket> GetUserInformationAsync(OpenIdConnectMessage message, JwtSecurityToken jwt, AuthenticationTicket ticket)
{
var claimsIdentity = (ClaimsIdentity)ticket.Principal.Identity;
if (claimsIdentity == null)
{
claimsIdentity = new ClaimsIdentity();
}
claimsIdentity.AddClaim(new Claim("test claim", "test value"));
return Task.FromResult(new AuthenticationTicket(new ClaimsPrincipal(claimsIdentity), ticket.Properties, ticket.AuthenticationScheme));
}
protected ReturnEndpointContext(
HttpContext context,
AuthenticationTicket ticket)
: base(context)
{
if (ticket != null)
{
Principal = ticket.Principal;
Properties = ticket.Properties;
}
}
protected ReturnEndpointContext(
IOwinContext context,
AuthenticationTicket ticket)
: base(context)
{
if (ticket != null)
{
Identity = ticket.Identity;
Properties = ticket.Properties;
}
}
public ReturnEndpointContext(
IDictionary<string, object> environment,
AuthenticationTicket ticket)
: base(environment)
{
Identity = ticket.Identity;
Extra = ticket.Extra;
}
protected override async Task<AuthenticationTicket> GetUserInformationAsync(AuthenticationProperties properties, OpenIdConnectMessage message, AuthenticationTicket ticket)
{
var claimsIdentity = (ClaimsIdentity)ticket.Principal.Identity;
if (claimsIdentity == null)
{
claimsIdentity = new ClaimsIdentity();
}
claimsIdentity.AddClaim(new Claim("test claim", "test value"));
return new AuthenticationTicket(new ClaimsPrincipal(claimsIdentity), ticket.Properties, ticket.AuthenticationScheme);
}
public TwitterReturnEndpointContext(
IDictionary<string, object> environment,
AuthenticationTicket ticket,
IDictionary<string, string> errorDetails)
: base(environment, ticket, errorDetails)
{
}
public void SetTicket(AuthenticationTicket ticket)
{
if (ticket == null)
{
throw new ArgumentNullException("ticket");
}
Ticket = ticket;
}
/// <summary>
/// Initializes a new <see cref="OAuthCreatingTicketContext"/>.
/// </summary>
/// <param name="ticket">The <see cref="AuthenticationTicket"/>.</param>
/// <param name="context">The HTTP environment.</param>
/// <param name="options">The options used by the authentication middleware.</param>
/// <param name="backchannel">The HTTP client used by the authentication middleware</param>
/// <param name="tokens">The tokens returned from the token endpoint.</param>
public OAuthCreatingTicketContext(
AuthenticationTicket ticket,
HttpContext context,
OAuthOptions options,
HttpClient backchannel,
OAuthTokenResponse tokens)
: this(ticket, context, options, backchannel, tokens, user: new JObject())
{
}
public OAuthTokenEndpointContext(
IDictionary<string, object> environment,
AuthenticationTicket ticket,
AccessTokenRequest accessTokenRequest) : base(environment)
{
Identity = ticket.Identity;
Extra = ticket.Extra;
AccessTokenRequest = accessTokenRequest;
TokenIssued = Identity != null;
}
public void Persist(AuthenticationTicket ticket)
{
var cookie = _cookies.CreateCookie(_systemTime);
cookie.Value = _encryptor.Encrypt(JsonUtil.ToJson(ticket));
_cookies.Update(cookie);
}
