public void SetAuthorizationCodeLifetime_AddsLifetime(string lifetime)
{
// Arrange
var ticket = new AuthenticationTicket(
new ClaimsIdentity(),
new AuthenticationProperties());
// Act
ticket.SetAuthorizationCodeLifetime(lifetime != null ? (TimeSpan?)TimeSpan.ParseExact(lifetime, "c", CultureInfo.InvariantCulture) : null);
// Assert
Assert.Equal(lifetime, ticket.GetProperty(OpenIdConnectConstants.Properties.AuthorizationCodeLifetime));
}
private async Task <AuthenticationTicket> CreateTicketAsync(User user, string[] roles)
{
var req = HttpContext.GetOpenIdConnectRequest();
// principal = authenticated user.
var principal = await _signInManager.CreateUserPrincipalAsync(user);
AddRolesToPrincipal(principal, roles);
var ticket = new AuthenticationTicket(principal, new AuthenticationProperties(), OpenIdConnectServerDefaults.AuthenticationScheme);
// Token lifetime to 12 hours
ticket.SetAccessTokenLifetime(TimeSpan.FromHours(12));
ticket.SetAuthorizationCodeLifetime(TimeSpan.FromHours(12));
ticket.SetIdentityTokenLifetime(TimeSpan.FromHours(12));
ticket.SetScopes(OpenIddictConstants.Scopes.Roles);
// Explicitly specify which claims should be included in the access token
foreach (var claim in ticket.Principal.Claims)
{
// Never include the security stamp (it's a secret value)
if (claim.Type == _identityOptions.Value.ClaimsIdentity.SecurityStampClaimType)
{
continue;
}
// TODO: If there are any other private/secret claims on the user that should
// not be exposed publicly, handle them here!
// The token is encoded but not encrypted, so it is effectively plaintext.
claim.SetDestinations(OpenIdConnectConstants.Destinations.AccessToken);
}
return(ticket);
}
public async Task <IActionResult> Token(OpenIdConnectRequest requestModel)
{
if (!requestModel.IsPasswordGrantType())
{
// Return bad request if the request is not for password grant type
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.UnsupportedGrantType,
ErrorDescription = "The specified grant type is not supported."
}));
}
var user = await userManager.FindByNameAsync(requestModel.Username);
if (user == null)
{
// Return bad request if the user doesn't exist
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "Invalid username or password"
}));
}
// Check that the user can sign in and is not locked out.
// If two-factor authentication is supported, it would also be appropriate to check that 2FA is enabled for the user
if (!await signInManager.CanSignInAsync(user) || (userManager.SupportsUserLockout && await userManager.IsLockedOutAsync(user)))
{
// Return bad request is the user can't sign in
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "The specified user cannot sign in."
}));
}
if (!await userManager.CheckPasswordAsync(user, requestModel.Password))
{
// Return bad request if the password is invalid
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "Invalid username or password"
}));
}
// The user is now validated, so reset lockout counts, if necessary
if (userManager.SupportsUserLockout)
{
await userManager.ResetAccessFailedCountAsync(user);
}
// Create the principal
var principal = await signInManager.CreateUserPrincipalAsync(user);
// Claims will not be associated with specific destinations by default, so we must indicate whether they should
// be included or not in access and identity tokens.
foreach (var claim in principal.Claims)
{
// For this sample, just include all claims in all token types.
// In reality, claims' destinations would probably differ by token type and depending on the scopes requested.
claim.SetDestinations(OpenIdConnectConstants.Destinations.AccessToken, OpenIdConnectConstants.Destinations.IdentityToken);
}
// Create a new authentication ticket for the user's principal
var ticket = new AuthenticationTicket(
principal,
new AuthenticationProperties(),
OpenIdConnectServerDefaults.AuthenticationScheme);
// Include resources and scopes, as appropriate
var scope = new[]
{
OpenIdConnectConstants.Scopes.OpenId,
OpenIdConnectConstants.Scopes.Email,
OpenIdConnectConstants.Scopes.Profile,
OpenIdConnectConstants.Scopes.OfflineAccess,
OpenIddictConstants.Scopes.Roles
}.Intersect(requestModel.GetScopes());
ticket.SetScopes(scope);
ticket.SetAccessTokenLifetime(new TimeSpan(3, 0, 0));
ticket.SetAuthorizationCodeLifetime(new TimeSpan(3, 0, 0));
// Sign in the user
return(SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme));
}
