public void SetIdentityTokenLifetime_AddsLifetime(string lifetime)
{
// Arrange
var ticket = new AuthenticationTicket(
new ClaimsIdentity(),
new AuthenticationProperties());
// Act
ticket.SetIdentityTokenLifetime(lifetime != null ? (TimeSpan?)TimeSpan.ParseExact(lifetime, "c", CultureInfo.InvariantCulture) : null);
// Assert
Assert.Equal(lifetime, ticket.GetProperty(OpenIdConnectConstants.Properties.IdentityTokenLifetime));
}
public async Task <IActionResult> Authorize(OpenIdConnectRequest request)
{
if (request == null)
{
throw new System.ArgumentNullException(nameof(request));
}
Debug.Assert(request.IsAuthorizationRequest(),
"The OpenIddict binder for ASP.NET Core MVC is not registered. " +
"Make sure services.AddOpenIddict().AddMvcBinders() is correctly called.");
// Check if a user is authenticated. If not, challenge the GitHub authentication handler
if (!User.Identity.IsAuthenticated)
{
return(Challenge("Google"));
}
var response = await _bus.RequestAsync <GetOrCreateUserRequest, GetOrCreateUserResponse>(new GetOrCreateUserRequest(User.FindFirstValue(ClaimTypes.Email)));
var userId = response.Id;
// Create a new ClaimsPrincipal containing the claims that
// will be used to create an id_token, a token or a code.
var identity = new ClaimsIdentity("OpenIddict");
identity.AddClaim(OpenIdConnectConstants.Claims.Subject, userId.ToString(),
OpenIdConnectConstants.Destinations.AccessToken, OpenIdConnectConstants.Destinations.IdentityToken);
identity.AddClaim(OpenIdConnectConstants.Claims.Name, User.FindFirstValue(ClaimTypes.Name),
OpenIdConnectConstants.Destinations.IdentityToken);
identity.AddClaim(OpenIdConnectConstants.Claims.Email, User.FindFirstValue(ClaimTypes.Email),
OpenIdConnectConstants.Destinations.IdentityToken);
identity.AddClaim(OpenIdConnectConstants.Claims.EmailVerified, "true",
OpenIdConnectConstants.Destinations.IdentityToken); // We'll assume email is verified since we get it from GitHub
var principal = new ClaimsPrincipal(identity);
// Create a new authentication ticket holding the user identity.
var ticket = new AuthenticationTicket(principal,
new AuthenticationProperties(),
OpenIdConnectServerDefaults.AuthenticationScheme);
ticket.SetIdentityTokenLifetime(TimeSpan.FromDays(1));
// Returning a SignInResult will ask OpenIddict to issue the appropriate access/identity tokens.
return(SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme));
}
private async Task <AuthenticationTicket> CreateTicketAsync(User user, string[] roles)
{
var req = HttpContext.GetOpenIdConnectRequest();
// principal = authenticated user.
var principal = await _signInManager.CreateUserPrincipalAsync(user);
AddRolesToPrincipal(principal, roles);
var ticket = new AuthenticationTicket(principal, new AuthenticationProperties(), OpenIdConnectServerDefaults.AuthenticationScheme);
// Token lifetime to 12 hours
ticket.SetAccessTokenLifetime(TimeSpan.FromHours(12));
ticket.SetAuthorizationCodeLifetime(TimeSpan.FromHours(12));
ticket.SetIdentityTokenLifetime(TimeSpan.FromHours(12));
ticket.SetScopes(OpenIddictConstants.Scopes.Roles);
// Explicitly specify which claims should be included in the access token
foreach (var claim in ticket.Principal.Claims)
{
// Never include the security stamp (it's a secret value)
if (claim.Type == _identityOptions.Value.ClaimsIdentity.SecurityStampClaimType)
{
continue;
}
// TODO: If there are any other private/secret claims on the user that should
// not be exposed publicly, handle them here!
// The token is encoded but not encrypted, so it is effectively plaintext.
claim.SetDestinations(OpenIdConnectConstants.Destinations.AccessToken);
}
return(ticket);
}
private async Task <AuthenticationTicket> CreateTicketAsync(
OpenIdConnectRequest request, ApplicationUser user,
AuthenticationProperties properties = null)
{
// Create a new ClaimsPrincipal containing the claims that
// will be used to create an id_token, a token or a code.
var principal = await _signInManager.CreateUserPrincipalAsync(user);
// Create a new authentication ticket holding the user identity.
var ticket = new AuthenticationTicket(principal,
properties ?? new AuthenticationProperties(),
OpenIdConnectServerDefaults.AuthenticationScheme);
// Set the list of scopes granted to the client application.
// Note: the offline_access scope must be granted
// to allow OpenIddict to return a refresh token.
var roleNames = await _userManager.GetRolesAsync(user);
var identity = ticket.Principal.Identity as ClaimsIdentity;
if (!request.IsAuthorizationCodeGrantType())
{
var scopes = new List <string>
{
OpenIdConnectConstants.Scopes.OpenId,
OpenIdConnectConstants.Scopes.Email,
OpenIdConnectConstants.Scopes.Profile,
OpenIdConnectConstants.Scopes.OfflineAccess,
OpenIddictConstants.Scopes.Roles
}.Intersect(request.GetScopes()).ToList();
ticket.SetScopes(scopes);
}
// Note: by default, claims are NOT automatically included in the access and identity tokens.
// To allow OpenIddict to serialize them, you must attach them a destination, that specifies
// whether they should be included in access tokens, in identity tokens or in both.
foreach (var claim in ticket.Principal.Claims)
{
// Never include the security stamp in the access and identity tokens, as it's a secret value.
if (claim.Type == _identityOptions.Value.ClaimsIdentity.SecurityStampClaimType)
{
continue;
}
// Only add the iterated claim to the id_token if the corresponding scope was granted to the client application.
// The other claims will only be added to the access_token, which is encrypted when using the default format.
if ((claim.Type == OpenIdConnectConstants.Claims.Name && ticket.HasScope(OpenIdConnectConstants.Scopes.Profile)) ||
(claim.Type == OpenIdConnectConstants.Claims.Email && ticket.HasScope(OpenIdConnectConstants.Scopes.Email)) ||
(claim.Type == OpenIdConnectConstants.Claims.Role && ticket.HasScope(OpenIddictConstants.Claims.Roles)))
{
var type = claim.Type;
claim.SetDestinations(OpenIdConnectConstants.Destinations.IdentityToken,
OpenIdConnectConstants.Destinations.AccessToken);
}
else
{
claim.SetDestinations(OpenIdConnectConstants.Destinations.AccessToken);
}
}
if (_appOptions.TokenGeneration.Audiences.Any())
{
foreach (var audience in _appOptions.TokenGeneration.Audiences)
{
ticket.SetAudiences(audience);
}
}
if (_appOptions.TokenGeneration.Resources.Any())
{
foreach (var resource in _appOptions.TokenGeneration.Resources)
{
ticket.SetResources(resource);
}
}
if (_appOptions.TokenGeneration.IncludeUserIdClaim)
{
AddUserIdClaim(ticket, user);
}
ticket.SetAccessTokenLifetime(TimeSpan.FromSeconds(_appOptions.TokenGeneration.AccessTokenLifetime));
ticket.SetIdentityTokenLifetime(TimeSpan.FromSeconds(_appOptions.TokenGeneration.IdentityTokenLifetime));
ticket.SetRefreshTokenLifetime(TimeSpan.FromSeconds(_appOptions.TokenGeneration.RefreshTokenLifetime));
return(ticket);
}