private async Task CreateAuthorizationAsync([NotNull] AuthenticationTicket ticket,
[NotNull] OpenIddictServerOptions options, [NotNull] OpenIdConnectRequest request)
{
var descriptor = new OpenIddictAuthorizationDescriptor
{
Principal = ticket.Principal,
Status = OpenIddictConstants.Statuses.Valid,
Subject = ticket.Principal.GetClaim(OpenIddictConstants.Claims.Subject),
Type = OpenIddictConstants.AuthorizationTypes.AdHoc
};
foreach (var property in ticket.Properties.Items)
{
descriptor.Properties.Add(property);
}
foreach (var scope in ticket.GetScopes())
{
descriptor.Scopes.Add(scope);
}
// If the client application is known, bind it to the authorization.
if (!string.IsNullOrEmpty(request.ClientId))
{
var application = await _applicationManager.FindByClientIdAsync(request.ClientId);
if (application == null)
{
throw new InvalidOperationException("The application entry cannot be found in the database.");
}
descriptor.ApplicationId = await _applicationManager.GetIdAsync(application);
}
var authorization = await _authorizationManager.CreateAsync(descriptor);
if (authorization != null)
{
var identifier = await _authorizationManager.GetIdAsync(authorization);
if (string.IsNullOrEmpty(request.ClientId))
{
_logger.LogInformation("An ad hoc authorization was automatically created and " +
"associated with an unknown application: {Identifier}.", identifier);
}
else
{
_logger.LogInformation("An ad hoc authorization was automatically created and " +
"associated with the '{ClientId}' application: {Identifier}.",
request.ClientId, identifier);
}
// Attach the unique identifier of the ad hoc authorization to the authentication ticket
// so that it is attached to all the derived tokens, allowing batched revocations support.
ticket.SetInternalAuthorizationId(identifier);
}
}
public static async Task <AuthenticationTicket> CreateAuthenticationTicket(
OpenIddictApplicationManager <BTCPayOpenIdClient> applicationManager,
OpenIddictAuthorizationManager <BTCPayOpenIdAuthorization> authorizationManager,
IdentityOptions identityOptions,
SignInManager <ApplicationUser> signInManager,
OpenIdConnectRequest request,
ApplicationUser user,
AuthenticationProperties properties = null)
{
// Create a new ClaimsPrincipal containing the claims that
// will be used to create an id_token, a token or a code.
var principal = await signInManager.CreateUserPrincipalAsync(user);
// Create a new authentication ticket holding the user identity.
var ticket = new AuthenticationTicket(principal, properties,
OpenIddictServerDefaults.AuthenticationScheme);
if (!request.IsAuthorizationCodeGrantType() && !request.IsRefreshTokenGrantType())
{
ticket.SetScopes(request.GetScopes());
}
else if (request.IsAuthorizationCodeGrantType() &&
string.IsNullOrEmpty(ticket.GetInternalAuthorizationId()))
{
var app = await applicationManager.FindByClientIdAsync(request.ClientId);
var authorizationId = await IsUserAuthorized(authorizationManager, request, user.Id, app.Id);
if (!string.IsNullOrEmpty(authorizationId))
{
ticket.SetInternalAuthorizationId(authorizationId);
}
}
foreach (var claim in ticket.Principal.Claims)
{
claim.SetDestinations(GetDestinations(identityOptions, claim, ticket));
}
return(ticket);
}
private async Task <string> CreateTokenAsync(
[NotNull] string type, [NotNull] AuthenticationTicket ticket,
[NotNull] OpenIddictServerOptions options,
[NotNull] OpenIdConnectRequest request,
[NotNull] ISecureDataFormat <AuthenticationTicket> format)
{
Debug.Assert(!(options.DisableTokenStorage && options.UseReferenceTokens),
"Token storage cannot be disabled when using reference tokens.");
Debug.Assert(type == OpenIdConnectConstants.TokenUsages.AccessToken ||
type == OpenIdConnectConstants.TokenUsages.AuthorizationCode ||
type == OpenIdConnectConstants.TokenUsages.RefreshToken,
"Only authorization codes, access and refresh tokens should be created using this method.");
// When sliding expiration is disabled, the expiration date of generated refresh tokens is fixed
// and must exactly match the expiration date of the refresh token used in the token request.
if (request.IsTokenRequest() && request.IsRefreshTokenGrantType() &&
!options.UseSlidingExpiration && type == OpenIdConnectConstants.TokenUsages.RefreshToken)
{
var properties = request.GetProperty <AuthenticationTicket>(
OpenIddictConstants.Properties.AuthenticationTicket)?.Properties;
Debug.Assert(properties != null, "The authentication properties shouldn't be null.");
ticket.Properties.ExpiresUtc = properties.ExpiresUtc;
}
if (options.DisableTokenStorage)
{
return(null);
}
var descriptor = new OpenIddictTokenDescriptor
{
AuthorizationId = ticket.GetInternalAuthorizationId(),
CreationDate = ticket.Properties.IssuedUtc,
ExpirationDate = ticket.Properties.ExpiresUtc,
Principal = ticket.Principal,
Status = OpenIddictConstants.Statuses.Valid,
Subject = ticket.Principal.GetClaim(OpenIddictConstants.Claims.Subject),
Type = type
};
foreach (var property in ticket.Properties.Items)
{
descriptor.Properties.Add(property);
}
// When reference tokens are enabled or when the token is an authorization code or a
// refresh token, remove the unnecessary properties from the authentication ticket.
if (options.UseReferenceTokens ||
(type == OpenIdConnectConstants.TokenUsages.AuthorizationCode ||
type == OpenIdConnectConstants.TokenUsages.RefreshToken))
{
ticket.Properties.IssuedUtc = ticket.Properties.ExpiresUtc = null;
ticket.RemoveProperty(OpenIddictConstants.Properties.InternalAuthorizationId)
.RemoveProperty(OpenIddictConstants.Properties.InternalTokenId);
}
// If reference tokens are enabled, create a new entry for
// authorization codes, refresh tokens and access tokens.
if (options.UseReferenceTokens)
{
// Note: the data format is automatically replaced at startup time to ensure
// that encrypted tokens stored in the database cannot be considered as
// valid tokens if the developer decides to disable reference tokens support.
descriptor.Payload = format.Protect(ticket);
// Generate a new crypto-secure random identifier that will be
// substituted to the ciphertext returned by the data format.
var bytes = new byte[256 / 8];
options.RandomNumberGenerator.GetBytes(bytes);
// Note: the default token manager automatically obfuscates the
// reference identifier so it can be safely stored in the databse.
descriptor.ReferenceId = Base64UrlEncoder.Encode(bytes);
}
// Otherwise, only create a token metadata entry for authorization codes and refresh tokens.
else if (type != OpenIdConnectConstants.TokenUsages.AuthorizationCode &&
type != OpenIdConnectConstants.TokenUsages.RefreshToken)
{
return(null);
}
// If the client application is known, associate it with the token.
if (!string.IsNullOrEmpty(request.ClientId))
{
var application = await _applicationManager.FindByClientIdAsync(request.ClientId);
if (application == null)
{
throw new InvalidOperationException("The application entry cannot be found in the database.");
}
descriptor.ApplicationId = await _applicationManager.GetIdAsync(application);
}
// If a null value was returned by CreateAsync(), return immediately.
// Note: the request cancellation token is deliberately not used here to ensure the caller
// cannot prevent this operation from being executed by resetting the TCP connection.
var token = await _tokenManager.CreateAsync(descriptor);
if (token == null)
{
return(null);
}
// Throw an exception if the token identifier can't be resolved.
var identifier = await _tokenManager.GetIdAsync(token);
if (string.IsNullOrEmpty(identifier))
{
throw new InvalidOperationException("The unique key associated with a refresh token cannot be null or empty.");
}
// Dynamically set the creation and expiration dates.
ticket.Properties.IssuedUtc = descriptor.CreationDate;
ticket.Properties.ExpiresUtc = descriptor.ExpirationDate;
// Restore the token/authorization identifiers using the identifiers attached with the database entry.
ticket.SetInternalAuthorizationId(descriptor.AuthorizationId)
.SetInternalTokenId(identifier);
if (options.UseReferenceTokens)
{
_logger.LogTrace("A new reference token was successfully generated and persisted " +
"in the database: {Token} ; {Claims} ; {Properties}.",
descriptor.ReferenceId, ticket.Principal.Claims, ticket.Properties.Items);
return(descriptor.ReferenceId);
}
return(null);
}
private async Task <AuthenticationTicket> CreateUserTicketAsync(
ClaimsPrincipal principal, object application, object authorization,
OpenIdConnectRequest request, AuthenticationProperties properties = null)
{
Debug.Assert(request.IsAuthorizationRequest() || request.IsTokenRequest(),
"The request should be an authorization or token request.");
var identity = (ClaimsIdentity)principal.Identity;
// Note: make sure this claim is not added multiple times (which may happen when the principal
// was extracted from an authorization code or from a refresh token ticket is re-used as-is).
if (string.IsNullOrEmpty(principal.FindFirst(OpenIdConstants.Claims.EntityType)?.Value))
{
identity.AddClaim(OpenIdConstants.Claims.EntityType, OpenIdConstants.EntityTypes.User,
OpenIddictConstants.Destinations.AccessToken,
OpenIddictConstants.Destinations.IdentityToken);
}
// Note: while ASP.NET Core Identity uses the legacy WS-Federation claims (exposed by the ClaimTypes class),
// OpenIddict uses the newer JWT claims defined by the OpenID Connect specification. To ensure the mandatory
// subject claim is correctly populated (and avoid an InvalidOperationException), it's manually added here.
if (string.IsNullOrEmpty(principal.FindFirst(OpenIdConnectConstants.Claims.Subject)?.Value))
{
identity.AddClaim(new Claim(OpenIdConnectConstants.Claims.Subject, principal.GetUserIdentifier()));
}
// Create a new authentication ticket holding the user identity.
var ticket = new AuthenticationTicket(principal, properties,
OpenIddictServerDefaults.AuthenticationScheme);
if (request.IsAuthorizationRequest() || (!request.IsAuthorizationCodeGrantType() &&
!request.IsRefreshTokenGrantType()))
{
// Set the list of scopes granted to the client application.
// Note: the offline_access scope must be granted
// to allow OpenIddict to return a refresh token.
ticket.SetScopes(request.GetScopes());
ticket.SetResources(await GetResourcesAsync(request.GetScopes()));
// If the request is an authorization request, automatically create
// a permanent authorization to avoid requiring explicit consent for
// future authorization or token requests containing the same scopes.
if (authorization == null && request.IsAuthorizationRequest())
{
authorization = await _authorizationManager.CreateAsync(
principal : ticket.Principal,
subject : principal.GetUserIdentifier(),
client : await _applicationManager.GetIdAsync(application),
type : OpenIddictConstants.AuthorizationTypes.Permanent,
scopes : ImmutableArray.CreateRange(ticket.GetScopes()),
properties : ImmutableDictionary.CreateRange(ticket.Properties.Items));
}
if (authorization != null)
{
// Attach the authorization identifier to the authentication ticket.
ticket.SetInternalAuthorizationId(await _authorizationManager.GetIdAsync(authorization));
}
}
// Note: by default, claims are NOT automatically included in the access and identity tokens.
// To allow OpenIddict to serialize them, you must attach them a destination, that specifies
// whether they should be included in access tokens, in identity tokens or in both.
foreach (var claim in ticket.Principal.Claims)
{
// Never include the security stamp in the access and identity tokens, as it's a secret value.
if (claim.Type == "AspNet.Identity.SecurityStamp")
{
continue;
}
var destinations = new List <string>
{
OpenIddictConstants.Destinations.AccessToken
};
// Only add the iterated claim to the id_token if the corresponding scope was granted to the client application.
// The other claims will only be added to the access_token, which is encrypted when using the default format.
if ((claim.Type == OpenIddictConstants.Claims.Name && ticket.HasScope(OpenIddictConstants.Scopes.Profile)) ||
(claim.Type == OpenIddictConstants.Claims.Email && ticket.HasScope(OpenIddictConstants.Scopes.Email)) ||
(claim.Type == OpenIddictConstants.Claims.Role && ticket.HasScope(OpenIddictConstants.Claims.Roles)) ||
(claim.Type == OpenIdConstants.Claims.EntityType))
{
destinations.Add(OpenIddictConstants.Destinations.IdentityToken);
}
claim.SetDestinations(destinations);
}
return(ticket);
}
