public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken) { var validationSettings = new GoogleJsonWebSignature.ValidationSettings(); validationSettings.Audience = new List <string>() { _settingsService.GoogleApiCrendentials.ClientId ! }; try { var payload = GoogleJsonWebSignature.ValidateAsync(securityToken, validationSettings).Result; var claims = new List <Claim> { new Claim(ClaimTypes.NameIdentifier, payload.Name), new Claim(ClaimTypes.Name, payload.Name), new Claim(JwtRegisteredClaimNames.FamilyName, payload.FamilyName), new Claim(JwtRegisteredClaimNames.GivenName, payload.GivenName), new Claim(JwtRegisteredClaimNames.Email, payload.Email), new Claim(JwtRegisteredClaimNames.Sub, payload.Subject), new Claim(JwtRegisteredClaimNames.Iss, payload.Issuer), }; validatedToken = null; var principle = new ClaimsPrincipal(new ClaimsIdentity(claims, AuthenticationTypes.Google)); return(principle); } catch (Exception e) { Console.WriteLine(e); throw; } } }
/// <summary> /// Sends the jwt token to Google's Servers to be validated. /// </summary> /// <returns> /// The payload received from Google, or null if the token is invalid. /// </returns> /// <param name="token">A JWT.</param> /// <param name="env">The environment, used to check if validation should be skipped.</param> public static async Task <GoogleJsonWebSignature.Payload> ValidateUser(string token, IAppEnvironment env) { if (env.SkipValidation == "true") { return(new GoogleJsonWebSignature.Payload() { Name = "Smitty Jensens", GivenName = "Smitty", FamilyName = "Jensens", Email = "*****@*****.**", Subject = "123456789109876543210", // Subject is longer than Int64 }); } try { var settings = new GoogleJsonWebSignature.ValidationSettings() { Audience = new string[] { env.Audience }, }; var validPayload = await GoogleJsonWebSignature.ValidateAsync(token); return(validPayload); } catch { return(null); } }
public async Task <NewExternalUserViewModel> GetUserViewModelUserFromGoogleToken(string googleIdToken) { var googleTokenSettings = new GoogleJsonWebSignature.ValidationSettings() { Audience = new List <string>() { "680869894998-hujg19vbq0lhmhc8vf8ldmc1dnepvrti.apps.googleusercontent.com" } }; try { var validToken = await GoogleJsonWebSignature.ValidateAsync(googleIdToken, googleTokenSettings); var user = new NewExternalUserViewModel() { AuthenticationTypeId = (int)AuthenticationType.GoogleApi, Email = validToken.Email, FirstName = validToken.Name, LastName = validToken.GivenName, Password = GenerateRandomPasswordForSocialUser(), Username = validToken.Email }; return(user); } catch (InvalidJwtException ex) { Console.WriteLine(ex.Message + ex.StackTrace); throw; } }
public async Task <IActionResult> LoginGoogle(GoogleTokenDto googleToken) { var settings = new GoogleJsonWebSignature.ValidationSettings() { Audience = Enumerable.Repeat(_config["Authentication:Google:ClientId"], 1), }; var payload = await GoogleJsonWebSignature.ValidateAsync(googleToken.IdToken, settings); if (!payload.EmailVerified) { return(Unauthorized()); } User user; if (await _repo.UserExists(payload.Email)) { user = await _repo.GetExistingUser(payload.Email); } else { var userToCreate = new User { Email = payload.Email, FullName = payload.Name, Activated = true, Registered = false, Role = Role.User, }; user = await _repo.CreateUserWithoutRegistration(userToCreate); } // generate token var tokenHandler = new JwtSecurityTokenHandler(); var key = Encoding.ASCII.GetBytes(_config["JWTSecret"]); var tokenDescriptor = new SecurityTokenDescriptor { Subject = new ClaimsIdentity(new Claim[] { new Claim(ClaimTypes.NameIdentifier, user.UserId), new Claim(ClaimTypes.Email, user.Email), new Claim(ClaimTypes.Role, user.Role) }), Expires = DateTime.Now.AddDays(1), SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha512Signature) }; var token = tokenHandler.CreateToken(tokenDescriptor); var tokenString = tokenHandler.WriteToken(token); HttpContext.Response.Cookies.Append("JWT", tokenString, new CookieOptions { HttpOnly = true, Expires = DateTime.Now.AddDays(14) }); return(Ok()); }
public async Task <GoogleJsonWebSignature.Payload> ValidateGooglePayLoad(string tokenId) { var settings = new GoogleJsonWebSignature.ValidationSettings() { Audience = new string[] { _config.GetSection("Google:ClientId").Value } }; var payload = await GoogleJsonWebSignature.ValidateAsync(tokenId, settings); return(payload); }
private async Task <GoogleJsonWebSignature.Payload> VerifyGoogleToken(AuthRequest authRequest) { var settings = new GoogleJsonWebSignature.ValidationSettings() { Audience = new List <string>() { _authGoogleConfig.ClientId } }; return(await GoogleJsonWebSignature.ValidateAsync(authRequest.IdToken, settings)); }
public async Task <GoogleJsonWebSignature.Payload> VerifyGoogleToken(ExternalAuth externalAuth) { var settings = new GoogleJsonWebSignature.ValidationSettings() { Audience = new List <string>() { _appSettings.ClientId } }; return(await GoogleJsonWebSignature.ValidateAsync(externalAuth.IdToken, settings)); }
public async Task <GoogleJsonWebSignature.Payload> ValidateGoogleToken(string idToken) { var validationSettings = new GoogleJsonWebSignature.ValidationSettings { Audience = new[] { _authOptions.Value.GoogleClientId } }; // Todo: Research: Is this secure enough? var payload = await GoogleJsonWebSignature.ValidateAsync(idToken, validationSettings); return(payload); }
public async Task <ActionResult> TokenLogin(string idToken) { if (idToken == null) { Response.StatusCode = (int)HttpStatusCode.BadRequest; return(null); } var settings = new GoogleJsonWebSignature.ValidationSettings() { Audience = new List <string>() { _config["GoogleClientId"] } }; string subject = null; string email = null; try { var validPayload = await GoogleJsonWebSignature.ValidateAsync(idToken, settings); subject = validPayload.Subject; email = validPayload.Email; } catch (InvalidJwtException) { Response.StatusCode = 403; // Provide body? // Should probably log this. return(null); } var user = _db.Users.FirstOrDefault(u => u.VendorID == subject); if (user == null) { var newUser = new User() { Email = email, VendorID = subject }; _db.Users.Add(newUser); _db.SaveChanges(); } HttpContext.Session.SetString("userID", user.ID.ToString()); // Should be able to insert this into SQL Server. return(Content(JsonConvert.SerializeObject(user), "application/json")); }
public IActionResult Authenticate([FromBody] AuthenticateRequest data) { GoogleJsonWebSignature.ValidationSettings settings = new GoogleJsonWebSignature.ValidationSettings(); // Change this to your google client ID settings.Audience = new List <string>() { "425874635785-9qbseena0h69r9f6jbe7o84qpfjk6krr.apps.googleusercontent.com" }; GoogleJsonWebSignature.Payload payload = GoogleJsonWebSignature.ValidateAsync(data.IdToken, settings).Result; return(Ok(new { AuthToken = _jwtGenerator.CreateUserAuthToken(payload.Email) })); }
public async Task <GoogleUserDto> Handle(GetGoogleUser request, CancellationToken cancellationToken) { var settings = new GoogleJsonWebSignature.ValidationSettings { Audience = new List <string> { _audience } }; GoogleJsonWebSignature.Payload payload = await GoogleJsonWebSignature.ValidateAsync(request.IdToken, settings); return(new GoogleUserDto(payload.Email)); }
public override void OnActionExecuting(ActionExecutingContext context) { var token = context.HttpContext.Request.Headers["authorization"]; GoogleJsonWebSignature.ValidationSettings settings = new GoogleJsonWebSignature.ValidationSettings(); settings.Audience = new List <string>() { "419273351615-a2kp1blvs5f3idt3mlr5vbkeqtqgjvr6.apps.googleusercontent.com" }; GoogleJsonWebSignature.Payload payload = GoogleJsonWebSignature.ValidateAsync(token, settings).Result; context.ActionArguments["nome"] = payload.Name; context.ActionArguments["email"] = payload.Email; base.OnActionExecuting(context); }
public async Task <GoogleJsonWebSignature.Payload> ValidateToken([FromQuery] string idToken, CancellationToken cancellationToken) { //var validPayload = await GoogleJsonWebSignature.ValidateAsync(idToken); //Assert.NotNull(validPayload, "GoogleValidationResponse", "Id_Token is not valid!"); //return Ok("Token is Valid"); GoogleJsonWebSignature.ValidationSettings settings = new GoogleJsonWebSignature.ValidationSettings(); settings.Audience = new List <string>() { _configuration.GetSection("Authentication:Google")["ClientId"] }; GoogleJsonWebSignature.Payload payload = await GoogleJsonWebSignature.ValidateAsync(idToken, settings); return(payload); }
public async Task<GoogleJsonWebSignature.Payload> VerifyGoogleToken(ExternalAuthDto externalAuth) { try { var settings = new GoogleJsonWebSignature.ValidationSettings() { Audience = new List<string>() { _goolgeSettings.GetSection("clientId").Value } }; var payload = await GoogleJsonWebSignature.ValidateAsync(externalAuth.IdToken, settings); return payload; } catch (Exception ex) { //log an exception return null; } }
//public GoogleService(GoogleDataStore googleDataStore) //{ // _googleDataStore = googleDataStore; //} public async Task <ExternalAuthDto?> LogInAsync(string jwt, CancellationToken cancellationToken) { var settings = new GoogleJsonWebSignature.ValidationSettings { Audience = new[] { "341737442078-ajaf5f42pajkosgu9p3i1bcvgibvicbq.apps.googleusercontent.com", // Web site "99716345448-73b697k11joufrvkqtc18ep2j36trgci.apps.googleusercontent.com" // Android } }; try { var result = await GoogleJsonWebSignature.ValidateAsync(jwt, settings); if (result == null) { return(null); } if (!result.EmailVerified) { return(null); } return(new ExternalAuthDto() { Id = result.Subject, FirstName = result.GivenName, LastName = result.FamilyName, Email = result.Email, Language = result.Locale, Name = result.Name, Picture = result.Picture }); } catch (InvalidJwtException) { return(null); } }
public async Task <ActionResult <AuthenticateResponse> > GoogleLogin(GoogleLoginResponse model) { //var refreshToken = Request.Cookies["refreshToken"]; GoogleJsonWebSignature.ValidationSettings settings = new GoogleJsonWebSignature.ValidationSettings { // your google client ID Audience = new List <string>() { "505653862664-h65g6rpnso3aiukv5i4fgd3o5f8okvm2.apps.googleusercontent.com" } }; GoogleJsonWebSignature.Payload payload = GoogleJsonWebSignature.ValidateAsync(model.IdToken, settings).Result; //return Ok(new { AuthToken = _jwtGenerator.CreateUserAuthToken(payload.Email) }); var response = await _accountService.GoogleLogin(payload, IpAddress(), Request.Headers["origin"]); SetTokenCookie(response.RefreshToken); return(Ok(response)); }
public async Task <GoogleJsonWebSignature.Payload> VerifyGoogleToken(ExternalAuthenticationRequestModel externalAuth) { try { var settings = new GoogleJsonWebSignature.ValidationSettings() { Audience = new List <string>() { _goolgeSettings.GetSection("clientId").Value } }; var payload = await GoogleJsonWebSignature.ValidateAsync(externalAuth.IdToken, settings); return(payload); } catch { return(null); } }
public IActionResult GoogleLogin(SocialNetworkIdTokenModel data) { try { GoogleJsonWebSignature.ValidationSettings settings = new GoogleJsonWebSignature.ValidationSettings(); settings.Audience = new List <string>() { "752253873246-cg9qrlhp0tmtn7cd8vpg4qrfk03br55c.apps.googleusercontent.com" }; GoogleJsonWebSignature.Payload userGoogle = GoogleJsonWebSignature.ValidateAsync(data.IdToken, settings).Result; _serviceAuth.SocialNetworksAuthenticate(userGoogle.Email, userGoogle.GivenName, userGoogle.FamilyName, userGoogle.Picture); var response = GiveJWTToken(userGoogle.Email, "0"); return(Ok(response)); } catch (Exception ee) { return(BadRequest(ee.Message)); } }
private async Task <GoogleJsonWebSignature.Payload> VerifyGoogleToken(GoogleLoginModel model) { try { var settings = new GoogleJsonWebSignature.ValidationSettings() { Audience = new List <string>() { _googleConfiguration.ClientId } }; var payload = await GoogleJsonWebSignature.ValidateAsync(model.IdToken, settings); return(payload); } catch (Exception e) { Console.WriteLine(e); return(null); } }
public async Task <IActionResult> POSTAsync([FromBody] TokenDto value) { try { GoogleJsonWebSignature.ValidationSettings settings = new GoogleJsonWebSignature.ValidationSettings(); //settings.Audience = new List<string>() { "781444592241-5l8d33p832p4muissesek9gvr74p08rk.apps.googleusercontent.com" }; settings.Audience = new List <string>() { "491676760446-n2786agrpa456hcr6cfns835t130glnm.apps.googleusercontent.com" }; GoogleJsonWebSignature.Payload payload = await GoogleJsonWebSignature.ValidateAsync(value.token, settings); if (payload.EmailVerified) { Payload userPayload = new Payload { Name = payload.Name, Email = payload.Email, EmailVerified = payload.EmailVerified, Picture = payload.Picture }; TTSUserDetailsByEmail user = loginService.LoginCheck(payload.Email).Result; if (user != null) { var token = loginService.GenerateJWTToken(user, userPayload); return(Ok(token)); } } return(BadRequest()); } catch (Exception ex) { return(StatusCode(500)); throw; } }
public void ValidationSettingsToSignedTokenVerificationOptions() { MockClock clock = new MockClock(DateTime.UtcNow); FakeCertificateCache cache = new FakeCertificateCache(); var options = new GoogleJsonWebSignature.ValidationSettings { Clock = clock, Audience = new[] { "audience" }, HostedDomain = "hosted_domain", IssuedAtClockTolerance = TimeSpan.FromSeconds(5), ExpirationTimeClockTolerance = TimeSpan.FromSeconds(10), CertificateCache = cache, ForceGoogleCertRefresh = true }.ToVerificationOptions(); Assert.Same(clock, options.Clock); Assert.Single(options.TrustedAudiences, "audience"); Assert.Equal(TimeSpan.FromSeconds(5), options.IssuedAtClockTolerance); Assert.Equal(TimeSpan.FromSeconds(10), options.ExpiryClockTolerance); Assert.Same(cache, options.CertificateCache); Assert.True(options.ForceCertificateRefresh); Assert.Equal(GoogleAuthConsts.JsonWebKeySetUrl, options.CertificatesUrl); Assert.Equal(GoogleJsonWebSignature.ValidJwtIssuers.Count(), options.TrustedIssuers.Count); }
public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken) { validatedToken = null; // Create a new list of claims that is to contain Google JWT payload data that will become part of the Identity List <Claim> claims = null; // Create a new payload object GoogleJsonWebSignature.Payload payload = null; // Validate token try { // GoogleJsonWebSignature class contains methods to validate the Google issued JWT // ValidationSettings() method contains definitions for default auth settings (clock deviation tolerances, hosted domain validation for GSuite // and Client ID verification. Nothing is overriden, so all settings are at default for now. GoogleJsonWebSignature.ValidationSettings validationSettings = new GoogleJsonWebSignature.ValidationSettings(); // ValidateAsync() performs the validation of the JWT token. Token payload contains the targeted data as defined during the Auth Token definition // (scope of access to various Google services/APIs/personal information, etc. The payload data will be stored into a list of claims. payload = GoogleJsonWebSignature.ValidateAsync(securityToken, validationSettings).Result; // Create a list of claims containing Google JWT payload data claims = new List <Claim>() { new Claim(ClaimTypes.NameIdentifier, payload.Name), new Claim(ClaimTypes.Name, payload.Name), new Claim(JwtRegisteredClaimNames.FamilyName, payload.FamilyName), new Claim(JwtRegisteredClaimNames.GivenName, payload.GivenName), new Claim(JwtRegisteredClaimNames.Website, payload.Picture), new Claim(JwtRegisteredClaimNames.Email, payload.Email), new Claim(JwtRegisteredClaimNames.Sub, payload.Subject), new Claim(JwtRegisteredClaimNames.Iss, payload.Issuer), }; // Check if the user exists in the local database. using (DataContext _DataContext = new DataContext()) { // Get DB record associated with the Email, if it exists. User userData = _DataContext.Users.Where(x => x.Email == payload.Email).Include(user => user.StaffData).FirstOrDefault(); if (userData != null) { if (!userData.Active) { throw new SecurityTokenValidationException($"[LOGIN] FAILURE User {payload.Email} attempted to login but set to inactive"); } bool userIsStaff = userData.StaffData != null; bool userIsSuperUser = userIsStaff ? userData.StaffData.SuperUser : false; claims.Add(new Claim(ClaimTypes.Role, (userIsSuperUser ? "SuperAdmin" : userIsStaff ? "Staff" : "Student"))); // Compare the current id token in database to the new one. If they differ, store the new token and create a log entry if (userData.ActiveToken != securityToken) { userData.ActiveToken = securityToken; _DataContext.SaveChanges(); Logger.Msg <GoogleTokenValidator>($"[LOGIN] SUCCESS User {payload.Email} {(userIsSuperUser ? "(Super)" : userIsStaff ? "(Staff)" : string.Empty)}", Serilog.Events.LogEventLevel.Debug); } } else { throw new SecurityTokenValidationException($"[LOGIN] FAILURE User with auth token belonging to {payload.Email} not found in database"); } } // Convert token to Identity if (payload != null) { ClaimsPrincipal principal = new ClaimsPrincipal(); principal.AddIdentity(new ClaimsIdentity(claims, "Google")); return(principal); } else { throw new SecurityTokenValidationException($"[LOGIN] FAIL Unable to authenticate user with auth token belonging to {payload?.Email}"); } } catch (Exception ex) { if (ex.InnerException?.Message != null) { Logger.Msg <GoogleTokenValidator>(new SecurityTokenValidationException($"[LOGIN] FAILURE {ex.InnerException.Message}")); } else { Logger.Msg <GoogleTokenValidator>(new SecurityTokenValidationException($"[LOGIN] FAILURE {ex.Message}")); } throw new SecurityTokenValidationException(); } }
public async Task <User> ValidateGoogleUser(string TokenId) { var CLIENT_ID = "393357815889-jl0jci0rs1ghjvq94lcbgl1rfms0cruv.apps.googleusercontent.com"; GoogleJsonWebSignature.Payload googleToken = null; var settings = new GoogleJsonWebSignature.ValidationSettings() { Audience = new List <string>() { CLIENT_ID } }; try { googleToken = await GoogleJsonWebSignature.ValidateAsync(TokenId, settings); } catch { return(null); } var user = await _userManager.FindByNameAsync(googleToken.Email); if (user == null) { var newUser = new User { UserName = googleToken.Email, Email = googleToken.Email }; await _userManager.CreateAsync(newUser); _userManager.AddToRoleAsync(newUser, "User").Wait(); // authentication successful so generate jwt token var tokenHandler2 = new JwtSecurityTokenHandler(); var key2 = Encoding.ASCII.GetBytes(_appSettings.Secret); var tokenDescriptor2 = new SecurityTokenDescriptor { Subject = new ClaimsIdentity(new Claim[] { new Claim(ClaimTypes.Name, newUser.Id.ToString()) }), Expires = DateTime.UtcNow.AddDays(7), SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key2), SecurityAlgorithms.HmacSha256Signature) }; var token2 = tokenHandler2.CreateToken(tokenDescriptor2); newUser.Token = tokenHandler2.WriteToken(token2); return(newUser); } // authentication successful so generate jwt token var tokenHandler = new JwtSecurityTokenHandler(); var key = Encoding.ASCII.GetBytes(_appSettings.Secret); var tokenDescriptor = new SecurityTokenDescriptor { Subject = new ClaimsIdentity(new Claim[] { new Claim(ClaimTypes.Name, user.Id.ToString()) }), Expires = DateTime.UtcNow.AddDays(7), SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature) }; var token = tokenHandler.CreateToken(tokenDescriptor); user.Token = tokenHandler.WriteToken(token); return(user); }
public async Task <IActionResult> GoogleAutentificar([FromBody] GoogleAuthRequest googleAuthRequest) { AuthRequest authRequest = new(); AuthResponse authResponse = new(); try { //The authentication API will use the idToken from google and verify it. GoogleJsonWebSignature.ValidationSettings settings = new GoogleJsonWebSignature.ValidationSettings(); //Here goes the app google client ID settings.Audience = new List <string>() { "225689514544-qccdbtr164tekpjkgq0fn1f7630g2266.apps.googleusercontent.com" }; GoogleJsonWebSignature.Payload payload = GoogleJsonWebSignature.ValidateAsync(googleAuthRequest.Id_token, settings).Result; //***LOGIN*** //Revisa si el usuario figura en los registros de la base de datos, si es asi lo logea string hashCommonPassword = Encrypt.GetSHA256(_CommonPassSettings.Pass); bool existe = _context.Usuarios.Any(u => u.NombreUsuario == payload.Email && u.Clave == hashCommonPassword && u.Disabled.Equals(false)); if (existe) { //Then it creates an access token that grants access to the other APIs of your app. authRequest.NombreUsuario = payload.Email; authRequest.Clave = _CommonPassSettings.Pass; authResponse = await _authService.Authorize(authRequest); return(Ok(authResponse)); } //***REGISTRER...*** //Agregamos el usuario nuevo Usuario usuarioNuevo = new(); usuarioNuevo.NombreUsuario = payload.Email; usuarioNuevo.Clave = hashCommonPassword; usuarioNuevo.RolID = 1; //Corresponde al Cliente en la base de datos de Roles _context.Usuarios.Add(usuarioNuevo); _context.SaveChanges(); //Debería hacerse de forma asincrona, cambiar eso //Luego agregamos el cliente nuevo Cliente clienteNuevo = new(); clienteNuevo.Nombre = payload.GivenName; clienteNuevo.Apellido = payload.FamilyName; clienteNuevo.Telefono = 0; clienteNuevo.UsuarioID = usuarioNuevo.Id; _context.Clientes.Add(clienteNuevo); _context.SaveChanges(); //Debería hacerse de forma asincrona, cambiar eso //***...then LOGIN*** //Then it creates an access token that grants access to the other APIs of your app. authRequest.NombreUsuario = payload.Email; authRequest.Clave = _CommonPassSettings.Pass; authResponse = await _authService.Authorize(authRequest); return(Ok(authResponse)); } catch { Console.WriteLine("Error en GoogleAuth"); } return(StatusCode(500)); }
public async Task <IActionResult> SignInGoogle(GoogleIDToken googleIDToken) { if (string.IsNullOrEmpty(googleIDToken.Id_Token)) { this._logger.LogInformation(googleIDToken.Id_Token); return(BadRequest()); } var validationSettings = new GoogleJsonWebSignature.ValidationSettings(); validationSettings.Audience = new List <string> { _configuration["Authentication_Google_ClientId"] }; var result = await GoogleJsonWebSignature .ValidateAsync(googleIDToken.Id_Token, validationSettings); var isSignedUp = await this._userService.IsSignedUp(result.Email); if (isSignedUp) { var user = await this._userService.GetUserByEmail(result.Email); if (user == null) { return(NotFound(new { message = "User not found when sign in" })); } var authResult = await this._authenticationService.AuthenticateByUser(user); if (!authResult.Succeeded) { return(BadRequest(new { message = "User was not signed in" })); } return(Ok(new { redirectUrl = googleIDToken.returnUrl })); } else { var newUser = new User { Email = result.Email, Name = result.Name, UserName = result.Email.Split('@').First() }; await this._userService.Create(newUser); var user = await this._userService.GetUserByEmail(newUser.Email); if (user == null) { return(NotFound(new { message = "User was not found when sign in" })); } var authResult = await this._authenticationService.AuthenticateByUser(user); if (!authResult.Succeeded) { return(BadRequest(new { message = "It wasn't possible to sign in the user." })); } return(Ok(new { redirectUrl = googleIDToken.returnUrl })); } }
public async Task <IActionResult> AuthenticateGoogleSignin(ExternalLoginModel externalLoginModel) { GoogleJsonWebSignature.Payload payload; var provider = "google"; try { var validationSettings = new GoogleJsonWebSignature.ValidationSettings(); //{ Audience = new[] { "YOUR_CLIENT_ID" } }; payload = await GoogleJsonWebSignature .ValidateAsync(externalLoginModel.IdToken, validationSettings); var user = await GetOrCreateExternalLoginUser( "google", payload.Subject, payload.Email); var profilePicture = payload.Picture; /* * result = userMgr.AddClaimsAsync(bob, new Claim[]{ * new Claim(JwtClaimTypes.Name, "Bob Smith"), * new Claim(JwtClaimTypes.GivenName, "Bob"), * new Claim(JwtClaimTypes.FamilyName, "Smith"), * new Claim(JwtClaimTypes.WebSite, "http://bob.com"), * new Claim("location", "somewhere") * }).Result; */ // create custom claims for the user found from Google idToken var userRoleCustomClaim = new Claim("userRole", externalLoginModel.UserRole); var result = await _userManager.AddClaimAsync(user, userRoleCustomClaim); // get the new IdentityServer4 issued access token for the user var userSubscriptionToken = await _identityServerTools .IssueClientJwtAsync( clientId : "userSubscriptionClient", lifetime : 15, scopes : new[] { "userSubscription.read" }, audiences : new[] { "https://user.subscription.service/" }, additionalClaims : new List <Claim>() { userRoleCustomClaim }); var jwttoken = await _identityServerTools .IssueJwtAsync( lifetime : 15, claims : new List <Claim>() { userRoleCustomClaim }); return(Ok(new { access_token = "want_to_give_identity_server4_provided_token" })); } catch (Exception ex) { // Invalid token } return(BadRequest()); }