public override async Task GrantRefreshToken([NotNull] GrantRefreshTokenContext context)
        {
            var manager = context.HttpContext.RequestServices.GetRequiredService <OpenIddictManager <TUser, TApplication> >();
            var options = context.HttpContext.RequestServices.GetRequiredService <IOptions <IdentityOptions> >();

            // If the user manager doesn't support security
            // stamps, skip the default validation logic.
            if (!manager.SupportsUserSecurityStamp)
            {
                return;
            }

            var principal = context.AuthenticationTicket?.Principal;

            Debug.Assert(principal != null);

            var user = await manager.FindByIdAsync(principal.GetUserId());

            if (user == null)
            {
                context.Reject(
                    error: OpenIdConnectConstants.Errors.InvalidGrant,
                    description: "The refresh token is no longer valid.");

                return;
            }

            var identifier = principal.GetClaim(options.Value.ClaimsIdentity.SecurityStampClaimType);

            if (!string.IsNullOrEmpty(identifier) &&
                !string.Equals(identifier, await manager.GetSecurityStampAsync(user), StringComparison.Ordinal))
            {
                context.Reject(
                    error: OpenIdConnectConstants.Errors.InvalidGrant,
                    description: "The refresh token is no longer valid.");

                return;
            }

            // Note: the "scopes" property stored in context.AuthenticationTicket is automatically
            // updated by ASOS when the client application requests a restricted scopes collection.
            var identity = await manager.CreateIdentityAsync(user, context.AuthenticationTicket.GetScopes());

            Debug.Assert(identity != null);

            // Create a new authentication ticket holding the user identity but
            // reuse the authentication properties stored in the refresh token.
            var ticket = new AuthenticationTicket(
                new ClaimsPrincipal(identity),
                context.AuthenticationTicket.Properties,
                context.Options.AuthenticationScheme);

            context.Validate(ticket);
        }
        /// <summary>
        /// Grant a new access_token based on the current refresh_token. Here we couldvalidate whether the
        /// refresh token is still valid or revoked.
        /// </summary>
        public override async Task GrantRefreshToken(GrantRefreshTokenContext context)
        {
            var validator = new RefreshTokenValidator(
                context.Ticket.GetTicketId(),
                context.ClientId,
                context.Ticket.Principal.GetClaim(ClaimTypes.NameIdentifier));

            var result = await ExecuteMessage(context, validator);

            if (!result.Succeeded)
            {
                context.Reject(OpenIdConnectConstants.Errors.InvalidRequest, "Could not validate refresh_token.");
                return;
            }

            var principal = new ClaimsPrincipal(context.Ticket.Principal);
            var ticket    = CreateAuthenticationTicket(principal, context.Ticket.Properties, context.Options, context);

            context.Validate(ticket);
        }
예제 #3
0
        public override async Task GrantRefreshToken(GrantRefreshTokenContext context)
        {
            //_authService = (IAuthService)context.HttpContext.ApplicationServices.GetService(typeof(IAuthService));
            _authService = (IAuthService)context.HttpContext.RequestServices.GetService(typeof(IAuthService));
            string originalClient = string.Empty;

            context.Ticket.Properties.Items.TryGetValue("client_id", out originalClient);
            var currentClient = context.ClientId;

            if (originalClient != currentClient)
            {
                context.Reject("O Refresh token foi criado para outro client_id");
            }

            string username = string.Empty;

            context.Ticket.Properties.Items.TryGetValue("userName", out username);


            var user = await _authService.GetUsuarioEmail(username);

            var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);

            int casaId = await _authService.GetCasaSelecionada(user);

            //verifica se usuario esta bloqueado para aquela casa
            if (_authService.AcessoUsuarioBloqueado(user.Id, casaId))
            {
                //tenta obter acesso em outra casa
                int novaCasaSelec = _authService.TentaSelecOutraCasa(user.Id, casaId);

                if (novaCasaSelec == 0)
                {
                    context.Reject("O seu acesso foi bloqueado");
                    return;
                }

                casaId = novaCasaSelec;
            }

            foreach (var claim in _authService.GetClaims(user, casaId))
            {
                identity.AddClaim(claim.Type, claim.Value, "access_token", "id_token");
            }

            identity.AddClaim("casa", casaId.ToString(), "access_token", "id_token");

            identity.AddClaim(ClaimTypes.NameIdentifier, user.Id, "access_token", "id_token");

            identity.AddClaim(ClaimTypes.Name, user.UserName, "access_token", "id_token");


            var principal = new ClaimsPrincipal(identity);


            var newTicket = new AuthenticationTicket(principal,
                                                     context.Ticket.Properties,
                                                     OpenIdConnectServerDefaults.AuthenticationScheme);

            context.Validate(newTicket);
        }