public virtual object Clone()
{
return(new OAuthClient
{
ClientId = ClientId,
ClientNames = ClientNames == null ? new List <OAuthTranslation>() : ClientNames.Select(c => (OAuthTranslation)c.Clone()).ToList(),
ClientUris = ClientUris == null ? new List <OAuthTranslation>() : ClientUris.Select(c => (OAuthTranslation)c.Clone()).ToList(),
LogoUris = LogoUris == null ? new List <OAuthTranslation>() : LogoUris.Select(c => (OAuthTranslation)c.Clone()).ToList(),
PolicyUris = PolicyUris == null ? new List <OAuthTranslation>() : PolicyUris.Select(c => (OAuthTranslation)c.Clone()).ToList(),
TosUris = TosUris == null ? new List <OAuthTranslation>() : TosUris.Select(c => (OAuthTranslation)c.Clone()).ToList(),
CreateDateTime = CreateDateTime,
JwksUri = JwksUri,
RefreshTokenExpirationTimeInSeconds = RefreshTokenExpirationTimeInSeconds,
UpdateDateTime = UpdateDateTime,
TokenEndPointAuthMethod = TokenEndPointAuthMethod,
TokenExpirationTimeInSeconds = TokenExpirationTimeInSeconds,
Secrets = Secrets == null ? new List <ClientSecret>() : Secrets.Select(s => (ClientSecret)s.Clone()).ToList(),
AllowedScopes = AllowedScopes == null ? new List <OAuthScope>() : AllowedScopes.Select(s => (OAuthScope)s.Clone()).ToList(),
JsonWebKeys = JsonWebKeys == null ? new List <JsonWebKey>() : JsonWebKeys.Select(j => (JsonWebKey)j.Clone()).ToList(),
GrantTypes = GrantTypes.ToList(),
RedirectionUrls = RedirectionUrls.ToList(),
PreferredTokenProfile = PreferredTokenProfile,
TokenEncryptedResponseAlg = TokenEncryptedResponseAlg,
TokenEncryptedResponseEnc = TokenEncryptedResponseEnc,
TokenSignedResponseAlg = TokenSignedResponseAlg,
ResponseTypes = ResponseTypes.ToList(),
Contacts = Contacts.ToList(),
SoftwareId = SoftwareId,
SoftwareVersion = SoftwareVersion,
PostLogoutRedirectUris = PostLogoutRedirectUris.ToList()
});
}
public async Task allow_refresh_an_accessToken_from_refresh_token()
{
var server = new TestServerBuilder()
.WithSuccessAuthentication()
.WithInMemoryStore()
.Build();
var client = server.CreateClient();
var response = await client.PostAsync("/token", GrantTypes.APasswordGrantType());
response.EnsureSuccessStatusCode();
var tokenResponse = await ReadRequestResponseToJwtTokenResponse(response);
response = await client.PostAsync("/token", GrantTypes.ARefreshTokenGranType(tokenResponse.RefreshToken));
response.EnsureSuccessStatusCode();
var refreshTokenResponse = await ReadRequestResponseToJwtTokenResponse(response);
refreshTokenResponse.AccessToken.Should().NotBeEmpty();
refreshTokenResponse.RefreshToken.Should().NotBeEmpty();
refreshTokenResponse.AccessToken.Should().NotBe(tokenResponse.AccessToken);
refreshTokenResponse.RefreshToken.Should().NotBe(tokenResponse.RefreshToken);
}
public static IEnumerable <Client> GetClients(IConfigurationSection section)
{
var clients = new List <Client>();
List <ClientConfig> configs = new List <ClientConfig>();
section.Bind("Clients", configs);
foreach (var config in configs)
{
Client client = new Client();
client.ClientId = config.ClientId;
List <Secret> clientSecrets = new List <Secret>();
foreach (var secret in config.ClientSecrets)
{
clientSecrets.Add(new Secret(secret.Sha256()));
}
client.ClientSecrets = clientSecrets.ToArray();
GrantTypes grantTypes = new GrantTypes();
var allowedGrantTypes = grantTypes.GetType().GetProperty(config.AllowedGrantTypes);
client.AllowedGrantTypes = allowedGrantTypes == null ?
GrantTypes.ClientCredentials : (ICollection <string>)allowedGrantTypes.GetValue(grantTypes, null);
client.AllowedScopes.Add(IdentityServerConstants.StandardScopes.OpenId);
client.AllowedScopes.Add(IdentityServerConstants.StandardScopes.Profile);
config.AllowedScopes?.Any(a => { client.AllowedScopes.Add(a); return(false); });
clients.Add(client);
}
return(clients);
}
public static IEnumerable <Client> Get()
{
//var redirectUri = "http://localhost:5002";
var redirectUri = "https://fletnix.azurewebsites.net";
return(new List <Client> {
new Client {
ClientId = "fletnix",
ClientSecrets = new List <Secret> {
new Secret("secret".Sha256())
},
ClientName = "Fletnix totally not a copy of netflix...",
AllowedGrantTypes = GrantTypes.List(
GrantType.Implicit,
GrantType.ClientCredentials),
RequireConsent = false,
AllowAccessTokensViaBrowser = true,
AllowedScopes = new List <string>
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.Email,
"role"
},
RedirectUris = new List <string> {
redirectUri + "/signin-oidc"
},
PostLogoutRedirectUris = new List <string> {
redirectUri
}
}
});
}
//Clientes, quem pode se conectar ao Identity Server, nesse caso, o app do Ionic
public static IEnumerable <Client> GetClients()
{
return(new List <Client>
{
new Client
{
ClientId = "jarbasApp",
ClientSecrets =
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.List(new [] { GrantType.ResourceOwnerPassword, "googleAuth" }),
AllowedScopes = { "jarbasApi", "offline_access" },
AllowOfflineAccess = true,
RefreshTokenUsage = TokenUsage.ReUse,
RefreshTokenExpiration = TokenExpiration.Sliding,
SlidingRefreshTokenLifetime = 60 * 60 * 24 * 7,
AccessTokenLifetime = 60 * 60 * 24 * 1,
AllowedCorsOrigins = { "http://localhost:8100" }
},
new Client
{
ClientId = "script",
ClientSecrets =
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.ClientCredentials,
AllowedScopes = { "jarbasApi" },
AccessTokenLifetime = 60 * 60 * 24 * 1,
AllowedCorsOrigins = { "http://localhost:80" }
}
});
}
/// <summary>
/// Define trusted Client client
/// </summary>
/// <returns></returns>
public static IEnumerable <Client> GetClients(IConfigurationSection section)
{
List <Client> clients = new List <Client>();
if (section != null)
{
List <ClientConfig> configs = new List <ClientConfig>();
section.Bind("Clients", configs);
foreach (var config in configs)
{
Client client = new Client();
client.ClientId = config.ClientId;
List <Secret> clientSecrets = new List <Secret>();
foreach (var secret in config.ClientSecrets)
{
clientSecrets.Add(new Secret(secret.Sha256()));
}
client.ClientSecrets = clientSecrets.ToArray();
GrantTypes grantTypes = new GrantTypes();
var allowedGrantTypes = grantTypes.GetType().GetProperty(config.AllowedGrantTypes);
client.AllowedGrantTypes = allowedGrantTypes == null ?
GrantTypes.ClientCredentials : (ICollection <string>)allowedGrantTypes.GetValue(grantTypes, null);
client.AllowedScopes = config.AllowedScopes.ToArray();
clients.Add(client);
}
}
return(clients.ToArray());
}
public void custom_and_forbidden_grant_type_combinations_should_throw(string type1, string type2)
{
var client = new Client();
Action act = () => client.AllowedGrantTypes = GrantTypes.List("custom1", type2, "custom2", type1);
act.ShouldThrow <InvalidOperationException>();
}
public void duplicate_values_should_throw()
{
var client = new Client();
Action act = () => client.AllowedGrantTypes = GrantTypes.List("custom1", "custom2", "custom1");
act.ShouldThrow <InvalidOperationException>();
}
public void empty_grant_type_list_should_throw_single()
{
var client = new Client();
Action act = () => client.AllowedGrantTypes = GrantTypes.List();
act.ShouldThrow <InvalidOperationException>();
}
public void grant_type_with_space_should_throw_single()
{
var client = new Client();
Action act = () => client.AllowedGrantTypes = GrantTypes.List("custo m2");
act.ShouldThrow <InvalidOperationException>();
}
// Clients want to access resources.
public static IEnumerable <Client> GetClients(int accessTokenLifetime, int refreshTokenLifetime)
{
// Clients credentials.
return(new List <Client>
{
// Local authentication client
new Client
{
ClientId = "coraltimeapp",
AllowedGrantTypes = GrantTypes.ResourceOwnerPassword, // Resource Owner Password Credential grant.
AllowAccessTokensViaBrowser = true,
//AlwaysIncludeUserClaimsInIdToken = true, // Include claims in token
RequireClientSecret = false, // This client does not need a secret to request tokens from the token endpoint.
AccessTokenLifetime = accessTokenLifetime,
AbsoluteRefreshTokenLifetime = refreshTokenLifetime,
RefreshTokenExpiration = TokenExpiration.Absolute,
RefreshTokenUsage = TokenUsage.OneTimeOnly,
AllowedScopes =
{
IdentityServerConstants.StandardScopes.OpenId, // For UserInfo endpoint.
IdentityServerConstants.StandardScopes.Profile,
"roles",
"WebAPI"
},
AllowOfflineAccess = true, // For refresh token.
},
// Authentication client for Azure AD
new Client
{
ClientId = "coraltimeazure",
RequireClientSecret = false, // This client does not need a secret to request tokens from the token endpoint.
//ClientSecrets =
//{
// new Secret("secret".Sha256())
//},
AllowedGrantTypes = GrantTypes.List("azureAuth"),
AllowedScopes =
{
IdentityServerConstants.StandardScopes.OpenId, // For UserInfo endpoint.
IdentityServerConstants.StandardScopes.Profile,
"roles",
"WebAPI"
},
AccessTokenLifetime = accessTokenLifetime,
AbsoluteRefreshTokenLifetime = refreshTokenLifetime,
RefreshTokenExpiration = TokenExpiration.Absolute,
RefreshTokenUsage = TokenUsage.OneTimeOnly,
AllowOfflineAccess = true
}
});
}
public async Task reject_invalid_grant_type()
{
var server = new TestServerBuilder()
.WithSuccessAuthentication()
.Build();
var response = await server.CreateClient().PostAsync("/token", GrantTypes.AnInvalidGrantType());
var content = await response.Content.ReadAsStringAsync();
content.Should().Be(ServerMessages.InvalidGrantType);
response.StatusCode.Should().Be(StatusCodes.Status400BadRequest);
}
public override object Clone()
{
return(new OpenIdClient
{
ClientId = ClientId,
ClientNames = ClientNames == null ? new List <OAuthTranslation>() : ClientNames.Select(c => (OAuthTranslation)c.Clone()).ToList(),
ClientUris = ClientUris == null ? new List <OAuthTranslation>() : ClientUris.Select(c => (OAuthTranslation)c.Clone()).ToList(),
LogoUris = LogoUris == null ? new List <OAuthTranslation>() : LogoUris.Select(c => (OAuthTranslation)c.Clone()).ToList(),
PolicyUris = PolicyUris == null ? new List <OAuthTranslation>() : PolicyUris.Select(c => (OAuthTranslation)c.Clone()).ToList(),
TosUris = TosUris == null ? new List <OAuthTranslation>() : TosUris.Select(c => (OAuthTranslation)c.Clone()).ToList(),
CreateDateTime = CreateDateTime,
JwksUri = JwksUri,
RefreshTokenExpirationTimeInSeconds = RefreshTokenExpirationTimeInSeconds,
UpdateDateTime = UpdateDateTime,
TokenEndPointAuthMethod = TokenEndPointAuthMethod,
TokenExpirationTimeInSeconds = TokenExpirationTimeInSeconds,
Secrets = Secrets == null ? new List <ClientSecret>() : Secrets.Select(s => (ClientSecret)s.Clone()).ToList(),
AllowedScopes = AllowedScopes == null ? new List <OpenIdScope>() : AllowedScopes.Select(s => (OpenIdScope)s.Clone()).ToList(),
JsonWebKeys = JsonWebKeys == null ? new List <JsonWebKey>() : JsonWebKeys.Select(j => (JsonWebKey)j.Clone()).ToList(),
GrantTypes = GrantTypes.ToList(),
RedirectionUrls = RedirectionUrls.ToList(),
PreferredTokenProfile = PreferredTokenProfile,
TokenEncryptedResponseAlg = TokenEncryptedResponseAlg,
TokenEncryptedResponseEnc = TokenEncryptedResponseEnc,
TokenSignedResponseAlg = TokenSignedResponseAlg,
ResponseTypes = ResponseTypes.ToList(),
Contacts = Contacts.ToList(),
SoftwareId = SoftwareId,
SoftwareVersion = SoftwareVersion,
ApplicationType = ApplicationType,
DefaultAcrValues = DefaultAcrValues.ToList(),
DefaultMaxAge = DefaultMaxAge,
IdTokenEncryptedResponseAlg = IdTokenEncryptedResponseAlg,
IdTokenEncryptedResponseEnc = IdTokenEncryptedResponseEnc,
IdTokenSignedResponseAlg = IdTokenSignedResponseAlg,
PairWiseIdentifierSalt = PairWiseIdentifierSalt,
RequestObjectEncryptionAlg = RequestObjectEncryptionAlg,
RequestObjectEncryptionEnc = RequestObjectEncryptionEnc,
RequestObjectSigningAlg = RequestObjectSigningAlg,
RequireAuthTime = RequireAuthTime,
SectorIdentifierUri = SectorIdentifierUri,
SubjectType = SubjectType,
UserInfoEncryptedResponseAlg = UserInfoEncryptedResponseAlg,
UserInfoEncryptedResponseEnc = UserInfoEncryptedResponseEnc,
UserInfoSignedResponseAlg = UserInfoSignedResponseAlg,
RegistrationAccessToken = RegistrationAccessToken,
PostLogoutRedirectUris = PostLogoutRedirectUris,
InitiateLoginUri = InitiateLoginUri
});
}
public AccessTokenV2 Token(GrantTypes type, NameValueCollection nvc)
{
string result = null;
var error = "unknown";
try
{
// var hvc = HttpUtility.ParseQueryString(string.Empty);
// foreach (string key in nvc.Keys) hvc.Add(key, nvc[key]);
/// var query = "grant_type=" + type + "&" + hvc.ToString();
var query = String.Join("&", nvc.AllKeys.Select(a => a + "=" + HttpUtility.UrlEncode(nvc[a])));
query = "grant_type=" + type + "&" + query;
result = this.HttpPostBasicAuth(this.Settings.EndPointToken, query);
}
catch (Exception ex)
{
Console.WriteLine(ex);
error = ex.Message;
}
if (null == result)
{
return new AccessTokenV2()
{
error = error
}
}
;
AccessTokenV2 token = new AccessTokenV2();
// Homebrew Json deserialization, made in China, by marstone
var pairs = result.Trim(new char[] { ' ', '{', '}' }).Split(',');
var dict = pairs.ToDictionary <string, string>(p => p.Substring(0, p.IndexOf(":")).Trim().Trim(new char[] { ':' }));
foreach (var key in dict.Keys)
{
foreach (var prop in typeof(AccessTokenV2).GetProperties())
{
if (prop.Name == key.Trim(new [] { '"' }))
{
object val = dict[key].Substring(dict[key].IndexOf(":") + 1).Trim().Trim(new char[] { ':', '"' });
if (prop.PropertyType == typeof(int))
{
val = int.Parse((string)val);
}
prop.SetValue(token, val, null);
}
}
}
return(token);
}
public async Task <ClientEditModelCollectionView> Query(ClientQuery query)
{
if (query.Id != null)
{
var client = await Get(query.Id.Value);
if (client == null)
{
return(new ClientEditModelCollectionView(query, 0, Enumerable.Empty <ClientEditModel>()));
}
return(new ClientEditModelCollectionView(query, 1, new ClientEditModel[] { client }));
}
//Don't want secrets here
IQueryable <Client> clients = configDb.Clients
.Include(i => i.RedirectUris)
.Include(i => i.AllowedScopes);
if (!String.IsNullOrEmpty(query.ClientId))
{
clients = clients.Where(i => EF.Functions.Like(i.ClientId, $"%{query.ClientId}%"));
}
if (query.GrantTypes != null)
{
GrantTypes grantTypes = 0;
foreach (var i in query.GrantTypes)
{
grantTypes |= i;
}
clients = clients.Where(i => (i.AllowedGrantTypes & grantTypes) != 0);
}
if (query.HasMissingOrDefaultSecret == true)
{
var hash = appConfig.DefaultSecret.Sha256();
clients = clients.Where(i => !i.ClientSecrets.Any() || i.ClientSecrets.Where(j => j.Secret == hash).Any());
}
int total = await clients.CountAsync();
clients = clients.OrderBy(i => i.ClientId);
var results = clients.Skip(query.SkipTo(total)).Take(query.Limit);
var items = await results.Select(c => mapper.Map <ClientEditModel>(c)).ToListAsync();
return(new ClientEditModelCollectionView(query, total, items));
}
public async Task return_a_valid_jwt_token_when_grant_type_password()
{
var server = new TestServerBuilder()
.WithSuccessAuthentication()
.Build();
var response = await server.CreateClient().PostAsync("/token", GrantTypes.APasswordGrantType());
response.EnsureSuccessStatusCode();
var content = await response.Content.ReadAsStringAsync();
var jwtTokenResponse = JsonConvert.DeserializeObject <JwtTokenResponse>(content);
jwtTokenResponse.Should().NotBeNull();
jwtTokenResponse.AccessToken.Should().NotBeNull();
jwtTokenResponse.ExpiresIn.Should().BeGreaterThan(0);
}
public async Task allow_invoking_authorized_controller_with_a_token()
{
var server = new TestServerBuilder()
.WithSuccessAuthentication()
.Build();
var client = server.CreateClient();
var response = await client.PostAsync("/token", GrantTypes.APasswordGrantType());
response.EnsureSuccessStatusCode();
var content = await response.Content.ReadAsStringAsync();
var jwtTokenResponse = JsonConvert.DeserializeObject <JwtTokenResponse>(content);
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", jwtTokenResponse.AccessToken);
response = await client.GetAsync("/api/test");
response.EnsureSuccessStatusCode();
}
public override void validate()
{
if (RedirectUris != null && ResponseTypes != null && RedirectUris.Count != ResponseTypes.Count)
{
throw new OIDCException("The redirect_uris do not match response_types.");
}
if (RedirectUris != null && SectorIdentifierUri != null)
{
List <string> siUris = new List <string>();
dynamic uris = OpenIdRelyingParty.GetUrlContent(WebRequest.Create(SectorIdentifierUri));
foreach (string uri in uris)
{
siUris.Add(uri);
}
foreach (string uri in RedirectUris)
{
if (!siUris.Contains(uri))
{
throw new OIDCException("The sector_identifier_uri json must include URIs from the redirect_uri array.");
}
}
}
if (ResponseTypes != null && GrantTypes != null)
{
foreach (string responseType in ResponseTypes)
{
if ((responseType == "code" && !GrantTypes.Contains("authorization_code")) ||
(responseType == "id_token" && !GrantTypes.Contains("implicit")) ||
(responseType == "token" && !GrantTypes.Contains("implicit")) ||
(responseType == "id_token" && !GrantTypes.Contains("implicit")))
{
throw new OIDCException("The response_types do not match grant_types.");
}
}
}
}
public object Clone()
{
return(new OAuthClient
{
ClientId = ClientId,
Translations = Translations == null ? new List <OAuthClientTranslation>() : Translations.Select(t => (OAuthClientTranslation)t.Clone()).ToList(),
CreateDateTime = CreateDateTime,
JwksUri = JwksUri,
RefreshTokenExpirationTimeInSeconds = RefreshTokenExpirationTimeInSeconds,
UpdateDateTime = UpdateDateTime,
TokenEndPointAuthMethod = TokenEndPointAuthMethod,
TokenExpirationTimeInSeconds = TokenExpirationTimeInSeconds,
ClientSecret = ClientSecret,
ClientSecretExpirationTime = ClientSecretExpirationTime,
AllowedScopes = AllowedScopes == null ? new List <OAuthScope>() : AllowedScopes.Select(s => (OAuthScope)s.Clone()).ToList(),
JsonWebKeys = JsonWebKeys == null ? new List <JsonWebKey>() : JsonWebKeys.Select(j => (JsonWebKey)j.Clone()).ToList(),
GrantTypes = GrantTypes.ToList(),
RedirectionUrls = RedirectionUrls.ToList(),
PreferredTokenProfile = PreferredTokenProfile,
TokenEncryptedResponseAlg = TokenEncryptedResponseAlg,
TokenEncryptedResponseEnc = TokenEncryptedResponseEnc,
TokenSignedResponseAlg = TokenSignedResponseAlg,
ResponseTypes = ResponseTypes.ToList(),
Contacts = Contacts.ToList(),
SoftwareId = SoftwareId,
SoftwareVersion = SoftwareVersion,
RegistrationAccessToken = RegistrationAccessToken,
PostLogoutRedirectUris = PostLogoutRedirectUris.ToList(),
TlsClientAuthSanDNS = TlsClientAuthSanDNS,
TlsClientAuthSanEmail = TlsClientAuthSanEmail,
TlsClientAuthSanIP = TlsClientAuthSanIP,
TlsClientAuthSanURI = TlsClientAuthSanURI,
TlsClientAuthSubjectDN = TlsClientAuthSubjectDN,
TlsClientCertificateBoundAccessToken = TlsClientCertificateBoundAccessToken
});
}
public static IEnumerable <Client> GetClients()
{
return(new List <Client>
{
new Client
{
ClientId = "google",
ClientSecrets =
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.List("googleAuth"),
AllowedScopes =
{
"offline_access",
"api1"
}
},
new Client
{
ClientId = "resourceOwner",
ClientSecrets =
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
AllowedScopes =
{
"offline_access",
"api1"
}
}
});
}
public bool ShouldSerializeGrantTypes()
{
return(GrantTypes.Any());
}
public static IEnumerable <Client> Get()
{
return(new List <Client>
{
///////////////////////////////////////////
// Console Client Credentials Flow Sample
//////////////////////////////////////////
new Client
{
ClientId = "client",
ClientSecrets =
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.ClientCredentials,
AllowedScopes = { "api1", "api2.read_only" },
},
///////////////////////////////////////////
// Console Client Credentials Flow with client JWT assertion
//////////////////////////////////////////
new Client
{
ClientId = "client.jwt",
ClientSecrets =
{
new Secret
{
Type = IdentityServerConstants.SecretTypes.X509CertificateBase64,
Value = "MIIDATCCAe2gAwIBAgIQoHUYAquk9rBJcq8W+F0FAzAJBgUrDgMCHQUAMBIxEDAOBgNVBAMTB0RldlJvb3QwHhcNMTAwMTIwMjMwMDAwWhcNMjAwMTIwMjMwMDAwWjARMQ8wDQYDVQQDEwZDbGllbnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSaY4x1eXqjHF1iXQcF3pbFrIbmNw19w/IdOQxbavmuPbhY7jX0IORu/GQiHjmhqWt8F4G7KGLhXLC1j7rXdDmxXRyVJBZBTEaSYukuX7zGeUXscdpgODLQVay/0hUGz54aDZPAhtBHaYbog+yH10sCXgV1Mxtzx3dGelA6pPwiAmXwFxjJ1HGsS/hdbt+vgXhdlzud3ZSfyI/TJAnFeKxsmbJUyqMfoBl1zFKG4MOvgHhBjekp+r8gYNGknMYu9JDFr1ue0wylaw9UwG8ZXAkYmYbn2wN/CpJl3gJgX42/9g87uLvtVAmz5L+rZQTlS1ibv54ScR2lcRpGQiQav/LAgMBAAGjXDBaMBMGA1UdJQQMMAoGCCsGAQUFBwMCMEMGA1UdAQQ8MDqAENIWANpX5DZ3bX3WvoDfy0GhFDASMRAwDgYDVQQDEwdEZXZSb290ghAsWTt7E82DjU1E1p427Qj2MAkGBSsOAwIdBQADggEBADLje0qbqGVPaZHINLn+WSM2czZk0b5NG80btp7arjgDYoWBIe2TSOkkApTRhLPfmZTsaiI3Ro/64q+Dk3z3Kt7w+grHqu5nYhsn7xQFAQUf3y2KcJnRdIEk0jrLM4vgIzYdXsoC6YO+9QnlkNqcN36Y8IpSVSTda6gRKvGXiAhu42e2Qey/WNMFOL+YzMXGt/nDHL/qRKsuXBOarIb++43DV3YnxGTx22llhOnPpuZ9/gnNY7KLjODaiEciKhaKqt/b57mTEz4jTF4kIg6BP03MUfDXeVlM1Qf1jB43G2QQ19n5lUiqTpmQkcfLfyci2uBZ8BkOhXr3Vk9HIk/xBXQ="
}
},
AllowedGrantTypes = GrantTypes.ClientCredentials,
AllowedScopes = { "api1", "api2.read_only" }
},
///////////////////////////////////////////
// Custom Grant Sample
//////////////////////////////////////////
new Client
{
ClientId = "client.custom",
ClientSecrets =
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.List("custom"),
AllowedScopes = { "api1", "api2.read_only" }
},
///////////////////////////////////////////
// Console Resource Owner Flow Sample
//////////////////////////////////////////
new Client
{
ClientId = "roclient",
ClientSecrets =
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
AllowOfflineAccess = true,
AllowedScopes =
{
IdentityServerConstants.StandardScopes.OpenId,
"custom.profile",
"api1", "api2.read_only"
}
},
///////////////////////////////////////////
// Console Public Resource Owner Flow Sample
//////////////////////////////////////////
new Client
{
ClientId = "roclient.public",
RequireClientSecret = false,
AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
AllowOfflineAccess = true,
AllowedScopes =
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Email,
"api1", "api2.read_only"
}
},
///////////////////////////////////////////
// Console Hybrid with PKCE Sample
//////////////////////////////////////////
new Client
{
ClientId = "console.hybrid.pkce",
ClientName = "Console Hybrid with PKCE Sample",
RequireClientSecret = false,
AllowedGrantTypes = GrantTypes.Hybrid,
RequirePkce = true,
RedirectUris = { "http://127.0.0.1:7890/" },
AllowOfflineAccess = true,
AllowedScopes =
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.Email,
"api1", "api2.read_only",
},
},
///////////////////////////////////////////
// Introspection Client Sample
//////////////////////////////////////////
new Client
{
ClientId = "roclient.reference",
ClientSecrets =
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
AllowedScopes = { "api1", "api2.read_only" },
AccessTokenType = AccessTokenType.Reference
},
///////////////////////////////////////////
// MVC Implicit Flow Samples
//////////////////////////////////////////
new Client
{
ClientId = "mvc.implicit",
ClientName = "MVC Implicit",
ClientUri = "http://identityserver.io",
AllowedGrantTypes = GrantTypes.Implicit,
AllowAccessTokensViaBrowser = true,
RedirectUris = { "http://localhost:44077/signin-oidc" },
LogoutUri = "http://localhost:44077/signout-oidc",
PostLogoutRedirectUris = { "http://localhost:44077/signout-callback-oidc" },
AllowedScopes =
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.Email,
"api1", "api2.read_only"
},
},
///////////////////////////////////////////
// MVC Manual Implicit Flow Sample
//////////////////////////////////////////
new Client
{
ClientId = "mvc.manual",
ClientName = "MVC Manual",
ClientUri = "http://identityserver.io",
AllowedGrantTypes = GrantTypes.Implicit,
RedirectUris = { "http://localhost:44077/home/callback" },
LogoutUri = "http://localhost:44077/signout-oidc",
PostLogoutRedirectUris = { "http://localhost:44077/" },
AllowedScopes = { IdentityServerConstants.StandardScopes.OpenId },
},
///////////////////////////////////////////
// MVC Hybrid Flow Samples
//////////////////////////////////////////
new Client
{
ClientId = "mvc.hybrid",
ClientName = "MVC Hybrid",
ClientUri = "http://identityserver.io",
ClientSecrets =
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.Hybrid,
AllowAccessTokensViaBrowser = false,
RedirectUris = { "http://localhost:21402/signin-oidc" },
LogoutUri = "http://localhost:21402/signout-oidc",
PostLogoutRedirectUris = { "http://localhost:21402/signout-callback-oidc" },
AllowOfflineAccess = true,
AllowedScopes =
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.Email,
"api1", "api2.read_only",
},
},
///////////////////////////////////////////
// JS OAuth 2.0 Sample
//////////////////////////////////////////
new Client
{
ClientId = "js_oauth",
ClientName = "JavaScript OAuth 2.0 Client",
ClientUri = "http://identityserver.io",
AllowedGrantTypes = GrantTypes.Implicit,
AllowAccessTokensViaBrowser = true,
RedirectUris = { "http://localhost:28895/index.html" },
AllowedScopes = { "api1", "api2.read_only" },
},
///////////////////////////////////////////
// JS OIDC Sample
//////////////////////////////////////////
new Client
{
ClientId = "js_oidc",
ClientName = "JavaScript OIDC Client",
ClientUri = "http://identityserver.io",
AllowedGrantTypes = GrantTypes.Implicit,
AllowAccessTokensViaBrowser = true,
RequireClientSecret = false,
AccessTokenType = AccessTokenType.Reference,
RedirectUris =
{
"http://localhost:7017/index.html",
"http://localhost:7017/callback.html",
"http://localhost:7017/silent.html",
"http://localhost:7017/popup.html",
},
PostLogoutRedirectUris = { "http://localhost:7017/index.html" },
AllowedCorsOrigins = { "http://localhost:7017" },
AllowedScopes =
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.Email,
"api1", "api2.read_only"
},
},
});
}
public static IEnumerable <Client> Get()
{
return(new List <Client>
{
///////////////////////////////////////////
// Console Client Credentials Flow Sample
//////////////////////////////////////////
new Client
{
ClientId = "client",
ClientSecrets = new List <Secret>
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.ClientCredentials,
AllowedScopes = new List <string>
{
"api1", "api2"
}
},
///////////////////////////////////////////
// Console Resource Owner Flow Sample
//////////////////////////////////////////
new Client
{
ClientId = "roclient",
ClientSecrets = new List <Secret>
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
AllowedScopes = new List <string>
{
StandardScopes.OpenId.Name,
StandardScopes.Email.Name,
StandardScopes.OfflineAccess.Name,
StandardScopes.Address.Name,
"api1", "api2"
}
},
/////////////////////////////////////////
// Console Custom Grant Flow Sample
////////////////////////////////////////
new Client
{
ClientId = "client.custom",
ClientSecrets = new List <Secret>
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.List("custom"),
AllowedScopes = new List <string>
{
"api1", "api2"
}
},
///////////////////////////////////////////
// Introspection Client Sample
//////////////////////////////////////////
new Client
{
ClientId = "roclient.reference",
ClientSecrets = new List <Secret>
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
AllowedScopes = new List <string>
{
"api1", "api2"
},
AccessTokenType = AccessTokenType.Reference
},
});
}
private static string GetGrantTypeName(string grantType) => GrantTypes.GetGrantTypeName(grantType);
public static IEnumerable <Client> Get()
{
return(new List <Client>
{
///////////////////////////////////////////
// Console Client Credentials Flow Sample
//////////////////////////////////////////
new Client
{
ClientId = "client",
ClientSecrets =
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.ClientCredentials,
AllowedScopes =
{
"api1", "api2"
}
},
new Client
{
ClientId = "client.identityscopes",
ClientSecrets =
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.ClientCredentials,
AllowedScopes =
{
"openid", "profile",
"api1", "api2"
}
},
new Client
{
ClientId = "client.no_default_scopes",
ClientSecrets =
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.ClientCredentials,
AllowAccessToAllScopes = true
},
///////////////////////////////////////////
// Console Resource Owner Flow Sample
//////////////////////////////////////////
new Client
{
ClientId = "roclient",
ClientSecrets =
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
AllowOfflineAccess = true,
AllowedScopes =
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Email,
IdentityServerConstants.StandardScopes.Address,
"roles",
"api1", "api2", "api4.with.roles"
}
},
/////////////////////////////////////////
// Console Custom Grant Flow Sample
////////////////////////////////////////
new Client
{
ClientId = "client.custom",
ClientSecrets =
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.List("custom"),
AllowedScopes =
{
"api1", "api2"
}
},
///////////////////////////////////////////
// Introspection Client Sample
//////////////////////////////////////////
new Client
{
ClientId = "roclient.reference",
ClientSecrets =
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
AllowOfflineAccess = true,
AllowedScopes =
{
"api1", "api2"
},
AccessTokenType = AccessTokenType.Reference
},
new Client
{
ClientName = "Client with Base64 encoded X509 Certificate",
ClientId = "certificate_base64_valid",
Enabled = true,
ClientSecrets =
{
new Secret
{
Type = IdentityServerConstants.SecretTypes.X509CertificateBase64,
Value = Convert.ToBase64String(TestCert.Load().Export(X509ContentType.Cert))
}
},
AllowedGrantTypes = GrantTypes.ClientCredentials,
AllowedScopes = new List <string>
{
"api1", "api2"
},
},
});
}
public static IEnumerable <Client> Get()
{
return(new List <Client>
{
///////////////////////////////////////////
// Console Client Credentials Flow Sample
//////////////////////////////////////////
new Client
{
ClientId = "client",
ClientSecrets = new List <Secret>
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.ClientCredentials,
AllowedScopes = new List <string>
{
"api1", "api2"
}
},
///////////////////////////////////////////
// Custom Grant Sample
//////////////////////////////////////////
new Client
{
ClientId = "client.custom",
ClientSecrets = new List <Secret>
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.List("custom"),
AllowedScopes = new List <string>
{
"api1", "api2"
}
},
///////////////////////////////////////////
// Console Resource Owner Flow Sample
//////////////////////////////////////////
new Client
{
ClientId = "roclient",
ClientSecrets = new List <Secret>
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
AllowedScopes = new List <string>
{
StandardScopes.OpenId.Name,
StandardScopes.Email.Name,
StandardScopes.OfflineAccess.Name,
"api1", "api2"
}
},
///////////////////////////////////////////
// Introspection Client Sample
//////////////////////////////////////////
new Client
{
ClientId = "roclient.reference",
ClientSecrets = new List <Secret>
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
AllowedScopes = new List <string>
{
"api1", "api2"
},
AccessTokenType = AccessTokenType.Reference
},
///////////////////////////////////////////
// MVC Implicit Flow Samples
//////////////////////////////////////////
new Client
{
ClientId = "mvc.implicit",
ClientName = "MVC Implicit",
ClientUri = "http://identityserver.io",
AllowedGrantTypes = GrantTypes.Implicit,
AllowAccessTokensViaBrowser = true,
RedirectUris = new List <string>
{
"http://localhost:44077/signin-oidc"
},
PostLogoutRedirectUris = new List <string>
{
"http://localhost:44077/"
},
LogoutUri = "http://localhost:44077/signout-oidc",
AllowedScopes = new List <string>
{
StandardScopes.OpenId.Name,
StandardScopes.Profile.Name,
StandardScopes.Email.Name,
StandardScopes.Roles.Name,
"api1", "api2"
},
},
///////////////////////////////////////////
// MVC Hybrid Flow Samples
//////////////////////////////////////////
new Client
{
ClientId = "mvc.hybrid",
ClientName = "MVC Hybrid",
ClientSecrets = new List <Secret>
{
new Secret("secret".Sha256())
},
ClientUri = "http://identityserver.io",
AllowedGrantTypes = GrantTypes.Hybrid,
AllowAccessTokensViaBrowser = false,
RedirectUris = new List <string>
{
"http://localhost:21402/signin-oidc"
},
PostLogoutRedirectUris = new List <string>
{
"http://localhost:21402/"
},
LogoutUri = "http://localhost:21402/signout-oidc",
AllowedScopes = new List <string>
{
StandardScopes.OpenId.Name,
StandardScopes.Profile.Name,
StandardScopes.Email.Name,
StandardScopes.Roles.Name,
StandardScopes.OfflineAccess.Name,
"api1", "api2",
},
},
///////////////////////////////////////////
// JS OAuth 2.0 Sample
//////////////////////////////////////////
new Client
{
ClientId = "js_oauth",
ClientName = "JavaScript OAuth 2.0 Client",
ClientUri = "http://identityserver.io",
AllowedGrantTypes = GrantTypes.Implicit,
AllowAccessTokensViaBrowser = true,
RedirectUris = new List <string>
{
"http://localhost:28895/index.html"
},
AllowedScopes = new List <string>
{
"api1", "api2"
},
},
///////////////////////////////////////////
// JS OIDC Sample
//////////////////////////////////////////
new Client
{
ClientId = "js_oidc",
ClientName = "JavaScript OIDC Client",
ClientUri = "http://identityserver.io",
AllowedGrantTypes = GrantTypes.Implicit,
AllowAccessTokensViaBrowser = true,
RedirectUris = new List <string>
{
"http://localhost:7017/index.html",
"http://localhost:7017/silent_renew.html",
},
PostLogoutRedirectUris = new List <string>
{
"http://localhost:7017/index.html",
},
AllowedCorsOrigins = new List <string>
{
"http://localhost:7017"
},
AllowedScopes = new List <string>
{
StandardScopes.OpenId.Name,
StandardScopes.Profile.Name,
StandardScopes.Email.Name,
StandardScopes.Roles.Name,
"api1", "api2"
},
},
});
}
/// <summary>
/// <see cref="OIDClientSerializableMessage.Validate()"/>
/// </summary>
public override void Validate()
{
if (RedirectUris != null && ResponseTypes != null && RedirectUris.Count != ResponseTypes.Count)
{
throw new OIDCException("The redirect_uris do not match response_types.");
}
if (RedirectUris != null && SectorIdentifierUri != null)
{
List <string> siUris = new List <string>();
dynamic uris = WebOperations.GetUrlContent(WebRequest.Create(SectorIdentifierUri));
foreach (string uri in uris)
{
siUris.Add(uri);
}
foreach (string uri in RedirectUris)
{
if (!siUris.Contains(uri))
{
throw new OIDCException("The sector_identifier_uri json must include URIs from the redirect_uri array.");
}
}
}
if (ResponseTypes != null && GrantTypes != null)
{
foreach (ResponseType responseType in ResponseTypes)
{
if ((responseType == ResponseType.Code && !GrantTypes.Contains("authorization_code")) ||
(responseType == ResponseType.IdToken && !GrantTypes.Contains("implicit")) ||
(responseType == ResponseType.Token && !GrantTypes.Contains("implicit")))
{
throw new OIDCException("The response_types do not match grant_types.");
}
}
}
List <string> listUri = new List <string>()
{
LogoUri, ClientUri, PolicyUri, TosUri, JwksUri, SectorIdentifierUri, InitiateLoginUri, RegistrationClientUri
};
if (RedirectUris != null)
{
listUri.AddRange(RedirectUris);
}
if (RequestUris != null)
{
listUri.AddRange(RequestUris);
}
foreach (string uri in listUri)
{
if (uri == null)
{
continue;
}
if (new Uri(uri).Scheme != "https")
{
throw new OIDCException("Some of the URIs for the client is not on https");
}
}
}
public static IEnumerable <Client> Get()
{
return(new List <Client>
{
new Client
{
ClientName = "Code Client",
Enabled = true,
ClientId = "codeclient",
ClientSecrets = new List <Secret>
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.Code,
AllowedScopes = { "openid", "profile", "resource", "resource2" },
RequireConsent = false,
RedirectUris = new List <string>
{
"https://server/cb",
},
AuthorizationCodeLifetime = 60
},
new Client
{
ClientName = "Code Client with PKCE",
Enabled = true,
ClientId = "codeclient.pkce",
ClientSecrets = new List <Secret>
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.Code,
RequirePkce = true,
AllowedScopes = { "openid", "profile", "resource", "resource2" },
RequireConsent = false,
RedirectUris = new List <string>
{
"https://server/cb",
},
AuthorizationCodeLifetime = 60
},
new Client
{
ClientName = "Code Client with PKCE and plain allowed",
Enabled = true,
ClientId = "codeclient.pkce.plain",
ClientSecrets = new List <Secret>
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.Code,
RequirePkce = true,
AllowPlainTextPkce = true,
AllowedScopes = { "openid", "profile", "resource", "resource2" },
RequireConsent = false,
RedirectUris = new List <string>
{
"https://server/cb",
},
AuthorizationCodeLifetime = 60
},
new Client
{
ClientName = "Hybrid Client",
Enabled = true,
ClientId = "hybridclient",
ClientSecrets = new List <Secret>
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.Hybrid,
AllowedScopes = { "openid", "profile", "resource", "resource2" },
AllowAccessTokensViaBrowser = true,
RequireConsent = false,
RedirectUris = new List <string>
{
"https://server/cb",
},
AuthorizationCodeLifetime = 60
},
new Client
{
ClientName = "Hybrid Client with PKCE",
Enabled = true,
ClientId = "hybridclient.pkce",
ClientSecrets = new List <Secret>
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.Hybrid,
RequirePkce = true,
AllowedScopes = { "openid", "profile", "resource", "resource2" },
AllowAccessTokensViaBrowser = true,
RequireConsent = false,
RedirectUris = new List <string>
{
"https://server/cb",
},
AuthorizationCodeLifetime = 60
},
new Client
{
ClientName = "Hybrid Client",
Enabled = true,
ClientId = "hybridclient_no_aavb",
ClientSecrets = new List <Secret>
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.Hybrid,
AllowedScopes = { "openid", "profile", "resource", "resource2" },
AllowAccessTokensViaBrowser = false,
RequireConsent = false,
RedirectUris = new List <string>
{
"https://server/cb",
},
AuthorizationCodeLifetime = 60
},
new Client
{
ClientName = "Implicit Client",
ClientId = "implicitclient",
AllowedGrantTypes = GrantTypes.Implicit,
AllowedScopes = { "openid", "profile", "resource", "resource2" },
AllowAccessTokensViaBrowser = true,
RequireConsent = false,
RedirectUris = new List <string>
{
"oob://implicit/cb"
},
},
new Client
{
ClientName = "Implicit Client",
ClientId = "implicitclient_no_aavb",
AllowedGrantTypes = GrantTypes.Implicit,
AllowedScopes = { "openid", "profile", "resource", "resource2" },
AllowAccessTokensViaBrowser = false,
RequireConsent = false,
RedirectUris = new List <string>
{
"oob://implicit/cb"
},
},
new Client
{
ClientName = "Implicit and Client Credentials Client",
Enabled = true,
ClientId = "implicit_and_client_creds_client",
ClientSecrets = new List <Secret>
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.ImplicitAndClientCredentials,
AllowedScopes = { "openid", "profile", "resource", "resource2" },
RequireConsent = false,
RedirectUris = new List <string>
{
"oob://implicit/cb"
},
},
new Client
{
ClientName = "Code Client with Scope Restrictions",
Enabled = true,
ClientId = "codeclient_restricted",
ClientSecrets = new List <Secret>
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.Code,
RequireConsent = false,
AllowedScopes = new List <string>
{
"openid"
},
RedirectUris = new List <string>
{
"https://server/cb",
},
},
new Client
{
ClientName = "Client Credentials Client",
Enabled = true,
ClientId = "client",
ClientSecrets = new List <Secret>
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.ClientCredentials,
AllowedScopes = { "openid", "profile", "resource", "resource2" },
AccessTokenType = AccessTokenType.Jwt
},
new Client
{
ClientName = "Client Credentials Client (restricted)",
Enabled = true,
ClientId = "client_restricted",
ClientSecrets = new List <Secret>
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.ClientCredentials,
AllowedScopes = new List <string>
{
"resource"
},
},
new Client
{
ClientName = "Resource Owner Client",
Enabled = true,
ClientId = "roclient",
ClientSecrets = new List <Secret>
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
AllowedScopes = { "openid", "profile", "resource", "resource2" },
AllowOfflineAccess = true
},
new Client
{
ClientName = "Resource Owner Client - Public",
Enabled = true,
ClientId = "roclient.public",
RequireClientSecret = false,
AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
AllowedScopes = { "openid", "profile", "resource", "resource2" },
},
new Client
{
ClientName = "Resource Owner Client",
Enabled = true,
ClientId = "roclient_absolute_refresh_expiration_one_time_only",
ClientSecrets = new List <Secret>
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
AllowedScopes = { "openid", "profile", "resource", "resource2" },
RefreshTokenExpiration = TokenExpiration.Absolute,
RefreshTokenUsage = TokenUsage.OneTimeOnly,
AbsoluteRefreshTokenLifetime = 200
},
new Client
{
ClientName = "Resource Owner Client",
Enabled = true,
ClientId = "roclient_absolute_refresh_expiration_reuse",
ClientSecrets = new List <Secret>
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
AllowedScopes = { "openid", "profile", "resource", "resource2" },
RefreshTokenExpiration = TokenExpiration.Absolute,
RefreshTokenUsage = TokenUsage.ReUse,
AbsoluteRefreshTokenLifetime = 200
},
new Client
{
ClientName = "Resource Owner Client",
Enabled = true,
ClientId = "roclient_sliding_refresh_expiration_one_time_only",
ClientSecrets = new List <Secret>
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
AllowedScopes = { "openid", "profile", "resource", "resource2" },
RefreshTokenExpiration = TokenExpiration.Sliding,
RefreshTokenUsage = TokenUsage.OneTimeOnly,
AbsoluteRefreshTokenLifetime = 10,
SlidingRefreshTokenLifetime = 4
},
new Client
{
ClientName = "Resource Owner Client",
Enabled = true,
ClientId = "roclient_sliding_refresh_expiration_reuse",
ClientSecrets = new List <Secret>
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
AllowedScopes = { "openid", "profile", "resource", "resource2" },
RefreshTokenExpiration = TokenExpiration.Sliding,
RefreshTokenUsage = TokenUsage.ReUse,
AbsoluteRefreshTokenLifetime = 200,
SlidingRefreshTokenLifetime = 100
},
new Client
{
ClientName = "Resource Owner Client (restricted)",
Enabled = true,
ClientId = "roclient_restricted",
ClientSecrets = new List <Secret>
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
AllowedScopes = new List <string>
{
"resource"
},
},
new Client
{
ClientName = "Resource Owner Client (restricted with refresh)",
Enabled = true,
ClientId = "roclient_restricted_refresh",
ClientSecrets = new List <Secret>
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
AllowOfflineAccess = true,
AllowedScopes = new List <string>
{
"resource",
},
},
new Client
{
ClientName = "Custom Grant Client",
Enabled = true,
ClientId = "customgrantclient",
ClientSecrets = new List <Secret>
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.List("custom_grant"),
AllowedScopes = { "openid", "profile", "resource", "resource2" },
},
new Client
{
ClientName = "Disabled Client",
Enabled = false,
ClientId = "disabled",
ClientSecrets = new List <Secret>
{
new Secret("invalid".Sha256())
},
AllowedGrantTypes = GrantTypes.ClientCredentials,
AllowedScopes = { "openid", "profile", "resource", "resource2" },
},
new Client
{
ClientName = "Reference Token Client",
Enabled = true,
ClientId = "referencetokenclient",
ClientSecrets = new List <Secret>
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.Implicit,
AllowedScopes = { "openid", "profile", "resource", "resource2" },
AccessTokenType = AccessTokenType.Reference
},
new Client
{
ClientId = "wsfed",
ClientName = "WS-Fed Client",
ProtocolType = IdentityServerConstants.ProtocolTypes.WsFederation,
AllowedGrantTypes = GrantTypes.Implicit,
Enabled = true,
AllowedScopes = { "openid", "profile", "resource", "resource2" },
RedirectUris = { "http://wsfed/callback" }
},
new Client
{
ClientId = "client.cred.wsfed",
ClientName = "WS-Fed Client",
ProtocolType = IdentityServerConstants.ProtocolTypes.WsFederation,
AllowedGrantTypes = GrantTypes.ClientCredentials,
ClientSecrets = { new Secret("secret".Sha256()) },
Enabled = true,
AllowedScopes = { "openid", "profile", "resource", "resource2" },
},
new Client
{
ClientId = "client.implicit",
ClientName = "Implicit Client",
AllowedGrantTypes = GrantTypes.Implicit,
AllowedScopes = { "openid", "profile", "resource", "resource2" },
},
new Client
{
ClientId = "implicit_and_client_creds",
AllowedGrantTypes = GrantTypes.ImplicitAndClientCredentials,
AllowedScopes = { "api1" }
},
});
}
private static string GetGrantTypeName(string key) => GrantTypes.GetGrantTypeName(key);
public void custom_should_be_allowed()
{
var client = new Client();
client.AllowedGrantTypes = GrantTypes.List("custom");
}