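/// <summary>
/// Token-endpoint middleware. A request whose path equals
/// <c>_options.TokenEndpointPath</c> is handled here and never reaches the rest
/// of the pipeline; every other request is passed to the next middleware.
/// </summary>
/// <param name="context">The HTTP context of the current request.</param>
/// <param name="credentialsProvider">Validates resource-owner (user) or client credentials.</param>
/// <param name="additionalClaimsProvider">Supplies extra claims; forwarded unchanged to <c>WriteResponseAsync</c>.</param>
/// <returns>A task that completes once a response has been written or the pipeline has continued.</returns>
/// <remarks>
/// Error bodies are JSON arrays holding one string, e.g. <c>["invalid-content-type"]</c>.
/// Only the <c>password</c> and <c>client</c> grant types are served; any other
/// grant type is rejected with 400 instead of being issued a token without a
/// credential check.
/// </remarks>
public async Task Invoke(HttpContext context, ICredentialsProvider credentialsProvider, IAdditionalClaimsProvider additionalClaimsProvider)
{
    // Ordinal, case-sensitive match as before; the null-conditional only avoids a
    // NullReferenceException when Path.Value is null (empty path).
    if (context.Request.Path.Value?.Equals(_options.TokenEndpointPath) != true)
    {
        await _next.Invoke(context);
        return;
    }

    if (!IsFormUrlEncoded(context.Request.ContentType))
    {
        await WriteJsonErrorAsync(context, StatusCodes.Status400BadRequest, "invalid-content-type");
        return;
    }

    try
    {
        AuthServerRequest authRequest = CreateAuthServerRequestObject(context.Request);

        bool credentialsValid;
        switch (authRequest.GrantType)
        {
            case "password": // resource owner
                credentialsValid = await credentialsProvider.AreUserCredentialsValidAsync(authRequest.Username, authRequest.Password);
                break;

            case "client": // private client
                credentialsValid = await credentialsProvider.AreClientCredentialsValidAsync(authRequest.ClientId, authRequest.ClientSecret);
                break;

            default:
                // A missing or unknown grant type used to fall through to
                // WriteResponseAsync with no credential check at all.
                await WriteJsonErrorAsync(context, StatusCodes.Status400BadRequest, "unsupported_grant_type");
                return;
        }

        if (!credentialsValid)
        {
            // Same message for both grant types, as before.
            await WriteJsonErrorAsync(context, StatusCodes.Status401Unauthorized, AuthServerMessages.InvalidUserCredentials);
            return;
        }

        await WriteResponseAsync(authRequest, _options.Issuer, context.Response, additionalClaimsProvider);
    }
    catch (Exception)
    {
        // The exception message is deliberately not echoed: it was written
        // unescaped into the JSON body (a quote in the message produced invalid
        // JSON) and it exposes parser/provider internals to the caller.
        // Diagnose failures through the host's logging instead.
        await WriteJsonErrorAsync(context, StatusCodes.Status400BadRequest, "invalid_request");
    }
}

/// <summary>
/// Returns true when the Content-Type's media type is
/// <c>application/x-www-form-urlencoded</c>, ignoring parameters such as
/// <c>; charset=utf-8</c> (media type names are case-insensitive).
/// </summary>
/// <param name="contentType">The raw Content-Type header value; may be null or empty.</param>
private static bool IsFormUrlEncoded(string contentType)
{
    if (string.IsNullOrEmpty(contentType))
    {
        return false;
    }

    int separator = contentType.IndexOf(';');
    string mediaType = separator < 0 ? contentType : contentType.Substring(0, separator);
    return mediaType.Trim().Equals("application/x-www-form-urlencoded", StringComparison.OrdinalIgnoreCase);
}

/// <summary>
/// Writes a single-string JSON array error body with the given status code.
/// </summary>
/// <param name="context">The HTTP context whose response is written.</param>
/// <param name="statusCode">The HTTP status code to set.</param>
/// <param name="message">The error token to place in the array; must not contain characters that need JSON escaping.</param>
private static Task WriteJsonErrorAsync(HttpContext context, int statusCode, string message)
{
    context.Response.StatusCode = statusCode;
    context.Response.ContentType = "application/json;charset=utf-8";
    return context.Response.WriteAsync($"[\"{message}\"]");
}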