public async Task Build(IEnumerable <string> scopes, HandlerContext context, JObject claims = null) { if (!scopes.Contains(SIDOpenIdConstants.StandardScopes.OpenIdScope.Name) || context.User == null) { return; } var openidClient = (OpenIdClient)context.Client; var payload = await BuildIdToken(context, context.Request.Data).ConfigureAwait(false); var idToken = await _jwtBuilder.BuildClientToken(context.Client, payload, openidClient.IdTokenSignedResponseAlg, openidClient.IdTokenEncryptedResponseAlg, openidClient.IdTokenEncryptedResponseEnc); context.Response.Add(Name, idToken); }
public override async Task Build(IEnumerable <string> scopes, HandlerContext context, CancellationToken cancellationToken) { if (context.User == null) { return; } var openidClient = (OpenIdClient)context.Client; var payload = await BuildIdToken(context, context.Request.Data, scopes, cancellationToken); var idToken = await _jwtBuilder.BuildClientToken(context.Client, payload, openidClient.IdTokenSignedResponseAlg, openidClient.IdTokenEncryptedResponseAlg, openidClient.IdTokenEncryptedResponseEnc); context.Response.Add(Name, idToken); }
public async Task Enrich(JwsPayload jwsPayload, OpenIdClient client) { var subject = jwsPayload.GetClaimValue(Jwt.Constants.UserClaims.Subject); using (var httpClient = new HttpClient()) { var request = new HttpRequestMessage { RequestUri = new Uri(_httpClaimsSourceOptions.Url), Method = HttpMethod.Get, // Content = new StringContent(JsonConvert.SerializeObject(new { sub = subject }), Encoding.UTF8, "application/json") }; if (!string.IsNullOrWhiteSpace(_httpClaimsSourceOptions.ApiToken)) { request.Headers.Add("Authorization", $"Bearer {_httpClaimsSourceOptions.ApiToken}"); } var result = await httpClient.SendAsync(request).ConfigureAwait(false); var json = await result.Content.ReadAsStringAsync().ConfigureAwait(false); var kvp = result.Content.Headers.FirstOrDefault(k => k.Key == "Content-Type"); if (!kvp.Equals(default(KeyValuePair <string, IEnumerable <string> >)) && !string.IsNullOrWhiteSpace(kvp.Key) && result.IsSuccessStatusCode) { string jwt = null; JwsPayload jObj = null; if (kvp.Value.Any(v => v.Contains("application/json"))) { jObj = JsonConvert.DeserializeObject <JwsPayload>(json); jwt = await _jwtBuilder.BuildClientToken(client, jObj, client.IdTokenSignedResponseAlg, client.IdTokenEncryptedResponseAlg, client.IdTokenEncryptedResponseEnc); } else if (kvp.Value.Any(v => v.Contains("application/jwt"))) { throw new NotImplementedException(); /* * jwt = json; * jObj = Extract(json); */ } if (!string.IsNullOrWhiteSpace(jwt)) { ClaimsSourceHelper.AddAggregate(jwsPayload, jObj, jwt, _httpClaimsSourceOptions.Name); } } } }
private async Task <IActionResult> Common(JObject content, CancellationToken cancellationToken) { try { var accessToken = ExtractAccessToken(content); var jwsPayload = await Extract(accessToken); if (jwsPayload == null) { throw new OAuthException(ErrorCodes.INVALID_TOKEN, OAuth.ErrorMessages.BAD_TOKEN); } var subject = jwsPayload.GetSub(); var scopes = jwsPayload.GetScopes(); var audiences = jwsPayload.GetAudiences(); var claims = jwsPayload.GetClaimsFromAccessToken(AuthorizationRequestClaimTypes.UserInfo); var authTime = jwsPayload.GetAuthTime(); var user = await _oauthUserRepository.FindOAuthUserByLogin(subject, cancellationToken); if (user == null) { return(new UnauthorizedResult()); } var filteredClients = await _oauthClientRepository.FindOAuthClientByIds(audiences, cancellationToken); if (!filteredClients.Any()) { throw new OAuthException(ErrorCodes.INVALID_CLIENT, ErrorMessages.INVALID_AUDIENCE); } var oauthClient = (OpenIdClient)filteredClients.First(); if (!user.HasOpenIDConsent(oauthClient.ClientId, scopes, claims, AuthorizationRequestClaimTypes.UserInfo)) { throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.NO_CONSENT); } var token = await _tokenQueryRepository.Get(accessToken, cancellationToken); if (token == null) { _logger.LogError("Cannot get user information because access token has been rejected"); throw new OAuthException(ErrorCodes.INVALID_TOKEN, OAuth.ErrorMessages.ACCESS_TOKEN_REJECTED); } var oauthScopes = (await _oauthScopeRepository.FindOAuthScopesByNames(scopes, cancellationToken)).Cast <OpenIdScope>(); var payload = new JwsPayload(); IdTokenBuilder.EnrichWithScopeParameter(payload, oauthScopes, user, subject); _claimsJwsPayloadEnricher.EnrichWithClaimsParameter(payload, claims, user, authTime, AuthorizationRequestClaimTypes.UserInfo); foreach (var claimsSource in _claimsSources) { await claimsSource.Enrich(payload, oauthClient).ConfigureAwait(false); } string contentType = "application/json"; var result = JsonConvert.SerializeObject(payload).ToString(); if (!string.IsNullOrWhiteSpace(oauthClient.UserInfoSignedResponseAlg)) { result = await _jwtBuilder.BuildClientToken(oauthClient, payload, oauthClient.UserInfoSignedResponseAlg, oauthClient.UserInfoEncryptedResponseAlg, oauthClient.UserInfoEncryptedResponseEnc); contentType = "application/jwt"; } return(new ContentResult { Content = result, ContentType = contentType }); } catch (OAuthException ex) { var jObj = new JObject { { ErrorResponseParameters.Error, ex.Code }, { ErrorResponseParameters.ErrorDescription, ex.Message } }; return(new ContentResult { Content = jObj.ToString(), ContentType = "application/json", StatusCode = (int)HttpStatusCode.BadRequest }); } }