예제 #1
0
    public async Task <ClaimsPrincipal> Handle(OpenIddictRequest request)
    {
        if (!request.IsClientCredentialsGrantType())
        {
            throw new NotImplementedException("The specified grant type is not implemented");
        }

        var application = await _applicationManager.FindByClientIdAsync(request.ClientId !) ??
                          throw new NotFoundException <string?>("Admin API Client", request.ClientId);

        if (!await _applicationManager.ValidateClientSecretAsync(application, request.ClientSecret !))
        {
            throw new AuthenticationException("Invalid Admin API Client key and secret");
        }

        var requestedScopes = request.GetScopes();
        var appScopes       = (await _applicationManager.GetPermissionsAsync(application))
                              .Where(p => p.StartsWith(OpenIddictConstants.Permissions.Prefixes.Scope))
                              .Select(p => p.Substring(OpenIddictConstants.Permissions.Prefixes.Scope.Length))
                              .ToList();

        var missingScopes = requestedScopes.Where(s => !appScopes.Contains(s)).ToList();

        if (missingScopes.Any())
        {
            throw new AuthenticationException($"Client is not allowed access to requested scope(s): {string.Join(", " , missingScopes)}");
        }

        var displayName = await _applicationManager.GetDisplayNameAsync(application);

        var identity = new ClaimsIdentity(JwtBearerDefaults.AuthenticationScheme);

        identity.AddClaim(OpenIddictConstants.Claims.Subject, request.ClientId !, OpenIddictConstants.Destinations.AccessToken);
        identity.AddClaim(OpenIddictConstants.Claims.Name, displayName !, OpenIddictConstants.Destinations.AccessToken);

        var principal = new ClaimsPrincipal(identity);

        principal.SetScopes(requestedScopes);

        return(principal);
    }