/// <summary> /// Returns a list of scopes from a concatenate list of scopes separated by whitespaces. /// </summary> /// <param name="concatenateListOfScopes"></param> /// <returns>List of scopes</returns> private async Task <ICollection <Scope> > GetScopes(string concatenateListOfScopes) { var result = new List <Scope>(); var scopeNames = _parameterParserHelper.ParseScopes(concatenateListOfScopes); return(await _scopeRepository.SearchByNamesAsync(scopeNames)); }
private async Task FillInResourceOwnerClaimsFromScopes( JwsPayload jwsPayload, AuthorizationParameter authorizationParameter, ClaimsPrincipal claimsPrincipal) { // 1. Fill-in the subject claim var subject = claimsPrincipal.GetSubject(); jwsPayload.Add(Jwt.Constants.StandardResourceOwnerClaimNames.Subject, subject); if (authorizationParameter == null || string.IsNullOrWhiteSpace(authorizationParameter.Scope)) { return; } // 2. Fill-in the other claims var scopes = _parameterParserHelper.ParseScopes(authorizationParameter.Scope); var claims = await GetClaimsFromRequestedScopes(scopes, claimsPrincipal); foreach (var claim in claims) { if (claim.Key == Jwt.Constants.StandardResourceOwnerClaimNames.Subject) { continue; } jwsPayload.Add(claim.Key, claim.Value); } }
public async Task <Consent> GetConfirmedConsentsAsync(string subject, AuthorizationParameter authorizationParameter) { if (string.IsNullOrWhiteSpace(subject)) { throw new ArgumentNullException(nameof(subject)); } if (authorizationParameter == null) { throw new ArgumentNullException(nameof(authorizationParameter)); } var consents = await _consentRepository.GetConsentsForGivenUserAsync(subject); Consent confirmedConsent = null; if (consents != null && consents.Any()) { var claimsParameter = authorizationParameter.Claims; if (claimsParameter.IsAnyUserInfoClaimParameter() || claimsParameter.IsAnyIdentityTokenClaimParameter()) { var expectedClaims = claimsParameter.GetClaimNames(); confirmedConsent = consents.FirstOrDefault( c => c.Client.ClientId == authorizationParameter.ClientId && c.Claims != null && c.Claims.Any() && expectedClaims.Count() == c.Claims.Count() && expectedClaims.All(cl => c.Claims.Contains(cl))); } else { var scopeNames = _parameterParserHelper.ParseScopes(authorizationParameter.Scope); confirmedConsent = consents.FirstOrDefault( c => c.Client.ClientId == authorizationParameter.ClientId && c.GrantedScopes != null && c.GrantedScopes.Any() && scopeNames.Count() == c.GrantedScopes.Count() && c.GrantedScopes.All(g => scopeNames.Contains(g.Name))); } } return(confirmedConsent); }
public ScopeValidationResult Check(string scope, Core.Common.Models.Client client) { var emptyList = new List <string>(); var scopes = _parameterParserHelper.ParseScopes(scope); if (!scopes.Any()) { return(new ScopeValidationResult(false) { ErrorMessage = string.Format(ErrorDescriptions.TheScopesNeedToBeSpecified, scope) }); } var duplicates = scopes.GroupBy(p => p) .Where(g => g.Count() > 1) .Select(g => g.Key) .ToList(); if (duplicates.Any()) { return(new ScopeValidationResult(false) { ErrorMessage = string.Format(ErrorDescriptions.DuplicateScopeValues, string.Join(",", duplicates)) }); } var scopeAllowed = client.AllowedScopes.Select(a => a.Name).ToList(); var scopesNotAllowedOrInvalid = scopes .Where(s => !scopeAllowed.Contains(s)) .ToList(); if (scopesNotAllowedOrInvalid.Any()) { return(new ScopeValidationResult(false) { ErrorMessage = string.Format(ErrorDescriptions.ScopesAreNotAllowedOrInvalid, string.Join(",", scopesNotAllowedOrInvalid)) }); } return(new ScopeValidationResult(true) { Scopes = scopes }); }
public async Task ExecuteAsync(ActionResult actionResult, AuthorizationParameter authorizationParameter, ClaimsPrincipal claimsPrincipal, Client client) { if (actionResult == null || actionResult.RedirectInstruction == null) { throw new ArgumentNullException(nameof(actionResult)); } ; if (authorizationParameter == null) { throw new ArgumentNullException(nameof(authorizationParameter)); } if (claimsPrincipal == null) { throw new ArgumentNullException(nameof(claimsPrincipal)); } if (client == null) { throw new ArgumentNullException(nameof(client)); } var newAccessTokenGranted = false; var allowedTokenScopes = string.Empty; GrantedToken grantedToken = null; var newAuthorizationCodeGranted = false; AuthorizationCode authorizationCode = null; _simpleIdentityServerEventSource.StartGeneratingAuthorizationResponseToClient(authorizationParameter.ClientId, authorizationParameter.ResponseType); var responses = _parameterParserHelper.ParseResponseTypes(authorizationParameter.ResponseType); var idTokenPayload = await GenerateIdTokenPayload(claimsPrincipal, authorizationParameter); var userInformationPayload = await GenerateUserInformationPayload(claimsPrincipal, authorizationParameter); if (responses.Contains(ResponseType.token)) // 1. Generate an access token. { if (!string.IsNullOrWhiteSpace(authorizationParameter.Scope)) { allowedTokenScopes = string.Join(" ", _parameterParserHelper.ParseScopes(authorizationParameter.Scope)); } grantedToken = await _grantedTokenHelper.GetValidGrantedTokenAsync(allowedTokenScopes, client.ClientId, userInformationPayload, idTokenPayload); if (grantedToken == null) { grantedToken = await _grantedTokenGeneratorHelper.GenerateTokenAsync(client, allowedTokenScopes, userInformationPayload, idTokenPayload); newAccessTokenGranted = true; } actionResult.RedirectInstruction.AddParameter(Constants.StandardAuthorizationResponseNames.AccessTokenName, grantedToken.AccessToken); } if (responses.Contains(ResponseType.code)) // 2. Generate an authorization code. { var subject = claimsPrincipal == null ? string.Empty : claimsPrincipal.GetSubject(); var assignedConsent = await _consentHelper.GetConfirmedConsentsAsync(subject, authorizationParameter); if (assignedConsent != null) { // Insert a temporary authorization code // It will be used later to retrieve tha id_token or an access token. authorizationCode = new AuthorizationCode { Code = Guid.NewGuid().ToString(), RedirectUri = authorizationParameter.RedirectUrl, CreateDateTime = DateTime.UtcNow, ClientId = authorizationParameter.ClientId, Scopes = authorizationParameter.Scope, IdTokenPayload = idTokenPayload, UserInfoPayLoad = userInformationPayload }; newAuthorizationCodeGranted = true; actionResult.RedirectInstruction.AddParameter(Constants.StandardAuthorizationResponseNames.AuthorizationCodeName, authorizationCode.Code); } } _jwtGenerator.FillInOtherClaimsIdentityTokenPayload(idTokenPayload, authorizationCode == null ? string.Empty : authorizationCode.Code, grantedToken == null ? string.Empty : grantedToken.AccessToken, authorizationParameter, client); if (newAccessTokenGranted) // 3. Insert the stateful access token into the DB OR insert the access token into the caching. { await _tokenStore.AddToken(grantedToken); _simpleIdentityServerEventSource.GrantAccessToClient(authorizationParameter.ClientId, grantedToken.AccessToken, allowedTokenScopes); } if (newAuthorizationCodeGranted) // 4. Insert the authorization code into the caching. { if (client.RequirePkce) { authorizationCode.CodeChallenge = authorizationParameter.CodeChallenge; authorizationCode.CodeChallengeMethod = authorizationParameter.CodeChallengeMethod; } await _authorizationCodeStore.AddAuthorizationCode(authorizationCode); _simpleIdentityServerEventSource.GrantAuthorizationCodeToClient(authorizationParameter.ClientId, authorizationCode.Code, authorizationParameter.Scope); } if (responses.Contains(ResponseType.id_token)) { var idToken = await GenerateIdToken(idTokenPayload, authorizationParameter); actionResult.RedirectInstruction.AddParameter(Constants.StandardAuthorizationResponseNames.IdTokenName, idToken); } if (!string.IsNullOrWhiteSpace(authorizationParameter.State)) { actionResult.RedirectInstruction.AddParameter(Constants.StandardAuthorizationResponseNames.StateName, authorizationParameter.State); } var sessionState = GetSessionState(authorizationParameter.ClientId, authorizationParameter.OriginUrl, authorizationParameter.SessionId); if (sessionState != null) { actionResult.RedirectInstruction.AddParameter(Constants.StandardAuthorizationResponseNames.SessionState, sessionState); } if (authorizationParameter.ResponseMode == ResponseMode.form_post) { actionResult.Type = TypeActionResult.RedirectToAction; actionResult.RedirectInstruction.Action = IdentityServerEndPoints.FormIndex; actionResult.RedirectInstruction.AddParameter("redirect_uri", authorizationParameter.RedirectUrl); } // Set the response mode if (actionResult.Type == TypeActionResult.RedirectToCallBackUrl) { var responseMode = authorizationParameter.ResponseMode; if (responseMode == ResponseMode.None) { var responseTypes = _parameterParserHelper.ParseResponseTypes(authorizationParameter.ResponseType); var authorizationFlow = _authorizationFlowHelper.GetAuthorizationFlow(responseTypes, authorizationParameter.State); responseMode = GetResponseMode(authorizationFlow); } actionResult.RedirectInstruction.ResponseMode = responseMode; } _simpleIdentityServerEventSource.EndGeneratingAuthorizationResponseToClient(authorizationParameter.ClientId, actionResult.RedirectInstruction.Parameters.SerializeWithJavascript()); }