private async Task <TokenResponse> ProcessRefreshTokenRequestAsync(ValidatedTokenRequest request) { Logger.Info("Processing refresh token request"); var oldAccessToken = request.RefreshToken.AccessToken; string accessTokenString; // if pop request, claims must be updated because we need a fresh proof token if (request.Client.UpdateAccessTokenClaimsOnRefresh || request.RequestedTokenType == RequestedTokenTypes.PoP) { var subject = request.RefreshToken.GetOriginalSubject(); var creationRequest = new TokenCreationRequest { Client = request.Client, Subject = subject, ValidatedRequest = request, Scopes = await _scopes.FindScopesAsync(oldAccessToken.Scopes), }; // if pop request, embed proof token if (request.RequestedTokenType == RequestedTokenTypes.PoP) { creationRequest.ProofKey = GetProofKey(request); } var newAccessToken = await _tokenService.CreateAccessTokenAsync(creationRequest); accessTokenString = await _tokenService.CreateSecurityTokenAsync(newAccessToken); } else { var copy = new Token(oldAccessToken); copy.CreationTime = DateTimeOffsetHelper.UtcNow; copy.Lifetime = request.Client.AccessTokenLifetime; accessTokenString = await _tokenService.CreateSecurityTokenAsync(copy); } var handle = await _refreshTokenService.UpdateRefreshTokenAsync(request.RefreshTokenHandle, request.RefreshToken, request.Client); var response = new TokenResponse { AccessToken = accessTokenString, AccessTokenLifetime = request.Client.AccessTokenLifetime, RefreshToken = handle }; if (request.RequestedTokenType == RequestedTokenTypes.PoP) { response.TokenType = Constants.ResponseTokenTypes.PoP; response.Algorithm = request.ProofKeyAlgorithm; } response.IdentityToken = await CreateIdTokenFromRefreshTokenRequestAsync(request, accessTokenString); return(response); }
public async Task ShouldContainRequestedScopeNames() { await _setup; var result = (await _scopeStore.FindScopesAsync(_evenScopeNames)).ToArray(); foreach (var evenScopeName in _evenScopeNames) { Assert.Contains(evenScopeName, result.Select(x => x.Name)); } }
public async Task <global::IdentityServer3.Core.Models.AuthorizationCode> MakeAuthorizationCodeAsync(IClientStore clientStore, IScopeStore scopeStore) { AuthorizationCode result; try { var client = clientStore.FindClientByIdAsync(this.ClientId).Result; var requestedScopes = scopeStore.FindScopesAsync(DeserializeScopes(RequestedScopes)).Result; var subject = DeserializeSubject(ClaimIdentityRecords); result = new AuthorizationCode() { Client = client, CreationTime = CreationTime, IsOpenId = IsOpenId, RedirectUri = RedirectUri, WasConsentShown = WasConsentShown, Nonce = Nonce, RequestedScopes = requestedScopes, Subject = subject }; } catch (Exception e) { result = null; } return(await Task.FromResult(result)); }
public override object ReadJson(JsonReader reader, Type objectType, object existingValue, JsonSerializer serializer) { var source = serializer.Deserialize <ScopeLite>(reader); var scopes = AsyncHelper.RunSync(async() => await scopeStore.FindScopesAsync(new string[] { source.Name })); return(scopes.Single()); }
internal static async Task<AuthorizationCode> FromDbFormat(StoredAuthorizationCode code, IAsyncDocumentSession s, IScopeStore scopeStore) { var result = new AuthorizationCode { CreationTime = code.CreationTime, IsOpenId = code.IsOpenId, RedirectUri = code.RedirectUri, WasConsentShown = code.WasConsentShown, Nonce = code.Nonce, Client = Data.StoredClient.FromDbFormat(await s.LoadAsync<Data.StoredClient>("clients/" + code.Client)), CodeChallenge = code.CodeChallenge, CodeChallengeMethod = code.CodeChallengeMethod, SessionId = code.SessionId, RequestedScopes = await scopeStore.FindScopesAsync(code.RequestedScopes) }; var claimsPrinciple = new ClaimsPrincipal(); foreach (var id in code.Subject) { claimsPrinciple.AddIdentity(Data.StoredIdentity.FromDbFormat(id)); } result.Subject = claimsPrinciple; return result; }
async Task <ConsentViewModel> BuildViewModelAsync(string returnUrl, ConsentInputModel model = null) { var request = await _interaction.GetAuthorizationContextAsync(returnUrl); if (request != null) { var client = await _clientStore.FindClientByIdAsync(request.ClientId); if (client != null) { var scopes = await _scopeStore.FindScopesAsync(request.ScopesRequested); if (scopes != null && scopes.Any()) { return(new ConsentViewModel(model, returnUrl, request, client, scopes)); } else { _logger.LogError("No scopes matching: {0}", request.ScopesRequested.Aggregate((x, y) => x + ", " + y)); } } else { _logger.LogError("Invalid client id: {0}", request.ClientId); } } else { _logger.LogError("No consent request matching request: {0}", returnUrl); } return(null); }
public async Task <IEnumerable <string> > GetRequestedClaimTypesAsync(IEnumerable <string> scopes) { if (scopes == null || !scopes.Any()) { return(Enumerable.Empty <string>()); } var scopeString = string.Join(" ", scopes); Logger.InfoFormat("Scopes in access token: {0}", scopeString); var scopeDetails = await _scopes.FindScopesAsync(scopes); var scopeClaims = new List <string>(); foreach (var scope in scopes) { var scopeDetail = scopeDetails.FirstOrDefault(s => s.Name == scope); if (scopeDetail != null) { if (scopeDetail.Type == ScopeType.Identity) { scopeClaims.AddRange(scopeDetail.Claims.Select(c => c.Name)); } } } return(scopeClaims); }
public override object ReadJson(JsonReader reader, Type objectType, object existingValue, JsonSerializer serializer) { var source = serializer.Deserialize <ScopeModel>(reader); var scopes = _scopeStore.FindScopesAsync(new[] { source.Name }).GetAwaiter().GetResult(); return(scopes.Single()); }
public override object ReadJson(JsonReader reader, Type objectType, object existingValue, JsonSerializer serializer) { var source = serializer.Deserialize <ScopeLite>(reader); var factory = new TaskFactory(CancellationToken.None, TaskCreationOptions.None, TaskContinuationOptions.None, TaskScheduler.Default); return(factory.StartNew(async() => await _scopeStore.FindScopesAsync(new[] { source.Name })) .Unwrap() .GetAwaiter() .GetResult() .Single()); }
public async Task <IEnumerable <Scope> > FindScopesAsync(IEnumerable <string> scopeNames) { var key = GetKey(scopeNames); var scopes = await _cache.GetAsync(key, _options.CachingOptions.ScopeStoreExpiration, () => _inner.FindScopesAsync(scopeNames), _logger); return(scopes); }
public async Task <ScopeSecretValidationResult> ValidateAsync(HttpContext context) { _logger.LogTrace("Start scope validation"); var fail = new ScopeSecretValidationResult { IsError = true }; var parsedSecret = await _parser.ParseAsync(context); if (parsedSecret == null) { await RaiseFailureEvent("unknown", "No scope id or secret found"); _logger.LogInformation("No scope secret found"); return(fail); } // load scope var scope = (await _scopes.FindScopesAsync(new[] { parsedSecret.Id })).FirstOrDefault(); if (scope == null) { await RaiseFailureEvent(parsedSecret.Id, "Unknown scope"); _logger.LogInformation("No scope with that name found. aborting"); return(fail); } var result = await _validator.ValidateAsync(parsedSecret, scope.ScopeSecrets); if (result.Success) { _logger.LogInformation("Scope validation success"); var success = new ScopeSecretValidationResult { IsError = false, Scope = scope }; await RaiseSuccessEvent(scope.Name); return(success); } await RaiseFailureEvent(scope.Name, "Invalid client secret"); _logger.LogInformation("Scope validation failed."); return(fail); }
/// <summary> /// Gets the client permissions asynchronous. /// </summary> /// <param name="subject">The subject identifier.</param> /// <returns> /// A list of client permissions /// </returns> /// <exception cref="System.ArgumentNullException">subject</exception> public virtual async Task <IEnumerable <ClientPermission> > GetClientPermissionsAsync(string subject) { if (String.IsNullOrWhiteSpace(subject)) { throw new ArgumentNullException("subject"); } var consents = await this.permissionsStore.LoadAllAsync(subject); var scopesNeeded = consents.Select(x => x.Scopes).SelectMany(x => x).Distinct(); var scopes = await scopeStore.FindScopesAsync(scopesNeeded); var list = new List <ClientPermission>(); foreach (var consent in consents) { var client = await clientStore.FindClientByIdAsync(consent.ClientId); if (client != null) { var identityScopes = from s in scopes where s.Type == ScopeType.Identity && consent.Scopes.Contains(s.Name) select new ClientPermissionDescription { DisplayName = s.DisplayName ?? localizationService.GetScopeDisplayName(s.Name), Description = s.Description ?? localizationService.GetScopeDescription(s.Name) }; var resourceScopes = from s in scopes where s.Type == ScopeType.Resource && consent.Scopes.Contains(s.Name) select new ClientPermissionDescription { DisplayName = s.DisplayName ?? localizationService.GetScopeDisplayName(s.Name), Description = s.Description ?? localizationService.GetScopeDescription(s.Name) }; list.Add(new ClientPermission { ClientId = client.ClientId, ClientName = client.ClientName, ClientUrl = client.ClientUri, ClientLogoUrl = client.LogoUri, IdentityPermissions = identityScopes, ResourcePermissions = resourceScopes }); } } return(list); }
public virtual AuthorizationCode Read(BinaryReader reader) { if (reader == null) { throw new ArgumentNullException(nameof(reader)); } var code = new AuthorizationCode { IsOpenId = reader.ReadBoolean(), RedirectUri = reader.ReadString(), Nonce = reader.ReadString(), WasConsentShown = reader.ReadBoolean(), SessionId = reader.ReadString(), CreationTime = DateTimeOffset.FromUnixTimeMilliseconds(reader.ReadInt64()), }; // get the client var clientId = reader.ReadString(); code.Client = _clientStore.FindClientByIdAsync(clientId).Result; // Read the number of identities stored // in the serialized payload. var count = reader.ReadInt32(); if (count > 0) { var identities = new ClaimsIdentity[count]; for (var index = 0; index != count; ++index) { identities[index] = ReadIdentity(reader); } code.Subject = new ClaimsPrincipal(identities); } var scopeCount = reader.ReadInt32(); if (scopeCount > 0) { var scopeNames = new List <string>(scopeCount); for (var index = 0; index != scopeCount; ++index) { scopeNames.Add(reader.ReadString()); } code.RequestedScopes = _scopeStore.FindScopesAsync(scopeNames).Result; } return(code); }
public override object ReadJson(JsonReader reader, Type objectType, object existingValue, JsonSerializer serializer) { if (objectType == typeof(Scope)) { var scopeName = serializer.Deserialize <string>(reader); var scope = scopeStore.FindScopesAsync(new[] { scopeName }).Result.Single(); return(scope); } else { var scopeNames = serializer.Deserialize <IEnumerable <string> >(reader); var scopes = scopeStore.FindScopesAsync(scopeNames).Result; if (objectType == typeof(List <Scope>)) { return(scopes.ToList()); } else if (objectType == typeof(Scope[])) { return(scopes.ToArray()); } return(scopes); } }
/// <summary>Find Scopes by Name</summary> /// <param name="scopeNames">Scope Names</param> /// <returns>Scope objects</returns> public async Task <IEnumerable <Scope> > FindScopesAsync(IEnumerable <string> scopeNames) { if (scopeNames == null) { return(new List <Scope>()); } var names = scopeNames.ToList(); if (names.Count == 0) { return(new List <Scope>()); } var scopeResult = await scopeStore.FindScopesAsync(names).ConfigureAwait(false); if (scopeResult == null) { return(new List <Scope>()); } var scopes = scopeResult.ToList(); if (scopes.Count == 0) { return(new List <Scope>()); } foreach (var scope in scopes) { // Ignore standard scopes if (StandardScopes.All.Any(x => x.Name == scope.Name)) { continue; } if (StandardScopes.OfflineAccess.Name == scope.Name) { continue; } var scopeSecrets = await secretStore.GetSecrets(scope.Name).ConfigureAwait(false); scope.ScopeSecrets = scopeSecrets.Select(x => new Secret(x) { Type = Constants.VaultSharedSecretType }).ToList(); } return(scopes); }
private static async Task <AuthorizationCode> Version1( BsonDocument doc, IClientStore clientStore, IScopeStore scopeStore) { var code = new AuthorizationCode(); code.CreationTime = doc.GetValueOrDefault("creationTime", code.CreationTime); code.IsOpenId = doc.GetValueOrDefault("isOpenId", code.IsOpenId); code.RedirectUri = doc.GetValueOrDefault("redirectUri", code.RedirectUri); code.WasConsentShown = doc.GetValueOrDefault("wasConsentShown", code.WasConsentShown); code.Nonce = doc.GetValueOrDefault("nonce", code.Nonce); var claimsPrincipal = new ClaimsPrincipal(); IEnumerable <ClaimsIdentity> identities = doc.GetValueOrDefault("subject", sub => { string authenticationType = sub.GetValueOrDefault("authenticationType", (string)null); var claims = sub.GetNestedValueOrDefault("claimSet", ClaimSetSerializer.Deserialize, new Claim[] { }); ClaimsIdentity identity = authenticationType == null ? new ClaimsIdentity(claims) : new ClaimsIdentity(claims, authenticationType); return(identity); }, new ClaimsIdentity[] { }); claimsPrincipal.AddIdentities(identities); code.Subject = claimsPrincipal; var clientId = doc["_clientId"].AsString; code.Client = await clientStore.FindClientByIdAsync(clientId); if (code.Client == null) { throw new InvalidOperationException("Client not found when deserializing authorization code. Client id: " + clientId); } var scopes = doc.GetValueOrDefault( "requestedScopes", (IEnumerable <string>) new string[] { }).ToArray(); code.RequestedScopes = await scopeStore.FindScopesAsync(scopes); if (scopes.Count() > code.RequestedScopes.Count()) { throw new InvalidOperationException("Scopes not found when deserializing authorization code. Scopes: " + string.Join(", ", scopes.Except(code.RequestedScopes.Select(x => x.Name)))); } return(code); }
async Task <ConsentViewModel> BuildViewModelAsync(string id, ConsentInputModel model = null) { if (id != null) { var request = await consentInteraction.GetRequestAsync(id); if (request != null) { var client = await clientStore.FindClientByIdAsync(request.ClientId); if (client != null) { var scopes = await scopeStore.FindScopesAsync(request.ScopesRequested); var scopesArray = scopes as Scope[] ?? scopes.ToArray(); if (scopes != null && scopesArray.Any()) { return(new ConsentViewModel(model, id, request, client, scopesArray, localization)); } else { logger.LogError("No scopes matching: {0}", request.ScopesRequested.Aggregate((x, y) => x + ", " + y)); } } else { logger.LogError("Invalid client id: {0}", request.ClientId); } } else { logger.LogError("No consent request matching id: {0}", id); } } else { logger.LogError("No id passed"); } return(null); }
private async Task <TokenResponse> ProcessRefreshTokenRequestAsync(ValidatedTokenRequest request) { Logger.Info("Processing refresh token request"); var oldAccessToken = request.RefreshToken.AccessToken; string accessTokenString; if (request.Client.UpdateAccessTokenClaimsOnRefresh) { // re-create original subject var subject = IdentityServerPrincipal.FromClaims(oldAccessToken.Claims, allowMissing: true); var creationRequest = new TokenCreationRequest { Client = request.Client, Subject = subject, ValidatedRequest = request, Scopes = await _scopes.FindScopesAsync(oldAccessToken.Scopes) }; var newAccessToken = await _tokenService.CreateAccessTokenAsync(creationRequest); accessTokenString = await _tokenService.CreateSecurityTokenAsync(newAccessToken); } else { oldAccessToken.CreationTime = DateTimeOffsetHelper.UtcNow; oldAccessToken.Lifetime = request.Client.AccessTokenLifetime; accessTokenString = await _tokenService.CreateSecurityTokenAsync(oldAccessToken); } var handle = await _refreshTokenService.UpdateRefreshTokenAsync(request.RefreshTokenHandle, request.RefreshToken, request.Client); return(new TokenResponse { AccessToken = accessTokenString, AccessTokenLifetime = request.Client.AccessTokenLifetime, RefreshToken = handle }); }
public async Task <bool> AreScopesValidAsync(IEnumerable <string> requestedScopes) { var availableScopes = await _store.FindScopesAsync(requestedScopes); foreach (var requestedScope in requestedScopes) { var scopeDetail = availableScopes.FirstOrDefault(s => s.Name == requestedScope); if (scopeDetail == null) { Logger.ErrorFormat("Invalid scope: {0}", requestedScope); return(false); } if (scopeDetail.Enabled == false) { Logger.ErrorFormat("Scope disabled: {0}", requestedScope); return(false); } if (scopeDetail.Type == ScopeType.Identity) { ContainsOpenIdScopes = true; } else { ContainsResourceScopes = true; } GrantedScopes.Add(scopeDetail); } if (requestedScopes.Contains(Constants.StandardScopes.OfflineAccess)) { ContainsOfflineAccessScope = true; } RequestedScopes.AddRange(GrantedScopes); return(true); }
private async Task <TokenResponse> ProcessRefreshTokenRequestAsync(ValidatedTokenRequest request) { _logger.LogVerbose("Processing refresh token request"); var oldAccessToken = request.RefreshToken.AccessToken; string accessTokenString; if (request.Client.UpdateAccessTokenClaimsOnRefresh) { var subject = request.RefreshToken.GetOriginalSubject(); var creationRequest = new TokenCreationRequest { Client = request.Client, Subject = subject, ValidatedRequest = request, Scopes = await _scopes.FindScopesAsync(oldAccessToken.Scopes) }; var newAccessToken = await _tokenService.CreateAccessTokenAsync(creationRequest); accessTokenString = await _tokenService.CreateSecurityTokenAsync(newAccessToken); } else { oldAccessToken.CreationTime = DateTimeOffsetHelper.UtcNow; oldAccessToken.Lifetime = request.Client.AccessTokenLifetime; accessTokenString = await _tokenService.CreateSecurityTokenAsync(oldAccessToken); } var handle = await _refreshTokenService.UpdateRefreshTokenAsync(request.RefreshTokenHandle, request.RefreshToken, request.Client); return(new TokenResponse { AccessToken = accessTokenString, AccessTokenLifetime = request.Client.AccessTokenLifetime, RefreshToken = handle }); }
public static AuthorizationCode ToAuthorizationCode(this AuthorizationCodeHandle handle, IClientStore clientStore, IScopeStore scopeStore) { var claimsPrincipal = new ClaimsPrincipal(); claimsPrincipal.AddIdentities(handle.ClaimIdentityRecords.ToClaimsIdentitys()); var result = new AuthorizationCode() { Subject = claimsPrincipal, Client = clientStore.FindClientByIdAsync(handle.ClientId).Result, RequestedScopes = scopeStore.FindScopesAsync(handle.RequestedScopes).Result, CreationTime = handle.CreationTime, IsOpenId = handle.IsOpenId, RedirectUri = handle.RedirectUri, WasConsentShown = handle.WasConsentShown, Nonce = handle.Nonce }; return(result); }
public async Task <RequestedClaimTypes> GetRequestedClaimTypesAsync(IEnumerable <string> scopes) { if (scopes == null || !scopes.Any()) { return(new RequestedClaimTypes()); } var scopeString = string.Join(" ", scopes); _logger.LogInformation("Scopes in access token: {scopes}", scopeString); var scopeDetails = await _scopes.FindScopesAsync(scopes); var scopeClaims = new List <string>(); foreach (var scope in scopes) { var scopeDetail = scopeDetails.FirstOrDefault(s => s.Name == scope); if (scopeDetail != null) { if (scopeDetail.Type == ScopeType.Identity) { if (scopeDetail.IncludeAllClaimsForUser) { return(new RequestedClaimTypes { IncludeAllClaims = true }); } scopeClaims.AddRange(scopeDetail.Claims.Select(c => c.Name)); } } } return(new RequestedClaimTypes(scopeClaims)); }
public async Task <ScopeSecretValidationResult> ValidateAsync() { Logger.Debug("Start scope validation"); var fail = new ScopeSecretValidationResult { IsError = true }; // see if a registered parser finds a secret on the request ParsedSecret parsedSecret = null; foreach (var parser in _parsers) { parsedSecret = await parser.ParseAsync(_environment.Environment); if (parsedSecret != null) { Logger.DebugFormat("Parser found scope secret: {0}", parser.GetType().Name); Logger.InfoFormat("Scope name found: {0}", parsedSecret.Id); break; } } if (parsedSecret == null) { await RaiseFailureEvent("unknown", "No client id or secret found"); Logger.Info("No scope secret found"); return(fail); } // load scope var scope = (await _scopes.FindScopesAsync(new[] { parsedSecret.Id })).FirstOrDefault(); if (scope == null) { await RaiseFailureEvent(parsedSecret.Id, "Unknown client"); Logger.Info("No scope with that name found. aborting"); return(fail); } // see if a registered validator can validate the secret foreach (var validator in _validators) { var secretValidationResult = await validator.ValidateAsync(scope.ScopeSecrets, parsedSecret); if (secretValidationResult.Success) { Logger.DebugFormat("Secret validator success: {0}", validator.GetType().Name); Logger.Info("Scope validation success"); var success = new ScopeSecretValidationResult { IsError = false, Scope = scope }; await RaiseSuccessEvent(scope.Name); return(success); } } await RaiseFailureEvent(scope.Name, "Invalid client secret"); Logger.Info("Scope validation failed."); return(fail); }
public async Task ScopeIsRemoved() { Assert.NotEmpty(await _scopeStore.FindScopesAsync(new[] { ScopeName })); _ps.Invoke(); Assert.Empty(await _scopeStore.FindScopesAsync(new[] { ScopeName })); }
public static async Task <IEnumerable <Scope> > FindEnabledScopesAsync(this IScopeStore store, IEnumerable <string> scopeNames) { var scopes = await store.FindScopesAsync(scopeNames); return(scopes.Where(s => s.Enabled == true).ToArray()); }
/// <summary> /// Gets all scopes. /// </summary> /// <param name="scopeNames"></param> /// <returns> /// List of scopes /// </returns> public async Task <IEnumerable <Scope> > FindScopesAsync(IEnumerable <string> scopeNames) { var key = GetKey(scopeNames); return(await cache.GetAsync(key, async() => await inner.FindScopesAsync(scopeNames))); }
private static async Task<AuthorizationCode> Version1( BsonDocument doc, IClientStore clientStore, IScopeStore scopeStore) { var code = new AuthorizationCode(); code.CreationTime = doc.GetValueOrDefault("creationTime", code.CreationTime); code.IsOpenId = doc.GetValueOrDefault("isOpenId", code.IsOpenId); code.RedirectUri = doc.GetValueOrDefault("redirectUri", code.RedirectUri); code.WasConsentShown = doc.GetValueOrDefault("wasConsentShown", code.WasConsentShown); code.Nonce = doc.GetValueOrDefault("nonce", code.Nonce); var claimsPrincipal = new ClaimsPrincipal(); IEnumerable<ClaimsIdentity> identities = doc.GetValueOrDefault("subject", sub => { string authenticationType = sub.GetValueOrDefault("authenticationType", (string)null); var claims = sub.GetNestedValueOrDefault("claimSet", ClaimSetSerializer.Deserialize, new Claim[] { }); ClaimsIdentity identity = authenticationType == null ? new ClaimsIdentity(claims) : new ClaimsIdentity(claims, authenticationType); return identity; }, new ClaimsIdentity[] { }); claimsPrincipal.AddIdentities(identities); code.Subject = claimsPrincipal; var clientId = doc["_clientId"].AsString; code.Client = await clientStore.FindClientByIdAsync(clientId); if (code.Client == null) { throw new InvalidOperationException("Client not found when deserializing authorization code. Client id: " + clientId); } var scopes = doc.GetValueOrDefault( "requestedScopes", (IEnumerable<string>)new string[] { }).ToArray(); code.RequestedScopes = await scopeStore.FindScopesAsync(scopes); if (scopes.Count() > code.RequestedScopes.Count()) { throw new InvalidOperationException("Scopes not found when deserializing authorization code. Scopes: " + string.Join(", ",scopes.Except(code.RequestedScopes.Select(x=>x.Name)))); } return code; }