private async Task <TokenResponse> ProcessRefreshTokenRequestAsync(ValidatedTokenRequest request)
{
Logger.Info("Processing refresh token request");
var oldAccessToken = request.RefreshToken.AccessToken;
string accessTokenString;
// if pop request, claims must be updated because we need a fresh proof token
if (request.Client.UpdateAccessTokenClaimsOnRefresh || request.RequestedTokenType == RequestedTokenTypes.PoP)
{
var subject = request.RefreshToken.GetOriginalSubject();
var creationRequest = new TokenCreationRequest
{
Client = request.Client,
Subject = subject,
ValidatedRequest = request,
Scopes = await _scopes.FindScopesAsync(oldAccessToken.Scopes),
};
// if pop request, embed proof token
if (request.RequestedTokenType == RequestedTokenTypes.PoP)
{
creationRequest.ProofKey = GetProofKey(request);
}
var newAccessToken = await _tokenService.CreateAccessTokenAsync(creationRequest);
accessTokenString = await _tokenService.CreateSecurityTokenAsync(newAccessToken);
}
else
{
var copy = new Token(oldAccessToken);
copy.CreationTime = DateTimeOffsetHelper.UtcNow;
copy.Lifetime = request.Client.AccessTokenLifetime;
accessTokenString = await _tokenService.CreateSecurityTokenAsync(copy);
}
var handle = await _refreshTokenService.UpdateRefreshTokenAsync(request.RefreshTokenHandle, request.RefreshToken, request.Client);
var response = new TokenResponse
{
AccessToken = accessTokenString,
AccessTokenLifetime = request.Client.AccessTokenLifetime,
RefreshToken = handle
};
if (request.RequestedTokenType == RequestedTokenTypes.PoP)
{
response.TokenType = Constants.ResponseTokenTypes.PoP;
response.Algorithm = request.ProofKeyAlgorithm;
}
response.IdentityToken = await CreateIdTokenFromRefreshTokenRequestAsync(request, accessTokenString);
return(response);
}
public async Task ShouldContainRequestedScopeNames()
{
await _setup;
var result = (await _scopeStore.FindScopesAsync(_evenScopeNames)).ToArray();
foreach (var evenScopeName in _evenScopeNames)
{
Assert.Contains(evenScopeName, result.Select(x => x.Name));
}
}
public async Task <global::IdentityServer3.Core.Models.AuthorizationCode> MakeAuthorizationCodeAsync(IClientStore clientStore, IScopeStore scopeStore)
{
AuthorizationCode result;
try
{
var client = clientStore.FindClientByIdAsync(this.ClientId).Result;
var requestedScopes = scopeStore.FindScopesAsync(DeserializeScopes(RequestedScopes)).Result;
var subject = DeserializeSubject(ClaimIdentityRecords);
result = new AuthorizationCode()
{
Client = client,
CreationTime = CreationTime,
IsOpenId = IsOpenId,
RedirectUri = RedirectUri,
WasConsentShown = WasConsentShown,
Nonce = Nonce,
RequestedScopes = requestedScopes,
Subject = subject
};
}
catch (Exception e)
{
result = null;
}
return(await Task.FromResult(result));
}
public override object ReadJson(JsonReader reader, Type objectType, object existingValue, JsonSerializer serializer)
{
var source = serializer.Deserialize <ScopeLite>(reader);
var scopes = AsyncHelper.RunSync(async() => await scopeStore.FindScopesAsync(new string[] { source.Name }));
return(scopes.Single());
}
internal static async Task<AuthorizationCode> FromDbFormat(StoredAuthorizationCode code, IAsyncDocumentSession s, IScopeStore scopeStore)
{
var result = new AuthorizationCode
{
CreationTime = code.CreationTime,
IsOpenId = code.IsOpenId,
RedirectUri = code.RedirectUri,
WasConsentShown = code.WasConsentShown,
Nonce = code.Nonce,
Client = Data.StoredClient.FromDbFormat(await s.LoadAsync<Data.StoredClient>("clients/" + code.Client)),
CodeChallenge = code.CodeChallenge,
CodeChallengeMethod = code.CodeChallengeMethod,
SessionId = code.SessionId,
RequestedScopes = await scopeStore.FindScopesAsync(code.RequestedScopes)
};
var claimsPrinciple = new ClaimsPrincipal();
foreach (var id in code.Subject)
{
claimsPrinciple.AddIdentity(Data.StoredIdentity.FromDbFormat(id));
}
result.Subject = claimsPrinciple;
return result;
}
async Task <ConsentViewModel> BuildViewModelAsync(string returnUrl, ConsentInputModel model = null)
{
var request = await _interaction.GetAuthorizationContextAsync(returnUrl);
if (request != null)
{
var client = await _clientStore.FindClientByIdAsync(request.ClientId);
if (client != null)
{
var scopes = await _scopeStore.FindScopesAsync(request.ScopesRequested);
if (scopes != null && scopes.Any())
{
return(new ConsentViewModel(model, returnUrl, request, client, scopes));
}
else
{
_logger.LogError("No scopes matching: {0}", request.ScopesRequested.Aggregate((x, y) => x + ", " + y));
}
}
else
{
_logger.LogError("Invalid client id: {0}", request.ClientId);
}
}
else
{
_logger.LogError("No consent request matching request: {0}", returnUrl);
}
return(null);
}
public async Task <IEnumerable <string> > GetRequestedClaimTypesAsync(IEnumerable <string> scopes)
{
if (scopes == null || !scopes.Any())
{
return(Enumerable.Empty <string>());
}
var scopeString = string.Join(" ", scopes);
Logger.InfoFormat("Scopes in access token: {0}", scopeString);
var scopeDetails = await _scopes.FindScopesAsync(scopes);
var scopeClaims = new List <string>();
foreach (var scope in scopes)
{
var scopeDetail = scopeDetails.FirstOrDefault(s => s.Name == scope);
if (scopeDetail != null)
{
if (scopeDetail.Type == ScopeType.Identity)
{
scopeClaims.AddRange(scopeDetail.Claims.Select(c => c.Name));
}
}
}
return(scopeClaims);
}
public override object ReadJson(JsonReader reader, Type objectType, object existingValue, JsonSerializer serializer)
{
var source = serializer.Deserialize <ScopeModel>(reader);
var scopes = _scopeStore.FindScopesAsync(new[] { source.Name }).GetAwaiter().GetResult();
return(scopes.Single());
}
public override object ReadJson(JsonReader reader, Type objectType, object existingValue, JsonSerializer serializer)
{
var source = serializer.Deserialize <ScopeLite>(reader);
var factory = new TaskFactory(CancellationToken.None, TaskCreationOptions.None, TaskContinuationOptions.None, TaskScheduler.Default);
return(factory.StartNew(async() => await _scopeStore.FindScopesAsync(new[] { source.Name }))
.Unwrap()
.GetAwaiter()
.GetResult()
.Single());
}
public async Task <IEnumerable <Scope> > FindScopesAsync(IEnumerable <string> scopeNames)
{
var key = GetKey(scopeNames);
var scopes = await _cache.GetAsync(key,
_options.CachingOptions.ScopeStoreExpiration,
() => _inner.FindScopesAsync(scopeNames),
_logger);
return(scopes);
}
public async Task <ScopeSecretValidationResult> ValidateAsync(HttpContext context)
{
_logger.LogTrace("Start scope validation");
var fail = new ScopeSecretValidationResult
{
IsError = true
};
var parsedSecret = await _parser.ParseAsync(context);
if (parsedSecret == null)
{
await RaiseFailureEvent("unknown", "No scope id or secret found");
_logger.LogInformation("No scope secret found");
return(fail);
}
// load scope
var scope = (await _scopes.FindScopesAsync(new[] { parsedSecret.Id })).FirstOrDefault();
if (scope == null)
{
await RaiseFailureEvent(parsedSecret.Id, "Unknown scope");
_logger.LogInformation("No scope with that name found. aborting");
return(fail);
}
var result = await _validator.ValidateAsync(parsedSecret, scope.ScopeSecrets);
if (result.Success)
{
_logger.LogInformation("Scope validation success");
var success = new ScopeSecretValidationResult
{
IsError = false,
Scope = scope
};
await RaiseSuccessEvent(scope.Name);
return(success);
}
await RaiseFailureEvent(scope.Name, "Invalid client secret");
_logger.LogInformation("Scope validation failed.");
return(fail);
}
/// <summary>
/// Gets the client permissions asynchronous.
/// </summary>
/// <param name="subject">The subject identifier.</param>
/// <returns>
/// A list of client permissions
/// </returns>
/// <exception cref="System.ArgumentNullException">subject</exception>
public virtual async Task <IEnumerable <ClientPermission> > GetClientPermissionsAsync(string subject)
{
if (String.IsNullOrWhiteSpace(subject))
{
throw new ArgumentNullException("subject");
}
var consents = await this.permissionsStore.LoadAllAsync(subject);
var scopesNeeded = consents.Select(x => x.Scopes).SelectMany(x => x).Distinct();
var scopes = await scopeStore.FindScopesAsync(scopesNeeded);
var list = new List <ClientPermission>();
foreach (var consent in consents)
{
var client = await clientStore.FindClientByIdAsync(consent.ClientId);
if (client != null)
{
var identityScopes =
from s in scopes
where s.Type == ScopeType.Identity && consent.Scopes.Contains(s.Name)
select new ClientPermissionDescription
{
DisplayName = s.DisplayName ?? localizationService.GetScopeDisplayName(s.Name),
Description = s.Description ?? localizationService.GetScopeDescription(s.Name)
};
var resourceScopes =
from s in scopes
where s.Type == ScopeType.Resource && consent.Scopes.Contains(s.Name)
select new ClientPermissionDescription
{
DisplayName = s.DisplayName ?? localizationService.GetScopeDisplayName(s.Name),
Description = s.Description ?? localizationService.GetScopeDescription(s.Name)
};
list.Add(new ClientPermission
{
ClientId = client.ClientId,
ClientName = client.ClientName,
ClientUrl = client.ClientUri,
ClientLogoUrl = client.LogoUri,
IdentityPermissions = identityScopes,
ResourcePermissions = resourceScopes
});
}
}
return(list);
}
public virtual AuthorizationCode Read(BinaryReader reader)
{
if (reader == null)
{
throw new ArgumentNullException(nameof(reader));
}
var code = new AuthorizationCode {
IsOpenId = reader.ReadBoolean(),
RedirectUri = reader.ReadString(),
Nonce = reader.ReadString(),
WasConsentShown = reader.ReadBoolean(),
SessionId = reader.ReadString(),
CreationTime = DateTimeOffset.FromUnixTimeMilliseconds(reader.ReadInt64()),
};
// get the client
var clientId = reader.ReadString();
code.Client = _clientStore.FindClientByIdAsync(clientId).Result;
// Read the number of identities stored
// in the serialized payload.
var count = reader.ReadInt32();
if (count > 0)
{
var identities = new ClaimsIdentity[count];
for (var index = 0; index != count; ++index)
{
identities[index] = ReadIdentity(reader);
}
code.Subject = new ClaimsPrincipal(identities);
}
var scopeCount = reader.ReadInt32();
if (scopeCount > 0)
{
var scopeNames = new List <string>(scopeCount);
for (var index = 0; index != scopeCount; ++index)
{
scopeNames.Add(reader.ReadString());
}
code.RequestedScopes = _scopeStore.FindScopesAsync(scopeNames).Result;
}
return(code);
}
public override object ReadJson(JsonReader reader, Type objectType, object existingValue, JsonSerializer serializer)
{
if (objectType == typeof(Scope))
{
var scopeName = serializer.Deserialize <string>(reader);
var scope = scopeStore.FindScopesAsync(new[] { scopeName }).Result.Single();
return(scope);
}
else
{
var scopeNames = serializer.Deserialize <IEnumerable <string> >(reader);
var scopes = scopeStore.FindScopesAsync(scopeNames).Result;
if (objectType == typeof(List <Scope>))
{
return(scopes.ToList());
}
else if (objectType == typeof(Scope[]))
{
return(scopes.ToArray());
}
return(scopes);
}
}
/// <summary>Find Scopes by Name</summary>
/// <param name="scopeNames">Scope Names</param>
/// <returns>Scope objects</returns>
public async Task <IEnumerable <Scope> > FindScopesAsync(IEnumerable <string> scopeNames)
{
if (scopeNames == null)
{
return(new List <Scope>());
}
var names = scopeNames.ToList();
if (names.Count == 0)
{
return(new List <Scope>());
}
var scopeResult = await scopeStore.FindScopesAsync(names).ConfigureAwait(false);
if (scopeResult == null)
{
return(new List <Scope>());
}
var scopes = scopeResult.ToList();
if (scopes.Count == 0)
{
return(new List <Scope>());
}
foreach (var scope in scopes)
{
// Ignore standard scopes
if (StandardScopes.All.Any(x => x.Name == scope.Name))
{
continue;
}
if (StandardScopes.OfflineAccess.Name == scope.Name)
{
continue;
}
var scopeSecrets = await secretStore.GetSecrets(scope.Name).ConfigureAwait(false);
scope.ScopeSecrets = scopeSecrets.Select(x => new Secret(x)
{
Type = Constants.VaultSharedSecretType
}).ToList();
}
return(scopes);
}
private static async Task <AuthorizationCode> Version1(
BsonDocument doc,
IClientStore clientStore,
IScopeStore scopeStore)
{
var code = new AuthorizationCode();
code.CreationTime = doc.GetValueOrDefault("creationTime", code.CreationTime);
code.IsOpenId = doc.GetValueOrDefault("isOpenId", code.IsOpenId);
code.RedirectUri = doc.GetValueOrDefault("redirectUri", code.RedirectUri);
code.WasConsentShown = doc.GetValueOrDefault("wasConsentShown", code.WasConsentShown);
code.Nonce = doc.GetValueOrDefault("nonce", code.Nonce);
var claimsPrincipal = new ClaimsPrincipal();
IEnumerable <ClaimsIdentity> identities = doc.GetValueOrDefault("subject", sub =>
{
string authenticationType = sub.GetValueOrDefault("authenticationType", (string)null);
var claims = sub.GetNestedValueOrDefault("claimSet", ClaimSetSerializer.Deserialize, new Claim[] { });
ClaimsIdentity identity = authenticationType == null
? new ClaimsIdentity(claims)
: new ClaimsIdentity(claims, authenticationType);
return(identity);
}, new ClaimsIdentity[] { });
claimsPrincipal.AddIdentities(identities);
code.Subject = claimsPrincipal;
var clientId = doc["_clientId"].AsString;
code.Client = await clientStore.FindClientByIdAsync(clientId);
if (code.Client == null)
{
throw new InvalidOperationException("Client not found when deserializing authorization code. Client id: " + clientId);
}
var scopes = doc.GetValueOrDefault(
"requestedScopes",
(IEnumerable <string>) new string[] { }).ToArray();
code.RequestedScopes = await scopeStore.FindScopesAsync(scopes);
if (scopes.Count() > code.RequestedScopes.Count())
{
throw new InvalidOperationException("Scopes not found when deserializing authorization code. Scopes: " + string.Join(", ", scopes.Except(code.RequestedScopes.Select(x => x.Name))));
}
return(code);
}
async Task <ConsentViewModel> BuildViewModelAsync(string id, ConsentInputModel model = null)
{
if (id != null)
{
var request = await consentInteraction.GetRequestAsync(id);
if (request != null)
{
var client = await clientStore.FindClientByIdAsync(request.ClientId);
if (client != null)
{
var scopes = await scopeStore.FindScopesAsync(request.ScopesRequested);
var scopesArray = scopes as Scope[] ?? scopes.ToArray();
if (scopes != null && scopesArray.Any())
{
return(new ConsentViewModel(model, id, request, client, scopesArray, localization));
}
else
{
logger.LogError("No scopes matching: {0}", request.ScopesRequested.Aggregate((x, y) => x + ", " + y));
}
}
else
{
logger.LogError("Invalid client id: {0}", request.ClientId);
}
}
else
{
logger.LogError("No consent request matching id: {0}", id);
}
}
else
{
logger.LogError("No id passed");
}
return(null);
}
private async Task <TokenResponse> ProcessRefreshTokenRequestAsync(ValidatedTokenRequest request)
{
Logger.Info("Processing refresh token request");
var oldAccessToken = request.RefreshToken.AccessToken;
string accessTokenString;
if (request.Client.UpdateAccessTokenClaimsOnRefresh)
{
// re-create original subject
var subject = IdentityServerPrincipal.FromClaims(oldAccessToken.Claims, allowMissing: true);
var creationRequest = new TokenCreationRequest
{
Client = request.Client,
Subject = subject,
ValidatedRequest = request,
Scopes = await _scopes.FindScopesAsync(oldAccessToken.Scopes)
};
var newAccessToken = await _tokenService.CreateAccessTokenAsync(creationRequest);
accessTokenString = await _tokenService.CreateSecurityTokenAsync(newAccessToken);
}
else
{
oldAccessToken.CreationTime = DateTimeOffsetHelper.UtcNow;
oldAccessToken.Lifetime = request.Client.AccessTokenLifetime;
accessTokenString = await _tokenService.CreateSecurityTokenAsync(oldAccessToken);
}
var handle = await _refreshTokenService.UpdateRefreshTokenAsync(request.RefreshTokenHandle, request.RefreshToken, request.Client);
return(new TokenResponse
{
AccessToken = accessTokenString,
AccessTokenLifetime = request.Client.AccessTokenLifetime,
RefreshToken = handle
});
}
public async Task <bool> AreScopesValidAsync(IEnumerable <string> requestedScopes)
{
var availableScopes = await _store.FindScopesAsync(requestedScopes);
foreach (var requestedScope in requestedScopes)
{
var scopeDetail = availableScopes.FirstOrDefault(s => s.Name == requestedScope);
if (scopeDetail == null)
{
Logger.ErrorFormat("Invalid scope: {0}", requestedScope);
return(false);
}
if (scopeDetail.Enabled == false)
{
Logger.ErrorFormat("Scope disabled: {0}", requestedScope);
return(false);
}
if (scopeDetail.Type == ScopeType.Identity)
{
ContainsOpenIdScopes = true;
}
else
{
ContainsResourceScopes = true;
}
GrantedScopes.Add(scopeDetail);
}
if (requestedScopes.Contains(Constants.StandardScopes.OfflineAccess))
{
ContainsOfflineAccessScope = true;
}
RequestedScopes.AddRange(GrantedScopes);
return(true);
}
private async Task <TokenResponse> ProcessRefreshTokenRequestAsync(ValidatedTokenRequest request)
{
_logger.LogVerbose("Processing refresh token request");
var oldAccessToken = request.RefreshToken.AccessToken;
string accessTokenString;
if (request.Client.UpdateAccessTokenClaimsOnRefresh)
{
var subject = request.RefreshToken.GetOriginalSubject();
var creationRequest = new TokenCreationRequest
{
Client = request.Client,
Subject = subject,
ValidatedRequest = request,
Scopes = await _scopes.FindScopesAsync(oldAccessToken.Scopes)
};
var newAccessToken = await _tokenService.CreateAccessTokenAsync(creationRequest);
accessTokenString = await _tokenService.CreateSecurityTokenAsync(newAccessToken);
}
else
{
oldAccessToken.CreationTime = DateTimeOffsetHelper.UtcNow;
oldAccessToken.Lifetime = request.Client.AccessTokenLifetime;
accessTokenString = await _tokenService.CreateSecurityTokenAsync(oldAccessToken);
}
var handle = await _refreshTokenService.UpdateRefreshTokenAsync(request.RefreshTokenHandle, request.RefreshToken, request.Client);
return(new TokenResponse
{
AccessToken = accessTokenString,
AccessTokenLifetime = request.Client.AccessTokenLifetime,
RefreshToken = handle
});
}
public static AuthorizationCode ToAuthorizationCode(this AuthorizationCodeHandle handle,
IClientStore clientStore,
IScopeStore scopeStore)
{
var claimsPrincipal = new ClaimsPrincipal();
claimsPrincipal.AddIdentities(handle.ClaimIdentityRecords.ToClaimsIdentitys());
var result = new AuthorizationCode()
{
Subject = claimsPrincipal,
Client = clientStore.FindClientByIdAsync(handle.ClientId).Result,
RequestedScopes = scopeStore.FindScopesAsync(handle.RequestedScopes).Result,
CreationTime = handle.CreationTime,
IsOpenId = handle.IsOpenId,
RedirectUri = handle.RedirectUri,
WasConsentShown = handle.WasConsentShown,
Nonce = handle.Nonce
};
return(result);
}
public async Task <RequestedClaimTypes> GetRequestedClaimTypesAsync(IEnumerable <string> scopes)
{
if (scopes == null || !scopes.Any())
{
return(new RequestedClaimTypes());
}
var scopeString = string.Join(" ", scopes);
_logger.LogInformation("Scopes in access token: {scopes}", scopeString);
var scopeDetails = await _scopes.FindScopesAsync(scopes);
var scopeClaims = new List <string>();
foreach (var scope in scopes)
{
var scopeDetail = scopeDetails.FirstOrDefault(s => s.Name == scope);
if (scopeDetail != null)
{
if (scopeDetail.Type == ScopeType.Identity)
{
if (scopeDetail.IncludeAllClaimsForUser)
{
return(new RequestedClaimTypes
{
IncludeAllClaims = true
});
}
scopeClaims.AddRange(scopeDetail.Claims.Select(c => c.Name));
}
}
}
return(new RequestedClaimTypes(scopeClaims));
}
public async Task <ScopeSecretValidationResult> ValidateAsync()
{
Logger.Debug("Start scope validation");
var fail = new ScopeSecretValidationResult
{
IsError = true
};
// see if a registered parser finds a secret on the request
ParsedSecret parsedSecret = null;
foreach (var parser in _parsers)
{
parsedSecret = await parser.ParseAsync(_environment.Environment);
if (parsedSecret != null)
{
Logger.DebugFormat("Parser found scope secret: {0}", parser.GetType().Name);
Logger.InfoFormat("Scope name found: {0}", parsedSecret.Id);
break;
}
}
if (parsedSecret == null)
{
await RaiseFailureEvent("unknown", "No client id or secret found");
Logger.Info("No scope secret found");
return(fail);
}
// load scope
var scope = (await _scopes.FindScopesAsync(new[] { parsedSecret.Id })).FirstOrDefault();
if (scope == null)
{
await RaiseFailureEvent(parsedSecret.Id, "Unknown client");
Logger.Info("No scope with that name found. aborting");
return(fail);
}
// see if a registered validator can validate the secret
foreach (var validator in _validators)
{
var secretValidationResult = await validator.ValidateAsync(scope.ScopeSecrets, parsedSecret);
if (secretValidationResult.Success)
{
Logger.DebugFormat("Secret validator success: {0}", validator.GetType().Name);
Logger.Info("Scope validation success");
var success = new ScopeSecretValidationResult
{
IsError = false,
Scope = scope
};
await RaiseSuccessEvent(scope.Name);
return(success);
}
}
await RaiseFailureEvent(scope.Name, "Invalid client secret");
Logger.Info("Scope validation failed.");
return(fail);
}
public async Task ScopeIsRemoved()
{
Assert.NotEmpty(await _scopeStore.FindScopesAsync(new[] { ScopeName }));
_ps.Invoke();
Assert.Empty(await _scopeStore.FindScopesAsync(new[] { ScopeName }));
}
public static async Task <IEnumerable <Scope> > FindEnabledScopesAsync(this IScopeStore store, IEnumerable <string> scopeNames)
{
var scopes = await store.FindScopesAsync(scopeNames);
return(scopes.Where(s => s.Enabled == true).ToArray());
}
/// <summary>
/// Gets all scopes.
/// </summary>
/// <param name="scopeNames"></param>
/// <returns>
/// List of scopes
/// </returns>
public async Task <IEnumerable <Scope> > FindScopesAsync(IEnumerable <string> scopeNames)
{
var key = GetKey(scopeNames);
return(await cache.GetAsync(key, async() => await inner.FindScopesAsync(scopeNames)));
}
private static async Task<AuthorizationCode> Version1(
BsonDocument doc,
IClientStore clientStore,
IScopeStore scopeStore)
{
var code = new AuthorizationCode();
code.CreationTime = doc.GetValueOrDefault("creationTime", code.CreationTime);
code.IsOpenId = doc.GetValueOrDefault("isOpenId", code.IsOpenId);
code.RedirectUri = doc.GetValueOrDefault("redirectUri", code.RedirectUri);
code.WasConsentShown = doc.GetValueOrDefault("wasConsentShown", code.WasConsentShown);
code.Nonce = doc.GetValueOrDefault("nonce", code.Nonce);
var claimsPrincipal = new ClaimsPrincipal();
IEnumerable<ClaimsIdentity> identities = doc.GetValueOrDefault("subject", sub =>
{
string authenticationType = sub.GetValueOrDefault("authenticationType", (string)null);
var claims = sub.GetNestedValueOrDefault("claimSet", ClaimSetSerializer.Deserialize, new Claim[] { });
ClaimsIdentity identity = authenticationType == null
? new ClaimsIdentity(claims)
: new ClaimsIdentity(claims, authenticationType);
return identity;
}, new ClaimsIdentity[] { });
claimsPrincipal.AddIdentities(identities);
code.Subject = claimsPrincipal;
var clientId = doc["_clientId"].AsString;
code.Client = await clientStore.FindClientByIdAsync(clientId);
if (code.Client == null)
{
throw new InvalidOperationException("Client not found when deserializing authorization code. Client id: " + clientId);
}
var scopes = doc.GetValueOrDefault(
"requestedScopes",
(IEnumerable<string>)new string[] { }).ToArray();
code.RequestedScopes = await scopeStore.FindScopesAsync(scopes);
if (scopes.Count() > code.RequestedScopes.Count())
{
throw new InvalidOperationException("Scopes not found when deserializing authorization code. Scopes: " + string.Join(", ",scopes.Except(code.RequestedScopes.Select(x=>x.Name))));
}
return code;
}