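/// <summary>
/// Authenticates the request by introspecting its bearer token against
/// <c>Options.IntrospectionUrl</c> and, when the token is active, building a
/// <see cref="ClaimsPrincipal"/> from the introspection response.
/// </summary>
/// <returns>
/// <c>AuthenticateResult.Fail</c> when no bearer token is present, the token is not
/// active, or the response lacks the identifiers the claims are built from; otherwise a
/// success ticket for <c>ODPAuthenticationDefaults.AuthenticationScheme</c>. A response
/// without an <c>ext</c> block yields client-id and access-token claims only; a response
/// with one additionally yields NameIdentifier, Email, one Role claim per
/// <c>ext.access_rights[].role_name</c>, and the admin marker claim when one of those
/// roles is exactly <c>admin</c> or <c>Admin</c>.
/// </returns>
/// <exception cref="HttpRequestException">
/// The introspection endpoint answered with a non-success status. This is deliberately
/// not mapped to a Fail result: an introspection outage must surface as an error rather
/// than look like an ordinary unauthenticated request.
/// </exception>
/// <remarks>
/// Security notes for maintainers:
/// the raw token is never written to the log (it was previously logged at Debug, in the
/// "invalid token" error, and indirectly via the claims dump); the introspection body is
/// logged at Debug only because for user tokens it carries the subject's email and
/// access rights; the token is still stored verbatim in the AccessToken/IdToken claims,
/// so anything that serializes the principal (e.g. a cookie or a log sink) must treat it
/// as a secret.
/// </remarks>
protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
{
    using (SAEONLogs.MethodCall(GetType()))
    {
        try
        {
            SAEONLogs.Debug("IntrospectionUrl: {IntrospectionUrl}", Options.IntrospectionUrl);
            var token = Request.GetBearerToken();
            if (string.IsNullOrWhiteSpace(token))
            {
                SAEONLogs.Error("ODPAuthorization Failed, no token");
                return AuthenticateResult.Fail("No token");
            }
            // Do not log the bearer token itself: logs are usually shipped to systems with
            // weaker access control than the token. Its length is enough to diagnose
            // empty/truncated header problems.
            SAEONLogs.Debug("Token length: {TokenLength}", token.Length);

            // NOTE(review): a new HttpClient per request can exhaust sockets under load.
            // An injected IHttpClientFactory (or a shared client with a per-request
            // Authorization header, not DefaultRequestHeaders) would be preferable, but the
            // handler's constructor and DI wiring are outside this method.
            // NOTE(review): the introspection call authenticates with the very token being
            // introspected. RFC 7662 expects the endpoint to be protected by a client
            // credential instead; confirm that this is what the ODP endpoint requires.
            // Options.IntrospectionUrl must be an https URL — the token travels in the body.
            JObject jObj;
            using (var client = new HttpClient())
            {
                client.SetBearerToken(token);
                client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue(MediaTypeNames.Application.Json));
                using (var formContent = new FormUrlEncodedContent(new[] { new KeyValuePair<string, string>("token", token) }))
                {
                    // Abort the outbound call if the client disconnects mid-request.
                    var response = await client
                        .PostAsync(new Uri(Options.IntrospectionUrl), formContent, Context.RequestAborted)
                        .ConfigureAwait(false);
                    if (!response.IsSuccessStatusCode)
                    {
                        SAEONLogs.Error("HttpError: {StatusCode} {Reason}", response.StatusCode, response.ReasonPhrase);
                        SAEONLogs.Error("Response: {Response}", await response.Content.ReadAsStringAsync().ConfigureAwait(false));
                    }
                    // Throws HttpRequestException on non-success; logged and rethrown below.
                    response.EnsureSuccessStatusCode();
                    var json = await response.Content.ReadAsStringAsync().ConfigureAwait(false);
                    // Debug rather than Information: for user tokens the body contains PII.
                    SAEONLogs.Debug("Response: {Response}", json);
                    jObj = JObject.Parse(json);
                }
            }

            if (!jObj.Value<bool>("active"))
            {
                SAEONLogs.Error("ODPAuthorization, invalid token");
                return AuthenticateResult.Fail("Invalid token");
            }

            // new Claim(type, null) throws ArgumentNullException, which would turn a
            // malformed introspection response into a 500 instead of an auth failure.
            var clientId = jObj.Value<string>("client_id");
            if (string.IsNullOrWhiteSpace(clientId))
            {
                SAEONLogs.Error("ODPAuthorization, introspection response has no client_id");
                return AuthenticateResult.Fail("Invalid token");
            }

            var ext = jObj["ext"];
            if (ext is null)
            {
                // No "ext" block: the original treats this as a client (access) token with
                // no user subject.
                var clientClaims = new List<Claim>
                {
                    new Claim(ODPAuthenticationDefaults.ClientIdClaim, clientId),
                    new Claim(ODPAuthenticationDefaults.AccessTokenClaim, token)
                };
                SAEONLogs.Debug("ODPAuthentication access token succeeded Claims: {@Claims}", LoggableClaims(clientClaims));
                return AuthenticateResult.Success(CreateTicket(clientClaims));
            }

            var userId = ext.Value<string>("user_id");
            var userEmail = ext.Value<string>("email");
            if (string.IsNullOrWhiteSpace(userId))
            {
                SAEONLogs.Error("ODPAuthorization, introspection response has no user_id");
                return AuthenticateResult.Fail("Invalid token");
            }

            // Materialized once (the previous deferred query was enumerated three times).
            // A missing access_rights block means "no roles" rather than a null-reference
            // crash, and null/blank role names are dropped because Claim rejects them.
            var accessRights = ext["access_rights"];
            var userRoles = accessRights is null
                ? new List<string>()
                : accessRights.Select(r => (string)r["role_name"])
                              .Where(r => !string.IsNullOrWhiteSpace(r))
                              .ToList();
            SAEONLogs.Debug("User Id: {Id} Email: {Email}, Roles: {Role}", userId, userEmail, userRoles);

            var userClaims = new List<Claim>
            {
                new Claim(ODPAuthenticationDefaults.ClientIdClaim, clientId),
                new Claim(ODPAuthenticationDefaults.IdTokenClaim, token),
                new Claim(ClaimTypes.NameIdentifier, userId)
            };
            // Fix: the Email claim previously carried userId; the parsed email was unused.
            if (!string.IsNullOrWhiteSpace(userEmail))
            {
                userClaims.Add(new Claim(ClaimTypes.Email, userEmail));
            }
            foreach (var userRole in userRoles)
            {
                userClaims.Add(new Claim(ClaimTypes.Role, userRole));
            }
            // Exact-match on the two spellings the original accepted; deliberately not
            // broadened to a case-insensitive match, since that would widen who gets admin.
            if (userRoles.Contains("admin") || userRoles.Contains("Admin"))
            {
                userClaims.Add(new Claim(ODPAuthenticationDefaults.AdminTokenClaim, true.ToString()));
            }
            SAEONLogs.Debug("ODPAuthentication id token succeeded Claims: {@Claims}", LoggableClaims(userClaims));
            return AuthenticateResult.Success(CreateTicket(userClaims));
        }
        catch (Exception ex)
        {
            SAEONLogs.Exception(ex);
            throw;
        }
    }

    // Wraps the claims in an identity/principal/ticket for this handler's scheme.
    AuthenticationTicket CreateTicket(List<Claim> claims)
    {
        var identity = new ClaimsIdentity(claims, ODPAuthenticationDefaults.AuthenticationScheme);
        var principal = new ClaimsPrincipal(identity);
        return new AuthenticationTicket(principal, ODPAuthenticationDefaults.AuthenticationScheme);
    }

    // Strips the token-bearing claims before the claim set is written to the log.
    object LoggableClaims(List<Claim> claims)
    {
        return claims
            .Where(c => c.Type != ODPAuthenticationDefaults.AccessTokenClaim
                     && c.Type != ODPAuthenticationDefaults.IdTokenClaim)
            .ToList()
            .ToClaimsList();
    }
}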