/// <summary>
/// Refreshes an access token.
/// </summary>
/// <param name="refreshToken">The refresh token.</param>
/// <param name="extraParameters">The extra parameters.</param>
/// <returns>
/// A token response.
/// </returns>
public virtual async Task <RefreshTokenResult> RefreshTokenAsync(string refreshToken, object extraParameters = null)
{
_logger.LogTrace("RefreshTokenAsync");
await EnsureConfigurationAsync();
var client = TokenClientFactory.Create(_options);
var response = await client.RequestRefreshTokenAsync(refreshToken, extra : extraParameters);
if (response.IsError)
{
return(new RefreshTokenResult {
Error = response.Error
});
}
// validate token response
var validationResult = await _processor.ValidateTokenResponseAsync(response, null, requireIdentityToken : _options.Policy.RequireIdentityTokenOnRefreshTokenResponse);
if (validationResult.IsError)
{
return(new RefreshTokenResult {
Error = validationResult.Error
});
}
return(new RefreshTokenResult
{
IdentityToken = response.IdentityToken,
AccessToken = response.AccessToken,
RefreshToken = response.RefreshToken,
ExpiresIn = (int)response.ExpiresIn,
AccessTokenExpiration = DateTime.Now.AddSeconds(response.ExpiresIn)
});
}
/// <summary>
/// Refreshes an access token.
/// </summary>
/// <param name="refreshToken">The refresh token.</param>
/// <returns>A token response.</returns>
public async Task <RefreshTokenResult> RefreshTokenAsync(string refreshToken)
{
_logger.LogTrace("RefreshTokenAsync");
await EnsureConfigurationAsync();
var client = TokenClientFactory.Create(_options);
var response = await client.RequestRefreshTokenAsync(refreshToken);
if (response.IsError)
{
return(new RefreshTokenResult {
Error = response.Error
});
}
// validate token response
var validationResult = await _processor.ValidateTokenResponseAsync(response, null, requireIdentityToken : _options.Policy.RequireIdentityTokenOnRefreshTokenResponse);
if (validationResult.IsError)
{
return(new RefreshTokenResult {
Error = validationResult.Error
});
}
return(new RefreshTokenResult
{
IdentityToken = response.IdentityToken,
AccessToken = response.AccessToken,
RefreshToken = response.RefreshToken,
ExpiresIn = (int)response.ExpiresIn
});
}
/// <summary>
/// Starts a refresh token request.
/// </summary>
/// <param name="refreshToken">The refresh token.</param>
/// <returns>A refresh token result</returns>
public async Task <RefreshTokenResult> RefreshTokenAsync(string refreshToken)
{
var client = await TokenClientFactory.CreateAsync(_options);
var response = await client.RequestRefreshTokenAsync(refreshToken);
if (response.IsError)
{
return(new RefreshTokenResult {
Error = response.Error
});
}
// validate token response
var validationResult = await _validator.ValidateTokenResponse(response, requireIdentityToken : false);
if (!validationResult.Success)
{
return(new RefreshTokenResult {
Error = validationResult.Error
});
}
return(new RefreshTokenResult
{
AccessToken = response.AccessToken,
RefreshToken = response.RefreshToken,
ExpiresIn = (int)response.ExpiresIn
});
}
private TokenClient GetTokenClient()
{
if (_tokenClient == null)
{
_tokenClient = TokenClientFactory.Create(_options);
}
return(_tokenClient);
}
/// <summary>
/// Refreshes an access token.
/// </summary>
/// <param name="refreshToken">The refresh token.</param>
/// <returns>A token response.</returns>
public async Task <RefreshTokenResult> RefreshTokenAsync(string refreshToken, Task <RsaSecurityKey> pregeneratedPopKeyTask = null)
{
if (string.IsNullOrEmpty(refreshToken))
{
throw new ArgumentException("refreshToken");
}
_logger.LogTrace("RefreshTokenAsync");
await EnsureConfigurationAsync().ConfigureAwait(false);
var client = TokenClientFactory.Create(_options);
TokenResponse response;
SigningCredentials popSigner = null;
if (_options.RequestPopTokens)
{
//-- PoP Key Creation
_logger.LogTrace("CreateProviderForPopToken");
var popKey = await(pregeneratedPopKeyTask ?? PopTokenExtensions.CreateProviderForPopTokenAsync()).ConfigureAwait(false);
var jwk = popKey.ToJwk();
response = await client.RequestRefreshTokenPopAsync(refreshToken, jwk.Alg, jwk.ToJwkString()).ConfigureAwait(false);
popSigner = new SigningCredentials(popKey, "RS256");
}
else
{
response = await client.RequestRefreshTokenAsync(refreshToken).ConfigureAwait(false);
}
if (response.IsError)
{
return(new RefreshTokenResult {
Error = response.Error
});
}
// validate token response
var validationResult = await _processor.ValidateTokenResponseAsync(response, null, requireIdentityToken : _options.Policy.RequireIdentityTokenOnRefreshTokenResponse).ConfigureAwait(false);
if (validationResult.IsError)
{
return(new RefreshTokenResult {
Error = validationResult.Error
});
}
return(new RefreshTokenResult
{
IdentityToken = response.IdentityToken,
AccessToken = response.AccessToken,
RefreshToken = response.RefreshToken,
ExpiresIn = (int)response.ExpiresIn,
PopTokenKey = popSigner
});
}
private async Task <TokenClient> GetTokenClientAsync()
{
if (_tokenClient == null)
{
_tokenClient = await TokenClientFactory.CreateAsync(_options);
}
return(_tokenClient);
}
private async Task <LoginResult> ProcessClaimsAsync(ResponseValidationResult result)
{
Logger.Debug("Processing claims");
// get profile if enabled
if (_options.LoadProfile)
{
Logger.Debug("load profile");
var userInfoResult = await GetUserInfoAsync(result.TokenResponse.AccessToken);
if (!userInfoResult.Success)
{
return(new LoginResult(userInfoResult.Error));
}
Logger.Debug("profile claims:");
Logger.LogClaims(userInfoResult.Claims);
var primaryClaimTypes = result.Claims.Select(c => c.Type).Distinct();
foreach (var claim in userInfoResult.Claims.Where(c => !primaryClaimTypes.Contains(c.Type)))
{
result.Claims.Add(claim);
}
}
else
{
Logger.Debug("don't load profile");
}
// success
var loginResult = new LoginResult
{
Claims = FilterClaims(result.Claims),
AccessToken = result.TokenResponse.AccessToken,
RefreshToken = result.TokenResponse.RefreshToken,
AccessTokenExpiration = DateTime.Now.AddSeconds(result.TokenResponse.ExpiresIn),
IdentityToken = result.TokenResponse.IdentityToken,
AuthenticationTime = DateTime.Now
};
if (!string.IsNullOrWhiteSpace(result.TokenResponse.RefreshToken))
{
var providerInfo = await _options.GetProviderInformationAsync();
loginResult.Handler = new RefeshTokenHandler(
await TokenClientFactory.CreateAsync(_options),
result.TokenResponse.RefreshToken,
result.TokenResponse.AccessToken);
}
return(loginResult);
}
/// <summary>
/// Processes the authorize response.
/// </summary>
/// <param name="data">The response data.</param>
/// <param name="state">The state.</param>
/// <returns>Result of the login response validation</returns>
public async Task <LoginResult> ProcessResponseAsync(string data, AuthorizeState state)
{
_logger.LogTrace("ProcessResponseAsync");
_logger.LogInformation("Processing response.");
await EnsureConfigurationAsync();
_logger.LogDebug("Authorize response: {response}", data);
var authorizeResponse = new AuthorizeResponse(data);
if (authorizeResponse.IsError)
{
_logger.LogError(authorizeResponse.Error);
return(new LoginResult(authorizeResponse.Error));
}
var result = await _processor.ProcessResponseAsync(authorizeResponse, state);
if (result.IsError)
{
_logger.LogError(result.Error);
return(new LoginResult(result.Error));
}
var userInfoClaims = Enumerable.Empty <Claim>();
if (_options.LoadProfile)
{
var userInfoResult = await GetUserInfoAsync(result.TokenResponse.AccessToken);
if (userInfoResult.IsError)
{
var error = $"Error contacting userinfo endpoint: {userInfoResult.Error}";
_logger.LogError(error);
return(new LoginResult(error));
}
userInfoClaims = userInfoResult.Claims;
var userInfoSub = userInfoClaims.FirstOrDefault(c => c.Type == JwtClaimTypes.Subject);
if (userInfoSub == null)
{
var error = "sub claim is missing from userinfo endpoint";
_logger.LogError(error);
return(new LoginResult(error));
}
if (!string.Equals(userInfoSub.Value, result.User.FindFirst(JwtClaimTypes.Subject).Value))
{
var error = "sub claim from userinfo endpoint is different than sub claim from identity token.";
_logger.LogError(error);
return(new LoginResult(error));
}
}
var user = ProcessClaims(result.User, userInfoClaims);
var loginResult = new LoginResult
{
User = user,
AccessToken = result.TokenResponse.AccessToken,
RefreshToken = result.TokenResponse.RefreshToken,
AccessTokenExpiration = DateTime.Now.AddSeconds(result.TokenResponse.ExpiresIn),
IdentityToken = result.TokenResponse.IdentityToken,
AuthenticationTime = DateTime.Now
};
if (!string.IsNullOrWhiteSpace(loginResult.RefreshToken))
{
loginResult.RefreshTokenHandler = new RefreshTokenHandler(
TokenClientFactory.Create(_options),
loginResult.RefreshToken,
loginResult.AccessToken);
}
return(loginResult);
}
