private void AddClaimsForAccessToken(TokenGeneratingContext context, string resource) { var scopes = context.RequestGrants.Scopes; var accessTokenScopes = GetAccessTokenScopes(scopes); context.AddClaimToCurrentToken(IdentityServiceClaimTypes.Scope, GetScopeValue(scopes, excludeCanonical: true)); context.AddClaimToCurrentToken(IdentityServiceClaimTypes.Audience, resource); context.AddClaimToCurrentToken(IdentityServiceClaimTypes.AuthorizedParty, context.RequestParameters.ClientId); }
public Task OnGeneratingClaims(TokenGeneratingContext context) { var resource = context.RequestGrants.Scopes.FirstOrDefault(rg => rg.ClientId != null)?.ClientId; if (context.IsContextForTokenTypes(TokenTypes.AccessToken) && resource != null) { // For access tokens we use the scopes from the set of granted scopes, this takes into account the // fact that a token request can ask for a subset of the scopes granted during authorization, either // on a code exchange or on a refresh token grant flow. AddClaimsForAccessToken(context, resource); return(Task.CompletedTask); } if (context.IsContextForTokenTypes(TokenTypes.AuthorizationCode)) { context.AddClaimToCurrentToken( IdentityServiceClaimTypes.Scope, GetScopeValue(context.RequestGrants.Scopes, excludeCanonical: false)); if (resource != null) { context.AddClaimToCurrentToken(IdentityServiceClaimTypes.Resource, resource); } return(Task.CompletedTask); } if (context.IsContextForTokenTypes(TokenTypes.RefreshToken)) { // For refresh tokens the scope claim never changes as the set of scopes granted for a refresh token // should not change no matter what scopes are sent on a token request. var scopeClaim = context .RequestGrants .Claims .Single(c => c.Type.Equals(IdentityServiceClaimTypes.Scope, StringComparison.Ordinal)); var resourceClaim = context .RequestGrants .Claims .SingleOrDefault(c => c.Type.Equals(IdentityServiceClaimTypes.Resource, StringComparison.Ordinal)); context.AddClaimToCurrentToken(scopeClaim); if (resourceClaim != null) { context.AddClaimToCurrentToken(resourceClaim); } } return(Task.CompletedTask); }
public Task OnGeneratingClaims(TokenGeneratingContext context) { if (context.IsContextForTokenTypes(TokenTypes.AuthorizationCode) && context.RequestParameters.Parameters.ContainsKey(ProofOfKeyForCodeExchangeParameterNames.CodeChallenge)) { context.AddClaimToCurrentToken( IdentityServiceClaimTypes.CodeChallenge, context.RequestParameters.Parameters[ProofOfKeyForCodeExchangeParameterNames.CodeChallenge]); context.AddClaimToCurrentToken( IdentityServiceClaimTypes.CodeChallengeMethod, context.RequestParameters.Parameters[ProofOfKeyForCodeExchangeParameterNames.CodeChallengeMethod]); } return(Task.CompletedTask); }
public Task OnGeneratingClaims(TokenGeneratingContext context) { if (context.IsContextForTokenTypes(TokenTypes.AuthorizationCode)) { foreach (var grantedToken in GetGrantedTokensForAuthorizationCode(context)) { context.AddClaimToCurrentToken(IdentityServiceClaimTypes.GrantedToken, grantedToken); } } if (context.IsContextForTokenTypes(TokenTypes.RefreshToken)) { foreach (var grantedToken in context.RequestGrants.Tokens) { context.AddClaimToCurrentToken(IdentityServiceClaimTypes.GrantedToken, grantedToken); } } return(Task.CompletedTask); }
public Task OnGeneratingClaims(TokenGeneratingContext context) { var nonce = GetNonce(context); if (context.IsContextForTokenTypes( TokenTypes.IdToken, TokenTypes.AccessToken, TokenTypes.AuthorizationCode) && nonce != null) { context.AddClaimToCurrentToken(IdentityServiceClaimTypes.Nonce, nonce); } return(Task.CompletedTask); }
public Task OnGeneratingClaims(TokenGeneratingContext context) { context.AddClaimToCurrentToken(IdentityServiceClaimTypes.TokenUniqueId, Guid.NewGuid().ToString()); var userMapping = GetUserPrincipalTokenMapping(context.CurrentToken); var applicationMapping = GetApplicationPrincipalTokenMapping(context.CurrentToken); var ambientMapping = GetAmbientClaimsTokenMapping(context.CurrentToken); MapFromPrincipal(context, context.User, userMapping); MapFromPrincipal(context, context.Application, applicationMapping); MapFromContext(context, context.AmbientClaims, ambientMapping); if (context.IsContextForTokenTypes(TokenTypes.AccessToken, TokenTypes.IdToken)) { context.AddClaimToCurrentToken(IdentityServiceClaimTypes.Issuer, _options.Value.Issuer); } if (context.IsContextForTokenTypes(TokenTypes.AuthorizationCode) && context.RequestParameters.RedirectUri != null) { context.AddClaimToCurrentToken(IdentityServiceClaimTypes.RedirectUri, context.RequestParameters.RedirectUri); } return(Task.CompletedTask); }
private static void MapFromContext( TokenGeneratingContext context, IList <Claim> ambientClaims, TokenMapping claimsDefinition) { foreach (var mapping in claimsDefinition) { var ctxValues = ambientClaims.Where(c => c.Type == mapping.Alias); ValidateCardinality(mapping, ctxValues, claimsDefinition.Source); foreach (var ctxValue in ctxValues) { context.AddClaimToCurrentToken(mapping.Name, ctxValue.Value); } } }
private static void MapFromPrincipal( TokenGeneratingContext context, ClaimsPrincipal user, TokenMapping claimsDefinition) { foreach (var mapping in claimsDefinition) { var foundClaims = user.FindAll(mapping.Alias); ValidateCardinality(mapping, foundClaims, claimsDefinition.Source); foreach (var userClaim in foundClaims) { context.AddClaimToCurrentToken(mapping.Name, userClaim.Value); } } }