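/// <summary>
/// Builds and signs an OIDC ID token for an OIDC down-client.
/// </summary>
/// <param name="client">The requesting client; must be an <c>OidcDownClient</c>.</param>
/// <param name="claims">Claims available for the token, filtered by <c>claimsLogic</c> against the selected scopes.</param>
/// <param name="selectedScopes">Scopes granted in this request.</param>
/// <param name="nonce">Client-supplied nonce; echoed as the <c>nonce</c> claim when non-null.</param>
/// <param name="responseTypes">Response types of the authorization request; decide whether <c>at_hash</c> / <c>c_hash</c> are added.</param>
/// <param name="code">Authorization code hashed into <c>c_hash</c> when the <c>code</c> response type is present.</param>
/// <param name="accessToken">Access token hashed into <c>at_hash</c> when the <c>token</c> response type is present.</param>
/// <param name="algorithm">Signing algorithm; also passed to the hash helper so the hash matches the token's algorithm.</param>
/// <returns>The serialized, signed ID token.</returns>
/// <exception cref="InvalidOperationException">Thrown when <paramref name="client"/> is not an <c>OidcDownClient</c>.</exception>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="responseTypes"/> is null.</exception>
public async Task<string> CreateIdTokenAsync(TClient client, IEnumerable<Claim> claims, IEnumerable<string> selectedScopes, string nonce, IEnumerable<string> responseTypes, string code, string accessToken, string algorithm)
{
    // Pattern match once instead of `is` followed by a second `as` cast further down.
    if (!(client is OidcDownClient oidcDownClient))
    {
        throw new InvalidOperationException("Include ID Token only possible for OIDC Down Client.");
    }
    if (responseTypes is null)
    {
        throw new ArgumentNullException(nameof(responseTypes));
    }

    // Materialise the response types once; the original consulted the enumerable up to three times.
    var responseTypeSet = new HashSet<string>(responseTypes, StringComparer.Ordinal);
    var includesCode = responseTypeSet.Contains(IdentityConstants.ResponseTypes.Code);
    var includesToken = responseTypeSet.Contains(IdentityConstants.ResponseTypes.Token);

    // With response_type=id_token alone there is no access token, so the access-token claims
    // travel in the ID token instead.
    var onlyIdToken = !includesCode && !includesToken;
    var idTokenClaims = new List<Claim>(await claimsLogic.FilterJwtClaims(client, claims, selectedScopes, includeIdTokenClaims: true, includeAccessTokenClaims: onlyIdToken));

    if (nonce != null)
    {
        idTokenClaims.AddClaim(JwtClaimTypes.Nonce, nonce);
    }

    if (!onlyIdToken)
    {
        // at_hash / c_hash bind the ID token to the access token / code issued alongside it.
        // LeftMostBase64urlEncodedHash is a project helper; presumably the OIDC Core left-most-half hash — confirm.
        if (includesToken)
        {
            idTokenClaims.AddClaim(JwtClaimTypes.AtHash, await accessToken.LeftMostBase64urlEncodedHash(algorithm));
        }
        if (includesCode)
        {
            idTokenClaims.AddClaim(JwtClaimTypes.CHash, await code.LeftMostBase64urlEncodedHash(algorithm));
        }
    }

    // Signed with the track's primary key; the certificate thumbprint is carried as the key id.
    var token = JwtHandler.CreateToken(
        trackKeyLogic.GetSecurityKey(RouteBinding.PrimaryKey),
        Issuer(RouteBinding),
        client.ClientId,
        idTokenClaims,
        expiresIn: oidcDownClient.IdTokenLifetime,
        algorithm: algorithm,
        x509CertificateSHA1Thumbprint: RouteBinding.PrimaryKey.Key.Kid);
    return await token.ToJwtString();
}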
/// <summary>
/// Issues a refresh token for <paramref name="client"/> and persists the matching grant.
/// </summary>
/// <param name="client">The client the refresh token is issued to.</param>
/// <param name="claims">Claims to retain in the grant, filtered by <c>claimsLogic</c> against <paramref name="scope"/>.</param>
/// <param name="scope">Space-separated scope string; may be null.</param>
/// <returns>The newly created refresh token.</returns>
public async Task<string> CreateRefreshTokenGrantAsync(TClient client, List<Claim> claims, string scope)
{
    logger.ScopeTrace($"Create Refresh Token grant, Route '{RouteBinding.Route}'.");

    // Sibling helper (defined elsewhere in the class) validates the client configuration before any grant is created.
    CheckeConfiguration(client);

    var scopeList = scope?.ToSpaceList();
    // Both ID-token and access-token claims are kept so later token refreshes can rebuild either token.
    var filteredClaims = await claimsLogic.FilterJwtClaims(client, claims, scopeList, includeIdTokenClaims: true, includeAccessTokenClaims: true);

    var newRefreshToken = CreateRefreshToken(client);
    await CreateGrantInternal(client, filteredClaims.ToClaimAndValues(), scope, newRefreshToken);

    // NOTE(review): this trace records the full refresh token value; the scope-trace sink must be treated as credential-bearing.
    logger.ScopeTrace($"Refresh token grant created, Refresh Token '{newRefreshToken}'.");
    return newRefreshToken;
}
/// <summary>
/// Creates an authorization code and stores the associated grant with a time-to-live.
/// </summary>
/// <param name="client">The client the code is issued to; must have <c>AuthorizationCodeLifetime</c> configured.</param>
/// <param name="claims">Claims to retain in the grant, filtered by <c>claimsLogic</c> against <paramref name="scope"/>.</param>
/// <param name="redirectUri">Redirect URI of the authorization request, stored for later verification.</param>
/// <param name="scope">Space-separated scope string; may be null.</param>
/// <param name="nonce">Client nonce stored with the grant.</param>
/// <param name="codeChallenge">PKCE code challenge stored with the grant.</param>
/// <param name="codeChallengeMethod">PKCE code challenge method stored with the grant.</param>
/// <returns>The newly generated authorization code.</returns>
/// <exception cref="EndpointException">Thrown when the client has no authorization code lifetime configured.</exception>
public async Task<string> CreateAuthCodeGrantAsync(TClient client, List<Claim> claims, string redirectUri, string scope, string nonce, string codeChallenge, string codeChallengeMethod)
{
    logger.ScopeTrace($"Create Authorization code grant, Route '{RouteBinding.Route}'.");

    var codeLifetime = client.AuthorizationCodeLifetime;
    if (codeLifetime == null)
    {
        throw new EndpointException("Client AuthorizationCodeLifetime not configured.") { RouteBinding = RouteBinding };
    }

    var scopeList = scope?.ToSpaceList();
    var filteredClaims = await claimsLogic.FilterJwtClaims(client, claims, scopeList, includeIdTokenClaims: true, includeAccessTokenClaims: true);

    // RandomGenerator is a project helper; assumed to be a CSPRNG — confirm, since the code is a bearer credential.
    var authorizationCode = RandomGenerator.Generate(64);

    // The redirect URI and PKCE values are stored verbatim; presumably the token endpoint verifies them on redemption.
    var authCodeGrant = new AuthCodeTtlGrant
    {
        TimeToLive = codeLifetime.Value,
        Claims = filteredClaims.ToClaimAndValues(),
        ClientId = client.ClientId,
        RedirectUri = redirectUri,
        Scope = scope,
        Nonce = nonce,
        CodeChallenge = codeChallenge,
        CodeChallengeMethod = codeChallengeMethod
    };

    // The grant is keyed by tenant, track and code.
    var grantIdKey = new AuthCodeTtlGrant.IdKey
    {
        TenantName = RouteBinding.TenantName,
        TrackName = RouteBinding.TrackName,
        Code = authorizationCode
    };
    await authCodeGrant.SetIdAsync(grantIdKey);
    await tenantRepository.SaveAsync(authCodeGrant);

    // NOTE(review): this trace records the full authorization code; the scope-trace sink must be treated as credential-bearing.
    logger.ScopeTrace($"Authorization code grant created, Code '{authorizationCode}'.");
    return authorizationCode;
}