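        /// <summary>
        /// Builds and signs an OIDC ID token for <paramref name="client"/> from the filtered
        /// <paramref name="claims"/>, echoing the request <paramref name="nonce"/> and adding
        /// <c>at_hash</c> / <c>c_hash</c> when an access token or authorization code is issued
        /// alongside the ID token (implicit / hybrid flows).
        /// </summary>
        /// <param name="client">Down-party client; must be an <see cref="OidcDownClient"/>.</param>
        /// <param name="claims">Candidate claims, filtered through <c>claimsLogic.FilterJwtClaims</c>.</param>
        /// <param name="selectedScopes">Scopes granted to the request; drives claim filtering.</param>
        /// <param name="nonce">Request nonce; copied verbatim into the token when not null.</param>
        /// <param name="responseTypes">OIDC response types of the request (<c>code</c>, <c>token</c>, <c>id_token</c>).</param>
        /// <param name="code">Authorization code; hashed into <c>c_hash</c> when <c>code</c> is among <paramref name="responseTypes"/>.</param>
        /// <param name="accessToken">Access token; hashed into <c>at_hash</c> when <c>token</c> is among <paramref name="responseTypes"/>.</param>
        /// <param name="algorithm">JWS signing algorithm; also selects the hash used for <c>at_hash</c> / <c>c_hash</c>.</param>
        /// <returns>The serialized compact JWT.</returns>
        /// <exception cref="InvalidOperationException">Thrown when <paramref name="client"/> is not an <see cref="OidcDownClient"/>.</exception>
        /// <exception cref="ArgumentNullException">Thrown when <paramref name="responseTypes"/> is null.</exception>
        public async Task <string> CreateIdTokenAsync(TClient client, IEnumerable <Claim> claims, IEnumerable <string> selectedScopes, string nonce, IEnumerable <string> responseTypes, string code, string accessToken, string algorithm)
        {
            if (!(client is OidcDownClient oidcClient))
            {
                throw new InvalidOperationException("Include ID Token only possible for OIDC Down Client.");
            }
            if (responseTypes is null)
            {
                throw new ArgumentNullException(nameof(responseTypes));
            }

            // Materialize once: the sequence was previously enumerated up to four times, which
            // is wasteful for a lazy enumerable and could observe different results each time.
            var requestedTypes = responseTypes.ToList();
            var includesCode   = requestedTypes.Contains(IdentityConstants.ResponseTypes.Code);
            var includesToken  = requestedTypes.Contains(IdentityConstants.ResponseTypes.Token);

            // With response_type=id_token alone no access token is issued to carry the
            // access-token claims, so they are folded into the ID token instead.
            var onlyIdToken   = !includesCode && !includesToken;
            var idTokenClaims = new List <Claim>(await claimsLogic.FilterJwtClaims(client, claims, selectedScopes, includeIdTokenClaims: true, includeAccessTokenClaims: onlyIdToken));

            // The nonce binds this token to the RP's authorization request; the RP compares
            // it against the value it sent to detect replayed ID tokens.
            if (nonce != null)
            {
                idTokenClaims.AddClaim(JwtClaimTypes.Nonce, nonce);
            }

            // at_hash / c_hash are the left-most half of the hash of the artifact issued with
            // the ID token, computed with the hash that matches the JWS alg (OIDC Core 3.3.2.11).
            // They let the RP check that the access token / code it received belongs to this token.
            if (includesToken)
            {
                idTokenClaims.AddClaim(JwtClaimTypes.AtHash, await accessToken.LeftMostBase64urlEncodedHash(algorithm));
            }
            if (includesCode)
            {
                idTokenClaims.AddClaim(JwtClaimTypes.CHash, await code.LeftMostBase64urlEncodedHash(algorithm));
            }

            // Signed with the track's primary key; the audience is the client's own id.
            // NOTE(review): the named argument is x509CertificateSHA1Thumbprint but receives the
            // key's Kid — confirm Kid is the certificate thumbprint for this key type.
            var token = JwtHandler.CreateToken(trackKeyLogic.GetSecurityKey(RouteBinding.PrimaryKey), Issuer(RouteBinding), client.ClientId, idTokenClaims, expiresIn: oidcClient.IdTokenLifetime, algorithm: algorithm, x509CertificateSHA1Thumbprint: RouteBinding.PrimaryKey.Key.Kid);

            return(await token.ToJwtString());
        }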
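        /// <summary>
        /// Issues a new refresh token for <paramref name="client"/> and persists the grant
        /// (filtered claims and scope) that the token refers to.
        /// </summary>
        /// <param name="client">Client the grant is issued to; checked by <c>CheckeConfiguration</c> first.</param>
        /// <param name="claims">Candidate claims, filtered through <c>claimsLogic.FilterJwtClaims</c> before storage.</param>
        /// <param name="scope">Space-separated scope string; may be null.</param>
        /// <returns>The refresh token value to hand to the client.</returns>
        public async Task <string> CreateRefreshTokenGrantAsync(TClient client, List <Claim> claims, string scope)
        {
            logger.ScopeTrace($"Create Refresh Token grant, Route '{RouteBinding.Route}'.");

            CheckeConfiguration(client);

            // Both ID-token and access-token claims are kept, since a refresh may mint either.
            var grantClaims = await claimsLogic.FilterJwtClaims(client, claims, scope?.ToSpaceList(), includeIdTokenClaims : true, includeAccessTokenClaims : true);

            var refreshToken = CreateRefreshToken(client);

            await CreateGrantInternal(client, grantClaims.ToClaimAndValues(), scope, refreshToken);

            // The refresh token is a long-lived bearer credential: never write its value to the
            // trace, where it would outlive the request and be replayable by anyone with log access.
            logger.ScopeTrace($"Refresh token grant created, Refresh Token length {refreshToken?.Length ?? 0}.");
            return(refreshToken);
        }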
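        /// <summary>
        /// Creates an authorization code grant: a random code bound to the client, redirect URI,
        /// scope, nonce and PKCE challenge, stored with a TTL so it can later be redeemed at the
        /// token endpoint.
        /// </summary>
        /// <param name="client">Client the code is issued to; must have <c>AuthorizationCodeLifetime</c> configured.</param>
        /// <param name="claims">Candidate claims, filtered through <c>claimsLogic.FilterJwtClaims</c> before storage.</param>
        /// <param name="redirectUri">Redirect URI of the authorization request, stored with the grant.</param>
        /// <param name="scope">Space-separated scope string; may be null.</param>
        /// <param name="nonce">Request nonce, stored so it can be echoed in the ID token on redemption.</param>
        /// <param name="codeChallenge">PKCE code_challenge (RFC 7636), stored for later verification.</param>
        /// <param name="codeChallengeMethod">PKCE code_challenge_method, stored for later verification.</param>
        /// <returns>The authorization code value.</returns>
        /// <exception cref="EndpointException">Thrown when the client has no <c>AuthorizationCodeLifetime</c>.</exception>
        public async Task <string> CreateAuthCodeGrantAsync(TClient client, List <Claim> claims, string redirectUri, string scope, string nonce, string codeChallenge, string codeChallengeMethod)
        {
            logger.ScopeTrace($"Create Authorization code grant, Route '{RouteBinding.Route}'.");

            // Without a lifetime the stored code would never expire; refuse rather than pick a default.
            if (!client.AuthorizationCodeLifetime.HasValue)
            {
                throw new EndpointException("Client AuthorizationCodeLifetime not configured.")
                      {
                          RouteBinding = RouteBinding
                      };
            }

            var grantClaims = await claimsLogic.FilterJwtClaims(client, claims, scope?.ToSpaceList(), includeIdTokenClaims : true, includeAccessTokenClaims : true);

            // The code is the only thing needed to redeem this grant (plus the PKCE verifier when a
            // challenge is set), so it must be unguessable.
            // NOTE(review): assumes RandomGenerator.Generate is CSPRNG-backed — confirm.
            var code  = RandomGenerator.Generate(64);

            // NOTE(review): redirectUri, codeChallenge and codeChallengeMethod are stored as given;
            // their validation (registered redirect URI, supported challenge method) is assumed to
            // happen in the caller — confirm.
            var grant = new AuthCodeTtlGrant
            {
                TimeToLive          = client.AuthorizationCodeLifetime.Value,
                Claims              = grantClaims.ToClaimAndValues(),
                ClientId            = client.ClientId,
                RedirectUri         = redirectUri,
                Scope               = scope,
                Nonce               = nonce,
                CodeChallenge       = codeChallenge,
                CodeChallengeMethod = codeChallengeMethod
            };
            // The grant is keyed by tenant, track and the code itself.
            await grant.SetIdAsync(new AuthCodeTtlGrant.IdKey {
                TenantName = RouteBinding.TenantName, TrackName = RouteBinding.TrackName, Code = code
            });

            await tenantRepository.SaveAsync(grant);

            // The code is a one-time bearer credential; keep its value out of the trace so a
            // log reader cannot redeem it before the legitimate client does.
            logger.ScopeTrace($"Authorization code grant created, Code length {code?.Length ?? 0}.");
            return(code);
        }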