/// <summary>
/// Grant a new access_token based on the current refresh_token. Here we couldvalidate whether the
/// refresh token is still valid or revoked.
/// </summary>
public override async Task GrantRefreshToken(GrantRefreshTokenContext context)
{
var originalClient = context.AuthenticationTicket.Properties.Items["client_id"];
if (originalClient != context.ClientId)
{
context.Rejected("invalid_clientId", "Refresh token is issued to a different clientId.");
return;
}
var properties = context.AuthenticationTicket.Properties;
var validator = new RefreshTokenValidator(context.Request.RefreshToken,
properties.Items["client_id"],
context.AuthenticationTicket.Principal.GetClaim(ClaimTypes.NameIdentifier));
var result = await ExecuteMessage(context, validator);
if (!result.Succeeded)
{
context.Rejected(OpenIdConnectConstants.Errors.InvalidRequest, "Could not validate refresh_token.");
return;
}
var principal = new ClaimsPrincipal(context.AuthenticationTicket.Principal);
var ticket = CreateAuthenticationTicket(principal, context.AuthenticationTicket.Properties, context.Options, context);
context.Validated(ticket);
}
public override async Task GrantRefreshToken([NotNull] GrantRefreshTokenContext context)
{
var manager = context.HttpContext.RequestServices.GetRequiredService <OpenIddictManager <TUser, TApplication> >();
var options = context.HttpContext.RequestServices.GetRequiredService <IOptions <IdentityOptions> >();
// If the user manager doesn't support security
// stamps, skip the default validation logic.
if (!manager.SupportsUserSecurityStamp)
{
return;
}
var principal = context.AuthenticationTicket?.Principal;
Debug.Assert(principal != null);
var user = await manager.FindByIdAsync(principal.GetUserId());
if (user == null)
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "The refresh token is no longer valid.");
return;
}
var identifier = principal.GetClaim(options.Value.ClaimsIdentity.SecurityStampClaimType);
if (!string.IsNullOrEmpty(identifier) &&
!string.Equals(identifier, await manager.GetSecurityStampAsync(user), StringComparison.Ordinal))
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "The refresh token is no longer valid.");
return;
}
// Note: the "scopes" property stored in context.AuthenticationTicket is automatically
// updated by ASOS when the client application requests a restricted scopes collection.
var identity = await manager.CreateIdentityAsync(user, context.AuthenticationTicket.GetScopes());
Debug.Assert(identity != null);
// Create a new authentication ticket holding the user identity but
// reuse the authentication properties stored in the refresh token.
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
context.AuthenticationTicket.Properties,
context.Options.AuthenticationScheme);
context.Validate(ticket);
}
public async Task InvokeAsync(HttpContext context, IJwtSecurityTokenService iJwtSecurityTokenService)
{
var baseValidatingContext = default(BaseValidatingContext);
var grantType = this.GetGrantType(context);
switch (grantType)
{
case Parameters.Password:
baseValidatingContext = GrantResourceOwnerCredentialsContext.Create(context);
if (baseValidatingContext != null)
{
await jwtServerOptions.AuthorizationServerProvider.GrantClientCredentialsAsync
((GrantResourceOwnerCredentialsContext)baseValidatingContext);
}
break;
case Parameters.RefreshToken:
baseValidatingContext = GrantRefreshTokenContext.Create(context);
if (baseValidatingContext != null)
{
await jwtServerOptions.AuthorizationServerProvider.GrantRefreshTokenAsync
((GrantRefreshTokenContext)baseValidatingContext);
}
break;
default:
break;
}
if (baseValidatingContext != null)
{
if (baseValidatingContext.IsValidated)
{
var token = await iJwtSecurityTokenService.CreateAsync(baseValidatingContext, jwtServerOptions);
await WriteResponseAsync(context, JsonConvert.SerializeObject(token));
}
else
{
await WriteResponseError(context, baseValidatingContext.Error);
}
}
}
/// <summary>
/// Grant a new access_token based on the current refresh_token. Here we couldvalidate whether the
/// refresh token is still valid or revoked.
/// </summary>
public override async Task GrantRefreshToken(GrantRefreshTokenContext context)
{
var validator = new RefreshTokenValidator(
context.Ticket.GetTicketId(),
context.ClientId,
context.Ticket.Principal.GetClaim(ClaimTypes.NameIdentifier));
var result = await ExecuteMessage(context, validator);
if (!result.Succeeded)
{
context.Reject(OpenIdConnectConstants.Errors.InvalidRequest, "Could not validate refresh_token.");
return;
}
var principal = new ClaimsPrincipal(context.Ticket.Principal);
var ticket = CreateAuthenticationTicket(principal, context.Ticket.Properties, context.Options, context);
context.Validate(ticket);
}
public Task GrantRefreshToken(GrantRefreshTokenContext context)
{
throw new NotImplementedException();
}
public override async Task GrantRefreshToken(GrantRefreshTokenContext context)
{
//_authService = (IAuthService)context.HttpContext.ApplicationServices.GetService(typeof(IAuthService));
_authService = (IAuthService)context.HttpContext.RequestServices.GetService(typeof(IAuthService));
string originalClient = string.Empty;
context.Ticket.Properties.Items.TryGetValue("client_id", out originalClient);
var currentClient = context.ClientId;
if (originalClient != currentClient)
{
context.Reject("O Refresh token foi criado para outro client_id");
}
string username = string.Empty;
context.Ticket.Properties.Items.TryGetValue("userName", out username);
var user = await _authService.GetUsuarioEmail(username);
var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
int casaId = await _authService.GetCasaSelecionada(user);
//verifica se usuario esta bloqueado para aquela casa
if (_authService.AcessoUsuarioBloqueado(user.Id, casaId))
{
//tenta obter acesso em outra casa
int novaCasaSelec = _authService.TentaSelecOutraCasa(user.Id, casaId);
if (novaCasaSelec == 0)
{
context.Reject("O seu acesso foi bloqueado");
return;
}
casaId = novaCasaSelec;
}
foreach (var claim in _authService.GetClaims(user, casaId))
{
identity.AddClaim(claim.Type, claim.Value, "access_token", "id_token");
}
identity.AddClaim("casa", casaId.ToString(), "access_token", "id_token");
identity.AddClaim(ClaimTypes.NameIdentifier, user.Id, "access_token", "id_token");
identity.AddClaim(ClaimTypes.Name, user.UserName, "access_token", "id_token");
var principal = new ClaimsPrincipal(identity);
var newTicket = new AuthenticationTicket(principal,
context.Ticket.Properties,
OpenIdConnectServerDefaults.AuthenticationScheme);
context.Validate(newTicket);
}
/// <summary> /// Called when a request to the Token endpoint arrives with a "grant_type" of "refresh_token". This occurs if your application has issued a "refresh_token" /// along with the "access_token", and the client is attempting to use the "refresh_token" to acquire a new "access_token", and possibly a new "refresh_token". /// The claims and properties associated with the refresh token are present in the context.Ticket. The token request is automatically handled, /// but the application can call context.Rejected to instruct the Authorization Server middleware to reject the token. /// The application may explicitly call context.Validated and flow a different AuthenticationTicket or ClaimsIdentity in order to control /// which information flows from the refresh token to the access token. The default behavior when using the OpenIdConnectServerProvider /// is to flow information from the refresh token to the access token unmodified. /// See also http://tools.ietf.org/html/rfc6749#section-6 /// </summary> /// <param name="context">The context of the event carries information in and results out.</param> /// <returns>Task to enable asynchronous execution</returns> public virtual Task GrantRefreshToken(GrantRefreshTokenContext context) => OnGrantRefreshToken(context);
public virtual Task GrantRefreshTokenAsync(GrantRefreshTokenContext context)
{
return(this.OnGrantRefreshToken.Invoke(context));
}
