public async Task Build(IEnumerable <string> scopes, HandlerContext context, JObject claims = null)
{
if (!scopes.Contains(SIDOpenIdConstants.StandardScopes.OpenIdScope.Name) || context.User == null)
{
return;
}
var openidClient = (OpenIdClient)context.Client;
var payload = await BuildIdToken(context, context.Request.Data).ConfigureAwait(false);
var idToken = await _jwtBuilder.BuildClientToken(context.Client, payload, openidClient.IdTokenSignedResponseAlg, openidClient.IdTokenEncryptedResponseAlg, openidClient.IdTokenEncryptedResponseEnc);
context.Response.Add(Name, idToken);
}
public override async Task Build(IEnumerable <string> scopes, HandlerContext context, CancellationToken cancellationToken)
{
if (context.User == null)
{
return;
}
var openidClient = (OpenIdClient)context.Client;
var payload = await BuildIdToken(context, context.Request.Data, scopes, cancellationToken);
var idToken = await _jwtBuilder.BuildClientToken(context.Client, payload, openidClient.IdTokenSignedResponseAlg, openidClient.IdTokenEncryptedResponseAlg, openidClient.IdTokenEncryptedResponseEnc);
context.Response.Add(Name, idToken);
}
public async Task Enrich(JwsPayload jwsPayload, OpenIdClient client)
{
var subject = jwsPayload.GetClaimValue(Jwt.Constants.UserClaims.Subject);
using (var httpClient = new HttpClient())
{
var request = new HttpRequestMessage
{
RequestUri = new Uri(_httpClaimsSourceOptions.Url),
Method = HttpMethod.Get,
// Content = new StringContent(JsonConvert.SerializeObject(new { sub = subject }), Encoding.UTF8, "application/json")
};
if (!string.IsNullOrWhiteSpace(_httpClaimsSourceOptions.ApiToken))
{
request.Headers.Add("Authorization", $"Bearer {_httpClaimsSourceOptions.ApiToken}");
}
var result = await httpClient.SendAsync(request).ConfigureAwait(false);
var json = await result.Content.ReadAsStringAsync().ConfigureAwait(false);
var kvp = result.Content.Headers.FirstOrDefault(k => k.Key == "Content-Type");
if (!kvp.Equals(default(KeyValuePair <string, IEnumerable <string> >)) && !string.IsNullOrWhiteSpace(kvp.Key) && result.IsSuccessStatusCode)
{
string jwt = null;
JwsPayload jObj = null;
if (kvp.Value.Any(v => v.Contains("application/json")))
{
jObj = JsonConvert.DeserializeObject <JwsPayload>(json);
jwt = await _jwtBuilder.BuildClientToken(client, jObj, client.IdTokenSignedResponseAlg, client.IdTokenEncryptedResponseAlg, client.IdTokenEncryptedResponseEnc);
}
else if (kvp.Value.Any(v => v.Contains("application/jwt")))
{
throw new NotImplementedException();
/*
* jwt = json;
* jObj = Extract(json);
*/
}
if (!string.IsNullOrWhiteSpace(jwt))
{
ClaimsSourceHelper.AddAggregate(jwsPayload, jObj, jwt, _httpClaimsSourceOptions.Name);
}
}
}
}
private async Task <IActionResult> Common(JObject content, CancellationToken cancellationToken)
{
try
{
var accessToken = ExtractAccessToken(content);
var jwsPayload = await Extract(accessToken);
if (jwsPayload == null)
{
throw new OAuthException(ErrorCodes.INVALID_TOKEN, OAuth.ErrorMessages.BAD_TOKEN);
}
var subject = jwsPayload.GetSub();
var scopes = jwsPayload.GetScopes();
var audiences = jwsPayload.GetAudiences();
var claims = jwsPayload.GetClaimsFromAccessToken(AuthorizationRequestClaimTypes.UserInfo);
var authTime = jwsPayload.GetAuthTime();
var user = await _oauthUserRepository.FindOAuthUserByLogin(subject, cancellationToken);
if (user == null)
{
return(new UnauthorizedResult());
}
var filteredClients = await _oauthClientRepository.FindOAuthClientByIds(audiences, cancellationToken);
if (!filteredClients.Any())
{
throw new OAuthException(ErrorCodes.INVALID_CLIENT, ErrorMessages.INVALID_AUDIENCE);
}
var oauthClient = (OpenIdClient)filteredClients.First();
if (!user.HasOpenIDConsent(oauthClient.ClientId, scopes, claims, AuthorizationRequestClaimTypes.UserInfo))
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.NO_CONSENT);
}
var token = await _tokenQueryRepository.Get(accessToken, cancellationToken);
if (token == null)
{
_logger.LogError("Cannot get user information because access token has been rejected");
throw new OAuthException(ErrorCodes.INVALID_TOKEN, OAuth.ErrorMessages.ACCESS_TOKEN_REJECTED);
}
var oauthScopes = (await _oauthScopeRepository.FindOAuthScopesByNames(scopes, cancellationToken)).Cast <OpenIdScope>();
var payload = new JwsPayload();
IdTokenBuilder.EnrichWithScopeParameter(payload, oauthScopes, user, subject);
_claimsJwsPayloadEnricher.EnrichWithClaimsParameter(payload, claims, user, authTime, AuthorizationRequestClaimTypes.UserInfo);
foreach (var claimsSource in _claimsSources)
{
await claimsSource.Enrich(payload, oauthClient).ConfigureAwait(false);
}
string contentType = "application/json";
var result = JsonConvert.SerializeObject(payload).ToString();
if (!string.IsNullOrWhiteSpace(oauthClient.UserInfoSignedResponseAlg))
{
result = await _jwtBuilder.BuildClientToken(oauthClient, payload, oauthClient.UserInfoSignedResponseAlg, oauthClient.UserInfoEncryptedResponseAlg, oauthClient.UserInfoEncryptedResponseEnc);
contentType = "application/jwt";
}
return(new ContentResult
{
Content = result,
ContentType = contentType
});
}
catch (OAuthException ex)
{
var jObj = new JObject
{
{ ErrorResponseParameters.Error, ex.Code },
{ ErrorResponseParameters.ErrorDescription, ex.Message }
};
return(new ContentResult
{
Content = jObj.ToString(),
ContentType = "application/json",
StatusCode = (int)HttpStatusCode.BadRequest
});
}
}
