private async Task <bool> InvokeProfileEndpointAsync()
{
OpenIdConnectMessage request;
if (!string.Equals(Request.Method, "GET", StringComparison.OrdinalIgnoreCase) &&
!string.Equals(Request.Method, "POST", StringComparison.OrdinalIgnoreCase))
{
await SendErrorPayloadAsync(new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "A malformed userinfo request has been received: " +
"make sure to use either GET or POST."
});
return(true);
}
if (string.Equals(Request.Method, "GET", StringComparison.OrdinalIgnoreCase))
{
request = new OpenIdConnectMessage(Request.Query.ToDictionary());
}
else
{
// See http://openid.net/specs/openid-connect-core-1_0.html#FormSerialization
if (string.IsNullOrWhiteSpace(Request.ContentType))
{
await SendErrorPayloadAsync(new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "A malformed userinfo request has been received: " +
"the mandatory 'Content-Type' header was missing from the POST request."
});
return(true);
}
// May have media/type; charset=utf-8, allow partial match.
if (!Request.ContentType.StartsWith("application/x-www-form-urlencoded", StringComparison.OrdinalIgnoreCase))
{
await SendErrorPayloadAsync(new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "A malformed userinfo request has been received: " +
"the 'Content-Type' header contained an unexcepted value. " +
"Make sure to use 'application/x-www-form-urlencoded'."
});
return(true);
}
var form = await Request.ReadFormAsync(Context.RequestAborted);
request = new OpenIdConnectMessage(form.ToDictionary());
}
string token;
if (!string.IsNullOrEmpty(request.AccessToken))
{
token = request.AccessToken;
}
else
{
string header = Request.Headers[HeaderNames.Authorization];
if (string.IsNullOrEmpty(header))
{
await SendErrorPayloadAsync(new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "A malformed userinfo request has been received."
});
return(true);
}
if (!header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
{
await SendErrorPayloadAsync(new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "A malformed userinfo request has been received."
});
return(true);
}
token = header.Substring("Bearer ".Length);
if (string.IsNullOrEmpty(token))
{
await SendErrorPayloadAsync(new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "A malformed userinfo request has been received."
});
return(true);
}
}
var ticket = await DeserializeAccessTokenAsync(token, request);
if (ticket == null)
{
Logger.LogError("invalid token");
// Note: an invalid token should result in an unauthorized response
// but returning a 401 status would invoke the previously registered
// authentication middleware and potentially replace it by a 302 response.
// To work around this limitation, a 400 error is returned instead.
// See http://openid.net/specs/openid-connect-core-1_0.html#UserInfoError
await SendErrorPayloadAsync(new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "Invalid token."
});
return(true);
}
if (!ticket.Properties.ExpiresUtc.HasValue ||
ticket.Properties.ExpiresUtc < Options.SystemClock.UtcNow)
{
Logger.LogError("expired token");
// Note: an invalid token should result in an unauthorized response
// but returning a 401 status would invoke the previously registered
// authentication middleware and potentially replace it by a 302 response.
// To work around this limitation, a 400 error is returned instead.
// See http://openid.net/specs/openid-connect-core-1_0.html#UserInfoError
await SendErrorPayloadAsync(new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "Expired token."
});
return(true);
}
// Insert the userinfo request in the ASP.NET context.
Context.SetOpenIdConnectRequest(request);
var notification = new ProfileEndpointContext(Context, Options, request, ticket);
notification.Subject = ticket.Principal.GetClaim(ClaimTypes.NameIdentifier);
notification.Issuer = Context.GetIssuer(Options);
// Note: when receiving an access token, its audiences list cannot be used for the "aud" claim
// as the client application is not the intented audience but only an authorized presenter.
// See http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
foreach (var presenter in ticket.GetPresenters())
{
notification.Audiences.Add(presenter);
}
// The following claims are all optional and should be excluded when
// no corresponding value has been found in the authentication ticket.
if (ticket.HasScope(OpenIdConnectConstants.Scopes.Profile))
{
notification.FamilyName = ticket.Principal.GetClaim(ClaimTypes.Surname);
notification.GivenName = ticket.Principal.GetClaim(ClaimTypes.GivenName);
notification.BirthDate = ticket.Principal.GetClaim(ClaimTypes.DateOfBirth);
}
if (ticket.HasScope(OpenIdConnectConstants.Scopes.Email))
{
notification.Email = ticket.Principal.GetClaim(ClaimTypes.Email);
}
;
if (ticket.HasScope(OpenIdConnectConstants.Scopes.Phone))
{
notification.PhoneNumber = ticket.Principal.GetClaim(ClaimTypes.HomePhone) ??
ticket.Principal.GetClaim(ClaimTypes.MobilePhone) ??
ticket.Principal.GetClaim(ClaimTypes.OtherPhone);
}
;
await Options.Provider.ProfileEndpoint(notification);
if (notification.HandledResponse)
{
return(true);
}
else if (notification.Skipped)
{
return(false);
}
// Ensure the "sub" claim has been correctly populated.
if (string.IsNullOrEmpty(notification.Subject))
{
Logger.LogError("The mandatory 'sub' claim was missing from the userinfo response.");
Response.StatusCode = 500;
await SendErrorPayloadAsync(new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.ServerError,
ErrorDescription = "The mandatory 'sub' claim was missing."
});
return(true);
}
var payload = new JObject {
[JwtRegisteredClaimNames.Sub] = notification.Subject
};
if (notification.Address != null)
{
payload[OpenIdConnectConstants.Claims.Address] = notification.Address;
}
if (!string.IsNullOrEmpty(notification.BirthDate))
{
payload[JwtRegisteredClaimNames.Birthdate] = notification.BirthDate;
}
if (!string.IsNullOrEmpty(notification.Email))
{
payload[JwtRegisteredClaimNames.Email] = notification.Email;
}
if (notification.EmailVerified.HasValue)
{
payload[OpenIdConnectConstants.Claims.EmailVerified] = notification.EmailVerified.Value;
}
if (!string.IsNullOrEmpty(notification.FamilyName))
{
payload[JwtRegisteredClaimNames.FamilyName] = notification.FamilyName;
}
if (!string.IsNullOrEmpty(notification.GivenName))
{
payload[JwtRegisteredClaimNames.GivenName] = notification.GivenName;
}
if (!string.IsNullOrEmpty(notification.Issuer))
{
payload[JwtRegisteredClaimNames.Iss] = notification.Issuer;
}
if (!string.IsNullOrEmpty(notification.PhoneNumber))
{
payload[OpenIdConnectConstants.Claims.PhoneNumber] = notification.PhoneNumber;
}
if (notification.PhoneNumberVerified.HasValue)
{
payload[OpenIdConnectConstants.Claims.PhoneNumberVerified] = notification.PhoneNumberVerified.Value;
}
if (!string.IsNullOrEmpty(notification.PreferredUsername))
{
payload[OpenIdConnectConstants.Claims.PreferredUsername] = notification.PreferredUsername;
}
if (!string.IsNullOrEmpty(notification.Profile))
{
payload[OpenIdConnectConstants.Claims.Profile] = notification.Profile;
}
if (!string.IsNullOrEmpty(notification.Website))
{
payload[OpenIdConnectConstants.Claims.Website] = notification.Website;
}
switch (notification.Audiences.Count)
{
case 0: break;
case 1:
payload.Add(JwtRegisteredClaimNames.Aud, notification.Audiences[0]);
break;
default:
payload.Add(JwtRegisteredClaimNames.Aud, JArray.FromObject(notification.Audiences));
break;
}
foreach (var claim in notification.Claims)
{
// Ignore claims whose value is null.
if (claim.Value == null)
{
continue;
}
payload.Add(claim.Key, claim.Value);
}
var context = new ProfileEndpointResponseContext(Context, Options, request, payload);
await Options.Provider.ProfileEndpointResponse(context);
if (context.HandledResponse)
{
return(true);
}
using (var buffer = new MemoryStream())
using (var writer = new JsonTextWriter(new StreamWriter(buffer))) {
payload.WriteTo(writer);
writer.Flush();
Response.ContentLength = buffer.Length;
Response.ContentType = "application/json;charset=UTF-8";
Response.Headers[HeaderNames.CacheControl] = "no-cache";
Response.Headers[HeaderNames.Pragma] = "no-cache";
Response.Headers[HeaderNames.Expires] = "-1";
buffer.Seek(offset: 0, loc: SeekOrigin.Begin);
await buffer.CopyToAsync(Response.Body, 4096, Context.RequestAborted);
}
return(true);
}
public override Task ProfileEndpointResponse(ProfileEndpointResponseContext context)
{
return base.ProfileEndpointResponse(context);
}
/// <summary> /// Called before the ProfileEndpoint endpoint starts writing to the response stream. /// If the web application wishes to produce the userinfo response directly in the ProfileEndpoint call it may write to the /// context.Response directly and should call context.RequestCompleted to stop other handlers from executing. /// This call may also be used to add additional response parameters to the authorization response. /// </summary> /// <param name="context">The context of the event carries information in and results out.</param> /// <returns>Task to enable asynchronous execution</returns> public virtual Task ProfileEndpointResponse(ProfileEndpointResponseContext context) => OnProfileEndpointResponse(context);
