/// <summary>
/// Serialize and sign the authentication ticket.
/// </summary>
/// <returns>The serialized and signed ticket.</returns>
public Task <string> SerializeTicketAsync()
{
if (SecurityTokenHandler == null)
{
return(Task.FromResult <string>(null));
}
// Work around a bug introduced in System.IdentityModel.Tokens for ASP.NET 5.
// See https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/133
var identity = (ClaimsIdentity)AuthenticationTicket.Principal.Identity;
for (var actor = identity.Actor; actor != null; actor = actor.Actor)
{
actor.BootstrapContext = new JwtSecurityToken(claims: actor.Claims);
}
// When creating an identity token intended for a single audience, it's usually better
// to format the "aud" claim as a string, but CreateToken doesn't support multiple audiences:
// to work around this limitation, audience is initialized with a single resource and
// JwtPayload.Aud is replaced with an array containing the multiple resources if necessary.
// See http://openid.net/specs/openid-connect-core-1_0.html#IDToken
var token = SecurityTokenHandler.CreateToken(
subject: identity, issuer: Issuer,
audience: Audiences.ElementAtOrDefault(0),
signatureProvider: SignatureProvider,
signingCredentials: SigningCredentials,
notBefore: AuthenticationTicket.Properties.IssuedUtc.Value.UtcDateTime,
expires: AuthenticationTicket.Properties.ExpiresUtc.Value.UtcDateTime);
if (Audiences.Count() > 1)
{
token.Payload[JwtRegisteredClaimNames.Aud] = Audiences.ToArray();
}
return(Task.FromResult(SecurityTokenHandler.WriteToken(token)));
}