public Task ValidateAsync(ExtensionGrantValidationContext context)
{
var response = new Dictionary <string, object>
{
{ "string_value", "some_string" },
{ "int_value", 42 },
{ "dto", CustomResponseDto.Create }
};
var credential = context.Request.Raw.Get("outcome");
if (credential == "succeed")
{
context.Result = new GrantValidationResult("bob", "custom", customResponse: response);
}
else
{
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "invalid_credential", response);
}
return(Task.CompletedTask);
}
public Task ValidateAsync(ExtensionGrantValidationContext context)
{
var phone = context.Request.Raw["phone"];
var code = context.Request.Raw["auth_code"];
if (_userStore.CheckVerificationCode(phone, code))
{
var userId = _userStore.CheckPhoneOrEmailAdd(phone);
if (!string.IsNullOrEmpty(userId))
{
context.Result = new GrantValidationResult(userId, "sms");
return(Task.CompletedTask);
}
else
{
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidClient, "添加用户失败");
return(Task.CompletedTask);
}
}
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidClient, "验证码不正确");
return(Task.CompletedTask);
}
public async Task ValidateAsync(ExtensionGrantValidationContext context)
{
var phone = context.Request.Raw["phone"];
var authcode = context.Request.Raw["auth_code"];
var errorValidateResult = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
if (string.IsNullOrEmpty(phone) || string.IsNullOrEmpty(authcode))
{
context.Result = errorValidateResult;
return;
}
//校验验证码
if (!_authCodeService.Validate(phone, authcode))
{
context.Result = errorValidateResult;
return;
}
//校验手机号是否存在,
var userInfoDto = await _userService.CheckOrCreateAsync(phone);
if (userInfoDto == null)
{
context.Result = errorValidateResult;
return;
}
var cliams = new List <Claim> {
new Claim("UserId", $"{userInfoDto?.Id}"),
new Claim(nameof(userInfoDto.Name), $"{userInfoDto?.Name}"),
new Claim(nameof(userInfoDto.Company), $"{userInfoDto?.Company}"),
new Claim(nameof(userInfoDto.Title), $"{userInfoDto?.Title}"),
new Claim(nameof(userInfoDto.Phone), $"{userInfoDto?.Phone}"),
new Claim(nameof(userInfoDto.Avatar), $"{userInfoDto?.Avatar}"),
};
context.Result = new GrantValidationResult(userInfoDto.Id.ToString(), GrantType, cliams);
}
public async Task ValidateAsync(ExtensionGrantValidationContext context)
{
var userName = context.Request.Raw["username"];
var password = "";
var scope = "";
SysUsrMstrDto dto = null;
var bizType = context.Request.Raw["bizType"];
var orgNo = context.Request.Raw["orgNo"];
var bgNo = context.Request.Raw["bgNo"];
if (string.IsNullOrEmpty(bizType) || string.IsNullOrEmpty(orgNo) || string.IsNullOrEmpty(bgNo))
{
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "invalid user credential");
}
else
{
dto = await _sysUsrMstrService.Login(userName, password, orgNo, bgNo, bizType);
if (dto != null)
{
var result = await _sysRoleMstrRepository.GetUserRoleScope(dto.Id);
if (result.Count != 0)
{
scope = result[0];
}
context.Result = new GrantValidationResult(
subject: userName,
authenticationMethod: "user",
claims: GetUserCliams(dto, scope)
);
}
else
{
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "invalid user credential");
}
}
}
public async Task ValidateAsync(ExtensionGrantValidationContext context)
{
var phone = context.Request.Raw["phone"];
var code = context.Request.Raw["auth_code"];
var errorValidationResult = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
if (string.IsNullOrWhiteSpace(phone) || string.IsNullOrWhiteSpace(code))
{
context.Result = errorValidationResult;
return;
}
//检查验证码
if (!_authCodeService.Validate(phone, code))
{
context.Result = errorValidationResult;
return;
}
//完成用户注册
var user = await _userService.CheckOrCreate(phone);
if (user == null)
{
context.Result = errorValidationResult;
return;
}
Claim[] claims = new Claim[] {
new Claim("name", user.Name ?? string.Empty),
new Claim("company", user.Company ?? string.Empty),
new Claim("title", user.Title ?? string.Empty),
new Claim("avatar", user.Avatar ?? string.Empty)
};
//获取用户信息 放入 Claim[], 也可以 在 ProfileService中的验证方法中 获取用户信息 放入 Claim[]
//这里 已经获取了用户信息,所有直接就完成上述操作
context.Result = new GrantValidationResult(user.UserId.ToString(), GrantType, claims);
}
public async Task ValidateAsync(ExtensionGrantValidationContext context)
{
var userInfo = context.Request.Raw["userInfo"];
var userId = context.Request.Raw["userId"];
var errorValidationResult = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
//用户不存在
if (string.IsNullOrWhiteSpace(userInfo) || string.IsNullOrWhiteSpace(userId))
{
errorValidationResult.ErrorDescription = "用户不存在";
context.Result = errorValidationResult;
return;
}
try
{
var claims = new Claim[]
{
new Claim("userInfo", userInfo),
//new Claim("phone",userInfo.PhoneNumber??string.Empty),
//new Claim("cardId",userInfo.CardId??string.Empty),
//new Claim(JwtClaimTypes.Subject, userInfo.Id.ToString()),
new Claim(JwtClaimTypes.Role, "doctor"),
};
context.Result = new GrantValidationResult(userId, GrantType, claims);
}
catch (Exception e)
{
_logger.LogError("ValidateAsync错误:" + e.StackTrace);
errorValidationResult.ErrorDescription = e.Message;
context.Result = errorValidationResult;
}
await Task.CompletedTask;
return;
}
/// <summary> Validates the asynchronous described by context. </summary>
/// <param name="context"> The context. </param>
/// <returns> A Task. </returns>
public async Task ValidateAsync(ExtensionGrantValidationContext context)
{
var userToken = context.Request.Raw.Get("token");
if (string.IsNullOrEmpty(userToken))
{
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
return;
}
var result = await _validator.ValidateAccessTokenAsync(userToken);
if (result.IsError)
{
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
return;
}
var delegationAllowed =
result.Client.Claims.Any(c => c.Type == GrantType && c.Value == context.Request.Client.ClientId);
if (!delegationAllowed)
{
_logger.LogInformation(
$"{result.Client.ClientName} not allowed to use delegation for {context.Request.Client.ClientName} (fitting Claim is missing).");
context.Result = new GrantValidationResult(TokenRequestErrors.UnauthorizedClient);
return;
}
// get user's identity
var sub = result.Claims.FirstOrDefault(c => c.Type == "sub").Value;
_logger.LogInformation(
$"Issuing DelegationGrant for {result.Claims.FirstOrDefault(c => c.Type == "email")?.Value}.");
// grant
context.Result = new GrantValidationResult(sub, "delegation", result.Claims);
}
public async Task ValidateAsync(ExtensionGrantValidationContext context)
{
var userToken = context.Request.Raw.Get("token");
if (string.IsNullOrEmpty(userToken))
{
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
return;
}
var result = await _validator.ValidateAccessTokenAsync(userToken);
if (result.IsError)
{
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
return;
}
// get user's identity
var sub = result.Claims.Where(c => c.Type == "sub").Select(c => c.Value).FirstOrDefault();
if (sub == null)
{
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
return;
}
/*
* When using delegation for calling from client to client
* The claims can differ so we need to set the ClientId to the
* ClientId of the Client we want to access. This can be achieved
* by adding the following line of code:
* context.Request.Client.ClientId = "private_api";
*/
context.Result = new GrantValidationResult(sub, GrantType);
return;
}
public async Task ValidateAsync_should_create_custom_result()
{
var validatorMock = new Mock <ITokenValidator>();
validatorMock.Setup(m => m.ValidateAccessTokenAsync(It.IsAny <string>(), It.IsAny <string>())).ReturnsAsync(new TokenValidationResult
{
IsError = false,
Claims = new Claim[]
{
new Claim(JwtClaimTypes.Subject, "test"),
new Claim(JwtClaimTypes.ClientId, "test")
}
});
var context = new ExtensionGrantValidationContext
{
Request = new ValidatedTokenRequest
{
Raw = new NameValueCollection
{
[OidcConstants.TokenRequest.SubjectToken] = "test",
[OidcConstants.TokenRequest.SubjectTokenType] = OidcConstants.TokenTypeIdentifiers.AccessToken,
["exchange_style"] = "custom"
},
Client = new Client
{
ClientId = "test"
}
}
};
var sut = new TokenExchangeGrantValidator(validatorMock.Object);
await sut.ValidateAsync(context).ConfigureAwait(false);
Assert.False(context.Result.IsError);
Assert.Contains(context.Result.Subject.Claims, c => c.Type == JwtClaimTypes.Subject && c.Value == "test");
Assert.Contains(context.Result.Subject.Claims, c => c.Type == JwtClaimTypes.AuthenticationMethod && c.Value == OidcConstants.GrantTypes.TokenExchange);
}
public async Task ValidateAsync(ExtensionGrantValidationContext context)
{
var phone = context.Request.Raw.Get("phone");
var authCode = context.Request.Raw.Get("auth_code");
var errorGrantValidatorResult = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
if (string.IsNullOrWhiteSpace(phone) || string.IsNullOrWhiteSpace(authCode))
{
context.Result = errorGrantValidatorResult;
return;
}
//检查验证码
if (!await _authCodeService.ValidateAsync(phone, authCode))
{
context.Result = errorGrantValidatorResult;
return;
}
//完成用户注册与登录
var user = await _userService.CheckOrAddUserAsync(phone);
if (user == null)
{
context.Result = errorGrantValidatorResult;
return;
}
var claims = new Claim[] {
new Claim(nameof(user.Name).ToLower(), user.Name ?? string.Empty),
new Claim(nameof(user.Company).ToLower(), user.Company ?? string.Empty),
new Claim(nameof(user.Title).ToLower(), user.Title ?? string.Empty),
new Claim(nameof(user.Avatar).ToLower(), user.Avatar ?? string.Empty),
};
context.Result = new GrantValidationResult(user.Id.ToString(), GrantType, claims);
return;
}
/// <summary>
///
/// </summary>
/// <param name="context"></param>
/// <returns></returns>
public async Task ValidateAsync(ExtensionGrantValidationContext context)
{
var phone = context.Request.Raw["phone"];
var code = context.Request.Raw["auth_code"];
var errorValidationResult = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
if (string.IsNullOrWhiteSpace(phone) || string.IsNullOrWhiteSpace(code))
{
context.Result = errorValidationResult;
return;
}
//检查验证码
if (!_authCodeService.Validate(phone, code))
{
context.Result = errorValidationResult;
return;
}
//完成用户注册
var userinfo = await _userService.CheckOrCreate(phone);
if (userinfo == null)
{
context.Result = errorValidationResult;
return;
}
var claims = new Claim[]
{
new Claim("name", userinfo.Name ?? string.Empty),
new Claim("company", userinfo.Company ?? string.Empty),
new Claim("title", userinfo.Tiltle ?? string.Empty),
new Claim("avatar", userinfo.Avatar ?? string.Empty),
};
context.Result = new GrantValidationResult(userinfo.Id.ToString(),
GrantType,
claims);
}
public Task ValidateAsync(ExtensionGrantValidationContext context)
{
context.Result = new GrantValidationResult(TokenErrors.InvalidRequest, "authentication");
var token = context.Request.Raw.Get("auth_token");
if (string.IsNullOrEmpty(token))
{
return(Task.FromResult(context.Result));
}
try
{
var authKey = DeserializeAuthToken(token);
if (!string.IsNullOrWhiteSpace(authKey))
{
context.Result = new GrantValidationResult(authKey, "authentication");
}
return(Task.FromResult(context.Result));
}
catch
{
return(Task.FromResult(context.Result));
}
}
public Task ValidateAsync(ExtensionGrantValidationContext context)
{
var rhubarb = context.Request.Raw.Get("rhubarb");
var custard = context.Request.Raw.Get("custard");
var music = context.Request.Raw.Get("music");
if (string.IsNullOrWhiteSpace(rhubarb) || string.IsNullOrWhiteSpace(custard) ||
string.IsNullOrWhiteSpace(music))
{
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
return(Task.FromResult(false));
}
if (bool.Parse(rhubarb) && bool.Parse(custard) && music == "ska")
{
var sub = "ThisIsNotGoodSub";
context.Result = new GrantValidationResult(sub, "my_crap_grant");
Task.FromResult(0);
}
context.Result = new GrantValidationResult(TokenRequestErrors.UnauthorizedClient);
return(Task.FromResult(false));
}
public async Task ValidateAsync(ExtensionGrantValidationContext context)
{
var token = context.Request.Raw.Get("token");
if (string.IsNullOrEmpty(token))
{
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
return;
}
var result = await _validator.ValidateAccessTokenAsync(token);
if (result.IsError)
{
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
return;
}
var sub = result.Claims.FirstOrDefault(x => x.Type == "sub").Value;
context.Result = new GrantValidationResult(sub, "delegation");
return;
}
public async Task ValidateAsync(ExtensionGrantValidationContext context)
{
var userToken = context.Request.Raw.Get("id_token");
if (string.IsNullOrEmpty(userToken))
{
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Token não pode ser nulo");
return;
}
//Usa biblioteca para acessar o google e pegar o perfil
GetProfile getProfile = new GetProfile();
//Classe com os campos de retorno do google
ObjetoGoogle profile = await getProfile.Acessar(userToken);
if (profile != null)
{
var usuario = await identityContext.Usuario.FirstOrDefaultAsync(u => u.Email.Equals(profile.email));
if (usuario != null)
{
context.Result = new GrantValidationResult(usuario.Id, "google");
return;
}
else
{
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Usuário não cadastrado");
return;
}
}
else
{
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Erro ao obter informações do Google, tente novamente");
return;
}
}
public async Task ValidateAsync(ExtensionGrantValidationContext context)
{
var phone = context.Request.Raw["phone"];
var code = context.Request.Raw["auth_code"];
if (string.IsNullOrEmpty(phone) || string.IsNullOrEmpty(code))
{
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "手机号或验证码不能为空");
return;
}
if (!_authCodeService.Validate(phone, code))
{
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "无效的验证码");
return;
}
int id = await _userService.CreateOrCheckAsync(phone);
if (id <= 0)
{
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "获取userid失败");
return;
}
context.Result = new GrantValidationResult(id.ToString(), GrantType);
}
public async Task ValidateAsync(ExtensionGrantValidationContext context)
{
var userToken = context.Request.Raw.Get("token");
if (string.IsNullOrEmpty(userToken))
{
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
return;
}
var result = await _validator.ValidateAccessTokenAsync(userToken);
if (result.IsError)
{
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
return;
}
// get user's identity
var sub = result.Claims.FirstOrDefault(c => c.Type == "sub")?.Value;
context.Result = new GrantValidationResult(sub, GrantType);
await Task.CompletedTask;
}
public async Task Build_ValidRequest_SuccessResult()
{
// Arrange
var expectedSub = this.successResult.SubjectTokenValidationResult.Claims.Sub();
var expectedClientId = this.successResult.SubjectTokenValidationResult.Client.ClientId;
var expectedClientClaim = "customValueFromSubject";
var tokenExchangeContext = new ExtensionGrantValidationContext()
{
Request = new ValidatedTokenRequest
{
Client = new Client
{
ClientId = "dummyClientFromRequest",
},
ClientClaims = new List <Claim> {
new Claim("client_custom_type", "customValueFromRequest")
}
}
};
this.requestValidatorMock.Setup(x => x.ValidateAsync(tokenExchangeContext.Request))
.ReturnsAsync(this.successResult);
var target = new TokenExchangeGrant(this.requestValidatorMock.Object, this.resultBuilder);
// Act
await target.ValidateAsync(tokenExchangeContext).ConfigureAwait(false);
// Assert
Assert.IsFalse(tokenExchangeContext.Result.IsError);
Assert.AreEqual(expectedSub, tokenExchangeContext.Result.Subject.Claims.Sub());
Assert.AreEqual(expectedClientId, tokenExchangeContext.Request.Client.ClientId);
Assert.AreEqual(expectedClientClaim, tokenExchangeContext.Request.ClientClaims.FirstOrDefault(c => c.Type == "client_custom_type").Value);
this.requestValidatorMock.Verify(v => v.ValidateAsync(It.IsAny <ValidatedTokenRequest>()), Times.Once());
}
public async Task ValidateAsync(ExtensionGrantValidationContext context)
{
var phone = context.Request.Raw["phone"];
var code = context.Request.AuthorizationCode;
var auth_code = context.Request.Raw["auth_code"];
var errorValidationResult = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
if (string.IsNullOrWhiteSpace(phone) || string.IsNullOrWhiteSpace(auth_code))
{
context.Result = errorValidationResult;
return;
}
//验证手机号码
if (!authCodeServce.Validate(phone, auth_code))
{
context.Result = errorValidationResult;
return;
}
//验证用户
var userInfo = await userServices.CheckOrCreate(phone);
if (userInfo == null)
{
context.Result = errorValidationResult;
return;
}
//返回正确的结果
var claims = new Claim[] {
new Claim("Name", userInfo.Name ?? string.Empty),
new Claim("Company", userInfo.Company),
new Claim("Title", userInfo.Title),
new Claim("Avatar", userInfo.Avatar)
};
context.Result = new GrantValidationResult(userInfo.Id.ToString(), GrantType, claims);
}
public async Task ValidateAsync(ExtensionGrantValidationContext context)
{
var provider = context.Request.Raw.Get("provider");
if (provider.IsEmpty())
{
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidRequest, "invalid provider");
return;
}
var providerType = (ProviderType)Enum.Parse(typeof(ProviderType), provider, true);
if (!Enum.IsDefined(typeof(ProviderType), providerType))
{
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidRequest, "invalid provider");
return;
}
var token = context.Request.Raw.Get("external_token");
if (token.IsEmpty())
{
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidRequest, "invalid external token");
return;
}
var userInfo = await _providers[providerType].GetUserInfoAsync(token);
if (userInfo == null)
{
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidRequest, "couldn't retrieve user info from specified provider, please make sure that access token is not expired.");
return;
}
context.Result = await _userProcessor.ExecuteAsync(userInfo, provider);
}
public async Task ValidateAsync(ExtensionGrantValidationContext context)
{
var code = context.Request.Raw["wechat_code"];
var errorvalidationResult = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
var obj = await _userServiceProxy.VerifyWechatAppletLoginUserByCode(code);
if (obj == null)
{
context.Result = errorvalidationResult;
return;
}
context.Result = new GrantValidationResult(
subject: obj.PartnerKey,
authenticationMethod: "custom",
claims: new Claim[] {
new Claim("UserId", obj.Id),
new Claim("Name", obj.PartnerKey),
new Claim("NickName", obj.PartnerKey)
}
);
}
public async Task ValidateAsync(ExtensionGrantValidationContext context)
{
var phone = context.Request.Raw["phone"];
var authcode = context.Request.Raw["authcode"];
if (string.IsNullOrEmpty(phone) || string.IsNullOrEmpty(authcode))
{
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
return;
}
if (!_authCodeService.Validate(phone, authcode))
{
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
return;
}
var userId = await _userService.CheckOrCreate(phone);
if (userId <= 0)
{
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
return;
}
context.Result = new GrantValidationResult(userId.ToString(), GrantType);
}
public async Task ValidateAsync(ExtensionGrantValidationContext context)
{
var name = context.Request.Raw["name"];
var code = context.Request.Raw["auth_code"];
var errorValidationResult = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
if (string.IsNullOrWhiteSpace(name) || string.IsNullOrWhiteSpace(code))
{
context.Result = errorValidationResult;
}
if (!_authCodeService.Validate(name, code))
{
context.Result = errorValidationResult;
return;
}
var userid = await _userService.CheckOrCreate(name);
if (userid <= 0)
{
context.Result = errorValidationResult;
return;
}
context.Result = new GrantValidationResult(userid.ToString(), GrantType);
}
public async Task ValidateAsync(ExtensionGrantValidationContext context)
{
var phone = context.Request.Raw["phone"];
var code = context.Request.Raw["auth_code"];
var error = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
////验证验证码
//if (!_authCodeService.Validate(phone, code))
//{
// context.Result = error;
// return;
//}
////用户注册
//var userId = await _userService.CheckOrCreate(phone);
//if (userId <= 0)
//{
// context.Result = error;
// return;
//}
//context.Result = new GrantValidationResult(userId.ToString(), GrantType);
context.Result = new GrantValidationResult("1", GrantType);
}
public async Task ValidateAsync(ExtensionGrantValidationContext context)
{
_logger.LogDebug("Start token request validation");
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
var raw = context.Request.Raw;
_validatedRequest = new ValidatedTokenRequest
{
Raw = raw ?? throw new ArgumentNullException(nameof(raw)),
Options = _options
};
var customTokenRequestValidationContext = new CustomTokenRequestValidationContext()
{
Result = new TokenRequestValidationResult(_validatedRequest)
};
await _arbitraryOpenIdConnectIdentityTokenRequestValidator.ValidateAsync(customTokenRequestValidationContext);
if (customTokenRequestValidationContext.Result.IsError)
{
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidRequest,
customTokenRequestValidationContext.Result.Error);
return;
}
var clientValidationResult = await _clientSecretValidator.ValidateAsync(_validatedRequest.Raw);
if (clientValidationResult == null)
{
throw new ArgumentNullException(nameof(clientValidationResult));
}
_validatedRequest.SetClient(clientValidationResult.Client, clientValidationResult.Secret);
/////////////////////////////////////////////
// check grant type
/////////////////////////////////////////////
var grantType = _validatedRequest.Raw.Get(OidcConstants.TokenRequest.GrantType);
if (grantType.IsMissing())
{
LogError("Grant type is missing");
context.Result = new GrantValidationResult(TokenRequestErrors.UnsupportedGrantType);
return;
}
if (grantType.Length > _options.InputLengthRestrictions.GrantType)
{
LogError("Grant type is too long");
context.Result = new GrantValidationResult(TokenRequestErrors.UnsupportedGrantType);
return;
}
// optional stuff;
var accessTokenLifetimeOverride = _validatedRequest.Raw.Get(Constants.AccessTokenLifetime);
if (!string.IsNullOrWhiteSpace(accessTokenLifetimeOverride))
{
var accessTokenLifetime = Int32.Parse(accessTokenLifetimeOverride);
if (accessTokenLifetime > 0 && accessTokenLifetime < context.Request.AccessTokenLifetime)
{
context.Request.AccessTokenLifetime = accessTokenLifetime;
}
else
{
var errorDescription =
$"{Constants.AccessTokenLifetime} out of range. Must be > 0 and less than configured AccessTokenLifetime.";
LogError(errorDescription);
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidRequest, errorDescription);
return;
}
}
var providerValidator = _providerValidatorManager.FetchProviderValidator(raw[Constants.Authority]);
var idToken = raw[Constants.IdToken];
var principal = await providerValidator.ValidateToken(idToken);
var subjectId = principal.GetClaimValue(ClaimTypes.NameIdentifier);
var newPrincipal = principal.AddUpdateClaim(ClaimTypes.NameIdentifier, $"myCompany.{subjectId}");
principal = newPrincipal;
_validatedRequest.GrantType = grantType;
var resource = await _resourceStore.GetAllResourcesAsync();
// get user's identity
_principalAugmenter.AugmentPrincipal(principal);
var userClaimsFinal = new List <Claim>()
{
new Claim(Constants.ArbitraryClaims, raw[Constants.ArbitraryClaims])
};
userClaimsFinal.AddRange(principal.Claims);
userClaimsFinal.Add(new Claim(ProfileServiceManager.Constants.ClaimKey, Constants.ArbitraryOpenIdConnectIdTokenProfileService));
context.Result = new GrantValidationResult(principal.GetNamedIdentifier(), Constants.ArbitraryOIDCResourceOwner, userClaimsFinal);
}
public async Task ValidateAsync(ExtensionGrantValidationContext context)
{
// defaults
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidRequest);
var customResponse = new Dictionary <string, object>
{
{ OidcConstants.TokenResponse.IssuedTokenType, OidcConstants.TokenTypeIdentifiers.AccessToken }
};
var subjectToken = context.Request.Raw.Get(OidcConstants.TokenRequest.SubjectToken);
var subjectTokenType = context.Request.Raw.Get(OidcConstants.TokenRequest.SubjectTokenType);
// mandatory parameters
if (string.IsNullOrWhiteSpace(subjectToken))
{
return;
}
if (!string.Equals(subjectTokenType, OidcConstants.TokenTypeIdentifiers.AccessToken))
{
return;
}
var validationResult = await _validator.ValidateAccessTokenAsync(subjectToken);
if (validationResult.IsError)
{
return;
}
var sub = validationResult.Claims.First(c => c.Type == JwtClaimTypes.Subject).Value;
var clientId = validationResult.Claims.First(c => c.Type == JwtClaimTypes.ClientId).Value;
var style = context.Request.Raw.Get("exchange_style");
if (style == "impersonation")
{
// set token client_id to original id
context.Request.ClientId = clientId;
context.Result = new GrantValidationResult(
subject: sub,
authenticationMethod: GrantType,
customResponse: customResponse);
}
else if (style == "delegation")
{
// set token client_id to original id
context.Request.ClientId = clientId;
var actor = new
{
client_id = context.Request.Client.ClientId
};
var actClaim = new Claim(JwtClaimTypes.Actor, JsonSerializer.Serialize(actor), IdentityServerConstants.ClaimValueTypes.Json);
context.Result = new GrantValidationResult(
subject: sub,
authenticationMethod: GrantType,
claims: new[] { actClaim },
customResponse: customResponse);
}
else if (style == "custom")
{
context.Result = new GrantValidationResult(
subject: sub,
authenticationMethod: GrantType,
customResponse: customResponse);
}
}
public async Task ValidateAsync(ExtensionGrantValidationContext context)
{
try
{
var providerName = context.Request.Raw.Get(TokenExchangeGrantParameters.Provider);
var externalToken = context.Request.Raw.Get(TokenExchangeGrantParameters.ExternalToken);
var requestEmail = context.Request.Raw.Get(TokenExchangeGrantParameters.Email);
if (string.IsNullOrWhiteSpace(providerName))
{
context.Result = GrantValidationResultHelpers.Error(TokenExchangeErrors.InvalidProvider);
return;
}
if (string.IsNullOrWhiteSpace(externalToken))
{
context.Result = GrantValidationResultHelpers.Error(TokenExchangeErrors.InvalidExternalToken);
return;
}
var provider = await _providerStore.GetProviderByNameAsync(providerName);
if (provider == null)
{
context.Result = GrantValidationResultHelpers.Error(TokenExchangeErrors.ProviderNotFound);
return;
}
var tokenService = _tokenServiceAccessor(providerName);
var userInfo = await tokenService.GetUserInfoAsync(externalToken);
if (userInfo == null)
{
context.Result = GrantValidationResultHelpers.Error(TokenExchangeErrors.UserInfoNotRetrieved);
return;
}
var externalId = userInfo.Value <string>("id");
if (!string.IsNullOrWhiteSpace(externalId))
{
var existingUserId = await _externalUserStore.FindByProviderAsync(providerName, externalId);
if (!string.IsNullOrWhiteSpace(existingUserId))
{
var claims = await _externalUserStore.GetUserClaimsByExternalIdAsync(externalId);
context.Result = GrantValidationResultHelpers.Success(existingUserId, providerName, claims);
}
}
if (string.IsNullOrWhiteSpace(requestEmail))
{
context.Result = await _nonEmailUserProcessor.ProcessAsync(userInfo, providerName);
return;
}
context.Result = await _emailUserProcessor.ProcessAsync(userInfo, requestEmail, providerName);
}
catch (Exception e)
{
context.Result = GrantValidationResultHelpers.Error(e.Message);
}
}
public Task ValidateAsync(ExtensionGrantValidationContext context)
{
throw new NotImplementedException();
}
public async Task ValidateAsync(ExtensionGrantValidationContext context)
{
var createUser = false;
var raw = context.Request.Raw;
var credential = raw.Get(OidcConstants.TokenRequest.GrantType);
if (credential == null || credential != Utils.AuthConstants.GrantType.PhoneNumberToken)
{
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "invalid verify_phone_number_token credential");
return;
}
var phoneNumber = raw.Get(Utils.AuthConstants.TokenRequest.PhoneNumber);
var verificationToken = raw.Get(Utils.AuthConstants.TokenRequest.Token);
var user = await _userManager.Users.SingleOrDefaultAsync(x =>
x.PhoneNumber == _userManager.NormalizeKey(phoneNumber));
if (user == null)
{
user = new User
{
UserName = phoneNumber,
PhoneNumber = phoneNumber,
SecurityStamp = new Secret("your_secret_key").Value + phoneNumber.Sha256()
};
createUser = true;
}
var result =
await _phoneNumberTokenProvider.ValidateAsync("verify_number", verificationToken, _userManager, user);
if (!result)
{
_logger.LogInformation("Authentication failed for token: {token}, reason: invalid token", verificationToken);
await _events.RaiseAsync(new UserLoginFailureEvent(verificationToken, "invalid token or verification id", false));
return;
}
if (createUser)
{
user.PhoneNumberConfirmed = true;
var resultCreation = await _userManager.CreateAsync(user);
if (resultCreation != IdentityResult.Success)
{
_logger.LogInformation("User creation failed: {username}, reason: invalid user", phoneNumber);
await _events.RaiseAsync(new UserLoginFailureEvent(phoneNumber,
resultCreation.Errors.Select(x => x.Description).Aggregate((a, b) => a + ", " + b), false));
return;
}
}
_logger.LogInformation("Credentials validated for username: {phoneNumber}", phoneNumber);
await _events.RaiseAsync(new UserLoginSuccessEvent(phoneNumber, user.Id, phoneNumber, false));
await _signInManager.SignInAsync(user, true);
context.Result = new GrantValidationResult(user.Id, OidcConstants.AuthenticationMethods.ConfirmationBySms);
}
public async Task ValidateAsync(ExtensionGrantValidationContext context)
{
/* the "id_token" is generated by Google after user logs in to Google, and in exchange an "id_token" can be retrieved.
* This id_token should be then submitted to our AuthServer by the client-side app to obtain an access_token from our AuthServer.
* Study this on Google's docs if you are not entirely familiar with how it is done: https://developers.google.com/identity/sign-in/web/backend-auth
* Also have a look at this article, especially part 3: https://www.linkedin.com/pulse/securing-net-core-web-api-identityserver4-resource-owner-dalvandi/?trk=mp-author-card
*/
var userToken = context.Request.Raw.Get("id_token");
if (string.IsNullOrEmpty(userToken))
{
context.Result = new GrantValidationResult(TokenErrors.InvalidGrant, null);
return;
}
// validating the google's "id_token" to confirm its integrity
HttpClient client = new HttpClient();
var request = client.GetAsync("https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=" + userToken).Result;
// if the token is in fact integral:
if (request.StatusCode == System.Net.HttpStatusCode.OK)
{
// obtain the user's information from Google
var result = await request.Content.ReadAsStringAsync();
var obj = JObject.Parse(result);
var GoogleUser = new GoogleUserObject
{
Email = obj["email"].ToString(),
EmailVerified = bool.Parse(obj["email_verified"].ToString()),
FirstName = obj["given_name"].ToString(),
LastName = obj["family_name"].ToString(),
};
var U = new UnitOfWork(this._context);
// check if the user already exists in our database:
var userExists = U.Auth.Find(u => u.Email == GoogleUser.Email).Count() > 0;
// if the user does not exist, create a user in our database:
if (!userExists)
{
var newUser = new User
{
Email = GoogleUser.Email,
EmailVerified = GoogleUser.EmailVerified,
FirstName = GoogleUser.FirstName,
LastName = GoogleUser.LastName,
PhoneNumber = "",
PhoneNumberVerified = false,
Password = "******",
Username = GoogleUser.Email,
Active = GoogleUser.EmailVerified
};
U.Auth.Add(newUser);
U.Complete();
}
// Authenticate the user and deliver the access_token and refresh_token to him/her:
var authUser = U.Auth.Find(u => u.Email == GoogleUser.Email).FirstOrDefault();
context.Result = new GrantValidationResult(authUser.Id.ToString(), "google");
return;
}
else
{
return;
}
}
