/// <summary>
/// Represents an event called for each validated userinfo request
/// to allow the user code to decide how the request should be handled.
/// </summary>
/// <param name="context">The context instance associated with this event.</param>
/// <returns>A <see cref="T:System.Threading.Tasks.Task" /> that can be used to monitor the asynchronous operation.</returns>
public override Task HandleUserinfoRequest(HandleUserinfoRequestContext context)
{
var result = base.HandleUserinfoRequest(context);
var clientId = context.Ticket?.Identity?.GetClaim("client_id");
var userName = context.Ticket?.Identity?.GetClaim("username");
if (clientId.IsNullOrWhiteSpace() || userName.IsNullOrWhiteSpace())
{
return(result);
}
// Populate requested/allowed claims
// See https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/issues/543
using (var rockContext = new RockContext())
{
var user = new UserLoginService(rockContext).GetByUserName(userName);
if (user == null)
{
return(result);
}
var requestedScopes = context.Ticket?.GetScopes();
var clientAllowedScopes = RockIdentityHelper.NarrowRequestedScopesToApprovedScopes(rockContext, clientId, requestedScopes);
var clientAllowedClaims = RockIdentityHelper.GetAllowedClientClaims(rockContext, clientId, clientAllowedScopes);
var claimsIdentity = RockIdentityHelper.GetRockClaimsIdentity(user, clientAllowedClaims, clientId);
foreach (var claim in claimsIdentity?.Claims)
{
context.Claims.Add(claim.Type, claim.Value);
}
}
return(result);
}
public override Task HandleUserinfoRequest([NotNull] HandleUserinfoRequestContext context)
{
// Invoke the rest of the pipeline to allow
// the user code to handle the userinfo request.
context.SkipToNextMiddleware();
return(Task.FromResult(0));
}
public override async Task HandleUserinfoRequest(HandleUserinfoRequestContext context)
{
var user = await _authManager.GetRolesByUGetUserWithRolesByUserNameAsync(context.Ticket.Principal.Identity.Name);
context.Claims.Add(OpenIdConnectConstants.Claims.Username, user.UserName);
context.Claims.Add("fullName", user.FullName);
context.Claims.Add(OpenIdConnectConstants.Claims.Email, user.Email);
context.Claims.Add("roles", user.UserRoles.Select(r => r.Role.Name).ToList().JsonSerializeObject());
}
public override Task HandleUserinfoRequest(HandleUserinfoRequestContext context)
{
// Note: by default, OpenIdConnectServerHandler automatically handles userinfo requests and directly
// writes the JSON response to the response stream. This sample uses a custom UserInfoController that
// handles userinfo requests: context.SkipToNextMiddleware() is called to bypass the default
// request processing executed by OpenIdConnectServerHandler.
context.SkipToNextMiddleware();
return(Task.FromResult <object>(null));
}
public override Task HandleUserinfoRequest(HandleUserinfoRequestContext context)
{
// Note: by default, the OpenID Connect server middleware automatically handles
// userinfo requests and directly writes the JSON response to the response stream.
// Calling context.SkipToNextMiddleware() bypasses the default request processing
// and delegates it to a custom ASP.NET Core MVC controller (UserinfoController).
context.SkipToNextMiddleware();
return(Task.FromResult(0));
}
public override async Task HandleUserinfoRequest([NotNull] HandleUserinfoRequestContext context)
{
var services = context.HttpContext.RequestServices.GetRequiredService <OpenIddictServices <TUser, TApplication> >();
var principal = context.Ticket?.Principal;
Debug.Assert(principal != null);
// Note: user may be null if the user has been removed.
// In this case, return a 400 response.
var user = await services.Users.GetUserAsync(principal);
if (user == null)
{
context.Response.StatusCode = 400;
context.HandleResponse();
return;
}
// Note: "sub" is a mandatory claim.
// See http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
context.Subject = await services.Users.GetUserIdAsync(user);
// Only add the "preferred_username" claim if the "profile" scope was present in the access token.
// Note: filtering the username is not needed at this stage as OpenIddictController.Accept
// and OpenIddictProvider.GrantResourceOwnerCredentials are expected to reject requests that
// don't include the "email" scope if the username corresponds to the registed email address.
if (context.Ticket.HasScope(OpenIdConnectConstants.Scopes.Profile))
{
context.PreferredUsername = await services.Users.GetUserNameAsync(user);
if (services.Users.SupportsUserClaim)
{
context.FamilyName = await services.Users.FindClaimAsync(user, ClaimTypes.Surname);
context.GivenName = await services.Users.FindClaimAsync(user, ClaimTypes.GivenName);
context.BirthDate = await services.Users.FindClaimAsync(user, ClaimTypes.DateOfBirth);
}
}
// Only add the email address details if the "email" scope was present in the access token.
if (services.Users.SupportsUserEmail && context.Ticket.HasScope(OpenIdConnectConstants.Scopes.Email))
{
context.Email = await services.Users.GetEmailAsync(user);
// Only add the "email_verified" claim
// if the email address is non-null.
if (!string.IsNullOrEmpty(context.Email))
{
context.EmailVerified = await services.Users.IsEmailConfirmedAsync(user);
}
}
;
// Only add the phone number details if the "phone" scope was present in the access token.
if (services.Users.SupportsUserPhoneNumber &&
context.Ticket.HasScope(OpenIdConnectConstants.Scopes.Phone))
{
context.PhoneNumber = await services.Users.GetPhoneNumberAsync(user);
// Only add the "phone_number_verified"
// claim if the phone number is non-null.
if (!string.IsNullOrEmpty(context.PhoneNumber))
{
context.PhoneNumberVerified = await services.Users.IsPhoneNumberConfirmedAsync(user);
}
}
// Only add the roles list if the "roles" scope was present in the access token.
if (services.Users.SupportsUserRole && context.Ticket.HasScope(OpenIddictConstants.Scopes.Roles))
{
var roles = await services.Users.GetRolesAsync(user);
if (roles.Count != 0)
{
context.Claims[OpenIddictConstants.Claims.Roles] = JArray.FromObject(roles);
}
}
}
public Task HandleUserinfoRequest(HandleUserinfoRequestContext context)
{
throw new NotImplementedException();
}
public override Task HandleUserinfoRequest([NotNull] HandleUserinfoRequestContext context) => _eventService.PublishAsync(new OpenIddictServerEvents.HandleUserinfoRequest(context));
public override async Task HandleUserinfoRequest([NotNull] HandleUserinfoRequestContext context)
{
var services = context.HttpContext.RequestServices.GetRequiredService <OpenIddictServices <TUser, TApplication, TAuthorization, TScope, TToken> >();
// Note: user may be null if the user was removed after the access token was issued.
var user = await services.Users.GetUserAsync(context.Ticket.Principal);
if (user == null)
{
services.Logger.LogError("The userinfo request was aborted because the user profile " +
"corresponding to the access token was not found in the database.");
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "The access token is no longer valid.");
return;
}
// Note: "sub" is a mandatory claim.
// See http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
context.Subject = await services.Users.GetUserIdAsync(user);
// Only add the "preferred_username" claim if the "profile" scope was present in the access token.
// Note: filtering the username is not needed at this stage as OpenIddictController.Accept
// and OpenIddictProvider.HandleTokenRequest are expected to reject requests that don't
// include the "email" scope if the username corresponds to the registed email address.
if (context.Ticket.HasScope(OpenIdConnectConstants.Scopes.Profile))
{
context.PreferredUsername = await services.Users.GetUserNameAsync(user);
if (services.Users.SupportsUserClaim)
{
context.FamilyName = await services.Users.FindClaimAsync(user, ClaimTypes.Surname);
context.GivenName = await services.Users.FindClaimAsync(user, ClaimTypes.GivenName);
context.BirthDate = await services.Users.FindClaimAsync(user, ClaimTypes.DateOfBirth);
}
}
// Only add the email address details if the "email" scope was present in the access token.
if (services.Users.SupportsUserEmail && context.Ticket.HasScope(OpenIdConnectConstants.Scopes.Email))
{
context.Email = await services.Users.GetEmailAsync(user);
// Only add the "email_verified" claim
// if the email address is non-null.
if (!string.IsNullOrEmpty(context.Email))
{
context.EmailVerified = await services.Users.IsEmailConfirmedAsync(user);
}
}
;
// Only add the phone number details if the "phone" scope was present in the access token.
if (services.Users.SupportsUserPhoneNumber && context.Ticket.HasScope(OpenIdConnectConstants.Scopes.Phone))
{
context.PhoneNumber = await services.Users.GetPhoneNumberAsync(user);
// Only add the "phone_number_verified"
// claim if the phone number is non-null.
if (!string.IsNullOrEmpty(context.PhoneNumber))
{
context.PhoneNumberVerified = await services.Users.IsPhoneNumberConfirmedAsync(user);
}
}
// Only add the roles list if the "roles" scope was present in the access token.
if (services.Users.SupportsUserRole && context.Ticket.HasScope(OpenIddictConstants.Scopes.Roles))
{
var roles = await services.Users.GetRolesAsync(user);
if (roles.Count != 0)
{
context.Claims[OpenIddictConstants.Claims.Roles] = JArray.FromObject(roles);
}
}
}
