public async Task <GrantedToken> Execute(RefreshTokenGrantTypeParameter refreshTokenGrantTypeParameter)
{
if (refreshTokenGrantTypeParameter == null)
{
throw new ArgumentNullException(nameof(refreshTokenGrantTypeParameter));
}
// 1. Validate parameters
var grantedToken = await ValidateParameter(refreshTokenGrantTypeParameter);
// 2. Generate a new access token & insert it
var generatedToken = await _grantedTokenGeneratorHelper.GenerateTokenAsync(
grantedToken.ClientId,
grantedToken.Scope,
grantedToken.UserInfoPayLoad,
grantedToken.IdTokenPayLoad);
generatedToken.ParentTokenId = grantedToken.Id;
// 3. Fill-in the idtoken
if (generatedToken.IdTokenPayLoad != null)
{
await _jwtGenerator.UpdatePayloadDate(generatedToken.IdTokenPayLoad);
generatedToken.IdToken = await _clientHelper.GenerateIdTokenAsync(generatedToken.ClientId, generatedToken.IdTokenPayLoad);
}
await _tokenStore.AddToken(generatedToken);
_simpleIdentityServerEventSource.GrantAccessToClient(generatedToken.ClientId,
generatedToken.AccessToken,
generatedToken.Scope);
return(generatedToken);
}
public async Task <GrantedToken> Execute(RefreshTokenGrantTypeParameter refreshTokenGrantTypeParameter, AuthenticationHeaderValue authenticationHeaderValue, X509Certificate2 certificate, string issuerName)
{
if (refreshTokenGrantTypeParameter == null)
{
throw new ArgumentNullException(nameof(refreshTokenGrantTypeParameter));
}
// 1. Try to authenticate the client
var instruction = CreateAuthenticateInstruction(refreshTokenGrantTypeParameter, authenticationHeaderValue, certificate);
var authResult = await _authenticateClient.AuthenticateAsync(instruction, issuerName);
var client = authResult.Client;
if (authResult.Client == null)
{
_oauthEventSource.Info(authResult.ErrorMessage);
throw new IdentityServerException(ErrorCodes.InvalidClient, authResult.ErrorMessage);
}
// 2. Check client
if (client.GrantTypes == null || !client.GrantTypes.Contains(GrantType.refresh_token))
{
throw new IdentityServerException(ErrorCodes.InvalidClient,
string.Format(ErrorDescriptions.TheClientDoesntSupportTheGrantType, client.ClientId, GrantType.refresh_token));
}
// 3. Validate parameters
var grantedToken = await ValidateParameter(refreshTokenGrantTypeParameter);
if (grantedToken.ClientId != client.ClientId)
{
throw new IdentityServerException(ErrorCodes.InvalidGrant, ErrorDescriptions.TheRefreshTokenCanBeUsedOnlyByTheSameIssuer);
}
// 4. Generate a new access token & insert it
var generatedToken = await _grantedTokenGeneratorHelper.GenerateTokenAsync(
grantedToken.ClientId,
grantedToken.Scope,
issuerName,
grantedToken.UserInfoPayLoad,
grantedToken.IdTokenPayLoad);
generatedToken.ParentTokenId = grantedToken.Id;
// 5. Fill-in the idtoken
if (generatedToken.IdTokenPayLoad != null)
{
await _jwtGenerator.UpdatePayloadDate(generatedToken.IdTokenPayLoad);
generatedToken.IdToken = await _clientHelper.GenerateIdTokenAsync(generatedToken.ClientId, generatedToken.IdTokenPayLoad);
}
await _tokenStore.AddToken(generatedToken);
_oauthEventSource.GrantAccessToClient(generatedToken.ClientId,
generatedToken.AccessToken,
generatedToken.Scope);
return(generatedToken);
}
public async Task <GrantedToken> Execute(
AuthorizationCodeGrantTypeParameter authorizationCodeGrantTypeParameter,
AuthenticationHeaderValue authenticationHeaderValue)
{
if (authorizationCodeGrantTypeParameter == null)
{
throw new ArgumentNullException(nameof(authorizationCodeGrantTypeParameter));
}
var result = await ValidateParameter(
authorizationCodeGrantTypeParameter,
authenticationHeaderValue);
await _authorizationCodeStore.RemoveAuthorizationCode(result.AuthCode.Code); // 1. Invalidate the authorization code by removing it !
var grantedToken = await _grantedTokenHelper.GetValidGrantedTokenAsync(
result.AuthCode.Scopes,
result.AuthCode.ClientId,
result.AuthCode.IdTokenPayload,
result.AuthCode.UserInfoPayLoad);
if (grantedToken == null)
{
grantedToken = await _grantedTokenGeneratorHelper.GenerateTokenAsync(result.Client, result.AuthCode.Scopes, result.AuthCode.UserInfoPayLoad, result.AuthCode.IdTokenPayload);
_simpleIdentityServerEventSource.GrantAccessToClient(
result.AuthCode.ClientId,
grantedToken.AccessToken,
grantedToken.IdToken);
// Fill-in the id-token
if (grantedToken.IdTokenPayLoad != null)
{
await _jwtGenerator.UpdatePayloadDate(grantedToken.IdTokenPayLoad);
grantedToken.IdToken = await _clientHelper.GenerateIdTokenAsync(result.Client, grantedToken.IdTokenPayLoad);
}
await _tokenStore.AddToken(grantedToken);
}
return(grantedToken);
}
public async Task <GrantedToken> Execute(ClientCredentialsGrantTypeParameter clientCredentialsGrantTypeParameter, AuthenticationHeaderValue authenticationHeaderValue, X509Certificate2 certificate, string issuerName)
{
if (clientCredentialsGrantTypeParameter == null)
{
throw new ArgumentNullException(nameof(clientCredentialsGrantTypeParameter));
}
_clientCredentialsGrantTypeParameterValidator.Validate(clientCredentialsGrantTypeParameter);
// 1. Authenticate the client
var instruction = CreateAuthenticateInstruction(clientCredentialsGrantTypeParameter, authenticationHeaderValue, certificate);
var authResult = await _authenticateClient.AuthenticateAsync(instruction, issuerName);
var client = authResult.Client;
if (client == null)
{
throw new IdentityServerException(ErrorCodes.InvalidClient, authResult.ErrorMessage);
}
// 2. Check client
if (client.GrantTypes == null || !client.GrantTypes.Contains(GrantType.client_credentials))
{
throw new IdentityServerException(ErrorCodes.InvalidClient,
string.Format(ErrorDescriptions.TheClientDoesntSupportTheGrantType, client.ClientId, GrantType.client_credentials));
}
if (client.ResponseTypes == null || !client.ResponseTypes.Contains(ResponseType.token))
{
throw new IdentityServerException(ErrorCodes.InvalidClient,
string.Format(ErrorDescriptions.TheClientDoesntSupportTheResponseType, client.ClientId, ResponseType.token));
}
// 3. Check scopes
string allowedTokenScopes = string.Empty;
if (!string.IsNullOrWhiteSpace(clientCredentialsGrantTypeParameter.Scope))
{
var scopeValidation = _scopeValidator.Check(clientCredentialsGrantTypeParameter.Scope, client);
if (!scopeValidation.IsValid)
{
throw new IdentityServerException(
ErrorCodes.InvalidScope,
scopeValidation.ErrorMessage);
}
allowedTokenScopes = string.Join(" ", scopeValidation.Scopes);
}
// 4. Generate the JWT access token on the fly.
var grantedToken = await _grantedTokenHelper.GetValidGrantedTokenAsync(allowedTokenScopes, client.ClientId);
if (grantedToken == null)
{
grantedToken = await _grantedTokenGeneratorHelper.GenerateTokenAsync(client, allowedTokenScopes, issuerName);
await _tokenStore.AddToken(grantedToken);
_oauthEventSource.GrantAccessToClient(client.ClientId, grantedToken.AccessToken, allowedTokenScopes);
}
return(grantedToken);
}
public async Task <EndpointResult> Generate(
EndpointResult endpointResult,
AuthorizationParameter authorizationParameter,
ClaimsPrincipal claimsPrincipal,
Client client,
string?issuerName,
CancellationToken cancellationToken)
{
var allowedTokenScopes = string.Empty;
GrantedToken?grantedToken = null;
var responses = authorizationParameter.ResponseType.ParseResponseTypes();
var generateIdToken = await GenerateIdTokenPayload(
claimsPrincipal,
authorizationParameter,
issuerName,
cancellationToken)
.ConfigureAwait(false);
if (generateIdToken is Option <JwtPayload> .Result p)
{
var idTokenPayload = p.Item;
var payload = await GenerateUserInformationPayload(
claimsPrincipal,
authorizationParameter,
cancellationToken)
.ConfigureAwait(false);
if (payload is Option <JwtPayload> .Error er)
{
return(EndpointResult.CreateBadRequestResult(er.Details));
}
var userInformationPayload = (payload as Option <JwtPayload> .Result) !.Item;
if (responses.Contains(ResponseTypeNames.Token))
{
// 1. Generate an access token.
var tokenScopes = authorizationParameter.Scope.ParseScopes();
allowedTokenScopes = string.Join(' ', tokenScopes);
grantedToken = await _tokenStore.GetValidGrantedToken(
_jwksStore,
allowedTokenScopes,
client.ClientId,
cancellationToken,
idTokenJwsPayload : userInformationPayload,
userInfoJwsPayload : idTokenPayload)
.ConfigureAwait(false)
?? await client.GenerateToken(
_jwksStore,
tokenScopes,
issuerName,
userInformationPayload,
idTokenPayload,
cancellationToken : cancellationToken,
claimsPrincipal.Claims.Where(
c => client.UserClaimsToIncludeInAuthToken.Any(
r => r.IsMatch(c.Type)))
.ToArray())
.ConfigureAwait(false);
endpointResult = endpointResult with
{
RedirectInstruction = endpointResult.RedirectInstruction !.AddParameter(
StandardAuthorizationResponseNames.AccessTokenName,
grantedToken.AccessToken)
};
}
AuthorizationCode?authorizationCode = null;
var authorizationParameterClientId = authorizationParameter.ClientId;
if (responses.Contains(ResponseTypeNames.Code)) // 2. Generate an authorization code.
{
var subject = claimsPrincipal.GetSubject() !;
var assignedConsent = await _consentRepository
.GetConfirmedConsents(subject, authorizationParameter, cancellationToken)
.ConfigureAwait(false);
if (assignedConsent != null)
{
if (authorizationParameterClientId == null ||
authorizationParameter.RedirectUrl == null ||
authorizationParameter.Scope == null)
{
throw new ArgumentException(Strings.MissingValues, nameof(authorizationParameter));
}
// Insert a temporary authorization code
// It will be used later to retrieve tha id_token or an access token.
authorizationCode = new AuthorizationCode
{
Code = Id.Create(),
RedirectUri = authorizationParameter.RedirectUrl,
CreateDateTime = DateTimeOffset.UtcNow,
ClientId = authorizationParameterClientId,
Scopes = authorizationParameter.Scope,
IdTokenPayload = idTokenPayload,
UserInfoPayLoad = userInformationPayload
};
endpointResult = endpointResult with
{
RedirectInstruction = endpointResult.RedirectInstruction !.AddParameter(
StandardAuthorizationResponseNames.AuthorizationCodeName,
authorizationCode.Code)
};
}
}
_jwtGenerator.FillInOtherClaimsIdentityTokenPayload(
idTokenPayload,
authorizationCode == null ? string.Empty : authorizationCode.Code,
grantedToken == null ? string.Empty : grantedToken.AccessToken,
client);
if (grantedToken != null)
// 3. Insert the stateful access token into the DB OR insert the access token into the caching.
{
if (authorizationParameterClientId == null || authorizationParameter.ResponseType == null)
{
throw new ArgumentException(Strings.MissingValues, nameof(authorizationParameter));
}
await _tokenStore.AddToken(grantedToken, cancellationToken).ConfigureAwait(false);
await _eventPublisher.Publish(
new TokenGranted(
Id.Create(),
claimsPrincipal.GetSubject(),
authorizationParameterClientId,
allowedTokenScopes,
authorizationParameter.ResponseType,
DateTimeOffset.UtcNow))
.ConfigureAwait(false);
}
if (authorizationCode != null) // 4. Insert the authorization code into the caching.
{
if (client.RequirePkce)
{
authorizationCode = authorizationCode with
{
CodeChallenge = authorizationParameter.CodeChallenge ?? string.Empty,
CodeChallengeMethod = authorizationParameter.CodeChallengeMethod ?? string.Empty
};
}
await _authorizationCodeStore.Add(authorizationCode, cancellationToken).ConfigureAwait(false);
await _eventPublisher.Publish(
new AuthorizationGranted(
Id.Create(),
claimsPrincipal.GetSubject(),
authorizationParameterClientId !,
DateTimeOffset.UtcNow))
.ConfigureAwait(false);
}
if (responses.Contains(ResponseTypeNames.IdToken))
{
var idToken = await _clientStore.GenerateIdToken(
authorizationParameterClientId !,
idTokenPayload,
_jwksStore,
cancellationToken)
.ConfigureAwait(false);
endpointResult = endpointResult with
{
RedirectInstruction = endpointResult.RedirectInstruction !.AddParameter(
StandardAuthorizationResponseNames.IdTokenName,
idToken)
};
}
if (!string.IsNullOrWhiteSpace(authorizationParameter.State))
{
endpointResult = endpointResult with
{
RedirectInstruction = endpointResult.RedirectInstruction !.AddParameter(
StandardAuthorizationResponseNames.StateName,
authorizationParameter.State)
};
}
var sessionState = GetSessionState(
authorizationParameterClientId,
authorizationParameter.OriginUrl,
authorizationParameter.SessionId);
if (sessionState != null)
{
endpointResult = endpointResult with
{
RedirectInstruction = endpointResult.RedirectInstruction !.AddParameter(
StandardAuthorizationResponseNames.SessionState,
sessionState)
};
}
if (authorizationParameter.ResponseMode == ResponseModes.FormPost)
{
endpointResult = endpointResult with
{
Type = ActionResultType.RedirectToAction,
RedirectInstruction = endpointResult.RedirectInstruction !.AddParameter(
"redirect_uri",
authorizationParameter.RedirectUrl?.AbsoluteUri) with
{
Action = SimpleAuthEndPoints.FormIndex
}
};
}
// Set the response mode
if (endpointResult.Type == ActionResultType.RedirectToCallBackUrl)
{
var responseMode = authorizationParameter.ResponseMode;
if (responseMode == ResponseModes.None)
{
var responseTypes = authorizationParameter.ResponseType.ParseResponseTypes();
var authorizationFlow = responseTypes.GetAuthorizationFlow(authorizationParameter.State);
switch (authorizationFlow)
{
case Option <AuthorizationFlow> .Error error:
return(EndpointResult.CreateBadRequestResult(error.Details));
case Option <AuthorizationFlow> .Result r:
responseMode = CoreConstants.MappingAuthorizationFlowAndResponseModes[r.Item];
break;
}
}
endpointResult = endpointResult with
{
RedirectInstruction = endpointResult.RedirectInstruction !with {
ResponseMode = responseMode
}
};
}
return(endpointResult);
}
var e = generateIdToken as Option <JwtPayload> .Error;
return(EndpointResult.CreateBadRequestResult(e !.Details));
}
public async Task <GrantedToken> Execute(GetTokenViaTicketIdParameter parameter, AuthenticationHeaderValue authenticationHeaderValue, X509Certificate2 certificate, string issuerName)
{
// 1. Check parameters.
if (parameter == null)
{
throw new ArgumentNullException(nameof(parameter));
}
if (string.IsNullOrWhiteSpace(parameter.Ticket))
{
throw new BaseUmaException(ErrorCodes.InvalidRequestCode, string.Format(ErrorDescriptions.TheParameterNeedsToBeSpecified, PostAuthorizationNames.TicketId));
}
if (string.IsNullOrWhiteSpace(parameter.Ticket))
{
throw new ArgumentNullException(nameof(parameter.Ticket));
}
// 2. Try to authenticate the client.
var instruction = CreateAuthenticateInstruction(parameter, authenticationHeaderValue, certificate);
var authResult = await _authenticateClient.AuthenticateAsync(instruction, issuerName);
var client = authResult.Client;
if (client == null)
{
throw new BaseUmaException(ErrorCodes.InvalidClient, authResult.ErrorMessage);
}
if (client.GrantTypes == null || !client.GrantTypes.Contains(GrantType.uma_ticket))
{
throw new BaseUmaException(ErrorCodes.InvalidGrant, string.Format(ErrorDescriptions.TheClientDoesntSupportTheGrantType, client.ClientId, GrantType.uma_ticket));
}
// 3. Retrieve the ticket.
var json = JsonConvert.SerializeObject(parameter);
_umaServerEventSource.StartGettingAuthorization(json);
var ticket = await _ticketStore.GetAsync(parameter.Ticket);
if (ticket == null)
{
throw new BaseUmaException(ErrorCodes.InvalidTicket, string.Format(ErrorDescriptions.TheTicketDoesntExist, parameter.Ticket));
}
// 4. Check the ticket.
if (ticket.ExpirationDateTime < DateTime.UtcNow)
{
throw new BaseUmaException(ErrorCodes.ExpiredTicket, ErrorDescriptions.TheTicketIsExpired);
}
_umaServerEventSource.CheckAuthorizationPolicy(json);
var claimTokenParameter = new ClaimTokenParameter
{
Token = parameter.ClaimToken,
Format = parameter.ClaimTokenFormat
};
// 4. Check the authorization.
var authorizationResult = await _authorizationPolicyValidator.IsAuthorized(ticket, client.ClientId, claimTokenParameter);
if (authorizationResult.Type != AuthorizationPolicyResultEnum.Authorized)
{
_umaServerEventSource.RequestIsNotAuthorized(json);
throw new BaseUmaException(ErrorCodes.InvalidGrant, ErrorDescriptions.TheAuthorizationPolicyIsNotSatisfied);
}
// 5. Generate a granted token.
var grantedToken = await GenerateTokenAsync(client, ticket.Lines, "openid", issuerName);
await _tokenStore.AddToken(grantedToken);
await _ticketStore.RemoveAsync(ticket.Id);
return(grantedToken);
}
public async Task <GrantedToken> Execute(ResourceOwnerGrantTypeParameter resourceOwnerGrantTypeParameter, AuthenticationHeaderValue authenticationHeaderValue, X509Certificate2 certificate = null)
{
if (resourceOwnerGrantTypeParameter == null)
{
throw new ArgumentNullException(nameof(resourceOwnerGrantTypeParameter));
}
// 1. Try to authenticate the client
var instruction = CreateAuthenticateInstruction(resourceOwnerGrantTypeParameter, authenticationHeaderValue, certificate);
var authResult = await _authenticateClient.AuthenticateAsync(instruction);
var client = authResult.Client;
if (authResult.Client == null)
{
_simpleIdentityServerEventSource.Info(ErrorDescriptions.TheClientCannotBeAuthenticated);
client = await _clientRepository.GetClientByIdAsync(Constants.AnonymousClientId);
if (client == null)
{
throw new IdentityServerException(ErrorCodes.InternalError, string.Format(ErrorDescriptions.ClientIsNotValid, Constants.AnonymousClientId));
}
}
// 2. Try to authenticate a resource owner
var resourceOwner = await _authenticateResourceOwnerService.AuthenticateResourceOwnerAsync(resourceOwnerGrantTypeParameter.UserName, resourceOwnerGrantTypeParameter.Password);
if (resourceOwner == null)
{
throw new IdentityServerException(ErrorCodes.InvalidGrant, ErrorDescriptions.ResourceOwnerCredentialsAreNotValid);
}
// 3. Check if the requested scopes are valid
var allowedTokenScopes = string.Empty;
if (!string.IsNullOrWhiteSpace(resourceOwnerGrantTypeParameter.Scope))
{
var scopeValidation = _scopeValidator.Check(resourceOwnerGrantTypeParameter.Scope, client);
if (!scopeValidation.IsValid)
{
throw new IdentityServerException(ErrorCodes.InvalidScope, scopeValidation.ErrorMessage);
}
allowedTokenScopes = string.Join(" ", scopeValidation.Scopes);
}
// 4. Generate the user information payload and store it.
var claims = resourceOwner.Claims;
var claimsIdentity = new ClaimsIdentity(claims, "simpleIdentityServer");
var claimsPrincipal = new ClaimsPrincipal(claimsIdentity);
var authorizationParameter = new AuthorizationParameter
{
Scope = resourceOwnerGrantTypeParameter.Scope
};
var payload = await _jwtGenerator.GenerateUserInfoPayloadForScopeAsync(claimsPrincipal, authorizationParameter);
var generatedToken = await _grantedTokenHelper.GetValidGrantedTokenAsync(allowedTokenScopes, client.ClientId, payload, payload);
if (generatedToken == null)
{
generatedToken = await _grantedTokenGeneratorHelper.GenerateTokenAsync(client, allowedTokenScopes, payload, payload);
if (generatedToken.IdTokenPayLoad != null)
{
await _jwtGenerator.UpdatePayloadDate(generatedToken.IdTokenPayLoad);
generatedToken.IdToken = await _clientHelper.GenerateIdTokenAsync(client, generatedToken.IdTokenPayLoad);
}
await _tokenStore.AddToken(generatedToken);
_simpleIdentityServerEventSource.GrantAccessToClient(client.ClientId, generatedToken.AccessToken, allowedTokenScopes);
}
return(generatedToken);
}
public async Task <GrantedToken> Execute(ResourceOwnerGrantTypeParameter resourceOwnerGrantTypeParameter, AuthenticationHeaderValue authenticationHeaderValue, X509Certificate2 certificate, string issuerName)
{
if (resourceOwnerGrantTypeParameter == null)
{
throw new ArgumentNullException(nameof(resourceOwnerGrantTypeParameter));
}
// 1. Try to authenticate the client
var instruction = CreateAuthenticateInstruction(resourceOwnerGrantTypeParameter, authenticationHeaderValue, certificate);
var authResult = await _authenticateClient.AuthenticateAsync(instruction, issuerName);
var client = authResult.Client;
if (authResult.Client == null)
{
_oauthEventSource.Info(authResult.ErrorMessage);
throw new IdentityServerException(ErrorCodes.InvalidClient, authResult.ErrorMessage);
}
// 2. Check the client.
if (client.GrantTypes == null || !client.GrantTypes.Contains(GrantType.password))
{
throw new IdentityServerException(ErrorCodes.InvalidClient,
string.Format(ErrorDescriptions.TheClientDoesntSupportTheGrantType, client.ClientId, GrantType.password));
}
if (client.ResponseTypes == null || !client.ResponseTypes.Contains(ResponseType.token) || !client.ResponseTypes.Contains(ResponseType.id_token))
{
throw new IdentityServerException(ErrorCodes.InvalidClient, string.Format(ErrorDescriptions.TheClientDoesntSupportTheResponseType, client.ClientId, "token id_token"));
}
// 3. Try to authenticate a resource owner
var resourceOwner = await _resourceOwnerAuthenticateHelper.Authenticate(resourceOwnerGrantTypeParameter.UserName,
resourceOwnerGrantTypeParameter.Password,
resourceOwnerGrantTypeParameter.AmrValues);
if (resourceOwner == null)
{
throw new IdentityServerException(ErrorCodes.InvalidGrant, ErrorDescriptions.ResourceOwnerCredentialsAreNotValid);
}
// 4. Check if the requested scopes are valid
var allowedTokenScopes = string.Empty;
if (!string.IsNullOrWhiteSpace(resourceOwnerGrantTypeParameter.Scope))
{
var scopeValidation = _scopeValidator.Check(resourceOwnerGrantTypeParameter.Scope, client);
if (!scopeValidation.IsValid)
{
throw new IdentityServerException(ErrorCodes.InvalidScope, scopeValidation.ErrorMessage);
}
allowedTokenScopes = string.Join(" ", scopeValidation.Scopes);
}
// 5. Generate the user information payload and store it.
var claims = resourceOwner.Claims;
var claimsIdentity = new ClaimsIdentity(claims, "simpleIdentityServer");
var claimsPrincipal = new ClaimsPrincipal(claimsIdentity);
var authorizationParameter = new AuthorizationParameter
{
Scope = resourceOwnerGrantTypeParameter.Scope
};
var payload = await _jwtGenerator.GenerateIdTokenPayloadForScopesAsync(claimsPrincipal, authorizationParameter, issuerName);
var generatedToken = await _grantedTokenHelper.GetValidGrantedTokenAsync(allowedTokenScopes, client.ClientId, payload, payload);
if (generatedToken == null)
{
generatedToken = await _grantedTokenGeneratorHelper.GenerateTokenAsync(client, allowedTokenScopes, issuerName, payload, payload);
if (generatedToken.IdTokenPayLoad != null)
{
await _jwtGenerator.UpdatePayloadDate(generatedToken.IdTokenPayLoad);
generatedToken.IdToken = await _clientHelper.GenerateIdTokenAsync(client, generatedToken.IdTokenPayLoad);
}
await _tokenStore.AddToken(generatedToken);
_oauthEventSource.GrantAccessToClient(client.ClientId, generatedToken.AccessToken, allowedTokenScopes);
}
return(generatedToken);
}
public async Task ExecuteAsync(ActionResult actionResult, AuthorizationParameter authorizationParameter, ClaimsPrincipal claimsPrincipal, Client client)
{
if (actionResult == null || actionResult.RedirectInstruction == null)
{
throw new ArgumentNullException(nameof(actionResult));
}
;
if (authorizationParameter == null)
{
throw new ArgumentNullException(nameof(authorizationParameter));
}
if (claimsPrincipal == null)
{
throw new ArgumentNullException(nameof(claimsPrincipal));
}
if (client == null)
{
throw new ArgumentNullException(nameof(client));
}
var newAccessTokenGranted = false;
var allowedTokenScopes = string.Empty;
GrantedToken grantedToken = null;
var newAuthorizationCodeGranted = false;
AuthorizationCode authorizationCode = null;
_simpleIdentityServerEventSource.StartGeneratingAuthorizationResponseToClient(authorizationParameter.ClientId,
authorizationParameter.ResponseType);
var responses = _parameterParserHelper.ParseResponseTypes(authorizationParameter.ResponseType);
var idTokenPayload = await GenerateIdTokenPayload(claimsPrincipal, authorizationParameter);
var userInformationPayload = await GenerateUserInformationPayload(claimsPrincipal, authorizationParameter);
if (responses.Contains(ResponseType.token)) // 1. Generate an access token.
{
if (!string.IsNullOrWhiteSpace(authorizationParameter.Scope))
{
allowedTokenScopes = string.Join(" ", _parameterParserHelper.ParseScopes(authorizationParameter.Scope));
}
grantedToken = await _grantedTokenHelper.GetValidGrantedTokenAsync(allowedTokenScopes, client.ClientId,
userInformationPayload, idTokenPayload);
if (grantedToken == null)
{
grantedToken = await _grantedTokenGeneratorHelper.GenerateTokenAsync(client, allowedTokenScopes,
userInformationPayload, idTokenPayload);
newAccessTokenGranted = true;
}
actionResult.RedirectInstruction.AddParameter(Constants.StandardAuthorizationResponseNames.AccessTokenName,
grantedToken.AccessToken);
}
if (responses.Contains(ResponseType.code)) // 2. Generate an authorization code.
{
var subject = claimsPrincipal == null ? string.Empty : claimsPrincipal.GetSubject();
var assignedConsent = await _consentHelper.GetConfirmedConsentsAsync(subject, authorizationParameter);
if (assignedConsent != null)
{
// Insert a temporary authorization code
// It will be used later to retrieve tha id_token or an access token.
authorizationCode = new AuthorizationCode
{
Code = Guid.NewGuid().ToString(),
RedirectUri = authorizationParameter.RedirectUrl,
CreateDateTime = DateTime.UtcNow,
ClientId = authorizationParameter.ClientId,
Scopes = authorizationParameter.Scope,
IdTokenPayload = idTokenPayload,
UserInfoPayLoad = userInformationPayload
};
newAuthorizationCodeGranted = true;
actionResult.RedirectInstruction.AddParameter(Constants.StandardAuthorizationResponseNames.AuthorizationCodeName,
authorizationCode.Code);
}
}
_jwtGenerator.FillInOtherClaimsIdentityTokenPayload(idTokenPayload,
authorizationCode == null ? string.Empty : authorizationCode.Code,
grantedToken == null ? string.Empty : grantedToken.AccessToken,
authorizationParameter, client);
if (newAccessTokenGranted) // 3. Insert the stateful access token into the DB OR insert the access token into the caching.
{
await _tokenStore.AddToken(grantedToken);
_simpleIdentityServerEventSource.GrantAccessToClient(authorizationParameter.ClientId,
grantedToken.AccessToken,
allowedTokenScopes);
}
if (newAuthorizationCodeGranted) // 4. Insert the authorization code into the caching.
{
if (client.RequirePkce)
{
authorizationCode.CodeChallenge = authorizationParameter.CodeChallenge;
authorizationCode.CodeChallengeMethod = authorizationParameter.CodeChallengeMethod;
}
await _authorizationCodeStore.AddAuthorizationCode(authorizationCode);
_simpleIdentityServerEventSource.GrantAuthorizationCodeToClient(authorizationParameter.ClientId,
authorizationCode.Code,
authorizationParameter.Scope);
}
if (responses.Contains(ResponseType.id_token))
{
var idToken = await GenerateIdToken(idTokenPayload, authorizationParameter);
actionResult.RedirectInstruction.AddParameter(Constants.StandardAuthorizationResponseNames.IdTokenName, idToken);
}
if (!string.IsNullOrWhiteSpace(authorizationParameter.State))
{
actionResult.RedirectInstruction.AddParameter(Constants.StandardAuthorizationResponseNames.StateName, authorizationParameter.State);
}
var sessionState = GetSessionState(authorizationParameter.ClientId, authorizationParameter.OriginUrl, authorizationParameter.SessionId);
if (sessionState != null)
{
actionResult.RedirectInstruction.AddParameter(Constants.StandardAuthorizationResponseNames.SessionState, sessionState);
}
if (authorizationParameter.ResponseMode == ResponseMode.form_post)
{
actionResult.Type = TypeActionResult.RedirectToAction;
actionResult.RedirectInstruction.Action = IdentityServerEndPoints.FormIndex;
actionResult.RedirectInstruction.AddParameter("redirect_uri", authorizationParameter.RedirectUrl);
}
// Set the response mode
if (actionResult.Type == TypeActionResult.RedirectToCallBackUrl)
{
var responseMode = authorizationParameter.ResponseMode;
if (responseMode == ResponseMode.None)
{
var responseTypes = _parameterParserHelper.ParseResponseTypes(authorizationParameter.ResponseType);
var authorizationFlow = _authorizationFlowHelper.GetAuthorizationFlow(responseTypes,
authorizationParameter.State);
responseMode = GetResponseMode(authorizationFlow);
}
actionResult.RedirectInstruction.ResponseMode = responseMode;
}
_simpleIdentityServerEventSource.EndGeneratingAuthorizationResponseToClient(authorizationParameter.ClientId,
actionResult.RedirectInstruction.Parameters.SerializeWithJavascript());
}
public async Task <GetTokenByTicketIdResponse> Execute(GetTokenViaTicketIdParameter parameter, string openidProvider, string issuerName)
{
// 1. Check parameters.
if (parameter == null)
{
throw new ArgumentNullException(nameof(parameter));
}
if (string.IsNullOrWhiteSpace(parameter.Ticket))
{
throw new BaseUmaException(ErrorCodes.InvalidRequestCode, string.Format(ErrorDescriptions.TheParameterNeedsToBeSpecified, PostAuthorizationNames.TicketId));
}
if (string.IsNullOrWhiteSpace(parameter.Ticket))
{
throw new ArgumentNullException(nameof(parameter.Ticket));
}
if (string.IsNullOrWhiteSpace(openidProvider))
{
throw new ArgumentNullException(nameof(openidProvider));
}
// 2. Retrieve the ticket.
var json = JsonConvert.SerializeObject(parameter);
_umaServerEventSource.StartGettingAuthorization(json);
var ticket = await _ticketStore.GetAsync(parameter.Ticket).ConfigureAwait(false);
if (ticket == null)
{
throw new BaseUmaException(ErrorCodes.InvalidTicket, string.Format(ErrorDescriptions.TheTicketDoesntExist, parameter.Ticket));
}
// 3. Check the ticket.
if (ticket.ExpirationDateTime < DateTime.UtcNow)
{
throw new BaseUmaException(ErrorCodes.ExpiredTicket, ErrorDescriptions.TheTicketIsExpired);
}
_umaServerEventSource.CheckAuthorizationPolicy(json);
var claimTokenParameter = new ClaimTokenParameter
{
Token = parameter.ClaimToken,
Format = parameter.ClaimTokenFormat
};
// 4. Check the authorization.
var authorizationResult = await _authorizationPolicyValidator.IsAuthorized(openidProvider, ticket, claimTokenParameter).ConfigureAwait(false);
if (!authorizationResult.IsValid)
{
_umaServerEventSource.RequestIsNotAuthorized(json);
return(new GetTokenByTicketIdResponse
{
IsValid = false,
ResourceValidationResult = authorizationResult
});
}
// 5. Generate a granted token.
var grantedToken = await GenerateTokenAsync(ticket.Audiences, ticket.Lines, "openid", issuerName).ConfigureAwait(false);
await _tokenStore.AddToken(grantedToken);
await _ticketStore.RemoveAsync(ticket.Id);
return(new GetTokenByTicketIdResponse
{
IsValid = true,
GrantedToken = grantedToken
});
}
