public async Task Code_Request_PKCE_Missing_CodeVerifier(string clientId) { var client = await _clients.FindClientByIdAsync(clientId); var store = new InMemoryAuthorizationCodeStore(); var options = new IdentityServerOptions(); var code = new AuthorizationCode { Client = client, Subject = IdentityServerPrincipal.Create("123", "bob"), RedirectUri = "https://server/cb", CodeChallenge = "x".Repeat(options.InputLengthRestrictions.CodeChallengeMinLength + 1), CodeChallengeMethod = Constants.CodeChallengeMethods.Plain, RequestedScopes = new List <Scope> { new Scope { Name = "openid" } } }; await store.StoreAsync("valid", code); var validator = Factory.CreateTokenRequestValidator( authorizationCodeStore: store); var parameters = new NameValueCollection(); parameters.Add(Constants.TokenRequest.GrantType, Constants.GrantTypes.AuthorizationCode); parameters.Add(Constants.TokenRequest.Code, "valid"); parameters.Add(Constants.TokenRequest.RedirectUri, "https://server/cb"); var result = await validator.ValidateRequestAsync(parameters, client); result.IsError.Should().BeTrue(); result.Error.Should().Be(Constants.TokenErrors.InvalidGrant); }
public async Task Authenticated_User_with_restricted_current_Idp_must_SignIn() { var users = new Mock <IUserService>(); var generator = new AuthorizeInteractionResponseGenerator(options, null, users.Object, new DefaultLocalizationService()); var request = new ValidatedAuthorizeRequest { ClientId = "foo", Subject = IdentityServerPrincipal.Create("123", "dom"), Client = new Client { IdentityProviderRestrictions = new List <string> { "some_idp" } } }; var result = await generator.ProcessClientLoginAsync(request); result.IsLogin.Should().BeTrue(); }
public DefaultClaimsServiceTests() { _validatedRequest = new ValidatedRequest { }; _client = new Client { ClientId = "client", Claims = { new Claim("some_claim", "some_claim_value") } }; _user = IdentityServerPrincipal.Create("bob", "bob", new Claim[] { new Claim("foo", "foo1"), new Claim("foo", "foo2"), new Claim("bar", "bar1"), new Claim("bar", "bar2"), new Claim(JwtClaimTypes.AuthenticationContextClassReference, "acr1") }); _subject = new DefaultClaimsService(_mockMockProfileService, TestLogger.Create <DefaultClaimsService>()); }
public async Task valid_pkce_token_request_with_plain_method_should_succeed_hybrid() { var client = await _clients.FindEnabledClientByIdAsync("hybridclient.pkce"); var grants = Factory.CreateGrantService(); var verifier = "x".Repeat(lengths.CodeVerifierMinLength); var code = new AuthorizationCode { Subject = IdentityServerPrincipal.Create("123", "bob"), ClientId = client.ClientId, Lifetime = client.AuthorizationCodeLifetime, RedirectUri = "https://server/cb", CodeChallenge = verifier.Sha256(), CodeChallengeMethod = OidcConstants.CodeChallengeMethods.Plain, RequestedScopes = new List <string> { "openid" } }; await grants.StoreAuthorizationCodeAsync("valid", code); var validator = Factory.CreateTokenRequestValidator( grants: grants); var parameters = new NameValueCollection(); parameters.Add(OidcConstants.TokenRequest.GrantType, OidcConstants.GrantTypes.AuthorizationCode); parameters.Add(OidcConstants.TokenRequest.Code, "valid"); parameters.Add(OidcConstants.TokenRequest.CodeVerifier, verifier); parameters.Add(OidcConstants.TokenRequest.RedirectUri, "https://server/cb"); var result = await validator.ValidateRequestAsync(parameters, client); result.IsError.Should().BeFalse(); }
public async Task Authenticated_User_with_local_Idp_must_SignIn_when_client_options_does_not_allow_local_logins() { options.AuthenticationOptions.EnableLocalLogin = true; var users = new Mock <IUserService>(); var generator = new AuthorizeInteractionResponseGenerator(options, null, users.Object, new DefaultLocalizationService()); var request = new ValidatedAuthorizeRequest { ClientId = "foo", Subject = IdentityServerPrincipal.Create("123", "dom"), Client = new Client { ClientId = "foo", EnableLocalLogin = false } }; var principal = IdentityServerPrincipal.Create("123", "dom"); var result = await generator.ProcessClientLoginAsync(request); result.IsLogin.Should().BeTrue(); }
public async Task valid_id_token_hint_but_no_post_logout_redirect_uri_should_not_use_any_of_multiple_registered_post_logout_redirect_uri() { await _mockPipeline.LoginAsync(IdentityServerPrincipal.Create("bob", "Bob Loblaw")); _mockPipeline.BrowserClient.AllowAutoRedirect = false; var url = _mockPipeline.CreateAuthorizeUrl( clientId: "client2", responseType: "id_token", scope: "openid", redirectUri: "https://client2/callback", state: "123_state", nonce: "123_nonce"); var response = await _mockPipeline.BrowserClient.GetAsync(url); var authorization = new IdentityModel.Client.AuthorizeResponse(response.Headers.Location.ToString()); var id_token = authorization.IdentityToken; _mockPipeline.BrowserClient.AllowAutoRedirect = true; response = await _mockPipeline.BrowserClient.GetAsync(IdentityServerPipeline.EndSessionEndpoint + "?id_token_hint=" + id_token); _mockPipeline.LogoutRequest.PostLogoutRedirectUri.Should().BeNull(); }
public async Task signin_response_should_allow_successful_authorization_response() { _mockPipeline.Subject = IdentityServerPrincipal.Create("bob", "Bob Loblaw"); _mockPipeline.BrowserClient.StopRedirectingAfter = 2; var url = _mockPipeline.CreateAuthorizeUrl( clientId: "client1", responseType: "id_token", scope: "openid", redirectUri: "https://client1/callback", state: "123_state", nonce: "123_nonce"); var response = await _mockPipeline.BrowserClient.GetAsync(url); response.StatusCode.Should().Be(HttpStatusCode.Redirect); response.Headers.Location.ToString().Should().StartWith("https://client1/callback"); var authorization = new IdentityModel.Client.AuthorizeResponse(response.Headers.Location.ToString()); authorization.IsError.Should().BeFalse(); authorization.IdentityToken.Should().NotBeNull(); authorization.State.Should().Be("123_state"); }
public Task <ClaimsPrincipal> ValidateAsync(ValidatedTokenRequest request) { if (request.GrantType != "custom") { return(Task.FromResult <ClaimsPrincipal>(null)); } var assertion = request.Raw.Get("assertion"); if (string.IsNullOrWhiteSpace(assertion)) { return(Task.FromResult <ClaimsPrincipal>(null)); } // validate assertion and return principal var principal = IdentityServerPrincipal.Create( "bob", "bob", "custom_grant", "idsrv"); return(Task.FromResult(principal)); }
public async Task valid_signout_callback_should_render_iframes_for_all_clients() { await _mockPipeline.LoginAsync(IdentityServerPrincipal.Create("bob", "Bob Loblaw")); var sid = _mockPipeline.GetSessionCookie().Value; _mockPipeline.BrowserClient.AllowAutoRedirect = false; var url = _mockPipeline.CreateAuthorizeUrl( clientId: "client1", responseType: "id_token", scope: "openid", redirectUri: "https://client1/callback", state: "123_state", nonce: "123_nonce"); var response = await _mockPipeline.BrowserClient.GetAsync(url); var url2 = _mockPipeline.CreateAuthorizeUrl( clientId: "client2", responseType: "id_token", scope: "openid", redirectUri: "https://client2/callback", state: "123_state", nonce: "123_nonce"); var response2 = await _mockPipeline.BrowserClient.GetAsync(url2); _mockPipeline.BrowserClient.AllowAutoRedirect = true; response = await _mockPipeline.BrowserClient.GetAsync(IdentityServerPipeline.EndSessionEndpoint); var signoutFrameUrl = _mockPipeline.LogoutRequest.SignOutIFrameUrl; response = await _mockPipeline.BrowserClient.GetAsync(signoutFrameUrl); var html = await response.Content.ReadAsStringAsync(); html.Should().Contain("https://client1/signout?sid=" + sid + "&iss=" + UrlEncoder.Default.Encode("https://server")); html.Should().Contain("https://client2/signout?sid=" + sid + "&iss=" + UrlEncoder.Default.Encode("https://server")); }
public async Task Code_Request_with_disabled_User() { var client = await _clients.FindClientByIdAsync("codeclient"); var store = new InMemoryAuthorizationCodeStore(); var code = new AuthorizationCode { Client = client, Subject = IdentityServerPrincipal.Create("123", "bob"), RedirectUri = "https://server/cb", RequestedScopes = new List <Scope> { new Scope { Name = "openid" } } }; await store.StoreAsync("valid", code); var validator = Factory.CreateTokenRequestValidator( authorizationCodeStore: store, profile: new TestProfileService(shouldBeActive: false)); var parameters = new NameValueCollection(); parameters.Add(OidcConstants.TokenRequest.GrantType, OidcConstants.GrantTypes.AuthorizationCode); parameters.Add(OidcConstants.TokenRequest.Code, "valid"); parameters.Add(OidcConstants.TokenRequest.RedirectUri, "https://server/cb"); var result = await validator.ValidateRequestAsync(parameters, client); result.IsError.Should().BeTrue(); result.Error.Should().Be(OidcConstants.TokenErrors.InvalidRequest); }
public async Task token_request_with_missing_code_challenge_should_fail(string clientId) { var client = await _clients.FindEnabledClientByIdAsync(clientId); var grants = Factory.CreateAuthorizationCodeStore(); var code = new AuthorizationCode { CreationTime = DateTime.UtcNow, Subject = IdentityServerPrincipal.Create("123", "bob"), ClientId = client.ClientId, Lifetime = client.AuthorizationCodeLifetime, RedirectUri = "https://server/cb", RequestedScopes = new List <string> { "openid" } }; var handle = await grants.StoreAuthorizationCodeAsync(code); var validator = Factory.CreateTokenRequestValidator( authorizationCodeStore: grants); var parameters = new NameValueCollection(); parameters.Add(OidcConstants.TokenRequest.GrantType, OidcConstants.GrantTypes.AuthorizationCode); parameters.Add(OidcConstants.TokenRequest.Code, handle); parameters.Add(OidcConstants.TokenRequest.CodeVerifier, "x".Repeat(lengths.CodeVerifierMinLength)); parameters.Add(OidcConstants.TokenRequest.RedirectUri, "https://server/cb"); var result = await validator.ValidateRequestAsync(parameters, client); result.IsError.Should().BeTrue(); result.Error.Should().Be(OidcConstants.TokenErrors.InvalidGrant); }
public async Task Code_Request_with_disabled_User() { var client = await _clients.FindEnabledClientByIdAsync("codeclient"); var store = Factory.CreateAuthorizationCodeStore(); var code = new AuthorizationCode { CreationTime = DateTime.UtcNow, ClientId = client.ClientId, Lifetime = client.AuthorizationCodeLifetime, Subject = IdentityServerPrincipal.Create("123", "bob"), RedirectUri = "https://server/cb", RequestedScopes = new List <string> { "openid" } }; var handle = await store.StoreAuthorizationCodeAsync(code); var validator = Factory.CreateTokenRequestValidator( authorizationCodeStore: store, profile: new TestProfileService(shouldBeActive: false)); var parameters = new NameValueCollection(); parameters.Add(OidcConstants.TokenRequest.GrantType, OidcConstants.GrantTypes.AuthorizationCode); parameters.Add(OidcConstants.TokenRequest.Code, handle); parameters.Add(OidcConstants.TokenRequest.RedirectUri, "https://server/cb"); var result = await validator.ValidateRequestAsync(parameters, client.ToValidationResult()); result.IsError.Should().BeTrue(); result.Error.Should().Be(OidcConstants.TokenErrors.InvalidGrant); }
public async Task RemoveAllGrantsAsync_should_remove_all_grants() { await _subject.StoreUserConsentAsync(new Consent { ClientId = "client1", SubjectId = "123", Scopes = new[] { "foo1", "foo2" } }); await _subject.StoreUserConsentAsync(new Consent { ClientId = "client2", SubjectId = "123", Scopes = new[] { "foo3" } }); await _subject.StoreUserConsentAsync(new Consent { ClientId = "client1", SubjectId = "456", Scopes = new[] { "foo3" } }); await _subject.StoreReferenceTokenAsync("key1", new Token { ClientId = "client1", Audience = "aud", CreationTime = DateTime.Now, Type = "type", Claims = new List <Claim> { new Claim("sub", "123"), new Claim("scope", "bar1"), new Claim("scope", "bar2") } }); await _subject.StoreReferenceTokenAsync("key2", new Token { ClientId = "client2", Audience = "aud", CreationTime = DateTime.Now, Type = "type", Claims = new List <Claim> { new Claim("sub", "123"), new Claim("scope", "bar3") } }); await _subject.StoreReferenceTokenAsync("key3", new Token { ClientId = "client1", Audience = "aud", CreationTime = DateTime.Now, Type = "type", Claims = new List <Claim> { new Claim("sub", "456"), new Claim("scope", "bar3") } }); await _subject.StoreRefreshTokenAsync("key4", new RefreshToken { CreationTime = DateTime.Now, Lifetime = 10, AccessToken = new Token { ClientId = "client1", Audience = "aud", CreationTime = DateTime.Now, Type = "type", Claims = new List <Claim> { new Claim("sub", "123"), new Claim("scope", "baz1"), new Claim("scope", "baz2") } }, Version = 1 }); await _subject.StoreRefreshTokenAsync("key5", new RefreshToken { CreationTime = DateTime.Now, Lifetime = 10, AccessToken = new Token { ClientId = "client1", Audience = "aud", CreationTime = DateTime.Now, Type = "type", Claims = new List <Claim> { new Claim("sub", "456"), new Claim("scope", "baz3") } }, Version = 1 }); await _subject.StoreRefreshTokenAsync("key6", new RefreshToken { CreationTime = DateTime.Now, Lifetime = 10, AccessToken = new Token { ClientId = "client2", Audience = "aud", CreationTime = DateTime.Now, Type = "type", Claims = new List <Claim> { new Claim("sub", "123"), new Claim("scope", "baz3") } }, Version = 1 }); await _subject.StoreAuthorizationCodeAsync("key7", new AuthorizationCode { ClientId = "client1", CreationTime = DateTime.Now, Lifetime = 10, Subject = _user, CodeChallenge = "challenge", RedirectUri = "http://client/cb", Nonce = "nonce", RequestedScopes = new[] { "quux1", "quux2" } }); await _subject.StoreAuthorizationCodeAsync("key8", new AuthorizationCode { ClientId = "client2", CreationTime = DateTime.Now, Lifetime = 10, Subject = _user, CodeChallenge = "challenge", RedirectUri = "http://client/cb", Nonce = "nonce", RequestedScopes = new[] { "quux3" } }); await _subject.StoreAuthorizationCodeAsync("key9", new AuthorizationCode { ClientId = "client1", CreationTime = DateTime.Now, Lifetime = 10, Subject = IdentityServerPrincipal.Create("456", "alice"), CodeChallenge = "challenge", RedirectUri = "http://client/cb", Nonce = "nonce", RequestedScopes = new[] { "quux3" } }); await _subject.RemoveAllGrantsAsync("123", "client1"); (await _subject.GetReferenceTokenAsync("key1")).Should().BeNull(); (await _subject.GetReferenceTokenAsync("key2")).Should().NotBeNull(); (await _subject.GetReferenceTokenAsync("key3")).Should().NotBeNull(); (await _subject.GetRefreshTokenAsync("key4")).Should().BeNull(); (await _subject.GetRefreshTokenAsync("key5")).Should().NotBeNull(); (await _subject.GetRefreshTokenAsync("key6")).Should().NotBeNull(); (await _subject.GetAuthorizationCodeAsync("key7")).Should().BeNull(); (await _subject.GetAuthorizationCodeAsync("key8")).Should().NotBeNull(); (await _subject.GetAuthorizationCodeAsync("key9")).Should().NotBeNull(); }
public async Task RemoveAllGrantsAsync_should_remove_all_grants() { await _userConsent.StoreUserConsentAsync(new Consent() { ClientId = "client1", SubjectId = "123", Scopes = new string[] { "foo1", "foo2" } }); await _userConsent.StoreUserConsentAsync(new Consent() { ClientId = "client2", SubjectId = "123", Scopes = new string[] { "foo3" } }); await _userConsent.StoreUserConsentAsync(new Consent() { ClientId = "client1", SubjectId = "456", Scopes = new string[] { "foo3" } }); var handle1 = await _referenceTokens.StoreReferenceTokenAsync(new Token() { ClientId = "client1", Audiences = { "aud" }, CreationTime = DateTime.UtcNow, Lifetime = 10, Type = "type", Claims = new List <Claim> { new Claim("sub", "123"), new Claim("scope", "bar1"), new Claim("scope", "bar2"), }, }); var handle2 = await _referenceTokens.StoreReferenceTokenAsync(new Token() { ClientId = "client2", Audiences = { "aud" }, CreationTime = DateTime.UtcNow, Lifetime = 10, Type = "type", Claims = new List <Claim> { new Claim("sub", "123"), new Claim("scope", "bar3"), }, }); var handle3 = await _referenceTokens.StoreReferenceTokenAsync(new Token() { ClientId = "client1", Audiences = { "aud" }, CreationTime = DateTime.UtcNow, Lifetime = 10, Type = "type", Claims = new List <Claim> { new Claim("sub", "456"), new Claim("scope", "bar3"), }, }); var handle4 = await _refreshTokens.StoreRefreshTokenAsync(new RefreshToken() { CreationTime = DateTime.UtcNow, Lifetime = 10, AccessToken = new Token { ClientId = "client1", Audiences = { "aud" }, CreationTime = DateTime.UtcNow, Type = "type", Claims = new List <Claim> { new Claim("sub", "123"), new Claim("scope", "baz1"), new Claim("scope", "baz2") } }, Version = 1 }); var handle5 = await _refreshTokens.StoreRefreshTokenAsync(new RefreshToken() { CreationTime = DateTime.UtcNow, Lifetime = 10, AccessToken = new Token { ClientId = "client1", Audiences = { "aud" }, CreationTime = DateTime.UtcNow, Type = "type", Claims = new List <Claim> { new Claim("sub", "456"), new Claim("scope", "baz3"), } }, Version = 1 }); var handle6 = await _refreshTokens.StoreRefreshTokenAsync(new RefreshToken() { CreationTime = DateTime.UtcNow, Lifetime = 10, AccessToken = new Token { ClientId = "client2", Audiences = { "aud" }, CreationTime = DateTime.UtcNow, Type = "type", Claims = new List <Claim> { new Claim("sub", "123"), new Claim("scope", "baz3"), } }, Version = 1 }); var handle7 = await _codes.StoreAuthorizationCodeAsync(new AuthorizationCode() { ClientId = "client1", CreationTime = DateTime.UtcNow, Lifetime = 10, Subject = _user, CodeChallenge = "challenge", RedirectUri = "http://client/cb", Nonce = "nonce", RequestedScopes = new string[] { "quux1", "quux2" } }); var handle8 = await _codes.StoreAuthorizationCodeAsync(new AuthorizationCode() { ClientId = "client2", CreationTime = DateTime.UtcNow, Lifetime = 10, Subject = _user, CodeChallenge = "challenge", RedirectUri = "http://client/cb", Nonce = "nonce", RequestedScopes = new string[] { "quux3" } }); var handle9 = await _codes.StoreAuthorizationCodeAsync(new AuthorizationCode() { ClientId = "client1", CreationTime = DateTime.UtcNow, Lifetime = 10, Subject = IdentityServerPrincipal.Create("456", "alice"), CodeChallenge = "challenge", RedirectUri = "http://client/cb", Nonce = "nonce", RequestedScopes = new string[] { "quux3" } }); await _subject.RemoveAllGrantsAsync("123", "client1"); (await _referenceTokens.GetReferenceTokenAsync(handle1)).Should().BeNull(); (await _referenceTokens.GetReferenceTokenAsync(handle2)).Should().NotBeNull(); (await _referenceTokens.GetReferenceTokenAsync(handle3)).Should().NotBeNull(); (await _refreshTokens.GetRefreshTokenAsync(handle4)).Should().BeNull(); (await _refreshTokens.GetRefreshTokenAsync(handle5)).Should().NotBeNull(); (await _refreshTokens.GetRefreshTokenAsync(handle6)).Should().NotBeNull(); (await _codes.GetAuthorizationCodeAsync(handle7)).Should().BeNull(); (await _codes.GetAuthorizationCodeAsync(handle8)).Should().NotBeNull(); (await _codes.GetAuthorizationCodeAsync(handle9)).Should().NotBeNull(); }
private async Task <ValidationResult> ValidateRefreshTokenRequestAsync(NameValueCollection parameters) { Logger.Info("Start validation of refresh token request"); var refreshTokenHandle = parameters.Get(Constants.TokenRequest.RefreshToken); if (refreshTokenHandle.IsMissing()) { var error = "Refresh token is missing"; LogError(error); RaiseRefreshTokenRefreshFailureEvent(null, error); return(Invalid(Constants.TokenErrors.InvalidRequest)); } _validatedRequest.RefreshTokenHandle = refreshTokenHandle; ///////////////////////////////////////////// // check if refresh token is valid ///////////////////////////////////////////// var refreshToken = await _refreshTokens.GetAsync(refreshTokenHandle); if (refreshToken == null) { var error = "Refresh token is invalid"; LogWarn(error); RaiseRefreshTokenRefreshFailureEvent(refreshTokenHandle, error); return(Invalid(Constants.TokenErrors.InvalidGrant)); } ///////////////////////////////////////////// // check if refresh token has expired ///////////////////////////////////////////// if (refreshToken.CreationTime.HasExceeded(refreshToken.LifeTime)) { var error = "Refresh token has expired"; LogWarn(error); RaiseRefreshTokenRefreshFailureEvent(refreshTokenHandle, error); await _refreshTokens.RemoveAsync(refreshTokenHandle); return(Invalid(Constants.TokenErrors.InvalidGrant)); } ///////////////////////////////////////////// // check if client belongs to requested refresh token ///////////////////////////////////////////// if (_validatedRequest.Client.ClientId != refreshToken.ClientId) { LogError(string.Format("Client {0} tries to refresh token belonging to client {1}", _validatedRequest.Client.ClientId, refreshToken.ClientId)); RaiseRefreshTokenRefreshFailureEvent(refreshTokenHandle, "Invalid client binding"); return(Invalid(Constants.TokenErrors.InvalidGrant)); } ///////////////////////////////////////////// // check if client still has offline_access scope ///////////////////////////////////////////// if (_validatedRequest.Client.ScopeRestrictions != null && _validatedRequest.Client.ScopeRestrictions.Count != 0) { if (!_validatedRequest.Client.ScopeRestrictions.Contains(Constants.StandardScopes.OfflineAccess)) { var error = "Client does not have access to offline_access scope anymore"; LogError(error); RaiseRefreshTokenRefreshFailureEvent(refreshTokenHandle, error); return(Invalid(Constants.TokenErrors.InvalidGrant)); } } _validatedRequest.RefreshToken = refreshToken; ///////////////////////////////////////////// // make sure user is enabled ///////////////////////////////////////////// var principal = IdentityServerPrincipal.FromSubjectId(_validatedRequest.RefreshToken.SubjectId, refreshToken.AccessToken.Claims); if (await _users.IsActiveAsync(principal) == false) { var error = "User has been disabled: " + _validatedRequest.RefreshToken.SubjectId; LogError(error); RaiseRefreshTokenRefreshFailureEvent(refreshTokenHandle, error); return(Invalid(Constants.TokenErrors.InvalidRequest)); } Logger.Info("Validation of refresh token request success"); return(Valid()); }
private async Task <TokenRequestValidationResult> ValidateRefreshTokenRequestAsync(NameValueCollection parameters) { Logger.Info("Start validation of refresh token request"); var refreshTokenHandle = parameters.Get(Constants.TokenRequest.RefreshToken); if (refreshTokenHandle.IsMissing()) { var error = "Refresh token is missing"; LogError(error); await RaiseRefreshTokenRefreshFailureEventAsync(null, error); return(Invalid(Constants.TokenErrors.InvalidRequest)); } if (refreshTokenHandle.Length > _options.InputLengthRestrictions.RefreshToken) { var error = "Refresh token too long"; LogError(error); await RaiseRefreshTokenRefreshFailureEventAsync(null, error); return(Invalid(Constants.TokenErrors.InvalidGrant)); } _validatedRequest.RefreshTokenHandle = refreshTokenHandle; ///////////////////////////////////////////// // check if refresh token is valid ///////////////////////////////////////////// var refreshToken = await _refreshTokens.GetAsync(refreshTokenHandle); if (refreshToken == null) { var error = "Refresh token is invalid"; LogWarn(error); await RaiseRefreshTokenRefreshFailureEventAsync(refreshTokenHandle, error); return(Invalid(Constants.TokenErrors.InvalidGrant)); } ///////////////////////////////////////////// // check if refresh token has expired ///////////////////////////////////////////// if (refreshToken.CreationTime.HasExceeded(refreshToken.LifeTime)) { var error = "Refresh token has expired"; LogWarn(error); await RaiseRefreshTokenRefreshFailureEventAsync(refreshTokenHandle, error); await _refreshTokens.RemoveAsync(refreshTokenHandle); return(Invalid(Constants.TokenErrors.InvalidGrant)); } ///////////////////////////////////////////// // check if client belongs to requested refresh token ///////////////////////////////////////////// if (_validatedRequest.Client.ClientId != refreshToken.ClientId) { LogError(string.Format("Client {0} tries to refresh token belonging to client {1}", _validatedRequest.Client.ClientId, refreshToken.ClientId)); await RaiseRefreshTokenRefreshFailureEventAsync(refreshTokenHandle, "Invalid client binding"); return(Invalid(Constants.TokenErrors.InvalidGrant)); } ///////////////////////////////////////////// // check if client still has offline_access scope ///////////////////////////////////////////// if (!_validatedRequest.Client.AllowAccessToAllScopes) { if (!_validatedRequest.Client.AllowedScopes.Contains(Constants.StandardScopes.OfflineAccess)) { var error = "Client does not have access to offline_access scope anymore"; LogError(error); await RaiseRefreshTokenRefreshFailureEventAsync(refreshTokenHandle, error); return(Invalid(Constants.TokenErrors.InvalidGrant)); } } ///////////////////////////////////////////// // check if client still has access to // all scopes from the original token request ///////////////////////////////////////////// if (!_validatedRequest.Client.AllowAccessToAllScopes) { foreach (var scope in refreshToken.Scopes) { if (!_validatedRequest.Client.AllowedScopes.Contains(scope)) { var error = "Client does not have access to a requested scope anymore: " + scope; LogError(error); await RaiseRefreshTokenRefreshFailureEventAsync(refreshTokenHandle, error); return(Invalid(Constants.TokenErrors.InvalidGrant)); } } } _validatedRequest.RefreshToken = refreshToken; ///////////////////////////////////////////// // make sure user is enabled ///////////////////////////////////////////// var principal = IdentityServerPrincipal.FromSubjectId(_validatedRequest.RefreshToken.SubjectId, refreshToken.AccessToken.Claims); var isActiveCtx = new IsActiveContext(principal, _validatedRequest.Client); await _users.IsActiveAsync(isActiveCtx); if (isActiveCtx.IsActive == false) { var error = "User has been disabled: " + _validatedRequest.RefreshToken.SubjectId; LogError(error); await RaiseRefreshTokenRefreshFailureEventAsync(refreshTokenHandle, error); return(Invalid(Constants.TokenErrors.InvalidRequest)); } ///////////////////////////////////////////// // validate token type and PoP parameters if pop token is requested ///////////////////////////////////////////// var tokenType = parameters.Get("token_type"); if (tokenType != null && tokenType == "pop") { var result = ValidatePopParameters(parameters); if (result.IsError) { var error = "PoP parameter validation failed: " + result.ErrorDescription; LogError(error); await RaiseRefreshTokenRefreshFailureEventAsync(refreshTokenHandle, error); return(Invalid(result.Error, result.ErrorDescription)); } else { _validatedRequest.RequestedTokenType = RequestedTokenTypes.PoP; } } Logger.Info("Validation of refresh token request success"); return(Valid()); }
/// <summary> /// Issues the login cookie for IdentityServer. /// </summary> /// <param name="env">The OWIN environment.</param> /// <param name="login">The login information.</param> /// <exception cref="System.ArgumentNullException"> /// env /// or /// login /// </exception> public static void IssueLoginCookie(this IDictionary <string, object> env, AuthenticatedLogin login) { if (env == null) { throw new ArgumentNullException("env"); } if (login == null) { throw new ArgumentNullException("login"); } var options = env.ResolveDependency <IdentityServerOptions>(); var sessionCookie = env.ResolveDependency <SessionCookie>(); var context = new OwinContext(env); var props = new AuthenticationProperties(); // if false, then they're explicit in preventing a persistent cookie if (login.PersistentLogin != false) { if (login.PersistentLogin == true || options.AuthenticationOptions.CookieOptions.IsPersistent) { props.IsPersistent = true; if (login.PersistentLogin == true) { var expires = login.PersistentLoginExpiration ?? DateTimeHelper.UtcNow.Add(options.AuthenticationOptions.CookieOptions.RememberMeDuration); props.ExpiresUtc = expires; } } } var authenticationMethod = login.AuthenticationMethod; var identityProvider = login.IdentityProvider ?? Constants.BuiltInIdentityProvider; if (String.IsNullOrWhiteSpace(authenticationMethod)) { if (identityProvider == Constants.BuiltInIdentityProvider) { authenticationMethod = Constants.AuthenticationMethods.Password; } else { authenticationMethod = Constants.AuthenticationMethods.External; } } var user = IdentityServerPrincipal.Create(login.Subject, login.Name, authenticationMethod, identityProvider, Constants.PrimaryAuthenticationType); var identity = user.Identities.First(); var claims = login.Claims; if (claims != null && claims.Any()) { claims = claims.Where(x => !Constants.OidcProtocolClaimTypes.Contains(x.Type)); claims = claims.Where(x => x.Type != Constants.ClaimTypes.Name); identity.AddClaims(claims); } context.Authentication.SignIn(props, identity); sessionCookie.IssueSessionId(login.PersistentLogin, login.PersistentLoginExpiration); }
/// <summary> /// Issues the login cookie for IdentityServer. /// </summary> /// <param name="env">The OWIN environment.</param> /// <param name="login">The login information.</param> /// <exception cref="System.ArgumentNullException"> /// env /// or /// login /// </exception> public static void IssueLoginCookie(this IDictionary <string, object> env, AuthenticatedLogin login, string partialSignInUrl = null, string loginId = null) { if (env == null) { throw new ArgumentNullException("env"); } if (login == null) { throw new ArgumentNullException("login"); } bool isPartial = !string.IsNullOrEmpty(partialSignInUrl); var options = env.ResolveDependency <IdentityServerOptions>(); var sessionCookie = env.ResolveDependency <SessionCookie>(); var context = new OwinContext(env); var props = new AuthenticationProperties(); //If the login id is empty, populate it from the request query. if (string.IsNullOrEmpty(loginId)) { var id = context.Request.Query.Get(Constants.Authentication.SigninQueryParamName); if (String.IsNullOrWhiteSpace(id)) { return; //We don't have a login id... Abort. } loginId = id; } // if false, then they're explicit in preventing a persistent cookie if (login.PersistentLogin != false) { if (login.PersistentLogin == true || options.AuthenticationOptions.CookieOptions.IsPersistent) { props.IsPersistent = true; if (login.PersistentLogin == true) { var expires = login.PersistentLoginExpiration ?? DateTimeHelper.UtcNow.Add(options.AuthenticationOptions.CookieOptions.RememberMeDuration); props.ExpiresUtc = expires; } } } //Populate the authentication metho and identity sources. var authenticationMethod = login.AuthenticationMethod; var identityProvider = login.IdentityProvider ?? Constants.BuiltInIdentityProvider; if (String.IsNullOrWhiteSpace(authenticationMethod)) { if (identityProvider == Constants.BuiltInIdentityProvider) { authenticationMethod = Constants.AuthenticationMethods.Password; } else { authenticationMethod = Constants.AuthenticationMethods.External; } } //Create the identity principal, setting the partial sign in if applicable. var user = IdentityServerPrincipal.Create(login.Subject, login.Name, authenticationMethod, identityProvider, isPartial ? Constants.PartialSignInAuthenticationType : Constants.PrimaryAuthenticationType); var identity = user.Identities.First(); var claims = login.Claims; if (claims != null && claims.Any()) { claims = claims.Where(x => !Constants.OidcProtocolClaimTypes.Contains(x.Type)); claims = claims.Where(x => x.Type != Constants.ClaimTypes.Name); identity.AddClaims(claims); } //Are we a partial sign in? if (isPartial) { // add claim so partial redirect can return here to continue login // we need a random ID to resume, and this will be the query string // to match a claim added. the claim added will be the original // signIn ID. var resumeId = IdentityModel.CryptoRandom.CreateUniqueId(); var resumeLoginUrl = context.GetPartialLoginResumeUrl(resumeId); var resumeLoginClaim = new Claim(Constants.ClaimTypes.PartialLoginReturnUrl, resumeLoginUrl); identity.AddClaim(resumeLoginClaim); identity.AddClaim(new Claim(String.Format(Constants.ClaimTypes.PartialLoginResumeId, resumeId), loginId)); // add url to start login process over again (which re-triggers preauthenticate) var restartUrl = context.GetPartialLoginRestartUrl(loginId); identity.AddClaim(new Claim(Constants.ClaimTypes.PartialLoginRestartUrl, restartUrl)); } else { //We are not - issue the session. sessionCookie.IssueSessionId(login.PersistentLogin, login.PersistentLoginExpiration); } context.Authentication.SignIn(props, identity); }
private IHttpActionResult SignInAndRedirect( AuthenticateResult authResult, string authenticationMethod, string identityProvider, long authTime = 0) { logger.Verbose("[AuthenticationController.SignInAndRedirect] called"); if (authResult == null) { throw new ArgumentNullException("authResult"); } if (String.IsNullOrWhiteSpace(authenticationMethod)) { throw new ArgumentNullException("authenticationMethod"); } if (String.IsNullOrWhiteSpace(identityProvider)) { throw new ArgumentNullException("identityProvider"); } var signInMessage = LoadLoginRequestMessage(); var issuer = authResult.IsPartialSignIn ? Constants.PartialSignInAuthenticationType : Constants.PrimaryAuthenticationType; var principal = IdentityServerPrincipal.Create( authResult.Subject, authResult.Name, authenticationMethod, identityProvider, issuer, authTime); var id = principal.Identities.First(); if (authResult.IsPartialSignIn) { // TODO: put original return URL into cookie with a GUID ID // and put the ID as route param for the resume URL. then // we can always call ClearLoginRequestMessage() id.AddClaim(new Claim(Constants.ClaimTypes.PartialLoginReturnUrl, Url.Route(Constants.RouteNames.ResumeLoginFromRedirect, null))); // allow redircting code to add claims for target page id.AddClaims(authResult.RedirectClaims); } var ctx = Request.GetOwinContext(); ctx.Authentication.SignOut( Constants.PrimaryAuthenticationType, Constants.ExternalAuthenticationType, Constants.PartialSignInAuthenticationType); ctx.Authentication.SignIn(id); if (authResult.IsPartialSignIn) { logger.Verbose("[AuthenticationController.SignInAndRedirect] partial login requested, redirecting to requested url"); var uri = new Uri(ctx.Request.Uri, authResult.PartialSignInRedirectPath.Value); return(Redirect(uri)); } else { logger.Verbose("[AuthenticationController.SignInAndRedirect] normal login requested, redirecting back to authorization"); // TODO -- manage this state better if we're doing redirect to custom page // would rather the redirect URL from request message put into cookie // and named with a nonce, then the resume url + nonce set as claim // in principal above so page being redirected to can know what url to return to ClearLoginRequestMessage(); return(Redirect(signInMessage.ReturnUrl)); } }
public static async Task SignInAsync(this AuthenticationManager manager, string scheme, string sub, string name, string identityProvider, IEnumerable <string> authenticationMethods, AuthenticationProperties properties, params Claim[] claims) { await manager.SignInAsync(scheme, IdentityServerPrincipal.Create(sub, name, identityProvider, authenticationMethods, claims), properties); }
public async Task GetAllGrantsAsync_should_return_all_grants() { await _userConsent.StoreUserConsentAsync(new Consent() { ClientId = "client1", SubjectId = "123", Scopes = new string[] { "foo1", "foo2" } }); await _userConsent.StoreUserConsentAsync(new Consent() { ClientId = "client2", SubjectId = "123", Scopes = new string[] { "foo3" } }); await _userConsent.StoreUserConsentAsync(new Consent() { ClientId = "client1", SubjectId = "456", Scopes = new string[] { "foo3" } }); await _referenceTokens.StoreReferenceTokenAsync("key1", new Token() { ClientId = "client1", Audiences = { "aud" }, CreationTime = DateTime.Now, Type = "type", Claims = new List <Claim> { new Claim("sub", "123"), new Claim("scope", "bar1"), new Claim("scope", "bar2"), }, }); await _referenceTokens.StoreReferenceTokenAsync("key2", new Token() { ClientId = "client2", Audiences = { "aud" }, CreationTime = DateTime.Now, Type = "type", Claims = new List <Claim> { new Claim("sub", "123"), new Claim("scope", "bar3"), }, }); await _referenceTokens.StoreReferenceTokenAsync("key3", new Token() { ClientId = "client1", Audiences = { "aud" }, CreationTime = DateTime.Now, Type = "type", Claims = new List <Claim> { new Claim("sub", "456"), new Claim("scope", "bar3"), }, }); await _refreshTokens.StoreRefreshTokenAsync("key4", new RefreshToken() { CreationTime = DateTime.Now, Lifetime = 10, AccessToken = new Token { ClientId = "client1", Audiences = { "aud" }, CreationTime = DateTime.Now, Type = "type", Claims = new List <Claim> { new Claim("sub", "123"), new Claim("scope", "baz1"), new Claim("scope", "baz2") } }, Version = 1 }); await _refreshTokens.StoreRefreshTokenAsync("key5", new RefreshToken() { CreationTime = DateTime.Now, Lifetime = 10, AccessToken = new Token { ClientId = "client1", Audiences = { "aud" }, CreationTime = DateTime.Now, Type = "type", Claims = new List <Claim> { new Claim("sub", "456"), new Claim("scope", "baz3"), } }, Version = 1 }); await _refreshTokens.StoreRefreshTokenAsync("key6", new RefreshToken() { CreationTime = DateTime.Now, Lifetime = 10, AccessToken = new Token { ClientId = "client2", Audiences = { "aud" }, CreationTime = DateTime.Now, Type = "type", Claims = new List <Claim> { new Claim("sub", "123"), new Claim("scope", "baz3"), } }, Version = 1 }); await _codes.StoreAuthorizationCodeAsync("key7", new AuthorizationCode() { ClientId = "client1", CreationTime = DateTime.Now, Lifetime = 10, Subject = _user, CodeChallenge = "challenge", RedirectUri = "http://client/cb", Nonce = "nonce", RequestedScopes = new string[] { "quux1", "quux2" } }); await _codes.StoreAuthorizationCodeAsync("key8", new AuthorizationCode() { ClientId = "client2", CreationTime = DateTime.Now, Lifetime = 10, Subject = _user, CodeChallenge = "challenge", RedirectUri = "http://client/cb", Nonce = "nonce", RequestedScopes = new string[] { "quux3" } }); await _codes.StoreAuthorizationCodeAsync("key9", new AuthorizationCode() { ClientId = "client1", CreationTime = DateTime.Now, Lifetime = 10, Subject = IdentityServerPrincipal.Create("456", "alice"), CodeChallenge = "challenge", RedirectUri = "http://client/cb", Nonce = "nonce", RequestedScopes = new string[] { "quux3" } }); var grants = await _subject.GetAllGrantsAsync("123"); grants.Count().Should().Be(2); var grant1 = grants.First(x => x.ClientId == "client1"); grant1.SubjectId.Should().Be("123"); grant1.ClientId.Should().Be("client1"); grant1.Scopes.ShouldBeEquivalentTo(new string[] { "foo1", "foo2", "bar1", "bar2", "baz1", "baz2", "quux1", "quux2" }); var grant2 = grants.First(x => x.ClientId == "client2"); grant2.SubjectId.Should().Be("123"); grant2.ClientId.Should().Be("client2"); grant2.Scopes.ShouldBeEquivalentTo(new string[] { "foo3", "bar3", "baz3", "quux3" }); }
private void IssueAuthenticationCookie( AuthenticateResult authResult, string authenticationMethod, string identityProvider, long authTime) { if (authResult == null) { throw new ArgumentNullException("authResult"); } if (String.IsNullOrWhiteSpace(authenticationMethod)) { throw new ArgumentNullException("authenticationMethod"); } if (String.IsNullOrWhiteSpace(identityProvider)) { throw new ArgumentNullException("identityProvider"); } Logger.InfoFormat("logging user in as subject: {0}, name: {1}{2}", authResult.Subject, authResult.Name, authResult.IsPartialSignIn ? " (partial login)" : ""); var issuer = authResult.IsPartialSignIn ? Constants.PartialSignInAuthenticationType : Constants.PrimaryAuthenticationType; var principal = IdentityServerPrincipal.Create( authResult.Subject, authResult.Name, authenticationMethod, identityProvider, issuer, authTime); var props = new Microsoft.Owin.Security.AuthenticationProperties(); var id = principal.Identities.First(); if (authResult.IsPartialSignIn) { // add claim so partial redirect can return here to continue login var resumeLoginUrl = Url.Link(Constants.RouteNames.ResumeLoginFromRedirect, null); var resumeLoginClaim = new Claim(Constants.ClaimTypes.PartialLoginReturnUrl, resumeLoginUrl); id.AddClaim(resumeLoginClaim); // store original authorization url as claim // so once we result we can return to authorization page var signInMessage = LoadSignInMessage(); var authorizationUrl = signInMessage.ReturnUrl; var authorizationUrlClaim = new Claim(Constants.ClaimTypes.AuthorizationReturnUrl, authorizationUrl); id.AddClaim(authorizationUrlClaim); // allow redircting code to add claims for target page id.AddClaims(authResult.RedirectClaims); } else if (this._options.CookieOptions.IsPersistent) { props.IsPersistent = true; } ClearAuthenticationCookies(); var ctx = Request.GetOwinContext(); ctx.Authentication.SignIn(props, id); }
/// <summary> /// Initializes a new instance of the <see cref="ClaimsPrincipal"/> class with Claims from the Membership User /// </summary> /// <param name="user">Membership User</param> /// <param name="identityProvider">Identity Provider Name</param> /// <param name="claims">List of additional claims</param> /// <returns>Claims Principal</returns> public static ClaimsPrincipal Create(this MembershipUser user, string identityProvider, params Claim[] claims) { return(IdentityServerPrincipal.Create(user.GetSubjectId(), user.UserName, identityProvider, DateTime.Now, claims)); }
private async Task <TokenRequestValidationResult> ValidateRefreshTokenRequestAsync(NameValueCollection parameters) { _logger.LogDebug("Start validation of refresh token request"); var refreshTokenHandle = parameters.Get(OidcConstants.TokenRequest.RefreshToken); if (refreshTokenHandle.IsMissing()) { var error = "Refresh token is missing"; LogError(error); await RaiseRefreshTokenRefreshFailureEventAsync(null, error); return(Invalid(OidcConstants.TokenErrors.InvalidRequest)); } if (refreshTokenHandle.Length > _options.InputLengthRestrictions.RefreshToken) { var error = "Refresh token too long"; LogError(error); await RaiseRefreshTokenRefreshFailureEventAsync(null, error); return(Invalid(OidcConstants.TokenErrors.InvalidGrant)); } _validatedRequest.RefreshTokenHandle = refreshTokenHandle; ///////////////////////////////////////////// // check if refresh token is valid ///////////////////////////////////////////// var refreshToken = await _refreshTokens.GetAsync(refreshTokenHandle); if (refreshToken == null) { var error = "Refresh token cannot be found in store: " + refreshTokenHandle; LogError(error); await RaiseRefreshTokenRefreshFailureEventAsync(refreshTokenHandle, error); return(Invalid(OidcConstants.TokenErrors.InvalidGrant)); } ///////////////////////////////////////////// // check if refresh token has expired ///////////////////////////////////////////// if (refreshToken.CreationTime.HasExceeded(refreshToken.LifeTime)) { var error = "Refresh token has expired"; LogError(error); await RaiseRefreshTokenRefreshFailureEventAsync(refreshTokenHandle, error); await _refreshTokens.RemoveAsync(refreshTokenHandle); return(Invalid(OidcConstants.TokenErrors.InvalidGrant)); } ///////////////////////////////////////////// // check if client belongs to requested refresh token ///////////////////////////////////////////// if (_validatedRequest.Client.ClientId != refreshToken.ClientId) { LogError(string.Format("Client {0} tries to refresh token belonging to client {1}", _validatedRequest.Client.ClientId, refreshToken.ClientId)); await RaiseRefreshTokenRefreshFailureEventAsync(refreshTokenHandle, "Invalid client binding"); return(Invalid(OidcConstants.TokenErrors.InvalidGrant)); } ///////////////////////////////////////////// // check if client still has offline_access scope ///////////////////////////////////////////// if (!_validatedRequest.Client.AllowAccessToAllScopes) { if (!_validatedRequest.Client.AllowedScopes.Contains(Constants.StandardScopes.OfflineAccess)) { var error = "Client does not have access to offline_access scope anymore"; LogError(error); await RaiseRefreshTokenRefreshFailureEventAsync(refreshTokenHandle, error); return(Invalid(OidcConstants.TokenErrors.InvalidGrant)); } } _validatedRequest.RefreshToken = refreshToken; ///////////////////////////////////////////// // make sure user is enabled ///////////////////////////////////////////// var principal = IdentityServerPrincipal.FromSubjectId(_validatedRequest.RefreshToken.SubjectId, refreshToken.AccessToken.Claims); var isActiveCtx = new IsActiveContext(principal, _validatedRequest.Client); await _profile.IsActiveAsync(isActiveCtx); if (isActiveCtx.IsActive == false) { var error = "User has been disabled: " + _validatedRequest.RefreshToken.SubjectId; LogError(error); await RaiseRefreshTokenRefreshFailureEventAsync(refreshTokenHandle, error); return(Invalid(OidcConstants.TokenErrors.InvalidRequest)); } _logger.LogInformation("Validation of refresh token request success"); return(Valid()); }
public DefaultRefreshTokenServiceTests() { originalNowFunc = DateTimeOffsetHelper.UtcNowFunc; DateTimeOffsetHelper.UtcNowFunc = () => UtcNow; roclient_absolute_refresh_expiration_one_time_only = new Client { ClientName = "Resource Owner Client", Enabled = true, ClientId = "roclient_absolute_refresh_expiration_one_time_only", ClientSecrets = new List <Secret> { new Secret("secret".Sha256()) }, Flow = Flows.ResourceOwner, RefreshTokenExpiration = TokenExpiration.Absolute, RefreshTokenUsage = TokenUsage.OneTimeOnly, AbsoluteRefreshTokenLifetime = 200 }; roclient_sliding_refresh_expiration_one_time_only = new Client { ClientName = "Resource Owner Client", Enabled = true, ClientId = "roclient_sliding_refresh_expiration_one_time_only", ClientSecrets = new List <Secret> { new Secret("secret".Sha256()) }, Flow = Flows.ResourceOwner, RefreshTokenExpiration = TokenExpiration.Sliding, RefreshTokenUsage = TokenUsage.OneTimeOnly, AbsoluteRefreshTokenLifetime = 10, SlidingRefreshTokenLifetime = 4 }; roclient_absolute_refresh_expiration_reuse = new Client { ClientName = "Resource Owner Client", Enabled = true, ClientId = "roclient_absolute_refresh_expiration_reuse", ClientSecrets = new List <Secret> { new Secret("secret".Sha256()) }, Flow = Flows.ResourceOwner, RefreshTokenExpiration = TokenExpiration.Absolute, RefreshTokenUsage = TokenUsage.ReUse, AbsoluteRefreshTokenLifetime = 200 }; refreshTokenStore = new InMemoryRefreshTokenStore(); service = new DefaultRefreshTokenService(refreshTokenStore, new DefaultEventService()); user = IdentityServerPrincipal.Create("bob", "Bob Loblaw"); }
private async Task <string> GetToken(string userName, string audience) { var Request = new TokenCreationRequest(); var User = await _userManager.FindByNameAsync(userName); var IdentityPricipal = await _principalFactory.CreateAsync(User); var IdServerPrincipal = IdentityServerPrincipal.Create(User.Id.ToString(), User.UserName, IdentityPricipal.Claims.ToArray()); var lstScope = new List <Scope> { new Scope { Name = "api.main", Emphasize = true, UserClaims = new List <string> { "role", "name" } }, new Scope { Name = "api.blockchain", Emphasize = true, UserClaims = new List <string> { "role", "name" } } }; var c1 = new IdentityServer4.Models.Client { ClientId = "generatedTokenClient", ClientName = "generatedTokenClient", Enabled = true, AccessTokenType = AccessTokenType.Jwt, ClientSecrets = new List <IdentityServer4.Models.Secret> { new IdentityServer4.Models.Secret("21B5F798-BE55-42BC-8AA8-0025B903DC3B".Sha256()) } }; Request.Subject = IdServerPrincipal; Request.IncludeAllIdentityClaims = true; Request.ValidatedRequest = new ValidatedRequest(); Request.ValidatedRequest.Subject = Request.Subject; Request.ValidatedRequest.SetClient(c1); Request.Resources = new Resources(Config.GetIdentityResources(), Config.GetApiResources()); Request.ValidatedRequest.Options = _option; Request.ValidatedRequest.ClientClaims = IdentityPricipal.Claims.ToArray(); var Token = await _ts.CreateAccessTokenAsync(Request); Token.Issuer = "https://" + HttpContext.Request.Host.Value; Token.Audiences = new List <string> { audience }; if (Token.Claims == null) { Token.Claims = new List <Claim>(); } var rolesClaim = IdentityPricipal.FindAll("role"); if (rolesClaim != null && rolesClaim.Count() > 0) { foreach (var r1 in rolesClaim) { Token.Claims.Add(r1); } } var nameClaim = IdentityPricipal.FindFirst("name"); if (nameClaim != null) { Token.Claims.Add(nameClaim); } var custIdClaim = IdentityPricipal.FindFirst("customerid"); if (custIdClaim != null) { Token.Claims.Add(custIdClaim); } var TokenValue = await _ts.CreateSecurityTokenAsync(Token); return(TokenValue); }
public DefaultUserSessionTests() { _user = IdentityServerPrincipal.Create("123", "bob"); _subject = new DefaultUserSession(_mockHttpContext, _options, TestLogger.Create <DefaultUserSession>()); }