private void AddClaimsForAccessToken(TokenGeneratingContext context, string resource)
{
var scopes = context.RequestGrants.Scopes;
var accessTokenScopes = GetAccessTokenScopes(scopes);
context.AddClaimToCurrentToken(IdentityServiceClaimTypes.Scope, GetScopeValue(scopes, excludeCanonical: true));
context.AddClaimToCurrentToken(IdentityServiceClaimTypes.Audience, resource);
context.AddClaimToCurrentToken(IdentityServiceClaimTypes.AuthorizedParty, context.RequestParameters.ClientId);
}
public Task OnGeneratingClaims(TokenGeneratingContext context)
{
var resource = context.RequestGrants.Scopes.FirstOrDefault(rg => rg.ClientId != null)?.ClientId;
if (context.IsContextForTokenTypes(TokenTypes.AccessToken) && resource != null)
{
// For access tokens we use the scopes from the set of granted scopes, this takes into account the
// fact that a token request can ask for a subset of the scopes granted during authorization, either
// on a code exchange or on a refresh token grant flow.
AddClaimsForAccessToken(context, resource);
return(Task.CompletedTask);
}
if (context.IsContextForTokenTypes(TokenTypes.AuthorizationCode))
{
context.AddClaimToCurrentToken(
IdentityServiceClaimTypes.Scope,
GetScopeValue(context.RequestGrants.Scopes, excludeCanonical: false));
if (resource != null)
{
context.AddClaimToCurrentToken(IdentityServiceClaimTypes.Resource, resource);
}
return(Task.CompletedTask);
}
if (context.IsContextForTokenTypes(TokenTypes.RefreshToken))
{
// For refresh tokens the scope claim never changes as the set of scopes granted for a refresh token
// should not change no matter what scopes are sent on a token request.
var scopeClaim = context
.RequestGrants
.Claims
.Single(c => c.Type.Equals(IdentityServiceClaimTypes.Scope, StringComparison.Ordinal));
var resourceClaim = context
.RequestGrants
.Claims
.SingleOrDefault(c => c.Type.Equals(IdentityServiceClaimTypes.Resource, StringComparison.Ordinal));
context.AddClaimToCurrentToken(scopeClaim);
if (resourceClaim != null)
{
context.AddClaimToCurrentToken(resourceClaim);
}
}
return(Task.CompletedTask);
}
public Task OnGeneratingClaims(TokenGeneratingContext context)
{
if (context.IsContextForTokenTypes(TokenTypes.AuthorizationCode) &&
context.RequestParameters.Parameters.ContainsKey(ProofOfKeyForCodeExchangeParameterNames.CodeChallenge))
{
context.AddClaimToCurrentToken(
IdentityServiceClaimTypes.CodeChallenge,
context.RequestParameters.Parameters[ProofOfKeyForCodeExchangeParameterNames.CodeChallenge]);
context.AddClaimToCurrentToken(
IdentityServiceClaimTypes.CodeChallengeMethod,
context.RequestParameters.Parameters[ProofOfKeyForCodeExchangeParameterNames.CodeChallengeMethod]);
}
return(Task.CompletedTask);
}
public Task OnGeneratingClaims(TokenGeneratingContext context)
{
if (context.IsContextForTokenTypes(TokenTypes.AuthorizationCode))
{
foreach (var grantedToken in GetGrantedTokensForAuthorizationCode(context))
{
context.AddClaimToCurrentToken(IdentityServiceClaimTypes.GrantedToken, grantedToken);
}
}
if (context.IsContextForTokenTypes(TokenTypes.RefreshToken))
{
foreach (var grantedToken in context.RequestGrants.Tokens)
{
context.AddClaimToCurrentToken(IdentityServiceClaimTypes.GrantedToken, grantedToken);
}
}
return(Task.CompletedTask);
}
public Task OnGeneratingClaims(TokenGeneratingContext context)
{
var nonce = GetNonce(context);
if (context.IsContextForTokenTypes(
TokenTypes.IdToken,
TokenTypes.AccessToken,
TokenTypes.AuthorizationCode) && nonce != null)
{
context.AddClaimToCurrentToken(IdentityServiceClaimTypes.Nonce, nonce);
}
return(Task.CompletedTask);
}
public Task OnGeneratingClaims(TokenGeneratingContext context)
{
context.AddClaimToCurrentToken(IdentityServiceClaimTypes.TokenUniqueId, Guid.NewGuid().ToString());
var userMapping = GetUserPrincipalTokenMapping(context.CurrentToken);
var applicationMapping = GetApplicationPrincipalTokenMapping(context.CurrentToken);
var ambientMapping = GetAmbientClaimsTokenMapping(context.CurrentToken);
MapFromPrincipal(context, context.User, userMapping);
MapFromPrincipal(context, context.Application, applicationMapping);
MapFromContext(context, context.AmbientClaims, ambientMapping);
if (context.IsContextForTokenTypes(TokenTypes.AccessToken, TokenTypes.IdToken))
{
context.AddClaimToCurrentToken(IdentityServiceClaimTypes.Issuer, _options.Value.Issuer);
}
if (context.IsContextForTokenTypes(TokenTypes.AuthorizationCode) && context.RequestParameters.RedirectUri != null)
{
context.AddClaimToCurrentToken(IdentityServiceClaimTypes.RedirectUri, context.RequestParameters.RedirectUri);
}
return(Task.CompletedTask);
}
private static void MapFromContext(
TokenGeneratingContext context,
IList <Claim> ambientClaims,
TokenMapping claimsDefinition)
{
foreach (var mapping in claimsDefinition)
{
var ctxValues = ambientClaims.Where(c => c.Type == mapping.Alias);
ValidateCardinality(mapping, ctxValues, claimsDefinition.Source);
foreach (var ctxValue in ctxValues)
{
context.AddClaimToCurrentToken(mapping.Name, ctxValue.Value);
}
}
}
private static void MapFromPrincipal(
TokenGeneratingContext context,
ClaimsPrincipal user,
TokenMapping claimsDefinition)
{
foreach (var mapping in claimsDefinition)
{
var foundClaims = user.FindAll(mapping.Alias);
ValidateCardinality(mapping, foundClaims, claimsDefinition.Source);
foreach (var userClaim in foundClaims)
{
context.AddClaimToCurrentToken(mapping.Name, userClaim.Value);
}
}
}