protected virtual async Task <IActionResult> ClientCredentialsGrant(TClient client, TokenRequest tokenRequest)
{
logger.ScopeTrace("Down, OAuth Client Credentials grant accepted.", triggerEvent: true);
var tokenResponse = new TokenResponse
{
TokenType = IdentityConstants.TokenTypes.Bearer,
ExpiresIn = client.AccessTokenLifetime,
};
string algorithm = IdentityConstants.Algorithms.Asymmetric.RS256;
var claims = new List <Claim>();
claims.AddClaim(JwtClaimTypes.Subject, $"c_{client.ClientId}");
claims.AddClaim(JwtClaimTypes.AuthTime, DateTimeOffset.UtcNow.ToUnixTimeSeconds().ToString());
//TODO should the amr claim be included???
//claims.AddClaim(JwtClaimTypes.Amr, IdentityConstants.AuthenticationMethodReferenceValues.Pwd);
var scopes = tokenRequest.Scope.ToSpaceList();
tokenResponse.AccessToken = await jwtLogic.CreateAccessTokenAsync(client, claims, scopes, algorithm);
logger.ScopeTrace($"Token response '{tokenResponse.ToJsonIndented()}'.");
logger.ScopeTrace("Down, OAuth Token response.", triggerEvent: true);
return(new JsonResult(tokenResponse));
}
protected override async Task <IActionResult> AuthorizationCodeGrant(TClient client, TokenRequest tokenRequest, bool validatePkce, CodeVerifierSecret codeVerifierSecret)
{
var authCodeGrant = await oauthAuthCodeGrantLogic.GetAndValidateAuthCodeGrantAsync(tokenRequest.Code, tokenRequest.RedirectUri, tokenRequest.ClientId);
if (validatePkce)
{
await ValidatePkce(client, authCodeGrant.CodeChallenge, authCodeGrant.CodeChallengeMethod, codeVerifierSecret);
}
logger.ScopeTrace("Down, OIDC Authorization code grant accepted.", triggerEvent: true);
var tokenResponse = new TokenResponse
{
TokenType = IdentityConstants.TokenTypes.Bearer,
ExpiresIn = client.AccessTokenLifetime,
};
string algorithm = IdentityConstants.Algorithms.Asymmetric.RS256;
var claims = authCodeGrant.Claims.ToClaimList();
var scopes = authCodeGrant.Scope.ToSpaceList();
tokenResponse.AccessToken = await jwtLogic.CreateAccessTokenAsync(client, claims, scopes, algorithm);
var responseTypes = new[] { IdentityConstants.ResponseTypes.IdToken, IdentityConstants.ResponseTypes.Token };
tokenResponse.IdToken = await jwtLogic.CreateIdTokenAsync(client, claims, scopes, authCodeGrant.Nonce, responseTypes, null, tokenResponse.AccessToken, algorithm);
if (scopes.Contains(IdentityConstants.DefaultOidcScopes.OfflineAccess))
{
tokenResponse.RefreshToken = await oauthRefreshTokenGrantLogic.CreateRefreshTokenGrantAsync(client, claims, authCodeGrant.Scope);
}
logger.ScopeTrace($"Token response '{tokenResponse.ToJsonIndented()}'.");
logger.ScopeTrace("Down, OIDC Token response.", triggerEvent: true);
return(new JsonResult(tokenResponse));
}
protected override async Task <IActionResult> RefreshTokenGrantAsync(TClient client, TokenRequest tokenRequest)
{
(var refreshTokenGrant, var newRefreshToken) = await oauthRefreshTokenGrantDownLogic.ValidateAndUpdateRefreshTokenGrantAsync(client, tokenRequest.RefreshToken);
logger.ScopeTrace(() => "Down, OIDC Refresh Token grant accepted.", triggerEvent: true);
var scopes = refreshTokenGrant.Scope.ToSpaceList();
if (!tokenRequest.Scope.IsNullOrEmpty())
{
var requestScopes = tokenRequest.Scope.ToSpaceList();
var invalidScope = requestScopes.Where(s => !scopes.Contains(s) && IdentityConstants.DefaultOidcScopes.OpenId != s);
if (invalidScope.Count() > 0)
{
throw new OAuthRequestException($"Invalid scope '{tokenRequest.Scope}' not originally granted.")
{
RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidScope
};
}
scopes = scopes.Where(s => requestScopes.Contains(s)).Select(s => s).ToArray();
}
try
{
var tokenResponse = new TokenResponse
{
TokenType = IdentityConstants.TokenTypes.Bearer,
ExpiresIn = client.AccessTokenLifetime,
};
string algorithm = IdentityConstants.Algorithms.Asymmetric.RS256;
var claims = refreshTokenGrant.Claims.ToClaimList();
tokenResponse.AccessToken = await jwtDownLogic.CreateAccessTokenAsync(client, claims, scopes, algorithm);
var responseTypes = new[] { IdentityConstants.ResponseTypes.IdToken, IdentityConstants.ResponseTypes.Token };
tokenResponse.IdToken = await jwtDownLogic.CreateIdTokenAsync(client, claims, scopes, null, responseTypes, null, tokenResponse.AccessToken, algorithm);
if (!newRefreshToken.IsNullOrEmpty())
{
tokenResponse.RefreshToken = newRefreshToken;
}
logger.ScopeTrace(() => $"Token response '{tokenResponse.ToJsonIndented()}'.", traceType: TraceTypes.Message);
logger.ScopeTrace(() => "Down, OIDC Token response.", triggerEvent: true);
return(new JsonResult(tokenResponse));
}
catch (KeyException kex)
{
throw new OAuthRequestException(kex.Message, kex)
{
RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.ServerError
};
}
}
protected virtual async Task <IActionResult> ClientCredentialsGrantAsync(TParty party, TokenRequest tokenRequest)
{
logger.ScopeTrace(() => "Down, OAuth Client Credentials grant accepted.", triggerEvent: true);
if (party.Client == null)
{
throw new NotSupportedException("Party Client not configured.");
}
try
{
var tokenResponse = new TokenResponse
{
TokenType = IdentityConstants.TokenTypes.Bearer,
ExpiresIn = party.Client.AccessTokenLifetime,
};
string algorithm = IdentityConstants.Algorithms.Asymmetric.RS256;
var claims = new List <Claim>();
claims.AddClaim(JwtClaimTypes.Subject, $"c_{party.Client.ClientId}");
claims.AddClaim(JwtClaimTypes.AuthTime, DateTimeOffset.UtcNow.ToUnixTimeSeconds().ToString());
//TODO should the amr claim be included???
//claims.AddClaim(JwtClaimTypes.Amr, IdentityConstants.AuthenticationMethodReferenceValues.Pwd);
logger.ScopeTrace(() => $"Down, OAuth created JWT claims '{claims.ToFormattedString()}'", traceType: TraceTypes.Claim);
claims = await claimTransformLogic.Transform(party.ClaimTransforms?.ConvertAll(t => (ClaimTransform)t), claims);
logger.ScopeTrace(() => $"Down, OAuth output JWT claims '{claims.ToFormattedString()}'", traceType: TraceTypes.Claim);
var scopes = tokenRequest.Scope.ToSpaceList();
tokenResponse.AccessToken = await jwtDownLogic.CreateAccessTokenAsync(party.Client, claims, scopes, algorithm);
logger.ScopeTrace(() => $"Token response '{tokenResponse.ToJsonIndented()}'.", traceType: TraceTypes.Message);
logger.ScopeTrace(() => "Down, OAuth Token response.", triggerEvent: true);
return(new JsonResult(tokenResponse));
}
catch (KeyException kex)
{
throw new OAuthRequestException(kex.Message, kex)
{
RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.ServerError
};
}
}
