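/// <summary>
/// Builds a signed OIDC ID token (JWT) for an OIDC down-party client.
/// </summary>
/// <param name="client">The requesting client; must be an <see cref="OidcDownClient"/>.</param>
/// <param name="claims">Claims available for the token; narrowed by <c>claimsDownLogic</c> before use.</param>
/// <param name="selectedScopes">Scopes granted to the client; passed on to the claim filtering.</param>
/// <param name="nonce">Optional nonce from the authorization request; echoed as the <c>nonce</c> claim when non-empty.</param>
/// <param name="responseTypes">Authorization response types; decide whether <c>at_hash</c> / <c>c_hash</c> are added.</param>
/// <param name="code">Authorization code; hashed into <c>c_hash</c> when the <c>code</c> response type is present.</param>
/// <param name="accessToken">Access token; hashed into <c>at_hash</c> when the <c>token</c> response type is present.</param>
/// <param name="algorithm">Signing algorithm; also handed to the hash helper for <c>at_hash</c> / <c>c_hash</c>.</param>
/// <returns>The serialized ID token.</returns>
/// <exception cref="InvalidOperationException">Thrown when <paramref name="client"/> is not an <see cref="OidcDownClient"/>.</exception>
public async Task<string> CreateIdTokenAsync(TClient client, IEnumerable<Claim> claims, IEnumerable<string> selectedScopes, string nonce, IEnumerable<string> responseTypes, string code, string accessToken, string algorithm)
{
    // One pattern match replaces the original `is` test plus a separate `as` cast further down.
    if (client is not OidcDownClient oidcClient)
    {
        throw new InvalidOperationException("Include ID Token only possible for OIDC Down Client.");
    }

    // Evaluate each response type once; the original walked responseTypes up to four times.
    var hasCodeResponseType = responseTypes.Contains(IdentityConstants.ResponseTypes.Code);
    var hasTokenResponseType = responseTypes.Contains(IdentityConstants.ResponseTypes.Token);
    // No code and no access token alongside: the ID token also carries the access-token claims.
    var onlyIdToken = !hasCodeResponseType && !hasTokenResponseType;

    var idTokenClaims = new List<Claim>(await claimsDownLogic.FilterJwtClaimsAsync(client, claims, selectedScopes, includeIdTokenClaims: true, includeAccessTokenClaims: onlyIdToken));

    var clientClaims = claimsDownLogic.GetClientJwtClaims(client, onlyIdTokenClaims: true);
    if (clientClaims?.Any() == true)
    {
        idTokenClaims.AddRange(clientClaims);
    }

    if (!nonce.IsNullOrEmpty())
    {
        idTokenClaims.AddClaim(JwtClaimTypes.Nonce, nonce);
    }

    if (!onlyIdToken)
    {
        // at_hash / c_hash bind this ID token to the access token / code issued with it (OIDC Core 3.3.2.11).
        // LeftMostBase64urlEncodedHashAsync is presumed to implement the left-most-half hash for the
        // given algorithm — confirm in that helper.
        if (hasTokenResponseType)
        {
            idTokenClaims.AddClaim(JwtClaimTypes.AtHash, await accessToken.LeftMostBase64urlEncodedHashAsync(algorithm));
        }
        if (hasCodeResponseType)
        {
            idTokenClaims.AddClaim(JwtClaimTypes.CHash, await code.LeftMostBase64urlEncodedHashAsync(algorithm));
        }
    }

    logger.ScopeTrace(() => $"Down, JWT ID token claims '{idTokenClaims.ToFormattedString()}'", traceType: TraceTypes.Claim);

    // Signed with the track's primary key; lifetime comes from the OIDC client configuration.
    var token = JwtHandler.CreateToken(await trackKeyLogic.GetPrimarySecurityKeyAsync(RouteBinding.Key), trackIssuerLogic.GetIssuer(), client.ClientId, idTokenClaims, expiresIn: oidcClient.IdTokenLifetime, algorithm: algorithm);
    return await token.ToJwtString();
}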
/// <summary>
/// Issues a new refresh token for <paramref name="client"/> and persists the grant backing it.
/// </summary>
/// <param name="client">Client the refresh token is issued to.</param>
/// <param name="claims">Claims available to the grant; narrowed by <c>claimsDownLogic</c> for the given scope.</param>
/// <param name="scope">Space-separated scope string; <c>null</c> is tolerated.</param>
/// <returns>The newly generated refresh token.</returns>
public async Task<string> CreateRefreshTokenGrantAsync(TClient client, List<Claim> claims, string scope)
{
    logger.ScopeTrace($"Create Refresh Token grant, Route '{RouteBinding.Route}'.");
    CheckeConfiguration(client);

    var scopeList = scope?.ToSpaceList();
    var filteredClaims = await claimsDownLogic.FilterJwtClaimsAsync(client, claims, scopeList, includeIdTokenClaims: true, includeAccessTokenClaims: true);

    var refreshToken = CreateRefreshToken(client);
    await CreateGrantInternal(client, filteredClaims.ToClaimAndValues(), scope, refreshToken);

    // NOTE(review): the trace below writes the refresh token value itself to the log; if ScopeTrace
    // output reaches persistent or shared log storage, the token is recoverable from there — confirm
    // the trace level and sink before relying on this in production.
    logger.ScopeTrace($"Refresh token grant created, Refresh Token '{refreshToken}'.");
    return refreshToken;
}
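/// <summary>
/// Issues an authorization code for <paramref name="client"/> and stores the matching time-limited
/// grant so the code can later be exchanged.
/// </summary>
/// <param name="client">Client the code is issued to; must have an AuthorizationCodeLifetime configured.</param>
/// <param name="claims">Claims available to the grant; narrowed by <c>claimsDownLogic</c> for the given scope.</param>
/// <param name="redirectUri">Redirect URI of the authorization request, stored with the grant.</param>
/// <param name="scope">Space-separated scope string; <c>null</c> is tolerated.</param>
/// <param name="nonce">Nonce of the authorization request, stored with the grant.</param>
/// <param name="codeChallenge">PKCE code challenge, stored with the grant (presumably verified at exchange — confirm in the token endpoint).</param>
/// <param name="codeChallengeMethod">PKCE code challenge method, stored with the grant.</param>
/// <returns>The newly generated authorization code.</returns>
/// <exception cref="EndpointException">Thrown when the client has no AuthorizationCodeLifetime configured.</exception>
public async Task<string> CreateAuthCodeGrantAsync(TClient client, List<Claim> claims, string redirectUri, string scope, string nonce, string codeChallenge, string codeChallengeMethod)
{
    logger.ScopeTrace($"Create Authorization code grant, Route '{RouteBinding.Route}'.");

    // Guard clause; the original closed this `if` with a stray `;` (an empty statement).
    if (client.AuthorizationCodeLifetime is not { } codeLifetime)
    {
        throw new EndpointException("Client AuthorizationCodeLifetime not configured.") { RouteBinding = RouteBinding };
    }

    var grantClaims = await claimsDownLogic.FilterJwtClaimsAsync(client, claims, scope?.ToSpaceList(), includeIdTokenClaims: true, includeAccessTokenClaims: true);

    // The code is the grant's lookup key; assumes RandomGenerator is cryptographically strong — confirm in that helper.
    var code = RandomGenerator.Generate(64);
    var grant = new AuthCodeTtlGrant
    {
        TimeToLive = codeLifetime,
        Claims = grantClaims.ToClaimAndValues(),
        ClientId = client.ClientId,
        RedirectUri = redirectUri,
        Scope = scope,
        Nonce = nonce,
        CodeChallenge = codeChallenge,
        CodeChallengeMethod = codeChallengeMethod
    };
    // Grant id is scoped to tenant and track so codes from different tracks cannot collide.
    await grant.SetIdAsync(new AuthCodeTtlGrant.IdKey { TenantName = RouteBinding.TenantName, TrackName = RouteBinding.TrackName, Code = code });
    await tenantRepository.SaveAsync(grant);

    // NOTE(review): the trace below writes the authorization code itself to the log; if ScopeTrace
    // output reaches persistent or shared log storage, the code is recoverable from there while the
    // grant is still live — confirm the trace level and sink.
    logger.ScopeTrace($"Authorization code grant created, Code '{code}'.");
    return code;
}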