public Task AuthenticateLocalAsync(LocalAuthenticationContext context)
{
if (context.UserName == context.Password)
{
var p = IdentityServerPrincipal.Create(context.UserName, context.UserName, "password", "idsvr");
context.AuthenticateResult = new AuthenticateResult(p);
}
else
{
context.AuthenticateResult = new AuthenticateResult("Username and/or password incorrect");
}
return Task.FromResult(0);
}
/// <summary>
/// This methods gets called for local authentication (whenever the user uses the username and password dialog).
/// </summary>
/// <param name="context">The context.</param>
/// <returns></returns>
public override Task AuthenticateLocalAsync(LocalAuthenticationContext context)
{
var query =
from u in _users
where u.Username == context.UserName && u.Password == context.Password
select u;
var user = query.SingleOrDefault();
if (user != null)
{
context.AuthenticateResult = new AuthenticateResult(user.Subject, GetDisplayName(user));
}
return Task.FromResult(0);
}
public Task AuthenticateLocalAsync(LocalAuthenticationContext context)
{
return Task.FromResult(0);
}
private async Task<TokenRequestValidationResult> ValidateResourceOwnerCredentialRequestAsync(NameValueCollection parameters)
{
_logger.LogInformation("Start password token request validation");
// if we've disabled local authentication, then fail
if (_options.AuthenticationOptions.EnableLocalLogin == false ||
_validatedRequest.Client.EnableLocalLogin == false)
{
LogError("EnableLocalLogin is disabled, failing with UnsupportedGrantType");
return Invalid(Constants.TokenErrors.UnsupportedGrantType);
}
/////////////////////////////////////////////
// check if client is authorized for grant type
/////////////////////////////////////////////
if (_validatedRequest.Client.Flow != Flows.ResourceOwner)
{
LogError("Client not authorized for resource owner flow");
return Invalid(Constants.TokenErrors.UnauthorizedClient);
}
/////////////////////////////////////////////
// check if client is allowed to request scopes
/////////////////////////////////////////////
if (!(await ValidateRequestedScopesAsync(parameters)))
{
LogError("Invalid scopes.");
return Invalid(Constants.TokenErrors.InvalidScope);
}
/////////////////////////////////////////////
// check resource owner credentials
/////////////////////////////////////////////
var userName = parameters.Get(Constants.TokenRequest.UserName);
var password = parameters.Get(Constants.TokenRequest.Password);
if (userName.IsMissing() || password.IsMissing())
{
LogError("Username or password missing.");
return Invalid(Constants.TokenErrors.InvalidGrant);
}
if (userName.Length > _options.InputLengthRestrictions.UserName ||
password.Length > _options.InputLengthRestrictions.Password)
{
LogError("Username or password too long.");
return Invalid(Constants.TokenErrors.InvalidGrant);
}
_validatedRequest.UserName = userName;
/////////////////////////////////////////////
// check optional parameters and populate SignInMessage
/////////////////////////////////////////////
var signInMessage = new SignInRequest();
// pass through client_id
signInMessage.ClientId = _validatedRequest.Client.ClientId;
// process acr values
var acr = parameters.Get(Constants.AuthorizeRequest.AcrValues);
if (acr.IsPresent())
{
if (acr.Length > _options.InputLengthRestrictions.AcrValues)
{
LogError("Acr values too long.");
return Invalid(Constants.TokenErrors.InvalidRequest);
}
var acrValues = acr.FromSpaceSeparatedString().Distinct().ToList();
// look for well-known acr value -- idp
var idp = acrValues.FirstOrDefault(x => x.StartsWith(Constants.KnownAcrValues.HomeRealm));
if (idp.IsPresent())
{
signInMessage.IdP = idp.Substring(Constants.KnownAcrValues.HomeRealm.Length);
acrValues.Remove(idp);
}
// look for well-known acr value -- tenant
var tenant = acrValues.FirstOrDefault(x => x.StartsWith(Constants.KnownAcrValues.Tenant));
if (tenant.IsPresent())
{
signInMessage.Tenant = tenant.Substring(Constants.KnownAcrValues.Tenant.Length);
acrValues.Remove(tenant);
}
// pass through any remaining acr values
if (acrValues.Any())
{
signInMessage.AcrValues = acrValues;
}
}
_validatedRequest.SignInMessage = signInMessage;
/////////////////////////////////////////////
// authenticate user
/////////////////////////////////////////////
var authenticationContext = new LocalAuthenticationContext
{
UserName = userName,
Password = password,
SignInRequest = signInMessage
};
await _users.AuthenticateLocalAsync(authenticationContext);
var authnResult = authenticationContext.AuthenticateResult;
if (authnResult == null || authnResult.IsError || authnResult.IsPartialSignIn)
{
var error = "invalid_username_or_password";
if (authnResult != null && authnResult.IsError)
{
error = authnResult.ErrorMessage;
}
if (authnResult != null && authnResult.IsPartialSignIn)
{
error = "Partial signin returned from AuthenticateLocalAsync";
}
LogError("User authentication failed: " + error);
await RaiseFailedResourceOwnerAuthenticationEventAsync(userName, signInMessage, error);
if (authnResult != null)
{
return Invalid(Constants.TokenErrors.InvalidGrant, authnResult.ErrorMessage);
}
return Invalid(Constants.TokenErrors.InvalidGrant);
}
_validatedRequest.UserName = userName;
_validatedRequest.Subject = authnResult.User;
await RaiseSuccessfulResourceOwnerAuthenticationEventAsync(userName, authnResult.User.GetSubjectId(), signInMessage);
_logger.LogInformation("Password token request validation success.");
return Valid();
}
