/// <summary>
/// Creates the refresh token.
/// </summary>
/// <param name="accessToken">The access token.</param>
/// <param name="client">The client.</param>
/// <returns>
/// The refresh token handle
/// </returns>
public async Task<string> CreateRefreshTokenAsync(Token accessToken, Client client)
{
Logger.Debug("Creating refresh token");
int lifetime;
if (client.RefreshTokenExpiration == TokenExpiration.Absolute)
{
Logger.Debug("Setting an absolute lifetime: " + client.AbsoluteRefreshTokenLifetime);
lifetime = client.AbsoluteRefreshTokenLifetime;
}
else
{
Logger.Debug("Setting a sliding lifetime: " + client.SlidingRefreshTokenLifetime);
lifetime = client.SlidingRefreshTokenLifetime;
}
var handle = CryptoRandom.CreateUniqueId();
var refreshToken = new RefreshToken
{
ClientId = client.ClientId,
CreationTime = DateTimeOffset.UtcNow,
LifeTime = lifetime,
AccessToken = accessToken
};
await _store.StoreAsync(handle, refreshToken);
return handle;
}
/// <summary>
/// Signs the token.
/// </summary>
/// <param name="token">The token.</param>
/// <returns>
/// A protected and serialized security token
/// </returns>
/// <exception cref="System.InvalidOperationException">Invalid token type</exception>
public Task<string> SignTokenAsync(Token token)
{
if (token.Type == Constants.TokenTypes.AccessToken ||
(token.Type == Constants.TokenTypes.IdentityToken &&
token.Client.IdentityTokenSigningKeyType == SigningKeyTypes.Default))
{
return Task.FromResult(CreateJsonWebToken(token, new X509SigningCredentials(_options.SigningCertificate)));
}
if (token.Type == Constants.TokenTypes.IdentityToken &&
token.Client.IdentityTokenSigningKeyType == SigningKeyTypes.ClientSecret)
{
return Task.FromResult(CreateJsonWebToken(token, new HmacSigningCredentials(token.Client.ClientSecret)));
}
throw new InvalidOperationException("Invalid token type");
}
/// <summary>
/// Creates the json web token.
/// </summary>
/// <param name="token">The token.</param>
/// <param name="credentials">The credentials.</param>
/// <returns></returns>
protected virtual string CreateJsonWebToken(Token token, SigningCredentials credentials)
{
var jwt = new JwtSecurityToken(
token.Issuer,
token.Audience,
token.Claims,
DateTimeHelper.UtcNow,
DateTimeHelper.UtcNow.AddSeconds(token.Lifetime),
credentials);
var x509credential = credentials as X509SigningCredentials;
if (x509credential != null)
{
jwt.Header.Add("kid", Base64Url.Encode(x509credential.Certificate.GetCertHash()));
}
var handler = new JwtSecurityTokenHandler();
return handler.WriteToken(jwt);
}
public static Token CreateIdentityToken(string clientId, string subjectId)
{
var clients = Factory.CreateClientStore();
var claims = new List<Claim>
{
new Claim("sub", subjectId)
};
var token = new Token(Constants.TokenTypes.IdentityToken)
{
Audience = clientId,
Client = clients.FindClientByIdAsync(clientId).Result,
Issuer = "https://idsrv3.com",
Lifetime = 600,
Claims = claims
};
return token;
}
public static Token CreateAccessToken(string clientId, string subjectId, int lifetime, params string[] scopes)
{
var claims = new List<Claim>
{
new Claim("client_id", clientId),
new Claim("sub", subjectId)
};
scopes.ToList().ForEach(s => claims.Add(new Claim("scope", s)));
var token = new Token(Constants.TokenTypes.AccessToken)
{
Audience = "https://idsrv3.com/resources",
Issuer = "https://idsrv3.com",
Lifetime = lifetime,
Claims = claims
};
return token;
}
protected virtual IEnumerable<Claim> ReferenceTokenToClaims(Token token)
{
var claims = new List<Claim>
{
new Claim(Constants.ClaimTypes.Audience, token.Audience),
new Claim(Constants.ClaimTypes.Issuer, token.Issuer),
new Claim(Constants.ClaimTypes.NotBefore, token.CreationTime.ToEpochTime().ToString()),
new Claim(Constants.ClaimTypes.Expiration, token.CreationTime.AddSeconds(token.Lifetime).ToEpochTime().ToString())
};
claims.AddRange(token.Claims);
return claims;
}
/// <summary>
/// Signs the token.
/// </summary>
/// <param name="token">The token.</param>
/// <returns>
/// A protected and serialized security token
/// </returns>
/// <exception cref="System.InvalidOperationException">Invalid token type</exception>
public virtual Task<string> SignTokenAsync(Token token)
{
return Task.FromResult(CreateJsonWebToken(token, new X509SigningCredentials(_options.SigningCertificate)));
}
/// <summary>
/// Stores the data.
/// </summary>
/// <param name="key">The key.</param>
/// <param name="value">The value.</param>
/// <returns></returns>
public Task StoreAsync(string key, Token value)
{
_repository[key] = value;
return Task.FromResult<object>(null);
}
/// <summary>
/// Creates an identity token.
/// </summary>
/// <param name="request">The token creation request.</param>
/// <returns>
/// An identity token
/// </returns>
public virtual async Task<Token> CreateIdentityTokenAsync(TokenCreationRequest request)
{
Logger.Debug("Creating identity token");
request.Validate();
// host provided claims
var claims = new List<Claim>();
// if nonce was sent, must be mirrored in id token
if (request.Nonce.IsPresent())
{
claims.Add(new Claim(Constants.ClaimTypes.Nonce, request.Nonce));
}
// add iat claim
claims.Add(new Claim(Constants.ClaimTypes.IssuedAt, DateTime.UtcNow.ToEpochTime().ToString(), ClaimValueTypes.Integer));
// add at_hash claim
if (request.AccessTokenToHash.IsPresent())
{
claims.Add(new Claim(Constants.ClaimTypes.AccessTokenHash, HashAdditionalToken(request.AccessTokenToHash)));
}
// add c_hash claim
if (request.AuthorizationCodeToHash.IsPresent())
{
claims.Add(new Claim(Constants.ClaimTypes.AuthorizationCodeHash, HashAdditionalToken(request.AuthorizationCodeToHash)));
}
claims.AddRange(await _claimsProvider.GetIdentityTokenClaimsAsync(
request.Subject,
request.Client,
request.Scopes,
request.IncludeAllIdentityClaims,
request.ValidatedRequest));
var token = new Token(Constants.TokenTypes.IdentityToken)
{
Audience = request.Client.ClientId,
Issuer = _options.IssuerUri,
Lifetime = request.Client.IdentityTokenLifetime,
Claims = claims.Distinct(new ClaimComparer()).ToList(),
Client = request.Client
};
return token;
}
/// <summary>
/// Creates a serialized and protected security token.
/// </summary>
/// <param name="token">The token.</param>
/// <returns>
/// A security token in serialized form
/// </returns>
/// <exception cref="System.InvalidOperationException">Invalid token type.</exception>
public virtual async Task<string> CreateSecurityTokenAsync(Token token)
{
if (token.Type == Constants.TokenTypes.AccessToken)
{
if (token.Client.AccessTokenType == AccessTokenType.Jwt)
{
Logger.Debug("Creating JWT access token");
return await _signingService.SignTokenAsync(token);
}
Logger.Debug("Creating reference access token");
var handle = CryptoRandom.CreateUniqueId();
await _tokenHandles.StoreAsync(handle, token);
return handle;
}
if (token.Type == Constants.TokenTypes.IdentityToken)
{
Logger.Debug("Creating JWT identity token");
return await _signingService.SignTokenAsync(token);
}
throw new InvalidOperationException("Invalid token type.");
}
/// <summary>
/// Creates an access token.
/// </summary>
/// <param name="request">The token creation request.</param>
/// <returns>
/// An access token
/// </returns>
public virtual async Task<Token> CreateAccessTokenAsync(TokenCreationRequest request)
{
Logger.Debug("Creating access token");
request.Validate();
var claims = new List<Claim>();
claims.AddRange(await _claimsProvider.GetAccessTokenClaimsAsync(
request.Subject,
request.Client,
request.Scopes,
request.ValidatedRequest));
if (request.Client.IncludeJwtId)
{
claims.Add(new Claim(Constants.ClaimTypes.JwtId, CryptoRandom.CreateUniqueId()));
}
var token = new Token(Constants.TokenTypes.AccessToken)
{
Audience = string.Format(Constants.AccessTokenAudience, _options.IssuerUri.EnsureTrailingSlash()),
Issuer = _options.IssuerUri,
Lifetime = request.Client.AccessTokenLifetime,
Claims = claims.Distinct(new ClaimComparer()).ToList(),
Client = request.Client
};
return token;
}
