public override Task DeserializeAccessToken(DeserializeAccessTokenContext context)
{
if (_validIssuers != null && _validIssuers.Count > 0)
{
context.TokenValidationParameters.ValidIssuers = _validIssuers.ToList();
}
return(base.DeserializeAccessToken(context));
}
public override async Task DeserializeAccessToken([NotNull] DeserializeAccessTokenContext context)
{
var options = (OpenIddictOptions)context.Options;
if (!options.UseReferenceTokens)
{
return;
}
context.Ticket = await ReceiveTokenAsync(
context.AccessToken, options, context.HttpContext,
context.Request, context.DataFormat);
// Prevent the OpenID Connect server middleware from using
// its default logic to deserialize the reference token.
context.HandleDeserialization();
}
public override async Task DeserializeAccessToken([NotNull] DeserializeAccessTokenContext context)
{
var options = (OpenIddictOptions)context.Options;
if (options.DisableTokenRevocation)
{
return;
}
context.Ticket = await ReceiveTokenAsync(
OpenIdConnectConstants.TokenUsages.AccessToken,
context.AccessToken, options,
context.Request, context.DataFormat);
// Prevent the OpenID Connect server middleware from using
// its default logic to deserialize reference access tokens.
if (options.UseReferenceTokens)
{
context.HandleDeserialization();
}
}
public Task DeserializeAccessToken(DeserializeAccessTokenContext context)
{
throw new NotImplementedException();
}
protected override async Task <AuthenticationTicket> AuthenticateCoreAsync()
{
var transaction = Context.Get <OpenIddictServerTransaction>(typeof(OpenIddictServerTransaction).FullName);
if (transaction?.Request == null)
{
throw new InvalidOperationException("An identity cannot be extracted from this request.");
}
switch (transaction.EndpointType)
{
case OpenIddictServerEndpointType.Authorization:
case OpenIddictServerEndpointType.Logout:
{
if (string.IsNullOrEmpty(transaction.Request.IdTokenHint))
{
return(null);
}
var notification = new DeserializeIdentityTokenContext(transaction)
{
Token = transaction.Request.IdTokenHint
};
await _provider.DispatchAsync(notification);
if (!notification.IsHandled)
{
throw new InvalidOperationException(new StringBuilder()
.Append("The identity token was not correctly processed. This may indicate ")
.Append("that the event handler responsible of validating identity tokens ")
.Append("was not registered or was explicitly removed from the handlers list.")
.ToString());
}
if (notification.Principal == null)
{
_logger.LogWarning("The identity token extracted from the 'id_token_hint' " +
"parameter was invalid or malformed and was ignored.");
return(null);
}
// Tickets are returned even if they are considered invalid (e.g expired).
return(new AuthenticationTicket((ClaimsIdentity)notification.Principal.Identity, new AuthenticationProperties()));
}
case OpenIddictServerEndpointType.Token when transaction.Request.IsAuthorizationCodeGrantType():
{
// Note: this method can be called from the ApplyTokenResponse event,
// which may be invoked for a missing authorization code/refresh token.
if (string.IsNullOrEmpty(transaction.Request.Code))
{
return(null);
}
var notification = new DeserializeAuthorizationCodeContext(transaction)
{
Token = transaction.Request.Code
};
await _provider.DispatchAsync(notification);
if (!notification.IsHandled)
{
throw new InvalidOperationException(new StringBuilder()
.Append("The authorization code was not correctly processed. This may indicate ")
.Append("that the event handler responsible of validating authorization codes ")
.Append("was not registered or was explicitly removed from the handlers list.")
.ToString());
}
if (notification.Principal == null)
{
_logger.LogWarning("The authorization code extracted from the token request was invalid and was ignored.");
return(null);
}
// Tickets are returned even if they are considered invalid (e.g expired).
return(new AuthenticationTicket((ClaimsIdentity)notification.Principal.Identity, new AuthenticationProperties()));
}
case OpenIddictServerEndpointType.Token when transaction.Request.IsRefreshTokenGrantType():
{
if (string.IsNullOrEmpty(transaction.Request.RefreshToken))
{
return(null);
}
var notification = new DeserializeRefreshTokenContext(transaction)
{
Token = transaction.Request.RefreshToken
};
await _provider.DispatchAsync(notification);
if (!notification.IsHandled)
{
throw new InvalidOperationException(new StringBuilder()
.Append("The refresh token was not correctly processed. This may indicate ")
.Append("that the event handler responsible of validating refresh tokens ")
.Append("was not registered or was explicitly removed from the handlers list.")
.ToString());
}
if (notification.Principal == null)
{
_logger.LogWarning("The refresh token extracted from the token request was invalid and was ignored.");
return(null);
}
// Tickets are returned even if they are considered invalid (e.g expired).
return(new AuthenticationTicket((ClaimsIdentity)notification.Principal.Identity, new AuthenticationProperties()));
}
case OpenIddictServerEndpointType.Userinfo:
{
if (string.IsNullOrEmpty(transaction.Request.AccessToken))
{
return(null);
}
var notification = new DeserializeAccessTokenContext(transaction)
{
Token = transaction.Request.AccessToken
};
await _provider.DispatchAsync(notification);
if (!notification.IsHandled)
{
throw new InvalidOperationException(new StringBuilder()
.Append("The access token was not correctly processed. This may indicate ")
.Append("that the event handler responsible of validating access tokens ")
.Append("was not registered or was explicitly removed from the handlers list.")
.ToString());
}
if (notification.Principal == null)
{
_logger.LogWarning("The access token extracted from the userinfo request was invalid and was ignored.");
return(null);
}
var date = notification.Principal.GetExpirationDate();
if (date.HasValue && date.Value < DateTimeOffset.UtcNow)
{
_logger.LogError("The access token extracted from the userinfo request was expired.");
return(null);
}
return(new AuthenticationTicket((ClaimsIdentity)notification.Principal.Identity, new AuthenticationProperties()));
}
default: throw new InvalidOperationException("An identity cannot be extracted from this request.");
}
}
