private async Task <AuthenticationTicket> CreateTicketAsync(
OpenIdConnectRequest request,
ApplicationUser user,
AuthenticationProperties properties = null)
{
// Create a new ClaimsPrincipal containing the claims that
// will be used to create an id_token, a token or a code.
var principal = await signInManager.CreateUserPrincipalAsync(user);
// Create a new authentication ticket holding the user identity.
var ticket = new AuthenticationTicket(principal, properties,
OpenIdConnectServerDefaults.AuthenticationScheme);
if (!request.IsAuthorizationCodeGrantType())
{
ticket.SetScopes(new[] { OpenIdConnectConstants.Scopes.OfflineAccess }
.Concat(scopes.GetScopes())
.Intersect(request.GetScopes()));
}
ticket.SetResources("resource_server");
// Note: by default, claims are NOT automatically included in the access and identity tokens.
// To allow OpenIddict to serialize them, you must attach them a destination, that specifies
// whether they should be included in access tokens, in identity tokens or in both.
foreach (var claim in ticket.Principal.Claims)
{
// Never include the security stamp in the access and identity tokens, as it's a secret value.
if (claim.Type == identityOptions.Value.ClaimsIdentity.SecurityStampClaimType)
{
continue;
}
var destinations = new List <string>
{
OpenIdConnectConstants.Destinations.AccessToken
};
// Only add the iterated claim to the id_token if the corresponding scope was granted to the client application.
// The other claims will only be added to the access_token, which is encrypted when using the default format.
if (claim.Type == OpenIdConnectConstants.Claims.Name &&
ticket.HasScope(OpenIdConnectConstants.Scopes.Profile) ||
claim.Type == OpenIdConnectConstants.Claims.Email &&
ticket.HasScope(OpenIdConnectConstants.Scopes.Email) ||
claim.Type == OpenIdConnectConstants.Claims.Role &&
ticket.HasScope(OpenIddictConstants.Claims.Roles))
{
destinations.Add(OpenIdConnectConstants.Destinations.IdentityToken);
}
claim.SetDestinations(destinations);
}
return(ticket);
}
public async Task InitializeAsync()
{
//if (await manager.FindByClientIdAsync("react") == null)
//{
// var descriptor = new OpenIddictApplicationDescriptor
// {
// ClientId = "react",
// ClientSecret = "react_secret",
// DisplayName = "SPA client application",
// PostLogoutRedirectUris = { new Uri("http://localhost:3000/signout-callback-oidc") },
// RedirectUris = { new Uri("http://localhost:3000/signin-oidc") },
// Permissions =
// {
// OpenIddictConstants.Permissions.Endpoints.Authorization,
// OpenIddictConstants.Permissions.Endpoints.Logout,
// OpenIddictConstants.Permissions.GrantTypes.Implicit
// }
// };
// await manager.CreateAsync(descriptor);
//}
var resourceServer = await manager.FindByClientIdAsync("resource_server");
if (resourceServer == null)
{
var descriptor = new OpenIddictApplicationDescriptor
{
ClientId = "resource_server",
ClientSecret = "resource_server_secret",
Permissions =
{
OpenIddictConstants.Permissions.Endpoints.Token,
OpenIddictConstants.Permissions.GrantTypes.ClientCredentials
}
};
await manager.CreateAsync(descriptor);
}
var mvcClient = await manager.FindByClientIdAsync("mvc_client");
if (mvcClient == null)
{
var descriptor = new OpenIddictApplicationDescriptor
{
ClientId = "mvc_client",
ClientSecret = "mvc_client_secret",
DisplayName = "MVC Client application",
PostLogoutRedirectUris = { new Uri($"{configuration["Client:BaseUrl"]}external/logout") },
RedirectUris = { new Uri($"{configuration["Client:BaseUrl"]}external/login") },
Permissions =
{
OpenIddictConstants.Permissions.Endpoints.Authorization,
OpenIddictConstants.Permissions.Endpoints.Logout,
OpenIddictConstants.Permissions.Endpoints.Token,
OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode,
OpenIddictConstants.Permissions.GrantTypes.RefreshToken
}
};
foreach (var scope in scopes.GetScopes())
{
descriptor.Permissions.Add($"scp:{scope}");
}
await manager.CreateAsync(descriptor);
}
else
{
var permissions = new JArray(
OpenIddictConstants.Permissions.Endpoints.Authorization,
OpenIddictConstants.Permissions.Endpoints.Logout,
OpenIddictConstants.Permissions.Endpoints.Token,
OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode,
OpenIddictConstants.Permissions.GrantTypes.RefreshToken);
foreach (var scope in scopes.GetScopes())
{
permissions.Add($"scp:{scope}");
}
mvcClient.Permissions = JsonConvert.SerializeObject(permissions);
await manager.UpdateAsync(mvcClient);
}
var swagger = await manager.FindByClientIdAsync("swagger");
if (swagger == null)
{
var descriptor = new OpenIddictApplicationDescriptor
{
ClientId = "swagger",
DisplayName = "Swagger",
RedirectUris = { new Uri(Combine(addressResolver.Resolve(), "/swagger/oauth2-redirect.html")) },
Permissions =
{
OpenIddictConstants.Permissions.Endpoints.Authorization,
OpenIddictConstants.Permissions.GrantTypes.Implicit
}
};
foreach (var scope in scopes.GetScopes())
{
descriptor.Permissions.Add($"scp:{scope}");
}
await manager.CreateAsync(descriptor);
}
else
{
var permissions = new JArray(OpenIddictConstants.Permissions.Endpoints.Authorization, OpenIddictConstants.Permissions.GrantTypes.Implicit);
foreach (var scope in scopes.GetScopes())
{
permissions.Add($"scp:{scope}");
}
swagger.Permissions = JsonConvert.SerializeObject(permissions);
await manager.UpdateAsync(swagger);
}
}