public async static Task <LoginResult> RefreshTokenAsync(OidcSettings settings, string refreshToken)
        {
            var config = await LoadOpenIdConnectConfigurationAsync(settings);

            var tokenClient = new TokenClient(
                config.TokenEndpoint,
                settings.ClientId,
                settings.ClientSecret);

            var provider = JwkNetExtensions.CreateProvider();
            var jwk      = provider.ToJsonWebKey();

            var tokenResponse = await tokenClient.RequestRefreshTokenPopAsync(
                refreshToken : refreshToken,
                algorithm : jwk.Alg,
                key : jwk.ToJwkString());

            if (tokenResponse.IsError)
            {
                return(new LoginResult {
                    ErrorMessage = tokenResponse.Error
                });
            }
            else
            {
                return(new LoginResult
                {
                    Success = true,
                    AccessToken = tokenResponse.AccessToken,
                    RefreshToken = tokenResponse.RefreshToken,
                    IdentityToken = tokenResponse.IdentityToken,
                    AccessTokenExpiration = DateTime.Now.AddSeconds(tokenResponse.ExpiresIn)
                });
            }
        }
示例#2
0
        private async void refresh_Click(object sender, RoutedEventArgs e)
        {
            if (_config == null)
            {
                await LoadOpenIdConnectConfigurationAsync();
            }

            var tokenClient = new TokenClient(
                _config.TokenEndpoint,
                _settings.ClientId,
                _settings.ClientSecret);

            _provider = JwkNetExtensions.CreateProvider();

            var jwk = _provider.ToJsonWebKey();

            var tokenResponse = await tokenClient.RequestRefreshTokenPopAsync(
                refreshToken : _result?.RefreshToken,
                algorithm : jwk.Alg,
                key : jwk.ToJwkString());

            if (tokenResponse.IsError)
            {
                _result = new LoginResult {
                    ErrorMessage = tokenResponse.Error
                };
            }
            else
            {
                _result = new LoginResult
                {
                    Success               = true,
                    AccessToken           = tokenResponse.AccessToken,
                    RefreshToken          = tokenResponse.RefreshToken,
                    IdentityToken         = tokenResponse.IdentityToken,
                    AccessTokenExpiration = DateTime.Now.AddSeconds(tokenResponse.ExpiresIn)
                };
            }

            ShowTokenResult();
        }
        private async static Task <LoginResult> ValidateResponseAsync(AuthorizeResponse response, OidcSettings settings, OpenIdConnectConfiguration config, string expectedNonce, string verifier)
        {
            var tokenClaims = ValidateIdentityToken(response.IdentityToken, settings, config);

            if (tokenClaims == null)
            {
                return(new LoginResult {
                    ErrorMessage = "Invalid identity token."
                });
            }

            var nonce = tokenClaims.FirstOrDefault(c => c.Type == JwtClaimTypes.Nonce);

            if (nonce == null || !string.Equals(nonce.Value, expectedNonce, StringComparison.Ordinal))
            {
                return(new LoginResult {
                    ErrorMessage = "Inalid nonce."
                });
            }

            var codeHash = tokenClaims.FirstOrDefault(c => c.Type == JwtClaimTypes.AuthorizationCodeHash);

            if (codeHash == null || ValidateCodeHash(codeHash.Value, response.Code) == false)
            {
                return(new LoginResult {
                    ErrorMessage = "Invalid code."
                });
            }

            var provider = JwkNetExtensions.CreateProvider();
            var jwk      = provider.ToJsonWebKey();

            var tokenClient = new TokenClient(
                config.TokenEndpoint,
                settings.ClientId,
                settings.ClientSecret);

            var tokenResponse = await tokenClient.RequestAuthorizationCodePopAsync(
                code : response.Code,
                redirectUri : settings.RedirectUri,
                codeVerifier : settings.UsePkce?verifier : null,
                algorithm : jwk.Alg,
                key : jwk.ToJwkString());

            if (tokenResponse.IsError)
            {
                return(new LoginResult {
                    ErrorMessage = tokenResponse.Error
                });
            }

            var profileClaims = new List <Claim>();

            if (settings.LoadUserProfile)
            {
                var userInfoClient = new UserInfoClient(
                    new Uri(config.UserInfoEndpoint),
                    tokenResponse.AccessToken);

                var userInfoResponse = await userInfoClient.GetAsync();

                profileClaims = userInfoResponse.GetClaimsIdentity().Claims.ToList();
            }

            var principal = CreatePrincipal(tokenClaims, profileClaims, settings);

            return(new LoginResult
            {
                Success = true,
                User = principal,
                IdentityToken = response.IdentityToken,
                AccessToken = tokenResponse.AccessToken,
                RefreshToken = tokenResponse.RefreshToken,
                AccessTokenExpiration = DateTime.Now.AddSeconds(tokenResponse.ExpiresIn)
            });
        }
示例#4
0
        private async Task <LoginResult> ValidateResponseAsync(AuthorizeResponse response)
        {
            // id_token validieren
            var tokenClaims = ValidateIdentityToken(response.IdentityToken);

            if (tokenClaims == null)
            {
                return(new LoginResult {
                    ErrorMessage = "Invalid identity token."
                });
            }

            // nonce validieren
            var nonce = tokenClaims.FirstOrDefault(c => c.Type == JwtClaimTypes.Nonce);

            if (nonce == null || !string.Equals(nonce.Value, _nonce, StringComparison.Ordinal))
            {
                return(new LoginResult {
                    ErrorMessage = "Inalid nonce."
                });
            }

            // c_hash validieren
            var c_hash = tokenClaims.FirstOrDefault(c => c.Type == JwtClaimTypes.AuthorizationCodeHash);

            if (c_hash == null || ValidateCodeHash(c_hash.Value, response.Code) == false)
            {
                return(new LoginResult {
                    ErrorMessage = "Invalid code."
                });
            }

            _provider = JwkNetExtensions.CreateProvider();
            var jwk = _provider.ToJsonWebKey();

            // code eintauschen gegen tokens
            var tokenClient = new TokenClient(
                _config.TokenEndpoint,
                _settings.ClientId,
                _settings.ClientSecret);

            var tokenResponse = await tokenClient.RequestAuthorizationCodePopAsync(
                code : response.Code,
                redirectUri : _settings.RedirectUri,
                codeVerifier : _verifier,
                algorithm : jwk.Alg,
                key : jwk.ToJwkString());

            if (tokenResponse.IsError)
            {
                return(new LoginResult {
                    ErrorMessage = tokenResponse.Error
                });
            }

            // optional userinfo aufrufen
            var profileClaims = new List <Claim>();

            if (_settings.LoadUserProfile)
            {
                var userInfoClient = new UserInfoClient(
                    new Uri(_config.UserInfoEndpoint),
                    tokenResponse.AccessToken);

                var userInfoResponse = await userInfoClient.GetAsync();

                profileClaims = userInfoResponse.GetClaimsIdentity().Claims.ToList();
            }

            var principal = CreatePrincipal(tokenClaims, profileClaims);

            return(new LoginResult
            {
                Success = true,
                User = principal,
                IdentityToken = response.IdentityToken,
                AccessToken = tokenResponse.AccessToken,
                RefreshToken = tokenResponse.RefreshToken,
                AccessTokenExpiration = DateTime.Now.AddSeconds(tokenResponse.ExpiresIn)
            });
        }