private static void ConfigureOpenIdConnect(OpenIdConnectOptions options)
{
var openIdConfiguration = new OpenIdConfiguration();
_configuration.GetSection(nameof(OpenIdConfiguration)).Bind(openIdConfiguration);
options.Authority = openIdConfiguration.Authority;
options.RequireHttpsMetadata = openIdConfiguration.RequireHttpsMetadata;
options.ClientSecret = openIdConfiguration.ClientSecret;
options.ClientId = openIdConfiguration.ClientId;
options.ResponseType = openIdConfiguration.ResponseType;
options.Scope.Clear();
foreach (var scope in openIdConfiguration.ScopesAsList)
{
options.Scope.Add(scope);
}
options.ClaimActions.Remove("amr");
options.ClaimActions.MapJsonKey("website", "website");
options.GetClaimsFromUserInfoEndpoint = openIdConfiguration.GetClaimsFromUserInfoEndpoint;
options.SaveTokens = openIdConfiguration.SaveTokens;
options.TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = JwtClaimTypes.Name,
RoleClaimType = ClaimTypes.Role
};
}
private async Task HandleOpenIdConfigurationRequest(IOwinContext context)
{
var configuration = new OpenIdConfiguration
{
Issuer = string.Format(IssuerFormat, baseUri),
AuthorizationEndpoint = string.Format(AuthorizationEndpointFormat, baseUri, tenant, defaultPolicy),
TokenEndpoint = string.Format(TokenEndpointFormat, baseUri, tenant, defaultPolicy),
EndSessionEndpoint = string.Format(EndSessionEndpointFormat, baseUri, tenant, defaultPolicy),
JwksUri = string.Format(JwksUriFormat, baseUri, tenant, defaultPolicy),
ResponseModeSupported = new List <string> {
"query", "fragment", "form_post"
},
ResponseTypeSupported = new List <string> {
"code", "code id_token", "code token", "code id_token token", "id_token", "id_token token", "token", "token id_token"
},
ScopesSupported = new List <string> {
"openid"
},
SubjectTypeSupported = new List <string> {
"pairwise"
},
IdTokenSigningAlgValuesSupported = new List <string> {
"RS256"
},
TokenEndpointAuthMethodsSuported = new List <string> {
"client_secret_post"
},
ClaimsSupported = new List <string> {
"name", "given_name", "family_name", "email", "sub", "idp", "alternativeSecurityId", "authenticationSource", "role"
}
};
context.Response.StatusCode = 200;
await context.Response.WriteAsync(JsonConvert.SerializeObject(configuration, Formatting.Indented));
}
private async Task EnsureDirectoryIsSetAsync()
{
if (configuration == null)
{
configuration = JsonObject.Parse(
text: await httpClient.GetStringAsync($"https://{host}/.well-known/openid-configuration")
).As <OpenIdConfiguration>();
}
}
private async Task <BankClientProfile> PersistOpenBankingClient(
BankClientProfile value,
OpenIdConfiguration openIdConfiguration,
OpenBankingClientRegistrationClaims registrationClaims,
BankClientRegistrationData openBankingRegistrationData)
{
value.State = "ok";
value.OpenIdConfiguration = openIdConfiguration;
value.BankClientRegistrationClaims =
_mapper.Map <BankClientRegistrationClaims>(registrationClaims);
value.BankClientRegistrationData = openBankingRegistrationData;
await _bankClientProfileRepo.UpsertAsync(value);
return(value);
}
public string GetOpenIdConfigJson()
{
OpenIdConfiguration openIdConfig = new OpenIdConfiguration
{
Issuer = MockRoutes.Url,
ResponseTypesSupported = new List <string> {
"code id_token"
}.ToArray(),
ScopesSupported = new List <string> {
"openid", "payments", "accounts", "fundsconfirmations", "profile"
}
.ToArray(),
ResponseModesSupported = new List <string> {
"fragment", "query", "form_post"
}.ToArray(),
TokenEndpoint = $"{MockRoutes.Url}{MockRoutes.Token}",
AuthorizationEndpoint = $"{MockRoutes.Url}{MockRoutes.Authorize}",
RegistrationEndpoint = $"{MockRoutes.Url}{MockRoutes.Register}"
};
return(JsonConvert.SerializeObject(openIdConfig));
}
public ValidateTokenRequestHandler(OpenIdConfiguration configuration)
{
_configuration = configuration;
}
public async Task <BankClientProfileResponse> CreateAsync(BankClientProfilePublic bankClientProfile)
{
bankClientProfile.ArgNotNull(nameof(bankClientProfile));
// Load relevant objects
SoftwareStatementProfile softwareStatementProfile =
_softwareStatementProfileService.GetSoftwareStatementProfile(
bankClientProfile.SoftwareStatementProfileId);
// STEP 1
// Compute claims associated with Open Banking client
// Get OpenID Connect configuration info
OpenIdConfiguration openIdConfiguration =
await GetOpenIdConfigurationAsync(bankClientProfile.IssuerUrl);
new OpenBankingOpenIdConfigurationResponseValidator().Validate(openIdConfiguration)
.RaiseErrorOnValidationError();
// Create claims for client reg
OpenBankingClientRegistrationClaims registrationClaims = Factories.CreateRegistrationClaims(
issuerUrl: bankClientProfile.IssuerUrl,
sProfile: softwareStatementProfile,
concatScopes: false);
BankClientRegistrationClaimsOverrides registrationClaimsOverrides =
bankClientProfile.BankClientRegistrationClaimsOverrides;
if (!(registrationClaimsOverrides is null))
{
if (!(registrationClaimsOverrides.RequestAudience is null))
{
registrationClaims.Aud = registrationClaimsOverrides.RequestAudience;
}
}
BankClientRegistrationClaims persistentRegistrationClaims =
_mapper.Map <BankClientRegistrationClaims>(registrationClaims);
// STEP 2
// Check for existing Open Banking client for issuer URL
// If we have an Open Banking client with the same issuer URL we will check if the claims match.
// If they do, we will re-use this client.
// Otherwise we will return an error as only support a single client per issuer URL at present.
IQueryable <BankClientProfile> clientList = await _bankClientProfileRepo
.GetAsync(c => c.IssuerUrl == bankClientProfile.IssuerUrl);
BankClientProfile existingClient = clientList
.SingleOrDefault();
if (existingClient is object)
{
if (existingClient.BankClientRegistrationClaims != persistentRegistrationClaims)
{
throw new Exception(
"There is already a client for this issuer URL but it cannot be re-used because claims are different.");
}
}
// STEP 3
// Create new Open Banking client by posting JWT
BankClientProfile client;
if (existingClient is null)
{
JwtFactory jwtFactory = new JwtFactory();
string jwt = jwtFactory.CreateJwt(
profile: softwareStatementProfile,
claims: registrationClaims,
useOpenBankingJwtHeaders: false);
OpenBankingClientRegistrationResponse registrationResponse = await new HttpRequestBuilder()
.SetMethod(HttpMethod.Post)
.SetUri(openIdConfiguration.RegistrationEndpoint)
.SetContent(jwt)
.SetContentType("application/jwt")
.Create()
.RequestJsonAsync <OpenBankingClientRegistrationResponse>(
client: _apiClient,
requestContentIsJson: false);
BankClientRegistrationData openBankingClientResponse = new BankClientRegistrationData
{
ClientId = registrationResponse.ClientId,
ClientIdIssuedAt = registrationResponse.ClientIdIssuedAt,
ClientSecret = registrationResponse.ClientSecret,
ClientSecretExpiresAt = registrationResponse.ClientSecretExpiresAt
};
// Create and store Open Banking client
BankClientProfile newClient = _mapper.Map <BankClientProfile>(bankClientProfile);
client = await PersistOpenBankingClient(
value : newClient,
openIdConfiguration : openIdConfiguration,
registrationClaims : registrationClaims,
openBankingRegistrationData : openBankingClientResponse);
await _dbMultiEntityMethods.SaveChangesAsync();
}
else
{
client = existingClient;
}
// Return
return(new BankClientProfileResponse(client));
}
public HandleAuthorizationRequestHandler(OpenIdConfiguration configuration)
{
_configuration = configuration;
}
