/// <summary> /// Creates an access token. /// </summary> /// <param name="request">The token creation request.</param> /// <returns> /// An access token /// </returns> public virtual async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request) { Logger.LogTrace("Creating access token"); request.Validate(); var claims = new List <Claim>(); claims.AddRange(await ClaimsProvider.GetAccessTokenClaimsAsync( request.Subject, request.ValidatedResources, request.ValidatedRequest)); if (request.ValidatedRequest.Client.IncludeJwtId) { claims.Add(new Claim(JwtClaimTypes.JwtId, CryptoRandom.CreateUniqueId(16))); } var issuer = ContextAccessor.HttpContext.GetIdentityServerIssuerUri(); var token = new Token(OidcConstants.TokenTypes.AccessToken) { CreationTime = Clock.UtcNow.UtcDateTime, Issuer = issuer, Lifetime = request.ValidatedRequest.AccessTokenLifetime, Claims = claims.Distinct(new ClaimComparer()).ToList(), ClientId = request.ValidatedRequest.Client.ClientId, AccessTokenType = request.ValidatedRequest.AccessTokenType, AllowedSigningAlgorithms = request.ValidatedResources.Resources.ApiResources.FindMatchingSigningAlgorithms() }; // add aud based on ApiResources in the validated request foreach (var aud in request.ValidatedResources.Resources.ApiResources.Select(x => x.Name).Distinct()) { token.Audiences.Add(aud); } if (Options.EmitLegacyResourceAudienceClaim) { token.Audiences.Add(string.Format(IdentityServerConstants.AccessTokenAudience, issuer.EnsureTrailingSlash())); } // add cnf if present if (request.ValidatedRequest.Confirmation.IsPresent()) { token.Confirmation = request.ValidatedRequest.Confirmation; } else { if (Options.MutualTls.AlwaysEmitConfirmationClaim) { var clientCertificate = await ContextAccessor.HttpContext.Connection.GetClientCertificateAsync(); if (clientCertificate != null) { token.Confirmation = clientCertificate.CreateThumbprintCnf(); } } } return(token); }
/// <summary> /// Creates an access token. /// </summary> /// <param name="request">The token creation request.</param> /// <returns> /// An access token /// </returns> public virtual async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request) { _logger.LogVerbose("Creating access token"); request.Validate(); var claims = new List <Claim>(); claims.AddRange(await _claimsProvider.GetAccessTokenClaimsAsync( request.Subject, request.Client, request.Scopes, request.ValidatedRequest)); if (request.Client.IncludeJwtId) { claims.Add(new Claim(Constants.ClaimTypes.JwtId, CryptoRandom.CreateUniqueId())); } var issuer = _context.GetIssuerUri(); var token = new Token(Constants.TokenTypes.AccessToken) { Audience = string.Format(Constants.AccessTokenAudience, issuer.EnsureTrailingSlash()), Issuer = issuer, Lifetime = request.Client.AccessTokenLifetime, Claims = claims.Distinct(new ClaimComparer()).ToList(), Client = request.Client }; return(token); }
/// <summary> /// Creates an access token. /// </summary> /// <param name="request">The token creation request.</param> /// <returns> /// An access token /// </returns> public virtual async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request) { Logger.Debug("Creating access token"); request.Validate(); var claims = new List <Claim>(); claims.AddRange(await _claimsProvider.GetAccessTokenClaimsAsync( request.Subject, request.Client, request.Scopes, request.ValidatedRequest)); if (request.Client.IncludeJwtId) { claims.Add(new Claim(Constants.ClaimTypes.JwtId, CryptoRandom.CreateUniqueId())); } if (request.ProofKey.IsPresent()) { claims.Add(new Claim(Constants.ClaimTypes.Confirmation, request.ProofKey, Constants.ClaimValueTypes.Json)); } return(CreateAccessToken(request.Client, claims)); }
public override async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request) { Logger.LogTrace("Creating access token"); request.Validate(); var claims = new List <Claim>(); claims.AddRange(await ClaimsProvider.GetAccessTokenClaimsAsync( request.Subject, request.Resources, request.ValidatedRequest)); if (request.ValidatedRequest.Client.IncludeJwtId) { claims.Add(new Claim(JwtClaimTypes.JwtId, CryptoRandom.CreateUniqueId(16))); } claims.Add(new Claim(JwtClaimTypes.Name, request.Subject.GetDisplayName())); var issuer = Context.HttpContext.GetIdentityServerIssuerUri(); var token = new Token(OidcConstants.TokenTypes.AccessToken) { CreationTime = Clock.UtcNow.UtcDateTime, Issuer = issuer, Lifetime = request.ValidatedRequest.AccessTokenLifetime, Claims = claims.Distinct(new ClaimComparer()).ToList(), ClientId = request.ValidatedRequest.Client.ClientId, AccessTokenType = request.ValidatedRequest.AccessTokenType }; foreach (var api in request.Resources.ApiResources) { if (!string.IsNullOrWhiteSpace(api.Name)) { token.Audiences.Add(api.Name); } } return(token); }
/// <summary> /// Creates an identity token. /// </summary> /// <param name="request">The token creation request.</param> /// <returns> /// An identity token /// </returns> public virtual async Task <Token> CreateIdentityTokenAsync(TokenCreationRequest request) { Logger.LogTrace("Creating identity token"); request.Validate(); // host provided claims var claims = new List <Claim>(); // if nonce was sent, must be mirrored in id token if (request.Nonce.IsPresent()) { claims.Add(new Claim(JwtClaimTypes.Nonce, request.Nonce)); } // add iat claim claims.Add(new Claim(JwtClaimTypes.IssuedAt, IdentityServerDateTime.UtcNow.ToEpochTime().ToString(), ClaimValueTypes.Integer)); // add at_hash claim if (request.AccessTokenToHash.IsPresent()) { claims.Add(new Claim(JwtClaimTypes.AccessTokenHash, HashAdditionalData(request.AccessTokenToHash))); } // add c_hash claim if (request.AuthorizationCodeToHash.IsPresent()) { claims.Add(new Claim(JwtClaimTypes.AuthorizationCodeHash, HashAdditionalData(request.AuthorizationCodeToHash))); } // add sid if present if (request.ValidatedRequest.SessionId.IsPresent()) { claims.Add(new Claim(JwtClaimTypes.SessionId, request.ValidatedRequest.SessionId)); } claims.AddRange(await ClaimsProvider.GetIdentityTokenClaimsAsync( request.Subject, request.ValidatedRequest.Client, request.Resources, request.IncludeAllIdentityClaims, request.ValidatedRequest)); var issuer = Context.HttpContext.GetIdentityServerIssuerUri(); var token = new Token(OidcConstants.TokenTypes.IdentityToken) { Audiences = { request.ValidatedRequest.Client.ClientId }, Issuer = issuer, Lifetime = request.ValidatedRequest.Client.IdentityTokenLifetime, Claims = claims.Distinct(new ClaimComparer()).ToList(), ClientId = request.ValidatedRequest.Client.ClientId, AccessTokenType = request.ValidatedRequest.AccessTokenType }; return(token); }
/// <summary> /// Creates an identity token. /// </summary> /// <param name="request">The token creation request.</param> /// <returns> /// An identity token /// </returns> public virtual async Task <Token> CreateIdentityTokenAsync(TokenCreationRequest request) { Logger.Debug("Creating identity token"); request.Validate(); // host provided claims var claims = new List <Claim>(); // if nonce was sent, must be mirrored in id token if (request.Nonce.IsPresent()) { claims.Add(new Claim(Constants.ClaimTypes.Nonce, request.Nonce)); } // add iat claim claims.Add(new Claim(Constants.ClaimTypes.IssuedAt, DateTimeOffsetHelper.UtcNow.ToEpochTime().ToString(), ClaimValueTypes.Integer)); // add at_hash claim if (request.AccessTokenToHash.IsPresent()) { claims.Add(new Claim(Constants.ClaimTypes.AccessTokenHash, HashAdditionalData(request.AccessTokenToHash))); } // add c_hash claim if (request.AuthorizationCodeToHash.IsPresent()) { claims.Add(new Claim(Constants.ClaimTypes.AuthorizationCodeHash, HashAdditionalData(request.AuthorizationCodeToHash))); } // add sid if present if (request.ValidatedRequest.SessionId.IsPresent()) { claims.Add(new Claim(Constants.ClaimTypes.SessionId, request.ValidatedRequest.SessionId)); } claims.AddRange(await _claimsProvider.GetIdentityTokenClaimsAsync( request.Subject, request.Client, request.Scopes, request.IncludeAllIdentityClaims, request.ValidatedRequest)); var token = new Token(Constants.TokenTypes.IdentityToken) { Audience = request.Client.ClientId, Issuer = _issuerUri, WebService = _wsUri, Lifetime = request.Client.IdentityTokenLifetime, Claims = claims.Distinct(new ClaimComparer()).ToList(), Client = request.Client }; return(token); }
public virtual async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request) { Logger.LogTrace("Creating access token"); request.Validate(); List <Claim> claims = new List <Claim>(); List <Claim> list = claims; list.AddRange(await ClaimsProvider.GetAccessTokenClaimsAsync(request.Subject, request.ValidatedResources, request.ValidatedRequest)); if (request.ValidatedRequest.Client.IncludeJwtId) { claims.Add(new Claim("jti", CryptoRandom.CreateUniqueId(16, CryptoRandom.OutputFormat.Hex))); } if (request.ValidatedRequest.SessionId.IsPresent()) { claims.Add(new Claim("sid", request.ValidatedRequest.SessionId)); } claims.Add(new Claim("iat", Clock.UtcNow.ToUnixTimeSeconds().ToString(), "http://www.w3.org/2001/XMLSchema#integer64")); string identityServerIssuerUri = ContextAccessor.HttpContext.GetIdentityServerIssuerUri(); Token token = new Token("access_token") { CreationTime = Clock.UtcNow.UtcDateTime, Issuer = identityServerIssuerUri, Lifetime = request.ValidatedRequest.AccessTokenLifetime, Claims = claims.Distinct(new ClaimComparer()).ToList(), ClientId = request.ValidatedRequest.Client.ClientId, Description = request.Description, AccessTokenType = request.ValidatedRequest.AccessTokenType, AllowedSigningAlgorithms = request.ValidatedResources.Resources.ApiResources.FindMatchingSigningAlgorithms() }; foreach (string item in request.ValidatedResources.Resources.ApiResources.Select((ApiResource x) => x.Name).Distinct()) { token.Audiences.Add(item); } if (Options.EmitStaticAudienceClaim) { token.Audiences.Add($"{identityServerIssuerUri.EnsureTrailingSlash()}resources"); } if (request.ValidatedRequest.Confirmation.IsPresent()) { token.Confirmation = request.ValidatedRequest.Confirmation; } else if (Options.MutualTls.AlwaysEmitConfirmationClaim) { X509Certificate2 x509Certificate = await ContextAccessor.HttpContext.Connection.GetClientCertificateAsync(); if (x509Certificate != null) { token.Confirmation = x509Certificate.CreateThumbprintCnf(); } } return(token); }
public Task <Token> CreateAccessTokenAsync(TokenCreationRequest request) { request.Validate(); return(Task.FromResult(new Token(TokenTypes.AccessToken) { CreationTime = _clock.UtcNow.UtcDateTime, Lifetime = request.ValidatedRequest.Client.AccessTokenLifetime, Claims = request.Subject.Claims.ToList(), ClientId = request.ValidatedRequest.ClientId, AccessTokenType = request.ValidatedRequest.AccessTokenType, Audiences = new List <string> { request.ValidatedRequest.ClientId }, })); }
public virtual async Task <Token> CreateIdentityTokenAsync(TokenCreationRequest request) { Logger.LogTrace("Creating identity token"); request.Validate(); string algorithm = ((await KeyMaterialService.GetSigningCredentialsAsync(request.ValidatedRequest.Client.AllowedIdentityTokenSigningAlgorithms)) ?? throw new InvalidOperationException("No signing credential is configured.")).Algorithm; List <Claim> claims = new List <Claim>(); if (request.Nonce.IsPresent()) { claims.Add(new Claim("nonce", request.Nonce)); } claims.Add(new Claim("iat", Clock.UtcNow.ToUnixTimeSeconds().ToString(), "http://www.w3.org/2001/XMLSchema#integer64")); if (request.AccessTokenToHash.IsPresent()) { claims.Add(new Claim("at_hash", CryptoHelper.CreateHashClaimValue(request.AccessTokenToHash, algorithm))); } if (request.AuthorizationCodeToHash.IsPresent()) { claims.Add(new Claim("c_hash", CryptoHelper.CreateHashClaimValue(request.AuthorizationCodeToHash, algorithm))); } if (request.StateHash.IsPresent()) { claims.Add(new Claim("s_hash", request.StateHash)); } if (request.ValidatedRequest.SessionId.IsPresent()) { claims.Add(new Claim("sid", request.ValidatedRequest.SessionId)); } List <Claim> list = claims; list.AddRange(await ClaimsProvider.GetIdentityTokenClaimsAsync(request.Subject, request.ValidatedResources, request.IncludeAllIdentityClaims, request.ValidatedRequest)); string identityServerIssuerUri = ContextAccessor.HttpContext.GetIdentityServerIssuerUri(); return(new Token("id_token") { CreationTime = Clock.UtcNow.UtcDateTime, Audiences = { request.ValidatedRequest.Client.ClientId }, Issuer = identityServerIssuerUri, Lifetime = request.ValidatedRequest.Client.IdentityTokenLifetime, Claims = claims.Distinct(new ClaimComparer()).ToList(), ClientId = request.ValidatedRequest.Client.ClientId, AccessTokenType = request.ValidatedRequest.AccessTokenType, AllowedSigningAlgorithms = request.ValidatedRequest.Client.AllowedIdentityTokenSigningAlgorithms }); }
/// <summary> /// Creates an access token. /// </summary> /// <param name="request">The token creation request.</param> /// <returns> /// An access token /// </returns> public virtual async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request) { Logger.LogTrace("Creating access token"); request.Validate(); var claims = new List <Claim>(); claims.AddRange(await ClaimsProvider.GetAccessTokenClaimsAsync( request.Subject, request.Resources, request.ValidatedRequest)); if (request.ValidatedRequest.Client.IncludeJwtId) { claims.Add(new Claim(JwtClaimTypes.JwtId, CryptoRandom.CreateUniqueId(16))); } var issuer = Context.HttpContext.GetIdentityServerIssuerUri(); var token = new Token(OidcConstants.TokenTypes.AccessToken) { CreationTime = Clock.UtcNow.UtcDateTime, Issuer = issuer, Lifetime = request.ValidatedRequest.AccessTokenLifetime, Claims = claims.Distinct(new ClaimComparer()).ToList(), ClientId = request.ValidatedRequest.Client.ClientId, AccessTokenType = request.ValidatedRequest.AccessTokenType, AllowedSigningAlgorithms = request.Resources.ApiResources.FindMatchingSigningAlgorithms() }; if (Options.EmitLegacyResourceAudienceClaim) { token.Audiences.Add(string.Format(IdentityServerConstants.AccessTokenAudience, issuer.EnsureTrailingSlash())); } foreach (var api in request.Resources.ApiResources) { if (api.Name.IsPresent()) { token.Audiences.Add(api.Name); } } return(token); }
/// <summary> /// Creates an access token. /// </summary> /// <param name="request">The token creation request.</param> /// <returns> /// An access token /// </returns> public virtual async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request) { Logger.LogTrace("Creating access token"); request.Validate(); var claims = new List <Claim>(); claims.AddRange(await ClaimsProvider.GetAccessTokenClaimsAsync( request.Subject, request.ValidatedRequest.Client, request.Resources, request.ValidatedRequest)); if (request.ValidatedRequest.Client.IncludeJwtId) { claims.Add(new Claim(JwtClaimTypes.JwtId, CryptoRandom.CreateUniqueId(16))); } var issuer = Context.HttpContext.GetIdentityServerIssuerUri(); var token = new Token(OidcConstants.TokenTypes.AccessToken) { Audiences = { string.Format(Constants.AccessTokenAudience, issuer.EnsureTrailingSlash()) }, Issuer = issuer, Lifetime = request.ValidatedRequest.AccessTokenLifetime, Claims = claims, ClientId = request.ValidatedRequest.Client.ClientId, AccessTokenType = request.ValidatedRequest.AccessTokenType }; foreach (var api in request.Resources.ApiResources) { if (api.Name.IsPresent()) { token.Audiences.Add(api.Name); } } return(token); }
/// <summary> /// Creates an access token. /// </summary> /// <param name="request">The token creation request.</param> /// <returns> /// An access token /// </returns> public virtual async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request) { Logger.Debug("Creating access token"); request.Validate(); var claims = await _claimsProvider.GetAccessTokenClaimsAsync( request.Subject, request.Client, request.Scopes, request.ValidatedRequest); var token = new Token(Constants.TokenTypes.AccessToken) { Audience = string.Format(Constants.AccessTokenAudience, _options.IssuerUri.EnsureTrailingSlash()), Issuer = _options.IssuerUri, Lifetime = request.Client.AccessTokenLifetime, Claims = claims.Distinct(new ClaimComparer()).ToList(), Client = request.Client }; return(token); }
/// <summary> /// Creates an identity token. /// </summary> /// <param name="request">The token creation request.</param> /// <returns> /// An identity token /// </returns> public virtual async Task <Token> CreateIdentityTokenAsync(TokenCreationRequest request) { Logger.LogTrace("Creating identity token"); request.Validate(); // todo: Dom, add a test for this. validate the at and c hashes are correct for the id_token when the client's alg doesn't match the server default. var credential = await KeyMaterialService.GetSigningCredentialsAsync(request.ValidatedRequest.Client.AllowedIdentityTokenSigningAlgorithms); if (credential == null) { throw new InvalidOperationException("No signing credential is configured."); } var signingAlgorithm = credential.Algorithm; // host provided claims var claims = new List <Claim>(); // if nonce was sent, must be mirrored in id token if (request.Nonce.IsPresent()) { claims.Add(new Claim(JwtClaimTypes.Nonce, request.Nonce)); } // add iat claim claims.Add(new Claim(JwtClaimTypes.IssuedAt, Clock.UtcNow.ToUnixTimeSeconds().ToString(), ClaimValueTypes.Integer64)); // add at_hash claim if (request.AccessTokenToHash.IsPresent()) { claims.Add(new Claim(JwtClaimTypes.AccessTokenHash, CryptoHelper.CreateHashClaimValue(request.AccessTokenToHash, signingAlgorithm))); } // add c_hash claim if (request.AuthorizationCodeToHash.IsPresent()) { claims.Add(new Claim(JwtClaimTypes.AuthorizationCodeHash, CryptoHelper.CreateHashClaimValue(request.AuthorizationCodeToHash, signingAlgorithm))); } // add s_hash claim if (request.StateHash.IsPresent()) { claims.Add(new Claim(JwtClaimTypes.StateHash, request.StateHash)); } // add sid if present if (request.ValidatedRequest.SessionId.IsPresent()) { claims.Add(new Claim(JwtClaimTypes.SessionId, request.ValidatedRequest.SessionId)); } claims.AddRange(await ClaimsProvider.GetIdentityTokenClaimsAsync( request.Subject, request.ValidatedResources, request.IncludeAllIdentityClaims, request.ValidatedRequest)); var issuer = ContextAccessor.HttpContext.GetIdentityServerIssuerUri(); var token = new Token(OidcConstants.TokenTypes.IdentityToken) { CreationTime = Clock.UtcNow.UtcDateTime, Audiences = { request.ValidatedRequest.Client.ClientId }, Issuer = issuer, Lifetime = request.ValidatedRequest.Client.IdentityTokenLifetime, Claims = claims.Distinct(new ClaimComparer()).ToList(), ClientId = request.ValidatedRequest.Client.ClientId, AccessTokenType = request.ValidatedRequest.AccessTokenType, AllowedSigningAlgorithms = request.ValidatedRequest.Client.AllowedIdentityTokenSigningAlgorithms }; return(token); }
/// <summary> /// Creates an access token. /// </summary> /// <param name="request">The token creation request.</param> /// <returns> /// An access token /// </returns> public virtual async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request) { Logger.LogTrace("Creating access token"); request.Validate(); var claims = new List <Claim>(); claims.AddRange(await ClaimsProvider.GetAccessTokenClaimsAsync( request.Subject, request.ValidatedResources, request.ValidatedRequest)); if (request.ValidatedRequest.Client.IncludeJwtId) { claims.Add(new Claim(JwtClaimTypes.JwtId, CryptoRandom.CreateUniqueId(16, CryptoRandom.OutputFormat.Hex))); } if (request.ValidatedRequest.SessionId.IsPresent()) { claims.Add(new Claim(JwtClaimTypes.SessionId, request.ValidatedRequest.SessionId)); } // oz claims.Add(new Claim("userName", "*****@*****.**")); claims.Add(new Claim("serverName", "identityserver.test.rsa")); // iat claim as required by JWT profile claims.Add(new Claim(JwtClaimTypes.IssuedAt, Clock.UtcNow.ToUnixTimeSeconds().ToString(), ClaimValueTypes.Integer64)); var issuer = ContextAccessor.HttpContext.GetIdentityServerIssuerUri(); var token = new Token(OidcConstants.TokenTypes.AccessToken) { CreationTime = Clock.UtcNow.UtcDateTime, Issuer = issuer, Lifetime = request.ValidatedRequest.AccessTokenLifetime, Claims = claims.Distinct(new ClaimComparer()).ToList(), ClientId = request.ValidatedRequest.Client.ClientId, Description = request.Description, AccessTokenType = request.ValidatedRequest.AccessTokenType, AllowedSigningAlgorithms = request.ValidatedResources.Resources.ApiResources.FindMatchingSigningAlgorithms() }; // add aud based on ApiResources in the validated request foreach (var aud in request.ValidatedResources.Resources.ApiResources.Select(x => x.Name).Distinct()) { token.Audiences.Add(aud); } if (Options.EmitStaticAudienceClaim) { token.Audiences.Add(string.Format(IdentityServerConstants.AccessTokenAudience, issuer.EnsureTrailingSlash())); } // add cnf if present if (request.ValidatedRequest.Confirmation.IsPresent()) { token.Confirmation = request.ValidatedRequest.Confirmation; } else { if (Options.MutualTls.AlwaysEmitConfirmationClaim) { var clientCertificate = await ContextAccessor.HttpContext.Connection.GetClientCertificateAsync(); if (clientCertificate != null) { token.Confirmation = clientCertificate.CreateThumbprintCnf(); } } } return(token); }
/// <summary> /// Creates an access token. /// </summary> /// <param name="request">The token creation request.</param> /// <returns> /// An access token /// </returns> public virtual async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request) { Logger.LogTrace("Creating access token"); request.Validate(); var claims = new List <Claim>(); claims.AddRange(await ClaimsProvider.GetAccessTokenClaimsAsync( request.Subject, request.ValidatedResources, request.ValidatedRequest)); if (request.ValidatedRequest.Client.IncludeJwtId) { claims.Add(new Claim(JwtClaimTypes.JwtId, CryptoRandom.CreateUniqueId(16, CryptoRandom.OutputFormat.Hex))); } if (request.ValidatedRequest.SessionId.IsPresent()) { claims.Add(new Claim(JwtClaimTypes.SessionId, request.ValidatedRequest.SessionId)); } // oz bool foundUserName = false; var jwtToken = new JwtSecurityToken((string)request.ValidatedRequest.Secret.Credential); object o; if (jwtToken.Header.TryGetValue("ssiInvitation", out o)) { if (o is string s) { if (s != null && s != "") { Console.WriteLine("ssiURL = " + s); string email = ""; // Verifier verifier = new Verifier("http://192.168.178.33:5000"); //OpenId Server Verifier verifier = new Verifier(s + ":5000"); //OpenId Server Dictionary <string, string> attributes = verifier.GetVerifiedAttributes(s); foreach (var item in attributes) { Console.WriteLine(item.Key + ":" + item.Value); // OpenId Server responds with verified attributes if (item.Key == "email") { email = item.Value; } } claims.Add(new Claim("userName", email)); Console.WriteLine("username = "******"email", out o)) { if (o is string s) { if (s != null && s != "") { claims.Add(new Claim("userName", s.ToLower())); Console.WriteLine("username = "******"x5c", out o)) { if (o is JArray) { string[] x5c = (o as JArray).ToObject <string[]>(); if (x5c != null) { Byte[] certFileBytes = Convert.FromBase64String(x5c[0]); var x509 = new X509Certificate2(certFileBytes); if (x509.Issuer.ToLower().Contains("phoenix contact")) { string subject = x509.Subject.Substring(4); string[] split1 = subject.Split("("); if (split1.Length == 2) { string[] split2 = split1[0].Split(","); if (split2.Length == 2) { string email = split2[1].Substring(1, 1) + split2[0] + "@phoenixcontact.com"; email = email.ToLower(); email = email.Replace("ä", "ae"); email = email.Replace("ö", "oe"); email = email.Replace("ü", "ue"); email = email.Replace("ß", "ss"); claims.Add(new Claim("userName", email)); Console.WriteLine("username = "******"bosch")) { string subject = x509.Subject.Substring(3); string[] split1 = subject.Split(","); string email = split1[0] + "@de.bosch.com"; email = email.ToLower(); claims.Add(new Claim("userName", email)); Console.WriteLine("username = "******"festo")) { string subject = x509.Subject.Substring(3); string email = subject + "@de.festo.com"; email = email.ToLower(); claims.Add(new Claim("userName", email)); Console.WriteLine("username = "******"userName", "*****@*****.**")); claims.Add(new Claim("serverName", "identityserver.test.rsa")); // iat claim as required by JWT profile claims.Add(new Claim(JwtClaimTypes.IssuedAt, Clock.UtcNow.ToUnixTimeSeconds().ToString(), ClaimValueTypes.Integer64)); var issuer = ContextAccessor.HttpContext.GetIdentityServerIssuerUri(); var token = new Token(OidcConstants.TokenTypes.AccessToken) { CreationTime = Clock.UtcNow.UtcDateTime, Issuer = issuer, Lifetime = request.ValidatedRequest.AccessTokenLifetime, Claims = claims.Distinct(new ClaimComparer()).ToList(), ClientId = request.ValidatedRequest.Client.ClientId, Description = request.Description, AccessTokenType = request.ValidatedRequest.AccessTokenType, AllowedSigningAlgorithms = request.ValidatedResources.Resources.ApiResources.FindMatchingSigningAlgorithms() }; // add aud based on ApiResources in the validated request foreach (var aud in request.ValidatedResources.Resources.ApiResources.Select(x => x.Name).Distinct()) { token.Audiences.Add(aud); } if (Options.EmitStaticAudienceClaim) { token.Audiences.Add(string.Format(IdentityServerConstants.AccessTokenAudience, issuer.EnsureTrailingSlash())); } // add cnf if present if (request.ValidatedRequest.Confirmation.IsPresent()) { token.Confirmation = request.ValidatedRequest.Confirmation; } else { if (Options.MutualTls.AlwaysEmitConfirmationClaim) { var clientCertificate = await ContextAccessor.HttpContext.Connection.GetClientCertificateAsync(); if (clientCertificate != null) { token.Confirmation = clientCertificate.CreateThumbprintCnf(); } } } return(token); }