protected virtual async Task <IActionResult> ClientCredentialsGrant(TClient client, TokenRequest tokenRequest) { logger.ScopeTrace("Down, OAuth Client Credentials grant accepted.", triggerEvent: true); var tokenResponse = new TokenResponse { TokenType = IdentityConstants.TokenTypes.Bearer, ExpiresIn = client.AccessTokenLifetime, }; string algorithm = IdentityConstants.Algorithms.Asymmetric.RS256; var claims = new List <Claim>(); claims.AddClaim(JwtClaimTypes.Subject, $"c_{client.ClientId}"); claims.AddClaim(JwtClaimTypes.AuthTime, DateTimeOffset.UtcNow.ToUnixTimeSeconds().ToString()); //TODO should the amr claim be included??? //claims.AddClaim(JwtClaimTypes.Amr, IdentityConstants.AuthenticationMethodReferenceValues.Pwd); var scopes = tokenRequest.Scope.ToSpaceList(); tokenResponse.AccessToken = await jwtLogic.CreateAccessTokenAsync(client, claims, scopes, algorithm); logger.ScopeTrace($"Token response '{tokenResponse.ToJsonIndented()}'."); logger.ScopeTrace("Down, OAuth Token response.", triggerEvent: true); return(new JsonResult(tokenResponse)); }
protected override async Task <IActionResult> AuthorizationCodeGrant(TClient client, TokenRequest tokenRequest, bool validatePkce, CodeVerifierSecret codeVerifierSecret) { var authCodeGrant = await oauthAuthCodeGrantLogic.GetAndValidateAuthCodeGrantAsync(tokenRequest.Code, tokenRequest.RedirectUri, tokenRequest.ClientId); if (validatePkce) { await ValidatePkce(client, authCodeGrant.CodeChallenge, authCodeGrant.CodeChallengeMethod, codeVerifierSecret); } logger.ScopeTrace("Down, OIDC Authorization code grant accepted.", triggerEvent: true); var tokenResponse = new TokenResponse { TokenType = IdentityConstants.TokenTypes.Bearer, ExpiresIn = client.AccessTokenLifetime, }; string algorithm = IdentityConstants.Algorithms.Asymmetric.RS256; var claims = authCodeGrant.Claims.ToClaimList(); var scopes = authCodeGrant.Scope.ToSpaceList(); tokenResponse.AccessToken = await jwtLogic.CreateAccessTokenAsync(client, claims, scopes, algorithm); var responseTypes = new[] { IdentityConstants.ResponseTypes.IdToken, IdentityConstants.ResponseTypes.Token }; tokenResponse.IdToken = await jwtLogic.CreateIdTokenAsync(client, claims, scopes, authCodeGrant.Nonce, responseTypes, null, tokenResponse.AccessToken, algorithm); if (scopes.Contains(IdentityConstants.DefaultOidcScopes.OfflineAccess)) { tokenResponse.RefreshToken = await oauthRefreshTokenGrantLogic.CreateRefreshTokenGrantAsync(client, claims, authCodeGrant.Scope); } logger.ScopeTrace($"Token response '{tokenResponse.ToJsonIndented()}'."); logger.ScopeTrace("Down, OIDC Token response.", triggerEvent: true); return(new JsonResult(tokenResponse)); }
protected override async Task <IActionResult> RefreshTokenGrantAsync(TClient client, TokenRequest tokenRequest) { (var refreshTokenGrant, var newRefreshToken) = await oauthRefreshTokenGrantDownLogic.ValidateAndUpdateRefreshTokenGrantAsync(client, tokenRequest.RefreshToken); logger.ScopeTrace(() => "Down, OIDC Refresh Token grant accepted.", triggerEvent: true); var scopes = refreshTokenGrant.Scope.ToSpaceList(); if (!tokenRequest.Scope.IsNullOrEmpty()) { var requestScopes = tokenRequest.Scope.ToSpaceList(); var invalidScope = requestScopes.Where(s => !scopes.Contains(s) && IdentityConstants.DefaultOidcScopes.OpenId != s); if (invalidScope.Count() > 0) { throw new OAuthRequestException($"Invalid scope '{tokenRequest.Scope}' not originally granted.") { RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidScope }; } scopes = scopes.Where(s => requestScopes.Contains(s)).Select(s => s).ToArray(); } try { var tokenResponse = new TokenResponse { TokenType = IdentityConstants.TokenTypes.Bearer, ExpiresIn = client.AccessTokenLifetime, }; string algorithm = IdentityConstants.Algorithms.Asymmetric.RS256; var claims = refreshTokenGrant.Claims.ToClaimList(); tokenResponse.AccessToken = await jwtDownLogic.CreateAccessTokenAsync(client, claims, scopes, algorithm); var responseTypes = new[] { IdentityConstants.ResponseTypes.IdToken, IdentityConstants.ResponseTypes.Token }; tokenResponse.IdToken = await jwtDownLogic.CreateIdTokenAsync(client, claims, scopes, null, responseTypes, null, tokenResponse.AccessToken, algorithm); if (!newRefreshToken.IsNullOrEmpty()) { tokenResponse.RefreshToken = newRefreshToken; } logger.ScopeTrace(() => $"Token response '{tokenResponse.ToJsonIndented()}'.", traceType: TraceTypes.Message); logger.ScopeTrace(() => "Down, OIDC Token response.", triggerEvent: true); return(new JsonResult(tokenResponse)); } catch (KeyException kex) { throw new OAuthRequestException(kex.Message, kex) { RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.ServerError }; } }
protected virtual async Task <IActionResult> ClientCredentialsGrantAsync(TParty party, TokenRequest tokenRequest) { logger.ScopeTrace(() => "Down, OAuth Client Credentials grant accepted.", triggerEvent: true); if (party.Client == null) { throw new NotSupportedException("Party Client not configured."); } try { var tokenResponse = new TokenResponse { TokenType = IdentityConstants.TokenTypes.Bearer, ExpiresIn = party.Client.AccessTokenLifetime, }; string algorithm = IdentityConstants.Algorithms.Asymmetric.RS256; var claims = new List <Claim>(); claims.AddClaim(JwtClaimTypes.Subject, $"c_{party.Client.ClientId}"); claims.AddClaim(JwtClaimTypes.AuthTime, DateTimeOffset.UtcNow.ToUnixTimeSeconds().ToString()); //TODO should the amr claim be included??? //claims.AddClaim(JwtClaimTypes.Amr, IdentityConstants.AuthenticationMethodReferenceValues.Pwd); logger.ScopeTrace(() => $"Down, OAuth created JWT claims '{claims.ToFormattedString()}'", traceType: TraceTypes.Claim); claims = await claimTransformLogic.Transform(party.ClaimTransforms?.ConvertAll(t => (ClaimTransform)t), claims); logger.ScopeTrace(() => $"Down, OAuth output JWT claims '{claims.ToFormattedString()}'", traceType: TraceTypes.Claim); var scopes = tokenRequest.Scope.ToSpaceList(); tokenResponse.AccessToken = await jwtDownLogic.CreateAccessTokenAsync(party.Client, claims, scopes, algorithm); logger.ScopeTrace(() => $"Token response '{tokenResponse.ToJsonIndented()}'.", traceType: TraceTypes.Message); logger.ScopeTrace(() => "Down, OAuth Token response.", triggerEvent: true); return(new JsonResult(tokenResponse)); } catch (KeyException kex) { throw new OAuthRequestException(kex.Message, kex) { RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.ServerError }; } }