/// <summary> /// Called when a request to the Token endpoint arrives with a "grant_type" of "refresh_token". This occurs if your /// application has issued a "refresh_token" /// along with the "access_token", and the client is attempting to use the "refresh_token" to acquire a new "access_token", /// and possibly a new "refresh_token". /// To issue a refresh token the an Options.RefreshTokenProvider must be assigned to create the value which is returned. /// The claims and properties /// associated with the refresh token are present in the context.Ticket. The application must call context.Validated to /// instruct the /// Authorization Server middleware to issue an access token based on those claims and properties. The call to /// context.Validated may /// be given a different AuthenticationTicket or ClaimsIdentity in order to control which information flows from the /// refresh token to /// the access token. The default behavior when using the OAuthAuthorizationServerProvider is to flow information from the /// refresh token to /// the access token unmodified. /// See also http://tools.ietf.org/html/rfc6749#section-6 /// </summary> /// <param name="context">The context of the event carries information in and results out.</param> /// <returns>Task to enable asynchronous execution</returns> public override async Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { var originalClient = context.Ticket.Properties.Dictionary[".client_id"]; var currentClient = context.ClientId; if (originalClient != currentClient) { context.SetError("invalid_clientId", "Refresh token is issued to a different clientId."); return; } var applicationUserManager = context.OwinContext.Get <ApplicationUserManager>(); var identityUser = await this.FindUserFromTicket(applicationUserManager, context); if (identityUser.AccessRevokedDate != null) { context.SetError("invalid_grant", "User access is revoked."); return; } var newIdentity = await ProviderUtils.GenerateUserIdentityAsync(applicationUserManager, identityUser); var authenticationProperties = this.GetAuthenticationProperties(context.ClientId, newIdentity, identityUser); var newTicket = new AuthenticationTicket(newIdentity, authenticationProperties); await UpdateLastActivity(identityUser.Id); context.Validated(newTicket); }
/// <summary> /// Called when a request to the Token endpoint arrives with a "grant_type" of "password". This occurs when the user has /// provided name and password /// credentials directly into the client application's user interface, and the client application is using those to acquire /// an "access_token" and /// optional "refresh_token". If the web application supports the /// resource owner credentials grant type it must validate the context.Username and context.Password as appropriate. To /// issue an /// access token the context.Validated must be called with a new ticket containing the claims about the resource owner /// which should be associated /// with the access token. The application should take appropriate measures to ensure that the endpoint isn’t abused by /// malicious callers. /// The default behavior is to reject this grant type. /// See also http://tools.ietf.org/html/rfc6749#section-4.3.2 /// </summary> /// <param name="context">The context of the event carries information in and results out.</param> /// <returns>Task to enable asynchronous execution</returns> public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context) { var allowedOrigin = context.OwinContext.Get <string>(OwinKeys.ClientAllowedOrigin) ?? "*"; context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { allowedOrigin }); var userManager = context.OwinContext.Get <ApplicationUserManager>(); var user = await this.FindUserAsync(userManager, context); if (user == null) { context.SetError("invalid_grant", "The user name or password is incorrect."); return; } if (user.AccessRevokedDate != null) { context.SetError("invalid_grant", "User access is revoked."); return; } var claimsIdentity = await ProviderUtils.GenerateUserIdentityAsync(userManager, user); var authenticationProperties = this.GetAuthenticationProperties(context.ClientId, claimsIdentity, user); var ticket = new AuthenticationTicket(claimsIdentity, authenticationProperties); await UpdateLastActivity(user.Id); context.Validated(ticket); context.OwinContext.Set(OwinKeys.ClientId, context.ClientId); }
public override Task <ClaimsIdentity> CreateUserIdentityAsync(IdentityUser user) { return(ProviderUtils.GenerateUserIdentityAsync(this.UserManager, user)); }