/// <summary>
/// Handles the OIDC authorization-code grant for the token endpoint: resolves the stored grant for
/// <paramref name="tokenRequest"/>, optionally enforces PKCE, and mints the access token, id token and
/// (for <c>offline_access</c>) a refresh token.
/// </summary>
/// <param name="client">The down-party client the token request was authenticated for.</param>
/// <param name="tokenRequest">The parsed token request (code, redirect_uri, client_id).</param>
/// <param name="validatePkce">When true, the stored code challenge is checked against <paramref name="codeVerifierSecret"/>.</param>
/// <param name="codeVerifierSecret">The code_verifier presented by the client; only used when <paramref name="validatePkce"/> is true.</param>
/// <returns>A JSON result carrying the token response.</returns>
protected override async Task<IActionResult> AuthorizationCodeGrant(TClient client, TokenRequest tokenRequest, bool validatePkce, CodeVerifierSecret codeVerifierSecret)
{
    // The stored grant is looked up and validated by code together with the redirect_uri and client_id of this request.
    var grant = await oauthAuthCodeGrantLogic.GetAndValidateAuthCodeGrantAsync(tokenRequest.Code, tokenRequest.RedirectUri, tokenRequest.ClientId);
    if (validatePkce)
    {
        // PKCE: the code_verifier presented now is checked against the challenge recorded when the code was issued.
        await ValidatePkce(client, grant.CodeChallenge, grant.CodeChallengeMethod, codeVerifierSecret);
    }
    logger.ScopeTrace("Down, OIDC Authorization code grant accepted.", triggerEvent: true);

    // Everything issued below is derived from the claims and scope captured in the grant, not from the token request.
    var grantClaims = grant.Claims.ToClaimList();
    var grantScopes = grant.Scope.ToSpaceList();
    var signingAlgorithm = IdentityConstants.Algorithms.Asymmetric.RS256;

    var response = new TokenResponse();
    response.TokenType = IdentityConstants.TokenTypes.Bearer;
    response.ExpiresIn = client.AccessTokenLifetime;
    response.AccessToken = await jwtLogic.CreateAccessTokenAsync(client, grantClaims, grantScopes, signingAlgorithm);

    // The id token is created as for an 'id_token token' response and is given the freshly minted access token;
    // presumably so it can be bound to that token (at_hash) — confirm in CreateIdTokenAsync.
    var idTokenResponseTypes = new[] { IdentityConstants.ResponseTypes.IdToken, IdentityConstants.ResponseTypes.Token };
    response.IdToken = await jwtLogic.CreateIdTokenAsync(client, grantClaims, grantScopes, grant.Nonce, idTokenResponseTypes, null, response.AccessToken, signingAlgorithm);

    var offlineAccessGranted = grantScopes.Contains(IdentityConstants.DefaultOidcScopes.OfflineAccess);
    if (offlineAccessGranted)
    {
        // A refresh token is only issued when the grant's scope includes offline_access.
        response.RefreshToken = await oauthRefreshTokenGrantLogic.CreateRefreshTokenGrantAsync(client, grantClaims, grant.Scope);
    }

    // NOTE(review): this trace serializes the whole token response (access, id and refresh token),
    // so the trace sink holds live bearer credentials and needs the same protection as the tokens themselves.
    logger.ScopeTrace($"Token response '{response.ToJsonIndented()}'.");
    logger.ScopeTrace("Down, OIDC Token response.", triggerEvent: true);
    return new JsonResult(response);
}
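/// <summary>
/// Builds and delivers the OIDC authentication response for a down-party after the up-party authentication
/// has completed: transforms the incoming claims, issues code / access token / id token according to the
/// response_type stored in the sequence, clears the sequence state and returns the redirect in the negotiated
/// response_mode.
/// </summary>
/// <param name="partyId">Id of the down-party the response is issued for.</param>
/// <param name="claims">Claims produced by the authentication; replaced by the transformed claim list.</param>
/// <returns>A form-post, query or fragment result targeting the sequence's redirect URI.</returns>
/// <exception cref="NotSupportedException">
/// The party has no client configured, the configured client is not a <typeparamref name="TClient"/>,
/// or the resolved response_mode is unknown.
/// </exception>
public async Task<IActionResult> AuthenticationResponseAsync(string partyId, List<Claim> claims)
{
    logger.ScopeTrace("Down, OIDC Authentication response.");
    logger.SetScopeProperty("downPartyId", partyId);

    var party = await tenantRepository.GetAsync<TParty>(partyId);
    if (party.Client == null)
    {
        throw new NotSupportedException($"Party Client not configured.");
    }
    // Resolve the client type once and fail fast; an 'as' cast that yields null would otherwise be handed
    // silently to the grant and token logic further down.
    var client = party.Client as TClient;
    if (client == null)
    {
        throw new NotSupportedException($"Party Client type '{party.Client.GetType().Name}' is not supported.");
    }

    var sequenceData = await sequenceLogic.GetSequenceDataAsync<OidcDownSequenceData>(false);
    // The party's claim transformations run before anything is issued, so every token below sees the transformed claims.
    claims = await claimTransformationsLogic.Transform(party.ClaimTransformations?.ConvertAll(t => (ClaimTransformation)t), claims);

    var authenticationResponse = new AuthenticationResponse
    {
        TokenType = IdentityConstants.TokenTypes.Bearer,
        State = sequenceData.State,
        ExpiresIn = client.AccessTokenLifetime,
    };
    var sessionResponse = new SessionResponse
    {
        SessionState = claims.FindFirstValue(c => c.Type == JwtClaimTypes.SessionId)
    };

    logger.ScopeTrace($"Response type '{sequenceData.ResponseType}'.");
    var responseTypes = sequenceData.ResponseType.ToSpaceList();
    var algorithm = IdentityConstants.Algorithms.Asymmetric.RS256;

    if (responseTypes.Contains(IdentityConstants.ResponseTypes.Code))
    {
        // The code challenge and method captured in the sequence are stored with the grant for later PKCE validation.
        authenticationResponse.Code = await oauthAuthCodeGrantLogic.CreateAuthCodeGrantAsync(client, claims, sequenceData.RedirectUri, sequenceData.Scope, sequenceData.Nonce, sequenceData.CodeChallenge, sequenceData.CodeChallengeMethod);
    }
    if (responseTypes.Contains(IdentityConstants.ResponseTypes.Token))
    {
        authenticationResponse.AccessToken = await jwtLogic.CreateAccessTokenAsync(client, claims, sequenceData.Scope?.ToSpaceList(), algorithm);
    }
    if (responseTypes.Contains(IdentityConstants.ResponseTypes.IdToken))
    {
        // The id token receives the code and access token issued above (null when not requested);
        // presumably for c_hash / at_hash binding — confirm in CreateIdTokenAsync.
        authenticationResponse.IdToken = await jwtLogic.CreateIdTokenAsync(client, claims, sequenceData.Scope?.ToSpaceList(), sequenceData.Nonce, responseTypes, authenticationResponse.Code, authenticationResponse.AccessToken, algorithm);
    }

    // NOTE(review): this trace serializes the full response, including any code and tokens just issued,
    // so the trace sink must be treated as holding credentials.
    logger.ScopeTrace($"Authentication response '{authenticationResponse.ToJsonIndented()}'.");
    var nameValueCollection = authenticationResponse.ToDictionary();
    if (!sessionResponse.SessionState.IsNullOrWhiteSpace())
    {
        logger.ScopeTrace($"Session response '{sessionResponse.ToJsonIndented()}'.");
        nameValueCollection = nameValueCollection.AddToDictionary(sessionResponse);
    }
    logger.ScopeTrace($"Redirect Uri '{sequenceData.RedirectUri}'.");
    logger.ScopeTrace("Down, OIDC Authentication response.", triggerEvent: true);

    var responseMode = GetResponseMode(sequenceData.ResponseMode, sequenceData.ResponseType);
    // Sequence and form-action state are cleared before the redirect is issued; the redirect URI used
    // below is the one captured in the sequence, not anything taken from the current request.
    await sequenceLogic.RemoveSequenceDataAsync<OidcDownSequenceData>();
    await formActionLogic.RemoveFormActionSequenceDataAsync();

    switch (responseMode)
    {
        case IdentityConstants.ResponseModes.FormPost:
            return await nameValueCollection.ToHtmlPostContentResultAsync(sequenceData.RedirectUri);
        case IdentityConstants.ResponseModes.Query:
            return await nameValueCollection.ToRedirectResultAsync(sequenceData.RedirectUri);
        case IdentityConstants.ResponseModes.Fragment:
            return await nameValueCollection.ToFragmentResultAsync(sequenceData.RedirectUri);
        default:
            throw new NotSupportedException();
    }
}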