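/// <summary>
/// Finishes the authorization-code flow once the front-channel response has arrived:
/// checks the id_token, its nonce and c_hash, redeems the code at the token endpoint
/// (PKCE verifier plus a freshly created PoP key) and optionally loads userinfo claims.
/// </summary>
/// <param name="response">The parsed authorize response carrying <c>id_token</c> and <c>code</c>.</param>
/// <returns>
/// A <see cref="LoginResult"/> with <c>Success</c> set and principal/tokens populated, or one whose
/// <c>ErrorMessage</c> names the first check that failed. Nothing is thrown for validation failures.
/// </returns>
private async Task<LoginResult> ValidateResponseAsync(AuthorizeResponse response)
{
    // Validate the id_token; a null claim set means it was rejected.
    var tokenClaims = ValidateIdentityToken(response.IdentityToken);
    if (tokenClaims == null)
    {
        return new LoginResult { ErrorMessage = "Invalid identity token." };
    }

    // The nonce binds this id_token to the request we started (replay protection);
    // ordinal comparison so culture rules can never make two different nonces "equal".
    var nonce = tokenClaims.FirstOrDefault(c => c.Type == JwtClaimTypes.Nonce);
    if (nonce == null || !string.Equals(nonce.Value, _nonce, StringComparison.Ordinal))
    {
        return new LoginResult { ErrorMessage = "Invalid nonce." };
    }

    // c_hash ties the authorization code to this id_token (code substitution protection).
    var codeHash = tokenClaims.FirstOrDefault(c => c.Type == JwtClaimTypes.AuthorizationCodeHash);
    if (codeHash == null || !ValidateCodeHash(codeHash.Value, response.Code))
    {
        return new LoginResult { ErrorMessage = "Invalid code." };
    }

    // Fresh PoP key; it is kept in _provider, presumably for later proof-of-possession use — verify against callers.
    _provider = JwkNetExtensions.CreateProvider();
    var jwk = _provider.ToJsonWebKey();

    // Redeem the code for tokens, presenting the PKCE verifier and the public PoP key.
    var tokenClient = new TokenClient(
        _config.TokenEndpoint,
        _settings.ClientId,
        _settings.ClientSecret);

    var tokenResponse = await tokenClient.RequestAuthorizationCodePopAsync(
        code: response.Code,
        redirectUri: _settings.RedirectUri,
        codeVerifier: _verifier,
        algorithm: jwk.Alg,
        key: jwk.ToJwkString());

    if (tokenResponse.IsError)
    {
        return new LoginResult { ErrorMessage = tokenResponse.Error };
    }

    // Optional userinfo call; a failed response must not be turned into claims.
    var profileClaims = new List<Claim>();
    if (_settings.LoadUserProfile)
    {
        var userInfoClient = new UserInfoClient(
            new Uri(_config.UserInfoEndpoint),
            tokenResponse.AccessToken);

        var userInfoResponse = await userInfoClient.GetAsync();
        if (userInfoResponse.IsError)
        {
            return new LoginResult { ErrorMessage = "Failed to load user profile." };
        }

        profileClaims = userInfoResponse.GetClaimsIdentity().Claims.ToList();

        // OIDC Core 5.3.2: the userinfo 'sub' must exactly match the id_token 'sub';
        // otherwise the profile claims may belong to a different user and must not be used.
        var tokenSubject = tokenClaims.FirstOrDefault(c => c.Type == JwtClaimTypes.Subject);
        var profileSubject = profileClaims.FirstOrDefault(c => c.Type == JwtClaimTypes.Subject);
        if (tokenSubject == null
            || profileSubject == null
            || !string.Equals(tokenSubject.Value, profileSubject.Value, StringComparison.Ordinal))
        {
            return new LoginResult { ErrorMessage = "User profile subject does not match identity token." };
        }
    }

    var principal = CreatePrincipal(tokenClaims, profileClaims);

    return new LoginResult
    {
        Success = true,
        User = principal,
        IdentityToken = response.IdentityToken,
        AccessToken = tokenResponse.AccessToken,
        RefreshToken = tokenResponse.RefreshToken,
        // NOTE(review): expires_in is a relative lifetime; local time is kept here for caller
        // compatibility, so callers must compare against DateTime.Now (not UtcNow) — confirm.
        AccessTokenExpiration = DateTime.Now.AddSeconds(tokenResponse.ExpiresIn)
    };
}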