/// <summary>
        /// Finds a client by id
        /// </summary>
        /// <param name="clientId">The client id</param>
        /// <returns>
        /// The client
        /// </returns>
        public Task<Client> FindClientByIdAsync(string clientId)
        {
            try
            {
                var temp = new Client
                {
                    ClientId = "client",
                    ClientSecrets = new List<Secret>
                    {
                        new Secret("secret".Sha256())
                    },

                    Flow = Flows.ClientCredentials,

                    AllowedScopes = new List<string>
                    {
                        "api1",
                        "api2"
                    }
                };

                var query =
                    from client in _clients
                    where client.ClientId == clientId && client.Enabled
                    select client;

                var result = query.SingleOrDefault();
                return Task.FromResult(result);

            }
            catch (Exception e)
            {
                throw;
            }
        }
        /// <summary>
        /// Creates the refresh token.
        /// </summary>
        /// <param name="subject">The subject.</param>
        /// <param name="accessToken">The access token.</param>
        /// <param name="client">The client.</param>
        /// <returns>
        /// The refresh token handle
        /// </returns>
        public virtual async Task<string> CreateRefreshTokenAsync(ClaimsPrincipal subject, Token accessToken, Client client)
        {
            _logger.LogVerbose("Creating refresh token");

            int lifetime;
            if (client.RefreshTokenExpiration == TokenExpiration.Absolute)
            {
                _logger.LogVerbose("Setting an absolute lifetime: " + client.AbsoluteRefreshTokenLifetime);
                lifetime = client.AbsoluteRefreshTokenLifetime;
            }
            else
            {
                _logger.LogVerbose("Setting a sliding lifetime: " + client.SlidingRefreshTokenLifetime);
                lifetime = client.SlidingRefreshTokenLifetime;
            }

            var handle = CryptoRandom.CreateUniqueId();
            var refreshToken = new RefreshToken
            {
                CreationTime = DateTimeOffsetHelper.UtcNow,
                LifeTime = lifetime,
                AccessToken = accessToken,
                Subject = subject
            };

            await _store.StoreAsync(handle, refreshToken);

            await RaiseRefreshTokenIssuedEventAsync(handle, refreshToken);
            return handle;
        }
示例#3
0
        public static Token CreateAccessTokenLong(Client client, string subjectId, int lifetime, int count, params string[] scopes)
        {
            var claims = new List<Claim>
            {
                new Claim("client_id", client.ClientId),
                new Claim("sub", subjectId)
            };

            for (int i = 0; i < count; i++)
            {
                claims.Add(new Claim("junk", "x".Repeat(100)));
            }

            scopes.ToList().ForEach(s => claims.Add(new Claim("scope", s)));

            var token = new Token(Constants.TokenTypes.AccessToken)
            {
                Audience = "https://idsrv3.com/resources",
                Issuer = "https://idsrv3.com",
                Lifetime = lifetime,
                Claims = claims,
                Client = client
            };

            return token;
        }
        public Task UpdateConsentAsync(Client client, ClaimsPrincipal subject, IEnumerable<string> scopes)
        {
            ConsentClient = client;
            ConsentSubject = subject;
            ConsentScopes = scopes;

            return Task.FromResult(0);
        }
        /// <summary>
        /// Initializes a new instance of the <see cref="IsActiveContext"/> class.
        /// </summary>
        public IsActiveContext(ClaimsPrincipal subject, Client client)
        {
            if (subject == null) throw new ArgumentNullException("subject");
            if (client == null) throw new ArgumentNullException("client");

            Subject = subject;
            Client = client;
            
            IsActive = true;
        }
        public ConsentViewModel(ConsentInputModel model, string consentId, ConsentRequest request, Client client, IEnumerable<Scope> scopes, ILocalizationService localization)
        {
            RememberConsent = model?.RememberConsent ?? true;
            ScopesConsented = model?.ScopesConsented ?? Enumerable.Empty<string>();

            ConsentId = consentId;

            ClientName = client.ClientName;
            ClientUrl = client.ClientUri;
            ClientLogoUrl = client.LogoUri;
            AllowRememberConsent = client.AllowRememberConsent;

            IdentityScopes = scopes.Where(x => x.Type == ScopeType.Identity).Select(x => new ScopeViewModel(localization, x, ScopesConsented.Contains(x.Name) || model == null)).ToArray();
            ResourceScopes = scopes.Where(x => x.Type == ScopeType.Resource).Select(x => new ScopeViewModel(localization, x, ScopesConsented.Contains(x.Name) || model == null)).ToArray();
        }
        public async Task<Dictionary<string, object>> ProcessAsync(string subject, IEnumerable<string> scopes, Client client)
        {
            _logger.LogVerbose("Creating userinfo response");

            var profileData = new Dictionary<string, object>();
            
            var requestedClaimTypes = await GetRequestedClaimTypesAsync(scopes);
            var principal = Principal.Create("UserInfo", new Claim("sub", subject));

            IEnumerable<Claim> profileClaims;
            if (requestedClaimTypes.IncludeAllClaims)
            {
                _logger.LogInformation("Requested claim types: all");

                var context = new ProfileDataRequestContext(
                    principal, 
                    client, 
                    Constants.ProfileDataCallers.UserInfoEndpoint);

                await _profile.GetProfileDataAsync(context);
                profileClaims = context.IssuedClaims;
            }
            else
            {
                _logger.LogInformation("Requested claim types: {types}", requestedClaimTypes.ClaimTypes.ToSpaceSeparatedString());

                var context = new ProfileDataRequestContext(
                    principal,
                    client,
                    Constants.ProfileDataCallers.UserInfoEndpoint,
                    requestedClaimTypes.ClaimTypes);

                await _profile.GetProfileDataAsync(context);
                profileClaims = context.IssuedClaims;
            }
            
            if (profileClaims != null)
            {
                profileData = profileClaims.ToClaimsDictionary();
                _logger.LogInformation("Profile service returned to the following claim types: {types}", profileClaims.Select(c => c.Type).ToSpaceSeparatedString());
            }
            else
            {
                _logger.LogInformation("Profile service returned no claims (null)");
            }

            return profileData;
        }
示例#8
0
        public async Task <Client> FindClientByIdAsync(string clientId)
        {
            var client = await _context.Clients
                         .Include(x => x.ClientSecrets)
                         .Include(x => x.RedirectUris)
                         .Include(x => x.PostLogoutRedirectUris)
                         .Include(x => x.AllowedScopes)
                         .Include(x => x.IdentityProviderRestrictions)
                         .Include(x => x.Claims)
                         .Include(x => x.AllowedCustomGrantTypes)
                         .Include(x => x.AllowedCorsOrigins)
                         .SingleOrDefaultAsync(x => x.ClientId == clientId);

            IdentityServer4.Core.Models.Client model = client.ToModel();
            return(model);
        }
        /// <summary>
        /// Initializes a new instance of the <see cref="ProfileDataRequestContext" /> class.
        /// </summary>
        /// <param name="subject">The subject.</param>
        /// <param name="client">The client.</param>
        /// <param name="caller">The caller.</param>
        /// <param name="requestedClaimTypes">The requested claim types.</param>
        public ProfileDataRequestContext(ClaimsPrincipal subject, Client client, string caller, IEnumerable<string> requestedClaimTypes = null)
        {
            Subject = subject;
            Client = client;
            Caller = caller;

            if (requestedClaimTypes == null)
            {
                AllClaimsRequested = true;
            }
            else
            {
                RequestedClaimTypes = requestedClaimTypes;
            }

            IssuedClaims = Enumerable.Empty<Claim>();
        }
示例#10
0
        public bool AreScopesAllowed(Client client, IEnumerable<string> requestedScopes)
        {
            if (client.AllowAccessToAllScopes)
            {
                return true;
            }

            foreach (var scope in requestedScopes)
            {
                if (!client.AllowedScopes.Contains(scope))
                {
                    _logger.LogError("Requested scope not allowed: {scope}", scope);
                    return false;
                }
            }

            return true;
        }
        public static Token CreateAccessToken(Client client, string subjectId, int lifetime, params string[] scopes)
        {
            var claims = new List<Claim>
            {
                new Claim("client_id", client.ClientId),
                new Claim("sub", subjectId)
            };

            scopes.ToList().ForEach(s => claims.Add(new Claim("scope", s)));

            var token = new Token(OidcConstants.TokenTypes.AccessToken)
            {
                Audience = "https://idsrv3.com/resources",
                Issuer = "https://idsrv3.com",
                Lifetime = lifetime,
                Claims = claims,
                Client = client
            };

            return token;
        }
        public void CanSerializeAndDeserializeAClient()
        {
            var client = new Client
            {
                ClientId = "123",
                Enabled = true,
                AbsoluteRefreshTokenLifetime = 5,
                AccessTokenLifetime = 10,
                AccessTokenType = AccessTokenType.Jwt,
                AllowRememberConsent = true,
                RedirectUris = new List<string> { "http://foo.com" }
            };
            var clientStore = new InMemoryClientStore(new Client[] { client });
            var converter = new ClientConverter(clientStore);

            var settings = new JsonSerializerSettings();
            settings.Converters.Add(converter);
            var json = JsonConvert.SerializeObject(client, settings);

            var result = JsonConvert.DeserializeObject<Client>(json, settings);
            Assert.Same(client, result);
        }
        /// <summary>
        /// Checks if consent is required.
        /// </summary>
        /// <param name="client">The client.</param>
        /// <param name="subject">The user.</param>
        /// <param name="scopes">The scopes.</param>
        /// <returns>Boolean if consent is required.</returns>
        public virtual async Task<bool> RequiresConsentAsync(Client client, ClaimsPrincipal subject, IEnumerable<string> scopes)
        {
            if (client == null) throw new ArgumentNullException("client");
            if (subject == null) throw new ArgumentNullException("subject");

            if (!client.RequireConsent)
            {
                return false;
            }

            // TODO: validate that this is a correct statement
            if (!client.AllowRememberConsent)
            {
                return true;
            }

            if (scopes == null || !scopes.Any())
            {
                return false;
            }

            // we always require consent for offline access if
            // the client has not disabled RequireConsent 
            if (scopes.Contains(Constants.StandardScopes.OfflineAccess))
            {
                return true;
            }
            
            var consent = await _store.LoadAsync(subject.GetSubjectId(), client.ClientId);
            if (consent != null && consent.Scopes != null)
            {
                var intersect = scopes.Intersect(consent.Scopes);
                return !(scopes.Count() == intersect.Count());
            }

            return true;
        }
示例#14
0
        /// <summary>
        /// Returns claims for an identity token
        /// </summary>
        /// <param name="subject">The subject</param>
        /// <param name="client">The client</param>
        /// <param name="scopes">The requested scopes</param>
        /// <param name="includeAllIdentityClaims">Specifies if all claims should be included in the token, or if the userinfo endpoint can be used to retrieve them</param>
        /// <param name="request">The raw request</param>
        /// <returns>
        /// Claims for the identity token
        /// </returns>
        public virtual async Task<IEnumerable<Claim>> GetIdentityTokenClaimsAsync(ClaimsPrincipal subject, Client client, IEnumerable<Scope> scopes, bool includeAllIdentityClaims, ValidatedRequest request)
        {
            _logger.LogInformation("Getting claims for identity token for subject: " + subject.GetSubjectId());

            var outputClaims = new List<Claim>(GetStandardSubjectClaims(subject));
            outputClaims.AddRange(GetOptionalClaims(subject));
            
            var additionalClaims = new List<string>();

            // if a include all claims rule exists, call the user service without a claims filter
            if (scopes.IncludesAllClaimsForUserRule(ScopeType.Identity))
            {
                _logger.LogInformation("All claims rule found - emitting all claims for user.");

                var context = new ProfileDataRequestContext(
                    subject,
                    client,
                    Constants.ProfileDataCallers.ClaimsProviderIdentityToken);

                await _profile.GetProfileDataAsync(context);
                
                var claims = FilterProtocolClaims(context.IssuedClaims);
                if (claims != null)
                {
                    outputClaims.AddRange(claims);
                }

                return outputClaims;
            }

            // fetch all identity claims that need to go into the id token
            foreach (var scope in scopes)
            {
                if (scope.Type == ScopeType.Identity)
                {
                    foreach (var scopeClaim in scope.Claims)
                    {
                        if (includeAllIdentityClaims || scopeClaim.AlwaysIncludeInIdToken)
                        {
                            additionalClaims.Add(scopeClaim.Name);
                        }
                    }
                }
            }

            if (additionalClaims.Count > 0)
            {
                var context = new ProfileDataRequestContext(
                    subject,
                    client,
                    Constants.ProfileDataCallers.ClaimsProviderIdentityToken,
                    additionalClaims);
                
                await _profile.GetProfileDataAsync(context);

                var claims = FilterProtocolClaims(context.IssuedClaims);
                if (claims != null)
                {
                    outputClaims.AddRange(claims);
                }
            }

            return outputClaims;
        }
示例#15
0
        /// <summary>
        /// Returns claims for an identity token.
        /// </summary>
        /// <param name="subject">The subject.</param>
        /// <param name="client">The client.</param>
        /// <param name="scopes">The requested scopes.</param>
        /// <param name="request">The raw request.</param>
        /// <returns>
        /// Claims for the access token
        /// </returns>
        public virtual async Task<IEnumerable<Claim>> GetAccessTokenClaimsAsync(ClaimsPrincipal subject, Client client, IEnumerable<Scope> scopes, ValidatedRequest request)
        {
            // add client_id
            var outputClaims = new List<Claim>
            {
                new Claim(JwtClaimTypes.ClientId, client.ClientId),
            };

            // check for client claims
            if (client.Claims != null && client.Claims.Any())
            {
                if (subject == null || client.AlwaysSendClientClaims)
                {
                    foreach (var claim in client.Claims)
                    {
                        var claimType = claim.Type;

                        if (client.PrefixClientClaims)
                        {
                            claimType = "client_" + claimType;
                        }

                        outputClaims.Add(new Claim(claimType, claim.Value, claim.ValueType));
                    }
                }
            }

            // add scopes
            foreach (var scope in scopes)
            {
                outputClaims.Add(new Claim(JwtClaimTypes.Scope, scope.Name));
            }

            // a user is involved
            if (subject != null)
            {
                outputClaims.AddRange(GetStandardSubjectClaims(subject));
                outputClaims.AddRange(GetOptionalClaims(subject));

                // if a include all claims rule exists, call the user service without a claims filter
                if (scopes.IncludesAllClaimsForUserRule(ScopeType.Resource))
                {
                    var context = new ProfileDataRequestContext(
                    subject,
                    client,
                    Constants.ProfileDataCallers.ClaimsProviderAccessToken);

                    await _profile.GetProfileDataAsync(context);

                    var claims = FilterProtocolClaims(context.IssuedClaims);
                    if (claims != null)
                    {
                        outputClaims.AddRange(claims);
                    }

                    return outputClaims;
                }


                // fetch all resource claims that need to go into the access token
                var additionalClaims = new List<string>();
                foreach (var scope in scopes)
                {
                    if (scope.Type == ScopeType.Resource)
                    {
                        if (scope.Claims != null)
                        {
                            foreach (var scopeClaim in scope.Claims)
                            {
                                additionalClaims.Add(scopeClaim.Name);
                            }
                        }
                    }
                }

                if (additionalClaims.Count > 0)
                {
                    var context = new ProfileDataRequestContext(
                    subject,
                    client,
                    Constants.ProfileDataCallers.ClaimsProviderAccessToken,
                    additionalClaims.Distinct());

                    await _profile.GetProfileDataAsync(context);

                    var claims = FilterProtocolClaims(context.IssuedClaims);
                    if (claims != null)
                    {
                        outputClaims.AddRange(claims);
                    }
                }
            }

            return outputClaims;
        }
        /// <summary>
        /// Updates the consent.
        /// </summary>
        /// <param name="client">The client.</param>
        /// <param name="subject">The subject.</param>
        /// <param name="scopes">The scopes.</param>
        /// <returns></returns>
        public virtual async Task UpdateConsentAsync(Client client, ClaimsPrincipal subject, IEnumerable<string> scopes)
        {
            if (client == null) throw new ArgumentNullException("client");
            if (subject == null) throw new ArgumentNullException("subject");

            if (client.AllowRememberConsent)
            {
                var subjectId = subject.GetSubjectId();
                var clientId = client.ClientId;

                if (scopes != null && scopes.Any())
                {
                    var consent = new Consent
                    {
                        Subject = subjectId,
                        ClientId = clientId,
                        Scopes = scopes
                    };
                    await _store.UpdateAsync(consent);
                }
                else
                {
                    await _store.RevokeAsync(subjectId, clientId);
                }
            }
        }
 /// <summary>
 /// Determines whether a post logout URI is valid for a client.
 /// </summary>
 /// <param name="requestedUri">The requested URI.</param>
 /// <param name="client">The client.</param>
 /// <returns>
 ///   <c>true</c> is the URI is valid; <c>false</c> otherwise.
 /// </returns>
 public virtual Task<bool> IsPostLogoutRedirectUriValidAsync(string requestedUri, Client client)
 {
     return Task.FromResult(StringCollectionContainsString(client.PostLogoutRedirectUris, requestedUri));
 }
        /// <summary>
        /// Updates the refresh token.
        /// </summary>
        /// <param name="handle">The handle.</param>
        /// <param name="refreshToken">The refresh token.</param>
        /// <param name="client">The client.</param>
        /// <returns>
        /// The refresh token handle
        /// </returns>
        public virtual async Task<string> UpdateRefreshTokenAsync(string handle, RefreshToken refreshToken, Client client)
        {
            _logger.LogVerbose("Updating refresh token");

            bool needsUpdate = false;

            if (client.RefreshTokenUsage == TokenUsage.OneTimeOnly)
            {
                _logger.LogVerbose("Token usage is one-time only. Generating new handle");

                // delete old one
                await _store.RemoveAsync(handle);

                // create new one
                handle = CryptoRandom.CreateUniqueId();
                needsUpdate = true;
            }

            if (client.RefreshTokenExpiration == TokenExpiration.Sliding)
            {
                _logger.LogVerbose("Refresh token expiration is sliding - extending lifetime");

                // make sure we don't exceed absolute exp
                // cap it at absolute exp
                var currentLifetime = refreshToken.CreationTime.GetLifetimeInSeconds();
                _logger.LogVerbose("Current lifetime: " + currentLifetime.ToString());

                var newLifetime = currentLifetime + client.SlidingRefreshTokenLifetime;
                _logger.LogVerbose("New lifetime: " + newLifetime.ToString());

                if (newLifetime > client.AbsoluteRefreshTokenLifetime)
                {
                    newLifetime = client.AbsoluteRefreshTokenLifetime;
                    _logger.LogVerbose("New lifetime exceeds absolute lifetime, capping it to " + newLifetime.ToString());
                }

                refreshToken.LifeTime = newLifetime;
                needsUpdate = true;
            }

            if (needsUpdate)
            {
                await _store.StoreAsync(handle, refreshToken);
                _logger.LogVerbose("Updated refresh token in store");
            }
            else
            {
                _logger.LogVerbose("No updates to refresh token done");
            }

            await RaiseRefreshTokenRefreshedEventAsync(handle, handle, refreshToken);
            _logger.LogVerbose("No updates to refresh token done");

            return handle;
        }
 public async Task ProcessConsentAsync_AllowConsentSelected_SavesConsent()
 {
     RequiresConsent(true);
     var client = new Client { AllowRememberConsent = true };
     var user = new ClaimsPrincipal();
     var request = new ValidatedAuthorizeRequest()
     {
         ResponseMode = OidcConstants.ResponseModes.Fragment,
         State = "12345",
         RedirectUri = "https://client.com/callback",
         ValidatedScopes = new ScopeValidator(new InMemoryScopeStore(GetScopes()), new FakeLoggerFactory()),
         Client = client,
         Subject = user
     };
     await request.ValidatedScopes.AreScopesValidAsync(new string[] { "read", "write" });
     var consent = new ConsentResponse
     {
         RememberConsent = true,
         ScopesConsented = new string[] { "read" }
     };
     var result = _subject.ProcessConsentAsync(request, consent).Result;
     AssertUpdateConsentCalled(client, user, "read");
 }
        public void ProcessConsentAsync_NoPromptMode_ConsentServiceRequiresConsent_ConsentGrantedButMissingRequiredScopes_ReturnsErrorResult()
        {
            RequiresConsent(true);
            var client = new Client {};
            var scopeValidator = new ScopeValidator(new InMemoryScopeStore(GetScopes()), new FakeLoggerFactory());
            var request = new ValidatedAuthorizeRequest()
            {
                ResponseMode = OidcConstants.ResponseModes.Fragment,
                State = "12345",
                RedirectUri = "https://client.com/callback",
                RequestedScopes = new List<string> { "openid", "read" },
                ValidatedScopes = scopeValidator,
                Client = client
            };
            var valid = scopeValidator.AreScopesValidAsync(request.RequestedScopes).Result;

            var consent = new ConsentResponse
            {
                RememberConsent = false,
                ScopesConsented = new string[] { "read" }
            };

            var result = _subject.ProcessConsentAsync(request, consent).Result;
            result.IsError.Should().BeTrue();
            result.Error.ErrorType.Should().Be(ErrorTypes.Client);
            result.Error.Error.Should().Be(OidcConstants.AuthorizeErrors.AccessDenied);
            AssertErrorReturnsRequestValues(result.Error, request);
            AssertUpdateConsentNotCalled();
        }
        public ViewResult Submit()
        {
            Context.Database.EnsureDeleted();
            Context.Database.EnsureCreated();
            foreach (var field in typeof(Constants.ClaimTypes).GetTypeInfo().DeclaredFields)
            {
                Context.ClaimDefinitions.Add(new ClaimDefinition<Int32>() { Name = field.Name });
            }
            Context.SaveChanges();

            foreach (var scope in IDS4.StandardScopes.AllAlwaysInclude)
            {
                _scopeStore.CreateScopeAsync(scope).Wait();
            }
            _scopeStore.CreateScopeAsync(IDS4.StandardScopes.OfflineAccess).Wait();
            _scopeStore.CreateScopeAsync(IDS4.StandardScopes.Roles).Wait();

            var ScopeApi1 = new IDS4.Scope
            {
                Name = "api1",
                DisplayName = "API 1",
                Description = "API 1 features and data",
                Type = IDS4.ScopeType.Resource,

                ScopeSecrets = new List<IDS4.Secret>
                {
                    new IDS4.Secret(IDS4.HashExtensions.Sha256("secret"))
                },
                Claims = new List<IDS4.ScopeClaim>
                {
                    new IDS4. ScopeClaim("role")
                }
            };
            var ScopeApi2 = new IDS4.Scope
            {
                Name = "api2",
                DisplayName = "API 2",
                Description = "API 2 features and data, which are better than API 1",
                Type = IDS4.ScopeType.Resource
            };

            _scopeStore.CreateScopeAsync(ScopeApi1).Wait();
            _scopeStore.CreateScopeAsync(ScopeApi2).Wait();

            ///////////////////////////////////////////
            // Console Client Credentials Flow Sample
            //////////////////////////////////////////
            var client = new IDS4.Client
            {
                ClientId = "client",
                ClientSecrets = new List<IDS4.Secret>
                {
                    new IDS4.Secret(IDS4.HashExtensions.Sha256("secret"))
                },

                Flow = IDS4.Flows.ClientCredentials,

                AllowedScopes = new List<String>
                {
                    ScopeApi1.Name,
                    ScopeApi2.Name
                }
            };
            _clientStore.CreateClientAsync(client).Wait();

            ///////////////////////////////////////////
            // Console Resource Owner Flow Sample
            //////////////////////////////////////////
            var roclient = new IDS4.Client
            {
                ClientId = "roclient",
                ClientSecrets = new List<IDS4.Secret>
                {
                    new IDS4.Secret(IDS4.HashExtensions.Sha256("secret") )
                },

                Flow = IDS4.Flows.ResourceOwner,

                AllowedScopes = new List<String>
                {
                    IDS4.StandardScopes.OpenId.Name ,
                    IDS4.StandardScopes.Email.Name ,
                    IDS4.StandardScopes.OfflineAccess.Name,

                    ScopeApi1.Name,
                    ScopeApi2.Name
                }
            };
            _clientStore.CreateClientAsync(roclient).Wait();

            ///////////////////////////////////////////
            // Console Client Credentials Flow Sample
            //////////////////////////////////////////
            var client_custom = new IDS4.Client
            {
                ClientId = "client.custom",
                ClientSecrets = new List<IDS4.Secret>
                {
                   new IDS4.Secret( IDS4.HashExtensions.Sha256("secret"))
                },

                Flow = IDS4.Flows.Custom,

                AllowedCustomGrantTypes = new List<String>
                {
                    "custom"
                },

                AllowedScopes = new List<String>
                {
                    ScopeApi1.Name,
                    ScopeApi2.Name
                }
            };
            _clientStore.CreateClientAsync(client_custom).Wait();

            ///////////////////////////////////////////
            // Introspection Client Sample
            //////////////////////////////////////////
            var roclient_reference = new IDS4.Client
            {
                ClientId = "roclient.reference",
                ClientSecrets = new List<IDS4.Secret>
                {
                    new IDS4.Secret(IDS4.HashExtensions.Sha256("secret"))
                },

                Flow = IDS4.Flows.ResourceOwner,

                AllowedScopes = new List<String>
                {
                    ScopeApi1.Name,
                    ScopeApi2.Name
                },

                AccessTokenType = IDS4.AccessTokenType.Reference
            };
            _clientStore.CreateClientAsync(roclient_reference).Wait();

            ///////////////////////////////////////////
            // MVC Implicit Flow Samples
            //////////////////////////////////////////
            var mvc_implicit = new IDS4.Client
            {
                ClientId = "mvc_implicit",
                ClientName = "MVC Implicit",
                ClientUri = "http://identityserver.io",

                Flow = IDS4.Flows.Implicit,
                RedirectUris = new List<String>
                {
                     "http://*****:*****@email.com"),
                    new SSC.Claim(Constants.ClaimTypes.EmailVerified, "true", SSC.ClaimValueTypes.Boolean),
                    new SSC.Claim(Constants.ClaimTypes.Role, "Developer"),
                    new SSC.Claim(Constants.ClaimTypes.Role, "Geek"),
                    new SSC.Claim(Constants.ClaimTypes.WebSite, "http://bob.com"),
                    new SSC.Claim(
                        Constants.ClaimTypes.Address,
                        @"{ 'street_address': 'One Hacker Way', 'locality': 'Heidelberg', 'postal_code': 69118, 'country': 'Germany' }",
                        Constants.ClaimValueTypes.Json)
                }
            ).Wait();
            _userManager.CreateAsync(BobUser).Wait();


            var AliceUser = new User<Int32>
            {
                Name = "alice",
                Password = "******"
            };
            _userManager.AddClaimsAsync(
                AliceUser,
                new SSC.Claim[]
                {
                    new SSC.Claim(Constants.ClaimTypes.Name, "Alice Smith"),
                    new SSC.Claim(Constants.ClaimTypes.GivenName, "Alice") ,
                    new SSC.Claim(Constants.ClaimTypes.FamilyName, "Smith"),
                    new SSC.Claim(Constants.ClaimTypes.Email, "*****@*****.**"),
                    new SSC.Claim(Constants.ClaimTypes.EmailVerified, "true", SSC.ClaimValueTypes.Boolean),
                    new SSC.Claim(Constants.ClaimTypes.Role, "Admin"),
                    new SSC.Claim(Constants.ClaimTypes.Role, "Geek"),
                    new SSC.Claim(Constants.ClaimTypes.WebSite, "http://alice.com"),
                    new SSC.Claim(
                        Constants.ClaimTypes.Address,
                        @"{ 'street_address': 'One Hacker Way', 'locality': 'Heidelberg', 'postal_code': 69118, 'country': 'Germany' }",
                        Constants.ClaimValueTypes.Json
                    )
                }
            ).Wait();
            _userManager.CreateAsync(AliceUser).Wait();



            return View("Home");
        }
示例#22
0
        public async Task<TokenRequestValidationResult> ValidateRequestAsync(NameValueCollection parameters, Client client)
        {
            _logger.LogTrace("Start token request validation");

            _validatedRequest = new ValidatedTokenRequest();

            if (client == null)
            {
                throw new ArgumentNullException("client");
            }

            if (parameters == null)
            {
                throw new ArgumentNullException("parameters");
            }

            _validatedRequest.Raw = parameters;
            _validatedRequest.Client = client;
            _validatedRequest.Options = _options;

            /////////////////////////////////////////////
            // check grant type
            /////////////////////////////////////////////
            var grantType = parameters.Get(OidcConstants.TokenRequest.GrantType);
            if (grantType.IsMissing())
            {
                LogError("Grant type is missing.");
                return Invalid(OidcConstants.TokenErrors.UnsupportedGrantType);
            }

            if (grantType.Length > _options.InputLengthRestrictions.GrantType)
            {
                LogError("Grant type is too long.");
                return Invalid(OidcConstants.TokenErrors.UnsupportedGrantType);
            }

            _validatedRequest.GrantType = grantType;

            // standard grant types
            switch (grantType)
            {
                case OidcConstants.GrantTypes.AuthorizationCode:
                    return await RunValidationAsync(ValidateAuthorizationCodeRequestAsync, parameters);
                case OidcConstants.GrantTypes.ClientCredentials:
                    return await RunValidationAsync(ValidateClientCredentialsRequestAsync, parameters);
                case OidcConstants.GrantTypes.Password:
                    return await RunValidationAsync(ValidateResourceOwnerCredentialRequestAsync, parameters);
                case OidcConstants.GrantTypes.RefreshToken:
                    return await RunValidationAsync(ValidateRefreshTokenRequestAsync, parameters);
            }

            // custom grant type
            var result = await RunValidationAsync(ValidateCustomGrantRequestAsync, parameters);

            if (result.IsError)
            {
                if (result.Error.IsPresent())
                {
                    return result;
                }

                LogError("Unsupported grant_type: " + grantType);
                return Invalid(OidcConstants.TokenErrors.UnsupportedGrantType);
            }

            return result;
        }
 private void AssertUpdateConsentCalled(Client client, ClaimsPrincipal user, params string[] scopes)
 {
     _mockConsent.ConsentClient.Should().BeSameAs(client);
     _mockConsent.ConsentSubject.Should().BeSameAs(user);
     _mockConsent.ConsentScopes.Should().BeEquivalentTo(scopes);
 }
 public Task<bool> RequiresConsentAsync(Client client, ClaimsPrincipal subject, IEnumerable<string> scopes)
 {
     return Task.FromResult(RequiresConsentResult);
 }