/// <summary>
/// Finds a client by id
/// </summary>
/// <param name="clientId">The client id</param>
/// <returns>
/// The client
/// </returns>
public Task<Client> FindClientByIdAsync(string clientId)
{
try
{
var temp = new Client
{
ClientId = "client",
ClientSecrets = new List<Secret>
{
new Secret("secret".Sha256())
},
Flow = Flows.ClientCredentials,
AllowedScopes = new List<string>
{
"api1",
"api2"
}
};
var query =
from client in _clients
where client.ClientId == clientId && client.Enabled
select client;
var result = query.SingleOrDefault();
return Task.FromResult(result);
}
catch (Exception e)
{
throw;
}
}
/// <summary>
/// Creates the refresh token.
/// </summary>
/// <param name="subject">The subject.</param>
/// <param name="accessToken">The access token.</param>
/// <param name="client">The client.</param>
/// <returns>
/// The refresh token handle
/// </returns>
public virtual async Task<string> CreateRefreshTokenAsync(ClaimsPrincipal subject, Token accessToken, Client client)
{
_logger.LogVerbose("Creating refresh token");
int lifetime;
if (client.RefreshTokenExpiration == TokenExpiration.Absolute)
{
_logger.LogVerbose("Setting an absolute lifetime: " + client.AbsoluteRefreshTokenLifetime);
lifetime = client.AbsoluteRefreshTokenLifetime;
}
else
{
_logger.LogVerbose("Setting a sliding lifetime: " + client.SlidingRefreshTokenLifetime);
lifetime = client.SlidingRefreshTokenLifetime;
}
var handle = CryptoRandom.CreateUniqueId();
var refreshToken = new RefreshToken
{
CreationTime = DateTimeOffsetHelper.UtcNow,
LifeTime = lifetime,
AccessToken = accessToken,
Subject = subject
};
await _store.StoreAsync(handle, refreshToken);
await RaiseRefreshTokenIssuedEventAsync(handle, refreshToken);
return handle;
}
public static Token CreateAccessTokenLong(Client client, string subjectId, int lifetime, int count, params string[] scopes)
{
var claims = new List<Claim>
{
new Claim("client_id", client.ClientId),
new Claim("sub", subjectId)
};
for (int i = 0; i < count; i++)
{
claims.Add(new Claim("junk", "x".Repeat(100)));
}
scopes.ToList().ForEach(s => claims.Add(new Claim("scope", s)));
var token = new Token(Constants.TokenTypes.AccessToken)
{
Audience = "https://idsrv3.com/resources",
Issuer = "https://idsrv3.com",
Lifetime = lifetime,
Claims = claims,
Client = client
};
return token;
}
public Task UpdateConsentAsync(Client client, ClaimsPrincipal subject, IEnumerable<string> scopes)
{
ConsentClient = client;
ConsentSubject = subject;
ConsentScopes = scopes;
return Task.FromResult(0);
}
/// <summary>
/// Initializes a new instance of the <see cref="IsActiveContext"/> class.
/// </summary>
public IsActiveContext(ClaimsPrincipal subject, Client client)
{
if (subject == null) throw new ArgumentNullException("subject");
if (client == null) throw new ArgumentNullException("client");
Subject = subject;
Client = client;
IsActive = true;
}
public ConsentViewModel(ConsentInputModel model, string consentId, ConsentRequest request, Client client, IEnumerable<Scope> scopes, ILocalizationService localization)
{
RememberConsent = model?.RememberConsent ?? true;
ScopesConsented = model?.ScopesConsented ?? Enumerable.Empty<string>();
ConsentId = consentId;
ClientName = client.ClientName;
ClientUrl = client.ClientUri;
ClientLogoUrl = client.LogoUri;
AllowRememberConsent = client.AllowRememberConsent;
IdentityScopes = scopes.Where(x => x.Type == ScopeType.Identity).Select(x => new ScopeViewModel(localization, x, ScopesConsented.Contains(x.Name) || model == null)).ToArray();
ResourceScopes = scopes.Where(x => x.Type == ScopeType.Resource).Select(x => new ScopeViewModel(localization, x, ScopesConsented.Contains(x.Name) || model == null)).ToArray();
}
public async Task<Dictionary<string, object>> ProcessAsync(string subject, IEnumerable<string> scopes, Client client)
{
_logger.LogVerbose("Creating userinfo response");
var profileData = new Dictionary<string, object>();
var requestedClaimTypes = await GetRequestedClaimTypesAsync(scopes);
var principal = Principal.Create("UserInfo", new Claim("sub", subject));
IEnumerable<Claim> profileClaims;
if (requestedClaimTypes.IncludeAllClaims)
{
_logger.LogInformation("Requested claim types: all");
var context = new ProfileDataRequestContext(
principal,
client,
Constants.ProfileDataCallers.UserInfoEndpoint);
await _profile.GetProfileDataAsync(context);
profileClaims = context.IssuedClaims;
}
else
{
_logger.LogInformation("Requested claim types: {types}", requestedClaimTypes.ClaimTypes.ToSpaceSeparatedString());
var context = new ProfileDataRequestContext(
principal,
client,
Constants.ProfileDataCallers.UserInfoEndpoint,
requestedClaimTypes.ClaimTypes);
await _profile.GetProfileDataAsync(context);
profileClaims = context.IssuedClaims;
}
if (profileClaims != null)
{
profileData = profileClaims.ToClaimsDictionary();
_logger.LogInformation("Profile service returned to the following claim types: {types}", profileClaims.Select(c => c.Type).ToSpaceSeparatedString());
}
else
{
_logger.LogInformation("Profile service returned no claims (null)");
}
return profileData;
}
public async Task <Client> FindClientByIdAsync(string clientId)
{
var client = await _context.Clients
.Include(x => x.ClientSecrets)
.Include(x => x.RedirectUris)
.Include(x => x.PostLogoutRedirectUris)
.Include(x => x.AllowedScopes)
.Include(x => x.IdentityProviderRestrictions)
.Include(x => x.Claims)
.Include(x => x.AllowedCustomGrantTypes)
.Include(x => x.AllowedCorsOrigins)
.SingleOrDefaultAsync(x => x.ClientId == clientId);
IdentityServer4.Core.Models.Client model = client.ToModel();
return(model);
}
/// <summary>
/// Initializes a new instance of the <see cref="ProfileDataRequestContext" /> class.
/// </summary>
/// <param name="subject">The subject.</param>
/// <param name="client">The client.</param>
/// <param name="caller">The caller.</param>
/// <param name="requestedClaimTypes">The requested claim types.</param>
public ProfileDataRequestContext(ClaimsPrincipal subject, Client client, string caller, IEnumerable<string> requestedClaimTypes = null)
{
Subject = subject;
Client = client;
Caller = caller;
if (requestedClaimTypes == null)
{
AllClaimsRequested = true;
}
else
{
RequestedClaimTypes = requestedClaimTypes;
}
IssuedClaims = Enumerable.Empty<Claim>();
}
public bool AreScopesAllowed(Client client, IEnumerable<string> requestedScopes)
{
if (client.AllowAccessToAllScopes)
{
return true;
}
foreach (var scope in requestedScopes)
{
if (!client.AllowedScopes.Contains(scope))
{
_logger.LogError("Requested scope not allowed: {scope}", scope);
return false;
}
}
return true;
}
public static Token CreateAccessToken(Client client, string subjectId, int lifetime, params string[] scopes)
{
var claims = new List<Claim>
{
new Claim("client_id", client.ClientId),
new Claim("sub", subjectId)
};
scopes.ToList().ForEach(s => claims.Add(new Claim("scope", s)));
var token = new Token(OidcConstants.TokenTypes.AccessToken)
{
Audience = "https://idsrv3.com/resources",
Issuer = "https://idsrv3.com",
Lifetime = lifetime,
Claims = claims,
Client = client
};
return token;
}
public void CanSerializeAndDeserializeAClient()
{
var client = new Client
{
ClientId = "123",
Enabled = true,
AbsoluteRefreshTokenLifetime = 5,
AccessTokenLifetime = 10,
AccessTokenType = AccessTokenType.Jwt,
AllowRememberConsent = true,
RedirectUris = new List<string> { "http://foo.com" }
};
var clientStore = new InMemoryClientStore(new Client[] { client });
var converter = new ClientConverter(clientStore);
var settings = new JsonSerializerSettings();
settings.Converters.Add(converter);
var json = JsonConvert.SerializeObject(client, settings);
var result = JsonConvert.DeserializeObject<Client>(json, settings);
Assert.Same(client, result);
}
/// <summary>
/// Checks if consent is required.
/// </summary>
/// <param name="client">The client.</param>
/// <param name="subject">The user.</param>
/// <param name="scopes">The scopes.</param>
/// <returns>Boolean if consent is required.</returns>
public virtual async Task<bool> RequiresConsentAsync(Client client, ClaimsPrincipal subject, IEnumerable<string> scopes)
{
if (client == null) throw new ArgumentNullException("client");
if (subject == null) throw new ArgumentNullException("subject");
if (!client.RequireConsent)
{
return false;
}
// TODO: validate that this is a correct statement
if (!client.AllowRememberConsent)
{
return true;
}
if (scopes == null || !scopes.Any())
{
return false;
}
// we always require consent for offline access if
// the client has not disabled RequireConsent
if (scopes.Contains(Constants.StandardScopes.OfflineAccess))
{
return true;
}
var consent = await _store.LoadAsync(subject.GetSubjectId(), client.ClientId);
if (consent != null && consent.Scopes != null)
{
var intersect = scopes.Intersect(consent.Scopes);
return !(scopes.Count() == intersect.Count());
}
return true;
}
/// <summary>
/// Returns claims for an identity token
/// </summary>
/// <param name="subject">The subject</param>
/// <param name="client">The client</param>
/// <param name="scopes">The requested scopes</param>
/// <param name="includeAllIdentityClaims">Specifies if all claims should be included in the token, or if the userinfo endpoint can be used to retrieve them</param>
/// <param name="request">The raw request</param>
/// <returns>
/// Claims for the identity token
/// </returns>
public virtual async Task<IEnumerable<Claim>> GetIdentityTokenClaimsAsync(ClaimsPrincipal subject, Client client, IEnumerable<Scope> scopes, bool includeAllIdentityClaims, ValidatedRequest request)
{
_logger.LogInformation("Getting claims for identity token for subject: " + subject.GetSubjectId());
var outputClaims = new List<Claim>(GetStandardSubjectClaims(subject));
outputClaims.AddRange(GetOptionalClaims(subject));
var additionalClaims = new List<string>();
// if a include all claims rule exists, call the user service without a claims filter
if (scopes.IncludesAllClaimsForUserRule(ScopeType.Identity))
{
_logger.LogInformation("All claims rule found - emitting all claims for user.");
var context = new ProfileDataRequestContext(
subject,
client,
Constants.ProfileDataCallers.ClaimsProviderIdentityToken);
await _profile.GetProfileDataAsync(context);
var claims = FilterProtocolClaims(context.IssuedClaims);
if (claims != null)
{
outputClaims.AddRange(claims);
}
return outputClaims;
}
// fetch all identity claims that need to go into the id token
foreach (var scope in scopes)
{
if (scope.Type == ScopeType.Identity)
{
foreach (var scopeClaim in scope.Claims)
{
if (includeAllIdentityClaims || scopeClaim.AlwaysIncludeInIdToken)
{
additionalClaims.Add(scopeClaim.Name);
}
}
}
}
if (additionalClaims.Count > 0)
{
var context = new ProfileDataRequestContext(
subject,
client,
Constants.ProfileDataCallers.ClaimsProviderIdentityToken,
additionalClaims);
await _profile.GetProfileDataAsync(context);
var claims = FilterProtocolClaims(context.IssuedClaims);
if (claims != null)
{
outputClaims.AddRange(claims);
}
}
return outputClaims;
}
/// <summary>
/// Returns claims for an identity token.
/// </summary>
/// <param name="subject">The subject.</param>
/// <param name="client">The client.</param>
/// <param name="scopes">The requested scopes.</param>
/// <param name="request">The raw request.</param>
/// <returns>
/// Claims for the access token
/// </returns>
public virtual async Task<IEnumerable<Claim>> GetAccessTokenClaimsAsync(ClaimsPrincipal subject, Client client, IEnumerable<Scope> scopes, ValidatedRequest request)
{
// add client_id
var outputClaims = new List<Claim>
{
new Claim(JwtClaimTypes.ClientId, client.ClientId),
};
// check for client claims
if (client.Claims != null && client.Claims.Any())
{
if (subject == null || client.AlwaysSendClientClaims)
{
foreach (var claim in client.Claims)
{
var claimType = claim.Type;
if (client.PrefixClientClaims)
{
claimType = "client_" + claimType;
}
outputClaims.Add(new Claim(claimType, claim.Value, claim.ValueType));
}
}
}
// add scopes
foreach (var scope in scopes)
{
outputClaims.Add(new Claim(JwtClaimTypes.Scope, scope.Name));
}
// a user is involved
if (subject != null)
{
outputClaims.AddRange(GetStandardSubjectClaims(subject));
outputClaims.AddRange(GetOptionalClaims(subject));
// if a include all claims rule exists, call the user service without a claims filter
if (scopes.IncludesAllClaimsForUserRule(ScopeType.Resource))
{
var context = new ProfileDataRequestContext(
subject,
client,
Constants.ProfileDataCallers.ClaimsProviderAccessToken);
await _profile.GetProfileDataAsync(context);
var claims = FilterProtocolClaims(context.IssuedClaims);
if (claims != null)
{
outputClaims.AddRange(claims);
}
return outputClaims;
}
// fetch all resource claims that need to go into the access token
var additionalClaims = new List<string>();
foreach (var scope in scopes)
{
if (scope.Type == ScopeType.Resource)
{
if (scope.Claims != null)
{
foreach (var scopeClaim in scope.Claims)
{
additionalClaims.Add(scopeClaim.Name);
}
}
}
}
if (additionalClaims.Count > 0)
{
var context = new ProfileDataRequestContext(
subject,
client,
Constants.ProfileDataCallers.ClaimsProviderAccessToken,
additionalClaims.Distinct());
await _profile.GetProfileDataAsync(context);
var claims = FilterProtocolClaims(context.IssuedClaims);
if (claims != null)
{
outputClaims.AddRange(claims);
}
}
}
return outputClaims;
}
/// <summary>
/// Updates the consent.
/// </summary>
/// <param name="client">The client.</param>
/// <param name="subject">The subject.</param>
/// <param name="scopes">The scopes.</param>
/// <returns></returns>
public virtual async Task UpdateConsentAsync(Client client, ClaimsPrincipal subject, IEnumerable<string> scopes)
{
if (client == null) throw new ArgumentNullException("client");
if (subject == null) throw new ArgumentNullException("subject");
if (client.AllowRememberConsent)
{
var subjectId = subject.GetSubjectId();
var clientId = client.ClientId;
if (scopes != null && scopes.Any())
{
var consent = new Consent
{
Subject = subjectId,
ClientId = clientId,
Scopes = scopes
};
await _store.UpdateAsync(consent);
}
else
{
await _store.RevokeAsync(subjectId, clientId);
}
}
}
/// <summary>
/// Determines whether a post logout URI is valid for a client.
/// </summary>
/// <param name="requestedUri">The requested URI.</param>
/// <param name="client">The client.</param>
/// <returns>
/// <c>true</c> is the URI is valid; <c>false</c> otherwise.
/// </returns>
public virtual Task<bool> IsPostLogoutRedirectUriValidAsync(string requestedUri, Client client)
{
return Task.FromResult(StringCollectionContainsString(client.PostLogoutRedirectUris, requestedUri));
}
/// <summary>
/// Updates the refresh token.
/// </summary>
/// <param name="handle">The handle.</param>
/// <param name="refreshToken">The refresh token.</param>
/// <param name="client">The client.</param>
/// <returns>
/// The refresh token handle
/// </returns>
public virtual async Task<string> UpdateRefreshTokenAsync(string handle, RefreshToken refreshToken, Client client)
{
_logger.LogVerbose("Updating refresh token");
bool needsUpdate = false;
if (client.RefreshTokenUsage == TokenUsage.OneTimeOnly)
{
_logger.LogVerbose("Token usage is one-time only. Generating new handle");
// delete old one
await _store.RemoveAsync(handle);
// create new one
handle = CryptoRandom.CreateUniqueId();
needsUpdate = true;
}
if (client.RefreshTokenExpiration == TokenExpiration.Sliding)
{
_logger.LogVerbose("Refresh token expiration is sliding - extending lifetime");
// make sure we don't exceed absolute exp
// cap it at absolute exp
var currentLifetime = refreshToken.CreationTime.GetLifetimeInSeconds();
_logger.LogVerbose("Current lifetime: " + currentLifetime.ToString());
var newLifetime = currentLifetime + client.SlidingRefreshTokenLifetime;
_logger.LogVerbose("New lifetime: " + newLifetime.ToString());
if (newLifetime > client.AbsoluteRefreshTokenLifetime)
{
newLifetime = client.AbsoluteRefreshTokenLifetime;
_logger.LogVerbose("New lifetime exceeds absolute lifetime, capping it to " + newLifetime.ToString());
}
refreshToken.LifeTime = newLifetime;
needsUpdate = true;
}
if (needsUpdate)
{
await _store.StoreAsync(handle, refreshToken);
_logger.LogVerbose("Updated refresh token in store");
}
else
{
_logger.LogVerbose("No updates to refresh token done");
}
await RaiseRefreshTokenRefreshedEventAsync(handle, handle, refreshToken);
_logger.LogVerbose("No updates to refresh token done");
return handle;
}
public async Task ProcessConsentAsync_AllowConsentSelected_SavesConsent()
{
RequiresConsent(true);
var client = new Client { AllowRememberConsent = true };
var user = new ClaimsPrincipal();
var request = new ValidatedAuthorizeRequest()
{
ResponseMode = OidcConstants.ResponseModes.Fragment,
State = "12345",
RedirectUri = "https://client.com/callback",
ValidatedScopes = new ScopeValidator(new InMemoryScopeStore(GetScopes()), new FakeLoggerFactory()),
Client = client,
Subject = user
};
await request.ValidatedScopes.AreScopesValidAsync(new string[] { "read", "write" });
var consent = new ConsentResponse
{
RememberConsent = true,
ScopesConsented = new string[] { "read" }
};
var result = _subject.ProcessConsentAsync(request, consent).Result;
AssertUpdateConsentCalled(client, user, "read");
}
public void ProcessConsentAsync_NoPromptMode_ConsentServiceRequiresConsent_ConsentGrantedButMissingRequiredScopes_ReturnsErrorResult()
{
RequiresConsent(true);
var client = new Client {};
var scopeValidator = new ScopeValidator(new InMemoryScopeStore(GetScopes()), new FakeLoggerFactory());
var request = new ValidatedAuthorizeRequest()
{
ResponseMode = OidcConstants.ResponseModes.Fragment,
State = "12345",
RedirectUri = "https://client.com/callback",
RequestedScopes = new List<string> { "openid", "read" },
ValidatedScopes = scopeValidator,
Client = client
};
var valid = scopeValidator.AreScopesValidAsync(request.RequestedScopes).Result;
var consent = new ConsentResponse
{
RememberConsent = false,
ScopesConsented = new string[] { "read" }
};
var result = _subject.ProcessConsentAsync(request, consent).Result;
result.IsError.Should().BeTrue();
result.Error.ErrorType.Should().Be(ErrorTypes.Client);
result.Error.Error.Should().Be(OidcConstants.AuthorizeErrors.AccessDenied);
AssertErrorReturnsRequestValues(result.Error, request);
AssertUpdateConsentNotCalled();
}
public ViewResult Submit()
{
Context.Database.EnsureDeleted();
Context.Database.EnsureCreated();
foreach (var field in typeof(Constants.ClaimTypes).GetTypeInfo().DeclaredFields)
{
Context.ClaimDefinitions.Add(new ClaimDefinition<Int32>() { Name = field.Name });
}
Context.SaveChanges();
foreach (var scope in IDS4.StandardScopes.AllAlwaysInclude)
{
_scopeStore.CreateScopeAsync(scope).Wait();
}
_scopeStore.CreateScopeAsync(IDS4.StandardScopes.OfflineAccess).Wait();
_scopeStore.CreateScopeAsync(IDS4.StandardScopes.Roles).Wait();
var ScopeApi1 = new IDS4.Scope
{
Name = "api1",
DisplayName = "API 1",
Description = "API 1 features and data",
Type = IDS4.ScopeType.Resource,
ScopeSecrets = new List<IDS4.Secret>
{
new IDS4.Secret(IDS4.HashExtensions.Sha256("secret"))
},
Claims = new List<IDS4.ScopeClaim>
{
new IDS4. ScopeClaim("role")
}
};
var ScopeApi2 = new IDS4.Scope
{
Name = "api2",
DisplayName = "API 2",
Description = "API 2 features and data, which are better than API 1",
Type = IDS4.ScopeType.Resource
};
_scopeStore.CreateScopeAsync(ScopeApi1).Wait();
_scopeStore.CreateScopeAsync(ScopeApi2).Wait();
///////////////////////////////////////////
// Console Client Credentials Flow Sample
//////////////////////////////////////////
var client = new IDS4.Client
{
ClientId = "client",
ClientSecrets = new List<IDS4.Secret>
{
new IDS4.Secret(IDS4.HashExtensions.Sha256("secret"))
},
Flow = IDS4.Flows.ClientCredentials,
AllowedScopes = new List<String>
{
ScopeApi1.Name,
ScopeApi2.Name
}
};
_clientStore.CreateClientAsync(client).Wait();
///////////////////////////////////////////
// Console Resource Owner Flow Sample
//////////////////////////////////////////
var roclient = new IDS4.Client
{
ClientId = "roclient",
ClientSecrets = new List<IDS4.Secret>
{
new IDS4.Secret(IDS4.HashExtensions.Sha256("secret") )
},
Flow = IDS4.Flows.ResourceOwner,
AllowedScopes = new List<String>
{
IDS4.StandardScopes.OpenId.Name ,
IDS4.StandardScopes.Email.Name ,
IDS4.StandardScopes.OfflineAccess.Name,
ScopeApi1.Name,
ScopeApi2.Name
}
};
_clientStore.CreateClientAsync(roclient).Wait();
///////////////////////////////////////////
// Console Client Credentials Flow Sample
//////////////////////////////////////////
var client_custom = new IDS4.Client
{
ClientId = "client.custom",
ClientSecrets = new List<IDS4.Secret>
{
new IDS4.Secret( IDS4.HashExtensions.Sha256("secret"))
},
Flow = IDS4.Flows.Custom,
AllowedCustomGrantTypes = new List<String>
{
"custom"
},
AllowedScopes = new List<String>
{
ScopeApi1.Name,
ScopeApi2.Name
}
};
_clientStore.CreateClientAsync(client_custom).Wait();
///////////////////////////////////////////
// Introspection Client Sample
//////////////////////////////////////////
var roclient_reference = new IDS4.Client
{
ClientId = "roclient.reference",
ClientSecrets = new List<IDS4.Secret>
{
new IDS4.Secret(IDS4.HashExtensions.Sha256("secret"))
},
Flow = IDS4.Flows.ResourceOwner,
AllowedScopes = new List<String>
{
ScopeApi1.Name,
ScopeApi2.Name
},
AccessTokenType = IDS4.AccessTokenType.Reference
};
_clientStore.CreateClientAsync(roclient_reference).Wait();
///////////////////////////////////////////
// MVC Implicit Flow Samples
//////////////////////////////////////////
var mvc_implicit = new IDS4.Client
{
ClientId = "mvc_implicit",
ClientName = "MVC Implicit",
ClientUri = "http://identityserver.io",
Flow = IDS4.Flows.Implicit,
RedirectUris = new List<String>
{
"http://*****:*****@email.com"),
new SSC.Claim(Constants.ClaimTypes.EmailVerified, "true", SSC.ClaimValueTypes.Boolean),
new SSC.Claim(Constants.ClaimTypes.Role, "Developer"),
new SSC.Claim(Constants.ClaimTypes.Role, "Geek"),
new SSC.Claim(Constants.ClaimTypes.WebSite, "http://bob.com"),
new SSC.Claim(
Constants.ClaimTypes.Address,
@"{ 'street_address': 'One Hacker Way', 'locality': 'Heidelberg', 'postal_code': 69118, 'country': 'Germany' }",
Constants.ClaimValueTypes.Json)
}
).Wait();
_userManager.CreateAsync(BobUser).Wait();
var AliceUser = new User<Int32>
{
Name = "alice",
Password = "******"
};
_userManager.AddClaimsAsync(
AliceUser,
new SSC.Claim[]
{
new SSC.Claim(Constants.ClaimTypes.Name, "Alice Smith"),
new SSC.Claim(Constants.ClaimTypes.GivenName, "Alice") ,
new SSC.Claim(Constants.ClaimTypes.FamilyName, "Smith"),
new SSC.Claim(Constants.ClaimTypes.Email, "*****@*****.**"),
new SSC.Claim(Constants.ClaimTypes.EmailVerified, "true", SSC.ClaimValueTypes.Boolean),
new SSC.Claim(Constants.ClaimTypes.Role, "Admin"),
new SSC.Claim(Constants.ClaimTypes.Role, "Geek"),
new SSC.Claim(Constants.ClaimTypes.WebSite, "http://alice.com"),
new SSC.Claim(
Constants.ClaimTypes.Address,
@"{ 'street_address': 'One Hacker Way', 'locality': 'Heidelberg', 'postal_code': 69118, 'country': 'Germany' }",
Constants.ClaimValueTypes.Json
)
}
).Wait();
_userManager.CreateAsync(AliceUser).Wait();
return View("Home");
}
public async Task<TokenRequestValidationResult> ValidateRequestAsync(NameValueCollection parameters, Client client)
{
_logger.LogTrace("Start token request validation");
_validatedRequest = new ValidatedTokenRequest();
if (client == null)
{
throw new ArgumentNullException("client");
}
if (parameters == null)
{
throw new ArgumentNullException("parameters");
}
_validatedRequest.Raw = parameters;
_validatedRequest.Client = client;
_validatedRequest.Options = _options;
/////////////////////////////////////////////
// check grant type
/////////////////////////////////////////////
var grantType = parameters.Get(OidcConstants.TokenRequest.GrantType);
if (grantType.IsMissing())
{
LogError("Grant type is missing.");
return Invalid(OidcConstants.TokenErrors.UnsupportedGrantType);
}
if (grantType.Length > _options.InputLengthRestrictions.GrantType)
{
LogError("Grant type is too long.");
return Invalid(OidcConstants.TokenErrors.UnsupportedGrantType);
}
_validatedRequest.GrantType = grantType;
// standard grant types
switch (grantType)
{
case OidcConstants.GrantTypes.AuthorizationCode:
return await RunValidationAsync(ValidateAuthorizationCodeRequestAsync, parameters);
case OidcConstants.GrantTypes.ClientCredentials:
return await RunValidationAsync(ValidateClientCredentialsRequestAsync, parameters);
case OidcConstants.GrantTypes.Password:
return await RunValidationAsync(ValidateResourceOwnerCredentialRequestAsync, parameters);
case OidcConstants.GrantTypes.RefreshToken:
return await RunValidationAsync(ValidateRefreshTokenRequestAsync, parameters);
}
// custom grant type
var result = await RunValidationAsync(ValidateCustomGrantRequestAsync, parameters);
if (result.IsError)
{
if (result.Error.IsPresent())
{
return result;
}
LogError("Unsupported grant_type: " + grantType);
return Invalid(OidcConstants.TokenErrors.UnsupportedGrantType);
}
return result;
}
private void AssertUpdateConsentCalled(Client client, ClaimsPrincipal user, params string[] scopes)
{
_mockConsent.ConsentClient.Should().BeSameAs(client);
_mockConsent.ConsentSubject.Should().BeSameAs(user);
_mockConsent.ConsentScopes.Should().BeEquivalentTo(scopes);
}
public Task<bool> RequiresConsentAsync(Client client, ClaimsPrincipal subject, IEnumerable<string> scopes)
{
return Task.FromResult(RequiresConsentResult);
}