|
|
|
@ -4,6 +4,7 @@ |
|
|
|
* the license and the contributors participating to this project. |
|
|
|
*/ |
|
|
|
|
|
|
|
using System.Collections.Generic; |
|
|
|
using System.Diagnostics; |
|
|
|
using System.Linq; |
|
|
|
using System.Threading.Tasks; |
|
|
|
@ -12,9 +13,11 @@ using AspNet.Security.OpenIdConnect.Primitives; |
|
|
|
using AspNet.Security.OpenIdConnect.Server; |
|
|
|
using Microsoft.AspNetCore.Authentication; |
|
|
|
using Microsoft.AspNetCore.Authorization; |
|
|
|
using Microsoft.AspNetCore.Builder; |
|
|
|
using Microsoft.AspNetCore.Http.Authentication; |
|
|
|
using Microsoft.AspNetCore.Identity; |
|
|
|
using Microsoft.AspNetCore.Mvc; |
|
|
|
using Microsoft.Extensions.Options; |
|
|
|
using Mvc.Server.Helpers; |
|
|
|
using Mvc.Server.Models; |
|
|
|
using Mvc.Server.ViewModels.Authorization; |
|
|
|
@ -27,15 +30,18 @@ namespace Mvc.Server |
|
|
|
public class AuthorizationController : Controller |
|
|
|
{ |
|
|
|
private readonly OpenIddictApplicationManager<OpenIddictApplication> _applicationManager; |
|
|
|
private readonly IOptions<IdentityOptions> _identityOptions; |
|
|
|
private readonly SignInManager<ApplicationUser> _signInManager; |
|
|
|
private readonly UserManager<ApplicationUser> _userManager; |
|
|
|
|
|
|
|
public AuthorizationController( |
|
|
|
OpenIddictApplicationManager<OpenIddictApplication> applicationManager, |
|
|
|
IOptions<IdentityOptions> identityOptions, |
|
|
|
SignInManager<ApplicationUser> signInManager, |
|
|
|
UserManager<ApplicationUser> userManager) |
|
|
|
{ |
|
|
|
_applicationManager = applicationManager; |
|
|
|
_identityOptions = identityOptions; |
|
|
|
_signInManager = signInManager; |
|
|
|
_userManager = userManager; |
|
|
|
} |
|
|
|
@ -268,19 +274,6 @@ namespace Mvc.Server |
|
|
|
// will be used to create an id_token, a token or a code.
|
|
|
|
var principal = await _signInManager.CreateUserPrincipalAsync(user); |
|
|
|
|
|
|
|
// Note: by default, claims are NOT automatically included in the access and identity tokens.
|
|
|
|
// To allow OpenIddict to serialize them, you must attach them a destination, that specifies
|
|
|
|
// whether they should be included in access tokens, in identity tokens or in both.
|
|
|
|
|
|
|
|
foreach (var claim in principal.Claims) |
|
|
|
{ |
|
|
|
// In this sample, every claim is serialized in both the access and the identity tokens.
|
|
|
|
// In a real world application, you'd probably want to exclude confidential claims
|
|
|
|
// or apply a claims policy based on the scopes requested by the client application.
|
|
|
|
claim.SetDestinations(OpenIdConnectConstants.Destinations.AccessToken, |
|
|
|
OpenIdConnectConstants.Destinations.IdentityToken); |
|
|
|
} |
|
|
|
|
|
|
|
// Create a new authentication ticket holding the user identity.
|
|
|
|
var ticket = new AuthenticationTicket(principal, properties, |
|
|
|
OpenIdConnectServerDefaults.AuthenticationScheme); |
|
|
|
@ -302,6 +295,35 @@ namespace Mvc.Server |
|
|
|
|
|
|
|
ticket.SetResources("resource_server"); |
|
|
|
|
|
|
|
// Note: by default, claims are NOT automatically included in the access and identity tokens.
|
|
|
|
// To allow OpenIddict to serialize them, you must attach them a destination, that specifies
|
|
|
|
// whether they should be included in access tokens, in identity tokens or in both.
|
|
|
|
|
|
|
|
foreach (var claim in ticket.Principal.Claims) |
|
|
|
{ |
|
|
|
// Never include the security stamp in the access and identity tokens, as it's a secret value.
|
|
|
|
if (claim.Type == _identityOptions.Value.ClaimsIdentity.SecurityStampClaimType) |
|
|
|
{ |
|
|
|
continue; |
|
|
|
} |
|
|
|
|
|
|
|
var destinations = new List<string> |
|
|
|
{ |
|
|
|
OpenIdConnectConstants.Destinations.AccessToken |
|
|
|
}; |
|
|
|
|
|
|
|
// Only add the iterated claim to the id_token if the corresponding scope was granted to the client application.
|
|
|
|
// The other claims will only be added to the access_token, which is encrypted when using the default format.
|
|
|
|
if ((claim.Type == OpenIdConnectConstants.Claims.Name && ticket.HasScope(OpenIdConnectConstants.Scopes.Profile)) || |
|
|
|
(claim.Type == OpenIdConnectConstants.Claims.Email && ticket.HasScope(OpenIdConnectConstants.Scopes.Email)) || |
|
|
|
(claim.Type == OpenIdConnectConstants.Claims.Role && ticket.HasScope(OpenIddictConstants.Claims.Roles))) |
|
|
|
{ |
|
|
|
destinations.Add(OpenIdConnectConstants.Destinations.IdentityToken); |
|
|
|
} |
|
|
|
|
|
|
|
claim.SetDestinations(destinations); |
|
|
|
} |
|
|
|
|
|
|
|
return ticket; |
|
|
|
} |
|
|
|
} |
|
|
|
|
Kévin Chalet
9 years ago