Use the new SecurityTokenDescriptor.TokenType property

6 years ago · f9f9c599e9
6 changed files with 39 additions and 125 deletions
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@ -6,8 +6,8 @@
    <PackageVersion Include="MartinCostello.Logging.XUnit" Version="0.1.0" />
    <PackageVersion Include="Microsoft.Bcl.HashCode" Version="1.1.0" />
    <PackageVersion Include="Microsoft.CodeAnalysis.FxCopAnalyzers" Version="3.0.0" />
-    <PackageVersion Include="Microsoft.IdentityModel.JsonWebTokens" Version="6.7.1" />
+    <PackageVersion Include="Microsoft.IdentityModel.JsonWebTokens" Version="6.8.0" />
-    <PackageVersion Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="6.7.1" />
+    <PackageVersion Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="6.8.0" />
    <PackageVersion Include="Microsoft.NETFramework.ReferenceAssemblies" Version="1.0.0" />
    <PackageVersion Include="Microsoft.Owin.Security" Version="4.1.1" />
    <PackageVersion Include="Microsoft.Owin.Testing" Version="4.1.1" />
--- a/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Authentication.cs
+++ b/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Authentication.cs
@ -229,26 +229,17 @@ namespace OpenIddict.Server.AspNetCore
                    // Store the serialized authorization request parameters in the distributed cache.
                    var token = context.Options.JsonWebTokenHandler.CreateToken(new SecurityTokenDescriptor
                    {
                        AdditionalHeaderClaims = new Dictionary<string, object>(StringComparer.Ordinal)
                        {
                            [JwtHeaderParameterNames.Typ] = JsonWebTokenTypes.Private.AuthorizationRequest
                        },
                        Audience = context.Issuer?.AbsoluteUri,
                        Claims = context.Request.GetParameters().ToDictionary(
                            parameter => parameter.Key,
                            parameter => parameter.Value.Value),
                        EncryptingCredentials = context.Options.EncryptionCredentials.First(),
                        Issuer = context.Issuer?.AbsoluteUri,
                        SigningCredentials = context.Options.SigningCredentials.First(),
-                        Subject = new ClaimsIdentity()
+                        Subject = new ClaimsIdentity(),
                        TokenType = JsonWebTokenTypes.Private.AuthorizationRequest
                    });
                    token = context.Options.JsonWebTokenHandler.EncryptToken(token,
                        encryptingCredentials: context.Options.EncryptionCredentials.First(),
                        additionalHeaderClaims: new Dictionary<string, object>
                        {
                            [JwtHeaderParameterNames.Typ] = JsonWebTokenTypes.Private.AuthorizationRequest
                        });
                    // Note: the cache key is always prefixed with a specific marker
                    // to avoid collisions with the other types of cached payloads.
                    await _cache.SetStringAsync(Cache.AuthorizationRequest + context.Request.RequestId,
--- a/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Session.cs
+++ b/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Session.cs
@ -227,26 +227,17 @@ namespace OpenIddict.Server.AspNetCore
                    // Store the serialized logout request parameters in the distributed cache.
                    var token = context.Options.JsonWebTokenHandler.CreateToken(new SecurityTokenDescriptor
                    {
                        AdditionalHeaderClaims = new Dictionary<string, object>(StringComparer.Ordinal)
                        {
                            [JwtHeaderParameterNames.Typ] = JsonWebTokenTypes.Private.LogoutRequest
                        },
                        Audience = context.Issuer?.AbsoluteUri,
                        Claims = context.Request.GetParameters().ToDictionary(
                            parameter => parameter.Key,
                            parameter => parameter.Value.Value),
                        EncryptingCredentials = context.Options.EncryptionCredentials.First(),
                        Issuer = context.Issuer?.AbsoluteUri,
                        SigningCredentials = context.Options.SigningCredentials.First(),
-                        Subject = new ClaimsIdentity()
+                        Subject = new ClaimsIdentity(),
                        TokenType = JsonWebTokenTypes.Private.LogoutRequest
                    });
                    token = context.Options.JsonWebTokenHandler.EncryptToken(token,
                        encryptingCredentials: context.Options.EncryptionCredentials.First(),
                        additionalHeaderClaims: new Dictionary<string, object>
                        {
                            [JwtHeaderParameterNames.Typ] = JsonWebTokenTypes.Private.LogoutRequest
                        });
                    // Note: the cache key is always prefixed with a specific marker
                    // to avoid collisions with the other types of cached payloads.
                    await _cache.SetStringAsync(Cache.LogoutRequest + context.Request.RequestId,
--- a/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Authentication.cs
+++ b/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Authentication.cs
@ -223,26 +223,17 @@ namespace OpenIddict.Server.Owin
                    // Store the serialized authorization request parameters in the distributed cache.
                    var token = context.Options.JsonWebTokenHandler.CreateToken(new SecurityTokenDescriptor
                    {
                        AdditionalHeaderClaims = new Dictionary<string, object>(StringComparer.Ordinal)
                        {
                            [JwtHeaderParameterNames.Typ] = JsonWebTokenTypes.Private.AuthorizationRequest
                        },
                        Audience = context.Issuer?.AbsoluteUri,
                        Claims = context.Request.GetParameters().ToDictionary(
                            parameter => parameter.Key,
                            parameter => parameter.Value.Value),
                        EncryptingCredentials = context.Options.EncryptionCredentials.First(),
                        Issuer = context.Issuer?.AbsoluteUri,
                        SigningCredentials = context.Options.SigningCredentials.First(),
-                        Subject = new ClaimsIdentity()
+                        Subject = new ClaimsIdentity(),
                        TokenType = JsonWebTokenTypes.Private.AuthorizationRequest
                    });
                    token = context.Options.JsonWebTokenHandler.EncryptToken(token,
                        encryptingCredentials: context.Options.EncryptionCredentials.First(),
                        additionalHeaderClaims: new Dictionary<string, object>
                        {
                            [JwtHeaderParameterNames.Typ] = JsonWebTokenTypes.Private.AuthorizationRequest
                        });
                    // Note: the cache key is always prefixed with a specific marker
                    // to avoid collisions with the other types of cached payloads.
                    await _cache.SetStringAsync(Cache.AuthorizationRequest + context.Request.RequestId,
--- a/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Session.cs
+++ b/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Session.cs
@ -221,26 +221,17 @@ namespace OpenIddict.Server.Owin
                    // Store the serialized logout request parameters in the distributed cache.
                    var token = context.Options.JsonWebTokenHandler.CreateToken(new SecurityTokenDescriptor
                    {
                        AdditionalHeaderClaims = new Dictionary<string, object>(StringComparer.Ordinal)
                        {
                            [JwtHeaderParameterNames.Typ] = JsonWebTokenTypes.Private.LogoutRequest
                        },
                        Audience = context.Issuer?.AbsoluteUri,
                        Claims = context.Request.GetParameters().ToDictionary(
                            parameter => parameter.Key,
                            parameter => parameter.Value.Value),
                        EncryptingCredentials = context.Options.EncryptionCredentials.First(),
                        Issuer = context.Issuer?.AbsoluteUri,
                        SigningCredentials = context.Options.SigningCredentials.First(),
-                        Subject = new ClaimsIdentity()
+                        Subject = new ClaimsIdentity(),
                        TokenType = JsonWebTokenTypes.Private.LogoutRequest
                    });
                    token = context.Options.JsonWebTokenHandler.EncryptToken(token,
                        encryptingCredentials: context.Options.EncryptionCredentials.First(),
                        additionalHeaderClaims: new Dictionary<string, object>
                        {
                            [JwtHeaderParameterNames.Typ] = JsonWebTokenTypes.Private.LogoutRequest
                        });
                    // Note: the cache key is always prefixed with a specific marker
                    // to avoid collisions with the other types of cached payloads.
                    await _cache.SetStringAsync(Cache.LogoutRequest + context.Request.RequestId,
--- a/src/OpenIddict.Server/OpenIddictServerHandlers.cs
+++ b/src/OpenIddict.Server/OpenIddictServerHandlers.cs
@ -2725,28 +2725,19 @@ namespace OpenIddict.Server
                var descriptor = new SecurityTokenDescriptor
                {
                    AdditionalHeaderClaims = new Dictionary<string, object>(StringComparer.Ordinal)
                    {
                        [JwtHeaderParameterNames.Typ] = JsonWebTokenTypes.AccessToken
                    },
                    Claims = claims,
                    // Note: unlike other tokens, encryption can be disabled for access tokens.
                    EncryptingCredentials = !context.Options.DisableAccessTokenEncryption ?
                        context.Options.EncryptionCredentials.First() : null,
                    Expires = context.AccessTokenPrincipal.GetExpirationDate()?.UtcDateTime,
                    IssuedAt = context.AccessTokenPrincipal.GetCreationDate()?.UtcDateTime,
                    Issuer = context.Issuer?.AbsoluteUri,
                    SigningCredentials = context.Options.SigningCredentials.First(),
-                    Subject = (ClaimsIdentity) principal.Identity
+                    Subject = (ClaimsIdentity) principal.Identity,
                    TokenType = JsonWebTokenTypes.AccessToken
                };
-                var token = context.Options.JsonWebTokenHandler.CreateToken(descriptor);
+                context.AccessToken = context.Options.JsonWebTokenHandler.CreateToken(descriptor);
                if (!context.Options.DisableAccessTokenEncryption)
                {
                    token = context.Options.JsonWebTokenHandler.EncryptToken(token,
                        encryptingCredentials: context.Options.EncryptionCredentials.First(),
                        additionalHeaderClaims: descriptor.AdditionalHeaderClaims);
                }
                context.AccessToken = token;
                context.Logger.LogTrace(SR.GetResourceString(SR.ID6013), principal.GetClaim(Claims.JwtId),
                                        context.AccessToken, principal.Claims);
@ -2974,15 +2965,13 @@ namespace OpenIddict.Server
                var descriptor = new SecurityTokenDescriptor
                {
-                    AdditionalHeaderClaims = new Dictionary<string, object>(StringComparer.Ordinal)
+                    EncryptingCredentials = context.Options.EncryptionCredentials.First(),
                    {
                        [JwtHeaderParameterNames.Typ] = JsonWebTokenTypes.Private.AuthorizationCode
                    },
                    Expires = context.AuthorizationCodePrincipal.GetExpirationDate()?.UtcDateTime,
                    IssuedAt = context.AuthorizationCodePrincipal.GetCreationDate()?.UtcDateTime,
                    Issuer = context.Issuer?.AbsoluteUri,
                    SigningCredentials = context.Options.SigningCredentials.First(),
-                    Subject = (ClaimsIdentity) principal.Identity
+                    Subject = (ClaimsIdentity) principal.Identity,
                    TokenType = JsonWebTokenTypes.Private.AuthorizationCode
                };
                // Attach claims destinations to the JWT claims collection.
@ -2995,14 +2984,7 @@ namespace OpenIddict.Server
                    };
                }
-                // Sign and encrypt the authorization code.
+                context.AuthorizationCode = context.Options.JsonWebTokenHandler.CreateToken(descriptor);
                var token = context.Options.JsonWebTokenHandler.CreateToken(descriptor);
                token = context.Options.JsonWebTokenHandler.EncryptToken(token,
                    encryptingCredentials: context.Options.EncryptionCredentials.First(),
                    additionalHeaderClaims: descriptor.AdditionalHeaderClaims);
                context.AuthorizationCode = token;
                context.Logger.LogTrace(SR.GetResourceString(SR.ID6016), principal.GetClaim(Claims.JwtId),
                                        context.AuthorizationCode, principal.Claims);
@ -3234,15 +3216,13 @@ namespace OpenIddict.Server
                var descriptor = new SecurityTokenDescriptor
                {
-                    AdditionalHeaderClaims = new Dictionary<string, object>(StringComparer.Ordinal)
+                    EncryptingCredentials = context.Options.EncryptionCredentials.First(),
                    {
                        [JwtHeaderParameterNames.Typ] = JsonWebTokenTypes.Private.DeviceCode
                    },
                    Expires = context.DeviceCodePrincipal.GetExpirationDate()?.UtcDateTime,
                    IssuedAt = context.DeviceCodePrincipal.GetCreationDate()?.UtcDateTime,
                    Issuer = context.Issuer?.AbsoluteUri,
                    SigningCredentials = context.Options.SigningCredentials.First(),
-                    Subject = (ClaimsIdentity) principal.Identity
+                    Subject = (ClaimsIdentity) principal.Identity,
                    TokenType = JsonWebTokenTypes.Private.DeviceCode
                };
                // Attach claims destinations to the JWT claims collection.
@ -3255,14 +3235,7 @@ namespace OpenIddict.Server
                    };
                }
-                // Sign and encrypt the device code.
+                context.DeviceCode = context.Options.JsonWebTokenHandler.CreateToken(descriptor);
                var token = context.Options.JsonWebTokenHandler.CreateToken(descriptor);
                token = context.Options.JsonWebTokenHandler.EncryptToken(token,
                    encryptingCredentials: context.Options.EncryptionCredentials.First(),
                    additionalHeaderClaims: descriptor.AdditionalHeaderClaims);
                context.DeviceCode = token;
                context.Logger.LogTrace(SR.GetResourceString(SR.ID6019), principal.GetClaim(Claims.JwtId),
                                        context.DeviceCode, principal.Claims);
@ -3578,15 +3551,13 @@ namespace OpenIddict.Server
                var descriptor = new SecurityTokenDescriptor
                {
-                    AdditionalHeaderClaims = new Dictionary<string, object>(StringComparer.Ordinal)
+                    EncryptingCredentials = context.Options.EncryptionCredentials.First(),
                    {
                        [JwtHeaderParameterNames.Typ] = JsonWebTokenTypes.Private.RefreshToken
                    },
                    Expires = context.RefreshTokenPrincipal.GetExpirationDate()?.UtcDateTime,
                    IssuedAt = context.RefreshTokenPrincipal.GetCreationDate()?.UtcDateTime,
                    Issuer = context.Issuer?.AbsoluteUri,
                    SigningCredentials = context.Options.SigningCredentials.First(),
-                    Subject = (ClaimsIdentity) principal.Identity
+                    Subject = (ClaimsIdentity) principal.Identity,
                    TokenType = JsonWebTokenTypes.Private.RefreshToken
                };
                // Attach claims destinations to the JWT claims collection.
@ -3599,13 +3570,7 @@ namespace OpenIddict.Server
                    };
                }
-                // Sign and encrypt the refresh token.
+                context.RefreshToken = context.Options.JsonWebTokenHandler.CreateToken(descriptor);
                var token = context.Options.JsonWebTokenHandler.CreateToken(descriptor);
                token = context.Options.JsonWebTokenHandler.EncryptToken(token,
                    encryptingCredentials: context.Options.EncryptionCredentials.First(),
                    additionalHeaderClaims: descriptor.AdditionalHeaderClaims);
                context.RefreshToken = token;
                context.Logger.LogTrace(SR.GetResourceString(SR.ID6023), principal.GetClaim(Claims.JwtId),
                                        context.RefreshToken, principal.Claims);
@ -3874,25 +3839,16 @@ namespace OpenIddict.Server
                var descriptor = new SecurityTokenDescriptor
                {
-                    AdditionalHeaderClaims = new Dictionary<string, object>(StringComparer.Ordinal)
+                    EncryptingCredentials = context.Options.EncryptionCredentials.First(),
                    {
                        [JwtHeaderParameterNames.Typ] = JsonWebTokenTypes.Private.UserCode
                    },
                    Expires = context.UserCodePrincipal.GetExpirationDate()?.UtcDateTime,
                    IssuedAt = context.UserCodePrincipal.GetCreationDate()?.UtcDateTime,
                    Issuer = context.Issuer?.AbsoluteUri,
                    SigningCredentials = context.Options.SigningCredentials.First(),
-                    Subject = (ClaimsIdentity) principal.Identity
+                    Subject = (ClaimsIdentity) principal.Identity,
                    TokenType = JsonWebTokenTypes.Private.UserCode
                };
-                // Sign and encrypt the user code.
+                context.UserCode = context.Options.JsonWebTokenHandler.CreateToken(descriptor);
                var token = context.Options.JsonWebTokenHandler.CreateToken(descriptor);
                token = context.Options.JsonWebTokenHandler.EncryptToken(token,
                    encryptingCredentials: context.Options.EncryptionCredentials.First(),
                    additionalHeaderClaims: descriptor.AdditionalHeaderClaims);
                context.UserCode = token;
                context.Logger.LogTrace(SR.GetResourceString(SR.ID6026), principal.GetClaim(Claims.JwtId),
                                        context.UserCode, principal.Claims);
@ -4295,10 +4251,6 @@ namespace OpenIddict.Server
                var descriptor = new SecurityTokenDescriptor
                {
                    AdditionalHeaderClaims = new Dictionary<string, object>(StringComparer.Ordinal)
                    {
                        [JwtHeaderParameterNames.Typ] = JsonWebTokenTypes.IdentityToken
                    },
                    Claims = claims,
                    Expires = context.IdentityTokenPrincipal.GetExpirationDate()?.UtcDateTime,
                    IssuedAt = context.IdentityTokenPrincipal.GetCreationDate()?.UtcDateTime,
@ -4307,13 +4259,11 @@ namespace OpenIddict.Server
                    // as they are meant to be validated by clients using the public keys exposed by the server.
                    SigningCredentials = context.Options.SigningCredentials.First(credentials =>
                        credentials.Key is AsymmetricSecurityKey),
-                    Subject = (ClaimsIdentity) principal.Identity
+                    Subject = (ClaimsIdentity) principal.Identity,
                    TokenType = JsonWebTokenTypes.IdentityToken
                };
-                // Sign and attach the identity token.
+                context.IdentityToken = context.Options.JsonWebTokenHandler.CreateToken(descriptor);
                var token = context.Options.JsonWebTokenHandler.CreateToken(descriptor);
                context.IdentityToken = token;
                context.Logger.LogTrace(SR.GetResourceString(SR.ID6029), principal.GetClaim(Claims.JwtId),
                                        context.IdentityToken, principal.Claims);