-
Notifications
You must be signed in to change notification settings - Fork 75
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #168 from DuendeSoftware/joe/remote-api-token-retr…
…eival Joe/remote api token retreival
- Loading branch information
Showing
30 changed files
with
1,091 additions
and
634 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,70 @@ | ||
using Duende.IdentityServer.Models; | ||
using Duende.IdentityServer.Validation; | ||
using IdentityModel; | ||
|
||
namespace IdentityServerHost; | ||
|
||
public class TokenExchangeGrantValidator : IExtensionGrantValidator | ||
{ | ||
private readonly ITokenValidator _validator; | ||
|
||
public TokenExchangeGrantValidator(ITokenValidator validator) | ||
{ | ||
_validator = validator; | ||
} | ||
|
||
// register for urn:ietf:params:oauth:grant-type:token-exchange | ||
public string GrantType => OidcConstants.GrantTypes.TokenExchange; | ||
|
||
public async Task ValidateAsync(ExtensionGrantValidationContext context) | ||
{ | ||
// default response is error | ||
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidRequest); | ||
|
||
// the spec allows for various token types, most commonly you return an access token | ||
var customResponse = new Dictionary<string, object> | ||
{ | ||
{ OidcConstants.TokenResponse.IssuedTokenType, OidcConstants.TokenTypeIdentifiers.AccessToken } | ||
}; | ||
|
||
// read the incoming token | ||
var subjectToken = context.Request.Raw.Get(OidcConstants.TokenRequest.SubjectToken); | ||
|
||
// and the token type | ||
var subjectTokenType = context.Request.Raw.Get(OidcConstants.TokenRequest.SubjectTokenType); | ||
|
||
// mandatory parameters | ||
if (string.IsNullOrWhiteSpace(subjectToken)) | ||
{ | ||
return; | ||
} | ||
|
||
// for our impersonation/delegation scenario we require an access token | ||
if (!string.Equals(subjectTokenType, OidcConstants.TokenTypeIdentifiers.AccessToken)) | ||
{ | ||
return; | ||
} | ||
|
||
// validate the incoming access token with the built-in token validator | ||
var validationResult = await _validator.ValidateAccessTokenAsync(subjectToken); | ||
if (validationResult.IsError) | ||
{ | ||
return; | ||
} | ||
|
||
// these are two values you typically care about | ||
var sub = validationResult.Claims.First(c => c.Type == JwtClaimTypes.Subject).Value; | ||
|
||
var alice = TestUsers.Users.Single(u => u.Username == "alice").SubjectId; | ||
var bob = TestUsers.Users.Single(u => u.Username == "bob").SubjectId; | ||
|
||
var impersonateSub = sub == alice ? bob : alice; | ||
var impersonateClaims = TestUsers.Users.Single(u => u.SubjectId == impersonateSub).Claims; | ||
|
||
// create response | ||
context.Result = new GrantValidationResult( | ||
subject: impersonateSub, | ||
authenticationMethod: "swap-alice-and-bob", | ||
claims: impersonateClaims); | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,53 @@ | ||
// Copyright (c) Duende Software. All rights reserved. | ||
// See LICENSE in the project root for license information. | ||
|
||
using System.Net.Http; | ||
using System.Threading.Tasks; | ||
using Duende.Bff; | ||
using IdentityModel; | ||
using IdentityModel.Client; | ||
using Microsoft.Extensions.Logging; | ||
|
||
namespace Host6; | ||
|
||
public class ImpersonationAccessTokenRetriever : DefaultAccessTokenRetriever | ||
{ | ||
public ImpersonationAccessTokenRetriever(ILogger<ImpersonationAccessTokenRetriever> logger) : base(logger) | ||
{ | ||
} | ||
|
||
public override async Task<AccessTokenResult> GetAccessToken(AccessTokenRetrievalContext context) | ||
{ | ||
var result = await base.GetAccessToken(context); | ||
|
||
if(result.Token != null) | ||
{ | ||
var client = new HttpClient(); | ||
var exchangeResponse = await client.RequestTokenExchangeTokenAsync(new TokenExchangeTokenRequest | ||
{ | ||
Address = "https://localhost:5001/connect/token", | ||
GrantType = OidcConstants.GrantTypes.TokenExchange, | ||
|
||
ClientId = "spa", | ||
ClientSecret = "secret", | ||
|
||
SubjectToken = result.Token, | ||
SubjectTokenType = OidcConstants.TokenTypeIdentifiers.AccessToken | ||
}); | ||
if(exchangeResponse.IsError) | ||
{ | ||
return new AccessTokenResult | ||
{ | ||
IsError = true | ||
}; | ||
} | ||
return new AccessTokenResult | ||
{ | ||
IsError = false, | ||
Token = exchangeResponse.AccessToken | ||
}; | ||
} | ||
|
||
return result; | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.