This article shows how to implement the OpenID Connect Implicit Flow using OpenIddict hosted in an ASP.NET Core application, an ASP.NET Core web API and an Angular application as the client.
Code: https://github.com/damienbod/AspNetCoreOpeniddictAngularImplicitFlow
Three different projects are used to implement the application. The OpenIddict Implicit Flow Server is used to authenticate and authorise, the resource server is used to provide the API, and the Angular application implements the UI.
OpenIddict Server implementing the Implicit Flow
To use the OpenIddict NuGet packages to implement an OpenID Connect server, you need to use the myget server. You can add a NuGet.config file to your project to configure this, or add it to the package sources in Visual Studio 2017.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<packageSources>
<add key="NuGet" value="https://api.nuget.org/v3/index.json" />
<add key="aspnet-contrib" value="https://www.myget.org/F/aspnet-contrib/api/v3/index.json" />
</packageSources>
</configuration>
Then you can use the NuGet package manager to download the required packages. You need to select the key for the correct source in the drop down on the right hand side, and select the required pre-release packages.
Or you can just add them directly to the csproj file.
<Project Sdk="Microsoft.NET.Sdk.Web">
<PropertyGroup>
<TargetFramework>netcoreapp1.1</TargetFramework>
<PreserveCompilationContext>true</PreserveCompilationContext>
<OutputType>Exe</OutputType>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="AspNet.Security.OAuth.Validation" Version="1.0.0-rtm-0241" />
<PackageReference Include="Microsoft.AspNetCore.Authentication.Google" Version="1.1.1" />
<PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="1.1.1" />
<PackageReference Include="Microsoft.AspNetCore.Authentication.Twitter" Version="1.1.1" />
<PackageReference Include="Microsoft.AspNetCore.Diagnostics" Version="1.1.1" />
<PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="1.1.1" />
<PackageReference Include="Microsoft.AspNetCore.Mvc" Version="1.1.2" />
<PackageReference Include="Microsoft.AspNetCore.Server.IISIntegration" Version="1.1.1" />
<PackageReference Include="Microsoft.AspNetCore.Server.Kestrel" Version="1.1.1" />
<PackageReference Include="Microsoft.AspNetCore.Cors" Version="1.1.1" />
<PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="1.1.0" />
<PackageReference Include="Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore" Version="1.1.1" />
<PackageReference Include="Microsoft.Extensions.Configuration.CommandLine" Version="1.1.1" />
<PackageReference Include="Microsoft.Extensions.Configuration.EnvironmentVariables" Version="1.1.1" />
<PackageReference Include="Microsoft.Extensions.Configuration.Json" Version="1.1.1" />
<PackageReference Include="Microsoft.Extensions.Logging.Console" Version="1.1.1" />
<PackageReference Include="Microsoft.Extensions.Logging.Debug" Version="1.1.1" />
<PackageReference Include="Openiddict" Version="1.0.0-beta2-0598" />
<PackageReference Include="OpenIddict.EntityFrameworkCore" Version="1.0.0-beta2-0598" />
<PackageReference Include="OpenIddict.Mvc" Version="1.0.0-beta2-0598" />
<PackageReference Include="Microsoft.EntityFrameworkCore.Sqlite" Version="1.1.1" />
<PackageReference Include="Microsoft.EntityFrameworkCore.Sqlite.Design" Version="1.1.1" />
</ItemGroup>
<ItemGroup>
<DotNetCliToolReference Include="Microsoft.EntityFrameworkCore.Tools.DotNet" Version="1.0.0" />
<DotNetCliToolReference Include="Microsoft.DotNet.Watcher.Tools" Version="1.0.0" />
</ItemGroup>
<ItemGroup>
<None Update="damienbodserver.pfx">
<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
</None>
</ItemGroup>
</Project>
The OpenIddict packages are configured in the ConfigureServices and the Configure methods in the Startup class. The following code configures the OpenID Connect Implicit Flow with a SQLite database using Entity Framework Core. The required endpoints are enabled, and Json Web tokens are used.
public void ConfigureServices(IServiceCollection services)
{
services.AddDbContext<ApplicationDbContext>(options =>
{
options.UseSqlite(Configuration.GetConnectionString("DefaultConnection"));
options.UseOpenIddict();
});
services.AddIdentity<ApplicationUser, IdentityRole>()
.AddEntityFrameworkStores<ApplicationDbContext>();
services.Configure<IdentityOptions>(options =>
{
options.ClaimsIdentity.UserNameClaimType = OpenIdConnectConstants.Claims.Name;
options.ClaimsIdentity.UserIdClaimType = OpenIdConnectConstants.Claims.Subject;
options.ClaimsIdentity.RoleClaimType = OpenIdConnectConstants.Claims.Role;
});
services.AddOpenIddict(options =>
{
options.AddEntityFrameworkCoreStores<ApplicationDbContext>();
options.AddMvcBinders();
options.EnableAuthorizationEndpoint("/connect/authorize")
.EnableLogoutEndpoint("/connect/logout")
.EnableIntrospectionEndpoint("/connect/introspect")
.EnableUserinfoEndpoint("/api/userinfo");
options.AllowImplicitFlow();
options.AddSigningCertificate(_cert);
options.UseJsonWebTokens();
});
var policy = new Microsoft.AspNetCore.Cors.Infrastructure.CorsPolicy();
policy.Headers.Add("*");
policy.Methods.Add("*");
policy.Origins.Add("*");
policy.SupportsCredentials = true;
services.AddCors(x => x.AddPolicy("corsGlobalPolicy", policy));
services.AddMvc();
services.AddTransient<IEmailSender, AuthMessageSender>();
services.AddTransient<ISmsSender, AuthMessageSender>();
}
The Configure method defines JwtBearerAuthentication so the userinfo API can be used, or any other authorisered API. The OpenIddict middlware is also added. The commented out method InitializeAsync is used to add OpenIddict data to the existing database. The database was created using Entity Framework Core migrations from the command line.
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
loggerFactory.AddConsole(Configuration.GetSection("Logging"));
loggerFactory.AddDebug();
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
app.UseDatabaseErrorPage();
}
else
{
app.UseExceptionHandler("/Home/Error");
}
app.UseCors("corsGlobalPolicy");
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
JwtSecurityTokenHandler.DefaultOutboundClaimTypeMap.Clear();
var jwtOptions = new JwtBearerOptions()
{
AutomaticAuthenticate = true,
AutomaticChallenge = true,
RequireHttpsMetadata = true,
Audience = "dataEventRecords",
ClaimsIssuer = "https://localhost:44319/",
TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = OpenIdConnectConstants.Claims.Name,
RoleClaimType = OpenIdConnectConstants.Claims.Role
}
};
jwtOptions.TokenValidationParameters.ValidAudience = "dataEventRecords";
jwtOptions.TokenValidationParameters.ValidIssuer = "https://localhost:44319/";
jwtOptions.TokenValidationParameters.IssuerSigningKey = new RsaSecurityKey(_cert.GetRSAPrivateKey().ExportParameters(false));
app.UseJwtBearerAuthentication(jwtOptions);
app.UseIdentity();
app.UseOpenIddict();
app.UseMvcWithDefaultRoute();
// Seed the database with the sample applications.
// Note: in a real world application, this step should be part of a setup script.
// InitializeAsync(app.ApplicationServices, CancellationToken.None).GetAwaiter().GetResult();
}
Entity Framework Core database migrations:
> dotnet ef migrations add test > dotnet ef database update test
The UserinfoController controller is used to return user data to the client. The API requires a token which is validated using the JWT Bearer token validation, configured in the Startup class.
The required claims need to be added here, as the application requires. This example adds some extra role claims which are used in the Angular SPA.
using System.Threading.Tasks;
using AspNet.Security.OAuth.Validation;
using AspNet.Security.OpenIdConnect.Primitives;
using OpeniddictServer.Models;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Newtonsoft.Json.Linq;
using System.Collections.Generic;
namespace OpeniddictServer.Controllers
{
[Route("api")]
public class UserinfoController : Controller
{
private readonly UserManager<ApplicationUser> _userManager;
public UserinfoController(UserManager<ApplicationUser> userManager)
{
_userManager = userManager;
}
//
// GET: /api/userinfo
[Authorize(ActiveAuthenticationSchemes = OAuthValidationDefaults.AuthenticationScheme)]
[HttpGet("userinfo"), Produces("application/json")]
public async Task<IActionResult> Userinfo()
{
var user = await _userManager.GetUserAsync(User);
if (user == null)
{
return BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "The user profile is no longer available."
});
}
var claims = new JObject();
claims[OpenIdConnectConstants.Claims.Subject] = await _userManager.GetUserIdAsync(user);
if (User.HasClaim(OpenIdConnectConstants.Claims.Scope, OpenIdConnectConstants.Scopes.Email))
{
claims[OpenIdConnectConstants.Claims.Email] = await _userManager.GetEmailAsync(user);
claims[OpenIdConnectConstants.Claims.EmailVerified] = await _userManager.IsEmailConfirmedAsync(user);
}
if (User.HasClaim(OpenIdConnectConstants.Claims.Scope, OpenIdConnectConstants.Scopes.Phone))
{
claims[OpenIdConnectConstants.Claims.PhoneNumber] = await _userManager.GetPhoneNumberAsync(user);
claims[OpenIdConnectConstants.Claims.PhoneNumberVerified] = await _userManager.IsPhoneNumberConfirmedAsync(user);
}
List<string> roles = new List<string> { "dataEventRecords", "dataEventRecords.admin", "admin", "dataEventRecords.user" };
claims["role"] = JArray.FromObject(roles);
return Json(claims);
}
}
}
The AuthorizationController controller implements the CreateTicketAsync method where the claims can be added to the tokens as required. The Implict Flow in this example requires both the id_token and the access_token and extra claims are added to the access_token. These are the claims used by the resource server to set the policies.
private async Task<AuthenticationTicket> CreateTicketAsync(OpenIdConnectRequest request, ApplicationUser user)
{
var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
var principal = await _signInManager.CreateUserPrincipalAsync(user);
foreach (var claim in principal.Claims)
{
if (claim.Type == _identityOptions.Value.ClaimsIdentity.SecurityStampClaimType)
{
continue;
}
var destinations = new List<string>
{
OpenIdConnectConstants.Destinations.AccessToken
};
if ((claim.Type == OpenIdConnectConstants.Claims.Name) ||
(claim.Type == OpenIdConnectConstants.Claims.Email) ||
(claim.Type == OpenIdConnectConstants.Claims.Role) )
{
destinations.Add(OpenIdConnectConstants.Destinations.IdentityToken);
}
claim.SetDestinations(destinations);
identity.AddClaim(claim);
}
// Add custom claims
var claimdataEventRecordsAdmin = new Claim("role", "dataEventRecords.admin");
claimdataEventRecordsAdmin.SetDestinations(OpenIdConnectConstants.Destinations.AccessToken);
var claimAdmin = new Claim("role", "admin");
claimAdmin.SetDestinations(OpenIdConnectConstants.Destinations.AccessToken);
var claimUser = new Claim("role", "dataEventRecords.user");
claimUser.SetDestinations(OpenIdConnectConstants.Destinations.AccessToken);
identity.AddClaim(claimdataEventRecordsAdmin);
identity.AddClaim(claimAdmin);
identity.AddClaim(claimUser);
// Create a new authentication ticket holding the user identity.
var ticket = new AuthenticationTicket(new ClaimsPrincipal(identity),
new AuthenticationProperties(),
OpenIdConnectServerDefaults.AuthenticationScheme);
// Set the list of scopes granted to the client application.
ticket.SetScopes(new[]
{
OpenIdConnectConstants.Scopes.OpenId,
OpenIdConnectConstants.Scopes.Email,
OpenIdConnectConstants.Scopes.Profile,
"role",
"dataEventRecords"
}.Intersect(request.GetScopes()));
ticket.SetResources("dataEventRecords");
return ticket;
}
If you require more examples, or different flows, refer to the excellent openiddict-samples .
Angular Implicit Flow client
The Angular application uses the AuthConfiguration class to set the options required for the OpenID Connect Implicit Flow. The ‘id_token token’ is defined as the response type so that an access_token is returned as well as the id_token. The jwks_url is required so that the client can ge the signiture from the server to validate the token. The userinfo_url and the logoutEndSession_url are used to define the user data url and the logout url. These could be removed and the data from the jwks_url could be ued to get these parameters. The configuration here has to match the configuration on the server.
import { Injectable } from '@angular/core';
@Injectable()
export class AuthConfiguration {
// The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery) MUST exactly match the value of the iss (issuer) Claim.
public iss = 'https://localhost:44319/';
public server = 'https://localhost:44319';
public redirect_url = 'https://localhost:44308';
// This is required to get the signing keys so that the signiture of the Jwt can be validated.
public jwks_url = 'https://localhost:44319/.well-known/jwks';
public userinfo_url = 'https://localhost:44319/api/userinfo';
public logoutEndSession_url = 'https://localhost:44319/connect/logout';
// The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer identified by the iss (issuer) Claim as an audience.
// The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.
public client_id = 'angular4client';
public response_type = 'id_token token';
public scope = 'dataEventRecords openid';
public post_logout_redirect_uri = 'https://localhost:44308/Unauthorized';
}
The OidcSecurityService is used to send the login request to the server and also handle the callback which validates the tokens. This class also persists the token data to the local storage.
import { Injectable } from '@angular/core';
import { Http, Response, Headers } from '@angular/http';
import 'rxjs/add/operator/map';
import 'rxjs/add/operator/catch';
import { Observable } from 'rxjs/Rx';
import { Router } from '@angular/router';
import { AuthConfiguration } from '../auth.configuration';
import { OidcSecurityValidation } from './oidc.security.validation';
import { JwtKeys } from './jwtkeys';
@Injectable()
export class OidcSecurityService {
public HasAdminRole: boolean;
public HasUserAdminRole: boolean;
public UserData: any;
private _isAuthorized: boolean;
private actionUrl: string;
private headers: Headers;
private storage: any;
private oidcSecurityValidation: OidcSecurityValidation;
private errorMessage: string;
private jwtKeys: JwtKeys;
constructor(private _http: Http, private _configuration: AuthConfiguration, private _router: Router) {
this.actionUrl = _configuration.server + 'api/DataEventRecords/';
this.oidcSecurityValidation = new OidcSecurityValidation();
this.headers = new Headers();
this.headers.append('Content-Type', 'application/json');
this.headers.append('Accept', 'application/json');
this.storage = sessionStorage; //localStorage;
if (this.retrieve('_isAuthorized') !== '') {
this.HasAdminRole = this.retrieve('HasAdminRole');
this._isAuthorized = this.retrieve('_isAuthorized');
}
}
public IsAuthorized(): boolean {
if (this._isAuthorized) {
if (this.oidcSecurityValidation.IsTokenExpired(this.retrieve('authorizationDataIdToken'))) {
console.log('IsAuthorized: isTokenExpired');
this.ResetAuthorizationData();
return false;
}
return true;
}
return false;
}
public GetToken(): any {
return this.retrieve('authorizationData');
}
public ResetAuthorizationData() {
this.store('authorizationData', '');
this.store('authorizationDataIdToken', '');
this._isAuthorized = false;
this.HasAdminRole = false;
this.store('HasAdminRole', false);
this.store('_isAuthorized', false);
}
public SetAuthorizationData(token: any, id_token: any) {
if (this.retrieve('authorizationData') !== '') {
this.store('authorizationData', '');
}
console.log(token);
console.log(id_token);
console.log('storing to storage, getting the roles');
this.store('authorizationData', token);
this.store('authorizationDataIdToken', id_token);
this._isAuthorized = true;
this.store('_isAuthorized', true);
this.getUserData()
.subscribe(data => this.UserData = data,
error => this.HandleError(error),
() => {
for (let i = 0; i < this.UserData.role.length; i++) {
console.log(this.UserData.role[i]);
if (this.UserData.role[i] === 'dataEventRecords.admin') {
this.HasAdminRole = true;
this.store('HasAdminRole', true);
}
if (this.UserData.role[i] === 'admin') {
this.HasUserAdminRole = true;
this.store('HasUserAdminRole', true);
}
}
});
}
public Authorize() {
this.ResetAuthorizationData();
console.log('BEGIN Authorize, no auth data');
let authorizationUrl = this._configuration.server + '/connect/authorize';
let client_id = this._configuration.client_id;
let redirect_uri = this._configuration.redirect_url;
let response_type = this._configuration.response_type;
let scope = this._configuration.scope;
let nonce = 'N' + Math.random() + '' + Date.now();
let state = Date.now() + '' + Math.random();
this.store('authStateControl', state);
this.store('authNonce', nonce);
console.log('AuthorizedController created. adding myautostate: ' + this.retrieve('authStateControl'));
let url =
authorizationUrl + '?' +
'response_type=' + encodeURI(response_type) + '&' +
'client_id=' + encodeURI(client_id) + '&' +
'redirect_uri=' + encodeURI(redirect_uri) + '&' +
'scope=' + encodeURI(scope) + '&' +
'nonce=' + encodeURI(nonce) + '&' +
'state=' + encodeURI(state);
window.location.href = url;
}
public AuthorizedCallback() {
console.log('BEGIN AuthorizedCallback, no auth data');
this.ResetAuthorizationData();
let hash = window.location.hash.substr(1);
let result: any = hash.split('&').reduce(function (result: any, item: string) {
let parts = item.split('=');
result[parts[0]] = parts[1];
return result;
}, {});
console.log(result);
console.log('AuthorizedCallback created, begin token validation');
let token = '';
let id_token = '';
let authResponseIsValid = false;
this.getSigningKeys()
.subscribe(jwtKeys => {
this.jwtKeys = jwtKeys;
if (!result.error) {
// validate state
if (this.oidcSecurityValidation.ValidateStateFromHashCallback(result.state, this.retrieve('authStateControl'))) {
token = result.access_token;
id_token = result.id_token;
let decoded: any;
let headerDecoded;
decoded = this.oidcSecurityValidation.GetPayloadFromToken(id_token, false);
headerDecoded = this.oidcSecurityValidation.GetHeaderFromToken(id_token, false);
// validate jwt signature
if (this.oidcSecurityValidation.Validate_signature_id_token(id_token, this.jwtKeys)) {
// validate nonce
if (this.oidcSecurityValidation.Validate_id_token_nonce(decoded, this.retrieve('authNonce'))) {
// validate iss
if (this.oidcSecurityValidation.Validate_id_token_iss(decoded, this._configuration.iss)) {
// validate aud
if (this.oidcSecurityValidation.Validate_id_token_aud(decoded, this._configuration.client_id)) {
// valiadate at_hash and access_token
if (this.oidcSecurityValidation.Validate_id_token_at_hash(token, decoded.at_hash) || !token) {
this.store('authNonce', '');
this.store('authStateControl', '');
authResponseIsValid = true;
console.log('AuthorizedCallback state, nonce, iss, aud, signature validated, returning token');
} else {
console.log('AuthorizedCallback incorrect aud');
}
} else {
console.log('AuthorizedCallback incorrect aud');
}
} else {
console.log('AuthorizedCallback incorrect iss');
}
} else {
console.log('AuthorizedCallback incorrect nonce');
}
} else {
console.log('AuthorizedCallback incorrect Signature id_token');
}
} else {
console.log('AuthorizedCallback incorrect state');
}
}
if (authResponseIsValid) {
this.SetAuthorizationData(token, id_token);
console.log(this.retrieve('authorizationData'));
// router navigate to DataEventRecordsList
this._router.navigate(['/dataeventrecords/list']);
} else {
this.ResetAuthorizationData();
this._router.navigate(['/Unauthorized']);
}
});
}
public Logoff() {
// /connect/endsession?id_token_hint=...&post_logout_redirect_uri=https://myapp.com
console.log('BEGIN Authorize, no auth data');
let authorizationEndsessionUrl = this._configuration.logoutEndSession_url;
let id_token_hint = this.retrieve('authorizationDataIdToken');
let post_logout_redirect_uri = this._configuration.post_logout_redirect_uri;
let url =
authorizationEndsessionUrl + '?' +
'id_token_hint=' + encodeURI(id_token_hint) + '&' +
'post_logout_redirect_uri=' + encodeURI(post_logout_redirect_uri);
this.ResetAuthorizationData();
window.location.href = url;
}
private runGetSigningKeys() {
this.getSigningKeys()
.subscribe(
jwtKeys => this.jwtKeys = jwtKeys,
error => this.errorMessage = <any>error);
}
private getSigningKeys(): Observable<JwtKeys> {
return this._http.get(this._configuration.jwks_url)
.map(this.extractData)
.catch(this.handleError);
}
private extractData(res: Response) {
let body = res.json();
return body;
}
private handleError(error: Response | any) {
// In a real world app, you might use a remote logging infrastructure
let errMsg: string;
if (error instanceof Response) {
const body = error.json() || '';
const err = body.error || JSON.stringify(body);
errMsg = `${error.status} - ${error.statusText || ''} ${err}`;
} else {
errMsg = error.message ? error.message : error.toString();
}
console.error(errMsg);
return Observable.throw(errMsg);
}
public HandleError(error: any) {
console.log(error);
if (error.status == 403) {
this._router.navigate(['/Forbidden']);
} else if (error.status == 401) {
this.ResetAuthorizationData();
this._router.navigate(['/Unauthorized']);
}
}
private retrieve(key: string): any {
let item = this.storage.getItem(key);
if (item && item !== 'undefined') {
return JSON.parse(this.storage.getItem(key));
}
return;
}
private store(key: string, value: any) {
this.storage.setItem(key, JSON.stringify(value));
}
private getUserData = (): Observable<string[]> => {
this.setHeaders();
return this._http.get(this._configuration.userinfo_url, {
headers: this.headers,
body: ''
}).map(res => res.json());
}
private setHeaders() {
this.headers = new Headers();
this.headers.append('Content-Type', 'application/json');
this.headers.append('Accept', 'application/json');
let token = this.GetToken();
if (token !== '') {
this.headers.append('Authorization', 'Bearer ' + token);
}
}
}
The OidcSecurityValidation class defines the functions used to validate the tokens defined in the OpenID Connect specification for the Implicit Flow.
import { Injectable } from '@angular/core';
// from jsrasiign
declare var KJUR: any;
declare var KEYUTIL: any;
declare var hextob64u: any;
// http://openid.net/specs/openid-connect-implicit-1_0.html
// id_token
//// id_token C1: The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery) MUST exactly match the value of the iss (issuer) Claim.
//// id_token C2: The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer identified by the iss (issuer) Claim as an audience.The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.
// id_token C3: If the ID Token contains multiple audiences, the Client SHOULD verify that an azp Claim is present.
// id_token C4: If an azp (authorized party) Claim is present, the Client SHOULD verify that its client_id is the Claim Value.
//// id_token C5: The Client MUST validate the signature of the ID Token according to JWS [JWS] using the algorithm specified in the alg Header Parameter of the JOSE Header. The Client MUST use the keys provided by the Issuer.
//// id_token C6: The alg value SHOULD be RS256. Validation of tokens using other signing algorithms is described in the OpenID Connect Core 1.0 [OpenID.Core] specification.
//// id_token C7: The current time MUST be before the time represented by the exp Claim (possibly allowing for some small leeway to account for clock skew).
// id_token C8: The iat Claim can be used to reject tokens that were issued too far away from the current time, limiting the amount of time that nonces need to be stored to prevent attacks.The acceptable range is Client specific.
//// id_token C9: The value of the nonce Claim MUST be checked to verify that it is the same value as the one that was sent in the Authentication Request.The Client SHOULD check the nonce value for replay attacks.The precise method for detecting replay attacks is Client specific.
// id_token C10: If the acr Claim was requested, the Client SHOULD check that the asserted Claim Value is appropriate.The meaning and processing of acr Claim Values is out of scope for this document.
// id_token C11: When a max_age request is made, the Client SHOULD check the auth_time Claim value and request re- authentication if it determines too much time has elapsed since the last End- User authentication.
//// Access Token Validation
//// access_token C1: Hash the octets of the ASCII representation of the access_token with the hash algorithm specified in JWA[JWA] for the alg Header Parameter of the ID Token's JOSE Header. For instance, if the alg is RS256, the hash algorithm used is SHA-256.
//// access_token C2: Take the left- most half of the hash and base64url- encode it.
//// access_token C3: The value of at_hash in the ID Token MUST match the value produced in the previous step if at_hash is present in the ID Token.
@Injectable()
export class OidcSecurityValidation {
// id_token C7: The current time MUST be before the time represented by the exp Claim (possibly allowing for some small leeway to account for clock skew).
public IsTokenExpired(token: string, offsetSeconds?: number): boolean {
let decoded: any;
decoded = this.GetPayloadFromToken(token, false);
let tokenExpirationDate = this.getTokenExpirationDate(decoded);
offsetSeconds = offsetSeconds || 0;
if (tokenExpirationDate == null) {
return false;
}
// Token expired?
return !(tokenExpirationDate.valueOf() > (new Date().valueOf() + (offsetSeconds * 1000)));
}
// id_token C9: The value of the nonce Claim MUST be checked to verify that it is the same value as the one that was sent in the Authentication Request.The Client SHOULD check the nonce value for replay attacks.The precise method for detecting replay attacks is Client specific.
public Validate_id_token_nonce(dataIdToken: any, local_nonce: any): boolean {
if (dataIdToken.nonce !== local_nonce) {
console.log('Validate_id_token_nonce failed');
return false;
}
return true;
}
// id_token C1: The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery) MUST exactly match the value of the iss (issuer) Claim.
public Validate_id_token_iss(dataIdToken: any, client_id: any): boolean {
if (dataIdToken.iss !== client_id) {
console.log('Validate_id_token_iss failed');
return false;
}
return true;
}
// id_token C2: The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer identified by the iss (issuer) Claim as an audience.
// The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.
public Validate_id_token_aud(dataIdToken: any, aud: any): boolean {
if (dataIdToken.aud !== aud) {
console.log('Validate_id_token_aud failed');
return false;
}
return true;
}
public ValidateStateFromHashCallback(state: any, local_state: any): boolean {
if (state !== local_state) {
console.log('ValidateStateFromHashCallback failed');
return false;
}
return true;
}
public GetPayloadFromToken(token: any, encode: boolean) {
let data = {};
if (typeof token !== 'undefined') {
let encoded = token.split('.')[1];
if (encode) {
return encoded;
}
data = JSON.parse(this.urlBase64Decode(encoded));
}
return data;
}
public GetHeaderFromToken(token: any, encode: boolean) {
let data = {};
if (typeof token !== 'undefined') {
let encoded = token.split('.')[0];
if (encode) {
return encoded;
}
data = JSON.parse(this.urlBase64Decode(encoded));
}
return data;
}
public GetSignatureFromToken(token: any, encode: boolean) {
let data = {};
if (typeof token !== 'undefined') {
let encoded = token.split('.')[2];
if (encode) {
return encoded;
}
data = JSON.parse(this.urlBase64Decode(encoded));
}
return data;
}
// id_token C5: The Client MUST validate the signature of the ID Token according to JWS [JWS] using the algorithm specified in the alg Header Parameter of the JOSE Header. The Client MUST use the keys provided by the Issuer.
// id_token C6: The alg value SHOULD be RS256. Validation of tokens using other signing algorithms is described in the OpenID Connect Core 1.0 [OpenID.Core] specification.
public Validate_signature_id_token(id_token: any, jwtkeys: any): boolean {
if (!jwtkeys || !jwtkeys.keys) {
return false;
}
let header_data = this.GetHeaderFromToken(id_token, false);
let kid = header_data.kid;
let alg = header_data.alg;
if ('RS256' != alg) {
console.log('Only RS256 supported');
return false;
}
let isValid = false;
for (let key of jwtkeys.keys) {
if (key.kid === kid) {
let publickey = KEYUTIL.getKey(key);
isValid = KJUR.jws.JWS.verify(id_token, publickey, ['RS256']);
return isValid;
}
}
return isValid;
}
// Access Token Validation
// access_token C1: Hash the octets of the ASCII representation of the access_token with the hash algorithm specified in JWA[JWA] for the alg Header Parameter of the ID Token's JOSE Header. For instance, if the alg is RS256, the hash algorithm used is SHA-256.
// access_token C2: Take the left- most half of the hash and base64url- encode it.
// access_token C3: The value of at_hash in the ID Token MUST match the value produced in the previous step if at_hash is present in the ID Token.
public Validate_id_token_at_hash(access_token: any, at_hash: any): boolean {
let hash = KJUR.crypto.Util.hashString(access_token, 'sha256');
let first128bits = hash.substr(0, hash.length / 2);
let testdata = hextob64u(first128bits);
if (testdata === at_hash) {
return true; // isValid;
}
return false;
}
private getTokenExpirationDate(dataIdToken: any): Date {
if (!dataIdToken.hasOwnProperty('exp')) {
return null;
}
let date = new Date(0); // The 0 here is the key, which sets the date to the epoch
date.setUTCSeconds(dataIdToken.exp);
return date;
}
private urlBase64Decode(str: string) {
let output = str.replace('-', '+').replace('_', '/');
switch (output.length % 4) {
case 0:
break;
case 2:
output += '==';
break;
case 3:
output += '=';
break;
default:
throw 'Illegal base64url string!';
}
return window.atob(output);
}
}
The jsrsasign is used to validate the token signature and is added to the html file as a link.
!doctype html>
<html>
<head>
<base href="./">
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>ASP.NET Core 1.0 Angular IdentityServer4 Client</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<script src="assets/jsrsasign.min.js"></script>
</head>
<body>
<my-app>Loading...</my-app>
</body>
</html>
Once logged into the application, the access_token is added to the header of each request and sent to the resource server or the required APIs on the OpenIddict server.
private setHeaders() {
console.log('setHeaders started');
this.headers = new Headers();
this.headers.append('Content-Type', 'application/json');
this.headers.append('Accept', 'application/json');
this.headers.append('Cache-Control', 'no-cache');
let token = this._securityService.GetToken();
if (token !== '') {
let tokenValue = 'Bearer ' + token;
console.log('tokenValue:' + tokenValue);
this.headers.append('Authorization', tokenValue);
}
}
ASP.NET Core Resource Server API
The resource server provides an API protected by security policies, dataEventRecordsUser and dataEventRecordsAdmin.
using AspNet5SQLite.Model;
using AspNet5SQLite.Repositories;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
namespace AspNet5SQLite.Controllers
{
[Authorize]
[Route("api/[controller]")]
public class DataEventRecordsController : Controller
{
private readonly IDataEventRecordRepository _dataEventRecordRepository;
public DataEventRecordsController(IDataEventRecordRepository dataEventRecordRepository)
{
_dataEventRecordRepository = dataEventRecordRepository;
}
[Authorize("dataEventRecordsUser")]
[HttpGet]
public IActionResult Get()
{
return Ok(_dataEventRecordRepository.GetAll());
}
[Authorize("dataEventRecordsAdmin")]
[HttpGet("{id}")]
public IActionResult Get(long id)
{
return Ok(_dataEventRecordRepository.Get(id));
}
[Authorize("dataEventRecordsAdmin")]
[HttpPost]
public void Post([FromBody]DataEventRecord value)
{
_dataEventRecordRepository.Post(value);
}
[Authorize("dataEventRecordsAdmin")]
[HttpPut("{id}")]
public void Put(long id, [FromBody]DataEventRecord value)
{
_dataEventRecordRepository.Put(id, value);
}
[Authorize("dataEventRecordsAdmin")]
[HttpDelete("{id}")]
public void Delete(long id)
{
_dataEventRecordRepository.Delete(id);
}
}
}
The policies are implemented in the Startup class and are implemented using the role claims dataEventRecords.user, dataEventRecords.admin and the scope dataEventRecords.
var guestPolicy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.RequireClaim("scope", "dataEventRecords")
.Build();
services.AddAuthorization(options =>
{
options.AddPolicy("dataEventRecordsAdmin", policyAdmin =>
{
policyAdmin.RequireClaim("role", "dataEventRecords.admin");
});
options.AddPolicy("dataEventRecordsUser", policyUser =>
{
policyUser.RequireClaim("role", "dataEventRecords.user");
});
});
Jwt Bearer Authentication is used to validate the API HTTP requests.
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
JwtSecurityTokenHandler.DefaultOutboundClaimTypeMap.Clear();
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
Authority = "https://localhost:44319/",
Audience = "dataEventRecords",
RequireHttpsMetadata = true,
TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = OpenIdConnectConstants.Claims.Subject,
RoleClaimType = OpenIdConnectConstants.Claims.Role
}
});
Running the application
When the application is started, all 3 applications are run, using the Visual Studio 2017 multiple project start option.
After the user clicks the login button, the user is redirected to the OpenIddict server to login.
After a successful login, the user is redirected back to the Angular application.
Links:
https://github.com/openiddict/openiddict-core
https://github.com/openiddict/openiddict-core/issues/49
https://github.com/openiddict/openiddict-samples
https://blogs.msdn.microsoft.com/webdev/2017/01/23/asp-net-core-authentication-with-identityserver4/
https://blogs.msdn.microsoft.com/webdev/2016/10/27/bearer-token-authentication-in-asp-net-core/
https://blogs.msdn.microsoft.com/webdev/2017/04/06/jwt-validation-and-authorization-in-asp-net-core/
https://www.scottbrady91.com/OpenID-Connect/OpenID-Connect-Flows
