Introduce SaveToken to enable delegation scenarios and copy scopes to user claims

Author: kevinchalet

src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionConstants.cs

@@ -29,6 +29,8 @@ public static class Parameters {
 
         public static class Properties {
             public const string Audiences = ".audiences";
+            public const string Scopes = ".scopes";
+            public const string Token = "access_token";
         }
 
         public static class TokenTypes {

src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionHandler.cs

@@ -87,7 +87,7 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync() {
 
                 // Create a new authentication ticket from the introspection
                 // response returned by the authorization server.
-                ticket = await CreateTicketAsync(payload);
+                ticket = await CreateTicketAsync(token, payload);
                 Debug.Assert(ticket != null);
 
                 await StoreTicketAsync(token, ticket);
@@ -228,10 +228,17 @@ protected virtual bool ValidateAudience(AuthenticationTicket ticket) {
             return true;
         }
 
-        protected virtual async Task<AuthenticationTicket> CreateTicketAsync(JObject payload) {
+        protected virtual async Task<AuthenticationTicket> CreateTicketAsync(string token, JObject payload) {
             var identity = new ClaimsIdentity(Options.AuthenticationScheme);
             var properties = new AuthenticationProperties();
 
+            if (Options.SaveToken) {
+                // Store the access token in the authentication ticket.
+                properties.StoreTokens(new[] {
+                    new AuthenticationToken { Name = OAuthIntrospectionConstants.Properties.Token, Value = token }
+                });
+            }
+
             foreach (var property in payload.Properties()) {
                 switch (property.Name) {
                     // Ignore the unwanted claims.
@@ -283,14 +290,21 @@ protected virtual async Task<AuthenticationTicket> CreateTicketAsync(JObject pay
                     // "scope" claim and store them as individual claims.
                     // See https://tools.ietf.org/html/rfc7662#section-2.2
                     case OAuthIntrospectionConstants.Claims.Scope: {
-                        foreach (var scope in property.Value.ToObject<string>().Split(' ')) {
+                        var scopes = (string) property.Value;
+
+                        // Store the scopes list as-is in the authentication properties.
+                        properties.Items[OAuthIntrospectionConstants.Properties.Scopes] = scopes;
+
+                        foreach (var scope in scopes.Split(' ')) {
                             identity.AddClaim(new Claim(property.Name, scope));
                         }
 
                         continue;
                     }
 
                     // Store the audience(s) in the ticket properties.
+                    // Note: the "aud" claim may be either a list of strings or a unique string.
+                    // See https://tools.ietf.org/html/rfc7662#section-2.2
                     case OAuthIntrospectionConstants.Claims.Audience: {
                         if (property.Value.Type == JTokenType.Array) {
                             var value = (JArray) property.Value;

src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionOptions.cs

@@ -9,6 +9,7 @@
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.DataProtection;
+using Microsoft.AspNetCore.Http.Authentication;
 using Microsoft.Extensions.Caching.Distributed;
 
 namespace AspNet.Security.OAuth.Introspection {
@@ -47,6 +48,12 @@ public OAuthIntrospectionOptions() {
         /// </summary>
         public string ClientSecret { get; set; }
 
+        /// <summary>
+        /// Gets or sets a boolean determining whether the access token should be stored in the
+        /// <see cref="AuthenticationProperties"/> after a successful authentication process.
+        /// </summary>
+        public bool SaveToken { get; set; } = true;
+
         /// <summary>
         /// Gets or sets the cache used to store the authentication tickets
         /// resolved from the access tokens received by the resource server.

src/AspNet.Security.OAuth.Validation/OAuthValidationConstants.cs

@@ -6,8 +6,14 @@
 
 namespace AspNet.Security.OAuth.Validation {
     public static class OAuthValidationConstants {
+        public static class Claims {
+            public const string Scope = "scope";
+        }
+
         public static class Properties {
             public const string Audiences = ".audiences";
+            public const string Scopes = ".scopes";
+            public const string Token = "access_token";
         }
     }
 }

src/AspNet.Security.OAuth.Validation/OAuthValidationHandler.cs

@@ -5,7 +5,9 @@
  */
 
 using System;
+using System.Diagnostics;
 using System.Linq;
+using System.Security.Claims;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.Extensions.Logging;
@@ -137,6 +139,28 @@ protected virtual bool ValidateAudience(AuthenticationTicket ticket) {
 
         protected virtual async Task<AuthenticationTicket> CreateTicketAsync(string token) {
             var ticket = Options.AccessTokenFormat.Unprotect(token);
+            if (ticket == null) {
+                return null;
+            }
+
+            if (Options.SaveToken) {
+                // Store the access token in the authentication ticket.
+                ticket.Properties.StoreTokens(new[] {
+                    new AuthenticationToken { Name = OAuthValidationConstants.Properties.Token, Value = token }
+                });
+            }
+
+            var identity = ticket.Principal.Identity as ClaimsIdentity;
+            Debug.Assert(identity != null);
+
+            string scopes;
+            // Copy the scopes extracted from the authentication ticket to the
+            // ClaimsIdentity to make them easier to retrieve from application code.
+            if (ticket.Properties.Items.TryGetValue(OAuthValidationConstants.Properties.Scopes, out scopes)) {
+                foreach (var scope in scopes.Split(' ')) {
+                    identity.AddClaim(new Claim(OAuthValidationConstants.Claims.Scope, scope));
+                }
+            }
 
             var notification = new CreateTicketContext(Context, Options, ticket);
             await Options.Events.CreateTicket(notification);

src/AspNet.Security.OAuth.Validation/OAuthValidationOptions.cs

@@ -8,6 +8,7 @@
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.DataProtection;
+using Microsoft.AspNetCore.Http.Authentication;
 
 namespace AspNet.Security.OAuth.Validation {
     public class OAuthValidationOptions : AuthenticationOptions {
@@ -24,6 +25,12 @@ public OAuthValidationOptions() {
         /// </summary>
         public IList<string> Audiences { get; } = new List<string>();
 
+        /// <summary>
+        /// Gets or sets a boolean determining whether the access token should be stored in the
+        /// <see cref="AuthenticationProperties"/> after a successful authentication process.
+        /// </summary>
+        public bool SaveToken { get; set; } = true;
+
         /// <summary>
         /// Gets or sets the clock used to determine the current date/time.
         /// </summary>

src/Owin.Security.OAuth.Introspection/OAuthIntrospectionConstants.cs

@@ -33,6 +33,8 @@ public static class Parameters {
 
         public static class Properties {
             public const string Audiences = ".audiences";
+            public const string Scopes = ".scopes";
+            public const string Token = "access_token";
         }
 
         public static class TokenTypes {

src/Owin.Security.OAuth.Introspection/OAuthIntrospectionHandler.cs

@@ -90,7 +90,7 @@ protected override async Task<AuthenticationTicket> AuthenticateCoreAsync() {
 
                 // Create a new authentication ticket from the introspection
                 // response returned by the authorization server.
-                ticket = await CreateTicketAsync(payload);
+                ticket = await CreateTicketAsync(token, payload);
                 Debug.Assert(ticket != null);
 
                 await StoreTicketAsync(token, ticket);
@@ -231,10 +231,15 @@ protected virtual bool ValidateAudience(AuthenticationTicket ticket) {
             return true;
         }
 
-        protected virtual async Task<AuthenticationTicket> CreateTicketAsync(JObject payload) {
+        protected virtual async Task<AuthenticationTicket> CreateTicketAsync(string token, JObject payload) {
             var identity = new ClaimsIdentity(Options.AuthenticationType);
             var properties = new AuthenticationProperties();
 
+            if (Options.SaveToken) {
+                // Store the access token in the authentication ticket.
+                properties.Dictionary[OAuthIntrospectionConstants.Properties.Token] = token;
+            }
+
             foreach (var property in payload.Properties()) {
                 switch (property.Name) {
                     // Ignore the unwanted claims.
@@ -275,14 +280,21 @@ protected virtual async Task<AuthenticationTicket> CreateTicketAsync(JObject pay
                     // "scope" claim and store them as individual claims.
                     // See https://tools.ietf.org/html/rfc7662#section-2.2
                     case OAuthIntrospectionConstants.Claims.Scope: {
-                        foreach (var scope in property.Value.ToObject<string>().Split(' ')) {
+                        var scopes = (string) property.Value;
+
+                        // Store the scopes list as-is in the authentication properties.
+                        properties.Dictionary[OAuthIntrospectionConstants.Properties.Scopes] = scopes;
+
+                        foreach (var scope in scopes.Split(' ')) {
                             identity.AddClaim(new Claim(property.Name, scope));
                         }
 
                         continue;
                     }
 
                     // Store the audience(s) in the ticket properties.
+                    // Note: the "aud" claim may be either a list of strings or a unique string.
+                    // See https://tools.ietf.org/html/rfc7662#section-2.2
                     case OAuthIntrospectionConstants.Claims.Audience: {
                         if (property.Value.Type == JTokenType.Array) {
                             var value = (JArray) property.Value;

src/Owin.Security.OAuth.Introspection/OAuthIntrospectionOptions.cs

@@ -47,6 +47,12 @@ public OAuthIntrospectionOptions()
         /// </summary>
         public string ClientSecret { get; set; }
 
+        /// <summary>
+        /// Gets or sets a boolean determining whether the access token should be stored in the
+        /// <see cref="AuthenticationProperties"/> after a successful authentication process.
+        /// </summary>
+        public bool SaveToken { get; set; } = true;
+
         /// <summary>
         /// Gets or sets the cache used to store the authentication tickets
         /// resolved from the access tokens received by the resource server.

src/Owin.Security.OAuth.Validation/OAuthValidationConstants.cs

@@ -6,12 +6,18 @@
 
 namespace Owin.Security.OAuth.Validation {
     public static class OAuthValidationConstants {
+        public static class Claims {
+            public const string Scope = "scope";
+        }
+
         public static class Headers {
             public const string Authorization = "Authorization";
         }
 
         public static class Properties {
             public const string Audiences = ".audiences";
+            public const string Scopes = ".scopes";
+            public const string Token = "access_token";
         }
     }
 }