I am wondering if IS4 allows you to generate tokens manually, which I would like to use in my own custom scenario for authenticating with external providers.
Let's assume we obtain an access token from Google, and we want to validate it and then generate an access token for our own app to the client. After the validation of Google's token, how can we generate access & refresh tokens manually for the user?
Using an extension grant. Check the docs.
On 28 Sep 2016, at 19:27, behrooz66 wrote:
I am wondering if IS4 allows you to generate tokens manually, which I would like to use in my own custom scenario for authenticating with external providers.
Let's assume we obtain an access token from google, and we want to validate and then generate an access token for our own app to the client. After the validation of google's token, how can we generate access & refresh tokens manually to the user?
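The extension grant suggested in the reply above, as an added example (not code from this thread or from the IdentityServer4 project): a validator that accepts an external provider's token at `connect/token` and lets IdentityServer issue its own tokens. The `IExternalTokenVerifier` interface, the grant type name `external_token`, and the `provider` and `token` form parameters are assumptions made for illustration.

```csharp
using System.Threading.Tasks;
using IdentityServer4.Models;
using IdentityServer4.Validation;

// Hypothetical abstraction (not part of IdentityServer4): checks the token with the
// external provider and returns the matching local subject id, or null if rejected.
// An implementation must also confirm the token was issued to this application.
public interface IExternalTokenVerifier
{
    Task<string> GetLocalSubjectAsync(string provider, string externalToken);
}

public class ExternalTokenGrantValidator : IExtensionGrantValidator
{
    private readonly IExternalTokenVerifier _verifier;

    public ExternalTokenGrantValidator(IExternalTokenVerifier verifier)
    {
        _verifier = verifier;
    }

    // Assumed grant type name; a client must list it in AllowedGrantTypes to use it.
    public string GrantType => "external_token";

    public async Task ValidateAsync(ExtensionGrantValidationContext context)
    {
        // Raw form parameters posted to connect/token (parameter names are assumed).
        var provider = context.Request.Raw.Get("provider");
        var token = context.Request.Raw.Get("token");

        if (string.IsNullOrWhiteSpace(provider) || string.IsNullOrWhiteSpace(token))
        {
            context.Result = new GrantValidationResult(
                TokenRequestErrors.InvalidRequest, "provider and token are required");
            return;
        }

        var subjectId = await _verifier.GetLocalSubjectAsync(provider, token);
        if (subjectId == null)
        {
            // Fail closed: no local tokens unless the external token verified.
            context.Result = new GrantValidationResult(
                TokenRequestErrors.InvalidGrant, "external token rejected");
            return;
        }

        // Success: IdentityServer builds the token response for this subject.
        context.Result = new GrantValidationResult(subjectId, "external");
    }
}
```

Register it with `AddExtensionGrantValidator<ExternalTokenGrantValidator>()` on the IdentityServer builder and add the grant type to the client's `AllowedGrantTypes`; the tokens then come from `connect/token` instead of being assembled by hand.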
Any update on the issue? Closing for now - feel free to re-open if it needs further discussion.
I am wondering, if implemented with ASP.NET Identity Core, how the user would be registered, or where and how to call the extension grant endpoint. Should it be from the Account Controller?
@khushalpatel1981 have a look at this; it is not exactly what you are looking for but may be of interest to you:
Securing .Net Core Web API with IdentityServer4
@leastprivilege can you provide an example?
@leastprivilege I am trying to create Access and Refresh Tokens from a customized login (basically, I am trying to make an ASP Membership table work until we can switch it over to ASP Identity). I have the ability to create the actual Access Token and Identity Token; however, I am not seeing where I can create the Refresh Token. Additionally, when introspecting the Access Token that is returned, I am getting:
{"active" : false}
Below is my method for creating the Token. The Google/Facebook tokens work great. This is just the last piece.
    public async Task<String> generateToken(BHIUserAccount user)
    {
        var Request = new TokenCreationRequest();
        var IdentityUser = new IdentityServer4.IdentityServerUser(user.username);
        var ApiResources = new List<ApiResource>();
        String TokenValue = String.Empty;
        String AccessToken = String.Empty;
        String IdentityToken = String.Empty;
        String RefreshToken = String.Empty;
        try
        {
            // API resource the access token is created for
            ApiResources.Add(new ApiResource
                {
                    Name = "mobileBHI",
                    DisplayName = "Mobile Connectivity",
                    ApiSecrets =
                    {
                        new Secret("SuperSecretPassword".Sha256())
                    },
                    Enabled = true,
                    Description = "BHI Mobile Connectivity",
                    Scopes =
                    {
                        new Scope("mobileBHI", "Mobile Connectivity"),
                    }
                }
            );
            // Add Identity User information
            IdentityUser.DisplayName = user.firstname + " " + user.lastname;
            IdentityUser.AuthenticationTime = DateTime.UtcNow;
            IdentityUser.IdentityProvider = IdentityServer4.IdentityServerConstants.LocalIdentityProvider;
            // Build Token Request information
            Request.Subject = IdentityUser.CreatePrincipal();
            Request.IncludeAllIdentityClaims = true;
            Request.ValidatedRequest = new IdentityServer4.Validation.ValidatedRequest();
            Request.ValidatedRequest.Subject = Request.Subject;
            Request.ValidatedRequest.SetClient(new Client()
                {
                    ClientId = "rw.MobileClient",
                    ClientSecrets = {
                        new Secret("AnotherSecretPassword".Sha256())
                    },
                    AllowedScopes =
                    {
                        IdentityServerConstants.StandardScopes.OpenId,
                        IdentityServerConstants.StandardScopes.Profile,
                        "mobileConnectivity",
                        "offline_access"
                    },
                    AllowOfflineAccess = true
                }
            ); // end of SetClient
            Request.Resources = new Resources(Host.Config.GetIdentityResources(), ApiResources);
            // Create the access token model, then serialize it to its string form
            var AccessTokenObj = await _tokenCreationService.CreateAccessTokenAsync(Request);
            AccessTokenObj.Issuer = "BISSELL.com";
            AccessToken = await _tokenCreationService.CreateSecurityTokenAsync(AccessTokenObj);
            // Same two steps for the identity token
            var IDTokenObj = await _tokenCreationService.CreateIdentityTokenAsync(Request);
            IDTokenObj.Issuer = "myHost.com";
            IdentityToken = await _tokenCreationService.CreateSecurityTokenAsync(IDTokenObj);
            // Refresh token attempt, left commented out; RefreshToken stays empty
            //var RefreshTokenObj = await _tokenCreationService.CreateAccessTokenAsync(Request);
            //RefreshTokenObj.Type = "refresh";
            //RefreshToken = await _tokenCreationService.CreateSecurityTokenAsync(RefreshTokenObj);
            TokenValue = "{\"access_token\": \"" + AccessToken + "\", \"refresh_token\" : \"" + RefreshToken + "\", \"identity_token\" : \"" + IdentityToken + "\"}";
        }
        catch (Exception e)
        {
            Log.Error(e, "Error Creating Token");
            TokenValue = null;
        }
        return TokenValue;
    } // end of generateToken(BHIUserAccount user)
I just saw that there is an IRefreshTokenService that I will work on implementing next.
@rwhertenstein2 were you able to get refresh tokens to work for you?
Did anyone create refresh tokens manually in the end? Any examples?
Same question. I wonder how to create a reference token manually or not.
Same for me: how to generate a refresh token by code ;(
Hey guys, I am the one who created this thread. May I ask why do you guys need to generate the refresh token manually? Because I ended up not even needing it for my purpose!
Hi @behrooz66
My specific scenario is a native mobile app using Facebook login through the native app. So I send the Facebook token to identity server to exchange it for an access token ... and a refresh token.
I use the same kind of code as rwhertenstein2 ... I just need to return both tokens as I don't use the connect/token API.
Hey @renaudLVLP, can you have a look at this four-piece article? Part 3 includes adding external authentication through Google, and the result does include delivering a RefreshToken to the end user.
However, you had better start reading it from the first part so you follow the logic. I wrote it years ago, which means it is using an older version of everything and you may need to make adjustments, but the idea should be the same.
@behrooz66 I followed your article, part 3, works like a charm, I get my refresh token via connect/token for Facebook auth! Thanks a lot!!!
@renaudLVLP I am glad it came to use for someone!
By the way, did it take lots of modifications to use the latest versions of everything? Or did you just use the exact versions mentioned in the article?
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.