Update the samples to use ASOS RC1

Author: kevinchalet

build/dependencies.props

@@ -2,8 +2,8 @@
 
   <PropertyGroup>
     <AspNetCoreVersion>1.0.0</AspNetCoreVersion>
-    <AspNetContribOpenIdExtensionsVersion>1.0.0-alpha3-final</AspNetContribOpenIdExtensionsVersion>
-    <AspNetContribOpenIdServerVersion>1.0.0-beta7-final</AspNetContribOpenIdServerVersion>
+    <AspNetContribOpenIdExtensionsVersion>1.0.0-beta1-final</AspNetContribOpenIdExtensionsVersion>
+    <AspNetContribOpenIdServerVersion>1.0.0-rc1-final</AspNetContribOpenIdServerVersion>
     <NetStandardImplicitPackageVersion>1.6.0</NetStandardImplicitPackageVersion>
     <RuntimeFrameworkVersion>1.0.0</RuntimeFrameworkVersion>
     <SignalRVersion>0.1.0-*</SignalRVersion>

samples/Cordova/Backend/Controllers/AuthorizationController.cs

@@ -90,24 +90,21 @@ public async Task<IActionResult> Accept(CancellationToken cancellationToken)
 
             // Create a new ClaimsIdentity containing the claims that
             // will be used to create an id_token, a token or a code.
-            var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
-
-            // Copy the claims retrieved from the external identity provider
-            // (e.g Google, Facebook, a WS-Fed provider or another OIDC server).
-            foreach (var claim in HttpContext.User.Claims)
-            {
-                // Allow ClaimTypes.Name to be added in the id_token.
-                // ClaimTypes.NameIdentifier is automatically added, even if its
-                // destination is not defined or doesn't include "id_token".
-                // The other claims won't be visible for the client application.
-                if (claim.Type == ClaimTypes.Name)
-                {
-                    claim.SetDestinations(OpenIdConnectConstants.Destinations.AccessToken,
-                                          OpenIdConnectConstants.Destinations.IdentityToken);
-                }
-
-                identity.AddClaim(claim);
-            }
+            var identity = new ClaimsIdentity(
+                OpenIdConnectServerDefaults.AuthenticationScheme,
+                OpenIdConnectConstants.Claims.Name,
+                OpenIdConnectConstants.Claims.Role);
+
+            // Note: the "sub" claim is mandatory and an exception is thrown if this claim is missing.
+            identity.AddClaim(
+                new Claim(OpenIdConnectConstants.Claims.Subject, User.FindFirst(ClaimTypes.NameIdentifier).Value)
+                    .SetDestinations(OpenIdConnectConstants.Destinations.AccessToken,
+                                     OpenIdConnectConstants.Destinations.IdentityToken));
+
+            identity.AddClaim(
+                new Claim(OpenIdConnectConstants.Claims.Name, User.FindFirst(ClaimTypes.Name).Value)
+                    .SetDestinations(OpenIdConnectConstants.Destinations.AccessToken,
+                                     OpenIdConnectConstants.Destinations.IdentityToken));
 
             var application = await GetApplicationAsync(request.ClientId, cancellationToken);
             if (application == null)
@@ -129,7 +126,8 @@ public async Task<IActionResult> Accept(CancellationToken cancellationToken)
             // Note: this sample always grants the "openid", "email" and "profile" scopes
             // when they are requested by the client application: a real world application
             // would probably display a form allowing to select the scopes to grant.
-            ticket.SetScopes(new[] {
+            ticket.SetScopes(new[]
+            {
                 /* openid: */ OpenIdConnectConstants.Scopes.OpenId,
                 /* email: */ OpenIdConnectConstants.Scopes.Email,
                 /* profile: */ OpenIdConnectConstants.Scopes.Profile,
@@ -140,8 +138,6 @@ public async Task<IActionResult> Accept(CancellationToken cancellationToken)
             ticket.SetResources("resource_server");
 
             // Returning a SignInResult will ask ASOS to serialize the specified identity to build appropriate tokens.
-            // Note: you should always make sure the identities you return contain ClaimTypes.NameIdentifier claim.
-            // In this sample, the identity always contains the name identifier returned by the external provider.
             return SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme);
         }
 

samples/Cordova/Backend/Startup.cs

@@ -97,11 +97,27 @@ public void Configure(IApplicationBuilder app)
                 options.LogoutEndpointPath = "/connect/logout";
                 options.TokenEndpointPath = "/connect/token";
 
-                // Register a new ephemeral key, that is discarded when the application
-                // shuts down. Tokens signed using this key are automatically invalidated.
-                // This method should only be used during development.
-                options.SigningCredentials.AddEphemeralKey();
+                // Note: see AuthorizationController.cs for more
+                // information concerning ApplicationCanDisplayErrors.
+                options.ApplicationCanDisplayErrors = true;
+                options.AllowInsecureHttp = true;
 
+                // Note: to override the default access token format and use JWT, assign AccessTokenHandler:
+                //
+                // options.AccessTokenHandler = new JwtSecurityTokenHandler
+                // {
+                //     InboundClaimTypeMap = new Dictionary<string, string>(),
+                //     OutboundClaimTypeMap = new Dictionary<string, string>()
+                // };
+                //
+                // Note: when using JWT as the access token format, you have to register a signing key.
+                //
+                // You can register a new ephemeral key, that is discarded when the application shuts down.
+                // Tokens signed using this key are automatically invalidated and thus this method
+                // should only be used during development:
+                //
+                // options.SigningCredentials.AddEphemeralKey();
+                //
                 // On production, using a X.509 certificate stored in the machine store is recommended.
                 // You can generate a self-signed certificate using Pluralsight's self-cert utility:
                 // https://s3.amazonaws.com/pluralsight-free/keith-brown/samples/SelfCert.zip
@@ -115,14 +131,6 @@ public void Configure(IApplicationBuilder app)
                 //     assembly: typeof(Startup).GetTypeInfo().Assembly,
                 //     resource: "Backend.Certificate.pfx",
                 //     password: "Owin.Security.OpenIdConnect.Server");
-
-                // Note: see AuthorizationController.cs for more
-                // information concerning ApplicationCanDisplayErrors.
-                options.ApplicationCanDisplayErrors = true;
-                options.AllowInsecureHttp = true;
-
-                // Note: to override the default access token format and use JWT, assign AccessTokenHandler:
-                // options.AccessTokenHandler = new JwtSecurityTokenHandler();
             });
 
             app.UseStaticFiles();

samples/Mvc/Mvc.Server/Controllers/AuthorizationController.cs

@@ -90,24 +90,21 @@ public async Task<IActionResult> Accept(CancellationToken cancellationToken)
 
             // Create a new ClaimsIdentity containing the claims that
             // will be used to create an id_token, a token or a code.
-            var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
-
-            // Copy the claims retrieved from the external identity provider
-            // (e.g Google, Facebook, a WS-Fed provider or another OIDC server).
-            foreach (var claim in HttpContext.User.Claims)
-            {
-                // Allow ClaimTypes.Name to be added in the id_token.
-                // ClaimTypes.NameIdentifier is automatically added, even if its
-                // destination is not defined or doesn't include "id_token".
-                // The other claims won't be visible for the client application.
-                if (claim.Type == ClaimTypes.Name)
-                {
-                    claim.SetDestinations(OpenIdConnectConstants.Destinations.AccessToken,
-                                          OpenIdConnectConstants.Destinations.IdentityToken);
-                }
-
-                identity.AddClaim(claim);
-            }
+            var identity = new ClaimsIdentity(
+                OpenIdConnectServerDefaults.AuthenticationScheme,
+                OpenIdConnectConstants.Claims.Name,
+                OpenIdConnectConstants.Claims.Role);
+
+            // Note: the "sub" claim is mandatory and an exception is thrown if this claim is missing.
+            identity.AddClaim(
+                new Claim(OpenIdConnectConstants.Claims.Subject, User.FindFirst(ClaimTypes.NameIdentifier).Value)
+                    .SetDestinations(OpenIdConnectConstants.Destinations.AccessToken,
+                                     OpenIdConnectConstants.Destinations.IdentityToken));
+
+            identity.AddClaim(
+                new Claim(OpenIdConnectConstants.Claims.Name, User.FindFirst(ClaimTypes.Name).Value)
+                    .SetDestinations(OpenIdConnectConstants.Destinations.AccessToken,
+                                     OpenIdConnectConstants.Destinations.IdentityToken));
 
             var application = await GetApplicationAsync(request.ClientId, cancellationToken);
             if (application == null)
@@ -129,7 +126,8 @@ public async Task<IActionResult> Accept(CancellationToken cancellationToken)
             // Note: this sample always grants the "openid", "email" and "profile" scopes
             // when they are requested by the client application: a real world application
             // would probably display a form allowing to select the scopes to grant.
-            ticket.SetScopes(new[] {
+            ticket.SetScopes(new[]
+            {
                 /* openid: */ OpenIdConnectConstants.Scopes.OpenId,
                 /* email: */ OpenIdConnectConstants.Scopes.Email,
                 /* profile: */ OpenIdConnectConstants.Scopes.Profile,
@@ -140,8 +138,6 @@ public async Task<IActionResult> Accept(CancellationToken cancellationToken)
             ticket.SetResources("resource_server");
 
             // Returning a SignInResult will ask ASOS to serialize the specified identity to build appropriate tokens.
-            // Note: you should always make sure the identities you return contain ClaimTypes.NameIdentifier claim.
-            // In this sample, the identity always contains the name identifier returned by the external provider.
             return SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme);
         }
 

samples/Mvc/Mvc.Server/Startup.cs

@@ -98,11 +98,27 @@ public void Configure(IApplicationBuilder app)
                 options.TokenEndpointPath = "/connect/token";
                 options.UserinfoEndpointPath = "/connect/userinfo";
 
-                // Register a new ephemeral key, that is discarded when the application
-                // shuts down. Tokens signed using this key are automatically invalidated.
-                // This method should only be used during development.
-                options.SigningCredentials.AddEphemeralKey();
+                // Note: see AuthorizationController.cs for more
+                // information concerning ApplicationCanDisplayErrors.
+                options.ApplicationCanDisplayErrors = true;
+                options.AllowInsecureHttp = true;
 
+                // Note: to override the default access token format and use JWT, assign AccessTokenHandler:
+                //
+                // options.AccessTokenHandler = new JwtSecurityTokenHandler
+                // {
+                //     InboundClaimTypeMap = new Dictionary<string, string>(),
+                //     OutboundClaimTypeMap = new Dictionary<string, string>()
+                // };
+                //
+                // Note: when using JWT as the access token format, you have to register a signing key.
+                //
+                // You can register a new ephemeral key, that is discarded when the application shuts down.
+                // Tokens signed using this key are automatically invalidated and thus this method
+                // should only be used during development:
+                //
+                // options.SigningCredentials.AddEphemeralKey();
+                //
                 // On production, using a X.509 certificate stored in the machine store is recommended.
                 // You can generate a self-signed certificate using Pluralsight's self-cert utility:
                 // https://s3.amazonaws.com/pluralsight-free/keith-brown/samples/SelfCert.zip
@@ -116,14 +132,6 @@ public void Configure(IApplicationBuilder app)
                 //     assembly: typeof(Startup).GetTypeInfo().Assembly,
                 //     resource: "Mvc.Server.Certificate.pfx",
                 //     password: "Owin.Security.OpenIdConnect.Server");
-
-                // Note: see AuthorizationController.cs for more
-                // information concerning ApplicationCanDisplayErrors.
-                options.ApplicationCanDisplayErrors = true;
-                options.AllowInsecureHttp = true;
-
-                // Note: to override the default access token format and use JWT, assign AccessTokenHandler:
-                // options.AccessTokenHandler = new JwtSecurityTokenHandler();
             });
 
             app.UseStaticFiles();

samples/Postman/Controllers/AuthorizationController.cs

@@ -33,13 +33,16 @@ public IActionResult Accept()
 
             // Create a new ClaimsIdentity containing the claims that
             // will be used to create an id_token, a token or a code.
-            var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
+            var identity = new ClaimsIdentity(
+                OpenIdConnectServerDefaults.AuthenticationScheme,
+                OpenIdConnectConstants.Claims.Name,
+                OpenIdConnectConstants.Claims.Role);
 
-            identity.AddClaim(ClaimTypes.NameIdentifier, Guid.NewGuid().ToString(),
+            identity.AddClaim(OpenIdConnectConstants.Claims.Subject, Guid.NewGuid().ToString(),
                 OpenIdConnectConstants.Destinations.AccessToken,
                 OpenIdConnectConstants.Destinations.IdentityToken);
 
-            identity.AddClaim(ClaimTypes.Name, "Bob le Bricoleur",
+            identity.AddClaim(OpenIdConnectConstants.Claims.Name, "Bob le Bricoleur",
                 OpenIdConnectConstants.Destinations.AccessToken,
                 OpenIdConnectConstants.Destinations.IdentityToken);
 

samples/Postman/Providers/AuthorizationProvider.cs

@@ -110,13 +110,16 @@ public override Task HandleTokenRequest(HandleTokenRequestContext context)
 
                 // Create a new ClaimsIdentity containing the claims that
                 // will be used to create an id_token and/or an access token.
-                var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
+                var identity = new ClaimsIdentity(
+                    OpenIdConnectServerDefaults.AuthenticationScheme,
+                    OpenIdConnectConstants.Claims.Name,
+                    OpenIdConnectConstants.Claims.Role);
 
-                identity.AddClaim(ClaimTypes.NameIdentifier, Guid.NewGuid().ToString(),
+                identity.AddClaim(OpenIdConnectConstants.Claims.Subject, Guid.NewGuid().ToString(),
                     OpenIdConnectConstants.Destinations.AccessToken,
                     OpenIdConnectConstants.Destinations.IdentityToken);
 
-                identity.AddClaim(ClaimTypes.Name, "Bob le Bricoleur",
+                identity.AddClaim(OpenIdConnectConstants.Claims.Name, "Bob le Bricoleur",
                     OpenIdConnectConstants.Destinations.AccessToken,
                     OpenIdConnectConstants.Destinations.IdentityToken);
 

samples/Postman/Startup.cs

@@ -38,11 +38,22 @@ public void Configure(IApplicationBuilder app)
                 options.TokenEndpointPath = "/connect/token";
                 options.AllowInsecureHttp = true;
 
-                // Register a new ephemeral key, that is discarded when the application
-                // shuts down. Tokens signed using this key are automatically invalidated.
-                // This method should only be used during development.
-                options.SigningCredentials.AddEphemeralKey();
-
+                // Note: to override the default access token format and use JWT, assign AccessTokenHandler:
+                //
+                // options.AccessTokenHandler = new JwtSecurityTokenHandler
+                // {
+                //     InboundClaimTypeMap = new Dictionary<string, string>(),
+                //     OutboundClaimTypeMap = new Dictionary<string, string>()
+                // };
+                //
+                // Note: when using JWT as the access token format, you have to register a signing key.
+                //
+                // You can register a new ephemeral key, that is discarded when the application shuts down.
+                // Tokens signed using this key are automatically invalidated and thus this method
+                // should only be used during development:
+                //
+                // options.SigningCredentials.AddEphemeralKey();
+                //
                 // On production, using a X.509 certificate stored in the machine store is recommended.
                 // You can generate a self-signed certificate using Pluralsight's self-cert utility:
                 // https://s3.amazonaws.com/pluralsight-free/keith-brown/samples/SelfCert.zip

samples/SignalR/HelloSignalR/Providers/AuthorizationProvider.cs

@@ -57,13 +57,16 @@ public override Task HandleTokenRequest(HandleTokenRequestContext context)
                     return Task.FromResult(0);
                 }
 
-                var identity = new ClaimsIdentity(context.Options.AuthenticationScheme);
+                var identity = new ClaimsIdentity(
+                    context.Options.AuthenticationScheme,
+                    OpenIdConnectConstants.Claims.Name,
+                    OpenIdConnectConstants.Claims.Role);
 
-                identity.AddClaim(ClaimTypes.NameIdentifier, user.Id,
+                identity.AddClaim(OpenIdConnectConstants.Claims.Subject, user.Id,
                     OpenIdConnectConstants.Destinations.AccessToken,
                     OpenIdConnectConstants.Destinations.IdentityToken);
 
-                identity.AddClaim(ClaimTypes.Name, user.UserName,
+                identity.AddClaim(OpenIdConnectConstants.Claims.Name, user.UserName,
                     OpenIdConnectConstants.Destinations.AccessToken,
                     OpenIdConnectConstants.Destinations.IdentityToken);
 

samples/SignalR/HelloSignalR/Startup.cs

@@ -50,11 +50,22 @@ public void Configure(IApplicationBuilder app)
                 options.TokenEndpointPath = "/connect/token";
                 options.AllowInsecureHttp = true;
 
-                // Register a new ephemeral key, that is discarded when the application
-                // shuts down. Tokens signed using this key are automatically invalidated.
-                // This method should only be used during development.
-                options.SigningCredentials.AddEphemeralKey();
-
+                // Note: to override the default access token format and use JWT, assign AccessTokenHandler:
+                //
+                // options.AccessTokenHandler = new JwtSecurityTokenHandler
+                // {
+                //     InboundClaimTypeMap = new Dictionary<string, string>(),
+                //     OutboundClaimTypeMap = new Dictionary<string, string>()
+                // };
+                //
+                // Note: when using JWT as the access token format, you have to register a signing key.
+                //
+                // You can register a new ephemeral key, that is discarded when the application shuts down.
+                // Tokens signed using this key are automatically invalidated and thus this method
+                // should only be used during development:
+                //
+                // options.SigningCredentials.AddEphemeralKey();
+                //
                 // On production, using a X.509 certificate stored in the machine store is recommended.
                 // You can generate a self-signed certificate using Pluralsight's self-cert utility:
                 // https://s3.amazonaws.com/pluralsight-free/keith-brown/samples/SelfCert.zip