Generate access token with IdentityServer4 without password
Solution 1
[HttpPost("loginas/{id}")]
[Authorize(Roles = "admin")]
public async Task<IActionResult> LoginAs(int id, [FromServices] ITokenService TS,
[FromServices] IUserClaimsPrincipalFactory<ApplicationUser> principalFactory,
[FromServices] IdentityServerOptions options)
{
var Request = new TokenCreationRequest();
var User = await userManager.FindByIdAsync(id.ToString());
var IdentityPricipal = await principalFactory.CreateAsync(User);
var IdServerPrincipal = IdentityServerPrincipal.Create(User.Id.ToString(), User.UserName, IdentityPricipal.Claims.ToArray());
Request.Subject = IdServerPrincipal;
Request.IncludeAllIdentityClaims = true;
Request.ValidatedRequest = new ValidatedRequest();
Request.ValidatedRequest.Subject = Request.Subject;
Request.ValidatedRequest.SetClient(Config.GetClients().First());
Request.Resources = new Resources(Config.GetIdentityResources(), Config.GetApiResources());
Request.ValidatedRequest.Options = options;
Request.ValidatedRequest.ClientClaims = IdServerPrincipal.Claims.ToArray();
var Token = await TS.CreateAccessTokenAsync(Request);
Token.Issuer = "http://" + HttpContext.Request.Host.Value;
var TokenValue = await TS.CreateSecurityTokenAsync(Token);
return Ok(TokenValue);
}
For a newly released IdentityServer 2.0.0 the code needs some modifications:
[HttpPost("loginas/{id}")]
[Authorize(Roles = "admin")]
public async Task<IActionResult> LoginAs(int id, [FromServices] ITokenService TS,
[FromServices] IUserClaimsPrincipalFactory<ApplicationUser> principalFactory,
[FromServices] IdentityServerOptions options)
{
var Request = new TokenCreationRequest();
var User = await userManager.FindByIdAsync(id.ToString());
var IdentityPricipal = await principalFactory.CreateAsync(User);
var IdentityUser = new IdentityServerUser(User.Id.ToString());
IdentityUser.AdditionalClaims = IdentityPricipal.Claims.ToArray();
IdentityUser.DisplayName = User.UserName;
IdentityUser.AuthenticationTime = System.DateTime.UtcNow;
IdentityUser.IdentityProvider = IdentityServerConstants.LocalIdentityProvider;
Request.Subject = IdentityUser.CreatePrincipal();
Request.IncludeAllIdentityClaims = true;
Request.ValidatedRequest = new ValidatedRequest();
Request.ValidatedRequest.Subject = Request.Subject;
Request.ValidatedRequest.SetClient(Config.GetClients().First());
Request.Resources = new Resources(Config.GetIdentityResources(), Config.GetApiResources());
Request.ValidatedRequest.Options = options;
Request.ValidatedRequest.ClientClaims = IdentityUser.AdditionalClaims;
var Token = await TS.CreateAccessTokenAsync(Request);
Token.Issuer = HttpContext.Request.Scheme + "://" + HttpContext.Request.Host.Value;
var TokenValue = await TS.CreateSecurityTokenAsync(Token);
return Ok(TokenValue);
}
Solution 2
Use this:
http://docs.identityserver.io/en/latest/topics/tools.html
Use this tool that come with identity server:
Declare it in the constructor, to receive by dependecy injection.
IdentityServer4.IdentityServerTools _identityServerTools
var issuer = "http://" + httpRequest.Host.Value; var token = await _identityServerTools.IssueJwtAsync( 30000, issuer, new System.Security.Claims.Claim[1] { new System.Security.Claims.Claim("cpf", cpf) } );
Solution 3
Here is another way to achieve this:
first create a custom grant named loginBy
public class LoginByGrant : ICustomGrantValidator
{
private readonly ApplicationUserManager _userManager;
public string GrantType => "loginBy";
public LoginByGrant(ApplicationUserManager userManager)
{
_userManager = userManager;
}
public async Task<CustomGrantValidationResult> ValidateAsync(ValidatedTokenRequest request)
{
var userId = Guid.Parse(request.Raw.Get("user_id"));
var user = await _userManager.FindByIdAsync(userId);
if (user == null)
return await Task.FromResult<CustomGrantValidationResult>(new CustomGrantValidationResult("user not exist"));
var userClaims = await _userManager.GetClaimsAsync(user.Id);
return
await Task.FromResult<CustomGrantValidationResult>(new CustomGrantValidationResult(user.Id.ToString(), "custom", userClaims));
}
}
then add this custom grant in identity startup class
factory.CustomGrantValidators.Add(
new Registration<ICustomGrantValidator>(resolver => new LoginByGrant(ApplicaionUserManager)));
and finally in your api
public async Task<IHttpActionResult> LoginBy(Guid userId)
{
var tokenClient = new TokenClient(Constants.TokenEndPoint, Constants.ClientId, Constants.Secret);
var payload = new { user_id = userId.ToString() };
var result = await tokenClient.RequestCustomGrantAsync("loginBy", "customScope", payload);
if (result.IsError)
return Ok(result.Json);
return Ok(new { access_token = result.AccessToken, expires_in = result.ExpiresIn});
}
Solution 4
Further to my comment on your original question. Implement an impersonation feature within the implicit/hybrid flow. If a user is determined to be a "super admin" then present them with an additional step after authentication that lets them enter/select the account they wish to impersonate. Once that's done simply establish the session on the identity server as the selected user (and possibly store additional claims denoting that it is an impersonated session and who is doing the impersonation). Any tokens will then be issued as if you were that user and all without having to know the password.
Additionally if you wish to create tokens yourself have a look at the ITokenCreationService provided by IdSrv4. You can inject that into your own controller/service/whatever and use CreateTokenAsync(Token token) to generate a signed JWT with any claims you like.
Solution 5
A little late to answer.
in my case of Generating Access Token Without Password
there was another identity server
as an organization sso, and our implementation already used IdentityServer
, so we need to get user token from second IdentityServer
(after user login and redirected to our app), extract sub
, check if it is already existed(if not insert into our local IdentityServer
), finally select user and use newly grant to get token for user.
your client should have this granttype
as Allowed Grant types (here userexchange
):
see: identity server docs, or duende docs for more information
public class TokenExchangeGrantValidator : IExtensionGrantValidator {
protected readonly UserManager<ToranjApplicationUser> _userManager;
private readonly IEventService _events;
public TokenExchangeGrantValidator(ITokenValidator validator, IHttpContextAccessor httpContextAccessor, UserManager<ToranjApplicationUser> userManager
, IEventService events) {
_userManager = userManager;
_events = events;
}
public async Task ValidateAsync(ExtensionGrantValidationContext context) {
var userName = context.Request.Raw.Get("uname");
if (string.IsNullOrEmpty(userName)) {
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
return;
}
var user = await _userManager.FindByNameAsync(userName);
// or use this one, if you are sending userId
//var user = await _userManager.FindByIdAsync(userId);
if (null == user) {
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
return;
}
await _events.RaiseAsync(new UserLoginSuccessEvent(user.UserName, user.Id.ToString(), user.UserName, false, context.Request.ClientId));
var customResponse = new Dictionary<string, object>
{
{OidcConstants.TokenResponse.IssuedTokenType, OidcConstants.TokenTypeIdentifiers.AccessToken}
};
context.Result = new GrantValidationResult(
subject: user.Id.ToString(),
authenticationMethod: GrantType,
customResponse: customResponse);
}
public string GrantType => "userexchange";
}
in your startup
's ConfigureServices
after var builder = services.AddIdentityServer(...)
add your newly created class.
builder.AddExtensionGrantValidator<TokenExchangeGrantValidator>();
calling it to get token is as simple as:
POST /connect/token
grant_type=userexchange&
scope=yourapi&
uname=yourusername&
client_id=yourClientId
client_secret=secret
Related videos on Youtube
Roman Kolesnikov
Updated on July 11, 2022Comments
-
Roman Kolesnikov almost 2 years
I have created ASP.NET Core WebApi protected with IdentityServer4 using ROPC flow (using this example: https://github.com/robisim74/AngularSPAWebAPI).
How to manually generate access_token from the server without password?
-
Mashton almost 7 yearsWhat do you mean 'without a password'? The Resource Owner Password Crediental flow requires the client to provide the user's username and password in order to be given an access token.
-
Roman Kolesnikov almost 7 yearsYeah! But I want to generate token on the server, not on client
-
Mashton almost 7 yearsDo you mean generate a token for the server, not the client? What are you trying to achieve? How will your client authenticate itself to your server?
-
Roman Kolesnikov almost 7 yearsI want to make alternative to /connect/token endpoint so admin users can generate access_token of other users without knowledge of password
-
Mashton almost 7 yearsAn access_token is a credential that allows a client to access a protected resource: what is the client application in your scenario? Why would you want an admin to create one? Why would you want the admin to create one for a user? Why can't the client create its own? If you are not using passwords then ROPC is not the grant/flow you should be using. Either you're not explaining yourself very well (possible, because you've only written 4 sentences for this whole question) or you need to go back to basics and read up more on what identity server is, what it does and what it is for.
-
mackie almost 7 yearsSounds like you want an impersonation feature. We've implemented such a thing but via the implicit/hybrid flow where it is just another step in the sign in process. Permissions around impersonation are stored in the idsrv4 database. It's also easy enough to generate a signed JWT with any claims you like via a custom API but I'd recommend avoiding using anything other than implicit or hybrid for end user authentication. We only use resource owner password for legacy client support.
-
Roman Kolesnikov almost 7 yearsMy client is SPA. I want to allow for superadmins to login as users and look at their problems and see the site problems by their eyes
-
-
Roman Kolesnikov almost 7 yearsThanks! I have already seen ITokenCreationService , can you give me an example on how to use?
-
mackie almost 7 yearsIt only has one method that takes a IdentityServer4.Models.Token object and returns the encoded string.
-
Roman Kolesnikov almost 7 yearsActually I suspect I need to use TokenCreationRequest instead and I don't know how to get ClaimsPrincipal from IdentityUser
-
Steve Guidi over 6 yearsCould you please provide some context to this code? Where does it live -- in the IdentityServer host, or an external application? Looks like you're using ASPNET Core Identity for your user store too.
-
Roman Kolesnikov over 6 yearsI have an api and IdentityServer in the same app and LoginAs is part of one of its controllers. If I split api and auth parts then LoginAs will be in auth part
-
DaImTo about 6 yearsMind posting your startup i am having issues with the [FromServices] on this
-
Roman Kolesnikov about 6 yearsMy stratup is very big, let me know what dependency you can't resolve?
-
Roman Kolesnikov about 5 yearsGood idea! But it's slightly limited: it can not generate RefreshToken and one needs manually generate claims, from user and its roles
-
Martin Staufcik about 5 yearsWhat would be an option for authorization of this request, if the auth part is split from the api part?
-
Roman Kolesnikov almost 5 yearsDoes it work with IdentityServer4 or it is for IdentityServer3 only?
-
sajjad kalantari almost 5 yearsidentityServer4 also support ICustomGrantValidator so it should be pretty similar
-
Mykhailo K. almost 4 yearsHi, @xray. Thank you for this approach. However, would like to ask if you ever faced an error "unsupported_grant_type" on localhost?
-
Alexander over 3 years@xray it does not look like IdentityServer4 supports ICustomGrantValidator: docs.identityserver.io/en/dev/…, I think in IdentityServer4 you have to use IExtensionGrantValidator
-
Umair over 3 yearsIs there a way to generate refresh token as well to renew the access token?
-
sajjad kalantari over 3 years@Umair the result has another fields named "RefreshToken" so u can return it with access token (refresh_token = result.RefreshToken)
-
Umair over 3 years@xray perfect, will try it tonight.
-
Mokarom over 3 yearsFor those who are looking to generate refresh_token as well, you can try with IRefreshTokenService. As a extension to the answer by @Rem, the following piece of code will generate the refresh_token var refreshToken = await refreshTokenService.CreateRefreshTokenAsync(Request.Subject, Token, Config.GetClients().First());
-
liang over 3 yearsHow to validate and decode this token manually?
-
SzilardD about 2 yearsan additional step which is not in the answer is to make sure that the client has the grant type allowed:
userexchange
, otherwise it won't call theTokenExchangeGrantValidator