Generate access token with IdentityServer4 without password

Question

I have created ASP.NET Core WebApi protected with IdentityServer4 using ROPC flow (using this example: https://github.com/robisim74/AngularSPAWebAPI).

How to manually generate access_token from the server without password?

What do you mean 'without a password'? The Resource Owner *Password* Crediental flow requires the client to provide the user's username and password in order to be given an access token. — Mashton, May 25 '17 at 11:20
Yeah! But I want to generate token on the server, not on client — Roman Kolesnikov, May 25 '17 at 14:31
Do you mean generate a token *for* the server, not the client? What are you trying to achieve? How will your client authenticate itself to your server? — Mashton, May 25 '17 at 19:52
I want to make alternative to /connect/token endpoint so admin users can generate access_token of other users without knowledge of password — Roman Kolesnikov, May 30 '17 at 19:21
An access_token is a credential that allows a client to access a protected resource: what is the client application in your scenario? Why would you want an admin to create one? Why would you want the admin to create one for a *user*? Why can't the client create its own? If you are not using passwords then ROPC is not the grant/flow you should be using. Either you're not explaining yourself very well (possible, because you've only written 4 sentences for this whole question) or you need to go back to basics and read up more on what identity server is, what it does and what it is for. — Mashton, May 30 '17 at 19:57
Sounds like you want an impersonation feature. We've implemented such a thing but via the implicit/hybrid flow where it is just another step in the sign in process. Permissions around impersonation are stored in the idsrv4 database. It's also easy enough to generate a signed JWT with any claims you like via a custom API but I'd recommend avoiding using anything other than implicit or hybrid for end user authentication. We only use resource owner password for legacy client support. — mackie, May 31 '17 at 05:34
My client is SPA. I want to allow for superadmins to login as users and look at their problems and see the site problems by their eyes — Roman Kolesnikov, May 31 '17 at 06:41

score 31 · Accepted Answer · edited Jan 17 '19 at 20:54

[HttpPost("loginas/{id}")]
[Authorize(Roles = "admin")]
public async Task<IActionResult> LoginAs(int id, [FromServices] ITokenService TS, 
    [FromServices] IUserClaimsPrincipalFactory<ApplicationUser> principalFactory,
    [FromServices] IdentityServerOptions options)
{
    var Request = new TokenCreationRequest();                        
    var User = await userManager.FindByIdAsync(id.ToString());
    var IdentityPricipal = await principalFactory.CreateAsync(User);
    var IdServerPrincipal = IdentityServerPrincipal.Create(User.Id.ToString(), User.UserName, IdentityPricipal.Claims.ToArray());

    Request.Subject = IdServerPrincipal;
    Request.IncludeAllIdentityClaims = true;
    Request.ValidatedRequest = new ValidatedRequest();
    Request.ValidatedRequest.Subject = Request.Subject;
    Request.ValidatedRequest.SetClient(Config.GetClients().First());
    Request.Resources = new Resources(Config.GetIdentityResources(), Config.GetApiResources());
    Request.ValidatedRequest.Options = options;
    Request.ValidatedRequest.ClientClaims = IdServerPrincipal.Claims.ToArray();

    var Token = await TS.CreateAccessTokenAsync(Request);
    Token.Issuer = "http://" + HttpContext.Request.Host.Value;

    var TokenValue = await TS.CreateSecurityTokenAsync(Token);
    return Ok(TokenValue);
}

For a newly released IdentityServer 2.0.0 the code needs some modifications:

[HttpPost("loginas/{id}")]
[Authorize(Roles = "admin")]
public async Task<IActionResult> LoginAs(int id, [FromServices] ITokenService TS, 
    [FromServices] IUserClaimsPrincipalFactory<ApplicationUser> principalFactory, 
    [FromServices] IdentityServerOptions options)
{
    var Request = new TokenCreationRequest();
    var User = await userManager.FindByIdAsync(id.ToString());
    var IdentityPricipal = await principalFactory.CreateAsync(User);
    var IdentityUser = new IdentityServerUser(User.Id.ToString());
    IdentityUser.AdditionalClaims = IdentityPricipal.Claims.ToArray();
    IdentityUser.DisplayName = User.UserName;
    IdentityUser.AuthenticationTime = System.DateTime.UtcNow;
    IdentityUser.IdentityProvider = IdentityServerConstants.LocalIdentityProvider;
    Request.Subject = IdentityUser.CreatePrincipal();
    Request.IncludeAllIdentityClaims = true;
    Request.ValidatedRequest = new ValidatedRequest();
    Request.ValidatedRequest.Subject = Request.Subject;
    Request.ValidatedRequest.SetClient(Config.GetClients().First());
    Request.Resources = new Resources(Config.GetIdentityResources(), Config.GetApiResources());
    Request.ValidatedRequest.Options = options;
    Request.ValidatedRequest.ClientClaims = IdentityUser.AdditionalClaims;
    var Token = await TS.CreateAccessTokenAsync(Request);
    Token.Issuer = HttpContext.Request.Scheme + "://" + HttpContext.Request.Host.Value;
    var TokenValue = await TS.CreateSecurityTokenAsync(Token);
    return Ok(TokenValue);
}

Could you please provide some context to this code? Where does it live -- in the IdentityServer host, or an external application? Looks like you're using ASPNET Core Identity for your user store too. — Steve Guidi, Aug 17 '17 at 22:38
I have an api and IdentityServer in the same app and LoginAs is part of one of its controllers. If I split api and auth parts then LoginAs will be in auth part — Roman Kolesnikov, Aug 18 '17 at 05:45
Mind posting your startup i am having issues with the [FromServices] on this — Linda Lawton - DaImTo, Feb 21 '18 at 09:42
My stratup is very big, let me know what dependency you can't resolve? — Roman Kolesnikov, Feb 21 '18 at 10:29
What would be an option for authorization of this request, if the auth part is split from the api part? — Martin Staufcik, Apr 18 '19 at 12:49
For those who are looking to generate refresh_token as well, you can try with IRefreshTokenService. As a extension to the answer by @Rem, the following piece of code will generate the refresh_token var refreshToken = await refreshTokenService.CreateRefreshTokenAsync(Request.Subject, Token, Config.GetClients().First()); — Mokarom, Jan 14 '21 at 12:55
For those who use duende identity server 6, then the Resources propery is deprecated, please use below line instead of that `request.ValidatedResources = new ResourceValidationResult(new Resources(identityResource, apiResource, apiScope));` — Naveed Hematmal, Aug 04 '23 at 05:56

David Madi · Answer 2 · 2019-02-27T19:35:44.257

19

Use this:
http://docs.identityserver.io/en/latest/topics/tools.html

Use this tool that come with identity server:
Declare it in the constructor, to receive by dependecy injection.
IdentityServer4.IdentityServerTools _identityServerTools


    var issuer = "http://" + httpRequest.Host.Value;  
    var token = await _identityServerTools.IssueJwtAsync(  
        30000,  
        issuer,  
        new System.Security.Claims.Claim[1]   
        {  
            new System.Security.Claims.Claim("cpf", cpf)  
        }  
    );

edited Feb 27 '19 at 19:35

answered Feb 27 '19 at 19:30

David Madi

565
5
6

2

Good idea! But it's slightly limited: it can not generate RefreshToken and one needs manually generate claims, from user and its roles – Roman Kolesnikov Mar 01 '19 at 05:08
1

How to validate and decode this token manually? – liang Jan 28 '21 at 08:00
Many Thanx! Saved me from the big trouble. – Varsh Jun 15 '22 at 05:22
How to protect the API with this token because always I'm getting 401 – sohaib Aug 29 '23 at 20:48

score 5 · Answer 3 · answered Jul 29 '19 at 15:31

Here is another way to achieve this:

first create a custom grant named loginBy

    public class LoginByGrant : ICustomGrantValidator
    {
        private readonly ApplicationUserManager _userManager;

        public string GrantType => "loginBy";

        public LoginByGrant(ApplicationUserManager userManager)
        {
            _userManager = userManager;
        }     

        public async Task<CustomGrantValidationResult> ValidateAsync(ValidatedTokenRequest request)
        {

            var userId = Guid.Parse(request.Raw.Get("user_id"));

            var user = await _userManager.FindByIdAsync(userId);

            if (user == null)
                return await Task.FromResult<CustomGrantValidationResult>(new CustomGrantValidationResult("user not exist"));

            var userClaims = await _userManager.GetClaimsAsync(user.Id);

            return
                await Task.FromResult<CustomGrantValidationResult>(new CustomGrantValidationResult(user.Id.ToString(), "custom", userClaims));

        }
    }

then add this custom grant in identity startup class

    factory.CustomGrantValidators.Add(
                        new Registration<ICustomGrantValidator>(resolver => new LoginByGrant(ApplicaionUserManager)));

and finally in your api

      public async Task<IHttpActionResult> LoginBy(Guid userId)
       {
        var tokenClient = new TokenClient(Constants.TokenEndPoint, Constants.ClientId, Constants.Secret);

        var payload = new { user_id = userId.ToString() };

        var result = await tokenClient.RequestCustomGrantAsync("loginBy", "customScope", payload);

        if (result.IsError)
            return Ok(result.Json);

        return Ok(new { access_token = result.AccessToken, expires_in = result.ExpiresIn});
       }

Does it work with IdentityServer4 or it is for IdentityServer3 only? — Roman Kolesnikov, Jul 29 '19 at 16:07
identityServer4 also support ICustomGrantValidator so it should be pretty similar — sajjad kalantari, Jul 29 '19 at 16:12
Hi, @xray. Thank you for this approach. However, would like to ask if you ever faced an error "unsupported_grant_type" on localhost? — Mykhailo K., Jul 15 '20 at 11:30
@xray it does not look like IdentityServer4 supports ICustomGrantValidator: http://docs.identityserver.io/en/dev/search.html?q=ICustomGrantValidator&check_keywords=yes&area=default, I think in IdentityServer4 you have to use IExtensionGrantValidator — Alexander, Aug 22 '20 at 23:17
Is there a way to generate refresh token as well to renew the access token? — Umair, Nov 10 '20 at 09:22
@Umair the result has another fields named "RefreshToken" so u can return it with access token (refresh_token = result.RefreshToken) — sajjad kalantari, Nov 10 '20 at 10:26

score 3 · Answer 4 · answered May 31 '17 at 10:27

Further to my comment on your original question. Implement an impersonation feature within the implicit/hybrid flow. If a user is determined to be a "super admin" then present them with an additional step after authentication that lets them enter/select the account they wish to impersonate. Once that's done simply establish the session on the identity server as the selected user (and possibly store additional claims denoting that it is an impersonated session and who is doing the impersonation). Any tokens will then be issued as if you were that user and all without having to know the password.

Additionally if you wish to create tokens yourself have a look at the ITokenCreationService provided by IdSrv4. You can inject that into your own controller/service/whatever and use CreateTokenAsync(Token token) to generate a signed JWT with any claims you like.

Thanks! I have already seen ITokenCreationService , can you give me an example on how to use? — Roman Kolesnikov, May 31 '17 at 13:26
It only has one method that takes a IdentityServer4.Models.Token object and returns the encoded string. — mackie, May 31 '17 at 15:30
Actually I suspect I need to use TokenCreationRequest instead and I don't know how to get ClaimsPrincipal from IdentityUser — Roman Kolesnikov, Jun 01 '17 at 10:56

score 2 · Answer 5 · answered Aug 04 '21 at 08:15

A little late to answer.

in my case of Generating Access Token Without Password there was another identity server as an organization sso, and our implementation already used IdentityServer, so we need to get user token from second IdentityServer (after user login and redirected to our app), extract sub, check if it is already existed(if not insert into our local IdentityServer), finally select user and use newly grant to get token for user. your client should have this granttype as Allowed Grant types (here userexchange):

see: identity server docs, or duende docs for more information

    public class TokenExchangeGrantValidator : IExtensionGrantValidator {

        protected readonly UserManager<ToranjApplicationUser> _userManager;
        private readonly IEventService _events;

        public TokenExchangeGrantValidator(ITokenValidator validator, IHttpContextAccessor httpContextAccessor, UserManager<ToranjApplicationUser> userManager
            , IEventService events) {
            _userManager = userManager;
            _events = events;
        }


        public async Task ValidateAsync(ExtensionGrantValidationContext context) {
            var userName = context.Request.Raw.Get("uname");

            if (string.IsNullOrEmpty(userName)) {
                context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
                return;
            }

            var user = await _userManager.FindByNameAsync(userName);
            // or use this one, if you are sending userId
            //var user = await _userManager.FindByIdAsync(userId);
            if (null == user) {
                context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
                return;
            }

            await _events.RaiseAsync(new UserLoginSuccessEvent(user.UserName, user.Id.ToString(), user.UserName, false, context.Request.ClientId));
            var customResponse = new Dictionary<string, object>
                {
                {OidcConstants.TokenResponse.IssuedTokenType, OidcConstants.TokenTypeIdentifiers.AccessToken}
            };
            context.Result = new GrantValidationResult(
                subject: user.Id.ToString(),
                authenticationMethod: GrantType,
                customResponse: customResponse);
        }

        public string GrantType => "userexchange";
    }

in your startup's ConfigureServices after var builder = services.AddIdentityServer(...) add your newly created class.

    builder.AddExtensionGrantValidator<TokenExchangeGrantValidator>();

calling it to get token is as simple as:

POST /connect/token

grant_type=userexchange&
scope=yourapi&
uname=yourusername&
client_id=yourClientId
client_secret=secret

an additional step which is not in the answer is to make sure that the client has the grant type allowed: `userexchange`, otherwise it won't call the `TokenExchangeGrantValidator` — SzilardD, Mar 04 '22 at 12:02

Generate access token with IdentityServer4 without password

5 Answers5

Linked

Related