/// <summary>
/// Handles an OpenID Connect authorization request for the user identified by the
/// authentication cookie. The cookie is checked first (honouring <c>prompt=login</c> and
/// <c>max_age</c>), then the client application is resolved, and its consent type together
/// with the user's existing permanent authorizations decides whether tokens are issued
/// directly, an error is sent back to the client, or the consent view is rendered.
/// </summary>
/// <returns>
/// A redirect to the login page, the <c>Error</c> view for an unknown client, a redirect to the
/// client carrying an OpenID Connect error response, the result of <c>IssueTokensAsync</c>,
/// or the consent view backed by an <c>AuthorizeViewModel</c>.
/// </returns>
public async Task<IActionResult> Authorize()
{
    var oidcRequest = HttpContext.GetOpenIdConnectRequest();
    // NOTE(review): oidcRequest.ClientId is handed straight to the lookup below, so this action
    // presumably relies on the server pipeline having already rejected requests with no
    // client_id — confirm.

    // A valid authentication cookie is required, and prompt=login always forces a fresh
    // sign-in regardless of the cookie's state.
    var authentication = await HttpContext.AuthenticateAsync();
    if (!authentication.Succeeded || oidcRequest.HasPrompt(OpenIdConnectConstants.Prompts.Login))
    {
        return RedirectToLoginPage(oidcRequest);
    }

    // max_age: the cookie must not have been issued longer ago than the client tolerates.
    // NOTE(review): when max_age is present but the ticket carries no IssuedUtc the check is
    // skipped rather than treated as stale (it fails open) — confirm the cookie handler always
    // stamps IssuedUtc at sign-in.
    var maxAge = oidcRequest.MaxAge;
    if (maxAge != null
        && authentication.Properties.IssuedUtc != null
        && DateTimeOffset.UtcNow - authentication.Properties.IssuedUtc > TimeSpan.FromSeconds(maxAge.Value))
    {
        return RedirectToLoginPage(oidcRequest);
    }

    var client = await _applicationManager.FindByClientIdAsync(oidcRequest.ClientId);
    if (client == null)
    {
        return View("Error", new ErrorViewModel
        {
            Error = OpenIdConnectConstants.Errors.InvalidClient,
            ErrorDescription = T["The specified 'client_id' parameter is invalid."]
        });
    }

    // Valid, permanent authorizations the user already granted this client for the requested
    // scopes decide below whether the consent step can be skipped.
    var subject = _userManager.GetUserId(authentication.Principal);
    var applicationId = await _applicationManager.GetIdAsync(client);
    var existingGrants = await _authorizationManager.FindAsync(
        subject: subject,
        client: applicationId,
        status: OpenIddictConstants.Statuses.Valid,
        type: OpenIddictConstants.AuthorizationTypes.Permanent,
        scopes: ImmutableArray.CreateRange(oidcRequest.GetScopes()));

    var consentType = await _applicationManager.GetConsentTypeAsync(client);

    // External consent with no pre-existing authorization: the user cannot grant it here.
    if (consentType is OpenIddictConstants.ConsentTypes.External && existingGrants.IsEmpty)
    {
        return RedirectToClient(new OpenIdConnectResponse
        {
            Error = OpenIdConnectConstants.Errors.ConsentRequired,
            ErrorDescription = T["The logged in user is not allowed to access this client application."]
        });
    }

    // Consent is skipped for implicit consent, for an external grant that already exists, and
    // for an explicit grant that exists unless the client asked to re-prompt via prompt=consent.
    var skipConsent =
        consentType is OpenIddictConstants.ConsentTypes.Implicit
        || (consentType is OpenIddictConstants.ConsentTypes.External && existingGrants.Any())
        || (consentType is OpenIddictConstants.ConsentTypes.Explicit
            && existingGrants.Any()
            && !oidcRequest.HasPrompt(OpenIdConnectConstants.Prompts.Consent));
    if (skipConsent)
    {
        return await IssueTokensAsync(authentication.Principal, oidcRequest, client, existingGrants.LastOrDefault());
    }

    // Explicit consent is needed, but prompt=none forbids any user interaction.
    if (consentType is OpenIddictConstants.ConsentTypes.Explicit
        && oidcRequest.HasPrompt(OpenIdConnectConstants.Prompts.None))
    {
        return RedirectToClient(new OpenIdConnectResponse
        {
            Error = OpenIdConnectConstants.Errors.ConsentRequired,
            ErrorDescription = T["Interactive user consent is required."]
        });
    }

    // Every remaining case asks the user for consent interactively.
    return View(new AuthorizeViewModel
    {
        ApplicationName = await _applicationManager.GetDisplayNameAsync(client),
        RequestId = oidcRequest.RequestId,
        Scope = oidcRequest.Scope
    });
}
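/// <summary>
/// Saves the changes posted from the application edit form.
/// Validation covers the caller's <c>ManageOpenIdApplications</c> permission, the client
/// secret rules (none allowed for public clients, a validated one when it is being replaced,
/// and a mandatory new one when a public application becomes confidential), the requirement
/// that at least one flow stays enabled, and the uniqueness of the client identifier.
/// </summary>
/// <param name="model">The posted form values, including the physical id of the application being edited.</param>
/// <param name="returnUrl">Optional local URL to return to after a successful update; falls back to the index action.</param>
/// <returns>
/// <c>Unauthorized</c> when the permission is missing, <c>NotFound</c> when the application no
/// longer exists, the edit view again when validation fails, otherwise a local redirect.
/// </returns>
public async Task<IActionResult> Edit(EditOpenIdApplicationViewModel model, string returnUrl = null)
{
    // A missing permission answers 401 (Unauthorized); Forbid() would express "authenticated but
    // not allowed" as 403 — not changed here to keep the existing response.
    if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageOpenIdApplications))
    {
        return Unauthorized();
    }

    // Public clients cannot hold a secret; a secret is only validated when the form asks to
    // replace it.
    if (model.Type == ClientType.Public && !string.IsNullOrEmpty(model.ClientSecret))
    {
        ModelState.AddModelError(nameof(model.ClientSecret), T["No client secret can be set for public applications."]);
    }
    else if (model.UpdateClientSecret)
    {
        var user = await _userManager.FindByNameAsync(User.Identity.Name);
        await ValidateClientSecretAsync(user, model.ClientSecret, (key, message) => ModelState.AddModelError(key, message));
    }

    var anyFlowEnabled = model.AllowAuthorizationCodeFlow
        || model.AllowClientCredentialsFlow
        || model.AllowImplicitFlow
        || model.AllowPasswordFlow
        || model.AllowRefreshTokenFlow;
    if (!anyFlowEnabled)
    {
        // Localized through T like every other validation message in this action.
        ModelState.AddModelError(string.Empty, T["At least one flow must be enabled."]);
    }

    IOpenIdApplication application = null;
    if (ModelState.IsValid)
    {
        application = await _applicationManager.FindByPhysicalIdAsync(model.Id);
        if (application is null)
        {
            return NotFound();
        }

        // A public application being switched to confidential must receive a new secret
        // (a public application presumably has none stored).
        if (model.Type == ClientType.Confidential
            && !model.UpdateClientSecret
            && await _applicationManager.IsPublicAsync(application))
        {
            ModelState.AddModelError(nameof(model.UpdateClientSecret), T["Setting a new client secret is required"]);
        }

        // The client_id must not collide with a different application; the edited one may keep its own.
        var other = await _applicationManager.FindByClientIdAsync(model.ClientId);
        if (other != null && !string.Equals(
            await _applicationManager.GetIdAsync(other),
            await _applicationManager.GetIdAsync(application),
            StringComparison.Ordinal))
        {
            ModelState.AddModelError(nameof(model.ClientId), T["The client identifier is already taken by another application."]);
        }
    }

    if (!ModelState.IsValid)
    {
        var openIdSettings = await _openIdService.GetOpenIdSettingsAsync();
        if (!_openIdService.IsValidOpenIdSettings(openIdSettings))
        {
            _notifier.Warning(H["OpenID Connect settings are not properly configured."]);
        }

        ViewData["OpenIdSettings"] = openIdSettings;
        ViewData["ReturnUrl"] = returnUrl;
        return View(model);
    }

    await _applicationManager.UpdateAsync(application, model);

    // LocalRedirect rejects absolute/external URLs, so returnUrl cannot be turned into an open redirect.
    if (string.IsNullOrEmpty(returnUrl))
    {
        return RedirectToAction("Index");
    }

    return LocalRedirect(returnUrl);
}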