private async Task <bool> HandleForbiddenResponseAsync()
{
// Stop processing the request if no OpenID Connect
// message has been found in the current context.
var request = Context.GetOpenIdConnectRequest();
if (request == null)
{
return(false);
}
// Stop processing the request if there's no challenge that matches
// the authentication type associated with this middleware instance
// or if the response status code doesn't indicate a challenge operation.
var context = Helper.LookupChallenge(Options.AuthenticationType, Options.AuthenticationMode);
if (context == null || Response.StatusCode != 403)
{
return(false);
}
var response = new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.AccessDenied,
ErrorDescription = "The authorization grant has been denied by the resource owner",
RedirectUri = request.RedirectUri,
State = request.State
};
// Create a new ticket containing an empty identity and
// the authentication properties extracted from the challenge.
var ticket = new AuthenticationTicket(new ClaimsIdentity(), context.Properties);
var notification = new ApplyAuthorizationResponseContext(Context, Options, ticket, request, response);
await Options.Provider.ApplyAuthorizationResponse(notification);
if (notification.HandledResponse)
{
return(true);
}
else if (notification.Skipped)
{
return(false);
}
return(await SendErrorRedirectAsync(request, response));
}
/// <summary> /// Represents an event called before the authorization response is returned to the caller. /// </summary> /// <param name="context">The context instance associated with this event.</param> /// <returns>A <see cref="Task"/> that can be used to monitor the asynchronous operation.</returns> public virtual Task ApplyAuthorizationResponse(ApplyAuthorizationResponseContext context) => OnApplyAuthorizationResponse(context);
private async Task <bool> SendAuthorizationResponseAsync(OpenIdConnectResponse response, AuthenticationTicket ticket = null)
{
var request = Context.GetOpenIdConnectRequest();
Context.SetOpenIdConnectResponse(response);
response.SetProperty(OpenIdConnectConstants.Properties.MessageType,
OpenIdConnectConstants.MessageTypes.AuthorizationResponse);
// Note: as this stage, the request may be null (e.g if it couldn't be extracted from the HTTP request).
var notification = new ApplyAuthorizationResponseContext(Context, Options, ticket, request, response)
{
RedirectUri = request?.GetProperty <string>(OpenIdConnectConstants.Properties.ValidatedRedirectUri),
ResponseMode = request?.ResponseMode
};
// If the response_mode parameter was not specified, try to infer it.
if (string.IsNullOrEmpty(notification.ResponseMode) && !string.IsNullOrEmpty(notification.RedirectUri))
{
notification.ResponseMode =
request.IsFormPostResponseMode() ? OpenIdConnectConstants.ResponseModes.FormPost :
request.IsFragmentResponseMode() ? OpenIdConnectConstants.ResponseModes.Fragment :
request.IsQueryResponseMode() ? OpenIdConnectConstants.ResponseModes.Query : null;
}
await Options.Provider.ApplyAuthorizationResponse(notification);
if (notification.HandledResponse)
{
Logger.LogDebug("The authorization request was handled in user code.");
return(true);
}
else if (notification.Skipped)
{
Logger.LogDebug("The default authorization request handling was skipped from user code.");
return(false);
}
// Directly display an error page if redirect_uri cannot be used to
// redirect the user agent back to the client application.
if (!string.IsNullOrEmpty(response.Error) && string.IsNullOrEmpty(notification.RedirectUri))
{
// Apply a 400 status code by default.
Response.StatusCode = 400;
if (Options.ApplicationCanDisplayErrors)
{
// Return false to allow the rest of
// the pipeline to handle the request.
return(false);
}
Logger.LogInformation("The authorization response was successfully returned " +
"as a plain-text document: {Response}.", response);
return(await SendNativePageAsync(response));
}
// At this stage, throw an exception if the request was not properly extracted.
if (request == null)
{
throw new InvalidOperationException("The authorization response cannot be returned.");
}
// Attach the request state to the authorization response.
if (string.IsNullOrEmpty(response.State))
{
response.State = request.State;
}
// Note: a dictionary is deliberately not used here to allow multiple parameters with the
// same name to be specified. While initially not allowed by the core OAuth2 specification,
// this is now accepted by derived drafts like the OAuth2 token exchange specification.
// For consistency, multiple parameters with the same name are also supported by this endpoint.
var parameters = new List <KeyValuePair <string, string> >();
foreach (var parameter in response.GetParameters())
{
var values = (string[])parameter.Value;
if (values == null)
{
continue;
}
foreach (var value in values)
{
parameters.Add(new KeyValuePair <string, string>(parameter.Key, value));
}
}
// Note: at this stage, the redirect_uri parameter MUST be trusted.
switch (notification.ResponseMode)
{
case OpenIdConnectConstants.ResponseModes.FormPost:
{
Logger.LogInformation("The authorization response was successfully returned to " +
"'{RedirectUri}' using the form post response mode: {Response}.",
notification.RedirectUri, response);
using (var buffer = new MemoryStream())
using (var writer = new StreamWriter(buffer))
{
writer.WriteLine("<!doctype html>");
writer.WriteLine("<html>");
writer.WriteLine("<body>");
// While the redirect_uri parameter should be guarded against unknown values
// by OpenIdConnectServerProvider.ValidateAuthorizationRequest,
// it's still safer to encode it to avoid cross-site scripting attacks
// if the authorization server has a relaxed policy concerning redirect URIs.
writer.WriteLine($@"<form name=""form"" method=""post"" action=""{Options.HtmlEncoder.Encode(notification.RedirectUri)}"">");
foreach (var parameter in parameters)
{
var key = Options.HtmlEncoder.Encode(parameter.Key);
var value = Options.HtmlEncoder.Encode(parameter.Value);
writer.WriteLine($@"<input type=""hidden"" name=""{key}"" value=""{value}"" />");
}
writer.WriteLine(@"<noscript>Click here to finish the authorization process: <input type=""submit"" /></noscript>");
writer.WriteLine("</form>");
writer.WriteLine("<script>document.form.submit();</script>");
writer.WriteLine("</body>");
writer.WriteLine("</html>");
writer.Flush();
Response.StatusCode = 200;
Response.ContentLength = buffer.Length;
Response.ContentType = "text/html;charset=UTF-8";
Response.Headers["Cache-Control"] = "no-cache";
Response.Headers["Pragma"] = "no-cache";
Response.Headers["Expires"] = "-1";
buffer.Seek(offset: 0, loc: SeekOrigin.Begin);
await buffer.CopyToAsync(Response.Body, 4096, Request.CallCancelled);
return(true);
}
}
case OpenIdConnectConstants.ResponseModes.Fragment:
{
Logger.LogInformation("The authorization response was successfully returned to " +
"'{RedirectUri}' using the fragment response mode: {Response}.",
notification.RedirectUri, response);
var location = notification.RedirectUri;
var appender = new OpenIdConnectServerHelpers.Appender(location, '#');
foreach (var parameter in parameters)
{
appender.Append(parameter.Key, parameter.Value);
}
Response.Redirect(appender.ToString());
return(true);
}
case OpenIdConnectConstants.ResponseModes.Query:
{
Logger.LogInformation("The authorization response was successfully returned to " +
"'{RedirectUri}' using the query response mode: {Response}.",
notification.RedirectUri, response);
var location = notification.RedirectUri;
foreach (var parameter in parameters)
{
location = WebUtilities.AddQueryString(location, parameter.Key, parameter.Value);
}
Response.Redirect(location);
return(true);
}
default:
{
Logger.LogError("The authorization request was rejected because the 'response_mode' " +
"parameter was invalid: {ResponseMode}.", request.ResponseMode);
return(await SendNativePageAsync(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "The specified 'response_mode' parameter is not supported."
}));
}
}
}
private async Task <bool> SendAuthorizationResponseAsync(OpenIdConnectResponse response, AuthenticationTicket ticket = null)
{
var request = Context.GetOpenIdConnectRequest();
if (request == null)
{
request = new OpenIdConnectRequest();
}
Context.SetOpenIdConnectResponse(response);
var notification = new ApplyAuthorizationResponseContext(Context, Options, ticket, request, response);
await Options.Provider.ApplyAuthorizationResponse(notification);
if (notification.HandledResponse)
{
return(true);
}
else if (notification.Skipped)
{
return(false);
}
if (!string.IsNullOrEmpty(response.Error))
{
// Directly display an error page if redirect_uri cannot be used to
// redirect the user agent back to the client application.
if (string.IsNullOrEmpty(response.RedirectUri))
{
// Apply a 400 status code by default.
Response.StatusCode = 400;
if (Options.ApplicationCanDisplayErrors)
{
// Return false to allow the rest of
// the pipeline to handle the request.
return(false);
}
return(await SendNativePageAsync(response));
}
}
// Create a new parameters dictionary holding the name/value pairs.
var parameters = new Dictionary <string, string>();
foreach (var parameter in response.GetParameters())
{
// Don't include redirect_uri in the parameters dictionary.
if (string.Equals(parameter.Key, OpenIdConnectConstants.Parameters.RedirectUri, StringComparison.Ordinal))
{
continue;
}
var value = parameter.Value as JValue;
if (value == null)
{
Options.Logger.LogWarning("A parameter whose type was incompatible was ignored and excluded " +
"from the authorization response: '{Parameter}'.", parameter.Key);
continue;
}
parameters.Add(parameter.Key, (string)value);
}
// Note: at this stage, the redirect_uri parameter MUST be trusted.
if (request.IsFormPostResponseMode())
{
using (var buffer = new MemoryStream())
using (var writer = new StreamWriter(buffer)) {
writer.WriteLine("<!doctype html>");
writer.WriteLine("<html>");
writer.WriteLine("<body>");
// While the redirect_uri parameter should be guarded against unknown values
// by OpenIdConnectServerProvider.ValidateAuthorizationRequest,
// it's still safer to encode it to avoid cross-site scripting attacks
// if the authorization server has a relaxed policy concerning redirect URIs.
writer.WriteLine($"<form name='form' method='post' action='{Options.HtmlEncoder.Encode(response.RedirectUri)}'>");
foreach (var parameter in parameters)
{
var key = Options.HtmlEncoder.Encode(parameter.Key);
var value = Options.HtmlEncoder.Encode(parameter.Value);
writer.WriteLine($"<input type='hidden' name='{key}' value='{value}' />");
}
writer.WriteLine("<noscript>Click here to finish the authorization process: <input type='submit' /></noscript>");
writer.WriteLine("</form>");
writer.WriteLine("<script>document.form.submit();</script>");
writer.WriteLine("</body>");
writer.WriteLine("</html>");
writer.Flush();
Response.StatusCode = 200;
Response.ContentLength = buffer.Length;
Response.ContentType = "text/html;charset=UTF-8";
buffer.Seek(offset: 0, loc: SeekOrigin.Begin);
await buffer.CopyToAsync(Response.Body, 4096, Request.CallCancelled);
return(true);
}
}
else if (request.IsFragmentResponseMode())
{
var location = response.RedirectUri;
var appender = new Appender(location, '#');
foreach (var parameter in parameters)
{
appender.Append(parameter.Key, parameter.Value);
}
Response.Redirect(appender.ToString());
return(true);
}
else if (request.IsQueryResponseMode())
{
var location = WebUtilities.AddQueryString(response.RedirectUri, parameters);
Response.Redirect(location);
return(true);
}
Options.Logger.LogError("The authorization request was rejected because the 'response_mode' " +
"parameter was invalid: {ResponseMode}.", request.ResponseMode);
return(await SendNativePageAsync(new OpenIdConnectResponse {
Error = OpenIdConnectConstants.Errors.InvalidRequest,
ErrorDescription = "response_mode unsupported"
}));
}
private async Task <bool> SendAuthorizationResponseAsync(
OpenIdConnectMessage request, OpenIdConnectMessage response, AuthenticationTicket ticket = null)
{
if (request == null)
{
request = new OpenIdConnectMessage();
}
var notification = new ApplyAuthorizationResponseContext(Context, Options, ticket, request, response);
await Options.Provider.ApplyAuthorizationResponse(notification);
if (notification.HandledResponse)
{
return(true);
}
else if (notification.Skipped)
{
return(false);
}
if (!string.IsNullOrEmpty(response.Error))
{
// When returning an error, remove the authorization request from the OWIN context
// to inform TeardownCoreAsync that there's nothing more to handle.
Context.SetOpenIdConnectRequest(request: null);
// Directly display an error page if redirect_uri cannot be used to
// redirect the user agent back to the client application.
if (string.IsNullOrEmpty(response.RedirectUri))
{
// Apply a 400 status code by default.
Response.StatusCode = 400;
if (Options.ApplicationCanDisplayErrors)
{
Context.SetOpenIdConnectResponse(response);
// Return false to allow the rest of
// the pipeline to handle the request.
return(false);
}
return(await SendNativePageAsync(response));
}
}
// Note: at this stage, the redirect_uri parameter MUST be trusted.
if (request.IsFormPostResponseMode())
{
using (var buffer = new MemoryStream())
using (var writer = new StreamWriter(buffer)) {
writer.WriteLine("<!doctype html>");
writer.WriteLine("<html>");
writer.WriteLine("<body>");
// While the redirect_uri parameter should be guarded against unknown values
// by IOpenIdConnectServerProvider.ValidateAuthorizationRequest,
// it's still safer to encode it to avoid cross-site scripting attacks
// if the authorization server has a relaxed policy concerning redirect URIs.
writer.WriteLine($"<form name='form' method='post' action='{Options.HtmlEncoder.Encode(response.RedirectUri)}'>");
foreach (var parameter in response.Parameters)
{
// Don't include redirect_uri in the form.
if (string.Equals(parameter.Key, OpenIdConnectParameterNames.RedirectUri, StringComparison.Ordinal))
{
continue;
}
var key = Options.HtmlEncoder.Encode(parameter.Key);
var value = Options.HtmlEncoder.Encode(parameter.Value);
writer.WriteLine($"<input type='hidden' name='{key}' value='{value}' />");
}
writer.WriteLine("<noscript>Click here to finish the authorization process: <input type='submit' /></noscript>");
writer.WriteLine("</form>");
writer.WriteLine("<script>document.form.submit();</script>");
writer.WriteLine("</body>");
writer.WriteLine("</html>");
writer.Flush();
Response.StatusCode = 200;
Response.ContentLength = buffer.Length;
Response.ContentType = "text/html;charset=UTF-8";
buffer.Seek(offset: 0, loc: SeekOrigin.Begin);
await buffer.CopyToAsync(Response.Body, 4096, Request.CallCancelled);
return(true);
}
}
else if (request.IsFragmentResponseMode())
{
var location = response.RedirectUri;
var appender = new Appender(location, '#');
foreach (var parameter in response.Parameters)
{
// Don't include redirect_uri in the fragment.
if (string.Equals(parameter.Key, OpenIdConnectParameterNames.RedirectUri, StringComparison.Ordinal))
{
continue;
}
appender.Append(parameter.Key, parameter.Value);
}
Response.Redirect(appender.ToString());
return(true);
}
else if (request.IsQueryResponseMode())
{
var location = response.RedirectUri;
foreach (var parameter in response.Parameters)
{
// Don't include redirect_uri in the query string.
if (string.Equals(parameter.Key, OpenIdConnectParameterNames.RedirectUri, StringComparison.Ordinal))
{
continue;
}
location = WebUtilities.AddQueryString(location, parameter.Key, parameter.Value);
}
Response.Redirect(location);
return(true);
}
return(await SendNativePageAsync(response));
}
private async Task <bool> HandleAuthorizationResponseAsync()
{
// request may be null when no authorization request has been received
// or has been already handled by InvokeAuthorizationEndpointAsync.
var request = Context.GetOpenIdConnectRequest();
if (request == null)
{
return(false);
}
// Stop processing the request if there's no response grant that matches
// the authentication type associated with this middleware instance
// or if the response status code doesn't indicate a successful response.
var context = Helper.LookupSignIn(Options.AuthenticationType);
if (context == null || Response.StatusCode != 200)
{
return(false);
}
if (!context.Principal.HasClaim(claim => claim.Type == ClaimTypes.NameIdentifier))
{
Options.Logger.LogError("The authentication ticket was rejected because it didn't " +
"contain the mandatory ClaimTypes.NameIdentifier claim.");
return(await SendNativeErrorPageAsync(new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.ServerError,
ErrorDescription = "The mandatory ClaimTypes.NameIdentifier claim was not found."
}));
}
// redirect_uri is added to the response message since it's not a mandatory parameter
// in OAuth 2.0 and can be set or replaced from the ValidateClientRedirectUri event.
var response = new OpenIdConnectMessage {
RedirectUri = request.RedirectUri,
State = request.State
};
if (!string.IsNullOrEmpty(request.Nonce))
{
// Keep the original nonce parameter for later comparison.
context.Properties.Dictionary[OpenIdConnectConstants.Properties.Nonce] = request.Nonce;
}
if (!string.IsNullOrEmpty(request.RedirectUri))
{
// Keep original the original redirect_uri for later comparison.
context.Properties.Dictionary[OpenIdConnectConstants.Properties.RedirectUri] = request.RedirectUri;
}
// Always include the "openid" scope when the developer doesn't explicitly call SetScopes.
// Note: the application is allowed to specify a different "scopes"
// parameter when calling AuthenticationManager.SignInAsync: in this case,
// don't replace the "scopes" property stored in the authentication ticket.
if (!context.Properties.Dictionary.ContainsKey(OpenIdConnectConstants.Properties.Scopes) &&
request.HasScope(OpenIdConnectConstants.Scopes.OpenId))
{
context.Properties.Dictionary[OpenIdConnectConstants.Properties.Scopes] = OpenIdConnectConstants.Scopes.OpenId;
}
string audiences;
// When a "resources" property cannot be found in the authentication properties, infer it from the "audiences" property.
if (!context.Properties.Dictionary.ContainsKey(OpenIdConnectConstants.Properties.Resources) &&
context.Properties.Dictionary.TryGetValue(OpenIdConnectConstants.Properties.Audiences, out audiences))
{
context.Properties.Dictionary[OpenIdConnectConstants.Properties.Resources] = audiences;
}
// Determine whether an authorization code should be returned
// and invoke SerializeAuthorizationCodeAsync if necessary.
if (request.HasResponseType(OpenIdConnectConstants.ResponseTypes.Code))
{
// Make sure to create a copy of the authentication properties
// to avoid modifying the properties set on the original ticket.
var properties = context.Properties.Copy();
// properties.IssuedUtc and properties.ExpiresUtc are always
// explicitly set to null to avoid aligning the expiration date
// of the authorization code with the lifetime of the other tokens.
properties.IssuedUtc = properties.ExpiresUtc = null;
response.Code = await SerializeAuthorizationCodeAsync(context.Identity, properties, request, response);
// Ensure that an authorization code is issued to avoid returning an invalid response.
// See http://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#Combinations
if (string.IsNullOrEmpty(response.Code))
{
Options.Logger.LogError("An error occurred during the serialization of the " +
"authorization code and a null value was returned.");
return(await SendNativeErrorPageAsync(new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.ServerError,
ErrorDescription = "no valid authorization code was issued"
}));
}
}
// Determine whether an access token should be returned
// and invoke SerializeAccessTokenAsync if necessary.
if (request.HasResponseType(OpenIdConnectConstants.ResponseTypes.Token))
{
// Make sure to create a copy of the authentication properties
// to avoid modifying the properties set on the original ticket.
var properties = context.Properties.Copy();
string resources;
if (!properties.Dictionary.TryGetValue(OpenIdConnectConstants.Properties.Resources, out resources))
{
Options.Logger.LogInformation("No explicit resource was associated with the authentication ticket: " +
"the access token will be issued without any audience attached.");
}
// Note: when the "resource" parameter added to the OpenID Connect response
// is identical to the request parameter, setting it is not necessary.
if (!string.IsNullOrEmpty(request.Resource) &&
!string.Equals(request.Resource, resources, StringComparison.Ordinal))
{
response.Resource = resources;
}
// Note: when the "scope" parameter added to the OpenID Connect response
// is identical to the request parameter, setting it is not necessary.
string scopes;
properties.Dictionary.TryGetValue(OpenIdConnectConstants.Properties.Scopes, out scopes);
if (!string.IsNullOrEmpty(request.Scope) &&
!string.Equals(request.Scope, scopes, StringComparison.Ordinal))
{
response.Scope = scopes;
}
response.TokenType = OpenIdConnectConstants.TokenTypes.Bearer;
response.AccessToken = await SerializeAccessTokenAsync(context.Identity, properties, request, response);
// Ensure that an access token is issued to avoid returning an invalid response.
// See http://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#Combinations
if (string.IsNullOrEmpty(response.AccessToken))
{
Options.Logger.LogError("An error occurred during the serialization of the " +
"access token and a null value was returned.");
return(await SendNativeErrorPageAsync(new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.ServerError,
ErrorDescription = "no valid access token was issued"
}));
}
// properties.ExpiresUtc is automatically set by SerializeAccessTokenAsync but the end user
// is free to set a null value directly in the SerializeAccessToken event.
if (properties.ExpiresUtc.HasValue && properties.ExpiresUtc > Options.SystemClock.UtcNow)
{
var lifetime = properties.ExpiresUtc.Value - Options.SystemClock.UtcNow;
var expiration = (long)(lifetime.TotalSeconds + .5);
response.ExpiresIn = expiration.ToString(CultureInfo.InvariantCulture);
}
}
// Determine whether an identity token should be returned
// and invoke SerializeIdentityTokenAsync if necessary.
if (request.HasResponseType(OpenIdConnectConstants.ResponseTypes.IdToken))
{
// Make sure to create a copy of the authentication properties
// to avoid modifying the properties set on the original ticket.
var properties = context.Properties.Copy();
response.IdToken = await SerializeIdentityTokenAsync(context.Identity, properties, request, response);
// Ensure that an identity token is issued to avoid returning an invalid response.
// See http://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#Combinations
if (string.IsNullOrEmpty(response.IdToken))
{
Options.Logger.LogError("An error occurred during the serialization of the " +
"identity token and a null value was returned.");
return(await SendNativeErrorPageAsync(new OpenIdConnectMessage {
Error = OpenIdConnectConstants.Errors.ServerError,
ErrorDescription = "no valid identity token was issued"
}));
}
}
// Remove the OpenID Connect request from the cache.
var identifier = request.GetRequestId();
if (!string.IsNullOrEmpty(identifier))
{
await Options.Cache.RemoveAsync($"asos-request:{identifier}");
}
var ticket = new AuthenticationTicket(context.Identity, context.Properties);
var notification = new ApplyAuthorizationResponseContext(Context, Options, ticket, request, response);
await Options.Provider.ApplyAuthorizationResponse(notification);
if (notification.HandledResponse)
{
return(true);
}
else if (notification.Skipped)
{
return(false);
}
return(await ApplyAuthorizationResponseAsync(request, response));
}
