private ViewModel CreateConsentViewModel(InputModel model, DeviceFlowAuthorizationRequest request)
{
var vm = new ViewModel
{
ClientName = request.Client.ClientName ?? request.Client.ClientId,
ClientUrl = request.Client.ClientUri,
ClientLogoUrl = request.Client.LogoUri,
AllowRememberConsent = request.Client.AllowRememberConsent
};
vm.IdentityScopes = request.ValidatedResources.Resources.IdentityResources.Select(x => CreateScopeViewModel(x, model == null || model.ScopesConsented?.Contains(x.Name) == true)).ToArray();
var apiScopes = new List <ScopeViewModel>();
foreach (var parsedScope in request.ValidatedResources.ParsedScopes)
{
var apiScope = request.ValidatedResources.Resources.FindApiScope(parsedScope.ParsedName);
if (apiScope != null)
{
var scopeVm = CreateScopeViewModel(parsedScope, apiScope, model == null || model.ScopesConsented?.Contains(parsedScope.RawValue) == true);
apiScopes.Add(scopeVm);
}
}
if (DeviceOptions.EnableOfflineAccess && request.ValidatedResources.Resources.OfflineAccess)
{
apiScopes.Add(GetOfflineAccessScope(model == null || model.ScopesConsented?.Contains(Duende.IdentityServer.IdentityServerConstants.StandardScopes.OfflineAccess) == true));
}
vm.ApiScopes = apiScopes;
return(vm);
}
private async Task <DeviceAuthorizationViewModel> BuildViewModelAsync(
string userCode,
DeviceAuthorizationInputModel model = null)
{
DeviceFlowAuthorizationRequest request = await interaction.GetAuthorizationContextAsync(userCode);
if (request != null)
{
Client client = await clientStore.FindEnabledClientByIdAsync(request.ClientId);
if (client != null)
{
Resources resources =
await resourceStore.FindEnabledResourcesByScopeAsync(request.ScopesRequested);
if (resources != null &&
(resources.IdentityResources.Any() || resources.ApiResources.Any()))
{
return(CreateConsentViewModel(userCode, model, client, resources));
}
logger.LogError("No scopes matching: {0}",
request.ScopesRequested.Aggregate((x, y) => x + ", " + y));
}
else
{
logger.LogError("Invalid client id: {0}", request.ClientId);
}
}
return(null);
}
private async Task <DeviceAuthorizationViewModel> BuildViewModelAsync(string userCode, DeviceAuthorizationInputModel model = null)
{
DeviceFlowAuthorizationRequest request = await _interaction.GetAuthorizationContextAsync(userCode);
if (request != null)
{
return(CreateConsentViewModel(userCode, model, request));
}
return(null);
}
private DeviceAuthorizationViewModel CreateConsentViewModel(
string userCode, DeviceAuthorizationInputModel model, DeviceFlowAuthorizationRequest request)
{
var vm = new DeviceAuthorizationViewModel
{
UserCode = userCode,
Description = model?.Description,
RememberConsent = model?.RememberConsent ?? true,
ScopesConsented = model?.ScopesConsented ?? Enumerable.Empty <string>(),
ClientName = request.Client.ClientName ?? request.Client.ClientId,
ClientUrl = request.Client.ClientUri,
ClientLogoUrl = request.Client.LogoUri,
AllowRememberConsent = request.Client.AllowRememberConsent
};
vm.IdentityScopes = request.ValidatedResources.Resources.IdentityResources
.Select(x => CreateScopeViewModel(x, vm.ScopesConsented.Contains(x.Name) || model == null))
.ToArray();
var apiScopes = new List <ScopeViewModel>();
foreach (var parsedScope in request.ValidatedResources.ParsedScopes)
{
var apiScope = request.ValidatedResources.Resources.FindApiScope(parsedScope.ParsedName);
if (apiScope != null)
{
var scopeVm = CreateScopeViewModel(
parsedScope, apiScope, vm.ScopesConsented.Contains(parsedScope.RawValue) || model == null);
apiScopes.Add(scopeVm);
}
}
if (ConsentOptions.EnableOfflineAccess && request.ValidatedResources.Resources.OfflineAccess)
{
apiScopes.Add(
GetOfflineAccessScope(
vm.ScopesConsented.Contains(
IdentityServer4.IdentityServerConstants.StandardScopes.OfflineAccess) || model == null));
}
vm.ApiScopes = apiScopes;
return(vm);
}
private async Task <DeviceAuthorizationViewModel> CreateViewModel(string userCode)
{
DeviceFlowAuthorizationRequest f = await _deviceFlowInteractionService.GetAuthorizationContextAsync(userCode);
var device = _repository.Find(d => d.ClientId == f.ClientId).Single();
if (device.UserId.ToString() != User.GetSubjectId())
{
throw new ArgumentException("This user can't authorize this device");
}
return(new DeviceAuthorizationViewModel()
{
UserCode = userCode,
ClientId = device.ClientId,
ClientName = device.ClientName
});
}
private void CreateConsentViewModel(string userCode, DeviceFlowAuthorizationRequest request)
{
var model = this.Input;
var check = model == null;
var scopesConsented = model?.ScopesConsented.ToArray() ?? Array.Empty <string>();
this.Input = new InputModel
{
UserCode = userCode,
Description = model?.Description,
RememberConsent = model?.RememberConsent ?? true,
ScopesConsented = model?.ScopesConsented ?? Enumerable.Empty <string>(),
};
this.ClientName = request.Client.ClientName ?? request.Client.ClientId;
this.ClientUrl = request.Client.ClientUri;
this.ClientLogoUrl = request.Client.LogoUri;
this.AllowRememberConsent = request.Client.AllowRememberConsent;
this.IdentityScopes = ScopeModel.GetIdentityResourcesFromRequest(request.ValidatedResources, scopesConsented, check);
this.ApiScopes = ScopeModel.GetApiScopeModelsFromRequest(request.ValidatedResources, scopesConsented, check);
}
public IActionResult DeviceSignInSuccess(HttpContext context, DeviceFlowAuthorizationRequest deviceContext)
{
_logger.Information($"Serving the DeviceSignInSuccess page");
return(new OkResult());
}
public IActionResult DeviceSignInAccessDenied(HttpContext context, DeviceFlowAuthorizationRequest deviceContext)
{
_logger.Information($"Serving the DeviceSignInAccessDenied page");
return(new RedirectResult("/signin/error?id=device-access-denied", false));
}
private async Task <ProcessConsentResult> ProcessConsent(DeviceAuthorizationInputModel model)
{
ProcessConsentResult result = new ProcessConsentResult();
DeviceFlowAuthorizationRequest request = await interaction.GetAuthorizationContextAsync(model.UserCode);
if (request == null)
{
return(result);
}
ConsentResponse grantedConsent = null;
// user clicked 'no' - send back the standard 'access_denied' response
if (model.Button == "no")
{
grantedConsent = ConsentResponse.Denied;
// emit event
await events.RaiseAsync(
new ConsentDeniedEvent(User.GetSubjectId(), request.ClientId, request.ScopesRequested));
}
// user clicked 'yes' - validate the data
else if (model.Button == "yes")
{
// if the user consented to some scope, build the response model
if (model.ScopesConsented != null &&
model.ScopesConsented.Any())
{
IEnumerable <string> scopes = model.ScopesConsented;
if (ConsentOptions.EnableOfflineAccess == false)
{
scopes = scopes.Where(x => x != IdentityServerConstants.StandardScopes.OfflineAccess);
}
grantedConsent = new ConsentResponse
{
RememberConsent = model.RememberConsent,
ScopesConsented = scopes.ToArray()
};
// emit event
await events.RaiseAsync(new ConsentGrantedEvent(User.GetSubjectId(),
request.ClientId,
request.ScopesRequested,
grantedConsent.ScopesConsented,
grantedConsent.RememberConsent));
}
else
{
result.ValidationError = ConsentOptions.MustChooseOneErrorMessage;
}
}
else
{
result.ValidationError = ConsentOptions.InvalidSelectionErrorMessage;
}
if (grantedConsent != null)
{
// communicate outcome of consent back to identityserver
await interaction.HandleRequestAsync(model.UserCode, grantedConsent);
// indicate that's it ok to redirect back to authorization endpoint
result.RedirectUri = model.ReturnUrl;
result.ClientId = request.ClientId;
}
else
{
// we need to redisplay the consent UI
result.ViewModel = await BuildViewModelAsync(model.UserCode, model);
}
return(result);
}