        /// <summary>
        /// Initializes a new instance of the <see cref="AuthorizationRequest"/> class
        /// by copying the relevant values out of a validated authorize request.
        /// </summary>
        /// <param name="request">The validated authorize request to copy from.</param>
        internal AuthorizationRequest(ValidatedAuthorizeRequest request)
        {
            // The raw query/form parameters are kept alongside the extracted values.
            Parameters = request.Raw;

            ClientId = request.ClientId;
            DisplayMode = request.DisplayMode;
            UiLocales = request.UiLocales;
            LoginHint = request.LoginHint;

            // idp and tenant are the well-known acr values, extracted by the request's helpers.
            IdP = request.GetIdP();
            Tenant = request.GetTenant();

            // The collection properties keep their defaults unless the request actually
            // carries values.
            var requestedAcrValues = request.GetAcrValues();
            if (requestedAcrValues.Any())
            {
                AcrValues = requestedAcrValues;
            }

            var requestedScopes = request.RequestedScopes;
            if (requestedScopes.Any())
            {
                ScopesRequested = requestedScopes;
            }
        }
        /// <summary>
        /// Builds the sign-in message for the login page, persists it in the sign-in request
        /// store and returns the endpoint result that sends the user to the login page.
        /// </summary>
        /// <param name="request">The validated authorize request that is being interrupted for login.</param>
        /// <returns>A <see cref="LoginPageResult"/> carrying only the id of the stored sign-in message.</returns>
        public async Task <IEndpointResult> CreateLoginResultAsync(ValidatedAuthorizeRequest request)
        {
            // The login page needs to know which client is asking for authorization.
            var signInRequest = new SignInRequest { ClientId = request.ClientId };

            // Optional hints are forwarded only when the request actually carries them,
            // so the SignInRequest defaults are left untouched otherwise.
            if (request.DisplayMode.IsPresent())
            {
                signInRequest.DisplayMode = request.DisplayMode;
            }
            if (request.UiLocales.IsPresent())
            {
                signInRequest.UiLocales = request.UiLocales;
            }
            if (request.LoginHint.IsPresent())
            {
                signInRequest.LoginHint = request.LoginHint;
            }

            // idp and tenant are the well-known acr values; the remaining acr values are
            // passed through as a whole.
            var requestedIdp = request.GetIdP();
            if (requestedIdp.IsPresent())
            {
                signInRequest.IdP = requestedIdp;
            }
            var requestedTenant = request.GetTenant();
            if (requestedTenant.IsPresent())
            {
                signInRequest.Tenant = requestedTenant;
            }
            var requestedAcrValues = request.GetAcrValues();
            if (requestedAcrValues.Any())
            {
                signInRequest.AcrValues = requestedAcrValues;
            }

            // After login the user is sent back to the authorize-after-login route; the
            // original authorize parameters travel with the stored message, not the URL.
            var responseUrl = _context.GetIdentityServerBaseUrl().EnsureTrailingSlash() + Constants.RoutePaths.Oidc.AuthorizeAfterLogin;
            var signInMessage = new Message <SignInRequest>(signInRequest)
            {
                ResponseUrl = responseUrl,
                AuthorizeRequestParameters = request.Raw.ToDictionary()
            };

            await _signInRequestStore.WriteAsync(signInMessage);

            // Only the message id is handed to the login page.
            return new LoginPageResult(signInMessage.Id);
        }
        /// <summary>
        /// Initializes a new instance of the <see cref="AuthorizationRequest"/> class,
        /// copying only those hints the validated authorize request actually carries.
        /// </summary>
        /// <param name="request">The validated authorize request to copy from.</param>
        internal AuthorizationRequest(ValidatedAuthorizeRequest request)
        {
            // The client requesting authorization is always recorded.
            ClientId = request.ClientId;

            // Optional string hints: only assigned when present so that the property
            // defaults survive an absent value.
            if (request.DisplayMode.IsPresent())
            {
                DisplayMode = request.DisplayMode;
            }
            if (request.UiLocales.IsPresent())
            {
                UiLocales = request.UiLocales;
            }
            if (request.LoginHint.IsPresent())
            {
                LoginHint = request.LoginHint;
            }

            // idp and tenant are the well-known acr values extracted by the request helpers.
            var requestedIdp = request.GetIdP();
            if (requestedIdp.IsPresent())
            {
                IdP = requestedIdp;
            }
            var requestedTenant = request.GetTenant();
            if (requestedTenant.IsPresent())
            {
                Tenant = requestedTenant;
            }

            // Collections: assigned only when non-empty.
            var requestedAcrValues = request.GetAcrValues();
            if (requestedAcrValues.Any())
            {
                AcrValues = requestedAcrValues;
            }
            var requestedScopes = request.RequestedScopes;
            if (requestedScopes.Any())
            {
                ScopesRequested = requestedScopes;
            }

            // The raw parameters are always kept for the interaction pages.
            Parameters = request.Raw;
        }
 /// <summary>
 /// Initializes a new instance of the <see cref="AuthorizationRequest"/> class
 /// as a straight copy of the validated authorize request's values.
 /// </summary>
 /// <param name="request">The validated authorize request to copy from.</param>
 internal AuthorizationRequest(ValidatedAuthorizeRequest request)
 {
     // Identity of the caller and where the response goes.
     ClientId = request.ClientId;
     RedirectUri = request.RedirectUri;

     // UI hints, copied as-is (no presence check in this version).
     DisplayMode = request.DisplayMode;
     UiLocales = request.UiLocales;
     LoginHint = request.LoginHint;
     PromptMode = request.PromptMode;

     // acr-derived values: idp and tenant are the well-known ones, AcrValues the full list.
     IdP = request.GetIdP();
     Tenant = request.GetTenant();
     AcrValues = request.GetAcrValues();

     // Requested scopes plus the raw parameters for the interaction pages.
     ScopesRequested = request.RequestedScopes;
     Parameters = request.Raw;
 }
 /// <summary>
 /// Initializes a new instance of the <see cref="AuthorizationRequest"/> class
 /// from a validated authorize request, including its validated resources and
 /// request-object values.
 /// </summary>
 /// <param name="request">The validated authorize request to copy from.</param>
 internal AuthorizationRequest(ValidatedAuthorizeRequest request)
 {
     // The full client object (not just the id) and the redirect target.
     Client = request.Client;
     RedirectUri = request.RedirectUri;

     // UI hints, copied as-is.
     DisplayMode = request.DisplayMode;
     UiLocales = request.UiLocales;
     LoginHint = request.LoginHint;
     PromptModes = request.PromptModes;

     // acr-derived values.
     IdP = request.GetIdP();
     Tenant = request.GetTenant();
     AcrValues = request.GetAcrValues();

     // Resources already validated against the client, plus raw and request-object parameters.
     ValidatedResources = request.ValidatedResources;
     Parameters = request.Raw;
     RequestObjectValues = request.RequestObjectValues;
 }
        /// <summary>
        /// Maps a validated authorize request onto the <see cref="AuthorizationRequest"/>
        /// model used by the interaction pages.
        /// </summary>
        /// <param name="request">The validated authorize request to map.</param>
        /// <returns>A new <see cref="AuthorizationRequest"/> carrying the request's hints and raw parameters.</returns>
        internal static AuthorizationRequest ToAuthorizationRequest(this ValidatedAuthorizeRequest request)
        {
            var result = new AuthorizationRequest();

            // Client and redirect target.
            result.Client = request.Client;
            result.RedirectUri = request.RedirectUri;

            // UI hints.
            result.DisplayMode = request.DisplayMode;
            result.UiLocales = request.UiLocales;
            result.LoginHint = request.LoginHint;
            result.PromptModes = request.PromptModes;

            // acr-derived values.
            result.IdP = request.GetIdP();
            result.Tenant = request.GetTenant();
            result.AcrValues = request.GetAcrValues();

            // The raw parameters are merged into the existing Parameters collection.
            result.Parameters.Add(request.Raw);

            return result;
        }
        /// <summary>
        /// Maps a validated authorize request onto the <see cref="AuthorizationRequest"/>
        /// model used by the interaction pages.
        /// </summary>
        /// <param name="request">The validated authorize request to map.</param>
        /// <returns>A new <see cref="AuthorizationRequest"/> carrying the request's hints and raw parameters.</returns>
        internal static AuthorizationRequest ToAuthorizationRequest(this ValidatedAuthorizeRequest request)
        {
            var result = new AuthorizationRequest
            {
                Client = request.Client,
                RedirectUri = request.RedirectUri,
                DisplayMode = request.DisplayMode,
                UiLocales = request.UiLocales,
                IdP = request.GetIdP(),
                Tenant = request.GetTenant(),
                LoginHint = request.LoginHint,
                PromptModes = request.PromptModes,
                AcrValues = request.GetAcrValues()
            };

            // NOTE(review): result.Client is the very same Client instance that came in on
            // request.Client, so this line overwrites that client's configured AllowedScopes
            // with the scopes the caller asked for. Any later check that reads
            // Client.AllowedScopes would then see the requested set rather than the
            // configured policy. Confirm this is intended; a separate "requested scopes"
            // property on the result would avoid mutating the client.
            result.Client.AllowedScopes = request.RequestedScopes;

            // The raw parameters are merged into the existing Parameters collection.
            result.Parameters.Add(request.Raw);

            return result;
        }
        /// <summary>
        /// Maps a validated authorize request onto the <see cref="AuthorizationRequest"/>
        /// model used by the interaction pages, including validated resources and the
        /// values taken from a request object.
        /// </summary>
        /// <param name="request">The validated authorize request to map.</param>
        /// <returns>A new <see cref="AuthorizationRequest"/> carrying the request's hints, raw parameters and request-object values.</returns>
        public static AuthorizationRequest ToAuthorizatonRequest(this ValidatedAuthorizeRequest request)
        {
            var result = new AuthorizationRequest();

            // Client, redirect target and the resources already validated for this client.
            result.Client = request.Client;
            result.RedirectUri = request.RedirectUri;
            result.ValidatedResources = request.ValidatedResources;

            // UI hints.
            result.DisplayMode = request.DisplayMode;
            result.UiLocales = request.UiLocales;
            result.LoginHint = request.LoginHint;
            result.PromptModes = request.PromptModes;

            // acr-derived values.
            result.IdP = request.GetIdP();
            result.Tenant = request.GetTenant();
            result.AcrValues = request.GetAcrValues();

            // The raw parameters are merged into the existing Parameters collection.
            result.Parameters.Add(request.Raw);

            // Request-object values are copied entry by entry into the result's own collection.
            foreach (var key in request.RequestObjectValues.Keys)
            {
                result.RequestObjectValues.Add(key, request.RequestObjectValues[key]);
            }

            return result;
        }
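        /// <summary>
        /// Maps a validated authorize request onto the <see cref="AuthorizationRequest"/>
        /// model handed to the interaction (login/consent) pages.
        /// </summary>
        /// <param name="request">The validated authorize request to map.</param>
        /// <returns>A new <see cref="AuthorizationRequest"/> carrying the request's hints and raw parameters.</returns>
        internal static AuthorizationRequest ToAuthorizationRequest(this ValidatedAuthorizeRequest request)
        {
            var authRequest = new AuthorizationRequest
            {
                // Only the client id is carried over, onto a fresh Client; none of the
                // client's other configuration is copied here.
                Client = new Client
                {
                    ClientId = request.ClientId
                },
                RedirectUri = request.RedirectUri,
                DisplayMode = request.DisplayMode,
                UiLocales = request.UiLocales,
                // idp and tenant are the well-known acr values extracted by the request helpers.
                IdP = request.GetIdP(),
                Tenant = request.GetTenant(),
                LoginHint = request.LoginHint,
                PromptModes = request.PromptModes,
                AcrValues = request.GetAcrValues()
            };

            // The raw parameters are merged into the existing Parameters collection.
            authRequest.Parameters.Add(request.Raw);

            return authRequest;
        }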
    /// <summary>
    /// Decides whether the authorize request must be interrupted to show the login page.
    /// The checks run in order and each one returns an <see cref="InteractionResponse"/>
    /// with IsLogin set as soon as it fails; only when every check passes is an empty
    /// response returned.
    /// </summary>
    /// <param name="request">The validated authorize request, including the current subject and client.</param>
    /// <returns>An <see cref="InteractionResponse"/> with IsLogin = true when login is required; otherwise an empty response.</returns>
    protected internal virtual async Task <InteractionResponse> ProcessLoginAsync(ValidatedAuthorizeRequest request)
    {
        using var activity = Tracing.BasicActivitySource.StartActivity("AuthorizeInteractionResponseGenerator.ProcessLogin");

        // prompt=login / prompt=select_account force the login page regardless of the
        // current session state.
        if (request.PromptModes.Contains(OidcConstants.PromptModes.Login) ||
            request.PromptModes.Contains(OidcConstants.PromptModes.SelectAccount))
        {
            Logger.LogInformation("Showing login: request contains prompt={0}", request.PromptModes.ToSpaceSeparatedString());

            // remove prompt so when we redirect back in from login page
            // we won't think we need to force a prompt again
            request.RemovePrompt();

            return(new InteractionResponse {
                IsLogin = true
            });
        }

        // unauthenticated user
        var isAuthenticated = request.Subject.IsAuthenticated();

        // user de-activated
        // isActive is only consulted for an authenticated subject; the profile service
        // decides via IsActiveContext.IsActive whether the account may still sign in.
        bool isActive = false;

        if (isAuthenticated)
        {
            var isActiveCtx = new IsActiveContext(request.Subject, request.Client, IdentityServerConstants.ProfileIsActiveCallers.AuthorizeEndpoint);
            await Profile.IsActiveAsync(isActiveCtx);

            isActive = isActiveCtx.IsActive;
        }

        if (!isAuthenticated || !isActive)
        {
            if (!isAuthenticated)
            {
                Logger.LogInformation("Showing login: User is not authenticated");
            }
            else if (!isActive)
            {
                Logger.LogInformation("Showing login: User is not active");
            }

            return(new InteractionResponse {
                IsLogin = true
            });
        }

        // check if tenant hint matches current tenant
        // Only enforced when the option is on; a mismatch between the requested tenant
        // (from acr_values) and the subject's tenant sends the user back to login.
        if (Options.ValidateTenantOnAuthorization)
        {
            var tenant = request.GetTenant();
            if (tenant.IsPresent())
            {
                var currentTenant = request.Subject.GetTenant();
                // assumes both sides are strings, so this is an ordinal comparison — TODO confirm
                if (tenant != currentTenant)
                {
                    Logger.LogInformation("Showing login: Current tenant ({currentTenant}) is not the requested tenant ({tenant})", currentTenant, tenant);
                    return(new InteractionResponse {
                        IsLogin = true
                    });
                }
            }
        }

        // check current idp
        var currentIdp = request.Subject.GetIdentityProvider();

        // check if idp login hint matches current provider
        // A requested idp (from acr_values) that differs from the one the subject
        // authenticated with requires a fresh login.
        var idp = request.GetIdP();

        if (idp.IsPresent())
        {
            if (idp != currentIdp)
            {
                Logger.LogInformation("Showing login: Current IdP ({currentIdp}) is not the requested IdP ({idp})", currentIdp, idp);
                return(new InteractionResponse {
                    IsLogin = true
                });
            }
        }

        // check authentication freshness
        // max_age is measured from the subject's authentication time, compared against Clock.
        if (request.MaxAge.HasValue)
        {
            var authTime = request.Subject.GetAuthenticationTime();
            // NOTE(review): DateTime.AddSeconds throws ArgumentOutOfRangeException when the
            // result leaves DateTime's range; confirm MaxAge is bounded during validation.
            if (Clock.UtcNow.UtcDateTime > authTime.AddSeconds(request.MaxAge.Value))
            {
                Logger.LogInformation("Showing login: Requested MaxAge exceeded.");

                return(new InteractionResponse {
                    IsLogin = true
                });
            }
        }

        // check local idp restrictions
        // A local-login session is only acceptable if the client allows local logins.
        if (currentIdp == IdentityServerConstants.LocalIdentityProvider)
        {
            if (!request.Client.EnableLocalLogin)
            {
                Logger.LogInformation("Showing login: User logged in locally, but client does not allow local logins");
                return(new InteractionResponse {
                    IsLogin = true
                });
            }
        }
        // check external idp restrictions if user not using local idp
        // An empty/null restriction list means any external idp is acceptable.
        else if (request.Client.IdentityProviderRestrictions != null &&
                 request.Client.IdentityProviderRestrictions.Any() &&
                 !request.Client.IdentityProviderRestrictions.Contains(currentIdp))
        {
            Logger.LogInformation("Showing login: User is logged in with idp: {idp}, but idp not in client restriction list.", currentIdp);
            return(new InteractionResponse {
                IsLogin = true
            });
        }

        // check client's user SSO timeout
        // Unlike max_age, this limit is configured on the client and compared in epoch seconds.
        if (request.Client.UserSsoLifetime.HasValue)
        {
            var authTimeEpoch = request.Subject.GetAuthenticationTimeEpoch();
            var nowEpoch      = Clock.UtcNow.ToUnixTimeSeconds();

            var diff = nowEpoch - authTimeEpoch;
            if (diff > request.Client.UserSsoLifetime.Value)
            {
                Logger.LogInformation("Showing login: User's auth session duration: {sessionDuration} exceeds client's user SSO lifetime: {userSsoLifetime}.", diff, request.Client.UserSsoLifetime);
                return(new InteractionResponse {
                    IsLogin = true
                });
            }
        }

        // All checks passed: no login interaction is needed.
        return(new InteractionResponse());
    }