public FederatedSignoutMiddlewareTests() { _user = IdentityServerPrincipal.Create("bob", "bob", new Claim(JwtClaimTypes.SessionId, "123")); _pipeline = new MockIdSvrUiPipeline(); _pipeline.Users.Add(new InMemoryUser { Subject = "bob", Username = "******", Claims = new Claim[] { new Claim("name", "Bob Loblaw"), new Claim("email", "*****@*****.**"), new Claim("role", "Attorney"), } }); _pipeline.FederatedSignOut = async ctx => { _idSvrIFrameUrl = await ctx.GetIdentityServerSignoutFrameCallbackUrlAsync(); ISessionIdService sessionId = ctx.RequestServices.GetRequiredService <ISessionIdService>(); _idSvrSid = await sessionId.GetCurrentSessionIdAsync(); }; _pipeline.Initialize(); _pipeline.Options.AuthenticationOptions.FederatedSignOutPaths.Add(MockIdSvrUiPipeline.FederatedSignOutPath); }
/// <summary> /// Ensures the client list cookie. /// </summary> /// <param name="sid">The sid.</param> /// <returns></returns> public async Task EnsureClientListCookieAsync(string sid) { if (await _sessionId.GetCurrentSessionIdAsync() == sid) { var value = await GetPropertyValueAsync(); SetCookie(sid, value); } }
public async Task <string> CreateLogoutContextAsync() { var sid = await _sessionIdService.GetCurrentSessionIdAsync(); if (sid != null) { await _clientSessionService.EnsureClientListCookieAsync(sid); var msg = new MessageWithId <LogoutMessage>(new LogoutMessage { SessionId = sid }); var id = msg.Id; await _logoutMessageStore.WriteAsync(id, msg); return(id); } return(null); }
private async Task <AuthorizeRequestValidationResult> ValidateOptionalParametersAsync(ValidatedAuthorizeRequest request) { ////////////////////////////////////////////////////////// // check nonce ////////////////////////////////////////////////////////// var nonce = request.Raw.Get(OidcConstants.AuthorizeRequest.Nonce); if (nonce.IsPresent()) { if (nonce.Length > _options.InputLengthRestrictions.Nonce) { LogError("Nonce too long", request); return(Invalid(request)); } request.Nonce = nonce; } else { if (request.GrantType == GrantType.Implicit || request.GrantType == GrantType.Hybrid) { // only openid requests require nonce if (request.IsOpenIdRequest) { LogError("Nonce required for implicit and hybrid flow with openid scope", request); return(Invalid(request)); } } } ////////////////////////////////////////////////////////// // check prompt ////////////////////////////////////////////////////////// var prompt = request.Raw.Get(OidcConstants.AuthorizeRequest.Prompt); if (prompt.IsPresent()) { if (Constants.SupportedPromptModes.Contains(prompt)) { request.PromptMode = prompt; } else { _logger.LogDebug("Unsupported prompt mode - ignored: " + prompt); } } ////////////////////////////////////////////////////////// // check ui locales ////////////////////////////////////////////////////////// var uilocales = request.Raw.Get(OidcConstants.AuthorizeRequest.UiLocales); if (uilocales.IsPresent()) { if (uilocales.Length > _options.InputLengthRestrictions.UiLocale) { LogError("UI locale too long", request); return(Invalid(request)); } request.UiLocales = uilocales; } ////////////////////////////////////////////////////////// // check display ////////////////////////////////////////////////////////// var display = request.Raw.Get(OidcConstants.AuthorizeRequest.Display); if (display.IsPresent()) { if (Constants.SupportedDisplayModes.Contains(display)) { request.DisplayMode = display; } _logger.LogDebug("Unsupported display mode - ignored: " + display); } ////////////////////////////////////////////////////////// // check max_age ////////////////////////////////////////////////////////// var maxAge = request.Raw.Get(OidcConstants.AuthorizeRequest.MaxAge); if (maxAge.IsPresent()) { int seconds; if (int.TryParse(maxAge, out seconds)) { if (seconds >= 0) { request.MaxAge = seconds; } else { LogError("Invalid max_age.", request); return(Invalid(request)); } } else { LogError("Invalid max_age.", request); return(Invalid(request)); } } ////////////////////////////////////////////////////////// // check login_hint ////////////////////////////////////////////////////////// var loginHint = request.Raw.Get(OidcConstants.AuthorizeRequest.LoginHint); if (loginHint.IsPresent()) { if (loginHint.Length > _options.InputLengthRestrictions.LoginHint) { LogError("Login hint too long", request); return(Invalid(request)); } request.LoginHint = loginHint; } ////////////////////////////////////////////////////////// // check acr_values ////////////////////////////////////////////////////////// var acrValues = request.Raw.Get(OidcConstants.AuthorizeRequest.AcrValues); if (acrValues.IsPresent()) { if (acrValues.Length > _options.InputLengthRestrictions.AcrValues) { LogError("Acr values too long", request); return(Invalid(request)); } request.AuthenticationContextReferenceClasses = acrValues.FromSpaceSeparatedString().Distinct().ToList(); } ////////////////////////////////////////////////////////// // check custom acr_values: idp ////////////////////////////////////////////////////////// var idp = request.GetIdP(); if (idp.IsPresent()) { // if idp is present but client does not allow it, strip it from the request message if (request.Client.IdentityProviderRestrictions != null && request.Client.IdentityProviderRestrictions.Any()) { if (!request.Client.IdentityProviderRestrictions.Contains(idp)) { _logger.LogWarning("idp requested ({idp}) is not in client restriction list.", idp); request.RemoveIdP(); } } } ////////////////////////////////////////////////////////// // check session cookie ////////////////////////////////////////////////////////// if (_options.Endpoints.EnableCheckSessionEndpoint && request.Subject.Identity.IsAuthenticated) { var sessionId = await _sessionId.GetCurrentSessionIdAsync(); if (sessionId.IsPresent()) { request.SessionId = sessionId; } else { LogError("Check session endpoint enabled, but SessionId is missing", request); } } return(Valid(request)); }
public async Task <EndSessionValidationResult> ValidateAsync(NameValueCollection parameters, ClaimsPrincipal subject) { _logger.LogDebug("Start end session request validation"); var isAuthenticated = subject.IsAuthenticated(); if (!isAuthenticated && _options.AuthenticationOptions.RequireAuthenticatedUserForSignOutMessage) { return(Invalid("User is anonymous. Ignoring end session parameters")); } var validatedRequest = new ValidatedEndSessionRequest() { Raw = parameters, }; var idTokenHint = parameters.Get(OidcConstants.EndSessionRequest.IdTokenHint); if (idTokenHint.IsPresent()) { // validate id_token - no need to validate token life time var tokenValidationResult = await _tokenValidator.ValidateIdentityTokenAsync(idTokenHint, null, false); if (tokenValidationResult.IsError) { return(Invalid("Error validating id token hint", validatedRequest)); } validatedRequest.Client = tokenValidationResult.Client; // validate sub claim against currently logged on user var subClaim = tokenValidationResult.Claims.FirstOrDefault(c => c.Type == JwtClaimTypes.Subject); if (subClaim != null && isAuthenticated) { if (subject.GetSubjectId() != subClaim.Value) { return(Invalid("Current user does not match identity token", validatedRequest)); } validatedRequest.Subject = subject; validatedRequest.SessionId = await _sessionId.GetCurrentSessionIdAsync(); } var redirectUri = parameters.Get(OidcConstants.EndSessionRequest.PostLogoutRedirectUri); if (redirectUri.IsPresent()) { if (await _uriValidator.IsPostLogoutRedirectUriValidAsync(redirectUri, validatedRequest.Client) == false) { return(Invalid("Invalid post logout URI", validatedRequest)); } validatedRequest.PostLogOutUri = redirectUri; } else if (validatedRequest.Client.PostLogoutRedirectUris.Count == 1) { validatedRequest.PostLogOutUri = validatedRequest.Client.PostLogoutRedirectUris.First(); } if (validatedRequest.PostLogOutUri != null) { var state = parameters.Get(OidcConstants.EndSessionRequest.State); if (state.IsPresent()) { validatedRequest.State = state; } } } LogSuccess(validatedRequest); return(new EndSessionValidationResult() { ValidatedRequest = validatedRequest, IsError = false }); }