    /// <summary>
    /// Round-trips a fully populated <see cref="OidcProvider"/> through <c>ToEntity()</c> and back,
    /// checking that every configured property survives the mapping in both directions.
    /// </summary>
    public void Properties_Map()
    {
        var source = new OidcProvider
        {
            Enabled      = false,
            Authority    = "auth",
            ClientId     = "client",
            ClientSecret = "secret",
            DisplayName  = "name",
            ResponseType = "rt",
            Scheme       = "scheme",
            Scope        = "scope",
        };

        // Model -> entity. Only the columns stored directly on the entity are asserted here;
        // the OIDC-specific settings are expected to be carried in the Properties bag.
        var entity = source.ToEntity();

        entity.Type.Should().Be("oidc");
        entity.Scheme.Should().Be("scheme");
        entity.DisplayName.Should().Be("name");
        entity.Properties.Should().NotBeNullOrEmpty();

        // Entity -> model. Re-wrap as OidcProvider so the typed OIDC properties can be read back.
        var roundTripped = new OidcProvider(entity.ToModel());

        roundTripped.Type.Should().Be("oidc");
        roundTripped.Scheme.Should().Be("scheme");
        roundTripped.DisplayName.Should().Be("name");
        roundTripped.Authority.Should().Be("auth");
        roundTripped.ClientId.Should().Be("client");
        roundTripped.ClientSecret.Should().Be("secret");
        roundTripped.ResponseType.Should().Be("rt");
        roundTripped.Scope.Should().Be("scope");
    }
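        /// <summary>
        /// Handles the login form post: exchanges the submitted credentials for an access token at the
        /// OIDC provider, resolves the matching Sitefinity user and signs that user in.
        /// </summary>
        /// <param name="loginModel">Username and password submitted by the login widget.</param>
        /// <returns>
        /// The login view with a model error when any step fails. On the success path
        /// <c>SecurityManager.SkipAuthenticationAndLogin</c> is expected to redirect the response;
        /// NOTE(review): the action still falls through to the "Login failed" view afterwards — confirm
        /// that the sign-in call ends the response, otherwise a successful login renders the error view.
        /// </returns>
        public ActionResult Index(LoginViewModel loginModel)
        {
            var oidcProvider = new OidcProvider();

            // TODO: provide proper success and error page urls through widget properties
            var successRedirectUrl = "http://localhost:60876/";
            var errorRedirectUrl   = "http://localhost:60876/";

            // Credential exchange at the provider; the token set is null/empty on failure.
            var token = oidcProvider.LoginUser(loginModel?.Username, loginModel?.Password);

            // Guard on the token object itself as well as on the access token, so a null result from
            // the provider is reported as a failed login instead of throwing.
            if (!string.IsNullOrEmpty(token?.AccessToken))
            {
                var oidcUser = oidcProvider.GetUserInfo(token.AccessToken);

                if (oidcUser != null)
                {
                    var service        = new UserService();
                    var sitefinityUser = service.Authenticate(oidcUser);

                    if (sitefinityUser != null)
                    {
                        // The return value (presumably a failure reason) was previously stored and never
                        // read; it is discarded explicitly. A failed sign-in is surfaced via errorRedirectUrl.
                        _ = SecurityManager.SkipAuthenticationAndLogin(sitefinityUser.ProviderName,
                                                                       sitefinityUser.UserName, true, successRedirectUrl, errorRedirectUrl);
                    }
                }
            }

            ModelState.AddModelError(string.Empty, "Login failed");
            return View(loginModel);
        }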
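        /// <summary>
        /// Persists the edited OIDC provider submitted from the edit form.
        /// </summary>
        /// <param name="providerId">Route identifier of the provider being edited; stored lower-cased.</param>
        /// <param name="vm">Form values for the provider.</param>
        /// <returns>
        /// The edit view again when the model is invalid or the store rejects the update;
        /// otherwise a redirect to <see cref="List"/>.
        /// </returns>
        /// <remarks>
        /// NOTE(review): this action changes client credentials from a form post — confirm it carries
        /// <c>[HttpPost]</c> and <c>[ValidateAntiForgeryToken]</c> (attributes are outside this excerpt).
        /// <c>CreationDate</c> is reset to now on every update; confirm that is intended.
        /// </remarks>
        public IActionResult Edit([FromRoute] string providerId, [FromForm] OidcProviderUpdateViewModel vm)
        {
            if (!ModelState.IsValid)
            {
                return View(vm);
            }

            try
            {
                var updatedProvider = new OidcProvider
                {
                    // The id is a lookup key, not user-facing text: lower-case it independently of the
                    // request thread's culture (e.g. the Turkish dotless i would otherwise change the key).
                    OidcProviderId       = providerId.ToLowerInvariant(),
                    Name                 = vm.Name,
                    AuthorityUrl         = vm.AuthorityUrl,
                    ClientId             = vm.ClientId,
                    ClientSecret         = vm.ClientSecret,
                    CreationDate         = DateTime.UtcNow,
                    ExpectedResponseType = vm.ExpectedResponseType,
                    RequireHttpsMetadata = vm.RequireHttpsMetadata,
                    // Tolerate an empty field and repeated spaces instead of throwing / storing blank scopes.
                    ScopesToRequest      = (vm.ScopesToRequest ?? string.Empty)
                                           .Split(' ', StringSplitOptions.RemoveEmptyEntries)
                                           .ToList(),
                };

                _oidcProviderStore.Update(updatedProvider);
            }
            catch (Exception ex)
            {
                // Keep the exception out of the rendered page: ex.ToString() carries the stack trace and
                // may carry store/connection details. TODO: log `ex` with the controller's logger, if any.
                ModelState.AddModelError(string.Empty, "The provider could not be updated.");
                return View(vm);
            }

            return RedirectToAction(nameof(List));
        }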
    /// <summary>
    /// Smoke test: a default <see cref="OidcProvider"/> survives a model -> entity -> model round trip
    /// with neither side coming back null.
    /// </summary>
    public void CanMapIdp()
    {
        var entity = new OidcProvider().ToEntity();
        var model  = entity.ToModel();

        Assert.NotNull(entity);
        Assert.NotNull(model);
    }
        /// <summary>
        /// Stand-in for the access token request of https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3:
        /// no HTTP call is made, the authorization code is echoed back as both the access token and the id token.
        /// </summary>
        /// <param name="authorizationCode">Code that is echoed into the response.</param>
        /// <param name="provider">Not used by this implementation.</param>
        /// <param name="redirect_uri">Not used by this implementation.</param>
        /// <returns>A completed task holding the synthetic token response.</returns>
        public Task <OidcCodeResponse> GetTokens(string authorizationCode, OidcProvider provider, string redirect_uri)
        {
            var echoed = new OidcCodeResponse();
            echoed.AccessToken = authorizationCode;
            echoed.IdToken     = authorizationCode;

            return Task.FromResult(echoed);
        }
        /// <summary>
        /// Registers one <see cref="OidcProvider"/> per child of <paramref name="section"/> into the
        /// <see cref="OidcProviderSettings"/> options, keyed by the child section's name.
        /// </summary>
        /// <param name="services">Service collection being configured.</param>
        /// <param name="section">Configuration section whose children each describe one provider.</param>
        /// <returns>The same <paramref name="services"/> instance, for chaining.</returns>
        public static IServiceCollection ConfigureOidcProviders(
            this IServiceCollection services, IConfigurationSection section)
        {
            foreach (var child in section.GetChildren())
            {
                var provider = new OidcProvider();
                child.Bind(provider);
                // The section name doubles as the issuer key the provider is looked up by later.
                provider.IssuerKey = child.Key;

                // One Configure call per provider; each lambda captures its own instance.
                services.Configure <OidcProviderSettings>(settings => settings.Add(provider.IssuerKey, provider));
            }

            return services;
        }
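        /// <summary>
        /// Shows the edit form for an existing OIDC provider.
        /// </summary>
        /// <param name="providerId">Route identifier of the provider to edit.</param>
        /// <returns>The edit view, or 404 when no provider has that id.</returns>
        public async Task <IActionResult> Edit([FromRoute] string providerId)
        {
            OidcProvider provider = await _oidcProviderStore.GetById(providerId);

            // Without this guard an unknown id surfaces as a NullReferenceException (500) instead of 404.
            if (provider == null)
            {
                return NotFound();
            }

            var vm = new OidcProviderUpdateViewModel
            {
                AuthorityUrl         = provider.AuthorityUrl,
                ClientId             = provider.ClientId,
                // NOTE(review): the stored client secret is copied into the form and therefore rendered
                // in the page; consider a write-only field that leaves the secret untouched when blank.
                ClientSecret         = provider.ClientSecret,
                ExpectedResponseType = provider.ExpectedResponseType,
                Name                 = provider.Name,
                ProviderId           = provider.OidcProviderId,
                RequireHttpsMetadata = provider.RequireHttpsMetadata,
                // A provider with no scopes configured renders as an empty field rather than throwing.
                ScopesToRequest      = string.Join(" ", provider.ScopesToRequest ?? Enumerable.Empty<string>()),
            };

            return View(vm);
        }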
    /// <summary>
    /// A fully configured authorization-code provider passes validation.
    /// </summary>
    public async Task correctly_populated_idp_should_succeed()
    {
        var provider = new OidcProvider();
        provider.Scheme       = "scheme";
        provider.ClientId     = "client";
        provider.ClientSecret = "secret";
        provider.Authority    = "authority";
        provider.ResponseType = "code";
        provider.Scope        = "openid scope";

        var context = new IdentityProviderConfigurationValidationContext(provider);
        await _validator.ValidateAsync(context);

        context.IsValid.Should().BeTrue();
    }
    /// <summary>
    /// An implicit-flow provider (response_type id_token) with no client secret passes validation.
    /// NOTE(review): the test name says "missing_clientid", but ClientId is set — it is the client
    /// secret that is left empty here.
    /// </summary>
    public async Task when_implicit_flow_missing_clientid_should_succeed()
    {
        var provider = new OidcProvider();
        provider.Scheme       = "scheme";
        provider.ClientId     = "client";
        provider.ClientSecret = "";
        provider.Authority    = "authority";
        provider.ResponseType = "id_token";
        provider.Scope        = "openid scope";

        var context = new IdentityProviderConfigurationValidationContext(provider);
        await _validator.ValidateAsync(context);

        context.IsValid.Should().BeTrue();
    }
    /// <summary>
    /// An otherwise valid provider with an empty scope fails validation, and the error mentions the scope.
    /// </summary>
    public async Task missing_scope_should_fail()
    {
        var provider = new OidcProvider();
        provider.Scheme       = "scheme";
        provider.ClientId     = "client";
        provider.ClientSecret = "secret";
        provider.Authority    = "authority";
        provider.ResponseType = "code";
        provider.Scope        = "";

        var context = new IdentityProviderConfigurationValidationContext(provider);
        await _validator.ValidateAsync(context);

        context.IsValid.Should().BeFalse();
        // Case-insensitive match so the assertion does not depend on the message's capitalisation.
        context.ErrorMessage.ToLowerInvariant().Should().Contain("scope");
    }
    /// <summary>
    /// An authorization-code provider with an empty client secret still passes validation.
    /// </summary>
    public async Task missing_secret_should_be_allowed()
    {
        // No secret is accepted because it might be pulled from somewhere else at runtime.
        var provider = new OidcProvider();
        provider.Scheme       = "scheme";
        provider.ClientId     = "client";
        provider.ClientSecret = "";
        provider.Authority    = "authority";
        provider.ResponseType = "code";
        provider.Scope        = "openid scope";

        var context = new IdentityProviderConfigurationValidationContext(provider);
        await _validator.ValidateAsync(context);

        context.IsValid.Should().BeTrue();
    }
    /// <summary>
    /// Scheme lookups are case-sensitive: a provider stored as "SCHEME3" is not returned for "scheme3".
    /// </summary>
    /// <param name="options">Per-test database options supplied by the theory data.</param>
    public async Task GetBySchemeAsync_should_filter_by_scheme_casing(DbContextOptions <ConfigurationDbContext> options)
    {
        // Seed with one context and query with a fresh one, so the lookup cannot be satisfied from
        // the seeding context's already-tracked entities.
        using (var seeding = new ConfigurationDbContext(options))
        {
            var provider = new OidcProvider { Scheme = "SCHEME3", Type = "oidc" };
            seeding.IdentityProviders.Add(provider.ToEntity());
            seeding.SaveChanges();
        }

        using (var querying = new ConfigurationDbContext(options))
        {
            var store = new IdentityProviderStore(querying, FakeLogger <IdentityProviderStore> .Create(), new NoneCancellationTokenProvider());
            var found = await store.GetBySchemeAsync("scheme3");

            found.Should().BeNull();
        }
    }
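        /// <summary>
        /// Performs an access token request as described in https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3,
        /// exchanging an authorization code at the provider's token endpoint.
        /// </summary>
        /// <param name="authorizationCode">Code received on the redirect back from the authorization server.</param>
        /// <param name="provider">Provider whose token endpoint and client credentials are used.</param>
        /// <param name="redirect_uri">The redirect_uri that was sent in the authorization request (echoed verbatim).</param>
        /// <returns>The deserialized token response, or <c>null</c> when the endpoint does not answer 200 OK.</returns>
        /// <remarks>
        /// The client secret, when configured, is sent in the form body. A non-200 response is logged (status
        /// only) and mapped to <c>null</c>; a 200 with an unparsable body propagates the serializer's exception.
        /// </remarks>
        public async Task <OidcCodeResponse> GetTokens(string authorizationCode, OidcProvider provider, string redirect_uri)
        {
            var form = new Dictionary <string, string>
            {
                // REQUIRED.  The authorization code received from the authorization server.
                ["code"] = authorizationCode,

                // REQUIRED, if the "redirect_uri" parameter was included in the
                // authorization request as described in Section 4.1.1, and their values MUST be identical.
                ["redirect_uri"] = redirect_uri,

                // REQUIRED.  Value MUST be set to "authorization_code".
                ["grant_type"] = "authorization_code",

                // REQUIRED, if the client is not authenticating with the authorization server by other
                // means (Section 3.2.1). This client identifies itself in the body, so it is always sent.
                ["client_id"] = provider.ClientId,
            };

            // Public clients / providers without a configured secret omit the parameter entirely.
            if (!string.IsNullOrEmpty(provider.ClientSecret))
            {
                form["client_secret"] = provider.ClientSecret;
            }

            // Dispose both the request content and the response so the underlying connection is
            // released promptly on every path, including the error branch.
            using var body     = new FormUrlEncodedContent(form);
            using var response = await _httpClient.PostAsync(provider.TokenEndpoint, body);

            if (response.StatusCode != System.Net.HttpStatusCode.OK)
            {
                _logger.LogError("Getting tokens from code failed with statuscode {StatusCode}", response.StatusCode);
                return null;
            }

            string content = await response.Content.ReadAsStringAsync();
            return JsonSerializer.Deserialize <OidcCodeResponse>(content);
        }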
        /// <summary>
        /// Signs the user out: clears the SBL and JWT cookies and sends the browser to the logout
        /// endpoint of the provider that originally issued the identity.
        /// </summary>
        /// <returns>
        /// A redirect to the provider's logout endpoint, or to the SBL logout endpoint when the
        /// original-issuer claim does not map to a configured provider.
        /// </returns>
        public ActionResult Logout()
        {
            var originalIssuer = HttpContext.User.GetClaim(OriginalIssClaimName);
            var provider       = GetOidcProvider(originalIssuer);

            // No matching provider: hand off to SBL logout. The cookies are only deleted on the
            // OIDC path below — NOTE(review): confirm that is intended.
            if (provider == null)
            {
                return Redirect(_generalSettings.SBLLogoutEndpoint);
            }

            // The Domain must match the one the cookies were issued with, otherwise the browser
            // treats the expiring cookie as a different cookie and keeps the original.
            var cookieOptions = new CookieOptions
            {
                Domain   = _generalSettings.HostName,
                Secure   = true,
                HttpOnly = true,
            };

            foreach (var cookieName in new[] { _generalSettings.SblAuthCookieName, _generalSettings.JwtCookieName })
            {
                Response.Cookies.Delete(cookieName, cookieOptions);
            }

            return Redirect(provider.LogoutEndpoint);
        }