/// <summary> /// Initializes a new instance of the <see cref="AuthorizationRequest"/> class. /// </summary> internal AuthorizationRequest(ValidatedAuthorizeRequest request) { ClientId = request.ClientId; DisplayMode = request.DisplayMode; UiLocales = request.UiLocales; LoginHint = request.LoginHint; IdP = request.GetIdP(); Tenant = request.GetTenant(); // process acr values var acrValues = request.GetAcrValues(); if (acrValues.Any()) { AcrValues = acrValues; } // scopes if (request.RequestedScopes.Any()) { ScopesRequested = request.RequestedScopes; } Parameters = request.Raw; }
public async Task <IEndpointResult> CreateLoginResultAsync(ValidatedAuthorizeRequest request) { var signin = new SignInRequest(); // let the login page know the client requesting authorization signin.ClientId = request.ClientId; // pass through display mode to signin service if (request.DisplayMode.IsPresent()) { signin.DisplayMode = request.DisplayMode; } // pass through ui locales to signin service if (request.UiLocales.IsPresent()) { signin.UiLocales = request.UiLocales; } // pass through login_hint if (request.LoginHint.IsPresent()) { signin.LoginHint = request.LoginHint; } // look for well-known acr value -- idp var idp = request.GetIdP(); if (idp.IsPresent()) { signin.IdP = idp; } // look for well-known acr value -- tenant var tenant = request.GetTenant(); if (tenant.IsPresent()) { signin.Tenant = tenant; } // process acr values var acrValues = request.GetAcrValues(); if (acrValues.Any()) { signin.AcrValues = acrValues; } var message = new Message <SignInRequest>(signin) { ResponseUrl = _context.GetIdentityServerBaseUrl().EnsureTrailingSlash() + Constants.RoutePaths.Oidc.AuthorizeAfterLogin, AuthorizeRequestParameters = request.Raw.ToDictionary() }; await _signInRequestStore.WriteAsync(message); return(new LoginPageResult(message.Id)); }
/// <summary> /// Initializes a new instance of the <see cref="AuthorizationRequest"/> class. /// </summary> internal AuthorizationRequest(ValidatedAuthorizeRequest request) { // let the login page know the client requesting authorization ClientId = request.ClientId; // pass through display mode to signin service if (request.DisplayMode.IsPresent()) { DisplayMode = request.DisplayMode; } // pass through ui locales to signin service if (request.UiLocales.IsPresent()) { UiLocales = request.UiLocales; } // pass through login_hint if (request.LoginHint.IsPresent()) { LoginHint = request.LoginHint; } // look for well-known acr value -- idp var idp = request.GetIdP(); if (idp.IsPresent()) { IdP = idp; } // look for well-known acr value -- tenant var tenant = request.GetTenant(); if (tenant.IsPresent()) { Tenant = tenant; } // process acr values var acrValues = request.GetAcrValues(); if (acrValues.Any()) { AcrValues = acrValues; } // scopes if (request.RequestedScopes.Any()) { ScopesRequested = request.RequestedScopes; } Parameters = request.Raw; }
/// <summary> /// Initializes a new instance of the <see cref="AuthorizationRequest"/> class. /// </summary> internal AuthorizationRequest(ValidatedAuthorizeRequest request) { ClientId = request.ClientId; RedirectUri = request.RedirectUri; DisplayMode = request.DisplayMode; UiLocales = request.UiLocales; IdP = request.GetIdP(); Tenant = request.GetTenant(); LoginHint = request.LoginHint; PromptMode = request.PromptMode; AcrValues = request.GetAcrValues(); ScopesRequested = request.RequestedScopes; Parameters = request.Raw; }
/// <summary> /// Initializes a new instance of the <see cref="AuthorizationRequest"/> class. /// </summary> internal AuthorizationRequest(ValidatedAuthorizeRequest request) { Client = request.Client; RedirectUri = request.RedirectUri; DisplayMode = request.DisplayMode; UiLocales = request.UiLocales; IdP = request.GetIdP(); Tenant = request.GetTenant(); LoginHint = request.LoginHint; PromptModes = request.PromptModes; AcrValues = request.GetAcrValues(); ValidatedResources = request.ValidatedResources; Parameters = request.Raw; RequestObjectValues = request.RequestObjectValues; }
internal static AuthorizationRequest ToAuthorizationRequest(this ValidatedAuthorizeRequest request) { var authRequest = new AuthorizationRequest { Client = request.Client, RedirectUri = request.RedirectUri, DisplayMode = request.DisplayMode, UiLocales = request.UiLocales, IdP = request.GetIdP(), Tenant = request.GetTenant(), LoginHint = request.LoginHint, PromptModes = request.PromptModes, AcrValues = request.GetAcrValues() }; authRequest.Parameters.Add(request.Raw); return(authRequest); }
internal static AuthorizationRequest ToAuthorizationRequest(this ValidatedAuthorizeRequest request) { var authRequest = new AuthorizationRequest(); authRequest.Client = request.Client; authRequest.RedirectUri = request.RedirectUri; authRequest.DisplayMode = request.DisplayMode; authRequest.UiLocales = request.UiLocales; authRequest.IdP = request.GetIdP(); authRequest.Tenant = request.GetTenant(); authRequest.LoginHint = request.LoginHint; authRequest.PromptModes = request.PromptModes; authRequest.AcrValues = request.GetAcrValues(); authRequest.Client.AllowedScopes = request.RequestedScopes; authRequest.Parameters.Add(request.Raw); return(authRequest); }
public static AuthorizationRequest ToAuthorizatonRequest(this ValidatedAuthorizeRequest request) { var authRequest = new AuthorizationRequest { Client = request.Client, RedirectUri = request.RedirectUri, DisplayMode = request.DisplayMode, UiLocales = request.UiLocales, IdP = request.GetIdP(), Tenant = request.GetTenant(), LoginHint = request.LoginHint, PromptModes = request.PromptModes, AcrValues = request.GetAcrValues(), ValidatedResources = request.ValidatedResources }; authRequest.Parameters.Add(request.Raw); request.RequestObjectValues.Keys.ToList().ForEach(key => authRequest.RequestObjectValues.Add(key, request.RequestObjectValues[key])); return(authRequest); }
//[DebuggerStepThrough] internal static AuthorizationRequest ToAuthorizationRequest(this ValidatedAuthorizeRequest request) { var authRequest = new AuthorizationRequest { Client = new Client() { ClientId = request.ClientId /*, AllowedScopes = request.RequestedScopes*/ }, //ClientId = request.ClientId, RedirectUri = request.RedirectUri, DisplayMode = request.DisplayMode, UiLocales = request.UiLocales, IdP = request.GetIdP(), Tenant = request.GetTenant(), LoginHint = request.LoginHint, PromptModes = request.PromptModes, //PromptMode = request.PromptMode, AcrValues = request.GetAcrValues(), //ScopesRequested = request.RequestedScopes, }; //var authRequest = new AuthorizationRequest //{ // ClientId = request.ClientId, // RedirectUri = request.RedirectUri, // DisplayMode = request.DisplayMode, // UiLocales = request.UiLocales, // IdP = request.GetIdP(), // Tenant = request.GetTenant(), // LoginHint = request.LoginHint, // PromptMode = request.PromptMode, // AcrValues = request.GetAcrValues(), // ScopesRequested = request.RequestedScopes, //}; authRequest.Parameters.Add(request.Raw); return(authRequest); }
/// <summary> /// Processes the login logic. /// </summary> /// <param name="request">The request.</param> /// <returns></returns> protected internal virtual async Task <InteractionResponse> ProcessLoginAsync(ValidatedAuthorizeRequest request) { if (request.PromptModes.Contains(OidcConstants.PromptModes.Login) || request.PromptModes.Contains(OidcConstants.PromptModes.SelectAccount)) { Logger.LogInformation("Showing login: request contains prompt={0}", request.PromptModes.ToSpaceSeparatedString()); // remove prompt so when we redirect back in from login page // we won't think we need to force a prompt again request.RemovePrompt(); return(new InteractionResponse { IsLogin = true }); } // unauthenticated user var isAuthenticated = request.Subject.IsAuthenticated(); // user de-activated bool isActive = false; if (isAuthenticated) { var isActiveCtx = new IsActiveContext(request.Subject, request.Client, IdentityServerConstants.ProfileIsActiveCallers.AuthorizeEndpoint); await Profile.IsActiveAsync(isActiveCtx); isActive = isActiveCtx.IsActive; } if ((!isAuthenticated || !isActive) && request.DisplayMode == "popup") { var redirect = new Uri(request.RedirectUri); var closePopupUri = request.RedirectUri.Replace(redirect.PathAndQuery, "/popup.html#"); return(new InteractionResponse { RedirectUrl = closePopupUri }); } if (!isAuthenticated || !isActive) { if (!isAuthenticated) { Logger.LogInformation("Showing login: User is not authenticated"); } else if (!isActive) { Logger.LogInformation("Showing login: User is not active"); } return(new InteractionResponse { IsLogin = true }); } // check current idp var currentIdp = request.Subject.GetIdentityProvider(); // check if idp login hint matches current provider var idp = request.GetIdP(); if (idp.IsPresent()) { if (idp != currentIdp) { Logger.LogInformation("Showing login: Current IdP ({currentIdp}) is not the requested IdP ({idp})", currentIdp, idp); return(new InteractionResponse { IsLogin = true }); } } // check authentication freshness if (request.MaxAge.HasValue) { var authTime = request.Subject.GetAuthenticationTime(); if (Clock.UtcNow > authTime.AddSeconds(request.MaxAge.Value)) { Logger.LogInformation("Showing login: Requested MaxAge exceeded."); return(new InteractionResponse { IsLogin = true }); } } // check local idp restrictions if (currentIdp == IdentityServerConstants.LocalIdentityProvider) { if (!request.Client.EnableLocalLogin) { Logger.LogInformation("Showing login: User logged in locally, but client does not allow local logins"); return(new InteractionResponse { IsLogin = true }); } } // check external idp restrictions if user not using local idp else if (request.Client.IdentityProviderRestrictions != null && request.Client.IdentityProviderRestrictions.Any() && !request.Client.IdentityProviderRestrictions.Contains(currentIdp)) { Logger.LogInformation("Showing login: User is logged in with idp: {idp}, but idp not in client restriction list.", currentIdp); return(new InteractionResponse { IsLogin = true }); } // check client's user SSO timeout if (request.Client.UserSsoLifetime.HasValue) { var authTimeEpoch = request.Subject.GetAuthenticationTimeEpoch(); var nowEpoch = Clock.UtcNow.ToUnixTimeSeconds(); var diff = nowEpoch - authTimeEpoch; if (diff > request.Client.UserSsoLifetime.Value) { Logger.LogInformation("Showing login: User's auth session duration: {sessionDuration} exceeds client's user SSO lifetime: {userSsoLifetime}.", diff, request.Client.UserSsoLifetime); return(new InteractionResponse { IsLogin = true }); } } return(new InteractionResponse()); }
/// <summary> /// Processes the login logic. /// </summary> /// <param name="request">The request.</param> /// <returns></returns> protected internal virtual async Task <InteractionResponse> ProcessLoginAsync(ValidatedAuthorizeRequest request) { if (request.PromptMode == OidcConstants.PromptModes.Login || request.PromptMode == OidcConstants.PromptModes.SelectAccount) { // remove prompt so when we redirect back in from login page // we won't think we need to force a prompt again request.RemovePrompt(); Logger.LogInformation("Showing login: request contains prompt={0}", request.PromptMode); return(new InteractionResponse { IsLogin = true }); } // unauthenticated user var isAuthenticated = request.Subject.IsAuthenticated(); // user de-activated bool isActive = false; if (isAuthenticated) { var isActiveCtx = new IsActiveContext(request.Subject, request.Client, IdentityServerConstants.ProfileIsActiveCallers.AuthorizeEndpoint); await Profile.IsActiveAsync(isActiveCtx); isActive = isActiveCtx.IsActive; } if (!isAuthenticated || !isActive) { // prompt=none means user must be signed in already if (request.PromptMode == OidcConstants.PromptModes.None) { if (!isAuthenticated) { Logger.LogInformation("Showing error: prompt=none was requested but user is not authenticated"); } else if (!isActive) { Logger.LogInformation("Showing error: prompt=none was requested but user is not active"); } return(new InteractionResponse { Error = OidcConstants.AuthorizeErrors.LoginRequired }); } if (!isAuthenticated) { Logger.LogInformation("Showing login: User is not authenticated"); } else if (!isActive) { Logger.LogInformation("Showing login: User is not active"); } return(new InteractionResponse { IsLogin = true }); } // check current idp var currentIdp = request.Subject.GetIdentityProvider(); // check if idp login hint matches current provider var idp = request.GetIdP(); if (idp.IsPresent()) { if (idp != currentIdp) { Logger.LogInformation("Showing login: Current IdP ({idp}) is not the requested IdP ({idp})", currentIdp, idp); return(new InteractionResponse { IsLogin = true }); } } // check authentication freshness if (request.MaxAge.HasValue) { var authTime = request.Subject.GetAuthenticationTime(); if (Clock.UtcNow > authTime.AddSeconds(request.MaxAge.Value)) { Logger.LogInformation("Showing login: Requested MaxAge exceeded."); return(new InteractionResponse { IsLogin = true }); } } // check local idp restrictions if (currentIdp == IdentityServerConstants.LocalIdentityProvider && !request.Client.EnableLocalLogin) { Logger.LogInformation("Showing login: User logged in locally, but client does not allow local logins"); return(new InteractionResponse { IsLogin = true }); } // check external idp restrictions if (request.Client.IdentityProviderRestrictions != null && request.Client.IdentityProviderRestrictions.Any()) { if (!request.Client.IdentityProviderRestrictions.Contains(currentIdp)) { Logger.LogInformation("Showing login: User is logged in with idp: {idp}, but idp not in client restriction list.", currentIdp); return(new InteractionResponse { IsLogin = true }); } } return(new InteractionResponse()); }
internal async Task <InteractionResponse> ProcessLoginAsync(ValidatedAuthorizeRequest request) { if (request.PromptMode == OidcConstants.PromptModes.Login) { // remove prompt so when we redirect back in from login page // we won't think we need to force a prompt again request.Raw.Remove(OidcConstants.AuthorizeRequest.Prompt); _logger.LogInformation("Redirecting to login page because of prompt=login"); return(new InteractionResponse() { IsLogin = true }); } // unauthenticated user var isAuthenticated = request.Subject.Identity.IsAuthenticated; // user de-activated bool isActive = false; if (isAuthenticated) { var isActiveCtx = new IsActiveContext(request.Subject, request.Client); await _profile.IsActiveAsync(isActiveCtx); isActive = isActiveCtx.IsActive; } if (!isAuthenticated || !isActive) { if (!isAuthenticated) { _logger.LogInformation("User is not authenticated."); } else if (!isActive) { _logger.LogInformation("User is not active."); } // prompt=none means user must be signed in already if (request.PromptMode == OidcConstants.PromptModes.None) { _logger.LogInformation("prompt=none was requested but user is not authenticated/active."); return(new InteractionResponse { Error = new AuthorizeError { ErrorType = ErrorTypes.Client, Error = OidcConstants.AuthorizeErrors.LoginRequired, ResponseMode = request.ResponseMode, ErrorUri = request.RedirectUri, State = request.State } }); } return(new InteractionResponse() { IsLogin = true }); } // check current idp var currentIdp = request.Subject.GetIdentityProvider(); // check if idp login hint matches current provider var idp = request.GetIdP(); if (idp.IsPresent()) { if (idp != currentIdp) { _logger.LogInformation("Current IdP is not the requested IdP. Redirecting to login"); _logger.LogInformation("Current: {0} -- Requested: {1}", currentIdp, idp); return(new InteractionResponse() { IsLogin = true }); } } // check authentication freshness if (request.MaxAge.HasValue) { var authTime = request.Subject.GetAuthenticationTime(); if (DateTimeOffsetHelper.UtcNow > authTime.AddSeconds(request.MaxAge.Value)) { _logger.LogInformation("Requested MaxAge exceeded."); return(new InteractionResponse() { IsLogin = true }); } } // check idp restrictions if (request.Client.IdentityProviderRestrictions != null && request.Client.IdentityProviderRestrictions.Any()) { if (!request.Client.IdentityProviderRestrictions.Contains(currentIdp)) { _logger.LogWarning("User is logged in with idp: {0}, but idp not in client restriction list.", currentIdp); return(new InteractionResponse() { IsLogin = true }); } } // check if idp is local and local logins are not allowed if (currentIdp == Constants.LocalIdentityProvider) { if (_options.AuthenticationOptions.EnableLocalLogin == false || request.Client.EnableLocalLogin == false) { _logger.LogWarning("User is logged in with local idp, but local logins not enabled."); return(new InteractionResponse() { IsLogin = true }); } } return(new InteractionResponse()); }
private async Task <AuthorizeRequestValidationResult> ValidateOptionalParametersAsync(ValidatedAuthorizeRequest request) { ////////////////////////////////////////////////////////// // check nonce ////////////////////////////////////////////////////////// var nonce = request.Raw.Get(OidcConstants.AuthorizeRequest.Nonce); if (nonce.IsPresent()) { if (nonce.Length > _options.InputLengthRestrictions.Nonce) { LogError("Nonce too long", request); return(Invalid(request, description: "Invalid nonce")); } request.Nonce = nonce; } else { if (request.ResponseType.FromSpaceSeparatedString().Contains(TokenTypes.IdentityToken)) { LogError("Nonce required for flow with id_token response type", request); return(Invalid(request, description: "Invalid nonce")); } } ////////////////////////////////////////////////////////// // check prompt ////////////////////////////////////////////////////////// var prompt = request.Raw.Get(OidcConstants.AuthorizeRequest.Prompt); if (prompt.IsPresent()) { var prompts = prompt.Split(' ', StringSplitOptions.RemoveEmptyEntries); if (prompts.All(p => Constants.SupportedPromptModes.Contains(p))) { if (prompts.Contains(OidcConstants.PromptModes.None) && prompts.Length > 1) { LogError("prompt contains 'none' and other values. 'none' should be used by itself.", request); return(Invalid(request, description: "Invalid prompt")); } request.OriginalPromptModes = prompts; } else { _logger.LogDebug("Unsupported prompt mode - ignored: " + prompt); } } var suppressed_prompt = request.Raw.Get(Constants.SuppressedPrompt); if (suppressed_prompt.IsPresent()) { var prompts = suppressed_prompt.Split(' ', StringSplitOptions.RemoveEmptyEntries); if (prompts.All(p => Constants.SupportedPromptModes.Contains(p))) { if (prompts.Contains(OidcConstants.PromptModes.None) && prompts.Length > 1) { LogError("suppressed_prompt contains 'none' and other values. 'none' should be used by itself.", request); return(Invalid(request, description: "Invalid prompt")); } request.SuppressedPromptModes = prompts; } else { _logger.LogDebug("Unsupported suppressed_prompt mode - ignored: " + prompt); } } request.PromptModes = request.OriginalPromptModes.Except(request.SuppressedPromptModes).ToArray(); ////////////////////////////////////////////////////////// // check ui locales ////////////////////////////////////////////////////////// var uilocales = request.Raw.Get(OidcConstants.AuthorizeRequest.UiLocales); if (uilocales.IsPresent()) { if (uilocales.Length > _options.InputLengthRestrictions.UiLocale) { LogError("UI locale too long", request); return(Invalid(request, description: "Invalid ui_locales")); } request.UiLocales = uilocales; } ////////////////////////////////////////////////////////// // check display ////////////////////////////////////////////////////////// var display = request.Raw.Get(OidcConstants.AuthorizeRequest.Display); if (display.IsPresent()) { if (Constants.SupportedDisplayModes.Contains(display)) { request.DisplayMode = display; } _logger.LogDebug("Unsupported display mode - ignored: " + display); } ////////////////////////////////////////////////////////// // check max_age ////////////////////////////////////////////////////////// var maxAge = request.Raw.Get(OidcConstants.AuthorizeRequest.MaxAge); if (maxAge.IsPresent()) { if (int.TryParse(maxAge, out var seconds)) { if (seconds >= 0) { request.MaxAge = seconds; } else { LogError("Invalid max_age.", request); return(Invalid(request, description: "Invalid max_age")); } } else { LogError("Invalid max_age.", request); return(Invalid(request, description: "Invalid max_age")); } } ////////////////////////////////////////////////////////// // check login_hint ////////////////////////////////////////////////////////// var loginHint = request.Raw.Get(OidcConstants.AuthorizeRequest.LoginHint); if (loginHint.IsPresent()) { if (loginHint.Length > _options.InputLengthRestrictions.LoginHint) { LogError("Login hint too long", request); return(Invalid(request, description: "Invalid login_hint")); } request.LoginHint = loginHint; } ////////////////////////////////////////////////////////// // check acr_values ////////////////////////////////////////////////////////// var acrValues = request.Raw.Get(OidcConstants.AuthorizeRequest.AcrValues); if (acrValues.IsPresent()) { if (acrValues.Length > _options.InputLengthRestrictions.AcrValues) { LogError("Acr values too long", request); return(Invalid(request, description: "Invalid acr_values")); } request.AuthenticationContextReferenceClasses = acrValues.FromSpaceSeparatedString().Distinct().ToList(); } ////////////////////////////////////////////////////////// // check custom acr_values: idp ////////////////////////////////////////////////////////// var idp = request.GetIdP(); if (idp.IsPresent()) { // if idp is present but client does not allow it, strip it from the request message if (request.Client.IdentityProviderRestrictions != null && request.Client.IdentityProviderRestrictions.Any()) { if (!request.Client.IdentityProviderRestrictions.Contains(idp)) { _logger.LogWarning("idp requested ({idp}) is not in client restriction list.", idp); request.RemoveIdP(); } } } ////////////////////////////////////////////////////////// // check session cookie ////////////////////////////////////////////////////////// if (_options.Endpoints.EnableCheckSessionEndpoint) { if (request.Subject.IsAuthenticated()) { var sessionId = await _userSession.GetSessionIdAsync(); if (sessionId.IsPresent()) { request.SessionId = sessionId; } else { LogError("Check session endpoint enabled, but SessionId is missing", request); } } else { request.SessionId = ""; // empty string for anonymous users } } return(Valid(request)); }