public AuthorizeInteractionResponseGenerator(IConsentService consent, IUserService users, ILocalizationService localizationService)
{
_signIn = new SignInMessage();
_consent = consent;
_users = users;
_localizationService = localizationService;
}
public Task<AuthenticateResult> AuthenticateExternalAsync(ExternalIdentity externalUser, SignInMessage message)
{
// look for the user in our local identity system from the external identifiers
var user = Users.SingleOrDefault(x => x.Provider == externalUser.Provider && x.ProviderID == externalUser.ProviderId);
string name = "Unknown";
if (user == null)
{
// new user, so add them here
var nameClaim = externalUser.Claims.First(x => x.Type == Constants.ClaimTypes.Name);
if (nameClaim != null) name = nameClaim.Value;
user = new CustomUser {
Subject = Guid.NewGuid().ToString(),
Provider = externalUser.Provider,
ProviderID = externalUser.ProviderId,
Claims = new List<Claim> { new Claim(Constants.ClaimTypes.Name, name) }
};
Users.Add(user);
}
name = user.Claims.First(x => x.Type == Constants.ClaimTypes.Name).Value;
if (user.IsRegistered)
{
// user is registered so continue
return Task.FromResult<AuthenticateResult>(new AuthenticateResult(user.Subject, name, identityProvider:user.Provider));
}
else
{
// user not registered so we will issue a partial login and redirect them to our registration page
return Task.FromResult<AuthenticateResult>(new AuthenticateResult("/core/externalregistration", user.Subject, name, identityProvider: user.Provider));
}
}
public static string GetRedirectUrl(SignInMessage message, IDictionary<string, object> env, IdentityServerOptions options)
{
var result = new LoginResult(message, env, options);
var response = result.Execute();
return response.Headers.Location.AbsoluteUri;
}
public LoginActionResult(IViewService viewSvc, LoginViewModel model, SignInMessage message)
: base(async () => await viewSvc.Login(model, message))
{
if (viewSvc == null) throw new ArgumentNullException("viewSvc");
if (model == null) throw new ArgumentNullException("model");
if (message == null) throw new ArgumentNullException("message");
}
public async Task<CustomGrantValidationResult> ValidateAsync(ValidatedTokenRequest request)
{
if (request.GrantType != "legacy_account_store")
{
Logger.Error("unknown custom grant type");
return null;
}
var legacyAccountStoreType = request.Raw.Get("account_store");
var id = request.Raw.Get("legacy_id");
var secret = request.Raw.Get("legacy_secret");
if (string.IsNullOrWhiteSpace(legacyAccountStoreType) ||
string.IsNullOrWhiteSpace(id) ||
string.IsNullOrWhiteSpace(secret))
{
Logger.Error("malformed request");
return null;
}
var message = new SignInMessage { Tenant = legacyAccountStoreType };
var result = await _users.AuthenticateLocalAsync(id, secret, message);
if (result.IsError)
{
Logger.Error("authentication failed");
return new CustomGrantValidationResult("Authentication failed.");
}
return new CustomGrantValidationResult(
result.User.GetSubjectId(),
"custom",
result.User.Claims);
}
public Task<AuthenticateResult> AuthenticateLocalAsync(string username, string password, SignInMessage message) {
var user = _users.SingleOrDefault(x => x.Username == username && x.Password == password);
if (user == null) {
return Task.FromResult<AuthenticateResult>(null);
}
return Task.FromResult<AuthenticateResult>(new AuthenticateResult(user.Subject, user.Username));
}
public LoginResult(IDictionary<string, object> env, SignInMessage message)
{
if (env == null) throw new ArgumentNullException("env");
if (message == null) throw new ArgumentNullException("message");
this.env = env;
this.message = message;
}
public Task<AuthenticateResult> AuthenticateLocalAsync(string username, string password, SignInMessage message)
{
if (username == password)
{
var p = IdentityServerPrincipal.Create(username, username, "password", "idsvr");
return Task.FromResult(new AuthenticateResult(p));
}
return Task.FromResult<AuthenticateResult>(null);
}
public LoginResult(SignInMessage message, IDictionary<string, object> env, IdentityServerOptions options)
{
if (message == null) throw new ArgumentNullException("message");
if (env == null) throw new ArgumentNullException("env");
if (options == null) throw new ArgumentNullException("options");
this.message = message;
this.env = env;
this.options = options;
}
private HttpResponseMessage GetLoginPage(SignInMessage msg = null)
{
msg = msg ?? new SignInMessage() { ReturnUrl = Url("authorize") };
if (msg.ClientId == null) msg.ClientId = TestClients.Get().First().ClientId;
SignInId = WriteMessageToCookie(msg);
var resp = Get(Constants.RoutePaths.Login + "?signin=" + SignInId);
ProcessXsrf(resp);
return resp;
}
void Login(bool setCookie = true)
{
var msg = new SignInMessage() { ReturnUrl = Url("authorize") };
var signInId = WriteMessageToCookie(msg);
var url = Constants.RoutePaths.Login + "?signin=" + signInId;
var resp = Get(url);
ProcessXsrf(resp);
if (setCookie)
{
resp = PostForm(url, new LoginCredentials { Username = "******", Password = "******" });
client.SetCookies(resp.GetCookies());
}
}
public Task<AuthenticateResult> AuthenticateLocalAsync(string username, string password, SignInMessage message)
{
//var repo = new SHSRepository(new ODatabase(CONNECTION_NAME));
//var parent = repo.Create<Organization>((p) => { p.Name = "ForeMedical"; });
//repo.SaveChanges();
//var result = new AuthenticateResult("error");
// var claim = new Claim("vv", "ee");//claim.
//result.User.Claims[4].
//result.HasSubject = true;
//result.User.
return null;
}
public static void RaiseLocalLoginSuccessEvent(this IEventService events, IDictionary<string, object> env, string username, SignInMessage signInMessage, AuthenticateResult authResult)
{
if (events == null) throw new ArgumentNullException("events");
var evt = new LocalAuthenticationEvent()
{
Id = EventConstants.Ids.SuccessfulLocalLogin,
EventType = EventType.Success,
Message = Resources.Events.LocalLoginSuccess,
SubjectId = authResult.User.GetSubjectId(),
SignInMessage = signInMessage,
LoginUserName = username
};
evt.ApplyEnvironment(env);
events.Raise(evt);
}
public void LoginExternalCallback_WithLinkedAccount_RedirectsToAuthorizeEndpoint()
{
var msg = new SignInMessage();
msg.IdP = "Google";
msg.ReturnUrl = Url("authorize");
var resp1 = GetLoginPage(msg);
var sub = new Claim(Constants.ClaimTypes.Subject, "123", ClaimValueTypes.String, "Google");
SignInIdentity = new ClaimsIdentity(new Claim[] { sub }, Constants.ExternalAuthenticationType);
var resp2 = Client.GetAsync(resp1.Headers.Location.AbsoluteUri).Result;
Client.SetCookies(resp2.GetCookies());
var resp3 = Get(Constants.RoutePaths.LoginExternalCallback);
resp3.StatusCode.Should().Be(HttpStatusCode.Found);
resp3.Headers.Location.AbsoluteUri.Should().Be(Url("authorize"));
}
/// <summary>
/// This methods gets called for local authentication (whenever the user uses the username and password dialog).
/// </summary>
/// <param name="username">The username.</param>
/// <param name="password">The password.</param>
/// <param name="message">The signin message.</param>
/// <returns>
/// The authentication result
/// </returns>
public virtual Task<AuthenticateResult> AuthenticateLocalAsync(string username, string password, SignInMessage message)
{
var query =
from u in _users
where u.Username == username && u.Password == password
select u;
var user = query.SingleOrDefault();
if (user != null)
{
var p = IdentityServerPrincipal.Create(user.Subject, GetDisplayName(user), Constants.AuthenticationMethods.Password, Constants.BuiltInIdentityProvider);
var result = new AuthenticateResult(p);
return Task.FromResult(result);
}
return Task.FromResult<AuthenticateResult>(null);
}
public override Task<AuthenticateResult> PreAuthenticateAsync(SignInMessage message)
{
var idp = context.Request.Cookies["idp"];
if (String.IsNullOrWhiteSpace(idp))
{
// no idp, so redirect
var url = new Claim("url", context.Request.Uri.AbsoluteUri);
var result = new AuthenticateResult("~/hrd", "hrd", "hrd", new Claim[] { url });
return Task.FromResult(result);
}
else
{
// we have idp, so set it
context.Response.Cookies.Append("idp", ".", new CookieOptions { Expires = DateTime.UtcNow.AddYears(-1) });
message.IdP = idp;
return Task.FromResult<AuthenticateResult>(null);
}
}
public void LoginExternalCallback_WithNoLinkedAccount_ReturnsErrorMessage()
{
var msg = new SignInMessage();
msg.IdP = "Google";
msg.ReturnUrl = Url("authorize");
var resp1 = GetLoginPage(msg);
var sub = new Claim(Constants.ClaimTypes.Subject, "123456", ClaimValueTypes.String, "Google");
SignInIdentity = new ClaimsIdentity(new Claim[] { sub }, Constants.ExternalAuthenticationType);
var resp2 = Client.GetAsync(resp1.Headers.Location.AbsoluteUri).Result;
Client.SetCookies(resp2.GetCookies());
var resp3 = Get(Constants.RoutePaths.LoginExternalCallback);
var model = resp3.GetModel<ErrorViewModel>();
resp3.StatusCode.Should().Be(HttpStatusCode.OK);
model.ErrorMessage.Should().Be("This provider is not associated with any exisiting account. If you haven't registered locally please do so, after which you can manage external providers. Alternatively check who is logged in on this machine to the external provider.");
}
public Task<AuthenticateResult> AuthenticateLocalAsync(string username, string password, SignInMessage message)
{
var user = Users.SingleOrDefault(x => x.Username == username && x.Password == password);
if (user == null)
{
return Task.FromResult<AuthenticateResult>(null);
}
if (user.AcceptedEula)
{
return Task.FromResult<AuthenticateResult>(new AuthenticateResult(user.Subject, user.Username));
}
else
{
// either redirect path works
return Task.FromResult<AuthenticateResult>(new AuthenticateResult("/core/eula", user.Subject, user.Username));
//return Task.FromResult<AuthenticateResult>(new AuthenticateResult("~/eula", user.Subject, user.Username));
}
}
/// <summary>
/// This method gets called when the user uses an external identity provider to authenticate.
/// </summary>
/// <param name="externalUser">The external user.</param>
/// <param name="message">The signin message.</param>
/// <returns>
/// The authentication result.
/// </returns>
public virtual Task<AuthenticateResult> AuthenticateExternalAsync(ExternalIdentity externalUser, SignInMessage message)
{
var query =
from u in _users
where
u.Provider == externalUser.Provider &&
u.ProviderId == externalUser.ProviderId
select u;
var user = query.SingleOrDefault();
if (user == null)
{
string displayName;
var name = externalUser.Claims.FirstOrDefault(x => x.Type == Constants.ClaimTypes.Name);
if (name == null)
{
displayName = externalUser.ProviderId;
}
else
{
displayName = name.Value;
}
user = new User
{
Subject = RandomString(16),
Provider = externalUser.Provider,
ProviderId = externalUser.ProviderId,
Username = displayName,
Claims = externalUser.Claims
};
_users.Add(user);
}
//var p = IdentityServerPrincipal.Create(user.Subject, GetDisplayName(user), Constants.AuthenticationMethods.External, user.Provider);
//var result = new AuthenticateResult(p);
//return Task.FromResult(result);
return Task.FromResult(new AuthenticateResult("/core/account/eula", user.Subject, GetDisplayName(user)));
}
public Task<AuthenticateResult> AuthenticateLocalAsync(string username, string password, SignInMessage message = null)
{
if (message != null)
{
var tenant = message.Tenant;
if (username == password)
{
var claims = new List<Claim>
{
new Claim("account_store", tenant)
};
var result = new AuthenticateResult("123", username,
claims: claims,
authenticationMethod: "custom");
return Task.FromResult(new AuthenticateResult("123", username, claims));
}
}
// default account store
throw new NotImplementedException();
}
private IHttpActionResult SignInAndRedirect(SignInMessage signInMessage, string signInMessageId, AuthenticateResult authResult, bool? rememberMe = null)
{
IssueAuthenticationCookie(signInMessageId, authResult, rememberMe);
sessionCookie.IssueSessionId();
var redirectUrl = GetRedirectUrl(signInMessage, authResult);
Logger.InfoFormat("redirecting to: {0}", redirectUrl);
return Redirect(redirectUrl);
}
IHttpActionResult RedirectToLogin(SignInMessage message, NameValueCollection parameters)
{
message = message ?? new SignInMessage();
var path = Url.Route(Constants.RouteNames.Oidc.Authorize, null).AddQueryString(parameters.ToQueryString());
var host = new Uri(Request.GetOwinEnvironment().GetIdentityServerHost());
var url = new Uri(host, path);
message.ReturnUrl = url.AbsoluteUri;
return new LoginResult(Request.GetOwinContext().Environment, message);
}
private async Task<IEnumerable<string>> GetProviderFilterForClientAsync(SignInMessage message)
{
IEnumerable<string> filter = null;
if (!String.IsNullOrWhiteSpace(message.ClientId))
{
var client = await _clientStore.FindClientByIdAsync(message.ClientId);
if (client != null)
{
filter = client.IdentityProviderRestrictions;
}
}
filter = filter ?? Enumerable.Empty<string>();
return filter;
}
private async Task<IEnumerable<LoginPageLink>> GetExternalProviders(SignInMessage message, string signInMessageId)
{
IEnumerable<string> filter = await GetProviderFilterForClientAsync(message);
var ctx = Request.GetOwinContext();
var providers =
from p in ctx.Authentication.GetAuthenticationTypes(d => d.Caption.IsPresent())
where (!filter.Any() || filter.Contains(p.AuthenticationType))
select new LoginPageLink
{
Text = p.Caption,
Href = Url.Route(Constants.RouteNames.LoginExternal,
new { provider = p.AuthenticationType, signin = signInMessageId })
};
return providers.ToArray();
}
private async Task<IHttpActionResult> RenderLoginPage(SignInMessage message, string signInMessageId, string errorMessage = null, string username = null, bool rememberMe = false)
{
if (message == null) throw new ArgumentNullException("message");
username = username ?? GetLastUsernameFromCookie();
var providers = await GetExternalProviders(message, signInMessageId);
if (errorMessage != null)
{
Logger.InfoFormat("rendering login page with error message: {0}", errorMessage);
}
else
{
if (_authenticationOptions.EnableLocalLogin == false && providers.Count() == 1)
{
// no local login and only one provider -- redirect to provider
Logger.Info("no local login and only one provider -- redirect to provider");
var url = Request.GetOwinEnvironment().GetIdentityServerHost();
url += providers.First().Href;
return Redirect(url);
}
else
{
Logger.Info("rendering login page");
}
}
var loginPageLinks = PrepareLoginPageLinks(signInMessageId, _authenticationOptions.LoginPageLinks);
var loginModel = new LoginViewModel
{
SiteName = _options.SiteName,
SiteUrl = Request.GetIdentityServerBaseUrl(),
CurrentUser = await GetNameFromPrimaryAuthenticationType(),
ExternalProviders = providers,
AdditionalLinks = loginPageLinks,
ErrorMessage = errorMessage,
LoginUrl = _options.AuthenticationOptions.EnableLocalLogin ? Url.Route(Constants.RouteNames.Login, new { signin = signInMessageId }) : null,
AllowRememberMe = _options.AuthenticationOptions.CookieOptions.AllowRememberMe,
RememberMe = _options.AuthenticationOptions.CookieOptions.AllowRememberMe && rememberMe,
LogoutUrl = Url.Route(Constants.RouteNames.Logout, null),
AntiForgery = AntiForgeryTokenValidator.GetAntiForgeryHiddenInput(Request.GetOwinEnvironment()),
Username = username
};
return new LoginActionResult(_viewService, loginModel, message);
}
private void IssueAuthenticationCookie(SignInMessage signInMessage, string signInMessageId, AuthenticateResult authResult, bool? rememberMe = null)
{
if (signInMessage == null) throw new ArgumentNullException("signInId");
if (authResult == null) throw new ArgumentNullException("authResult");
Logger.InfoFormat("issuing cookie{0}", authResult.IsPartialSignIn ? " (partial login)" : "");
var props = new Microsoft.Owin.Security.AuthenticationProperties();
var id = authResult.User.Identities.First();
if (authResult.IsPartialSignIn)
{
// add claim so partial redirect can return here to continue login
// we need a random ID to resume, and this will be the query string
// to match a claim added. the claim added will be the original
// signIn ID.
var resumeId = CryptoRandom.CreateUniqueId();
var resumeLoginUrl = Url.Link(Constants.RouteNames.ResumeLoginFromRedirect, new { resume = resumeId });
var resumeLoginClaim = new Claim(Constants.ClaimTypes.PartialLoginReturnUrl, resumeLoginUrl);
id.AddClaim(resumeLoginClaim);
id.AddClaim(new Claim(GetClaimTypeForResumeId(resumeId), signInMessageId));
}
else
{
ClearSignInCookie(signInMessageId);
}
if (!authResult.IsPartialSignIn)
{
// don't issue persistnt cookie if it's a partial signin
if (rememberMe == true ||
(rememberMe != false && this._options.AuthenticationOptions.CookieOptions.IsPersistent))
{
// only issue persistent cookie if user consents (rememberMe == true) or
// if server is configured to issue persistent cookies and user has not explicitly
// denied the rememberMe (false)
// if rememberMe is null, then user was not prompted for rememberMe
props.IsPersistent = true;
if (rememberMe == true)
{
var expires = DateTime.UtcNow.Add(_options.AuthenticationOptions.CookieOptions.RememberMeDuration);
props.ExpiresUtc = new DateTimeOffset(expires);
}
}
}
ClearAuthenticationCookies();
var ctx = Request.GetOwinContext();
ctx.Authentication.SignIn(props, id);
}
public Task<AuthenticateResult> PreAuthenticateAsync(SignInMessage message)
{
return Task.FromResult<AuthenticateResult>(null);
}
public Task <AuthenticateResult> PreAuthenticateAsync(Thinktecture.IdentityServer.Core.Models.SignInMessage message)
{
return(Task.FromResult <AuthenticateResult>(null));
}
private Uri GetRedirectUrl(SignInMessage signInMessage, AuthenticateResult authResult)
{
if (signInMessage == null) throw new ArgumentNullException("signInMessage");
if (authResult == null) throw new ArgumentNullException("authResult");
if (authResult.IsPartialSignIn)
{
var path = authResult.PartialSignInRedirectPath;
if (path.StartsWith("~/"))
{
path = path.Substring(2);
path = Request.GetIdentityServerBaseUrl() + path;
}
var host = new Uri(context.GetIdentityServerHost());
return new Uri(host, path);
}
else
{
return new Uri(signInMessage.ReturnUrl);
}
}
private async Task<IHttpActionResult> RenderLoginPage(SignInMessage message, string signInMessageId, string errorMessage = null, string username = null, bool rememberMe = false)
{
if (message == null) throw new ArgumentNullException("message");
username = username ?? lastUsernameCookie.GetValue();
var idpRestrictions = await clientStore.GetIdentityProviderRestrictionsAsync(message.ClientId);
var providers = context.GetExternalAuthenticationProviders(idpRestrictions);
var providerLinks = context.GetLinksFromProviders(providers, signInMessageId);
var visibleLinks = providerLinks.FilterHiddenLinks();
if (errorMessage != null)
{
Logger.InfoFormat("rendering login page with error message: {0}", errorMessage);
}
else
{
if (options.AuthenticationOptions.EnableLocalLogin == false)
{
Logger.Info("local login disabled");
string url = null;
if (providerLinks.Count() == 0)
{
Logger.Info("no providers registered for client");
return RenderErrorPage();
}
else if (providerLinks.Count() == 1)
{
Logger.Info("only one provider for client");
url = providerLinks.First().Href;
}
else if (visibleLinks.Count() == 1)
{
Logger.Info("only one visible provider");
url = visibleLinks.First().Href;
}
if (url.IsPresent())
{
Logger.InfoFormat("redirecting to provider URL: {0}", url);
return Redirect(url);
}
}
Logger.Info("rendering login page");
}
var loginPageLinks = options.AuthenticationOptions.LoginPageLinks.Render(Request.GetIdentityServerBaseUrl(), signInMessageId);
var loginModel = new LoginViewModel
{
RequestId = context.GetRequestId(),
SiteName = options.SiteName,
SiteUrl = Request.GetIdentityServerBaseUrl(),
CurrentUser = User.Identity.Name,
ExternalProviders = visibleLinks,
AdditionalLinks = loginPageLinks,
ErrorMessage = errorMessage,
LoginUrl = options.AuthenticationOptions.EnableLocalLogin ? Url.Route(Constants.RouteNames.Login, new { signin = signInMessageId }) : null,
AllowRememberMe = options.AuthenticationOptions.CookieOptions.AllowRememberMe,
RememberMe = options.AuthenticationOptions.CookieOptions.AllowRememberMe && rememberMe,
LogoutUrl = Url.Route(Constants.RouteNames.Logout, null),
AntiForgery = antiForgeryToken.GetAntiForgeryToken(),
Username = username
};
return new LoginActionResult(viewService, loginModel, message);
}
private void RaiseLocalLoginSuccessEvent(string username, SignInMessage signInMessage, AuthenticateResult authResult)
{
_events.RaiseLocalLoginSuccessEvent(Request.GetOwinEnvironment(), username, signInMessage, authResult);
}
