public async Task <IActionResult> Edit(string id, string returnUrl = null) { if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageApplications)) { return(Forbid()); } var application = await _applicationManager.FindByPhysicalIdAsync(id); if (application == null) { return(NotFound()); } Task <bool> HasPermissionAsync(string permission) => _applicationManager.HasPermissionAsync(application, permission); var model = new EditOpenIdApplicationViewModel { AllowAuthorizationCodeFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode), AllowClientCredentialsFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.ClientCredentials), AllowImplicitFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.Implicit), AllowPasswordFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.Password), AllowRefreshTokenFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.RefreshToken), AllowLogoutEndpoint = await HasPermissionAsync(OpenIddictConstants.Permissions.Endpoints.Logout), ClientId = await _applicationManager.GetClientIdAsync(application), ConsentType = await _applicationManager.GetConsentTypeAsync(application), DisplayName = await _applicationManager.GetDisplayNameAsync(application), Id = await _applicationManager.GetPhysicalIdAsync(application), PostLogoutRedirectUris = string.Join(" ", await _applicationManager.GetPostLogoutRedirectUrisAsync(application)), RedirectUris = string.Join(" ", await _applicationManager.GetRedirectUrisAsync(application)), Type = await _applicationManager.GetClientTypeAsync(application) }; var roleService = HttpContext.RequestServices?.GetService <IRoleService>(); if (roleService != null) { var roles = await _applicationManager.GetRolesAsync(application); foreach (var role in await roleService.GetRoleNamesAsync()) { model.RoleEntries.Add(new EditOpenIdApplicationViewModel.RoleEntry { Name = role, Selected = roles.Contains(role, StringComparer.OrdinalIgnoreCase) }); } } else { _notifier.Warning(H["There are no registered services to provide roles."]); } ViewData[nameof(OpenIdServerSettings)] = await GetServerSettingsAsync(); ViewData["ReturnUrl"] = returnUrl; return(View(model)); }
public async Task <IActionResult> Edit(string id, string returnUrl = null) { if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageApplications)) { return(Unauthorized()); } var application = await _applicationManager.FindByPhysicalIdAsync(id); if (application == null) { return(NotFound()); } Task <bool> HasPermissionAsync(string permission) => _applicationManager.HasPermissionAsync(application, permission); var model = new EditOpenIdApplicationViewModel { AllowAuthorizationCodeFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode), AllowClientCredentialsFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.ClientCredentials), AllowImplicitFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.Implicit), AllowPasswordFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.Password), AllowRefreshTokenFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.RefreshToken), AllowLogoutEndpoint = await HasPermissionAsync(OpenIddictConstants.Permissions.Endpoints.Logout), ClientId = await _applicationManager.GetClientIdAsync(application), ConsentType = await _applicationManager.GetConsentTypeAsync(application), DisplayName = await _applicationManager.GetDisplayNameAsync(application), Id = await _applicationManager.GetPhysicalIdAsync(application), PostLogoutRedirectUris = string.Join(" ", await _applicationManager.GetPostLogoutRedirectUrisAsync(application)), RedirectUris = string.Join(" ", await _applicationManager.GetRedirectUrisAsync(application)), Type = await _applicationManager.GetClientTypeAsync(application) }; foreach (var role in await _roleProvider.GetRoleNamesAsync()) { model.RoleEntries.Add(new EditOpenIdApplicationViewModel.RoleEntry { Name = role, Selected = await _applicationManager.IsInRoleAsync(application, role) }); } ViewData[nameof(OpenIdServerSettings)] = await GetServerSettingsAsync(); ViewData["ReturnUrl"] = returnUrl; return(View(model)); }
public async Task <IActionResult> Authorize(OpenIdConnectRequest request) { // Retrieve the claims stored in the authentication cookie. // If they can't be extracted, redirect the user to the login page. var result = await HttpContext.AuthenticateAsync(); if (result == null || !result.Succeeded || request.HasPrompt(OpenIddictConstants.Prompts.Login)) { return(RedirectToLoginPage(request)); } // If a max_age parameter was provided, ensure that the cookie is not too old. // If it's too old, automatically redirect the user agent to the login page. if (request.MaxAge != null && result.Properties.IssuedUtc != null && DateTimeOffset.UtcNow - result.Properties.IssuedUtc > TimeSpan.FromSeconds(request.MaxAge.Value)) { return(RedirectToLoginPage(request)); } var application = await _applicationManager.FindByClientIdAsync(request.ClientId); if (application == null) { return(View("Error", new ErrorViewModel { Error = OpenIddictConstants.Errors.InvalidClient, ErrorDescription = T["The specified 'client_id' parameter is invalid."] })); } var authorizations = await _authorizationManager.FindAsync( subject : _userManager.GetUserId(result.Principal), client : await _applicationManager.GetIdAsync(application), status : OpenIddictConstants.Statuses.Valid, type : OpenIddictConstants.AuthorizationTypes.Permanent, scopes : ImmutableArray.CreateRange(request.GetScopes())); switch (await _applicationManager.GetConsentTypeAsync(application)) { case OpenIddictConstants.ConsentTypes.External when authorizations.IsEmpty: return(RedirectToClient(new OpenIdConnectResponse { Error = OpenIddictConstants.Errors.ConsentRequired, ErrorDescription = T["The logged in user is not allowed to access this client application."] })); case OpenIddictConstants.ConsentTypes.Implicit: case OpenIddictConstants.ConsentTypes.External when authorizations.Any(): case OpenIddictConstants.ConsentTypes.Explicit when authorizations.Any() && !request.HasPrompt(OpenIddictConstants.Prompts.Consent): return(await IssueTokensAsync(result.Principal, request, application, authorizations.LastOrDefault())); case OpenIddictConstants.ConsentTypes.Explicit when request.HasPrompt(OpenIddictConstants.Prompts.None): return(RedirectToClient(new OpenIdConnectResponse { Error = OpenIddictConstants.Errors.ConsentRequired, ErrorDescription = T["Interactive user consent is required."] })); default: return(View(new AuthorizeViewModel { ApplicationName = await _applicationManager.GetDisplayNameAsync(application), RequestId = request.RequestId, Scope = request.Scope })); } }
public async Task <IActionResult> Authorize() { var response = HttpContext.GetOpenIddictServerResponse(); if (response != null) { return(View("Error", new ErrorViewModel { Error = response.Error, ErrorDescription = response.ErrorDescription })); } var request = HttpContext.GetOpenIddictServerRequest(); if (request == null) { return(NotFound()); } // Retrieve the claims stored in the authentication cookie. // If they can't be extracted, redirect the user to the login page. var result = await HttpContext.AuthenticateAsync(); if (result == null || !result.Succeeded || request.HasPrompt(Prompts.Login)) { return(RedirectToLoginPage(request)); } // If a max_age parameter was provided, ensure that the cookie is not too old. // If it's too old, automatically redirect the user agent to the login page. if (request.MaxAge != null && result.Properties.IssuedUtc != null && DateTimeOffset.UtcNow - result.Properties.IssuedUtc > TimeSpan.FromSeconds(request.MaxAge.Value)) { return(RedirectToLoginPage(request)); } var application = await _applicationManager.FindByClientIdAsync(request.ClientId) ?? throw new InvalidOperationException("The application details cannot be found."); var authorizations = await _authorizationManager.FindAsync( subject : result.Principal.GetUserIdentifier(), client : await _applicationManager.GetIdAsync(application), status : Statuses.Valid, type : AuthorizationTypes.Permanent, scopes : request.GetScopes()).ToListAsync(); switch (await _applicationManager.GetConsentTypeAsync(application)) { case ConsentTypes.External when !authorizations.Any(): return(Forbid(new AuthenticationProperties(new Dictionary <string, string> { [OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.ConsentRequired, [OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = S["The logged in user is not allowed to access this client application."] }), OpenIddictServerAspNetCoreDefaults.AuthenticationScheme)); case ConsentTypes.Implicit: case ConsentTypes.External when authorizations.Any(): case ConsentTypes.Explicit when authorizations.Any() && !request.HasPrompt(Prompts.Consent): var identity = new ClaimsIdentity(result.Principal.Claims, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme); var principal = new ClaimsPrincipal(identity); identity.AddClaim(OpenIdConstants.Claims.EntityType, OpenIdConstants.EntityTypes.User, Destinations.AccessToken, Destinations.IdentityToken); // Note: while ASP.NET Core Identity uses the legacy WS-Federation claims (exposed by the ClaimTypes class), // OpenIddict uses the newer JWT claims defined by the OpenID Connect specification. To ensure the mandatory // subject claim is correctly populated (and avoid an InvalidOperationException), it's manually added here. if (string.IsNullOrEmpty(result.Principal.FindFirst(Claims.Subject)?.Value)) { identity.AddClaim(new Claim(Claims.Subject, result.Principal.GetUserIdentifier())); } principal.SetScopes(request.GetScopes()); principal.SetResources(await GetResourcesAsync(request.GetScopes())); // Automatically create a permanent authorization to avoid requiring explicit consent // for future authorization or token requests containing the same scopes. var authorization = authorizations.LastOrDefault(); if (authorization == null) { authorization = await _authorizationManager.CreateAsync( principal : principal, subject : principal.GetUserIdentifier(), client : await _applicationManager.GetIdAsync(application), type : AuthorizationTypes.Permanent, scopes : principal.GetScopes()); } principal.SetAuthorizationId(await _authorizationManager.GetIdAsync(authorization)); foreach (var claim in principal.Claims) { claim.SetDestinations(GetDestinations(claim, principal)); } return(SignIn(principal, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme)); case ConsentTypes.Explicit when request.HasPrompt(Prompts.None): return(Forbid(new AuthenticationProperties(new Dictionary <string, string> { [OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.ConsentRequired, [OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = S["Interactive user consent is required."] }), OpenIddictServerAspNetCoreDefaults.AuthenticationScheme)); default: return(View(new AuthorizeViewModel { ApplicationName = await _applicationManager.GetLocalizedDisplayNameAsync(application), RequestId = request.RequestId, Scope = request.Scope })); } IActionResult RedirectToLoginPage(OpenIddictRequest request) { // If the client application requested promptless authentication, // return an error indicating that the user is not logged in. if (request.HasPrompt(Prompts.None)) { return(Forbid(new AuthenticationProperties(new Dictionary <string, string> { [OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.LoginRequired, [OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = S["The user is not logged in."] }), OpenIddictServerAspNetCoreDefaults.AuthenticationScheme)); } string GetRedirectUrl() { // Override the prompt parameter to prevent infinite authentication/authorization loops. var parameters = Request.Query.ToDictionary(kvp => kvp.Key, kvp => kvp.Value); parameters[Parameters.Prompt] = "continue"; return(Request.PathBase + Request.Path + QueryString.Create(parameters)); } return(Challenge(new AuthenticationProperties { RedirectUri = GetRedirectUrl() })); } }
public async Task <IActionResult> Edit(string id, string returnUrl = null) { if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageApplications)) { return(Forbid()); } var application = await _applicationManager.FindByPhysicalIdAsync(id); if (application == null) { return(NotFound()); } ValueTask <bool> HasPermissionAsync(string permission) => _applicationManager.HasPermissionAsync(application, permission); var model = new EditOpenIdApplicationViewModel { AllowAuthorizationCodeFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode) && await HasPermissionAsync(OpenIddictConstants.Permissions.ResponseTypes.Code), AllowClientCredentialsFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.ClientCredentials), // Note: the hybrid flow doesn't have a dedicated grant_type but is treated as a combination // of both the authorization code and implicit grants. As such, to determine whether the hybrid // flow is enabled, both the authorization code grant and the implicit grant MUST be enabled. AllowHybridFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode) && await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.Implicit) && (await HasPermissionAsync(OpenIddictConstants.Permissions.ResponseTypes.CodeIdToken) || await HasPermissionAsync(OpenIddictConstants.Permissions.ResponseTypes.CodeIdTokenToken) || await HasPermissionAsync(OpenIddictConstants.Permissions.ResponseTypes.CodeToken)), AllowImplicitFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.Implicit) && (await HasPermissionAsync(OpenIddictConstants.Permissions.ResponseTypes.IdToken) || await HasPermissionAsync(OpenIddictConstants.Permissions.ResponseTypes.IdTokenToken) || await HasPermissionAsync(OpenIddictConstants.Permissions.ResponseTypes.Token)), AllowPasswordFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.Password), AllowRefreshTokenFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.RefreshToken), AllowLogoutEndpoint = await HasPermissionAsync(OpenIddictConstants.Permissions.Endpoints.Logout), ClientId = await _applicationManager.GetClientIdAsync(application), ConsentType = await _applicationManager.GetConsentTypeAsync(application), DisplayName = await _applicationManager.GetDisplayNameAsync(application), Id = await _applicationManager.GetPhysicalIdAsync(application), PostLogoutRedirectUris = string.Join(" ", await _applicationManager.GetPostLogoutRedirectUrisAsync(application)), RedirectUris = string.Join(" ", await _applicationManager.GetRedirectUrisAsync(application)), Type = await _applicationManager.GetClientTypeAsync(application) }; var roleService = HttpContext.RequestServices?.GetService <IRoleService>(); if (roleService != null) { var roles = await _applicationManager.GetRolesAsync(application); foreach (var role in await roleService.GetRoleNamesAsync()) { model.RoleEntries.Add(new EditOpenIdApplicationViewModel.RoleEntry { Name = role, Selected = roles.Contains(role, StringComparer.OrdinalIgnoreCase) }); } } else { await _notifier.WarningAsync(H["There are no registered services to provide roles."]); } var permissions = await _applicationManager.GetPermissionsAsync(application); await foreach (var scope in _scopeManager.ListAsync()) { var scopeName = await _scopeManager.GetNameAsync(scope); model.ScopeEntries.Add(new EditOpenIdApplicationViewModel.ScopeEntry { Name = scopeName, Selected = await _applicationManager.HasPermissionAsync(application, OpenIddictConstants.Permissions.Prefixes.Scope + scopeName) }); } ViewData[nameof(OpenIdServerSettings)] = await GetServerSettingsAsync(); ViewData["ReturnUrl"] = returnUrl; return(View(model)); }