public async Task <IActionResult> Edit(string id, string returnUrl = null)
{
if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageApplications))
{
return(Forbid());
}
var application = await _applicationManager.FindByPhysicalIdAsync(id);
if (application == null)
{
return(NotFound());
}
Task <bool> HasPermissionAsync(string permission) => _applicationManager.HasPermissionAsync(application, permission);
var model = new EditOpenIdApplicationViewModel
{
AllowAuthorizationCodeFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode),
AllowClientCredentialsFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.ClientCredentials),
AllowImplicitFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.Implicit),
AllowPasswordFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.Password),
AllowRefreshTokenFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.RefreshToken),
AllowLogoutEndpoint = await HasPermissionAsync(OpenIddictConstants.Permissions.Endpoints.Logout),
ClientId = await _applicationManager.GetClientIdAsync(application),
ConsentType = await _applicationManager.GetConsentTypeAsync(application),
DisplayName = await _applicationManager.GetDisplayNameAsync(application),
Id = await _applicationManager.GetPhysicalIdAsync(application),
PostLogoutRedirectUris = string.Join(" ", await _applicationManager.GetPostLogoutRedirectUrisAsync(application)),
RedirectUris = string.Join(" ", await _applicationManager.GetRedirectUrisAsync(application)),
Type = await _applicationManager.GetClientTypeAsync(application)
};
var roleService = HttpContext.RequestServices?.GetService <IRoleService>();
if (roleService != null)
{
var roles = await _applicationManager.GetRolesAsync(application);
foreach (var role in await roleService.GetRoleNamesAsync())
{
model.RoleEntries.Add(new EditOpenIdApplicationViewModel.RoleEntry
{
Name = role,
Selected = roles.Contains(role, StringComparer.OrdinalIgnoreCase)
});
}
}
else
{
_notifier.Warning(H["There are no registered services to provide roles."]);
}
ViewData[nameof(OpenIdServerSettings)] = await GetServerSettingsAsync();
ViewData["ReturnUrl"] = returnUrl;
return(View(model));
}
private async Task <IActionResult> ExchangeClientCredentialsGrantType(OpenIdConnectRequest request)
{
// Note: client authentication is always enforced by OpenIddict before this action is invoked.
var application = await _applicationManager.FindByClientIdAsync(request.ClientId);
if (application == null)
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIddictConstants.Errors.InvalidClient,
ErrorDescription = T["The specified 'client_id' parameter is invalid."]
}));
}
var identity = new ClaimsIdentity(
OpenIddictServerDefaults.AuthenticationScheme,
OpenIddictConstants.Claims.Name,
OpenIddictConstants.Claims.Role);
identity.AddClaim(OpenIddictConstants.Claims.Subject, request.ClientId);
identity.AddClaim(OpenIddictConstants.Claims.Name,
await _applicationManager.GetDisplayNameAsync(application),
OpenIddictConstants.Destinations.AccessToken,
OpenIddictConstants.Destinations.IdentityToken);
foreach (var role in await _applicationManager.GetRolesAsync(application))
{
identity.AddClaim(identity.RoleClaimType, role,
OpenIddictConstants.Destinations.AccessToken,
OpenIddictConstants.Destinations.IdentityToken);
foreach (var claim in await _roleManager.GetClaimsAsync(await _roleManager.FindByIdAsync(role)))
{
identity.AddClaim(claim.Type, claim.Value,
OpenIddictConstants.Destinations.AccessToken,
OpenIddictConstants.Destinations.IdentityToken);
}
}
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
OpenIddictServerDefaults.AuthenticationScheme);
ticket.SetResources(await GetResourcesAsync(request.GetScopes()));
return(SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme));
}
private async Task <IActionResult> ExchangeClientCredentialsGrantType(OpenIddictRequest request)
{
// Note: client authentication is always enforced by OpenIddict before this action is invoked.
var application = await _applicationManager.FindByClientIdAsync(request.ClientId) ??
throw new InvalidOperationException("The application details cannot be found.");
var identity = new ClaimsIdentity(
OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
Claims.Name, Claims.Role);
identity.AddClaim(OpenIdConstants.Claims.EntityType, OpenIdConstants.EntityTypes.Application,
Destinations.AccessToken, Destinations.IdentityToken);
identity.AddClaim(Claims.Subject, request.ClientId,
Destinations.AccessToken, Destinations.IdentityToken);
identity.AddClaim(Claims.Name,
await _applicationManager.GetDisplayNameAsync(application),
Destinations.AccessToken, Destinations.IdentityToken);
// If the role service is available, add all the role claims
// associated with the application roles in the database.
var roleService = HttpContext.RequestServices.GetService <IRoleService>();
foreach (var role in await _applicationManager.GetRolesAsync(application))
{
identity.AddClaim(identity.RoleClaimType, role,
Destinations.AccessToken, Destinations.IdentityToken);
if (roleService != null)
{
foreach (var claim in await roleService.GetRoleClaimsAsync(role))
{
identity.AddClaim(claim.SetDestinations(Destinations.AccessToken, Destinations.IdentityToken));
}
}
}
var principal = new ClaimsPrincipal(identity);
principal.SetResources(await GetResourcesAsync(request.GetScopes()));
return(SignIn(principal, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme));
}
private async Task <IActionResult> ExchangeClientCredentialsGrantType(OpenIdConnectRequest request)
{
// Note: client authentication is always enforced by OpenIddict before this action is invoked.
var application = await _applicationManager.FindByClientIdAsync(request.ClientId);
if (application == null)
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIddictConstants.Errors.InvalidClient,
ErrorDescription = S["The specified 'client_id' parameter is invalid."]
}));
}
var identity = new ClaimsIdentity(
OpenIddictServerDefaults.AuthenticationScheme,
OpenIddictConstants.Claims.Name,
OpenIddictConstants.Claims.Role);
identity.AddClaim(OpenIdConstants.Claims.EntityType, OpenIdConstants.EntityTypes.Application,
OpenIddictConstants.Destinations.AccessToken,
OpenIddictConstants.Destinations.IdentityToken);
identity.AddClaim(OpenIddictConstants.Claims.Subject, request.ClientId,
OpenIddictConstants.Destinations.AccessToken,
OpenIddictConstants.Destinations.IdentityToken);
identity.AddClaim(OpenIddictConstants.Claims.Name,
await _applicationManager.GetDisplayNameAsync(application),
OpenIddictConstants.Destinations.AccessToken,
OpenIddictConstants.Destinations.IdentityToken);
// If the role service is available, add all the role claims
// associated with the application roles in the database.
var roleService = HttpContext.RequestServices.GetService <IRoleService>();
foreach (var role in await _applicationManager.GetRolesAsync(application))
{
identity.AddClaim(identity.RoleClaimType, role,
OpenIddictConstants.Destinations.AccessToken,
OpenIddictConstants.Destinations.IdentityToken);
if (roleService != null)
{
foreach (var claim in await roleService.GetRoleClaimsAsync(role))
{
identity.AddClaim(claim.SetDestinations(
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken));
}
}
}
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
OpenIddictServerDefaults.AuthenticationScheme);
ticket.SetResources(await GetResourcesAsync(request.GetScopes()));
return(SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme));
}
public async Task <IActionResult> Edit(string id, string returnUrl = null)
{
if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageApplications))
{
return(Forbid());
}
var application = await _applicationManager.FindByPhysicalIdAsync(id);
if (application == null)
{
return(NotFound());
}
ValueTask <bool> HasPermissionAsync(string permission) => _applicationManager.HasPermissionAsync(application, permission);
var model = new EditOpenIdApplicationViewModel
{
AllowAuthorizationCodeFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode) &&
await HasPermissionAsync(OpenIddictConstants.Permissions.ResponseTypes.Code),
AllowClientCredentialsFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.ClientCredentials),
// Note: the hybrid flow doesn't have a dedicated grant_type but is treated as a combination
// of both the authorization code and implicit grants. As such, to determine whether the hybrid
// flow is enabled, both the authorization code grant and the implicit grant MUST be enabled.
AllowHybridFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode) &&
await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.Implicit) &&
(await HasPermissionAsync(OpenIddictConstants.Permissions.ResponseTypes.CodeIdToken) ||
await HasPermissionAsync(OpenIddictConstants.Permissions.ResponseTypes.CodeIdTokenToken) ||
await HasPermissionAsync(OpenIddictConstants.Permissions.ResponseTypes.CodeToken)),
AllowImplicitFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.Implicit) &&
(await HasPermissionAsync(OpenIddictConstants.Permissions.ResponseTypes.IdToken) ||
await HasPermissionAsync(OpenIddictConstants.Permissions.ResponseTypes.IdTokenToken) ||
await HasPermissionAsync(OpenIddictConstants.Permissions.ResponseTypes.Token)),
AllowPasswordFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.Password),
AllowRefreshTokenFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.RefreshToken),
AllowLogoutEndpoint = await HasPermissionAsync(OpenIddictConstants.Permissions.Endpoints.Logout),
ClientId = await _applicationManager.GetClientIdAsync(application),
ConsentType = await _applicationManager.GetConsentTypeAsync(application),
DisplayName = await _applicationManager.GetDisplayNameAsync(application),
Id = await _applicationManager.GetPhysicalIdAsync(application),
PostLogoutRedirectUris = string.Join(" ", await _applicationManager.GetPostLogoutRedirectUrisAsync(application)),
RedirectUris = string.Join(" ", await _applicationManager.GetRedirectUrisAsync(application)),
Type = await _applicationManager.GetClientTypeAsync(application)
};
var roleService = HttpContext.RequestServices?.GetService <IRoleService>();
if (roleService != null)
{
var roles = await _applicationManager.GetRolesAsync(application);
foreach (var role in await roleService.GetRoleNamesAsync())
{
model.RoleEntries.Add(new EditOpenIdApplicationViewModel.RoleEntry
{
Name = role,
Selected = roles.Contains(role, StringComparer.OrdinalIgnoreCase)
});
}
}
else
{
await _notifier.WarningAsync(H["There are no registered services to provide roles."]);
}
var permissions = await _applicationManager.GetPermissionsAsync(application);
await foreach (var scope in _scopeManager.ListAsync())
{
var scopeName = await _scopeManager.GetNameAsync(scope);
model.ScopeEntries.Add(new EditOpenIdApplicationViewModel.ScopeEntry
{
Name = scopeName,
Selected = await _applicationManager.HasPermissionAsync(application, OpenIddictConstants.Permissions.Prefixes.Scope + scopeName)
});
}
ViewData[nameof(OpenIdServerSettings)] = await GetServerSettingsAsync();
ViewData["ReturnUrl"] = returnUrl;
return(View(model));
}