public async Task<IActionResult> Authorize(OpenIdConnectRequest request)
{
    // Anonymous caller. With prompt=none the client forbids any UI, so the only
    // answer is a login_required error handed back through OpenIddict; otherwise
    // the default challenge sends the user agent to the login page.
    if (!User.Identity.IsAuthenticated)
    {
        if (!request.HasPrompt(OpenIdConnectConstants.Prompts.None))
        {
            return Challenge();
        }

        var errorProperties = new AuthenticationProperties(new Dictionary<string, string>
        {
            [OpenIdConnectConstants.Properties.Error] = OpenIdConnectConstants.Errors.LoginRequired,
            [OpenIdConnectConstants.Properties.ErrorDescription] = "The user is not logged in."
        });

        return Forbid(errorProperties, OpenIdConnectServerDefaults.AuthenticationScheme);
    }

    // NOTE(review): neither prompt=login nor max_age is examined here, so an existing
    // session is always reused even when the client asked for fresh authentication.
    var user = await _userManager.GetUserAsync(User);
    if (user == null)
    {
        // Authenticated principal with no backing store record: report a server error.
        return _notice.Error(this, OpenIdConnectConstants.Errors.ServerError);
    }

    // The ticket carries the principal and properties OpenIddict turns into tokens.
    var ticket = await CreateTicketAsync(request, user);
    return SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme);
}
private IActionResult RedirectToLoginPage(OpenIdConnectRequest request)
{
    // prompt=none forbids any interaction: report login_required to the client instead of redirecting.
    if (request.HasPrompt(OpenIddictConstants.Prompts.None))
    {
        var response = new OpenIdConnectResponse
        {
            Error = OpenIddictConstants.Errors.LoginRequired,
            ErrorDescription = T["The user is not logged in."]
        };
        return RedirectToClient(response);
    }

    // Return URL = this same authorization request (path base + path + current query string).
    // It is built from the current request's own path, not from a client-supplied value,
    // so the post-login redirect stays local. The prompt parameter is overwritten so the
    // re-entered request cannot trigger another login challenge and loop forever.
    var parameters = Request.Query.ToDictionary(kvp => kvp.Key, kvp => kvp.Value);
    parameters[OpenIddictConstants.Parameters.Prompt] = "continue";
    var returnUrl = Request.PathBase + Request.Path + QueryString.Create(parameters);

    var properties = new AuthenticationProperties
    {
        RedirectUri = returnUrl
    };

    return Challenge(properties, IdentityConstants.ApplicationScheme);
}
public async Task<IActionResult> Authorize(OpenIdConnectRequest request)
{
    if (!User.Identity.IsAuthenticated)
    {
        // prompt=none (typically a silent token-renewal request) allows no UI: when the
        // IdP session is gone, the only option is a login_required error back to the client.
        if (request.HasPrompt(OpenIdConnectConstants.Prompts.None))
        {
            var errorProperties = new AuthenticationProperties(new Dictionary<string, string>
            {
                [OpenIdConnectConstants.Properties.Error] = OpenIdConnectConstants.Errors.LoginRequired,
                [OpenIdConnectConstants.Properties.ErrorDescription] = "The user is not logged in."
            });

            return Forbid(errorProperties, OpenIdConnectServerDefaults.AuthenticationScheme);
        }

        // Interactive request: the default challenge sends the user agent to the login page.
        return Challenge();
    }

    // NOTE(review): prompt=login and max_age are not checked, so an existing session is
    // always reused even when the client asked for fresh authentication.
    var user = await _userManager.GetUserAsync(User);
    if (user == null)
    {
        // Authenticated principal with no matching store record: render the error page.
        var model = new ErrorViewModel
        {
            Error = OpenIdConnectConstants.Errors.ServerError,
            ErrorDescription = "An internal server error occured"
        };
        return View("Error", model);
    }

    var ticket = await CreateTicketAsync(request, user);
    return SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme);
}
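public async Task<IActionResult> Authorize(OpenIdConnectRequest request)
{
    // Resolve the identity carried by the local authentication cookie.
    // No usable cookie, or an explicit prompt=login, sends the user agent to the login page
    // (the Challenge(request) helper turns this into login_required when prompt=none forbids UI).
    var result = await HttpContext.AuthenticateAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    if (!result.Succeeded || request.HasPrompt(OpenIdConnectConstants.Prompts.Login))
    {
        return Challenge(request);
    }

    // max_age: the cookie must have been issued no more than max_age seconds ago.
    // Fail closed: a cookie without an issuance timestamp cannot prove its age, so it is
    // treated as too old instead of silently satisfying the client's freshness requirement
    // (the previous check skipped max_age entirely when IssuedUtc was null).
    if (request.MaxAge != null)
    {
        var issuedUtc = result.Properties?.IssuedUtc;
        if (issuedUtc == null || DateTimeOffset.UtcNow - issuedUtc.Value > TimeSpan.FromSeconds(request.MaxAge.Value))
        {
            return Challenge(request);
        }
    }

    // NOTE(review): when max_age is honored the id_token is expected to carry auth_time;
    // CreateTicket is not visible here — confirm it sets that claim.
    var ticket = CreateTicket(request, result);

    // Returning a SignInResult asks OpenIddict to issue the access/identity tokens.
    return SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme);
}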
private IActionResult Challenge(OpenIdConnectRequest request)
{
    // Interactive request: bounce the user agent to the cookie scheme's login endpoint,
    // returning to GetRedirectUrl() once the user has signed in.
    if (!request.HasPrompt(OpenIdConnectConstants.Prompts.None))
    {
        var loginProperties = new AuthenticationProperties
        {
            RedirectUri = GetRedirectUrl()
        };

        return Challenge(loginProperties, CookieAuthenticationDefaults.AuthenticationScheme);
    }

    // prompt=none forbids any UI: hand a login_required error back to the client via OpenIddict.
    var errorProperties = new AuthenticationProperties(new Dictionary<string, string>
    {
        [OpenIdConnectConstants.Properties.Error] = OpenIdConnectConstants.Errors.LoginRequired,
        [OpenIdConnectConstants.Properties.ErrorDescription] = "The user is not logged in."
    });

    return Forbid(errorProperties, OpenIdConnectServerDefaults.AuthenticationScheme);
}
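public async Task<IActionResult> Authorize(OpenIdConnectRequest request)
{
    // Builds the properties OpenIddict turns into an error response for the client.
    AuthenticationProperties ErrorProperties(string error, string description)
    {
        return new AuthenticationProperties(new Dictionary<string, string>
        {
            [OpenIdConnectConstants.Properties.Error] = error,
            [OpenIdConnectConstants.Properties.ErrorDescription] = description
        });
    }

    if (!User.Identity.IsAuthenticated)
    {
        // prompt=none forbids any UI: report login_required instead of redirecting to login.
        if (request.HasPrompt(OpenIdConnectConstants.Prompts.None))
        {
            return Forbid(
                ErrorProperties(OpenIdConnectConstants.Errors.LoginRequired, "The user is not logged in"),
                OpenIddictServerDefaults.AuthenticationScheme);
        }

        return Challenge();
    }

    var user = await _userManager.GetUserAsync(User);
    if (user == null)
    {
        // The cookie authenticates a principal the user store no longer knows (e.g. a deleted
        // account). Previously this returned a bare 400 to what is a browser redirect flow, so
        // the client never received an OIDC error and could not recover. Report login_required
        // through OpenIddict instead so the client can start a fresh login.
        // TODO(review): consider also signing out the stale cookie here; the scheme is not visible.
        return Forbid(
            ErrorProperties(OpenIdConnectConstants.Errors.LoginRequired, "The user's account has been deleted."),
            OpenIddictServerDefaults.AuthenticationScheme);
    }

    // NOTE(review): prompt=login and max_age are not checked, so an existing session is reused
    // even when the client asked for fresh authentication.
    var ticket = await CreateTicketAsync(request, user);
    return SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme);
}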
public void HasPrompt_ReturnsExpectedResult(string prompt, bool result)
{
    // Arrange: a request whose raw prompt parameter is the string under test.
    var request = new OpenIdConnectRequest
    {
        Prompt = prompt
    };

    // Act: ask whether the "consent" prompt value is present.
    var hasConsent = request.HasPrompt(OpenIdConnectConstants.Prompts.Consent);

    // Assert
    Assert.Equal(result, hasConsent);
}
public void HasPrompt_ThrowsAnExceptionForNullOrEmptyPrompt(string prompt)
{
    // Arrange
    var request = new OpenIdConnectRequest();

    // Act: a null/empty prompt is rejected by the argument guard.
    var exception = Assert.Throws<ArgumentException>(() => request.HasPrompt(prompt));

    // Assert: the guard names the offending parameter and uses the documented message prefix.
    Assert.Equal("prompt", exception.ParamName);
    Assert.StartsWith("The prompt cannot be null or empty.", exception.Message);
}
public async Task<IActionResult> Authorize([ModelBinder(typeof(OpenIddictMvcBinder))] OpenIdConnectRequest request)
{
    // Every rejection in this action is an error handed back to the client through OpenIddict.
    IActionResult Reject(string error, string description)
    {
        var properties = new AuthenticationProperties(new Dictionary<string, string>
        {
            [OpenIdConnectConstants.Properties.Error] = error,
            [OpenIdConnectConstants.Properties.ErrorDescription] = description
        });

        return Forbid(properties, OpenIddictServerDefaults.AuthenticationScheme);
    }

    // This demo only serves first-party clients that request prompt=none; anything
    // else is an invalid_request (the error set below is invalid_request, not access_denied).
    if (!request.HasPrompt(OpenIdConnectConstants.Prompts.None))
    {
        return Reject(
            OpenIdConnectConstants.Errors.InvalidRequest,
            "The authorization request must have a prompt=none parameter.");
    }

    // No UI is allowed with prompt=none, so a missing session becomes login_required.
    if (!User.Identity.IsAuthenticated)
    {
        return Reject(OpenIdConnectConstants.Errors.LoginRequired, "The user is not logged in.");
    }

    // A principal that no longer maps to a stored user is reported the same way.
    var user = await _userManager.GetUserAsync(User);
    if (user == null)
    {
        return Reject(OpenIdConnectConstants.Errors.LoginRequired, "The user's account has been deleted.");
    }

    // Returning a SignInResult asks OpenIddict to issue the access/identity tokens.
    var ticket = await CreateTicketAsync(request, user);
    return SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme);
}
public async Task<IActionResult> Authorize(OpenIdConnectRequest request)
{
    Debug.Assert(request.IsAuthorizationRequest(),
        "The OpenIddict binder for ASP.NET Core MVC is not registered. " +
        "Make sure services.AddOpenIddict().AddMvcBinders() is correctly called.");

    if (!User.Identity.IsAuthenticated)
    {
        // prompt=none forbids any UI: hand login_required back to the client via OpenIddict.
        if (request.HasPrompt(OpenIdConnectConstants.Prompts.None))
        {
            var errorProperties = new AuthenticationProperties(new Dictionary<string, string>
            {
                [OpenIdConnectConstants.Properties.Error] = OpenIdConnectConstants.Errors.LoginRequired,
                [OpenIdConnectConstants.Properties.ErrorDescription] = "The user is not logged in."
            });

            return Forbid(errorProperties, OpenIdConnectServerDefaults.AuthenticationScheme);
        }

        // Interactive request: the default challenge sends the user agent to the login page.
        return Challenge();
    }

    // Look up the calling client so the consent page can name it.
    var application = await applicationManager.FindByClientIdAsync(request.ClientId, HttpContext.RequestAborted);
    if (application == null)
    {
        var errorModel = new ErrorViewModel
        {
            Error = OpenIdConnectConstants.Errors.InvalidClient,
            ErrorDescription = "Details concerning the calling client application cannot be found in the database."
        };
        return View("Error", errorModel);
    }

    // Render the consent form. request_id is flowed so OpenIddict can restore the
    // original authorization request from its cache when the form is posted back.
    var model = new AuthorizeViewModel
    {
        ApplicationName = application.DisplayName,
        RequestId = request.RequestId,
        Scope = request.Scope
    };

    return View(model);
}
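public async Task<IActionResult> Authorize(OpenIdConnectRequest request)
{
    Debug.Assert(request.IsAuthorizationRequest(),
        "The OpenIddict binder for ASP.NET Core MVC is not registered. " +
        "Make sure services.AddOpenIddict().AddMvcBinders() is correctly called.");

    // Builds the properties OpenIddict turns into an error response for the client.
    AuthenticationProperties ErrorProperties(string error, string description)
    {
        return new AuthenticationProperties(new Dictionary<string, string>
        {
            [OpenIdConnectConstants.Properties.Error] = error,
            [OpenIdConnectConstants.Properties.ErrorDescription] = description
        });
    }

    if (!User.Identity.IsAuthenticated)
    {
        // prompt=none forbids any UI: report login_required instead of redirecting to login.
        if (request.HasPrompt(OpenIdConnectConstants.Prompts.None))
        {
            return Forbid(
                ErrorProperties(OpenIdConnectConstants.Errors.LoginRequired, "The user is not logged in."),
                OpenIdConnectServerDefaults.AuthenticationScheme);
        }

        return Challenge();
    }

    var user = await _userManager.GetUserAsync(User);
    if (user == null)
    {
        // The cookie authenticates a principal the user store no longer knows (e.g. a deleted
        // account). The previous response was a raw 400 carrying invalid_grant and a
        // "username/password couple is invalid" message copied from the token endpoint:
        // invalid_grant is not an authorization-endpoint error and a redirected browser client
        // never sees that JSON body. Report login_required through OpenIddict instead so the
        // client can start a fresh login.
        // TODO(review): consider also signing out the stale cookie here; the scheme is not visible.
        return Forbid(
            ErrorProperties(OpenIdConnectConstants.Errors.LoginRequired, "The user's account has been deleted."),
            OpenIdConnectServerDefaults.AuthenticationScheme);
    }

    // NOTE(review): prompt=login and max_age are not checked, so an existing session is reused
    // even when the client asked for fresh authentication.
    var ticket = await CreateTicketAsync(request, user);

    // Returning a SignInResult asks OpenIddict to issue the access/identity tokens.
    return SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme);
}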
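public async Task<IActionResult> Authorize(OpenIdConnectRequest request)
{
    // Resolve the local session via the default authentication scheme. A missing or
    // failed authentication, or an explicit prompt=login, sends the user to the login page
    // (RedirectToLoginPage turns this into login_required when prompt=none forbids UI).
    var result = await HttpContext.AuthenticateAsync();
    if (result == null || !result.Succeeded || request.HasPrompt(OpenIddictConstants.Prompts.Login))
    {
        return RedirectToLoginPage(request);
    }

    // max_age: the session must have been established no more than max_age seconds ago.
    // Fail closed: a session without an issuance timestamp cannot prove its age, so it is
    // treated as expired instead of silently satisfying the client's freshness requirement
    // (the previous check skipped max_age entirely when IssuedUtc was null).
    if (request.MaxAge != null)
    {
        var issuedUtc = result.Properties?.IssuedUtc;
        if (issuedUtc == null || DateTimeOffset.UtcNow - issuedUtc.Value > TimeSpan.FromSeconds(request.MaxAge.Value))
        {
            return RedirectToLoginPage(request);
        }
    }

    var application = await _applicationManager.FindByClientIdAsync(request.ClientId);
    if (application == null)
    {
        return View("Error", new ErrorViewModel
        {
            Error = OpenIddictConstants.Errors.InvalidClient,
            ErrorDescription = T["The specified 'client_id' parameter is invalid."]
        });
    }

    // Valid, permanent authorizations this user previously granted to this client,
    // filtered by the requested scopes (scope matching is done by the manager).
    var authorizations = await _authorizationManager.FindAsync(
        subject: _userManager.GetUserId(result.Principal),
        client: await _applicationManager.GetIdAsync(application),
        status: OpenIddictConstants.Statuses.Valid,
        type: OpenIddictConstants.AuthorizationTypes.Permanent,
        scopes: ImmutableArray.CreateRange(request.GetScopes()));

    switch (await _applicationManager.GetConsentTypeAsync(application))
    {
        // External consent with no pre-existing authorization: the user cannot grant it
        // interactively, so the client gets consent_required.
        case OpenIddictConstants.ConsentTypes.External when authorizations.IsEmpty:
            return RedirectToClient(new OpenIdConnectResponse
            {
                Error = OpenIddictConstants.Errors.ConsentRequired,
                ErrorDescription = T["The logged in user is not allowed to access this client application."]
            });

        // No consent form needed: implicit consent, an existing external authorization, or an
        // existing explicit authorization the client did not ask to re-confirm (prompt=consent).
        case OpenIddictConstants.ConsentTypes.Implicit:
        case OpenIddictConstants.ConsentTypes.External when authorizations.Any():
        case OpenIddictConstants.ConsentTypes.Explicit when authorizations.Any() && !request.HasPrompt(OpenIddictConstants.Prompts.Consent):
            return await IssueTokensAsync(result.Principal, request, application, authorizations.LastOrDefault());

        // Consent is needed but the client forbade any UI.
        case OpenIddictConstants.ConsentTypes.Explicit when request.HasPrompt(OpenIddictConstants.Prompts.None):
            return RedirectToClient(new OpenIdConnectResponse
            {
                Error = OpenIddictConstants.Errors.ConsentRequired,
                ErrorDescription = T["Interactive user consent is required."]
            });

        // Otherwise render the consent form; request_id lets OpenIddict restore the cached request.
        default:
            return View(new AuthorizeViewModel
            {
                ApplicationName = await _applicationManager.GetDisplayNameAsync(application),
                RequestId = request.RequestId,
                Scope = request.Scope
            });
    }
}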