public async Task <IActionResult> Authorize(OpenIdConnectRequest request)
{
if (!User.Identity.IsAuthenticated)
{
// If the client application request promptless authentication,
// return an error indicating that the user is not logged in.
if (request.HasPrompt(OpenIdConnectConstants.Prompts.None))
{
var properties = new AuthenticationProperties(new Dictionary <string, string>
{
[OpenIdConnectConstants.Properties.Error] = OpenIdConnectConstants.Errors.LoginRequired,
[OpenIdConnectConstants.Properties.ErrorDescription] = "The user is not logged in."
});
// Ask OpenIddict to return a login_required error to the client application.
return(Forbid(properties, OpenIdConnectServerDefaults.AuthenticationScheme));
}
return(Challenge());
}
// Retrieve the profile of the logged in user.
var user = await _userManager.GetUserAsync(User);
if (user == null)
{
return(_notice.Error(this, OpenIdConnectConstants.Errors.ServerError));
}
// Create a new authentication ticket.
var ticket = await CreateTicketAsync(request, user);
// Returning a SignInResult will ask OpenIddict to issue the appropriate access/identity tokens.
return(SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme));
}
private IActionResult RedirectToLoginPage(OpenIdConnectRequest request)
{
// If the client application requested promptless authentication,
// return an error indicating that the user is not logged in.
if (request.HasPrompt(OpenIddictConstants.Prompts.None))
{
return(RedirectToClient(new OpenIdConnectResponse
{
Error = OpenIddictConstants.Errors.LoginRequired,
ErrorDescription = T["The user is not logged in."]
}));
}
string GetRedirectUrl()
{
// Override the prompt parameter to prevent infinite authentication/authorization loops.
var parameters = Request.Query.ToDictionary(kvp => kvp.Key, kvp => kvp.Value);
parameters[OpenIddictConstants.Parameters.Prompt] = "continue";
return(Request.PathBase + Request.Path + QueryString.Create(parameters));
}
var properties = new AuthenticationProperties
{
RedirectUri = GetRedirectUrl()
};
return(Challenge(properties, IdentityConstants.ApplicationScheme));
}
public async Task <IActionResult> Authorize(OpenIdConnectRequest request)
{
if (!User.Identity.IsAuthenticated)
{
// if it's access_token renew request and user has logged out from IdP then we send error back.
if (request.HasPrompt(OpenIdConnectConstants.Prompts.None))
{
var properties = new AuthenticationProperties(new Dictionary <string, string>
{
[OpenIdConnectConstants.Properties.Error] = OpenIdConnectConstants.Errors.LoginRequired,
[OpenIdConnectConstants.Properties.ErrorDescription] = "The user is not logged in."
});
return(Forbid(properties, OpenIdConnectServerDefaults.AuthenticationScheme));
}
return(Challenge());
}
var user = await _userManager.GetUserAsync(User);
if (user == null)
{
return(View("Error", new ErrorViewModel
{
Error = OpenIdConnectConstants.Errors.ServerError,
ErrorDescription = "An internal server error occured"
}));
}
var ticket = await CreateTicketAsync(request, user);
return(SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme));
}
public async Task <IActionResult> Authorize(OpenIdConnectRequest request)
{
// Retrieve the claims stored in the authentication cookie.
// If they can't be extracted, redirect the user to the login page.
var result = await HttpContext.AuthenticateAsync(CookieAuthenticationDefaults.AuthenticationScheme);
if (!result.Succeeded || request.HasPrompt(OpenIdConnectConstants.Prompts.Login))
{
return(Challenge(request));
}
// If a max_age parameter was provided, ensure that the cookie is not too old.
// If it's too old, automatically redirect the user agent to the login page.
if (request.MaxAge != null && result.Properties.IssuedUtc != null &&
DateTimeOffset.UtcNow - result.Properties.IssuedUtc > TimeSpan.FromSeconds(request.MaxAge.Value))
{
return(Challenge(request));
}
// Create a new authentication ticket.
var ticket = CreateTicket(request, result);
// Returning a SignInResult will ask OpenIddict to issue the appropriate access/identity tokens.
return(SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme));
}
private IActionResult Challenge(OpenIdConnectRequest request)
{
// If the client application requested promptless authentication,
// return an error indicating that the user is not logged in.
if (request.HasPrompt(OpenIdConnectConstants.Prompts.None))
{
var properties = new AuthenticationProperties(new Dictionary <string, string>
{
[OpenIdConnectConstants.Properties.Error] = OpenIdConnectConstants.Errors.LoginRequired,
[OpenIdConnectConstants.Properties.ErrorDescription] = "The user is not logged in."
});
// Ask OpenIddict to return a login_required error to the client application.
return(Forbid(properties, OpenIdConnectServerDefaults.AuthenticationScheme));
}
// Otherwise, simply redirect the user agent to the login endpoint.
else
{
var properties = new AuthenticationProperties
{
RedirectUri = GetRedirectUrl()
};
return(Challenge(properties, CookieAuthenticationDefaults.AuthenticationScheme));
}
}
public async Task <IActionResult> Authorize(OpenIdConnectRequest request)
{
if (!User.Identity.IsAuthenticated)
{
if (request.HasPrompt(OpenIdConnectConstants.Prompts.None))
{
var properties = new AuthenticationProperties(new Dictionary <string, string>
{
[OpenIdConnectConstants.Properties.Error] = OpenIdConnectConstants.Errors.LoginRequired,
[OpenIdConnectConstants.Properties.ErrorDescription] = "The user is not logged in"
});
return(Forbid(properties, OpenIddictServerDefaults.AuthenticationScheme));
}
return(Challenge());
}
var user = await _userManager.GetUserAsync(User);
if (user == null)
{
return(BadRequest());
}
var ticket = await CreateTicketAsync(request, user);
return(SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme));
}
public void HasPrompt_ReturnsExpectedResult(string prompt, bool result)
{
// Arrange
var request = new OpenIdConnectRequest
{
Prompt = prompt
};
// Act and assert
Assert.Equal(result, request.HasPrompt(OpenIdConnectConstants.Prompts.Consent));
}
public void HasPrompt_ThrowsAnExceptionForNullOrEmptyPrompt(string prompt)
{
// Arrange
var request = new OpenIdConnectRequest();
// Act and assert
var exception = Assert.Throws <ArgumentException>(delegate
{
request.HasPrompt(prompt);
});
Assert.Equal("prompt", exception.ParamName);
Assert.StartsWith("The prompt cannot be null or empty.", exception.Message);
}
public async Task <IActionResult> Authorize([ModelBinder(typeof(OpenIddictMvcBinder))] OpenIdConnectRequest request)
{
// This demo only supports first-party clients with prompt=none.
if (!request.HasPrompt(OpenIdConnectConstants.Prompts.None))
{
var properties = new AuthenticationProperties(new Dictionary <string, string>
{
[OpenIdConnectConstants.Properties.Error] = OpenIdConnectConstants.Errors.InvalidRequest,
[OpenIdConnectConstants.Properties.ErrorDescription]
= "The authorization request must have a prompt=none parameter."
});
// Ask OpenIddict to return an access_denied error to the client application.
return(Forbid(properties, OpenIddictServerDefaults.AuthenticationScheme));
}
if (!User.Identity.IsAuthenticated)
{
var properties = new AuthenticationProperties(new Dictionary <string, string>
{
[OpenIdConnectConstants.Properties.Error] = OpenIdConnectConstants.Errors.LoginRequired,
[OpenIdConnectConstants.Properties.ErrorDescription] = "The user is not logged in."
});
// Ask OpenIddict to return a login_required error to the client application.
return(Forbid(properties, OpenIddictServerDefaults.AuthenticationScheme));
}
// Retrieve the profile of the logged in user.
var user = await _userManager.GetUserAsync(User);
if (user == null)
{
var properties = new AuthenticationProperties(new Dictionary <string, string>
{
[OpenIdConnectConstants.Properties.Error] = OpenIdConnectConstants.Errors.LoginRequired,
[OpenIdConnectConstants.Properties.ErrorDescription] = "The user's account has been deleted."
});
// Ask OpenIddict to return a login_required error to the client application.
return(Forbid(properties, OpenIddictServerDefaults.AuthenticationScheme));
}
// Create a new authentication ticket.
var ticket = await CreateTicketAsync(request, user);
// Returning a SignInResult will ask OpenIddict to issue the appropriate access/identity tokens.
return(SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme));
}
public async Task <IActionResult> Authorize(OpenIdConnectRequest request)
{
Debug.Assert(request.IsAuthorizationRequest(),
"The OpenIddict binder for ASP.NET Core MVC is not registered. " +
"Make sure services.AddOpenIddict().AddMvcBinders() is correctly called.");
if (!User.Identity.IsAuthenticated)
{
// If the client application request promptless authentication,
// return an error indicating that the user is not logged in.
if (request.HasPrompt(OpenIdConnectConstants.Prompts.None))
{
var properties = new AuthenticationProperties(new Dictionary <string, string>
{
[OpenIdConnectConstants.Properties.Error] = OpenIdConnectConstants.Errors.LoginRequired,
[OpenIdConnectConstants.Properties.ErrorDescription] = "The user is not logged in."
});
// Ask OpenIddict to return a login_required error to the client application.
return(Forbid(properties, OpenIdConnectServerDefaults.AuthenticationScheme));
}
return(Challenge());
}
// Retrieve the application details from the database.
var application =
await applicationManager.FindByClientIdAsync(request.ClientId, HttpContext.RequestAborted);
if (application == null)
{
return(View("Error", new ErrorViewModel
{
Error = OpenIdConnectConstants.Errors.InvalidClient,
ErrorDescription =
"Details concerning the calling client application cannot be found in the database."
}));
}
// Flow the request_id to allow OpenIddict to restore
// the original authorization request from the cache.
return(View(new AuthorizeViewModel
{
ApplicationName = application.DisplayName,
RequestId = request.RequestId,
Scope = request.Scope
}));
}
public async Task <IActionResult> Authorize(OpenIdConnectRequest request)
{
Debug.Assert(request.IsAuthorizationRequest(),
"The OpenIddict binder for ASP.NET Core MVC is not registered. " +
"Make sure services.AddOpenIddict().AddMvcBinders() is correctly called.");
if (!User.Identity.IsAuthenticated)
{
// If the client application request promptless authentication,
// return an error indicating that the user is not logged in.
if (request.HasPrompt(OpenIdConnectConstants.Prompts.None))
{
var properties = new AuthenticationProperties(new Dictionary <string, string>
{
[OpenIdConnectConstants.Properties.Error] = OpenIdConnectConstants.Errors.LoginRequired,
[OpenIdConnectConstants.Properties.ErrorDescription] = "The user is not logged in."
});
// Ask OpenIddict to return a login_required error to the client application.
return(Forbid(properties, OpenIdConnectServerDefaults.AuthenticationScheme));
}
return(Challenge());
}
// Retrieve the profile of the logged in user.
var user = await _userManager.GetUserAsync(User);
if (user == null)
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "The username/password couple is invalid."
}));
}
// Create a new authentication ticket.
var ticket = await CreateTicketAsync(request, user);
// Returning a SignInResult will ask OpenIddict to issue the appropriate access/identity tokens.
return(SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme));
}
public async Task <IActionResult> Authorize(OpenIdConnectRequest request)
{
// Retrieve the claims stored in the authentication cookie.
// If they can't be extracted, redirect the user to the login page.
var result = await HttpContext.AuthenticateAsync();
if (result == null || !result.Succeeded || request.HasPrompt(OpenIddictConstants.Prompts.Login))
{
return(RedirectToLoginPage(request));
}
// If a max_age parameter was provided, ensure that the cookie is not too old.
// If it's too old, automatically redirect the user agent to the login page.
if (request.MaxAge != null && result.Properties.IssuedUtc != null &&
DateTimeOffset.UtcNow - result.Properties.IssuedUtc > TimeSpan.FromSeconds(request.MaxAge.Value))
{
return(RedirectToLoginPage(request));
}
var application = await _applicationManager.FindByClientIdAsync(request.ClientId);
if (application == null)
{
return(View("Error", new ErrorViewModel
{
Error = OpenIddictConstants.Errors.InvalidClient,
ErrorDescription = T["The specified 'client_id' parameter is invalid."]
}));
}
var authorizations = await _authorizationManager.FindAsync(
subject : _userManager.GetUserId(result.Principal),
client : await _applicationManager.GetIdAsync(application),
status : OpenIddictConstants.Statuses.Valid,
type : OpenIddictConstants.AuthorizationTypes.Permanent,
scopes : ImmutableArray.CreateRange(request.GetScopes()));
switch (await _applicationManager.GetConsentTypeAsync(application))
{
case OpenIddictConstants.ConsentTypes.External when authorizations.IsEmpty:
return(RedirectToClient(new OpenIdConnectResponse
{
Error = OpenIddictConstants.Errors.ConsentRequired,
ErrorDescription = T["The logged in user is not allowed to access this client application."]
}));
case OpenIddictConstants.ConsentTypes.Implicit:
case OpenIddictConstants.ConsentTypes.External when authorizations.Any():
case OpenIddictConstants.ConsentTypes.Explicit when authorizations.Any() &&
!request.HasPrompt(OpenIddictConstants.Prompts.Consent):
return(await IssueTokensAsync(result.Principal, request, application, authorizations.LastOrDefault()));
case OpenIddictConstants.ConsentTypes.Explicit when request.HasPrompt(OpenIddictConstants.Prompts.None):
return(RedirectToClient(new OpenIdConnectResponse
{
Error = OpenIddictConstants.Errors.ConsentRequired,
ErrorDescription = T["Interactive user consent is required."]
}));
default:
return(View(new AuthorizeViewModel
{
ApplicationName = await _applicationManager.GetDisplayNameAsync(application),
RequestId = request.RequestId,
Scope = request.Scope
}));
}
}
