public async Task UpdateSettingsAsync(OpenIdServerSettings settings) { if (settings == null) { throw new ArgumentNullException(nameof(settings)); } var container = await _siteService.GetSiteSettingsAsync(); container.Properties[nameof(OpenIdServerSettings)] = JObject.FromObject(settings); await _siteService.UpdateSiteSettingsAsync(container); }
private static OpenIdServerSettings CreateSettings(string authority, TokenFormat tokenFormat, bool initializeAllProperties) { var result = new OpenIdServerSettings { Authority = new Uri(authority), AccessTokenFormat = tokenFormat }; if (initializeAllProperties) { result.TokenEndpointPath = "/connect/token"; result.AuthorizationEndpointPath = "/connect/authorize"; result.LogoutEndpointPath = "/connect/logout"; result.UserinfoEndpointPath = "/connect/userinfo"; result.IntrospectionEndpointPath = "/connect/introspect"; result.RevocationEndpointPath = "/connect/revoke"; result.EncryptionCertificateStoreLocation = StoreLocation.LocalMachine; result.EncryptionCertificateStoreName = StoreName.My; result.EncryptionCertificateThumbprint = Guid.NewGuid().ToString(); result.SigningCertificateStoreLocation = StoreLocation.LocalMachine; result.SigningCertificateStoreName = StoreName.My; result.SigningCertificateThumbprint = Guid.NewGuid().ToString(); result.AllowAuthorizationCodeFlow = true; result.AllowClientCredentialsFlow = true; result.AllowHybridFlow = true; result.AllowImplicitFlow = true; result.AllowPasswordFlow = true; result.AllowRefreshTokenFlow = true; result.DisableAccessTokenEncryption = true; result.DisableRollingRefreshTokens = true; result.UseReferenceAccessTokens = true; result.RequireProofKeyForCodeExchange = true; } return(result); }
private static Mock <IOpenIdServerService> CreateServerServiceWithSettingsMock(OpenIdServerSettings settings) { var serverService = new Mock <IOpenIdServerService>(); serverService .Setup(m => m.GetSettingsAsync()) .ReturnsAsync(settings); serverService .Setup(m => m.LoadSettingsAsync()) .ReturnsAsync(settings); return(serverService); }
public Task <ImmutableArray <ValidationResult> > ValidateSettingsAsync(OpenIdServerSettings settings) { if (settings == null) { throw new ArgumentNullException(nameof(settings)); } var results = ImmutableArray.CreateBuilder <ValidationResult>(); if (settings.GrantTypes.Count == 0) { results.Add(new ValidationResult(T["At least one OpenID Connect flow must be enabled."])); } if (settings.Authority != null) { if (!settings.Authority.IsAbsoluteUri || !settings.Authority.IsWellFormedOriginalString()) { results.Add(new ValidationResult(T["The authority must be a valid absolute URL."], new[] { nameof(settings.Authority) })); } if (!string.IsNullOrEmpty(settings.Authority.Query) || !string.IsNullOrEmpty(settings.Authority.Fragment)) { results.Add(new ValidationResult(T["The authority cannot contain a query string or a fragment."], new[] { nameof(settings.Authority) })); } } if (settings.CertificateStoreLocation != null && settings.CertificateStoreName != null && !string.IsNullOrEmpty(settings.CertificateThumbprint)) { var certificate = GetCertificate( settings.CertificateStoreLocation.Value, settings.CertificateStoreName.Value, settings.CertificateThumbprint); if (certificate == null) { results.Add(new ValidationResult(T["The certificate cannot be found."], new[] { nameof(settings.CertificateThumbprint) })); } else if (!certificate.HasPrivateKey) { results.Add(new ValidationResult(T["The certificate doesn't contain the required private key."], new[] { nameof(settings.CertificateThumbprint) })); } else if (certificate.Archived) { results.Add(new ValidationResult(T["The certificate is not valid because it is marked as archived."], new[] { nameof(settings.CertificateThumbprint) })); } else if (certificate.NotBefore > DateTime.Now || certificate.NotAfter < DateTime.Now) { results.Add(new ValidationResult(T["The certificate is not valid for current date."], new[] { nameof(settings.CertificateThumbprint) })); } } if (settings.GrantTypes.Contains(GrantTypes.Password) && !settings.TokenEndpointPath.HasValue) { results.Add(new ValidationResult(T["The password flow cannot be enabled when the token endpoint is disabled."], new[] { nameof(settings.GrantTypes) })); } if (settings.GrantTypes.Contains(GrantTypes.ClientCredentials) && !settings.TokenEndpointPath.HasValue) { results.Add(new ValidationResult(T["The client credentials flow cannot be enabled when the token endpoint is disabled."], new[] { nameof(settings.GrantTypes) })); } if (settings.GrantTypes.Contains(GrantTypes.AuthorizationCode) && (!settings.AuthorizationEndpointPath.HasValue || !settings.TokenEndpointPath.HasValue)) { results.Add(new ValidationResult(T["The authorization code flow cannot be enabled when the authorization and token endpoints are disabled."], new[] { nameof(settings.GrantTypes) })); } if (settings.GrantTypes.Contains(GrantTypes.RefreshToken)) { if (!settings.TokenEndpointPath.HasValue) { results.Add(new ValidationResult(T["The refresh token flow cannot be enabled when the token endpoint is disabled."], new[] { nameof(settings.GrantTypes) })); } if (!settings.GrantTypes.Contains(GrantTypes.Password) && !settings.GrantTypes.Contains(GrantTypes.AuthorizationCode)) { results.Add(new ValidationResult(T["The refresh token flow can only be enabled if the password, authorization code or hybrid flows are enabled."], new[] { nameof(settings.GrantTypes) })); } } if (settings.GrantTypes.Contains(GrantTypes.Implicit) && !settings.AuthorizationEndpointPath.HasValue) { results.Add(new ValidationResult(T["The implicit flow cannot be enabled when the authorization endpoint is disabled."], new[] { nameof(settings.GrantTypes) })); } return(Task.FromResult(results.ToImmutable())); }
public Task <ImmutableArray <ValidationResult> > ValidateSettingsAsync(OpenIdServerSettings settings) { if (settings == null) { throw new ArgumentNullException(nameof(settings)); } var results = ImmutableArray.CreateBuilder <ValidationResult>(); if (!settings.AllowAuthorizationCodeFlow && !settings.AllowClientCredentialsFlow && !settings.AllowImplicitFlow && !settings.AllowPasswordFlow) { results.Add(new ValidationResult(T["At least one OpenID Connect flow must be enabled."])); } if (!string.IsNullOrEmpty(settings.Authority)) { if (!Uri.TryCreate(settings.Authority, UriKind.Absolute, out Uri uri) || !uri.IsWellFormedOriginalString()) { results.Add(new ValidationResult(T["The authority must be a valid absolute URL."], new[] { nameof(settings.Authority) })); } if (!string.IsNullOrEmpty(uri.Query) || !string.IsNullOrEmpty(uri.Fragment)) { results.Add(new ValidationResult(T["The authority cannot contain a query string or a fragment."], new[] { nameof(settings.Authority) })); } if (!settings.TestingModeEnabled && string.Equals(uri.Scheme, Uri.UriSchemeHttp, StringComparison.OrdinalIgnoreCase)) { results.Add(new ValidationResult(T["The authority cannot be a HTTP URL when the testing mode is disabled."], new[] { nameof(settings.Authority) })); } } if (!settings.TestingModeEnabled) { if (settings.CertificateStoreName == null) { results.Add(new ValidationResult(T["A Certificate Store Name is required."], new[] { nameof(settings.CertificateStoreName) })); } if (settings.CertificateStoreLocation == null) { results.Add(new ValidationResult(T["A Certificate Store Location is required."], new[] { nameof(settings.CertificateStoreLocation) })); } if (string.IsNullOrEmpty(settings.CertificateThumbprint)) { results.Add(new ValidationResult(T["A certificate is required when testing mode is disabled."], new[] { nameof(settings.CertificateThumbprint) })); } if (settings.CertificateStoreLocation != null && settings.CertificateStoreName != null && !string.IsNullOrEmpty(settings.CertificateThumbprint)) { var certificate = GetCertificate(settings.CertificateStoreLocation.Value, settings.CertificateStoreName.Value, settings.CertificateThumbprint); if (certificate == null) { results.Add(new ValidationResult(T["The certificate cannot be found."], new[] { nameof(settings.CertificateThumbprint) })); } if (!certificate.HasPrivateKey) { results.Add(new ValidationResult(T["The certificate doesn't contain the required private key."], new[] { nameof(settings.CertificateThumbprint) })); } if (certificate.Archived) { results.Add(new ValidationResult(T["The certificate is not valid because it is marked as archived."], new[] { nameof(settings.CertificateThumbprint) })); } if (certificate.NotBefore > DateTime.Now || certificate.NotAfter < DateTime.Now) { results.Add(new ValidationResult(T["The certificate is not valid for current date."], new[] { nameof(settings.CertificateThumbprint) })); } } } if (settings.AllowPasswordFlow && !settings.EnableTokenEndpoint) { results.Add(new ValidationResult(T["Password Flow cannot be enabled if Token Endpoint is disabled"], new[] { nameof(settings.AllowPasswordFlow) })); } if (settings.AllowClientCredentialsFlow && !settings.EnableTokenEndpoint) { results.Add(new ValidationResult(T["Client Credentials Flow cannot be enabled if Token Endpoint is disabled"], new[] { nameof(settings.AllowClientCredentialsFlow) })); } if (settings.AllowAuthorizationCodeFlow && (!settings.EnableAuthorizationEndpoint || !settings.EnableTokenEndpoint)) { results.Add(new ValidationResult(T["Authorization Code Flow cannot be enabled if Authorization Endpoint and Token Endpoint are disabled"], new[] { nameof(settings.AllowAuthorizationCodeFlow) })); } if (settings.AllowRefreshTokenFlow) { if (!settings.EnableTokenEndpoint) { results.Add(new ValidationResult(T["Refresh Token Flow cannot be enabled if Token Endpoint is disabled"], new[] { nameof(settings.AllowRefreshTokenFlow) })); } if (!settings.AllowPasswordFlow && !settings.AllowAuthorizationCodeFlow) { results.Add(new ValidationResult(T["Refresh Token Flow only can be enabled if Password Flow, Authorization Code Flow or Hybrid Flow are enabled"], new[] { nameof(settings.AllowRefreshTokenFlow) })); } } if (settings.AllowImplicitFlow && !settings.EnableAuthorizationEndpoint) { results.Add(new ValidationResult(T["Allow Implicit Flow cannot be enabled if Authorization Endpoint is disabled"], new[] { nameof(settings.AllowImplicitFlow) })); } return(Task.FromResult(results.ToImmutable())); }