public async Task UpdateSettingsAsync(OpenIdServerSettings settings)
{
if (settings == null)
{
throw new ArgumentNullException(nameof(settings));
}
var container = await _siteService.GetSiteSettingsAsync();
container.Properties[nameof(OpenIdServerSettings)] = JObject.FromObject(settings);
await _siteService.UpdateSiteSettingsAsync(container);
}
private static OpenIdServerSettings CreateSettings(string authority, TokenFormat tokenFormat, bool initializeAllProperties)
{
var result = new OpenIdServerSettings
{
Authority = new Uri(authority),
AccessTokenFormat = tokenFormat
};
if (initializeAllProperties)
{
result.TokenEndpointPath = "/connect/token";
result.AuthorizationEndpointPath = "/connect/authorize";
result.LogoutEndpointPath = "/connect/logout";
result.UserinfoEndpointPath = "/connect/userinfo";
result.IntrospectionEndpointPath = "/connect/introspect";
result.RevocationEndpointPath = "/connect/revoke";
result.EncryptionCertificateStoreLocation = StoreLocation.LocalMachine;
result.EncryptionCertificateStoreName = StoreName.My;
result.EncryptionCertificateThumbprint = Guid.NewGuid().ToString();
result.SigningCertificateStoreLocation = StoreLocation.LocalMachine;
result.SigningCertificateStoreName = StoreName.My;
result.SigningCertificateThumbprint = Guid.NewGuid().ToString();
result.AllowAuthorizationCodeFlow = true;
result.AllowClientCredentialsFlow = true;
result.AllowHybridFlow = true;
result.AllowImplicitFlow = true;
result.AllowPasswordFlow = true;
result.AllowRefreshTokenFlow = true;
result.DisableAccessTokenEncryption = true;
result.DisableRollingRefreshTokens = true;
result.UseReferenceAccessTokens = true;
result.RequireProofKeyForCodeExchange = true;
}
return(result);
}
private static Mock <IOpenIdServerService> CreateServerServiceWithSettingsMock(OpenIdServerSettings settings)
{
var serverService = new Mock <IOpenIdServerService>();
serverService
.Setup(m => m.GetSettingsAsync())
.ReturnsAsync(settings);
serverService
.Setup(m => m.LoadSettingsAsync())
.ReturnsAsync(settings);
return(serverService);
}
public Task <ImmutableArray <ValidationResult> > ValidateSettingsAsync(OpenIdServerSettings settings)
{
if (settings == null)
{
throw new ArgumentNullException(nameof(settings));
}
var results = ImmutableArray.CreateBuilder <ValidationResult>();
if (settings.GrantTypes.Count == 0)
{
results.Add(new ValidationResult(T["At least one OpenID Connect flow must be enabled."]));
}
if (settings.Authority != null)
{
if (!settings.Authority.IsAbsoluteUri || !settings.Authority.IsWellFormedOriginalString())
{
results.Add(new ValidationResult(T["The authority must be a valid absolute URL."], new[]
{
nameof(settings.Authority)
}));
}
if (!string.IsNullOrEmpty(settings.Authority.Query) || !string.IsNullOrEmpty(settings.Authority.Fragment))
{
results.Add(new ValidationResult(T["The authority cannot contain a query string or a fragment."], new[]
{
nameof(settings.Authority)
}));
}
}
if (settings.CertificateStoreLocation != null &&
settings.CertificateStoreName != null &&
!string.IsNullOrEmpty(settings.CertificateThumbprint))
{
var certificate = GetCertificate(
settings.CertificateStoreLocation.Value,
settings.CertificateStoreName.Value, settings.CertificateThumbprint);
if (certificate == null)
{
results.Add(new ValidationResult(T["The certificate cannot be found."], new[]
{
nameof(settings.CertificateThumbprint)
}));
}
else if (!certificate.HasPrivateKey)
{
results.Add(new ValidationResult(T["The certificate doesn't contain the required private key."], new[]
{
nameof(settings.CertificateThumbprint)
}));
}
else if (certificate.Archived)
{
results.Add(new ValidationResult(T["The certificate is not valid because it is marked as archived."], new[]
{
nameof(settings.CertificateThumbprint)
}));
}
else if (certificate.NotBefore > DateTime.Now || certificate.NotAfter < DateTime.Now)
{
results.Add(new ValidationResult(T["The certificate is not valid for current date."], new[]
{
nameof(settings.CertificateThumbprint)
}));
}
}
if (settings.GrantTypes.Contains(GrantTypes.Password) && !settings.TokenEndpointPath.HasValue)
{
results.Add(new ValidationResult(T["The password flow cannot be enabled when the token endpoint is disabled."], new[]
{
nameof(settings.GrantTypes)
}));
}
if (settings.GrantTypes.Contains(GrantTypes.ClientCredentials) && !settings.TokenEndpointPath.HasValue)
{
results.Add(new ValidationResult(T["The client credentials flow cannot be enabled when the token endpoint is disabled."], new[]
{
nameof(settings.GrantTypes)
}));
}
if (settings.GrantTypes.Contains(GrantTypes.AuthorizationCode) &&
(!settings.AuthorizationEndpointPath.HasValue || !settings.TokenEndpointPath.HasValue))
{
results.Add(new ValidationResult(T["The authorization code flow cannot be enabled when the authorization and token endpoints are disabled."], new[]
{
nameof(settings.GrantTypes)
}));
}
if (settings.GrantTypes.Contains(GrantTypes.RefreshToken))
{
if (!settings.TokenEndpointPath.HasValue)
{
results.Add(new ValidationResult(T["The refresh token flow cannot be enabled when the token endpoint is disabled."], new[]
{
nameof(settings.GrantTypes)
}));
}
if (!settings.GrantTypes.Contains(GrantTypes.Password) && !settings.GrantTypes.Contains(GrantTypes.AuthorizationCode))
{
results.Add(new ValidationResult(T["The refresh token flow can only be enabled if the password, authorization code or hybrid flows are enabled."], new[]
{
nameof(settings.GrantTypes)
}));
}
}
if (settings.GrantTypes.Contains(GrantTypes.Implicit) && !settings.AuthorizationEndpointPath.HasValue)
{
results.Add(new ValidationResult(T["The implicit flow cannot be enabled when the authorization endpoint is disabled."], new[]
{
nameof(settings.GrantTypes)
}));
}
return(Task.FromResult(results.ToImmutable()));
}
public Task <ImmutableArray <ValidationResult> > ValidateSettingsAsync(OpenIdServerSettings settings)
{
if (settings == null)
{
throw new ArgumentNullException(nameof(settings));
}
var results = ImmutableArray.CreateBuilder <ValidationResult>();
if (!settings.AllowAuthorizationCodeFlow && !settings.AllowClientCredentialsFlow &&
!settings.AllowImplicitFlow && !settings.AllowPasswordFlow)
{
results.Add(new ValidationResult(T["At least one OpenID Connect flow must be enabled."]));
}
if (!string.IsNullOrEmpty(settings.Authority))
{
if (!Uri.TryCreate(settings.Authority, UriKind.Absolute, out Uri uri) || !uri.IsWellFormedOriginalString())
{
results.Add(new ValidationResult(T["The authority must be a valid absolute URL."], new[]
{
nameof(settings.Authority)
}));
}
if (!string.IsNullOrEmpty(uri.Query) || !string.IsNullOrEmpty(uri.Fragment))
{
results.Add(new ValidationResult(T["The authority cannot contain a query string or a fragment."], new[]
{
nameof(settings.Authority)
}));
}
if (!settings.TestingModeEnabled && string.Equals(uri.Scheme, Uri.UriSchemeHttp, StringComparison.OrdinalIgnoreCase))
{
results.Add(new ValidationResult(T["The authority cannot be a HTTP URL when the testing mode is disabled."], new[]
{
nameof(settings.Authority)
}));
}
}
if (!settings.TestingModeEnabled)
{
if (settings.CertificateStoreName == null)
{
results.Add(new ValidationResult(T["A Certificate Store Name is required."], new[]
{
nameof(settings.CertificateStoreName)
}));
}
if (settings.CertificateStoreLocation == null)
{
results.Add(new ValidationResult(T["A Certificate Store Location is required."], new[]
{
nameof(settings.CertificateStoreLocation)
}));
}
if (string.IsNullOrEmpty(settings.CertificateThumbprint))
{
results.Add(new ValidationResult(T["A certificate is required when testing mode is disabled."], new[]
{
nameof(settings.CertificateThumbprint)
}));
}
if (settings.CertificateStoreLocation != null &&
settings.CertificateStoreName != null &&
!string.IsNullOrEmpty(settings.CertificateThumbprint))
{
var certificate = GetCertificate(settings.CertificateStoreLocation.Value,
settings.CertificateStoreName.Value, settings.CertificateThumbprint);
if (certificate == null)
{
results.Add(new ValidationResult(T["The certificate cannot be found."], new[]
{
nameof(settings.CertificateThumbprint)
}));
}
if (!certificate.HasPrivateKey)
{
results.Add(new ValidationResult(T["The certificate doesn't contain the required private key."], new[]
{
nameof(settings.CertificateThumbprint)
}));
}
if (certificate.Archived)
{
results.Add(new ValidationResult(T["The certificate is not valid because it is marked as archived."], new[]
{
nameof(settings.CertificateThumbprint)
}));
}
if (certificate.NotBefore > DateTime.Now || certificate.NotAfter < DateTime.Now)
{
results.Add(new ValidationResult(T["The certificate is not valid for current date."], new[]
{
nameof(settings.CertificateThumbprint)
}));
}
}
}
if (settings.AllowPasswordFlow && !settings.EnableTokenEndpoint)
{
results.Add(new ValidationResult(T["Password Flow cannot be enabled if Token Endpoint is disabled"], new[]
{
nameof(settings.AllowPasswordFlow)
}));
}
if (settings.AllowClientCredentialsFlow && !settings.EnableTokenEndpoint)
{
results.Add(new ValidationResult(T["Client Credentials Flow cannot be enabled if Token Endpoint is disabled"], new[]
{
nameof(settings.AllowClientCredentialsFlow)
}));
}
if (settings.AllowAuthorizationCodeFlow && (!settings.EnableAuthorizationEndpoint || !settings.EnableTokenEndpoint))
{
results.Add(new ValidationResult(T["Authorization Code Flow cannot be enabled if Authorization Endpoint and Token Endpoint are disabled"], new[]
{
nameof(settings.AllowAuthorizationCodeFlow)
}));
}
if (settings.AllowRefreshTokenFlow)
{
if (!settings.EnableTokenEndpoint)
{
results.Add(new ValidationResult(T["Refresh Token Flow cannot be enabled if Token Endpoint is disabled"], new[]
{
nameof(settings.AllowRefreshTokenFlow)
}));
}
if (!settings.AllowPasswordFlow && !settings.AllowAuthorizationCodeFlow)
{
results.Add(new ValidationResult(T["Refresh Token Flow only can be enabled if Password Flow, Authorization Code Flow or Hybrid Flow are enabled"], new[]
{
nameof(settings.AllowRefreshTokenFlow)
}));
}
}
if (settings.AllowImplicitFlow && !settings.EnableAuthorizationEndpoint)
{
results.Add(new ValidationResult(T["Allow Implicit Flow cannot be enabled if Authorization Endpoint is disabled"], new[]
{
nameof(settings.AllowImplicitFlow)
}));
}
return(Task.FromResult(results.ToImmutable()));
}
