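/// <summary>
/// Decides whether the authorize request can continue with the current session or
/// whether the user has to be sent to the login page first.
/// </summary>
/// <remarks>
/// Checks are applied in order and the first failing one wins: an explicit
/// prompt=login / prompt=select_account, an unauthenticated or de-activated user
/// (with a special case for display=popup), an idp hint that does not match the
/// current provider, max_age, the client's local/external IdP restrictions and
/// finally the client's user SSO lifetime.
/// </remarks>
/// <param name="request">The validated authorize request.</param>
/// <returns>
/// An <see cref="InteractionResponse"/> with <c>IsLogin</c> set when the user must
/// log in, with <c>RedirectUrl</c> set for the display=popup case, or an empty
/// response when no login interaction is required.
/// </returns>
protected internal virtual async Task<InteractionResponse> ProcessLoginAsync(ValidatedAuthorizeRequest request)
{
    if (request.PromptModes.Contains(OidcConstants.PromptModes.Login) ||
        request.PromptModes.Contains(OidcConstants.PromptModes.SelectAccount))
    {
        // log before RemovePrompt() so the prompt values are still available
        Logger.LogInformation("Showing login: request contains prompt={0}", request.PromptModes.ToSpaceSeparatedString());

        // remove prompt so when we redirect back in from login page
        // we won't think we need to force a prompt again
        request.RemovePrompt();
        return new InteractionResponse { IsLogin = true };
    }

    // unauthenticated user
    var isAuthenticated = request.Subject.IsAuthenticated();

    // user de-activated: only consulted for an authenticated subject
    bool isActive = false;

    if (isAuthenticated)
    {
        var isActiveCtx = new IsActiveContext(request.Subject, request.Client, IdentityServerConstants.ProfileIsActiveCallers.AuthorizeEndpoint);
        await Profile.IsActiveAsync(isActiveCtx);

        isActive = isActiveCtx.IsActive;
    }

    if ((!isAuthenticated || !isActive) && request.DisplayMode == "popup")
    {
        // display=popup: rather than rendering login UI inside the popup, send the
        // browser to the client's popup page (presumably so the popup can close itself).
        // The URL is built from scheme + authority of the redirect_uri instead of
        // string-replacing PathAndQuery: for a redirect_uri with an empty path,
        // PathAndQuery is "/" and Replace() rewrites every "/" in the string, including
        // the "//" after the scheme, producing a corrupt URL.
        // NOTE(review): assumes request.RedirectUri was already validated against the
        // client's registered redirect URIs upstream, so this redirect stays same-origin — confirm.
        var redirect = new Uri(request.RedirectUri);
        var closePopupUri = redirect.GetLeftPart(UriPartial.Authority) + "/popup.html#";
        return new InteractionResponse { RedirectUrl = closePopupUri };
    }

    if (!isAuthenticated || !isActive)
    {
        if (!isAuthenticated)
        {
            Logger.LogInformation("Showing login: User is not authenticated");
        }
        else if (!isActive)
        {
            Logger.LogInformation("Showing login: User is not active");
        }

        // NOTE(review): prompt=none is not handled here; presumably the caller turns
        // IsLogin into a login_required error in that case — confirm.
        return new InteractionResponse { IsLogin = true };
    }

    // check current idp
    var currentIdp = request.Subject.GetIdentityProvider();

    // check if idp login hint matches current provider
    var idp = request.GetIdP();
    if (idp.IsPresent())
    {
        if (idp != currentIdp)
        {
            Logger.LogInformation("Showing login: Current IdP ({currentIdp}) is not the requested IdP ({idp})", currentIdp, idp);
            return new InteractionResponse { IsLogin = true };
        }
    }

    // check authentication freshness (max_age is in seconds)
    if (request.MaxAge.HasValue)
    {
        var authTime = request.Subject.GetAuthenticationTime();
        // NOTE(review): Clock.UtcNow is a DateTimeOffset (ToUnixTimeSeconds is used below);
        // if GetAuthenticationTime() returns a DateTime, its Kind must be Utc for the
        // implicit conversion in this comparison to be correct — confirm.
        if (Clock.UtcNow > authTime.AddSeconds(request.MaxAge.Value))
        {
            Logger.LogInformation("Showing login: Requested MaxAge exceeded.");
            return new InteractionResponse { IsLogin = true };
        }
    }

    // check local idp restrictions
    if (currentIdp == IdentityServerConstants.LocalIdentityProvider)
    {
        if (!request.Client.EnableLocalLogin)
        {
            Logger.LogInformation("Showing login: User logged in locally, but client does not allow local logins");
            return new InteractionResponse { IsLogin = true };
        }
    }
    // check external idp restrictions if user not using local idp
    // (an empty restriction list means any external provider is allowed)
    else if (request.Client.IdentityProviderRestrictions != null &&
        request.Client.IdentityProviderRestrictions.Any() &&
        !request.Client.IdentityProviderRestrictions.Contains(currentIdp))
    {
        Logger.LogInformation("Showing login: User is logged in with idp: {idp}, but idp not in client restriction list.", currentIdp);
        return new InteractionResponse { IsLogin = true };
    }

    // check client's user SSO timeout: session age (seconds since auth_time) vs lifetime
    if (request.Client.UserSsoLifetime.HasValue)
    {
        var authTimeEpoch = request.Subject.GetAuthenticationTimeEpoch();
        var nowEpoch = Clock.UtcNow.ToUnixTimeSeconds();
        var diff = nowEpoch - authTimeEpoch;
        if (diff > request.Client.UserSsoLifetime.Value)
        {
            Logger.LogInformation("Showing login: User's auth session duration: {sessionDuration} exceeds client's user SSO lifetime: {userSsoLifetime}.", diff, request.Client.UserSsoLifetime);
            return new InteractionResponse { IsLogin = true };
        }
    }

    return new InteractionResponse();
}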
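/// <summary>
/// Decides whether the authorize request can continue with the current session or
/// whether the user has to be sent to the login page first.
/// </summary>
/// <remarks>
/// Checks are applied in order and the first failing one wins: an explicit
/// prompt=login / prompt=select_account, an unauthenticated or de-activated user
/// (a login_required error instead of a login page when prompt=none was requested),
/// an idp hint that does not match the current provider, max_age, and the client's
/// local/external IdP restrictions.
/// </remarks>
/// <param name="request">The validated authorize request.</param>
/// <returns>
/// An <see cref="InteractionResponse"/> with <c>IsLogin</c> set when the user must
/// log in, with <c>Error</c> set to login_required for the prompt=none case, or an
/// empty response when no login interaction is required.
/// </returns>
protected internal virtual async Task<InteractionResponse> ProcessLoginAsync(ValidatedAuthorizeRequest request)
{
    if (request.PromptMode == OidcConstants.PromptModes.Login ||
        request.PromptMode == OidcConstants.PromptModes.SelectAccount)
    {
        // log before RemovePrompt() so the prompt value is still available;
        // the original logged afterwards, which may record an empty prompt
        Logger.LogInformation("Showing login: request contains prompt={0}", request.PromptMode);

        // remove prompt so when we redirect back in from login page
        // we won't think we need to force a prompt again
        request.RemovePrompt();
        return new InteractionResponse { IsLogin = true };
    }

    // unauthenticated user
    var isAuthenticated = request.Subject.IsAuthenticated();

    // user de-activated: only consulted for an authenticated subject
    bool isActive = false;

    if (isAuthenticated)
    {
        var isActiveCtx = new IsActiveContext(request.Subject, request.Client, IdentityServerConstants.ProfileIsActiveCallers.AuthorizeEndpoint);
        await Profile.IsActiveAsync(isActiveCtx);

        isActive = isActiveCtx.IsActive;
    }

    if (!isAuthenticated || !isActive)
    {
        // prompt=none means user must be signed in already; never render UI, return an error
        if (request.PromptMode == OidcConstants.PromptModes.None)
        {
            if (!isAuthenticated)
            {
                Logger.LogInformation("Showing error: prompt=none was requested but user is not authenticated");
            }
            else if (!isActive)
            {
                Logger.LogInformation("Showing error: prompt=none was requested but user is not active");
            }

            return new InteractionResponse { Error = OidcConstants.AuthorizeErrors.LoginRequired };
        }

        if (!isAuthenticated)
        {
            Logger.LogInformation("Showing login: User is not authenticated");
        }
        else if (!isActive)
        {
            Logger.LogInformation("Showing login: User is not active");
        }

        return new InteractionResponse { IsLogin = true };
    }

    // check current idp
    var currentIdp = request.Subject.GetIdentityProvider();

    // check if idp login hint matches current provider
    var idp = request.GetIdP();
    if (idp.IsPresent())
    {
        if (idp != currentIdp)
        {
            // distinct placeholder names: the template previously used {idp} twice,
            // which collides in structured logging providers
            Logger.LogInformation("Showing login: Current IdP ({currentIdp}) is not the requested IdP ({idp})", currentIdp, idp);
            return new InteractionResponse { IsLogin = true };
        }
    }

    // check authentication freshness (max_age is in seconds)
    if (request.MaxAge.HasValue)
    {
        var authTime = request.Subject.GetAuthenticationTime();
        // NOTE(review): if GetAuthenticationTime() returns a DateTime, its Kind must be
        // Utc for the comparison against Clock.UtcNow to be correct — confirm.
        if (Clock.UtcNow > authTime.AddSeconds(request.MaxAge.Value))
        {
            Logger.LogInformation("Showing login: Requested MaxAge exceeded.");
            return new InteractionResponse { IsLogin = true };
        }
    }

    // check local idp restrictions
    if (currentIdp == IdentityServerConstants.LocalIdentityProvider && !request.Client.EnableLocalLogin)
    {
        Logger.LogInformation("Showing login: User logged in locally, but client does not allow local logins");
        return new InteractionResponse { IsLogin = true };
    }

    // check external idp restrictions (an empty list means any provider is allowed)
    // NOTE(review): unlike the sibling overload, this check also runs when currentIdp is
    // the local provider, so a client whose restriction list omits the local provider
    // will re-prompt locally logged-in users — confirm that is intended.
    if (request.Client.IdentityProviderRestrictions != null && request.Client.IdentityProviderRestrictions.Any())
    {
        if (!request.Client.IdentityProviderRestrictions.Contains(currentIdp))
        {
            Logger.LogInformation("Showing login: User is logged in with idp: {idp}, but idp not in client restriction list.", currentIdp);
            return new InteractionResponse { IsLogin = true };
        }
    }

    return new InteractionResponse();
}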