public override Task MatchEndpoint(MatchEndpointContext context) { // Note: by default, OpenIdConnectServerHandler only handles authorization requests made to the authorization endpoint. // This context handler uses a more relaxed policy that allows extracting authorization requests received at // /connect/authorize/accept and /connect/authorize/deny (see AuthorizationController.cs for more information). if (context.Options.AuthorizationEndpointPath.HasValue && context.Request.Path.StartsWithSegments(context.Options.AuthorizationEndpointPath)) { context.MatchesAuthorizationEndpoint(); } return Task.FromResult(0); }
public override async Task <bool> HandleRequestAsync() { var notification = new MatchEndpointContext(Context, Options); if (Options.AuthorizationEndpointPath.HasValue && Options.AuthorizationEndpointPath == Request.Path) { notification.MatchesAuthorizationEndpoint(); } else if (Options.ConfigurationEndpointPath.HasValue && Options.ConfigurationEndpointPath == Request.Path) { notification.MatchesConfigurationEndpoint(); } else if (Options.CryptographyEndpointPath.HasValue && Options.CryptographyEndpointPath == Request.Path) { notification.MatchesCryptographyEndpoint(); } else if (Options.IntrospectionEndpointPath.HasValue && Options.IntrospectionEndpointPath == Request.Path) { notification.MatchesIntrospectionEndpoint(); } else if (Options.LogoutEndpointPath.HasValue && Options.LogoutEndpointPath == Request.Path) { notification.MatchesLogoutEndpoint(); } else if (Options.RevocationEndpointPath.HasValue && Options.RevocationEndpointPath == Request.Path) { notification.MatchesRevocationEndpoint(); } else if (Options.TokenEndpointPath.HasValue && Options.TokenEndpointPath == Request.Path) { notification.MatchesTokenEndpoint(); } else if (Options.UserinfoEndpointPath.HasValue && Options.UserinfoEndpointPath == Request.Path) { notification.MatchesUserinfoEndpoint(); } await Options.Provider.MatchEndpoint(notification); if (notification.HandledResponse) { return(true); } else if (notification.Skipped) { return(false); } // Reject non-HTTPS requests handled by ASOS if AllowInsecureHttp is not set to true. if (!Options.AllowInsecureHttp && !Request.IsHttps) { // Return the native error page for endpoints involving the user participation. if (notification.IsAuthorizationEndpoint || notification.IsLogoutEndpoint) { Logger.LogWarning("The current request was rejected because the OpenID Connect server middleware " + "has been configured to reject HTTP requests. To permanently disable the transport " + "security requirement, set 'OpenIdConnectServerOptions.AllowInsecureHttp' to 'true'."); return(await SendNativePageAsync(new OpenIdConnectResponse { Error = OpenIdConnectConstants.Errors.InvalidRequest, ErrorDescription = "This server only accepts HTTPS requests." })); } // Return a JSON error for endpoints that don't involve the user participation. else if (notification.IsConfigurationEndpoint || notification.IsCryptographyEndpoint || notification.IsIntrospectionEndpoint || notification.IsRevocationEndpoint || notification.IsTokenEndpoint || notification.IsUserinfoEndpoint) { Logger.LogWarning("The current request was rejected because the OpenID Connect server middleware " + "has been configured to reject HTTP requests. To permanently disable the transport " + "security requirement, set 'OpenIdConnectServerOptions.AllowInsecureHttp' to 'true'."); return(await SendPayloadAsync(new OpenIdConnectResponse { Error = OpenIdConnectConstants.Errors.InvalidRequest, ErrorDescription = "This server only accepts HTTPS requests." })); } } if (notification.IsAuthorizationEndpoint) { return(await InvokeAuthorizationEndpointAsync()); } else if (notification.IsConfigurationEndpoint) { return(await InvokeConfigurationEndpointAsync()); } else if (notification.IsCryptographyEndpoint) { return(await InvokeCryptographyEndpointAsync()); } else if (notification.IsIntrospectionEndpoint) { return(await InvokeIntrospectionEndpointAsync()); } else if (notification.IsLogoutEndpoint) { return(await InvokeLogoutEndpointAsync()); } else if (notification.IsRevocationEndpoint) { return(await InvokeRevocationEndpointAsync()); } else if (notification.IsTokenEndpoint) { return(await InvokeTokenEndpointAsync()); } else if (notification.IsUserinfoEndpoint) { return(await InvokeUserinfoEndpointAsync()); } return(false); }
protected override async Task <AuthenticateResult> HandleAuthenticateAsync() { var notification = new MatchEndpointContext(Context, Options); if (Options.AuthorizationEndpointPath.HasValue && Options.AuthorizationEndpointPath == Request.Path) { notification.MatchesAuthorizationEndpoint(); } else if (Options.LogoutEndpointPath.HasValue && Options.LogoutEndpointPath == Request.Path) { notification.MatchesLogoutEndpoint(); } else if (Options.ProfileEndpointPath.HasValue && Options.ProfileEndpointPath == Request.Path) { notification.MatchesProfileEndpoint(); } await Options.Provider.MatchEndpoint(notification); if (!notification.IsAuthorizationEndpoint && !notification.IsLogoutEndpoint && !notification.IsProfileEndpoint) { return(null); } // Try to retrieve the current OpenID Connect request from the ASP.NET context. // If the request cannot be found, this means that this middleware was configured // to use the automatic authentication mode and that HandleAuthenticateAsync // was invoked before Invoke*EndpointAsync: in this case, the OpenID Connect // request is directly extracted from the query string or the request form. var request = Context.GetOpenIdConnectRequest(); if (request == null) { if (string.Equals(Request.Method, "GET", StringComparison.OrdinalIgnoreCase)) { request = new OpenIdConnectMessage(Request.Query.ToDictionary()); } else if (string.Equals(Request.Method, "POST", StringComparison.OrdinalIgnoreCase)) { if (string.IsNullOrEmpty(Request.ContentType)) { return(null); } else if (!Request.ContentType.StartsWith("application/x-www-form-urlencoded", StringComparison.OrdinalIgnoreCase)) { return(null); } var form = await Request.ReadFormAsync(Context.RequestAborted); request = new OpenIdConnectMessage(form.ToDictionary()); } } // Missing or invalid requests are ignored in HandleAuthenticateAsync: // in this case, null is always returned to indicate authentication failed. if (request == null) { return(null); } if (notification.IsAuthorizationEndpoint || notification.IsLogoutEndpoint) { if (string.IsNullOrEmpty(request.IdTokenHint)) { return(null); } var ticket = await ReceiveIdentityTokenAsync(request.IdTokenHint, request); if (ticket == null) { Logger.LogVerbose("Invalid id_token_hint"); return(null); } // Tickets are returned even if they // are considered invalid (e.g expired). return(AuthenticateResult.Success(ticket)); } else if (notification.IsProfileEndpoint) { string token; if (!string.IsNullOrEmpty(request.AccessToken)) { token = request.AccessToken; } else { string header = Request.Headers[HeaderNames.Authorization]; if (string.IsNullOrEmpty(header)) { return(null); } if (!header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase)) { return(null); } token = header.Substring("Bearer ".Length); if (string.IsNullOrWhiteSpace(token)) { return(null); } } var ticket = await ReceiveAccessTokenAsync(token, request); if (ticket == null) { Logger.LogVerbose("Invalid access_token"); return(null); } if (!ticket.Properties.ExpiresUtc.HasValue || ticket.Properties.ExpiresUtc < Options.SystemClock.UtcNow) { Logger.LogVerbose("Expired access_token"); return(null); } return(AuthenticateResult.Success(ticket)); } return(null); }
public override async Task <bool> HandleRequestAsync() { var notification = new MatchEndpointContext(Context, Options); if (Options.AuthorizationEndpointPath.HasValue && Options.AuthorizationEndpointPath == Request.Path) { notification.MatchesAuthorizationEndpoint(); } else if (Options.TokenEndpointPath.HasValue && Options.TokenEndpointPath == Request.Path) { notification.MatchesTokenEndpoint(); } else if (Options.ValidationEndpointPath.HasValue && Options.ValidationEndpointPath == Request.Path) { notification.MatchesValidationEndpoint(); } else if (Options.ProfileEndpointPath.HasValue && Options.ProfileEndpointPath == Request.Path) { notification.MatchesProfileEndpoint(); } else if (Options.LogoutEndpointPath.HasValue && Options.LogoutEndpointPath == Request.Path) { notification.MatchesLogoutEndpoint(); } else if (Options.ConfigurationEndpointPath.HasValue && Options.ConfigurationEndpointPath == Request.Path) { notification.MatchesConfigurationEndpoint(); } else if (Options.CryptographyEndpointPath.HasValue && Options.CryptographyEndpointPath == Request.Path) { notification.MatchesCryptographyEndpoint(); } await Options.Provider.MatchEndpoint(notification); if (notification.HandledResponse) { return(true); } else if (notification.Skipped) { return(false); } // Reject non-HTTPS requests handled by the OpenID Connect // server middleware if AllowInsecureHttp is not set to true. if (!Options.AllowInsecureHttp && !Request.IsHttps) { Logger.LogWarning("The HTTP request was rejected because AllowInsecureHttp was false."); if (notification.IsAuthorizationEndpoint || notification.IsLogoutEndpoint) { // Return the native error page for endpoints involving the user participation. await SendNativeErrorPageAsync(new OpenIdConnectMessage { Error = OpenIdConnectConstants.Errors.InvalidRequest, ErrorDescription = "This server only accepts HTTPS requests." }); return(true); } else if (notification.IsTokenEndpoint || notification.IsProfileEndpoint || notification.IsValidationEndpoint || notification.IsConfigurationEndpoint || notification.IsCryptographyEndpoint) { // Return a JSON error for endpoints that don't involve the user participation. await SendErrorPayloadAsync(new OpenIdConnectMessage { Error = OpenIdConnectConstants.Errors.InvalidRequest, ErrorDescription = "This server only accepts HTTPS requests." }); return(true); } } if (notification.IsAuthorizationEndpoint) { return(await InvokeAuthorizationEndpointAsync()); } else if (notification.IsLogoutEndpoint) { return(await InvokeLogoutEndpointAsync()); } else if (notification.IsTokenEndpoint) { await InvokeTokenEndpointAsync(); return(true); } else if (notification.IsValidationEndpoint) { await InvokeValidationEndpointAsync(); return(true); } else if (notification.IsProfileEndpoint) { return(await InvokeProfileEndpointAsync()); } else if (notification.IsConfigurationEndpoint) { await InvokeConfigurationEndpointAsync(); return(true); } else if (notification.IsCryptographyEndpoint) { await InvokeCryptographyEndpointAsync(); return(true); } return(false); }