public async Task<IEndpointResult> CreateLoginResultAsync(ValidatedAuthorizeRequest request)
{
var signin = new SignInRequest();
// let the login page know the client requesting authorization
signin.ClientId = request.ClientId;
// pass through display mode to signin service
if (request.DisplayMode.IsPresent())
{
signin.DisplayMode = request.DisplayMode;
}
// pass through ui locales to signin service
if (request.UiLocales.IsPresent())
{
signin.UiLocales = request.UiLocales;
}
// pass through login_hint
if (request.LoginHint.IsPresent())
{
signin.LoginHint = request.LoginHint;
}
// look for well-known acr value -- idp
var idp = request.GetIdP();
if (idp.IsPresent())
{
signin.IdP = idp;
}
// look for well-known acr value -- tenant
var tenant = request.GetTenant();
if (tenant.IsPresent())
{
signin.Tenant = tenant;
}
// process acr values
var acrValues = request.GetAcrValues();
if (acrValues.Any())
{
signin.AcrValues = acrValues;
}
var message = new Message<SignInRequest>(signin)
{
ResponseUrl = _context.GetIdentityServerBaseUrl().EnsureTrailingSlash() + Constants.RoutePaths.Oidc.AuthorizeAfterLogin,
AuthorizeRequestParameters = request.Raw.ToDictionary()
};
await _signInRequestStore.WriteAsync(message);
return new LoginPageResult(message.Id);
}
internal async Task<InteractionResponse> ProcessLoginAsync(ValidatedAuthorizeRequest request)
{
if (request.PromptMode == OidcConstants.PromptModes.Login)
{
// remove prompt so when we redirect back in from login page
// we won't think we need to force a prompt again
request.Raw.Remove(OidcConstants.AuthorizeRequest.Prompt);
_logger.LogInformation("Redirecting to login page because of prompt=login");
return new InteractionResponse() { IsLogin = true };
}
// unauthenticated user
var isAuthenticated = request.Subject.Identity.IsAuthenticated;
// user de-activated
bool isActive = false;
if (isAuthenticated)
{
var isActiveCtx = new IsActiveContext(request.Subject, request.Client);
await _profile.IsActiveAsync(isActiveCtx);
isActive = isActiveCtx.IsActive;
}
if (!isAuthenticated || !isActive)
{
if (!isAuthenticated) _logger.LogInformation("User is not authenticated.");
else if (!isActive) _logger.LogInformation("User is not active.");
// prompt=none means user must be signed in already
if (request.PromptMode == OidcConstants.PromptModes.None)
{
_logger.LogInformation("prompt=none was requested but user is not authenticated/active.");
return new InteractionResponse
{
Error = new AuthorizeError
{
ErrorType = ErrorTypes.Client,
Error = OidcConstants.AuthorizeErrors.LoginRequired,
ResponseMode = request.ResponseMode,
ErrorUri = request.RedirectUri,
State = request.State
}
};
}
return new InteractionResponse() { IsLogin = true };
}
// check current idp
var currentIdp = request.Subject.GetIdentityProvider();
// check if idp login hint matches current provider
var idp = request.GetIdP();
if (idp.IsPresent())
{
if (idp != currentIdp)
{
_logger.LogInformation("Current IdP is not the requested IdP. Redirecting to login");
_logger.LogInformation("Current: {0} -- Requested: {1}", currentIdp, idp);
return new InteractionResponse() { IsLogin = true };
}
}
// check authentication freshness
if (request.MaxAge.HasValue)
{
var authTime = request.Subject.GetAuthenticationTime();
if (DateTimeOffsetHelper.UtcNow > authTime.AddSeconds(request.MaxAge.Value))
{
_logger.LogInformation("Requested MaxAge exceeded.");
return new InteractionResponse() { IsLogin = true };
}
}
// check idp restrictions
if (request.Client.IdentityProviderRestrictions != null && request.Client.IdentityProviderRestrictions.Any())
{
if (!request.Client.IdentityProviderRestrictions.Contains(currentIdp))
{
_logger.LogWarning("User is logged in with idp: {0}, but idp not in client restriction list.", currentIdp);
return new InteractionResponse() { IsLogin = true };
}
}
// check if idp is local and local logins are not allowed
if (currentIdp == Constants.BuiltInIdentityProvider)
{
if (_options.AuthenticationOptions.EnableLocalLogin == false ||
request.Client.EnableLocalLogin == false)
{
_logger.LogWarning("User is logged in with local idp, but local logins not enabled.");
return new InteractionResponse() { IsLogin = true };
}
}
return new InteractionResponse();
}
