예제 #1
0
        public async Task <IActionResult> Edit(string id, string returnUrl = null)
        {
            if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageApplications))
            {
                return(Forbid());
            }

            var application = await _applicationManager.FindByPhysicalIdAsync(id);

            if (application == null)
            {
                return(NotFound());
            }

            Task <bool> HasPermissionAsync(string permission) => _applicationManager.HasPermissionAsync(application, permission);

            var model = new EditOpenIdApplicationViewModel
            {
                AllowAuthorizationCodeFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode),
                AllowClientCredentialsFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.ClientCredentials),
                AllowImplicitFlow          = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.Implicit),
                AllowPasswordFlow          = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.Password),
                AllowRefreshTokenFlow      = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.RefreshToken),
                AllowLogoutEndpoint        = await HasPermissionAsync(OpenIddictConstants.Permissions.Endpoints.Logout),
                ClientId               = await _applicationManager.GetClientIdAsync(application),
                ConsentType            = await _applicationManager.GetConsentTypeAsync(application),
                DisplayName            = await _applicationManager.GetDisplayNameAsync(application),
                Id                     = await _applicationManager.GetPhysicalIdAsync(application),
                PostLogoutRedirectUris = string.Join(" ", await _applicationManager.GetPostLogoutRedirectUrisAsync(application)),
                RedirectUris           = string.Join(" ", await _applicationManager.GetRedirectUrisAsync(application)),
                Type                   = await _applicationManager.GetClientTypeAsync(application)
            };

            var roleService = HttpContext.RequestServices?.GetService <IRoleService>();

            if (roleService != null)
            {
                var roles = await _applicationManager.GetRolesAsync(application);

                foreach (var role in await roleService.GetRoleNamesAsync())
                {
                    model.RoleEntries.Add(new EditOpenIdApplicationViewModel.RoleEntry
                    {
                        Name     = role,
                        Selected = roles.Contains(role, StringComparer.OrdinalIgnoreCase)
                    });
                }
            }
            else
            {
                _notifier.Warning(H["There are no registered services to provide roles."]);
            }

            ViewData[nameof(OpenIdServerSettings)] = await GetServerSettingsAsync();

            ViewData["ReturnUrl"] = returnUrl;
            return(View(model));
        }
예제 #2
0
        private async Task <IActionResult> ExchangeClientCredentialsGrantType(OpenIdConnectRequest request)
        {
            // Note: client authentication is always enforced by OpenIddict before this action is invoked.
            var application = await _applicationManager.FindByClientIdAsync(request.ClientId);

            if (application == null)
            {
                return(BadRequest(new OpenIdConnectResponse
                {
                    Error = OpenIddictConstants.Errors.InvalidClient,
                    ErrorDescription = T["The specified 'client_id' parameter is invalid."]
                }));
            }

            var identity = new ClaimsIdentity(
                OpenIddictServerDefaults.AuthenticationScheme,
                OpenIddictConstants.Claims.Name,
                OpenIddictConstants.Claims.Role);

            identity.AddClaim(OpenIddictConstants.Claims.Subject, request.ClientId);
            identity.AddClaim(OpenIddictConstants.Claims.Name,
                              await _applicationManager.GetDisplayNameAsync(application),
                              OpenIddictConstants.Destinations.AccessToken,
                              OpenIddictConstants.Destinations.IdentityToken);

            foreach (var role in await _applicationManager.GetRolesAsync(application))
            {
                identity.AddClaim(identity.RoleClaimType, role,
                                  OpenIddictConstants.Destinations.AccessToken,
                                  OpenIddictConstants.Destinations.IdentityToken);

                foreach (var claim in await _roleManager.GetClaimsAsync(await _roleManager.FindByIdAsync(role)))
                {
                    identity.AddClaim(claim.Type, claim.Value,
                                      OpenIddictConstants.Destinations.AccessToken,
                                      OpenIddictConstants.Destinations.IdentityToken);
                }
            }

            var ticket = new AuthenticationTicket(
                new ClaimsPrincipal(identity),
                new AuthenticationProperties(),
                OpenIddictServerDefaults.AuthenticationScheme);

            ticket.SetResources(await GetResourcesAsync(request.GetScopes()));

            return(SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme));
        }
예제 #3
0
        private async Task <IActionResult> ExchangeClientCredentialsGrantType(OpenIddictRequest request)
        {
            // Note: client authentication is always enforced by OpenIddict before this action is invoked.
            var application = await _applicationManager.FindByClientIdAsync(request.ClientId) ??
                              throw new InvalidOperationException("The application details cannot be found.");

            var identity = new ClaimsIdentity(
                OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
                Claims.Name, Claims.Role);

            identity.AddClaim(OpenIdConstants.Claims.EntityType, OpenIdConstants.EntityTypes.Application,
                              Destinations.AccessToken, Destinations.IdentityToken);

            identity.AddClaim(Claims.Subject, request.ClientId,
                              Destinations.AccessToken, Destinations.IdentityToken);

            identity.AddClaim(Claims.Name,
                              await _applicationManager.GetDisplayNameAsync(application),
                              Destinations.AccessToken, Destinations.IdentityToken);

            // If the role service is available, add all the role claims
            // associated with the application roles in the database.
            var roleService = HttpContext.RequestServices.GetService <IRoleService>();

            foreach (var role in await _applicationManager.GetRolesAsync(application))
            {
                identity.AddClaim(identity.RoleClaimType, role,
                                  Destinations.AccessToken, Destinations.IdentityToken);

                if (roleService != null)
                {
                    foreach (var claim in await roleService.GetRoleClaimsAsync(role))
                    {
                        identity.AddClaim(claim.SetDestinations(Destinations.AccessToken, Destinations.IdentityToken));
                    }
                }
            }

            var principal = new ClaimsPrincipal(identity);

            principal.SetResources(await GetResourcesAsync(request.GetScopes()));

            return(SignIn(principal, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme));
        }
예제 #4
0
        private async Task <IActionResult> ExchangeClientCredentialsGrantType(OpenIdConnectRequest request)
        {
            // Note: client authentication is always enforced by OpenIddict before this action is invoked.
            var application = await _applicationManager.FindByClientIdAsync(request.ClientId);

            if (application == null)
            {
                return(BadRequest(new OpenIdConnectResponse
                {
                    Error = OpenIddictConstants.Errors.InvalidClient,
                    ErrorDescription = S["The specified 'client_id' parameter is invalid."]
                }));
            }

            var identity = new ClaimsIdentity(
                OpenIddictServerDefaults.AuthenticationScheme,
                OpenIddictConstants.Claims.Name,
                OpenIddictConstants.Claims.Role);

            identity.AddClaim(OpenIdConstants.Claims.EntityType, OpenIdConstants.EntityTypes.Application,
                              OpenIddictConstants.Destinations.AccessToken,
                              OpenIddictConstants.Destinations.IdentityToken);

            identity.AddClaim(OpenIddictConstants.Claims.Subject, request.ClientId,
                              OpenIddictConstants.Destinations.AccessToken,
                              OpenIddictConstants.Destinations.IdentityToken);

            identity.AddClaim(OpenIddictConstants.Claims.Name,
                              await _applicationManager.GetDisplayNameAsync(application),
                              OpenIddictConstants.Destinations.AccessToken,
                              OpenIddictConstants.Destinations.IdentityToken);

            // If the role service is available, add all the role claims
            // associated with the application roles in the database.
            var roleService = HttpContext.RequestServices.GetService <IRoleService>();

            foreach (var role in await _applicationManager.GetRolesAsync(application))
            {
                identity.AddClaim(identity.RoleClaimType, role,
                                  OpenIddictConstants.Destinations.AccessToken,
                                  OpenIddictConstants.Destinations.IdentityToken);

                if (roleService != null)
                {
                    foreach (var claim in await roleService.GetRoleClaimsAsync(role))
                    {
                        identity.AddClaim(claim.SetDestinations(
                                              OpenIdConnectConstants.Destinations.AccessToken,
                                              OpenIdConnectConstants.Destinations.IdentityToken));
                    }
                }
            }

            var ticket = new AuthenticationTicket(
                new ClaimsPrincipal(identity),
                new AuthenticationProperties(),
                OpenIddictServerDefaults.AuthenticationScheme);

            ticket.SetResources(await GetResourcesAsync(request.GetScopes()));

            return(SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme));
        }
        public async Task <IActionResult> Edit(string id, string returnUrl = null)
        {
            if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageApplications))
            {
                return(Forbid());
            }

            var application = await _applicationManager.FindByPhysicalIdAsync(id);

            if (application == null)
            {
                return(NotFound());
            }

            ValueTask <bool> HasPermissionAsync(string permission) => _applicationManager.HasPermissionAsync(application, permission);

            var model = new EditOpenIdApplicationViewModel
            {
                AllowAuthorizationCodeFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode) &&
                                             await HasPermissionAsync(OpenIddictConstants.Permissions.ResponseTypes.Code),

                AllowClientCredentialsFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.ClientCredentials),

                // Note: the hybrid flow doesn't have a dedicated grant_type but is treated as a combination
                // of both the authorization code and implicit grants. As such, to determine whether the hybrid
                // flow is enabled, both the authorization code grant and the implicit grant MUST be enabled.
                AllowHybridFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode) &&
                                  await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.Implicit) &&
                                  (await HasPermissionAsync(OpenIddictConstants.Permissions.ResponseTypes.CodeIdToken) ||
                                   await HasPermissionAsync(OpenIddictConstants.Permissions.ResponseTypes.CodeIdTokenToken) ||
                                   await HasPermissionAsync(OpenIddictConstants.Permissions.ResponseTypes.CodeToken)),

                AllowImplicitFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.Implicit) &&
                                    (await HasPermissionAsync(OpenIddictConstants.Permissions.ResponseTypes.IdToken) ||
                                     await HasPermissionAsync(OpenIddictConstants.Permissions.ResponseTypes.IdTokenToken) ||
                                     await HasPermissionAsync(OpenIddictConstants.Permissions.ResponseTypes.Token)),

                AllowPasswordFlow     = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.Password),
                AllowRefreshTokenFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.RefreshToken),
                AllowLogoutEndpoint   = await HasPermissionAsync(OpenIddictConstants.Permissions.Endpoints.Logout),
                ClientId               = await _applicationManager.GetClientIdAsync(application),
                ConsentType            = await _applicationManager.GetConsentTypeAsync(application),
                DisplayName            = await _applicationManager.GetDisplayNameAsync(application),
                Id                     = await _applicationManager.GetPhysicalIdAsync(application),
                PostLogoutRedirectUris = string.Join(" ", await _applicationManager.GetPostLogoutRedirectUrisAsync(application)),
                RedirectUris           = string.Join(" ", await _applicationManager.GetRedirectUrisAsync(application)),
                Type                   = await _applicationManager.GetClientTypeAsync(application)
            };

            var roleService = HttpContext.RequestServices?.GetService <IRoleService>();

            if (roleService != null)
            {
                var roles = await _applicationManager.GetRolesAsync(application);

                foreach (var role in await roleService.GetRoleNamesAsync())
                {
                    model.RoleEntries.Add(new EditOpenIdApplicationViewModel.RoleEntry
                    {
                        Name     = role,
                        Selected = roles.Contains(role, StringComparer.OrdinalIgnoreCase)
                    });
                }
            }
            else
            {
                await _notifier.WarningAsync(H["There are no registered services to provide roles."]);
            }

            var permissions = await _applicationManager.GetPermissionsAsync(application);

            await foreach (var scope in _scopeManager.ListAsync())
            {
                var scopeName = await _scopeManager.GetNameAsync(scope);

                model.ScopeEntries.Add(new EditOpenIdApplicationViewModel.ScopeEntry
                {
                    Name     = scopeName,
                    Selected = await _applicationManager.HasPermissionAsync(application, OpenIddictConstants.Permissions.Prefixes.Scope + scopeName)
                });
            }

            ViewData[nameof(OpenIdServerSettings)] = await GetServerSettingsAsync();

            ViewData["ReturnUrl"] = returnUrl;
            return(View(model));
        }