/// <summary>
/// Populates the OpenIddict server options of the scheme managed by the OpenID module
/// from the server settings stored by that module.
/// </summary>
/// <param name="name">The name of the options instance being configured; every name other than
/// <see cref="OpenIddictServerDefaults.AuthenticationScheme"/> is ignored.</param>
/// <param name="options">The OpenIddict server options to populate; left untouched when no settings are stored.</param>
public void Configure(string name, OpenIddictServerOptions options)
{
    // Ignore OpenIddict handler instances that don't correspond to the instance managed by the OpenID module.
    var isManagedScheme = string.Equals(name, OpenIddictServerDefaults.AuthenticationScheme);
    if (!isManagedScheme)
    {
        return;
    }

    // Presumably the synchronous Configure of IConfigureNamedOptions<T>, hence the blocking wait on the async lookup.
    var serverSettings = GetServerSettingsAsync().GetAwaiter().GetResult();
    if (serverSettings is null)
    {
        return;
    }

    // Note: in Orchard, transport security is usually configured via the dedicated HTTPS module.
    // To make configuration easier and avoid having to configure it in two different features,
    // the transport security requirement enforced by OpenIddict by default is always turned off.
    // NOTE(review): with this flag set, OpenIddict itself no longer rejects requests that arrive over
    // plain HTTP, so the HTTPS module must actually be enabled in every deployment using this feature.
    options.AllowInsecureHttp = true;

    // Fixed behavior of the Orchard-managed server.
    options.ApplicationCanDisplayErrors = true;
    options.EnableRequestCaching = true;
    options.IgnoreScopePermissions = true;

    // Behavior driven by the stored settings.
    options.Issuer = serverSettings.Authority;
    options.UseRollingTokens = serverSettings.UseRollingTokens;
    options.UseReferenceTokens = serverSettings.UseReferenceTokens;

    var signingKeys = _serverService.GetSigningKeysAsync().GetAwaiter().GetResult();
    foreach (var signingKey in signingKeys)
    {
        options.SigningCredentials.AddKey(signingKey);
    }

    // The access token handler is only replaced for the JWT format.
    var usesJwtAccessTokens = serverSettings.AccessTokenFormat == OpenIdServerSettings.TokenFormat.JWT;
    if (usesJwtAccessTokens)
    {
        options.AccessTokenHandler = new JwtSecurityTokenHandler();
    }

    options.AuthorizationEndpointPath = serverSettings.AuthorizationEndpointPath;
    options.LogoutEndpointPath = serverSettings.LogoutEndpointPath;
    options.TokenEndpointPath = serverSettings.TokenEndpointPath;
    options.UserinfoEndpointPath = serverSettings.UserinfoEndpointPath;

    // The configured grant types replace, rather than extend, whatever was registered before.
    options.GrantTypes.Clear();
    options.GrantTypes.UnionWith(serverSettings.GrantTypes);

    // Standard OpenID Connect scopes, plus a roles scope that reuses the name of the roles claim.
    options.Scopes.Add(OpenIddictConstants.Scopes.Email);
    options.Scopes.Add(OpenIddictConstants.Scopes.Phone);
    options.Scopes.Add(OpenIddictConstants.Scopes.Profile);
    options.Scopes.Add(OpenIddictConstants.Claims.Roles);
}
/// <summary>
/// Populates the OpenIddict server options of the scheme managed by the OpenID module
/// from the server settings stored by that module.
/// </summary>
/// <param name="name">The name of the options instance being configured; every name other than
/// <see cref="OpenIddictServerDefaults.AuthenticationScheme"/> is ignored.</param>
/// <param name="options">The OpenIddict server options to populate; left untouched when no settings are stored.</param>
/// <exception cref="UriFormatException">Thrown when the stored authority is not a valid absolute URI.</exception>
public void Configure(string name, OpenIddictServerOptions options)
{
    // Ignore OpenIddict handler instances that don't correspond to the instance managed by the OpenID module.
    // Scheme names are identifiers, so they are compared ordinally.
    if (!string.Equals(name, OpenIddictServerDefaults.AuthenticationScheme, StringComparison.Ordinal))
    {
        return;
    }

    // Presumably the synchronous Configure of IConfigureNamedOptions<T>, hence the blocking wait on the async lookup.
    var serverSettings = GetServerSettingsAsync().GetAwaiter().GetResult();
    if (serverSettings is null)
    {
        return;
    }

    // Fixed behavior of the Orchard-managed server.
    options.ApplicationCanDisplayErrors = true;
    options.EnableRequestCaching = true;
    options.IgnoreScopePermissions = true;

    // Behavior driven by the stored settings. Plain HTTP is only tolerated while testing mode
    // is enabled; otherwise OpenIddict's transport security requirement stays in force.
    options.UseRollingTokens = serverSettings.UseRollingTokens;
    options.AllowInsecureHttp = serverSettings.TestingModeEnabled;

    var signingKeys = _serverService.GetSigningKeysAsync().GetAwaiter().GetResult();
    foreach (var signingKey in signingKeys)
    {
        options.SigningCredentials.AddKey(signingKey);
    }

    // An empty authority leaves the issuer unset; a non-empty one must be an absolute URI.
    var hasAuthority = !string.IsNullOrEmpty(serverSettings.Authority);
    if (hasAuthority)
    {
        options.Issuer = new Uri(serverSettings.Authority, UriKind.Absolute);
    }

    // The access token handler is only replaced for the JWT format.
    var usesJwtAccessTokens = serverSettings.AccessTokenFormat == OpenIdServerSettings.TokenFormat.JWT;
    if (usesJwtAccessTokens)
    {
        options.AccessTokenHandler = new JwtSecurityTokenHandler();
    }

    options.AuthorizationEndpointPath = serverSettings.AuthorizationEndpointPath;
    options.LogoutEndpointPath = serverSettings.LogoutEndpointPath;
    options.TokenEndpointPath = serverSettings.TokenEndpointPath;
    options.UserinfoEndpointPath = serverSettings.UserinfoEndpointPath;

    // The configured grant types replace, rather than extend, whatever was registered before.
    options.GrantTypes.Clear();
    options.GrantTypes.UnionWith(serverSettings.GrantTypes);

    // Standard OpenID Connect scopes, plus a roles scope that reuses the name of the roles claim.
    options.Scopes.Add(OpenIddictConstants.Scopes.Email);
    options.Scopes.Add(OpenIddictConstants.Scopes.Phone);
    options.Scopes.Add(OpenIddictConstants.Scopes.Profile);
    options.Scopes.Add(OpenIddictConstants.Claims.Roles);
}
/// <summary>
/// Populates the OpenIddict server options from the server settings stored by the OpenID module:
/// issuer and token options, encryption and signing credentials, endpoint URIs, grant types and scopes.
/// </summary>
/// <param name="options">The OpenIddict server options to populate; left untouched when no settings are stored.</param>
public void Configure(OpenIddictServerOptions options)
{
    // Presumably the synchronous Configure of IConfigureOptions<T>, hence the blocking wait on the async lookup.
    var serverSettings = GetServerSettingsAsync().GetAwaiter().GetResult();
    if (serverSettings is null)
    {
        return;
    }

    // Endpoint paths are stored as application-relative paths and handed to OpenIddict as relative URIs.
    Uri ToRelativeUri(string path) => new Uri(path, UriKind.Relative);

    // NOTE(review): IgnoreScopePermissions is enabled unconditionally; presumably this skips the
    // per-application scope permission checks, so scope restriction relies on other layers — confirm.
    options.IgnoreScopePermissions = true;
    options.Issuer = serverSettings.Authority;
    options.DisableAccessTokenEncryption = serverSettings.DisableAccessTokenEncryption;
    options.UseRollingRefreshTokens = serverSettings.UseRollingRefreshTokens;
    options.UseReferenceAccessTokens = serverSettings.UseReferenceAccessTokens;

    // Encryption keys wrap the token content key with RSA-OAEP; the content is AES-256-CBC with HMAC-SHA512.
    var encryptionKeys = _serverService.GetEncryptionKeysAsync().GetAwaiter().GetResult();
    foreach (var encryptionKey in encryptionKeys)
    {
        options.EncryptionCredentials.Add(new EncryptingCredentials(encryptionKey, SecurityAlgorithms.RsaOAEP, SecurityAlgorithms.Aes256CbcHmacSha512));
    }

    // The signing algorithm is fixed to RS256, so the keys returned here are expected to be RSA keys.
    var signingKeys = _serverService.GetSigningKeysAsync().GetAwaiter().GetResult();
    foreach (var signingKey in signingKeys)
    {
        options.SigningCredentials.Add(new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha256));
    }

    // Only endpoints with a configured path are exposed.
    if (serverSettings.AuthorizationEndpointPath.HasValue)
    {
        options.AuthorizationEndpointUris.Add(ToRelativeUri(serverSettings.AuthorizationEndpointPath.Value));
    }

    if (serverSettings.LogoutEndpointPath.HasValue)
    {
        options.LogoutEndpointUris.Add(ToRelativeUri(serverSettings.LogoutEndpointPath.Value));
    }

    if (serverSettings.TokenEndpointPath.HasValue)
    {
        options.TokenEndpointUris.Add(ToRelativeUri(serverSettings.TokenEndpointPath.Value));
    }

    if (serverSettings.UserinfoEndpointPath.HasValue)
    {
        options.UserinfoEndpointUris.Add(ToRelativeUri(serverSettings.UserinfoEndpointPath.Value));
    }

    // Grant types come straight from the settings; the scopes below are always exposed.
    options.GrantTypes.UnionWith(serverSettings.GrantTypes);

    options.Scopes.Add(Scopes.Email);
    options.Scopes.Add(Scopes.Phone);
    options.Scopes.Add(Scopes.Profile);
    options.Scopes.Add(Scopes.Roles);
}
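/// <summary>
/// Populates the OpenIddict server options from the server settings stored by the OpenID module:
/// issuer and token options, encryption and signing credentials, endpoint URIs, and the grant types,
/// response types/modes and scopes implied by the enabled flows.
/// </summary>
/// <param name="options">The OpenIddict server options to populate; left untouched when no settings are stored.</param>
public void Configure(OpenIddictServerOptions options)
{
    // Presumably the synchronous Configure of IConfigureOptions<T>, hence the blocking wait on the async lookup.
    var settings = GetServerSettingsAsync().GetAwaiter().GetResult();
    if (settings == null)
    {
        return;
    }

    // NOTE(review): Authority is copied as-is; when it is null the issuer stays unset and is presumably
    // derived from the incoming request — confirm this is acceptable for deployments behind a proxy.
    options.Issuer = settings.Authority;
    options.DisableAccessTokenEncryption = settings.DisableAccessTokenEncryption;
    options.DisableRollingRefreshTokens = settings.DisableRollingRefreshTokens;
    options.UseReferenceAccessTokens = settings.UseReferenceAccessTokens;

    RegisterCredentials();
    RegisterEndpoints();
    RegisterFlows();

    // Forces clients using the code flow to send a PKCE challenge; SHA-256 is the only method registered by RegisterFlows.
    options.RequireProofKeyForCodeExchange = settings.RequireProofKeyForCodeExchange;

    // Scopes that are always exposed, independently of the enabled flows.
    options.Scopes.Add(Scopes.Email);
    options.Scopes.Add(Scopes.Phone);
    options.Scopes.Add(Scopes.Profile);
    options.Scopes.Add(Scopes.Roles);

    // Registers the keys used to encrypt and to sign the tokens issued by this server.
    void RegisterCredentials()
    {
        // Encryption keys wrap the token content key with RSA-OAEP; the content is AES-256-CBC with HMAC-SHA512.
        foreach (var key in _serverService.GetEncryptionKeysAsync().GetAwaiter().GetResult())
        {
            options.EncryptionCredentials.Add(new EncryptingCredentials(key, SecurityAlgorithms.RsaOAEP, SecurityAlgorithms.Aes256CbcHmacSha512));
        }

        // The signing algorithm is fixed to RS256, so the keys returned here are expected to be RSA keys.
        foreach (var key in _serverService.GetSigningKeysAsync().GetAwaiter().GetResult())
        {
            options.SigningCredentials.Add(new SigningCredentials(key, SecurityAlgorithms.RsaSha256));
        }
    }

    // Exposes every endpoint that has a configured path, as an application-relative URI.
    void RegisterEndpoints()
    {
        if (settings.AuthorizationEndpointPath.HasValue)
        {
            options.AuthorizationEndpointUris.Add(new Uri(settings.AuthorizationEndpointPath.Value, UriKind.Relative));
        }

        if (settings.LogoutEndpointPath.HasValue)
        {
            options.LogoutEndpointUris.Add(new Uri(settings.LogoutEndpointPath.Value, UriKind.Relative));
        }

        if (settings.TokenEndpointPath.HasValue)
        {
            options.TokenEndpointUris.Add(new Uri(settings.TokenEndpointPath.Value, UriKind.Relative));
        }

        if (settings.UserinfoEndpointPath.HasValue)
        {
            options.UserinfoEndpointUris.Add(new Uri(settings.UserinfoEndpointPath.Value, UriKind.Relative));
        }

        if (settings.IntrospectionEndpointPath.HasValue)
        {
            options.IntrospectionEndpointUris.Add(new Uri(settings.IntrospectionEndpointPath.Value, UriKind.Relative));
        }

        if (settings.RevocationEndpointPath.HasValue)
        {
            options.RevocationEndpointUris.Add(new Uri(settings.RevocationEndpointPath.Value, UriKind.Relative));
        }
    }

    // Derives grant types, response modes and response types from the flows enabled in the settings.
    // For now, response types and response modes are not directly
    // configurable and are inferred from the selected flows.
    void RegisterFlows()
    {
        if (settings.AllowAuthorizationCodeFlow)
        {
            options.CodeChallengeMethods.Add(CodeChallengeMethods.Sha256);
            options.GrantTypes.Add(GrantTypes.AuthorizationCode);
            options.ResponseModes.Add(ResponseModes.FormPost);
            options.ResponseModes.Add(ResponseModes.Fragment);
            options.ResponseModes.Add(ResponseModes.Query);
            options.ResponseTypes.Add(ResponseTypes.Code);
        }

        if (settings.AllowClientCredentialsFlow)
        {
            options.GrantTypes.Add(GrantTypes.ClientCredentials);
        }

        // The hybrid flow combines the code and implicit grants, so both are registered. Several of these
        // entries overlap with the code and implicit flows above/below; the collections are presumably sets,
        // in which case the repeated Add calls are harmless.
        if (settings.AllowHybridFlow)
        {
            options.CodeChallengeMethods.Add(CodeChallengeMethods.Sha256);
            options.GrantTypes.Add(GrantTypes.AuthorizationCode);
            options.GrantTypes.Add(GrantTypes.Implicit);
            options.ResponseModes.Add(ResponseModes.FormPost);
            options.ResponseModes.Add(ResponseModes.Fragment);
            options.ResponseTypes.Add(ResponseTypes.Code + ' ' + ResponseTypes.IdToken);
            options.ResponseTypes.Add(ResponseTypes.Code + ' ' + ResponseTypes.IdToken + ' ' + ResponseTypes.Token);
            options.ResponseTypes.Add(ResponseTypes.Code + ' ' + ResponseTypes.Token);
        }

        // The implicit flow delivers tokens in the front channel (fragment/form_post response modes);
        // it is only registered when the settings explicitly allow it.
        if (settings.AllowImplicitFlow)
        {
            options.GrantTypes.Add(GrantTypes.Implicit);
            options.ResponseModes.Add(ResponseModes.FormPost);
            options.ResponseModes.Add(ResponseModes.Fragment);
            options.ResponseTypes.Add(ResponseTypes.IdToken);
            options.ResponseTypes.Add(ResponseTypes.IdToken + ' ' + ResponseTypes.Token);
            options.ResponseTypes.Add(ResponseTypes.Token);
        }

        if (settings.AllowPasswordFlow)
        {
            options.GrantTypes.Add(GrantTypes.Password);
        }

        // offline_access is the scope clients request to be issued a refresh token.
        if (settings.AllowRefreshTokenFlow)
        {
            options.GrantTypes.Add(GrantTypes.RefreshToken);
            options.Scopes.Add(Scopes.OfflineAccess);
        }
    }
}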