public async Task <IActionResult> Authorize()
{
var request = HttpContext.GetOpenIddictServerRequest() ??
throw new InvalidOperationException("The OpenID Connect request cannot be retrieved.");
// Retrieve the application details from the database.
var application = await _applicationManager.FindByClientIdAsync(request.ClientId) ??
throw new InvalidOperationException("Details concerning the calling client application cannot be found.");
return(View(new AuthorizeViewModel
{
ApplicationName = await _applicationManager.GetDisplayNameAsync(application),
Scope = request.Scope
}));
}
public async Task <IActionResult> Exchange()
{
var request = HttpContext.GetOpenIddictServerRequest();
if (request.IsAuthorizationCodeGrantType())
{
// Note: the client credentials are automatically validated by OpenIddict:
// if client_id or client_secret are invalid, this action won't be invoked.
var application = await _applicationManager.FindByClientIdAsync(request.ClientId);
if (application == null)
{
throw new InvalidOperationException("The application details cannot be found in the database.");
}
// Create a new ClaimsIdentity containing the claims that
// will be used to create an id_token, a token or a code.
var identity = new ClaimsIdentity(
TokenValidationParameters.DefaultAuthenticationType,
Claims.Name, Claims.Role);
// Use the client_id as the subject identifier.
identity.AddClaim(Claims.Subject, await _applicationManager.GetClientIdAsync(application),
Destinations.AccessToken, Destinations.IdentityToken);
identity.AddClaim(Claims.Name, await _applicationManager.GetDisplayNameAsync(application),
Destinations.AccessToken, Destinations.IdentityToken);
return(SignIn(new ClaimsPrincipal(identity), OpenIddictServerAspNetCoreDefaults.AuthenticationScheme));
}
throw new NotImplementedException("The specified grant type is not implemented.");
}
public async Task <IActionResult> Authorize(OpenIdConnectRequest request)
{
Debug.Assert(request.IsAuthorizationRequest(),
"The OpenIddict binder for ASP.NET Core MVC is not registered. " +
"Make sure services.AddOpenIddict().AddServer().UseMvc() is correctly called.");
// Retrieve the application details from the database.
var application = await _applicationManager.FindByClientIdAsync(request.ClientId);
if (application == null)
{
return(View("Error", new ErrorViewModel
{
Error = OpenIdConnectConstants.Errors.InvalidClient,
ErrorDescription = "Details concerning the calling client application cannot be found in the database"
}));
}
// Flow the request_id to allow OpenIddict to restore
// the original authorization request from the cache.
return(View(new AuthorizeViewModel
{
ApplicationName = await _applicationManager.GetDisplayNameAsync(application),
RequestId = request.RequestId,
Scope = request.Scope
}));
}
public async Task <IActionResult> Authorize(OpenIdConnectRequest request)
{
// Retrieve the application details from the database.
var application = await _applicationManager.FindByClientIdAsync(request.ClientId);
if (application == null)
{
return(View("Error",
new ErrorViewModel
{
Error = OpenIddictConstants.Errors.InvalidClient,
ErrorDescription =
"Details concerning the calling client application cannot be found in the database"
}));
}
var userId = _userManager.GetUserId(User);
if (!string.IsNullOrEmpty(
await OpenIdExtensions.IsUserAuthorized(_authorizationManager, request, userId, application.Id)))
{
return(await Authorize(request, "YES", false));
}
// Flow the request_id to allow OpenIddict to restore
// the original authorization request from the cache.
return(View(new AuthorizeViewModel
{
ApplicationName = await _applicationManager.GetDisplayNameAsync(application),
RequestId = request.RequestId,
Scope = request.GetScopes()
}));
}
public async Task <IActionResult> Authorize()
{
var request = HttpContext.GetOpenIddictServerRequest();
if (request == null)
{
throw new InvalidOperationException("The OpenID Connect request cannot be retrieved.");
}
// Retrieve the application details from the database.
var application = await _applicationManager.FindByClientIdAsync(request.ClientId);
if (application == null)
{
return(View("Error", new ErrorViewModel
{
Error = Errors.InvalidClient,
ErrorDescription = "Details concerning the calling client application cannot be found in the database"
}));
}
// Flow the request_id to allow OpenIddict to restore
// the original authorization request from the cache.
return(View(new AuthorizeViewModel
{
ApplicationName = await _applicationManager.GetDisplayNameAsync(application),
Parameters = request.GetFlattenedParameters(),
Scope = request.Scope
}));
}
public async Task <IActionResult> Authorize(OpenIdConnectRequest req)
{
//Debug.Assert(request.IsAuthorizationRequest(),
// "The OpenIddict binder for ASP.NET Core MVC is not registered." +
// "Make sure services.AddOpenIddict().AddServer().UseMvc() is correctly called.");
var application = await applicationManager.FindByClientIdAsync(req.ClientId);
if (application == null)
{
var msg = "Details concerning the calling client application cannot be found in the database";
return(BadRequest(error: new ErrowVm
{
Error = Errors.InvalidClient,
ErrorDescription = msg
}.ToResponse(false, msg)));
}
return(Ok(new AuthorizeVm
{
ApplicationName = await applicationManager.GetDisplayNameAsync(application),
RequestId = req.RequestId,
Scope = req.Scope
}.ToResponse()));
}
private async Task <IActionResult> ExchangeClientCredentialsGrantType(OpenIdConnectRequest request)
{
// Note: client authentication is always enforced by OpenIddict before this action is invoked.
var application = await _applicationManager.FindByClientIdAsync(request.ClientId, HttpContext.RequestAborted);
if (application == null)
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidClient,
ErrorDescription = T["The client application is unknown."]
}));
}
var identity = new ClaimsIdentity(
OpenIdConnectServerDefaults.AuthenticationScheme,
OpenIdConnectConstants.Claims.Name,
OpenIdConnectConstants.Claims.Role);
identity.AddClaim(OpenIdConnectConstants.Claims.Subject, application.ClientId);
identity.AddClaim(OpenIdConnectConstants.Claims.Name,
await _applicationManager.GetDisplayNameAsync(application, HttpContext.RequestAborted),
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
foreach (var roleName in application.RoleNames)
{
identity.AddClaim(identity.RoleClaimType, roleName,
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
foreach (var claim in await _roleManager.GetClaimsAsync(await _roleManager.FindByIdAsync(roleName)))
{
identity.AddClaim(claim.Type, claim.Value, OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
}
}
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
OpenIdConnectServerDefaults.AuthenticationScheme);
ticket.SetResources(await GetResourcesAsync(request));
return(SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme));
}
public async Task <IActionResult> Authorize(OpenIdConnectRequest request)
{
Debug.Assert(request.IsAuthorizationRequest(),
"The OpenIddict binder for ASP.NET Core MVC is not registered. " +
"Make sure services.AddOpenIddict().AddServer().UseMvc() is correctly called.");
// Retrieve the application details from the database.
var application = await _applicationManager.FindByClientIdAsync(request.ClientId);
if (application == null)
{
return(BadRequest("Details concerning the calling client application cannot be found in the database"));
}
// Flow the request_id to allow OpenIddict to restore
// the original authorization request from the cache.
return(Redirect($"/Login?ApplicationName={await _applicationManager.GetDisplayNameAsync(application)}&RequestId={request.RequestId}&Scope={request.Scope}"));
}
public async Task <IActionResult> Authorize()
{
var request = HttpContext.GetOpenIddictServerRequest() ??
throw new InvalidOperationException("The OpenID Connect request cannot be retrieved.");
// Retrieve the user principal stored in the authentication cookie.
// If it can't be extracted, redirect the user to the login page.
var result = await HttpContext.AuthenticateAsync(IdentityConstants.ApplicationScheme);
if (result == null || !result.Succeeded)
{
// If the client application requested promptless authentication,
// return an error indicating that the user is not logged in.
if (request.HasPrompt(Prompts.None))
{
return(Forbid(
authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
properties: new AuthenticationProperties(new Dictionary <string, string>
{
[OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.LoginRequired,
[OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = "The user is not logged in."
})));
}
return(Challenge(
authenticationSchemes: IdentityConstants.ApplicationScheme,
properties: new AuthenticationProperties
{
RedirectUri = Request.PathBase + Request.Path + QueryString.Create(
Request.HasFormContentType ? Request.Form.ToList() : Request.Query.ToList())
}));
}
// If prompt=login was specified by the client application,
// immediately return the user agent to the login page.
if (request.HasPrompt(Prompts.Login))
{
// To avoid endless login -> authorization redirects, the prompt=login flag
// is removed from the authorization request payload before redirecting the user.
var prompt = string.Join(" ", request.GetPrompts().Remove(Prompts.Login));
var parameters = Request.HasFormContentType ?
Request.Form.Where(parameter => parameter.Key != Parameters.Prompt).ToList() :
Request.Query.Where(parameter => parameter.Key != Parameters.Prompt).ToList();
parameters.Add(KeyValuePair.Create(Parameters.Prompt, new StringValues(prompt)));
return(Challenge(
authenticationSchemes: IdentityConstants.ApplicationScheme,
properties: new AuthenticationProperties
{
RedirectUri = Request.PathBase + Request.Path + QueryString.Create(parameters)
}));
}
// If a max_age parameter was provided, ensure that the cookie is not too old.
// If it's too old, automatically redirect the user agent to the login page.
if (request.MaxAge != null && result.Properties?.IssuedUtc != null &&
DateTimeOffset.UtcNow - result.Properties.IssuedUtc > TimeSpan.FromSeconds(request.MaxAge.Value))
{
if (request.HasPrompt(Prompts.None))
{
return(Forbid(
authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
properties: new AuthenticationProperties(new Dictionary <string, string>
{
[OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.LoginRequired,
[OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = "The user is not logged in."
})));
}
return(Challenge(
authenticationSchemes: IdentityConstants.ApplicationScheme,
properties: new AuthenticationProperties
{
RedirectUri = Request.PathBase + Request.Path + QueryString.Create(
Request.HasFormContentType ? Request.Form.ToList() : Request.Query.ToList())
}));
}
// Retrieve the profile of the logged in user.
var user = await _userManager.GetUserAsync(result.Principal) ??
throw new InvalidOperationException("The user details cannot be retrieved.");
// Retrieve the application details from the database.
var application = await _applicationManager.FindByClientIdAsync(request.ClientId) ??
throw new InvalidOperationException("Details concerning the calling client application cannot be found.");
// Retrieve the permanent authorizations associated with the user and the calling client application.
var authorizations = await _authorizationManager.FindAsync(
subject : await _userManager.GetUserIdAsync(user),
client : await _applicationManager.GetIdAsync(application),
status : Statuses.Valid,
type : AuthorizationTypes.Permanent,
scopes : request.GetScopes()).ToListAsync();
switch (await _applicationManager.GetConsentTypeAsync(application))
{
// If the consent is external (e.g when authorizations are granted by a sysadmin),
// immediately return an error if no authorization can be found in the database.
case ConsentTypes.External when !authorizations.Any():
return(Forbid(
authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
properties: new AuthenticationProperties(new Dictionary <string, string>
{
[OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.ConsentRequired,
[OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] =
"The logged in user is not allowed to access this client application."
})));
// If the consent is implicit or if an authorization was found,
// return an authorization response without displaying the consent form.
case ConsentTypes.Implicit:
case ConsentTypes.External when authorizations.Any():
case ConsentTypes.Explicit when authorizations.Any() && !request.HasPrompt(Prompts.Consent):
var principal = await _signInManager.CreateUserPrincipalAsync(user);
// Note: in this sample, the granted scopes match the requested scope
// but you may want to allow the user to uncheck specific scopes.
// For that, simply restrict the list of scopes before calling SetScopes.
principal.SetScopes(request.GetScopes());
principal.SetResources(await _scopeManager.ListResourcesAsync(principal.GetScopes()).ToListAsync());
// Automatically create a permanent authorization to avoid requiring explicit consent
// for future authorization or token requests containing the same scopes.
var authorization = authorizations.LastOrDefault();
if (authorization == null)
{
authorization = await _authorizationManager.CreateAsync(
principal : principal,
subject : await _userManager.GetUserIdAsync(user),
client : await _applicationManager.GetIdAsync(application),
type : AuthorizationTypes.Permanent,
scopes : principal.GetScopes());
}
principal.SetInternalAuthorizationId(await _authorizationManager.GetIdAsync(authorization));
foreach (var claim in principal.Claims)
{
claim.SetDestinations(GetDestinations(claim, principal));
}
return(SignIn(principal, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme));
// At this point, no authorization was found in the database and an error must be returned
// if the client application specified prompt=none in the authorization request.
case ConsentTypes.Explicit when request.HasPrompt(Prompts.None):
case ConsentTypes.Systematic when request.HasPrompt(Prompts.None):
return(Forbid(
authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
properties: new AuthenticationProperties(new Dictionary <string, string>
{
[OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.ConsentRequired,
[OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] =
"Interactive user consent is required."
})));
// In every other case, render the consent form.
default:
return(View(new AuthorizeViewModel
{
ApplicationName = await _applicationManager.GetDisplayNameAsync(application),
Scope = request.Scope
}));
}
}
public virtual async Task <IActionResult> Authorize([RequestUser] User requestUser,
[FromQuery] string returnUrl = "")
{
if (requestUser == null)
{
return(Redirect("/OpenId/Login?ReturnUrl=" + returnUrl));
}
// Identity cookie that is not valid anymore (e.g. deleted user), still gets through
// the [Authorize] attribute by design. Check that user actually exists.
var user = await _userManager.GetUserAsync(HttpContext.User);
if (user == null)
{
await _signInManager.SignOutAsync();
return(Redirect(HttpContext.Request.GetEncodedUrl()));
}
// Extract the authorization request from the ASP.NET environment.
var request = HttpContext.GetOpenIdConnectRequest();
// Retrieve the application details from the database.
var application = await _applicationManager.FindByClientIdAsync(request.ClientId);
if (application == null)
{
return(RedirectToAction(nameof(ErrorController.Error), nameof(ErrorController), new { message = FatalErrors.InvalidClient }));
}
// Check if the application is official (registered in settings) and
// accept any request by default
if (_officialApplications.Value.Any(x => x.Value.ClientId == request.ClientId))
{
return(await Accept());
}
var appName = await _applicationManager.GetDisplayNameAsync(application);
var inputs = "";
var hiddenParams = new Dictionary <string, string> {
{ "request_id", request.RequestId }
};
foreach (var item in hiddenParams)
{
var key = WebUtility.HtmlEncode(item.Key);
var value = WebUtility.HtmlEncode(item.Value);
inputs = inputs + $@"<input type=""hidden"" name=""{key}"" value=""{value}"" />";
}
// TODO: Anti forgery token for Accept and Deny
var data = JsonConvert.SerializeObject(new
{
Display = request.GetParameter("display"),
Scopes = request.GetScopes().ToList(),
FormMethod = "POST",
FormActionAccept = Url.Action(nameof(Accept)),
FormActionDeny = Url.Action(nameof(Deny)),
ApplicationName = appName,
FormData = hiddenParams
}, _mvcJsonOptions.SerializerSettings);
return(new ContentResult()
{
Content = $@"<!DOCTYPE html>
<html>
<head>
<script>var OPENID_AUTHORIZE_PAGE = {data};</script>
{_brandingHtml?.Authorize}
</head>
<body>
<form enctype=""application/x-www-form-urlencoded"" method=""POST"">
{inputs}
<div>{WebUtility.HtmlEncode(appName)}</div>
<button formaction=""{Url.Action(nameof(Accept))}"" type=""submit"" />ACCEPT</button>
<button formaction=""{Url.Action(nameof(Deny))}"" type=""submit"">DENY</button>
",
ContentType = "text/html; charset=utf8"
});
}
