public SignOutMessage CreateSignoutMessage(ValidatedEndSessionRequest request)
{
var message = new SignOutMessage();
if (request.Client != null)
{
message.ClientId = request.Client.ClientId;
if (request.PostLogOutUri != null)
{
message.ReturnUrl = request.PostLogOutUri;
}
else
{
if (request.Client.PostLogoutRedirectUris.Any())
{
message.ReturnUrl = request.Client.PostLogoutRedirectUris.First();
}
}
if (request.State.IsPresent())
{
if (message.ReturnUrl.IsPresent())
{
message.ReturnUrl = message.ReturnUrl.AddQueryString("state=" + request.State);
}
}
}
return(message);
}
public EndSessionRequestValidationLog(ValidatedEndSessionRequest request)
{
if (request.Options.LoggingOptions.IncludeSensitiveDataInLogs)
{
Raw = request.Raw.ToDictionary();
}
SubjectId = "unknown";
if (request.Subject != null)
{
var subjectClaim = request.Subject.FindFirst(Constants.ClaimTypes.Subject);
if (subjectClaim != null)
{
SubjectId = subjectClaim.Value;
}
}
if (request.Client != null)
{
ClientId = request.Client.ClientId;
ClientName = request.Client.ClientName;
}
PostLogOutUri = request.PostLogOutUri;
State = request.State;
}
/// <summary>
/// Initializes a new instance of the <see cref="LogoutMessage"/> class.
/// </summary>
/// <param name="request">The request.</param>
public LogoutMessage(ValidatedEndSessionRequest request)
{
if (request != null)
{
if (request.Raw != null)
{
Parameters = request.Raw.ToFullDictionary();
}
// optimize params sent to logout page, since we'd like to send them in URL (not as cookie)
Parameters.Remove(OidcConstants.EndSessionRequest.IdTokenHint);
Parameters.Remove(OidcConstants.EndSessionRequest.PostLogoutRedirectUri);
Parameters.Remove(OidcConstants.EndSessionRequest.State);
ClientId = request.Client?.ClientId;
ClientName = request.Client?.ClientName;
SubjectId = request.Subject?.GetSubjectId();
SessionId = request.SessionId;
ClientIds = request.ClientIds;
if (request.PostLogOutUri != null)
{
PostLogoutRedirectUri = request.PostLogOutUri;
if (request.State != null)
{
PostLogoutRedirectUri = PostLogoutRedirectUri.AddQueryString(OidcConstants.EndSessionRequest.State, request.State);
}
}
}
}
public LogoutMessage(ValidatedEndSessionRequest request)
{
if (request != null)
{
ClientId = request.Client?.ClientId;
if (request.PostLogOutUri != null)
{
PostLogoutRedirectUri = request.PostLogOutUri;
if (request.State != null)
{
PostLogoutRedirectUri = PostLogoutRedirectUri.AddQueryString(OidcConstants.EndSessionRequest.State + "=" + request.State);
}
}
}
}
/// <summary>
/// Creates a result that indicates an error.
/// </summary>
/// <param name="message"></param>
/// <param name="request"></param>
/// <returns></returns>
protected virtual EndSessionValidationResult Invalid(string message, ValidatedEndSessionRequest request = null)
{
message = "End session request validation failure: " + message;
if (request != null)
{
var log = new EndSessionRequestValidationLog(request);
Logger.LogInformation(message + Environment.NewLine + "{@details}", log);
}
else
{
Logger.LogInformation(message);
}
return(new EndSessionValidationResult
{
IsError = true,
Error = "Invalid request",
ErrorDescription = message
});
}
public EndSessionRequestValidationLog(ValidatedEndSessionRequest request)
{
Raw = request.Raw.ToScrubbedDictionary(OidcConstants.EndSessionRequest.IdTokenHint);
SubjectId = "unknown";
var subjectClaim = request.Subject?.FindFirst(JwtClaimTypes.Subject);
if (subjectClaim != null)
{
SubjectId = subjectClaim.Value;
}
if (request.Client != null)
{
ClientId = request.Client.ClientId;
ClientName = request.Client.ClientName;
}
PostLogOutUri = request.PostLogOutUri;
State = request.State;
}
/// <summary>
/// Initializes a new instance of the <see cref="LogoutMessage"/> class.
/// </summary>
/// <param name="request">The request.</param>
public LogoutMessage(ValidatedEndSessionRequest request)
{
if (request != null)
{
if (request.Raw != null)
{
// optimize params sent to logout page, since we'd like to send them in URL (not as cookie)
var optimizationParameters = new[]
{
OidcConstants.EndSessionRequest.IdTokenHint,
OidcConstants.EndSessionRequest.PostLogoutRedirectUri,
OidcConstants.EndSessionRequest.State
};
foreach (var(key, value) in request.Raw.ToDictionary())
{
if (!Parameters.ContainsKey(key) && !optimizationParameters.Contains(key))
{
Parameters.Add(key, value);
}
}
}
ClientId = request.Client?.ClientId;
ClientName = request.Client?.ClientName;
SubjectId = request.Subject?.GetSubjectId();
SessionId = request.SessionId;
ClientIds = request.ClientIds;
if (request.PostLogOutUri != null)
{
PostLogoutRedirectUri = request.PostLogOutUri;
if (request.State != null)
{
PostLogoutRedirectUri = PostLogoutRedirectUri.AddQueryString(OidcConstants.EndSessionRequest.State, request.State);
}
}
}
}
public EndSessionRequestValidationLog(ValidatedEndSessionRequest request)
{
Raw = request.Raw.ToDictionary();
SubjectId = "unknown";
if (request.Subject != null)
{
var subjectClaim = request.Subject.FindFirst(JwtClaimTypes.Subject);
if (subjectClaim != null)
{
SubjectId = subjectClaim.Value;
}
}
if (request.Client != null)
{
ClientId = request.Client.ClientId;
ClientName = request.Client.ClientName;
}
PostLogOutUri = request.PostLogOutUri;
State = request.State;
}
/// <summary>
/// Logs a success result.
/// </summary>
/// <param name="request"></param>
protected virtual void LogSuccess(ValidatedEndSessionRequest request)
{
var log = new EndSessionRequestValidationLog(request);
Logger.LogInformation("End session request validation success" + Environment.NewLine + "{@details}", log);
}
/// <inheritdoc />
public async Task <EndSessionValidationResult> ValidateAsync(NameValueCollection parameters, ClaimsPrincipal subject)
{
using var activity = Tracing.BasicActivitySource.StartActivity("EndSessionRequestValidator.Validate");
Logger.LogDebug("Start end session request validation");
var isAuthenticated = subject.IsAuthenticated();
if (!isAuthenticated && Options.Authentication.RequireAuthenticatedUserForSignOutMessage)
{
return(Invalid("User is anonymous. Ignoring end session parameters"));
}
var validatedRequest = new ValidatedEndSessionRequest
{
Raw = parameters
};
var idTokenHint = parameters.Get(OidcConstants.EndSessionRequest.IdTokenHint);
if (idTokenHint.IsPresent())
{
// validate id_token - no need to validate token life time
var tokenValidationResult = await TokenValidator.ValidateIdentityTokenAsync(idTokenHint, null, false);
if (tokenValidationResult.IsError)
{
return(Invalid("Error validating id token hint", validatedRequest));
}
validatedRequest.SetClient(tokenValidationResult.Client);
// validate sub claim against currently logged on user
var subClaim = tokenValidationResult.Claims.FirstOrDefault(c => c.Type == JwtClaimTypes.Subject);
if (subClaim != null && isAuthenticated)
{
if (subject.GetSubjectId() != subClaim.Value)
{
return(Invalid("Current user does not match identity token", validatedRequest));
}
validatedRequest.Subject = subject;
validatedRequest.SessionId = await UserSession.GetSessionIdAsync();
validatedRequest.ClientIds = await UserSession.GetClientListAsync();
}
var redirectUri = parameters.Get(OidcConstants.EndSessionRequest.PostLogoutRedirectUri);
if (redirectUri.IsPresent())
{
if (await UriValidator.IsPostLogoutRedirectUriValidAsync(redirectUri, validatedRequest.Client))
{
validatedRequest.PostLogOutUri = redirectUri;
}
else
{
Logger.LogWarning("Invalid PostLogoutRedirectUri: {postLogoutRedirectUri}", redirectUri);
}
}
if (validatedRequest.PostLogOutUri != null)
{
var state = parameters.Get(OidcConstants.EndSessionRequest.State);
if (state.IsPresent())
{
validatedRequest.State = state;
}
}
}
else
{
// no id_token to authenticate the client, but we do have a user and a user session
validatedRequest.Subject = subject;
validatedRequest.SessionId = await UserSession.GetSessionIdAsync();
validatedRequest.ClientIds = await UserSession.GetClientListAsync();
}
var uilocales = parameters.Get(OidcConstants.EndSessionRequest.UiLocales);
if (uilocales.IsPresent())
{
if (uilocales.Length > Options.InputLengthRestrictions.UiLocale)
{
var log = new EndSessionRequestValidationLog(validatedRequest);
Logger.LogWarning("UI locale too long. It will be ignored." + Environment.NewLine + "{@details}", log);
}
else
{
validatedRequest.UiLocales = uilocales;
}
}
LogSuccess(validatedRequest);
return(new EndSessionValidationResult
{
ValidatedRequest = validatedRequest,
IsError = false
});
}
