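/// <summary>
        /// Decides whether the current session satisfies the authorize request or
        /// whether the user has to be sent to the login page.
        /// </summary>
        /// <remarks>
        /// The checks run in this order: an explicit <c>prompt=login</c> or
        /// <c>prompt=select_account</c> (always forces login; the prompt is removed from
        /// the request so the redirect back from the login page does not loop); the subject
        /// being authenticated and still active according to <see cref="Profile"/>; the
        /// <c>popup</c> display mode for users who are not signed in; an idp login hint that
        /// names a provider other than the current one; <c>max_age</c>; the client's
        /// local-login and external-IdP restrictions; and the client's user SSO lifetime.
        /// </remarks>
        /// <param name="request">The validated authorize request.</param>
        /// <returns>
        /// An <see cref="InteractionResponse"/> with <c>IsLogin</c> set when the user must
        /// (re)authenticate, with <c>RedirectUrl</c> set for the popup case, or an empty
        /// response when no interaction is needed.
        /// </returns>
        protected internal virtual async Task <InteractionResponse> ProcessLoginAsync(ValidatedAuthorizeRequest request)
        {
            // An explicit prompt wins over any existing session.
            if (request.PromptModes.Contains(OidcConstants.PromptModes.Login) ||
                request.PromptModes.Contains(OidcConstants.PromptModes.SelectAccount))
            {
                Logger.LogInformation("Showing login: request contains prompt={0}", request.PromptModes.ToSpaceSeparatedString());

                // remove prompt so when we redirect back in from login page
                // we won't think we need to force a prompt again
                request.RemovePrompt();

                return new InteractionResponse { IsLogin = true };
            }

            // An authenticated subject also has to be active: a deactivated user that
            // still carries a valid session is treated like an unauthenticated one.
            var isAuthenticated = request.Subject.IsAuthenticated();
            var isActive = false;

            if (isAuthenticated)
            {
                var isActiveCtx = new IsActiveContext(request.Subject, request.Client, IdentityServerConstants.ProfileIsActiveCallers.AuthorizeEndpoint);
                await Profile.IsActiveAsync(isActiveCtx);

                isActive = isActiveCtx.IsActive;
            }

            var needsLogin = !isAuthenticated || !isActive;

            if (needsLogin && request.DisplayMode == "popup")
            {
                // A popup cannot host the login page, so send it to a close page on the
                // origin of the redirect_uri (already validated with the request). The
                // origin is taken from the parsed Uri rather than String.Replace on
                // PathAndQuery: Replace rewrites every occurrence, so a PathAndQuery of
                // "/" would also mangle the "//" after the scheme.
                var redirect = new Uri(request.RedirectUri);
                var closePopupUri = redirect.GetLeftPart(UriPartial.Authority) + "/popup.html#";

                return new InteractionResponse { RedirectUrl = closePopupUri };
            }

            if (needsLogin)
            {
                if (!isAuthenticated)
                {
                    Logger.LogInformation("Showing login: User is not authenticated");
                }
                else
                {
                    Logger.LogInformation("Showing login: User is not active");
                }

                return new InteractionResponse { IsLogin = true };
            }

            // check current idp
            var currentIdp = request.Subject.GetIdentityProvider();

            // an idp login hint naming a different provider forces a fresh login
            var idp = request.GetIdP();
            if (idp.IsPresent() && idp != currentIdp)
            {
                Logger.LogInformation("Showing login: Current IdP ({currentIdp}) is not the requested IdP ({idp})", currentIdp, idp);
                return new InteractionResponse { IsLogin = true };
            }

            // max_age: the authentication must not be older than the requested number of seconds
            if (request.MaxAge.HasValue)
            {
                var authTime = request.Subject.GetAuthenticationTime();
                if (Clock.UtcNow > authTime.AddSeconds(request.MaxAge.Value))
                {
                    Logger.LogInformation("Showing login: Requested MaxAge exceeded.");
                    return new InteractionResponse { IsLogin = true };
                }
            }

            if (currentIdp == IdentityServerConstants.LocalIdentityProvider)
            {
                // local session, but the client only accepts external logins
                if (!request.Client.EnableLocalLogin)
                {
                    Logger.LogInformation("Showing login: User logged in locally, but client does not allow local logins");
                    return new InteractionResponse { IsLogin = true };
                }
            }
            else
            {
                // external session: when the client restricts IdPs, the current one must be listed
                var restrictions = request.Client.IdentityProviderRestrictions;
                if (restrictions != null && restrictions.Any() && !restrictions.Contains(currentIdp))
                {
                    Logger.LogInformation("Showing login: User is logged in with idp: {idp}, but idp not in client restriction list.", currentIdp);
                    return new InteractionResponse { IsLogin = true };
                }
            }

            // the client's SSO lifetime caps how long an existing session may be reused
            if (request.Client.UserSsoLifetime.HasValue)
            {
                var authTimeEpoch = request.Subject.GetAuthenticationTimeEpoch();
                var nowEpoch = Clock.UtcNow.ToUnixTimeSeconds();

                var diff = nowEpoch - authTimeEpoch;
                if (diff > request.Client.UserSsoLifetime.Value)
                {
                    Logger.LogInformation("Showing login: User's auth session duration: {sessionDuration} exceeds client's user SSO lifetime: {userSsoLifetime}.", diff, request.Client.UserSsoLifetime);
                    return new InteractionResponse { IsLogin = true };
                }
            }

            return new InteractionResponse();
        }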
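        /// <summary>
        /// Decides whether the current session satisfies the authorize request or
        /// whether the user has to be sent to the login page.
        /// </summary>
        /// <remarks>
        /// The checks run in this order: an explicit <c>prompt=login</c> or
        /// <c>prompt=select_account</c> (always forces login; the prompt is removed from
        /// the request so the redirect back from the login page does not loop); the subject
        /// being authenticated and still active according to <see cref="Profile"/>, where
        /// <c>prompt=none</c> turns a missing session into a <c>login_required</c> error
        /// instead of a login page; an idp login hint that names a provider other than
        /// the current one; <c>max_age</c>; and the client's local-login and external-IdP
        /// restrictions.
        /// </remarks>
        /// <param name="request">The validated authorize request.</param>
        /// <returns>
        /// An <see cref="InteractionResponse"/> with <c>IsLogin</c> set when the user must
        /// (re)authenticate, with <c>Error</c> set when <c>prompt=none</c> cannot be
        /// honoured, or an empty response when no interaction is needed.
        /// </returns>
        protected internal virtual async Task <InteractionResponse> ProcessLoginAsync(ValidatedAuthorizeRequest request)
        {
            // An explicit prompt wins over any existing session.
            if (request.PromptMode == OidcConstants.PromptModes.Login ||
                request.PromptMode == OidcConstants.PromptModes.SelectAccount)
            {
                // log before RemovePrompt(), which presumably clears PromptMode and
                // would otherwise leave the log entry without the prompt value
                Logger.LogInformation("Showing login: request contains prompt={0}", request.PromptMode);

                // remove prompt so when we redirect back in from login page
                // we won't think we need to force a prompt again
                request.RemovePrompt();

                return new InteractionResponse { IsLogin = true };
            }

            // An authenticated subject also has to be active: a deactivated user that
            // still carries a valid session is treated like an unauthenticated one.
            var isAuthenticated = request.Subject.IsAuthenticated();
            var isActive = false;

            if (isAuthenticated)
            {
                var isActiveCtx = new IsActiveContext(request.Subject, request.Client, IdentityServerConstants.ProfileIsActiveCallers.AuthorizeEndpoint);
                await Profile.IsActiveAsync(isActiveCtx);

                isActive = isActiveCtx.IsActive;
            }

            if (!isAuthenticated || !isActive)
            {
                // prompt=none means user must be signed in already, so the only
                // answer is an error back to the client, never a login page
                if (request.PromptMode == OidcConstants.PromptModes.None)
                {
                    if (!isAuthenticated)
                    {
                        Logger.LogInformation("Showing error: prompt=none was requested but user is not authenticated");
                    }
                    else
                    {
                        Logger.LogInformation("Showing error: prompt=none was requested but user is not active");
                    }

                    return new InteractionResponse
                    {
                        Error = OidcConstants.AuthorizeErrors.LoginRequired
                    };
                }

                if (!isAuthenticated)
                {
                    Logger.LogInformation("Showing login: User is not authenticated");
                }
                else
                {
                    Logger.LogInformation("Showing login: User is not active");
                }

                return new InteractionResponse { IsLogin = true };
            }

            // check current idp
            var currentIdp = request.Subject.GetIdentityProvider();

            // an idp login hint naming a different provider forces a fresh login;
            // the two placeholders get distinct names so structured log sinks keep both values
            var idp = request.GetIdP();
            if (idp.IsPresent() && idp != currentIdp)
            {
                Logger.LogInformation("Showing login: Current IdP ({currentIdp}) is not the requested IdP ({idp})", currentIdp, idp);
                return new InteractionResponse { IsLogin = true };
            }

            // max_age: the authentication must not be older than the requested number of seconds
            if (request.MaxAge.HasValue)
            {
                var authTime = request.Subject.GetAuthenticationTime();
                if (Clock.UtcNow > authTime.AddSeconds(request.MaxAge.Value))
                {
                    Logger.LogInformation("Showing login: Requested MaxAge exceeded.");
                    return new InteractionResponse { IsLogin = true };
                }
            }

            // local session, but the client only accepts external logins
            if (currentIdp == IdentityServerConstants.LocalIdentityProvider && !request.Client.EnableLocalLogin)
            {
                Logger.LogInformation("Showing login: User logged in locally, but client does not allow local logins");
                return new InteractionResponse { IsLogin = true };
            }

            // when the client restricts IdPs, the current one must be listed
            var restrictions = request.Client.IdentityProviderRestrictions;
            if (restrictions != null && restrictions.Any() && !restrictions.Contains(currentIdp))
            {
                Logger.LogInformation("Showing login: User is logged in with idp: {idp}, but idp not in client restriction list.", currentIdp);
                return new InteractionResponse { IsLogin = true };
            }

            return new InteractionResponse();
        }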