Пример #1
        /// <summary>
        /// Adjusts the discovery document built by the OpenID Connect server middleware:
        /// drops the "plain" PKCE code challenge method, replaces the auto-computed
        /// grant types / scopes / claims with the ones configured in
        /// <see cref="OpenIddictServerOptions"/>, advertises the claims/request/request_uri
        /// parameters as unsupported and then publishes the corresponding server event.
        /// </summary>
        /// <param name="context">The context instance associated with this event.</param>
        /// <returns>The <see cref="Task"/> returned by the event service for the published event.</returns>
        public override Task HandleConfigurationRequest([NotNull] HandleConfigurationRequestContext context)
        {
            var serverOptions = (OpenIddictServerOptions)context.Options;

            // PKCE: the "plain" method lets anyone holding an intercepted code_challenge
            // replay it as the code_verifier, so it is never advertised even though the
            // underlying middleware supports it (RFC 7636 §7.2). Whatever other methods
            // the middleware registered are left untouched.
            context.CodeChallengeMethods.Remove(OpenIdConnectConstants.CodeChallengeMethods.Plain);

            // These three parameters are not implemented by OpenIddict; saying so
            // explicitly steers clients away from sending them.
            context.Metadata[OpenIdConnectConstants.Metadata.ClaimsParameterSupported]     = false;
            context.Metadata[OpenIdConnectConstants.Metadata.RequestParameterSupported]    = false;
            context.Metadata[OpenIdConnectConstants.Metadata.RequestUriParameterSupported] = false;

            // The middleware infers grant_types_supported from the enabled endpoints.
            // OpenIddict exposes exactly the grants enabled in its options instead,
            // so the inferred set is replaced rather than extended.
            var grantTypes = context.GrantTypes;
            grantTypes.Clear();
            grantTypes.UnionWith(serverOptions.GrantTypes);

            // Same policy for scopes_supported and claims_supported: only what the
            // developer explicitly registered is returned.
            var scopes = context.Scopes;
            scopes.Clear();
            scopes.UnionWith(serverOptions.Scopes);

            var claims = context.Claims;
            claims.Clear();
            claims.UnionWith(serverOptions.Claims);

            // Hand the (now adjusted) context to user code subscribed to the event.
            var configurationEvent = new OpenIddictServerEvents.HandleConfigurationRequest(context);
            return _eventService.PublishAsync(configurationEvent);
        }
        /// <summary>
        /// Customizes the discovery document: removes the "plain" PKCE method, narrows the
        /// advertised grant types to those enabled in <see cref="OpenIddictOptions"/>,
        /// registers the standard profile/email/phone/roles scopes (plus offline_access when
        /// the refresh token grant is advertised) and lists the authentication schemes that
        /// have a display name as external providers.
        /// </summary>
        /// <param name="context">The context instance associated with this event.</param>
        /// <returns>An already completed <see cref="Task"/>.</returns>
        public override Task HandleConfigurationRequest([NotNull] HandleConfigurationRequestContext context)
        {
            var settings = context.HttpContext.RequestServices.GetRequiredService<IOptions<OpenIddictOptions>>().Value;

            // PKCE: "plain" is stripped from code_challenge_methods_supported because it
            // offers no protection against an intercepted challenge (RFC 7636 §7.2).
            context.CodeChallengeMethods.Remove(OpenIdConnectConstants.CodeChallengeMethods.Plain);

            // The middleware pre-populates grant_types_supported from the enabled endpoints;
            // keep only those that are also enabled in the OpenIddict options, so a grant
            // that is reachable endpoint-wise but disabled by configuration is not advertised.
            var grantTypes = context.GrantTypes;
            grantTypes.IntersectWith(settings.GrantTypes);

            // "openid" is already present (added by the middleware); add the standard
            // scopes this server understands, in the order they should be listed.
            var scopes = context.Scopes;
            scopes.Add(OpenIdConnectConstants.Scopes.Profile);
            scopes.Add(OpenIdConnectConstants.Scopes.Email);
            scopes.Add(OpenIdConnectConstants.Scopes.Phone);
            scopes.Add(OpenIddictConstants.Scopes.Roles);

            // offline_access only makes sense when refresh tokens can actually be redeemed.
            var refreshTokenAdvertised = grantTypes.Contains(OpenIdConnectConstants.GrantTypes.RefreshToken);
            if (refreshTokenAdvertised)
            {
                scopes.Add(OpenIdConnectConstants.Scopes.OfflineAccess);
            }

            // Schemes without a display name are treated as internal (not user-selectable)
            // and therefore not exposed as external providers.
            var externalProviders = context.HttpContext.Authentication.GetAuthenticationSchemes()
                .Where(scheme => !string.IsNullOrEmpty(scheme.DisplayName))
                .Select(scheme => scheme.AuthenticationScheme);

            context.Metadata[OpenIddictConstants.Metadata.ExternalProvidersSupported] = new JArray(externalProviders);

            return Task.FromResult(0);
        }
Пример #3
        /// <summary>
        /// Customizes the discovery document: removes the "plain" PKCE method, replaces the
        /// middleware-computed grant types with the configured list and advertises only the
        /// scopes the user store can actually back (email, phone, roles), plus offline_access
        /// when the refresh token grant is listed.
        /// </summary>
        /// <param name="context">The context instance associated with this event.</param>
        /// <returns>An already completed <see cref="Task"/>.</returns>
        public override Task HandleConfigurationRequest([NotNull] HandleConfigurationRequestContext context)
        {
            var services = context.HttpContext.RequestServices.GetRequiredService<OpenIddictServices<TUser, TApplication, TAuthorization, TScope, TToken>>();
            var users = services.Users;

            // PKCE: "plain" is stripped from code_challenge_methods_supported because it
            // offers no protection against an intercepted challenge (RFC 7636 §7.2).
            context.CodeChallengeMethods.Remove(OpenIdConnectConstants.CodeChallengeMethods.Plain);

            // The middleware infers grant_types_supported from the enabled endpoints;
            // OpenIddict advertises exactly the configured list instead.
            var grantTypes = context.GrantTypes;
            grantTypes.Clear();
            grantTypes.UnionWith(services.Options.GrantTypes);

            // "openid" is already present (added by the middleware).
            var scopes = context.Scopes;
            scopes.Add(OpenIdConnectConstants.Scopes.Profile);

            // Each optional scope is advertised only when the user manager / store
            // reports support for the corresponding data, so the discovery document
            // never promises a claim the server cannot produce.
            if (users.SupportsUserEmail)
            {
                scopes.Add(OpenIdConnectConstants.Scopes.Email);
            }

            if (users.SupportsUserPhoneNumber)
            {
                scopes.Add(OpenIdConnectConstants.Scopes.Phone);
            }

            if (users.SupportsUserRole)
            {
                scopes.Add(OpenIddictConstants.Scopes.Roles);
            }

            // offline_access only makes sense when refresh tokens can actually be redeemed.
            var refreshTokenAdvertised = grantTypes.Contains(OpenIdConnectConstants.GrantTypes.RefreshToken);
            if (refreshTokenAdvertised)
            {
                scopes.Add(OpenIdConnectConstants.Scopes.OfflineAccess);
            }

            return Task.FromResult(0);
        }
Пример #4
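        /// <summary>
        /// Represents an event called for each validated configuration request
        /// to allow the user code to decide how the request should be handled.
        /// The base implementation is awaited before the Rock-specific scopes and
        /// claims are merged in, so the context is only touched once the base
        /// handler (and anything it triggers) is done with it.
        /// </summary>
        /// <param name="context">The context instance associated with this event.</param>
        /// <returns>A <see cref="T:System.Threading.Tasks.Task" /> that can be used to monitor the asynchronous operation.</returns>
        public override async Task HandleConfigurationRequest(HandleConfigurationRequestContext context)
        {
            // Await rather than just capturing the base Task: the original code mutated
            // context.Scopes/Claims while the base handler could still be in flight, and
            // a faulted base Task would only have been observed by the caller after the
            // database work below had already run.
            await base.HandleConfigurationRequest(context);

            // Advertise only the scopes currently active in Rock, and only the claims
            // resolved for those scopes (presumably what GetActiveAuthClaims filters on),
            // so the discovery document does not announce more than the server honours.
            using (var rockContext = new RockContext())
            {
                var activeScopes = RockIdentityHelper.GetActiveAuthScopes(rockContext);
                context.Scopes.UnionWith(activeScopes);

                var activeClaims = RockIdentityHelper.GetActiveAuthClaims(rockContext, activeScopes);
                context.Claims.UnionWith(activeClaims);
            }
        }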
Пример #5
        /// <summary>
        /// Customizes the discovery document: advertises S256 as the only PKCE code challenge
        /// method, replaces the middleware-computed grant types with the configured list,
        /// registers the standard profile/email/phone/roles scopes and adds offline_access
        /// when the refresh token flow is enabled in <see cref="OpenIddictOptions"/>.
        /// </summary>
        /// <param name="context">The context instance associated with this event.</param>
        /// <returns>An already completed <see cref="Task"/>.</returns>
        public override Task HandleConfigurationRequest([NotNull] HandleConfigurationRequestContext context)
        {
            var settings = context.HttpContext.RequestServices.GetRequiredService<IOptions<OpenIddictOptions>>().Value;

            // PKCE: rebuild code_challenge_methods_supported as an allow-list containing
            // only S256. This is stricter than removing "plain" (RFC 7636 §7.2) because
            // nothing else the middleware may have registered survives either.
            var challengeMethods = context.CodeChallengeMethods;
            challengeMethods.Clear();
            challengeMethods.Add(OpenIdConnectConstants.CodeChallengeMethods.Sha256);

            // The middleware infers grant_types_supported from the enabled endpoints;
            // OpenIddict advertises exactly the configured list instead.
            var grantTypes = context.GrantTypes;
            grantTypes.Clear();
            grantTypes.UnionWith(settings.GrantTypes);

            // "openid" is already present (added by the middleware); add the standard
            // scopes this server understands, in the order they should be listed.
            var scopes = context.Scopes;
            scopes.Add(OpenIdConnectConstants.Scopes.Profile);
            scopes.Add(OpenIdConnectConstants.Scopes.Email);
            scopes.Add(OpenIdConnectConstants.Scopes.Phone);
            scopes.Add(OpenIddictConstants.Scopes.Roles);

            // offline_access is tied to the refresh token flow, which is decided by
            // the options here rather than by the advertised grant types.
            if (settings.IsRefreshTokenFlowEnabled())
            {
                scopes.Add(OpenIdConnectConstants.Scopes.OfflineAccess);
            }

            return Task.FromResult(0);
        }
Пример #6
        /// <summary>
        /// Adjusts the discovery document built by the OpenID Connect server middleware:
        /// drops the "plain" PKCE method, replaces the auto-computed grant types and scopes
        /// with the ones configured in <see cref="OpenIddictServerOptions"/>, exposes the
        /// configured claims as claims_supported, advertises claims/request/request_uri as
        /// unsupported and lists the registered authentication schemes that have a display
        /// name as external providers.
        /// </summary>
        /// <param name="context">The context instance associated with this event.</param>
        /// <returns>A <see cref="Task"/> that completes once the scheme list has been resolved.</returns>
        public override async Task HandleConfigurationRequest([NotNull] HandleConfigurationRequestContext context)
        {
            var serverOptions = (OpenIddictServerOptions)context.Options;

            // PKCE: "plain" is stripped from code_challenge_methods_supported because it
            // offers no protection against an intercepted challenge (RFC 7636 §7.2).
            // Whatever other methods the middleware registered are left untouched.
            context.CodeChallengeMethods.Remove(OpenIdConnectConstants.CodeChallengeMethods.Plain);

            // The middleware infers grant_types_supported from the enabled endpoints;
            // OpenIddict exposes exactly the configured grants, so the inferred set is
            // replaced rather than extended.
            var grantTypes = context.GrantTypes;
            grantTypes.Clear();
            grantTypes.UnionWith(serverOptions.GrantTypes);

            // Same policy for scopes_supported.
            var scopes = context.Scopes;
            scopes.Clear();
            scopes.UnionWith(serverOptions.Scopes);

            // claims_supported is recommended, not required: when the configured list is
            // empty the middleware omits the property from the response on its own.
            context.Metadata[OpenIdConnectConstants.Metadata.ClaimsSupported] = new JArray(serverOptions.Claims);

            // These three parameters are not implemented by OpenIddict; saying so
            // explicitly steers clients away from sending them.
            context.Metadata[OpenIdConnectConstants.Metadata.ClaimsParameterSupported]     = false;
            context.Metadata[OpenIdConnectConstants.Metadata.RequestParameterSupported]    = false;
            context.Metadata[OpenIdConnectConstants.Metadata.RequestUriParameterSupported] = false;

            // Schemes without a display name are treated as internal (not user-selectable)
            // and therefore not exposed as external providers.
            var schemeProvider = context.HttpContext.RequestServices.GetRequiredService<IAuthenticationSchemeProvider>();
            var registeredSchemes = await schemeProvider.GetAllSchemesAsync();

            var externalProviders = registeredSchemes
                .Where(scheme => !string.IsNullOrEmpty(scheme.DisplayName))
                .Select(scheme => scheme.Name);

            context.Metadata[OpenIddictConstants.Metadata.ExternalProvidersSupported] = new JArray(externalProviders);
        }
 /// <summary>
 /// Forwards the configuration request event to the <c>OnHandleConfigurationRequest</c>
 /// delegate so user code can customize how the request is handled.
 /// </summary>
 /// <param name="context">The context instance associated with this event.</param>
 /// <returns>The <see cref="Task"/> returned by the delegate.</returns>
 public Task HandleConfigurationRequest(HandleConfigurationRequestContext context)
 {
     return OnHandleConfigurationRequest(context);
 }