/// <summary>
/// Shapes the discovery (configuration) document before it is returned: drops the
/// "plain" PKCE method, replaces the grant types, scopes and claims with the values
/// configured in <see cref="OpenIddictServerOptions"/> and advertises that the
/// claims/request/request_uri request parameters are not supported.
/// </summary>
/// <param name="context">The context instance associated with this event.</param>
/// <returns>The task returned by the event service after the event has been published to user handlers.</returns>
public override Task HandleConfigurationRequest([NotNull] HandleConfigurationRequestContext context)
{
    var serverOptions = (OpenIddictServerOptions) context.Options;

    // Even though the OpenID Connect server middleware natively supports it, the
    // "plain" code_challenge_method gives no protection once the authorization
    // request is observed, so it is never advertised (RFC 7636, section 7.2:
    // https://tools.ietf.org/html/rfc7636#section-7.2).
    context.CodeChallengeMethods.Remove(OpenIdConnectConstants.CodeChallengeMethods.Plain);

    // The middleware derives grant_types_supported from the endpoints that are
    // enabled; OpenIddict instead advertises exactly the configured grants list.
    context.GrantTypes.Clear();
    foreach (var grantType in serverOptions.GrantTypes)
    {
        context.GrantTypes.Add(grantType);
    }

    // Only the scopes and claims registered by the developer are exposed.
    context.Scopes.Clear();
    foreach (var scope in serverOptions.Scopes)
    {
        context.Scopes.Add(scope);
    }

    context.Claims.Clear();
    foreach (var claim in serverOptions.Claims)
    {
        context.Claims.Add(claim);
    }

    // The optional claims/request/request_uri parameters are not supported by
    // OpenIddict; "false" is returned so clients are discouraged from using them.
    context.Metadata[OpenIdConnectConstants.Metadata.ClaimsParameterSupported] = false;
    context.Metadata[OpenIdConnectConstants.Metadata.RequestParameterSupported] = false;
    context.Metadata[OpenIdConnectConstants.Metadata.RequestUriParameterSupported] = false;

    var notification = new OpenIddictServerEvents.HandleConfigurationRequest(context);
    return _eventService.PublishAsync(notification);
}
/// <summary>
/// Shapes the discovery document: drops the "plain" PKCE method, restricts the
/// advertised grant types to those listed in <see cref="OpenIddictOptions"/>,
/// adds the standard profile/email/phone/roles scopes (plus offline_access when
/// the refresh token grant is advertised) and lists the external authentication
/// schemes that have a display name.
/// </summary>
/// <param name="context">The context instance associated with this event.</param>
/// <returns>A completed task.</returns>
public override Task HandleConfigurationRequest([NotNull] HandleConfigurationRequestContext context)
{
    var configuredOptions = context.HttpContext.RequestServices
        .GetRequiredService<IOptions<OpenIddictOptions>>()
        .Value;

    // "plain" is supported by the OpenID Connect server middleware but offers no
    // protection against an observer of the authorization request, so it is never
    // advertised. See https://tools.ietf.org/html/rfc7636#section-7.2.
    context.CodeChallengeMethods.Remove(OpenIdConnectConstants.CodeChallengeMethods.Plain);

    // The middleware fills grant_types_supported from the enabled endpoints; keep
    // only the entries that are also present in the configurable grants list.
    context.GrantTypes.IntersectWith(configuredOptions.GrantTypes);

    // "openid" is added by the OpenID Connect server middleware itself.
    var standardScopes = new[]
    {
        OpenIdConnectConstants.Scopes.Profile,
        OpenIdConnectConstants.Scopes.Email,
        OpenIdConnectConstants.Scopes.Phone,
        OpenIddictConstants.Scopes.Roles
    };
    foreach (var scope in standardScopes)
    {
        context.Scopes.Add(scope);
    }

    // offline_access only makes sense when refresh tokens can actually be issued.
    var refreshTokenAdvertised = context.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.RefreshToken);
    if (refreshTokenAdvertised)
    {
        context.Scopes.Add(OpenIdConnectConstants.Scopes.OfflineAccess);
    }

    // Schemes without a display name are treated as internal and are not listed.
    var externalProviders = context.HttpContext.Authentication.GetAuthenticationSchemes()
        .Where(provider => !string.IsNullOrEmpty(provider.DisplayName))
        .Select(provider => provider.AuthenticationScheme);
    context.Metadata[OpenIddictConstants.Metadata.ExternalProvidersSupported] = new JArray(externalProviders);

    return Task.FromResult(0);
}
/// <summary>
/// Shapes the discovery document: drops the "plain" PKCE method, copies the
/// configured grant types into grant_types_supported and advertises only the
/// scopes the user manager and its store can actually serve (email, phone and
/// roles are conditional; offline_access requires the refresh_token grant).
/// </summary>
/// <param name="context">The context instance associated with this event.</param>
/// <returns>A completed task.</returns>
public override Task HandleConfigurationRequest([NotNull] HandleConfigurationRequestContext context)
{
    var services = context.HttpContext.RequestServices
        .GetRequiredService<OpenIddictServices<TUser, TApplication, TAuthorization, TScope, TToken>>();
    var users = services.Users;

    // "plain" is supported by the OpenID Connect server middleware but offers no
    // protection against an observer of the authorization request, so it is
    // removed from code_challenge_methods_supported.
    // See https://tools.ietf.org/html/rfc7636#section-7.2.
    context.CodeChallengeMethods.Remove(OpenIdConnectConstants.CodeChallengeMethods.Plain);

    // The middleware derives grant_types_supported from the enabled endpoints;
    // OpenIddict instead advertises exactly the configured "supported list".
    context.GrantTypes.Clear();
    context.GrantTypes.UnionWith(services.Options.GrantTypes);

    // "openid" is added by the OpenID Connect server middleware itself.
    context.Scopes.Add(OpenIdConnectConstants.Scopes.Profile);

    // Each optional scope is advertised only when the user manager and the
    // underlying store can back it; advertising an unsupported scope would
    // promise claims that can never be returned.
    if (users.SupportsUserEmail)
    {
        context.Scopes.Add(OpenIdConnectConstants.Scopes.Email);
    }

    if (users.SupportsUserPhoneNumber)
    {
        context.Scopes.Add(OpenIdConnectConstants.Scopes.Phone);
    }

    if (users.SupportsUserRole)
    {
        context.Scopes.Add(OpenIddictConstants.Scopes.Roles);
    }

    // offline_access is only meaningful when refresh_token is an advertised grant.
    var refreshTokenSupported = context.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.RefreshToken);
    if (refreshTokenSupported)
    {
        context.Scopes.Add(OpenIdConnectConstants.Scopes.OfflineAccess);
    }

    return Task.FromResult(0);
}
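/// <summary>
/// Represents an event called for each validated configuration request
/// to allow the user code to decide how the request should be handled.
/// Once the base handler has completed, the scopes and claims that are
/// currently active in Rock are added to the discovery document.
/// </summary>
/// <param name="context">The context instance associated with this event.</param>
/// <returns>A <see cref="T:System.Threading.Tasks.Task" /> that completes once the base handler and the Rock scope/claim lookup have finished.</returns>
public override async Task HandleConfigurationRequest(HandleConfigurationRequestContext context)
{
    // Wait for the base handler before touching the context. The previous version
    // started the base task and then mutated Scopes/Claims while it could still be
    // running, so a base implementation that does asynchronous work (for example
    // publishing the event to other handlers) could observe a half-updated context.
    // If the base handler fails, no database work is performed.
    await base.HandleConfigurationRequest(context);

    using (var rockContext = new RockContext())
    {
        // Only scopes flagged active in Rock are advertised to clients.
        var activeScopes = RockIdentityHelper.GetActiveAuthScopes(rockContext);
        context.Scopes.UnionWith(activeScopes);

        // Claims are resolved against the active scopes (presumably so that only
        // claims belonging to an advertised scope are listed — confirm in RockIdentityHelper).
        var activeClaims = RockIdentityHelper.GetActiveAuthClaims(rockContext, activeScopes);
        context.Claims.UnionWith(activeClaims);
    }
}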
/// <summary>
/// Shapes the discovery document: advertises S256 as the only PKCE method, copies
/// the configured grant types into grant_types_supported, adds the standard
/// profile/email/phone/roles scopes and offline_access when the refresh token
/// flow is enabled in <see cref="OpenIddictOptions"/>.
/// </summary>
/// <param name="context">The context instance associated with this event.</param>
/// <returns>A completed task.</returns>
public override Task HandleConfigurationRequest([NotNull] HandleConfigurationRequestContext context)
{
    var configuredOptions = context.HttpContext.RequestServices
        .GetRequiredService<IOptions<OpenIddictOptions>>()
        .Value;

    // The OpenID Connect server middleware natively supports the "plain"
    // code_challenge_method, which offers no protection against an observer of the
    // authorization request. Rather than removing it, the whole list is replaced so
    // that S256 is the only advertised method.
    // See https://tools.ietf.org/html/rfc7636#section-7.2.
    context.CodeChallengeMethods.Clear();
    context.CodeChallengeMethods.Add(OpenIdConnectConstants.CodeChallengeMethods.Sha256);

    // The middleware derives grant_types_supported from the enabled endpoints;
    // OpenIddict instead advertises exactly the configured "supported list".
    context.GrantTypes.Clear();
    foreach (var grantType in configuredOptions.GrantTypes)
    {
        context.GrantTypes.Add(grantType);
    }

    // "openid" is added by the OpenID Connect server middleware itself.
    var standardScopes = new[]
    {
        OpenIdConnectConstants.Scopes.Profile,
        OpenIdConnectConstants.Scopes.Email,
        OpenIdConnectConstants.Scopes.Phone,
        OpenIddictConstants.Scopes.Roles
    };
    foreach (var scope in standardScopes)
    {
        context.Scopes.Add(scope);
    }

    // offline_access is only advertised when refresh tokens can actually be issued.
    if (configuredOptions.IsRefreshTokenFlowEnabled())
    {
        context.Scopes.Add(OpenIdConnectConstants.Scopes.OfflineAccess);
    }

    return Task.FromResult(0);
}
/// <summary>
/// Shapes the discovery document: drops the "plain" PKCE method, replaces the
/// grant types and scopes with the values configured in
/// <see cref="OpenIddictServerOptions"/>, publishes the configured claims as
/// claims_supported, advertises that the claims/request/request_uri parameters
/// are not supported and lists the external authentication schemes that have a
/// display name.
/// </summary>
/// <param name="context">The context instance associated with this event.</param>
/// <returns>A task that completes once the authentication schemes have been resolved and the metadata updated.</returns>
public override async Task HandleConfigurationRequest([NotNull] HandleConfigurationRequestContext context)
{
    var serverOptions = (OpenIddictServerOptions) context.Options;
    var metadata = context.Metadata;

    // "plain" is supported by the OpenID Connect server middleware but offers no
    // protection against an observer of the authorization request, so it is never
    // advertised. See https://tools.ietf.org/html/rfc7636#section-7.2.
    context.CodeChallengeMethods.Remove(OpenIdConnectConstants.CodeChallengeMethods.Plain);

    // The middleware derives grant_types_supported from the enabled endpoints;
    // OpenIddict instead advertises exactly the configured grants list.
    context.GrantTypes.Clear();
    foreach (var grantType in serverOptions.GrantTypes)
    {
        context.GrantTypes.Add(grantType);
    }

    // Only the scopes registered by the developer are exposed.
    context.Scopes.Clear();
    foreach (var scope in serverOptions.Scopes)
    {
        context.Scopes.Add(scope);
    }

    // claims_supported is recommended but not required; when no claim was
    // registered the middleware drops the property from the response.
    metadata[OpenIdConnectConstants.Metadata.ClaimsSupported] = new JArray(serverOptions.Claims);

    // The optional claims/request/request_uri parameters are not supported by
    // OpenIddict; "false" is returned so clients are discouraged from using them.
    metadata[OpenIdConnectConstants.Metadata.ClaimsParameterSupported] = false;
    metadata[OpenIdConnectConstants.Metadata.RequestParameterSupported] = false;
    metadata[OpenIdConnectConstants.Metadata.RequestUriParameterSupported] = false;

    // Schemes without a display name are treated as internal and are not listed.
    var schemeProvider = context.HttpContext.RequestServices.GetRequiredService<IAuthenticationSchemeProvider>();
    var registeredSchemes = await schemeProvider.GetAllSchemesAsync();
    var externalProviders = registeredSchemes
        .Where(scheme => !string.IsNullOrEmpty(scheme.DisplayName))
        .Select(scheme => scheme.Name);
    metadata[OpenIddictConstants.Metadata.ExternalProvidersSupported] = new JArray(externalProviders);
}
/// <summary>
/// Forwards the configuration request to <c>OnHandleConfigurationRequest</c>,
/// which is defined outside this block (presumably a user-assignable callback).
/// </summary>
/// <param name="context">The context instance associated with this event.</param>
/// <returns>The task returned by <c>OnHandleConfigurationRequest</c>.</returns>
public Task HandleConfigurationRequest(HandleConfigurationRequestContext context)
{
    return OnHandleConfigurationRequest(context);
}