public static bool IsExcluded(this IOpenIdConnectRequestOptions options, IOpenIdConnectRequest openIdConnectRequest)
{
var username = openIdConnectRequest.GetUsername();
if (!string.IsNullOrEmpty(username) && options.ExcludedUsernameExpression != null &&
options.ExcludedUsernameExpression.IsMatch(username))
{
return(true);
}
var tenant = openIdConnectRequest.GetTenant();
if (!string.IsNullOrEmpty(tenant) && options.ExcludedTenantExpression != null &&
options.ExcludedTenantExpression.IsMatch(tenant))
{
return(true);
}
var osVersion = openIdConnectRequest.GetOsVersion();
if (!string.IsNullOrEmpty(osVersion) && options.ExcludedOsVersionExpression != null &&
options.ExcludedOsVersionExpression.IsMatch(osVersion))
{
return(true);
}
var device = openIdConnectRequest.GetDevice();
if (!string.IsNullOrEmpty(device?.DeviceType) && options.ExcludedDeviceExpression != null && options.ExcludedDeviceExpression.IsMatch(device.DeviceType))
{
return(true);
}
return(options.ExcludedSubnets.Any(excludedSubnet => excludedSubnet.Contains(openIdConnectRequest.GetRemoteIpAddress())));
}
protected override async Task <PipelineState> DoInvoke(IOwinContext context, IOpenIdConnectRequest openIdConnectRequest, ILoginStatistics loginStatistics)
{
var challengeForAllLogins = await ShouldChallengeForAllLogins(context);
if (challengeForAllLogins)
{
return(PipelineState.Challenge);
}
return(PipelineState.Continue);
}
public string CreateHtmlBody(IOpenIdConnectRequest openIdConnectRequest)
{
var languageCode = openIdConnectRequest.GetLanguage();
if (string.IsNullOrEmpty(languageCode))
{
languageCode = DefaultLanguageCode;
}
return(_options.SupportsPartialRecaptcha(openIdConnectRequest)
? CreatePartialHtmlBody(languageCode, openIdConnectRequest.GetDevice())
: CreateFullHtmlBody(languageCode, openIdConnectRequest.GetDevice()));
}
private async Task ChallengeWithRequestForRecaptcha(IOwinContext context, IOpenIdConnectRequest openIdConnectRequest)
{
var httpChallenge = context.Get <IHttpRecaptchaChallenge>();
if (openIdConnectRequest == null)
{
await httpChallenge.ReturnResponse(context, _options);
return;
}
await httpChallenge.ReturnResponse(context, _options, openIdConnectRequest);
}
private async Task ChallengeWithRequestForRecaptcha(IOwinContext context, IOpenIdConnectRequest openIdConnectRequest, int numberOfFailedLogins)
{
var loginStatistics = context.Get <ILoginStatistics>();
await loginStatistics.IncrementFailedLoginsForUserAndIpAddress(openIdConnectRequest.GetUsername(),
openIdConnectRequest.GetRemoteIpAddress());
await loginStatistics.IncrementChallengedLoginsForUserAndIpAddress(openIdConnectRequest.GetUsername(),
openIdConnectRequest.GetRemoteIpAddress(), numberOfFailedLogins, _options.NumberOfAllowedLoginFailuresPerIpAddress);
var httpChallenge = context.Get <IHttpRecaptchaChallenge>();
await httpChallenge.ReturnResponse(context, _options, openIdConnectRequest);
}
public override async Task <PipelineState> DoInvoke(IOwinContext context, IOpenIdConnectRequest openIdConnectRequest, ILoginStatistics loginStatistics)
{
var numberOfFailedLogins = await loginStatistics.GetNumberOfFailedLoginsForIpAddress(openIdConnectRequest.GetRemoteIpAddress());
if (numberOfFailedLogins < _options.NumberOfAllowedLoginFailuresPerIpAddress)
{
await loginStatistics.IncrementUnchallengedLoginsForUserAndIpAddress(openIdConnectRequest.GetUsername(),
openIdConnectRequest.GetRemoteIpAddress(), numberOfFailedLogins, _options.NumberOfAllowedLoginFailuresPerIpAddress);
return(PipelineState.Continue);
}
return(PipelineState.Challenge);
}
private async Task ChallengeWithRequestForRecaptcha(IOwinContext context, IOpenIdConnectRequest openIdConnectRequest)
{
var recaptchaMonitor = context.Get <IRecaptchaMonitor>();
recaptchaMonitor?.ChallengeIssued(openIdConnectRequest.ToRecaptchaUserContext());
var httpChallenge = context.Get <IHttpRecaptchaChallenge>();
if (openIdConnectRequest == null)
{
await httpChallenge.ReturnResponse(context, _options);
return;
}
await httpChallenge.ReturnResponse(context, _options, openIdConnectRequest);
}
private static async Task SetLoginStatusForUser(IOwinContext context, IOpenIdConnectRequest openIdConnectRequest)
{
var loginStatistics = context.Get <ILoginStatistics>();
if (loginStatistics == null)
{
return;
}
if (IsSuccessStatusCode(context.Response.StatusCode))
{
await loginStatistics.IncrementSuccessfulLoginsForUsernameAndIpAddress(openIdConnectRequest.GetUsername(), openIdConnectRequest.GetRemoteIpAddress());
}
else
{
await loginStatistics.IncrementFailedLoginsForUserAndIpAddress(openIdConnectRequest.GetUsername(), openIdConnectRequest.GetRemoteIpAddress());
}
}
private async Task InvokeCore(IOwinContext context, IOpenIdConnectRequest openIdConnectRequest)
{
var username = openIdConnectRequest.GetUsername();
var loginStatistics = context.Get <ILoginStatistics>();
if (loginStatistics != null)
{
var numberOfFailedLogins = await loginStatistics.GetNumberOfFailedLoginsForUser(username);
if (numberOfFailedLogins > _options.NumberOfAllowedLoginFailures)
{
await ReturnThrottledResponse(context);
return;
}
}
await Next.Invoke(context);
await SetLoginStatusForUser(context, openIdConnectRequest);
}
protected override async Task <PipelineState> DoInvoke(IOwinContext context, IOpenIdConnectRequest openIdConnectRequest, ILoginStatistics loginStatistics)
{
var recaptchaValidationService = context.Get <IRecaptchaValidationService>();
var recaptchaChallengeResponse = openIdConnectRequest.GetRecaptchaChallengeResponse();
if (!string.IsNullOrEmpty(recaptchaChallengeResponse))
{
var recaptchaVerificationResponse = await recaptchaValidationService.Validate(recaptchaChallengeResponse, Options);
if (recaptchaVerificationResponse.Succeeded)
{
context.Set <IRecaptchaContext>(new RecaptchaContext(RecaptchaState.ChallengeSucceeded, recaptchaVerificationResponse.Hostname, recaptchaVerificationResponse.Timestamp));
return(PipelineState.Continue);
}
context.Set <IRecaptchaContext>(new RecaptchaContext(RecaptchaState.Failed, recaptchaVerificationResponse.Hostname, recaptchaVerificationResponse.Timestamp));
return(PipelineState.Challenge);
}
return(PipelineState.Continue);
}
public static RecaptchaUserContext ToRecaptchaUserContext(this IOpenIdConnectRequest request)
{
if (request == null)
{
return(new RecaptchaUserContext());
}
var device = request.GetDevice();
return(new RecaptchaUserContext
{
Username = request.GetUsername(),
UserAgent = request.GetUserAgent(),
Device = new RecaptchaUserDevice
{
Id = device?.DeviceId,
Name = device?.DeviceName,
Token = device?.DeviceToken,
Type = device?.DeviceType
},
IpAddress = request.GetRemoteIpAddress().ToString(),
Tenant = request.GetTenant()
});
}
private static async Task SetLoginStatusForExcludedUser(IOwinContext context, IOpenIdConnectRequest openIdConnectRequest)
{
var loginStatistics = context.Get <ILoginStatistics>();
if (loginStatistics == null)
{
return;
}
await loginStatistics.IncrementAttemptedLoginsForExcludedUsernameAndIpAddress(openIdConnectRequest.GetUsername(), openIdConnectRequest.GetRemoteIpAddress());
}
private async Task Challenge(IOwinContext context, IOpenIdConnectRequest openIdConnectRequest, ILoginStatistics loginStatistics)
{
var numberOfFailedLogins = await loginStatistics.GetNumberOfFailedLoginsForIpAddress(openIdConnectRequest.GetRemoteIpAddress());
await ChallengeWithRequestForRecaptcha(context, openIdConnectRequest, numberOfFailedLogins);
}
public static bool Matches(this IOpenIdConnectRequestOptions openIdConnectRequestOptions, IOpenIdConnectRequest openIdConnectRequest)
{
var grantType = openIdConnectRequest.GetGrantType();
var path = openIdConnectRequestOptions.ProtectedPath;
if (string.IsNullOrEmpty(grantType) || string.IsNullOrEmpty(path))
{
return(false);
}
return(path.Equals(openIdConnectRequest.GetPath(), StringComparison.OrdinalIgnoreCase) &&
openIdConnectRequestOptions.ProtectedGrantTypes.Contains(grantType));
}
public async Task ReturnResponse(IOwinContext context, IIdentityServerRecaptchaOptions options, IOpenIdConnectRequest openIdConnectRequest)
{
var identityServerChallengeResource = new IdentityServerBadRequestChallengeResource
{
Message = CreateResponseMessage(),
ChallengeHtml = _recaptchaPage.CreateHtmlBody(openIdConnectRequest)
};
await context.ReturnResponse(HttpStatusCode.BadRequest, identityServerChallengeResource);
}
public abstract Task <PipelineState> DoInvoke(IOwinContext context, IOpenIdConnectRequest openIdConnectRequest, ILoginStatistics loginStatistics);
public static bool SupportsPartialRecaptcha(this IIdentityServerRecaptchaOptions openIdConnectRequestOptions, IOpenIdConnectRequest openIdConnectRequest)
{
var basicAuthenticationHeaderValue = openIdConnectRequest.GetBasicAuthenticationHeaderValue();
if (string.IsNullOrEmpty(basicAuthenticationHeaderValue))
{
return(true);
}
var basicAuthenticationHeaders = openIdConnectRequestOptions.WebClients.Select(client => Convert.ToBase64String(Encoding.UTF8.GetBytes($"{client.ClientId}:{client.Secret}")))
.Select(authorizationValue => new AuthenticationHeaderValue("Basic", authorizationValue));
return(basicAuthenticationHeaders
.Any(authenticationHeaderValue =>
{
return authenticationHeaderValue.ToString() == basicAuthenticationHeaderValue;
}));
}
public static bool IsExcluded(this RecaptchaValidationOptions recaptchaValidationOptions, IOwinContext owinContext, IOpenIdConnectRequest openIdConnectRequest)
{
var subnetExcluded = recaptchaValidationOptions.ExcludedSubnets.Any(excludedSubnet =>
{
var remoteClientIpAddress = owinContext.GetRemoteClientIpAddress();
IPAddress ipAaddress;
return(IPAddress.TryParse(remoteClientIpAddress, out ipAaddress) && excludedSubnet.Contains(ipAaddress));
});
if (subnetExcluded)
{
return(true);
}
if (openIdConnectRequest == null)
{
return(false);
}
var username = openIdConnectRequest.GetUsername();
if (!string.IsNullOrEmpty(username) && recaptchaValidationOptions.ExcludedUsernameExpression != null &&
recaptchaValidationOptions.ExcludedUsernameExpression.IsMatch(username))
{
return(true);
}
var tenant = openIdConnectRequest.GetTenant();
if (!string.IsNullOrEmpty(tenant) && recaptchaValidationOptions.ExcludedTenantExpression != null &&
recaptchaValidationOptions.ExcludedTenantExpression.IsMatch(tenant))
{
return(true);
}
var osVersion = openIdConnectRequest.GetOsVersion();
if (!string.IsNullOrEmpty(osVersion) && recaptchaValidationOptions.ExcludedOsVersionExpression != null &&
recaptchaValidationOptions.ExcludedOsVersionExpression.IsMatch(osVersion))
{
return(true);
}
return(false);
}
public async Task ReturnResponse(IOwinContext context, IIdentityServerRecaptchaOptions options, IOpenIdConnectRequest openIdConnectRequest)
{
await context.ReturnResponse(HttpStatusCode.Unauthorized,
new IdentityServerUnauthorizedChallengeResource
{
ChallengeHtml = _recaptchaPage.CreateHtmlBody(openIdConnectRequest),
LinkToChallenge = options.LinkToChallenge,
Description = CreateResponseMessage()
}, $@"recaptcha url=""{options.LinkToChallenge}""");
}
