/// <summary>
/// Initializes a new instance of the <see cref="AuthorizationRequest"/> class
/// from an already-validated authorize request.
/// </summary>
/// <param name="request">The validated authorize request whose values are copied.</param>
internal AuthorizationRequest(ValidatedAuthorizeRequest request)
{
    // The raw authorize parameters travel along unchanged.
    Parameters = request.Raw;

    ClientId = request.ClientId;
    DisplayMode = request.DisplayMode;
    UiLocales = request.UiLocales;
    LoginHint = request.LoginHint;

    // idp / tenant are the well-known acr_values hints.
    IdP = request.GetIdP();
    Tenant = request.GetTenant();

    // Remaining acr values and scopes only replace the defaults when present.
    var requestedAcrValues = request.GetAcrValues();
    if (requestedAcrValues.Any())
    {
        AcrValues = requestedAcrValues;
    }

    var requestedScopes = request.RequestedScopes;
    if (requestedScopes.Any())
    {
        ScopesRequested = requestedScopes;
    }
}
/// <summary>
/// Builds the sign-in request for the login page, persists it in the sign-in
/// request store and returns a redirect result pointing at the stored message.
/// </summary>
/// <param name="request">The validated authorize request that triggered the login.</param>
/// <returns>A <see cref="LoginPageResult"/> carrying the stored message id.</returns>
public async Task<IEndpointResult> CreateLoginResultAsync(ValidatedAuthorizeRequest request)
{
    // The login page always learns which client asked for authorization.
    var signInRequest = new SignInRequest { ClientId = request.ClientId };

    // Optional UI hints are only forwarded when the request carried them.
    if (request.DisplayMode.IsPresent())
    {
        signInRequest.DisplayMode = request.DisplayMode;
    }
    if (request.UiLocales.IsPresent())
    {
        signInRequest.UiLocales = request.UiLocales;
    }
    if (request.LoginHint.IsPresent())
    {
        signInRequest.LoginHint = request.LoginHint;
    }

    // idp and tenant are the well-known acr_values hints.
    var requestedIdp = request.GetIdP();
    if (requestedIdp.IsPresent())
    {
        signInRequest.IdP = requestedIdp;
    }
    var requestedTenant = request.GetTenant();
    if (requestedTenant.IsPresent())
    {
        signInRequest.Tenant = requestedTenant;
    }

    // Any remaining acr values are passed through as-is.
    var requestedAcrValues = request.GetAcrValues();
    if (requestedAcrValues.Any())
    {
        signInRequest.AcrValues = requestedAcrValues;
    }

    // After login the user is sent back into the authorize pipeline.
    var returnUrl = _context.GetIdentityServerBaseUrl().EnsureTrailingSlash()
                    + Constants.RoutePaths.Oidc.AuthorizeAfterLogin;

    var message = new Message<SignInRequest>(signInRequest)
    {
        ResponseUrl = returnUrl,
        AuthorizeRequestParameters = request.Raw.ToDictionary()
    };

    await _signInRequestStore.WriteAsync(message);

    return new LoginPageResult(message.Id);
}
/// <summary>
/// Initializes a new instance of the <see cref="AuthorizationRequest"/> class
/// from an already-validated authorize request.
/// </summary>
/// <param name="request">The validated authorize request whose values are copied.</param>
internal AuthorizationRequest(ValidatedAuthorizeRequest request)
{
    // Client id and raw parameters are always copied.
    ClientId = request.ClientId;
    Parameters = request.Raw;

    // Optional UI hints keep their property defaults unless the request carried a value.
    if (request.DisplayMode.IsPresent())
    {
        DisplayMode = request.DisplayMode;
    }
    if (request.UiLocales.IsPresent())
    {
        UiLocales = request.UiLocales;
    }
    if (request.LoginHint.IsPresent())
    {
        LoginHint = request.LoginHint;
    }

    // idp / tenant are the well-known acr_values hints.
    var idpHint = request.GetIdP();
    if (idpHint.IsPresent())
    {
        IdP = idpHint;
    }
    var tenantHint = request.GetTenant();
    if (tenantHint.IsPresent())
    {
        Tenant = tenantHint;
    }

    // Remaining acr values and requested scopes, again only when non-empty.
    var remainingAcrValues = request.GetAcrValues();
    if (remainingAcrValues.Any())
    {
        AcrValues = remainingAcrValues;
    }

    var requestedScopes = request.RequestedScopes;
    if (requestedScopes.Any())
    {
        ScopesRequested = requestedScopes;
    }
}
/// <summary>
/// Initializes a new instance of the <see cref="AuthorizationRequest"/> class
/// by copying the values of an already-validated authorize request.
/// </summary>
/// <param name="request">The validated authorize request to copy from.</param>
internal AuthorizationRequest(ValidatedAuthorizeRequest request)
{
    // Identity of the caller and where the response goes.
    ClientId = request.ClientId;
    RedirectUri = request.RedirectUri;

    // UI hints.
    DisplayMode = request.DisplayMode;
    UiLocales = request.UiLocales;
    LoginHint = request.LoginHint;
    PromptMode = request.PromptMode;

    // idp / tenant are the well-known acr_values hints; the rest are kept as a list.
    IdP = request.GetIdP();
    Tenant = request.GetTenant();
    AcrValues = request.GetAcrValues();

    ScopesRequested = request.RequestedScopes;

    // The raw authorize parameters travel along unchanged.
    Parameters = request.Raw;
}
/// <summary>
/// Initializes a new instance of the <see cref="AuthorizationRequest"/> class
/// by copying the values of an already-validated authorize request.
/// </summary>
/// <param name="request">The validated authorize request to copy from.</param>
internal AuthorizationRequest(ValidatedAuthorizeRequest request)
{
    // Caller and response target.
    Client = request.Client;
    RedirectUri = request.RedirectUri;

    // UI hints.
    DisplayMode = request.DisplayMode;
    UiLocales = request.UiLocales;
    LoginHint = request.LoginHint;
    PromptModes = request.PromptModes;

    // idp / tenant are the well-known acr_values hints; the rest are kept as a list.
    IdP = request.GetIdP();
    Tenant = request.GetTenant();
    AcrValues = request.GetAcrValues();

    // Resources already validated against the client, plus the raw parameters
    // and any values that arrived via a request object.
    ValidatedResources = request.ValidatedResources;
    Parameters = request.Raw;
    RequestObjectValues = request.RequestObjectValues;
}
/// <summary>
/// Maps a validated authorize request to the <see cref="AuthorizationRequest"/>
/// exposed to the interaction layer.
/// </summary>
/// <param name="request">The validated authorize request.</param>
/// <returns>A new <see cref="AuthorizationRequest"/> populated from <paramref name="request"/>.</returns>
internal static AuthorizationRequest ToAuthorizationRequest(this ValidatedAuthorizeRequest request)
{
    var result = new AuthorizationRequest();

    // Caller and response target.
    result.Client = request.Client;
    result.RedirectUri = request.RedirectUri;

    // UI hints.
    result.DisplayMode = request.DisplayMode;
    result.UiLocales = request.UiLocales;

    // idp / tenant are the well-known acr_values hints.
    result.IdP = request.GetIdP();
    result.Tenant = request.GetTenant();

    result.LoginHint = request.LoginHint;
    result.PromptModes = request.PromptModes;
    result.AcrValues = request.GetAcrValues();

    // The raw authorize parameters are appended to the existing Parameters collection.
    result.Parameters.Add(request.Raw);

    return result;
}
/// <summary>
/// Maps a validated authorize request to the <see cref="AuthorizationRequest"/>
/// exposed to the interaction layer.
/// </summary>
/// <param name="request">The validated authorize request.</param>
/// <returns>A new <see cref="AuthorizationRequest"/> populated from <paramref name="request"/>.</returns>
internal static AuthorizationRequest ToAuthorizationRequest(this ValidatedAuthorizeRequest request)
{
    var result = new AuthorizationRequest
    {
        Client = request.Client,
        RedirectUri = request.RedirectUri,
        DisplayMode = request.DisplayMode,
        UiLocales = request.UiLocales,
        // idp / tenant are the well-known acr_values hints.
        IdP = request.GetIdP(),
        Tenant = request.GetTenant(),
        LoginHint = request.LoginHint,
        PromptModes = request.PromptModes,
        AcrValues = request.GetAcrValues()
    };

    // NOTE(review): this writes the request's scopes into the Client object that
    // arrived with the validated request. If that object is the shared client
    // configuration (e.g. the instance returned by the client store) rather than a
    // per-request copy, configured state is being overwritten with per-request
    // data and concurrent requests for the same client would race on it — confirm
    // that the store hands out a copy before relying on this.
    result.Client.AllowedScopes = request.RequestedScopes;

    // The raw authorize parameters are appended to the existing Parameters collection.
    result.Parameters.Add(request.Raw);

    return result;
}
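/// <summary>
/// Maps a validated authorize request to the <see cref="AuthorizationRequest"/>
/// exposed to the interaction layer.
/// </summary>
/// <param name="request">The validated authorize request.</param>
/// <returns>A new <see cref="AuthorizationRequest"/> populated from <paramref name="request"/>.</returns>
/// <remarks>
/// The method name keeps its existing spelling: it is public and callers bind to it.
/// </remarks>
public static AuthorizationRequest ToAuthorizatonRequest(this ValidatedAuthorizeRequest request)
{
    var authRequest = new AuthorizationRequest
    {
        Client = request.Client,
        RedirectUri = request.RedirectUri,
        DisplayMode = request.DisplayMode,
        UiLocales = request.UiLocales,
        // idp / tenant are the well-known acr_values hints.
        IdP = request.GetIdP(),
        Tenant = request.GetTenant(),
        LoginHint = request.LoginHint,
        PromptModes = request.PromptModes,
        AcrValues = request.GetAcrValues(),
        ValidatedResources = request.ValidatedResources
    };

    // The raw authorize parameters are appended to the existing Parameters collection.
    authRequest.Parameters.Add(request.Raw);

    // Copy the request-object values pair by pair. The previous
    // Keys.ToList().ForEach(...) form materialised the key list and then looked
    // each value up a second time through the indexer; enumerating the pairs does
    // the same work in one pass. Add still throws on a duplicate key, as before.
    foreach (var entry in request.RequestObjectValues)
    {
        authRequest.RequestObjectValues.Add(entry.Key, entry.Value);
    }

    return authRequest;
}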
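/// <summary>
/// Maps a validated authorize request to the <see cref="AuthorizationRequest"/>
/// exposed to the interaction layer.
/// </summary>
/// <param name="request">The validated authorize request.</param>
/// <returns>
/// A new <see cref="AuthorizationRequest"/> carrying a minimal <see cref="Client"/>
/// (client id only), the UI and acr hints, and the raw authorize parameters.
/// </returns>
internal static AuthorizationRequest ToAuthorizationRequest(this ValidatedAuthorizeRequest request)
{
    // Commented-out alternatives that used to live here (a ClientId/ScopesRequested
    // shaped initializer and a disabled [DebuggerStepThrough]) were removed; the
    // active mapping below is the only one that ever ran.
    var authRequest = new AuthorizationRequest
    {
        // Only the client id is exposed on the Client handed to the UI.
        Client = new Client() { ClientId = request.ClientId },
        RedirectUri = request.RedirectUri,
        DisplayMode = request.DisplayMode,
        UiLocales = request.UiLocales,
        // idp / tenant are the well-known acr_values hints.
        IdP = request.GetIdP(),
        Tenant = request.GetTenant(),
        LoginHint = request.LoginHint,
        PromptModes = request.PromptModes,
        AcrValues = request.GetAcrValues(),
    };

    // The raw authorize parameters are appended to the existing Parameters collection.
    authRequest.Parameters.Add(request.Raw);

    return authRequest;
}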
/// <summary>
/// Processes the login logic: decides whether the authorize request can proceed
/// with the current subject or whether the user has to be sent to the login page.
/// </summary>
/// <param name="request">The validated authorize request, including the current subject and client.</param>
/// <returns>
/// An <see cref="InteractionResponse"/> with <c>IsLogin</c> set to <c>true</c> when a
/// (re-)login is required; otherwise an empty <see cref="InteractionResponse"/>.
/// </returns>
protected internal virtual async Task <InteractionResponse> ProcessLoginAsync(ValidatedAuthorizeRequest request)
{
    using var activity = Tracing.BasicActivitySource.StartActivity("AuthorizeInteractionResponseGenerator.ProcessLogin");

    // prompt=login / prompt=select_account always force the login page, regardless
    // of the current session state.
    if (request.PromptModes.Contains(OidcConstants.PromptModes.Login) ||
        request.PromptModes.Contains(OidcConstants.PromptModes.SelectAccount))
    {
        Logger.LogInformation("Showing login: request contains prompt={0}", request.PromptModes.ToSpaceSeparatedString());

        // remove prompt so when we redirect back in from login page
        // we won't think we need to force a prompt again
        request.RemovePrompt();
        return(new InteractionResponse { IsLogin = true });
    }

    // unauthenticated user
    var isAuthenticated = request.Subject.IsAuthenticated();

    // user de-activated
    // The profile service is only consulted for an authenticated subject; an
    // anonymous subject is treated as not active without the extra call.
    bool isActive = false;
    if (isAuthenticated)
    {
        var isActiveCtx = new IsActiveContext(request.Subject, request.Client, IdentityServerConstants.ProfileIsActiveCallers.AuthorizeEndpoint);
        await Profile.IsActiveAsync(isActiveCtx);
        isActive = isActiveCtx.IsActive;
    }

    if (!isAuthenticated || !isActive)
    {
        if (!isAuthenticated)
        {
            Logger.LogInformation("Showing login: User is not authenticated");
        }
        else if (!isActive)
        {
            Logger.LogInformation("Showing login: User is not active");
        }
        return(new InteractionResponse { IsLogin = true });
    }

    // check if tenant hint matches current tenant
    // Only enforced when the option is on; a mismatch between the requested tenant
    // hint and the subject's tenant forces a fresh login.
    if (Options.ValidateTenantOnAuthorization)
    {
        var tenant = request.GetTenant();
        if (tenant.IsPresent())
        {
            var currentTenant = request.Subject.GetTenant();
            if (tenant != currentTenant)
            {
                Logger.LogInformation("Showing login: Current tenant ({currentTenant}) is not the requested tenant ({tenant})", currentTenant, tenant);
                return(new InteractionResponse { IsLogin = true });
            }
        }
    }

    // check current idp
    var currentIdp = request.Subject.GetIdentityProvider();

    // check if idp login hint matches current provider
    var idp = request.GetIdP();
    if (idp.IsPresent())
    {
        if (idp != currentIdp)
        {
            Logger.LogInformation("Showing login: Current IdP ({currentIdp}) is not the requested IdP ({idp})", currentIdp, idp);
            return(new InteractionResponse { IsLogin = true });
        }
    }

    // check authentication freshness
    // max_age is in seconds and is measured from the subject's authentication time
    // against the injected clock, not the wall clock.
    if (request.MaxAge.HasValue)
    {
        var authTime = request.Subject.GetAuthenticationTime();
        if (Clock.UtcNow.UtcDateTime > authTime.AddSeconds(request.MaxAge.Value))
        {
            Logger.LogInformation("Showing login: Requested MaxAge exceeded.");
            return(new InteractionResponse { IsLogin = true });
        }
    }

    // check local idp restrictions
    if (currentIdp == IdentityServerConstants.LocalIdentityProvider)
    {
        if (!request.Client.EnableLocalLogin)
        {
            Logger.LogInformation("Showing login: User logged in locally, but client does not allow local logins");
            return(new InteractionResponse { IsLogin = true });
        }
    }
    // check external idp restrictions if user not using local idp
    // An empty or null restriction list means "any external idp is fine".
    else if (request.Client.IdentityProviderRestrictions != null &&
             request.Client.IdentityProviderRestrictions.Any() &&
             !request.Client.IdentityProviderRestrictions.Contains(currentIdp))
    {
        Logger.LogInformation("Showing login: User is logged in with idp: {idp}, but idp not in client restriction list.", currentIdp);
        return(new InteractionResponse { IsLogin = true });
    }

    // check client's user SSO timeout
    // Compared in whole seconds since the Unix epoch; the lifetime is a per-client
    // cap on how old the authentication session may be.
    if (request.Client.UserSsoLifetime.HasValue)
    {
        var authTimeEpoch = request.Subject.GetAuthenticationTimeEpoch();
        var nowEpoch = Clock.UtcNow.ToUnixTimeSeconds();

        var diff = nowEpoch - authTimeEpoch;
        if (diff > request.Client.UserSsoLifetime.Value)
        {
            Logger.LogInformation("Showing login: User's auth session duration: {sessionDuration} exceeds client's user SSO lifetime: {userSsoLifetime}.", diff, request.Client.UserSsoLifetime);
            return(new InteractionResponse { IsLogin = true });
        }
    }

    // Every check passed: the current session satisfies the request.
    return(new InteractionResponse());
}