public static OpenIddictBuilder UseNWebsec([NotNull] this OpenIddictBuilder builder)
{
if (builder == null)
{
throw new ArgumentNullException(nameof(builder));
}
return(builder.UseNWebsec(options => {
options.DefaultSources(directive => directive.Self())
.ImageSources(directive => directive.Self().CustomSources("*"))
.ScriptSources(directive => directive.Self().UnsafeInline())
.StyleSources(directive => directive.Self().UnsafeInline());
}));
}
/// <summary>
/// Sets the issuer address, which is used as the base address
/// for the endpoint URIs returned from the discovery endpoint.
/// </summary>
/// <param name="builder">The services builder used by OpenIddict to register new services.</param>
/// <param name="address">The issuer address.</param>
/// <returns>The <see cref="OpenIddictBuilder"/>.</returns>
public static OpenIddictBuilder SetIssuer(
[NotNull] this OpenIddictBuilder builder, [NotNull] Uri address)
{
if (builder == null)
{
throw new ArgumentNullException(nameof(builder));
}
if (address == null)
{
throw new ArgumentNullException(nameof(address));
}
return(builder.Configure(options => options.Issuer = address));
}
/// <summary>
/// Enables the userinfo endpoint.
/// </summary>
/// <param name="builder">The services builder used by OpenIddict to register new services.</param>
/// <param name="path">The relative path of the userinfo endpoint.</param>
/// <returns>The <see cref="OpenIddictBuilder"/>.</returns>
public static OpenIddictBuilder EnableUserinfoEndpoint(
[NotNull] this OpenIddictBuilder builder, PathString path)
{
if (builder == null)
{
throw new ArgumentNullException(nameof(builder));
}
if (!path.HasValue)
{
throw new ArgumentException("The path cannot be empty.", nameof(path));
}
return(builder.Configure(options => options.UserinfoEndpointPath = path));
}
/// <summary>
/// Enables custom grant type support.
/// </summary>
/// <param name="builder">The services builder used by OpenIddict to register new services.</param>
/// <param name="type">The grant type associated with the flow.</param>
/// <returns>The <see cref="OpenIddictBuilder"/>.</returns>
public static OpenIddictBuilder AllowCustomFlow(
[NotNull] this OpenIddictBuilder builder, [NotNull] string type)
{
if (builder == null)
{
throw new ArgumentNullException(nameof(builder));
}
if (string.IsNullOrEmpty(type))
{
throw new ArgumentException("The grant type cannot be null or empty.", nameof(type));
}
return(builder.Configure(options => options.GrantTypes.Add(type)));
}
/// <summary>
/// Registers a <see cref="SecurityKey"/> used to sign the JWT tokens issued by OpenIddict.
/// Note: using <see cref="RsaSecurityKey"/> asymmetric keys is recommended on production.
/// </summary>
/// <param name="builder">The services builder used by OpenIddict to register new services.</param>
/// <param name="key">The security key.</param>
/// <returns>The <see cref="OpenIddictBuilder"/>.</returns>
public static OpenIddictBuilder AddSigningKey(
[NotNull] this OpenIddictBuilder builder, [NotNull] SecurityKey key)
{
if (builder == null)
{
throw new ArgumentNullException(nameof(builder));
}
if (key == null)
{
throw new ArgumentNullException(nameof(key));
}
return(builder.Configure(options => options.SigningCredentials.AddKey(key)));
}
/// <summary>
/// Registers a <see cref="X509Certificate2"/> retrieved from the X.509
/// machine store and used to sign the JWT tokens issued by OpenIddict.
/// </summary>
/// <param name="builder">The services builder used by OpenIddict to register new services.</param>
/// <param name="thumbprint">The thumbprint of the certificate used to identify it in the X.509 store.</param>
/// <returns>The <see cref="OpenIddictBuilder"/>.</returns>
public static OpenIddictBuilder AddSigningCertificate(
[NotNull] this OpenIddictBuilder builder, [NotNull] string thumbprint)
{
if (builder == null)
{
throw new ArgumentNullException(nameof(builder));
}
if (string.IsNullOrEmpty(thumbprint))
{
throw new ArgumentNullException(nameof(thumbprint));
}
return(builder.Configure(options => options.SigningCredentials.AddCertificate(thumbprint)));
}
/// <summary>
/// Registers a new ephemeral key used to sign the JWT tokens issued by OpenIddict: the key
/// is discarded when the application shuts down and tokens signed using this key are
/// automatically invalidated. This method should only be used during development.
/// On production, using a X.509 certificate stored in the machine store is recommended.
/// </summary>
/// <param name="builder">The services builder used by OpenIddict to register new services.</param>
/// <param name="algorithm">The algorithm associated with the signing key.</param>
/// <returns>The <see cref="OpenIddictBuilder"/>.</returns>
public static OpenIddictBuilder AddEphemeralSigningKey(
[NotNull] this OpenIddictBuilder builder, [NotNull] string algorithm)
{
if (builder == null)
{
throw new ArgumentNullException(nameof(builder));
}
if (string.IsNullOrEmpty(algorithm))
{
throw new ArgumentException("The algorithm cannot be null or empty.", nameof(algorithm));
}
return(builder.Configure(options => options.SigningCredentials.AddEphemeralKey(algorithm)));
}
/// <summary>
/// Registers (and generates if necessary) a user-specific development
/// certificate used to sign the JWT tokens issued by OpenIddict.
/// </summary>
/// <param name="builder">The services builder used by OpenIddict to register new services.</param>
/// <param name="subject">The subject name associated with the certificate.</param>
/// <returns>The <see cref="OpenIddictBuilder"/>.</returns>
public static OpenIddictBuilder AddDevelopmentSigningCertificate(
[NotNull] this OpenIddictBuilder builder, [NotNull] X500DistinguishedName subject)
{
if (builder == null)
{
throw new ArgumentNullException(nameof(builder));
}
if (subject == null)
{
throw new ArgumentNullException(nameof(subject));
}
return(builder.Configure(options => options.SigningCredentials.AddDevelopmentCertificate(subject)));
}
/// <summary>
/// Configures OpenIddict to use a specific data protection provider
/// instead of relying on the default instance provided by the DI container.
/// </summary>
/// <param name="builder">The services builder used by OpenIddict to register new services.</param>
/// <param name="provider">The data protection provider used to create token protectors.</param>
/// <returns>The <see cref="OpenIddictBuilder"/>.</returns>
public static OpenIddictBuilder UseDataProtectionProvider(
[NotNull] this OpenIddictBuilder builder, [NotNull] IDataProtectionProvider provider)
{
if (builder == null)
{
throw new ArgumentNullException(nameof(builder));
}
if (provider == null)
{
throw new ArgumentNullException(nameof(provider));
}
return(builder.Configure(options => options.DataProtectionProvider = provider));
}
/// <summary>
/// Sets JWT as the default token format for access tokens.
/// </summary>
/// <param name="builder">The services builder used by OpenIddict to register new services.</param>
/// <returns>The <see cref="OpenIddictBuilder"/>.</returns>
public static OpenIddictBuilder UseJsonWebTokens([NotNull] this OpenIddictBuilder builder)
{
if (builder == null)
{
throw new ArgumentNullException(nameof(builder));
}
return(builder.Configure(options =>
{
options.AccessTokenHandler = new JwtSecurityTokenHandler
{
InboundClaimTypeMap = new Dictionary <string, string>(),
OutboundClaimTypeMap = new Dictionary <string, string>()
};
}));
}
/// <summary>
/// Amends the default OpenIddict configuration.
/// </summary>
/// <param name="builder">The services builder used by OpenIddict to register new services.</param>
/// <param name="configuration">The delegate used to configure the OpenIddict options.</param>
/// <remarks>This extension can be safely called multiple times.</remarks>
/// <returns>The <see cref="OpenIddictBuilder"/>.</returns>
public static OpenIddictBuilder Configure(
[NotNull] this OpenIddictBuilder builder,
[NotNull] Action <OpenIddictOptions> configuration)
{
if (builder == null)
{
throw new ArgumentNullException(nameof(builder));
}
if (configuration == null)
{
throw new ArgumentNullException(nameof(configuration));
}
builder.Services.Configure(configuration);
return(builder);
}
public static OpenIddictBuilder UseCors(
[NotNull] this OpenIddictBuilder builder,
[NotNull] Action <CorsPolicyBuilder> configuration)
{
if (builder == null)
{
throw new ArgumentNullException(nameof(builder));
}
if (configuration == null)
{
throw new ArgumentNullException(nameof(configuration));
}
builder.AddModule("CORS", -10, map => map.UseCors(configuration));
return(builder);
}
public static IApplicationBuilder UseOpenIddictCore(
[NotNull] this IApplicationBuilder app,
[NotNull] Action <OpenIddictBuilder> configuration)
{
if (app == null)
{
throw new ArgumentNullException(nameof(app));
}
if (configuration == null)
{
throw new ArgumentNullException(nameof(configuration));
}
var builder = new OpenIddictBuilder();
// Resolve the OpenIddict provider from the services container.
builder.Options.Provider = app.ApplicationServices.GetRequiredService <IOpenIdConnectServerProvider>();
// By default, enable AllowInsecureHttp in development/testing environments.
var environment = app.ApplicationServices.GetRequiredService <IHostingEnvironment>();
builder.Options.AllowInsecureHttp = environment.IsDevelopment() || environment.IsEnvironment("Testing");
// Run the configuration delegate
// provided by the application.
configuration.Invoke(builder);
// Add OpenIdConnectServerMiddleware to the ASP.NET Core pipeline.
builder.AddModule("ASOS", 0, map => map.UseOpenIdConnectServer(builder.Options));
// Register the OpenIddict modules in the ASP.NET Core pipeline.
foreach (var module in builder.Modules.OrderBy(module => module.Position))
{
if (module.Registration == null)
{
throw new InvalidOperationException("The registration delegate cannot be null.");
}
module.Registration(app);
}
return(app);
}
/// <summary>
/// Registers the OpenIddict core services in the DI container.
/// When using this method, custom stores must be manually registered.
/// </summary>
/// <typeparam name="TUser">The type of the User entity.</typeparam>
/// <typeparam name="TRole">The type of the Role entity.</typeparam>
/// <typeparam name="TApplication">The type of the Application entity.</typeparam>
/// <typeparam name="TAuthorization">The type of the Authorization entity.</typeparam>
/// <typeparam name="TScope">The type of the Scope entity.</typeparam>
/// <typeparam name="TToken">The type of the Token entity.</typeparam>
/// <param name="services">The services collection.</param>
/// <remarks>
/// Note: the core services include native support for the non-interactive flows
/// (resource owner password credentials, client credentials, refresh token).
/// To support interactive flows like authorization code or implicit/hybrid,
/// consider adding the MVC module or creating your own authorization controller.
/// </remarks>
/// <returns>The <see cref="OpenIddictBuilder"/>.</returns>
public static OpenIddictBuilder AddOpenIddict <TUser, TRole, TApplication, TAuthorization, TScope, TToken>(
[NotNull] this IServiceCollection services)
where TUser : class
where TRole : class
where TApplication : class
where TAuthorization : class
where TScope : class
where TToken : class
{
if (services == null)
{
throw new ArgumentNullException(nameof(services));
}
var builder = new OpenIddictBuilder(services)
{
ApplicationType = typeof(TApplication),
AuthorizationType = typeof(TAuthorization),
RoleType = typeof(TRole),
ScopeType = typeof(TScope),
TokenType = typeof(TToken),
UserType = typeof(TUser)
};
// Register the services required by the OpenID Connect server middleware.
builder.Services.AddAuthentication();
builder.Services.AddDistributedMemoryCache();
builder.Configure(options => {
// Register the OpenID Connect server provider in the OpenIddict options.
options.Provider = new OpenIddictProvider <TUser, TApplication, TAuthorization, TScope, TToken>();
});
// Register the OpenIddict core services in the DI container.
builder.Services.TryAddScoped <OpenIddictApplicationManager <TApplication> >();
builder.Services.TryAddScoped <OpenIddictAuthorizationManager <TAuthorization> >();
builder.Services.TryAddScoped <OpenIddictScopeManager <TScope> >();
builder.Services.TryAddScoped <OpenIddictTokenManager <TToken> >();
builder.Services.TryAddScoped <OpenIddictUserManager <TUser> >();
builder.Services.TryAddScoped <OpenIddictServices <TUser, TApplication, TAuthorization, TScope, TToken> >();
return(builder);
}
/// <summary>
/// Registers a <see cref="X509Certificate2"/> that is used to sign the JWT tokens issued by OpenIddict.
/// </summary>
/// <param name="builder">The services builder used by OpenIddict to register new services.</param>
/// <param name="certificate">The certificate used to sign the security tokens issued by the server.</param>
/// <returns>The <see cref="OpenIddictBuilder"/>.</returns>
public static OpenIddictBuilder AddSigningCertificate(
[NotNull] this OpenIddictBuilder builder,
[NotNull] X509Certificate2 certificate)
{
if (builder == null)
{
throw new ArgumentNullException(nameof(builder));
}
if (certificate == null)
{
throw new ArgumentNullException(nameof(certificate));
}
if (!certificate.HasPrivateKey)
{
throw new InvalidOperationException("The certificate doesn't contain the required private key.");
}
return(builder.Configure(options => options.SigningCredentials.AddCertificate(certificate)));
}
/// <summary>
/// Registers a <see cref="X509Certificate2"/> extracted from a
/// stream and used to sign the JWT tokens issued by OpenIddict.
/// </summary>
/// <param name="builder">The services builder used by OpenIddict to register new services.</param>
/// <param name="stream">The stream containing the certificate.</param>
/// <param name="password">The password used to open the certificate.</param>
/// <param name="flags">
/// An enumeration of flags indicating how and where
/// to store the private key of the certificate.
/// </param>
/// <returns>The <see cref="OpenIddictBuilder"/>.</returns>
public static OpenIddictBuilder AddSigningCertificate(
[NotNull] this OpenIddictBuilder builder, [NotNull] Stream stream,
[NotNull] string password, X509KeyStorageFlags flags)
{
if (builder == null)
{
throw new ArgumentNullException(nameof(builder));
}
if (stream == null)
{
throw new ArgumentNullException(nameof(stream));
}
if (string.IsNullOrEmpty(password))
{
throw new ArgumentNullException(nameof(password));
}
return(builder.Configure(options => options.SigningCredentials.AddCertificate(stream, password, flags)));
}
public static OpenIddictBuilder UseMvc([NotNull] this OpenIddictBuilder builder)
{
if (builder == null)
{
throw new ArgumentNullException(nameof(builder));
}
// Run MVC in an isolated environment.
return(builder.AddModule("MVC", 10, app => app.Isolate(map => map.UseMvc(routes => {
// Register the actions corresponding to the authorization endpoint.
if (builder.Options.AuthorizationEndpointPath.HasValue)
{
routes.MapRoute("{D97891B4}", builder.Options.AuthorizationEndpointPath.Value.Substring(1), new {
controller = "OpenIddict", action = nameof(OpenIddictController <object, object> .Authorize)
});
routes.MapRoute("{7148DB83}", builder.Options.AuthorizationEndpointPath.Value.Substring(1) + "/accept", new {
controller = "OpenIddict", action = nameof(OpenIddictController <object, object> .Accept)
});
routes.MapRoute("{23438BCC}", builder.Options.AuthorizationEndpointPath.Value.Substring(1) + "/deny", new {
controller = "OpenIddict", action = nameof(OpenIddictController <object, object> .Deny)
});
}
// Register the action corresponding to the logout endpoint.
if (builder.Options.LogoutEndpointPath.HasValue)
{
routes.MapRoute("{C7DB102A}", builder.Options.LogoutEndpointPath.Value.Substring(1), new {
controller = "OpenIddict", action = nameof(OpenIddictController <object, object> .Logout)
});
}
}), services => {
var configuration = app.ApplicationServices.GetRequiredService <OpenIddictConfiguration>();
services.AddMvc()
// Note: ConfigureApplicationPartManager() must be
// called before AddControllersAsServices().
.ConfigureApplicationPartManager(manager => {
manager.ApplicationParts.Clear();
manager.ApplicationParts.Add(new OpenIddictPart(configuration));
})
.AddControllersAsServices()
// Add an OpenIddict-specific convention to ensure that the generic
// OpenIddictController gets an appropriate controller name.
.AddMvcOptions(options => options.Conventions.Add(new OpenIddictConvention()))
.AddRazorOptions(options => {
// Update the Razor options to also use an embedded file provider that
// falls back to the current assembly when searching for views.
options.FileProviders.Add(new EmbeddedFileProvider(
assembly: typeof(OpenIddictController <,>).GetTypeInfo().Assembly,
baseNamespace: typeof(OpenIddictController <,>).Namespace));
});
// Register the user manager in the isolated container.
services.AddScoped(typeof(OpenIddictManager <,>).MakeGenericType(configuration.UserType, configuration.ApplicationType), provider => {
var accessor = provider.GetRequiredService <IHttpContextAccessor>();
var container = (IServiceProvider)accessor.HttpContext.Items[typeof(IServiceProvider)];
Debug.Assert(container != null);
// Resolve the user manager from the parent container.
return container.GetRequiredService(typeof(OpenIddictManager <,>).MakeGenericType(configuration.UserType, configuration.ApplicationType));
});
// Register the services context in the isolated container.
services.AddScoped(typeof(OpenIddictServices <,>).MakeGenericType(configuration.UserType, configuration.ApplicationType), provider => {
var accessor = provider.GetRequiredService <IHttpContextAccessor>();
var container = (IServiceProvider)accessor.HttpContext.Items[typeof(IServiceProvider)];
Debug.Assert(container != null);
// Resolve the services context from the parent container.
return container.GetRequiredService(typeof(OpenIddictServices <,>).MakeGenericType(configuration.UserType, configuration.ApplicationType));
});
// Register the sign-in manager in the isolated container.
services.AddScoped(typeof(SignInManager <>).MakeGenericType(configuration.UserType), provider => {
var accessor = provider.GetRequiredService <IHttpContextAccessor>();
var container = (IServiceProvider)accessor.HttpContext.Items[typeof(IServiceProvider)];
Debug.Assert(container != null);
// Resolve the sign-in manager from the parent container.
return container.GetRequiredService(typeof(SignInManager <>).MakeGenericType(configuration.UserType));
});
// Register the user manager in the isolated container.
services.AddScoped(typeof(UserManager <>).MakeGenericType(configuration.UserType), provider => {
var accessor = provider.GetRequiredService <IHttpContextAccessor>();
var container = (IServiceProvider)accessor.HttpContext.Items[typeof(IServiceProvider)];
Debug.Assert(container != null);
// Resolve the user manager from the parent container.
return container.GetRequiredService(typeof(UserManager <>).MakeGenericType(configuration.UserType));
});
// Register the compilation service in the isolated container.
services.AddScoped(provider => {
var accessor = provider.GetRequiredService <IHttpContextAccessor>();
var container = (IServiceProvider)accessor.HttpContext.Items[typeof(IServiceProvider)];
Debug.Assert(container != null);
// Resolve the compilation service from the parent container.
return container.GetRequiredService <ICompilationService>();
});
// Register the options in the isolated container.
services.AddSingleton(Options.Create(builder.Options));
})));
}
/// <summary>
/// Registers the Entity Framework stores.
/// </summary>
/// <param name="builder">The services builder used by OpenIddict to register new services.</param>
/// <returns>The <see cref="OpenIddictBuilder"/>.</returns>
public static OpenIddictBuilder AddEntityFramework <TContext, TKey>([NotNull] this OpenIddictBuilder builder)
where TContext : DbContext
where TKey : IEquatable <TKey>
{
if (builder == null)
{
throw new ArgumentNullException(nameof(builder));
}
Debug.Assert(builder.ApplicationType != null &&
builder.AuthorizationType != null &&
builder.RoleType != null &&
builder.ScopeType != null &&
builder.TokenType != null, "The entity types exposed by OpenIddictBuilder shouldn't be null.");
// Register the application store in the DI container.
builder.Services.TryAddScoped(
typeof(IOpenIddictApplicationStore <>).MakeGenericType(builder.ApplicationType),
typeof(OpenIddictApplicationStore <, , ,>).MakeGenericType(
/* TApplication: */ builder.ApplicationType,
/* TToken: */ builder.TokenType,
/* TContext: */ typeof(TContext),
/* TKey: */ typeof(TKey)));
// Register the authorization store in the DI container.
builder.Services.TryAddScoped(
typeof(IOpenIddictAuthorizationStore <>).MakeGenericType(builder.AuthorizationType),
typeof(OpenIddictAuthorizationStore <, , ,>).MakeGenericType(
/* TAuthorization: */ builder.AuthorizationType,
/* TToken: */ builder.TokenType,
/* TContext: */ typeof(TContext),
/* TKey: */ typeof(TKey)));
// Register the scope store in the DI container.
builder.Services.TryAddScoped(
typeof(IOpenIddictScopeStore <>).MakeGenericType(builder.ScopeType),
typeof(OpenIddictScopeStore <, ,>).MakeGenericType(
/* TScope: */ builder.ScopeType,
/* TContext: */ typeof(TContext),
/* TKey: */ typeof(TKey)));
// Register the token store in the DI container.
builder.Services.TryAddScoped(
typeof(IOpenIddictTokenStore <>).MakeGenericType(builder.TokenType),
typeof(OpenIddictTokenStore <, , , ,>).MakeGenericType(
/* TToken: */ builder.TokenType,
/* TAuthorization: */ builder.AuthorizationType,
/* TUser: */ builder.UserType,
/* TContext: */ typeof(TContext),
/* TKey: */ typeof(TKey)));
// Register the token store in the DI container.
builder.Services.TryAddScoped(
typeof(IOpenIddictUserStore <>).MakeGenericType(builder.UserType),
typeof(OpenIddictUserStore <, , , , , ,>).MakeGenericType(
/* TUser: */ builder.UserType,
/* TApplication: */ builder.ApplicationType,
/* TAuthorization: */ builder.AuthorizationType,
/* TRole: */ builder.RoleType,
/* TToken: */ builder.TokenType,
/* TContext: */ typeof(TContext),
/* TKey: */ typeof(TKey)));
return(builder);
}
/// <summary>
/// Registers the Entity Framework stores.
/// </summary>
/// <param name="builder">The services builder used by OpenIddict to register new services.</param>
/// <returns>The <see cref="OpenIddictBuilder"/>.</returns>
public static OpenIddictBuilder AddEntityFramework <TContext>([NotNull] this OpenIddictBuilder builder)
where TContext : DbContext
{
return(builder.AddEntityFramework <TContext, string>());
}