public void OidcMaxAge()
{
    // A MaxAge supplied through the object initializer must read back unchanged.
    var expected = TimeSpan.FromSeconds(200);
    var challenge = new OpenIdConnectChallengeProperties
    {
        MaxAge = expected
    };

    Assert.Equal(expected, challenge.MaxAge);
}
public void OidcPrompt_NullValue()
{
    // A value written straight into the Parameters bag is surfaced by Prompt ...
    var challenge = new OpenIdConnectChallengeProperties();
    challenge.Parameters["prompt"] = "consent";
    Assert.Equal("consent", challenge.Prompt);

    // ... and assigning null through the property clears it again.
    challenge.Prompt = null;
    Assert.Null(challenge.Prompt);
}
public void OidcPrompt()
{
    // Prompt set via the property is visible both on the property and in the Parameters bag.
    const string prompt = "login";
    var challenge = new OpenIdConnectChallengeProperties
    {
        Prompt = prompt
    };

    Assert.Equal(prompt, challenge.Prompt);
    Assert.Equal(prompt, challenge.Parameters["prompt"]);
}
public void OidcMaxAge_NullValue()
{
    // A TimeSpan placed directly into the Parameters bag is surfaced by MaxAge ...
    var challenge = new OpenIdConnectChallengeProperties();
    var stored = TimeSpan.FromSeconds(500);
    challenge.Parameters["max_age"] = stored;
    Assert.Equal(stored, challenge.MaxAge);

    // ... and assigning null through the property clears it again.
    challenge.MaxAge = null;
    Assert.Null(challenge.MaxAge);
}
public async Task Challenge_HasOverwrittenMaxAgeParam()
{
    // Handler-level MaxAge of 500s ...
    var settings = new TestSettings(options =>
    {
        options.ClientId = "Test Id";
        options.Authority = TestServerBuilder.DefaultAuthority;
        options.MaxAge = TimeSpan.FromSeconds(500);
    });

    // ... is expected to be overridden by the per-challenge MaxAge of 1234s.
    var challenge = new OpenIdConnectChallengeProperties
    {
        MaxAge = TimeSpan.FromSeconds(1234),
    };

    var server = settings.CreateTestServer(challenge);
    var transaction = await server.SendAsync(TestServerBuilder.TestHost + TestServerBuilder.ChallengeWithProperties);
    var response = transaction.Response;

    Assert.Equal(HttpStatusCode.Redirect, response.StatusCode);
    settings.ValidateChallengeRedirect(response.Headers.Location);
    Assert.Contains("max_age=1234", response.Headers.Location.Query);
}
public async Task Challenge_HasOverwrittenScopeParam()
{
    // Handler-level scopes "foo bar" ...
    var settings = new TestSettings(options =>
    {
        options.ClientId = "Test Id";
        options.Authority = TestServerBuilder.DefaultAuthority;
        options.Scope.Clear();
        options.Scope.Add("foo");
        options.Scope.Add("bar");
    });

    // ... are expected to be replaced by the per-challenge scopes "baz qux".
    var challenge = new OpenIdConnectChallengeProperties();
    challenge.SetScope("baz", "qux");

    var server = settings.CreateTestServer(challenge);
    var transaction = await server.SendAsync(TestServerBuilder.TestHost + TestServerBuilder.ChallengeWithProperties);
    var response = transaction.Response;

    Assert.Equal(HttpStatusCode.Redirect, response.StatusCode);
    settings.ValidateChallengeRedirect(response.Headers.Location);
    Assert.Contains("scope=baz%20qux", response.Headers.Location.Query);
}
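/// <summary>
/// Handles the login form post. Processes the "cancel" button, validates the submitted
/// credentials against the in-memory user store, issues the local authentication cookie
/// and returns the user to the pending authorization request or to a local return URL.
/// </summary>
/// <param name="model">The posted form: username, password, remember-me flag and return URL.</param>
/// <param name="button">Name of the button that was clicked; anything other than "login" is treated as cancel.</param>
/// <returns>
/// A redirect to the return URL, the "Redirect" view for PKCE (assumed native) clients,
/// or the login view re-rendered with validation errors.
/// </returns>
/// <exception cref="InvalidOperationException">
/// Credentials were valid but <paramref name="model"/>.ReturnUrl belongs to no authorization
/// request and is not a local URL; it is never followed (open-redirect guard).
/// </exception>
public async Task<IActionResult> Login(LoginInputModel model, string button)
{
    // check if we are in the context of an authorization request
    var context = await _interaction.GetAuthorizationContextAsync(model.ReturnUrl);

    // the user clicked the "cancel" button (anything other than "login").
    // ordinal comparison: this is a fixed form value, not user-visible text.
    if (!string.Equals(button, "login", StringComparison.Ordinal))
    {
        if (context != null)
        {
            // if the user cancels, send a result back into IdentityServer as if they
            // denied the consent (even if this client does not require consent).
            // this will send back an access denied OIDC error response to the client.
            await _interaction.GrantConsentAsync(context, ConsentResponse.Denied);

            // we can trust model.ReturnUrl since GetAuthorizationContextAsync returned non-null
            if (await _clientStore.IsPkceClientAsync(context.ClientId))
            {
                // if the client is PKCE then we assume it's native, so this change in how to
                // return the response is for better UX for the end user.
                return View("Redirect", new RedirectViewModel { RedirectUrl = model.ReturnUrl });
            }

            return Redirect(model.ReturnUrl);
        }

        // since we don't have a valid context, then we just go back to the home page
        return Redirect("~/");
    }

    if (ModelState.IsValid)
    {
        // validate username/password against in-memory store
        if (_users.ValidateCredentials(model.Username, model.Password))
        {
            var user = _users.FindByUsername(model.Username);
            await _events.RaiseAsync(new UserLoginSuccessEvent(user.Username, user.SubjectId, user.Username));

            // only set explicit expiration here if user chooses "remember me".
            // otherwise we rely upon expiration configured in cookie middleware.
            // this is the local sign-in cookie, so plain AuthenticationProperties are used;
            // OpenIdConnectChallengeProperties describe an outbound OIDC challenge, not a cookie.
            var props = new AuthenticationProperties();
            if (AccountOptions.AllowRememberLogin && model.RememberLogin)
            {
                props = new AuthenticationProperties
                {
                    IsPersistent = true,
                    ExpiresUtc = DateTimeOffset.UtcNow.Add(AccountOptions.RememberMeLoginDuration)
                };
            }

            // issue authentication cookie with subject ID and username
            await HttpContext.SignInAsync(user.SubjectId, user.Username, props);

            if (context != null)
            {
                if (await _clientStore.IsPkceClientAsync(context.ClientId))
                {
                    // if the client is PKCE then we assume it's native, so this change in how to
                    // return the response is for better UX for the end user.
                    return View("Redirect", new RedirectViewModel { RedirectUrl = model.ReturnUrl });
                }

                // we can trust model.ReturnUrl since GetAuthorizationContextAsync returned non-null
                return Redirect(model.ReturnUrl);
            }

            // request for a local page
            if (Url.IsLocalUrl(model.ReturnUrl))
            {
                return Redirect(model.ReturnUrl);
            }

            if (string.IsNullOrEmpty(model.ReturnUrl))
            {
                return Redirect("~/");
            }

            // user might have clicked on a malicious link - should be logged.
            // an absolute/external URL that is not tied to an authorization request is never followed.
            throw new InvalidOperationException("invalid return URL");
        }

        await _events.RaiseAsync(new UserLoginFailureEvent(model.Username, "invalid credentials"));
        ModelState.AddModelError("", AccountOptions.InvalidCredentialsErrorMessage);
    }

    // something went wrong, show form with error
    var vm = await BuildLoginViewModelAsync(model);
    return View(vm);
}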