/// <summary>
/// Initializes a new instance of the <see cref="AuthorizationRequest"/> class.
/// </summary>
internal AuthorizationRequest(ValidatedAuthorizeRequest request)
{
ClientId = request.ClientId;
DisplayMode = request.DisplayMode;
UiLocales = request.UiLocales;
LoginHint = request.LoginHint;
IdP = request.GetIdP();
Tenant = request.GetTenant();
// process acr values
var acrValues = request.GetAcrValues();
if (acrValues.Any())
{
AcrValues = acrValues;
}
// scopes
if (request.RequestedScopes.Any())
{
ScopesRequested = request.RequestedScopes;
}
Parameters = request.Raw;
}
public async Task <IEndpointResult> CreateLoginResultAsync(ValidatedAuthorizeRequest request)
{
var signin = new SignInRequest();
// let the login page know the client requesting authorization
signin.ClientId = request.ClientId;
// pass through display mode to signin service
if (request.DisplayMode.IsPresent())
{
signin.DisplayMode = request.DisplayMode;
}
// pass through ui locales to signin service
if (request.UiLocales.IsPresent())
{
signin.UiLocales = request.UiLocales;
}
// pass through login_hint
if (request.LoginHint.IsPresent())
{
signin.LoginHint = request.LoginHint;
}
// look for well-known acr value -- idp
var idp = request.GetIdP();
if (idp.IsPresent())
{
signin.IdP = idp;
}
// look for well-known acr value -- tenant
var tenant = request.GetTenant();
if (tenant.IsPresent())
{
signin.Tenant = tenant;
}
// process acr values
var acrValues = request.GetAcrValues();
if (acrValues.Any())
{
signin.AcrValues = acrValues;
}
var message = new Message <SignInRequest>(signin)
{
ResponseUrl = _context.GetIdentityServerBaseUrl().EnsureTrailingSlash() + Constants.RoutePaths.Oidc.AuthorizeAfterLogin,
AuthorizeRequestParameters = request.Raw.ToDictionary()
};
await _signInRequestStore.WriteAsync(message);
return(new LoginPageResult(message.Id));
}
/// <summary>
/// Initializes a new instance of the <see cref="AuthorizationRequest"/> class.
/// </summary>
internal AuthorizationRequest(ValidatedAuthorizeRequest request)
{
// let the login page know the client requesting authorization
ClientId = request.ClientId;
// pass through display mode to signin service
if (request.DisplayMode.IsPresent())
{
DisplayMode = request.DisplayMode;
}
// pass through ui locales to signin service
if (request.UiLocales.IsPresent())
{
UiLocales = request.UiLocales;
}
// pass through login_hint
if (request.LoginHint.IsPresent())
{
LoginHint = request.LoginHint;
}
// look for well-known acr value -- idp
var idp = request.GetIdP();
if (idp.IsPresent())
{
IdP = idp;
}
// look for well-known acr value -- tenant
var tenant = request.GetTenant();
if (tenant.IsPresent())
{
Tenant = tenant;
}
// process acr values
var acrValues = request.GetAcrValues();
if (acrValues.Any())
{
AcrValues = acrValues;
}
// scopes
if (request.RequestedScopes.Any())
{
ScopesRequested = request.RequestedScopes;
}
Parameters = request.Raw;
}
/// <summary>
/// Initializes a new instance of the <see cref="AuthorizationRequest"/> class.
/// </summary>
internal AuthorizationRequest(ValidatedAuthorizeRequest request)
{
ClientId = request.ClientId;
RedirectUri = request.RedirectUri;
DisplayMode = request.DisplayMode;
UiLocales = request.UiLocales;
IdP = request.GetIdP();
Tenant = request.GetTenant();
LoginHint = request.LoginHint;
PromptMode = request.PromptMode;
AcrValues = request.GetAcrValues();
ScopesRequested = request.RequestedScopes;
Parameters = request.Raw;
}
/// <summary>
/// Initializes a new instance of the <see cref="AuthorizationRequest"/> class.
/// </summary>
internal AuthorizationRequest(ValidatedAuthorizeRequest request)
{
Client = request.Client;
RedirectUri = request.RedirectUri;
DisplayMode = request.DisplayMode;
UiLocales = request.UiLocales;
IdP = request.GetIdP();
Tenant = request.GetTenant();
LoginHint = request.LoginHint;
PromptModes = request.PromptModes;
AcrValues = request.GetAcrValues();
ValidatedResources = request.ValidatedResources;
Parameters = request.Raw;
RequestObjectValues = request.RequestObjectValues;
}
internal static AuthorizationRequest ToAuthorizationRequest(this ValidatedAuthorizeRequest request)
{
var authRequest = new AuthorizationRequest
{
Client = request.Client,
RedirectUri = request.RedirectUri,
DisplayMode = request.DisplayMode,
UiLocales = request.UiLocales,
IdP = request.GetIdP(),
Tenant = request.GetTenant(),
LoginHint = request.LoginHint,
PromptModes = request.PromptModes,
AcrValues = request.GetAcrValues()
};
authRequest.Parameters.Add(request.Raw);
return(authRequest);
}
internal static AuthorizationRequest ToAuthorizationRequest(this ValidatedAuthorizeRequest request)
{
var authRequest = new AuthorizationRequest();
authRequest.Client = request.Client;
authRequest.RedirectUri = request.RedirectUri;
authRequest.DisplayMode = request.DisplayMode;
authRequest.UiLocales = request.UiLocales;
authRequest.IdP = request.GetIdP();
authRequest.Tenant = request.GetTenant();
authRequest.LoginHint = request.LoginHint;
authRequest.PromptModes = request.PromptModes;
authRequest.AcrValues = request.GetAcrValues();
authRequest.Client.AllowedScopes = request.RequestedScopes;
authRequest.Parameters.Add(request.Raw);
return(authRequest);
}
public static AuthorizationRequest ToAuthorizatonRequest(this ValidatedAuthorizeRequest request)
{
var authRequest = new AuthorizationRequest
{
Client = request.Client,
RedirectUri = request.RedirectUri,
DisplayMode = request.DisplayMode,
UiLocales = request.UiLocales,
IdP = request.GetIdP(),
Tenant = request.GetTenant(),
LoginHint = request.LoginHint,
PromptModes = request.PromptModes,
AcrValues = request.GetAcrValues(),
ValidatedResources = request.ValidatedResources
};
authRequest.Parameters.Add(request.Raw);
request.RequestObjectValues.Keys.ToList().ForEach(key => authRequest.RequestObjectValues.Add(key, request.RequestObjectValues[key]));
return(authRequest);
}
//[DebuggerStepThrough]
internal static AuthorizationRequest ToAuthorizationRequest(this ValidatedAuthorizeRequest request)
{
var authRequest = new AuthorizationRequest
{
Client = new Client()
{
ClientId = request.ClientId /*, AllowedScopes = request.RequestedScopes*/
},
//ClientId = request.ClientId,
RedirectUri = request.RedirectUri,
DisplayMode = request.DisplayMode,
UiLocales = request.UiLocales,
IdP = request.GetIdP(),
Tenant = request.GetTenant(),
LoginHint = request.LoginHint,
PromptModes = request.PromptModes,
//PromptMode = request.PromptMode,
AcrValues = request.GetAcrValues(),
//ScopesRequested = request.RequestedScopes,
};
//var authRequest = new AuthorizationRequest
//{
// ClientId = request.ClientId,
// RedirectUri = request.RedirectUri,
// DisplayMode = request.DisplayMode,
// UiLocales = request.UiLocales,
// IdP = request.GetIdP(),
// Tenant = request.GetTenant(),
// LoginHint = request.LoginHint,
// PromptMode = request.PromptMode,
// AcrValues = request.GetAcrValues(),
// ScopesRequested = request.RequestedScopes,
//};
authRequest.Parameters.Add(request.Raw);
return(authRequest);
}
/// <summary>
/// Processes the login logic.
/// </summary>
/// <param name="request">The request.</param>
/// <returns></returns>
protected internal virtual async Task <InteractionResponse> ProcessLoginAsync(ValidatedAuthorizeRequest request)
{
if (request.PromptModes.Contains(OidcConstants.PromptModes.Login) ||
request.PromptModes.Contains(OidcConstants.PromptModes.SelectAccount))
{
Logger.LogInformation("Showing login: request contains prompt={0}", request.PromptModes.ToSpaceSeparatedString());
// remove prompt so when we redirect back in from login page
// we won't think we need to force a prompt again
request.RemovePrompt();
return(new InteractionResponse {
IsLogin = true
});
}
// unauthenticated user
var isAuthenticated = request.Subject.IsAuthenticated();
// user de-activated
bool isActive = false;
if (isAuthenticated)
{
var isActiveCtx = new IsActiveContext(request.Subject, request.Client, IdentityServerConstants.ProfileIsActiveCallers.AuthorizeEndpoint);
await Profile.IsActiveAsync(isActiveCtx);
isActive = isActiveCtx.IsActive;
}
if ((!isAuthenticated || !isActive) && request.DisplayMode == "popup")
{
var redirect = new Uri(request.RedirectUri);
var closePopupUri = request.RedirectUri.Replace(redirect.PathAndQuery, "/popup.html#");
return(new InteractionResponse {
RedirectUrl = closePopupUri
});
}
if (!isAuthenticated || !isActive)
{
if (!isAuthenticated)
{
Logger.LogInformation("Showing login: User is not authenticated");
}
else if (!isActive)
{
Logger.LogInformation("Showing login: User is not active");
}
return(new InteractionResponse {
IsLogin = true
});
}
// check current idp
var currentIdp = request.Subject.GetIdentityProvider();
// check if idp login hint matches current provider
var idp = request.GetIdP();
if (idp.IsPresent())
{
if (idp != currentIdp)
{
Logger.LogInformation("Showing login: Current IdP ({currentIdp}) is not the requested IdP ({idp})", currentIdp, idp);
return(new InteractionResponse {
IsLogin = true
});
}
}
// check authentication freshness
if (request.MaxAge.HasValue)
{
var authTime = request.Subject.GetAuthenticationTime();
if (Clock.UtcNow > authTime.AddSeconds(request.MaxAge.Value))
{
Logger.LogInformation("Showing login: Requested MaxAge exceeded.");
return(new InteractionResponse {
IsLogin = true
});
}
}
// check local idp restrictions
if (currentIdp == IdentityServerConstants.LocalIdentityProvider)
{
if (!request.Client.EnableLocalLogin)
{
Logger.LogInformation("Showing login: User logged in locally, but client does not allow local logins");
return(new InteractionResponse {
IsLogin = true
});
}
}
// check external idp restrictions if user not using local idp
else if (request.Client.IdentityProviderRestrictions != null &&
request.Client.IdentityProviderRestrictions.Any() &&
!request.Client.IdentityProviderRestrictions.Contains(currentIdp))
{
Logger.LogInformation("Showing login: User is logged in with idp: {idp}, but idp not in client restriction list.", currentIdp);
return(new InteractionResponse {
IsLogin = true
});
}
// check client's user SSO timeout
if (request.Client.UserSsoLifetime.HasValue)
{
var authTimeEpoch = request.Subject.GetAuthenticationTimeEpoch();
var nowEpoch = Clock.UtcNow.ToUnixTimeSeconds();
var diff = nowEpoch - authTimeEpoch;
if (diff > request.Client.UserSsoLifetime.Value)
{
Logger.LogInformation("Showing login: User's auth session duration: {sessionDuration} exceeds client's user SSO lifetime: {userSsoLifetime}.", diff, request.Client.UserSsoLifetime);
return(new InteractionResponse {
IsLogin = true
});
}
}
return(new InteractionResponse());
}
/// <summary>
/// Processes the login logic.
/// </summary>
/// <param name="request">The request.</param>
/// <returns></returns>
protected internal virtual async Task <InteractionResponse> ProcessLoginAsync(ValidatedAuthorizeRequest request)
{
if (request.PromptMode == OidcConstants.PromptModes.Login ||
request.PromptMode == OidcConstants.PromptModes.SelectAccount)
{
// remove prompt so when we redirect back in from login page
// we won't think we need to force a prompt again
request.RemovePrompt();
Logger.LogInformation("Showing login: request contains prompt={0}", request.PromptMode);
return(new InteractionResponse {
IsLogin = true
});
}
// unauthenticated user
var isAuthenticated = request.Subject.IsAuthenticated();
// user de-activated
bool isActive = false;
if (isAuthenticated)
{
var isActiveCtx = new IsActiveContext(request.Subject, request.Client, IdentityServerConstants.ProfileIsActiveCallers.AuthorizeEndpoint);
await Profile.IsActiveAsync(isActiveCtx);
isActive = isActiveCtx.IsActive;
}
if (!isAuthenticated || !isActive)
{
// prompt=none means user must be signed in already
if (request.PromptMode == OidcConstants.PromptModes.None)
{
if (!isAuthenticated)
{
Logger.LogInformation("Showing error: prompt=none was requested but user is not authenticated");
}
else if (!isActive)
{
Logger.LogInformation("Showing error: prompt=none was requested but user is not active");
}
return(new InteractionResponse
{
Error = OidcConstants.AuthorizeErrors.LoginRequired
});
}
if (!isAuthenticated)
{
Logger.LogInformation("Showing login: User is not authenticated");
}
else if (!isActive)
{
Logger.LogInformation("Showing login: User is not active");
}
return(new InteractionResponse {
IsLogin = true
});
}
// check current idp
var currentIdp = request.Subject.GetIdentityProvider();
// check if idp login hint matches current provider
var idp = request.GetIdP();
if (idp.IsPresent())
{
if (idp != currentIdp)
{
Logger.LogInformation("Showing login: Current IdP ({idp}) is not the requested IdP ({idp})", currentIdp, idp);
return(new InteractionResponse {
IsLogin = true
});
}
}
// check authentication freshness
if (request.MaxAge.HasValue)
{
var authTime = request.Subject.GetAuthenticationTime();
if (Clock.UtcNow > authTime.AddSeconds(request.MaxAge.Value))
{
Logger.LogInformation("Showing login: Requested MaxAge exceeded.");
return(new InteractionResponse {
IsLogin = true
});
}
}
// check local idp restrictions
if (currentIdp == IdentityServerConstants.LocalIdentityProvider && !request.Client.EnableLocalLogin)
{
Logger.LogInformation("Showing login: User logged in locally, but client does not allow local logins");
return(new InteractionResponse {
IsLogin = true
});
}
// check external idp restrictions
if (request.Client.IdentityProviderRestrictions != null && request.Client.IdentityProviderRestrictions.Any())
{
if (!request.Client.IdentityProviderRestrictions.Contains(currentIdp))
{
Logger.LogInformation("Showing login: User is logged in with idp: {idp}, but idp not in client restriction list.", currentIdp);
return(new InteractionResponse {
IsLogin = true
});
}
}
return(new InteractionResponse());
}
internal async Task <InteractionResponse> ProcessLoginAsync(ValidatedAuthorizeRequest request)
{
if (request.PromptMode == OidcConstants.PromptModes.Login)
{
// remove prompt so when we redirect back in from login page
// we won't think we need to force a prompt again
request.Raw.Remove(OidcConstants.AuthorizeRequest.Prompt);
_logger.LogInformation("Redirecting to login page because of prompt=login");
return(new InteractionResponse()
{
IsLogin = true
});
}
// unauthenticated user
var isAuthenticated = request.Subject.Identity.IsAuthenticated;
// user de-activated
bool isActive = false;
if (isAuthenticated)
{
var isActiveCtx = new IsActiveContext(request.Subject, request.Client);
await _profile.IsActiveAsync(isActiveCtx);
isActive = isActiveCtx.IsActive;
}
if (!isAuthenticated || !isActive)
{
if (!isAuthenticated)
{
_logger.LogInformation("User is not authenticated.");
}
else if (!isActive)
{
_logger.LogInformation("User is not active.");
}
// prompt=none means user must be signed in already
if (request.PromptMode == OidcConstants.PromptModes.None)
{
_logger.LogInformation("prompt=none was requested but user is not authenticated/active.");
return(new InteractionResponse
{
Error = new AuthorizeError
{
ErrorType = ErrorTypes.Client,
Error = OidcConstants.AuthorizeErrors.LoginRequired,
ResponseMode = request.ResponseMode,
ErrorUri = request.RedirectUri,
State = request.State
}
});
}
return(new InteractionResponse()
{
IsLogin = true
});
}
// check current idp
var currentIdp = request.Subject.GetIdentityProvider();
// check if idp login hint matches current provider
var idp = request.GetIdP();
if (idp.IsPresent())
{
if (idp != currentIdp)
{
_logger.LogInformation("Current IdP is not the requested IdP. Redirecting to login");
_logger.LogInformation("Current: {0} -- Requested: {1}", currentIdp, idp);
return(new InteractionResponse()
{
IsLogin = true
});
}
}
// check authentication freshness
if (request.MaxAge.HasValue)
{
var authTime = request.Subject.GetAuthenticationTime();
if (DateTimeOffsetHelper.UtcNow > authTime.AddSeconds(request.MaxAge.Value))
{
_logger.LogInformation("Requested MaxAge exceeded.");
return(new InteractionResponse()
{
IsLogin = true
});
}
}
// check idp restrictions
if (request.Client.IdentityProviderRestrictions != null && request.Client.IdentityProviderRestrictions.Any())
{
if (!request.Client.IdentityProviderRestrictions.Contains(currentIdp))
{
_logger.LogWarning("User is logged in with idp: {0}, but idp not in client restriction list.", currentIdp);
return(new InteractionResponse()
{
IsLogin = true
});
}
}
// check if idp is local and local logins are not allowed
if (currentIdp == Constants.LocalIdentityProvider)
{
if (_options.AuthenticationOptions.EnableLocalLogin == false ||
request.Client.EnableLocalLogin == false)
{
_logger.LogWarning("User is logged in with local idp, but local logins not enabled.");
return(new InteractionResponse()
{
IsLogin = true
});
}
}
return(new InteractionResponse());
}
private async Task <AuthorizeRequestValidationResult> ValidateOptionalParametersAsync(ValidatedAuthorizeRequest request)
{
//////////////////////////////////////////////////////////
// check nonce
//////////////////////////////////////////////////////////
var nonce = request.Raw.Get(OidcConstants.AuthorizeRequest.Nonce);
if (nonce.IsPresent())
{
if (nonce.Length > _options.InputLengthRestrictions.Nonce)
{
LogError("Nonce too long", request);
return(Invalid(request, description: "Invalid nonce"));
}
request.Nonce = nonce;
}
else
{
if (request.ResponseType.FromSpaceSeparatedString().Contains(TokenTypes.IdentityToken))
{
LogError("Nonce required for flow with id_token response type", request);
return(Invalid(request, description: "Invalid nonce"));
}
}
//////////////////////////////////////////////////////////
// check prompt
//////////////////////////////////////////////////////////
var prompt = request.Raw.Get(OidcConstants.AuthorizeRequest.Prompt);
if (prompt.IsPresent())
{
var prompts = prompt.Split(' ', StringSplitOptions.RemoveEmptyEntries);
if (prompts.All(p => Constants.SupportedPromptModes.Contains(p)))
{
if (prompts.Contains(OidcConstants.PromptModes.None) && prompts.Length > 1)
{
LogError("prompt contains 'none' and other values. 'none' should be used by itself.", request);
return(Invalid(request, description: "Invalid prompt"));
}
request.OriginalPromptModes = prompts;
}
else
{
_logger.LogDebug("Unsupported prompt mode - ignored: " + prompt);
}
}
var suppressed_prompt = request.Raw.Get(Constants.SuppressedPrompt);
if (suppressed_prompt.IsPresent())
{
var prompts = suppressed_prompt.Split(' ', StringSplitOptions.RemoveEmptyEntries);
if (prompts.All(p => Constants.SupportedPromptModes.Contains(p)))
{
if (prompts.Contains(OidcConstants.PromptModes.None) && prompts.Length > 1)
{
LogError("suppressed_prompt contains 'none' and other values. 'none' should be used by itself.", request);
return(Invalid(request, description: "Invalid prompt"));
}
request.SuppressedPromptModes = prompts;
}
else
{
_logger.LogDebug("Unsupported suppressed_prompt mode - ignored: " + prompt);
}
}
request.PromptModes = request.OriginalPromptModes.Except(request.SuppressedPromptModes).ToArray();
//////////////////////////////////////////////////////////
// check ui locales
//////////////////////////////////////////////////////////
var uilocales = request.Raw.Get(OidcConstants.AuthorizeRequest.UiLocales);
if (uilocales.IsPresent())
{
if (uilocales.Length > _options.InputLengthRestrictions.UiLocale)
{
LogError("UI locale too long", request);
return(Invalid(request, description: "Invalid ui_locales"));
}
request.UiLocales = uilocales;
}
//////////////////////////////////////////////////////////
// check display
//////////////////////////////////////////////////////////
var display = request.Raw.Get(OidcConstants.AuthorizeRequest.Display);
if (display.IsPresent())
{
if (Constants.SupportedDisplayModes.Contains(display))
{
request.DisplayMode = display;
}
_logger.LogDebug("Unsupported display mode - ignored: " + display);
}
//////////////////////////////////////////////////////////
// check max_age
//////////////////////////////////////////////////////////
var maxAge = request.Raw.Get(OidcConstants.AuthorizeRequest.MaxAge);
if (maxAge.IsPresent())
{
if (int.TryParse(maxAge, out var seconds))
{
if (seconds >= 0)
{
request.MaxAge = seconds;
}
else
{
LogError("Invalid max_age.", request);
return(Invalid(request, description: "Invalid max_age"));
}
}
else
{
LogError("Invalid max_age.", request);
return(Invalid(request, description: "Invalid max_age"));
}
}
//////////////////////////////////////////////////////////
// check login_hint
//////////////////////////////////////////////////////////
var loginHint = request.Raw.Get(OidcConstants.AuthorizeRequest.LoginHint);
if (loginHint.IsPresent())
{
if (loginHint.Length > _options.InputLengthRestrictions.LoginHint)
{
LogError("Login hint too long", request);
return(Invalid(request, description: "Invalid login_hint"));
}
request.LoginHint = loginHint;
}
//////////////////////////////////////////////////////////
// check acr_values
//////////////////////////////////////////////////////////
var acrValues = request.Raw.Get(OidcConstants.AuthorizeRequest.AcrValues);
if (acrValues.IsPresent())
{
if (acrValues.Length > _options.InputLengthRestrictions.AcrValues)
{
LogError("Acr values too long", request);
return(Invalid(request, description: "Invalid acr_values"));
}
request.AuthenticationContextReferenceClasses = acrValues.FromSpaceSeparatedString().Distinct().ToList();
}
//////////////////////////////////////////////////////////
// check custom acr_values: idp
//////////////////////////////////////////////////////////
var idp = request.GetIdP();
if (idp.IsPresent())
{
// if idp is present but client does not allow it, strip it from the request message
if (request.Client.IdentityProviderRestrictions != null && request.Client.IdentityProviderRestrictions.Any())
{
if (!request.Client.IdentityProviderRestrictions.Contains(idp))
{
_logger.LogWarning("idp requested ({idp}) is not in client restriction list.", idp);
request.RemoveIdP();
}
}
}
//////////////////////////////////////////////////////////
// check session cookie
//////////////////////////////////////////////////////////
if (_options.Endpoints.EnableCheckSessionEndpoint)
{
if (request.Subject.IsAuthenticated())
{
var sessionId = await _userSession.GetSessionIdAsync();
if (sessionId.IsPresent())
{
request.SessionId = sessionId;
}
else
{
LogError("Check session endpoint enabled, but SessionId is missing", request);
}
}
else
{
request.SessionId = ""; // empty string for anonymous users
}
}
return(Valid(request));
}
