/// <summary>
/// Builds the sign-in message for the login page from an already-validated authorize
/// request, persists it in the sign-in request store and returns a result that sends
/// the browser to the login page.
/// </summary>
/// <param name="request">The validated authorize request that needs user authentication.</param>
/// <returns>A <see cref="LoginPageResult"/> carrying the id of the stored sign-in message.</returns>
public async Task<IEndpointResult> CreateLoginResultAsync(ValidatedAuthorizeRequest request)
{
    // Only what the login page needs is copied across; optional values are forwarded
    // solely when the authorize request actually carried them.
    var signInRequest = new SignInRequest
    {
        // tells the login page which client is asking for authorization
        ClientId = request.ClientId
    };

    if (request.DisplayMode.IsPresent())
    {
        signInRequest.DisplayMode = request.DisplayMode;
    }

    if (request.UiLocales.IsPresent())
    {
        signInRequest.UiLocales = request.UiLocales;
    }

    if (request.LoginHint.IsPresent())
    {
        signInRequest.LoginHint = request.LoginHint;
    }

    // well-known acr values: idp and tenant
    var requestedIdp = request.GetIdP();
    if (requestedIdp.IsPresent())
    {
        signInRequest.IdP = requestedIdp;
    }

    var requestedTenant = request.GetTenant();
    if (requestedTenant.IsPresent())
    {
        signInRequest.Tenant = requestedTenant;
    }

    // remaining acr values are passed through untouched
    var requestedAcrValues = request.GetAcrValues();
    if (requestedAcrValues.Any())
    {
        signInRequest.AcrValues = requestedAcrValues;
    }

    // After login the browser is sent back to the "authorize after login" route, which
    // replays the raw authorize parameters stored alongside the message.
    var responseUrl = _context.GetIdentityServerBaseUrl().EnsureTrailingSlash()
        + Constants.RoutePaths.Oidc.AuthorizeAfterLogin;

    var message = new Message<SignInRequest>(signInRequest)
    {
        ResponseUrl = responseUrl,
        AuthorizeRequestParameters = request.Raw.ToDictionary()
    };

    await _signInRequestStore.WriteAsync(message);

    // NOTE(review): the login page only receives the message id and the stored raw
    // parameters are replayed from the store on return, so the id must be unguessable.
    // It is generated inside Message, not here -- confirm it is a cryptographically
    // random value.
    return new LoginPageResult(message.Id);
}
/// <summary>
/// Decides whether the user must (re)authenticate before the authorize request can proceed.
/// Returns a response with <c>IsLogin</c> set when the login page must be shown, an error
/// response when <c>prompt=none</c> forbids showing it and no session exists, or an empty
/// response when no login interaction is required.
/// </summary>
/// <param name="request">The validated authorize request, including the current subject and client.</param>
/// <returns>The login-related part of the interaction decision.</returns>
internal async Task<InteractionResponse> ProcessLoginAsync(ValidatedAuthorizeRequest request)
{
    // prompt=login always forces a fresh login, regardless of the current session
    if (request.PromptMode == OidcConstants.PromptModes.Login)
    {
        // Strip the prompt from the raw parameters: they are what gets replayed after the
        // login round-trip, so leaving it in would force another login on every pass.
        request.Raw.Remove(OidcConstants.AuthorizeRequest.Prompt);
        _logger.LogInformation("Redirecting to login page because of prompt=login");
        return new InteractionResponse { IsLogin = true };
    }

    var isAuthenticated = request.Subject.Identity.IsAuthenticated;

    // An authenticated subject may have been deactivated since sign-in; the profile
    // service is the authority on that, so it is consulted on every authorize request.
    var isActive = false;
    if (isAuthenticated)
    {
        var activeCtx = new IsActiveContext(request.Subject, request.Client);
        await _profile.IsActiveAsync(activeCtx);
        isActive = activeCtx.IsActive;
    }

    if (!(isAuthenticated && isActive))
    {
        if (!isAuthenticated)
        {
            _logger.LogInformation("User is not authenticated.");
        }
        else if (!isActive)
        {
            _logger.LogInformation("User is not active.");
        }

        // prompt=none forbids any UI, so a missing or inactive session becomes an
        // OIDC login_required error delivered to the client's redirect URI instead.
        if (request.PromptMode == OidcConstants.PromptModes.None)
        {
            _logger.LogInformation("prompt=none was requested but user is not authenticated/active.");
            return new InteractionResponse
            {
                Error = new AuthorizeError
                {
                    ErrorType = ErrorTypes.Client,
                    Error = OidcConstants.AuthorizeErrors.LoginRequired,
                    ResponseMode = request.ResponseMode,
                    ErrorUri = request.RedirectUri,
                    State = request.State
                }
            };
        }

        return new InteractionResponse { IsLogin = true };
    }

    // NOTE(review): unlike the branch above, every IsLogin return below is taken without
    // looking at prompt=none, so a stale session (idp mismatch, max_age exceeded, idp
    // restriction, disallowed local login) would show the login UI that prompt=none
    // forbids unless a caller converts IsLogin into an OIDC error -- confirm against the
    // caller of this method.
    var currentIdp = request.Subject.GetIdentityProvider();

    // the idp hint (well-known acr value) must match the provider the user signed in with
    var requestedIdp = request.GetIdP();
    if (requestedIdp.IsPresent() && requestedIdp != currentIdp)
    {
        _logger.LogInformation("Current IdP is not the requested IdP. Redirecting to login");
        _logger.LogInformation("Current: {0} -- Requested: {1}", currentIdp, requestedIdp);
        return new InteractionResponse { IsLogin = true };
    }

    // max_age: the session is too old once auth_time + max_age lies in the past
    // (max_age=0 therefore always forces re-authentication).
    // NOTE(review): what GetAuthenticationTime() yields when the auth_time claim is absent
    // is not visible here; if it returns a default/epoch value the comparison is safe
    // (re-login), if it returns "now" it would silently pass -- confirm.
    if (request.MaxAge.HasValue)
    {
        var sessionDeadline = request.Subject.GetAuthenticationTime().AddSeconds(request.MaxAge.Value);
        if (DateTimeOffsetHelper.UtcNow > sessionDeadline)
        {
            _logger.LogInformation("Requested MaxAge exceeded.");
            return new InteractionResponse { IsLogin = true };
        }
    }

    // a client may restrict which identity providers its users are allowed to come from;
    // an empty or missing list means no restriction
    var idpRestrictions = request.Client.IdentityProviderRestrictions;
    if (idpRestrictions != null && idpRestrictions.Any() && !idpRestrictions.Contains(currentIdp))
    {
        _logger.LogWarning("User is logged in with idp: {0}, but idp not in client restriction list.", currentIdp);
        return new InteractionResponse { IsLogin = true };
    }

    // a local (built-in) login is only acceptable when both server and client allow it.
    // The explicit "== false" comparisons are kept deliberately: they do not treat a
    // null setting as disabled, which "!" on a nullable would not reproduce.
    var isLocalSession = currentIdp == Constants.BuiltInIdentityProvider;
    if (isLocalSession
        && (_options.AuthenticationOptions.EnableLocalLogin == false || request.Client.EnableLocalLogin == false))
    {
        _logger.LogWarning("User is logged in with local idp, but local logins not enabled.");
        return new InteractionResponse { IsLogin = true };
    }

    // current session satisfies every login-related requirement
    return new InteractionResponse();
}