/// <summary> /// Registers a <see cref="X509Certificate2"/> retrieved from an /// embedded resource and used to sign the JWT tokens issued by OpenIddict. /// </summary> /// <param name="builder">The services builder used by OpenIddict to register new services.</param> /// <param name="assembly">The assembly containing the certificate.</param> /// <param name="resource">The name of the embedded resource.</param> /// <param name="password">The password used to open the certificate.</param> /// <returns>The <see cref="OpenIddictBuilder"/>.</returns> public static OpenIddictBuilder AddSigningCertificate( [NotNull] this OpenIddictBuilder builder, [NotNull] Assembly assembly, [NotNull] string resource, [NotNull] string password) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } if (assembly == null) { throw new ArgumentNullException(nameof(assembly)); } if (string.IsNullOrEmpty(resource)) { throw new ArgumentNullException(nameof(resource)); } if (string.IsNullOrEmpty(password)) { throw new ArgumentNullException(nameof(password)); } return(builder.Configure(options => options.SigningCredentials.AddCertificate(assembly, resource, password))); }
/// <summary> /// Disables sliding expiration. When using this option, refresh tokens /// are issued with a fixed expiration date: when it expires, a complete /// authorization flow must be started to retrieve a new refresh token. /// </summary> /// <param name="builder">The services builder used by OpenIddict to register new services.</param> /// <returns>The <see cref="OpenIddictBuilder"/>.</returns> public static OpenIddictBuilder DisableSlidingExpiration([NotNull] this OpenIddictBuilder builder) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } return(builder.Configure(options => options.UseSlidingExpiration = false)); }
/// <summary> /// Configures OpenIddict to use rolling refresh tokens. When this option is enabled, /// a new refresh token is always issued for each refresh token request (and the previous /// one is automatically revoked unless token revocation was explicitly disabled). /// </summary> /// <param name="builder">The services builder used by OpenIddict to register new services.</param> /// <returns>The <see cref="OpenIddictBuilder"/>.</returns> public static OpenIddictBuilder UseRollingTokens([NotNull] this OpenIddictBuilder builder) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } return(builder.Configure(options => options.UseRollingTokens = true)); }
/// <summary> /// Enables request caching, so that both authorization and logout requests /// are automatically stored in the distributed cache, which allows flowing /// large payloads across requests. Enabling this option is recommended /// when using external authentication providers or when large GET or POST /// OpenID Connect authorization requests support is required. /// </summary> /// <param name="builder">The services builder used by OpenIddict to register new services.</param> /// <returns>The <see cref="OpenIddictBuilder"/>.</returns> public static OpenIddictBuilder EnableRequestCaching([NotNull] this OpenIddictBuilder builder) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } return(builder.Configure(options => options.EnableRequestCaching = true)); }
/// <summary> /// Rejects authorization and token requests that specify scopes that have not been /// registered in the database using <see cref="OpenIddictScopeManager{TScope}"/>. /// </summary> /// <param name="builder">The services builder used by OpenIddict to register new services.</param> public static OpenIddictBuilder ValidateScopes([NotNull] this OpenIddictBuilder builder) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } return(builder.Configure(options => options.ValidateScopes = true)); }
/// <summary> /// Makes client identification mandatory so that token and revocation /// requests that don't specify a client_id are automatically rejected. /// Note: enabling this option doesn't prevent public clients from using /// the token and revocation endpoints, but specifying a client_id is required. /// </summary> /// <param name="builder">The services builder used by OpenIddict to register new services.</param> public static OpenIddictBuilder RequireClientIdentification([NotNull] this OpenIddictBuilder builder) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } return(builder.Configure(options => options.RequireClientIdentification = true)); }
/// <summary> /// Registers a new ephemeral key used to sign the JWT tokens issued by OpenIddict: the key /// is discarded when the application shuts down and tokens signed using this key are /// automatically invalidated. This method should only be used during development. /// On production, using a X.509 certificate stored in the machine store is recommended. /// </summary> /// <param name="builder">The services builder used by OpenIddict to register new services.</param> /// <returns>The <see cref="OpenIddictBuilder"/>.</returns> public static OpenIddictBuilder AddEphemeralSigningKey([NotNull] this OpenIddictBuilder builder) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } return(builder.Configure(options => options.SigningCredentials.AddEphemeralKey())); }
/// <summary> /// Disables token revocation, so that authorization code and /// refresh tokens are never stored and cannot be revoked. /// Using this option is generally not recommended. /// </summary> /// <param name="builder">The services builder used by OpenIddict to register new services.</param> /// <returns>The <see cref="OpenIddictBuilder"/>.</returns> public static OpenIddictBuilder DisableTokenRevocation([NotNull] this OpenIddictBuilder builder) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } return(builder.Configure(options => options.DisableTokenRevocation = true)); }
/// <summary> /// Disables the cryptography endpoint. /// </summary> /// <param name="builder">The services builder used by OpenIddict to register new services.</param> /// <returns>The <see cref="OpenIddictBuilder"/>.</returns> public static OpenIddictBuilder DisableCryptographyEndpoint([NotNull] this OpenIddictBuilder builder) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } return(builder.Configure(options => options.CryptographyEndpointPath = PathString.Empty)); }
/// <summary> /// Disables the HTTPS requirement during development. /// </summary> /// <param name="builder">The services builder used by OpenIddict to register new services.</param> /// <returns>The <see cref="OpenIddictBuilder"/>.</returns> public static OpenIddictBuilder DisableHttpsRequirement([NotNull] this OpenIddictBuilder builder) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } return(builder.Configure(options => options.AllowInsecureHttp = true)); }
/// <summary> /// Enables refresh token flow support. For more information about this /// specific OAuth2 flow, visit https://tools.ietf.org/html/rfc6749#section-6. /// </summary> /// <param name="builder">The services builder used by OpenIddict to register new services.</param> /// <returns>The <see cref="OpenIddictBuilder"/>.</returns> public static OpenIddictBuilder AllowRefreshTokenFlow([NotNull] this OpenIddictBuilder builder) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } return(builder.Configure(options => options.GrantTypes.Add(OpenIdConnectConstants.GrantTypes.RefreshToken))); }
/// <summary> /// Sets the refresh token lifetime, after which client applications must get /// a new authorization from the user. When sliding expiration is enabled, /// a new refresh token is always issued to the client application, /// which prolongs the validity period of the refresh token. /// </summary> /// <param name="builder">The services builder used by OpenIddict to register new services.</param> /// <param name="lifetime">The refresh token lifetime.</param> /// <returns>The <see cref="OpenIddictBuilder"/>.</returns> public static OpenIddictBuilder SetRefreshTokenLifetime( [NotNull] this OpenIddictBuilder builder, TimeSpan lifetime) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } return(builder.Configure(options => options.RefreshTokenLifetime = lifetime)); }
/// <summary> /// Registers (and generates if necessary) a user-specific development /// certificate used to sign the JWT tokens issued by OpenIddict. /// </summary> /// <param name="builder">The services builder used by OpenIddict to register new services.</param> /// <returns>The <see cref="OpenIddictBuilder"/>.</returns> public static OpenIddictBuilder AddDevelopmentSigningCertificate( [NotNull] this OpenIddictBuilder builder) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } return(builder.Configure(options => options.SigningCredentials.AddDevelopmentCertificate())); }
/// <summary> /// Registers a <see cref="X509Certificate2"/> retrieved from the X.509 /// machine store and used to sign the JWT tokens issued by OpenIddict. /// </summary> /// <param name="builder">The services builder used by OpenIddict to register new services.</param> /// <param name="thumbprint">The thumbprint of the certificate used to identify it in the X.509 store.</param> /// <returns>The <see cref="OpenIddictBuilder"/>.</returns> public static OpenIddictBuilder AddSigningCertificate( [NotNull] this OpenIddictBuilder builder, [NotNull] string thumbprint) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } if (string.IsNullOrEmpty(thumbprint)) { throw new ArgumentNullException(nameof(thumbprint)); } return(builder.Configure(options => options.SigningCredentials.AddCertificate(thumbprint))); }
/// <summary> /// Enables custom grant type support. /// </summary> /// <param name="builder">The services builder used by OpenIddict to register new services.</param> /// <param name="type">The grant type associated with the flow.</param> /// <returns>The <see cref="OpenIddictBuilder"/>.</returns> public static OpenIddictBuilder AllowCustomFlow( [NotNull] this OpenIddictBuilder builder, [NotNull] string type) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } if (string.IsNullOrEmpty(type)) { throw new ArgumentException("The grant type cannot be null or empty.", nameof(type)); } return(builder.Configure(options => options.GrantTypes.Add(type))); }
/// <summary> /// Registers a <see cref="SecurityKey"/> used to sign the JWT tokens issued by OpenIddict. /// Note: using <see cref="RsaSecurityKey"/> asymmetric keys is recommended on production. /// </summary> /// <param name="builder">The services builder used by OpenIddict to register new services.</param> /// <param name="key">The security key.</param> /// <returns>The <see cref="OpenIddictBuilder"/>.</returns> public static OpenIddictBuilder AddSigningKey( [NotNull] this OpenIddictBuilder builder, [NotNull] SecurityKey key) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } if (key == null) { throw new ArgumentNullException(nameof(key)); } return(builder.Configure(options => options.SigningCredentials.AddKey(key))); }
/// <summary> /// Sets the issuer address, which is used as the base address /// for the endpoint URIs returned from the discovery endpoint. /// </summary> /// <param name="builder">The services builder used by OpenIddict to register new services.</param> /// <param name="address">The issuer address.</param> /// <returns>The <see cref="OpenIddictBuilder"/>.</returns> public static OpenIddictBuilder SetIssuer( [NotNull] this OpenIddictBuilder builder, [NotNull] Uri address) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } if (address == null) { throw new ArgumentNullException(nameof(address)); } return(builder.Configure(options => options.Issuer = address)); }
/// <summary> /// Registers a new ephemeral key used to sign the JWT tokens issued by OpenIddict: the key /// is discarded when the application shuts down and tokens signed using this key are /// automatically invalidated. This method should only be used during development. /// On production, using a X.509 certificate stored in the machine store is recommended. /// </summary> /// <param name="builder">The services builder used by OpenIddict to register new services.</param> /// <param name="algorithm">The algorithm associated with the signing key.</param> /// <returns>The <see cref="OpenIddictBuilder"/>.</returns> public static OpenIddictBuilder AddEphemeralSigningKey( [NotNull] this OpenIddictBuilder builder, [NotNull] string algorithm) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } if (string.IsNullOrEmpty(algorithm)) { throw new ArgumentException("The algorithm cannot be null or empty.", nameof(algorithm)); } return(builder.Configure(options => options.SigningCredentials.AddEphemeralKey(algorithm))); }
/// <summary> /// Enables the userinfo endpoint. /// </summary> /// <param name="builder">The services builder used by OpenIddict to register new services.</param> /// <param name="path">The relative path of the userinfo endpoint.</param> /// <returns>The <see cref="OpenIddictBuilder"/>.</returns> public static OpenIddictBuilder EnableUserinfoEndpoint( [NotNull] this OpenIddictBuilder builder, PathString path) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } if (!path.HasValue) { throw new ArgumentException("The path cannot be empty.", nameof(path)); } return(builder.Configure(options => options.UserinfoEndpointPath = path)); }
/// <summary> /// Configures OpenIddict to use a specific data protection provider /// instead of relying on the default instance provided by the DI container. /// </summary> /// <param name="builder">The services builder used by OpenIddict to register new services.</param> /// <param name="provider">The data protection provider used to create token protectors.</param> /// <returns>The <see cref="OpenIddictBuilder"/>.</returns> public static OpenIddictBuilder UseDataProtectionProvider( [NotNull] this OpenIddictBuilder builder, [NotNull] IDataProtectionProvider provider) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } if (provider == null) { throw new ArgumentNullException(nameof(provider)); } return(builder.Configure(options => options.DataProtectionProvider = provider)); }
/// <summary> /// Sets JWT as the default token format for access tokens. /// Note: this option cannot be used when using reference tokens. /// </summary> /// <param name="builder">The services builder used by OpenIddict to register new services.</param> /// <returns>The <see cref="OpenIddictBuilder"/>.</returns> public static OpenIddictBuilder UseJsonWebTokens([NotNull] this OpenIddictBuilder builder) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } return(builder.Configure(options => { options.AccessTokenHandler = new JwtSecurityTokenHandler { InboundClaimTypeMap = new Dictionary <string, string>(), OutboundClaimTypeMap = new Dictionary <string, string>() }; })); }
/// <summary> /// Registers the specified scopes as supported scopes so /// they can be returned as part of the discovery document. /// </summary> /// <param name="builder">The services builder used by OpenIddict to register new services.</param> /// <param name="scopes">The supported scopes.</param> /// <returns>The <see cref="OpenIddictBuilder"/>.</returns> public static OpenIddictBuilder RegisterScopes( [NotNull] this OpenIddictBuilder builder, [NotNull] params string[] scopes) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } if (scopes == null) { throw new ArgumentNullException(nameof(scopes)); } if (scopes.Any(scope => string.IsNullOrEmpty(scope))) { throw new ArgumentException("Scopes cannot be null or empty.", nameof(scopes)); } return(builder.Configure(options => options.Scopes.UnionWith(scopes))); }
/// <summary> /// Registers the specified claims as supported claims so /// they can be returned as part of the discovery document. /// </summary> /// <param name="builder">The services builder used by OpenIddict to register new services.</param> /// <param name="claims">The supported claims.</param> /// <returns>The <see cref="OpenIddictBuilder"/>.</returns> public static OpenIddictBuilder RegisterClaims( [NotNull] this OpenIddictBuilder builder, [NotNull] params string[] claims) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } if (claims == null) { throw new ArgumentNullException(nameof(claims)); } if (claims.Any(claim => string.IsNullOrEmpty(claim))) { throw new ArgumentException("Claims cannot be null or empty.", nameof(claims)); } return(builder.Configure(options => options.Claims.UnionWith(claims))); }
/// <summary> /// Registers a <see cref="X509Certificate2"/> that is used to sign the JWT tokens issued by OpenIddict. /// </summary> /// <param name="builder">The services builder used by OpenIddict to register new services.</param> /// <param name="certificate">The certificate used to sign the security tokens issued by the server.</param> /// <returns>The <see cref="OpenIddictBuilder"/>.</returns> public static OpenIddictBuilder AddSigningCertificate( [NotNull] this OpenIddictBuilder builder, [NotNull] X509Certificate2 certificate) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } if (certificate == null) { throw new ArgumentNullException(nameof(certificate)); } if (!certificate.HasPrivateKey) { throw new InvalidOperationException("The certificate doesn't contain the required private key."); } return(builder.Configure(options => options.SigningCredentials.AddCertificate(certificate))); }
/// <summary> /// Registers a <see cref="X509Certificate2"/> extracted from a /// stream and used to sign the JWT tokens issued by OpenIddict. /// </summary> /// <param name="builder">The services builder used by OpenIddict to register new services.</param> /// <param name="stream">The stream containing the certificate.</param> /// <param name="password">The password used to open the certificate.</param> /// <param name="flags"> /// An enumeration of flags indicating how and where /// to store the private key of the certificate. /// </param> /// <returns>The <see cref="OpenIddictBuilder"/>.</returns> public static OpenIddictBuilder AddSigningCertificate( [NotNull] this OpenIddictBuilder builder, [NotNull] Stream stream, [NotNull] string password, X509KeyStorageFlags flags) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } if (stream == null) { throw new ArgumentNullException(nameof(stream)); } if (string.IsNullOrEmpty(password)) { throw new ArgumentNullException(nameof(password)); } return(builder.Configure(options => options.SigningCredentials.AddCertificate(stream, password, flags))); }