feat(openiddict): Enhance session validity checks

- `UserInfoIdentitySession` 标记为已过时 - 增加 `ValidationTokenCheckIdentitySession` 用于验证过程中检查会话 - 增加 `ServerValidationTokenCheckIdentitySession` 用于授权过程中检查会话
2 months ago · 01b03d6d71
7 changed files with 105 additions and 69 deletions
--- a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Domain/LINGYUN/Abp/Identity/Session/IdentitySessionManager.cs
+++ b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Domain/LINGYUN/Abp/Identity/Session/IdentitySessionManager.cs
@ -37,15 +37,16 @@ public class IdentitySessionManager : DomainService, IIdentitySessionManager
        if (claimsPrincipal != null)
        {
            var userId = claimsPrincipal.FindUserId();
+            var sessionId = claimsPrincipal.FindSessionId();
+            if (!userId.HasValue || sessionId.IsNullOrWhiteSpace())
+            {
+                return;
+            }
+
            var tenantId = claimsPrincipal.FindTenantId();

            using (CurrentTenant.Change(tenantId))
            {
-                var sessionId = claimsPrincipal.FindSessionId();
-                if (!userId.HasValue || sessionId.IsNullOrWhiteSpace())
-                {
-                    return;
-                }
                if (await IdentitySessionStore.ExistAsync(sessionId, cancellationToken))
                {
                    return;
--- a/aspnet-core/modules/openIddict/LINGYUN.Abp.OpenIddict.Application.Contracts/LINGYUN/Abp/OpenIddict/Scopes/OpenIddictScopeCreateOrUpdateDto.cs
+++ b/aspnet-core/modules/openIddict/LINGYUN.Abp.OpenIddict.Application.Contracts/LINGYUN/Abp/OpenIddict/Scopes/OpenIddictScopeCreateOrUpdateDto.cs
@ -23,5 +23,5 @@ public abstract class OpenIddictScopeCreateOrUpdateDto : ExtensibleObject

    public Dictionary<string, string> Properties { get; set; } = new Dictionary<string, string>();

-    public List<string> Resources { get; set; } = new List<string>();
+    public HashSet<string> Resources { get; set; } = new HashSet<string>();
 }
--- a/aspnet-core/modules/openIddict/LINGYUN.Abp.OpenIddict.AspNetCore.Session/LINGYUN/Abp/OpenIddict/AspNetCore/Session/AbpOpenIddictAspNetCoreSessionModule.cs
+++ b/aspnet-core/modules/openIddict/LINGYUN.Abp.OpenIddict.AspNetCore.Session/LINGYUN/Abp/OpenIddict/AspNetCore/Session/AbpOpenIddictAspNetCoreSessionModule.cs
@ -2,6 +2,7 @@
 using LINGYUN.Abp.Identity.Session;
 using LINGYUN.Abp.Identity.Session.AspNetCore;
 using Microsoft.Extensions.DependencyInjection;
+using OpenIddict.Validation;
 using Volo.Abp.Modularity;
 using static OpenIddict.Abstractions.OpenIddictConstants;

@ -20,7 +21,8 @@ public class AbpOpenIddictAspNetCoreSessionModule : AbpModule
            builder.AddEventHandler(ProcessSignOutIdentitySession.Descriptor);
            builder.AddEventHandler(ProcessSignInIdentitySession.Descriptor);
            builder.AddEventHandler(RevocationIdentitySession.Descriptor);
-            builder.AddEventHandler(UserInfoIdentitySession.Descriptor);
+            builder.AddEventHandler(ServerValidationTokenCheckIdentitySession.Descriptor);
+            // builder.AddEventHandler(UserInfoIdentitySession.Descriptor);
        });
    }

@ -36,5 +38,12 @@ public class AbpOpenIddictAspNetCoreSessionModule : AbpModule
        {
            options.PersistentSessionGrantTypes.Add(GrantTypes.Password);
        });
+
+        context.Services.Add(ValidationTokenCheckIdentitySession.Descriptor.ServiceDescriptor);
+
+        Configure<OpenIddictValidationOptions>(options =>
+        {
+            options.Handlers.Add(ValidationTokenCheckIdentitySession.Descriptor);
+        });
    }
 }
--- a/aspnet-core/modules/openIddict/LINGYUN.Abp.OpenIddict.AspNetCore.Session/LINGYUN/Abp/OpenIddict/AspNetCore/Session/ServerValidationTokenCheckIdentitySession.cs
+++ b/aspnet-core/modules/openIddict/LINGYUN.Abp.OpenIddict.AspNetCore.Session/LINGYUN/Abp/OpenIddict/AspNetCore/Session/ServerValidationTokenCheckIdentitySession.cs
@ -0,0 +1,43 @@
+using LINGYUN.Abp.Identity.Session;
+using Microsoft.Extensions.Logging;
+using OpenIddict.Server;
+using System.Security.Principal;
+using System.Threading.Tasks;
+using Volo.Abp.MultiTenancy;
+using static OpenIddict.Abstractions.OpenIddictConstants;
+
+namespace LINGYUN.Abp.OpenIddict.AspNetCore.Session;
+public class ServerValidationTokenCheckIdentitySession : IOpenIddictServerHandler<OpenIddictServerEvents.ValidateTokenContext>
+{
+    protected ICurrentTenant CurrentTenant { get; }
+    protected IIdentitySessionChecker IdentitySessionChecker { get; }
+
+    public static OpenIddictServerHandlerDescriptor Descriptor { get; } =
+        OpenIddictServerHandlerDescriptor.CreateBuilder<OpenIddictServerEvents.ValidateTokenContext>()
+        .UseSingletonHandler<ServerValidationTokenCheckIdentitySession>()
+        .SetOrder(OpenIddictServerHandlers.Protection.ValidatePrincipal.Descriptor.Order + 2_000)
+        .SetType(OpenIddictServerHandlerType.Custom).Build();
+
+    public ServerValidationTokenCheckIdentitySession(
+        ICurrentTenant currentTenant, 
+        IIdentitySessionChecker identitySessionChecker)
+    {
+        CurrentTenant = currentTenant;
+        IdentitySessionChecker = identitySessionChecker;
+    }
+
+    public async virtual ValueTask HandleAsync(OpenIddictServerEvents.ValidateTokenContext context)
+    {
+        var tenantId = context.Principal.FindTenantId();
+        using (CurrentTenant.Change(tenantId))
+        {
+            if (!await IdentitySessionChecker.ValidateSessionAsync(context.Principal))
+            {
+                context.Logger.LogWarning("The token is no longer valid because the user's session expired.");
+                // Errors.InvalidToken --->  401
+                // Errors.ExpiredToken --->  400
+                context.Reject(Errors.InvalidToken, "The user session has expired.");
+            }
+        }
+    }
+}
--- a/aspnet-core/modules/openIddict/LINGYUN.Abp.OpenIddict.AspNetCore.Session/LINGYUN/Abp/OpenIddict/AspNetCore/Session/UserinfoIdentitySession.cs
+++ b/aspnet-core/modules/openIddict/LINGYUN.Abp.OpenIddict.AspNetCore.Session/LINGYUN/Abp/OpenIddict/AspNetCore/Session/UserinfoIdentitySession.cs
@ -11,6 +11,7 @@ namespace LINGYUN.Abp.OpenIddict.AspNetCore.Session;
 /// <summary>
 /// UserInfoEndpoint 检查用户会话
 /// </summary>
+[Obsolete("UserInfoIdentitySession is outdated, please use the CheckIdentitySessionOnServerValidationToken")]
 public class UserInfoIdentitySession : IOpenIddictServerHandler<OpenIddictServerEvents.HandleUserInfoRequestContext>
 {
    protected ICurrentTenant CurrentTenant { get; }
--- a/aspnet-core/modules/openIddict/LINGYUN.Abp.OpenIddict.AspNetCore.Session/LINGYUN/Abp/OpenIddict/AspNetCore/Session/ValidationTokenCheckIdentitySession.cs
+++ b/aspnet-core/modules/openIddict/LINGYUN.Abp.OpenIddict.AspNetCore.Session/LINGYUN/Abp/OpenIddict/AspNetCore/Session/ValidationTokenCheckIdentitySession.cs
@ -0,0 +1,44 @@
+using LINGYUN.Abp.Identity.Session;
+using Microsoft.Extensions.Logging;
+using OpenIddict.Validation;
+using System.Security.Principal;
+using System.Threading.Tasks;
+using Volo.Abp.MultiTenancy;
+using static OpenIddict.Abstractions.OpenIddictConstants;
+
+namespace LINGYUN.Abp.OpenIddict.AspNetCore.Session;
+public class ValidationTokenCheckIdentitySession : IOpenIddictValidationHandler<OpenIddictValidationEvents.ValidateTokenContext>
+{
+    protected ICurrentTenant CurrentTenant { get; }
+    protected IIdentitySessionChecker IdentitySessionChecker { get; }
+
+    public static OpenIddictValidationHandlerDescriptor Descriptor { get; }
+        = OpenIddictValidationHandlerDescriptor.CreateBuilder<OpenIddictValidationEvents.ValidateTokenContext>()
+            .UseSingletonHandler<ValidationTokenCheckIdentitySession>()
+            .SetOrder(OpenIddictValidationHandlers.Protection.ValidatePrincipal.Descriptor.Order + 2_000)
+            .SetType(OpenIddictValidationHandlerType.Custom)
+            .Build();
+
+    public ValidationTokenCheckIdentitySession(
+        ICurrentTenant currentTenant,
+        IIdentitySessionChecker identitySessionChecker)
+    {
+        CurrentTenant = currentTenant;
+        IdentitySessionChecker = identitySessionChecker;
+    }
+
+    public async virtual ValueTask HandleAsync(OpenIddictValidationEvents.ValidateTokenContext context)
+    {
+        var tenantId = context.Principal.FindTenantId();
+        using (CurrentTenant.Change(tenantId))
+        {
+            if (!await IdentitySessionChecker.ValidateSessionAsync(context.Principal))
+            {
+                context.Logger.LogWarning("The token is no longer valid because the user's session expired.");
+                // Errors.InvalidToken --->  401
+                // Errors.ExpiredToken --->  400
+                context.Reject(Errors.InvalidToken, "The user session has expired.");
+            }
+        }
+    }
+}
--- a/aspnet-core/modules/openIddict/LINGYUN.Abp.OpenIddict.AspNetCore/LINGYUN/Abp/OpenIddict/AspNetCore/Controllers/UserInfoController.cs
+++ b/aspnet-core/modules/openIddict/LINGYUN.Abp.OpenIddict.AspNetCore/LINGYUN/Abp/OpenIddict/AspNetCore/Controllers/UserInfoController.cs
@ -1,62 +0,0 @@
-using OpenIddict.Abstractions;
-using System;
-using System.Collections.Generic;
-using System.Threading.Tasks;
-using Volo.Abp.DependencyInjection;
-using Volo.Abp.Security.Claims;
-using Volo.Abp.Users;
-using VoloUserInfoController = Volo.Abp.OpenIddict.Controllers.UserInfoController;
-
-namespace LINGYUN.Abp.OpenIddict.AspNetCore.Controllers;
-
-[ExposeServices(
-    typeof(VoloUserInfoController),
-    typeof(UserInfoController))]
-public class UserInfoController : VoloUserInfoController
-{
-    protected async override Task<Dictionary<string, object>> GetUserInfoClaims()
-    {
-        var user = await UserManager.GetUserAsync(User);
-        if (user == null)
-        {
-            return null;
-        }
-
-        var claims = new Dictionary<string, object>(StringComparer.Ordinal)
-        {
-            // Note: the "sub" claim is a mandatory claim and must be included in the JSON response.
-            [OpenIddictConstants.Claims.Subject] = await UserManager.GetUserIdAsync(user),
-            [AbpClaimTypes.SessionId] = CurrentUser.FindSessionId(),
-        };
-
-        if (User.HasScope(OpenIddictConstants.Scopes.Profile))
-        {
-            claims[AbpClaimTypes.TenantId] = user.TenantId;
-            claims[OpenIddictConstants.Claims.PreferredUsername] = user.UserName;
-            claims[OpenIddictConstants.Claims.FamilyName] = user.Surname;
-            claims[OpenIddictConstants.Claims.GivenName] = user.Name;
-        }
-
-        if (User.HasScope(OpenIddictConstants.Scopes.Email))
-        {
-            claims[OpenIddictConstants.Claims.Email] = await UserManager.GetEmailAsync(user);
-            claims[OpenIddictConstants.Claims.EmailVerified] = await UserManager.IsEmailConfirmedAsync(user);
-        }
-
-        if (User.HasScope(OpenIddictConstants.Scopes.Phone))
-        {
-            claims[OpenIddictConstants.Claims.PhoneNumber] = await UserManager.GetPhoneNumberAsync(user);
-            claims[OpenIddictConstants.Claims.PhoneNumberVerified] = await UserManager.IsPhoneNumberConfirmedAsync(user);
-        }
-
-        if (User.HasScope(OpenIddictConstants.Scopes.Roles))
-        {
-            claims[OpenIddictConstants.Claims.Role] = await UserManager.GetRolesAsync(user);
-        }
-
-        // Note: the complete list of standard claims supported by the OpenID Connect specification
-        // can be found here: http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
-
-        return claims;
-    }
-}