Resolve #1512 AbpResourceOwnerPasswordValidator support custom claims.

7 years ago · c823e41a99
1 changed files with 75 additions and 13 deletions
--- a/modules/identityserver/src/Volo.Abp.IdentityServer.Domain/Volo/Abp/IdentityServer/AspNetIdentity/AbpResourceOwnerPasswordValidator.cs
+++ b/modules/identityserver/src/Volo.Abp.IdentityServer.Domain/Volo/Abp/IdentityServer/AspNetIdentity/AbpResourceOwnerPasswordValidator.cs
@ -1,33 +1,95 @@
-using System.Threading.Tasks;
+using System.Collections.Generic;
+using System.Security.Claims;
+using System.Threading.Tasks;
+using IdentityModel;
 using IdentityServer4.AspNetIdentity;
+using IdentityServer4.Events;
+using IdentityServer4.Models;
 using IdentityServer4.Services;
 using IdentityServer4.Validation;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.Extensions.Logging;
 using Volo.Abp.Identity;
+using Volo.Abp.Security.Claims;
 using Volo.Abp.Uow;

 namespace Volo.Abp.IdentityServer.AspNetIdentity
 {
-    public class AbpResourceOwnerPasswordValidator : ResourceOwnerPasswordValidator<IdentityUser>
+    public class AbpResourceOwnerPasswordValidator : IResourceOwnerPasswordValidator //ResourceOwnerPasswordValidator<IdentityUser>
    {
+        private readonly SignInManager<IdentityUser> _signInManager;
+        private readonly IEventService _events;
+        private readonly UserManager<IdentityUser> _userManager;
+        private readonly ILogger<ResourceOwnerPasswordValidator<IdentityUser>> _logger;
+
        public AbpResourceOwnerPasswordValidator(
-            IdentityUserManager userManager, 
-            SignInManager<IdentityUser> signInManager, 
-            IEventService events, 
-            ILogger<ResourceOwnerPasswordValidator<IdentityUser>> logger
-            ) : base(
-                userManager, 
-                signInManager, 
-                events, 
-                logger)
+            UserManager<IdentityUser> userManager,
+            SignInManager<IdentityUser> signInManager,
+            IEventService events,
+            ILogger<ResourceOwnerPasswordValidator<IdentityUser>> logger)
        {
+            _userManager = userManager;
+            _signInManager = signInManager;
+            _events = events;
+            _logger = logger;
        }

+        /// <summary>
+        /// https://github.com/IdentityServer/IdentityServer4/blob/master/src/AspNetIdentity/src/ResourceOwnerPasswordValidator.cs#L53
+        /// </summary>
+        /// <param name="context"></param>
+        /// <returns></returns>
        [UnitOfWork]
-        public override async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
+        public virtual async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
        {
-            await base.ValidateAsync(context);
+            var user = await _userManager.FindByNameAsync(context.UserName);
+            if (user != null)
+            {
+                var result = await _signInManager.CheckPasswordSignInAsync(user, context.Password, true);
+                if (result.Succeeded)
+                {
+                    var sub = await _userManager.GetUserIdAsync(user);
+
+                    _logger.LogInformation("Credentials validated for username: {username}", context.UserName);
+                    await _events.RaiseAsync(new UserLoginSuccessEvent(context.UserName, sub, context.UserName, interactive: false));
+
+                    context.Result = new GrantValidationResult(sub, OidcConstants.AuthenticationMethods.Password, GetAdditionalClaimsOrNull(user));
+
+                    return;
+                }
+                else if (result.IsLockedOut)
+                {
+                    _logger.LogInformation("Authentication failed for username: {username}, reason: locked out", context.UserName);
+                    await _events.RaiseAsync(new UserLoginFailureEvent(context.UserName, "locked out", interactive: false));
+                }
+                else if (result.IsNotAllowed)
+                {
+                    _logger.LogInformation("Authentication failed for username: {username}, reason: not allowed", context.UserName);
+                    await _events.RaiseAsync(new UserLoginFailureEvent(context.UserName, "not allowed", interactive: false));
+                }
+                else
+                {
+                    _logger.LogInformation("Authentication failed for username: {username}, reason: invalid credentials", context.UserName);
+                    await _events.RaiseAsync(new UserLoginFailureEvent(context.UserName, "invalid credentials", interactive: false));
+                }
+            }
+            else
+            {
+                _logger.LogInformation("No user found matching username: {username}", context.UserName);
+                await _events.RaiseAsync(new UserLoginFailureEvent(context.UserName, "invalid username", interactive: false));
+            }
+
+            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
+        }
+
+        protected virtual IEnumerable<Claim> GetAdditionalClaimsOrNull(IdentityUser user)
+        {
+            if (!user.TenantId.HasValue)
+            {
+                return null;
+            }
+
+            return new[] { new Claim(AbpClaimTypes.TenantId, user.TenantId?.ToString()) };
        }
    }
 }