Merge pull request #25356 from abpframework/feat-openiddict-default-scopes-fallback

Add default scopes fallback for `client_credentials`/`password`/`token_exchange` grants
2 weeks ago · dab20819e1
5 changed files with 144 additions and 0 deletions
--- a/docs/en/modules/openiddict.md
+++ b/docs/en/modules/openiddict.md
@ -303,6 +303,18 @@ PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>

 - `UpdateAbpClaimTypes(default: true)`:  Updates `AbpClaimTypes` to be compatible with the Openiddict claims.
 - `AddDevelopmentEncryptionAndSigningCertificate(default: true)`:  Registers (and generates if necessary) a user-specific development encryption/development signing certificate. This is a certificate used for signing and encrypting the tokens and for **development environment only**. You must set it to **false** for non-development environments.
+- `UseDefaultScopesForClientCredentials(default: false)`: When set to `true`, the access token issued for the `client_credentials` grant automatically grants the scopes configured on the client application (permissions prefixed with `oi_scp:`) when the client does not explicitly request any scope.
+- `UseDefaultScopesForPassword(default: false)`: When set to `true`, the token response for the `password` grant automatically grants the scopes configured on the client application when the client does not explicitly request any scope. If the configured scopes include `openid`/`profile`/`email`/`roles`, the corresponding `id_token` and claim destinations are affected as well.
+- `UseDefaultScopesForTokenExchange(default: false)`: When set to `true`, the token response for the `urn:ietf:params:oauth:grant-type:token-exchange` grant automatically grants the scopes configured on the client application when the client does not explicitly request any scope. If the configured scopes include `openid`/`profile`/`email`/`roles`, the corresponding `id_token` and claim destinations are affected as well.
+
+Example to enable the default-scope fallback for the `client_credentials` grant:
+
+```csharp
+PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
+{
+    options.UseDefaultScopesForClientCredentials = true;
+});
+```

 > `AddDevelopmentEncryptionAndSigningCertificate` cannot be used in applications deployed on IIS or Azure App Service: trying to use them on IIS or Azure App Service will result in an exception being thrown at runtime (unless the application pool is configured to load a user profile). To avoid that, consider creating self-signed certificates and storing them in the X.509 certificates store of the host machine(s). Please refer to: https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html#registering-a-development-certificate

--- a/modules/openiddict/app/OpenIddict.Demo.Server/OpenIddict.Demo.Server.csproj
+++ b/modules/openiddict/app/OpenIddict.Demo.Server/OpenIddict.Demo.Server.csproj
@ -68,6 +68,10 @@
            <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
            <PrivateAssets>compile; contentFiles; build; buildMultitargeting; buildTransitive; analyzers; native</PrivateAssets>
        </PackageReference>
+        <PackageReference Include="Microsoft.EntityFrameworkCore.Design">
+            <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
+            <PrivateAssets>compile; contentFiles; build; buildMultitargeting; buildTransitive; analyzers; native</PrivateAssets>
+        </PackageReference>
    </ItemGroup>

    <ItemGroup>
--- a/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/AbpOpenIddictAspNetCoreModule.cs
+++ b/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/AbpOpenIddictAspNetCoreModule.cs
@ -25,9 +25,16 @@ public class AbpOpenIddictAspNetCoreModule : AbpModule

        Configure<AbpOpenIddictClaimsPrincipalOptions>(options =>
        {
+            options.ClaimsPrincipalHandlers.Add<AbpDefaultScopesHandler>();
            options.ClaimsPrincipalHandlers.Add<AbpDefaultOpenIddictClaimsPrincipalHandler>();
        });

+        var preActions = context.Services.GetPreConfigureActions<AbpOpenIddictAspNetCoreOptions>();
+        Configure<AbpOpenIddictAspNetCoreOptions>(options =>
+        {
+            preActions.Configure(options);
+        });
+
        Configure<RazorViewEngineOptions>(options =>
        {
            options.ViewLocationFormats.Add("/Volo/Abp/OpenIddict/Views/{1}/{0}.cshtml");
--- a/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/AbpOpenIddictOptions.cs
+++ b/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/AbpOpenIddictOptions.cs
@ -25,4 +25,33 @@ public class AbpOpenIddictAspNetCoreOptions
    /// Set the url of the select account page.
    /// </summary>
    public string SelectAccountPage { get; set; } = "~/Account/SelectAccount";
+
+    /// <summary>
+    /// When set to <c>true</c>, the access token issued for the <c>client_credentials</c> grant
+    /// automatically includes the scopes configured on the client application (permissions
+    /// prefixed with <c>oi_scp:</c>) when the client does not explicitly request any scope.
+    /// Default: false.
+    /// </summary>
+    public bool UseDefaultScopesForClientCredentials { get; set; }
+
+    /// <summary>
+    /// When set to <c>true</c>, the token response for the <c>password</c> grant automatically
+    /// grants the scopes configured on the client application (permissions prefixed with
+    /// <c>oi_scp:</c>) when the client does not explicitly request any scope. If the configured
+    /// scopes include <c>openid</c>/<c>profile</c>/<c>email</c>/<c>roles</c>, the corresponding
+    /// id_token and claim destinations are affected as well.
+    /// Default: false.
+    /// </summary>
+    public bool UseDefaultScopesForPassword { get; set; }
+
+    /// <summary>
+    /// When set to <c>true</c>, the token response for the
+    /// <c>urn:ietf:params:oauth:grant-type:token-exchange</c> grant automatically grants the
+    /// scopes configured on the client application (permissions prefixed with <c>oi_scp:</c>)
+    /// when the client does not explicitly request any scope. If the configured scopes include
+    /// <c>openid</c>/<c>profile</c>/<c>email</c>/<c>roles</c>, the corresponding id_token and
+    /// claim destinations are affected as well.
+    /// Default: false.
+    /// </summary>
+    public bool UseDefaultScopesForTokenExchange { get; set; }
 }
--- a/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Claims/AbpDefaultScopesHandler.cs
+++ b/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Claims/AbpDefaultScopesHandler.cs
@ -0,0 +1,92 @@
+using System;
+using System.Collections.Immutable;
+using System.Linq;
+using System.Threading.Tasks;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Logging.Abstractions;
+using Microsoft.Extensions.Options;
+using OpenIddict.Abstractions;
+using Volo.Abp.DependencyInjection;
+
+namespace Volo.Abp.OpenIddict;
+
+public class AbpDefaultScopesHandler : IAbpOpenIddictClaimsPrincipalHandler, ITransientDependency
+{
+    public ILogger<AbpDefaultScopesHandler> Logger { get; set; }
+        = NullLogger<AbpDefaultScopesHandler>.Instance;
+
+    public virtual async Task HandleAsync(AbpOpenIddictClaimsPrincipalHandlerContext context)
+    {
+        var options = context.ScopeServiceProvider
+            .GetRequiredService<IOptions<AbpOpenIddictAspNetCoreOptions>>().Value;
+
+        var request = context.OpenIddictRequest;
+        if (!IsDefaultScopesEnabled(request, options))
+        {
+            return;
+        }
+
+        if (!context.Principal.GetScopes().IsDefaultOrEmpty)
+        {
+            return;
+        }
+
+        var clientId = request.ClientId;
+        if (string.IsNullOrEmpty(clientId))
+        {
+            return;
+        }
+
+        var applicationManager = context.ScopeServiceProvider.GetRequiredService<IOpenIddictApplicationManager>();
+        var scopeManager = context.ScopeServiceProvider.GetRequiredService<IOpenIddictScopeManager>();
+
+        var application = await applicationManager.FindByClientIdAsync(clientId);
+        if (application == null)
+        {
+            return;
+        }
+
+        var permissions = await applicationManager.GetPermissionsAsync(application);
+        var prefix = OpenIddictConstants.Permissions.Prefixes.Scope;
+
+        var scopes = permissions
+            .Where(p => p.StartsWith(prefix, StringComparison.Ordinal))
+            .Select(p => p[prefix.Length..])
+            .ToImmutableArray();
+
+        if (scopes.IsDefaultOrEmpty)
+        {
+            return;
+        }
+
+        Logger.LogDebug(
+            "Injecting default scopes for client {ClientId} (grant_type {GrantType}): {Scopes}",
+            clientId,
+            request.GrantType,
+            string.Join(", ", scopes));
+
+        context.Principal.SetScopes(scopes);
+        context.Principal.SetResources(await scopeManager.ListResourcesAsync(scopes).ToListAsync());
+    }
+
+    protected virtual bool IsDefaultScopesEnabled(OpenIddictRequest request, AbpOpenIddictAspNetCoreOptions options)
+    {
+        if (request.IsClientCredentialsGrantType())
+        {
+            return options.UseDefaultScopesForClientCredentials;
+        }
+
+        if (request.IsPasswordGrantType())
+        {
+            return options.UseDefaultScopesForPassword;
+        }
+
+        if (request.IsTokenExchangeGrantType())
+        {
+            return options.UseDefaultScopesForTokenExchange;
+        }
+
+        return false;
+    }
+}