
Update the authorization/logout validation/handling events to expose the ClaimsPrincipal resolved from id_token_hint

pull/793/head
Kévin Chalet 7 years ago
committed by GitHub
parent
commit
10cf3794b3
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
  1. 14
      src/OpenIddict.Server/OpenIddictServerEvents.Authentication.cs
  2. 19
      src/OpenIddict.Server/OpenIddictServerEvents.Session.cs
  3. 47
      src/OpenIddict.Server/OpenIddictServerHandlers.Authentication.cs
  4. 76
      src/OpenIddict.Server/OpenIddictServerHandlers.Session.cs

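--- a/src/OpenIddict.Server/OpenIddictServerEvents.Authentication.cs
+++ b/src/OpenIddict.Server/OpenIddictServerEvents.Authentication.cs
@@ -76,6 +76,13 @@ namespace OpenIddict.Server
 RedirectUri = address;
 }
+/// <summary>
+/// Gets or sets the security principal extracted from the id_token_hint, if available.
+/// Note: the principal may not represent the user currently logged in,
+/// so additional validation is strongly encouraged when using this property.
+/// </summary>
+public ClaimsPrincipal IdentityTokenHintPrincipal { get; set; }
 }
 /// <summary>
@@ -91,6 +98,13 @@ namespace OpenIddict.Server
 : base(transaction)
 {
 }
+/// <summary>
+/// Gets or sets the security principal extracted from the id_token_hint, if available.
+/// Note: the principal may not represent the user currently logged in,
+/// so additional validation is strongly encouraged when using this property.
+/// </summary>
+public ClaimsPrincipal IdentityTokenHintPrincipal { get; set; }
 }
 /// <summary>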
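Review bot: The summary on the new IdentityTokenHintPrincipal property (both hunks of this file) warns that the value may not match the logged-in user, but it does not say where the value comes from or when it is null, which is what a handler author needs before deciding how far to trust it. I would extend the remark with `/// The value is populated only after the id_token_hint has been validated by the ValidateIdTokenHint handler and is null when the request carries no usable hint.` — the "only after validation" part is inferred from the handler files in this commit, so confirm it before adopting the wording. The same property and comment are duplicated on both contexts; keeping the two comments identical is worth a note so they do not drift apart later.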

19
src/OpenIddict.Server/OpenIddictServerEvents.Session.cs

@ -5,6 +5,7 @@
*/ */
using System; using System;
using System.Security.Claims;
using JetBrains.Annotations; using JetBrains.Annotations;
namespace OpenIddict.Server namespace OpenIddict.Server
@ -68,6 +69,13 @@ namespace OpenIddict.Server
PostLogoutRedirectUri = address; PostLogoutRedirectUri = address;
} }
/// <summary>
/// Gets or sets the security principal extracted from the id_token_hint, if available.
/// Note: the principal may not represent the user currently logged in,
/// so additional validation is strongly encouraged when using this property.
/// </summary>
public ClaimsPrincipal IdentityTokenHintPrincipal { get; set; }
} }
/// <summary> /// <summary>
@ -85,14 +93,11 @@ namespace OpenIddict.Server
} }
/// <summary> /// <summary>
/// Gets a boolean indicating whether the logout request should be processed. /// Gets or sets the security principal extracted from the id_token_hint, if available.
/// </summary> /// Note: the principal may not represent the user currently logged in,
public bool IsLogoutAllowed { get; private set; } /// so additional validation is strongly encouraged when using this property.
/// <summary>
/// Allow the logout request to be processed.
/// </summary> /// </summary>
public void ProcessLogout() => IsLogoutAllowed = true; public ClaimsPrincipal IdentityTokenHintPrincipal { get; set; }
} }
/// <summary> /// <summary>
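Review bot: The third hunk (@ -85,14 +93,11) removes `IsLogoutAllowed` and `ProcessLogout()` from the logout handling context, which is a public-API break for every existing handler that called `ProcessLogout()` to opt into sign-out, and neither the commit title nor the description mentions it. Since the matching handler change in OpenIddictServerHandlers.Session.cs now dispatches ProcessSignoutContext without that gate, a compatibility shim such as `[Obsolete("Sign-out is now processed automatically; reject the request to refuse it.")] public void ProcessLogout() { }` would let existing code compile while signalling the new contract; the exact refusal API is not visible in this diff, so adjust the message to whatever the context offers. The enclosing context class continues outside the hunk.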

47
src/OpenIddict.Server/OpenIddictServerHandlers.Authentication.cs

@ -6,6 +6,7 @@
using System; using System;
using System.Collections.Immutable; using System.Collections.Immutable;
using System.Security.Claims;
using System.Text; using System.Text;
using System.Threading.Tasks; using System.Threading.Tasks;
using JetBrains.Annotations; using JetBrains.Annotations;
@ -55,6 +56,11 @@ namespace OpenIddict.Server
ValidateGrantTypePermissions.Descriptor, ValidateGrantTypePermissions.Descriptor,
ValidateScopePermissions.Descriptor, ValidateScopePermissions.Descriptor,
/*
* Authorization request handling:
*/
AttachIdentityTokenHintPrincipal.Descriptor,
/* /*
* Authorization response processing: * Authorization response processing:
*/ */
@ -1027,7 +1033,9 @@ namespace OpenIddict.Server
// Note: the expiration date associated with an identity token used as an id_token_hint is deliberately ignored. // Note: the expiration date associated with an identity token used as an id_token_hint is deliberately ignored.
// Store the security principal extracted from the identity token as an environment property. // Attach the security principal extracted from the identity token to the
// validation context and store it as an environment property.
context.IdentityTokenHintPrincipal = notification.Principal;
context.Transaction.Properties[Properties.AmbientPrincipal] = notification.Principal; context.Transaction.Properties[Properties.AmbientPrincipal] = notification.Principal;
} }
} }
@ -1541,6 +1549,43 @@ namespace OpenIddict.Server
} }
} }
/// <summary>
/// Contains the logic responsible of attaching the principal extracted from the id_token_hint to the event context.
/// </summary>
public class AttachIdentityTokenHintPrincipal : IOpenIddictServerHandler<HandleAuthorizationRequestContext>
{
/// <summary>
/// Gets the default descriptor definition assigned to this handler.
/// </summary>
public static OpenIddictServerHandlerDescriptor Descriptor { get; }
= OpenIddictServerHandlerDescriptor.CreateBuilder<HandleAuthorizationRequestContext>()
.UseSingletonHandler<AttachIdentityTokenHintPrincipal>()
.SetOrder(int.MinValue + 100_000)
.Build();
/// <summary>
/// Processes the event.
/// </summary>
/// <param name="context">The context associated with the event to process.</param>
/// <returns>
/// A <see cref="ValueTask"/> that can be used to monitor the asynchronous operation.
/// </returns>
public ValueTask HandleAsync([NotNull] HandleAuthorizationRequestContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
if (context.Transaction.Properties.TryGetValue(Properties.AmbientPrincipal, out var principal))
{
context.IdentityTokenHintPrincipal ??= (ClaimsPrincipal) principal;
}
return default;
}
}
/// <summary> /// <summary>
/// Contains the logic responsible of inferring the redirect URL /// Contains the logic responsible of inferring the redirect URL
/// used to send the response back to the client application. /// used to send the response back to the client application.
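Review bot: AttachIdentityTokenHintPrincipal.HandleAsync (last hunk, the TryGetValue block) casts whatever is stored under Properties.AmbientPrincipal to ClaimsPrincipal without checking, so a value of another type written under that key by a different handler would throw InvalidCastException instead of leaving the property null; a type pattern keeps the intent and drops the cast: `if (context.Transaction.Properties.TryGetValue(Properties.AmbientPrincipal, out var value) && value is ClaimsPrincipal principal)` followed by `context.IdentityTokenHintPrincipal ??= principal;`. The same applies to the copy of this handler in OpenIddictServerHandlers.Session.cs (its hunk at @ -549,6 +554,43). A related concern is that AmbientPrincipal is a generic key: if any other handler stores a principal from a different source (for example the current session) under it, this handler would relabel it as the id_token_hint principal, contrary to the property's documentation. I cannot tell from this diff whether such writers exist, so a comment pinning the contract at the ValidateIdTokenHint assignment, `// Set from the validated id_token_hint only; do not reuse this key for principals from other sources.`, would make the assumption explicit.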

76
src/OpenIddict.Server/OpenIddictServerHandlers.Session.cs

@ -6,6 +6,7 @@
using System; using System;
using System.Collections.Immutable; using System.Collections.Immutable;
using System.Security.Claims;
using System.Text; using System.Text;
using System.Threading.Tasks; using System.Threading.Tasks;
using JetBrains.Annotations; using JetBrains.Annotations;
@ -40,6 +41,11 @@ namespace OpenIddict.Server
ValidateIdTokenHint.Descriptor, ValidateIdTokenHint.Descriptor,
ValidateClientPostLogoutRedirectUri.Descriptor, ValidateClientPostLogoutRedirectUri.Descriptor,
/*
* Logout request handling:
*/
AttachIdentityTokenHintPrincipal.Descriptor,
/* /*
* Logout response processing: * Logout response processing:
*/ */
@ -255,26 +261,23 @@ namespace OpenIddict.Server
return; return;
} }
if (notification.IsLogoutAllowed) var @event = new ProcessSignoutContext(context.Transaction)
{ {
var @event = new ProcessSignoutContext(context.Transaction) Response = new OpenIddictResponse()
{ };
Response = new OpenIddictResponse()
};
await _provider.DispatchAsync(@event); await _provider.DispatchAsync(@event);
if (@event.IsRequestHandled) if (@event.IsRequestHandled)
{ {
context.HandleRequest(); context.HandleRequest();
return; return;
} }
else if (@event.IsRequestSkipped) else if (@event.IsRequestSkipped)
{ {
context.SkipRequest(); context.SkipRequest();
return; return;
}
} }
throw new InvalidOperationException(new StringBuilder() throw new InvalidOperationException(new StringBuilder()
@ -459,7 +462,9 @@ namespace OpenIddict.Server
// Note: the expiration date associated with an identity token used as an id_token_hint is deliberately ignored. // Note: the expiration date associated with an identity token used as an id_token_hint is deliberately ignored.
// Store the security principal extracted from the identity token as an environment property. // Attach the security principal extracted from the identity token to the
// validation context and store it as an environment property.
context.IdentityTokenHintPrincipal = notification.Principal;
context.Transaction.Properties[Properties.AmbientPrincipal] = notification.Principal; context.Transaction.Properties[Properties.AmbientPrincipal] = notification.Principal;
} }
} }
@ -549,6 +554,43 @@ namespace OpenIddict.Server
} }
} }
/// <summary>
/// Contains the logic responsible of attaching the principal extracted from the id_token_hint to the event context.
/// </summary>
public class AttachIdentityTokenHintPrincipal : IOpenIddictServerHandler<HandleLogoutRequestContext>
{
/// <summary>
/// Gets the default descriptor definition assigned to this handler.
/// </summary>
public static OpenIddictServerHandlerDescriptor Descriptor { get; }
= OpenIddictServerHandlerDescriptor.CreateBuilder<HandleLogoutRequestContext>()
.UseSingletonHandler<AttachIdentityTokenHintPrincipal>()
.SetOrder(int.MinValue + 100_000)
.Build();
/// <summary>
/// Processes the event.
/// </summary>
/// <param name="context">The context associated with the event to process.</param>
/// <returns>
/// A <see cref="ValueTask"/> that can be used to monitor the asynchronous operation.
/// </returns>
public ValueTask HandleAsync([NotNull] HandleLogoutRequestContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
if (context.Transaction.Properties.TryGetValue(Properties.AmbientPrincipal, out var principal))
{
context.IdentityTokenHintPrincipal ??= (ClaimsPrincipal) principal;
}
return default;
}
}
/// <summary> /// <summary>
/// Contains the logic responsible of inferring the redirect URL /// Contains the logic responsible of inferring the redirect URL
/// used to send the response back to the client application. /// used to send the response back to the client application.
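Review bot: The hunk at @ -255,26 +261,23 drops the `if (notification.IsLogoutAllowed)` gate, so ProcessSignoutContext is now dispatched for every logout request that the HandleLogoutRequest handlers did not handle or skip, where previously an un-approved request fell through to the InvalidOperationException that follows. That inverts the default from opt-in to opt-out: an application that wants to refuse a logout (for instance because IdentityTokenHintPrincipal does not match the current session) must now explicitly reject or handle the request in its handler, and nothing in the new code or its comments says so. I would add a comment above the `var @event = new ProcessSignoutContext(context.Transaction)` line stating that sign-out proceeds unless a HandleLogoutRequest handler rejected, handled or skipped the request, and call out the contract change in the commit description. The enclosing method starts and ends outside the hunk, and whether the hint principal is compared against the current session anywhere is not visible here.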
