From 28fe95f7db263e7ef0e1fc8986e7f4259150b38b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20Chalet?= Date: Sat, 9 Jul 2016 15:18:20 +0200 Subject: [PATCH] Disable the authorization/introspection/logout/revocation/token/userinfo endpoints by default --- .../Mvc.Server/Controllers/ErrorController.cs | 2 +- samples/Mvc.Server/Startup.cs | 18 ++++----- src/OpenIddict.Core/OpenIddictBuilder.cs | 39 ++++++++++++++++--- src/OpenIddict.Core/OpenIddictOptions.cs | 4 +- 4 files changed, 44 insertions(+), 19 deletions(-) diff --git a/samples/Mvc.Server/Controllers/ErrorController.cs b/samples/Mvc.Server/Controllers/ErrorController.cs index eefffc58..846bd697 100644 --- a/samples/Mvc.Server/Controllers/ErrorController.cs +++ b/samples/Mvc.Server/Controllers/ErrorController.cs @@ -16,7 +16,7 @@ namespace Mvc.Server { // OIDC request, display a generic error page. var response = HttpContext.GetOpenIdConnectResponse(); if (response == null) { - return View(); + return View(new ErrorViewModel()); } return View(new ErrorViewModel { diff --git a/samples/Mvc.Server/Startup.cs b/samples/Mvc.Server/Startup.cs index d994292e..27c73cc1 100644 --- a/samples/Mvc.Server/Startup.cs +++ b/samples/Mvc.Server/Startup.cs 
@@ -31,18 +31,16 @@ namespace Mvc.Server { // Register the OpenIddict services, including the default Entity Framework stores. services.AddOpenIddict, ApplicationDbContext, Guid>() - .SetAuthorizationEndpointPath("/connect/authorize") - .SetLogoutEndpointPath("/connect/logout") + + // Enable the authorization, logout, token and userinfo endpoints. + .EnableAuthorizationEndpoint("/connect/authorize") + .EnableLogoutEndpoint("/connect/logout") + .EnableTokenEndpoint("/connect/token") + .EnableUserinfoEndpoint("/connect/userinfo") // During development, you can disable the HTTPS requirement. .DisableHttpsRequirement(); - // When using your own authorization controller instead of using the - // MVC module, you need to configure the authorization/logout paths: - // services.AddOpenIddict() - // .SetAuthorizationEndpointPath("/connect/authorize") - // .SetLogoutEndpointPath("/connect/logout"); - // Note: if you don't explicitly register a signing key, one is automatically generated and // persisted on the disk. If the key cannot be persisted, an exception is thrown. // @@ -50,13 +48,13 @@ namespace Mvc.Server { // You can generate a self-signed certificate using Pluralsight's self-cert utility: // https://s3.amazonaws.com/pluralsight-free/keith-brown/samples/SelfCert.zip // - // services.AddOpenIddict() + // services.AddOpenIddict, ApplicationDbContext, Guid>() // .AddSigningCertificate("7D2A741FE34CC2C7369237A5F2078988E17A6A75"); // // Alternatively, you can also store the certificate as an embedded .pfx resource // directly in this assembly or in a file published alongside this project: // - // services.AddOpenIddict() + // services.AddOpenIddict, ApplicationDbContext, Guid>() // .AddSigningCertificate( // assembly: typeof(Startup).GetTypeInfo().Assembly, // resource: "Mvc.Server.Certificate.pfx", diff --git a/src/OpenIddict.Core/OpenIddictBuilder.cs b/src/OpenIddict.Core/OpenIddictBuilder.cs index b2d17678..d5480154 100644 
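Review bot: `.DisableHttpsRequirement()` is applied unconditionally right after the newly enabled authorization, logout, token and userinfo endpoints, so anyone copying this sample ships an authorization server that accepts those requests over plain HTTP; the comment says "During development" but nothing enforces it. If the hosting environment is reachable from ConfigureServices, gate the call, e.g. `if (env.IsDevelopment()) { openIddict.DisableHttpsRequirement(); }`, and otherwise at least make the comment explicit: `// Development only: remove this line before deploying, otherwise tokens can be issued over HTTP.` The removed block was also the only hint that the `Enable*Endpoint` calls are still required when a custom authorization controller is used; a one-line comment restoring that point would help readers. The enclosing ConfigureServices method starts before this hunk.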
--- a/src/OpenIddict.Core/OpenIddictBuilder.cs +++ b/src/OpenIddict.Core/OpenIddictBuilder.cs 
@@ -409,32 +409,59 @@ namespace Microsoft.AspNetCore.Builder { } /// - /// Sets the relative path corresponding to the authorization endpoint. + /// Enables the authorization endpoint. /// /// The relative path of the authorization endpoint. /// The . - public virtual OpenIddictBuilder SetAuthorizationEndpointPath(PathString path) { + public virtual OpenIddictBuilder EnableAuthorizationEndpoint(PathString path) { return Configure(options => options.AuthorizationEndpointPath = path); } /// - /// Sets the relative path corresponding to the logout endpoint. + /// Enables the introspection endpoint. /// /// The relative path of the logout endpoint. /// The . - public virtual OpenIddictBuilder SetLogoutEndpointPath(PathString path) { + public virtual OpenIddictBuilder EnableIntrospectionEndpoint(PathString path) { + return Configure(options => options.IntrospectionEndpointPath = path); + } + + /// + /// Enables the logout endpoint. + /// + /// The relative path of the logout endpoint. + /// The . + public virtual OpenIddictBuilder EnableLogoutEndpoint(PathString path) { return Configure(options => options.LogoutEndpointPath = path); } /// - /// Sets the relative path corresponding to the token endpoint. + /// Enables the revocation endpoint. + /// + /// The relative path of the revocation endpoint. + /// The . + public virtual OpenIddictBuilder EnableRevocationEndpoint(PathString path) { + return Configure(options => options.RevocationEndpointPath = path); + } + + /// + /// Enables the token endpoint. /// /// The relative path of the token endpoint. /// The . - public virtual OpenIddictBuilder SetTokenEndpointPath(PathString path) { + public virtual OpenIddictBuilder EnableTokenEndpoint(PathString path) { return Configure(options => options.TokenEndpointPath = path); } + /// + /// Enables the userinfo endpoint. + /// + /// The relative path of the userinfo endpoint. + /// The . 
+ public virtual OpenIddictBuilder EnableUserinfoEndpoint(PathString path) { + return Configure(options => options.UserinfoEndpointPath = path); + } + /// /// Sets the access token lifetime, after which client applications must retrieve /// a new access token by making a grant_type=refresh_token token request diff --git a/src/OpenIddict.Core/OpenIddictOptions.cs b/src/OpenIddict.Core/OpenIddictOptions.cs index cfaf25ec..e6e18d3e 100644 --- a/src/OpenIddict.Core/OpenIddictOptions.cs +++ b/src/OpenIddict.Core/OpenIddictOptions.cs @@ -16,8 +16,8 @@ namespace OpenIddict { /// public class OpenIddictOptions : OpenIdConnectServerOptions { public OpenIddictOptions() { - // By default, disable the authorization and logout endpoints. - AuthorizationEndpointPath = LogoutEndpointPath = PathString.Empty; + AuthorizationEndpointPath = IntrospectionEndpointPath = LogoutEndpointPath = + RevocationEndpointPath = TokenEndpointPath = UserinfoEndpointPath = PathString.Empty; // Use the same lifespan as the default security stamp // verification interval used by ASP.NET Core Identity.
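Review bot: None of the new `Enable*Endpoint` methods reject an empty path, yet `PathString.Empty` is the value that now means "disabled", so `EnableTokenEndpoint(PathString.Empty)` or `EnableTokenEndpoint(default(PathString))` silently leaves the endpoint off with no error; each method should begin with `if (!path.HasValue) { throw new ArgumentException("The path cannot be empty.", nameof(path)); }`. The param description on EnableIntrospectionEndpoint still reads "The relative path of the logout endpoint." and should say introspection. The summaries could also state the consequence of the new default, e.g. `/// Enables the token endpoint at the specified relative path. Endpoints are disabled until explicitly enabled.`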
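Review bot: The removed comment was the only place stating that an empty path means the endpoint is disabled, and the replacement assignment chain carries no explanation, so a reader of the constructor cannot tell why six properties are set to `PathString.Empty`. Restore it above the chain as `// Disable every endpoint by default: an empty path means the endpoint is not exposed and must be enabled explicitly via the builder's Enable*Endpoint methods.` Whether an empty PathString is actually treated as "not registered" is decided by the base OpenIdConnectServerOptions handler, which is outside this diff, so confirm the wording against it.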