tsai
/
openiddict-core
mirror of https://github.com/openiddict/openiddict-core.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Relax the client authentication policy to allow public clients to use the authorization code flow

pull/31/head
Kévin Chalet 10 years ago
parent
c8011e7169
commit
290f54b582
2 changed files with 25 additions and 22 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 3
      src/OpenIddict.Core/OpenIddictManager.cs
  2. 44
      src/OpenIddict.Core/OpenIddictProvider.cs

3
src/OpenIddict.Core/OpenIddictManager.cs
View File

@ -96,8 +96,7 @@ namespace OpenIddict {
throw new ArgumentNullException(nameof(application)); throw new ArgumentNullException(nameof(application));
} }
var type = await GetApplicationTypeAsync(application); if (!await this.IsConfidentialApplicationAsync(application)) {
if (!string.Equals(type, OpenIddictConstants.ApplicationTypes.Confidential, StringComparison.OrdinalIgnoreCase)) {
Logger.LogWarning("Client authentication cannot be enforced for non-confidential applications."); Logger.LogWarning("Client authentication cannot be enforced for non-confidential applications.");
return false; return false;

44
src/OpenIddict.Core/OpenIddictProvider.cs
View File

@ -30,8 +30,8 @@ namespace OpenIddict {
} }
public override async Task ValidateClientRedirectUri([NotNull] ValidateClientRedirectUriContext context) { public override async Task ValidateClientRedirectUri([NotNull] ValidateClientRedirectUriContext context) {
// Note: redirect_uri is not required for pure OAuth2 requests but this provider uses a stricter // Note: redirect_uri is not required for pure OAuth2 requests but this provider uses a stricter policy making it mandatory,
// policy making it mandatory. Requests missing an explicit redirect_uri are always rejected. // as required by the OpenID Connect specification: http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
if (string.IsNullOrEmpty(context.RedirectUri)) { if (string.IsNullOrEmpty(context.RedirectUri)) {
context.Rejected( context.Rejected(
error: OpenIdConnectConstants.Errors.InvalidRequest, error: OpenIdConnectConstants.Errors.InvalidRequest,
@ -79,22 +79,24 @@ namespace OpenIddict {
} }
public override async Task ValidateClientAuthentication([NotNull] ValidateClientAuthenticationContext context) { public override async Task ValidateClientAuthentication([NotNull] ValidateClientAuthenticationContext context) {
// Note: client authentication is not mandatory for non-confidential client applications like mobile apps // Note: in pure OAuth2, client authentication is not required for non-confidential client applications like mobile apps
// (except when using the client credentials grant type) but OpenIddict uses a safer policy that makes // but OpenIddict uses a stricter policy that makes client authentication mandatory when using the refresh token grant type,
// client authentication mandatory when using the authorization code grant type of the refresh token grant type // as required by the OpenID Connect specification: http://openid.net/specs/openid-connect-core-1_0.html#RefreshingAccessToken
// and returns an error if the client_id and/or the client_secret is/are missing. // When client_id and/or client_secret is/are missing, an error is returned to the client application.
if (context.Request.IsAuthorizationCodeGrantType() || context.Request.IsRefreshTokenGrantType()) { if (context.Request.IsRefreshTokenGrantType() && (string.IsNullOrEmpty(context.ClientId) ||
if (string.IsNullOrEmpty(context.ClientId) || string.IsNullOrEmpty(context.ClientSecret)) { string.IsNullOrEmpty(context.ClientSecret))) {
context.Rejected( context.Rejected(
error: OpenIdConnectConstants.Errors.InvalidGrant, error: OpenIdConnectConstants.Errors.InvalidClient,
description: "Missing credentials: ensure that your credentials were correctly " + description: "Missing credentials: ensure that your credentials were correctly " +
"flowed in the request body or in the authorization header."); "flowed in the request body or in the authorization header.");
return; return;
}
} }
// Skip client authentication if the client_id is missing. // Skip client authentication if the client identifier is missing.
// Note: ASOS will automatically ensure that the calling application
// cannot use an authorization code or a refresh token if it's not
// the intended audience, even if client authentication was skipped.
if (string.IsNullOrEmpty(context.ClientId)) { if (string.IsNullOrEmpty(context.ClientId)) {
context.Skipped(); context.Skipped();
@ -122,8 +124,8 @@ namespace OpenIddict {
return; return;
} }
// Confidential applications MUST authenticate. Note: this security // Confidential applications MUST authenticate
// measure also helps protecting them from impersonation attacks. // to protect them from impersonation attacks.
else if (await manager.IsConfidentialApplicationAsync(application)) { else if (await manager.IsConfidentialApplicationAsync(application)) {
if (string.IsNullOrEmpty(context.ClientSecret)) { if (string.IsNullOrEmpty(context.ClientSecret)) {
context.Rejected( context.Rejected(
@ -154,6 +156,8 @@ namespace OpenIddict {
// To prevent downgrade attacks, ensure that authorization requests using the hybrid/implicit // To prevent downgrade attacks, ensure that authorization requests using the hybrid/implicit
// flow are rejected if the client identifier corresponds to a confidential application. // flow are rejected if the client identifier corresponds to a confidential application.
// Note: when using the authorization code grant, ValidateClientAuthentication is responsible of
// rejecting the token request if the client_id corresponds to an unauthenticated confidential client.
if (await manager.IsConfidentialApplicationAsync(application) && !context.Request.IsAuthorizationCodeFlow()) { if (await manager.IsConfidentialApplicationAsync(application) && !context.Request.IsAuthorizationCodeFlow()) {
context.Rejected( context.Rejected(
error: OpenIdConnectConstants.Errors.InvalidRequest, error: OpenIdConnectConstants.Errors.InvalidRequest,
@ -215,9 +219,9 @@ namespace OpenIddict {
} }
public override Task ValidateTokenRequest([NotNull] ValidateTokenRequestContext context) { public override Task ValidateTokenRequest([NotNull] ValidateTokenRequestContext context) {
// Note: OpenIdConnectServerHandler supports authorization code, refresh token, client credentials // Note: OpenIdConnectServerHandler supports authorization code, refresh token,
// and resource owner password credentials grant types but this authorization server uses a stricter policy // client credentials, resource owner password credentials and custom grants
// rejecting the last one. You may consider relaxing it to support the client credentials grant types. // but this authorization server uses a stricter policy rejecting custom grant types.
if (!context.Request.IsAuthorizationCodeGrantType() && !context.Request.IsRefreshTokenGrantType() && if (!context.Request.IsAuthorizationCodeGrantType() && !context.Request.IsRefreshTokenGrantType() &&
!context.Request.IsPasswordGrantType() && !context.Request.IsClientCredentialsGrantType()) { !context.Request.IsPasswordGrantType() && !context.Request.IsClientCredentialsGrantType()) {
context.Rejected( context.Rejected(

Write Preview
Loading…
Cancel
Save