
Introduce dynamic options to disable nonce validation and add Dropbox to the list of supported providers

pull/1714/head
Kévin Chalet 3 years ago
parent
commit
2b8211a8fc
  1. 45
      src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs
  2. 19
      src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml
  3. 208
      src/OpenIddict.Client/OpenIddictClientEvents.cs
  4. 2
      src/OpenIddict.Client/OpenIddictClientExtensions.cs
  5. 34
      src/OpenIddict.Client/OpenIddictClientHandlerFilters.cs
  6. 2
      src/OpenIddict.Client/OpenIddictClientHandlers.cs
  7. 200
      src/OpenIddict.Server/OpenIddictServerEvents.cs
  8. 20
      src/OpenIddict.Validation/OpenIddictValidationEvents.cs

45
src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs

@ -26,6 +26,7 @@ public static partial class OpenIddictClientWebIntegrationHandlers
AttachTokenRequestNonStandardClientCredentials.Descriptor,
AdjustRedirectUriInTokenRequest.Descriptor,
OverrideValidatedBackchannelTokens.Descriptor,
DisableBackchannelIdentityTokenNonceValidation.Descriptor,
AttachAdditionalUserinfoRequestParameters.Descriptor,
PopulateUserinfoTokenPrincipalFromTokenResponse.Descriptor,
@ -313,6 +314,48 @@ public static partial class OpenIddictClientWebIntegrationHandlers
}
}
/// <summary>
/// Contains the logic responsible for disabling the backchannel
/// identity token nonce validation for the providers that require it.
/// </summary>
public sealed class DisableBackchannelIdentityTokenNonceValidation : IOpenIddictClientHandler<ProcessAuthenticationContext>
{
/// <summary>
/// Gets the default descriptor definition assigned to this handler.
/// </summary>
public static OpenIddictClientHandlerDescriptor Descriptor { get; }
= OpenIddictClientHandlerDescriptor.CreateBuilder<ProcessAuthenticationContext>()
.UseSingletonHandler<DisableBackchannelIdentityTokenNonceValidation>()
.SetOrder(ValidateBackchannelIdentityTokenNonce.Descriptor.Order - 500)
.SetType(OpenIddictClientHandlerType.BuiltIn)
.Build();
/// <inheritdoc/>
public ValueTask HandleAsync(ProcessAuthenticationContext context)
{
if (context is null)
{
throw new ArgumentNullException(nameof(context));
}
// Note: despite implementing OpenID Connect, some providers are known to implement the
// specification incorrectly and either don't support the "nonce" authorization request
// parameter, don't include it in the issued identity tokens or flow an unexpected value.
//
// Despite being an important security feature, nonce validation is explicitly disabled
// for the providers that are known to cause errors when nonce validation is enforced.
context.DisableBackchannelIdentityTokenNonceValidation = context.Registration.ProviderName switch
{
Providers.Dropbox => true, // Dropbox doesn't include the nonce in the identity tokens.
_ => context.DisableBackchannelIdentityTokenNonceValidation
};
return default;
}
}
/// <summary>
/// Contains the logic responsible for attaching additional parameters
/// to the userinfo request for the providers that require it.
@ -517,7 +560,7 @@ public static partial class OpenIddictClientWebIntegrationHandlers
}
/// <summary>
/// Contains the logic responsible for overriding response mode for providers that require it.
/// Contains the logic responsible for overriding the response mode for the providers that require it.
/// </summary>
public sealed class OverrideResponseMode : IOpenIddictClientHandler<ProcessChallengeContext>
{
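Review bot: The comment above the `context.Registration.ProviderName switch` in `DisableBackchannelIdentityTokenNonceValidation.HandleAsync` calls nonce validation an important security feature but does not say what still ties a Dropbox identity token to the authorization request once the check is skipped. I would extend it so the next provider added to this switch is reviewed against that, e.g. `// With nonce validation off, replay/injection protection for the identity token rests on the remaining checks (presumably state token validation and the code exchange): confirm before adding a provider here.` The `Providers.Dropbox => true` arm also overwrites whatever value an earlier handler set, so opting back in needs a handler ordered after this one; a sentence saying so would help. Nothing is logged when validation is skipped, which makes the weakened configuration hard to spot in an audit.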

19
src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml

@ -159,6 +159,25 @@
</Environment>
</Provider>
<!--
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
██ ▄▄▀██ ▄▄▀██ ▄▄▄ ██ ▄▄ ██ ▄▄▀██ ▄▄▄ █▄▀█▀▄██
██ ██ ██ ▀▀▄██ ███ ██ ▀▀ ██ ▄▄▀██ ███ ███ ████
██ ▀▀ ██ ██ ██ ▀▀▀ ██ █████ ▀▀ ██ ▀▀▀ █▀▄█▄▀██
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
-->
<Provider Name="Dropbox" Documentation="https://developers.dropbox.com/oidc-guide">
<Environment Issuer="https://www.dropbox.com/">
<!--
Note: Dropbox requires sending at least either the "profile" or "email" scope.
To simplify the logic, the "profile" scope is considered required by OpenIddict.
-->
<Scope Name="profile" Default="true" Required="true" />
</Environment>
</Provider>
<!--
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
██ ▄▄ █▄ ▄█▄▄ ▄▄██ ██ ██ ██ ██ ▄▄▀██
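Review bot: The Dropbox `<Provider>` entry gives no hint that backchannel identity token nonce validation is turned off for it; that coupling lives only in the `Providers.Dropbox => true` arm of the web integration handlers. Since the existing comment already documents the scope requirement, I would add a line to it such as `Note: Dropbox doesn't include the nonce in the identity tokens, so nonce validation is disabled for this provider by OpenIddict.`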

208
src/OpenIddict.Client/OpenIddictClientEvents.cs

@ -376,257 +376,289 @@ public static partial class OpenIddictClientEvents
/// <summary>
/// Gets or sets a boolean indicating whether an authorization
/// code should be extracted from the current context.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool ExtractAuthorizationCode { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether a backchannel
/// access token should be extracted from the current context.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool ExtractBackchannelAccessToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether a backchannel
/// identity token should be extracted from the current context.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool ExtractBackchannelIdentityToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether a frontchannel
/// access token should be extracted from the current context.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool ExtractFrontchannelAccessToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether a frontchannel
/// identity token should be extracted from the current context.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool ExtractFrontchannelIdentityToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether a refresh
/// token should be extracted from the current context.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool ExtractRefreshToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether a state
/// token should be extracted from the current context.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool ExtractStateToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether a userinfo
/// token should be extracted from the current context.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool ExtractUserinfoToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether an authorization
/// code must be resolved for the authentication to be considered valid.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool RequireAuthorizationCode { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether a backchannel access
/// token must be resolved for the authentication to be considered valid.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool RequireBackchannelAccessToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether a backchannel identity
/// token must be resolved for the authentication to be considered valid.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool RequireBackchannelIdentityToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether a frontchannel identity
/// token must be resolved for the authentication to be considered valid.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool RequireFrontchannelAccessToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether a frontchannel identity
/// token must be resolved for the authentication to be considered valid.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool RequireFrontchannelIdentityToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether a refresh token
/// must be resolved for the authentication to be considered valid.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool RequireRefreshToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether a state token
/// must be resolved for the authentication to be considered valid.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool RequireStateToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether a userinfo token
/// must be resolved for the authentication to be considered valid.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool RequireUserinfoToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether the authorization
/// code extracted from the current context should be validated.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool ValidateAuthorizationCode { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether the backchannel access
/// token extracted from the current context should be validated.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool ValidateBackchannelAccessToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether the backchannel identity
/// token extracted from the current context should be validated.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool ValidateBackchannelIdentityToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether the frontchannel access
/// token extracted from the current context should be validated.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool ValidateFrontchannelAccessToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether the frontchannel identity
/// token extracted from the current context should be validated.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool ValidateFrontchannelIdentityToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether the refresh token
/// extracted from the current context should be validated.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool ValidateRefreshToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether the state token
/// extracted from the current context should be validated.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool ValidateStateToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether the userinfo token
/// extracted from the current context should be validated.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool ValidateUserinfoToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether an invalid authorization code
/// will cause the authentication demand to be rejected or will be ignored.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool RejectAuthorizationCode { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether an invalid backchannel access token
/// will cause the authentication demand to be rejected or will be ignored.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool RejectBackchannelAccessToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether an invalid backchannel identity token
/// will cause the authentication demand to be rejected or will be ignored.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool RejectBackchannelIdentityToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether an invalid frontchannel access token
/// will cause the authentication demand to be rejected or will be ignored.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool RejectFrontchannelAccessToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether an invalid frontchannel identity token
/// will cause the authentication demand to be rejected or will be ignored.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool RejectFrontchannelIdentityToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether an invalid refresh token
/// will cause the authentication demand to be rejected or will be ignored.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool RejectRefreshToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether an invalid state token
/// will cause the authentication demand to be rejected or will be ignored.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool RejectStateToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether an invalid userinfo token
/// will cause the authentication demand to be rejected or will be ignored.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool RejectUserinfoToken { get; set; }
/// <summary>
@ -742,17 +774,19 @@ public static partial class OpenIddictClientEvents
/// <summary>
/// Gets or sets a boolean indicating whether a client assertion
/// token should be generated (and optionally included in the request).
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool GenerateClientAssertionToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether the generated client
/// assertion token should be included as part of the request.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool IncludeClientAssertionToken { get; set; }
/// <summary>
@ -774,6 +808,24 @@ public static partial class OpenIddictClientEvents
/// used to create the client assertion token, if applicable.
/// </summary>
public ClaimsPrincipal? ClientAssertionTokenPrincipal { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether backchannel
/// identity token nonce validation should be disabled.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool DisableBackchannelIdentityTokenNonceValidation { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether frontchannel
/// identity token nonce validation should be disabled.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool DisableFrontchannelIdentityTokenNonceValidation { get; set; }
}
/// <summary>
@ -918,17 +970,19 @@ public static partial class OpenIddictClientEvents
/// <summary>
/// Gets or sets a boolean indicating whether a state token
/// should be generated (and optionally included in the request).
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool GenerateStateToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether the generated
/// state token should be included as part of the request.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool IncludeStateToken { get; set; }
/// <summary>
@ -1047,17 +1101,19 @@ public static partial class OpenIddictClientEvents
/// <summary>
/// Gets or sets a boolean indicating whether a state token
/// should be generated (and optionally included in the request).
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool GenerateStateToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether the generated
/// state token should be included as part of the request.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool IncludeStateToken { get; set; }
/// <summary>
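Review bot: The remarks on the two new properties, `DisableBackchannelIdentityTokenNonceValidation` and `DisableFrontchannelIdentityTokenNonceValidation`, reuse the generic `generally not recommended` sentence, which undersells a switch that turns off a security check. I would spell out the consequence, e.g. `/// Note: disabling nonce validation removes the check that ties the identity token to the authorization request and should only be done for providers known not to return the nonce.` Separately, the summary of `RequireFrontchannelAccessToken` in the first hunk reads `frontchannel identity token`, apparently copied from the property below it; `frontchannel access token` looks intended.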

2
src/OpenIddict.Client/OpenIddictClientExtensions.cs

@ -38,10 +38,12 @@ public static class OpenIddictClientExtensions
// Register the built-in filters used by the default OpenIddict client event handlers.
builder.Services.TryAddSingleton<RequireAuthorizationCodeValidated>();
builder.Services.TryAddSingleton<RequireBackchannelAccessTokenValidated>();
builder.Services.TryAddSingleton<RequireBackchannelIdentityTokenNonceValidationEnabled>();
builder.Services.TryAddSingleton<RequireBackchannelIdentityTokenValidated>();
builder.Services.TryAddSingleton<RequireBackchannelIdentityTokenPrincipal>();
builder.Services.TryAddSingleton<RequireClientAssertionTokenGenerated>();
builder.Services.TryAddSingleton<RequireFrontchannelAccessTokenValidated>();
builder.Services.TryAddSingleton<RequireFrontchannelIdentityTokenNonceValidationEnabled>();
builder.Services.TryAddSingleton<RequireFrontchannelIdentityTokenValidated>();
builder.Services.TryAddSingleton<RequireFrontchannelIdentityTokenPrincipal>();
builder.Services.TryAddSingleton<RequireInteractiveGrantType>();

34
src/OpenIddict.Client/OpenIddictClientHandlerFilters.cs

@ -45,6 +45,23 @@ public static class OpenIddictClientHandlerFilters
}
}
/// <summary>
/// Represents a filter that excludes the associated handlers if backchannel identity token nonce validation was disabled.
/// </summary>
public sealed class RequireBackchannelIdentityTokenNonceValidationEnabled : IOpenIddictClientHandlerFilter<ProcessAuthenticationContext>
{
/// <inheritdoc/>
public ValueTask<bool> IsActiveAsync(ProcessAuthenticationContext context)
{
if (context is null)
{
throw new ArgumentNullException(nameof(context));
}
return new(!context.DisableBackchannelIdentityTokenNonceValidation);
}
}
/// <summary>
/// Represents a filter that excludes the associated handlers if no backchannel identity token principal is available.
/// </summary>
@ -113,6 +130,23 @@ public static class OpenIddictClientHandlerFilters
}
}
/// <summary>
/// Represents a filter that excludes the associated handlers if frontchannel identity token nonce validation was disabled.
/// </summary>
public sealed class RequireFrontchannelIdentityTokenNonceValidationEnabled : IOpenIddictClientHandlerFilter<ProcessAuthenticationContext>
{
/// <inheritdoc/>
public ValueTask<bool> IsActiveAsync(ProcessAuthenticationContext context)
{
if (context is null)
{
throw new ArgumentNullException(nameof(context));
}
return new(!context.DisableFrontchannelIdentityTokenNonceValidation);
}
}
/// <summary>
/// Represents a filter that excludes the associated handlers if no frontchannel identity token principal is available.
/// </summary>

2
src/OpenIddict.Client/OpenIddictClientHandlers.cs

@ -1674,6 +1674,7 @@ public static partial class OpenIddictClientHandlers
/// </summary>
public static OpenIddictClientHandlerDescriptor Descriptor { get; }
= OpenIddictClientHandlerDescriptor.CreateBuilder<ProcessAuthenticationContext>()
.AddFilter<RequireFrontchannelIdentityTokenNonceValidationEnabled>()
.AddFilter<RequireFrontchannelIdentityTokenPrincipal>()
.AddFilter<RequireStateTokenPrincipal>()
.AddFilter<RequireStateTokenValidated>()
@ -2997,6 +2998,7 @@ public static partial class OpenIddictClientHandlers
/// </summary>
public static OpenIddictClientHandlerDescriptor Descriptor { get; }
= OpenIddictClientHandlerDescriptor.CreateBuilder<ProcessAuthenticationContext>()
.AddFilter<RequireBackchannelIdentityTokenNonceValidationEnabled>()
.AddFilter<RequireBackchannelIdentityTokenPrincipal>()
.AddFilter<RequireStateTokenPrincipal>()
.AddFilter<RequireStateTokenValidated>()

200
src/OpenIddict.Server/OpenIddictServerEvents.cs

@ -316,225 +316,253 @@ public static partial class OpenIddictServerEvents
/// <summary>
/// Gets or sets a boolean indicating whether an access
/// token should be extracted from the current context.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool ExtractAccessToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether an authorization
/// code should be extracted from the current context.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool ExtractAuthorizationCode { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether a device
/// code should be extracted from the current context.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool ExtractDeviceCode { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether a generic
/// token should be extracted from the current context.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool ExtractGenericToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether an identity
/// token should be extracted from the current context.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool ExtractIdentityToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether a refresh
/// token should be extracted from the current context.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool ExtractRefreshToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether a user
/// code should be extracted from the current context.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool ExtractUserCode { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether an access token
/// must be resolved for the authentication to be considered valid.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool RequireAccessToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether an authorization code
/// must be resolved for the authentication to be considered valid.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool RequireAuthorizationCode { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether a device code
/// must be resolved for the authentication to be considered valid.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool RequireDeviceCode { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether a generic token
/// must be resolved for the authentication to be considered valid.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool RequireGenericToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether an identity token
/// must be resolved for the authentication to be considered valid.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool RequireIdentityToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether a refresh token
/// must be resolved for the authentication to be considered valid.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool RequireRefreshToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether a user code
/// must be resolved for the authentication to be considered valid.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool RequireUserCode { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether the access
/// token extracted from the current request should be validated.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool ValidateAccessToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether the authorization
/// code extracted from the current request should be validated.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool ValidateAuthorizationCode { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether the device
/// code extracted from the current request should be validated.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool ValidateDeviceCode { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether the generic
/// token extracted from the current request should be validated.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool ValidateGenericToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether the identity
/// token extracted from the current request should be validated.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool ValidateIdentityToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether the refresh
/// token extracted from the current request should be validated.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool ValidateRefreshToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether the user
/// code extracted from the current request should be validated.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool ValidateUserCode { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether an invalid access token
/// will cause the authentication demand to be rejected or will be ignored.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool RejectAccessToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether an invalid authorization code
/// will cause the authentication demand to be rejected or will be ignored.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool RejectAuthorizationCode { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether an invalid device code
/// will cause the authentication demand to be rejected or will be ignored.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool RejectDeviceCode { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether an invalid generic token
/// will cause the authentication demand to be rejected or will be ignored.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool RejectGenericToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether an invalid identity token
/// will cause the authentication demand to be rejected or will be ignored.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool RejectIdentityToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether an invalid refresh token
/// will cause the authentication demand to be rejected or will be ignored.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool RejectRefreshToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether an invalid user code
/// will cause the authentication demand to be rejected or will be ignored.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool RejectUserCode { get; set; }
/// <summary>
@ -699,97 +727,109 @@ public static partial class OpenIddictServerEvents
/// <summary>
/// Gets or sets a boolean indicating whether an access token
/// should be generated (and optionally returned to the client).
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool GenerateAccessToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether an authorization code
/// should be generated (and optionally returned to the client).
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool GenerateAuthorizationCode { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether a device code
/// should be generated (and optionally returned to the client).
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool GenerateDeviceCode { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether an identity token
/// should be generated (and optionally returned to the client).
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool GenerateIdentityToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether a refresh token
/// should be generated (and optionally returned to the client).
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool GenerateRefreshToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether a user code
/// should be generated (and optionally returned to the client).
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool GenerateUserCode { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether the generated access token
/// should be returned to the client application as part of the response.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool IncludeAccessToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether the generated authorization code
/// should be returned to the client application as part of the response.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool IncludeAuthorizationCode { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether the generated device code
/// should be returned to the client application as part of the response.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool IncludeDeviceCode { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether the generated identity token
/// should be returned to the client application as part of the response.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool IncludeIdentityToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether the generated refresh token
/// should be returned to the client application as part of the response.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool IncludeRefreshToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether the generated user code
/// should be returned to the client application as part of the response.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool IncludeUserCode { get; set; }
/// <summary>

20
src/OpenIddict.Validation/OpenIddictValidationEvents.cs

@ -301,33 +301,37 @@ public static partial class OpenIddictValidationEvents
/// <summary>
/// Gets or sets a boolean indicating whether an access
/// token should be extracted from the current context.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool ExtractAccessToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether an access token
/// must be resolved for the authentication to be considered valid.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool RequireAccessToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether the access
/// token extracted from the current context should be validated.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool ValidateAccessToken { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether an invalid access token
/// will cause the authentication demand to be rejected or will be ignored.
/// Note: overriding the value of this property is generally not
/// recommended, except when dealing with non-standard clients.
/// </summary>
/// <remarks>
/// Note: overriding the value of this property is generally not recommended.
/// </remarks>
public bool RejectAccessToken { get; set; }
}
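Review bot: The new `<remarks>` on `ValidateAccessToken` and `RejectAccessToken` says only that overriding is "generally not recommended", and the change drops the one condition the old text gave ("except when dealing with non-standard clients") without saying what is at stake. Going by the summaries, setting `ValidateAccessToken` to false means the extracted token is not validated, and setting `RejectAccessToken` to false means an invalid token is ignored rather than rejected, so the remark should state that consequence. I would word it, for example, as `/// Note: setting this property to false weakens access token enforcement for the current request;` followed by `/// override it only in a handler that applies an equivalent check.` The same generic remark is used for the `Validate*`, `Reject*` and `Require*` properties in the OpenIddictServerEvents.cs section above. The enclosing class starts outside this hunk, so how the handlers consume these flags is not visible here.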
