
Introduce new OpenIddictOptions extensions

pull/184/head
Kévin Chalet 10 years ago
parent
commit
5fe563d80d
  1. 12
      src/OpenIddict.Core/Infrastructure/OpenIddictProvider.Authentication.cs
  2. 16
      src/OpenIddict.Core/Infrastructure/OpenIddictProvider.Exchange.cs
  3. 79
      src/OpenIddict.Core/OpenIddictExtensions.cs

12
src/OpenIddict.Core/Infrastructure/OpenIddictProvider.Authentication.cs

@ -103,8 +103,7 @@ namespace OpenIddict.Infrastructure {
} }
// Reject code flow authorization requests if the authorization code flow is not enabled. // Reject code flow authorization requests if the authorization code flow is not enabled.
if (context.Request.IsAuthorizationCodeFlow() && if (context.Request.IsAuthorizationCodeFlow() && !services.Options.IsAuthorizationCodeFlowEnabled()) {
!services.Options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.AuthorizationCode)) {
services.Logger.LogError("The authorization request was rejected because " + services.Logger.LogError("The authorization request was rejected because " +
"the authorization code flow was not enabled."); "the authorization code flow was not enabled.");
@ -116,7 +115,7 @@ namespace OpenIddict.Infrastructure {
} }
// Reject implicit flow authorization requests if the implicit flow is not enabled. // Reject implicit flow authorization requests if the implicit flow is not enabled.
if (context.Request.IsImplicitFlow() && !services.Options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.Implicit)) { if (context.Request.IsImplicitFlow() && !services.Options.IsImplicitFlowEnabled()) {
services.Logger.LogError("The authorization request was rejected because the implicit flow was not enabled."); services.Logger.LogError("The authorization request was rejected because the implicit flow was not enabled.");
context.Reject( context.Reject(
@ -127,8 +126,8 @@ namespace OpenIddict.Infrastructure {
} }
// Reject hybrid flow authorization requests if the authorization code or the implicit flows are not enabled. // Reject hybrid flow authorization requests if the authorization code or the implicit flows are not enabled.
if (context.Request.IsHybridFlow() && (!services.Options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.AuthorizationCode) || if (context.Request.IsHybridFlow() && (!services.Options.IsAuthorizationCodeFlowEnabled() ||
!services.Options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.Implicit))) { !services.Options.IsImplicitFlowEnabled())) {
services.Logger.LogError("The authorization request was rejected because the " + services.Logger.LogError("The authorization request was rejected because the " +
"authorization code flow or the implicit flow was not enabled."); "authorization code flow or the implicit flow was not enabled.");
@ -140,8 +139,7 @@ namespace OpenIddict.Infrastructure {
} }
// Reject authorization requests that specify scope=offline_access if the refresh token flow is not enabled. // Reject authorization requests that specify scope=offline_access if the refresh token flow is not enabled.
if (context.Request.HasScope(OpenIdConnectConstants.Scopes.OfflineAccess) && if (context.Request.HasScope(OpenIdConnectConstants.Scopes.OfflineAccess) && !services.Options.IsRefreshTokenFlowEnabled()) {
!services.Options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.RefreshToken)) {
context.Reject( context.Reject(
error: OpenIdConnectConstants.Errors.InvalidRequest, error: OpenIdConnectConstants.Errors.InvalidRequest,
description: "The 'offline_access' scope is not allowed."); description: "The 'offline_access' scope is not allowed.");
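Review bot: The `offline_access` rejection at the end of this hunk still calls `context.Reject` without a preceding `services.Logger.LogError`, unlike the code, implicit and hybrid rejections above it that were just rewritten onto the new helpers, so a client probing for refresh tokens on a server that has them disabled leaves no trace in the logs. The switch to `IsRefreshTokenFlowEnabled()` is a natural moment to align it: add `services.Logger.LogError("The authorization request was rejected because the 'offline_access' scope was requested while the refresh token flow was not enabled.");` before the `context.Reject(` call. The enclosing method begins and ends outside the hunk, so I cannot tell whether Authentication.cs already imports `Microsoft.AspNetCore.Builder`, where the new extensions are declared; Exchange.cs gains that using in this commit and this file shows no equivalent addition, so please confirm it compiles.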

16
src/OpenIddict.Core/Infrastructure/OpenIddictProvider.Exchange.cs

@ -12,6 +12,7 @@ using AspNet.Security.OpenIdConnect.Extensions;
using AspNet.Security.OpenIdConnect.Server; using AspNet.Security.OpenIdConnect.Server;
using JetBrains.Annotations; using JetBrains.Annotations;
using Microsoft.AspNetCore.Authentication; using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http.Authentication; using Microsoft.AspNetCore.Http.Authentication;
using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging; using Microsoft.Extensions.Logging;
@ -39,8 +40,7 @@ namespace OpenIddict.Infrastructure {
// Reject token requests using grant_type=authorization_code // Reject token requests using grant_type=authorization_code
// if the authorization code flow support is not enabled. // if the authorization code flow support is not enabled.
if (context.Request.IsAuthorizationCodeGrantType() && if (context.Request.IsAuthorizationCodeGrantType() && !services.Options.IsAuthorizationCodeFlowEnabled()) {
!services.Options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.AuthorizationCode)) {
services.Logger.LogError("The token request was rejected because the authorization code flow was not enabled."); services.Logger.LogError("The token request was rejected because the authorization code flow was not enabled.");
context.Reject( context.Reject(
@ -52,8 +52,7 @@ namespace OpenIddict.Infrastructure {
// Reject token requests using grant_type=client_credentials // Reject token requests using grant_type=client_credentials
// if the client credentials flow support is not enabled. // if the client credentials flow support is not enabled.
else if (context.Request.IsClientCredentialsGrantType() && else if (context.Request.IsClientCredentialsGrantType() && !services.Options.IsClientCredentialsFlowEnabled()) {
!services.Options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.ClientCredentials)) {
services.Logger.LogError("The token request was rejected because the client credentials flow was not enabled."); services.Logger.LogError("The token request was rejected because the client credentials flow was not enabled.");
context.Reject( context.Reject(
@ -65,8 +64,7 @@ namespace OpenIddict.Infrastructure {
// Reject token requests using grant_type=password if the // Reject token requests using grant_type=password if the
// resource owner password credentials flow support is not enabled. // resource owner password credentials flow support is not enabled.
else if (context.Request.IsPasswordGrantType() && else if (context.Request.IsPasswordGrantType() && !services.Options.IsPasswordFlowEnabled()) {
!services.Options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.Password)) {
services.Logger.LogError("The token request was rejected because the resource " + services.Logger.LogError("The token request was rejected because the resource " +
"owner password credentials flow was not enabled."); "owner password credentials flow was not enabled.");
@ -79,8 +77,7 @@ namespace OpenIddict.Infrastructure {
// Reject token requests using grant_type=refresh_token // Reject token requests using grant_type=refresh_token
// if the refresh token flow support is not enabled. // if the refresh token flow support is not enabled.
else if (context.Request.IsRefreshTokenGrantType() && if (context.Request.IsRefreshTokenGrantType() && !services.Options.IsRefreshTokenFlowEnabled()) {
!services.Options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.RefreshToken)) {
services.Logger.LogError("The token request was rejected because the refresh token flow was not enabled."); services.Logger.LogError("The token request was rejected because the refresh token flow was not enabled.");
context.Reject( context.Reject(
@ -91,8 +88,7 @@ namespace OpenIddict.Infrastructure {
} }
// Reject token requests that specify scope=offline_access if the refresh token flow is not enabled. // Reject token requests that specify scope=offline_access if the refresh token flow is not enabled.
if (context.Request.HasScope(OpenIdConnectConstants.Scopes.OfflineAccess) && if (context.Request.HasScope(OpenIdConnectConstants.Scopes.OfflineAccess) && !services.Options.IsRefreshTokenFlowEnabled()) {
!services.Options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.RefreshToken)) {
context.Reject( context.Reject(
error: OpenIdConnectConstants.Errors.InvalidRequest, error: OpenIdConnectConstants.Errors.InvalidRequest,
description: "The 'offline_access' scope is not allowed."); description: "The 'offline_access' scope is not allowed.");
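Review bot: The refresh-token branch in the fourth hunk appears to lose its `else`: the old line reads `else if (context.Request.IsRefreshTokenGrantType() &&` while the new one reads `if (context.Request.IsRefreshTokenGrantType() && !services.Options.IsRefreshTokenFlowEnabled()) {`, which breaks the `if`/`else if` chain that the authorization code, client credentials and password checks still form. Since a single token request carries one `grant_type`, the extra evaluation should not change which branch fires, but the chain is what documents that these checks are mutually exclusive, so keep `else if` unless the change was deliberate. The rendered page has dropped the `+`/`-` markers, so I am reading the old/new split from print order; please verify against the raw diff. The `offline_access` rejection closing this section also remains the only rejection here without a `services.Logger.LogError` call.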

79
src/OpenIddict.Core/OpenIddictExtensions.cs

@ -116,20 +116,18 @@ namespace Microsoft.AspNetCore.Builder {
// Ensure the authorization endpoint has been enabled when // Ensure the authorization endpoint has been enabled when
// the authorization code or implicit grants are supported. // the authorization code or implicit grants are supported.
if (!options.AuthorizationEndpointPath.HasValue && if (!options.AuthorizationEndpointPath.HasValue && (options.IsAuthorizationCodeFlowEnabled() ||
(options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.AuthorizationCode) || options.IsImplicitFlowEnabled())) {
options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.Implicit))) {
throw new InvalidOperationException("The authorization endpoint must be enabled to use " + throw new InvalidOperationException("The authorization endpoint must be enabled to use " +
"the authorization code and implicit flows."); "the authorization code and implicit flows.");
} }
// Ensure the token endpoint has been enabled when the authorization code, // Ensure the token endpoint has been enabled when the authorization code,
// client credentials, password or refresh token grants are supported. // client credentials, password or refresh token grants are supported.
else if (!options.TokenEndpointPath.HasValue && else if (!options.TokenEndpointPath.HasValue && (options.IsAuthorizationCodeFlowEnabled() ||
(options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.AuthorizationCode) || options.IsClientCredentialsFlowEnabled() ||
options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.ClientCredentials) || options.IsPasswordFlowEnabled() ||
options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.Password) || options.IsRefreshTokenFlowEnabled())) {
options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.RefreshToken))) {
throw new InvalidOperationException("The token endpoint must be enabled to use the authorization code, " + throw new InvalidOperationException("The token endpoint must be enabled to use the authorization code, " +
"client credentials, password and refresh token flows."); "client credentials, password and refresh token flows.");
} }
@ -150,5 +148,70 @@ namespace Microsoft.AspNetCore.Builder {
return app; return app;
} }
/// <summary>
/// Determines whether the authorization code flow has been enabled.
/// </summary>
/// <param name="options">The OpenIddict options.</param>
/// <returns><c>true</c> if the authorization code flow has been enabled, <c>false</c> otherwise.</returns>
public static bool IsAuthorizationCodeFlowEnabled([NotNull] this OpenIddictOptions options) {
if (options == null) {
throw new ArgumentNullException(nameof(options));
}
return options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.AuthorizationCode);
}
/// <summary>
/// Determines whether the client credentials flow has been enabled.
/// </summary>
/// <param name="options">The OpenIddict options.</param>
/// <returns><c>true</c> if the client credentials flow has been enabled, <c>false</c> otherwise.</returns>
public static bool IsClientCredentialsFlowEnabled([NotNull] this OpenIddictOptions options) {
if (options == null) {
throw new ArgumentNullException(nameof(options));
}
return options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.ClientCredentials);
}
/// <summary>
/// Determines whether the implicit flow has been enabled.
/// </summary>
/// <param name="options">The OpenIddict options.</param>
/// <returns><c>true</c> if the implicit flow has been enabled, <c>false</c> otherwise.</returns>
public static bool IsImplicitFlowEnabled([NotNull] this OpenIddictOptions options) {
if (options == null) {
throw new ArgumentNullException(nameof(options));
}
return options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.Implicit);
}
/// <summary>
/// Determines whether the password flow has been enabled.
/// </summary>
/// <param name="options">The OpenIddict options.</param>
/// <returns><c>true</c> if the password flow has been enabled, <c>false</c> otherwise.</returns>
public static bool IsPasswordFlowEnabled([NotNull] this OpenIddictOptions options) {
if (options == null) {
throw new ArgumentNullException(nameof(options));
}
return options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.Password);
}
/// <summary>
/// Determines whether the refresh token flow has been enabled.
/// </summary>
/// <param name="options">The OpenIddict options.</param>
/// <returns><c>true</c> if the refresh token flow has been enabled, <c>false</c> otherwise.</returns>
public static bool IsRefreshTokenFlowEnabled([NotNull] this OpenIddictOptions options) {
if (options == null) {
throw new ArgumentNullException(nameof(options));
}
return options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.RefreshToken);
}
} }
} }
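Review bot: The five new `Is*FlowEnabled` helpers are declared in the `Microsoft.AspNetCore.Builder` namespace, yet they are predicates on `OpenIddictOptions` rather than `IApplicationBuilder` extensions, which is why `OpenIddictProvider.Exchange.cs` now has to add `using Microsoft.AspNetCore.Builder;` just to query option flags. Consider placing them in an `OpenIddict` namespace (for example a dedicated `OpenIddictOptionsExtensions` class) so infrastructure code is not coupled to the builder namespace. Their XML docs should also declare the throw they perform: `/// <exception cref="ArgumentNullException"><paramref name="options"/> is <c>null</c>.</exception>`. Each helper is a thin wrapper over `options.GrantTypes.Contains(...)`, so the string comparison used for grant-type matching is whatever comparer `GrantTypes` was constructed with — that lies outside this diff and is worth confirming is ordinal, since these checks gate which flows the server will honor.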