tsai
/
openiddict-core
mirror of https://github.com/openiddict/openiddict-core.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Introduce a new DisableUserinfo option in RefreshTokenAuthenticationRequest to allow refreshing tokens acquired during a client credentials flow

pull/1957/head
Kévin Chalet 2 years ago
parent
b1005dad22
commit
7af133f98c
4 changed files with 32 additions and 6 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 5
      src/OpenIddict.Client/OpenIddictClientEvents.cs
  2. 8
      src/OpenIddict.Client/OpenIddictClientHandlers.cs
  3. 19
      src/OpenIddict.Client/OpenIddictClientModels.cs
  4. 6
      src/OpenIddict.Client/OpenIddictClientService.cs

5
src/OpenIddict.Client/OpenIddictClientEvents.cs
View File

@ -859,6 +859,11 @@ public static partial class OpenIddictClientEvents
/// </remarks>
public bool DisableFrontchannelIdentityTokenNonceValidation { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether userinfo retrieval should be disabled.
/// </summary>
public bool DisableUserinfoRetrieval { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether userinfo validation should be disabled.
/// </summary>

8
src/OpenIddict.Client/OpenIddictClientHandlers.cs
View File

@ -2262,7 +2262,7 @@ public static partial class OpenIddictClientHandlers
// For client credentials, device authorization, resource owner password
// credentials and refresh token requests, always send a token request.
GrantTypes.ClientCredentials or GrantTypes.DeviceCode or
GrantTypes.Password or GrantTypes.RefreshToken => true,
GrantTypes.Password or GrantTypes.RefreshToken => true,
_ => false
};
@ -3557,8 +3557,8 @@ public static partial class OpenIddictClientHandlers
//
// Note: the userinfo endpoint is an optional endpoint and may not be supported.
GrantTypes.AuthorizationCode or GrantTypes.Implicit or
GrantTypes.DeviceCode or GrantTypes.Password or GrantTypes.RefreshToken
when context.UserinfoEndpoint is not null &&
GrantTypes.DeviceCode or GrantTypes.Password or GrantTypes.RefreshToken
when !context.DisableUserinfoRetrieval && context.UserinfoEndpoint is not null &&
(!string.IsNullOrEmpty(context.BackchannelAccessToken) ||
!string.IsNullOrEmpty(context.FrontchannelAccessToken)) => true,
@ -3721,7 +3721,7 @@ public static partial class OpenIddictClientHandlers
context.RejectUserinfoToken) = context.GrantType switch
{
GrantTypes.AuthorizationCode or GrantTypes.Implicit or
GrantTypes.DeviceCode or GrantTypes.Password or GrantTypes.RefreshToken
GrantTypes.DeviceCode or GrantTypes.Password or GrantTypes.RefreshToken
when context.SendUserinfoRequest => (true, false, true, true),
_ => (false, false, false, false)

19
src/OpenIddict.Client/OpenIddictClientModels.cs
View File

@ -283,8 +283,7 @@ public static class OpenIddictClientModels
/// </summary>
/// <remarks>
/// Note: in most cases, an empty principal will be returned, unless the authorization server
/// supports returning a non-standard identity token for the client credentials grant or
/// allows sending userinfo requests with an access token representing a client application.
/// supports returning a non-standard identity token for the client credentials grant.
/// </remarks>
public required ClaimsPrincipal Principal { get; init; }
@ -342,6 +341,11 @@ public static class OpenIddictClientModels
/// </summary>
public required string DeviceCode { get; init; }
/// <summary>
/// Gets or sets a boolean indicating whether userinfo should be disabled.
/// </summary>
public bool DisableUserinfo { get; set; }
/// <summary>
/// Gets or sets the maximum duration during which token requests will be sent
/// (typically, the same value as the "expires_in" parameter returned by the
@ -561,6 +565,11 @@ public static class OpenIddictClientModels
/// </summary>
public CancellationToken CancellationToken { get; init; }
/// <summary>
/// Gets or sets a boolean indicating whether userinfo should be disabled.
/// </summary>
public bool DisableUserinfo { get; set; }
/// <summary>
/// Gets or sets the password that will be sent to the authorization server.
/// </summary>
@ -680,6 +689,12 @@ public static class OpenIddictClientModels
/// </summary>
public CancellationToken CancellationToken { get; init; }
/// <summary>
/// Gets or sets a boolean indicating whether userinfo should be disabled, which may be required
/// when sending a refresh token that was acquired using a user-less flow (e.g client credentials).
/// </summary>
public bool DisableUserinfo { get; set; }
/// <summary>
/// Gets or sets the application-specific properties that will be added to the context.
/// </summary>

6
src/OpenIddict.Client/OpenIddictClientService.cs
View File

@ -571,6 +571,8 @@ public class OpenIddictClientService
{
CancellationToken = source.Token,
DeviceCode = request.DeviceCode,
DisableUserinfoRetrieval = request.DisableUserinfo,
DisableUserinfoValidation = request.DisableUserinfo,
GrantType = GrantTypes.DeviceCode,
Issuer = request.Issuer,
ProviderName = request.ProviderName,
@ -773,6 +775,8 @@ public class OpenIddictClientService
var context = new ProcessAuthenticationContext(transaction)
{
CancellationToken = request.CancellationToken,
DisableUserinfoRetrieval = request.DisableUserinfo,
DisableUserinfoValidation = request.DisableUserinfo,
GrantType = GrantTypes.Password,
Issuer = request.Issuer,
Password = request.Password,
@ -868,6 +872,8 @@ public class OpenIddictClientService
var context = new ProcessAuthenticationContext(transaction)
{
CancellationToken = request.CancellationToken,
DisableUserinfoRetrieval = request.DisableUserinfo,
DisableUserinfoValidation = request.DisableUserinfo,
GrantType = GrantTypes.RefreshToken,
Issuer = request.Issuer,
ProviderName = request.ProviderName,

Write Preview
Loading…
Cancel
Save