Kévin Chalet
7 years ago
committed by
GitHub
GitHub
27 changed files with 1946 additions and 15 deletions
@ -0,0 +1,659 @@ |
|||
/* |
|||
* Licensed under the Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
|
|||
* See https://github.com/openiddict/openiddict-core for more information concerning
|
|||
* the license and the contributors participating to this project. |
|||
*/ |
|||
|
|||
using System; |
|||
using System.Collections.Immutable; |
|||
using System.IO; |
|||
using System.Security.Cryptography; |
|||
using System.Text; |
|||
using System.Threading.Tasks; |
|||
using JetBrains.Annotations; |
|||
using Microsoft.AspNetCore; |
|||
using Microsoft.AspNetCore.Diagnostics; |
|||
using Microsoft.AspNetCore.WebUtilities; |
|||
using Microsoft.Extensions.Caching.Distributed; |
|||
using Microsoft.Extensions.Logging; |
|||
using Microsoft.Extensions.Options; |
|||
using Microsoft.IdentityModel.Tokens; |
|||
using Microsoft.Net.Http.Headers; |
|||
using Newtonsoft.Json; |
|||
using Newtonsoft.Json.Bson; |
|||
using Newtonsoft.Json.Linq; |
|||
using OpenIddict.Abstractions; |
|||
using static OpenIddict.Abstractions.OpenIddictConstants; |
|||
using static OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreConstants; |
|||
using static OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlerFilters; |
|||
using static OpenIddict.Server.OpenIddictServerEvents; |
|||
|
|||
namespace OpenIddict.Server.AspNetCore |
|||
{ |
|||
public static partial class OpenIddictServerAspNetCoreHandlers |
|||
{ |
|||
public static class Session |
|||
{ |
|||
public static ImmutableArray<OpenIddictServerHandlerDescriptor> DefaultHandlers { get; } = ImmutableArray.Create( |
|||
/* |
|||
* Logout request extraction: |
|||
*/ |
|||
ExtractGetOrPostRequest<ExtractLogoutRequestContext>.Descriptor, |
|||
RestoreCachedRequestParameters.Descriptor, |
|||
CacheRequestParameters.Descriptor, |
|||
|
|||
/* |
|||
* Logout request handling: |
|||
*/ |
|||
EnablePassthroughMode.Descriptor, |
|||
|
|||
/* |
|||
* Logout response processing: |
|||
*/ |
|||
RemoveCachedRequest.Descriptor, |
|||
ProcessEmptyResponse.Descriptor, |
|||
ProcessQueryResponse.Descriptor, |
|||
ProcessStatusCodePagesErrorResponse.Descriptor, |
|||
ProcessPassthroughErrorResponse.Descriptor, |
|||
ProcessLocalErrorResponse.Descriptor); |
|||
|
|||
/// <summary>
|
|||
/// Contains the logic responsible of restoring cached requests from the request_id, if specified.
|
|||
/// Note: this handler is not used when the OpenID Connect request is not initially handled by ASP.NET Core.
|
|||
/// </summary>
|
|||
public class RestoreCachedRequestParameters : IOpenIddictServerHandler<ExtractLogoutRequestContext> |
|||
{ |
|||
private readonly IDistributedCache _cache; |
|||
|
|||
public RestoreCachedRequestParameters() => throw new InvalidOperationException(new StringBuilder() |
|||
.AppendLine("A distributed cache instance must be registered when enabling request caching.") |
|||
.Append("To register the default in-memory distributed cache implementation, reference the ") |
|||
.Append("'Microsoft.Extensions.Caching.Memory' package and call ") |
|||
.Append("'services.AddDistributedMemoryCache()' from 'ConfigureServices'.") |
|||
.ToString()); |
|||
|
|||
public RestoreCachedRequestParameters([NotNull] IDistributedCache cache) |
|||
=> _cache = cache; |
|||
|
|||
/// <summary>
|
|||
/// Gets the default descriptor definition assigned to this handler.
|
|||
/// </summary>
|
|||
public static OpenIddictServerHandlerDescriptor Descriptor { get; } |
|||
= OpenIddictServerHandlerDescriptor.CreateBuilder<ExtractLogoutRequestContext>() |
|||
.AddFilter<RequireHttpRequest>() |
|||
.AddFilter<RequireRequestCachingEnabled>() |
|||
.UseSingletonHandler<RestoreCachedRequestParameters>() |
|||
.SetOrder(ExtractGetOrPostRequest<ExtractLogoutRequestContext>.Descriptor.Order + 1_000) |
|||
.Build(); |
|||
|
|||
/// <summary>
|
|||
/// Processes the event.
|
|||
/// </summary>
|
|||
/// <param name="context">The context associated with the event to process.</param>
|
|||
/// <returns>
|
|||
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation.
|
|||
/// </returns>
|
|||
public async Task HandleAsync([NotNull] ExtractLogoutRequestContext context) |
|||
{ |
|||
if (context == null) |
|||
{ |
|||
throw new ArgumentNullException(nameof(context)); |
|||
} |
|||
|
|||
// If a request_id parameter can be found in the logout request,
|
|||
// restore the complete logout request from the distributed cache.
|
|||
|
|||
if (string.IsNullOrEmpty(context.Request.RequestId)) |
|||
{ |
|||
return; |
|||
} |
|||
|
|||
// Note: the cache key is always prefixed with a specific marker
|
|||
// to avoid collisions with the other types of cached payloads.
|
|||
var payload = await _cache.GetAsync(Cache.LogoutRequest + context.Request.RequestId); |
|||
if (payload == null) |
|||
{ |
|||
context.Logger.LogError("The logout request was rejected because an unknown " + |
|||
"or invalid request_id parameter was specified."); |
|||
|
|||
context.Reject( |
|||
error: Errors.InvalidRequest, |
|||
description: "The specified 'request_id' parameter is invalid."); |
|||
|
|||
return; |
|||
} |
|||
|
|||
// Restore the logout request parameters from the serialized payload.
|
|||
using var reader = new BsonDataReader(new MemoryStream(payload)); |
|||
foreach (var parameter in JObject.Load(reader)) |
|||
{ |
|||
// Avoid overriding the current request parameters.
|
|||
if (context.Request.HasParameter(parameter.Key)) |
|||
{ |
|||
continue; |
|||
} |
|||
|
|||
context.Request.SetParameter(parameter.Key, parameter.Value); |
|||
} |
|||
} |
|||
} |
|||
|
|||
/// <summary>
|
|||
/// Contains the logic responsible of caching logout requests, if applicable.
|
|||
/// Note: this handler is not used when the OpenID Connect request is not initially handled by ASP.NET Core.
|
|||
/// </summary>
|
|||
public class CacheRequestParameters : IOpenIddictServerHandler<ExtractLogoutRequestContext> |
|||
{ |
|||
private readonly IDistributedCache _cache; |
|||
private readonly IOptionsMonitor<OpenIddictServerAspNetCoreOptions> _options; |
|||
|
|||
public CacheRequestParameters() => throw new InvalidOperationException(new StringBuilder() |
|||
.AppendLine("A distributed cache instance must be registered when enabling request caching.") |
|||
.Append("To register the default in-memory distributed cache implementation, reference the ") |
|||
.Append("'Microsoft.Extensions.Caching.Memory' package and call ") |
|||
.Append("'services.AddDistributedMemoryCache()' from 'ConfigureServices'.") |
|||
.ToString()); |
|||
|
|||
public CacheRequestParameters( |
|||
[NotNull] IDistributedCache cache, |
|||
[NotNull] IOptionsMonitor<OpenIddictServerAspNetCoreOptions> options) |
|||
{ |
|||
_cache = cache; |
|||
_options = options; |
|||
} |
|||
|
|||
/// <summary>
|
|||
/// Gets the default descriptor definition assigned to this handler.
|
|||
/// </summary>
|
|||
public static OpenIddictServerHandlerDescriptor Descriptor { get; } |
|||
= OpenIddictServerHandlerDescriptor.CreateBuilder<ExtractLogoutRequestContext>() |
|||
.AddFilter<RequireHttpRequest>() |
|||
.AddFilter<RequireRequestCachingEnabled>() |
|||
.UseSingletonHandler<CacheRequestParameters>() |
|||
.SetOrder(RestoreCachedRequestParameters.Descriptor.Order + 1_000) |
|||
.Build(); |
|||
|
|||
/// <summary>
|
|||
/// Processes the event.
|
|||
/// </summary>
|
|||
/// <param name="context">The context associated with the event to process.</param>
|
|||
/// <returns>
|
|||
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation.
|
|||
/// </returns>
|
|||
public async Task HandleAsync([NotNull] ExtractLogoutRequestContext context) |
|||
{ |
|||
if (context == null) |
|||
{ |
|||
throw new ArgumentNullException(nameof(context)); |
|||
} |
|||
|
|||
// This handler only applies to ASP.NET Core requests. If the HTTP context cannot be resolved,
|
|||
// this may indicate that the request was incorrectly processed by another server stack.
|
|||
var request = context.Transaction.GetHttpRequest(); |
|||
if (request == null) |
|||
{ |
|||
throw new InvalidOperationException("The ASP.NET Core HTTP request cannot be resolved."); |
|||
} |
|||
|
|||
// Don't cache the request if the request doesn't include any parameter.
|
|||
// If a request_id parameter can be found in the logout request,
|
|||
// ignore the following logic to prevent an infinite redirect loop.
|
|||
if (context.Request.GetParameters().IsEmpty || !string.IsNullOrEmpty(context.Request.RequestId)) |
|||
{ |
|||
return; |
|||
} |
|||
|
|||
// Generate a 256-bit request identifier using a crypto-secure random number generator.
|
|||
var data = new byte[256 / 8]; |
|||
RandomNumberGenerator.Fill(data); |
|||
|
|||
context.Request.RequestId = Base64UrlEncoder.Encode(data); |
|||
|
|||
// Store the serialized logout request parameters in the distributed cache.
|
|||
var stream = new MemoryStream(); |
|||
using (var writer = new BsonDataWriter(stream)) |
|||
{ |
|||
writer.CloseOutput = false; |
|||
|
|||
var serializer = JsonSerializer.CreateDefault(); |
|||
serializer.Serialize(writer, context.Request); |
|||
} |
|||
|
|||
// Note: the cache key is always prefixed with a specific marker
|
|||
// to avoid collisions with the other types of cached payloads.
|
|||
await _cache.SetAsync(Cache.LogoutRequest + context.Request.RequestId, |
|||
stream.ToArray(), _options.CurrentValue.RequestCachingPolicy); |
|||
|
|||
// Create a new GET logout request containing only the request_id parameter.
|
|||
var address = QueryHelpers.AddQueryString( |
|||
uri: request.Scheme + "://" + request.Host + request.PathBase + request.Path, |
|||
name: Parameters.RequestId, |
|||
value: context.Request.RequestId); |
|||
|
|||
request.HttpContext.Response.Redirect(address); |
|||
|
|||
// Mark the response as handled to skip the rest of the pipeline.
|
|||
context.HandleRequest(); |
|||
} |
|||
} |
|||
|
|||
/// <summary>
|
|||
/// Contains the logic responsible of enabling the pass-through mode for the received request.
|
|||
/// Note: this handler is not used when the OpenID Connect request is not initially handled by ASP.NET Core.
|
|||
/// </summary>
|
|||
public class EnablePassthroughMode : IOpenIddictServerHandler<HandleLogoutRequestContext> |
|||
{ |
|||
/// <summary>
|
|||
/// Gets the default descriptor definition assigned to this handler.
|
|||
/// </summary>
|
|||
public static OpenIddictServerHandlerDescriptor Descriptor { get; } |
|||
= OpenIddictServerHandlerDescriptor.CreateBuilder<HandleLogoutRequestContext>() |
|||
.AddFilter<RequireHttpRequest>() |
|||
.AddFilter<RequireLogoutEndpointPassthroughEnabled>() |
|||
.UseSingletonHandler<EnablePassthroughMode>() |
|||
.SetOrder(int.MaxValue - 100_000) |
|||
.Build(); |
|||
|
|||
/// <summary>
|
|||
/// Processes the event.
|
|||
/// </summary>
|
|||
/// <param name="context">The context associated with the event to process.</param>
|
|||
/// <returns>
|
|||
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation.
|
|||
/// </returns>
|
|||
public Task HandleAsync([NotNull] HandleLogoutRequestContext context) |
|||
{ |
|||
if (context == null) |
|||
{ |
|||
throw new ArgumentNullException(nameof(context)); |
|||
} |
|||
|
|||
context.SkipRequest(); |
|||
|
|||
return Task.CompletedTask; |
|||
} |
|||
} |
|||
|
|||
/// <summary>
|
|||
/// Contains the logic responsible of removing cached logout requests from the distributed cache.
|
|||
/// Note: this handler is not used when the OpenID Connect request is not initially handled by ASP.NET Core.
|
|||
/// </summary>
|
|||
public class RemoveCachedRequest : IOpenIddictServerHandler<ApplyLogoutResponseContext> |
|||
{ |
|||
private readonly IDistributedCache _cache; |
|||
|
|||
public RemoveCachedRequest() => throw new InvalidOperationException(new StringBuilder() |
|||
.AppendLine("A distributed cache instance must be registered when enabling request caching.") |
|||
.Append("To register the default in-memory distributed cache implementation, reference the ") |
|||
.Append("'Microsoft.Extensions.Caching.Memory' package and call ") |
|||
.Append("'services.AddDistributedMemoryCache()' from 'ConfigureServices'.") |
|||
.ToString()); |
|||
|
|||
public RemoveCachedRequest([NotNull] IDistributedCache cache) |
|||
=> _cache = cache; |
|||
|
|||
/// <summary>
|
|||
/// Gets the default descriptor definition assigned to this handler.
|
|||
/// </summary>
|
|||
public static OpenIddictServerHandlerDescriptor Descriptor { get; } |
|||
= OpenIddictServerHandlerDescriptor.CreateBuilder<ApplyLogoutResponseContext>() |
|||
.AddFilter<RequireHttpRequest>() |
|||
.AddFilter<RequireRequestCachingEnabled>() |
|||
.UseSingletonHandler<RemoveCachedRequest>() |
|||
.SetOrder(ProcessQueryResponse.Descriptor.Order - 1_000) |
|||
.Build(); |
|||
|
|||
/// <summary>
|
|||
/// Processes the event.
|
|||
/// </summary>
|
|||
/// <param name="context">The context associated with the event to process.</param>
|
|||
/// <returns>
|
|||
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation.
|
|||
/// </returns>
|
|||
public Task HandleAsync([NotNull] ApplyLogoutResponseContext context) |
|||
{ |
|||
if (context == null) |
|||
{ |
|||
throw new ArgumentNullException(nameof(context)); |
|||
} |
|||
|
|||
if (string.IsNullOrEmpty(context.Request?.RequestId)) |
|||
{ |
|||
return Task.CompletedTask; |
|||
} |
|||
|
|||
// Note: the ApplyLogoutResponse event is called for both successful
|
|||
// and errored logout responses but discrimination is not necessary here,
|
|||
// as the logout request must be removed from the distributed cache in both cases.
|
|||
|
|||
// Note: the cache key is always prefixed with a specific marker
|
|||
// to avoid collisions with the other types of cached payloads.
|
|||
return _cache.RemoveAsync(Cache.LogoutRequest + context.Request.RequestId); |
|||
} |
|||
} |
|||
|
|||
/// <summary>
|
|||
/// Contains the logic responsible of processing logout responses that don't specify a post_logout_redirect_uri.
|
|||
/// Note: this handler is not used when the OpenID Connect request is not initially handled by ASP.NET Core.
|
|||
/// </summary>
|
|||
public class ProcessEmptyResponse : IOpenIddictServerHandler<ApplyLogoutResponseContext> |
|||
{ |
|||
/// <summary>
|
|||
/// Gets the default descriptor definition assigned to this handler.
|
|||
/// </summary>
|
|||
public static OpenIddictServerHandlerDescriptor Descriptor { get; } |
|||
= OpenIddictServerHandlerDescriptor.CreateBuilder<ApplyLogoutResponseContext>() |
|||
.AddFilter<RequireHttpRequest>() |
|||
.UseSingletonHandler<ProcessQueryResponse>() |
|||
.SetOrder(ProcessPassthroughErrorResponse.Descriptor.Order - 1_000) |
|||
.Build(); |
|||
|
|||
/// <summary>
|
|||
/// Processes the event.
|
|||
/// </summary>
|
|||
/// <param name="context">The context associated with the event to process.</param>
|
|||
/// <returns>
|
|||
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation.
|
|||
/// </returns>
|
|||
public Task HandleAsync([NotNull] ApplyLogoutResponseContext context) |
|||
{ |
|||
if (context == null) |
|||
{ |
|||
throw new ArgumentNullException(nameof(context)); |
|||
} |
|||
|
|||
// This handler only applies to ASP.NET Core requests. If the HTTP context cannot be resolved,
|
|||
// this may indicate that the request was incorrectly processed by another server stack.
|
|||
var response = context.Transaction.GetHttpRequest()?.HttpContext.Response; |
|||
if (response == null) |
|||
{ |
|||
throw new InvalidOperationException("The ASP.NET Core HTTP request cannot be resolved."); |
|||
} |
|||
|
|||
if (!string.IsNullOrEmpty(context.PostLogoutRedirectUri)) |
|||
{ |
|||
return Task.CompletedTask; |
|||
} |
|||
|
|||
context.Logger.LogInformation("The logout response was successfully returned: {Response}.", response); |
|||
context.HandleRequest(); |
|||
|
|||
return Task.CompletedTask; |
|||
} |
|||
} |
|||
|
|||
/// <summary>
|
|||
/// Contains the logic responsible of processing logout responses.
|
|||
/// Note: this handler is not used when the OpenID Connect request is not initially handled by ASP.NET Core.
|
|||
/// </summary>
|
|||
public class ProcessQueryResponse : IOpenIddictServerHandler<ApplyLogoutResponseContext> |
|||
{ |
|||
/// <summary>
|
|||
/// Gets the default descriptor definition assigned to this handler.
|
|||
/// </summary>
|
|||
public static OpenIddictServerHandlerDescriptor Descriptor { get; } |
|||
= OpenIddictServerHandlerDescriptor.CreateBuilder<ApplyLogoutResponseContext>() |
|||
.AddFilter<RequireHttpRequest>() |
|||
.UseSingletonHandler<ProcessQueryResponse>() |
|||
.SetOrder(ProcessEmptyResponse.Descriptor.Order - 1_000) |
|||
.Build(); |
|||
|
|||
/// <summary>
|
|||
/// Processes the event.
|
|||
/// </summary>
|
|||
/// <param name="context">The context associated with the event to process.</param>
|
|||
/// <returns>
|
|||
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation.
|
|||
/// </returns>
|
|||
public Task HandleAsync([NotNull] ApplyLogoutResponseContext context) |
|||
{ |
|||
if (context == null) |
|||
{ |
|||
throw new ArgumentNullException(nameof(context)); |
|||
} |
|||
|
|||
// This handler only applies to ASP.NET Core requests. If the HTTP context cannot be resolved,
|
|||
// this may indicate that the request was incorrectly processed by another server stack.
|
|||
var response = context.Transaction.GetHttpRequest()?.HttpContext.Response; |
|||
if (response == null) |
|||
{ |
|||
throw new InvalidOperationException("The ASP.NET Core HTTP request cannot be resolved."); |
|||
} |
|||
|
|||
if (string.IsNullOrEmpty(context.PostLogoutRedirectUri)) |
|||
{ |
|||
return Task.CompletedTask; |
|||
} |
|||
|
|||
context.Logger.LogInformation("The logout response was successfully returned to '{PostLogoutRedirectUri}': {Response}.", |
|||
context.PostLogoutRedirectUri, response); |
|||
|
|||
var location = context.PostLogoutRedirectUri; |
|||
|
|||
// Note: while initially not allowed by the core OAuth 2.0 specification, multiple parameters
|
|||
// with the same name are used by derived drafts like the OAuth 2.0 token exchange specification.
|
|||
// For consistency, multiple parameters with the same name are also supported by this endpoint.
|
|||
foreach (var parameter in context.Response.GetFlattenedParameters()) |
|||
{ |
|||
location = QueryHelpers.AddQueryString(location, parameter.Key, parameter.Value); |
|||
} |
|||
|
|||
response.Redirect(location); |
|||
context.HandleRequest(); |
|||
|
|||
return Task.CompletedTask; |
|||
} |
|||
} |
|||
|
|||
/// <summary>
|
|||
/// Contains the logic responsible of processing logout responses that must be handled by another
|
|||
/// middleware in the pipeline at a later stage (e.g an ASP.NET Core MVC action or a NancyFX module).
|
|||
/// Note: this handler is not used when the OpenID Connect request is not initially handled by ASP.NET Core.
|
|||
/// </summary>
|
|||
public class ProcessPassthroughErrorResponse : IOpenIddictServerHandler<ApplyLogoutResponseContext> |
|||
{ |
|||
/// <summary>
|
|||
/// Gets the default descriptor definition assigned to this handler.
|
|||
/// </summary>
|
|||
public static OpenIddictServerHandlerDescriptor Descriptor { get; } |
|||
= OpenIddictServerHandlerDescriptor.CreateBuilder<ApplyLogoutResponseContext>() |
|||
.AddFilter<RequireHttpRequest>() |
|||
.AddFilter<RequireErrorPassthroughEnabled>() |
|||
.AddFilter<RequireLogoutEndpointPassthroughEnabled>() |
|||
.UseSingletonHandler<ProcessPassthroughErrorResponse>() |
|||
.SetOrder(ProcessStatusCodePagesErrorResponse.Descriptor.Order - 1_000) |
|||
.Build(); |
|||
|
|||
/// <summary>
|
|||
/// Processes the event.
|
|||
/// </summary>
|
|||
/// <param name="context">The context associated with the event to process.</param>
|
|||
/// <returns>
|
|||
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation.
|
|||
/// </returns>
|
|||
public Task HandleAsync([NotNull] ApplyLogoutResponseContext context) |
|||
{ |
|||
if (context == null) |
|||
{ |
|||
throw new ArgumentNullException(nameof(context)); |
|||
} |
|||
|
|||
// This handler only applies to ASP.NET Core requests. If the HTTP context cannot be resolved,
|
|||
// this may indicate that the request was incorrectly processed by another server stack.
|
|||
var response = context.Transaction.GetHttpRequest()?.HttpContext.Response; |
|||
if (response == null) |
|||
{ |
|||
throw new InvalidOperationException("The ASP.NET Core HTTP request cannot be resolved."); |
|||
} |
|||
|
|||
if (string.IsNullOrEmpty(context.Response.Error) || !string.IsNullOrEmpty(context.PostLogoutRedirectUri)) |
|||
{ |
|||
return Task.CompletedTask; |
|||
} |
|||
|
|||
// Apply a 400 status code by default.
|
|||
response.StatusCode = 400; |
|||
|
|||
context.SkipRequest(); |
|||
|
|||
return Task.CompletedTask; |
|||
} |
|||
} |
|||
|
|||
/// <summary>
|
|||
/// Contains the logic responsible of processing logout responses handled by the status code pages middleware.
|
|||
/// Note: this handler is not used when the OpenID Connect request is not initially handled by ASP.NET Core.
|
|||
/// </summary>
|
|||
public class ProcessStatusCodePagesErrorResponse : IOpenIddictServerHandler<ApplyLogoutResponseContext> |
|||
{ |
|||
/// <summary>
|
|||
/// Gets the default descriptor definition assigned to this handler.
|
|||
/// </summary>
|
|||
public static OpenIddictServerHandlerDescriptor Descriptor { get; } |
|||
= OpenIddictServerHandlerDescriptor.CreateBuilder<ApplyLogoutResponseContext>() |
|||
.AddFilter<RequireHttpRequest>() |
|||
.AddFilter<RequireStatusCodePagesIntegrationEnabled>() |
|||
.UseSingletonHandler<ProcessStatusCodePagesErrorResponse>() |
|||
.SetOrder(ProcessLocalErrorResponse.Descriptor.Order - 1_000) |
|||
.Build(); |
|||
|
|||
/// <summary>
|
|||
/// Processes the event.
|
|||
/// </summary>
|
|||
/// <param name="context">The context associated with the event to process.</param>
|
|||
/// <returns>
|
|||
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation.
|
|||
/// </returns>
|
|||
public Task HandleAsync([NotNull] ApplyLogoutResponseContext context) |
|||
{ |
|||
if (context == null) |
|||
{ |
|||
throw new ArgumentNullException(nameof(context)); |
|||
} |
|||
|
|||
if (context.Response == null) |
|||
{ |
|||
throw new InvalidOperationException("This handler cannot be invoked without a response attached."); |
|||
} |
|||
|
|||
// This handler only applies to ASP.NET Core requests. If the HTTP context cannot be resolved,
|
|||
// this may indicate that the request was incorrectly processed by another server stack.
|
|||
var response = context.Transaction.GetHttpRequest()?.HttpContext.Response; |
|||
if (response == null) |
|||
{ |
|||
throw new InvalidOperationException("The ASP.NET Core HTTP request cannot be resolved."); |
|||
} |
|||
|
|||
if (string.IsNullOrEmpty(context.Error) || !string.IsNullOrEmpty(context.PostLogoutRedirectUri)) |
|||
{ |
|||
return Task.CompletedTask; |
|||
} |
|||
|
|||
// Determine if the status code pages middleware has been enabled for this request.
|
|||
// If it was not registered or enabled, let the default OpenIddict server handlers render
|
|||
// a default error page instead of delegating the rendering to the status code middleware.
|
|||
var feature = response.HttpContext.Features.Get<IStatusCodePagesFeature>(); |
|||
if (feature == null || !feature.Enabled) |
|||
{ |
|||
return Task.CompletedTask; |
|||
} |
|||
|
|||
// Replace the default status code to return a 400 response.
|
|||
response.StatusCode = 400; |
|||
|
|||
// Mark the request as fully handled to prevent the other OpenIddict server handlers
|
|||
// from displaying the default error page and to allow the status code pages middleware
|
|||
// to rewrite the response using the logic defined by the developer when registering it.
|
|||
context.HandleRequest(); |
|||
|
|||
return Task.CompletedTask; |
|||
} |
|||
} |
|||
|
|||
/// <summary>
|
|||
/// Contains the logic responsible of processing logout responses that must be returned as plain-text.
|
|||
/// Note: this handler is not used when the OpenID Connect request is not initially handled by ASP.NET Core.
|
|||
/// </summary>
|
|||
public class ProcessLocalErrorResponse : IOpenIddictServerHandler<ApplyLogoutResponseContext> |
|||
{ |
|||
/// <summary>
|
|||
/// Gets the default descriptor definition assigned to this handler.
|
|||
/// </summary>
|
|||
public static OpenIddictServerHandlerDescriptor Descriptor { get; } |
|||
= OpenIddictServerHandlerDescriptor.CreateBuilder<ApplyLogoutResponseContext>() |
|||
.AddFilter<RequireHttpRequest>() |
|||
.UseSingletonHandler<ProcessLocalErrorResponse>() |
|||
.SetOrder(int.MaxValue - 100_000) |
|||
.Build(); |
|||
|
|||
/// <summary>
|
|||
/// Processes the event.
|
|||
/// </summary>
|
|||
/// <param name="context">The context associated with the event to process.</param>
|
|||
/// <returns>
|
|||
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation.
|
|||
/// </returns>
|
|||
public async Task HandleAsync([NotNull] ApplyLogoutResponseContext context) |
|||
{ |
|||
if (context == null) |
|||
{ |
|||
throw new ArgumentNullException(nameof(context)); |
|||
} |
|||
|
|||
// This handler only applies to ASP.NET Core requests. If the HTTP context cannot be resolved,
|
|||
// this may indicate that the request was incorrectly processed by another server stack.
|
|||
var response = context.Transaction.GetHttpRequest()?.HttpContext.Response; |
|||
if (response == null) |
|||
{ |
|||
throw new InvalidOperationException("The ASP.NET Core HTTP request cannot be resolved."); |
|||
} |
|||
|
|||
if (string.IsNullOrEmpty(context.Response.Error) || !string.IsNullOrEmpty(context.PostLogoutRedirectUri)) |
|||
{ |
|||
return; |
|||
} |
|||
|
|||
// Don't return the state originally sent by the client application.
|
|||
context.Response.State = null; |
|||
|
|||
// Apply a 400 status code by default.
|
|||
response.StatusCode = 400; |
|||
|
|||
context.Logger.LogInformation("The logout response was successfully returned " + |
|||
"as a plain-text document: {Response}.", context.Response); |
|||
|
|||
using (var buffer = new MemoryStream()) |
|||
using (var writer = new StreamWriter(buffer)) |
|||
{ |
|||
foreach (var parameter in context.Response.GetParameters()) |
|||
{ |
|||
// Ignore null or empty parameters, including JSON
|
|||
// objects that can't be represented as strings.
|
|||
var value = (string) parameter.Value; |
|||
if (string.IsNullOrEmpty(value)) |
|||
{ |
|||
continue; |
|||
} |
|||
|
|||
writer.WriteLine("{0}:{1}", parameter.Key, value); |
|||
} |
|||
|
|||
writer.Flush(); |
|||
|
|||
response.ContentLength = buffer.Length; |
|||
response.ContentType = "text/plain;charset=UTF-8"; |
|||
|
|||
response.Headers[HeaderNames.CacheControl] = "no-cache"; |
|||
response.Headers[HeaderNames.Pragma] = "no-cache"; |
|||
response.Headers[HeaderNames.Expires] = "Thu, 01 Jan 1970 00:00:00 GMT"; |
|||
|
|||
buffer.Seek(offset: 0, loc: SeekOrigin.Begin); |
|||
await buffer.CopyToAsync(response.Body, 4096, response.HttpContext.RequestAborted); |
|||
} |
|||
|
|||
context.HandleRequest(); |
|||
} |
|||
} |
|||
} |
|||
} |
|||
} |
|||
@ -0,0 +1,587 @@ |
|||
/* |
|||
* Licensed under the Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
|
|||
* See https://github.com/openiddict/openiddict-core for more information concerning
|
|||
* the license and the contributors participating to this project. |
|||
*/ |
|||
|
|||
using System; |
|||
using System.Collections.Immutable; |
|||
using System.IO; |
|||
using System.Security.Cryptography; |
|||
using System.Text; |
|||
using System.Threading.Tasks; |
|||
using JetBrains.Annotations; |
|||
using Microsoft.Extensions.Caching.Distributed; |
|||
using Microsoft.Extensions.Logging; |
|||
using Microsoft.Extensions.Options; |
|||
using Microsoft.IdentityModel.Tokens; |
|||
using Microsoft.Owin.Infrastructure; |
|||
using Newtonsoft.Json; |
|||
using Newtonsoft.Json.Bson; |
|||
using Newtonsoft.Json.Linq; |
|||
using OpenIddict.Abstractions; |
|||
using Owin; |
|||
using static OpenIddict.Abstractions.OpenIddictConstants; |
|||
using static OpenIddict.Server.OpenIddictServerEvents; |
|||
using static OpenIddict.Server.Owin.OpenIddictServerOwinConstants; |
|||
using static OpenIddict.Server.Owin.OpenIddictServerOwinHandlerFilters; |
|||
|
|||
namespace OpenIddict.Server.Owin |
|||
{ |
|||
public static partial class OpenIddictServerOwinHandlers |
|||
{ |
|||
public static class Session |
|||
{ |
|||
public static ImmutableArray<OpenIddictServerHandlerDescriptor> DefaultHandlers { get; } = ImmutableArray.Create( |
|||
/* |
|||
* Logout request extraction: |
|||
*/ |
|||
ExtractGetOrPostRequest<ExtractLogoutRequestContext>.Descriptor, |
|||
RestoreCachedRequestParameters.Descriptor, |
|||
CacheRequestParameters.Descriptor, |
|||
|
|||
/* |
|||
* Logout request handling: |
|||
*/ |
|||
EnablePassthroughMode.Descriptor, |
|||
|
|||
/* |
|||
* Logout response processing: |
|||
*/ |
|||
RemoveCachedRequest.Descriptor, |
|||
ProcessEmptyResponse.Descriptor, |
|||
ProcessQueryResponse.Descriptor, |
|||
ProcessPassthroughErrorResponse.Descriptor, |
|||
ProcessLocalErrorResponse.Descriptor); |
|||
|
|||
/// <summary>
|
|||
/// Contains the logic responsible of restoring cached requests from the request_id, if specified.
|
|||
/// Note: this handler is not used when the OpenID Connect request is not initially handled by OWIN.
|
|||
/// </summary>
|
|||
public class RestoreCachedRequestParameters : IOpenIddictServerHandler<ExtractLogoutRequestContext> |
|||
{ |
|||
private readonly IDistributedCache _cache; |
|||
|
|||
public RestoreCachedRequestParameters() => throw new InvalidOperationException(new StringBuilder() |
|||
.AppendLine("A distributed cache instance must be registered when enabling request caching.") |
|||
.Append("To register the default in-memory distributed cache implementation, reference the ") |
|||
.Append("'Microsoft.Extensions.Caching.Memory' package and call ") |
|||
.Append("'services.AddDistributedMemoryCache()' from 'ConfigureServices'.") |
|||
.ToString()); |
|||
|
|||
public RestoreCachedRequestParameters([NotNull] IDistributedCache cache) |
|||
=> _cache = cache; |
|||
|
|||
/// <summary>
|
|||
/// Gets the default descriptor definition assigned to this handler.
|
|||
/// </summary>
|
|||
public static OpenIddictServerHandlerDescriptor Descriptor { get; } |
|||
= OpenIddictServerHandlerDescriptor.CreateBuilder<ExtractLogoutRequestContext>() |
|||
.AddFilter<RequireOwinRequest>() |
|||
.AddFilter<RequireRequestCachingEnabled>() |
|||
.UseSingletonHandler<RestoreCachedRequestParameters>() |
|||
.SetOrder(ExtractGetOrPostRequest<ExtractLogoutRequestContext>.Descriptor.Order + 1_000) |
|||
.Build(); |
|||
|
|||
/// <summary>
|
|||
/// Processes the event.
|
|||
/// </summary>
|
|||
/// <param name="context">The context associated with the event to process.</param>
|
|||
/// <returns>
|
|||
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation.
|
|||
/// </returns>
|
|||
public async Task HandleAsync([NotNull] ExtractLogoutRequestContext context) |
|||
{ |
|||
if (context == null) |
|||
{ |
|||
throw new ArgumentNullException(nameof(context)); |
|||
} |
|||
|
|||
// If a request_id parameter can be found in the logout request,
|
|||
// restore the complete logout request from the distributed cache.
|
|||
|
|||
if (string.IsNullOrEmpty(context.Request.RequestId)) |
|||
{ |
|||
return; |
|||
} |
|||
|
|||
// Note: the cache key is always prefixed with a specific marker
|
|||
// to avoid collisions with the other types of cached payloads.
|
|||
var payload = await _cache.GetAsync(Cache.LogoutRequest + context.Request.RequestId); |
|||
if (payload == null) |
|||
{ |
|||
context.Logger.LogError("The logout request was rejected because an unknown " + |
|||
"or invalid request_id parameter was specified."); |
|||
|
|||
context.Reject( |
|||
error: Errors.InvalidRequest, |
|||
description: "The specified 'request_id' parameter is invalid."); |
|||
|
|||
return; |
|||
} |
|||
|
|||
// Restore the logout request parameters from the serialized payload.
|
|||
using var reader = new BsonDataReader(new MemoryStream(payload)); |
|||
foreach (var parameter in JObject.Load(reader)) |
|||
{ |
|||
// Avoid overriding the current request parameters.
|
|||
if (context.Request.HasParameter(parameter.Key)) |
|||
{ |
|||
continue; |
|||
} |
|||
|
|||
context.Request.SetParameter(parameter.Key, parameter.Value); |
|||
} |
|||
} |
|||
} |
|||
|
|||
/// <summary>
|
|||
/// Contains the logic responsible of caching logout requests, if applicable.
|
|||
/// Note: this handler is not used when the OpenID Connect request is not initially handled by OWIN.
|
|||
/// </summary>
|
|||
public class CacheRequestParameters : IOpenIddictServerHandler<ExtractLogoutRequestContext> |
|||
{ |
|||
private readonly IDistributedCache _cache; |
|||
private readonly IOptionsMonitor<OpenIddictServerOwinOptions> _options; |
|||
|
|||
public CacheRequestParameters() => throw new InvalidOperationException(new StringBuilder() |
|||
.AppendLine("A distributed cache instance must be registered when enabling request caching.") |
|||
.Append("To register the default in-memory distributed cache implementation, reference the ") |
|||
.Append("'Microsoft.Extensions.Caching.Memory' package and call ") |
|||
.Append("'services.AddDistributedMemoryCache()' from 'ConfigureServices'.") |
|||
.ToString()); |
|||
|
|||
public CacheRequestParameters( |
|||
[NotNull] IDistributedCache cache, |
|||
[NotNull] IOptionsMonitor<OpenIddictServerOwinOptions> options) |
|||
{ |
|||
_cache = cache; |
|||
_options = options; |
|||
} |
|||
|
|||
/// <summary>
|
|||
/// Gets the default descriptor definition assigned to this handler.
|
|||
/// </summary>
|
|||
public static OpenIddictServerHandlerDescriptor Descriptor { get; } |
|||
= OpenIddictServerHandlerDescriptor.CreateBuilder<ExtractLogoutRequestContext>() |
|||
.AddFilter<RequireOwinRequest>() |
|||
.AddFilter<RequireRequestCachingEnabled>() |
|||
.UseSingletonHandler<CacheRequestParameters>() |
|||
.SetOrder(RestoreCachedRequestParameters.Descriptor.Order + 1_000) |
|||
.Build(); |
|||
|
|||
/// <summary>
|
|||
/// Processes the event.
|
|||
/// </summary>
|
|||
/// <param name="context">The context associated with the event to process.</param>
|
|||
/// <returns>
|
|||
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation.
|
|||
/// </returns>
|
|||
public async Task HandleAsync([NotNull] ExtractLogoutRequestContext context) |
|||
{ |
|||
if (context == null) |
|||
{ |
|||
throw new ArgumentNullException(nameof(context)); |
|||
} |
|||
|
|||
// This handler only applies to OWIN requests. If The OWIN request cannot be resolved,
|
|||
// this may indicate that the request was incorrectly processed by another server stack.
|
|||
var request = context.Transaction.GetOwinRequest(); |
|||
if (request == null) |
|||
{ |
|||
throw new InvalidOperationException("The OWIN request cannot be resolved."); |
|||
} |
|||
|
|||
// Don't cache the request if the request doesn't include any parameter.
|
|||
// If a request_id parameter can be found in the logout request,
|
|||
// ignore the following logic to prevent an infinite redirect loop.
|
|||
if (context.Request.GetParameters().IsEmpty || !string.IsNullOrEmpty(context.Request.RequestId)) |
|||
{ |
|||
return; |
|||
} |
|||
|
|||
// Generate a 256-bit request identifier using a crypto-secure random number generator.
|
|||
var data = new byte[256 / 8]; |
|||
using var generator = RandomNumberGenerator.Create(); |
|||
generator.GetBytes(data); |
|||
|
|||
context.Request.RequestId = Base64UrlEncoder.Encode(data); |
|||
|
|||
// Store the serialized logout request parameters in the distributed cache.
|
|||
var stream = new MemoryStream(); |
|||
using (var writer = new BsonDataWriter(stream)) |
|||
{ |
|||
writer.CloseOutput = false; |
|||
|
|||
var serializer = JsonSerializer.CreateDefault(); |
|||
serializer.Serialize(writer, context.Request); |
|||
} |
|||
|
|||
// Note: the cache key is always prefixed with a specific marker
|
|||
// to avoid collisions with the other types of cached payloads.
|
|||
await _cache.SetAsync(Cache.LogoutRequest + context.Request.RequestId, |
|||
stream.ToArray(), _options.CurrentValue.RequestCachingPolicy); |
|||
|
|||
// Create a new GET logout request containing only the request_id parameter.
|
|||
var address = WebUtilities.AddQueryString( |
|||
uri: request.Scheme + "://" + request.Host + request.PathBase + request.Path, |
|||
name: Parameters.RequestId, |
|||
value: context.Request.RequestId); |
|||
|
|||
request.Context.Response.Redirect(address); |
|||
|
|||
// Mark the response as handled to skip the rest of the pipeline.
|
|||
context.HandleRequest(); |
|||
} |
|||
} |
|||
|
|||
/// <summary>
|
|||
/// Contains the logic responsible of enabling the pass-through mode for the received request.
|
|||
/// Note: this handler is not used when the OpenID Connect request is not initially handled by OWIN.
|
|||
/// </summary>
|
|||
public class EnablePassthroughMode : IOpenIddictServerHandler<HandleLogoutRequestContext> |
|||
{ |
|||
/// <summary>
|
|||
/// Gets the default descriptor definition assigned to this handler.
|
|||
/// </summary>
|
|||
public static OpenIddictServerHandlerDescriptor Descriptor { get; } |
|||
= OpenIddictServerHandlerDescriptor.CreateBuilder<HandleLogoutRequestContext>() |
|||
.AddFilter<RequireOwinRequest>() |
|||
.AddFilter<RequireLogoutEndpointPassthroughEnabled>() |
|||
.UseSingletonHandler<EnablePassthroughMode>() |
|||
.SetOrder(int.MaxValue - 100_000) |
|||
.Build(); |
|||
|
|||
/// <summary>
|
|||
/// Processes the event.
|
|||
/// </summary>
|
|||
/// <param name="context">The context associated with the event to process.</param>
|
|||
/// <returns>
|
|||
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation.
|
|||
/// </returns>
|
|||
public Task HandleAsync([NotNull] HandleLogoutRequestContext context) |
|||
{ |
|||
if (context == null) |
|||
{ |
|||
throw new ArgumentNullException(nameof(context)); |
|||
} |
|||
|
|||
context.SkipRequest(); |
|||
|
|||
return Task.CompletedTask; |
|||
} |
|||
} |
|||
|
|||
/// <summary>
|
|||
/// Contains the logic responsible of removing cached logout requests from the distributed cache.
|
|||
/// Note: this handler is not used when the OpenID Connect request is not initially handled by OWIN.
|
|||
/// </summary>
|
|||
public class RemoveCachedRequest : IOpenIddictServerHandler<ApplyLogoutResponseContext> |
|||
{ |
|||
private readonly IDistributedCache _cache; |
|||
|
|||
public RemoveCachedRequest() => throw new InvalidOperationException(new StringBuilder() |
|||
.AppendLine("A distributed cache instance must be registered when enabling request caching.") |
|||
.Append("To register the default in-memory distributed cache implementation, reference the ") |
|||
.Append("'Microsoft.Extensions.Caching.Memory' package and call ") |
|||
.Append("'services.AddDistributedMemoryCache()' from 'ConfigureServices'.") |
|||
.ToString()); |
|||
|
|||
public RemoveCachedRequest([NotNull] IDistributedCache cache) |
|||
=> _cache = cache; |
|||
|
|||
/// <summary>
|
|||
/// Gets the default descriptor definition assigned to this handler.
|
|||
/// </summary>
|
|||
public static OpenIddictServerHandlerDescriptor Descriptor { get; } |
|||
= OpenIddictServerHandlerDescriptor.CreateBuilder<ApplyLogoutResponseContext>() |
|||
.AddFilter<RequireOwinRequest>() |
|||
.AddFilter<RequireRequestCachingEnabled>() |
|||
.UseSingletonHandler<RemoveCachedRequest>() |
|||
.SetOrder(ProcessQueryResponse.Descriptor.Order - 1_000) |
|||
.Build(); |
|||
|
|||
/// <summary>
|
|||
/// Processes the event.
|
|||
/// </summary>
|
|||
/// <param name="context">The context associated with the event to process.</param>
|
|||
/// <returns>
|
|||
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation.
|
|||
/// </returns>
|
|||
public Task HandleAsync([NotNull] ApplyLogoutResponseContext context) |
|||
{ |
|||
if (context == null) |
|||
{ |
|||
throw new ArgumentNullException(nameof(context)); |
|||
} |
|||
|
|||
if (string.IsNullOrEmpty(context.Request?.RequestId)) |
|||
{ |
|||
return Task.CompletedTask; |
|||
} |
|||
|
|||
// Note: the ApplyLogoutResponse event is called for both successful
|
|||
// and errored logout responses but discrimination is not necessary here,
|
|||
// as the logout request must be removed from the distributed cache in both cases.
|
|||
|
|||
// Note: the cache key is always prefixed with a specific marker
|
|||
// to avoid collisions with the other types of cached payloads.
|
|||
return _cache.RemoveAsync(Cache.LogoutRequest + context.Request.RequestId); |
|||
} |
|||
} |
|||
|
|||
/// <summary>
|
|||
/// Contains the logic responsible of processing logout responses that don't specify a post_logout_redirect_uri.
|
|||
/// Note: this handler is not used when the OpenID Connect request is not initially handled by OWIN.
|
|||
/// </summary>
|
|||
public class ProcessEmptyResponse : IOpenIddictServerHandler<ApplyLogoutResponseContext> |
|||
{ |
|||
/// <summary>
|
|||
/// Gets the default descriptor definition assigned to this handler.
|
|||
/// </summary>
|
|||
public static OpenIddictServerHandlerDescriptor Descriptor { get; } |
|||
= OpenIddictServerHandlerDescriptor.CreateBuilder<ApplyLogoutResponseContext>() |
|||
.AddFilter<RequireOwinRequest>() |
|||
.UseSingletonHandler<ProcessQueryResponse>() |
|||
.SetOrder(ProcessPassthroughErrorResponse.Descriptor.Order - 1_000) |
|||
.Build(); |
|||
|
|||
/// <summary>
|
|||
/// Processes the event.
|
|||
/// </summary>
|
|||
/// <param name="context">The context associated with the event to process.</param>
|
|||
/// <returns>
|
|||
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation.
|
|||
/// </returns>
|
|||
public Task HandleAsync([NotNull] ApplyLogoutResponseContext context) |
|||
{ |
|||
if (context == null) |
|||
{ |
|||
throw new ArgumentNullException(nameof(context)); |
|||
} |
|||
|
|||
// This handler only applies to OWIN requests. If The OWIN request cannot be resolved,
|
|||
// this may indicate that the request was incorrectly processed by another server stack.
|
|||
var response = context.Transaction.GetOwinRequest()?.Context.Response; |
|||
if (response == null) |
|||
{ |
|||
throw new InvalidOperationException("The OWIN request cannot be resolved."); |
|||
} |
|||
|
|||
if (!string.IsNullOrEmpty(context.PostLogoutRedirectUri)) |
|||
{ |
|||
return Task.CompletedTask; |
|||
} |
|||
|
|||
context.Logger.LogInformation("The logout response was successfully returned: {Response}.", response); |
|||
context.HandleRequest(); |
|||
|
|||
return Task.CompletedTask; |
|||
} |
|||
} |
|||
|
|||
/// <summary>
|
|||
/// Contains the logic responsible of processing logout responses.
|
|||
/// Note: this handler is not used when the OpenID Connect request is not initially handled by OWIN.
|
|||
/// </summary>
|
|||
public class ProcessQueryResponse : IOpenIddictServerHandler<ApplyLogoutResponseContext> |
|||
{ |
|||
/// <summary>
|
|||
/// Gets the default descriptor definition assigned to this handler.
|
|||
/// </summary>
|
|||
public static OpenIddictServerHandlerDescriptor Descriptor { get; } |
|||
= OpenIddictServerHandlerDescriptor.CreateBuilder<ApplyLogoutResponseContext>() |
|||
.AddFilter<RequireOwinRequest>() |
|||
.UseSingletonHandler<ProcessQueryResponse>() |
|||
.SetOrder(ProcessEmptyResponse.Descriptor.Order - 1_000) |
|||
.Build(); |
|||
|
|||
/// <summary>
|
|||
/// Processes the event.
|
|||
/// </summary>
|
|||
/// <param name="context">The context associated with the event to process.</param>
|
|||
/// <returns>
|
|||
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation.
|
|||
/// </returns>
|
|||
public Task HandleAsync([NotNull] ApplyLogoutResponseContext context) |
|||
{ |
|||
if (context == null) |
|||
{ |
|||
throw new ArgumentNullException(nameof(context)); |
|||
} |
|||
|
|||
// This handler only applies to OWIN requests. If The OWIN request cannot be resolved,
|
|||
// this may indicate that the request was incorrectly processed by another server stack.
|
|||
var response = context.Transaction.GetOwinRequest()?.Context.Response; |
|||
if (response == null) |
|||
{ |
|||
throw new InvalidOperationException("The OWIN request cannot be resolved."); |
|||
} |
|||
|
|||
if (string.IsNullOrEmpty(context.PostLogoutRedirectUri)) |
|||
{ |
|||
return Task.CompletedTask; |
|||
} |
|||
|
|||
context.Logger.LogInformation("The logout response was successfully returned to '{PostLogoutRedirectUri}': {Response}.", |
|||
context.PostLogoutRedirectUri, response); |
|||
|
|||
var location = context.PostLogoutRedirectUri; |
|||
|
|||
// Note: while initially not allowed by the core OAuth 2.0 specification, multiple parameters
|
|||
// with the same name are used by derived drafts like the OAuth 2.0 token exchange specification.
|
|||
// For consistency, multiple parameters with the same name are also supported by this endpoint.
|
|||
foreach (var parameter in context.Response.GetFlattenedParameters()) |
|||
{ |
|||
location = WebUtilities.AddQueryString(location, parameter.Key, parameter.Value); |
|||
} |
|||
|
|||
response.Redirect(location); |
|||
context.HandleRequest(); |
|||
|
|||
return Task.CompletedTask; |
|||
} |
|||
} |
|||
|
|||
/// <summary>
|
|||
/// Contains the logic responsible of processing logout responses that must be handled by another
|
|||
/// middleware in the pipeline at a later stage (e.g an OWIN MVC action or a NancyFX module).
|
|||
/// Note: this handler is not used when the OpenID Connect request is not initially handled by OWIN.
|
|||
/// </summary>
|
|||
public class ProcessPassthroughErrorResponse : IOpenIddictServerHandler<ApplyLogoutResponseContext> |
|||
{ |
|||
/// <summary>
|
|||
/// Gets the default descriptor definition assigned to this handler.
|
|||
/// </summary>
|
|||
public static OpenIddictServerHandlerDescriptor Descriptor { get; } |
|||
= OpenIddictServerHandlerDescriptor.CreateBuilder<ApplyLogoutResponseContext>() |
|||
.AddFilter<RequireOwinRequest>() |
|||
.AddFilter<RequireErrorPassthroughEnabled>() |
|||
.AddFilter<RequireLogoutEndpointPassthroughEnabled>() |
|||
.UseSingletonHandler<ProcessPassthroughErrorResponse>() |
|||
.SetOrder(ProcessLocalErrorResponse.Descriptor.Order - 1_000) |
|||
.Build(); |
|||
|
|||
/// <summary>
|
|||
/// Processes the event.
|
|||
/// </summary>
|
|||
/// <param name="context">The context associated with the event to process.</param>
|
|||
/// <returns>
|
|||
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation.
|
|||
/// </returns>
|
|||
public Task HandleAsync([NotNull] ApplyLogoutResponseContext context) |
|||
{ |
|||
if (context == null) |
|||
{ |
|||
throw new ArgumentNullException(nameof(context)); |
|||
} |
|||
|
|||
// This handler only applies to OWIN requests. If The OWIN request cannot be resolved,
|
|||
// this may indicate that the request was incorrectly processed by another server stack.
|
|||
var response = context.Transaction.GetOwinRequest()?.Context.Response; |
|||
if (response == null) |
|||
{ |
|||
throw new InvalidOperationException("The OWIN request cannot be resolved."); |
|||
} |
|||
|
|||
if (string.IsNullOrEmpty(context.Response.Error) || !string.IsNullOrEmpty(context.PostLogoutRedirectUri)) |
|||
{ |
|||
return Task.CompletedTask; |
|||
} |
|||
|
|||
// Apply a 400 status code by default.
|
|||
response.StatusCode = 400; |
|||
|
|||
context.SkipRequest(); |
|||
|
|||
return Task.CompletedTask; |
|||
} |
|||
} |
|||
|
|||
/// <summary>
|
|||
/// Contains the logic responsible of processing logout responses that must be returned as plain-text.
|
|||
/// Note: this handler is not used when the OpenID Connect request is not initially handled by OWIN.
|
|||
/// </summary>
|
|||
public class ProcessLocalErrorResponse : IOpenIddictServerHandler<ApplyLogoutResponseContext> |
|||
{ |
|||
/// <summary>
|
|||
/// Gets the default descriptor definition assigned to this handler.
|
|||
/// </summary>
|
|||
public static OpenIddictServerHandlerDescriptor Descriptor { get; } |
|||
= OpenIddictServerHandlerDescriptor.CreateBuilder<ApplyLogoutResponseContext>() |
|||
.AddFilter<RequireOwinRequest>() |
|||
.UseSingletonHandler<ProcessLocalErrorResponse>() |
|||
.SetOrder(int.MaxValue - 100_000) |
|||
.Build(); |
|||
|
|||
/// <summary>
|
|||
/// Processes the event.
|
|||
/// </summary>
|
|||
/// <param name="context">The context associated with the event to process.</param>
|
|||
/// <returns>
|
|||
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation.
|
|||
/// </returns>
|
|||
public async Task HandleAsync([NotNull] ApplyLogoutResponseContext context) |
|||
{ |
|||
if (context == null) |
|||
{ |
|||
throw new ArgumentNullException(nameof(context)); |
|||
} |
|||
|
|||
// This handler only applies to OWIN requests. If The OWIN request cannot be resolved,
|
|||
// this may indicate that the request was incorrectly processed by another server stack.
|
|||
var response = context.Transaction.GetOwinRequest()?.Context.Response; |
|||
if (response == null) |
|||
{ |
|||
throw new InvalidOperationException("The OWIN request cannot be resolved."); |
|||
} |
|||
|
|||
if (string.IsNullOrEmpty(context.Response.Error) || !string.IsNullOrEmpty(context.PostLogoutRedirectUri)) |
|||
{ |
|||
return; |
|||
} |
|||
|
|||
// Don't return the state originally sent by the client application.
|
|||
context.Response.State = null; |
|||
|
|||
// Apply a 400 status code by default.
|
|||
response.StatusCode = 400; |
|||
|
|||
context.Logger.LogInformation("The logout response was successfully returned " + |
|||
"as a plain-text document: {Response}.", context.Response); |
|||
|
|||
using (var buffer = new MemoryStream()) |
|||
using (var writer = new StreamWriter(buffer)) |
|||
{ |
|||
foreach (var parameter in context.Response.GetParameters()) |
|||
{ |
|||
// Ignore null or empty parameters, including JSON
|
|||
// objects that can't be represented as strings.
|
|||
var value = (string) parameter.Value; |
|||
if (string.IsNullOrEmpty(value)) |
|||
{ |
|||
continue; |
|||
} |
|||
|
|||
writer.WriteLine("{0}:{1}", parameter.Key, value); |
|||
} |
|||
|
|||
writer.Flush(); |
|||
|
|||
response.ContentLength = buffer.Length; |
|||
response.ContentType = "text/plain;charset=UTF-8"; |
|||
|
|||
response.Headers["Cache-Control"] = "no-cache"; |
|||
response.Headers["Pragma"] = "no-cache"; |
|||
response.Headers["Expires"] = "Thu, 01 Jan 1970 00:00:00 GMT"; |
|||
|
|||
buffer.Seek(offset: 0, loc: SeekOrigin.Begin); |
|||
await buffer.CopyToAsync(response.Body, 4096, response.Context.Request.CallCancelled); |
|||
} |
|||
|
|||
context.HandleRequest(); |
|||
} |
|||
} |
|||
} |
|||
} |
|||
} |
|||
@ -0,0 +1,571 @@ |
|||
/* |
|||
* Licensed under the Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
|
|||
* See https://github.com/openiddict/openiddict-core for more information concerning
|
|||
* the license and the contributors participating to this project. |
|||
*/ |
|||
|
|||
using System; |
|||
using System.Collections.Immutable; |
|||
using System.Text; |
|||
using System.Threading.Tasks; |
|||
using JetBrains.Annotations; |
|||
using Microsoft.Extensions.Logging; |
|||
using OpenIddict.Abstractions; |
|||
using static OpenIddict.Abstractions.OpenIddictConstants; |
|||
using static OpenIddict.Server.OpenIddictServerEvents; |
|||
using static OpenIddict.Server.OpenIddictServerHandlerFilters; |
|||
|
|||
namespace OpenIddict.Server |
|||
{ |
|||
public static partial class OpenIddictServerHandlers |
|||
{ |
|||
public static class Session |
|||
{ |
|||
public static ImmutableArray<OpenIddictServerHandlerDescriptor> DefaultHandlers { get; } = ImmutableArray.Create( |
|||
/* |
|||
* Logout request top-level processing: |
|||
*/ |
|||
ExtractLogoutRequest.Descriptor, |
|||
ValidateLogoutRequest.Descriptor, |
|||
HandleLogoutRequest.Descriptor, |
|||
ApplyLogoutResponse<ProcessErrorResponseContext>.Descriptor, |
|||
ApplyLogoutResponse<ProcessRequestContext>.Descriptor, |
|||
ApplyLogoutResponse<ProcessSignoutResponseContext>.Descriptor, |
|||
|
|||
/* |
|||
* Logout request validation: |
|||
*/ |
|||
ValidatePostLogoutRedirectUriParameter.Descriptor, |
|||
ValidateClientPostLogoutRedirectUri.Descriptor, |
|||
|
|||
/* |
|||
* Logout response processing: |
|||
*/ |
|||
AttachPostLogoutRedirectUri.Descriptor, |
|||
AttachResponseState.Descriptor); |
|||
|
|||
/// <summary>
|
|||
/// Contains the logic responsible of extracting logout requests and invoking the corresponding event handlers.
|
|||
/// </summary>
|
|||
public class ExtractLogoutRequest : IOpenIddictServerHandler<ProcessRequestContext> |
|||
{ |
|||
private readonly IOpenIddictServerProvider _provider; |
|||
|
|||
public ExtractLogoutRequest([NotNull] IOpenIddictServerProvider provider) |
|||
=> _provider = provider; |
|||
|
|||
/// <summary>
|
|||
/// Gets the default descriptor definition assigned to this handler.
|
|||
/// </summary>
|
|||
public static OpenIddictServerHandlerDescriptor Descriptor { get; } |
|||
= OpenIddictServerHandlerDescriptor.CreateBuilder<ProcessRequestContext>() |
|||
.UseScopedHandler<ExtractLogoutRequest>() |
|||
.SetOrder(int.MinValue + 100_000) |
|||
.Build(); |
|||
|
|||
/// <summary>
|
|||
/// Processes the event.
|
|||
/// </summary>
|
|||
/// <param name="context">The context associated with the event to process.</param>
|
|||
/// <returns>
|
|||
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation.
|
|||
/// </returns>
|
|||
public async Task HandleAsync([NotNull] ProcessRequestContext context) |
|||
{ |
|||
if (context == null) |
|||
{ |
|||
throw new ArgumentNullException(nameof(context)); |
|||
} |
|||
|
|||
if (context.EndpointType != OpenIddictServerEndpointType.Logout) |
|||
{ |
|||
return; |
|||
} |
|||
|
|||
var notification = new ExtractLogoutRequestContext(context.Transaction); |
|||
await _provider.DispatchAsync(notification); |
|||
|
|||
if (notification.IsRequestHandled) |
|||
{ |
|||
context.HandleRequest(); |
|||
return; |
|||
} |
|||
|
|||
else if (notification.IsRequestSkipped) |
|||
{ |
|||
context.SkipRequest(); |
|||
return; |
|||
} |
|||
|
|||
else if (notification.IsRejected) |
|||
{ |
|||
context.Reject( |
|||
error: notification.Error ?? Errors.InvalidRequest, |
|||
description: notification.ErrorDescription, |
|||
uri: notification.ErrorUri); |
|||
return; |
|||
} |
|||
|
|||
if (notification.Request == null) |
|||
{ |
|||
throw new InvalidOperationException(new StringBuilder() |
|||
.Append("The logout request was not correctly extracted. To extract logout requests, ") |
|||
.Append("create a class implementing 'IOpenIddictServerHandler<ExtractLogoutRequestContext>' ") |
|||
.AppendLine("and register it using 'services.AddOpenIddict().AddServer().AddEventHandler()'.") |
|||
.ToString()); |
|||
} |
|||
|
|||
context.Logger.LogInformation("The logout request was successfully extracted: {Request}.", notification.Request); |
|||
} |
|||
} |
|||
|
|||
/// <summary>
|
|||
/// Contains the logic responsible of validating logout requests and invoking the corresponding event handlers.
|
|||
/// </summary>
|
|||
public class ValidateLogoutRequest : IOpenIddictServerHandler<ProcessRequestContext> |
|||
{ |
|||
private readonly IOpenIddictServerProvider _provider; |
|||
|
|||
public ValidateLogoutRequest([NotNull] IOpenIddictServerProvider provider) |
|||
=> _provider = provider; |
|||
|
|||
/// <summary>
|
|||
/// Gets the default descriptor definition assigned to this handler.
|
|||
/// </summary>
|
|||
public static OpenIddictServerHandlerDescriptor Descriptor { get; } |
|||
= OpenIddictServerHandlerDescriptor.CreateBuilder<ProcessRequestContext>() |
|||
.UseScopedHandler<ValidateLogoutRequest>() |
|||
.SetOrder(ExtractLogoutRequest.Descriptor.Order + 1_000) |
|||
.Build(); |
|||
|
|||
/// <summary>
|
|||
/// Processes the event.
|
|||
/// </summary>
|
|||
/// <param name="context">The context associated with the event to process.</param>
|
|||
/// <returns>
|
|||
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation.
|
|||
/// </returns>
|
|||
public async Task HandleAsync([NotNull] ProcessRequestContext context) |
|||
{ |
|||
if (context == null) |
|||
{ |
|||
throw new ArgumentNullException(nameof(context)); |
|||
} |
|||
|
|||
if (context.EndpointType != OpenIddictServerEndpointType.Logout) |
|||
{ |
|||
return; |
|||
} |
|||
|
|||
var notification = new ValidateLogoutRequestContext(context.Transaction); |
|||
await _provider.DispatchAsync(notification); |
|||
|
|||
if (notification.IsRequestHandled) |
|||
{ |
|||
context.HandleRequest(); |
|||
return; |
|||
} |
|||
|
|||
else if (notification.IsRequestSkipped) |
|||
{ |
|||
context.SkipRequest(); |
|||
return; |
|||
} |
|||
|
|||
else if (notification.IsRejected) |
|||
{ |
|||
context.Reject( |
|||
error: notification.Error ?? Errors.InvalidRequest, |
|||
description: notification.ErrorDescription, |
|||
uri: notification.ErrorUri); |
|||
return; |
|||
} |
|||
|
|||
if (!string.IsNullOrEmpty(notification.PostLogoutRedirectUri)) |
|||
{ |
|||
// Store the validated post_logout_redirect_uri as an environment property.
|
|||
context.Transaction.Properties[Properties.PostLogoutRedirectUri] = notification.PostLogoutRedirectUri; |
|||
} |
|||
|
|||
context.Logger.LogInformation("The logout request was successfully validated."); |
|||
} |
|||
} |
|||
|
|||
/// <summary>
|
|||
/// Contains the logic responsible of handling logout requests and invoking the corresponding event handlers.
|
|||
/// </summary>
|
|||
public class HandleLogoutRequest : IOpenIddictServerHandler<ProcessRequestContext> |
|||
{ |
|||
private readonly IOpenIddictServerProvider _provider; |
|||
|
|||
public HandleLogoutRequest([NotNull] IOpenIddictServerProvider provider) |
|||
=> _provider = provider; |
|||
|
|||
/// <summary>
|
|||
/// Gets the default descriptor definition assigned to this handler.
|
|||
/// </summary>
|
|||
public static OpenIddictServerHandlerDescriptor Descriptor { get; } |
|||
= OpenIddictServerHandlerDescriptor.CreateBuilder<ProcessRequestContext>() |
|||
.UseScopedHandler<HandleLogoutRequest>() |
|||
.SetOrder(ValidateLogoutRequest.Descriptor.Order + 1_000) |
|||
.Build(); |
|||
|
|||
/// <summary>
|
|||
/// Processes the event.
|
|||
/// </summary>
|
|||
/// <param name="context">The context associated with the event to process.</param>
|
|||
/// <returns>
|
|||
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation.
|
|||
/// </returns>
|
|||
public async Task HandleAsync([NotNull] ProcessRequestContext context) |
|||
{ |
|||
if (context == null) |
|||
{ |
|||
throw new ArgumentNullException(nameof(context)); |
|||
} |
|||
|
|||
if (context.EndpointType != OpenIddictServerEndpointType.Logout) |
|||
{ |
|||
return; |
|||
} |
|||
|
|||
var notification = new HandleLogoutRequestContext(context.Transaction); |
|||
await _provider.DispatchAsync(notification); |
|||
|
|||
if (notification.IsRequestHandled) |
|||
{ |
|||
context.HandleRequest(); |
|||
return; |
|||
} |
|||
|
|||
else if (notification.IsRequestSkipped) |
|||
{ |
|||
context.SkipRequest(); |
|||
return; |
|||
} |
|||
|
|||
else if (notification.IsRejected) |
|||
{ |
|||
context.Reject( |
|||
error: notification.Error ?? Errors.InvalidRequest, |
|||
description: notification.ErrorDescription, |
|||
uri: notification.ErrorUri); |
|||
return; |
|||
} |
|||
|
|||
if (notification.IsLogoutAllowed) |
|||
{ |
|||
var @event = new ProcessSignoutResponseContext(context.Transaction) |
|||
{ |
|||
Response = new OpenIddictResponse() |
|||
}; |
|||
|
|||
await _provider.DispatchAsync(@event); |
|||
|
|||
if (@event.IsRequestHandled) |
|||
{ |
|||
context.HandleRequest(); |
|||
return; |
|||
} |
|||
|
|||
else if (@event.IsRequestSkipped) |
|||
{ |
|||
context.SkipRequest(); |
|||
return; |
|||
} |
|||
} |
|||
|
|||
throw new InvalidOperationException(new StringBuilder() |
|||
.Append("The logout request was not handled. To handle logout requests, ") |
|||
.Append("create a class implementing 'IOpenIddictServerHandler<HandleLogoutRequestContext>' ") |
|||
.AppendLine("and register it using 'services.AddOpenIddict().AddServer().AddEventHandler()'.") |
|||
.Append("Alternatively, enable the pass-through mode to handle them at a later stage.") |
|||
.ToString()); |
|||
} |
|||
} |
|||
|
|||
/// <summary>
|
|||
/// Contains the logic responsible of processing sign-in responses and invoking the corresponding event handlers.
|
|||
/// </summary>
|
|||
public class ApplyLogoutResponse<TContext> : IOpenIddictServerHandler<TContext> where TContext : BaseRequestContext |
|||
{ |
|||
private readonly IOpenIddictServerProvider _provider; |
|||
|
|||
public ApplyLogoutResponse([NotNull] IOpenIddictServerProvider provider) |
|||
=> _provider = provider; |
|||
|
|||
/// <summary>
|
|||
/// Gets the default descriptor definition assigned to this handler.
|
|||
/// </summary>
|
|||
public static OpenIddictServerHandlerDescriptor Descriptor { get; } |
|||
= OpenIddictServerHandlerDescriptor.CreateBuilder<TContext>() |
|||
.UseScopedHandler<ApplyLogoutResponse<TContext>>() |
|||
.SetOrder(int.MaxValue - 100_000) |
|||
.Build(); |
|||
|
|||
/// <summary>
|
|||
/// Processes the event.
|
|||
/// </summary>
|
|||
/// <param name="context">The context associated with the event to process.</param>
|
|||
/// <returns>
|
|||
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation.
|
|||
/// </returns>
|
|||
public async Task HandleAsync([NotNull] TContext context) |
|||
{ |
|||
if (context == null) |
|||
{ |
|||
throw new ArgumentNullException(nameof(context)); |
|||
} |
|||
|
|||
if (context.EndpointType != OpenIddictServerEndpointType.Logout) |
|||
{ |
|||
return; |
|||
} |
|||
|
|||
var notification = new ApplyLogoutResponseContext(context.Transaction); |
|||
await _provider.DispatchAsync(notification); |
|||
|
|||
if (notification.IsRequestHandled) |
|||
{ |
|||
context.HandleRequest(); |
|||
return; |
|||
} |
|||
|
|||
else if (notification.IsRequestSkipped) |
|||
{ |
|||
context.SkipRequest(); |
|||
return; |
|||
} |
|||
} |
|||
} |
|||
|
|||
/// <summary>
|
|||
/// Contains the logic responsible of rejecting logout requests that specify an invalid post_logout_redirect_uri parameter.
|
|||
/// </summary>
|
|||
public class ValidatePostLogoutRedirectUriParameter : IOpenIddictServerHandler<ValidateLogoutRequestContext> |
|||
{ |
|||
/// <summary>
|
|||
/// Gets the default descriptor definition assigned to this handler.
|
|||
/// </summary>
|
|||
public static OpenIddictServerHandlerDescriptor Descriptor { get; } |
|||
= OpenIddictServerHandlerDescriptor.CreateBuilder<ValidateLogoutRequestContext>() |
|||
.UseSingletonHandler<ValidatePostLogoutRedirectUriParameter>() |
|||
.SetOrder(int.MinValue + 100_000) |
|||
.Build(); |
|||
|
|||
/// <summary>
|
|||
/// Processes the event.
|
|||
/// </summary>
|
|||
/// <param name="context">The context associated with the event to process.</param>
|
|||
/// <returns>
|
|||
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation.
|
|||
/// </returns>
|
|||
public Task HandleAsync([NotNull] ValidateLogoutRequestContext context) |
|||
{ |
|||
if (context == null) |
|||
{ |
|||
throw new ArgumentNullException(nameof(context)); |
|||
} |
|||
|
|||
if (string.IsNullOrEmpty(context.PostLogoutRedirectUri)) |
|||
{ |
|||
return Task.CompletedTask; |
|||
} |
|||
|
|||
// If an optional post_logout_redirect_uri was provided, validate it.
|
|||
if (!Uri.TryCreate(context.PostLogoutRedirectUri, UriKind.Absolute, out Uri uri) || |
|||
!uri.IsWellFormedOriginalString()) |
|||
{ |
|||
context.Logger.LogError("The logout request was rejected because the specified post_logout_redirect_uri " + |
|||
"was not a valid absolute URL: {PostLogoutRedirectUri}.", context.PostLogoutRedirectUri); |
|||
|
|||
context.Reject( |
|||
error: Errors.InvalidRequest, |
|||
description: "The 'post_logout_redirect_uri' parameter must be a valid absolute URL."); |
|||
|
|||
return Task.CompletedTask; |
|||
} |
|||
|
|||
if (!string.IsNullOrEmpty(uri.Fragment)) |
|||
{ |
|||
context.Logger.LogError("The logout request was rejected because the 'post_logout_redirect_uri' contained " + |
|||
"a URL fragment: {PostLogoutRedirectUri}.", context.PostLogoutRedirectUri); |
|||
|
|||
context.Reject( |
|||
error: Errors.InvalidRequest, |
|||
description: "The 'post_logout_redirect_uri' parameter must not include a fragment."); |
|||
|
|||
return Task.CompletedTask; |
|||
} |
|||
|
|||
return Task.CompletedTask; |
|||
} |
|||
} |
|||
|
|||
/// <summary>
|
|||
/// Contains the logic responsible of rejecting logout requests that use an invalid redirect_uri.
|
|||
/// Note: this handler is not used when the degraded mode is enabled.
|
|||
/// </summary>
|
|||
public class ValidateClientPostLogoutRedirectUri : IOpenIddictServerHandler<ValidateLogoutRequestContext> |
|||
{ |
|||
private readonly IOpenIddictApplicationManager _applicationManager; |
|||
|
|||
public ValidateClientPostLogoutRedirectUri() => throw new InvalidOperationException(new StringBuilder() |
|||
.AppendLine("The core services must be registered when enabling the OpenIddict server feature.") |
|||
.Append("To register the OpenIddict core services, reference the 'OpenIddict.Core' package ") |
|||
.AppendLine("and call 'services.AddOpenIddict().AddCore()' from 'ConfigureServices'.") |
|||
.Append("Alternatively, you can disable the built-in database-based server features by enabling ") |
|||
.Append("the degraded mode with 'services.AddOpenIddict().AddServer().EnableDegradedMode()'.") |
|||
.ToString()); |
|||
|
|||
public ValidateClientPostLogoutRedirectUri([NotNull] IOpenIddictApplicationManager applicationManager) |
|||
=> _applicationManager = applicationManager; |
|||
|
|||
/// <summary>
|
|||
/// Gets the default descriptor definition assigned to this handler.
|
|||
/// </summary>
|
|||
public static OpenIddictServerHandlerDescriptor Descriptor { get; } |
|||
= OpenIddictServerHandlerDescriptor.CreateBuilder<ValidateLogoutRequestContext>() |
|||
.AddFilter<RequireDegradedModeDisabled>() |
|||
.AddFilter<RequirePostLogoutRedirectUriParameter>() |
|||
.UseScopedHandler<ValidateClientPostLogoutRedirectUri>() |
|||
.SetOrder(ValidatePostLogoutRedirectUriParameter.Descriptor.Order + 1_000) |
|||
.Build(); |
|||
|
|||
/// <summary>
|
|||
/// Processes the event.
|
|||
/// </summary>
|
|||
/// <param name="context">The context associated with the event to process.</param>
|
|||
/// <returns>
|
|||
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation.
|
|||
/// </returns>
|
|||
public async Task HandleAsync([NotNull] ValidateLogoutRequestContext context) |
|||
{ |
|||
if (context == null) |
|||
{ |
|||
throw new ArgumentNullException(nameof(context)); |
|||
} |
|||
|
|||
async Task<bool> ValidatePostLogoutRedirectUriAsync(string address) |
|||
{ |
|||
var applications = await _applicationManager.FindByPostLogoutRedirectUriAsync(address); |
|||
if (applications.IsDefaultOrEmpty) |
|||
{ |
|||
return false; |
|||
} |
|||
|
|||
if (context.Options.IgnoreEndpointPermissions) |
|||
{ |
|||
return true; |
|||
} |
|||
|
|||
foreach (var application in applications) |
|||
{ |
|||
if (await _applicationManager.HasPermissionAsync(application, Permissions.Endpoints.Logout)) |
|||
{ |
|||
return true; |
|||
} |
|||
} |
|||
|
|||
return false; |
|||
} |
|||
|
|||
if (!await ValidatePostLogoutRedirectUriAsync(context.PostLogoutRedirectUri)) |
|||
{ |
|||
context.Logger.LogError("The logout request was rejected because the specified post_logout_redirect_uri " + |
|||
"was unknown: {PostLogoutRedirectUri}.", context.PostLogoutRedirectUri); |
|||
|
|||
context.Reject( |
|||
error: Errors.InvalidRequest, |
|||
description: "The specified 'post_logout_redirect_uri' parameter is not valid."); |
|||
|
|||
return; |
|||
} |
|||
} |
|||
} |
|||
|
|||
/// <summary>
|
|||
/// Contains the logic responsible of inferring the redirect URL
|
|||
/// used to send the response back to the client application.
|
|||
/// </summary>
|
|||
public class AttachPostLogoutRedirectUri : IOpenIddictServerHandler<ApplyLogoutResponseContext> |
|||
{ |
|||
/// <summary>
|
|||
/// Gets the default descriptor definition assigned to this handler.
|
|||
/// </summary>
|
|||
public static OpenIddictServerHandlerDescriptor Descriptor { get; } |
|||
= OpenIddictServerHandlerDescriptor.CreateBuilder<ApplyLogoutResponseContext>() |
|||
.UseSingletonHandler<AttachPostLogoutRedirectUri>() |
|||
.SetOrder(int.MinValue + 100_000) |
|||
.Build(); |
|||
|
|||
/// <summary>
|
|||
/// Processes the event.
|
|||
/// </summary>
|
|||
/// <param name="context">The context associated with the event to process.</param>
|
|||
/// <returns>
|
|||
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation.
|
|||
/// </returns>
|
|||
public Task HandleAsync([NotNull] ApplyLogoutResponseContext context) |
|||
{ |
|||
if (context == null) |
|||
{ |
|||
throw new ArgumentNullException(nameof(context)); |
|||
} |
|||
|
|||
if (context.Request == null) |
|||
{ |
|||
return Task.CompletedTask; |
|||
} |
|||
|
|||
// Note: at this stage, the validated redirect URI property may be null (e.g if an error
|
|||
// is returned from the ExtractLogoutRequest/ValidateLogoutRequest events).
|
|||
if (context.Transaction.Properties.TryGetValue(Properties.PostLogoutRedirectUri, out var property)) |
|||
{ |
|||
context.PostLogoutRedirectUri = (string) property; |
|||
} |
|||
|
|||
return Task.CompletedTask; |
|||
} |
|||
} |
|||
|
|||
/// <summary>
|
|||
/// Contains the logic responsible of attaching the state to the response.
|
|||
/// </summary>
|
|||
public class AttachResponseState : IOpenIddictServerHandler<ApplyLogoutResponseContext> |
|||
{ |
|||
/// <summary>
|
|||
/// Gets the default descriptor definition assigned to this handler.
|
|||
/// </summary>
|
|||
public static OpenIddictServerHandlerDescriptor Descriptor { get; } |
|||
= OpenIddictServerHandlerDescriptor.CreateBuilder<ApplyLogoutResponseContext>() |
|||
.UseSingletonHandler<AttachResponseState>() |
|||
.SetOrder(AttachPostLogoutRedirectUri.Descriptor.Order + 1_000) |
|||
.Build(); |
|||
|
|||
/// <summary>
|
|||
/// Processes the event.
|
|||
/// </summary>
|
|||
/// <param name="context">The context associated with the event to process.</param>
|
|||
/// <returns>
|
|||
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation.
|
|||
/// </returns>
|
|||
public Task HandleAsync([NotNull] ApplyLogoutResponseContext context) |
|||
{ |
|||
if (context == null) |
|||
{ |
|||
throw new ArgumentNullException(nameof(context)); |
|||
} |
|||
|
|||
// Attach the request state to the logout response.
|
|||
if (string.IsNullOrEmpty(context.Response.State)) |
|||
{ |
|||
context.Response.State = context.Request?.State; |
|||
} |
|||
|
|||
return Task.CompletedTask; |
|||
} |
|||
} |
|||
} |
|||
} |
|||
} |
|||
Loading…
Reference in new issue