From 8b590c67cd1e7f6646e2652044faa6611fae6a58 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?=
Date: Tue, 9 Jan 2024 07:53:27 +0100
Subject: [PATCH] Add Okta to the list of supported providers

---
 .../InteractiveService.cs | 16 +++++++++---
 .../OpenIddictClientWebIntegrationHandlers.cs | 15 +++++++++++
 ...penIddictClientWebIntegrationProviders.xml | 25 +++++++++++++++++--
 3 files changed, 50 insertions(+), 6 deletions(-)

diff --git a/sandbox/OpenIddict.Sandbox.Console.Client/InteractiveService.cs b/sandbox/OpenIddict.Sandbox.Console.Client/InteractiveService.cs
index e19c9ccf..bf18e8f3 100644
--- a/sandbox/OpenIddict.Sandbox.Console.Client/InteractiveService.cs
+++ b/sandbox/OpenIddict.Sandbox.Console.Client/InteractiveService.cs
@@ -58,16 +58,22 @@ public class InteractiveService : BackgroundService
             if (result.VerificationUriComplete is not null)
             {
-                AnsiConsole.MarkupLineInterpolated(
-                    $"[yellow]Please visit [link]{result.VerificationUriComplete}[/] and confirm the displayed code is '{result.UserCode}' to complete the authentication demand.[/]");
+                AnsiConsole.MarkupLineInterpolated($"""
+                    [yellow]Please visit [link]{result.VerificationUriComplete}[/] and confirm the
+                    displayed code is '{result.UserCode}' to complete the authentication demand.[/]
+                    """);
             }
             else
             {
-                AnsiConsole.MarkupLineInterpolated(
-                    $"[yellow]Please visit [link]{result.VerificationUri}[/] and enter '{result.UserCode}' to complete the authentication demand.[/]");
+                AnsiConsole.MarkupLineInterpolated($"""
+                    [yellow]Please visit [link]{result.VerificationUri}[/] and enter
+                    '{result.UserCode}' to complete the authentication demand.[/]
+                    """);
             }
+            AnsiConsole.MarkupLine("[cyan]Waiting for the user to approve the authorization demand.[/]");
+
             // Wait for the user to complete the demand on the other device.
             principal = (await _service.AuthenticateWithDeviceAsync(new()
             {
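Review bot: The switch to multi-line interpolated raw strings in both branches of the `if (result.VerificationUriComplete is not null)` block embeds a literal line break in the middle of the sentence ("and confirm the" / "displayed code is …", "and enter" / "'{result.UserCode}' …"), so the rendered message now hard-wraps at a source-chosen column rather than the terminal width. If the intent was only to keep the source line short, the text of each message should stay on one line inside the raw string, or the break should be placed at a sentence boundary so narrow terminals do not produce a double wrap. Keeping the user code on the same line as its surrounding quotes avoids a reader copying a wrapped fragment. The enclosing method starts before and continues after this hunk.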
@@ -90,6 +96,8 @@ public class InteractiveService : BackgroundService
                 ProviderName = provider
             });
+            AnsiConsole.MarkupLine("[cyan]Waiting for the user to approve the authorization demand.[/]");
+
             // Wait for the user to complete the authorization process.
             principal = (await _service.AuthenticateInteractivelyAsync(new()
             {
diff --git a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs
index 3cb6b3ce..c67c24ec 100644
--- a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs
+++ b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs
@@ -706,6 +706,21 @@ public static partial class OpenIddictClientWebIntegrationHandlers
                 _ => context.SendUserinfoRequest
             },
+            // Note: some providers don't allow querying the userinfo endpoint when the "openid" scope
+            // is not requested or granted. To work around that, userinfo is disabled when the "openid"
+            // scope wasn't requested during the initial authorization request or during the token request.
+            ProviderTypes.Okta => context.GrantType switch
+            {
+                GrantTypes.AuthorizationCode or GrantTypes.Implicit when
+                    context.StateTokenPrincipal is ClaimsPrincipal principal && !principal.HasScope(Scopes.OpenId)
+                    => false,
+
+                GrantTypes.DeviceCode or GrantTypes.RefreshToken when !context.Scopes.Contains(Scopes.OpenId)
+                    => false,
+
+                _ => context.SendUserinfoRequest
+            },
+
             _ => context.SendUserinfoRequest
         };
diff --git a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml
index 6bb70c38..1c68f286 100644
--- a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml
+++ b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml
@@ -711,6 +711,27 @@ + + + + + + + + + + - +
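Review bot: In the new `ProviderTypes.Okta` arm of OpenIddictClientWebIntegrationHandlers.cs, the comment describes Okta rejecting userinfo when "openid" is "not requested or granted", but both `when` guards only look at what the client itself asked for: the scopes recorded in `context.StateTokenPrincipal` for code/implicit and `context.Scopes` for device-code/refresh-token. Nothing consults the `scope` value the provider returns in the token response, so if Okta narrows the granted scopes the userinfo request is still sent and presumably fails, which is the case the first sentence of the comment warns about. Either narrow the comment to the half that is actually handled, e.g. `// To work around that, userinfo is disabled when the "openid" scope wasn't requested; a provider-side scope downgrade is not detected here.`, or, if the token response scopes are exposed on the context, add them to the guards. It is also not stated why client-credentials and password grants fall through to `context.SendUserinfoRequest` rather than the same scope check; a one-line comment would help. The enclosing switch expression begins and ends outside this hunk.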