Update the ADFS provider to support configuring the requested resources

3 years ago · 8f2ee984d2
3 changed files with 14 additions and 1 deletions
--- a/src/OpenIddict.Client.SystemIntegration/OpenIddictClientSystemIntegrationHandlers.cs
+++ b/src/OpenIddict.Client.SystemIntegration/OpenIddictClientSystemIntegrationHandlers.cs
@ -1321,7 +1321,7 @@ public static partial class OpenIddictClientSystemIntegrationHandlers
            = OpenIddictClientHandlerDescriptor.CreateBuilder<ProcessAuthenticationContext>()
                .AddFilter<RequireAuthenticationNonce>()
                .UseSingletonHandler<RestoreUserinfoDetailsFromMarshalledAuthentication>()
-                .SetOrder(SendUserinfoRequest.Descriptor.Order + 500)
+                .SetOrder(ValidateUserinfoTokenSubject.Descriptor.Order + 500)
                .SetType(OpenIddictClientHandlerType.BuiltIn)
                .Build();

--- a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs
+++ b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs
@ -673,6 +673,15 @@ public static partial class OpenIddictClientWebIntegrationHandlers
                throw new ArgumentNullException(nameof(context));
            }

+            // Active Directory Federation Services allows sending a custom "resource"
+            // parameter to define what API resources the access token will give access to.
+            if (context.Registration.ProviderName is Providers.ActiveDirectoryFederationServices)
+            {
+                var options = context.Registration.GetActiveDirectoryFederationServicesOptions();
+
+                context.Request["resource"] = options.Resource;
+            }
+
            // By default, Google doesn't return a refresh token but allows sending an "access_type"
            // parameter to retrieve one (but it is only returned during the first authorization dance).
            if (context.Registration.ProviderName is Providers.Google)
--- a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml
+++ b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml
@ -24,6 +24,9 @@

    <Setting PropertyName="Issuer" ParameterName="issuer" Type="Uri" Required="true"
             Description="The URI used to access the ADFS instance, including the virtual directory (e.g https://contoso.com/adfs)" />
+
+    <Setting PropertyName="Resource" ParameterName="resource" Type="String" Required="false"
+             Description="The optional value used as the 'resource' parameter (e.g urn:microsoft:userinfo)" />
  </Provider>

  <!--
@ -350,6 +353,7 @@
        it seems that new applications are only allowed to use "read_write". As such,
        "read_write" is automatically added if no scope is explicitly configured.
      -->
+
      <Scope Name="read_write" Default="true" Required="false" />
    </Environment>