Add SuperOffice to the list of supported providers

3 years ago · 8f73e5fcce
2 changed files with 97 additions and 0 deletions
--- a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs
+++ b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs
@ -28,6 +28,8 @@ public static partial class OpenIddictClientWebIntegrationHandlers
        AdjustRedirectUriInTokenRequest.Descriptor,
        OverrideValidatedBackchannelTokens.Descriptor,
        DisableBackchannelIdentityTokenNonceValidation.Descriptor,
+        OverrideUserinfoEndpoint.Descriptor,
+        DisableUserinfoValidation.Descriptor,
        AttachAdditionalUserinfoRequestParameters.Descriptor,
        PopulateUserinfoTokenPrincipalFromTokenResponse.Descriptor,

@ -398,6 +400,87 @@ public static partial class OpenIddictClientWebIntegrationHandlers
        }
    }

+    /// <summary>
+    /// Contains the logic responsible for overriding the address
+    /// of the userinfo endpoint for the providers that require it.
+    /// </summary>
+    public sealed class OverrideUserinfoEndpoint : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    {
+        /// <summary>
+        /// Gets the default descriptor definition assigned to this handler.
+        /// </summary>
+        public static OpenIddictClientHandlerDescriptor Descriptor { get; }
+            = OpenIddictClientHandlerDescriptor.CreateBuilder<ProcessAuthenticationContext>()
+                .UseSingletonHandler<OverrideUserinfoEndpoint>()
+                .SetOrder(ResolveUserinfoEndpoint.Descriptor.Order + 500)
+                .SetType(OpenIddictClientHandlerType.BuiltIn)
+                .Build();
+
+        /// <inheritdoc/>
+        public ValueTask HandleAsync(ProcessAuthenticationContext context)
+        {
+            if (context is null)
+            {
+                throw new ArgumentNullException(nameof(context));
+            }
+
+            context.UserinfoEndpoint = context.Registration.ProviderName switch
+            {
+                // SuperOffice doesn't expose a static OpenID Connect userinfo endpoint but offers an API whose
+                // absolute URI needs to be computed based on a special claim returned in the identity token.
+                Providers.SuperOffice when
+                    (context.BackchannelIdentityTokenPrincipal ?? // Always prefer the backchannel identity token when available.
+                     context.FrontchannelIdentityTokenPrincipal) is ClaimsPrincipal principal &&
+                    Uri.TryCreate(principal.GetClaim("http://schemes.superoffice.net/identity/webapi_url"), UriKind.Absolute, out Uri? uri)
+                    => OpenIddictHelpers.CreateAbsoluteUri(uri, new Uri("v1/user/currentPrincipal", UriKind.Relative)),
+
+                _ => context.UserinfoEndpoint
+            };
+
+            return default;
+        }
+    }
+
+    /// <summary>
+    /// Contains the logic responsible for disabling the userinfo validation for the providers that require it.
+    /// </summary>
+    public sealed class DisableUserinfoValidation : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    {
+        /// <summary>
+        /// Gets the default descriptor definition assigned to this handler.
+        /// </summary>
+        public static OpenIddictClientHandlerDescriptor Descriptor { get; }
+            = OpenIddictClientHandlerDescriptor.CreateBuilder<ProcessAuthenticationContext>()
+                .UseSingletonHandler<DisableUserinfoValidation>()
+                .SetOrder(EvaluateUserinfoRequest.Descriptor.Order + 500)
+                .SetType(OpenIddictClientHandlerType.BuiltIn)
+                .Build();
+
+        /// <inheritdoc/>
+        public ValueTask HandleAsync(ProcessAuthenticationContext context)
+        {
+            if (context is null)
+            {
+                throw new ArgumentNullException(nameof(context));
+            }
+
+            // Note: despite implementing OpenID Connect, some providers are known to implement completely custom
+            // userinfo endpoints or semi-standard endpoints that don't fully conform to the core specification.
+            //
+            // To ensure OpenIddict can be used with these providers, validation is disabled when necessary.
+
+            context.DisableUserinfoValidation = context.Registration.ProviderName switch
+            {
+                // SuperOffice doesn't offer a standard OpenID Connect userinfo endpoint.
+                Providers.SuperOffice => true,
+
+                _ => context.DisableUserinfoValidation
+            };
+
+            return default;
+        }
+    }
+
    /// <summary>
    /// Contains the logic responsible for attaching additional parameters
    /// to the userinfo request for the providers that require it.
--- a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml
+++ b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml
@ -625,6 +625,20 @@
    </Environment>
  </Provider>

+  <!--
+                            ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
+                            ██ ▄▄▄ ██ ██ ██ ▄▄ ██ ▄▄▄██ ▄▄▀██ ▄▄▄ ██ ▄▄▄██ ▄▄▄█▄ ▄██ ▄▄▀██ ▄▄▄██
+                            ██▄▄▄▀▀██ ██ ██ ▀▀ ██ ▄▄▄██ ▀▀▄██ ███ ██ ▄▄███ ▄▄███ ███ █████ ▄▄▄██
+                            ██ ▀▀▀ ██▄▀▀▄██ █████ ▀▀▀██ ██ ██ ▀▀▀ ██ █████ ████▀ ▀██ ▀▀▄██ ▀▀▀██
+                            ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
+  -->
+
+  <Provider Name="SuperOffice" Documentation="https://docs.superoffice.com/en/authentication/online/api.html">
+    <Environment Name="Production"  Issuer="https://online.superoffice.com/" />
+    <Environment Name="Development" Issuer="https://sod.superoffice.com/" />
+    <Environment Name="Staging"     Issuer="https://qaonline.superoffice.com/" />
+  </Provider>
+
  <!--
                                              ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
                                              █▄▄ ▄▄██ ▄▄▀█ ▄▄▀██ █▀▄█▄▄ ▄▄██