
Use Uri.OriginalString for issuer comparison

pull/1398/head
Kévin Chalet 4 years ago
parent
commit
cf0e49a3b8
  1. 2
      src/OpenIddict.Client/OpenIddictClientHandlers.Protection.cs
  2. 17
      src/OpenIddict.Client/OpenIddictClientHandlers.Userinfo.cs
  3. 6
      src/OpenIddict.Client/OpenIddictClientHandlers.cs
  4. 2
      src/OpenIddict.Validation.ServerIntegration/OpenIddictValidationServerIntegrationBuilder.cs
  5. 4
      src/OpenIddict.Validation.ServerIntegration/OpenIddictValidationServerIntegrationExtensions.cs
  6. 17
      src/OpenIddict.Validation/OpenIddictValidationHandlers.Introspection.cs
  7. 2
      src/OpenIddict.Validation/OpenIddictValidationHandlers.Protection.cs

2
src/OpenIddict.Client/OpenIddictClientHandlers.Protection.cs

@ -110,7 +110,7 @@ public static partial class OpenIddictClientHandlers
var parameters = registration!.TokenValidationParameters.Clone();
parameters.ValidIssuer ??= configuration.Issuer?.AbsoluteUri ?? registration.Issuer?.AbsoluteUri;
parameters.ValidIssuer ??= configuration.Issuer?.OriginalString;
parameters.ValidateIssuer = !string.IsNullOrEmpty(parameters.ValidIssuer);
// Combine the signing keys registered statically in the token validation parameters
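Review bot: With the `registration.Issuer` fallback removed, a server configuration that carries no `issuer` now leaves `parameters.ValidIssuer` null and the very next line sets `ValidateIssuer = false`, so issuer validation is silently switched off instead of failing closed; before this change the registration's issuer still covered that case. I would fail explicitly here, e.g. `parameters.ValidIssuer ??= configuration.Issuer?.OriginalString ?? registration.Issuer?.OriginalString ?? throw new InvalidOperationException(/* suitable SR resource */);`, or at least reject a null issuer before the `ValidateIssuer` assignment. The motivation for the new line is also undocumented; a short why-comment would help: `// Use OriginalString rather than AbsoluteUri so the expected issuer matches the 'iss' claim byte-for-byte (AbsoluteUri is a normalized form and can, for instance, append a trailing slash to a bare authority).` The enclosing handler body starts before and continues after this hunk.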

17
src/OpenIddict.Client/OpenIddictClientHandlers.Userinfo.cs

@ -97,7 +97,7 @@ public static partial class OpenIddictClientHandlers
.Build();
/// <inheritdoc/>
public ValueTask HandleAsync(HandleUserinfoResponseContext context)
public async ValueTask HandleAsync(HandleUserinfoResponseContext context)
{
if (context is null)
{
@ -107,7 +107,16 @@ public static partial class OpenIddictClientHandlers
// Ignore the response instance if a userinfo token was extracted.
if (!string.IsNullOrEmpty(context.UserinfoToken))
{
return default;
return;
}
var configuration = await context.Registration.ConfigurationManager.GetConfigurationAsync(default) ??
throw new InvalidOperationException(SR.GetResourceString(SR.ID0140));
// Ensure the issuer resolved from the configuration matches the expected value.
if (configuration.Issuer != context.Issuer)
{
throw new InvalidOperationException(SR.GetResourceString(SR.ID0307));
}
// Create a new claims-based identity using the same authentication type
@ -120,7 +129,7 @@ public static partial class OpenIddictClientHandlers
// Resolve the issuer that will be attached to the claims created by this handler.
// Note: at this stage, the optional issuer extracted from the response is assumed
// to be valid, as it is guarded against unknown values by the ValidateIssuer handler.
var issuer = (string?) context.Response[Claims.Issuer] ?? context.Issuer?.AbsoluteUri ?? ClaimsIdentity.DefaultIssuer;
var issuer = (string?) context.Response[Claims.Issuer] ?? configuration.Issuer!.OriginalString;
foreach (var parameter in context.Response.GetParameters())
{
@ -196,8 +205,6 @@ public static partial class OpenIddictClientHandlers
context.Principal = new ClaimsPrincipal(identity);
return default;
static string GetClaimValueType(JsonValueKind kind) => kind switch
{
JsonValueKind.True or JsonValueKind.False => ClaimValueTypes.Boolean,
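Review bot: The new issuer guard does not reject a missing issuer: if `configuration.Issuer` and `context.Issuer` are both null, `configuration.Issuer != context.Issuer` is false, the check passes, and `configuration.Issuer!.OriginalString` a few lines further down throws a NullReferenceException instead of the intended ID0307 error. Tighten it to `if (configuration.Issuer is null || configuration.Issuer != context.Issuer)` and drop the `!` on the later dereference. Note also that `!=` on `Uri` goes through `Uri.Equals`, which compares normalized components and ignores the fragment — I believe `https://issuer.example` and `https://issuer.example/` compare equal there — so despite the commit title this check is looser than the `OriginalString` value now used for `ValidIssuer`; if exact matching is the intent, compare `string.Equals(configuration.Issuer?.OriginalString, context.Issuer?.OriginalString, StringComparison.Ordinal)` instead. `HandleAsync` spans all three hunks of this file and the stretches between them are not shown.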

6
src/OpenIddict.Client/OpenIddictClientHandlers.cs

@ -75,7 +75,7 @@ public static partial class OpenIddictClientHandlers
ValidateRequiredUserinfoToken.Descriptor,
ValidateUserinfoToken.Descriptor,
ValidateUserinfoTokenWellknownClaims.Descriptor,
ValidateUserinfoTokenWellknownSubject.Descriptor,
ValidateUserinfoTokenSubject.Descriptor,
/*
* Challenge processing:
@ -2663,7 +2663,7 @@ public static partial class OpenIddictClientHandlers
/// <summary>
/// Contains the logic responsible of validating the subject claim contained in the userinfo token.
/// </summary>
public class ValidateUserinfoTokenWellknownSubject : IOpenIddictClientHandler<ProcessAuthenticationContext>
public class ValidateUserinfoTokenSubject : IOpenIddictClientHandler<ProcessAuthenticationContext>
{
/// <summary>
/// Gets the default descriptor definition assigned to this handler.
@ -2672,7 +2672,7 @@ public static partial class OpenIddictClientHandlers
= OpenIddictClientHandlerDescriptor.CreateBuilder<ProcessAuthenticationContext>()
.AddFilter<RequireStateTokenPrincipal>()
.AddFilter<RequireUserinfoTokenPrincipal>()
.UseSingletonHandler<ValidateUserinfoTokenWellknownSubject>()
.UseSingletonHandler<ValidateUserinfoTokenSubject>()
.SetOrder(ValidateUserinfoTokenWellknownClaims.Descriptor.Order + 1_000)
.SetType(OpenIddictClientHandlerType.BuiltIn)
.Build();

2
src/OpenIddict.Validation.ServerIntegration/OpenIddictValidationServerIntegrationBuilder.cs

@ -15,7 +15,7 @@ namespace Microsoft.Extensions.DependencyInjection;
public class OpenIddictValidationServerIntegrationBuilder
{
/// <summary>
/// Initializes a new instance of <see cref="OpenIddictValidationBuilder"/>.
/// Initializes a new instance of <see cref="OpenIddictValidationServerIntegrationBuilder"/>.
/// </summary>
/// <param name="services">The services collection.</param>
public OpenIddictValidationServerIntegrationBuilder(IServiceCollection services)

4
src/OpenIddict.Validation.ServerIntegration/OpenIddictValidationServerIntegrationExtensions.cs

@ -22,7 +22,7 @@ public static class OpenIddictValidationServerIntegrationExtensions
/// </summary>
/// <param name="builder">The services builder used by OpenIddict to register new services.</param>
/// <remarks>This extension can be safely called multiple times.</remarks>
/// <returns>The <see cref="OpenIddictValidationBuilder"/>.</returns>
/// <returns>The <see cref="OpenIddictValidationServerIntegrationBuilder"/>.</returns>
public static OpenIddictValidationServerIntegrationBuilder UseLocalServer(this OpenIddictValidationBuilder builder)
{
if (builder is null)
@ -47,7 +47,7 @@ public static class OpenIddictValidationServerIntegrationExtensions
/// <param name="builder">The services builder used by OpenIddict to register new services.</param>
/// <param name="configuration">The configuration delegate used to configure the validation services.</param>
/// <remarks>This extension can be safely called multiple times.</remarks>
/// <returns>The <see cref="OpenIddictBuilder"/>.</returns>
/// <returns>The <see cref="OpenIddictValidationBuilder"/>.</returns>
public static OpenIddictValidationBuilder UseLocalServer(
this OpenIddictValidationBuilder builder, Action<OpenIddictValidationServerIntegrationBuilder> configuration)
{

17
src/OpenIddict.Validation/OpenIddictValidationHandlers.Introspection.cs

@ -351,13 +351,22 @@ public static partial class OpenIddictValidationHandlers
.Build();
/// <inheritdoc/>
public ValueTask HandleAsync(HandleIntrospectionResponseContext context)
public async ValueTask HandleAsync(HandleIntrospectionResponseContext context)
{
if (context is null)
{
throw new ArgumentNullException(nameof(context));
}
var configuration = await context.Options.ConfigurationManager.GetConfigurationAsync(default) ??
throw new InvalidOperationException(SR.GetResourceString(SR.ID0140));
// Ensure the issuer resolved from the configuration matches the expected value.
if (configuration is not null && configuration.Issuer != context.Issuer)
{
throw new InvalidOperationException(SR.GetResourceString(SR.ID0307));
}
// Create a new claims-based identity using the same authentication type
// and the name/role claims as the one used by IdentityModel for JWT tokens.
var identity = new ClaimsIdentity(
@ -368,7 +377,9 @@ public static partial class OpenIddictValidationHandlers
// Resolve the issuer that will be attached to the claims created by this handler.
// Note: at this stage, the optional issuer extracted from the response is assumed
// to be valid, as it is guarded against unknown values by the ValidateIssuer handler.
var issuer = (string?) context.Response[Claims.Issuer] ?? context.Issuer?.AbsoluteUri ?? ClaimsIdentity.DefaultIssuer;
var issuer = (string?) context.Response[Claims.Issuer] ??
configuration?.Issuer?.OriginalString ??
context.Issuer?.OriginalString ?? ClaimsIdentity.DefaultIssuer;
foreach (var parameter in context.Response.GetParameters())
{
@ -444,8 +455,6 @@ public static partial class OpenIddictValidationHandlers
context.Principal = new ClaimsPrincipal(identity);
return default;
static string GetClaimValueType(JsonValueKind kind) => kind switch
{
JsonValueKind.True or JsonValueKind.False => ClaimValueTypes.Boolean,
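Review bot: The `configuration is not null &&` part of the issuer check is dead code: `GetConfigurationAsync(default) ?? throw ...` two lines above already guarantees a non-null `configuration`, and the `configuration?.Issuer` in the later fallback chain is misleading for the same reason, as it reads as if a null configuration could reach that point. Simplify both to `if (configuration.Issuer != context.Issuer)` and `configuration.Issuer?.OriginalString ??`. The guard also lets a configuration without an `issuer` through whenever `context.Issuer` is null too, in which case the claims end up attributed to `context.Issuer?.OriginalString ?? ClaimsIdentity.DefaultIssuer` rather than a real issuer; the client-side counterpart in this same commit uses the configuration issuer unconditionally, so consider adding `configuration.Issuer is null ||` to the guard so that a missing issuer fails with ID0307 here as well. `HandleAsync` runs across all three hunks of this file and the lines between them are not visible.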

2
src/OpenIddict.Validation/OpenIddictValidationHandlers.Protection.cs

@ -70,7 +70,7 @@ public static partial class OpenIddictValidationHandlers
// Clone the token validation parameters and set the issuer using the value found in the
// OpenID Connect server configuration (that can be static or retrieved using discovery).
var parameters = context.Options.TokenValidationParameters.Clone();
parameters.ValidIssuer ??= configuration.Issuer?.AbsoluteUri ?? context.Issuer?.AbsoluteUri;
parameters.ValidIssuer ??= configuration.Issuer?.OriginalString;
parameters.ValidateIssuer = !string.IsNullOrEmpty(parameters.ValidIssuer);
// Combine the signing keys registered statically in the token validation parameters
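Review bot: Dropping the `context.Issuer?.AbsoluteUri` fallback means a configuration with no `issuer` now leaves `parameters.ValidIssuer` null, and the following `ValidateIssuer = !string.IsNullOrEmpty(...)` line then disables issuer validation altogether instead of rejecting the token; previously `context.Issuer` still filled that gap. Fail closed instead, e.g. `parameters.ValidIssuer ??= configuration.Issuer?.OriginalString ?? context.Issuer?.OriginalString ?? throw new InvalidOperationException(/* suitable SR resource */);`. The comment above the line still only says the issuer comes from the server configuration; it should also record why `OriginalString` is preferred, e.g. `// OriginalString keeps the issuer exactly as configured/discovered so it matches the token's 'iss' claim; AbsoluteUri is a normalized form (it can add a trailing slash to a bare authority) and would break the exact comparison.` The enclosing handler starts before and continues after this hunk.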
