Merge branch 'master' of github.com:Squidex/squidex

5 years ago · 4303d06512
7 changed files with 48 additions and 3 deletions
--- a/backend/src/Squidex.Infrastructure/Security/Extensions.cs
+++ b/backend/src/Squidex.Infrastructure/Security/Extensions.cs
@ -67,6 +67,12 @@ namespace Squidex.Infrastructure.Security
            return principal.Claims.FirstOrDefault(x => x.Type == OpenIdClaims.Email)?.Value;
        }

+        public static string? TryFindEmail(this ClaimsPrincipal principal)
+        {
+            return principal.Claims.FirstOrDefault(x => x.Type == ClaimTypes.Email)?.Value ??
+                   principal.Claims.FirstOrDefault(x => x.Type == OpenIdClaims.Email)?.Value;
+        }
+
        public static bool IsInClient(this ClaimsPrincipal principal, string client)
        {
            return principal.Claims.Any(x => x.Type == OpenIdClaims.ClientId && string.Equals(x.Value, client, StringComparison.OrdinalIgnoreCase));
--- a/backend/src/Squidex/Areas/IdentityServer/Controllers/Account/AccountController.cs
+++ b/backend/src/Squidex/Areas/IdentityServer/Controllers/Account/AccountController.cs
@ -294,7 +294,7 @@ namespace Squidex.Areas.IdentityServer.Controllers.Account
            }
            else
            {
-                var email = externalLogin.Principal.FindFirst(ClaimTypes.Email)?.Value!;
+                var email = externalLogin.Principal.TryFindEmail();

                user = await userManager.FindByEmailWithClaimsAsync(email);

--- a/backend/src/Squidex/Areas/IdentityServer/Controllers/Extensions.cs
+++ b/backend/src/Squidex/Areas/IdentityServer/Controllers/Extensions.cs
@ -12,6 +12,7 @@ using System.Security.Claims;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authentication.OpenIdConnect;
 using Microsoft.AspNetCore.Identity;
+using Squidex.Infrastructure.Security;
 using Squidex.Web;

 namespace Squidex.Areas.IdentityServer.Controllers
@ -22,7 +23,7 @@ namespace Squidex.Areas.IdentityServer.Controllers
        {
            var externalLogin = await signInManager.GetExternalLoginInfoAsync(expectedXsrf);

-            var email = externalLogin.Principal.FindFirst(ClaimTypes.Email)?.Value;
+            var email = externalLogin.Principal.TryFindEmail();

            if (string.IsNullOrWhiteSpace(email))
            {
--- a/backend/src/Squidex/Config/Authentication/OidcHandler.cs
+++ b/backend/src/Squidex/Config/Authentication/OidcHandler.cs
@ -40,5 +40,19 @@ namespace Squidex.Config.Authentication

            return base.TokenValidated(context);
        }
+
+        public override Task RedirectToIdentityProviderForSignOut(RedirectContext context)
+        {
+            if (!string.IsNullOrEmpty(options.OidcOnSignoutRedirectUrl))
+            {
+                var logoutUri = options.OidcOnSignoutRedirectUrl;
+                context.Response.Redirect(logoutUri);
+                context.HandleResponse();
+
+                return Task.CompletedTask;
+            }
+
+            return base.RedirectToIdentityProviderForSignOut(context);
+        }
    }
 }
--- a/backend/src/Squidex/Config/Authentication/OidcServices.cs
+++ b/backend/src/Squidex/Config/Authentication/OidcServices.cs
@ -24,9 +24,21 @@ namespace Squidex.Config.Authentication
                    options.Authority = identityOptions.OidcAuthority;
                    options.ClientId = identityOptions.OidcClient;
                    options.ClientSecret = identityOptions.OidcSecret;
-                    options.RequireHttpsMetadata = false;
+                    options.RequireHttpsMetadata = identityOptions.RequiresHttps;
                    options.Events = new OidcHandler(identityOptions);

+                    if (!string.IsNullOrEmpty(identityOptions.OidcMetadataAddress))
+                    {
+                        options.MetadataAddress = identityOptions.OidcMetadataAddress;
+                    }
+
+                    if (!string.IsNullOrEmpty(identityOptions.OidcResponseType))
+                    {
+                        options.ResponseType = identityOptions.OidcResponseType;
+                    }
+
+                    options.GetClaimsFromUserInfoEndpoint = identityOptions.OidcGetClaimsFromUserInfoEndpoint;
+
                    if (identityOptions.OidcScopes != null)
                    {
                        foreach (var scope in identityOptions.OidcScopes)
--- a/backend/src/Squidex/Config/MyIdentityOptions.cs
+++ b/backend/src/Squidex/Config/MyIdentityOptions.cs
@ -47,12 +47,20 @@ namespace Squidex.Config

        public string OidcAuthority { get; set; }

+        public string OidcMetadataAddress { get; set; }
+
        public string OidcRoleClaimType { get; set; }

        public string[] OidcScopes { get; set; }

+        public string OidcResponseType { get; set; }
+
+        public bool OidcGetClaimsFromUserInfoEndpoint { get; set; }
+
        public Dictionary<string, string[]> OidcRoleMapping { get; set; }

+        public string OidcOnSignoutRedirectUrl { get; set; }
+
        public bool AdminRecreate { get; set; }

        public bool AllowPasswordAuth { get; set; }
--- a/backend/src/Squidex/appsettings.json
+++ b/backend/src/Squidex/appsettings.json
@ -648,9 +648,13 @@
    "oidcAuthority": "",
    "oidcClient": "",
    "oidcSecret": "",
+    "oidcMetadataAddress": "",
    "oidcScopes": [
      "email"
    ],
+    "oidcResponseType": "id_token", // or "code"
+    "oidcGetClaimsFromUserInfoEndpoint": false,
+    "oidcOnSignoutRedirectUrl": "",

    /*
     * Lock new users automatically, the administrator must unlock them.