Better validation of email for external oidc provider.

7 years ago · 4390c696e8
4 changed files with 14 additions and 2 deletions
--- a/src/Squidex/Areas/IdentityServer/Controllers/Extensions.cs
+++ b/src/Squidex/Areas/IdentityServer/Controllers/Extensions.cs
@ -5,6 +5,7 @@
 //  All rights reserved. Licensed under the MIT license.
 // ==========================================================================

+using System;
 using System.Collections.Generic;
 using System.Linq;
 using System.Security.Claims;
@ -20,7 +21,14 @@ namespace Squidex.Areas.IdentityServer.Controllers
        {
            var externalLogin = await signInManager.GetExternalLoginInfoAsync(expectedXsrf);

-            externalLogin.ProviderDisplayName = externalLogin.Principal.FindFirst(ClaimTypes.Email).Value;
+            var email = externalLogin.Principal.FindFirst(ClaimTypes.Email)?.Value;
+
+            if (string.IsNullOrWhiteSpace(email))
+            {
+                throw new InvalidOperationException("External provider does not provide email claim.");
+            }
+
+            externalLogin.ProviderDisplayName = email;

            return externalLogin;
        }
@ -28,6 +36,7 @@ namespace Squidex.Areas.IdentityServer.Controllers
        public static async Task<List<ExternalProvider>> GetExternalProvidersAsync(this SignInManager<IdentityUser> signInManager)
        {
            var externalSchemes = await signInManager.GetExternalAuthenticationSchemesAsync();
+
            var externalProviders =
                externalSchemes.Where(x => x.Name != OpenIdConnectDefaults.AuthenticationScheme)
                    .Select(x => new ExternalProvider(x.Name, x.DisplayName)).ToList();
--- a/src/Squidex/Areas/IdentityServer/Views/Account/Login.cshtml
+++ b/src/Squidex/Areas/IdentityServer/Views/Account/Login.cshtml
@ -36,7 +36,7 @@

        <div class="form-group">
            <button class="btn external-button btn-block btn btn-@schema" type="submit" name="provider" value="@provider.AuthenticationScheme">
-                <i class="icon-@schema external-icon"></i> @type with <strong>@provider.AuthenticationScheme</strong>
+                <i class="icon-@schema external-icon"></i> @type with <strong>@provider.DisplayName</strong>
            </button>
        </div>
    }
--- a/src/Squidex/Config/Authentication/OidcServices.cs
+++ b/src/Squidex/Config/Authentication/OidcServices.cs
@ -24,6 +24,7 @@ namespace Squidex.Config.Authentication
                    options.Authority = identityOptions.OidcAuthority;
                    options.ClientId = identityOptions.OidcClient;
                    options.ClientSecret = identityOptions.OidcSecret;
+                    options.Scope.Add(Constants.EmailScope);
                    options.Scope.Add(Constants.PermissionsScope);
                    options.RequireHttpsMetadata = false;
                });
--- a/src/Squidex/Config/Constants.cs
+++ b/src/Squidex/Config/Constants.cs
@ -23,6 +23,8 @@ namespace Squidex.Config

        public static readonly string PortalPrefix = "/portal";

+        public static readonly string EmailScope = "email";
+
        public static readonly string RoleScope = "role";

        public static readonly string PermissionsScope = "permissions";