From 4390c696e84639edcb7e45a1e9e80c11a9637e07 Mon Sep 17 00:00:00 2001
From: Sebastian Stehle
Date: Tue, 26 Mar 2019 17:47:17 +0100
Subject: [PATCH] Better validation of email for external oidc provider.
---
 .../Areas/IdentityServer/Controllers/Extensions.cs | 11 ++++++++++-
 .../Areas/IdentityServer/Views/Account/Login.cshtml | 2 +-
 src/Squidex/Config/Authentication/OidcServices.cs | 1 +
 src/Squidex/Config/Constants.cs | 2 ++
 4 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/src/Squidex/Areas/IdentityServer/Controllers/Extensions.cs b/src/Squidex/Areas/IdentityServer/Controllers/Extensions.cs
index de5b21262..652c61f79 100644
--- a/src/Squidex/Areas/IdentityServer/Controllers/Extensions.cs
+++ b/src/Squidex/Areas/IdentityServer/Controllers/Extensions.cs
@@ -5,6 +5,7 @@
 // All rights reserved. Licensed under the MIT license.
 // ==========================================================================
+using System;
 using System.Collections.Generic;
 using System.Linq;
 using System.Security.Claims;
@@ -20,7 +21,14 @@ namespace Squidex.Areas.IdentityServer.Controllers
 {
 var externalLogin = await signInManager.GetExternalLoginInfoAsync(expectedXsrf);
- externalLogin.ProviderDisplayName = externalLogin.Principal.FindFirst(ClaimTypes.Email).Value;
+ var email = externalLogin.Principal.FindFirst(ClaimTypes.Email)?.Value;
+
+ if (string.IsNullOrWhiteSpace(email))
+ {
+ throw new InvalidOperationException("External provider does not provide email claim.");
+ }
+
+ externalLogin.ProviderDisplayName = email;
 return externalLogin;
 }
@@ -28,6 +36,7 @@ namespace Squidex.Areas.IdentityServer.Controllers
 public static async Task> GetExternalProvidersAsync(this SignInManager signInManager)
 {
 var externalSchemes = await signInManager.GetExternalAuthenticationSchemesAsync();
+
 var externalProviders = externalSchemes.Where(x => x.Name != OpenIdConnectDefaults.AuthenticationScheme) .Select(x => new ExternalProvider(x.Name, x.DisplayName)).ToList(); 
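Review bot: `externalLogin` is still dereferenced without a null check on the new `var email = externalLogin.Principal.FindFirst(ClaimTypes.Email)?.Value;` line; `SignInManager.GetExternalLoginInfoAsync` returns null when no external login info is available (for example a missing external cookie or an `expectedXsrf` mismatch), so that path ends in a NullReferenceException rather than the controlled InvalidOperationException this hunk adds for the missing claim. A guard before the lookup such as `if (externalLogin == null) { throw new InvalidOperationException("External login info is not available."); }` keeps the failure explicit; whether the caller would rather receive null is not visible here, since the method's signature starts above this hunk. Because the email is now the only thing the provider has to supply to pass this check, if it is later used to find or link an existing account it would be worth also requiring the provider's `email_verified` claim; that downstream use is outside this diff.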
diff --git a/src/Squidex/Areas/IdentityServer/Views/Account/Login.cshtml b/src/Squidex/Areas/IdentityServer/Views/Account/Login.cshtml
index 9e76e4eb0..54b6042d0 100644
--- a/src/Squidex/Areas/IdentityServer/Views/Account/Login.cshtml
+++ b/src/Squidex/Areas/IdentityServer/Views/Account/Login.cshtml
@@ -36,7 +36,7 @@
}
diff --git a/src/Squidex/Config/Authentication/OidcServices.cs b/src/Squidex/Config/Authentication/OidcServices.cs
index 9d344601b..5d34ee58d 100644
--- a/src/Squidex/Config/Authentication/OidcServices.cs
+++ b/src/Squidex/Config/Authentication/OidcServices.cs
@@ -24,6 +24,7 @@ namespace Squidex.Config.Authentication
 options.Authority = identityOptions.OidcAuthority;
 options.ClientId = identityOptions.OidcClient;
 options.ClientSecret = identityOptions.OidcSecret;
+ options.Scope.Add(Constants.EmailScope);
 options.Scope.Add(Constants.PermissionsScope);
 options.RequireHttpsMetadata = false;
 });
diff --git a/src/Squidex/Config/Constants.cs b/src/Squidex/Config/Constants.cs
index 84cd529e3..ee9aa76e8 100644
--- a/src/Squidex/Config/Constants.cs
+++ b/src/Squidex/Config/Constants.cs
@@ -23,6 +23,8 @@ namespace Squidex.Config
 public static readonly string PortalPrefix = "/portal";
+ public static readonly string EmailScope = "email";
+
 public static readonly string RoleScope = "role";
 public static readonly string PermissionsScope = "permissions";
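Review bot: `options.RequireHttpsMetadata = false;` on the context line two below the added `options.Scope.Add(Constants.EmailScope);` still lets this provider's discovery document and signing keys be fetched over plain HTTP, and the email claim obtained through the new scope is only as trustworthy as those keys. If the setting exists for local development, consider deriving it instead of hard-coding it, e.g. `options.RequireHttpsMetadata = !identityOptions.OidcAuthority.StartsWith("http://", StringComparison.OrdinalIgnoreCase);`, or gating it on an existing environment flag if the options expose one. The options lambda this sits in starts outside the hunk.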