
Auth fixed.

Sebastian 6 years ago
parent
commit
70d317f3be
  1. 2
      backend/src/Squidex.Web/Constants.cs
  2. 7
      backend/src/Squidex.Web/Pipeline/AccessTokenQueryMiddleware.cs
  3. 4
      backend/src/Squidex/Areas/OrleansDashboard/Middlewares/OrleansDashboardAuthenticationMiddleware.cs
  4. 78
      backend/src/Squidex/Config/Authentication/IdentityServerServices.cs

2
backend/src/Squidex.Web/Constants.cs

@ -18,7 +18,7 @@ namespace Squidex.Web
public static readonly string ApiScope = "squidex-api";
public static readonly string ApiSecurityScheme = "identity-server";
public static readonly string ApiSecurityScheme = "custom";
public static readonly string OrleansClusterId = "squidex-v2";

7
backend/src/Squidex.Web/Pipeline/AccessTokenQueryMiddleware.cs

@ -24,12 +24,17 @@ namespace Squidex.Web.Pipeline
{
var request = context.Request;
if (!string.IsNullOrWhiteSpace(request.Headers[HeaderNames.Authorization]) && request.Query.TryGetValue("access_token", out var token))
if (HasNoAuthHeader(request) && request.Query.TryGetValue("access_token", out var token))
{
request.Headers[HeaderNames.Authorization] = token;
}
return next(context);
}
private static bool HasNoAuthHeader(HttpRequest request)
{
return string.IsNullOrWhiteSpace(request.Headers[HeaderNames.Authorization]);
}
}
}
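Review bot: The value copied at `request.Headers[HeaderNames.Authorization] = token;` is the raw `access_token` query value, so downstream handlers that expect the `Bearer ` scheme prefix in the Authorization header will only succeed if callers already include it in the URL; if bare tokens are intended, write `request.Headers[HeaderNames.Authorization] = $"Bearer {token}";` or add a comment stating the expected format. Accepting bearer tokens from the query string also lands them in access logs, browser history and Referer headers, which is worth a one-line comment naming the endpoints that need this (presumably asset/download links) so the exposure is a documented trade-off rather than an accident. Note also that an unconditional overwrite is avoided only because of `HasNoAuthHeader`, so that helper is load-bearing and deserves a short summary comment. The enclosing method starts before this hunk.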

4
backend/src/Squidex/Areas/OrleansDashboard/Middlewares/OrleansDashboardAuthenticationMiddleware.cs

@ -44,9 +44,11 @@ namespace Squidex.Areas.OrleansDashboard.Middlewares
}
else
{
var redirectUri = context.Request.PathBase + context.Request.Path;
await context.ChallengeAsync(OpenIdConnectDefaults.AuthenticationScheme, new AuthenticationProperties
{
RedirectUri = context.Request.PathBase + context.Request.Path
RedirectUri = redirectUri
});
}
}

78
backend/src/Squidex/Config/Authentication/IdentityServerServices.cs

@ -5,14 +5,13 @@
// All rights reserved. Licensed under the MIT license.
// ==========================================================================
using IdentityModel.AspNetCore.OAuth2Introspection;
using IdentityServer4;
using IdentityServer4.AccessTokenValidation;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Squidex.Infrastructure;
using Squidex.Web;
namespace Squidex.Config.Authentication
@ -21,23 +20,21 @@ namespace Squidex.Config.Authentication
{
public static AuthenticationBuilder AddSquidexIdentityServerAuthentication(this AuthenticationBuilder authBuilder, MyIdentityOptions identityOptions, IConfiguration config)
{
var apiScope = Constants.ApiScope;
var apiAuthorityUrl = identityOptions.AuthorityUrl;
var urlsOptions = config.GetSection("urls").Get<UrlsOptions>();
var useCustomAuthorityUrl = !string.IsNullOrWhiteSpace(apiAuthorityUrl);
if (!string.IsNullOrWhiteSpace(urlsOptions.BaseUrl))
if (!useCustomAuthorityUrl)
{
string apiAuthorityUrl;
var urlsOptions = config.GetSection("urls").Get<UrlsOptions>();
if (!string.IsNullOrWhiteSpace(identityOptions.AuthorityUrl))
{
apiAuthorityUrl = identityOptions.AuthorityUrl.BuildFullUrl(Constants.IdentityServerPrefix);
}
else
{
apiAuthorityUrl = urlsOptions.BuildUrl(Constants.IdentityServerPrefix);
}
apiAuthorityUrl = urlsOptions.BuildUrl(Constants.IdentityServerPrefix);
}
var apiScope = Constants.ApiScope;
if (useCustomAuthorityUrl)
{
authBuilder.AddIdentityServerAuthentication(options =>
{
options.Authority = apiAuthorityUrl;
@ -45,36 +42,41 @@ namespace Squidex.Config.Authentication
options.ApiSecret = null;
options.RequireHttpsMetadata = identityOptions.RequiresHttps;
options.SupportedTokens = SupportedTokens.Jwt;
var fromHeader = TokenRetrieval.FromAuthorizationHeader();
var fromQuery = TokenRetrieval.FromQueryString();
options.TokenRetriever = request =>
{
var result = fromHeader(request) ?? fromQuery(request);
return result;
};
});
authBuilder.AddOpenIdConnect(options =>
}
else
{
authBuilder.AddLocalApi(options =>
{
options.Authority = apiAuthorityUrl;
options.ClientId = Constants.InternalClientId;
options.ClientSecret = Constants.InternalClientSecret;
options.CallbackPath = "/signin-internal";
options.RequireHttpsMetadata = identityOptions.RequiresHttps;
options.SaveTokens = true;
options.Scope.Add(Constants.PermissionsScope);
options.Scope.Add(Constants.ProfileScope);
options.Scope.Add(Constants.RoleScope);
options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.ExpectedScope = apiScope;
});
}
authBuilder.AddLocalApi(Constants.ApiSecurityScheme, options =>
authBuilder.AddOpenIdConnect(options =>
{
options.ExpectedScope = Constants.ApiScope;
options.Authority = apiAuthorityUrl;
options.ClientId = Constants.InternalClientId;
options.ClientSecret = Constants.InternalClientSecret;
options.CallbackPath = "/signin-internal";
options.RequireHttpsMetadata = identityOptions.RequiresHttps;
options.SaveTokens = true;
options.Scope.Add(Constants.PermissionsScope);
options.Scope.Add(Constants.ProfileScope);
options.Scope.Add(Constants.RoleScope);
options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
});
authBuilder.AddPolicyScheme(Constants.ApiSecurityScheme, Constants.ApiSecurityScheme, options =>
{
options.ForwardDefaultSelector = context =>
{
if (useCustomAuthorityUrl)
{
return IdentityServerAuthenticationDefaults.AuthenticationScheme;
}
return IdentityServerConstants.LocalApi.PolicyName;
};
});
return authBuilder;
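Review bot: The policy scheme's `ForwardDefaultSelector` returns `IdentityServerConstants.LocalApi.PolicyName` where an authentication scheme name is expected; in IdentityServer4 that constant appears to alias `LocalApi.AuthenticationScheme`, so it works, but using the scheme constant makes the intent explicit: `return IdentityServerConstants.LocalApi.AuthenticationScheme;`. Since `useCustomAuthorityUrl` is fixed at startup, the per-request lambda can be replaced by a static forward, `options.ForwardDefault = useCustomAuthorityUrl ? IdentityServerAuthenticationDefaults.AuthenticationScheme : IdentityServerConstants.LocalApi.AuthenticationScheme;`, which also removes the two-way branch from every request. A comment above `AddPolicyScheme` explaining the two modes (external authority validates JWTs via introspection-free `SupportedTokens.Jwt`; otherwise the built-in LocalApi handler) would help operators understand why `ApiSecret` is null here. Note that with a custom authority the configured URL is now used verbatim rather than having the identity-server prefix appended, so issuer validation binds to exactly what is configured — worth calling out for anyone upgrading with an existing `authorityUrl` setting.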
