paul/yavsc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

oidc

Browse Source
This commit is contained in:
Paul Schneider
2016-06-01 23:47:06 +02:00
parent 9342d48c9d
commit e85b41313f
41 changed files with 740 additions and 57 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
Yavsc/Views/Shared/Authorize.cshtml
View File

@ -1,18 +1,18 @@
@using AspNet.Security.OpenIdConnect.Extensions
@using Microsoft.IdentityModel.Protocols.OpenIdConnect
@using Mvc.Server.Models
@model Tuple<OpenIdConnectMessage, Application>
@model AuthorisationView
<div class="jumbotron">
<h1>Authorization</h1>
<p class="lead text-left">Do you wanna grant <strong>@Model.Item2.DisplayName</strong> an access to your resources? (scopes requested: @Model.Item1.Scope)</p>
<p class="lead text-left">Do you wanna grant <strong>@Model.Application.DisplayName</strong> an access to your resources? (scopes requested: @Model.Message.Scope)</p>
<form enctype="application/x-www-form-urlencoded" method="post">
@Html.AntiForgeryToken()
@foreach (var parameter in Model.Item1.Parameters) {
@foreach (var parameter in Model.Message.Parameters) {
<input type="hidden" name="@parameter.Key" value="@parameter.Value" />
}

3
Yavsc/Views/Shared/Forbidden.cshtml Normal file
View File

@ -0,0 +1,3 @@
@model string
Accès interdit : @model

6
Yavsc/omnisharp.json Normal file
View File

@ -0,0 +1,6 @@
{
"dotnet": {
"projects": "*/project.json",
"enablePackageRestore": false
}
}

10
Yavsc/project.json
View File

@ -58,15 +58,15 @@
"Microsoft.AspNet.IISPlatformHandler": "1.0.0-rc1-*",
"Microsoft.AspNet.Mvc": "6.0.0-rc1-*",
"Microsoft.AspNet.Mvc.TagHelpers": "6.0.0-rc1-*",
"Microsoft.AspNet.Server.Kestrel": "1.0.0-rc1-*",
"Microsoft.AspNet.Server.Kestrel": "1.0.0-rc1-final",
"Microsoft.AspNet.StaticFiles": "1.0.0-rc1-*",
"Microsoft.AspNet.Tooling.Razor": "1.0.0-rc1-*",
"Microsoft.Extensions.Configuration.FileProviderExtensions": "1.0.0-rc1-*",
"Microsoft.Extensions.Configuration.Json": "1.0.0-rc1-*",
"Microsoft.Extensions.Configuration.Abstractions": "1.0.0-rc1-final",
"Microsoft.Extensions.Configuration.UserSecrets": "1.0.0-rc1-*",
"Microsoft.Extensions.Logging": "1.0.0-rc1-*",
"Microsoft.Extensions.Logging.Console": "1.0.0-rc1-*",
"Microsoft.Extensions.Logging": "1.0.0-rc1-final",
"Microsoft.Extensions.Logging.Console": "1.0.0-rc1-final",
"Microsoft.Extensions.Logging.Debug": "1.0.0-rc1-final",
"Microsoft.Framework.DependencyInjection": "1.0.0-beta8",
"Microsoft.Extensions.DependencyInjection.Abstractions": "1.0.0-rc1-final",
@ -110,8 +110,8 @@
"Microsoft.AspNet.DataProtection": "1.0.0-rc1-final",
"Microsoft.AspNet.DataProtection.SystemWeb": "1.0.0-rc1-final",
"Microsoft.AspNet.Authentication.JwtBearer": "1.0.0-rc1-final",
"System.IdentityModel.Tokens": "5.0.0-rc1-208241120",
"System.IdentityModel.Tokens.Jwt": "5.0.0-rc1-208241120",
"System.IdentityModel.Tokens": "5.0.0-rc1-211161024",
"System.IdentityModel.Tokens.Jwt": "5.0.0-rc1-211161024",
"Microsoft.AspNet.Authorization": "1.0.0-rc1-final",
"AspNet.Security.OpenIdConnect.Server": "1.0.0-beta4"
},

166
Yavsc/project.lock.json
View File

File diff suppressed because it is too large Load Diff

1
Yavsc/src/Controllers/AccountController.cs
View File

@ -136,7 +136,6 @@ namespace Yavsc.Controllers
[ValidateAntiForgeryToken]
public async Task<IActionResult> LogOff(string returnUrl = null)
{
await HttpContext.Authentication.SignOutAsync("ServerCookie");
await _signInManager.SignOutAsync();
_logger.LogInformation(4, "User logged out.");
if (returnUrl==null) return RedirectToAction(nameof(HomeController.Index), "Home");

12
Yavsc/src/Controllers/BlogspotController.cs
View File

@ -92,14 +92,14 @@ namespace Yavsc.Controllers
}
// GET: Blog/Create
[Authorize("Authenticated")]
[Authorize()]
public IActionResult Create()
{
return View();
}
// POST: Blog/Create
[HttpPost, Authorize("Authenticated"), ValidateAntiForgeryToken]
[HttpPost, Authorize(), ValidateAntiForgeryToken]
public IActionResult Create(Blog blog)
{
blog.modified = blog.posted = DateTime.Now;
@ -117,7 +117,7 @@ namespace Yavsc.Controllers
_logger.LogWarning("Invalid Blog posted ...");
return View(blog);
}
[Authorize("Authenticated")]
[Authorize()]
// GET: Blog/Edit/5
public async Task<IActionResult> Edit(long? id)
{
@ -143,7 +143,7 @@ namespace Yavsc.Controllers
// POST: Blog/Edit/5
[HttpPost]
[ValidateAntiForgeryToken,Authorize("Authenticated")]
[ValidateAntiForgeryToken,Authorize()]
public IActionResult Edit(Blog blog)
{
if (ModelState.IsValid)
@ -166,7 +166,7 @@ namespace Yavsc.Controllers
}
// GET: Blog/Delete/5
[ActionName("Delete"),Authorize("Authenticated")]
[ActionName("Delete"),Authorize()]
public IActionResult Delete(long? id)
{
if (id == null)
@ -186,7 +186,7 @@ namespace Yavsc.Controllers
}
// POST: Blog/Delete/5
[HttpPost, ActionName("Delete"), Authorize("Authenticated")]
[HttpPost, ActionName("Delete"), Authorize()]
[ValidateAntiForgeryToken]
public IActionResult DeleteConfirmed(long id)
{

19
Yavsc/src/Controllers/OAuthController.cs
View File

@ -26,6 +26,8 @@ namespace Yavsc.Controllers
{
ApplicationDbContext _context;
UserManager<ApplicationUser> _userManager;
SiteSettings _siteSettings;
ILogger _logger;
private readonly SignInManager<ApplicationUser> _signInManager;
@ -34,9 +36,11 @@ namespace Yavsc.Controllers
public OAuthController(ApplicationDbContext context, SignInManager<ApplicationUser> signInManager, IKeyManager keyManager,
IOptions<TokenAuthOptions> tokenOptions,
UserManager<ApplicationUser> userManager,
IOptions<SiteSettings> siteSettings,
ILoggerFactory loggerFactory
)
{
_siteSettings = siteSettings.Value;
_context = context;
_signInManager = signInManager;
_tokenOptions = tokenOptions.Value;
@ -48,6 +52,7 @@ namespace Yavsc.Controllers
[HttpGet("~/signin")]
public ActionResult SignIn(string returnUrl = null, string target = null)
{
_logger.LogWarning($"Singin wanted: returnUrl: {returnUrl} target: {target}");
// Note: the "returnUrl" parameter corresponds to the endpoint the user agent
// will be redirected to after a successful authentication and not
// the redirect_uri of the requesting client application.
@ -72,7 +77,7 @@ namespace Yavsc.Controllers
[HttpGet("~/forbidden")]
public ActionResult Forbidden(string returnUrl = null)
{
return SignIn("/Account/ExternalLoginCallback",returnUrl);
return View(returnUrl);
}
[HttpPost("~/signin")]
@ -200,11 +205,12 @@ namespace Yavsc.Controllers
})
});
}
// Note: ASOS automatically ensures that an application corresponds to the client_id specified
// in the authorization request by calling IOpenIdConnectServerProvider.ValidateAuthorizationRequest.
// In theory, this null check shouldn't be needed, but a race condition could occur if you
// manually removed the application details from the database after the initial check made by ASOS.
/* FIXME response.ClientId && request.ClientId are null or empty here */
_logger.LogInformation($"ensures that an application corresponds to the client_id specified ({request.ClientId})");
var application = await GetApplicationAsync(request.ClientId, cancellationToken);
if (application == null)
{
@ -217,10 +223,10 @@ namespace Yavsc.Controllers
}
// Note: in a real world application, you'd probably prefer creating a specific view model.
return View("Authorize", Tuple.Create(request, application));
return View("Authorize", new AuthorisationView { Message = request, Application = application});
}
[Authorize, HttpPost("~/connect/authorize/accept"), ValidateAntiForgeryToken]
[HttpPost("~/connect/authorize/accept"), ValidateAntiForgeryToken]
public async Task<IActionResult> Accept(CancellationToken cancellationToken)
{
var response = HttpContext.GetOpenIdConnectResponse();
@ -268,6 +274,7 @@ namespace Yavsc.Controllers
var application = await GetApplicationAsync(request.ClientId, cancellationToken);
if (application == null)
{
_logger.LogError($"OidcError: {request.ClientId} {response.ClientId} ");
return View("OidcError", new OpenIdConnectMessage
{
Error = OpenIdConnectConstants.Errors.InvalidClient,
@ -296,7 +303,7 @@ namespace Yavsc.Controllers
// You can also limit the resources endpoints
// the access token should be issued for:
properties.SetResources(new[] {
"http://localhost:54540/"
_siteSettings.Audience
});
// This call will instruct AspNet.Security.OpenIdConnect.Server to serialize
@ -312,7 +319,7 @@ namespace Yavsc.Controllers
return new EmptyResult();
}
[Authorize, HttpPost("~/connect/authorize/deny"), ValidateAntiForgeryToken]
[HttpPost("~/connect/authorize/deny"), ValidateAntiForgeryToken]
public IActionResult Deny(CancellationToken cancellationToken)
{
var response = HttpContext.GetOpenIdConnectResponse();

21
Yavsc/src/Providers/OAuthProvider.cs
View File

@ -43,11 +43,11 @@ namespace Yavsc.Providers {
}
var database = context.HttpContext.RequestServices.GetRequiredService<ApplicationDbContext>();
_logger.LogInformation($"Searching fo app id {context.ClientId}");
_logger.LogInformation($"Searching fo app id {context.Request.ClientId}");
// Retrieve the application details corresponding to the requested client_id.
var application = await (from entity in database.Applications
where entity.ApplicationID == context.ClientId
where entity.ApplicationID == context.Request.ClientId
select entity).SingleOrDefaultAsync(context.HttpContext.RequestAborted);
if (application == null) {
@ -66,7 +66,7 @@ namespace Yavsc.Providers {
return;
}
_logger.LogInformation("do Validate Authorization!");
context.Validated();
}
@ -120,19 +120,14 @@ namespace Yavsc.Providers {
return;
}
_logger.LogInformation("do Validate Token request!");
context.Validated();
}
/// <summary>
/// List provided offline access tokens, to a given
/// user by its id
/// </summary>
/// <param name="userid"></param>
/// <returns></returns>
public List<string> GetOfflineTokens(string userid) {
throw new NotImplementedException();
public override Task TokenEndpoint (TokenEndpointContext context)
{
_logger.LogWarning($"OIDC success : IsAccessToken: {context.AuthenticationTicket.IsAccessToken()}");
return Task.FromResult(0);
}
}
}

31
Yavsc/src/Startup.cs
View File

@ -156,10 +156,12 @@ namespace Yavsc
RSAKeyUtils.GetKeyParameters(keyParamsFileInfo.Name) :
RSAKeyUtils.GenerateKeyAndSave(keyParamsFileInfo.Name);
key = new RsaSecurityKey(keyParams);
services.Configure<SharedAuthenticationOptions>(options =>
{
options.SignInScheme = "ServerCookie";
});
});
/*
services.Configure<TokenAuthOptions>(
to =>
{
@ -169,7 +171,7 @@ namespace Yavsc
new SigningCredentials(key, SecurityAlgorithms.RsaSha256Signature);
}
);
);*/
services.Add(ServiceDescriptor.Singleton(typeof(IOptions<SiteSettings>), typeof(OptionsManager<SiteSettings>)));
services.Add(ServiceDescriptor.Singleton(typeof(IOptions<SmtpSettings>), typeof(OptionsManager<SmtpSettings>)));
@ -202,10 +204,6 @@ namespace Yavsc
{
option.User.AllowedUserNameCharacters += " ";
option.User.RequireUniqueEmail = true;
option.Cookies.ApplicationCookie.LoginPath = "/authenticate";
option.Cookies.ApplicationCookie.LogoutPath = "/signout";
option.Cookies.ApplicationCookie.AccessDeniedPath = "/forbidden"; // TODO /forbidden
// FIXME option.Cookies.ApplicationCookie.ReturnUrlParameter = "target";
}
).AddEntityFrameworkStores<ApplicationDbContext>()
.AddTokenProvider<EmailTokenProvider<ApplicationUser>>(Constants.EMailFactor)
@ -249,7 +247,7 @@ namespace Yavsc
});
// options.AddPolicy("EmployeeId", policy => policy.RequireClaim("EmployeeId", "123", "456"));
// options.AddPolicy("BuildingEntry", policy => policy.Requirements.Add(new OfficeEntryRequirement()));
options.AddPolicy("Authenticated", policy => policy.RequireAuthenticatedUser());
// options.AddPolicy("Authenticated", policy => policy.RequireAuthenticatedUser());
});
services.AddSingleton<IAuthorizationHandler, HasBadgeHandler>();
@ -404,8 +402,7 @@ namespace Yavsc
EnableDirectoryBrowsing = false
});
app.UseStaticFiles().UseWebSockets();
app.UseIdentity();
app.UseOpenIdConnectServer(options =>
{
options.Provider = new AuthorizationProvider(loggerFactory);
@ -426,7 +423,7 @@ namespace Yavsc
options.TokenEndpointPath = new PathString("/connect/authorize/accept");
options.UseSlidingExpiration = true;
options.AllowInsecureHttp = true;
options.AuthenticationScheme = "oidc"; // was = OpenIdConnectDefaults.AuthenticationScheme;
options.AuthenticationScheme = "ServerCookie"; // was = OpenIdConnectDefaults.AuthenticationScheme || "oidc";
options.LogoutEndpointPath = new PathString("/connect/logout");
/* options.ValidationEndpointPath = new PathString("/connect/introspect"); */
@ -434,6 +431,8 @@ namespace Yavsc
app.UseWhen(context => context.Request.Path.StartsWithSegments(new PathString("/api")), branch =>
{
branch.UseIdentity();
branch.UseJwtBearerAuthentication(options =>
{
options.AutomaticAuthenticate = true;
@ -441,13 +440,15 @@ namespace Yavsc
options.RequireHttpsMetadata = false;
options.Audience = siteSettings.Value.Audience;
options.Authority = siteSettings.Value.Authority;
});
});
// Create a new branch where the registered middleware will be executed only for API calls.
app.UseWhen(context => !context.Request.Path.StartsWithSegments(new PathString("/api")), branch =>
{
// Create a new branch where the registered middleware will be executed only for non API calls.
branch.UseIdentity();
branch.UseCookieAuthentication(options =>
{
options.AutomaticAuthenticate = true;
@ -455,8 +456,9 @@ namespace Yavsc
options.AuthenticationScheme = "ServerCookie";
options.CookieName = CookieAuthenticationDefaults.CookiePrefix + "ServerCookie";
options.ExpireTimeSpan = TimeSpan.FromMinutes(5);
options.LoginPath = new PathString("/authenticate");
options.LoginPath = new PathString("/signin");
options.LogoutPath = new PathString("/signout");
options.ReturnUrlParameter = "target";
});
branch.UseMiddleware<GoogleMiddleware>(googleOptions);
@ -472,8 +474,6 @@ namespace Yavsc
});
app.UseRequestLocalization(localizationOptions.Value, (RequestCulture)new RequestCulture((string)"fr"));
/* Generic OAuth (here GitHub): options.Notifications = new OAuthAuthenticationNotifications
@ -521,9 +521,6 @@ namespace Yavsc
}; */
app.UseMvc(routes =>
{
routes.MapRoute(

0
Yavsc/src/AuthorisationHandlers.cs → Yavsc/src/ViewModels/Auth/AuthorisationHandlers.cs
View File

12
Yavsc/src/ViewModels/Auth/AuthorisationView.cs Normal file
View File

@ -0,0 +1,12 @@
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
namespace Yavsc
{
public class AuthorisationView { 
public OpenIdConnectMessage Message { get; set; }
public Application Application { get; set; }
}
}

0
Yavsc/src/ClaimTypes.cs → Yavsc/src/ViewModels/Auth/ClaimTypes.cs
View File