Merge pull request #2072 from sbwalker/dev

OIDC improvements
2022-03-21 10:39:51 -04:00 · 2022-03-21 10:39:51 -04:00 · af5d25490a
commit af5d25490a
parent b92b20e8d2 fb161ae783
2 changed files with 17 additions and 6 deletions
--- a/Oqtane.Client/Modules/Admin/Users/Index.razor
+++ b/Oqtane.Client/Modules/Admin/Users/Index.razor
@ -154,6 +154,12 @@ else
 							<input id="clientsecret" class="form-control" @bind="@_clientsecret" />
 						</div>
 					</div>
+					<div class="row mb-1 align-items-center">
+						<Label Class="col-sm-3" For="redirecturl" HelpText="The Redirect Url (or Callback Url) Which May Need To Be Registered With The OpenID Connect Provider" ResourceKey="RedirectUrl">Redirect Url:</Label>
+						<div class="col-sm-9">
+							<input id="redirecturl" class="form-control" @bind="@_redirecturl" readonly />
+						</div>
+					</div>
 					<div class="row mb-1 align-items-center">
 						<Label Class="col-sm-3" For="metadata" HelpText="The Discovery Endpoint For Obtaining Metadata. Only Specify If The OpenID Connect Provider Does Not Use The Standard Approach (ie. /.well-known/openid-configuration)" ResourceKey="Metadata">Metadata Address:</Label>
 						<div class="col-sm-9">
@ -201,6 +207,7 @@ else
 	private string _authority;
 	private string _clientid;
 	private string _clientsecret;
+	private string _redirecturl;
 	private string _metadata;
 	private string _logouturl;
 	private string _allowsitelogin;
@ -227,6 +234,7 @@ else
 		_authority = SettingService.GetSetting(settings, "OpenIdConnectOptions:Authority", "");
 		_clientid = SettingService.GetSetting(settings, "OpenIdConnectOptions:ClientId", "");
 		_clientsecret = SettingService.GetSetting(settings, "OpenIdConnectOptions:ClientSecret", "");
+		_redirecturl = PageState.Alias.Name + "/signin-oidc";
 		_metadata = SettingService.GetSetting(settings, "OpenIdConnectOptions:MetadataAddress", "");
 		_logouturl = SettingService.GetSetting(settings, "OpenIdConnectOptions:LogoutUrl", "");
 		_allowsitelogin = SettingService.GetSetting(settings, "AllowSiteLogin", "true");
--- a/Oqtane.Server/Extensions/OqtaneSiteAuthenticationBuilderExtensions.cs
+++ b/Oqtane.Server/Extensions/OqtaneSiteAuthenticationBuilderExtensions.cs
@ -81,12 +81,14 @@ namespace Oqtane.Extensions

        private static async Task OnTokenValidated(TokenValidatedContext context)
        {
-            var email = context.Principal.FindFirstValue(ClaimTypes.Email);
            var providerKey = context.Principal.FindFirstValue(ClaimTypes.NameIdentifier);
            var loginProvider = context.HttpContext.GetAlias().SiteSettings["OpenIdConnectOptions:Authority"];
            var alias = context.HttpContext.GetAlias();
            var _logger = context.HttpContext.RequestServices.GetRequiredService<ILogManager>();

+            // custom logic may be needed here to manipulate Principal sent by Provider - use interface similar to IClaimsTransformation
+
+            var email = context.Principal.FindFirstValue(ClaimTypes.Email);
            if (email != null)
            {
                var _identityUserManager = context.HttpContext.RequestServices.GetRequiredService<UserManager<IdentityUser>>();
@ -208,7 +210,7 @@ namespace Oqtane.Extensions
            }
            else
            {
-                _logger.Log(LogLevel.Information, nameof(OqtaneSiteAuthenticationBuilderExtensions), Enums.LogFunction.Security, "OpenId Connect Provider Did Not Return An Email Claim");
+                _logger.Log(LogLevel.Information, nameof(OqtaneSiteAuthenticationBuilderExtensions), Enums.LogFunction.Security, "OpenID Connect Provider Did Not Return An Email Claim To Uniquely Identify The User");
            }
        }

@ -236,7 +238,7 @@ namespace Oqtane.Extensions
        private static Task OnAccessDenied(AccessDeniedContext context)
        {
            var _logger = context.HttpContext.RequestServices.GetRequiredService<ILogManager>();
-            _logger.Log(LogLevel.Information, nameof(OqtaneSiteAuthenticationBuilderExtensions), Enums.LogFunction.Security, "OpenId Connect Access Denied - User May Have Cancelled Their External Login Attempt");
+            _logger.Log(LogLevel.Information, nameof(OqtaneSiteAuthenticationBuilderExtensions), Enums.LogFunction.Security, "OpenID Connect Access Denied - User May Have Cancelled Their External Login Attempt");
            // redirect to login page
            var alias = context.HttpContext.GetAlias();
            context.Response.Redirect(alias.Path + "/login?returnurl=" + context.Properties.RedirectUri);
@ -247,9 +249,10 @@ namespace Oqtane.Extensions
        private static Task OnRemoteFailure(RemoteFailureContext context)
        {
            var _logger = context.HttpContext.RequestServices.GetRequiredService<ILogManager>();
-            _logger.Log(LogLevel.Error, nameof(OqtaneSiteAuthenticationBuilderExtensions), Enums.LogFunction.Security, "OpenId Connect Remote Failure - {Error}", context.Failure.Message);
-            // redirect to original page
-            context.Response.Redirect(context.Properties.RedirectUri);
+            _logger.Log(LogLevel.Error, nameof(OqtaneSiteAuthenticationBuilderExtensions), Enums.LogFunction.Security, "OpenID Connect Remote Failure - {Error}", context.Failure.Message);
+            // redirect to login page
+            var alias = context.HttpContext.GetAlias();
+            context.Response.Redirect(alias.Path + "/login?returnurl=" + context.Properties.RedirectUri);
            context.HandleResponse();
            return Task.CompletedTask;
        }