OIDC improvements

This commit is contained in:
Shaun Walker
2022-03-21 10:39:35 -04:00
parent 4b19059df1
commit fb161ae783
2 changed files with 17 additions and 6 deletions


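--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -154,6 +154,12 @@ else
 <input id="clientsecret" class="form-control" @bind="@_clientsecret" />
 </div>
 </div>
+<div class="row mb-1 align-items-center">
+<Label Class="col-sm-3" For="redirecturl" HelpText="The Redirect Url (or Callback Url) Which May Need To Be Registered With The OpenID Connect Provider" ResourceKey="RedirectUrl">Redirect Url:</Label>
+<div class="col-sm-9">
+<input id="redirecturl" class="form-control" @bind="@_redirecturl" readonly />
+</div>
+</div>
 <div class="row mb-1 align-items-center">
 <Label Class="col-sm-3" For="metadata" HelpText="The Discovery Endpoint For Obtaining Metadata. Only Specify If The OpenID Connect Provider Does Not Use The Standard Approach (ie. /.well-known/openid-configuration)" ResourceKey="Metadata">Metadata Address:</Label>
 <div class="col-sm-9">
@@ -201,6 +207,7 @@ else
 private string _authority;
 private string _clientid;
 private string _clientsecret;
+private string _redirecturl;
 private string _metadata;
 private string _logouturl;
 private string _allowsitelogin;
@@ -227,6 +234,7 @@ else
 _authority = SettingService.GetSetting(settings, "OpenIdConnectOptions:Authority", "");
 _clientid = SettingService.GetSetting(settings, "OpenIdConnectOptions:ClientId", "");
 _clientsecret = SettingService.GetSetting(settings, "OpenIdConnectOptions:ClientSecret", "");
+_redirecturl = PageState.Alias.Name + "/signin-oidc";
 _metadata = SettingService.GetSetting(settings, "OpenIdConnectOptions:MetadataAddress", "");
 _logouturl = SettingService.GetSetting(settings, "OpenIdConnectOptions:LogoutUrl", "");
 _allowsitelogin = SettingService.GetSetting(settings, "AllowSiteLogin", "true");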
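Review bot: The value displayed in the new read-only Redirect Url field, `_redirecturl = PageState.Alias.Name + "/signin-oidc";`, carries no scheme, so unless Alias.Name already includes one it is not the exact `https://…` callback URL an OpenID Connect provider expects to have registered, and an administrator copying it verbatim from this field will register a value that does not match what the middleware actually sends. The callback path is also hard-coded here instead of being derived from the middleware's configured CallbackPath, so the two can drift without any warning. Consider prefixing the current request's scheme when building the value and adding a comment such as `// must match the OpenID Connect middleware CallbackPath exactly; providers compare registered redirect URIs literally`. The enclosing method starts and ends outside the hunk.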


@ -81,12 +81,14 @@ namespace Oqtane.Extensions
private static async Task OnTokenValidated(TokenValidatedContext context) private static async Task OnTokenValidated(TokenValidatedContext context)
{ {
var email = context.Principal.FindFirstValue(ClaimTypes.Email);
var providerKey = context.Principal.FindFirstValue(ClaimTypes.NameIdentifier); var providerKey = context.Principal.FindFirstValue(ClaimTypes.NameIdentifier);
var loginProvider = context.HttpContext.GetAlias().SiteSettings["OpenIdConnectOptions:Authority"]; var loginProvider = context.HttpContext.GetAlias().SiteSettings["OpenIdConnectOptions:Authority"];
var alias = context.HttpContext.GetAlias(); var alias = context.HttpContext.GetAlias();
var _logger = context.HttpContext.RequestServices.GetRequiredService<ILogManager>(); var _logger = context.HttpContext.RequestServices.GetRequiredService<ILogManager>();
// custom logic may be needed here to manipulate Principal sent by Provider - use interface similar to IClaimsTransformation
var email = context.Principal.FindFirstValue(ClaimTypes.Email);
if (email != null) if (email != null)
{ {
var _identityUserManager = context.HttpContext.RequestServices.GetRequiredService<UserManager<IdentityUser>>(); var _identityUserManager = context.HttpContext.RequestServices.GetRequiredService<UserManager<IdentityUser>>();
@ -208,7 +210,7 @@ namespace Oqtane.Extensions
} }
else else
{ {
_logger.Log(LogLevel.Information, nameof(OqtaneSiteAuthenticationBuilderExtensions), Enums.LogFunction.Security, "OpenId Connect Provider Did Not Return An Email Claim"); _logger.Log(LogLevel.Information, nameof(OqtaneSiteAuthenticationBuilderExtensions), Enums.LogFunction.Security, "OpenID Connect Provider Did Not Return An Email Claim To Uniquely Identify The User");
} }
} }
@ -236,7 +238,7 @@ namespace Oqtane.Extensions
private static Task OnAccessDenied(AccessDeniedContext context) private static Task OnAccessDenied(AccessDeniedContext context)
{ {
var _logger = context.HttpContext.RequestServices.GetRequiredService<ILogManager>(); var _logger = context.HttpContext.RequestServices.GetRequiredService<ILogManager>();
_logger.Log(LogLevel.Information, nameof(OqtaneSiteAuthenticationBuilderExtensions), Enums.LogFunction.Security, "OpenId Connect Access Denied - User May Have Cancelled Their External Login Attempt"); _logger.Log(LogLevel.Information, nameof(OqtaneSiteAuthenticationBuilderExtensions), Enums.LogFunction.Security, "OpenID Connect Access Denied - User May Have Cancelled Their External Login Attempt");
// redirect to login page // redirect to login page
var alias = context.HttpContext.GetAlias(); var alias = context.HttpContext.GetAlias();
context.Response.Redirect(alias.Path + "/login?returnurl=" + context.Properties.RedirectUri); context.Response.Redirect(alias.Path + "/login?returnurl=" + context.Properties.RedirectUri);
@ -247,9 +249,10 @@ namespace Oqtane.Extensions
private static Task OnRemoteFailure(RemoteFailureContext context) private static Task OnRemoteFailure(RemoteFailureContext context)
{ {
var _logger = context.HttpContext.RequestServices.GetRequiredService<ILogManager>(); var _logger = context.HttpContext.RequestServices.GetRequiredService<ILogManager>();
_logger.Log(LogLevel.Error, nameof(OqtaneSiteAuthenticationBuilderExtensions), Enums.LogFunction.Security, "OpenId Connect Remote Failure - {Error}", context.Failure.Message); _logger.Log(LogLevel.Error, nameof(OqtaneSiteAuthenticationBuilderExtensions), Enums.LogFunction.Security, "OpenID Connect Remote Failure - {Error}", context.Failure.Message);
// redirect to original page // redirect to login page
context.Response.Redirect(context.Properties.RedirectUri); var alias = context.HttpContext.GetAlias();
context.Response.Redirect(alias.Path + "/login?returnurl=" + context.Properties.RedirectUri);
context.HandleResponse(); context.HandleResponse();
return Task.CompletedTask; return Task.CompletedTask;
} }
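Review bot: In the new OnRemoteFailure redirect, `context.Response.Redirect(alias.Path + "/login?returnurl=" + context.Properties.RedirectUri);` appends RedirectUri to the query string without encoding it, so any `&` or `#` inside it truncates the returnurl the login page receives; the same concatenation already exists in OnAccessDenied in the preceding hunk. On a remote failure Properties may also be null (the handler does not always have unprotected state to hand back), which with string concatenation yields an empty returnurl rather than an exception — presumably acceptable, but it deserves a comment so the next reader does not assume it is always set. A line such as `context.Response.Redirect(alias.Path + "/login?returnurl=" + Uri.EscapeDataString(context.Properties?.RedirectUri ?? ""));` covers both, assuming the login page reads returnurl through standard query-string decoding.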