diff --git a/Oqtane.Client/Modules/Admin/Users/Index.razor b/Oqtane.Client/Modules/Admin/Users/Index.razor index a5211c55..c6114047 100644 --- a/Oqtane.Client/Modules/Admin/Users/Index.razor +++ b/Oqtane.Client/Modules/Admin/Users/Index.razor @@ -379,7 +379,16 @@ else -
+
+ +
+ +
+
+
@@ -497,6 +506,7 @@ else private string _roleclaimmappings; private string _synchronizeroles; private string _profileclaimtypes; + private string _savetokens; private string _domainfilter; private string _createusers; private string _verifyusers; @@ -577,6 +587,7 @@ else _roleclaimmappings = SettingService.GetSetting(settings, "ExternalLogin:RoleClaimMappings", ""); _synchronizeroles = SettingService.GetSetting(settings, "ExternalLogin:SynchronizeRoles", "false"); _profileclaimtypes = SettingService.GetSetting(settings, "ExternalLogin:ProfileClaimTypes", ""); + _savetokens = SettingService.GetSetting(settings, "ExternalLogin:SaveTokens", "false"); _domainfilter = SettingService.GetSetting(settings, "ExternalLogin:DomainFilter", ""); _createusers = SettingService.GetSetting(settings, "ExternalLogin:CreateUsers", "true"); _verifyusers = SettingService.GetSetting(settings, "ExternalLogin:VerifyUsers", "true"); @@ -666,6 +677,7 @@ else settings = SettingService.SetSetting(settings, "ExternalLogin:RoleClaimMappings", _roleclaimmappings, true); settings = SettingService.SetSetting(settings, "ExternalLogin:SynchronizeRoles", _synchronizeroles, true); settings = SettingService.SetSetting(settings, "ExternalLogin:ProfileClaimTypes", _profileclaimtypes, true); + settings = SettingService.SetSetting(settings, "ExternalLogin:SaveTokens", _savetokens, true); settings = SettingService.SetSetting(settings, "ExternalLogin:DomainFilter", _domainfilter, true); settings = SettingService.SetSetting(settings, "ExternalLogin:CreateUsers", _createusers, true); settings = SettingService.SetSetting(settings, "ExternalLogin:VerifyUsers", _verifyusers, true); diff --git a/Oqtane.Client/Resources/Modules/Admin/Users/Index.resx b/Oqtane.Client/Resources/Modules/Admin/Users/Index.resx index 381eff20..021788e8 100644 --- a/Oqtane.Client/Resources/Modules/Admin/Users/Index.resx +++ b/Oqtane.Client/Resources/Modules/Admin/Users/Index.resx @@ -495,4 +495,10 @@ OpenID Connect (OIDC) + + Save Tokens? + + + Specify whether access and refresh tokens should be saved after a successful login. The default is false to reduce the size of the authentication cookie. + \ No newline at end of file diff --git a/Oqtane.Server/Extensions/OqtaneSiteAuthenticationBuilderExtensions.cs b/Oqtane.Server/Extensions/OqtaneSiteAuthenticationBuilderExtensions.cs index 56b0d3bd..0a7b1094 100644 --- a/Oqtane.Server/Extensions/OqtaneSiteAuthenticationBuilderExtensions.cs +++ b/Oqtane.Server/Extensions/OqtaneSiteAuthenticationBuilderExtensions.cs @@ -47,7 +47,6 @@ namespace Oqtane.Extensions // default options options.SignInScheme = Constants.AuthenticationScheme; // identity cookie options.RequireHttpsMetadata = true; - options.SaveTokens = false; options.GetClaimsFromUserInfoEndpoint = true; options.CallbackPath = string.IsNullOrEmpty(alias.Path) ? "/signin-" + AuthenticationProviderTypes.OpenIDConnect : "/" + alias.Path + "/signin-" + AuthenticationProviderTypes.OpenIDConnect; options.ResponseMode = OpenIdConnectResponseMode.FormPost; // recommended as most secure @@ -63,6 +62,7 @@ namespace Oqtane.Extensions options.ClientSecret = sitesettings.GetValue("ExternalLogin:ClientSecret", ""); options.ResponseType = sitesettings.GetValue("ExternalLogin:AuthResponseType", "code"); // default is authorization code flow options.UsePkce = bool.Parse(sitesettings.GetValue("ExternalLogin:PKCE", "false")); + options.SaveTokens = bool.Parse(sitesettings.GetValue("ExternalLogin:SaveTokens", "false")); if (!string.IsNullOrEmpty(sitesettings.GetValue("ExternalLogin:RoleClaimType", ""))) { options.TokenValidationParameters.RoleClaimType = sitesettings.GetValue("ExternalLogin:RoleClaimType", ""); @@ -102,7 +102,6 @@ namespace Oqtane.Extensions // default options options.SignInScheme = Constants.AuthenticationScheme; // identity cookie options.CallbackPath = string.IsNullOrEmpty(alias.Path) ? "/signin-" + AuthenticationProviderTypes.OAuth2 : "/" + alias.Path + "/signin-" + AuthenticationProviderTypes.OAuth2; - options.SaveTokens = false; // site options options.AuthorizationEndpoint = sitesettings.GetValue("ExternalLogin:AuthorizationUrl", ""); @@ -111,6 +110,7 @@ namespace Oqtane.Extensions options.ClientId = sitesettings.GetValue("ExternalLogin:ClientId", ""); options.ClientSecret = sitesettings.GetValue("ExternalLogin:ClientSecret", ""); options.UsePkce = bool.Parse(sitesettings.GetValue("ExternalLogin:PKCE", "false")); + options.SaveTokens = bool.Parse(sitesettings.GetValue("ExternalLogin:SaveTokens", "false")); options.Scope.Clear(); foreach (var scope in sitesettings.GetValue("ExternalLogin:Scopes", "").Split(',', StringSplitOptions.RemoveEmptyEntries)) { @@ -228,7 +228,6 @@ namespace Oqtane.Extensions var identity = await ValidateUser(id, name, email, claims, context.HttpContext, context.Principal); if (identity.Label == ExternalLoginStatus.Success) { - identity.AddClaim(new Claim("access_token", context.AccessToken)); context.Principal = new ClaimsPrincipal(identity); } @@ -304,8 +303,6 @@ namespace Oqtane.Extensions var identity = await ValidateUser(id, name, email, claims, context.HttpContext, context.Principal); if (identity.Label == ExternalLoginStatus.Success) { - // include access token - identity.AddClaim(new Claim("access_token", context.SecurityToken.RawData)); context.Principal = new ClaimsPrincipal(identity); } else