Merge pull request #4983 from sbwalker/dev

include option for external login to save tokens

Oqtane.Client/Modules/Admin/Users/Index.razor

@@ -379,7 +379,16 @@ else
 									<input id="profileclaimtypes" class="form-control" @bind="@_profileclaimtypes" />
 								</div>
 							</div>
-							<div class="row mb-1 align-items-center">
+                            <div class="row mb-1 align-items-center">
+                                <Label Class="col-sm-3" For="savetokens" HelpText="Specify whether access and refresh tokens should be saved after a successful login. The default is false to reduce the size of the authentication cookie." ResourceKey="SaveTokens">Save Tokens?</Label>
+                                <div class="col-sm-9">
+                                    <select id="savetokens" class="form-select" @bind="@_savetokens" required>
+                                        <option value="true">@SharedLocalizer["Yes"]</option>
+                                        <option value="false">@SharedLocalizer["No"]</option>
+                                    </select>
+                                </div>
+                            </div>
+                            <div class="row mb-1 align-items-center">
 								<Label Class="col-sm-3" For="domainfilter" HelpText="Provide any email domain filter criteria (separated by commas). Domains to exclude should be prefixed with an exclamation point (!). For example 'microsoft.com,!hotmail.com' would include microsoft.com email addresses but not hotmail.com email addresses." ResourceKey="DomainFilter">Domain Filter:</Label>
 								<div class="col-sm-9">
 									<input id="domainfilter" class="form-control" @bind="@_domainfilter" />
@@ -497,6 +506,7 @@ else
     private string _roleclaimmappings;
     private string _synchronizeroles;
     private string _profileclaimtypes;
+    private string _savetokens;
     private string _domainfilter;
     private string _createusers;
     private string _verifyusers;
@@ -577,6 +587,7 @@ else
         _roleclaimmappings = SettingService.GetSetting(settings, "ExternalLogin:RoleClaimMappings", "");
         _synchronizeroles = SettingService.GetSetting(settings, "ExternalLogin:SynchronizeRoles", "false");
         _profileclaimtypes = SettingService.GetSetting(settings, "ExternalLogin:ProfileClaimTypes", "");
+        _savetokens = SettingService.GetSetting(settings, "ExternalLogin:SaveTokens", "false");
         _domainfilter = SettingService.GetSetting(settings, "ExternalLogin:DomainFilter", "");
         _createusers = SettingService.GetSetting(settings, "ExternalLogin:CreateUsers", "true");
         _verifyusers = SettingService.GetSetting(settings, "ExternalLogin:VerifyUsers", "true");
@@ -666,6 +677,7 @@ else
                 settings = SettingService.SetSetting(settings, "ExternalLogin:RoleClaimMappings", _roleclaimmappings, true);
                 settings = SettingService.SetSetting(settings, "ExternalLogin:SynchronizeRoles", _synchronizeroles, true);
                 settings = SettingService.SetSetting(settings, "ExternalLogin:ProfileClaimTypes", _profileclaimtypes, true);
+                settings = SettingService.SetSetting(settings, "ExternalLogin:SaveTokens", _savetokens, true);
                 settings = SettingService.SetSetting(settings, "ExternalLogin:DomainFilter", _domainfilter, true);
                 settings = SettingService.SetSetting(settings, "ExternalLogin:CreateUsers", _createusers, true);
                 settings = SettingService.SetSetting(settings, "ExternalLogin:VerifyUsers", _verifyusers, true);

Oqtane.Client/Resources/Modules/Admin/Users/Index.resx

@@ -495,4 +495,10 @@
   <data name="OIDC" xml:space="preserve">
     <value>OpenID Connect (OIDC)</value>
   </data>
+  <data name="SaveTokens.Text" xml:space="preserve">
+    <value>Save Tokens?</value>
+  </data>
+  <data name="SaveTokens.HelpText" xml:space="preserve">
+    <value>Specify whether access and refresh tokens should be saved after a successful login. The default is false to reduce the size of the authentication cookie.</value>
+  </data>
 </root>

Oqtane.Server/Extensions/OqtaneSiteAuthenticationBuilderExtensions.cs

@@ -47,7 +47,6 @@ namespace Oqtane.Extensions
                     // default options
                     options.SignInScheme = Constants.AuthenticationScheme; // identity cookie
                     options.RequireHttpsMetadata = true;
-                    options.SaveTokens = false;
                     options.GetClaimsFromUserInfoEndpoint = true;
                     options.CallbackPath = string.IsNullOrEmpty(alias.Path) ? "/signin-" + AuthenticationProviderTypes.OpenIDConnect : "/" + alias.Path + "/signin-" + AuthenticationProviderTypes.OpenIDConnect;
                     options.ResponseMode = OpenIdConnectResponseMode.FormPost; // recommended as most secure
@@ -63,6 +62,7 @@ namespace Oqtane.Extensions
                     options.ClientSecret = sitesettings.GetValue("ExternalLogin:ClientSecret", "");
                     options.ResponseType = sitesettings.GetValue("ExternalLogin:AuthResponseType", "code"); // default is authorization code flow
                     options.UsePkce = bool.Parse(sitesettings.GetValue("ExternalLogin:PKCE", "false"));
+                    options.SaveTokens = bool.Parse(sitesettings.GetValue("ExternalLogin:SaveTokens", "false"));
                     if (!string.IsNullOrEmpty(sitesettings.GetValue("ExternalLogin:RoleClaimType", "")))
                     {
                         options.TokenValidationParameters.RoleClaimType = sitesettings.GetValue("ExternalLogin:RoleClaimType", "");
@@ -102,7 +102,6 @@ namespace Oqtane.Extensions
                     // default options
                     options.SignInScheme = Constants.AuthenticationScheme; // identity cookie
                     options.CallbackPath = string.IsNullOrEmpty(alias.Path) ? "/signin-" + AuthenticationProviderTypes.OAuth2 : "/" + alias.Path + "/signin-" + AuthenticationProviderTypes.OAuth2;
-                    options.SaveTokens = false;
 
                     // site options
                     options.AuthorizationEndpoint = sitesettings.GetValue("ExternalLogin:AuthorizationUrl", "");
@@ -111,6 +110,7 @@ namespace Oqtane.Extensions
                     options.ClientId = sitesettings.GetValue("ExternalLogin:ClientId", "");
                     options.ClientSecret = sitesettings.GetValue("ExternalLogin:ClientSecret", "");
                     options.UsePkce = bool.Parse(sitesettings.GetValue("ExternalLogin:PKCE", "false"));
+                    options.SaveTokens = bool.Parse(sitesettings.GetValue("ExternalLogin:SaveTokens", "false"));
                     options.Scope.Clear();
                     foreach (var scope in sitesettings.GetValue("ExternalLogin:Scopes", "").Split(',', StringSplitOptions.RemoveEmptyEntries))
                     {
@@ -228,7 +228,6 @@ namespace Oqtane.Extensions
             var identity = await ValidateUser(id, name, email, claims, context.HttpContext, context.Principal);
             if (identity.Label == ExternalLoginStatus.Success)
             {
-                identity.AddClaim(new Claim("access_token", context.AccessToken));
                 context.Principal = new ClaimsPrincipal(identity);
             }
 
@@ -304,8 +303,6 @@ namespace Oqtane.Extensions
             var identity = await ValidateUser(id, name, email, claims, context.HttpContext, context.Principal);
             if (identity.Label == ExternalLoginStatus.Success)
             {
-                // include access token
-                identity.AddClaim(new Claim("access_token", context.SecurityToken.RawData));
                 context.Principal = new ClaimsPrincipal(identity);
             }
             else