Merge pull request #4983 from sbwalker/dev

include option for external login to save tokens
2025-01-13 15:14:27 -05:00 · 2025-01-13 15:14:27 -05:00 · 9a82021a82
commit 9a82021a82
parent aa5ea61638 1fb54a0b0f
3 changed files with 21 additions and 6 deletions
--- a/Oqtane.Client/Modules/Admin/Users/Index.razor
+++ b/Oqtane.Client/Modules/Admin/Users/Index.razor
@ -379,7 +379,16 @@ else
 									<input id="profileclaimtypes" class="form-control" @bind="@_profileclaimtypes" />
 								</div>
 							</div>
-							<div class="row mb-1 align-items-center">
+                            <div class="row mb-1 align-items-center">
+                                <Label Class="col-sm-3" For="savetokens" HelpText="Specify whether access and refresh tokens should be saved after a successful login. The default is false to reduce the size of the authentication cookie." ResourceKey="SaveTokens">Save Tokens?</Label>
+                                <div class="col-sm-9">
+                                    <select id="savetokens" class="form-select" @bind="@_savetokens" required>
+                                        <option value="true">@SharedLocalizer["Yes"]</option>
+                                        <option value="false">@SharedLocalizer["No"]</option>
+                                    </select>
+                                </div>
+                            </div>
+                            <div class="row mb-1 align-items-center">
 								<Label Class="col-sm-3" For="domainfilter" HelpText="Provide any email domain filter criteria (separated by commas). Domains to exclude should be prefixed with an exclamation point (!). For example 'microsoft.com,!hotmail.com' would include microsoft.com email addresses but not hotmail.com email addresses." ResourceKey="DomainFilter">Domain Filter:</Label>
 								<div class="col-sm-9">
 									<input id="domainfilter" class="form-control" @bind="@_domainfilter" />
@ -497,6 +506,7 @@ else
    private string _roleclaimmappings;
    private string _synchronizeroles;
    private string _profileclaimtypes;
+    private string _savetokens;
    private string _domainfilter;
    private string _createusers;
    private string _verifyusers;
@ -577,6 +587,7 @@ else
        _roleclaimmappings = SettingService.GetSetting(settings, "ExternalLogin:RoleClaimMappings", "");
        _synchronizeroles = SettingService.GetSetting(settings, "ExternalLogin:SynchronizeRoles", "false");
        _profileclaimtypes = SettingService.GetSetting(settings, "ExternalLogin:ProfileClaimTypes", "");
+        _savetokens = SettingService.GetSetting(settings, "ExternalLogin:SaveTokens", "false");
        _domainfilter = SettingService.GetSetting(settings, "ExternalLogin:DomainFilter", "");
        _createusers = SettingService.GetSetting(settings, "ExternalLogin:CreateUsers", "true");
        _verifyusers = SettingService.GetSetting(settings, "ExternalLogin:VerifyUsers", "true");
@ -666,6 +677,7 @@ else
                settings = SettingService.SetSetting(settings, "ExternalLogin:RoleClaimMappings", _roleclaimmappings, true);
                settings = SettingService.SetSetting(settings, "ExternalLogin:SynchronizeRoles", _synchronizeroles, true);
                settings = SettingService.SetSetting(settings, "ExternalLogin:ProfileClaimTypes", _profileclaimtypes, true);
+                settings = SettingService.SetSetting(settings, "ExternalLogin:SaveTokens", _savetokens, true);
                settings = SettingService.SetSetting(settings, "ExternalLogin:DomainFilter", _domainfilter, true);
                settings = SettingService.SetSetting(settings, "ExternalLogin:CreateUsers", _createusers, true);
                settings = SettingService.SetSetting(settings, "ExternalLogin:VerifyUsers", _verifyusers, true);
--- a/Oqtane.Client/Resources/Modules/Admin/Users/Index.resx
+++ b/Oqtane.Client/Resources/Modules/Admin/Users/Index.resx
@ -495,4 +495,10 @@
  <data name="OIDC" xml:space="preserve">
    <value>OpenID Connect (OIDC)</value>
  </data>
+  <data name="SaveTokens.Text" xml:space="preserve">
+    <value>Save Tokens?</value>
+  </data>
+  <data name="SaveTokens.HelpText" xml:space="preserve">
+    <value>Specify whether access and refresh tokens should be saved after a successful login. The default is false to reduce the size of the authentication cookie.</value>
+  </data>
 </root>
--- a/Oqtane.Server/Extensions/OqtaneSiteAuthenticationBuilderExtensions.cs
+++ b/Oqtane.Server/Extensions/OqtaneSiteAuthenticationBuilderExtensions.cs
@ -47,7 +47,6 @@ namespace Oqtane.Extensions
                    // default options
                    options.SignInScheme = Constants.AuthenticationScheme; // identity cookie
                    options.RequireHttpsMetadata = true;
-                    options.SaveTokens = false;
                    options.GetClaimsFromUserInfoEndpoint = true;
                    options.CallbackPath = string.IsNullOrEmpty(alias.Path) ? "/signin-" + AuthenticationProviderTypes.OpenIDConnect : "/" + alias.Path + "/signin-" + AuthenticationProviderTypes.OpenIDConnect;
                    options.ResponseMode = OpenIdConnectResponseMode.FormPost; // recommended as most secure
@ -63,6 +62,7 @@ namespace Oqtane.Extensions
                    options.ClientSecret = sitesettings.GetValue("ExternalLogin:ClientSecret", "");
                    options.ResponseType = sitesettings.GetValue("ExternalLogin:AuthResponseType", "code"); // default is authorization code flow
                    options.UsePkce = bool.Parse(sitesettings.GetValue("ExternalLogin:PKCE", "false"));
+                    options.SaveTokens = bool.Parse(sitesettings.GetValue("ExternalLogin:SaveTokens", "false"));
                    if (!string.IsNullOrEmpty(sitesettings.GetValue("ExternalLogin:RoleClaimType", "")))
                    {
                        options.TokenValidationParameters.RoleClaimType = sitesettings.GetValue("ExternalLogin:RoleClaimType", "");
@ -102,7 +102,6 @@ namespace Oqtane.Extensions
                    // default options
                    options.SignInScheme = Constants.AuthenticationScheme; // identity cookie
                    options.CallbackPath = string.IsNullOrEmpty(alias.Path) ? "/signin-" + AuthenticationProviderTypes.OAuth2 : "/" + alias.Path + "/signin-" + AuthenticationProviderTypes.OAuth2;
-                    options.SaveTokens = false;

                    // site options
                    options.AuthorizationEndpoint = sitesettings.GetValue("ExternalLogin:AuthorizationUrl", "");
@ -111,6 +110,7 @@ namespace Oqtane.Extensions
                    options.ClientId = sitesettings.GetValue("ExternalLogin:ClientId", "");
                    options.ClientSecret = sitesettings.GetValue("ExternalLogin:ClientSecret", "");
                    options.UsePkce = bool.Parse(sitesettings.GetValue("ExternalLogin:PKCE", "false"));
+                    options.SaveTokens = bool.Parse(sitesettings.GetValue("ExternalLogin:SaveTokens", "false"));
                    options.Scope.Clear();
                    foreach (var scope in sitesettings.GetValue("ExternalLogin:Scopes", "").Split(',', StringSplitOptions.RemoveEmptyEntries))
                    {
@ -228,7 +228,6 @@ namespace Oqtane.Extensions
            var identity = await ValidateUser(id, name, email, claims, context.HttpContext, context.Principal);
            if (identity.Label == ExternalLoginStatus.Success)
            {
-                identity.AddClaim(new Claim("access_token", context.AccessToken));
                context.Principal = new ClaimsPrincipal(identity);
            }

@ -304,8 +303,6 @@ namespace Oqtane.Extensions
            var identity = await ValidateUser(id, name, email, claims, context.HttpContext, context.Principal);
            if (identity.Label == ExternalLoginStatus.Success)
            {
-                // include access token
-                identity.AddClaim(new Claim("access_token", context.SecurityToken.RawData));
                context.Principal = new ClaimsPrincipal(identity);
            }
            else