From 93ab8b88d42535b319b955eee2899ca933733ffe Mon Sep 17 00:00:00 2001
From: sbwalker
Date: Mon, 27 Nov 2023 15:07:48 -0500
Subject: [PATCH 1/2] include Review Claims option in External Login for troubleshooting settings
---
 Oqtane.Client/Modules/Admin/Users/Index.razor | 50 ++++++++++++-------
 .../Resources/Modules/Admin/Login/Index.resx | 3 ++
 .../Resources/Modules/Admin/Users/Index.resx | 6 +++
 ...taneSiteAuthenticationBuilderExtensions.cs | 10 +++-
 Oqtane.Shared/Shared/ExternalLoginStatus.cs | 1 +
 5 files changed, 50 insertions(+), 20 deletions(-)
diff --git a/Oqtane.Client/Modules/Admin/Users/Index.razor b/Oqtane.Client/Modules/Admin/Users/Index.razor
index e994a4dc..3d08c8b5 100644
--- a/Oqtane.Client/Modules/Admin/Users/Index.razor
+++ b/Oqtane.Client/Modules/Admin/Users/Index.razor
@@ -254,19 +254,7 @@ else
-
- -
- -
-
-
- -
- -
-
- @if (_providertype == AuthenticationProviderTypes.OpenIDConnect) + @if (_providertype == AuthenticationProviderTypes.OpenIDConnect) {
@@ -284,6 +272,18 @@ else
} +
+ +
+ +
+
+
+ +
+ +
+
@@ -299,7 +299,16 @@ else
-
+
+ +
+ +
+
+
@@ -428,11 +437,12 @@ else
 private string _clientsecret;
 private string _clientsecrettype = "password";
 private string _toggleclientsecret = string.Empty;
+ private string _authresponsetype;
 private string _scopes;
 private string _parameters;
 private string _pkce;
- private string _authresponsetype;
 private string _redirecturl;
+ private string _reviewclaims;
 private string _identifierclaimtype;
 private string _emailclaimtype;
 private string _roleclaimtype;
@@ -489,11 +499,12 @@ else
 _clientid = SettingService.GetSetting(settings, "ExternalLogin:ClientId", "");
 _clientsecret = SettingService.GetSetting(settings, "ExternalLogin:ClientSecret", "");
 _toggleclientsecret = SharedLocalizer["ShowPassword"];
+ _authresponsetype = SettingService.GetSetting(settings, "ExternalLogin:AuthResponseType", "code");
 _scopes = SettingService.GetSetting(settings, "ExternalLogin:Scopes", "");
 _parameters = SettingService.GetSetting(settings, "ExternalLogin:Parameters", "");
 _pkce = SettingService.GetSetting(settings, "ExternalLogin:PKCE", "false");
- _authresponsetype = SettingService.GetSetting(settings, "ExternalLogin:AuthResponseType", "code");
 _redirecturl = PageState.Uri.Scheme + "://" + PageState.Alias.Name + "/signin-" + _providertype;
+ _reviewclaims = SettingService.GetSetting(settings, "ExternalLogin:ReviewClaims", "false");
 _identifierclaimtype = SettingService.GetSetting(settings, "ExternalLogin:IdentifierClaimType", "sub");
 _emailclaimtype = SettingService.GetSetting(settings, "ExternalLogin:EmailClaimType", "email");
 _roleclaimtype = SettingService.GetSetting(settings, "ExternalLogin:RoleClaimType", "");
@@ -581,11 +592,12 @@ else
 settings = SettingService.SetSetting(settings, "ExternalLogin:UserInfoUrl", _userinfourl, true);
 settings = SettingService.SetSetting(settings, "ExternalLogin:ClientId", _clientid, true);
 settings = SettingService.SetSetting(settings, "ExternalLogin:ClientSecret", _clientsecret, true);
- settings = SettingService.SetSetting(settings, "ExternalLogin:Scopes", _scopes, true);
+ settings = SettingService.SetSetting(settings, "ExternalLogin:AuthResponseType", _authresponsetype, true);
+ settings = SettingService.SetSetting(settings, "ExternalLogin:Scopes", _scopes, true);
 settings = SettingService.SetSetting(settings, "ExternalLogin:Parameters", _parameters, true);
 settings = SettingService.SetSetting(settings, "ExternalLogin:PKCE", _pkce, true);
- settings = SettingService.SetSetting(settings, "ExternalLogin:AuthResponseType", _authresponsetype, true);
- settings = SettingService.SetSetting(settings, "ExternalLogin:IdentifierClaimType", _identifierclaimtype, true);
+ settings = SettingService.SetSetting(settings, "ExternalLogin:ReviewClaims", _reviewclaims, true);
+ settings = SettingService.SetSetting(settings, "ExternalLogin:IdentifierClaimType", _identifierclaimtype, true);
 settings = SettingService.SetSetting(settings, "ExternalLogin:EmailClaimType", _emailclaimtype, true);
 settings = SettingService.SetSetting(settings, "ExternalLogin:RoleClaimType", _roleclaimtype, true);
 settings = SettingService.SetSetting(settings, "ExternalLogin:ProfileClaimTypes", _profileclaimtypes, true);
diff --git a/Oqtane.Client/Resources/Modules/Admin/Login/Index.resx b/Oqtane.Client/Resources/Modules/Admin/Login/Index.resx
index 67dbbfed..6c8ffd2a 100644
--- a/Oqtane.Client/Resources/Modules/Admin/Login/Index.resx
+++ b/Oqtane.Client/Resources/Modules/Admin/Login/Index.resx
@@ -225,4 +225,7 @@ Your External Login Failed. Please Contact Your Administrator For Further Instructions. + + The Review Claims Option Was Enabled In External Login Settings. Please Visit The Event Log To View The Claims Returned By The Provider. + \ No newline at end of file diff --git a/Oqtane.Client/Resources/Modules/Admin/Users/Index.resx b/Oqtane.Client/Resources/Modules/Admin/Users/Index.resx index d40eebc8..0b36da94 100644 --- a/Oqtane.Client/Resources/Modules/Admin/Users/Index.resx +++ b/Oqtane.Client/Resources/Modules/Admin/Users/Index.resx @@ -456,4 +456,10 @@ Cookie Expiration Timespan: + + Review Claims? + + + This option should only be used for testing. It allows the full list of Claims returned by the Provider to be recorded in the Event Log. Please note that external login is restricted when this option is enabled. + \ No newline at end of file diff --git a/Oqtane.Server/Extensions/OqtaneSiteAuthenticationBuilderExtensions.cs b/Oqtane.Server/Extensions/OqtaneSiteAuthenticationBuilderExtensions.cs index 8ef2f7ad..b77a4ecb 100644 --- a/Oqtane.Server/Extensions/OqtaneSiteAuthenticationBuilderExtensions.cs +++ b/Oqtane.Server/Extensions/OqtaneSiteAuthenticationBuilderExtensions.cs @@ -50,7 +50,6 @@ namespace Oqtane.Extensions options.SaveTokens = false; options.GetClaimsFromUserInfoEndpoint = true; options.CallbackPath = string.IsNullOrEmpty(alias.Path) ? "/signin-" + AuthenticationProviderTypes.OpenIDConnect : "/" + alias.Path + "/signin-" + AuthenticationProviderTypes.OpenIDConnect; - options.ResponseType = sitesettings.GetValue("ExternalLogin:AuthResponseType", "code"); // authorization code flow options.ResponseMode = OpenIdConnectResponseMode.FormPost; // recommended as most secure // cookie config is required to avoid Correlation Failed errors 
@@ -62,6 +61,7 @@ namespace Oqtane.Extensions options.MetadataAddress = sitesettings.GetValue("ExternalLogin:MetadataUrl", ""); options.ClientId = sitesettings.GetValue("ExternalLogin:ClientId", ""); options.ClientSecret = sitesettings.GetValue("ExternalLogin:ClientSecret", ""); + options.ResponseType = sitesettings.GetValue("ExternalLogin:AuthResponseType", "code"); // default is authorization code flow options.UsePkce = bool.Parse(sitesettings.GetValue("ExternalLogin:PKCE", "false")); if (!string.IsNullOrEmpty(sitesettings.GetValue("ExternalLogin:RoleClaimType", ""))) { @@ -290,6 +290,14 @@ namespace Oqtane.Extensions ClaimsIdentity identity = new ClaimsIdentity(Constants.AuthenticationScheme); // use identity.Label as a temporary location to store validation status information + // review claims option (for testing) + if (bool.Parse(httpContext.GetSiteSettings().GetValue("ExternalLogin:ReviewClaims", "false"))) + { + _logger.Log(LogLevel.Information, "ExternalLogin", Enums.LogFunction.Security, "Provider Returned The Following Claims: {Claims}", claims); + identity.Label = ExternalLoginStatus.ReviewClaims; + return identity; + } + var providerType = httpContext.GetSiteSettings().GetValue("ExternalLogin:ProviderType", ""); var providerName = httpContext.GetSiteSettings().GetValue("ExternalLogin:ProviderName", ""); var alias = httpContext.GetAlias(); diff --git a/Oqtane.Shared/Shared/ExternalLoginStatus.cs b/Oqtane.Shared/Shared/ExternalLoginStatus.cs index aec49985..78bdb678 100644 --- a/Oqtane.Shared/Shared/ExternalLoginStatus.cs +++ b/Oqtane.Shared/Shared/ExternalLoginStatus.cs @@ -9,5 +9,6 @@ namespace Oqtane.Shared { public const string VerificationRequired = "VerificationRequired"; public const string AccessDenied = "AccessDenied"; public const string RemoteFailure = "RemoteFailure"; + public const string ReviewClaims = "ReviewClaims"; } } From c8ac4ec1e8a5dfa6d9ee3335575af544f513f516 Mon Sep 17 00:00:00 2001 
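Review bot: In the new block of the -290 hunk, `bool.Parse(httpContext.GetSiteSettings().GetValue("ExternalLogin:ReviewClaims", "false"))` throws FormatException whenever the stored value is empty or anything other than "true"/"false", and that exception surfaces inside the external-login callback instead of as a handled login status; `if (bool.TryParse(httpContext.GetSiteSettings().GetValue("ExternalLogin:ReviewClaims", "false"), out var reviewClaims) && reviewClaims)` fails closed to the normal path instead (the PKCE line in the -62 hunk has the same pattern but is pre-existing). Separately, the `_logger.Log(LogLevel.Information, ...)` call records every claim the provider returned, which routinely includes email, name and other personal data; logging it at Warning and naming the ReviewClaims setting in the message would make it visible in the event log that this diagnostic mode is on and that those values are being persisted until it is switched off. The enclosing method starts and ends outside the hunk.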
From: sbwalker
Date: Mon, 27 Nov 2023 15:35:58 -0500
Subject: [PATCH 2/2] include a more detailed error message for tenant database migration issues
---
 Oqtane.Server/Infrastructure/DatabaseManager.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Oqtane.Server/Infrastructure/DatabaseManager.cs b/Oqtane.Server/Infrastructure/DatabaseManager.cs
index 10d428ea..0960f893 100644
--- a/Oqtane.Server/Infrastructure/DatabaseManager.cs
+++ b/Oqtane.Server/Infrastructure/DatabaseManager.cs
@@ -377,7 +377,7 @@ namespace Oqtane.Infrastructure
 }
 catch (Exception ex)
 {
- result.Message = "An Error Occurred Migrating A Tenant Database. This Is Usually Related To A Tenant Database Not Being In A Supported State. " + ex.ToString();
+ result.Message = "An Error Occurred Migrating The Database For Tenant " + tenant.Name + ". This Is Usually Related To Database Permissions, Connection String Mappings, Or The Database Not Being In A Supported State. " + ex.ToString();
 _filelogger.LogError(Utilities.LogMessage(this, result.Message));
 }