Merge pull request #3511 from sbwalker/dev

include Review Claims option in External Login for troubleshooting settings

Oqtane.Client/Modules/Admin/Users/Index.razor

@@ -254,19 +254,7 @@ else
 									</div>
 								</div>
 							</div>
-							<div class="row mb-1 align-items-center">
+                            @if (_providertype == AuthenticationProviderTypes.OpenIDConnect)
-								<Label Class="col-sm-3" For="scopes" HelpText="A list of Scopes to request from the provider (separated by commas). If none are specified, standard Scopes will be used by default." ResourceKey="Scopes">Scopes:</Label>
-								<div class="col-sm-9">
-									<input id="scopes" class="form-control" @bind="@_scopes" />
-								</div>
-							</div>
-							<div class="row mb-1 align-items-center">
-								<Label Class="col-sm-3" For="parameters" HelpText="Optionally specify any additional parameters as name/value pairs to send to the provider (separated by commas if there are multiple)." ResourceKey="Parameters">Parameters:</Label>
-								<div class="col-sm-9">
-									<input id="parameters" class="form-control" @bind="@_parameters" />
-								</div>
-							</div>
-							@if (_providertype == AuthenticationProviderTypes.OpenIDConnect)
                             {
                                 <div class="row mb-1 align-items-center">
                                     <Label Class="col-sm-3" For="authresponsetype" HelpText="Specify the authorization response type. The default is Authorization Code which is considered to be the most secure option based on the latest OAuth specification." ResourceKey="AuthResponseType">Authorization Response Type:</Label>
@@ -284,6 +272,18 @@ else
                                     </div>
                                 </div>
                             }
+                            <div class="row mb-1 align-items-center">
+								<Label Class="col-sm-3" For="scopes" HelpText="A list of Scopes to request from the provider (separated by commas). If none are specified, standard Scopes will be used by default." ResourceKey="Scopes">Scopes:</Label>
+								<div class="col-sm-9">
+									<input id="scopes" class="form-control" @bind="@_scopes" />
+								</div>
+							</div>
+							<div class="row mb-1 align-items-center">
+								<Label Class="col-sm-3" For="parameters" HelpText="Optionally specify any additional parameters as name/value pairs to send to the provider (separated by commas if there are multiple)." ResourceKey="Parameters">Parameters:</Label>
+								<div class="col-sm-9">
+									<input id="parameters" class="form-control" @bind="@_parameters" />
+								</div>
+							</div>
                             <div class="row mb-1 align-items-center">
 								<Label Class="col-sm-3" For="pkce" HelpText="Indicate if the provider supports Proof Key for Code Exchange (PKCE)" ResourceKey="PKCE">Use PKCE?</Label>
 								<div class="col-sm-9">
@@ -299,7 +299,16 @@ else
 									<input id="redirecturl" class="form-control" @bind="@_redirecturl" readonly />
 								</div>
 							</div>
-							<div class="row mb-1 align-items-center">
+                            <div class="row mb-1 align-items-center">
+                                <Label Class="col-sm-3" For="reviewclaims" HelpText="This option should only be used for testing. It allows the full list of Claims returned by the Provider to be recorded in the Event Log. Please note that external login is restricted when this option is enabled." ResourceKey="ReviewClaims">Review Claims?</Label>
+                                <div class="col-sm-9">
+                                    <select id="reviewclaims" class="form-select" @bind="@_reviewclaims" required>
+                                        <option value="true">@SharedLocalizer["Yes"]</option>
+                                        <option value="false">@SharedLocalizer["No"]</option>
+                                    </select>
+                                </div>
+                            </div>
+                            <div class="row mb-1 align-items-center">
 								<Label Class="col-sm-3" For="identifierclaimtype" HelpText="The name of the unique user identifier claim provided by the provider" ResourceKey="IdentifierClaimType">Identifier Claim:</Label>
 								<div class="col-sm-9">
 									<input id="identifierclaimtype" class="form-control" @bind="@_identifierclaimtype" />
@@ -428,11 +437,12 @@ else
     private string _clientsecret;
     private string _clientsecrettype = "password";
     private string _toggleclientsecret = string.Empty;
+    private string _authresponsetype;
     private string _scopes;
     private string _parameters;
     private string _pkce;
-    private string _authresponsetype;
     private string _redirecturl;
+    private string _reviewclaims;
     private string _identifierclaimtype;
     private string _emailclaimtype;
     private string _roleclaimtype;
@@ -489,11 +499,12 @@ else
             _clientid = SettingService.GetSetting(settings, "ExternalLogin:ClientId", "");
             _clientsecret = SettingService.GetSetting(settings, "ExternalLogin:ClientSecret", "");
             _toggleclientsecret = SharedLocalizer["ShowPassword"];
+            _authresponsetype = SettingService.GetSetting(settings, "ExternalLogin:AuthResponseType", "code");
             _scopes = SettingService.GetSetting(settings, "ExternalLogin:Scopes", "");
             _parameters = SettingService.GetSetting(settings, "ExternalLogin:Parameters", "");
             _pkce = SettingService.GetSetting(settings, "ExternalLogin:PKCE", "false");
-            _authresponsetype = SettingService.GetSetting(settings, "ExternalLogin:AuthResponseType", "code");
             _redirecturl = PageState.Uri.Scheme + "://" + PageState.Alias.Name + "/signin-" + _providertype;
+            _reviewclaims = SettingService.GetSetting(settings, "ExternalLogin:ReviewClaims", "false");
             _identifierclaimtype = SettingService.GetSetting(settings, "ExternalLogin:IdentifierClaimType", "sub");
             _emailclaimtype = SettingService.GetSetting(settings, "ExternalLogin:EmailClaimType", "email");
             _roleclaimtype = SettingService.GetSetting(settings, "ExternalLogin:RoleClaimType", "");
@@ -581,11 +592,12 @@ else
 				settings = SettingService.SetSetting(settings, "ExternalLogin:UserInfoUrl", _userinfourl, true);
 				settings = SettingService.SetSetting(settings, "ExternalLogin:ClientId", _clientid, true);
 				settings = SettingService.SetSetting(settings, "ExternalLogin:ClientSecret", _clientsecret, true);
-				settings = SettingService.SetSetting(settings, "ExternalLogin:Scopes", _scopes, true);
+                settings = SettingService.SetSetting(settings, "ExternalLogin:AuthResponseType", _authresponsetype, true);
+                settings = SettingService.SetSetting(settings, "ExternalLogin:Scopes", _scopes, true);
 				settings = SettingService.SetSetting(settings, "ExternalLogin:Parameters", _parameters, true);
 				settings = SettingService.SetSetting(settings, "ExternalLogin:PKCE", _pkce, true);
-                settings = SettingService.SetSetting(settings, "ExternalLogin:AuthResponseType", _authresponsetype, true);
+                settings = SettingService.SetSetting(settings, "ExternalLogin:ReviewClaims", _reviewclaims, true);
-				settings = SettingService.SetSetting(settings, "ExternalLogin:IdentifierClaimType", _identifierclaimtype, true);
+                settings = SettingService.SetSetting(settings, "ExternalLogin:IdentifierClaimType", _identifierclaimtype, true);
 				settings = SettingService.SetSetting(settings, "ExternalLogin:EmailClaimType", _emailclaimtype, true);
 				settings = SettingService.SetSetting(settings, "ExternalLogin:RoleClaimType", _roleclaimtype, true);
 				settings = SettingService.SetSetting(settings, "ExternalLogin:ProfileClaimTypes", _profileclaimtypes, true);

Oqtane.Client/Resources/Modules/Admin/Login/Index.resx

@@ -225,4 +225,7 @@
   <data name="ExternalLoginStatus.RemoteFailure" xml:space="preserve">
     <value>Your External Login Failed. Please Contact Your Administrator For Further Instructions.</value>
   </data>
+  <data name="ExternalLoginStatus.ReviewClaims" xml:space="preserve">
+    <value>The Review Claims Option Was Enabled In External Login Settings. Please Visit The Event Log To View The Claims Returned By The Provider.</value>
+  </data>
 </root>

Oqtane.Client/Resources/Modules/Admin/Users/Index.resx

@@ -456,4 +456,10 @@
   <data name="CookieExpiration.Text" xml:space="preserve">
     <value>Cookie Expiration Timespan:</value>
   </data>
+  <data name="ReviewClaims.Text" xml:space="preserve">
+    <value>Review Claims?</value>
+  </data>
+    <data name="ReviewClaims.HelpText" xml:space="preserve">
+    <value>This option should only be used for testing. It allows the full list of Claims returned by the Provider to be recorded in the Event Log. Please note that external login is restricted when this option is enabled.</value>
+  </data>
 </root>

Oqtane.Server/Extensions/OqtaneSiteAuthenticationBuilderExtensions.cs

@@ -50,7 +50,6 @@ namespace Oqtane.Extensions
                     options.SaveTokens = false;
                     options.GetClaimsFromUserInfoEndpoint = true;
                     options.CallbackPath = string.IsNullOrEmpty(alias.Path) ? "/signin-" + AuthenticationProviderTypes.OpenIDConnect : "/" + alias.Path + "/signin-" + AuthenticationProviderTypes.OpenIDConnect;
-                    options.ResponseType = sitesettings.GetValue("ExternalLogin:AuthResponseType", "code"); // authorization code flow
                     options.ResponseMode = OpenIdConnectResponseMode.FormPost; // recommended as most secure
 
                     // cookie config is required to avoid Correlation Failed errors
@@ -62,6 +61,7 @@ namespace Oqtane.Extensions
                     options.MetadataAddress = sitesettings.GetValue("ExternalLogin:MetadataUrl", "");
                     options.ClientId = sitesettings.GetValue("ExternalLogin:ClientId", "");
                     options.ClientSecret = sitesettings.GetValue("ExternalLogin:ClientSecret", "");
+                    options.ResponseType = sitesettings.GetValue("ExternalLogin:AuthResponseType", "code"); // default is authorization code flow
                     options.UsePkce = bool.Parse(sitesettings.GetValue("ExternalLogin:PKCE", "false"));
                     if (!string.IsNullOrEmpty(sitesettings.GetValue("ExternalLogin:RoleClaimType", "")))
                     {
@@ -290,6 +290,14 @@ namespace Oqtane.Extensions
             ClaimsIdentity identity = new ClaimsIdentity(Constants.AuthenticationScheme);
             // use identity.Label as a temporary location to store validation status information
 
+            // review claims option (for testing)
+            if (bool.Parse(httpContext.GetSiteSettings().GetValue("ExternalLogin:ReviewClaims", "false")))
+            {
+                _logger.Log(LogLevel.Information, "ExternalLogin", Enums.LogFunction.Security, "Provider Returned The Following Claims: {Claims}", claims);
+                identity.Label = ExternalLoginStatus.ReviewClaims;
+                return identity;
+            }
+
             var providerType = httpContext.GetSiteSettings().GetValue("ExternalLogin:ProviderType", "");
             var providerName = httpContext.GetSiteSettings().GetValue("ExternalLogin:ProviderName", "");
             var alias = httpContext.GetAlias();

Oqtane.Server/Infrastructure/DatabaseManager.cs

@@ -377,7 +377,7 @@ namespace Oqtane.Infrastructure
                         }
                         catch (Exception ex)
                         {
-                            result.Message = "An Error Occurred Migrating A Tenant Database. This Is Usually Related To A Tenant Database Not Being In A Supported State. " + ex.ToString();
+                            result.Message = "An Error Occurred Migrating The Database For Tenant " + tenant.Name + ". This Is Usually Related To Database Permissions, Connection String Mappings, Or The Database Not Being In A Supported State. " + ex.ToString();
                             _filelogger.LogError(Utilities.LogMessage(this, result.Message));
                         }
 

Oqtane.Shared/Shared/ExternalLoginStatus.cs

@@ -9,5 +9,6 @@ namespace Oqtane.Shared {
         public const string VerificationRequired = "VerificationRequired";
         public const string AccessDenied = "AccessDenied";
         public const string RemoteFailure = "RemoteFailure";
+        public const string ReviewClaims = "ReviewClaims";
     }
 }