* Part 1 & Part 2 squashed commits pr changes pr fixes remove config for openid -- no need for it for now Part 1: OpenIddict - Minor Changes & Config prep Part2: Openiddict: Init OpenIddict & Database Migration & Auth Policies pr changes fix merge fix compile fix compile #2 Part 1: OpenIddict - Minor Changes & Config prep add missing nuget Part2: Openiddict: Init OpenIddict & Database Migration & Auth Policies * Part3: OpenIddict: Add Flows Event Handlers * pr changes * fix merge * fix rebase * fix imports * cleanup * do not allow u2f enabled accounts to log in * start better tests for flows * add tests * fixes * reintroduce dynamic policy as policies on jwt do not work without it * reduce logs * fix incorrect endpoint definitions * Add implicit flow e2e test * add code flow and refresh flow * do not allow jwt bearer auth for all requests( only those under /api) * remove commentedt code * make sure authorize attr is marked with scheme * remove dynamic policy and set claims in jwt handler * cleanup * change serversettings policy to not need a claim * Add test to checkadmin verification * revert server setting claim removal * fix test * switch back to claim * unit test fixes * try fix build with weird references to csprojes * start fixing rebase * remove https requirement to handle tor * reformat tests correctly * fix csproj * fix ut formatting * PR Changes * do not show selenium browser
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using AspNet.Security.OpenIdConnect.Extensions;
using AspNet.Security.OpenIdConnect.Primitives;
using BTCPayServer.Models;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Options;
using OpenIddict.Abstractions;
using OpenIddict.Server;
namespace BTCPayServer.Authentication.OpenId
{
    /// <summary>
    /// Shared base for the OpenIddict grant handlers: builds the authentication
    /// ticket that OpenIddict turns into an id_token, an access token or a code,
    /// and decides which claims may leave the server in which token.
    /// </summary>
    /// <typeparam name="T">The OpenIddict server event this handler reacts to.</typeparam>
    public abstract class BaseOpenIdGrantHandler<T> : IOpenIddictServerEventHandler<T>
        where T : class, IOpenIddictServerEvent
    {
        // Claim types that are copied into the identity token only when the
        // scope mapped here was granted on the ticket. Every claim type in this
        // table (and every unlisted one except the security stamp) also goes
        // into the access token; see GetDestinations.
        private static readonly IReadOnlyDictionary<string, string> s_identityTokenScopes =
            new Dictionary<string, string>
            {
                [OpenIddictConstants.Claims.Name] = OpenIddictConstants.Scopes.Profile,
                [OpenIddictConstants.Claims.Email] = OpenIddictConstants.Scopes.Email,
                [OpenIddictConstants.Claims.Role] = OpenIddictConstants.Scopes.Roles,
            };

        protected readonly SignInManager<ApplicationUser> _signInManager;
        protected readonly IOptions<IdentityOptions> _identityOptions;

        /// <summary>Stores the ASP.NET Identity services the derived handlers rely on.</summary>
        /// <param name="signInManager">Used to build the user's <see cref="ClaimsPrincipal"/>.</param>
        /// <param name="identityOptions">Read for the configured security-stamp claim type.</param>
        protected BaseOpenIdGrantHandler(SignInManager<ApplicationUser> signInManager,
            IOptions<IdentityOptions> identityOptions)
        {
            _signInManager = signInManager;
            _identityOptions = identityOptions;
        }

        /// <summary>
        /// Builds the authentication ticket for <paramref name="user"/> under the
        /// OpenIddict server scheme, with each claim tagged with its token destinations.
        /// </summary>
        /// <param name="request">The incoming OpenID Connect request; only its grant type and requested scopes are read.</param>
        /// <param name="user">The Identity user the ticket is issued for.</param>
        /// <param name="properties">Optional authentication properties attached to the ticket; may be null.</param>
        /// <returns>The ticket OpenIddict will serialize into tokens or an authorization code.</returns>
        protected async Task<AuthenticationTicket> CreateTicketAsync(
            OpenIdConnectRequest request, ApplicationUser user,
            AuthenticationProperties properties = null)
        {
            // The claim set comes straight from ASP.NET Identity; nothing is added here.
            ClaimsPrincipal principal = await _signInManager.CreateUserPrincipalAsync(user);
            var ticket = new AuthenticationTicket(principal, properties,
                OpenIddictServerDefaults.AuthenticationScheme);

            // For the authorization-code and refresh-token grants the scopes are not
            // taken from the request (presumably they travel in the stored ticket's
            // properties — confirm against the derived handlers). For every other
            // grant the requested scopes are granted as-is, with no narrowing step.
            bool scopesFromRequest = !(request.IsAuthorizationCodeGrantType()
                                       || request.IsRefreshTokenGrantType());
            if (scopesFromRequest)
            {
                ticket.SetScopes(request.GetScopes());
            }

            // A claim without a destination is left out of every token by OpenIddict.
            foreach (Claim claim in principal.Claims)
            {
                claim.SetDestinations(GetDestinations(claim, ticket));
            }

            return ticket;
        }

        /// <summary>
        /// Decides which tokens a claim is serialized into. Claims carry no
        /// destination by default, so anything not returned here stays server-side.
        /// </summary>
        /// <param name="claim">A claim taken from the user principal.</param>
        /// <param name="ticket">The ticket whose granted scopes gate identity-token inclusion.</param>
        /// <returns>Zero or more <see cref="OpenIddictConstants.Destinations"/> values.</returns>
        private IEnumerable<string> GetDestinations(Claim claim, AuthenticationTicket ticket)
        {
            // name / email / role: always in the access token, and in the identity
            // token only when the matching scope was granted.
            if (s_identityTokenScopes.TryGetValue(claim.Type, out string gatingScope))
            {
                yield return OpenIddictConstants.Destinations.AccessToken;

                if (ticket.HasScope(gatingScope))
                {
                    yield return OpenIddictConstants.Destinations.IdentityToken;
                }

                yield break;
            }

            // The security stamp is a secret value and must never leave the server
            // in either token.
            string securityStampType = _identityOptions.Value.ClaimsIdentity.SecurityStampClaimType;
            if (claim.Type == securityStampType)
            {
                yield break;
            }

            // Every other claim on the principal is placed in the access token, so
            // adding claims to the Identity principal widens what the token exposes.
            yield return OpenIddictConstants.Destinations.AccessToken;
        }

        /// <summary>Handles the OpenIddict server event; each grant type implements its own flow.</summary>
        /// <param name="notification">The server event to handle.</param>
        public abstract Task<OpenIddictServerEventState> HandleAsync(T notification);
    }
}